Monday, September 15, 2014

Q & A About Apple Pay

"Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment."

In that context, what can one say about the security of Apple Pay?

We can say with confidence that Apple Pay is more secure than the alternative widely used payment mechanisms such as cash, mag-stripe cards, or comntactless (RFID) (debit or credit) cards.  Its security is comparable to that of EMV ("Chip" cards).

What is necessary to use Apple Pay?

One must have one or more credit card or other bank accounts to charge.  (By default, Apple Pay will use the account registered with the Apple Store. ). One must  have use of an iPhone 6 or iPhone 6 Plus and Touch ID.  Finally, the merchant must have point of sale devices that have contactless readers.  These readers work with both contactless  (RFID) credit cards and mobile computers using Near Field Communication (NFC).

If one loses one's iPhone can a finder use Apple Pay.

No.  Both possession of the IPhone and the right fingerprint are necessary to use Apple Pay.  Similarly someone with merely a copy of your fingerprint cannot use it.  Of course, one would still want to remotely disable the iPhone.

If my password is disclosed, I can change it, but I cannot change my fingerprint.

True but there is no need.  Passwords work only because they are secret.  Fingerprints work because they are difficult to counterfeit; no need for secrecy.  In fact one leaves copies of one's fingerprints all around in the normal course of things.

One can do Apple Pay with Apple Watch.  Does it have a fingerprint reader?  

No. The Apple Watch uses a different but equally effective authentication scheme.  After one puts the Watch on, one enters a 4 digit personal identification number (PIN).  This lasts until the sensors on the watch indicate that the watch has been taken off.  Both of these authentication schemes are examples of Two-factor Authentication, iPhone and Touch ID, Watch and PIN.  When used with the Secure Module and the one-time digital token to resist replay, Apple Pay has Strong Authentication..  

What is "NFC?"  

NFC is a low power, low speed, extremely short range digital radio capability.  Its applications include retail payments.  Apple Pay uses NFC to communicate with the register or point-of-sale device.  While NFC is only one alternative communication method, payment systems that use it may be identified as "NFC" systems.  

Is NFC secure?

NFC makes no security claims.  All required security must be built into the application.  While it is low power and short range, NFC includes no other security properties, functions or features.  Apple Pay does not rely upon NFC for security.  The token value that Apple Pay uses NFC to send to the point of sale is a one-time value.  Unlike a credit card number, it is not vulnerable to disclosure or reuse.  

How do I know how much I am being charged?

As with credit card transactions, the amount that you will be charged is displayed on the register. As with credit card transactions, you may be asked to "accept" or confirm pthe amount to the register.  As with credit card transactions, the register will provide you with a paper receipt.   

How do I know that the amount that appears on the register, that I confirm, and that is printed on the receipt is what is actually charged to my account?

By benign design and intent, systems will automatically ensure that the displayed amount and the charged amount are the same.  One can imagine a system designed to cheat but these will be very rare, easily detected, and quickly shut  down.  To some degree, this will depend on you.  

As with credit cards and checks, some of you must reconcile charges (perhaps using the paper receipt) to your account to what you authorized.  (Some other "wallet" programs immediately confirm the location and amount to the mobile device by SMS.  It remains to be seen whether Apple Pay will do this but it is likely.)   (Your bank or account holder may also offer transaction confirmation features.  For example, American Express offers its customers the option to have "card not present" transactions confirmed in real time by e-mail.  Incidentally, Apple Pay transactions look to American Express as "card not present.")

What if the charges to my account are not the same as I authorized?

Errors or fraud will be rare but you will continue to enjoy the same right to dispute charges that you have always had.

Lest you think that these questions are trivial, I heard each of them raised seriously by serious people on TV this week.

Monday, September 8, 2014

"Come Back with a Warrant."

Recently, in recognition of my routine contribution, the Electronic Frontier Foundation (EFF) sent me a little sheet of stickers highlighting their areas of interest and action.  Since advocacy of the Fourth Amendment to the US Constitution is one of my pursuits, I particularly liked the one that said "Come Back with a Warrant."  I inferred that, as good custodians of the private information of others, when asked for that information by government, our default response should be "Come back with a warrant."

As one who has had occasion to draft rules and regulations, if not law, I have always stood in awe of those who crafted our Constituion.  It is a model of brevity, clarity, and balance.  While tortured by events and progress, it has served us well.  Not only is the Fourth Amendment not an exception to this observation, it is an example of it.  Having recently thrown off the yolk of tyranny, the Authors were exquisitely sensitive to the potential for abuse of the power of the state.  In the Fourth Amendment the Authors sought to place a limit on the magisterial police powers of their awesome creature.

They stipulated that the people have a right to be secure in their "persons, houses, papers, and effects" from "searches and seizures."  In consideration of police necessity, the Authors qualified the searches and seizures that they were addressing as "unreasonable," leaving open the possibility of reasonable ones, and to specifically include those where the state had a "warrant" of a specific character.

In recent times, in response to threats real and imagined, the state, congress, courts, and executive, have dramatically limited the right of the people to be secure in "persons, houses, papers, and effects."  Congress has passed laws, such as the USA Patriot Act, granting massive exceptions to the requirements for warrants in the name of "counter-terrorism."  Secret courts have permitted seizures so massive as to defy the wildest definitions of reasonable.  The Executive has engaged in secret programs of "warrantless surveillance" and officially lied to the American people about their existence.  They have systematically parsed every word in the Amendment, specifically including "unreasonable," "seizure," "papers," and even "their" so as to eviscerate the protection that the Amendment was intended to afford.

For example, It is hard to imagine a definition of seizure that does not include "taking from another under force of law."  However, for their own convenience this administration, Departments of Defense and Justice, secretly agreed among themselves to a definition that such an act did not constitute seizure as long as one promised not to look at what one had "taken."  Having gotten a secret court to agree to this definition, the act was now not only "legal" but also, at least by this arguable definition, constitutional.  Such "weasel wording" might be laughable in another context.

So, where should we take our stand?  I propose that we stand with the EFF, that we adopt enterprise policy that, at least by default, we expect a warrant.  We should not wait until we are served with a National Security Letter, which may even say that we may not consult counsel, but we should proactively adopt and direct counsel to implement a policy that we expect a warrant and will resist deficient orders.

I am willing to grant the government access to almost anything for which they have a warrant.  Some even say I have given up.  However, even a capricious warrant offers us fundamental protections.  First, unlike some other orders, it is never unilateral.  Two people, usually with different motives, must cooperate before there can be a warrant.  An investigator must at least have the consent of a magistrate.

Second, a warrant requires probable cause, not merely "articulable suspicion."  It requires that an investigator not only present the court with "probable cause" but do so under oath, subject to penalties for perjury.  The investigator may not simply make an assertion.

Finally, while it may be broad, a warrant must be limited in its scope.  The Amendment requires specify the "place to be searched, and the persons or things to be seized."  As the custodians of the personal data of others, we should at least assert that the warrant should specify the data to be searched, the arguments to be used and the functions that are responsive.  We should be prepared to challenge warrants that we believe to be overly broad but even if we fail, the specifications will be a matter of record.

The Authors of the Amendment gave state the, admittedly carefully limited, warrant as an exception to the right of the people to be secure from searches and seizures.  Even those who do not agree with me that they should be required, have to concede that they are just not that hard to get. Let's expect them to bring one.