FYI: The Challenge of Turning Phones into Credit Cards - The Challenge of Security & Why the UK is Key.

Peter Tomlinson pwt at iosis.co.uk
Fri Feb 25 16:39:13 GMT 2011


The transaction model described appears to be very similar to the 
contactless payment method using debit/credit cards that is being rolled 
out here now - and a dual PR push for contactless debit/credit for 
public transport in London, featuring Transport For London and a head 
Mastercard honcho, happened this week [1]. The extra gained by using the 
mobile phone is the bonus for the user: a receipt stored in the phone.

There is indeed a great deal of work going into transaction security for 
this architecture, and of course there are several architectures 
available for the phone and SIM card and microSD card (maybe with 
Bluetooth as well). This one will run and run - and a number of security 
people are tearing their hair out as they try to work through the matrix 
of not just secure element architectures but also of the multiplicity of 
phone operating systems.

It's a consumer product; money has to be made by transferring money and 
by executing the real transactions (buying things and services [2]); 
there will be some casualties, but a great number of people will like it.

Peter

[1] on London buses before the Olympics, on all TfL services a bit later.

[2] And money transfer in some countries

On 25/02/2011 14:38, Anish Mohammed wrote:
> Hi Peter,
> Doing a micropayment, I don't see much of a problem. I have to admit 
> at this point I was working as security expert for one such product 
> from Ericsson a decade ago. It didn't take off as it was too early (or 
> too much security :-) )
> regards
> Anish
>
> On Fri, Feb 25, 2011 at 2:26 PM, Peter Fairbrother 
> <zenadsl6186 at zen.co.uk> wrote:
>
>     Chris Salter wrote:
>
>         Hello UKCrypto,
>
>         "The Challenge of Turning Phones into Credit Cards - The
>         Challenge of Security & Why the UK is Key".
>
>         http://www.trustedreviews.com/mobile-phones/review/2011/02/24/The-Challenge-of-Turning-Phones-into-Credit-Cards/p1?utm_source=newsletter&utm_campaign=clicks&utm_medium=daily_20110225_1277
>         or
>         http://preview.tinyurl.com/4w4wz46
>
>
>     It seems to be a very stupid implementation, and quite possibly a
>     stupid idea as well - no-one seems to have worked out the security
>     model so far, or even have worked out any working security model.
>
>     That should have been done *first*.
>
>     Is this micropayments, or major purchases? Is a PIN entered on the
>     'phone? Does the issuer put a tamperproof chip in the 'phone?
>
>     I'm not surprised that the Kaspersky guy is keen, more business
>     for him - but is he going to take responsibility, and more
>     important accept liability, when things go wrong? As K. take zero
>     liability for the effectiveness of their software at present, I
>     kinda doubt it.
>
>
>
>     However if Visa want to implement it, and take the risk, fine by
>     me - as long as I don't have to bail them out (again), and as long
>     as paying by card remains an option. This should be a legal
>     requirement, like chip and signature cards vs chip and PIN cards.
>
>     Come to think of it, it may be a legal requirement already,
>     depending on the way the present law is interpreted - but that's
>     not an area of law I'm familiar with.
>
>
>
>     BTW I don't have a mobile 'phone, and I don't want one.
>
>
>     -- Peter Fairbrother


