Security Review – Charge It to My Cell

By lmarsh16 at 10:34 pm on November 19, 2008 | 1 Comment

When in a rush and craving a quick soda or snack, people just don’t want to deal with the hassle of lines and other people. That is why the vending machine is such a great invention; it’s a fast, easy way to get something so people can continue on their way. But there’s a way to make this process even quicker and simpler. Everyone has a cell phone nowadays. Why not purchase the items via mobile phone? In Japan, they already have such a device; they’re called wallet phones. Wallet phones combine an I-mode phone and the FeliCa smart card. To use it, one doesn’t even have to press any buttons. When the vending machine is ready, the user place their cell phone near it, and the cell phone beeps to let the user know the transaction is complete. But this wallet phone doesn’t only work with vending machines, it also can serve as a bus or train pass if the right equipment is set up. To counter fraud, the FeliCa smart card dynamically generates an encryption key each time mutual authentication is performed. Though not the default, the wallet phone can be configured so that a four digit PIN is required before any transaction. The phone operates much like a debit card with a limit of about $500. If the phone gets lost or stolen, the user must call up the company and cancel the service.

One of the first things to consider about any system is who are the potential stakeholders and adversaries. The most obvious stakeholders are the wallet phone users who choose to use this feature. Other stakeholders are the companies who sell products in the vending machines and the vending machine companies that much change their machines to accommodate for these cell phones. The adversaries are basically anyone who wishes to come between a user and their transaction. It could be a competitor attempting to get the service to malfunction on the other companies’ products or someone who wants to steal someone else’s money or get a free beverage.

The first and most important security goal is ensuring the security of the transaction. No one but the consumer and machine should be involved in the transaction, and the data should not leak to a third party. Another concern is integrity; the consumer should be charged for only the products and services he or she has purchased. Cell phones may become our new electronic wallet, so we must ensure that they are properly secured.

The biggest weakness I see with the wallet phone is the fact that it is a cell phone. While it may be very convenient, there is a saying, “Don’t put your eggs all in one basket.” I think that the wallet phone does just that. In today’s world, more and more people are becoming dependent on their cell phones. Leaving one’s cell phone at home has become almost as awful as forgetting one’s house keys or wallet. It has steadily become most people’s prime method of communication. In fact, the current trend is for individuals to not have LAN line telephones at all. And today’s mobile phones offer more than just telephone service; users can text, send e-mails, take photographs, browse the Internet, listen to music, watch TV, etc. Also, lots of important information is stored in phones such as phone numbers, addresses, birthdays, and schedules. So, I think that turning a person’s mobile into a debit card is really erring on the side of too much convenience. Thieves would start targeting cell phones. I don’t know how many thieves today attempt to steal cell phones, but I do know that if cell phones also doubled as wallets, those numbers would increase. If consumers really do wish to use their cell phones as debit cards, then the phones need to be handled with a little different mental model they how they are being used now. Lock the cell phone with a password when it’s not in use, just as one would do with a computer in a public setting.

There’s also another weakness I noticed with these cell phones, particularly in Japan. Now, while I do think that that PINs are a great way to protect the consumer, there was an inherent problem with how that number was stored. When I was setting up my cell phone, it asked me to write my PIN on the application in pen in plain view for anyone in the company to see, and that’s what my PIN was set up to be. Also, although the menu of my phone was in English, I never did figure out how to change that number. So, one thing that definitely needs to be carefully considered is how these PINs are handled. The system used for PIN numbers at banks seems like a good place to start for that. The person selects their own 4-digit password on a machine; there is no need for any employee of the company to see it. As stated in many computer security textbooks, security is only as good as the weakest link. My PIN may do a wonderful job of protecting my phone, but who is going to protect my pin.

One other thing that bothers me about this implementation is that the consumer does not have to do anything to complete the vending machine transaction. The consumer just must be standing within a certain distance of the machine for the transaction to be completed. This creates a different kind of security issue. Imagine our good old friends Bob and Eve. Let’s say that Eve would like to make a purchase from a vending machine or pay for her daily commute, but she doesn’t have any money on her cell phone. And then let’s say that Bob is standing fairly close to Eve, who she knows happens to have a wallet phone in his possession. All Eve has to do is go through the motions of making the purchase, and then at payment time, nudge Bob in the right direction to get his cell phone to complete the transaction for her. One could compare this action to a temporary purse snatch. However, there is a fundamental difference between this and stealing someone’s wallet or purse. To get to someone’s money, a thief has to actually open and get inside the purse, bag, wallet, or whatever the victim is using. There is that extra step of effort beyond just pushing someone in the direction of the machine. And from personal experience, I can safely say that nudging someone in the midst of heavy Japan metropolis traffic would be not such a hard feat at all. The other person may not even realize their cell phone was used if the noise and bustle were great enough.

Technology was created in order for our lives to be more convenient, but we still have to be careful about how ‘convenient’ we allow technology to be. In the last example, which showed that people could steal another’s money just by nudging them, technology seems to err on the side of too convenient. If that extra purchase confirmation screen was added to the transaction, it would make it harder for other people to take the user’s money, whether it is on purpose or on accident. While it may be impossible to slow down technology being more heavily incorporated in our lives, it is possible to use that technology in a way that does not cause unexpected problems to arise. It just takes some forethought.

Wallet phones are inevitable. With the widespread use of cell phones and the public desire for speed and convenience, it was only a matter of time before someone thought to merge one’s wallet and mobile phone together. And this isn’t necessarily a bad thing. It is convenient; it is faster, and it might also be something the general populace wants. However, several security issues need to be addressed to make sure these wallet phones don’t cause problems for society as a whole. The mental model of a cell phone as just a communication device (whether it is actual calling, text, or e-mail) needs to be modified accordingly as more features are added. I’m sure the introduction of wallet phones to America is only a matter of time. I just hope that they meet the security needs of the people who use them.

Filed under: Security Reviews1 Comment »

1 Comment

  • 1
    Get your own gravatar for comments by visiting

    Comment by Sven Türpe

    November 20, 2008 @ 6:11 am

    As you are doing this in public I suppose an outside comment is in order. While your review is good by all textbook standards I see two points that may deserve being reconsidered. Considering the purpose of this blog, I’m going to ask a lot of questions without answering them. I do not request that you answer any or all of them here.

    Before you read on, please take the time to have a glance over two lists, the 1995 W3C roadmap of electronic payment schemes and another list of payment mechanisms designed for the Internet, collected between 1994 and 2001. Ask yourself a) how many of these systems had been designed primarily as security systems; b) how many of those are still around; and c) what the security properties of the credit card system—the entire system, not just one card—are and what the success of this design may tell us about requirements.

    Done? Great. Here are the issues that I have with your analysis. The first one is with this claim: “The first and most important security goal is ensuring the security of the transaction.” If just one transaction failed in one of the possible ways that you describe, what would it mean to the stakeholders and to the system as a whole? If we consider multiple/all transactions, what would be the result of multiple attacks for the stakeholders, for the system, and for the adversary? Can you describe conditions where the system is neither perfectly secure (i.e. nothing undesired can happen) nor entirely insecure (i.e. free Coke for everybody)? Can you describe, in abstract terms, an attack that may be possible to carry out in theory and practic, yet economically infeasible?

    Returning to the credit card, which so far survived all “secure” payment systems, how are transactions secured there? Can we use some of the concepts in a cellphone payment system as well? Which ones and how?

    The second issue that I have is with your idea that the technology may err “on the side of too convenient.” We must be careful here: making something less convenient does not necessarily make it more secure; humans tend to circumvent obstacles if they can; competing technologies are available that are easy to use, such as cash money or, again, credit cards; and we will likely fail if we attempt to impose arbitrary rules upon the user. So if you consider any improvements to the technology, please ask yourself what their impact on the user will be—and what is going to happen if the user fails to complay with your assumptions.

RSS feed for comments on this post