Skim milk

How do you make smartphones into trustworthy platforms? Some recent attempts are problematic.

This week, the CEO of Verifone—Douglas Bergeron—issued a scathing diatribe on Square, a startup selling a plug-in credit card reader for mobile devices.

The device enables a vendor to turn a mobile device into a retail payment terminal, at low cost—far lower than, say, purchasing a Verifone point-of-sale terminal. I'm guessing the transaction fees to the merchant are also lower.

The Square passes swiped card data, in the clear, to the smartphone app. Only then is that data encrypted over the air to the back-end payment processor. To help make its point, Verifone wrote a smartphone impersonation app: it trivially skims card data from the Square reader—the data can then be saved, emailed, or texted to anyone.  

Assuming Bergeron's information is accurate, the Square system is a danger to consumers and vendors. It blows my mind that someone could go as far as to launch a company and mass-produce such a device without the payment-card industry crying foul. Would VISA approve of such a contraption? Let's hope not.

However, Bergeron's proposed fix is also frightening. He asserts that the Square hardware ought to use encryption (and presumably secure key storage, such as via a smart card chip) to protect credit card data en route between the dongle and the phone. While necessary, this still isn't sufficient. The credit card data will be decrypted by the app, sitting in RAM, in the clear. Any phone rootkit enables an attacker to commandeer the app and the card data within.

Furthermore, the typical mobile phone app environment uses crappy key management—for example, keys stored in the phone OS's file system—for the reader-phone and phone-processor tunnels and any required data-at-rest encryption. A mobile OS rootkit gives malware access to these keys: game over.

If we want to use mobile devices as payment terminals—a wonderful idea—the first thing developers need to accept is that any data processed by the main phone OS must be considered PUBLIC. Now think what can be done to protect card data from the swipe to payment processor. At the same time, we want to take maximum advantage of the phone's snazzy UI to manage the payment experience.

As a start, we must avoid the Square problem and use a swiper that creates an authenticated, encrypted connection to the phone for transmitting card data. Smart chip credit cards would solve this part of the problem if smartphones supported them (they don't) and we had them (we don't, at least not in the USA).

The other end of that handshake must be performed with cryptographic protocols and key management that is strongly isolated from the main phone OS. For example, we can use TrustZone that is available on most modern smartphone/tablet apps processors. The main phone OS only sees encrypted data and is never involved in crypto.