There is a very good analysis of the BlackPOS malware, reportedly used in the attack on Target's points of sale, on the HP Security Research Blog. Interesting fact: BlackPOS (at least its latest version) uses custom credit card track-data pattern matching logic, while most other POS malware programs use regular expressions to extract the card track data from memory. A custom single-pass search can be more efficient than the generic regular expression approach. It looks like the authors of BlackPOS are aware of potential POS hardware and software performance issues! The observation matters for defenders as well: a memory-scanning signature that keys on the typical track-data regex strings found in other scrapers will not match a scraper built this way.
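To make the regex-versus-custom-matcher distinction concrete, here is an added example (my own code, not BlackPOS code and not taken from the HP write-up) that scans a constructed buffer of "process memory" for Track 2 data both ways: once with a regular expression and once with a hand-written single-pass scanner that validates the PAN with the Luhn check digit as it goes. The buffer, the record layout (`;PAN=YYMMSSS...?`) and the well-known test PANs are constructed for illustration; this is the kind of logic a DLP or memory-scraping detector uses to find card data.

```python
import re

# Constructed sample of process memory: ASCII noise around two track-2-shaped
# records.  The PANs are standard test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00host=pos01;user=clerk\x00"
    b";4111111111111111=25121011234567890?"       # Luhn-valid test PAN
    b"\x00\x00log line;;4111111111111112=2512101?"  # last digit wrong: fails Luhn
    b"\x00trailing ;= junk ?\x00"
)

# Generic approach: PAN (13-19 digits), '=', YYMM, 3-digit service code,
# optional discretionary digits, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation (mod-10), processing digits right to left."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2_regex(buf: bytes) -> list:
    """Regex approach: returns every PAN whose surrounding record matches."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(buf)]


def find_track2_scanner(buf: bytes) -> list:
    """Custom approach: one forward pass, no backtracking engine, Luhn check
    performed as soon as the structural match succeeds."""
    found = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] != 0x3B:                       # ';' start sentinel
            i += 1
            continue
        j = i + 1
        while j < n and j - (i + 1) < 19 and 0x30 <= buf[j] <= 0x39:
            j += 1                               # consume up to 19 PAN digits
        if j - (i + 1) < 13 or j >= n or buf[j] != 0x3D:   # need '=' separator
            i += 1
            continue
        k = j + 1
        while k < n and 0x30 <= buf[k] <= 0x39:
            k += 1                               # expiry, service code, discretionary
        if k - (j + 1) < 7 or k >= n or buf[k] != 0x3F:    # need '?' end sentinel
            i += 1
            continue
        pan = buf[i + 1:j].decode()
        if luhn_ok(pan):
            found.append(pan)
        i = k + 1
    return found


if __name__ == "__main__":
    print("regex candidates :", find_track2_regex(SAMPLE_MEMORY))
    print("scanner, Luhn ok :", find_track2_scanner(SAMPLE_MEMORY))
```

The regex returns both records; the scanner rejects the second because its check digit is wrong. A regex can of course be combined with a Luhn check too, but the custom scanner does the structural match and the validation in a single pass over the buffer without a backtracking engine, which is exactly where the performance difference on a low-powered POS terminal would come from.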
This essay was previously published by VentureBeat on January 26, 2014
Recent developments around Bitcoin, its silver-like sister Litecoin, and other crypto-currencies have forced many merchants to start thinking seriously about accepting these digital alternatives to cash and plastic cards. In fact, some businesses already accept Bitcoin. E-commerce merchants were the first to do so; however, just as life once emerged from the ocean onto land, Bitcoin is slowly but surely creeping out of its virtual cradle into the real world of brick-and-mortar merchants.
The benefits of crypto-currency for consumers are well known. They provide:
There are also some downsides. Unlike credit cards, Bitcoin transaction fees are paid by senders. Fraudulent transactions cannot be disputed or reversed. Bitcoin wallets can be hacked. But the million-dollar (oh, I’m sorry — thousand-Bitcoin) question is, can Bitcoin technology meet the picky requirements and withstand the tough conditions of real retailers?
The uncertain mechanism for calculating the transaction fee is one factor that could hold back mainstream acceptance of crypto-currencies. In the world of traditional retail payments, buyers do not deal with transaction fees at all: they are handled by the seller. Even though the typical fee for a Bitcoin transaction at the time of writing (0.0001 BTC) is much lower than credit or debit card processing fees (up to 3% of the amount), the average buyer may ask: why should I use Bitcoin if I can pay by credit card and spend less? This is especially important for micropayments, where the fee is comparable to the transaction amount.
On a related point, not all Bitcoin transactions are created equal, so the fee also affects transaction processing time (as I'll discuss below). The lower the fee, which can be set either automatically by the wallet software or manually by the buyer, the lower the transaction's priority with the miners who assemble blocks. Imagine a cashier in a grocery store asking you for a tip in order to skip the checkout line.
Besides the transaction fee issues, there are security concerns that should be clarified and resolved before Bitcoin payments are implemented in brick-and-mortar stores on a large scale. First, let's understand which area is the most problematic.
As is well known in information security theory, there are three security domains: confidentiality, integrity, and availability. When these are applied to the security of traditional electronic payments, the first one is the most famous (card data breaches), the second one is also often cited (counterfeit cards and fraudulent transactions), while the third is sometimes overlooked or simply filed under a non-security category, although it is no less important than the other two. Just think about issues such as payment network downtime, backup of transaction records, or transaction processing time: they are all availability concerns!
Ironically, this domain, availability, is the only one that is mostly kept under control in the payment card industry. If you compare the security of the Bitcoin ecosystem with that of credit cards, it is pretty obvious that the designer (or designers; we still don't know) of the digital currency had a different order of priorities. Integrity is largely taken care of (thanks to modern cryptography); confidentiality is still problematic but manageable; but availability is out of scope. Perhaps that's due to a lack of experience with retail payment processing systems. Or maybe the Internet was the only target in mind?
Transaction processing time is one of the main differences between online and brick-and-mortar cultures. While it is acceptable in most cases to wait several minutes, hours, or sometimes days for shipment and delivery of goods purchased online, a customer in a brick-and-mortar store gives up very quickly when there are delays. Tough competition forces point-of-sale hardware and software vendors, along with the payment processors, to fight over milliseconds. The situation is aggravated by the fact that a single e-commerce website can process many transactions simultaneously, while a single point-of-sale machine, attended or unattended, can handle only one customer at a time.
Large chains save a lot of money on employee salaries and POS hardware/software fees by cutting transaction processing time (which includes payment processing time) by just a few milliseconds. Now let's look at Bitcoin timing. The average time to first confirmation (the analog of pre-authorization in the payment card industry) is 10 minutes. That's a huge delay compared to the several hundred milliseconds required for an average online credit card approval. Yes, the initial validation of a Bitcoin transaction can be done by the client software, and the transaction is relayed by other nodes of the network within seconds. But the fact that the transaction record is well-formed and valid does not guarantee that the payment will be accepted by the entire network.
This behavior is determined by Bitcoin's design. Each transaction is recorded in a special public ledger called the blockchain, which is visible and accessible to anyone on the Internet. The blockchain consists of blocks of transactions that are created every 10 minutes on average. Even though a transaction cannot be reversed once it's transmitted to the network, it can still lose out: before it is included in a block, a conflicting transaction that spends the same coins (someone trying to send the same money to two different addresses at the same time) may be mined first; and even after inclusion, the block containing it can be orphaned if a competing chain overtakes it. A Bitcoin transaction is considered finally confirmed only after five more blocks have been added to the blockchain on top of the block containing it (six confirmations in total) and accepted by the majority of the network. This mechanism prevents double-spending (remember the integrity domain?) and works pretty well, but there is a price for it: a one-hour wait for final confirmation. Such a delay is obviously not acceptable in a regular merchant environment where a customer usually walks away right after the payment is done (think about fast food restaurants, grocery stores, or gas stations).
The first solution that comes to mind for this confirmation delay is introducing some kind of intermediary that would guarantee to the merchant that the transaction is valid without the merchant having to wait an hour (in the credit card world this function is performed by the issuing bank). The customer could be asked to make an initial deposit into a special account (similar to a debit card), or to provide identification so that her previous purchase history can be analyzed (just like with a credit card). Of course, the problem with this solution is that it nullifies the fundamental properties of crypto-currency: anonymity, independence from financial institutions, and decentralization.
So why should consumers bother with a Bitcoin wallet if it behaves exactly like a credit or debit card? Litecoin and other altcoins partially address this issue by reducing the time between blocks. The Litecoin network creates a block every 2.5 minutes, while the recently created Worldcoin has the lowest interval, one minute, which, as its creators claim, enables Worldcoin acceptance in the brick-and-mortar merchant environment without design changes. Note that a shorter block interval only shortens the wait per confirmation; how much protection a given number of confirmations actually buys depends on the hashing power securing that particular network.
It’s fair to say, however, that slow processing is a less important issue for some groups of retailers whose typical transaction amount is either very small or very big. When the amount of the payment is small (a cup of coffee), the probability of an attack, and therefore the risk of losing money, is low. When the transaction amount is big (buying a car), a one-hour wait could be acceptable for the buyer (compare that to the time needed to validate a bank check or to withdraw and count cash).
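The one-hour figure above is a convention rather than a protocol rule: the Bitcoin white paper (Nakamoto 2008, section 11) gives the probability that an attacker controlling a fraction q of the hashing power ever catches up with the honest chain once the merchant's transaction is z blocks deep, and for q = 10% that probability is about 0.09% after five blocks and 0.02% after six. The following is an added example (my own code, not from the original essay or from any Bitcoin client) that implements that calculation and uses it to answer the questions raised above: how many confirmations, and therefore how long, a merchant should wait on Bitcoin or Litecoin, and how the answer changes with the amount at stake. The attacker share, the loss tolerances and the block intervals are assumptions for illustration.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q (q < 0.5) ever
    catches up with the honest chain after the merchant's transaction is
    z blocks deep.  Formula from the Bitcoin white paper, section 11."""
    if not 0.0 <= q < 0.5:
        raise ValueError("q must be in [0, 0.5); a majority attacker always wins")
    p = 1.0 - q
    lam = z * (q / p)                     # expected attacker progress while honest chain mines z
    total = 1.0
    poisson = math.exp(-lam)
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k            # Poisson(k; lam), computed incrementally
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)                # clamp tiny negative rounding error


def confirmations_needed(q: float, max_risk: float) -> int:
    """Smallest depth z at which the attacker's success probability <= max_risk."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


def acceptable_confirmations(amount: float, q: float, max_expected_loss: float) -> int:
    """Risk-based policy: wait until P(attack succeeds) * amount <= loss tolerance.
    With z = 0 the probability is 1, so a zero-confirmation sale is never
    'safe' under this model; for a coffee the real protection is that nobody
    bothers to mine against it."""
    z = 0
    while attacker_success_probability(q, z) * amount > max_expected_loss:
        z += 1
    return z


def expected_wait_minutes(z: int, block_interval_min: float = 10.0) -> float:
    """Expected wall-clock wait for z confirmations (the transaction's own
    block plus z-1 blocks on top of it)."""
    return z * block_interval_min


if __name__ == "__main__":
    q = 0.10                              # assumed attacker share of hash power
    for z in range(7):
        print(f"z={z}: P(attacker catches up)={attacker_success_probability(q, z):.7f}")
    z_safe = confirmations_needed(q, 0.001)
    print("confirmations for <0.1% risk:", z_safe,
          "-> Bitcoin", expected_wait_minutes(z_safe), "min,",
          "Litecoin", expected_wait_minutes(z_safe, 2.5), "min")
    print("coffee ($3, tolerate $0.10 expected loss):", acceptable_confirmations(3, q, 0.10))
    print("car ($30,000, tolerate $1 expected loss):", acceptable_confirmations(30_000, q, 1.0))
```

The policy function makes the essay's point about transaction size explicit: the same attacker model asks for 3 confirmations on a $3 coffee but 8 on a $30,000 car, and the Litecoin column shows that a faster block interval shortens the wait only if you trust that network's hashing power as much as Bitcoin's.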
Another factor that affects transaction processing time (and therefore the overall availability of the system) is scalability: the ability of the payment network to successfully absorb a very large number of simultaneous transactions. Visa processes on average 1,500 transactions per second (tps) in the US alone. The figure is much higher during rush hours and holiday seasons, so the maximum capacity of Visa's network is more than 10,000 tps. If we add to this all the transactions handled by other brands (MasterCard, American Express, Discover, and JCB) plus private label, stored value, and fleet card processors, we get a very serious load that is supported by a pretty sophisticated infrastructure. Now imagine that customers and merchants suddenly decide to abandon traditional payment cards and rush to spend and accept a crypto-currency. Is the Bitcoin network scalable enough to process an equivalent volume of transactions without significant delays and failures? Let's take another look at the Bitcoin design to review those two threats, delays and failures.
The size of a typical Bitcoin transaction record is about 500 bytes, while the block size is (artificially) limited to 250,000 bytes (the default block-creation limit in the reference client at the time of writing; the protocol's hard cap is 1,000,000 bytes), which means that on average at most 500 transactions can be added to a single block. With one block every 10 minutes, that gives a maximum current capacity of roughly 0.8 tps on the Bitcoin network. The initial confirmation of any over-the-limit payments will be delayed to a later block. In addition, the blockchain will grow significantly, demanding more storage and computing power from the processing nodes. Obviously, serious design changes as well as software updates and hardware upgrades are required to provide the scalability required by big retailers.
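To see how the fee rule from the fee discussion earlier and the block size limit interact, here is an added example (my own code, not from the original essay or from any Bitcoin client) that simulates a miner filling 250,000-byte blocks from a backlog of 500-byte transactions. The selection rule is a deliberate simplification: transactions are taken greedily by fee per byte, ignoring the coin-age priority rules the reference client of the time also applied. The backlog, the arrival rate and the three tracked payments (a zero-fee one, a normal 0.0001 BTC one and an overpaying "rush" one) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    size: int   # bytes
    fee: int    # satoshi (0.0001 BTC = 10_000 satoshi)


BLOCK_INTERVAL_SEC = 600          # Bitcoin's 10-minute target
MAX_BLOCK_BYTES = 250_000         # block-creation limit discussed above
TX_BYTES = 500                    # typical transaction size discussed above
STANDARD_FEE = 10_000             # 0.0001 BTC, the usual wallet default


def capacity_tps(max_block_bytes: int, avg_tx_bytes: int, interval_sec: int) -> float:
    """Upper bound on sustained throughput in transactions per second."""
    return (max_block_bytes // avg_tx_bytes) / interval_sec


def fee_rate(tx: Tx) -> float:
    return tx.fee / tx.size


def build_block(mempool: List[Tx], max_block_bytes: int) -> Tuple[List[Tx], List[Tx]]:
    """Greedy block template: highest fee per byte first until the block is full.
    Returns (included, still_waiting).  sorted() is stable, so transactions
    with equal fee rates keep their arrival order."""
    included, used = [], 0
    for tx in sorted(mempool, key=fee_rate, reverse=True):
        if used + tx.size <= max_block_bytes:
            included.append(tx)
            used += tx.size
    included_ids = {tx.txid for tx in included}
    waiting = [tx for tx in mempool if tx.txid not in included_ids]
    return included, waiting


def blocks_until_included(mempool: List[Tx], txid: str, max_block_bytes: int,
                          arrivals_per_block: int = 0, max_blocks: int = 1000) -> Optional[int]:
    """Mine blocks from the backlog until txid is included; returns the block
    number (1 = the very next block) or None.  Between blocks a steady stream
    of ordinary standard-fee transactions keeps arriving (assumed rate)."""
    pool = list(mempool)
    arrived = 0
    for n in range(1, max_blocks + 1):
        block, pool = build_block(pool, max_block_bytes)
        if any(tx.txid == txid for tx in block):
            return n
        pool.extend(Tx(f"arrival{arrived + i}", TX_BYTES, STANDARD_FEE)
                    for i in range(arrivals_per_block))
        arrived += arrivals_per_block
    return None


def make_scenario() -> List[Tx]:
    """Constructed backlog: 600 standard-fee transactions already waiting
    (more than one block's worth) plus the three payments we track."""
    backlog = [Tx(f"bg{i}", TX_BYTES, STANDARD_FEE) for i in range(600)]
    backlog += [
        Tx("rush", TX_BYTES, 5 * STANDARD_FEE),   # buyer overpays to jump the queue
        Tx("std", TX_BYTES, STANDARD_FEE),        # wallet default fee
        Tx("zero", TX_BYTES, 0),                  # no fee at all
    ]
    return backlog


SCENARIO_POOL = make_scenario()

if __name__ == "__main__":
    print(f"max capacity: {capacity_tps(MAX_BLOCK_BYTES, TX_BYTES, BLOCK_INTERVAL_SEC):.2f} tps")
    for txid in ("rush", "std", "zero"):
        n = blocks_until_included(SCENARIO_POOL, txid, MAX_BLOCK_BYTES, arrivals_per_block=450)
        print(f"{txid}: first confirmation in block {n}, about {n * BLOCK_INTERVAL_SEC // 60} min")
```

Without new arrivals the zero-fee payment gets into the second block anyway; with a steady inflow of paying transactions it keeps being pushed back (here to the fourth block, about 40 minutes), which is the "tip to skip the line" situation from the fee discussion. The 600-transaction backlog shows the over-limit effect: a full block's worth of paying customers waits a further ten minutes no matter what they do.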
One of the natural solutions to this problem would be using multiple parallel networks in the form of accepting alternative crypto-currencies (“altcoins”) such as Litecoin and Worldcoin. Currently, there are more than 80 types of altcoins, and many of them are actively traded online and have significant market capitalization. Each altcoin has an independent blockchain and network of transaction processing nodes.
Another option is changing the design of the Bitcoin blockchain; for example, expanding the block size, reducing the time between the blocks, or maybe even adding parallel blockchains that would be able to absorb more transactions simultaneously.
The risk of failure is less obvious but more dangerous. The networks of Visa and other card payment brands are supported by thousands of paid professionals who continuously design, develop, test, and maintain their systems. The Bitcoin network is supported by a community of crypto-currency enthusiasts who do not report to any private company or state, meaning there is no accountability (itself a security property) if something goes wrong. We don't know exactly how decisions on code changes are made, or how secure the Bitcoin software development lifecycle is. A single bug or virus in a Bitcoin client application can bring down the entire system as well as significantly affect the Bitcoin exchange rate. This is not hypothetical: in March 2013 an incompatibility between versions 0.7 and 0.8 of the reference client (older nodes rejected a large block because of a database lock limit) split the network into two chains for several hours until miners voluntarily went back to the older version. Perhaps this is another reason for merchants to preserve diversity of payment methods and accept multiple crypto-currencies.
With that said, I like Bitcoin for its brilliant idea, comprehensive design, cutting-edge technology, and taste of freedom. I believe that all the problems eventually will be resolved in one way or another.
Zerocoin is supposed to solve the problem with Bitcoin anonymity, or rather pseudonymity. Initially, it was designed as an extension to the Bitcoin network. Now the authors plan to create and release Zerocoin as a new, separate crypto-currency with infrastructure independent from the Bitcoin network.
Here is a good explanation of the Bitcoin anonymity problem.
The Bitcoin payment network offers a highly decentralized mechanism for creating and transferring electronic cash around the world. Unfortunately, Bitcoin suffers from a major limitation: since transactions are stored in a public ledger (called the “block chain”) it may be possible to trace the history of any given payment — even years after the fact. Worse, since the Bitcoin ledger is public, any party can recover this information and data mine to identify users and patterns in the transactions. In other words: Bitcoin transactions are conducted in public. The Bitcoin protocol and clients address this in two ways: (1) all Bitcoin transactions are conducted using public keys as identifiers, and these public keys are not linked to individual names. And (2) Bitcoin clients are capable of generating many public keys (“identities”) to help users resist tracking. Unfortunately, a growing body of research indicates that these protections are insufficient. This information may allow data miners to link individual transactions, identify related payments, and otherwise trace the activities of Bitcoin users.
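The quoted passage refers to "a growing body of research" that links Bitcoin addresses; the simplest and most widely used of those techniques is the common-input-ownership heuristic: all inputs of one transaction are assumed to be controlled by the same wallet, because signing the transaction required every one of their private keys. Here is an added example (my own code, not from the Zerocoin project or from the original post) that applies that heuristic with a union-find structure to a constructed toy ledger and then lists every payment made by the resulting cluster. Addresses and amounts are made-up labels; an address that received two separate payments can appear as an input in two transactions, which is what makes the clusters merge.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Constructed toy ledger: (txid, input addresses, [(output address, amount)]).
# Labels stand in for addresses; amounts are in mBTC.  A1..A4 belong to one
# wallet, B1 and C1/C2 to other wallets, M1..M4 are merchants.
LEDGER: List[Tuple[str, List[str], List[Tuple[str, int]]]] = [
    ("tx1", ["A1", "A2"], [("M1", 5000), ("A3", 1000)]),  # pays M1, change to A3
    ("tx2", ["A2", "A4"], [("M2", 1000)]),                # A2 had received a second coin
    ("tx3", ["A3", "A4"], [("M3", 1100)]),                # A4 had received a second coin
    ("tx4", ["B1"], [("A1", 3000)]),                      # someone pays the wallet
    ("tx5", ["C1", "C2"], [("M4", 2500)]),                # unrelated wallet
]


class DisjointSet:
    """Union-find over address labels."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(ledger) -> Dict[str, FrozenSet[str]]:
    """Map every address to the set of addresses the heuristic says share an owner."""
    ds = DisjointSet()
    for _, inputs, outputs in ledger:
        for addr in inputs:
            ds.find(addr)                 # register single-input spenders too
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)     # common-input-ownership heuristic
        for addr, _ in outputs:
            ds.find(addr)                 # recipients start as singleton clusters
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def payments_by(ledger, clusters: Dict[str, FrozenSet[str]], addr: str) -> List[Tuple[str, str, int]]:
    """Every payment made by the wallet that owns addr, excluding outputs that
    go back to the same cluster (change the heuristic managed to recognise)."""
    owner = clusters[addr]
    paid = []
    for txid, inputs, outputs in ledger:
        if any(i in owner for i in inputs):
            paid.extend((txid, dest, amount) for dest, amount in outputs if dest not in owner)
    return paid


if __name__ == "__main__":
    clusters = cluster_addresses(LEDGER)
    print("cluster containing A1:", sorted(clusters["A1"]))
    print("payments by that wallet:", payments_by(LEDGER, clusters, "A1"))
```

Knowing that A1 belongs to a particular person (say, because it was posted on a donation page) now exposes A2, A3 and A4 and the three merchant payments, even though A3 and A4 only ever appeared as "fresh" addresses. A change output that is never co-spent again stays unlinked by this heuristic alone; the change-address heuristics in the research literature go further, and Zerocoin's goal is to break the input-to-output link entirely.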
Marriott hotels join the ever-growing group of retailers, including Target, Neiman Marcus, Michaels, and many other merchants, that have recently experienced credit and debit card data breaches.
Marriott's Response to White Lodging Data Breach