My new book Bitcoin for Nonmathematicians is now available in Amazon Kindle and B&N Nook ebook formats
Recently, I had a discussion about information security, and somebody asked me “how’s bitcoin actually related to information security?”
Here is how bitcoin is linked to information security.
First, bitcoin is an alternative payment system, which was created in order to resolve the security problems of online payments, and theoretically it can replace plastic cards everywhere, not just online. I hope everyone knows about the security problems of the payment card industry. If by any chance you don’t, read Hacking Point of Sale.
Second, bitcoin’s own security is based on cryptography, which is one of the most important subjects of information security. If you want to know more about bitcoin cryptography, read Bitcoin for Nonmathematicians.
And finally, bitcoin is currently one of the main methods of payment on darknet marketplaces where bad guys sell the results of bad information security: our stolen credit cards, medical records, bank accounts, etc. If you want to know more about the darknet and data breaches… Well, perhaps I should start writing a book about it.
Here is the final cover design for my new Bitcoin book which will be released soon.
Apple Pay, one year later: Why mobile payments have failed to catch on as we're still looking for something better
This essay was previously published by City A.M. on December 17, 2015
Mobile payments became a hot topic just about the time when the first iPhone was introduced by Steve Jobs in 2007. Back then, experts in the payment, retail, telecommunication, and banking industries started thinking about the smartphone as a viable alternative to the physical wallet, suggesting many different technologies, but no one knew exactly what the winner was going to look like.
The only thing they knew for sure: traditional banks, payment brands (like Visa and MasterCard), and merchant payment processors (like First Data and Heartland) would remain an indispensable part of the business. The game rules were changed in 2008 when Satoshi Nakamoto (whose real identity is still unknown) published a short white paper called Bitcoin: A Peer-to-Peer Electronic Cash System.
The most important innovation of bitcoin is the fact that neither banks nor payment brands are necessary anymore in order to process secure and reliable electronic transactions between customers and merchants, both online and in store.
Merchant payment processors were put out of the equation as well; however, the industry realised that among other problems, bitcoin transaction processing time is too slow (at least 10 minutes) to compete in a brick-and-mortar merchant environment with plastic cards, which get approvals within milliseconds.
Some intermediary should still exist between merchants and the blockchain in order to facilitate commercial-grade crypto payment processing, and so the gap was quickly filled by new payment processors specializing in blockchain technology, such as BitPay and Coinkite.
Finally, the breakthrough cryptocurrency was more or less adapted to the harsh conditions of retail stores. But it still was not ready for the mainstream, due to the lack of convenience which is required in order to win the battle against plastic cards.
Mobile phones were already used for in-store bitcoin transactions, but scanning a barcode from the point of sale display was not as elegant and simple as swiping or waving the plastic card.
So many people, myself included, were surprised when in 2014 Apple announced its Apple Pay.
Instead of creating anything revolutionary similar to blockchain, it fully relied on aging plastic cards and outdated systems behind the scenes: magnetic and chip & pin card technologies at least 30–50 years old.
The supercomplexity of the existing payment infrastructure was increased by adding another superstructure, which inevitably led to problems with reliability and security.
The formula is simple: the more complex the system, the more unreliable and insecure it becomes. We all know the truth about the “security” of plastic cards (think about mega breaches like Target).
Apple Pay uses some technical “tricks” to hide the card number and communicate it securely between the iPhone and the bank, but here is the problem:
Apple and other mobile payment solution providers such as Google and Samsung still “allow” us to keep those insecure magnetic stripe or chip & pin cards.
Consumers will continue using them because mobile payments are still not as common as plastics, merchants will continue accepting them, and while we are all still waiting for better technology, we will be caught together by the next generation of card data breaches.
My article in City A.M. about mobile and crypto payments: Apple Pay, one year later: Why mobile payments have failed to catch on as we're still looking for something better
This essay was previously published by VentureBeat on December 13, 2015
When Apple Pay was first announced back in September 2014, I was very enthusiastic about it. Finally, a dream come true! Someone, and not just someone but the biggest company in the world, had come up with a new generation of payment technology that would combine mobile and biometric forces. The long chain of disappointments, however, started almost immediately.
First, it turned out that the “new technology” was nothing more than just a dexterous combination of our old, limping friends — plastic magnetic bank cards and EMV (EuroPay, MasterCard, Visa) chip cards — seasoned with shiny Touch ID (which isn’t a new technology either, to be honest). Well, I thought, remembering the classics, maybe there is nothing new under the sun and Apple Pay isn’t an exception. At least it provided a more convenient way of payment than the older predecessors it imitated behind the scenes. So I patiently waited for the upgrade (not timed with either an iPhone or major iOS release) that would bring me Apple Pay.
While waiting for Apple Pay to arrive, I decided to learn more about the details of new technology. But it turned out that Apple hadn’t bothered to provide an exact technical description of Apple Pay components, which led to multiple speculations and concerns about its level of security. For example, it was unclear whether the actual card PAN (Primary Account Number) or its “scrambled” version was stored on the device.
Finally, Apple Pay arrived on October 20, 2014, and I managed to enter in one of my cards. It did not accept all of my plastics, however. In fact, it did not accept (and still doesn’t) the one I use for day-to-day grocery shopping. No matter, I rushed to the closest grocery store to impress myself and the cashier.
Unfortunately, the store’s payment terminal ignored all my attempts to wave the phone using various trajectories. The cashier asked me what I was trying to do. When I explained, she did not seem to understand. Finally, I pulled out my card, finished the transaction, and headed to another store, where I experienced the same situation. It turned out that most merchants didn’t — and still don’t — support Apple Pay. Eventually, I found one that did and managed to make my first Apple Payment. It worked surprisingly quickly and smoothly.
However, problems began with my second or third payment. My transaction was declined. A second attempt did not help. The cashier told me I didn’t have enough money in my account. Since it was actually a debit card behind the Apple Pay mask, I started worrying about my bank account: had it been hacked? Fortunately, since I could not use Apple Pay in most stores, I still carried my plastic cards with me. So I swiped a card through Apple Pay (the same card that had been declined just a minute earlier), and, lo and behold, it passed. I thought the mistake was an occasional glitch that Apple would soon fix. But when I tried to use Apple Pay several days later, the result was exactly the same. That was my last try. I didn’t want to explain to skeptical cashiers anymore that I did actually have money in my account.
Now I am even more convinced that systems like Apple Pay, Android Pay, and Samsung Pay, which just pretend to be new technology but in fact are complicated (and therefore unreliable) superstructures based on multiple old mechanisms, must eventually be superseded by completely new things. For example, Bitcoin or future cryptocurrency technology based on the Bitcoin concept but supported and enhanced by the banking and payment industries would be good candidates for universal payment systems for several reasons.
First, cryptocurrencies are open source protocols not linked to particular brands like Apple Pay or Android Pay, which makes them more attractive and accessible for everyone. Second, they are a totally new, revolutionary technology compared to magnetic stripes and even EMV, which are already 30–50 years old (remember that most existing mobile payment solutions are still using plastic cards underneath their shiny modern facades).
Finally, Bitcoin, unlike plastic cards (and mobile payments!), is much more secure as it is based on strong cryptography and does not have a single point of failure in its implementation. At least in theory. But that is a topic for a separate discussion.
If you are not familiar with Tor yet, you should learn about it. In a nutshell, Tor is a system for anonymous Internet browsing. You can install the Tor software and browse the Internet anonymously. If you are using Tor along with Bitcoin, you can enjoy Internet freedom and privacy.
This is a Kickstarter project that is supposed to create a Tor hardware box. Anonabox should be safer and more convenient than the Tor software, as it routes all the traffic from your Ethernet connection through the Tor network.
The phrase "devalue the data" was used several times by the new PCI SSC General Manager Steve Orfei in his keynote today during the PCI Community Meeting in Orlando. I like the term - data devaluation - and that's obviously the right direction. It means that payment transaction data, even if intercepted and stolen by hackers, cannot be useful for processing new transactions. In the payment card industry it can be achieved by using different technologies and their combinations: EMV, P2PE, and tokenization. But it took the payment industry several decades to realize that the data must be devalued, and it will take many more years to fully implement such devaluation. Unlike PCI, Bitcoin and other cryptocurrencies are designed in a way that transaction data has no value by definition. So is it worth making efforts and trying to patch the old technologies in order to achieve the same level of security that new technologies already provide out of the box?
This is a brief and clear explanation of the Bitcoin transaction malleability bug which caused the bankruptcy and shutdown of Mt. Gox, one of the biggest Bitcoin exchanges. There is a reference to the slides from the original presentation at the recent Black Hat USA 2014 conference.
I'll be doing two one-hour book signings at Black Hat USA 2014 and DEF CON 22 conferences in Las Vegas:
Black Hat USA 2014:
August 6, 2014, 5:30 pm
Mandalay Bay Conference Center, Tripwire booth 141
(I'll be doing a short presentation before the book signing)
DEF CON 22:
August 8, 2014, 11:00 am
Rio Hotel & Casino, No Starch Press community table in Vendor Area