Visa pilots mobile-payment with US Bank

Visa has finally released their mobile-payment pilot with US Bank.

After the chip is inserted, smart phone users download an application housed on a secure server controlled by U.S. Bank. The application authenticates the user and his password. The application also links the phone to a payment vehicle. U.S. Bank employees’ phones will be linked to the U.S. Bank’s AccelaPay, a Visa-branded prepaid payroll card. “Bank employees have been depositing money into their card accounts,” Venturo said. Monitise plc and FIS, formerly known as Fidelity National Information Services, two mobile payment-service providers, developed an application that enables smart phone users to make purchases and check account balances as part of the pilot.

You may remember the promotional video from last May that showed how to “Streamline Your Ballgame Experience”. It starts with a sports fan who lost his wallet and says life would be soooooo much easier if he could make payments with his phone and “much less stressful” to not have to “figure out how much money to bring”:

Why is it so hard to calculate how much money to bring?

I guess it is easier to spend your money if you do not calculate your budget ahead of time. This is, after all, a promotional video for living on credit.

Anyway, security feels misrepresented by these press releases and videos. Here is a good example:

The marketing makes a case for less risk because you do not have to carry cash but instead carry something that can easily be replaced — a chip that makes payments.

The problem with this analysis is that, instead of a limited amount of cash, you are carrying an expensive and easily stolen or broken smart phone.

When an iPhone gets ripped out of your hand or dropped on the ground, dumped in your beer, etc. there will not be any more payments made unless you carry a spare iPhone. Cash is a lot more resilient. You also are more likely to be robbed waving around your $400 iPhone with payment chip just to make $10 beer and hot dog purchases.

Losing either one could be equivalent, except for the fact that proximity cloning of a payment chip would mean you could “lose” it without even realizing that it has been stolen. This is similar to identity “theft” when you still have your identity but it also is being shared around the world by criminals for fraud.

Speaking of proximity attacks, the press release gives a funny example why they think a phone is a more convenient option for payments:

If successful, Gajda thinks the smart phone could replace the wallet because of the phone’s location in consumers’ clothing.

“The smart phone is much closer to your hand than a wallet,” he said, explaining that men keep their smart phones in their front pants pocket and their wallets in their back pants pocket.

Maybe they should have called it the man-payment?

What if I put my wallet in my front pocket and my phone in my satchel?

I want my payment chip in a holster on my side so I can out-draw others. Whip up charges faster than anyone else who might be trying to make a payment. Bling, bling, bling…

So I see inexpensive and convenient in the marketing campaign but not a lot of…security. Looks like it might be getting swept under the rug.

New ATM skim attacks use MP3 players

The European ATM Security Team (EAST) report released yesterday gives evidence of several changes in attacker behavior and tools:

The increase in ATM skimming incidents reported by EAST for the period January to June 2010 continues, with eleven countries reporting increases in such incidents, and four countries decreases. One country has reported that instead of maximising fraudulent cash withdrawals at a single ATM, criminals are now visiting more ATMs and using fewer cards at each site. A new type of analogue skimming device, using audio technology, has been reported by five countries.

China Hijacks 0.015% of Internet Traffic!

Arbor Networks’ Craig Labovitz digs into the debate over Chinese manipulation of Internet routing. His analysis is the best I have seen so far on this issue. He cites original source material and also explains why the real issue appears to be very different than what is being said by those selling fear — cyberwar books (maybe even mugs now).

Here is his report: China Hijacks 15% of Internet Traffic!

While traffic may have exhibited a modest increase to the Chinese Internet provider (AS23724), I’d estimate diverted never topped a handful of Gbps. And in an Internet quickly approaching 80-100Tbps, 1-3 Gbps of traffic is far from 15% (it is much closer to 0.015%).

In fairness, I should note that I don’t know how Mr. Alperovitch obtained his 15% number (the article does not say) and a hijack of 40k routes out of a default-free table of ~340K is not far from fifteen percent. But of course, routes are different from traffic. I also add that both China denied the hijack and many Internet researchers suspect the incident was likely accidental.

The comments below his blog entry support Craig’s analysis with further evidence, page 252 of the congressional report:

For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers.* Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China.

Source 116 is a briefing that Dmitri Alperovitch gave to the Commission Staff on Aug 25 2010. Your assessment of ‘15% of routes’ vs. ‘15% of volume traffic’ is correct, and it looks like Dmitri was misinterpreted.

I also should mention, to be fair, that other blogs have done a good job summarizing the situation and ending with a different conclusion. Renesys, for example, gives a look at how hard it is to prove a negative — prove that China did not look at traffic they could see. They end up suggesting the April 8th traffic flows could have been a demonstration of Chinese “muscle-flexing” to demonstrate “trivially exploitable” Internet infrastructure:

the stage is set for traffic redirection. When you need to send Internet traffic to the defender (for example, to send him email or read his website), it’s passed towards the “closest” organization that asserted ownership. A large fraction of all the defender’s inbound traffic is potentially redirected straight into the waiting arms of the attacker. And until they withdraw their BGP route assertion, or their neighbors start filtering it out, there’s no way to stop it. It’s that simple.
In fact, it’s so simple, that it happens every year to somebody through sheer accidental misconfiguration. It’s been happening like this, periodically, at varying levels of severity, for over a decade. Sometimes it happens to just a network or two, as in Pakistan’s global hijacking of Youtube. Sometimes it happens to tens of thousands of prefixes, as someone briefly asserts ownership of huge swaths of the Internet. Sometimes it’s China, and sometimes it’s Con-Ed. We’ve seen it happen so many times, to so many people, that when it happened again in April, we didn’t even feel like investing the time to blog about it. [Emphasis added]

Ok, now we’re getting somewhere. So, did the April 8th event target the US Government?

No, almost certainly not.

“Almost certainly” might not be good enough for some people. Here is the rub. Some say that China will do evil things, period, and cannot be trusted. Regardless of whether that is true or not, there is no evidence in this instance that they did anything evil.
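The routes-versus-traffic distinction and the origin assertions discussed above can be checked mechanically. The following is an added example, not code from Arbor or Renesys: it compares announcements against an expected-origin table, flags same-prefix and more-specific mismatches, and reports the share of routes affected next to the share of traffic. All prefixes, AS numbers and traffic volumes are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: expected origin AS per prefix, plus an
# assumed traffic volume in Mbps (documentation prefixes and AS numbers).
EXPECTED = {
    "192.0.2.0/24":    (64500, 900.0),
    "198.51.100.0/24": (64501, 50.0),
    "203.0.113.0/24":  (64502, 30.0),
    "10.10.0.0/16":    (64503, 20.0),
}
# Constructed BGP announcements as (prefix, origin AS) seen by a monitor.
SEEN = [
    ("192.0.2.0/24", 64500),      # matches the expected origin
    ("198.51.100.0/24", 64666),   # same prefix, unexpected origin
    ("10.10.4.0/24", 64666),      # more-specific of 10.10.0.0/16
    ("203.0.113.0/24", 64502),    # matches the expected origin
]

def classify(prefix, origin, expected=EXPECTED):
    """Return (status, covering expected prefix or None)."""
    net = ipaddress.ip_network(prefix)
    best = None
    for exp in expected:
        exp_net = ipaddress.ip_network(exp)
        # subnet_of raises on mixed IPv4/IPv6, so compare versions first
        if net.version == exp_net.version and net.subnet_of(exp_net):
            if best is None or exp_net.prefixlen > ipaddress.ip_network(best).prefixlen:
                best = exp  # keep the longest covering expected prefix
    if best is None:
        return "unknown", None
    if expected[best][0] == origin:
        return "ok", best
    kind = "origin-mismatch" if ipaddress.ip_network(best) == net else "sub-prefix"
    return kind, best

def exposure(seen=SEEN, expected=EXPECTED):
    """Share of expected routes affected vs. share of traffic at risk.

    A sub-prefix mismatch counts the whole covering prefix's traffic,
    so the traffic share is an upper bound.
    """
    hit = {cov for p, o in seen
           for status, cov in [classify(p, o, expected)]
           if status in ("origin-mismatch", "sub-prefix")}
    route_share = len(hit) / len(expected)
    total = sum(volume for _, volume in expected.values())
    traffic_share = sum(expected[p][1] for p in hit) / total
    return sorted(hit), route_share, traffic_share
```

With this constructed data, half of the expected routes are affected while only 7% of the traffic is, because the busiest prefix is untouched.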

Critical Infrastructure Alcohol Abuse

The Office of Inspector General in the US Department of Energy has just released a “Letter Report on ‘Inspection of Allegations Relating to Irregularities in the Human Reliability Program and Alcohol Abuse within the Office of Secure Transportation’” (OST):

Specifically, a review of OST documentation and interviews confirmed the occurrence of 16 alcohol-related incidents involving OST Agents, Agent Candidates and other personnel from 2007 through 2009. To put this situation in some perspective, the 16 alcohol-related incidents experienced by OST from 2007 through 2009 were from a total population of approximately 597 OST Agents, Agent Candidates and other personnel. Of the 16 incidents, 2 were of the greatest concern because they occurred during secure transportation missions while the Agents were in Rest Overnight Status, which occurs during extended missions where [nuclear weapon] convoy vehicles are placed in a safe harbor and Agents check into local area hotels. In 2007, an Agent was arrested for public intoxication, and, in 2009, two Agents were handcuffed and temporarily detained by police officers after an incident at a local bar. OST management took what appeared to be appropriate action in these cases. However, in our judgment, alcohol incidents such as these, as infrequent as they may be, indicate a potential vulnerability in OST’s critical national security mission

Vehicles with nuclear weapons go into safe harbor overnight but Agents can go out on the town. That pretty much says it all.

The 16 incidents could implicate 3% of staff. The report does not make any formal recommendations and so it also does not try to figure out if this is a case of a few bad apples or a loosely managed and thereby insecure operation overall.

Either way, the report concludes that nuclear weapons and thereby national security are in the hands of staff who often become involved in “incidents” related to alcohol.