Friday , August 17, 2018

Security Notes: Complexity: The Enemy Within

The price paid for the dazzling convenience of swipe-and-pay and thumb-and-buy is the monstrosity of backroom complexity. The convenience of Venmo, PayPal, and Square hides the growing dependence on layers on layers of protocols, equipment, and technologies.

Indeed, the flipside of clicking out your banking needs on your phone is that payment has become a Rube Goldberg spaghetti tangle, which no one knows in the whole, and where hackers can find easy-access holes.

It’s the market’s dictate: Everyone tries to win customers by making it as easy as child’s play to move funds. So no one can afford to put security first.

By contrast, convenience is an everyday occurrence. It is how you are judged versus the other payment-service providers. So to survive, you care first and foremost about the user’s experience.

But the user does not see the growing layers of technology, the increasing complexity of algorithms, the menacing dependence on more and more suppliers in farther and farther places. Payment knowledge is exploding, but it is handled by narrower and narrower expertise with a dimmer and dimmer view of the payment cycle as a whole.

Talk to a seasoned payment technologist. She will talk convincingly about the relative merits of different cryptographic modules. But does she understand these modules firsthand? Modern cryptography is based on modular arithmetic, group theory, lattice theory, computability and complexity theory, information theory, probability, entropy, and combinatorics, to name a few. These branches of mathematics require years of learning. The respective experts, by and large, know little about payment technology, much as payment-protocol designers know little about the crypto math.

This mismatch invites the creative hacker to wedge in. Case in point: a side-channel attack. While mathematicians have been scribbling their intimidating crypto equations, and payment technologists have been plugging in crypto modules on electronic boards, the hackers have bypassed the math as if it were the Maginot Line. They’ve monitored the electromagnetic activity emanating from the crypto chip itself.

So while the mathematicians congratulate themselves at their conferences (I know, I go to them), and while the technologists blindly install their products across the payment landscape, the hackers exploit the stitches between these disjointed islands of expertise.

So much has been written about “black swans.” When a big one happens, all the experts tweet, “I told you so!” But we let it happen again and again.

Take digital currency. Most cryptocurrency traders are totally clueless with respect to the mathematical complexity and protocol interconnectedness that run this trade. Yet, the Massachusetts Institute of Technology has joined in warning that quantum computers are coming and they will destroy Bitcoin.

Reports warn that payment technology is vulnerable to implementation bugs and malware sneaking into servers, payment terminals, and network protocols. But this is ignored in favor of the drive to put an easy and appealing interface before the consumer. Apple now uses incredibly complex technology to identify a staring face, so even Touch ID is not needed. Hackers have just begun to take this new technology apart.

What you buy may be complex, what you purchase may be something magical. But what you use to pay should be utterly simple. Our civil order depends on the clarity and simplicity of money and on frictionless but complexity-free payment.

Oddly enough, digital money is ready to pass as the 21st Century version of the old counterfeit-resistant cash. We just have to look at it in the right way. We have to strip off the idea that resolving a hash function (whatever that math monster is) generates money out of thin air, and embrace the simple but powerful idea that money can be minted in the form of a string of bits.

This “bittable” money is the modern equivalent of the old “biteable” coin. Only bits store easily, are secured easily, and transact easily. The basis of this modern cash is primitive randomness and pattern-free sequences, not pattern-complex money like Bitcoin.

Just keep this in mind: Complexity inches up on us, but its collapse will be instantaneous.

—Gideon Samid •

Check Also

Change at Payment Alliance International As Three Top Execs, Including Two Cofounders, Exit

Payment Alliance International, the Louisville, Ky.-based ATM operator, is in the midst of a strategic …