WikiLeaks Revelation Opens Mobile Security Concerns

March 28, 2017 Marketing GrafWebCUSO

In early March, WikiLeaks revealed the Vault 7 papers, allegedly an insight into CIA techniques. However, their unveiling created a commotion in the security community, particularly when it comes to payments.

“2017 has already proven to be an entertaining and enlightening year on the payments and transactions front,” said Jon Ungerland, cofounder of the Aurora, Colo.-based mobile transaction platform provider DaLand Solutions. However, he added, it has also been intriguing, given the concerns and the public and political debates over cyberwarfare, hacking, information security, dragnet surveillance, wiretapping, and a myriad of other personal data privacy and security topics.

On March 7, WikiLeaks released a series of documents it called Vault 7. According to WikiLeaks, the top-secret documents revealed how intelligence personnel can exploit and gain access to an extensive array of devices such as network routers, web browsers, cell phones and smart TVs. “In short, the documents detail engineering designs and paths to access or control virtually any internet-connected device to spy on you (or monitor what you’re doing),” Ungerland explained.

The CIA neither confirmed nor denied the authenticity of these documents, but Ungerland suggested the revelation should concern individuals. “A quick review of the meeting minutes, engineering specs and plans, work lists, etc., seems to indicate they are authentic plans for developing exploitative code. If even partially authentic or true in nature, we should be soiling our metaphorical privacy pants.”

Ungerland added, “Set aside all the possible privacy infringement concerns or constitutional violations, and observe the most basic of pragmatic concerns – Vault 7 documents suggest holders of this exploitative technology (spies, governments, etc.) can’t be deterred by the encryption on your phone, no matter how good it is (despite manufacturer claims).”

That’s because once these tools make their way onto a phone, they can monitor and record outgoing data before it’s encrypted and incoming data after it’s decrypted. “That means your allegedly secure mobile transactions aren’t quite as secure as you may have been led to believe,” Ungerland said.

Technological capabilities and consumer expectations continue to converge on mobile as the basis for a myriad of transactions. Bitcoin, mobile wallets and retailer-branded mobile apps intertwine to update funds movement and transactions in the modern era and the mobile arena.

“Whenever we’re talking about transacting or storing value on a mobile phone (which all the above do) we enter the world where payments and information security/personal privacy are eternally entangled. Or, at least they should be,” Ungerland suggested.

He warned, “Still not connecting the series of compromising dots to the financial sector or financial transactions? Perhaps this comment from John McAfee (founder of McAfee antivirus) will help drive home the chilling and disturbing reality: ‘Some people have hundreds of thousands of dollars on their smartphone wallet. And I tell them – if you give me your phone number, in five minutes I will transfer all of your bitcoins into my account.’”

Revelations like Vault 7 challenge assumptions about the security and stability of the device-dependent or local-device payments platforms that dominate this moment suspended between the freaky future and the fragile past, Ungerland said. “Financial institutions simply don’t control the devices which dictate the new norms and expectations for convenient and modern transactions – and as it turns out, neither do consumers – prying eyes do.”

However, if the good guys have this technology now, how long do you think it will be before the bad guys have it? “For that matter, the Vault 7 documents are 1-4 years old, so the bad guys may very well have this technology now,” Ungerland added.

“This all points to one of the chief premises upon which DaLand’s STI platform was designed, namely that on-device processing is not secure. Never has been; never will be,” Ungerland said. He added that when DaLand set out to build a versatile and flexible platform to support any transaction, the company placed an inviolable value on centralized, secure, non-local transaction processing. “When I used to tell people that, they’d always ask, ‘so what?’ Vault 7 answers the ‘so what’ question.”