Last week StorefrontBacktalk ran an article on Mobile Wallets. It underscored my personal naivete in assuming that anyone who designed and built a digital wallet for ecommerce would first and foremost protect customer payment data and other private information. Reading this post I had one of those genuine “Oh $&!#” moments – what if the wallet provider was not interested in my security or privacy? Duh!

A wallet is a small data store for your financial, personal, and shopping information.

Think about that for a minute. If you buy stuff on your computer or from your phone via an eWallet app, over time it will collect a ton of information. Transaction receipts. Merchant lists. Merchant relationship information such as passwords. Buying history. Digital coupons. Pricing information. Favorites and wish lists. Private keys. This is all in addition to “payment instruments” such as credit cards, PayPal accounts, and bank account information, and to personal data including phone number, address, and (possibly) Social Security Number for antitheft/identity verification. It’s everything about you and your buying history all in one spot – effectively a personal data warehouse, on you. And it’s critical that you control your own data. This is a really big deal! To underscore why, let me provide a similar example from an everyday security product.

For those of you in security, wallets are effectively personal equivalents to key management servers and Hardware Security Modules (HSMs). Key management vendors do not have full access to their customers’ encryption keys. You do not and would not give them a backdoor to the keys that secure your entire IT infrastructure. The whole point of an HSM is to secure the data from everyone who is not authorized to use it. And only the customer who owns the HSM gets to decide who gets keys.

For those of you not in security, think of the eWallet as a combination wallet and keychain. It’s how you gain access to your home, your car, your mailbox, your office, and possibly your neighbors’ houses for when you catsit. And it holds your cash (technically more like a blank checkbook, along with your electronic signature), credit cards, debit card, pictures of your kids, and that Post-It with your passwords. You don’t hand this stuff out to third parties! Heck, when your kid wants to borrow the car, you only give them one key and forty bucks for gas – they don’t get everything!

But the eWallet systems described in that article don’t belong to you – they are the property of third parties, who would naturally want the ability to rummage through them for useful (marketing and sales) data – what you might consider your data. Human history clearly shows that if someone can abuse your trust for financial gain, they will. Seriously, people – don’t give your wallet to strangers.

Let’s throw a couple design principles out there for people who are building these apps:

  1. If the wallet does not secure all the user’s content – not just credit card data – it’s insecure and the design is a failure.
  2. If the wallet’s author does not architect and implement controls for the user to select what they wish to share with third parties, they have failed.
  3. If the wallet does not programmatically protect one ‘pocket’, or compartment inside the wallet, from other compartments, it is untrustworthy (as is its creator).
  4. If the wallet has a vendor backdoor, it has failed.
  5. If the wallet does not use secure and publicly validated communications protocols, it has failed.

Wallet designers need to consider the HSM / key management security model. It must protect user data from all outsiders first and foremost. If sharing data/coupons/trends/transaction receipts, easy shopping, “loyalty points”, providing location data, or any other objective supersedes security: the wallet needs to be scrapped and re-engineered. Security models like iOS compartmentalization could be adapted, but any intra-wallet communication must be tightly controlled – likely forcing third parties to perform various actions outside the wallet, if the wallet cannot enable them with sufficient security and privacy.
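To make principles 2, 3 and 4 concrete, here is an added example (mine, not from the post or any wallet vendor) of the key hierarchy such a model implies: a user-held master key, one key per pocket, and sharing as an explicit per-pocket grant, so the provider can store the sealed pockets but cannot open any of them. The `Wallet` class and pocket names are hypothetical, and HMAC-SHA256 in counter mode stands in for a real AEAD so the code runs with only the standard library.

```python
import hashlib
import hmac
import secrets

def derive_master_key(passphrase: str, salt: bytes) -> bytes:
    # Root key is derived from the user's passphrase and never stored or sent anywhere.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def compartment_key(master: bytes, pocket: str) -> bytes:
    # One key per pocket; holding one pocket's key says nothing about any other.
    return hmac.new(master, b"pocket:" + pocket.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for a real AEAD (e.g. AES-GCM) using only the stdlib: HMAC-CTR + encrypt-then-MAC.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong pocket key or tampered pocket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Wallet:
    """Hypothetical wallet: the provider may store the sealed pockets but holds no key."""
    def __init__(self, passphrase: str):
        self.salt = secrets.token_bytes(16)
        self._master = derive_master_key(passphrase, self.salt)
        self.pockets = {}  # pocket name -> sealed blob

    def put(self, pocket: str, data: bytes) -> None:
        self.pockets[pocket] = seal(compartment_key(self._master, pocket), data)
    def grant(self, pocket: str) -> dict:
        # Principle 2: the user explicitly releases exactly one pocket's key, nothing else.
        return {"pocket": pocket, "key": compartment_key(self._master, pocket)}

def third_party_read(wallet: Wallet, grant: dict, pocket: str) -> bytes:
    # Principle 3: a grant for one pocket cannot open another; principle 4: no vendor key exists.
    return open_sealed(grant["key"], wallet.pockets[pocket])
```

A merchant holding a `loyalty` grant can read coupons but gets an integrity failure, not data, when it points the same grant at the `cards` pocket.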

I’ll follow up by considering the critical components of a wallet, as a general design framework; things like payment protocols, communications protocols, logging, authentication, and digital receipts should all be standardized. But more important: the roles of buyer, seller, and any mediators should be defined publicly. Just because some giant company creates an eWallet does not mean you should trust it.
