Monday, June 30, 2008

Don't Shoot The Messenger

Mark Roberti, owner of the popular RFID Journal (http://www.rfidjournal.com) recently posted a small piece on the RFID Journal Blog where he admonished Greg Day, an analyst for security company McAfee, for comments he made regarding the security issues surrounding contactless payments. While I feel Mr. Roberti has every right to express his opinion of Mr. Day, I was a bit disappointed in a comment he made which I felt characterized security experts as fear mongers:

"So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point."

I sent the following email to Mr. Roberti:

Mark,
I read the article titled "Yes, Contactless Payments Are Safe" and found the final line more than a little alarming:
"So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point."
While there are many instances we all can point to where scare tactics are used to promote agendas, not all security experts are trying to scare people. In fact, one of the basic tenets of the RFID Security Alliance is to avoid using scare tactics, to carefully present information as factually as possible, and to foster a collaborative environment to discuss the issues surrounding RFID and security.
As a security expert, there are several points in the article that I would like to discuss. For example, the point of OTA dynamic security patches. Many systems designed to be managed in this manner are fraught with security issues. The iPhone, for example, has had many security patches applied to it in a similar manner (not OTA, but through a downloaded update), and is generally hacked again within 24-48 hours. OTA management systems, once breached, can become a means of mass hacking from literally thousands of miles away. I would love to discuss a threat model about this issue.
Security experts are not here merely to generate Fear, Uncertainty, and Doubt. Believe it or not, many of us truly care about being ethical and shy away from scaring people. Many security problems are caused by fear mongering, because people tend to make rash decisions out of fear, and that is rarely the best decision. Consumers do indeed have much to be concerned with, and security experts are working hard (around the clock) to address and FIX the problems. That is the true measure of our success. Please reconsider the tone of this article. RFID Journal is arguably the most prominent RFID publication in this nation. What you say carries a lot of weight, and the tone of this article may serve to alienate many stakeholders who are indeed concerned with creating secure RFID solutions.
Please consider attending a meeting of the RFID Security Alliance. I have invited you several times. Your presence would be welcomed.
Thank You,
Mike Ahmadi


Mr. Roberti graciously replied:

Mike,
It's interesting that you are alarmed by my comment about security experts and not alarmed by the original article in which Greg Day says that this is a huge threat to consumers. It's okay for Day to say something that is extremely detrimental to the NFC industry, but it's not okay for me to be critical of security experts?
If the Alliance has credibility, it should come out and condemn Day and his irresponsible comments and then set the record straight. I'm sure not all security experts are trying to scare people, but I frankly haven't seen a lot of evidence of that. Comments like Day's are far more common.
Having said that, I'm interested in open and honest discussion of the issues. I suggest you post your comments about OTA on the blog page for others to read. I'm sure many readers will be interested.
Mark


My response:

Mark,
Thank you very much for your quick response. It is certainly okay for you to voice your opinion on any topic. I truly believe that is what makes the internet fantastic. My point is that you carry quite a bit of weight in what you say. I would like to posit that more people in the RFID industry are familiar with Mark Roberti than they are with Greg Day.
That being said, I do not feel the credibility of the RFID Security Alliance hinges on the condemnation of anyone. We are not here to admonish anyone. We are trying to foster open discussions of the security issues surrounding the secure implementation of RFID systems. That is why the RFIDSA is open to all who wish to attend.
As for the comments Greg Day made in the article you mention, I could not find it through the link on your blog, but I did find the Reuters article at the Reuters site:
http://uk.reuters.com/articlePrint?articleId=UKNOA94822420080519
While I understand how many in the NFC industry may be concerned by some of Day's comments, I am curious as to why you feel his comments are any more or less irresponsible than making the blanket statement that Contactless Payments Are Safe. Once again, your words carry a lot of weight, and such statements should be carefully considered.
Is there any way we can perhaps foster more of an environment where the RFIDSA can work together with RFID Journal to deliver the message in a better way? I can understand your viewpoint about security experts being alarmist, but there are many of us who choose not to take that stance, and would like to foster a more cooperative environment. Your support can go a long way to creating an environment where we ALL achieve the credibility we would like to have.
Sincerely,
Mike Ahmadi

Mr. Roberti's response:

Mike,
Here is why I feel my comments are not irresponsible and his are. First, McAfee is a company that is well known and carries a great deal of weight with consumers. The article was published by Reuters, a news agency picked up by hundreds, maybe thousands, of newspapers around the world. It had the potential to influence millions of consumers, and yet Day provided no evidence or reasons for claiming NFC phones are such a huge threat. He said only that criminals will steal in small increments. He doesn't explain what the security flaws are or why they can't be addressed by the NFC industry. Reuters was equally irresponsible for not having an NFC person respond in the article.
My blanket statement was not irresponsible because my statement is demonstrably true. Even if a hacker steals information stored on your NFC phone and makes a fraudulent purchase, you are not any more responsible for that purchase than you would be if the waiter you gave your card to last night used it to buy something. Also, to my knowledge, there has not been a single case of an NFC device being abused. Further, one would have to be insane to believe that the makers of phones and NFC chips will not continue to enhance the technology in an effort to make it safer.
You may believe that my statement is inaccurate. But I think you would be hard pressed to say that I did not try to support it with the facts as I know them, as opposed to Day, who does not support his argument. I recognize that I don't know everything, so if you believe my statement to be wrong, then I would welcome you to publish an article on RFID Journal to say why. I have credibility because I am willing to criticize those in my industry who would not respect people's privacy and because I am willing to publish views that are contrary to and/or critical of my own. Not only am I willing, I believe it is essential to the RFID industry to do so.
So I’m more than willing to work with any party to enlighten and inform the public and the RFID industry about potential problems.

mark

Mr. Roberti then posted a new entry:

Fairness
Yes, it is true that consumers have much to be concerned about and it is true that the cost of NFC fraud would be passed on to them. It's equally true that when credit card numbers are stolen from databases and when mag stripe cards are cloned, consumers pay the price for that too. I was wrong to generalize. All security experts aren't trying to scare people. But Day's comments were grossly irresponsible and potentially very damaging to the NFC industry and to consumers who could benefit from the technology should it take off.

I wish to thank Mr. Roberti for clarification of his statement, and wish to once again invite him to attend a meeting of the RFID Security Alliance. As of this date, all my requests to Mr. Roberti to attend a meeting have gone unanswered.

I am sure Mr. Roberti is a very busy person. He should, however, consider working directly with security experts in order to avoid such misunderstandings in the future.

Just my opinion, so take it or leave it!