The seminar was held under Chatham House rules — as, indeed, was the seminar that I went to at Chatham House last week — so I can’t go into any details on organisational positions, but I will say that I found the strategic perspective limited. One recirculating meme was that of market failure. A couple of people said something like “the market hasn’t produced secure solutions”, which I think is a misunderstanding of what a market is. If banks wanted better security, they would already be paying for it. To some of the participants, particularly from law enforcement, this is evidence of a market failing, where to me it is evidence of a market working. If the law enforcement guys want, for example, better security for payment cards then they need to either transfer more of the cost of failure away from the public purse and on to the industry (which they’ve started to do in the UK by no longer treating card fraud as a crime) or incentivise the desired behaviour.
The Home Office has been accused of failing to take credit card fraud seriously after it was revealed the crime can no longer be reported by victims directly to the police.
[From Police News – Card Fraud ‘Being Decriminalised’]
There were some crimes being discussed, such as mortgage fraud, that are clearly of scale but unquantified. No-one seemed to know how much of it is going on or how it breaks down. Others, such as sanctions-busting, are very important but there is no obvious way that technology can help: if the tanks get loaded onto the ship labelled “Kenya” then dropped off in Sudan instead, I don’t think that better passwords or chip cards will make much difference to be honest.
As to how technology could make a difference, someone asked a representative of the banking sector precisely that question, and we were told to improve the keys on JCBs! Apparently, every time one of these is driven through a bank wall to steal the ATM, the bank loses about a hundred grand on the ATM and the cash inside, together with five times as much to repair the bank branch. Since the incidence of this kind of crime is both seasonal (it rises towards the holiday season) and recession-enhanced, making mechanical diggers harder to steal would make all the difference!
A major part of the discussion was about the use of PINs captured from tampered POS terminals to withdraw money from overseas ATMs, a crime that is almost out of control here. Hopefully, the use of ICVV should mean that there is a fall in this type of fraud in prospect, but it did once again set me thinking about the dynamic. When customers only ever put PINs into highly-secure, bank-controlled devices (ie, ATMs) then PINs were a good solution to the authentication problem. But now that those PINs are being used in insecure terminals (and in the future maybe on the Internet and in mobile phones) they are as much the problem as the solution. One way forward would be to begin to introduce biometrics for larger transactions, and that’s something we’ll be discussing at next year’s Digital Money Forum. But in the meantime, forum friend Chris Skinner pointed me to a good source of PIN ideas over at Halfbakery, by the way, so you may want to pop over there and enjoy a few of them while I get one of the guys to write me a Javascript to automatically submit all of them to the Patent Office.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public
The nerd in me was piqued when I read how banking technology should address keys and JCBs. Visions of HSMs, Key Management and card brands danced around in my head, until I read the punch line about mechanical diggers and ATM repair costs. I’m glad that your blogs are not strait-jacketed. I look forward to reading your blogs.
Cheers & Thanks,
Manju