Does AI mean the End of PIN on Glass?


The launch of PCI’s SPoC specification, Software PIN on COTS (Commercial Off-The-Shelf; that’s PIN on mobile or PIN on Glass to you and me), raised an eyebrow or two at Consult Hyperion. Could PIN on mobile actually be secure? Researchers at Newcastle University have published a paper showing that PINs entered on a mobile can be recovered by capturing the mobile’s sensor data.

We’re well versed in building the security architectures and systems needed to secure payment cards on mobile devices using software-only solutions (think Google Pay, Barclaycard Contactless Mobile or Worldpay’s fabulous My Business Mobile card reader), all of which protect card PANs in one way or another. As well as building security, we are just as adept at testing such architectures and implementations to validate their security. This leads us to ask the question: is securing a cardholder’s PIN the same as securing a card PAN?

Gut instinct would suggest that exposing a PIN is riskier than exposing a PAN, but the two are not symmetric. A PIN cannot be used without the PAN, whereas a PAN can be used without the PIN. Indeed, the PAN alone can be used for online payments; the PIN is only of use if the physical card is present.

PCI SPoC sets out a comprehensive architecture to protect the cardholder’s PIN involving the mobile device, the card reader and the host system, which is all very sensible. From a business point of view, reducing the cost of the card reader by removing the physical keypad may make accepting payment cards a more attractive option. Equally, from a customer experience point of view it appears quick, easy and less cumbersome than interacting with a separate PIN entry device (PED).

However, what if you could use the mobile device’s own sensors to steal the PIN? Is this possible? Can you use a mobile’s sensor data to recreate a PIN? Even if it were possible, surely a PIN entry application would ensure the sensor data was blocked? Researchers at Newcastle University published a paper, “Stealing PINs via Mobile Sensors: Actual Risk versus User Perception”, in which they claim an accuracy of 80% in obtaining PINs from mobile sensors. If true, this would significantly compromise PIN on Glass solutions as set out in the PCI SPoC standard.

We set our Hyperlab team the task of recreating the research to fully understand the proposed attack, whether it translates into a realistic attack and, if so, whether we could counter it. We contacted the researchers at Newcastle University, who were very helpful in setting us on the right path to recreate their work. We built the PIN Logger app and the AI engine which processes the data to attempt to “guess the PIN”. The attack works by feeding mobile sensor data (motion and orientation sensors) into a machine learning engine, in this case a neural network, which then determines which PIN digit was pressed. However, before the engine can correctly guess a digit it needs to learn the patterns of sensor data associated with each key. That takes data, lots of data, and lots of processing power.

In their paper, the researchers at Newcastle University used 1.4 million data points (that’s 140,000 per PIN digit) to train their neural network over 10 million iterations, after which they were able to achieve 70-80% accuracy on a restricted set of PINs (just 50 PINs from the 10,000 possible four-digit PINs).

Our Hyperlab team worked their magic and, by applying a few restrictions and limitations (using fewer data points and restricting mobile PIN entry to a single plane), we were able to reproduce the attack with 30% accuracy. We could move the accuracy up or down by feeding more or fewer data points when training the neural network, which leads us to believe that the results obtained by the Newcastle researchers are achievable. What’s more, it is not possible to block a background app on Android from obtaining sensor data whilst PIN entry (as defined in PCI SPoC) is taking place; Android 9 restricts delivery of continuous-reporting sensor data to apps in the background, but a SPoC design cannot rely on every merchant handset running it. Surely this is a disaster for software PIN on Glass?

There are several things to consider here. In order to mount the attack you need around 1.4 million data points and plenty of processing power to train the neural network, and that is just for a single model of mobile device. The training app also needs to use the same keypad layout as the keypad you are trying to steal PINs from. A malicious data-gathering app then needs to be present and active on a PCI SPoC device. Even then it does not know when a PIN is being entered, and has to find the PIN entry among the rest of the screen taps, e-mails, SMS and rounds of Candy Crush that a merchant may use their mobile for on a normal day. That amount of noise in the captured data, on its own, goes a long way towards rendering the attack impractical.
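To make the mechanics concrete, here is a small added example (not the Hyperlab PIN Logger or the Newcastle team’s code). It fakes a phone’s gyroscope response to taps on a 3×4 keypad, trains a classifier on labelled taps and then reads a PIN back from a sequence of readings. The sensor model and every number in it are assumptions chosen to show the effect, not measurements, and the classifier is a nearest-centroid model standing in for the paper’s neural network. It also lets you see what happens to accuracy when the training set shrinks and the noise (other taps, hand movement) grows.

```python
import random
from statistics import mean

# Phone-style keypad layout as (column, row); the 0 key sits under the 8.
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3),
}


def simulate_tap(digit, noise_sigma, rng):
    """Constructed sensor model (an assumption, not measured data).

    Tapping a key that is off-centre rolls the handset about its long axis
    and pitches it about its short axis, so the peak gyroscope reading for
    a tap is taken to be proportional to the key's offset from the middle
    of the keypad, plus Gaussian noise from hand tremor and other motion.
    """
    col, row = KEYPAD[digit]
    roll = (col - 1.0) + rng.gauss(0.0, noise_sigma)
    pitch = (row - 1.5) + rng.gauss(0.0, noise_sigma)
    return (roll, pitch)


def collect(n_per_digit, noise_sigma, rng):
    """Labelled (sensor reading, digit) pairs: the 'PIN Logger' training set."""
    return [(simulate_tap(d, noise_sigma, rng), d)
            for d in KEYPAD for _ in range(n_per_digit)]


def train(samples):
    """Nearest-centroid model: the mean (roll, pitch) seen for each digit."""
    by_digit = {}
    for feat, digit in samples:
        by_digit.setdefault(digit, []).append(feat)
    return {d: (mean(f[0] for f in feats), mean(f[1] for f in feats))
            for d, feats in by_digit.items()}


def classify(model, feat):
    """Digit whose centroid is closest (squared Euclidean) to the reading."""
    return min(model, key=lambda d: (feat[0] - model[d][0]) ** 2
                                    + (feat[1] - model[d][1]) ** 2)


def recover_pin(model, taps):
    """Classify each tap in turn; the attacker reads the PIN off the result."""
    return "".join(classify(model, t) for t in taps)


def accuracy(n_per_digit, noise_sigma, seed=1):
    """Per-digit accuracy after training on n_per_digit samples per key."""
    rng = random.Random(seed)
    model = train(collect(n_per_digit, noise_sigma, rng))
    test = collect(200, noise_sigma, rng)
    hits = sum(classify(model, f) == d for f, d in test)
    return hits / len(test)


def demo_pin(pin="1234", noise_sigma=0.1, seed=1):
    """Train on clean taps, then recover a PIN from four fresh readings."""
    rng = random.Random(seed)
    model = train(collect(100, noise_sigma, rng))
    taps = [simulate_tap(d, noise_sigma, rng) for d in pin]
    return recover_pin(model, taps)


if __name__ == "__main__":
    print("clean, well trained:", accuracy(200, 0.2))
    print("noisy, little data: ", accuracy(5, 2.0))
    print("recovered PIN:", demo_pin())
```

Run it and the clean, well-trained case recovers digits almost every time, while the noisy, under-trained case falls back towards guessing. The real attacker’s extra problem, not modelled here, is working out which of the day’s taps were the PIN at all.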

Hats off to the researchers at Newcastle University: their paper and attack vector are enlightening and should be taken seriously. Whilst we do not believe it is a scalable attack, it will certainly be taken into consideration when we build our next clients’ security architectures to support PCI SPoC PIN entry.

Consult Hyperion is known for robust architecture designs and rigorous test plans, making sure our clients launch products and services that protect their customers’ financial and personal data, and the brand reputation of the client. If you would like to talk to us, please do get in touch: info@chyp.com

And Relax …


According to a reputable news source (well, the Daily Mail), the Royal Mint is casting (sic) around to find things to do when the Treasury caves to the inevitable and tells them to quit wasting everyone’s time and money by minting coins. They’ve come up with the idea of making a credit card out of real gold. This isn’t the Royal Mint’s idea, of course. They stole it wholesale from 30 Rock a few years ago.
 
The cards will have the owner’s signature engraved on the back (I’ve no idea why, since the card schemes are discontinuing the use of the pointless signature panels on cards) and will apparently be worth $3,000 each, which (as a number of Twitter wags immediately pointed out) will greatly increase the number of fake ATMs in the streets around Belgravia after midnight. They are apparently working on ways to get these 18-carat gold cards to work in ATMs and, of course, at contactless terminals.
 
Wait, what?
 
Contactless?
 
How do you make metal cards work in contactless terminals? The metal card messes with the magnetic jiggery-pokery that makes contactless cards work: a contactless card is powered and read through a 13.56 MHz magnetic field coupled into its antenna coil, and a solid metal body sitting in that field soaks up the energy as eddy currents and detunes the antenna. I know this because Consult Hyperion’s awesome contactless robot test rig (below) has a frame for the card, terminal or device under investigation that is made from wood, so that there’s no metal in the field when testing.
 

 
The metal contactless cards that I’ve seen before are made using a plastic laminate or by cutting a segment from the metal and replacing it with plastic, so I discounted this report on the Royal Mint’s bold ambitions, filed it away and went off to enjoy Money20/20 in Las Vegas with my Consult Hyperion colleagues.
 

 
I had a great time in Las Vegas chairing the “Around the World of Identity” session on the first day, and then I enjoyed the tremendous privilege of interviewing Jed McCaleb and Adam Ludwin of Interstellar on the main stage on the third day. Interstellar is the crypto giant formed by the takeover of Adam’s Chain by Stellar’s Lightyear. This was particularly fun for me because I’d visited both Stellar [here] and Chain [here] for our “Tomorrow’s Transactions” podcast series some time ago (we rather pride ourselves on helping clients to spot what’s coming next) and had noted that both of these guys were really smart and really nice. As they proved on stage.
 

 
During a break from conference sessions, business meetings and blackjack I went for a stroll around the exhibition floor to catch up with old friends and see what sort of fun fintech things are heading our way. You could have knocked me down with a feather when I spotted a stand from Amatech, who are based in Galway in Ireland. They were prominently displaying the bold claim that they had working contactless metal cards. Naturally I went to investigate, and it turns out that they were telling the truth. They’ve developed a clever manufacturing process that combines multiple layers of metal with different electromagnetic characteristics so that the metal card now helps the chip on the card to communicate contactlessly instead of blocking such communications. Wow. Very cool (and they can do it with graphite too). I saw it working with my own eyes…
 

 
For all the talk about changing business models in the self-sovereign identity world to orient around data sharing, re-imagining AML with AI to change the cost-benefit around the regulations and using cryptocurrency to transfer value across borders, you just can’t beat talking with someone who has made something that you didn’t know existed until you saw it. The satisfying clunk of a metal card on a glass counter was the highlight of the day for me. Apart from running into Shaq in the green room, of course.
 

 
Money2020 was exhausting, because all of our clients (and a great many of our prospective clients) are there and I loved meeting all of them, but I wouldn’t miss it! I’m already looking forward to flying the CHYP flag at the inaugural Money2020 China next month. See you all there!

Facebook has been hacked…


I notice that Facebook has been hacked. Apparently, some 30 million people had their phone numbers and personal details exposed in a “major cyber attack” on the social network in September. Around half of them had their usernames, gender, language, relationship status, religion, hometown, city, birthday, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches all compromised. Wow.
 
Now, I don’t really care about this much personally. Like all normal people I have Facebook and enjoy using it to connect with family and close friends, but I don’t use my “real” name for it and I never, ever gave in to their pleading for my phone number. Not because I was unsure that it would at some point get hacked (I assumed this to be the case) or because I thought that if I used it for two-factor authentication they might use it for advertising purposes, but on the general data minimisation principle that it’s none of their business.
 
(We should, as a rule, never provide data to anyone even if we trust them unless it is strictly necessary to enable a specific transaction to take place.)
 
One of the reasons that I don’t care is that, just as people around the globe are getting spammed by fraudsters pretending to be Facebook, I’m not worried about spammers getting my data and pretending to be Facebook. When I get e-mail from Facebook, it is encrypted to the PGP key I registered for the e-mail address I use for this purpose (pseudonymous access) and signed by Facebook. See…
 

 
My e-mail client (in this case, Apple Mail) will flag up if the signature is invalid. If you want to send encrypted e-mail to me at mail@dgwbirch.com then you can get my PGP key from a public key server (check the fingerprint is 50EF 7B0E FD4B 3475 D456 4D7E 7268 01F2 A1C5 075B if you want to) and then fire away. It’s not that difficult. Facebook asked me if I wanted secure e-mail, I said yes, they asked me for my key, I gave it to them. End of. I really don’t understand why other organisations cannot do the same.
 
Banks, for example.
 
Here’s an e-mail that I got purporting to be from Barclays. They are asking me for feedback on their mortgage service and inviting me to click on a link. I suppose some people might fall for this sort of spamming but not me. I deleted it right away.
 

 
This of course might lead reasonable people to ask why Barclays can’t do the same as Facebook. Why can’t Barclays send e-mail that is encrypted, so that crooks can’t read it, and signed, so that I know it came from the bank and not from spammers? Surely it’s just a couple of lines of COBOL somewhere: ask me to upload my public key to their DB2 and then turn on encryption. Right? After all, it’s unencrypted and unsigned e-mail that is at the root of a great many frauds, so why not give customers the option of providing an S/MIME or PGP key and then using it to protect them?
 
Well, I think I know. I can remember a time working on a project for a client in Europe who asked, because of the very confidential nature of the work, that all e-mail be encrypted and signed. We spent all morning messing around with Outlook/Exchange to get S/MIME set up, to sort out certificates and so forth. But we eventually got it working and sent the first encrypted and signed mail. The client called back and asked if we could turn off encryption because the people working on the project were reading the e-mail on smartphones and didn’t have S/MIME on their devices. The next day they called and asked us to turn off signing because the digital signatures were confusing their anti-spam software and all of our e-mails were being put in escrow.
 
So we know absolutely everything about security and so did our counterparts and we still gave up because it was all too complicated. It’s just too hard.
 
(In Denmark, however, that excuse won’t wash. The Danes have decided that e-mails containing “confidential and sensitive personal data”, which certainly includes bank details, must be encrypted. The Data Inspectorate are reasonable people though: they note that this change “will require some adjustment in the private sector”, and so the new rule will not be enforced before 1st January 2019.)
 
Let’s not use encrypted and signed e-mail. I’ve got a better idea. Why don’t Barclays STOP USING EMAIL AND TEXTS, since they have an APP ON MY iPHONE that I use ALL THE TIME and they could send me SECURE MESSAGES using that? It’s time to move to conversational commerce based on messaging and forget about the bad old days of insecure, spam-filled, fraudophilic and passé e-mail.

Securing Payments in a Post-EMV Chip World


Now that the US has (finally) migrated from magnetic stripe to chip payments, and signature will soon be going too, the time has come to think about where the fraud will go next. This was the topic of a great discussion at Money 20/20 involving amongst others EMVCo, Capital One and USAA.

Obviously the first place fraud will jump to will be card-not-present transactions such as e-commerce. This is well understood by those of us who went through the EMV chip migration over a decade ago. Brian Byrne outlined the various initiatives in EMVCo to secure these transactions: tokenisation, 3-D Secure 2.0 (with live solutions imminent) and Secure Remote Commerce (SRC, which is open for public comment).

Increasingly though it’s an identity problem. Identity theft and synthetic identities are being used to attack payments in a number of ways.

Because EMV chip cards are much harder to counterfeit than magnetic stripe cards, fraudsters instead will try to get their hands on genuine cards. This could be through opening a fraudulent account or by taking over an account and ordering a replacement card.

Identity fraud will be a big issue in faster payments too, with a need for good authentication on both ends of the transaction.

Synthetic identities are a particular challenge. Detecting them is tough: it means spotting the subtle clues that indicate an identity record which looks legitimate has actually been cultivated over time by a fraudster. And this is big business, with criminals using the latest machine learning and ready access to data (thanks to all of those breaches) to launch well-organised attacks at scale.

In the following session, Professor Pedro Domingos (author of “The Master Algorithm”) gave the great quote “if you try to fight machine learning with code you are doomed”. But it is not simply a case of implementing machine learning. As the Prof explained, the characteristics of fraud are constantly changing so any machine learning system will need to be constantly tuned and re-trained to keep up.

Definitely a case of whack-a-mole.

Money 20/20 – Digital Identity Day


Where better to spend a day talking about digital identity than the Venetian in Vegas with its rather synthetic identity.

In giving the topic a full day track, the Money 20/20 organisers have recognised the increasing importance of the topic. However it is a topic that is not straightforward. Andrew Nash from Capital One was right when he said everyone has a different definition of identity. It’s a bit ironic – identity doesn’t have an identity. Here are three questions to summarise what we heard:

Is digital identity just about KYC or the broader sharing of personal data?

There is clearly still a lot of pain with KYC. Idemia explained how in the US, with its fragmented environment, doing basic things like creating digital driver’s licences that can be used across the country is hard.

But there is a shift of focus from the narrow KYC problem towards the broader issue of helping people to make their personal data portable in a way that removes friction, the “F” word of identity, as Neil Chapman from ForgeRock put it.

Filip Verley from Airbnb made a useful bridge between these two aspects. It is no surprise that reputation is fundamental to the Airbnb platform. Reputation is where the value is: Airbnb users don’t care what the name of a renter is, but they do want to know they are reputable. But for that to work well, that reputation needs to be anchored to the real identity that Airbnb has checked, i.e. their KYC.

Who is digital identity for – the person or the organisation?

Quite rightly there is now widespread acceptance that digital identity needs to be person centric. As well as the privacy point, there are practical reasons why it makes sense to put the person at the centre. For example, the person is in the best place to say which of the residential addresses associated with them is the one where they are actually living.

This is not the same as saying people own their identity. The organisations that provide services to people also have a stake in digital identity too. That’s why in Canada, as Joni Brennan explained, stakeholders across the economy are collaborating through the DIACC to address a need that is bigger than any one of them.

(Bianca Lopes, Joni Brennan and I talking about Digital Identity in Canada)

What will enable interoperable digital identities?

Unsurprisingly there was good representation from the DLT / blockchain crowd including Civic and Shyft. Heather Vescent gave a great overview of the standardisation work around Decentralised Identifiers (DIDs) and the desire of that community to create a new identity layer on the internet – perhaps an 8th “user” layer on top of the OSI 7-layered model of old. Whilst this work is being done through W3C it is still early days.

In contrast, FIDO2’s WebAuthn is now a Candidate Recommendation at W3C and is already supported by Chrome 70 for Android (released last week), meaning that ubiquitous strong device-based authentication (which includes biometrics) should not be far off. It’s great to see an initiative that, after a lot of hard work, looks like it’s about to become mainstream, providing a real step forward towards a more secure digital world.

 

 

Interstellar – Money 20/20 USA


One of the more interesting crypto stories of recent weeks was the announcement that Lightyear has bought Chain in order to create a new company, Interstellar, with the former Chain CEO Adam Ludwin as CEO and Jed McCaleb, co-founder of the Stellar Development Foundation and of Lightyear, as CTO. That’s an impressive combination, so it’s no wonder that it’s attracted plenty of attention, and no wonder in turn that I was delighted to be asked by Money20/20 to have a “fireside chat” with Adam and Jed on stage in Las Vegas on October 23rd. I’ll be talking to them about the rationale for the deal, their vision for the new company and their opinions on some of the wider issues around the evolution of what I have taken to calling the Enterprise Shared Ledger (ESL) category. Here’s the blurb…
 

“In 2014, on the Money20/20 stage, Adam Ludwin launched Chain and set out to lead the market for enterprise adoption of blockchain technology. That same year, Jed McCaleb founded Stellar, an open network that allows any currency or asset to be digitally issued, transferred, and exchanged over the internet. Now meet Interstellar, formed from the acquisition of Chain by Lightyear, Stellar’s commercial arm. For the first time at a major industry event, hear Interstellar’s co-founders share their vision for how assets of all kinds can be tokenized and transferred seamlessly over the internet. Learn how Interstellar seeks to accelerate the adoption of blockchain in the corporate world by providing enterprises–like Chain’s clients Visa, Nasdaq and Citi–access to Stellar’s public blockchain.”

 
From “Money20/20 US: Meet Interstellar: Tokens as the New For…”.
 
You’d be mad to miss this, in my humble opinion. The evolution of a regulated token market should be of great interest to anyone who is looking at the future of digital financial services and the next generation of new and better marketplaces.
 
(By the way, both Stellar and Chain are companies that we were interested in for a variety of reasons. If you want to hear something about them from the archives, here’s a podcast with Jill Carlson at Chain in 2016 and a podcast with Jed McCaleb and Joyce Kim at Stellar in 2015.)
 

 
(In case you are wondering about the title of this blog post, Interstellar Overdrive is Pink Floyd at their early avant-garde psychedelic proto-prog finest.)

Protecting customer data; Protecting your share price.


There was a pretty strong market reaction to the news that British Airways’ cybersecurity was bust. Whoever signed off on the web site must have been regretting cutting the security budget in favour of using celebrities for that annoying safety video when they read that “shares of British Airways’ parent company IAG fell around 4% as markets opened on Friday morning, hours after the airline said the credit card information of at least 380,000 customers had been ‘compromised’ in a data theft”. According to BA, the “compromised” data includes customers’ names, e-mail addresses, billing addresses and payment card information (including CVVs) but not passport details. It subsequently transpired that it was a “Magecart” attack: malicious JavaScript injected into the scripts running on the BA web site, skimming card details from the payment form as customers typed them in. Hardly surprising, in a way. After all, the booking page at BA runs 30 scripts, and remember that many of these are minified scripts spanning thousands of lines of code.
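Whether a page’s third-party scripts can be swapped for a skimmer is something you can check before an attacker does. The added example below is not BA’s code or the post’s; it is a hardening audit written for this page that parses the script tags of a (constructed) checkout page, flags any script loaded from an origin outside an allow-list or any third-party script lacking a Subresource Integrity hash, and emits the matching Content-Security-Policy script-src directive. Origins, file names and the digest value are assumed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Origins a checkout page is permitted to load scripts from (assumed names).
FIRST_PARTY = "https://www.example-airline.com"
ALLOWED_ORIGINS = {
    FIRST_PARTY,
    "https://cdn.example-analytics.com",  # vetted, pinned third party
}


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script> tag; src is None for inline code."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def parse_script_tags(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def audit_scripts(html, page_url):
    """Return (src, problem) for each script the policy would not accept."""
    page_origin = origin_of(page_url)
    findings = []
    for src, integrity in parse_script_tags(html):
        if src is None:
            findings.append(("(inline)", "inline script cannot be pinned with SRI; move it to a file"))
            continue
        origin = origin_of(urljoin(page_url, src))   # resolves relative paths
        if origin not in ALLOWED_ORIGINS:
            findings.append((src, f"origin {origin} is not on the allow-list"))
        elif origin != page_origin and not re.match(r"sha(256|384|512)-", integrity or ""):
            # Without SRI the browser will run whatever the CDN serves today.
            findings.append((src, "third-party script has no SRI integrity hash"))
    return findings


def csp_script_src():
    """The CSP directive that makes the browser enforce the same allow-list."""
    others = sorted(o for o in ALLOWED_ORIGINS if o != FIRST_PARTY)
    return "script-src 'self' " + " ".join(others)


# Constructed markup, not BA's real page: a booking page with five scripts.
SAMPLE_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-analytics.com/a.js"
        integrity="sha384-CONSTRUCTED_DIGEST_FOR_ILLUSTRATION"></script>
<script src="https://cdn.example-analytics.com/b.js"></script>
<script src="https://cdn.example-unknown.test/tracker.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""


def audit_sample():
    return audit_scripts(SAMPLE_HTML, FIRST_PARTY + "/book")


if __name__ == "__main__":
    for src, problem in audit_sample():
        print(f"{src}: {problem}")
    print(csp_script_src())
```

The first-party script and the pinned CDN script pass; the unpinned CDN script, the unknown origin (which is what an injected skimmer looks like to a crawler) and the inline script are reported. SRI protects against a tampered file at a known host; only the allow-list, ideally enforced by the CSP header, stops a script from somewhere new.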

Since I had booked a fair few flights during this period, which included arranging for family members to attend a funeral, I didn’t for one moment doubt that my card details had been hijacked by cyber-criminals. Indeed when I next logged in to check something else I saw a message from BA about something to do with security that I didn’t have time to read because I was in a hurry.

So it all sounds pretty bad.

I don’t really care though.

Here’s why:

First of all, thanks to the government’s nutty ban on card surcharging, I use the most expensive (for BA) payment products possible, which happen to be my American Express cards. Now in my experience, Amex has pretty good anti-fraud software in place and they call me from time to time to check if a transaction is valid. So if cyberrascals try to use my card to buy something I don’t normally buy in a place I don’t normally buy things, they will probably catch it.

Second of all, if they don’t catch it, it is Amex’s money that has been stolen, not mine. Thanks to a combination of consumer protection legislation and Amex terms and conditions, when the transaction shows up on my bill I’ll just call up and cancel it. And if there’s more than a couple of these transactions, I’ll cancel the card and Amex will send me a new one. I’m not going to be out of pocket and it’s not that much hassle.

Third of all, if they don’t catch it and the merchant was not using 3-D Secure, then it is the merchant who is out of pocket, not me or Amex. My Amex transactions all pop up on my phone, so if I see something I don’t recognise pop up, then I’ll call Amex to charge it back to whichever merchant was unwise enough to accept the card details.

TL;DR; Not bovvered.

(Incidentally, the last couple of times I’ve attempted to charge things back to Amex, it was for transactions that were actually correct. Due to the ancient ISO 8583 protocol, transactions don’t carry enough information for consumers to recognise them. So when I see a charge of £35 to “BA.COM” with no explanation of what it’s for, I of course automatically click on it for more details only there are no more details, so I charge it back only to discover it was for a change to a family member’s flight that I’d completely forgotten about. But I digress.)

The general problem here is of course that nobody should be typing payment card details into a web site any more, and no-one should be sending them anywhere in 2018. When I click to pay on the British Airways web site, the relevant details should pop up on my mobile phone (in this case, in my British Airways app) so that I can then pay with Apple Pay. This, as you know, passes a device-specific token plus a one-time transaction cryptogram to the acquirer rather than the actual card number, so it doesn’t matter if it is stolen: the token is of no use from another device or channel.

(As to why British Airways should handle payment details at all, well that’s a story for another day. In a rational world, British Airways would send a digitally-signed invoice to my chosen payment providers – let’s say, for example, my bank – who can then contact me for authorisation, generally by authenticating through a mobile phone app, and return a digitally-signed receipt to British Airways who can then issue the ticket.)

This sort of breach of card data may not be around for much longer though. Earlier in the year Deutsche Bank announced a pilot project with the International Air Transport Association (IATA), the trade association for the world’s airlines, to test a new payment model using account-to-account payments enabled by PSD2. I’m sure my BA app will sprout a new button to pay directly from my bank account (in return for double Avios or whatever) fairly soon and the very notion of storing payment card details to pay for travel will seen almost quaint.

But these are just the sort of problems we help clients figure out. Consult Hyperion does pretty interesting stuff, for pretty interesting people. Securing electronic transactions is in our DNA.

 

 

What’s next for rail travel?


Rail travel has been much in the news in the last few weeks in the UK, and it’s not been good. There are ongoing sporadic strikes at South Western Railways and Northern Rail. New timetables have not bedded down in some areas, leading to ongoing cancellations. Perhaps it is small wonder that a customer survey by Which?, published today, has indicated that rail travel is the least trusted consumer service, apart from second-hand car sales.
 
Ticket prices frequently come in for public criticism too. The announcement this week predicts fare increases of 3.5% for 2019, in line with RPI (the retail price index). But it is not only increases, and the absolute level of fares, that are problematic. As has long been the case with airlines, people sitting next to each other on the same journey may have paid very different fares, based on complex and opaque rules which may not be available on all sales channels or at every location. For example, this has led to the well-known anomaly where it can be cheaper to purchase multiple tickets to cover a whole journey (known as “split ticketing”) than to accept the best available point-to-point fare.
 
In a widely welcomed development, the Rail Delivery Group has announced a consultation on fare simplification, with the aim of producing recommendations by the autumn for the government to consider. If customers are presented with a simple set of options, with understandable rules, they will have more confidence that they have found the best available fare, and will save time; perhaps making the difference between opting for public transport and adding to congestion and pollution by using a private car.
 
Ideally, customers will investigate their journey options, pay for their right to travel and present those rights via their mobile phones, instead of adding to their own stress and to station congestion by trying to assess their options at a ticket vending machine. If such a facility can be integrated across other modes of public transport, so much the better.
 
In our assignments with transport authorities and operators on every continent, we have found that implementing politically-mandated changes to fare structures and policies with legacy ticketing systems is rarely straightforward. Typically, a range of kiosks, vending machines and hand-held devices need to be changed, in ways that may never have been envisaged when they were procured. In the worst case, customer media such as smart cards could need to be re-issued. In all cases, changes must be introduced across the estate as quickly as possible, to avoid incompatibilities and anomalies.
 
For these reasons, the focus of our consultancy and technical design services with agencies around the world has been on account-based ticketing. In this concept, the interaction between the customer media (preferably self-provided) and the gate or validator is kept very simple: essentially to log the entry and exit of the passenger into and out of the public transport system. Back-office systems check the customer’s right to travel, reconstruct journeys to ensure that the most advantageous fare is paid for pay-as-you-go, and arrange for net settlement between operators, so that all are compensated according to agreed rules. When a change to fare rules is required, there is a one-off change to a central system which, following adequate testing, can be switched on universally, overnight.
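As an added illustration of that back-office step (not any operator’s system, and with an assumed three-station fare table), the following reconstructs journeys from raw tap-in and tap-out events, charges the table fare for each completed journey, charges a maximum fare for an entry that is never matched by an exit, and applies a daily cap. Changing FARES or DAILY_CAP is the one-off central change the paragraph describes; nothing on the gate changes.

```python
from datetime import datetime

# Central fare table (assumed, three stations): the one thing that changes when
# fares policy changes. Fares are symmetric, so each pair is keyed as a frozenset.
FARES = {
    frozenset({"A", "B"}): 2.50,
    frozenset({"B", "C"}): 3.00,
    frozenset({"A", "C"}): 4.50,
}
DAILY_CAP = 8.00            # pay-as-you-go cap per card per calendar day
MAX_JOURNEY_MINUTES = 120   # an exit later than this does not close the entry
INCOMPLETE_FARE = 4.50      # charged when an entry is never matched by an exit


def reconstruct_journeys(taps):
    """Pair each card's entry tap with the next exit tap on that card.

    taps: (card_id, station, "in"/"out", ISO timestamp) tuples in any order,
    as they would arrive from gates and validators.
    Returns (card_id, day, from_station, to_station_or_None, fare) tuples.
    """
    by_card = {}
    for card, station, kind, ts in taps:
        by_card.setdefault(card, []).append((datetime.fromisoformat(ts), station, kind))

    journeys = []
    for card, events in by_card.items():
        events.sort()                     # chronological order per card
        open_entry = None                 # (time, station) of an unmatched tap-in
        for when, station, kind in events:
            if kind == "in":
                if open_entry is not None:
                    # Two entries in a row: the first never got an exit.
                    journeys.append((card, open_entry[0].date().isoformat(),
                                     open_entry[1], None, INCOMPLETE_FARE))
                open_entry = (when, station)
            elif open_entry is not None:
                start, origin = open_entry
                if (when - start).total_seconds() / 60 <= MAX_JOURNEY_MINUTES:
                    fare = 0.0 if origin == station else FARES[frozenset({origin, station})]
                    journeys.append((card, start.date().isoformat(), origin, station, fare))
                else:
                    journeys.append((card, start.date().isoformat(), origin, None, INCOMPLETE_FARE))
                open_entry = None
            # An exit with no open entry is dropped here; a real system would
            # flag it for revenue inspection.
        if open_entry is not None:
            journeys.append((card, open_entry[0].date().isoformat(),
                             open_entry[1], None, INCOMPLETE_FARE))
    return journeys


def daily_charges(journeys):
    """Sum fares per (card, day) and apply the daily cap."""
    totals = {}
    for card, day, _origin, _dest, fare in journeys:
        totals[(card, day)] = totals.get((card, day), 0.0) + fare
    return {k: round(min(v, DAILY_CAP), 2) for k, v in totals.items()}


# Constructed tap log for two cards over two days (not real data), deliberately
# out of order to show that the back office sorts per card.
SAMPLE_TAPS = [
    ("card1", "A", "in",  "2018-09-03T08:00:00"),
    ("card1", "B", "out", "2018-09-03T08:30:00"),
    ("card1", "B", "in",  "2018-09-03T17:30:00"),
    ("card1", "A", "out", "2018-09-03T18:00:00"),
    ("card1", "A", "in",  "2018-09-03T19:00:00"),
    ("card1", "C", "out", "2018-09-03T19:30:00"),
    ("card2", "C", "in",  "2018-09-04T10:00:00"),
    ("card2", "A", "out", "2018-09-04T10:45:00"),
    ("card2", "B", "in",  "2018-09-03T09:00:00"),   # no exit that day: max fare
]


def settle(taps=SAMPLE_TAPS):
    return daily_charges(reconstruct_journeys(taps))


if __name__ == "__main__":
    for journey in reconstruct_journeys(SAMPLE_TAPS):
        print(journey)
    print(settle())
```

card1 makes three journeys worth 9.50 and is charged the 8.00 cap; card2 pays the maximum fare for the unmatched entry on the first day and the A-C fare on the second.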
 
Consult Hyperion is helping transit operators on all continents across the world to make the right choices and deliver improved customer experiences. Keen to hear more? Contact us at info@chyp.com.
 

Real news about fake apps


The (real) news over the past couple of years has been full of reports of fake news. Well now we have fake apps too.
 
Last week this report from ESET [1] highlighted fake mobile banking apps on the Google Play store. According to the article ESET discovered and reported a set of fake banking apps that were published and remained on Google Play between June and July 2018. These apps offered lucrative deals to the unwitting banking consumer, one for instance claiming to increase your credit card limit if you installed them. They are of course nothing more than a phishing scam – collecting account and card payment details allowing the scammer to empty your bank account.
 

 
Fake apps displaying forms to phish consumer’s bank login details (source [1]).
 
As you can see some effort was put into making the apps look authentic in order to fool the customer. But how is it that they managed to fool Google into allowing those apps onto the app store in the first place?
 
Ironically, Google has a “Safe Browsing” initiative to protect consumers from phishing and malware. Play Protect (the successor to Google Bouncer) is used to protect the store and its consumers from malware, spyware and trojans. Google also employs automated scans to detect known threats, plus heuristics and data analytics on metadata, to monitor downloads and usage and detect anomalies.
 
So whilst Google does try to spot the technical threats that might compromise a person’s device, it appears they are not always able to spot the blatantly obvious: one of the apps says it’s from ICICI, but the developer is not ICICI.
 
In fact, by the time the fake app was reported to Google and removed from the store, the damage had already been done to several thousand trusting consumers!
 
What can banks do about this to protect their customers? Quite a lot actually. In a robust digital banking solution, the bank will employ numerous measures to establish the authenticity of the device, access channel and customer. A bank should be able to detect when there is a man-in-the-middle and when information captured on one device or channel is replayed into another device or channel. The technology to do this exists and we have been helping banks employ it for years. Unfortunately, until all banks do the same consumers will need to be extra vigilant about the financial apps they load onto their devices.
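The kind of device and channel check referred to above, shown as an added example rather than Consult Hyperion's or any bank's code: each enrolled device holds a per-device HMAC key (an assumption about the enrolment step), every request is bound to its device, its access channel, a fresh nonce and a timestamp, and the bank side refuses anything whose binding fields disagree with where the request actually arrived, whose nonce has already been seen, or whose timestamp falls outside a constructed 120-second window. The device key and sample requests are constructed for the demonstration.

```python
"""Device/channel binding with replay detection (added example, not a bank's code)."""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 120  # assumption: how old a request may be before it is refused


def sign_request(device_key: bytes, device_id: str, channel: str,
                 nonce: str, timestamp: int, payload: dict) -> dict:
    """Client side: bind the payload to a device, a channel, a nonce and a time.

    The MAC covers every binding field, so changing any of them (for example
    replaying a request captured in the app channel into the web channel)
    invalidates the tag.
    """
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    msg = "|".join([device_id, channel, nonce, str(timestamp), body]).encode()
    tag = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return {"device_id": device_id, "channel": channel, "nonce": nonce,
            "timestamp": timestamp, "payload": payload, "mac": tag}


class RequestVerifier:
    """Bank side: holds the enrolled (channel, key) per device and the nonces seen."""

    def __init__(self, device_keys: dict, now=time.time):
        self.device_keys = device_keys   # device_id -> (enrolled channel, key)
        self.seen_nonces = {}            # nonce -> time at which it may be forgotten
        self.now = now                   # injectable clock so the check is testable

    def verify(self, req: dict, presented_on: str) -> tuple:
        """Return (accepted, reason) for a request that arrived on `presented_on`."""
        dev = self.device_keys.get(req.get("device_id"))
        if dev is None:
            return False, "unknown device"
        enrolled_channel, key = dev
        # Channel binding: the enrolled channel, the channel named in the signed
        # request and the channel it actually arrived on must all agree.
        if not (enrolled_channel == req["channel"] == presented_on):
            return False, "channel mismatch"
        now = int(self.now())
        if abs(now - int(req["timestamp"])) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # Forget nonces older than the window, then refuse any nonce already seen.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if req["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(key, req["device_id"], req["channel"], req["nonce"],
                                req["timestamp"], req["payload"])["mac"]
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"
        # Record the nonce only after the MAC check, so unauthenticated traffic
        # cannot burn nonces on the device's behalf.
        self.seen_nonces[req["nonce"]] = now + MAX_SKEW_SECONDS
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-device-key"          # constructed; real keys come from enrolment
    verifier = RequestVerifier({"dev-A": ("mobile", key)}, now=lambda: 1_000_000)
    req = sign_request(key, "dev-A", "mobile", "n1", 1_000_000,
                       {"to": "acct-1", "amount": 10})
    print(verifier.verify(req, "mobile"))    # accepted
    print(verifier.verify(req, "mobile"))    # same nonce again: refused
    print(verifier.verify(req, "web"))       # captured in the app, replayed on the web: refused
```

The two pieces that matter are that the MAC covers the channel and device identifiers as well as the payload, and that nonce bookkeeping happens only after the MAC has been checked. A fake app that harvests credentials still cannot produce a valid tag without the enrolled device's key, and a captured request cannot be moved to another channel or presented twice.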
 
References:
 
[1] Fake banking apps on Google Play leak stolen credit card data, ESET, published on 26 July 2018. More information is available here https://www.welivesecurity.com/2018/07/26/fake-banking-apps-google-play-leak-stolen-credit-card-data/

Rearranging the banks


In his new book “Digital Human”, Chris Skinner sets out a straightforward vision of the bank of the future. He says (I paraphrase slightly) that the back office is about analytics, the middle office is about APIs and the front office is moving to smart apps on smart devices. I was thinking about this in an open banking context, and it gave me an idea for a useful way to help people think about the impending change in retail financial services in general and retail banking in particular. Let’s start from the traditional manufacturing/distribution model of retail banking that we are all familiar with and recall the broad economics of that model. On a global basis (these are the McKinsey version of the figures, but others are similar), it is distribution that takes the lion’s share of the profits and makes the better return on equity (ROE).

Dynamics of Open Banking

So now let’s rebuild that model for an open banking world using Chris’ back, middle and front office structure and think about the key technologies that will be transforming the businesses. I’ve invented the word “packaging” to describe the additional essential process that is needed to complete what we call the “Amazonisation” of banking, whereby products are manufactured as API services and distributed through the consumption of API services. This gives the three-part model that Chris describes a practical technological backbone to make it work.

Front, Middle and Back Office

What we don’t know, of course, is how this model will redistribute ROE. How will banks and “challenger banks” (we prefer the term “niche banks”), non-banks and neo-banks respond to the split of manufacturing and distribution that the new “packaging” layer (again, not sure if that’s the right term, I just couldn’t think of a better one) brings? That’s obviously a key question and one that is pretty important for organisations who are planning any kind of strategy around financial services in general or payments in particular. Since this includes many of our clients, we spend a lot of time thinking about this and the connection between technological choices that are being made now and the long-term strategic options for organisations.

Consult Hyperion took part in a recent American Banker Open Banking “Bootcamp” (a two-part webinar) on the topic. My colleague Tim Richards and I were able to explore some of our ideas and draw on some of our practical experiences with bankers, suppliers and other practitioners. It was fun to take part in and we really enjoyed it because we were able to learn as well as to share. I mention the webinar here because, as part of the bootcamp, Mark Curran from CYBG (The Clydesdale Bank, Yorkshire Bank, “B” Bank Group and now also Virgin Money) set out a very clear high-level view of the three strategic options available to retail banks. We think it’s useful to share them here: the “traditional” bank, the bank as a platform (think Starling) and the bank as an aggregator (think HSBC and Citi).

Basic Bank Responses to Open Banking

If, as many people think, it turns out that ROE will remain higher in distribution then the commoditisation of the manufacturing function (as it turns into a “utility”) may well threaten some of the incumbents, because they will not be able to adjust the economics of their manufacturing operation quickly enough to stay in business! This may sound like a radical prediction, but it really is not.

The reality for many banks will, of course, be more of a mixture of these approaches, but you can see the point. The decoupling of the manufacturing and distribution means that banks will have to make some important decisions about where to play, and soon. We’ve already seen how some banks (eg, HSBC) have moved to exploit the aggregator strategy and how some banks (eg, Starling) have moved to become platforms with rich app stores. But what we think may be under-appreciated is the extent to which the traditional bank can develop the packaging process not to shift to one of these strategies but to make itself more efficient and to improve the time-to-market for new products and services while keeping the costs of IT infrastructure under control.

In other words, it makes sense for banks to amazonise themselves.
