Consult Hyperion’s Live 5 for 2019

It’s that time of year again. I’ve had a chat with my colleagues at Consult Hyperion, gone back over my notes from the year’s events, taken a look at our most interesting projects around the world and brought together our “live five” for 2019.  Now, as in previous years, I don’t expect you to pay any attention to our prognostications without first reviewing our previous attempts, otherwise you won’t have any basis for taking us seriously! So, let’s begin by looking back over the past year and then we’ll take a shot at the future.

Goodbye 2018

As we start to wind down 2018, let’s see how we did…

  1. 1. Open Banking. Well, it was hardly a tough call and we were bang on with this one. We’ve been working on open banking projects in the UK, on the continent and beyond. What seems to be an obviously European issue, is of course a global one and we’ve been helping the global payment brands understand the opportunities. Helping existing market participants and new market entrants to develop and implement responses to open banking has turned out to be intellectually challenging and complex, and we continue to build our expertise in the field. Planning for the unintended consequences of open banking and the potentially un-level playing field that’s been created by the asymmetry of data, was not the obvious angle of opportunity for traditional tier one banks.

  2. 2. Conversational Transactions. Yes, we were spot on with this one and not only in financial services. Many organisations are shifting to messaging channels for customer support and for transactions, in both the banking and retail sectors. The opportunity for this continues with the advancements of new messaging enablers, such as the GSMA backed RCS. But as new channels for support and service are introduced to the customer experience, so are new points of vulnerability.

  3. 3. The Internet of Cars. This is evolving although the security concerns that we spoke about before, continue to add friction to the development of new products and services in this area. Vulnerabilities to card payments or building entry systems are security threats, vulnerabilities to connected or autonomous vehicles are potentially public safety threats.

  4. 4. Artificial Intelligence. Again, this was an easy prediction because many of our clients were already active. Where we did add to thinking this past year, it was about the interactive landscape of the future (i.e. bots interacting with bots) and how the identity infrastructure needs to evolve to support this.

  5. 5. Tokens/ICOs. Well, we were right to highlight the importance of “tokens” (the basis of Initial Coin Offerings, or ICOs) and our prediction that once the craziness is out of the way, then regulated token markets will become significant looks to be borne out by mainstream commentary. At Money2020 Asia in Singapore, I had the privilege of interviewing Jonathan Larsen, Corporate Venture Capital Manager at Ping An and CEO of their Global Voyager Fund (which has a $billion or so under management). When I put to him that the tokenisation of assets will be a revolution, he said that “tokenisation is a really massive trend… a much bigger story than cryptocurrencies, initial coin offerings (ICOs), and even blockchain”.

As we said, 2018 has seen disruption because the shift to open banking, starting in the UK,has meant the reshaping of financial services while at the same time the advance of AI into the transaction flow (transactions of all types, from buying a train ticket to selling corporate bonds) begins to reshape the way we do business.

Hello 2019

This year we are organising our “live five” in a slightly different way, listing them by priority to our clients rather than as a simple list. So here are the four key technologies that we think will be hot throughout the coming year together with the new technology that we are looking at out of the corner of our eyes, so to speak. The mainstream technologies are authentication,cross-sector digital identity, digital wallets for ticketing and secure IoT in the insurance sector. The one coming up on the outside is post-quantum cryptography.


So here we go…


  1. 1. With our financial services customers we are moving from developing strategies about open banking to developing implementation plans and supporting the development of new systems and services. The most important technology at the customer interface from the secure transactions perspective is going to be the technology of Strong Customer Authentication (SCA). Understanding the rules around which transactions need SCA or not is complicated enough, and that’s before you even start working out which technologies have the right balance of security and convenience for the relevant customer journeys. Luckily, we know how to help on both counts!

As it happens, better authentication technology is going to make life easier for clients in a number of ways, not only because of PSD2. We are already planning 3D Secure v2 (3DSv2) and Secure Remote Commerce (SRC) implementations for customers. Preventing “authentication friction” (using e.g. FIDO) is central to the new customer journeys.

  1. 2. Forward thinking jurisdictions such as Canada and Australia have already started to deliver cross-sector digital identity (where in both cases we’ve been advising stakeholders). New technologies such as machine learning, shared ledgers and self-sovereign identity, if implemented correctly, will start to address the real issues and improvements in know your customer (KYC), anti-money laundering (AML), counter-terrorist financing (CTF) and the management of a politically-exposed person (PEP).  The skewed cost-benefit around regtech and the friction that flawed digitised identity systems cause, mean that there is considerable pressure to shift the balance and in the coming year I think more organisations around the world will look at models adopted and take action.

  1. 3. In our work on ticketing around the world, we see a renewed focus on the deployment of real digital wallets. Transit and other forms of ticketing (such as for sporting events) are the effective anchor tenants of the digital wallet, not payments. In the UK and in some other countries there has been little traction for the smartphone digital wallet because of the effectiveness of the deployment and use of contactless cards. If you look in your real wallets, most of what your find isn’t really about payments. In our markets, payments alone do not drive consumers to digital wallets, but take-up might be about to accelerate. It’s one thing to have xPay put cards into a digital wallet but putting your train tickets, your sports rights and your concert passes into a digital wallet makes all the difference to take-up and means serious traction. Our expertise in using the digital wallets for applications beyond payments will give our clients confidence in setting their strategies.

  2. 4. In the insurance world we see the business cases building around the Internet of Things (IoT). The recent landmark decision of John Hancock, one of the oldest and largest North American life insurers, to stop selling traditional life insurance and instead sell only “interactive” policies that track fitness and health data through wearable devices and smartphones is a significant step both in terms of business model and security infrastructure. We think more organisations in the insurance sector will develop similar new services.  Securing IoT systems becomes a priority. Fortunately, our very structured risk analysis for IoT and considerable experience in the practical assessment of countermeasures, deliver a cost-effective approach.

  3. 5. In our core field of security, we think it’s time to start taking post-quantum cryptography (PQC) seriously not as a research topic but as a strategic imperative around the development and deployment of new transaction systems. As many of you will know, Consult Hyperion’s reputation has been founded on the mass-market deployments of new transactions systems and services and this means we understand the long-term planning of secure platforms. We’re proud to say that we have helped to develop the security infrastructure for services ranging from the Hong Kong smart identity card, to the Euroclear settlement system and from contactless payments to open loop ticketing in major cities. Systems going into service now may well find themselves overlapping with the first practical quantum computer systems that render certain kinds of cryptography worthless, so it’s time to add PQC to strategies for the mass market.

And there you have it! Consult Hyperion’s Live 5 for 2019. Brexit does not mean the end of SCA in the UK (since PSD2 has already been transcribed into UK law) and SCA means that secure digital identities can support transactions conducted from digital wallets, and those digital wallets will contain things other than payment instruments. They might also start to store transit tickets or your right to travel, health and fitness data for your insurance company. Oh, and all of that data will end up in the public sphere unless the organisations charged with protecting it start thinking about post-quantum cryptography or,as Adi Shamir (one of the inventors of public key cryptography) said five years ago, post-cryptographysecurity.

Facebook has been hacked…

I notice that Facebook has been hacked. Apparently, some 30 million people had their phone numbers and personal details exposed in a “major cyber attack” on the social network in September. Around half of them had their usernames, gender, language, relationship status, religion, hometown, city, birthday, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches all compromised. Wow.
 
Now, I don’t really care about this much personally. Like all normal people I have Facebook and enjoy using it to connect with family and close friends, but I don’t use my “real” name for it and I never ever gave in to their pleading for my phone number. Not because I was unsure that it would at some point get hacked (I assumed this to be the case) or because I thought that if I used it for two-factor authentication they might use it for advertising purposes, but on the general data minimisation principle that’s it’s none of their business.
 
(We should, as a rule, never provide data to anyone even if we trust them unless it is strictly necessary to enable a specific transaction to take place.)
 
One of the reasons that I don’t care is that just as people around the globe are getting spammed by fraudsters pretending to be Facebook, I’m not worried about spammers getting my data and pretending to be Facebook. When I get e-mail from Facebook, it is encrypted and signed using a public key linked to the e-mail address I use for this purpose (pseudonymous access). See…
 

 
My e-mail client (in this case, Apple Mail) will flag up if the signature is invalid. If you want to send encrypted e-mail to me at mail@dgwbirch.com then you can get my PGP key from a public key server (check the fingerprint is 50EF 7B0E FD4B 3475 D456 4D7E 7268 01F2 A1C5 075B if you want to) and then fire away. It’s not that difficult. Facebook asked me if I wanted secure e-mail, I said yes, they asked me for my key, I gave it to them. End of. I really don’t understand why other organisations cannot do the same.
 
Banks, for example.
 
Here’s an e-mail that I got purporting to be from Barclays. They are asking me for feedback on their mortgage service and inviting me to click on a link. I suppose some people might fall for this sort of spamming but not me. I deleted it right away.
 

 
This of course might lead reasonable people to ask why Barclays can’t do the same as Facebook. Why can’t Barclays send e-mail that is encrypted so that crooks can’t read it and signed so that I know it came from the bank and not from spammers. Surely it’s just a couple of lines of COBOL somewhere ask me to upload my public key to their DB2 and then turn on encryption. Right? After all, it’s unencrypted and unsigned e-mail that is at the root of a great many frauds so why not give customers the option of providing an S/MIME or PGP key and then using it to protect them?
 
Well, I think I know. I can remember a time working on a project for a client in Europe who asked, because of the very confidential nature of the work, that all e-mail be encrypted and signed. We spent all morning messing around with Outlook/Exchange to get S/MIME set up, to sort out certificates and so forth. But we eventually got it working and sent the first encrypted and signed mail. The client called back and asked if we could turn off encryption because the people working on the project were reading the e-mail on smartphones and didn’t have S/MIME on their devices. The next day they called and asked us to turn off signing because the digital signatures were confusing their anti-spam software and all of our e-mails were being put in escrow.
 
So we know absolutely everything about security and so did our counterparts and we still gave up because it was all too complicated. It’s just too hard.
 
(In Denmark, however, that excuse won’t wash. The Danes have decided that e-mails containing “confidential and sensitive persona data” — which certainly includes bank details — must be encrypted. The Data Inspectorate are reasonable people though, they note that this change “will require some adjustment in the private sector” and so the new rule will be not be enforced before 1st January 2019.)
 
Let’s not use encrypted and signed e-mail. I’ve got a better idea. Why don’t Barclays STOP USING EMAIL AND TEXTS since they have an APP ON MY iPHONE that I use ALL THE TIME and they could send me SECURE MESSAGES using that. It’s time to move to conversational commerce based on messaging and forgot about the bad old days of insecure, spam-filled, fraudophilic and passé e-mail.

Securing Payments in a Post-EMV Chip World

Now that the US has (finally) migrated from magnetic stripe to chip payments, and signature will soon be going too, the time has come to think about where the fraud will go next. This was the topic of a great discussion at Money 20/20 involving amongst others EMVCo, Capital One and USAA.

Obviously the first place fraud will jump to will be card-not-present transactions such as e-commerce. This is well understood by those of us who went through the EMV chip migration over a decade ago. Brian Byrne outlined the various initiatives in EMVCo to secure these transactions – Tokenisation, 3DS 2.0 (with live solutions being imminent) and SRC (which is open for public comment).

Increasingly though it’s an identity problem. Identity theft and synthetic identities are being used to attack payments in a number of ways.

Because EMV chip cards are much harder to counterfeit than magnetic stripe cards, fraudsters instead will try to get their hands on genuine cards. This could be through opening a fraudulent account or by taking over an account and ordering a replacement card.

Identity fraud will be a big issue in faster payments too, with a need for good authentication on both ends of the transaction.

Synthetic identities are a particular challenge. Detecting them is tough, spotting the subtle clues that indicate that an identity record which looks legitimate has actually be cultivated over time by a fraudster. And this is big business, with criminals using the latest machine learning and ready access to data (thanks to all of those breaches) to launch well organised attacks at scale.

In the following session, Professor Pedro Domingos (author of “The Master Algorithm”) gave the great quote “if you try to fight machine learning with code you are doomed”. But it is not simply a case of implementing machine learning. As the Prof explained, the characteristics of fraud are constantly changing so any machine learning system will need to be constantly tuned and re-trained to keep up.

Definitely a case of whack-a-mole.

Money 20/20 – Digital Identity Day

 

Where better to spend a day talking about digital identity than the Venetian in Vegas with its rather synthetic identity.

In giving the topic a full day track, the Money 20/20 organisers have recognised the increasing importance of the topic. However it is a topic that is not straightforward. Andrew Nash from Capital One was right when he said everyone has a different definition of identity. It’s a bit ironic – identity doesn’t have an identity. Here are three questions to summarise what we heard:

Is digital identity just about KYC or the broader sharing of personal data?

There is clearly still a lot of pain with KYC. Idemia explained how in the US, with its fragmented environment, doing basic things creating digital drivers licences that can be used across the country is hard.

But there is shift of focus from the narrow KYC problem towards the broader issue helping people to make their personal data portable in a way that removes friction – the “F” word of Identity, as Neil Chapman from Forgerock put it. 

Filip Verley from Airbnb made a useful bridge between these two aspects. It is no surprise that reputation is fundamental to the Airbnb platform. Reputation is the where the value is – Airbnb users don’t care what the name of a renter is but they do want to know they are reputable. But for that to work well that reputation needs to be anchored to the real identity that Airbnb has checked – i.e. their KYC.

Who is digital identity for – the person or the organisation?

Quite rightly there is now widespread acceptance that digital identity needs to be person centric. As well as the privacy point, there are practical reasons why it makes sense to put the person at the centre. For example, the person is in the best place to say which of the residential addresses associated with them is the one where they are actually living.

This is not the same as saying people own their identity. The organisations that provide services to people also have a stake in digital identity too. That’s why in Canada, as Joni Brennan explained, stakeholders across the economy are collaborating through the DIACC to address a need that is bigger than any one of them.

(Bianca Lopes, Joni Brennan and I talking about Digital Identity in Canada)

What will enable interoperable digital identities?

Unsurprisingly there was good representation from the DLT / blockchain crowd including Civic and Shyft. Heather Vescent gave a great overview of the standardisation work around Decentralised Identifiers (DIDs) and the desire of that community to create a new identity layer on the internet – perhaps an 8th “user” layer on top of the OSI 7-layered model of old. Whilst this work is being done through W3C it is still early days.

In contrast, FIDO2 is now a candidate recommendation in W3C and is already supported by Chrome 70 for Android (released last week) meaning that ubiquitous strong device based authentication (which includes biometrics) should not be far off. It’s great to see an initiative that, after a lot of hard work, looks like its about to become mainstream providing a real step forwards towards a more secure digital world.

 

 

Real news about fake apps

The (real) news over the past couple of years has been full of reports of fake news. Well now we have fake apps too.
 
Last week this report from ESET [1] highlighted fake mobile banking apps on the Google Play store. According to the article ESET discovered and reported a set of fake banking apps that were published and remained on Google Play between June and July 2018. These apps offered lucrative deals to the unwitting banking consumer, one for instance claiming to increase your credit card limit if you installed them. They are of course nothing more than a phishing scam – collecting account and card payment details allowing the scammer to empty your bank account.
 

 
Fake apps displaying forms to phish consumer’s bank login details (source [1]).
 
As you can see some effort was put into making the apps look authentic in order to fool the customer. But how is it that they managed to fool Google into allowing those apps onto the app store in the first place?
 
Ironically, Google has a “Safe Browsing” initiative to protect consumers from phishing and malware. Play Protect (rebranded Google Bouncer) is used to protect the store and its consumers from malware, spyware and trojans. Google also employs automated scans to detect known threats, heuristics and data analytics on metadata, big data, to monitor downloads, usage and detect anomalies.
 
So whilst Google does try to spot the technical threats that might compromise the person’s device, for example, it appears they are not always able to spot the blatantly obvious – one of the app says it’s ICICI, but the developer is not ICICI.
 
In fact, by the time the fake app was reported to Google and they removed it from the store, the damage had already been done to several thousands of trusting consumers!
 
What can banks do about this to protect their customers? Quite a lot actually. In a robust digital banking solution, the bank will employ numerous measures to establish the authenticity of the device, access channel and customer. A bank should be able to detect when there is a man-in-the-middle and when information captured on one device or channel is replayed into another device or channel. The technology to do this exists and we have been helping banks employ it for years. Unfortunately, until all banks do the same consumers will need to be extra vigilant about the financial apps they load onto their devices.
 
References:
 
[1] Fake banking apps on Google Play leak stolen credit card data, ESET, published on 26 July 2018. More information is available here https://www.welivesecurity.com/2018/07/26/fake-banking-apps-google-play-leak-stolen-credit-card-data/

Who would have ex-Spectre-d this?

At Consult Hyperion we’re always interested in the latest news in cyber security and in case you haven’t heard, 2018 has started with the news that the most processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and are caused by common optimisations built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it could affect any operating system. It’s likely the machine you’re reading this on is affected – whether it’s running Windows, Macs, iOS, Android or is in “the cloud”!!

At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS). This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets which may include passwords, keys or possibly payment data, present in processor caches or memory.

I’m not going to discuss how the vulnerabilities achieve what they do (there’s plenty of sites which attempt to do this), however I’d rather consider its impact on people, such as our clients, who may be handling sensitive data on mobile devices – e.g. payments, banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.

So, what can be done about it? The good news is that whilst the current processors cannot be fixed, several operating system patches have already been released to try and mitigate these problems.

However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the issue has changed from it only affecting Intel processors, to now including AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, there may be additional vulnerabilities discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.

It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:

1. You must have a vulnerable processor (highly likely)
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device

 
For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.

Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.

For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.

A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android – for example, Google’s latest information (https://developer.android.com/about/dashboards/index.html – obtained 5th January 2018 and represents devices accessing the Google Play Store in the prior 7 days) shows that for the top 81% of devices in use:

• 0.5% of devices are running the latest version of Android – Oreo (v8.0, released August 2017)
• 25% are running Nougat (v7.x, released August 2016)
• 30% running Marshmallow (v6.0, released October 2015)
• 26% running Lollipop (v5.x, released November 2014).

 
It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.

If you compare to iOS, it’s estimated (https://data.apteligent.com/ios/) that less than a month after it was released in December 2017, over 75% of iOS devices are already running iOS 11.

The final requirement is Point 3 – getting malicious code onto your device. This could be via a malicious application installed on a device, however, the malicious code could also come via a website as it’s been shown that even JavaScript sandboxed in a browser can exploit these vulnerabilities. As its not unheard of for legitimate websites to unwittingly serve up 3rd-party adverts which contain malicious code, a user doesn’t have to be accessing malicious websites for the problem to occur. Several browsers are receiving patches to try and prevent Meltdown and Spectre working via this route. Regarding malicious applications, we’d always recommend that applications are only ever installed from legitimate sources, however malicious apps still regularly appear in legitimate app stores, so this is not fool-proof.

Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers – these applications should already be including protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.

If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving onto the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system – something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack to either have been possible, let alone something which needs to be actively mitigated.

Using Big Data to Identify Fraudulent Transactions

With Thanksgiving upon us and the drive for mass consumption to continue through the Black Friday and Cyber Monday purchasing frenzy in the US, we regularly hear the comment from US merchants that the migration to EMV (contact) payment cards has driven the increase in Card Not Present (CNP) fraud. I guess to a small extent they’re correct; smartcards are more difficult to clone so the fraudsters have been forced to look for alternative sources of income. However, I would suggest that the main driver has been the increase in the efficiency with which fraudsters collect and use PII (personal identifiable information) and account information.

The days of shoulder-surfing people at the ATM for their PIN and/or stealing a phone for the PII and account information stored within it are confined to the minor or opportunistic criminals. Today the specifications for PANs, test PAN numbers and real PII and account information from data breaches within the many high street names, can be purchased on the internet. These are used by organized criminals as the basis for attacks in which a range of PAN and CVV numbers are sent to multiple merchants to identify valid combinations. Valid account information is the then used to procure goods from a range of merchants.

Luckily for the merchants and banks that Consult Hyperion work with, there is a wealth of information available to determine whether or not a transaction is valid. The mobile network operators, either directly or through brokers such as Payfone (USA) and Enstream (Canada), can provide the location of the account holder’s mobile phone, which should be close to the location from which the payment transaction is initiated. The account holder’s behavioral patterns can be monitored to determine whether or not the transaction is out of character. Device fingerprinting companies such as InAuth and mSignia can tell them if the transaction has been initiated from a new device, or one with odd characteristics, such as a foreign keyboard.

However, not many companies understand the scope of the information that they have in their possession or how it can be used to mitigate the risks associated with fraudulent transactions. Recognizing the opportunity, a number of third parties are offering AI based services to help such organizations to use the patterns in their data to identify fraudulent transactions. Consult Hyperion’s customers have benefited from a more rigorous analysis of the data in their possession and how it is generated, before they started working with these third parties.

My colleagues at New York and Guildford, UK, have a detailed understanding of the messages passed between the Merchant and Issuer and all parties in between in a retail payment transaction. Over the last 15 years, we have used this knowledge to de-bug or optimize the flow of information between all parties. More recently we have been asked to evaluate how patterns in the data can be used to identify fraudulent transactions. You would be surprised how often the PAN number is included in the transaction message. Comparing each instance of the PAN will allow you to check that the criminals have not tampered with those messages.

The results of our analysis helped our clients to focus their engagement with prospective vendors. They now have a better understanding of how the different parts of their authorization systems interact with each other, what data can be monitored and why. Their initial discussions with third parties have moved from “Is this possible?”, to “This is what we want to do”.

I hope that you have a Great Thanksgiving if you are in the US or London this weekend and that between them, Uber, Equifax et al have left you with sufficient credible payment credentials to allow you to enjoy the consumer fest that follows. Me, personally, I am heading somewhere I can be off-grid for the weekend, if only to stay away from all those tempting offers.

The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices

 

The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away; their cost refunded through reductions in the fees levied against the initial transactions; their power derived from the phone, when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is; can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

From “Top of Wallet” to “Front of Phone”

Over the last few weeks, I have been working with the team inside Consult Hyperion trying to understand the potential impact of the European Union’s PSD2 regulation on our clients’ business. One thing is for certain: it has generated a large number of not-quite-three letter acronyms that will ensure high scores in any game of Acronym Bingo running during a presentation on the subject.

It is clear that the Account Service Payment Service Provider’s (ASPSP or bank to you and me) mobile application will play an important role in any PSD2 compliant transaction. Every time I want to make a bank to bank payment to a new payee, a message will appear in my mobile banking application asking me to verify the transaction and authenticate myself. Will this be the reason I need to keep the mobile banking application on my phone?

Personally, I sit down once a month in front of a computer to do my expenses and pay my bills. I have sufficient standing orders to maximise the return on my Santander 123 account. The rest are settled using Faster Payments, when there are sufficient funds in my account. Being a payment geek, over the years I have loaded several banking applications and PingIt onto my phone. None of these survived the transfer to my next phone as I was not using them. The alternative (my PC and contactless Amex card) are more convenient or deliver the customer experience I need. But perhaps that is changing.

At Consult Hyperion’s excellent Tomorrows Transactions Forum in London earlier this year, Greg Wolfond, CEO of SecureKey, outlined the customer experience to be delivered by the blockchain-based digital identity and attribute sharing service they are building in Canada, with the support of local banks. At the centre of this service was a push notification from the bank, via their mobile banking application, that a third party wanted confirmation of my age or address and a request for permission for the bank to share those details with the third party. To me the bank is the logical place to keep valuable personal information. Most have been doing it for over 100 years usually in the form of paper documents – birth, marriage certificates and Land Registry Property Deeds. However, in a connected world third parties need to be able to access this information when I give them permission. This process must be instantaneous, as I am likely to be on the third party’s website or in their store signing up for a service when the request comes through. I will be in a similar place when I want to make a PSD2 compliant payment.

Earlier this summer, I sold the last of my larger toys, a Laser 1 dinghy. Kids have left home, wife prefers to ramble with the dog, sailing club just too far away, water too cold …. The list of reasons why I should keep it was getting too long.

I posted the boat on Apollo Duck, (think eBay for the sailing community) assuming people would come to view it, we would agree a price, they would give me a cheque, I would bank it and they come back a week later to pick up the boat, when the funds were in my account. Everything was going to plan, until it came to payment. Rather than pull out a pad of paper, he opened his Barclays’ mobile banking application, asked for my bank details and transferred the funds using Faster Payments. Five minutes later the funds were in my account and we were packing the boat up for him to take away. The whole process, from viewing to take away was reduced from 7 days to just over 90 minutes. We did not move from my front lawn, except to access my PC to check that the funds had gone into my account.

This appears to have been the vision of those very clever people in the European Union when they drew up the PSD2 regulations. However, is the mobile banking application the right channel for such services?

In the UK smartphone penetration rates are around 81% of all mobile phone users. However, this figure varies according to the subscribers age, from 90% of subscribers aged between 16 and 24 to 18% of those over 64 . The older generation are likely to have more savings spread across multiple products from multiple providers. If they prefer not to load the mobile banking application onto their phone are there alternative solutions which they can use to authenticate themselves to multiple ASPSP?

Barclays UK does a very good job verifying me using my payment card and their PinSentry device or mobile application across all the channels that I access their services. I can also use the PinSentry device with cards from other banks which support the CAP User Interface Specification, but don’t tell Barclays. There are other solutions from organisations such as FiTeq which remove the need for the separate CAP reader and the payment schemes who are promoting the use of their 3D Secure service for use with other payment solutions.

One of the drivers behind PSD2 was to drive innovation and competition. Is SCA the first place we will see this?

UK Finance is the wrong idea

Payments used to be a banking business. Now it is not, and the interests of the banks and the payments industry are no longer wholly coincident. The banks don’t own Visa and MasterCard any more, kids using Venmo neither know nor care whether it is a bank or not and there are plenty of non-bank players out there who want to have (and are going to get) access to the payments infrastructure. It seems to me that regulatory frameworks such as PSD2 cut across institutional boundaries: they are not “bank things” and they need a response from a wider constituency. The general thrust of regulation is to separate payments from banking further — separating the systemically risky from the systemically non-risky — and to drive competition in the provision of payment services. I’m sure we all agree that this is a good thing.

Back in 1999, the Federal Reserve Bank of New York Economic Policy Review said that “Economic theory on the operations of commercial banks cannot, by itself, explain why they provide payment services on such a large scale”. Quite.

From Separation, not divorce | Consult Hyperion

I wrote that a decade ago, drawing on work from a decade before. This is hardly a radical or futuristic position. The provision of payment services and the provision of banking services are different ecological niches in the modern economy and they need to be filled by different and better-adapted organisms.  This, it seems to me, further implies that there should be different consumer organisations, trade bodies and lobby groups in each of these niches as well. It would be a logical, sound and practical structure for the UK (for example) to have some kind of an Association for Payment Institutions (UKAPI) and some kind of an Association for Credit Institutions (UKACI). Well… that’s not what is happening. Since the start of this month, the UK has had a new trade association for the financial services industry. It’s called “UK Finance”.

Stephen Jones has been appointed as the chief executive of the new banking group, which will merge the British Bankers’ Association, Council of Mortgage Lenders, Payments UK, Asset Based Finance Association, UK Cards Association and Financial Fraud Action UK.

From Stephen Jones named as UK Finance CEO | ICAEW Economia

Just as a recap, the old trade associations were:

  • The British bankers Association which had 200 member banks that operate in 180 jurisdictions worldwide and whose activities span both retail and wholesale banking and capital markets;

  • The Council of Mortgage Lenders which represented 133 UK mortgage lenders accounting for almost all of the UK’s residential lending;

  • Payments UK which represented the U.K.’s payment industry;

  • UK Cards Association which had 32 members who accounted for the vast majority of cards issued in the UK;

  • The asset-based finance association which represented around 95% of the companies from the UK and Ireland providing factoring invoice discounting and asset-based lending (which will join in a second phase).

So what was the rationale for this daft rearrangement that will inevitably have to be reversed within a few years? Well, as I understand it from talking to a variety of different people in the industry is that first of all there was duplication of effort in the different trade bodies and hence money wasted and secondly that it was thought a unified trade association might have more influence.

As to the first point, I’m sure that this was true, so some kind of merger or rearrangement made sense (but not this one).

As to the second, I have my doubts  and while reading through Statutory Instrument 2017 no. 752 (the transcription of the Second Payment Services Directive into UK law), those doubts crystallised.  This is because of the new organisations that will come into the space as PSPs of one form or another and will not only be allowed access to bank accounts via open banking APIs. Note that new organisations will further be allowed access to the payments infrastructure. I expect to see an interesting variety of plays in this space. I suggest you take a look at the excellent Emerging Payments Association report from that year which argued that, under the appropriate licence conditions, non-banks should be allowed access to instant payments infrastructure through the use of a new kind of limited pre-funded settlement account at the Bank of England. This is now happening.

The Bank of England is announcing today that a new generation of non-bank payment service providers is now eligible to apply for a settlement account in the Bank’s RTGS system.

From Bank of England extends direct access to RTGS accounts to non-bank payment service providers | Bank of England

The Bank’s decision will open up competition in an area previously the preserve of the main banks. It will give non-bank PSPs direct access to full and final settlement in central bank money through systems including Faster Payments, BACS, CHAPS and the (under construction) digital cheque imaging system. This must, and will, lead to a shake up in the payments sector as the new players (with new business models) come into the space. Just to pick one obvious example: suppose Amazon bring Amazon Reload to the UK, but with direct access to settlement so that you can send money between bank accounts and your Amazon Prime account? That could make Amazon Pay a lot of fun. But why would it be represented through the same trade association as the people who give you mortgages? How are their interests coincident? Further, there are important benefits that come from having more specialised trade associations [see Patel, K. “Trading places”. Financial World. London (2016)]. One of the main functions of these associations is to scrutinise new rules and regulations (the nutty ban on credit card surcharging, to give a current example) and such bodies have a closer connection to and deeper understanding of the markets they represent. Now that there is going to be a New Payment Architecture (NPA) in the UK, there should be a New Payment Trade Association to go with it.

The consolidation of the three main UK retail Payment System Operators: Bacs Payment Schemes Limited (BPSL), Cheque and Credit Clearing Company Limited (C&CCCL) and Faster Payments Scheme Limited (FPSL). A PSO Delivery Group (PSO DG) was established by the Bank of England (BoE) and the Payment Systems Regulator (PSR) to plan the consolidation of the three PSOs into a single entity – the New Payment System Operator (NPSO).

There are a lot of great people at UK Finance but they have been put into a decidedly suboptimal structure, especially at a time when that just-released new national payments strategy in the UK is going to bring together the payment rails under the single body. In my opinion, there is no logic to the jumbling together of payments and other banking activities in a single trade association. I give it a couple of years tops before the non-bank complaints result in a new payments industry trade association. I suggest we call it the Association of Payment and Cashless Services (APACS) and we can invite the by-then former Prime Minister to be the Honorary Chair. She can use her old business cards.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.