Real news about fake apps

The (real) news over the past couple of years has been full of reports of fake news. Well now we have fake apps too.
 
Last week this report from ESET [1] highlighted fake mobile banking apps on the Google Play store. According to the article ESET discovered and reported a set of fake banking apps that were published and remained on Google Play between June and July 2018. These apps offered lucrative deals to the unwitting banking consumer, one for instance claiming to increase your credit card limit if you installed them. They are of course nothing more than a phishing scam – collecting account and card payment details allowing the scammer to empty your bank account.
 

 
Fake apps displaying forms to phish consumers’ bank login details (source [1]).
 
As you can see some effort was put into making the apps look authentic in order to fool the customer. But how is it that they managed to fool Google into allowing those apps onto the app store in the first place?
 
Ironically, Google has a “Safe Browsing” initiative to protect consumers from phishing and malware. Play Protect (the rebranded Google Bouncer) is used to protect the store and its consumers from malware, spyware and trojans. Google also employs automated scans for known threats, together with heuristics and data analytics over store metadata and usage data, to monitor downloads and detect anomalies.
 
So whilst Google does try to spot the technical threats that might compromise a person’s device, it appears they are not always able to spot the blatantly obvious – one of the apps says it’s ICICI, but the developer is not ICICI.
 
In fact, by the time the fake app was reported to Google and they removed it from the store, the damage had already been done to several thousands of trusting consumers!
 
What can banks do about this to protect their customers? Quite a lot actually. In a robust digital banking solution, the bank will employ numerous measures to establish the authenticity of the device, access channel and customer. A bank should be able to detect when there is a man-in-the-middle and when information captured on one device or channel is replayed into another device or channel. The technology to do this exists and we have been helping banks employ it for years. Unfortunately, until all banks do the same consumers will need to be extra vigilant about the financial apps they load onto their devices.
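The “blatantly obvious” check the post describes, a listing that trades on a bank’s name but is published by someone other than that bank, is straightforward to automate on the bank’s side as brand monitoring over store listings. The following is an added example, not code from the post or from Consult Hyperion; the developer account names, package names and the listing records are constructed placeholders, and the lure phrases are taken from the post’s description of the scam.

```python
import re
from dataclasses import dataclass

# Constructed allow-list for this example: a bank brand and the developer
# account names it genuinely publishes under (placeholder names, not the
# banks' real Play developer accounts).
KNOWN_PUBLISHERS = {
    "ICICI": {"ICICI Bank Ltd (placeholder)"},
    "Example Bank": {"Example Bank plc (placeholder)"},
}

# Lure wording of the kind the post describes. Presence alone is not proof
# of fraud, so it only raises the score of a brand/developer mismatch.
LURE_PHRASES = ("increase your credit card limit", "instant credit limit")


@dataclass
class Listing:
    package: str
    title: str
    developer: str
    description: str


def brand_mentions(text):
    """Brands from the allow-list that appear as whole words in the text."""
    return {
        brand for brand in KNOWN_PUBLISHERS
        if re.search(r"\b" + re.escape(brand) + r"\b", text, re.IGNORECASE)
    }


def flag_impersonators(listings):
    """Return (package, brand, score, reason) for listings whose title uses a
    bank's brand but whose developer is not that bank's known account."""
    flagged = []
    for l in listings:
        for brand in brand_mentions(l.title):
            if l.developer in KNOWN_PUBLISHERS[brand]:
                continue  # published by the bank itself: nothing to flag
            score = 1
            reason = f"title uses '{brand}' but developer is '{l.developer}'"
            if any(p in l.description.lower() for p in LURE_PHRASES):
                score += 1
                reason += "; description carries a credit-limit lure"
            flagged.append((l.package, brand, score, reason))
    return flagged


# Constructed sample listings: one genuine, one impersonator, one unrelated.
SAMPLE_LISTINGS = [
    Listing("com.placeholder.icici.official", "ICICI Mobile Banking",
            "ICICI Bank Ltd (placeholder)", "Official banking app."),
    Listing("com.placeholder.freecredit", "ICICI Credit Limit Booster",
            "Quick Apps Studio", "Install to increase your credit card limit instantly."),
    Listing("com.placeholder.notes", "Notes", "Quick Apps Studio", "Take notes."),
]

if __name__ == "__main__":
    for hit in flag_impersonators(SAMPLE_LISTINGS):
        print(hit)
```

In practice the listing records would come from a store-monitoring feed and the allow-list from the bank’s own publishing records; the point is that the check needs no malware analysis at all, only the bank knowing which developer accounts are its own.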
 
References:
 
[1] Fake banking apps on Google Play leak stolen credit card data, ESET, published on 26 July 2018. More information is available here https://www.welivesecurity.com/2018/07/26/fake-banking-apps-google-play-leak-stolen-credit-card-data/

PSD2, Curtains for Direct Carrier Billing?

The Second Payment Services Directive, aka PSD2, contains much that is admirable, some that is debatable and yet more that is downright mysterious. As we await the forthcoming final version of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), putting everyone on a 21-month implementation cycle, I thought I’d cast an eye over one of the, as yet, largely undiscovered areas of the directive; namely the exclusion from SCA for direct carrier billing (DCB). Like so much in PSD2 no exemption comes without penalty.

It’s the directive itself that excludes direct carrier billing from regulation, in Article 3, where it specifically excludes:

(f) payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service:

(i) for purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or

(ii) performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets;

provided that the value of any single payment transaction referred to in points (i) and (ii) does not exceed EUR 50 and:

— the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or

— where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month;

If you care to deconstruct this it means that PSD2 doesn’t apply to direct carrier billing – payments made using a subscriber’s existing mobile account – if the subscriber doesn’t spend more than €300 a month or pay more than €50 on any single payment. Which is a useful exclusion for network operators and providers of DCB services, but does rather put a limit on any ambitions to extend and grow these services into genuine competitors for consumer payments.  The exclusion also doesn’t apply to physical goods, limiting any expansion plans in that area.

Fail to meet those conditions and DCB automatically falls into the jaws of the RTS on Strong Customer Authentication, requiring two-factor authentication to be applied, subject to the normal exemptions not being invoked. Given that banks, who have a track record of applying authentication to consumer payments, are finding meeting the SCA requirements challenging, it’s not immediately obvious how mobile operators are going to address this, although you’d imagine that they could use the mobile handset itself as the possession factor. Nonetheless, forcing customers to enter passwords or implementing a handset-based biometric through an app isn’t going to do anything for the customer payment experience, which hitherto has largely been invisible.

The problem is that doing nothing is not an option. Not implementing SCA means capping the amount customers can spend each month and failing to do that will mean customers have the automatic right to apply for a refund as payments over the limit will, in PSD2 terms, be unauthorised. T&Cs will need to be rewritten to make sure the operators can get their money back, although in the absence of regulatory guidance it’s not clear that the directive might not override that – if PSD2 is about one thing it’s about the pre-eminence of consumer rights. Oh, and go over that limit and the operator will find themselves considered a payment service provider under the regulatory conditions of PSD2 with all that it entails.

Some DCB providers have already taken the initiative and become Electronic Money Institutions, which means they don’t have to worry about the restrictions but do have to suffer the slings and arrows of Strong Customer Authentication, outrageous or otherwise. Others seem, so far, less bothered, although no doubt the proposed regulatory penalties when published will concentrate minds. What’s really interesting is that the other side of PSD2 – the so-called XS2A, Access to Account, via bank-implemented APIs – actually opens up a real opportunity for any mobile operator or DCB player smart enough to spot it. After all, if you can connect to any consumer’s bank account to draw funds or examine their spending patterns you’re halfway to a pervasive retail consumer payments solution.

As for the other half, well that’s what we at Consult Hyperion are paid to solve. We think that the elements to allow this are already in place, all it needs now is someone with the foresight to take advantage of them. At that point the European Commission may well get the kind of innovation and competition in consumer payments that it desires, but in the meantime we’ll just continue twiddling our thumbs waiting for the RTS.

Post-Industrial Archeology

The BBC World Service has a podcast series called “50 things that made the modern economy” hosted by the economist Tim Harford. It features inventions ranging from COBOL and banks to antibiotics and, interestingly, M-PESA. This caught my attention because M-PESA is one of the Consult Hyperion projects from the last couple of decades that we might find ourselves chatting about at the forthcoming 20th annual Forum, Tomorrow’s Transactions 2017. The Forum will be held at the America Square conference centre in London on 26th/27th April and Kevin Amateshe, the current M-PESA product manager will be coming in from Nairobi to give us a detailed picture of where M-PESA is now and where it will be going next.

The Forum, thanks to the wonderful support from our friends at Vocalink, PaySafeGroup, WorldPay and Olswang, will once again provide a unique environment for learning, investigation, discussion and debate about the future of electronic transactions. The future of people, businesses and government in the post-industrial online and interconnected economy.

This year’s invited keynote will be given by Professor Lisa Servon, one of the world’s leading authorities on financial and social inclusion. All delegates will receive a copy of Lisa’s new book “The Unbanking of America: How the New Middle Class Survives”.

 Other speakers and panelists include Gilad Rosner (IoT Privacy Forum), Nick Telford-Reed (WorldPay), Amy Parsons (Discover), Sandra Alzetta (Visa), Terry Cordeiro (Lloyds Bank), Jane Zavalishina (Yandex Data Factory), Tim Jones (Mondex co-founder), Will Judge (MasterCard), Katie Evans (Money and Mental Health), Vasily Suvorov (Luxoft), David Rennie (gov.verify), Emma Lindley (Innovate Identity), Andy Tobin (Evernym), Ben Whittaker (Masabi) and other people who are shaping the future of retail electronic transactions right now will be discussing PSD2, shared ledgers, AI, real-time payments, the Internet of Things, financial inclusion, open-loop migration and everything else shaping strategy across a variety of industries.
 
In addition to a fireside chat about instant payments with David Yates (CEO, VocaLink) and Ron Kalifa (Vice Chairman, WorldPay), there will be an introductory keynote from me, the judging of the annual Future of Money Design Award for artists and, at the end of the first day, a 20th anniversary drinks and networking reception. You’d be mad to miss it. As always, the Forum is limited to 100 people to ensure everyone gets a chance to meet and interact with everyone else, so run, don’t walk, to our web site and buy a place right now. I look forward to seeing you all there.

Incidentally, listening to the BBC podcast narrating the story of our good friends Nick Hughes and Susie Lonie (Susie will be at the Forum too if you’d like to come along and say hi to her) brought back many memories, so I decided to conduct a little bit of post-industrial archaeology and I tracked down the presentations on M-PESA that Nick Hughes and our very own Paul Makin (who led the original feasibility study for M-PESA!) gave at the Centre for the Study of Financial Innovation (CSFI) in November 2005, when M-PESA had 300 users and eight agents!!! As of today, it has 25 million users and 261,000 agents across 11 countries.

You can read them here….

Nick Hughes [csfi_Nov_05_Hughes.pdf]

Paul Makin [csfi_Nov_05_Makin.pdf]

See you all in April when we get together and try to work out what the next M-PESA will be!

A way to embrace “over the counter” mobile money transactions

As one of the pioneers of mobile money (cutting my teeth on the initial service proposition and business model for M-PESA, way back in 2004, three years before commercial launch), I’m always naturally inclined to see its potential in a positive light. But I’m starting to wonder if maybe we need to give it a bit of a nudge – realign it, if you will.

One of the more interesting phenomena we’ve seen in recent years is the rise of Over The Counter (OTC) transactions – those transactions carried out by agents on a customer’s behalf, in many cases without any link to the real people relating to a transaction. We’ve seen cases where agents maintain four or five mobile money accounts, on different phones, so that they can spread their customers’ transactions across accounts and so avoid transaction limits.

The reasons for OTC can be various, but certainly include illiteracy, lack of appropriate language support on mobile handsets, and – fairly commonly – liability (after all, if things are going to go wrong, you want someone else to blame, don’t you?). But the obvious potential for money laundering means that this situation can be a financial regulator’s nightmare.

Of course, it doesn’t have to be this way, and there are examples of it being done properly, with even in some cases biometric authentication of all parties to an OTC transaction. Worldwide, however, this is rare.

But I digress. What I really wanted to talk about was the somewhat self-congratulatory attitude we in the industry are all guilty of at some time – after all, an industry that has grown from nothing to something more than 270 services in over 90 countries in only fifteen years is undeniably impressive. But I do wonder if we’re all kidding ourselves sometimes. I mean, sure, for the middle classes, and for many of the employed poor, it has been an amazing opportunity, and has transformed access to financial services. But there are gaps – possibly some big gaps.

As an example, I’d like to relate a recent experience. First, you have to understand that I believe you can’t develop anything new without spending time with the people who are going to be using it; so I like to go out to the field, and see what people are actually doing, not what the research tells me. Just sit and watch, and ask the occasional question. It can be very educational.

So we were working with this mobile money operator (MMO), who has a deal with an MFI for the delivery of MFI services through MM. On paper, it all looks very good, plenty of transactions, lots of people receiving loans and making repayments, all through MM. I was very keen to go to a group meeting and find out what the customers thought, how they used it, what else they did – the usual.

We turned up at the meeting, and the first thing that was happening was training from the field officer. Great. But there was a surprise in store; the training included the following advice about security: “Always keep your PIN secret. Never tell anybody. EXCEPT the Agent – you should whisper it quietly into his ear” – uh oh. The alarm bells started to ring.

And then the Agent turned up. At this point the field officer started to gather repayments, in the traditional way for group lending – laboriously entering everyone’s name into a list, checking that they have the cash to make the repayment, noting down the repayment amount, all at a glacial pace (now this is one area where investment in IT could make an immediate impact) – and then the mobile money part started. Each person making a repayment took their phone and their cash, one by one, to the Agent – who took their phone, ‘deposited’ the cash for them, then forwarded the repayment to the MFI.

There were also three loan disbursements that day, and the process was much the same: hand your phone to the Agent, whisper your PIN to him, walk away with a wad of cash.

All of these people at the group meeting are in the MMO’s books as active mobile money subscribers. So I have to ask: in what way are these people mobile money subscribers? How is this empowerment? All that I can see is that the MFI has outsourced their cash management problems to the Agent, who walks the streets with a bag full of cash. Glad that’s not me.

So there are clearly a large number of people, down towards the bottom of the pyramid, for whom the step from a pure cash environment to being asked to use a mobile money wallet or account to manage their finances is just too big. Expecting people who’ve never had a bank account to make the conceptual leap from paper cash to mobile finance in one step is asking too much. Without help many of them will never do it.

Maybe the way forward is to make the steps a little more manageable. Introduce an intermediate step. And I think the way to do that is to embrace OTC, but to do it in a way that formalises it and addresses the concerns of the regulatory authorities: give this section of customers a card, which identifies their account. Maybe secure it with biometrics, if you want. Let them visit an agent, and get the agent to do the transactions for them, but now with all transactions linked to the card/the account. Link it to their mobile phone, so that the more adventurous can see their balance via the MM service. Make sure they’re comfortable with this, and make sure there’s a migration path that leads to the full MM service over time.

After all, this is the long term migration path we’ve seen in Europe over the course of decades; the move from cash, to bank accounts, to debit and credit cards, to Internet banking and mobile payments has happened, of course; but with each step taking years or even decades. Expecting people immersed in a world of cash to make the leap in a matter of days or weeks is just unrealistic. Why should they be any different?

Footnote: Yes, the author is well aware of Safaricom’s moves to issue a companion card for the use of M-PESA for retail transactions. That’s somewhat different to the case described here, though in itself interesting.

Developing services that change people’s lives

One of the most exciting things about working here at Consult Hyperion is that you are involved in the design and delivery of services which have a huge impact on people’s lives. My family moaned when I asked the taxi driver that took us from the airport into Nairobi whether he used M-PESA. However they were soon having similar conversations as they realised how important the service is to every Kenyan they met. More recently they have accused me of being responsible for “card clash” on the London Underground and have resorted to buying shielded wallets to ensure that TfL only take money from the Oyster Cards that I fund!

Sat here as I am at the AidEx conference in Brussels, surrounded by the great and good of the Humanitarian Aid community, I feel that Consult Hyperion is on the verge of delivering yet another life changing service.

The refugee issue is a regular topic of discussion across all media. Most stories focus on the plight of the individuals walking across Eastern Europe. However there is a growing awareness of the impact of so many refugees on the local economy. For example Alex Forsyth, reporting for the BBC’s From Our Own Correspondent, highlighted that the holiday season in Lesbos has been extended, as people descend on the island to help the refugees arriving by sea.

The conversations in Brussels have focused on the need to provide aid to the refugees in the form of cash-based payments, rather than physical goods, such as rice or tents. The argument goes that if the refugees have the funds to buy the goods, then the entrepreneurs in the host country will invest in the distribution channels to ensure that the goods that the refugees need are where they want to buy them.

The trouble with cash is that it has a tendency to evaporate, i.e. not all the intended funds reach the recipient, even if it is transported into the region in 40 foot steel shipping containers on the back of a truck.  As we discovered in Nigeria the principal alternative, paper vouchers, have some major disadvantages. They are difficult to manage in large numbers; they must be printed by specialist printers; they have to be ordered significantly in advance; they have to be the right value to allow the refugee to spend all the funds in one visit to the merchant, even when the local currency is devaluing; the merchant and the agency running the scheme have to reconcile the vouchers before the funds can be provided to the merchant; and the used vouchers have to be stored in case of dispute.

Recognising this, there is growing support within the Humanitarian Aid community for the use of Cash Based Transfers (CBTs), essentially smartcard based e-money schemes, which can be rapidly established in times of crisis and in which the reconciliation process can be done automatically in the Cloud. The trials to date have focused on prepaid card schemes. But these also have significant disadvantages, since they require access to expensive payment terminals designed to operate in clean retail environments typically found in urban areas, whilst creating a huge problem with cash liquidity in the local community.

Groups of representatives from the Humanitarian Aid community under the auspices of Electronic Cash Transfer Learning Action Network (ELAN), the Cash Learning Partnership (CALP) and the High Level Panel on Humanitarian Cash Transfers, sponsored by DFID, have analysed these trials and documented their requirements for CBT solutions.

Reviewing these with the retail payment experts within Consult Hyperion, it became apparent we had already developed many of the building blocks required to deliver the Humanitarian Aid community’s ideal CBT solution:

•  A proven, robust and scalable beneficiary registration and voucher distribution service, The TAP Platform, which was used to register in excess of 500,000 subsistence farmers in Nigeria’s northern states to the Ministry of Agriculture and Rural Development’s GES voucher scheme. The transparent nature of the information stored within the system allowed us to remotely identify incorrect or fraudulent activity within the system and initiate remedial action accordingly.

•  Mobile applications which can be used to complete transactions initiated by tapping a smartcard to the merchant’s mobile phone, replacing the payment terminals and removing the need for physical cash.

•  AML/KYC compliance solutions developed for use in regions where regulatory supervision is limited, such as Somalia.

•  A group of ethical hackers who could validate the security of the end to end service.

The result is TeMS (the TAP e-Money Service), which we are launching at the AidEx conference. Our market research tells us that TeMS will make it easier for the Humanitarian Organisations to rapidly and securely deliver cash payments in areas with limited or no communications or electricity.

But there is a lot more behind that simple statement. The local community will be more inclined to welcome the recipients as they will bring income into the region. The teams delivering the aid will be able to focus on the financial awareness of the merchants and recipients, helping them to learn how to plan and save, rather than spending time reconciling paper vouchers or ensuring that there is sufficient cash in the region. Donors will have access to detailed information about who is receiving what aid and where, allowing them to respond to the growing demand for value for money information from their local media.

My hope is that my daughter, who is planning to spend time within the Humanitarian Aid Community when she graduates from medical school, will again be able to ask the people she is working with how a product Consult Hyperion developed has changed their lives.

Managing the join

Since 2008 we have been working with Transport for London to allow contactless payment cards (CPCs) to be accepted wherever Oyster cards are accepted. This was first achieved in December 2012 on buses (which are flat fare in London) using a retail payment model. The next step was to introduce a distance-based payment model to allow all the other transport modes to be included which have zoned fares. This was launched in September 2014.

All the convenience of Oyster (such as not having to queue to buy tickets and fares capping so that you do not need to understand the fares structure) but using a card already in your pocket. Whether you are local or just visiting. But this is for London only. And the solution is based on a risk model that knows the maximum charge for a single journey is not very much. The delivery of such a solution relies on the intelligence migrating from the card to the back office. TfL’s back office to allow acceptance of CPCs for transit is complex and took several years to build.

In early 2012 the TfL payment and security models for contactless payment card acceptance in London were pretty much complete and the rest was ‘mere implementation’. TfL asked us to help them consider how it might work if they offered their back office as a service to transport operators outside of London. These might be in the UK, or potentially anywhere in the world (though different payment models are likely to apply outside of the UK). We discussed at length the notion of using your ‘card as a token’, be it a payment card, Oyster, ITSO or, potentially, other secure contactless tokens. Eventually, the ideas were parked to allow TfL to focus on delivery of the system for London in conditions of extreme austerity.

Meanwhile, we were hired by the SEFT (South East Flexible Ticketing) programme to specify the rail validators that could accept ITSO as well as contactless payment cards. At the time, Transport for Greater Manchester was just starting to procure such a back office for their region. We pointed out to SEFT that this CPC back-office-for-transit stuff is complex and not standardised. It was therefore decided not to include any interfaces to the payment card back office at that time, and the SEFT validator specification was ‘mothballed’ for the time being.

Spare a thought for the traveller buying long-distance rail tickets that include travel within the London area. London supports Oyster and CPCs (and a few specific train operator ITSO products, but not many at this point in time). Some train operating companies are implementing 2-D barcode, and some are trying ITSO. But the only technology commonly read across the UK currently and for the foreseeable future is the cardboard ticket with magnetic stripe. Basically, any ticketing innovation is scuppered at the boundary between London and the rest of the UK. This problem is what our friends at Trainline call ‘managing the join’.

Hopes for contactless payment being accepted for transit outside of London were recently dashed with the announcement that Transport for Greater Manchester has sacked their back office supplier. And anyway, it has been speculated that CPCs only work within London because London is a special case and it could not work anywhere else because the operators will not co-operate and/or the fares are too high for the risk model to work.

Enter the cavalry in the form of the UK Cards Association. They are leading a project with the Department for Transport and others (including representing train and bus operators) to develop a contactless transit framework for the UK by the end of 2015. The project to date has identified three contactless transit models:

  • Standard retail model for transit: pay as you go model with a known fare, for buses and trams (like TfL bus retail model).
  • Contactless for transit model: pay as you go model where the fare is aggregated at the end of the day or journey leg, for multi-mode operators (like TfL distance-based model).
  • Card as Authority to Travel (CAATT) model: pre-purchase model.

This last model could be just what we need for ‘card as a token’ or ‘managing the join’ as we have called it. The idea is the customer:

  1. Purchases their ticket online and associates it with their CPC.
  2. Can view their purchase on their statement.
  3. Uses their CPC as their ticket on a train.
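The three steps above only work if the purchase and the gate agree on how to recognise the same card without the back office ever holding the card number. The following is an added example of that ‘card as a token’ back office, not code from the post, TfL, SEFT or the UK Cards Association project: the card is identified by a keyed hash of PAN and expiry (a simplification of how a real scheme would tokenise a CPC), the key, station names, dates and the test PAN are constructed for the example, and the tokenisation key would live in an HSM in practice.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Constructed tokenisation key for the example. A real back office would hold
# this in an HSM and never in source.
TOKEN_KEY = b"constructed-example-key-not-for-production"


def card_token(pan, expiry):
    """Keyed hash of PAN and expiry. The ticket store keys everything on this
    token, so a compromise of the store does not expose card numbers, and
    nobody without the key can compute a token from a PAN they have seen."""
    return hmac.new(TOKEN_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Ticket:
    origin: str
    destination: str
    travel_date: date


class AuthorityToTravel:
    """Back office for the CAATT model: tickets bought online, keyed by card token."""

    def __init__(self):
        self._tickets = {}  # token -> list of Ticket

    def purchase(self, pan, expiry, origin, destination, travel_date):
        # Step 1: online purchase, associated with the CPC by its token only.
        token = card_token(pan, expiry)
        self._tickets.setdefault(token, []).append(Ticket(origin, destination, travel_date))
        return token  # a reference the customer could match against their statement (step 2)

    def validate(self, pan, expiry, station, today):
        # Step 3: the validator reads the card, derives the same token and
        # looks for a ticket that covers this station on this date.
        token = card_token(pan, expiry)
        for t in self._tickets.get(token, []):
            if t.travel_date == today and station in (t.origin, t.destination):
                return True, f"valid {t.origin} -> {t.destination} on {today}"
        return False, "no ticket for this card at this station today"

    def stores_pan(self, pan):
        """Sanity check used in testing: the PAN must not appear in stored state."""
        return pan in repr(self._tickets)


if __name__ == "__main__":
    store = AuthorityToTravel()
    test_pan = "4111111111111111"  # well-known test PAN, constructed scenario
    store.purchase(test_pan, "12/27", "Manchester Piccadilly", "London Euston", date(2015, 6, 1))
    print(store.validate(test_pan, "12/27", "London Euston", date(2015, 6, 1)))
    print(store.validate(test_pan, "12/27", "London Euston", date(2015, 6, 2)))
```

The validator never needs a network round trip to the card issuer to answer “may this person travel?”; it only needs the token and the ticket store, which is what makes the pre-purchase model attractive where the retail and distance-based models’ risk assumptions do not hold.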

Watch this space …

Another report on falling cash usage in the UK


My son and I have been out and about, living the life of normal folk who don’t care about payments. We made a couple of cash payments and we made a couple of non-cash payments. We didn’t, however, make any chip and PIN or contactless or swipe payments.

The new PSR’s priorities


The UK’s new Payment Systems Regulator is now open for business. I imagine that their highest priority work stream will be around access to payment systems, because this is what “challenger” banks need in order to create the more competitive environment that the UK Treasury wants.

I’m not sure that “unbanked” is the problem or that “banked” is the solution


There’s been a lot of buzz around Bill Gates’ challenge to bank the unbanked, set out in this excellent Verge article. Naturally I agree with the sentiments, but the use of the word “unbanked” bothers me.

