Off the rails


[Dave Birch] A little while back, the always-interesting Tom Noyes raised an issue about "tokenization", a topic that is now (post-Money 2020) front and centre. Tom said that:

I am implying that banks could leverage their entire acceptance and authorization infrastructure without routing anything through V or MA.

[From Business Implications of Payment Tokens | FinVentures]

Tom's right. But, as I said at the time, let's not for one moment think that the folks at Visa and MasterCard are too dumb to have noticed this. Of course they have, and that's why they are working hard to develop propositions (e.g., wallets) that can deliver more value. Yes, bank tokenization could lead to ACH-based solutions that bypass the schemes, but will they? Now we read that…

Visa, MasterCard and American Express want to overhaul global e-commerce security, ditching account numbers in favour of digital tokens for online and mobile transactions.

[From Finextra: Card giants bid to boost online checkout security with digital tokens]

Visa already has some experience with this, as I mentioned a few months ago when I wrote about BankInter's token-based approach to NFC. The BankInter mobile app generates a one-use PAN that is valid for a short time and passes this "token" to the merchant terminal. Since it is a standard PAN, it wends its way across the network back to BankInter, where it is converted back to the customer's debit PAN and authorised. Why bother doing this? Well, it means that the merchant (and the processor etc.) never see the real PAN so it doesn't matter if it gets stolen, thus saving money on both fraud and fraud prevention. The solution re-uses the existing rails so it is not especially expensive to implement. This is hardly a new idea: one-use PANs have been around for yonks, but they are a huge pain in the arse for consumers because they have to run something to generate the PAN, then copy it over to whatever form you're filling out on the web. And there are other issues to do with refunds and so forth. But when a mobile app is doing it for them, consumers won't even know that it's not their "real" PAN that is being passed to the merchant.
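To make the mechanics of that flow concrete, here is an added illustration of an issuer-side token vault; it is example code written for this page, not BankInter's, Visa's or anyone else's implementation. It assumes a constructed issuer BIN (999900) reserved for tokens, a two-minute token lifetime, and constructed PANs; the point it shows is that the token is itself a well-formed (Luhn-valid) PAN so it can ride the existing rails unchanged, and that the issuer declines replayed, expired or unknown tokens when the authorisation comes back to it.

```python
"""Single-use PAN token vault (illustrative example, not any issuer's code).

The issuer's app mints a short-lived, one-use token that looks like a normal
PAN (Luhn-valid, issuer BIN), hands it to the merchant, and when the
authorisation request reaches the issuer the token is swapped back for the
real PAN and retired. BIN 999900, the TTL and all PANs are constructed.
"""
import secrets
import time

TOKEN_BIN = "999900"        # constructed BIN reserved for token PANs
TOKEN_TTL_SECONDS = 120     # constructed short validity window


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a PAN body (all digits except the last)."""
    total = 0
    # Double every second digit from the right, starting with the rightmost
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if pan is 13+ digits whose last digit is the correct check digit."""
    return pan.isdigit() and len(pan) >= 13 and luhn_check_digit(pan[:-1]) == pan[-1]


class TokenVault:
    """Issuer-side mapping from token PAN to real PAN with expiry and one-shot use."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._tokens = {}               # token PAN -> [real PAN, expiry, used]

    def issue(self, real_pan: str) -> str:
        """Mint a fresh, Luhn-valid, 16-digit token for real_pan."""
        if not luhn_valid(real_pan):
            raise ValueError("real PAN fails Luhn check")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._tokens:      # avoid the (unlikely) collision
                break
        self._tokens[token] = [real_pan, self._now() + TOKEN_TTL_SECONDS, False]
        return token

    def detokenize(self, pan_in_auth: str) -> tuple:
        """Resolve the PAN in an incoming authorisation; returns (status, pan).

        Legacy cards pass straight through; tokens are resolved exactly once
        and only inside their validity window.
        """
        if not pan_in_auth.startswith(TOKEN_BIN):
            return ("real_pan", pan_in_auth)           # ordinary card, normal path
        entry = self._tokens.get(pan_in_auth)
        if entry is None:
            return ("decline_unknown_token", "")
        real_pan, expiry, used = entry
        if used:
            return ("decline_replay", "")              # token already spent
        if self._now() > expiry:
            return ("decline_expired", "")
        entry[2] = True                                # retire the token
        return ("ok", real_pan)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.issue("4111111111111111")              # constructed test PAN
    print("merchant sees:", tok, "luhn ok:", luhn_valid(tok))
    print("issuer resolves:", vault.detokenize(tok))
    print("second use:", vault.detokenize(tok))
```

Because the merchant and processor only ever hold the 999900-prefixed token, a stolen copy is worthless once it has been used or has timed out; the refund problem the post mentions shows up here too, since a refund against the spent token would need the issuer to keep the retired mapping rather than delete it.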

This all sounds straightforward. Nevertheless we all, I'm sure, understand Tom's reasoning. When the first card network (Diners Club) was launched in 1949, the idea that there would be a free network connecting all of the consumers with all of the merchants and all of the banks was unimaginable (although not to science fiction authors – see Robert Heinlein's "Beyond This Horizon", for example) so it made complete sense to invent just such a network: by telephone and post, in the first instance, so that merchants would phone the network for authorisation and then send in their slips for payment. If you want to see how it worked behind the scenes in those days, check out the old Danny Kaye movie "The Man from Diner's Club" that I wrote about before. Magnetic stripes and automated authorisation, chip cards and 3-D Secure have made it all more efficient, but the basic concept hasn't changed. So, certain persons (e.g., merchants) say, why not? Now we have a network that connects all of the consumers and all of the merchants and all of the banks, so why don't we just use that? Why bother with Visa and MasterCard? Provided the consumer has some "token" to identify the relevant bank account, why can't they just give this token to the merchant and have the merchant go directly to the bank account to get their money?

One day soon, my Waitrose app will obtain tokens from my V.Me wallet, my MasterPass wallet, my PingIt app, my Zapp app and any other wallets it can find on my phone through a standard discovery process and standard API. Then when I check out at Waitrose, my app will pop up and take care of business. Maybe I will have configured my MasterPass wallet, which is where my John Lewis MasterCard will be stored, to allow the Waitrose app to charge £100 without additional authorisation.

Tom's right that this has significant business implications, which is why I was looking forward to his panel on the topic at Money2020. The tokens don't have to run over the conventional rails, which is why the schemes are moving to get a new standard in place quickly (and this is a good thing). So long as Waitrose don't surcharge, I will always have my app use my John Lewis MasterCard because I get cash back in John Lewis vouchers that I can use at Waitrose. I would always do this, rather than opt for the direct-to-bank payment mechanism, until such time as I am heavily incentivised not to. Tom says that

Each group is working to “lock out” others. Banks are working to lock up the ACH rails, V/MA are placing new network fees and controls, issuers are requiring tokens, retailers are locking up data and delivering financial services, MNOs are pushing SWP NFC.

[From Network War – Battle of the Cloud Part 4 | FinVentures]

Tom's point about ACH is an interesting one. Many industry observers have pointed out that a token front-end to ACH (either as a decoupled debit proposition or as a new low-cost bank-owned brand, like Zapp in the UK) might, given consumers' revealed preference for debit, be what many of the stakeholders would prefer. Except, of course, banks. They would (perfectly reasonably) point out that they have no incentive to move to this.

The network where banks have the most influence is ACH, yet they don’t want to encourage ACH use as there is no revenue.

[From Payment Tokenization | FinVentures]

Indeed. So there are two options: make them do it (rather like the Faster Payment Service in the UK), or couple ACH with non-payment revenue opportunities around data (the mobile wallet).

One final point about tokens for today. On Tom's panel, the discussion ranged around what I have taken to calling "weak" tokenization (ie, one-shot PANs) and what I have taken to calling "strong" tokenization (ie, the consumer's identity in some form or other). I will blog about this in the future, but I just wanted to note here that if the schemes were to adopt a long-term strategy to shift to strong tokenization, then I cannot see why this would be restricted to e-commerce. It would surely be logical to allow people to continue legacy card use at POS for limited purposes but to shift both card-present and card-not-present transactions to the "something present" model. Thus, as a consumer, I have the same payment experience whether in-store, online or via mobile. When I want to buy something, a message pops up on my phone asking me to authorise the transaction, which I do.

American Paycho

[Dave Birch] My wife was very suspicious about my time in Vegas. I told her that nothing unsavoury had occurred, but unfortunately she had the proof. CSI:Woking had spotted that some undershirts in my suitcase had been packed neatly. Damn! She knows I never put away undershirts properly, so I was caught with my pants folded, so to speak. Cornered, I had to tell her the truth…

I love the Peter Rauhoffer “Doomsday” remix of the Frankie Goes To Hollywood 80s classic, “Relax”. It’s a track that genuinely benefits from the longer version, allowing the textures of the music to evoke and to interweave to form a richer version than the original. Yet the nostalgia that I have for the original remains, refracted and enhanced through the remix. Perfect for a walk across the Aria concourse, into the guest elevators and up to the room.

Pulling on my Marks & Spencers cords, which I think still look good although they are last year’s sage green, I take the elevator down to the casino level. I’m not sure which way to turn, so I just stand there, people watching for a few minutes. A very attractive young lady walks up to me wearing a pair of Gap shorts. I think she must have recognised me from my Money2020 water bottle.

“Hey,” she says, “are you looking for some company?”

Yeah, I tell her, I’m looking for Dwolla.

“Me too” she says, and suggests that we go up to my room and I give her five of the new Benjamins. I wasn’t sure if she misheard me because of the loud music or my accent.

I’m outraged by her suggestion, I tell her. Her proposition is disgusting and I reject it utterly. I find the $100 bill morally questionable and simply will not use it. But I am interested in her tender choices. “Have you tried Square?”, I ask her.

“No,” she tells me, and then goes on to say “and if you suggest PayPal, I’ll call the cops myself”.

I’m curious. So I ask her “Is this because of chargebacks?” (which is what I suspected) “or is there some other reason?”.

She ignores me. So I ask her whether future tokenised ACH-based solutions might be interesting to her because of the limited chargeback rights, but she tells me that she has suddenly remembered she has an important meeting. She presses a card into my hand and leaves. I can’t be bothered to read it so I slip it into my pocket.

You’ve got to take your hat off to the Money2020 folk. Out of nothing, they have created a star in the firmament of payments conferences. If you are in our industry, you can’t not go. Everyone is there, and while it is undeniably exhausting to fit a year’s worth of meetings into a week, there is an efficiency to it that means the Consult Hyperion crowd will be there again next year. I finish the meetings of the day and get ready for my session. I think that as there are a lot of bankers present I need to think carefully about my clothes. I think that a suit will hit the right note and luckily I’ve brought a dark grey one that will work. I picked it up a few years ago at a little place in Manhattan called Men’s Wearhouse. I haven’t told the other guys about this place because I sort of want to keep it as my secret. If they find it they find it. I think the grey looks good with my white Thomas Pink shirt and my blue Manchester City tie.

After the session I decide that a glass of champagne is in order so I head over to the exhibition hall where, as you might imagine, there are girls suspended from the ceiling pouring glasses of champagne as you walk underneath them. I don’t always feel like champagne, generally preferring a gin and tonic at this time of day, but I’ve seen some pretty positive tweeting about my session (it’s not every day that you are labelled the Obi-Wan Kenobi of moderators) so champagne seems appropriate even though it’s not what I really feel like. Conflicted.

Champagne

Once the alcohol starts to work, I can feel my anger starting to burn. I thought I’d made the funniest joke in the entire history of payments conferences. One of the keynote speakers, who had presumably never seen the movie, said that Money 2020 was like Woodstock for payments experts and then went on to announce that his bank was about to launch an NFC product. So I said that he must’ve taken the bad acid. This is a joke that is hilariously funny on several levels. To see why you have to be familiar with the soundtrack of the 60s counterculture gathering. Rather famously, at one point in the soundtrack the stadium announcer warns people against taking the wrong type of acid (this is slang for the noted hallucinogenic lysergic acid diethylamide). Given all of the negative comments about NFC during the last couple of days, my joke was drawing a parallel between the hallucinogenic nature of our acid experience and the location of NFC in a bank strategy. I’m still laughing now thinking about it.

But goddam that Ron Shevlin. He pointed out that the soundtrack soundbite is actually a warning against taking the “brown acid” not the “bad acid”. Goddam that Ron Shevlin. Next time I see him, I’m going to have a nail gun and plenty of polythene sheeting in the trunk.

The best keynote was from Dan Schulman at American Express. He was dressed pretty casually, a carefully-assembled dress down Friday set, and I felt I echoed his outfit perfectly in my sage-green Marks & Spencer’s cords. He talked about financial services for the unbanked, which I will blog about at length shortly, and hit just the right tone. He’s talking about a big win-win.

I love JJ Cale. In fact I’d forgotten how much I love JJ Cale. When I was at college, I used to listen to JJ Cale all the time. “Have you heard the news, it’s same old blues again”. It’s country rock, I suppose, but more than the sum of the parts. When he died, they played a wonderful live version of “After Midnight” that I’d never heard before. Played it on Paul Jones show. So I googled around and found it, went over to Amazon and ordered the CD, but thanks to the brilliant Amazon download service I was able to load the tracks into my iTunes before the CD arrived. Great album, with an especially fun version of “Mama Don’t Like”.

Most fun technology play? That was definitely Loop with their induced magnetic field stripe simulator. Who knows whether it will work out. I was talking with some of the guys over coffee and there was a definite sense that using phones to simulate cards is not the long term trajectory, which is using phones to get rid of cards. At the end of the day though there were two technology threads that I thought would be most immediately relevant to our clients. One is tokenization, the other is “new POS” as you might call it. Tablets and APIs to deliver niche POS services. Companies like Leaf, for example. And the First Data Clover play in that space is sure to be significant. When I was Down Under last year I saw Commonwealth Bank demonstrate something similar and remember thinking that an app store for POS would lead to some innovation, part of the process of replacing special-purpose devices with general-purpose devices plus special-purpose software.

I wanted a relaxed look for dinner, so I went with the Marks & Spencer’s cords (I think Sage Green is a good look for dinner in such a dark restaurant) and went down. The guys were already at the table. We have a beer. I move around until I’m sitting next to the most attractive woman at the table. It takes negotiation because she is the only woman at the table. Sitting quietly, trying to think of something to say to her. The conversation wanders around until, suddenly, she transfixes me. Wow. She knows everything about the early history of Diner’s Club and how it lost out to American Express because of their heavy investments in technology. She knocks me out with the best piece of payments-related film trivia I’ve ever heard. In the 1963 Danny Kaye caper “The Man from Diner’s Club”, Danny is shown clowning around in front of the Diner’s Club computer, which looks exactly as you would imagine a computer might look in a film from 1963. But Diner’s Club didn’t have a computer; this was invented for the film. Wow again. What a woman. I ask her to go downtown with me, but she says she has had a long day and is off to bed. I wonder if she thought it was a euphemism?

The defining album of psychedelic space rock, and one of the top ten best live albums of all time, is Hawkwind’s “Space Ritual – Alive in Liverpool and London” (1972). I walked through the casino with “Earth calling… this is Earth calling…” rebounding through my head like echoes in a crystal cave. The key changes in the remastered version of “Orgone Accumulator” are visceral. You can feel them reverberate through your body. It must be what the steady throb of life-support machinery in an interstellar spacecraft feels like.

I meet up with the guys and we decide to hit the tables. I want a more casual look, so I decide to go with the Marks & Spencer’s cord and my favourite Ralph Lauren shirt. We jump in a cab and head down to the Golden Nugget. I notice that none of them are dressed as stylishly as me, especially with my Boots light-tint glasses that I think round off the look perfectly. Downtown, I pay for the taxi ride using my watch, as I imagine most normal people would do in the circumstances.

Would you believe it! We end up at the Golden Gate, where it looks as if the gogo dancers are celebrating my good fortune. I’m $50 up from an evening of craps (which I was taught to play by American colleagues Lanny Byers and Howard Hall and ended up loving) and blackjack. I had the good fortune to find myself at the tables between a raven-haired beauty and a knockout blonde. Before you say anything there’s no hypocrisy here. We weren’t gambling with cash, but with casino chips. These are a kind of special-use currency (they would be exempted under the provision of the Payment Service Directive under the limited redemption exception) that you can only use in the specific casino that issued them. Like all currencies, they are a target for forgers. They looked pretty easy to counterfeit to me. Not especially secure at all, not like nuclear missile launch codes or something, which is why a dude in a hat keeps coming round and counting them while the cuties deal the cards.

The blonde seemed to know a fair bit about payments. She was a Brit, so she knew what a real-time payment system looked like. I’m glad I’ve run into her, because her bright white top looks great against my favourite Ralph Lauren shirt, and because the Brit presentation about Zapp, the new bank-centric ACH solution for retail, was one of the best panels I’d attended. I ask whether, in retrospect, it might have been better for the Brits to have gone with an ISO 20022 XML-based standard so that the payment system could carry additional remittance information. She becomes inexplicably drowsy and so she has to leave. It must be jet lag, I guess. I turn back to my left but she is gone too. I see her playing craps with the guy who won $5000 in gold in the SecureKey draw at the exhibition. Gold. Huh.

Walking back into my room at 4am I remember the card in my pocket, and I take it out. It says “call XXX-XXX-XXXX and we’ll have a girl in your hotel room in 20 minutes”. So I call and give my room number, and they say the girl is on her way. I tell them that she needs to bring a Coke and some potato chips. When the girl arrives, she tells me she’ll do whatever I want, so I give her some Tide hand wash and send her into the bathroom with my undershirts and pants while I settle down to enjoy my refreshing beverage and overcome my night starvation. She dries off my smalls with the hairdryer and folds them neatly into my suitcase. It’s Las Vegas, people. It’s cheaper to get a hooker than to use the hotel minibar or laundry service. Anyway, getting that girl was the fatal error. I should have put the smalls back in the suitcase myself, then I’d have got away with it.

Heading out to the airport I put Serena Ryder’s “Stompa” on a loop. It’s a lovely confection, stirring together what sounds to me like a little bit of country (although other people say that they can’t hear this), a little bit of dance and a little bit of rock to make a delicious new flavour. Something you can’t stop eating, like the Ben & Jerry’s ice cream that we were given at Money2020 last year.

I’m going home via New York. A detour out of the City to see a special lady in Brooklyn. I decide to go with sage green Marks & Spencer’s cords, and I pull on my favourite Ralph Lauren shirt to go with it. The shirt is old and the collar is torn. The shirt was old when I got it from the thrift shop. Well, truthfully, my sister-in-law got it from the thrift shop for me. Long story that involves Bill Gates, but that’s for another time. The shirt has just the right weight and cut for me. It’s comfortable and stylish, but it’s finished. I have a spot in the garden for it when I get home. I pull on my Eddie Bauer rain jacket (it’s raining) and complete the look with a pair of Boots light-tint prescription glasses. I take the F-train to a little spot she tells me about. I walk in and immediately notice that there’s an iPad with a Square stand where a POS terminal should be.

Coffee-Shop POS

I ask the girl behind the counter about her POS choice. She tells me that they used to use the audio jack reader but it was unreliable. She loves the new arrangement and is very happy with it. I ask her about cardless choices and she tells me that people do occasionally pay with the iPhone app and she finds it convenient when they do. Nice. She swipes my Simple and I entirely pointlessly sign for the transaction. I spend a few minutes explaining my anti-fraud strategy to her (amazingly she’d never heard of Sergio Agüero, two-goal hero of Manchester City’s 3-1 triumph over Everton last weekend) and show her my watch. I think she wanted to learn more, but she told me that she’d just heard that her grandmother was sick and she had to leave right away. Oh well.

Signed and Sealed

When I get back in to the City, I meet up with a couple of old friends and we go for a coffee down by Union Square. We stroll in to the coffee shop.

“Check that out”, I whisper as we stand in the line. I gesture at the window, trying not to draw too much attention to myself.

“What?” says my colleague, staring through, not at, the decals in the window.

“Come on, ” I urge them, “really look”. But they don’t get it, so I have to go and show them. The coffee shop has LevelUp and PayPal logos in the window. I have no choice but to try both of them, so I get in line and order a coffee and pay using PayPal Here.

Dave Birch & Graffiti-0274

Then I get in line and go round again and pay with LevelUp. Both of them work perfectly. The dynamic is good, because I have time standing in the line to run the relevant app and then the transaction itself is super quick. And in both cases I get the receipt e-mailed to me, which I love, because I hate standing there waiting for a printer to churn out a paper receipt (is this regulation “E” or regulation “Z”?) that I have no interest in and immediately throw away. I ask the girl behind the counter about her preferred options and she says that she likes LevelUp, but she doesn’t say why. Maybe not everyone has as distinctive a cartoon caricature in their PayPal wallet.

Dave Birch & Graffiti-0285

A psycho is a person with a mental disorder that makes them prone to behaviour that normal people would regard as abnormal, but that the subject regards as completely normal. A paycho is a person with a mental disorder that makes them prone to believe that normal people think that electronic payments are fascinating, absorbing and central to their lives. For most of the year, I’m just a regular paycho. But for one week every year, I’m an American Paycho.

(With sincere apologies to Brett Easton Ellis.)

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.

Pals in Palo Alto

[Dave Birch] Well we went off to our first ever Bay Area Tomorrow’s Transactions Unconference. For those of you not familiar with these, “Tomorrow’s Transactions” is Consult Hyperion’s brand for our thought leadership activities in digital identity and digital money (hence the Tomorrow’s Transactions Blog and the Tomorrow’s Transactions Podcast and the Tomorrow’s Transactions Forum), and an Unconference is the use of “open space technology” in events where the agenda for the day is chosen by the participants. Hope you get the picture. If not, here’s one of Gloria Benson welcoming me to the Palo Alto Golf and Country Club for the day!


One of my very favourite authors, David Wolman, kicked the day off by reading from his book “The End of Money”, a copy of which was provided for each of the delegates, and then he joined me on stage for a “fireside chat” with a couple of questions from me to get things started and then questions from the delegates.


After David and I had spent some time speculating about the trajectory of cash in the retail payment space, Nate Wehunt from City National Bank mounted a strong defence for the physical and took the opportunity to announce their new cardless ATM product, whereby you go to an ATM and ask for money, the ATM displays a QR code that is scanned by your City National app. You authenticate on the handset and then the cash drops out of the machine. Excellent idea, although it still wouldn’t persuade me to use cash anywhere other than strictly necessary, such as Las Vegas, to pick a random example.


Somebody asked me if there was anything that surprised me about the day and I have to say that there was and it came from an unexpected direction. After we gathered in the notes in the morning, I saw that there were quite a number of notes asking questions about payments regulation and making observations about the role of payments regulation in innovation. I thought regulation would be a bit boring and that no one would want to talk about it, so I gathered those notes together for an afternoon session and I thought that, since I couldn’t really ask anybody else to do something I thought would be boring, I chaired the table myself. It turned out to be fantastically interesting. Not only were there people at the table who had practical, day-to-day, experience of dealing with US payment regulations, there were people who had interesting ideas about how the regulations could be improved. It was terrific.


My main takeaway from that session was that the people running payment-related businesses weren’t as upset as I thought that they would be about the patchwork nature of US regulation and, in particular, the need for state-by-state licensing for money transmission businesses, because from a business point of view the costs of identity-based compliance were far, far greater. The people round the table were telling me that the cost of know your customer (KYC), anti-money-laundering (AML), and anti-terrorist financing (ATF) regulations (now collectively known as CDD, “customer due diligence”) were the focus of concerns because the associated costs are high and ongoing. I thought I’d make a useful contribution to the group by bringing in the issue of the Financial Action Task Force recommendations on a risk based approach to payment regulation, which I’ve written about at length before on the blog, and by being optimistic about how improvements in the identity infrastructure might help.

One point I could have made, but didn’t want to make too much of the conversation about the UK, was that there are some discussions underway in a number of fora (such as at Intellect, the UK IT trade association, and the Payments Council) about the idea of some kind of financial services passport. Maybe something like this could really help in the US as well. The FIDO Alliance, which was the subject of informed discussion at one of the other tables (because Phil Dunkelberger, their CEO, took part in the discussions) are providing hope on the authentication front and this might be combined with hope from the federated identity side to at least make the vision plausible. I might imagine such a passport being used to open bank accounts, obtain new credit cards, get insurance, manage investment accounts and so on.

This could greatly reduce the costs of CDD, especially if the federated “recognised” customer identity was mutually recognised by the banks and the regulators. So I show up in the US and open up a Simple account, Simple have to bear the cost of the initial CDD, but in addition to giving me an account they give me my financial services passport so that the next time I go to open an account, get a post-paid mobile phone, or get a new credit card then I can just use that Simple passport and no one has to go through these costs again.

But back to regulation. One topic that came up in passing was the European Commission’s consultation on third-party direct access to bank accounts (the so-called XS2A consultation). I will blog about this properly later on but I do want to make the point that it’s an example of a potential regulatory change that may seem obscure from a distance but is actually quite revolutionary if it is adopted. If I can give a third-party permission to access my bank account, much as I give applications permission to post to my Twitter account, then I would think that a great many service providers will opt to go down that route rather than use conventional card networks and this has obvious strategic implications for people investing in the cards businesses. One of them might be, as I’ve long suspected, that the son-of-EMV will be identity driven and more about the passport than the payment.

Lanny leads the discussion

There were great tables about EMV in the USA and the impact of recent announcements about tokenization on retail payments strategies, key trends in the security space, the design of new payment networks and so on. As far as I could see every single table generated a buzz of discussion and people came away feeling that they’d learned more than had I forced them to sit in rows and read PowerPoint.

We had a nice interlude before lunch. Through the superpower of Twitter I discovered that Forum friend Heather Schlegel was in town, so I asked her to pop over and tell people about her new project, the Future of Money TV series. Heather is, as she put it, eating her own dog food by raising money for the series on Kickstarter. I’ll be supporting Heather’s project and I hope that you will too.


Then it was out to lunch in the beautiful California sunshine where, as you might expect, we spent most of the time discussing the Umberto Eco’s admonition that we should not be nostalgic for Disneyland as a post-modern explanation for the relationship between the gold standard and Bitcoin, amongst other things.


After my thought-piece reviewing some predictions about the future of money from 1998 (I’ll put these in a separate blog post), we had our second round of discussion tables and then we gathered around to join a terrific session led by Sam Lessin, Head of Identity Products at Facebook.


Sam grabbed a pen and a flip chart and proceeded to make everyone really think about the role of transactions in the future. I will not attempt to repeat any of Sam’s excellent riffs on the balance between financial and social capital, except for one observation on the relative value of social and financial capital. He said that if all of his financial capital vanished then his social capital would mean that he could rebuild it, but conversely if his social capital disappeared then it would be much harder for his financial capital to restore it. (Although, as Spike Milligan famously observed, while money may not buy you friends, it does buy you a better class of enemy.) I hope I didn’t annoy Sam by pointing out that Shakespeare had thought of this first! Anyhow, I intend to refer to Sam’s model in a book I’m writing at the moment, so more on this later.

I hope the implications of what Sam was saying were not lost on delegates from the world of banking (ie, identity is the new money). A decade from now, Visa and MasterCard might well be switching your identity, your credentials and your reputation as much as they are switching your ability to pay for something. Making the bank the place that stores your identity, since you can store your money anywhere, makes sense in a world where (if Sam is right) social capital re-asserts its superiority over financial capital.

We had an extended Q&A with Sam, exploring facets of the reputation economy, and then wrapped with coffee, more dessert and sunshine networking. I’d said at the beginning of the day that we run the Unconferences to get new ideas, and that the best way to get new ideas was to give your ideas away for free. Palo Alto proved that calculus of creativity to be substantially accurate.


Britain’s no longer number one and I for one am celebrating


At the UK Card Association autumn reception, which was rather splendidly held on the walkway over Tower Bridge, giving an excellent view of the city of London by night, forum friend Melanie Johnson, the Chair of the Association, gave a super talk about pickpockets and prostitutes and there was much good cheer. Melanie used to be a politician but she's really nice and it was a pleasure to see her again. In her talk she mentioned that the industry has had some success in reducing card fraud, but I feel that she missed the opportunity to celebrate a tremendous milestone in the evolution of our card payments industry. So let me do it for her…


I couldn't resist raising a glass of the champagne so liberally supplied and making a toast to our friends across the water. Yes, the UK is no longer the card fraud capital of the continent. France has overtaken us and, as the chart below shows, while there's a really big drop off to the number three position, we should be pleased to be number two for a change.

European Card Fraud mid-2013

In France, overall fraud losses have risen by two-thirds in the last five years, with the highest lost-and-stolen fraud levels in Europe. Although fraud is rising in the UK (up 14% last year and up even faster in the first half of 2013) it is still below its historic high.

The number of frauds against plastic card accounts (e.g. credit or store cards) rose by 19% in first half of 2013 compared with the last six months of 2012. Frauds targeting loan products (personal unsecured loans and payday loans) also increased markedly over the same period.

[From Plastic card account fraud (e.g. credit or store cards) rose by 19% in first half of 2013]

Despite our sterling efforts (sic), it is Russia that has the fastest card fraud growth rate. Overall, card-not-present fraud is booming everywhere, but the UK issuers have spent a lot of money on fraud detection, as evidenced by the phone calls I get from my issuers from time to time. I get robocalls from my bank asking me to confirm transactions (some of which, if I recall, were chip and PIN transactions); a chap from an issuer asked me if I had used my card for something or other online, which I couldn't remember but which turned out to be a shareware licence fee (and which, as I recall, was a chip and PIN transaction); and I got a message asking me to call Amex to see if I'd used my card in a Detroit car wash (I hadn't, and my new Amex card arrived yesterday).

You can see how, from the card industry point of view, things aren't too bad. According to the UKCA's annual report for 2013, fraud on UK-issued cards is a touch over six basis points (a decade ago it was over 13 basis points), so the investment in chip and PIN has worked. But this is a narrow analysis. Yes, chip and PIN has made some impact on card-present fraud (although criminals are coming up with ever more sophisticated scams to get hold of cards and PINs), and yes, significant industry investment in various types of fraud prevention and detection systems has stopped card-not-present fraud from zooming off the scale, but this has been at the expense of other stakeholders. The costs have been transferred to merchants and consumers and law enforcement.

If we were keeping a lid on fraud, then all of these costs (e.g., PCI-DSS costs) could be justified and (perhaps shared more fairly) sustained. But they are not. Fraud is going up and the cost of fraud is going up too. LexisNexis reckon that every dollar in fraud loses merchants almost three dollars in total costs. When we as industry add up the total costs of fraud, the costs of fraud prevention and the associated costs that fall on others (e.g., the cost of handling chargebacks) then the picture is not so rosy. Chargebacks are a particularly interesting case: I mentioned before that the most interesting panel that I attended at the CNP Expo this year was the one about chargebacks. I suppose like a lot of people in the payment space I don't spend too much time thinking about the retailers' issues with chargeback management, but these costs are high.

Results of the LexisNexis Fourth Annual True Cost of Fraud Study drive home this point. Conducted by Javelin Strategy & Research, the study calculates the overall cost of chargebacks for merchandise, as well as fees and interest paid to financial institutions and processors to replace and redistribute lost or stolen merchandise. In 2012, that cost worked out to $2.70 for every $1.00 in fraudulent transactions, up from $2.30 in 2011, and that doesn't count costs associated with lost business.

[From The Green Sheet :: E-Magazine]

The costs are not distributed evenly, as you might imagine.

Merchants hardest hit by card fraud are those with mobile, e-commerce and international transactions, the LexisNexis report revealed. In 2012, mobile merchants paid $2.83 for every $1.00 lost, compared to just $2.00 in 2011.

[From The Green Sheet :: E-Magazine]

At that expert panel on Best Practices for Chargeback Management, I learned a lot about the nature of these costs. For example, I learned that criminal fraud using stolen credit card information is the most visible source of chargebacks for merchants, and the most prevalent kind of fraud. Jim Rice, director of market planning for LexisNexis, said during the session some two-thirds of a US merchant’s fraudulent transactions, on average, originate from professional fraudsters using stolen credit-card information. It is just too easy to steal card data and then go and use it. But there's a growing problem for merchants in "friendly fraud", where a cardholder or accomplice makes a card-not-present purchase, receives the goods and then calls the card issuer or merchant and claims he never received it. Rice noted that friendly fraud accounts for a fifth of all fraudulent transactions and that it is more costly to merchants than traditional criminal fraud because it is more expensive to investigate. Jim also pointed out that sometimes chargebacks are not the result of nefarious actions on the part of outsiders at all but stem from the operational processes of the retailers themselves. In fact, an otherwise healthy merchant can expect more than a fifth of their chargebacks to be caused by business process failures.

I think that latter problem is going to get worse. It happened to me a while back when I saw a charge I didn't recognise on my card statement and called up to put it into dispute. It subsequently turned out to be a perfectly valid charge, but it was for a transaction in Spain (where I had been) that was acquired through a French parent company, leading to a reference that meant nothing to me. I spent a while puzzling over the charge ("What is this? I didn't go to France last month") and pointlessly clicking on the online statement for more information (there wasn't any – my issuer knew no more about it than I did). Hopefully, when we get working digital wallets, this problem will go away because my wallet will link the charge and the receipt for me.

In the last two decades we've stuck some band-aids on cards and shoehorned them into new channels while avoiding fundamental changes to the legacy infrastructure. It's time for change. We need to start work on post-internet infrastructure that reduces the costs of fraud and shares those costs fairly across the stakeholders in proportion to the risks that they are prepared to take. Some retailers might prefer a high risk, low cost option (rather like they do in Germany) whereas others might prefer a lower risk but higher cost option. I might mention this idea to a few people at the Merchants & Payments Conference in London in October. Consult Hyperion are one of the sponsors for this excellent event (I've had a heads up on the delegate lists and I'm really happy to see so many merchants coming along – it signals to me that payments have become interesting to them again) and I'm looking forward to chatting to John Lewis, IKEA, Carrefour, Aurora, Waitrose and others to find out what they want from the next-generation payment products. See you there.

Missing transactions


[Paul Makin] Consult Hyperion are strong advocates of mobile money – we believe that not only does it offer the best route for financial inclusion, it also represents the next generation of financial services, unencumbered by legacy issues and constraints.

So we’re disappointed to note that, of the 191 services that are apparently live (according to the Mobile Money Tracker), very few of them have reached that milestone of 1 million customers – the level at which they can be viewed as a profitable, successful service. In fact, rather less than 10% have reached this point.

Why are so few reaching this milestone? We contend that in many cases it’s to do with relevance to most customers’ lives. Much of the industry is founded on watching M-PESA, and doing what they do: to paraphrase, “M-PESA is built on domestic remittances (P2P), and M-PESA is successful, so we must do the same”. But Kenya is different from many other countries in having such a strong culture of domestic migration. The consequence is that very few services have been able to build a base of regular and sustained P2P transactions. And since the profitability of mobile money services is largely determined by the number of transactions they carry out rather than the amount spent, they need to find other transactions beyond P2P if they are going to prosper.

Consider this. The large majority of the unbanked populations in emerging markets do not have access to refrigeration, so that they need to buy fresh food every day. Whether they buy the staples from a small shop or from a market trader, it is likely that this amounts to (say) one transaction a day, or 7 over the course of a week. In even the most optimistic scenario where a customer receives a P2P remittance from a relative once a week, these small retail transactions outnumber P2P by 7:1!

Addressing Retail

So if retail transactions are the answer, the question becomes “how?” Merchants are not going to be willing to sign up to multiple mobile money operators with the attendant inconvenience of using multiple MMO handsets with multiple transaction experiences and making multiple claims for settlement in order to accept payments, and so an interoperable solution is needed.

The conventional answer to this problem is the payment switch: someone – probably a bank or a large international payments organization – should be tasked with providing a switch, connecting all of the merchants, banks and mobile money operators, and giving customers a card. This familiar solution, the standard model in the so-called developed world, has evolved over five decades to overcome limitations such as the difficulty of communication, the limited availability and power of computers, and the reliance on paper for confirming contracts.

But emerging markets are coming to this need for interoperable payments with a blank sheet, to which none of these limitations apply: we have powerful mobile telecommunications, mobile phones which exceed the power of the fastest supercomputers of 30 years ago which can all interconnect via the mobile Internet, and an understanding of modern cryptography. Taken together, these factors give the emerging markets the potential to leapfrog the rest of the world and to adopt a truly modern approach to payments interoperability.

WinguPay

Consult Hyperion have developed such a solution. We call it WinguPay. It:

  • Allows complete interoperability for retail/merchant payments across participating mobile money operators and banks;
  • Uses a single merchant smartphone or POS terminal for all transactions;
  • Makes no assumptions about the capabilities of the customer’s mobile phone;
  • Does away with the need for a switch;
  • Does not require the retailer to have multiple accounts – his/her account can be at any participating mobile money operator or bank;
  • Uses public key cryptography to ensure the integrity and confidentiality of transactions;
  • Uses NFC technology to enable customer identification.

The details of WinguPay are too complex to set out in this blog post.  I’ve prepared a White Paper, which may be downloaded at:

http://www.chyp.com/assets/uploads/Documents/2013/09/White_Paper-MM_Interoperability-Introducing_WinguPay_V0_8.pdf

Of course, adopting WinguPay is not sufficient. There also need to be changes in tariffs, of which more in another blog post.

Technological optimism


Another day and another discussion about the relationship between electronic payments and economic growth. I referred back to this:

The fact that converting cash into e-payments directly leads to an uplift in the macro economy of a region.

[From Mobile Banking: The beneficial impact of e-payments on GDP]

Hannes is absolutely right to highlight the central point. I've read an excellent book on this and related topics called "Banking the World — Empirical foundations of financial inclusion". As I wrote in a review of this book, the title is a little misleading since what many people in the developing world want is not access to formal banking at all but access to transactional payment services (that might be provided better on a utility basis by mobile phone operators or retailers as much as by regulated banks) and access to semiformal and informal sources of capital.

The various chapters had some numbers that I couldn't help but snaffle for use in presentations! Half of the world's adult population do not use formal financial services to save or borrow; having a mobile phone increases the chances of being banked across the board by around 12%; Singapore has 600 bank branches per 1000 km² of land area whereas Ethiopia has less than one. That latter point begs an obvious question: does Singapore have lots of banks because it is rich, or is it rich because it has lots of banks? You would think that the former clause explains everything, but it doesn't, and this book deals with that latter clause. Why? Because the availability of private credit leads to economic growth, and with no access to private credit and the other financial tools necessary for entrepreneurship, the poor will remain so.

To a technologist like me, there is no doubt about what to do. The mobile phone is cause for optimism. I know how to connect the excluded. But connect them to what? A great many policy makers seem to see banks as the end point, whereas I think it's the non-banks that can really make a difference. We (as a society) want banks to be risk averse, heavily regulated and tightly controlled. This makes them good for society as a whole but does not necessarily make them good for the least well-off in society.

I should say, by the way, that the book is actually a useful collection of chapters written by a variety of experts and will be of interest to anyone working in this field. It's not only for those working in the developing world! There are a great many lessons we can draw from the examples here to help us deal with the difficult problem of excluded groups in the developed world right now. Look at the US, where attempts to raise the total social cost of payments to new highs and to reattribute those costs toward poorer members of society seem to be going well.

Chase and PNC have both been launching ATMs that churn out exact change to the dollar, allowing customers to withdraw denominations as low as $1 and $5. Chase (JPM, Fortune 500) has rolled out between 350 and 400 such ATMs over the past 18 months, and the count is expected to double by the end of the year. Customers can type in the withdrawal amount, opt for "custom denominations" and select how many bills they want in denominations ranging from $1 to $100. The new machines, located within branches or drive-thrus, even have the capability of dispensing coins, a service that will be piloted soon and eventually rolled out nationwide.

[From New ATMs dispense $1 and $5 bills – Jan. 17, 2013]

I loved the way CNN presented this story. Further down the page we see

Related: ATM fees hit record high, free checking accounts decline

[From New ATMs dispense $1 and $5 bills – Jan. 17, 2013]

Related? I'll say. The solution for the less well-off in society is efficient near-bank transaction accounts and electronic payments at POS, not expensive checking accounts and $3 ATM fees on a $9 withdrawal. It's time for some social policy in this field.

Finally, and nothing to do with payments, I would just say that I found the chapter on the role of social capital particularly interesting. I am very curious about the relationship between formal, informal and social institutions as providers of financial services into otherwise excluded groups because the new technology allows a great many possibilities beyond the "standard" bank account. The detailed statistical examination in this chapter distinguishes between the social capital of individuals and the generalised trust in a society and shows how the ability to build up social capital delivers access to both informal and semiformal capital. (By contrast, access to formal capital depends more on generalised trust.) I have to say that the book made me even more convinced that electronic transaction networks, whether through mobile phones or agent networks or whatever, have a direct impact on the lives of the least well-off. I read, to give one example, that fertiliser use depends on the farmer having savings at the right time. Therefore the financial tools to overcome this problem contribute directly to alleviating hunger. This isn't theoretical or esoteric work, it's practical and vital work.

Secure electronic transactions sometimes sounds like a rarefied and esoteric area of interest and expertise. It isn't.

Risky business


Over the Bank Holiday I thought I'd take the time to sit down and read through the Financial Action Task Force (FATF) document "Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services". Remember, I do this so you don't have to. I was specifically looking to see if the proposed risk-based approach might overcome the fundamental problem that new payment systems run into: that compliance imposes such a huge burden on new retail and interpersonal payment systems that it stops them from being viable even when they deliver a great new service that customers want (and that might reduce the overall social costs of payments).

So here we go.

First of all, let's be clear about the scope. The document slightly jumbles the technology and the service to my nerdish gaze. I'm a bit of a purist so I would prefer to see them separated. I don't think the technology should be part of the regulation. A prepaid account should have the same regulation irrespective of whether it is on a plastic card or on a mobile phone or in the cloud or wherever.

To ensure that the guidance in this paper is relevant and practical, it will focus particularly on three categories of NPPS: (1) Prepaid cards; (2) Mobile payment services; and (3) Internet-based payment services. It is important to note that NPPS are increasingly interconnected, both between these three categories and with traditional payment methods.

The regulations under discussion, Know Your Customer (KYC), Anti-Money Laundering (AML) and Anti-Terrorist Financing (ATF), are brought together under the acronym CDD, or "customer due diligence". I think I'll switch to using this handy acronym from now on as well.

The G20 Principles for Innovative Financial Inclusion… allow countries to apply a risk-based approach allowing, for example, the application of reduced or simplified customer due diligence (CDD) measures for certain lower-risk products or even, in justified cases, for an exemption from CDD measures.

Now this is, in principle, a very good thing. Assuming that we agree that low-value payment products (I prefer using LVPs as the relevant acronym) are low risk, then a risk-based approach would exclude them from CDD altogether.

Countries should require financial institutions to undertake the following steps for CDD in line with Recommendation 10: (i) identification and verification of the customer’s identity; (ii) identification of the beneficial owner; (iii) understanding the purpose of the business relationship; and (iv) on-going monitoring of the relationship.

This makes no sense in a great many countries because the identification at the root of CDD is non-existent, so getting rid of it for LVPs is an immediate and significant benefit to the less well-off and should be encouraged.

Where NPPS are lower risk and sufficiently low loading or usage limits are applied, countries should still require financial institutions to give sufficient attention to the detection of smurfing and structuring schemes intended to circumvent the thresholds and suspicious reporting requirements.

Which is fair enough. In my head, this means that we should let anyone who wants one have an LVP and then use "big data" to look for unusual patterns. This is an infinitely more effective law enforcement technique than creating barriers to LVPs and then having no data to analyse. The obvious question is, then, about the LVP boundary. When it comes to discussing cross-border wire transfers, the document suggests a thousand dollars as the breakpoint, which seems reasonable to me as that would cover most of the remittance traffic that directly benefits people in developing countries. For LVPs in general, a maximum account balance of something in the region of $1,000 seems similarly reasonable.

Should that be a firm boundary? When the document comes to discuss (qualitative) risk factors, it does acknowledge (in Table 1) that setting transaction and account limits is a means to lower the risk factors. I couldn't agree more. So let us set firm limits below which no CDD burdens apply and make the CDD more diligent above those thresholds.
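One way to make the "firm limits plus pattern search" split concrete, as an added example that is not from the FATF guidance or from Consult Hyperion: the hard limits are enforced at load time without any identity check at all, and structuring is looked for afterwards over the transaction data. The limit values, the Tx and Limits types and the three sample accounts are all assumptions constructed for the example; the $1,000 figure is the one discussed above, and the other numbers are illustrative.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Tx is one load onto a low-value payment (LVP) account. The type and
// the sample data below are constructed for this example.
type Tx struct {
	Account string
	Amount  float64 // account currency units
	When    time.Time
}

// Limits are the firm thresholds the post argues for. The numbers are
// illustrative: the 1,000 aggregate and balance mirror the figure in the
// text, the rest is assumed.
type Limits struct {
	PerTx     float64       // single-load ceiling, declined outright above it
	Window    time.Duration // look-back window for aggregation
	Aggregate float64       // windowed total that triggers review
	Balance   float64       // hard cap on the account balance
}

func DefaultLimits() Limits {
	return Limits{PerTx: 250, Window: 24 * time.Hour, Aggregate: 1000, Balance: 1000}
}

// Admit applies the hard limits at load time: no identity check, just a
// ceiling per load and on the resulting balance.
func Admit(t Tx, balance float64, lim Limits) (bool, string) {
	if t.Amount > lim.PerTx {
		return false, "exceeds per-transaction limit"
	}
	if balance+t.Amount > lim.Balance {
		return false, "would exceed account balance limit"
	}
	return true, ""
}

type Alert struct {
	Account string
	Total   float64
	Reason  string
}

// FlagStructuring is the after-the-fact pattern search: every load stays
// under the per-load ceiling, but the total inside the window exceeds the
// aggregate threshold (the smurfing/structuring case the guidance names).
func FlagStructuring(txs []Tx, lim Limits) []Alert {
	byAcct := map[string][]Tx{}
	for _, t := range txs {
		byAcct[t.Account] = append(byAcct[t.Account], t)
	}
	accts := make([]string, 0, len(byAcct))
	for a := range byAcct {
		accts = append(accts, a)
	}
	sort.Strings(accts) // deterministic output
	var alerts []Alert
	for _, a := range accts {
		list := byAcct[a]
		sort.Slice(list, func(i, j int) bool { return list[i].When.Before(list[j].When) })
		start, sum := 0, 0.0
		for end := range list { // sliding window over time-ordered loads
			sum += list[end].Amount
			for list[end].When.Sub(list[start].When) > lim.Window {
				sum -= list[start].Amount
				start++
			}
			if sum > lim.Aggregate {
				alerts = append(alerts, Alert{a, sum, "windowed total exceeds aggregate threshold"})
				break
			}
		}
	}
	return alerts
}

// SampleTransactions is constructed data: "alice" stays under the aggregate,
// "bob" structures 5 x 240 inside a day, "carol" spreads the same loads over
// five days.
func SampleTransactions() []Tx {
	base := time.Date(2013, 9, 2, 9, 0, 0, 0, time.UTC)
	var txs []Tx
	for i := 0; i < 4; i++ {
		txs = append(txs, Tx{Account: "alice", Amount: 240, When: base.Add(time.Duration(i) * time.Hour)})
	}
	for i := 0; i < 5; i++ {
		txs = append(txs, Tx{Account: "bob", Amount: 240, When: base.Add(time.Duration(i) * 2 * time.Hour)})
	}
	for i := 0; i < 5; i++ {
		txs = append(txs, Tx{Account: "carol", Amount: 240, When: base.Add(time.Duration(i) * 36 * time.Hour)})
	}
	return txs
}

func main() {
	for _, a := range FlagStructuring(SampleTransactions(), DefaultLimits()) {
		fmt.Printf("review %s: total %.2f (%s)\n", a.Account, a.Total, a.Reason)
	}
	ok, why := Admit(Tx{Account: "dave", Amount: 300, When: time.Now()}, 0, DefaultLimits())
	fmt.Println(ok, why)
}
```

The two functions deliberately do different jobs: Admit is cheap, synchronous and needs nothing about who the customer is, while FlagStructuring runs over whatever history has accumulated and only ever produces a review request, never a decline, which is the division of labour the post is arguing for.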

As an example, the closer the functionality of a NPPS is to a bank account, the greater the need to apply comparable regulation, including the application of full CDD measures.

I wasn't sure what "comparable" means because words such as "closer" don't have a precise meaning. Right now, something is either a bank account or it isn't, and I don't really see a problem with that. The idea of transaction accounts or payment accounts that are regulated separately from bank accounts makes sense, but the idea of assessing risk on how close these are to bank accounts doesn't. If they are bank accounts (if, for example, they allow overdrafts), regulate them as bank accounts. If not, and if they have limits as discussed, then don't.

The European regulator acknowledged the claims of the operators and allowed single Member States to apply a simplified CDD for electronic money up to certain thresholds: EUR 150 when electronic money could not be reloaded and a yearly turn-over of up to EUR 2,500 when electronic money could be reloaded. The second electronic money Directive in 2009 raised the threshold for electronic money which cannot be reloaded to a maximum of EUR 250.

The limit of €2,500 per annum is probably on the low side and I'd prefer something in the region of €5,000, but it is tolerable. For a Polish worker sending €500 per month back home it is too low, but for a teenager spending €100 per month on music and games and clothes it is more than enough.

The U.S. requires all providers of "Money or value transfer services" (MVTS), wherever they may be based in the world, to be licensed and registered in the U.S. if the MVTS provider offers services in the U.S. This obligation has particular relevance for Internet-based MVTS providers that may have no easily identifiable physical business presence anywhere.

To me this sounds like a tremendous barrier to innovation, but that's for another post some time. I wanted to move on to make a point about risk in a risk-based approach. One risk that doesn't seem to be addressed in the document is the risk that high CDD barriers to LVPs will mean that criminals, money launderers and terrorists will carry on using cash and therefore be invisible to law enforcement agencies. I have argued before that it is more important to be able to track the flows than to know, for certain, who the endpoints are. FATF quite correctly say that

Unique to a mobile payment are the phone numbers of the sender and receiver as well as the sender, and potentially the receiver’s, SIM card information. There may also be information captured by the MNO regarding the exact location of the sender and receiver’s phones at the time of the transaction. Depending on the size and nature of the transaction, location information may be a useful component of the transaction record.

Now, to me, that amount of information suggests that we should be doing everything we possibly can to persuade people to use mobile payments at all times and in all circumstances even if we haven't the slightest idea who they are because the information exhaust from the transactions is so valuable, and not only for law enforcement. Therefore, the regulators should exempt LVP from CDD and immediately boost the take-up of a wide variety of mobile payment systems around the world. That is the logical step to take in a risk-based approach. They can then focus their attention (and resources) on larger transactions and, within reasonable bounds, use "big data" to do the heavy lifting on LVP transaction analysis to look for suspicious patterns.

Nice try


In the UK, where we have had chip and PIN for a few years now, we see card fraud falling. No, wait, I mean rising…

The number of frauds against plastic card accounts (e.g. credit or store cards) rose by 19% in first half of 2013 compared with the last six months of 2012. Frauds targeting loan products (personal unsecured loans and payday loans) also increased markedly over the same period.

[From Plastic card account fraud (e.g. credit or store cards) rose by 19% in first half of 2013]

It's not as if card fraud is the only kind of identity-based fraud that is on the increase either. Criminals are becoming steadily more sophisticated in their attempts to get control of accounts of all kinds. Here's the anatomy of this kind of scam.

The woman was targeted by a phishing email purporting to be from her bank. The email directed her to a web page, a replica of her bank's website. The fraudsters were sent her banking details after she entered them on the fake website. Her stolen details were then sold for £3,200 to another criminal network, who used a third fraudster to call the bank posing as the victim and have contact details associated with the account changed. Her [£1m] savings were stolen via online transfers to numerous accounts, including several controlled by other individuals.

[From Police arrest phishing gang]

A million quid payoff for a £3,200 investment in someone's bank log-in details. No wonder "spear phishing" to get the credentials of wealthy customers is on the up. The costs of all of this fraud are not only the direct losses but all of the money that is wasted elsewhere in the economy dealing with it. Just as a proper assessment of the cost of card fraud should include the cost of PCI compliance, so the cost of identity fraud should include the wasted time, money and resources it triggers. This is probably best illustrated by a sequence of events in my own household recently. I'd logged in to my online banking portal to do something or other, and this message from my bank came up:

An increasing number of people have been falling for a persuasive phone scam known as 'vishing'. Be on alert so you can protect yourself against it. Fraudsters have been calling people and posing as someone from a bank's fraud investigation team, the police, a telephone or internet service provider, a utility company, etc. The scammers then try to get credit or debit card details, internet banking security codes, bank account details or other personal information.

A useful reminder about the dangers of this fast-growing category of crime. And it came just a day or two after I got a letter from my bank talking about new and improved security for my account. Unfortunately, in order to take advantage of this new and improved security I have to call the telephone banking service, and since I never use the telephone banking services I have no idea what the passcode is. I don't know why they can't authenticate me using the same dongle that I use for Internet banking, but whatever. So I can't say what the amazing new security is, only that there is some.

Anyway, while I was logged in, my mobile phone rang. I wasn't going to answer it, because it was an 0800 number, and I assume that 0800 numbers are double-glazing salesmen ("this isn't a sales call, we're conducting a survey of homeowners in your area"). Generally speaking, I don't answer my mobile unless the number shows as recognised. I figure if it's anything important, the caller will either leave a message or text me. But because I had been reading something about savings account interest rates on my portal, my brain was temporarily scrambled and I picked up the call. Here's how it went…

Me: Hello.

Suspected fraudster: Hello, this is [card issuer]. Can you answer a couple of security questions please?

Me: Who are you?

Suspected fraudster: This is [card issuer]. We need to talk to you about your account.

Me: Wait a moment.

I opened up another browser window and logged in to the issuer, pulling up the last few transactions.

Me: OK, I'm looking at my account right now. If you tell me the value of any one of my last ten transactions, I will answer your security questions.

Suspected fraudster: I can't do that.

Me: Why not?

Suspected fraudster: Data protection.

Me: OK, give me a number to call you back then.

Suspected fraudster: I can't do that, this is a call centre. But I will give you another number to call. Please call 0800 XXX XXXX.

Me: What is that number for?

Suspected fraudster: I can't tell you because it will divulge the nature of the call.

Me: Nice try. Bye.

At this point I hung up. Then, out of natural curiosity, I googled 0800 XXX XXXX to see if it showed up on one of those fraud reporting web sites. It turned out to be the number for the fraud department of my card issuer. So I called it and was informed that there had been a transaction using a clone of my card at a supermarket in Michigan while I was in Copenhagen. As a result, they were cancelling my card and a new one is on its way. I was going to call back and ask them if they could send me one with no stripe on it and automatically decline all further stripe or non-3DS transactions on that card, but had run out of energy at that point.

Now, on the one hand, you might say well done for spotting the suspicious transaction and calling me up. Since it is a card I use in the USA, they can't yet block all stripe transactions, although I suppose they could block stripe transactions that occur in the US less than six hours after a PIN transaction in Europe. But my issuer has an excellent iPhone app that I use, so here are two suggestions for a better system.

  1. Let me use my iPhone app to turn the card on and off, and
  2. When you spot a suspicious transaction, message me via the app. Someone who steals the phone won't know the app PIN so they wouldn't be able to read the message.
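The two suggestions, the opt-in "decline all stripe or non-3DS" preference and the six-hour rule from the paragraph above, written out as issuer-side authorisation logic. This is an added example, not code from Consult Hyperion or from any issuer: the region and entry-mode labels, the Card and Decision types and the timeline in main are all constructed for it.

```go
package main

import (
	"fmt"
	"time"
)

// Region and EntryMode labels are this example's own, not any scheme's codes.
type Region string
type EntryMode string

const (
	Europe Region = "EU"
	USA    Region = "US"

	ChipPIN   EntryMode = "chip+pin"
	MagStripe EntryMode = "magstripe"
	CNP3DS    EntryMode = "cnp-3ds"
	CNPPlain  EntryMode = "cnp-no-3ds"
)

type CardEvent struct {
	When   time.Time
	Region Region
	Mode   EntryMode
	Amount float64
}

// Card is issuer-side state: the customer's on/off switch and opt-in blocks
// from the post, plus the approved history the velocity rule needs.
type Card struct {
	Enabled     bool
	BlockStripe bool // customer asked for all magstripe transactions to be declined
	BlockNon3DS bool // customer asked for non-3DS card-not-present to be declined
	History     []CardEvent
}

type Decision struct {
	Approve bool
	Reason  string
	Notify  bool // true: push a message to the app instead of a robocall
}

// Authorise applies, in order: the customer's switch, the customer's opt-in
// blocks, then the velocity rule from the post (a magstripe transaction in
// the US less than six hours after a chip-and-PIN one in Europe is declined).
// Only approved events join the history, so a declined clone cannot poison it.
func (c *Card) Authorise(e CardEvent) Decision {
	if !c.Enabled {
		return Decision{false, "card switched off by customer", true}
	}
	if c.BlockStripe && e.Mode == MagStripe {
		return Decision{false, "magstripe blocked at customer request", true}
	}
	if c.BlockNon3DS && e.Mode == CNPPlain {
		return Decision{false, "non-3DS card-not-present blocked at customer request", true}
	}
	for _, prev := range c.History {
		gap := e.When.Sub(prev.When)
		if prev.Mode == ChipPIN && prev.Region == Europe &&
			e.Mode == MagStripe && e.Region == USA &&
			gap > 0 && gap < 6*time.Hour {
			return Decision{false, "magstripe in US < 6h after chip+PIN in Europe", true}
		}
	}
	c.History = append(c.History, e)
	return Decision{true, "", false}
}

func main() {
	t0 := time.Date(2013, 9, 25, 12, 0, 0, 0, time.UTC) // constructed timeline
	card := &Card{Enabled: true}
	fmt.Println(card.Authorise(CardEvent{t0, Europe, ChipPIN, 42.50}))                     // Copenhagen, approved
	fmt.Println(card.Authorise(CardEvent{t0.Add(5 * time.Hour), USA, MagStripe, 88.00}))  // cloned card, declined
	card.Enabled = false
	fmt.Println(card.Authorise(CardEvent{t0.Add(26 * time.Hour), USA, MagStripe, 10.00})) // switched off
}
```

Every decline sets Notify, which is the point of suggestion 2: the explanation goes to the app the customer already has rather than to an unsolicited phone call that is indistinguishable from a vishing attempt.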

If we had a real identity infrastructure, then the phone would have a key pair in tamper-resistant memory (either on the SIM, or in a Secure Element or within a Trusted Execution Environment) and the card issuer would send a message encoded using the public key, safe in the knowledge that it could only be decoded in the handset with the corresponding private key. Now that Apple has the Secure Enclave in the iPhone 5S, I'm sure it will only be a matter of time before I will be able to phone up my bank and mutually authenticate through it (using their public key, my private key and my fingerprint). Why doesn't mobile wallet infrastructure focus on obvious and important critical shared services such as these? This is the sort of question I will be asking at the GSMA Mobile Money Conference in New York on 14th-17th October 2013. Look forward to seeing you there.
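The two mechanisms described above, the issuer-to-handset message that only the handset's private key can open and the mutual challenge-response authentication, as an added example that is not code from Consult Hyperion, Apple or any issuer. It assumes RSA keys held in memory (standing in for the SIM, Secure Element or TEE key pair the paragraph describes) and an AES-GCM envelope for the message body, since a public key alone only encrypts a few hundred bytes; the Party and Envelope types and the sample alert text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Party struct {
	Name string
	Pub  *rsa.PublicKey
	priv *rsa.PrivateKey // in the post this lives in SIM, SE or TEE; here in memory, demo only
}

func NewParty(name string) *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // RNG failure: nothing sensible a demo can do
	}
	return &Party{Name: name, Pub: &k.PublicKey, priv: k}
}

// Envelope: AES-GCM ciphertext, the AES key wrapped to the recipient's public key, sender's signature over all of it.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

// digest prefixes a purpose tag so a signature for one purpose (envelope) cannot be replayed as another (auth).
func digest(tag string, parts ...[]byte) []byte {
	sum := sha256.Sum256(bytes.Join(append([][]byte{[]byte(tag)}, parts...), []byte("|")))
	return sum[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: only the holder of recipient's private key can read msg, and the recipient can check it came from p.
func (p *Party) Seal(recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, []byte(p.Name)) // sender name bound as associated data
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest("envelope", wrapped, nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, ct, sig}, nil
}

// Open checks the signature against the expected sender before touching the ciphertext, then unwraps and decrypts.
func (p *Party) Open(sender *rsa.PublicKey, senderName string, env *Envelope) ([]byte, error) {
	d := digest("envelope", env.WrappedKey, env.Nonce, env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, d, env.Signature, nil); err != nil {
		return nil, fmt.Errorf("rejected: not signed by %s", senderName)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(senderName))
}

// Challenge-response: the verifier mints fresh random bytes (crypto/rand) per attempt, the prover signs
// them with its private key, the verifier checks with the key it holds for that prover; run both ways.
func (p *Party) Respond(challenge []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest("auth", challenge), nil)
}
func VerifyResponse(pub *rsa.PublicKey, challenge, response []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest("auth", challenge), response, nil) == nil
}

func main() {
	issuer, handset := NewParty("issuer"), NewParty("handset")
	env, _ := issuer.Seal(handset.Pub, []byte("constructed alert: card used in Michigan while you were in Copenhagen"))
	msg, err := handset.Open(issuer.Pub, "issuer", env)
	fmt.Printf("handset read: %q (err=%v)\n", msg, err)
}
```

Two design points matter for the vishing scenario earlier in the post. Open verifies the issuer's signature before it decrypts anything, so a message that did not come from the key the handset holds for the issuer is rejected outright, which is exactly the check the caller on the phone could not offer. And the purpose tag in digest keeps the two signing uses apart, so a captured envelope signature cannot be replayed as an authentication response; in the fingerprint case the post describes, the tamper-resistant element would release the Respond signature only after the fingerprint check.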

But in case you aren't planning to make it to New York, we also have another splendid Consult Hyperion blog competition, also involving mobile wallets, for a free place at an event a bit closer to [our] home, Pay360 in London on October 2nd.

We are currently carrying out consumer research in the US about consumer attitudes to mobile wallets. We will select the winner from the commenters who correctly predict the type of organisation US consumers most trust to issue mobile wallets. The choices are banks, Google, telcos, retailers and 'no-one, I'd never use such an abomination'. Usual terms and conditions apply (no Chyp employees or contractors, prize awarded at our discretion, look left and right before you cross the road etc etc).

However, even if you don't win, my colleague Raymond Lee and I will be facilitating workshops at Pay360, which promises to be highly interactive and a bit more fun than the average conference so we do recommend that you attend.

Making it easy


[Anthony Pickup] Consumer research sometimes makes me wonder. This piece for example, released by SYNQERA, a Russia-based provider of personalized multi-channel communications, a few months ago, shocked me to the core by revealing that 73% of American consumers found the process of waiting to pay for their shopping their least favourite part of shopping in store. Sadly there was no further information about the remaining 27% who clearly love queuing but perhaps they were too busy re-ordering all their possessions in alphabetical order to answer any more questions. 

I had plenty of time to contemplate this statistic the other day in my local corner shop when I got stuck in a queue behind someone trying to make a UK government Simple Payment. It took so long to authenticate them that they let me queue jump to make a cash payment for a lottery ticket (I didn’t win).

Obviously there are people who enjoy a difficult or boring payments process, but technology ought to be making these things faster. Indeed a large part of what we do is about making payments, online or in person, easier, quicker and less confusing, something that should be a common goal for retailers and payment providers.

As much of the recent misinformed media storm in a tea-cup about contactless shows, there’s a lot that needs to be done by payments providers to show that new payments methods are safe (there’s only so much we can do). A customer who isn’t sure which of their cards made the payment is a customer who’s going to reach for cash next time.

However there is still a lot to do to improve the actual process itself, online and off. Online, cart abandonment rates can reach as high as 80%. There are a multitude of reasons for this, including shock postage rates and intrusive cross-selling, but hard-to-navigate payment processes are a big one. Extra steps in the online payments process, added by 3D Secure for example, can be a step too far when someone is buying on impulse. That’s surely one of the reasons Amazon makes its checkout process so straightforward.

This is one area where mobile phones could really make everyone’s life easier. Not just by enabling mobile checkout for online shopping – mobile dropout rates are high too – but by doing things that real life leather wallets can’t. We talk about the “triple A play” – authentication, apps and APIs – that go towards blending the payments experience so seamlessly into the retail experience that it disappears (think Hailo for example). Indeed, I favour the “quadruple A play” in the following order –  apps (what the customer uses), APIs (how the app talks to systems via interfaces), authentication (of the app via the API process and consumer through the API) and authorisation (the decision that the customer is allowed to perform the transaction).

In store, mobile payments can cut down on physical queuing time by bringing the POS to the customer, and on the tedium of queuing by offering messages and coupons. Online, adding a mobile channel into the mix can introduce extra security and reassurance into the payments process without the need for additional passwords. For mobile payments themselves, Facebook’s plans to test a new feature to reduce the hassle of form filling when shopping online sound like a step in the right direction. In fact, by offering at least an API and a degree of authentication, Facebook could simplify payments for a significant number of customers.


Overspecialize and you breed in weakness


[James Sellwood] An article reporting on one of the briefings given at Black Hat 2013 came to our attention recently and triggered an interesting discussion amongst our numerous security-minded staff. The briefing, “The Factoring Dead: Preparing for the Cryptopocalypse”, discussed recent work on the mathematical problems which cryptographic algorithms such as RSA and the Diffie-Hellman key exchange protocol rely upon as being 'difficult'. The security of RSA rests on the difficulty of factoring large integers, specifically the product of two large primes, whilst Diffie-Hellman relies on the difficulty of the Discrete Logarithm Problem (DLP).

As the briefing and article both point out, the means by which we solve these two problems are similar enough that advancements in the methods used to solve one problem have historically led to advancements in the methods used to solve the other. The briefing's authors believe that recent work indicates that in the "next two to five years" we may find ourselves in the situation where these problems can no longer be relied upon as the foundation for security systems. They recommend that we begin a concerted effort to move to Elliptic Curve Cryptography (ECC) as a widespread replacement. Whilst ECC relies on a similar problem, it would be far less affected by the advancements they believe may come.

It was the potential timeframe associated with this "Cryptopocalypse" that initially triggered our discussion. In particular, staff discussed the number of times such prophecies had been heard before and the ongoing use of other cryptographic algorithms, such as DES, which are no longer considered 'secure' in the general case.

Algorithms such as DES and 3DES haven’t yet been completely replaced because they haven't yet had their underlying security foundations ripped away. Whilst DES is no longer secure for most applications, because its keys can be brute-forced in a relatively short period of time, the algorithm itself is still believed to be strong. 3DES is equally considered a strong algorithm, although it has been shown that the effective strength of the 3-key and 2-key configurations is not what was intended, with 3-key configurations currently taking a greater hit in proportion to key size. Such attacks do not, as yet, reduce the cover time to a point where the algorithm is worthless.

If factoring became possible in polynomial time (in other words, if the advancements result in it being ‘easy’ to do) then RSA would likely be completely crushed. It would be like finding a flaw in DES that has not yet been found, and may not exist. The repercussions of this would be potentially monumental if it happened sometime soon and, whilst I have no opinion on the time frame in which this might happen, it seems to me more plausible than an algorithm like DES succumbing to a serious flaw in its ability to secure data (without brute force of the now far too small key space).

As I see it, the difference between the advancements discussed by the briefing and the expiration of algorithms like DES is precisely why we don’t know when such a break in RSA might occur. Determining when DES would need replacing due to too small a key space was a straightforward assessment of computing power. It was no surprise that the speed of brute-forcing DES keys improved incrementally year on year; the computing power used to perform the search was increasing in step. DES only offered a single key size to the user and so there was no way to increase the challenge as the computational power increased. Whilst RSA can be performed with varying key sizes depending on security requirements, the advancements we are discussing may easily neutralise even this protection. With advancements in factoring we are actually changing the algorithmic mechanism with which we search for the solution, rather than just running the same algorithm on faster hardware. Such changes to the algorithm can therefore have a dramatic effect by reducing the complexity of the task rather than just working that bit faster. If factoring in general does become ‘easy’ in the near future, then the size of RSA key likely to be required to provide a reasonable level of security would be so great that the computational cost of performing RSA calculations would make it worthless. The issue, and the driving point of the briefing, is that those of us not working in this field have no idea when such jumps may occur or how great they will be.

Whether or not you believe that algorithms such as RSA will fall in the next few years, there is good reason to work on alternatives. The research time so far spent on the problems relied upon by RSA and Diffie-Hellman is significant and far in excess of that so far devoted to alternatives like ECC. As with all replacement technologies, it is only when the technology being replaced is finally unavailable that the real test begins. That said, it is not advisable to just wait for that time to come when the potential repercussions of a new technology's teething issues could be significant in the modern world of information security. Systems should be designed with appropriate mitigations in place depending on their requirements. Systems that must secure data for more than a few years, and systems that must secure highly confidential information, should be designed with mechanisms for key and algorithm roll-over in place.

Whilst it is not the case that everyone is ignoring this issue, there is a significant dependency on RSA which continues to grow as more and more systems are developed without support for alternatives. In essence the problem is one that needs consideration whether discussing RSA or any other cryptographic algorithm which is relied upon to such a degree. Whether the briefing’s “Cryptopocalypse” happens before wide adoption of alternatives remains to be seen. For now, continued work on alternatives is worthy of our attention.
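One concrete form of the key and algorithm roll-over mechanism argued for in the two paragraphs above, written as an added example for this page rather than taken from any product or from the briefing: every signed message carries an algorithm identifier and a key identifier, the relying party binds each key to exactly one algorithm and keeps a list of retired algorithms, and the move from RSA-PSS to ECDSA P-256 is then a policy change rather than a change to the message format. The envelope layout, the algorithm names and the key ids are assumptions made for the example; the RSA and ECDSA calls are Go's standard library.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope names the algorithm and key used, so the relying party, not the
// message format, decides what is still acceptable.
type Envelope struct {
	Alg, KeyID   string
	Payload, Sig []byte
}

// Signer options per named algorithm (names are assumptions for this example);
// a new algorithm is one entry here plus a case in verify, no envelope change.
var signOpts = map[string]crypto.SignerOpts{
	"RSA-PSS-SHA256":    &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthAuto, Hash: crypto.SHA256},
	"ECDSA-P256-SHA256": crypto.SHA256,
}

// signingInput binds alg and key id into the signed bytes, so relabelling an
// envelope under another algorithm invalidates its signature.
func signingInput(e Envelope) []byte {
	h := sha256.Sum256(append([]byte(e.Alg+"|"+e.KeyID+"|"), e.Payload...))
	return h[:]
}

// Seal signs a payload with any crypto.Signer (*rsa.PrivateKey, *ecdsa.PrivateKey, an HSM handle).
func Seal(alg, kid string, key crypto.Signer, payload []byte) (Envelope, error) {
	opts, ok := signOpts[alg]
	if !ok {
		return Envelope{}, errors.New("unknown algorithm " + alg)
	}
	e := Envelope{Alg: alg, KeyID: kid, Payload: payload}
	sig, err := key.Sign(rand.Reader, signingInput(e), opts)
	e.Sig = sig
	return e, err
}

func verify(pub crypto.PublicKey, digest, sig []byte) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return rsa.VerifyPSS(k, crypto.SHA256, digest, sig, nil)
	case *ecdsa.PublicKey:
		if ecdsa.VerifyASN1(k, digest, sig) {
			return nil
		}
		return errors.New("bad ECDSA signature")
	}
	return errors.New("unsupported key type")
}

// KeyRing is the relying party's policy: the keys it trusts, the algorithm
// each key is bound to, and the algorithms it has retired.
type KeyRing struct {
	keys    map[string]crypto.PublicKey
	algs    map[string]string
	retired map[string]bool
}

func NewKeyRing() *KeyRing {
	return &KeyRing{map[string]crypto.PublicKey{}, map[string]string{}, map[string]bool{}}
}
func (r *KeyRing) Add(kid, alg string, pub crypto.PublicKey) { r.keys[kid], r.algs[kid] = pub, alg }
func (r *KeyRing) Retire(alg string)                         { r.retired[alg] = true }

// Verify rejects unknown keys, alg/key mismatches and retired algorithms
// before it spends any cycles on the signature itself.
func (r *KeyRing) Verify(e Envelope) error {
	pub, ok := r.keys[e.KeyID]
	switch {
	case !ok:
		return errors.New("unknown key id " + e.KeyID)
	case r.algs[e.KeyID] != e.Alg:
		return errors.New("algorithm does not match key " + e.KeyID)
	case r.retired[e.Alg]:
		return errors.New("algorithm retired: " + e.Alg)
	}
	return verify(pub, signingInput(e), e.Sig)
}

func main() {
	rk, _ := rsa.GenerateKey(rand.Reader, 2048)
	ek, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ring := NewKeyRing()
	ring.Add("rsa-2013", "RSA-PSS-SHA256", &rk.PublicKey)
	ring.Add("ec-2013", "ECDSA-P256-SHA256", &ek.PublicKey)
	old, _ := Seal("RSA-PSS-SHA256", "rsa-2013", rk, []byte("payment 1")) // constructed payloads
	cur, _ := Seal("ECDSA-P256-SHA256", "ec-2013", ek, []byte("payment 2"))
	fmt.Println("before:", ring.Verify(old), ring.Verify(cur))
	ring.Retire("RSA-PSS-SHA256") // the day factoring gets easy: one policy change, no format change
	fmt.Println("after:", ring.Verify(old), ring.Verify(cur))
}
```

The check that the envelope's algorithm matches the one the key was registered with is what stops a downgrade: an attacker who controls the Alg field cannot make the relying party interpret an RSA key's signature under a weaker scheme, and because the algorithm name is also hashed into the signed bytes, relabelling an existing envelope invalidates its signature outright.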

