London taking contactless for half of PAYG

Four years ago Consult Hyperion completed a transit project which not only changed the way people paid for their travel but cemented contactless in the vocabulary of the masses. We were focussed on getting contactless bank cards to work for pay-as-you-go (PAYG) transit payments. This was a significant undertaking since it had not been done before and the customer proposition included a fair-price promise. This fair-price promise required the contactless bank card solution to mimic the existing Oyster “capping”, which allows customers to travel without knowing the tariffs, trusting that they will only be charged the best price they could have got had they bothered to research it all beforehand. It required adding contactless payment card acceptance to all TfL readers and the building of a bespoke back office to support this new Account-Based Ticketing (ABT), where no travel information is stored on the card.

Convenience is king in mass transit. Our task was to meet the demands of one of the world’s busiest transit environments but make it cheaper to operate. The long-term vision was that by 2018, Oyster cards would be migrated to use the ABT back office and the legacy Oyster system would be turned off. The Oyster brand would remain alongside bank cards for those not using bank cards, but the technology powering it would be changed to ABT.

TfL and Consult Hyperion worked closely with the payment schemes to define the process of card acceptance and with the UK Card Association to establish a harmonized set of rules to balance risk between TfL and the card issuers.

The system launched on buses in 2012 and on the rest of the TfL Oyster network in 2014. Later in 2016 the privately-run river buses were added.

Fare collection costs were reduced from 14% to less than 9% of fare revenue. In 2016, 34% of TfL PAYG journeys were made using contactless bank cards (56% were Oyster and 10% were paper tickets). Is this good, bad or indifferent? Well, this figure needs to be understood in context:

  • Contactless bank cards were still rolling out. In 2015, less than half[1] of UK bank cards were contactless.
  • Not everyone has a bank account. In 2015, about 5%[2] of UK adults were unbanked and half of these did not want a bank account.
  • Loss of government subsidy and a mayor-imposed TfL fare freeze meant that the vision of turning the legacy Oyster system off had to be reconsidered. Existing Oyster users have no incentive to switch over to using their bank cards.
  • Not all foreigners arriving in London are keen to use their bank cards since they may be subject to bank charges back home, making Oyster the better choice for them.

Despite these barriers to the uptake of contactless bank cards, by April 2016, 9% of all UK contactless transactions took place on TfL services.[3] By 2018 (year 4 of acceptance of bank cards on the full Oyster network), the percentage of PAYG journeys made using bank cards (or their emulations on phones or wearables) has risen from 34% to approximately 50%.

Consult Hyperion was uniquely qualified to help TfL deliver its ambition, bringing in-depth knowledge and a heritage of three decades working with the major payment networks and their detailed specifications, a solid understanding of proprietary transit technologies and practical experience of delivering innovative payment methods outside the retail community.

The team at Consult Hyperion is now involved across the globe working with transit agencies looking to emulate the success of London in their own cities. As well as Transport for the North in the UK, these projects have ranged from countries where contactless success has outpaced the UK, such as Australia, to territories where contactless payments are still emerging, like India and Colombia. Our US team has been working for a number of agencies who today are developing systems capable of accepting contactless payment cards, even though issuance is less than 0.01%, in the hope that transit will drive banks to start issuing cards. There are early signs of success.

It is clear that the success of TfL’s Future Ticketing Project has helped drive a sea-change in the payments and transportation industries that can save money in one industry and drive transaction volumes up in another. With our help, we are confident this success will continue.

[1] UK Cards Association Summary Statistics

[2] Financial Inclusion Commission 2015 Report

[3] UK Cards Association Contactless Transit Project Briefing – May 2016

TLS, DSS, and NCS(C)

As I was scanning my list of security-related posts and articles recently, my eye was drawn by the first sentence of an article on (Google security engineer) Adam Langley’s blog, indicating that Her Majesty’s Government does not understand TLS 1.3. Of course, my first thought was that since HMG doesn’t seem to understand the principles of encryption itself, it’s hardly surprising that they don’t understand TLS. However, these aren’t the thoughts of an understandably non-technical politician but instead those of Ian Levy, the Technical Director of the National Cyber Security Centre at GCHQ – someone you’d hope does understand encryption and TLS. Now normally, I would read this type of article without feeling the need to comment. So what’s different?

Well, following the bulk of the article discussing how proxies are currently used by enterprises to examine and control the data leaving their organisation, by in effect masquerading as the intended server and intercepting the TLS connection, is the following throwaway line:

For example, it looks like TLS 1.3 services are probably incompatible with the payment industry standard PCI-DSS…

Could this be true? Why would it be true? The author provided no rationale for this claim. So, again in the spirit of Adam Langley, “it is necessary to write something, if only to have a pointer ready for when people start citing it as evidence.”

Adam’s own response – again following a discussion about how the problem with proxies is their implementation, not with TLS – is that

…the PCI-DSS requirements are general enough to adapt to new versions of TLS and, if TLS 1.2 is sufficient, then TLS 1.3 is better. (Even those misunderstanding aspects of TLS 1.3 are saying it’s stronger than 1.2.)

which would seem to make sense. Not only that, but

[TLS 1.3] is a major improvement in TLS and lets us eliminate session-ticket encryption keys as a mass-decryption threat, which both PCI-DSS- and HIPAA-compliance experts should take great interest in.

In turn, Ian follows up to clarify that it’s not TLS itself that could present problems, but the audit process employed by organisations

The reference to regulatory standards wasn’t intended to call into question the ability of TLS 1.3 to meet the data protection standards. It was all about the potential to affect (badly) audit regimes that regulated industries have to perform. Right or wrong, many of them rely on TLS proxies as part of this, and this will get harder for them.

So that’s alright. TLS 1.3 is not incompatible with PCI DSS. So what is the problem? Well, helpfully, Simon Gibson outlined this in 2016:

…regulated industries like healthcare and financial services, which have to comply with HIPAA or PCI-DSS, may face certain challenges when moving to TLS 1.3 if they have controls that say, “None of this data will have X, Y, or Z in it” or “This data will never leave this confine and we can prove it by inspecting it.” In order to prove compliance with those controls, they have to look inside the SSL traffic. However, if their infrastructure can’t see traffic or is not set up to be inline with everything that is out of band in their PCI-DSS, they can’t show that their controls are working. And if they’re out of compliance, they might also be out of business.

So the problem is not that TLS 1.3 is incompatible with PCI DSS. It’s that some organisations may have defined controls with which they will no longer be able to show compliance. They may still be compliant with PCI DSS – especially if the only change is to upgrade to TLS 1.3 and keep all else equal – but cannot demonstrate this. So what’s to be done?

Well, you could redefine the controls if necessary. If your control requires you to potentially degrade, if not break, the very security that you’re using to achieve compliance in the first place, is it really suitable? In the case of the two example controls above, however, neither of them should actually require inspection of SSL traffic.

For the organisation to be compliant in the first place, access to the data must only be possible to authorised personnel on authorised (i.e. controlled) systems. If you control the system, you can stop that data leaving the organisation more effectively by prohibiting its access to arbitrary machines in the external world. After all, you have presumably restricted access to any USB and other physical storage connectors, and you hopefully also have controls around visual and other recording devices in the secured area. It is difficult in today’s electronic world to think of a situation where a human (other than the cardholder) absolutely must have access to a full card number without (PCI DSS-compliant) alternatives being available.

So TLS 1.3 is a challenge to organisations who are using faulty proxies and/or inadequate controls already. It certainly doesn’t make you instantly non-compliant with PCI DSS.
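
One way to produce the audit evidence from the controlled endpoint rather than from a decrypting proxy, as an added example that is not part of the original post: the script below (assumed function names; the pinned fingerprint is an operator-supplied value, shown here as a placeholder) records what a client actually negotiated and flags anything other than TLS 1.3 with the expected server certificate. `observe()` needs network access; `assess()` and `has_forward_secrecy()` work on recorded or constructed observations.

```python
"""Client-side evidence that a connection terminates at the intended server over
TLS 1.3 (no intercepting proxy in the path), instead of evidence obtained by
decrypting the traffic in the middle. Added example; not the original post's code."""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import List


@dataclass
class TlsObservation:
    version: str       # as returned by SSLSocket.version(), e.g. "TLSv1.3"
    cipher: str        # OpenSSL suite name, e.g. "TLS_AES_256_GCM_SHA384"
    leaf_sha256: str   # hex SHA-256 of the DER-encoded server leaf certificate


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def observe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Connect with the default (verifying) context and record what was negotiated.
    Needs network access; assess() below runs on constructed data as well."""
    ctx = ssl.create_default_context()
    # Allow TLS 1.2 so that a downgrade is observed and reported rather than hidden.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return TlsObservation(tls.version(), tls.cipher()[0], fingerprint(der))


def has_forward_secrecy(obs: TlsObservation) -> bool:
    """Every TLS 1.3 suite uses an ephemeral (EC)DHE key exchange; for TLS 1.2
    the OpenSSL suite name must say so explicitly."""
    if obs.version == "TLSv1.3":
        return True
    return obs.cipher.startswith(("ECDHE-", "DHE-"))


def assess(obs: TlsObservation, pinned_leaf_sha256: str) -> List[str]:
    """Return audit findings; an empty list means the connection looked as expected."""
    findings = []
    if obs.version != "TLSv1.3":
        findings.append(f"negotiated {obs.version}, not TLS 1.3 (legacy server or downgrade)")
    if not has_forward_secrecy(obs):
        findings.append(f"cipher {obs.cipher} has no forward secrecy; a leaked server key "
                        "would decrypt recorded traffic")
    if obs.leaf_sha256.lower() != pinned_leaf_sha256.lower():
        findings.append("leaf certificate does not match the pinned fingerprint: either the "
                        "operator rotated the certificate or a proxy is terminating TLS")
    return findings


if __name__ == "__main__":
    # Placeholder host and pin; replace with your own service and the fingerprint
    # recorded when its certificate was issued (constructed values, not real ones).
    PINNED = "<sha256-of-expected-leaf-certificate>"
    result = observe("example.invalid")
    for line in assess(result, PINNED) or ["OK: TLS 1.3, forward secret, certificate as pinned"]:
        print(line)
```

Pinning the leaf certificate, as done here for simplicity, will raise a finding whenever the operator legitimately rotates the certificate; in production, pin the issuing CA or the server's public key instead.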

Given this, we, as humble international payments security consultants, are left puzzled by the NCSC’s line about TLS 1.3 and PCI DSS compatibility. At worst, organisations need to redefine their audit processes to use the enhanced security of TLS 1.3, rather than degrade their security to meet out of date compliance procedures. But, of course, this is the type of problem we deal with all the time, as we’re frequently called in to help payment institutions address security risks and compliance issues. TLS 1.3 is just another tool in a complex security landscape, but it’s a valuable one that we’re adding to our toolkit in order to help our clients proactively manage their cyber defences.

Who would have ex-Spectre-d this?

At Consult Hyperion we’re always interested in the latest news in cyber security and, in case you haven’t heard, 2018 has started with the news that most processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and are caused by common optimisations built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it could affect any operating system. It’s likely the machine you’re reading this on is affected, whether it’s running Windows, macOS, iOS, Android or is in “the cloud”!

At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS). This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets which may include passwords, keys or possibly payment data, present in processor caches or memory.

I’m not going to discuss how the vulnerabilities achieve what they do (there are plenty of sites that attempt to do this); I’d rather consider their impact on people, such as our clients, who may be handling sensitive data on mobile devices, e.g. payments or banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.

So, what can be done about it? The good news is that whilst the current processors cannot be fixed, several operating system patches have already been released to try and mitigate these problems.

However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the issue has changed from it only affecting Intel processors, to now including AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, there may be additional vulnerabilities discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.

It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:

1. You must have a vulnerable processor (highly likely)
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device

For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.

Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.

For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.

A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android. For example, Google’s latest information (https://developer.android.com/about/dashboards/index.html, obtained on 5 January 2018; it represents devices accessing the Google Play Store in the prior 7 days) shows that for the top 81% of devices in use:

• 0.5% of devices are running the latest version of Android – Oreo (v8.0, released August 2017)
• 25% are running Nougat (v7.x, released August 2016)
• 30% running Marshmallow (v6.0, released October 2015)
• 26% running Lollipop (v5.x, released November 2014).

It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.

If you compare to iOS, it’s estimated (https://data.apteligent.com/ios/) that less than a month after it was released in December 2017, over 75% of iOS devices are already running iOS 11.

The final requirement is Point 3, getting malicious code onto your device. This could be via a malicious application installed on a device; however, the malicious code could also come via a website, as it’s been shown that even JavaScript sandboxed in a browser can exploit these vulnerabilities. As it’s not unheard of for legitimate websites to unwittingly serve up third-party adverts which contain malicious code, a user doesn’t have to be accessing malicious websites for the problem to occur. Several browsers are receiving patches to try and prevent Meltdown and Spectre working via this route. Regarding malicious applications, we’d always recommend that applications are only ever installed from legitimate sources; however, malicious apps still regularly appear in legitimate app stores, so this is not fool-proof.

Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers – these applications should already be including protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.

If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving on to the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system, something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack to have been possible, let alone something that needed to be actively mitigated.

Can the automotive industry learn from the retail payments sector?

Trying to balance security and the convenience provided by technological advancements isn’t new news. Nor is the latest hubbub around keyless vehicle entry and the obvious security risk. A recent video issued by West Midlands Police shows two criminals using information gathered from the electronic key to enter, start and drive away a car. Research reveals that this is a simple “Ghost and Leech” attack, where the boxes held by the thieves extend the read range of the key. When the keyless entry system on the car was initially designed, the cost and size of these boxes confined the fraud to laboratory conditions. Now, however, the boxes are readily available on the internet, are smaller and require less power, making them portable and a convenient tool for organized criminals.

Are the automotive OEMs or their suppliers recognizing these risks and developing countermeasures?

As any information security expert will tell you, you need to understand the threat landscape in which your vehicle will operate and ensure that all cost-effective countermeasures are included in its design prior to commercial launch. It is likely that countermeasures will have to change over the lifetime of the vehicle, as new functionality is added, e.g. in-car payments, or, as highlighted above, the criminals find new ways of attacking the car. And so, future proofing becomes front of mind.

The long development and product lifecycles associated with the automotive industry, compared with, say, smartphones, combined with the high certification requirements surrounding any change to the vehicle, make this difficult. The reputational and financial costs of recalling vehicles to insert a new piece of hardware or load new software, for example, make the business case for such interventions difficult. Many owners are reluctant to upgrade their vehicles, fearing that it will impede their performance. Others are prone to litigation on the grounds that the vehicle is not performing as advertised.

Even with advances in software delivery, there is still the problem of ensuring that a software upgrade is correctly implemented across all vehicles. The mobile network operators (MNOs) are working closely with the automotive OEMs to ensure that software upgrades can be remotely downloaded over the air to connected cars; this is still in its nascent stages. We know of electric car owners that have had to wait for 30 minutes in the morning whilst their cars rebooted, and others that have had the functionality of their vehicle changed when the vehicle showed signs of being imported into a different country. Does this process introduce new information security risks as criminals take advantage of inconsistencies in the version of the software loaded into different vehicles?

At Consult Hyperion we use the return on the criminal’s investment in the fraud to determine the probability that it will be committed: low when the keyless entry system was initially designed and now, many years later, high. The reputational or financial losses from such attacks allow us to evaluate the cost of a countermeasure against the potential losses if it is not implemented. Our clients’ risk appetite determines whether or not they make the investment. We use our understanding of how technology is likely to evolve to assess how and when the current level of risk is likely to change, and therefore when the investment in a countermeasure becomes crucial.

Consult Hyperion has around 20 years’ experience of managing information security risks within distributed systems deployed primarily within the global financial services industry. Whilst the context in which the criminals deploy them is different, the techniques the criminals use are the same. The Ghost and Leech attack posed a potential threat to the use of contactless payment cards following the introduction of NFC technology in smartphones. The UK press ran multiple stories about how the phones could be used to collect account information from contactless cards in people’s wallets. Consult Hyperion was commissioned to analyze the data that could be collected by devices snooping on the contactless card transaction at the Point of Sale and the opportunity to use that data to buy other goods in another store. As a result of this analysis the UK banks agreed to add additional countermeasures into their systems, all of which had been recommended by the international card schemes. Their introduction was coordinated by APACS, now part of the UK Payments Administration, who had commissioned some of the earlier analysis.

Money 2020: debates, discussions and doubling down


Wow. Another Money 2020 in Vegas. A peculiar combination of exhaustion and exhilaration. Days of back-to-back meetings, serendipity, dinners with old and new friends, learning and (why would I lie to you?) a few drinks and a few hours of blackjack. Back in the land of signing for card transactions, ready to explore the future of financial services.

Last year, I said that all the interesting stuff at Money20/20 was actually about identity and that all of the fintech stuff would have less impact than all of the regtech stuff. I still think this is true. Fintech has become mainstream, there’s no doubt about that. There was a lot of corridor talk (they don’t have water coolers and I couldn’t find the free ice cream) about how the fintechs are integrating with the key players (as if the mammals interbred with the dinosaurs rather than replaced them). The fintechs aren’t what the incumbents were really worried about. What they were worried about (other than regulatory change) were the strategies of the Google-Apple-Facebook-Amazon-Microsofts (GAFAMs) and the Baidu-Alipay-Tencent (BATs) and that (as we will return to later in this discussion) is because of the fight for data.

Perhaps I’m reading too much into coincidences of scheduling, but it seems to me that Sunday is being used to explore new topics and then in the following year some of those topics move from the experimental or exploratory sphere into the mainstream discussion. Last year at Money20/20, for example, I chaired the session on financial inclusion with Professor Lisa Servon and this year I couldn’t help but notice that financial inclusion reappeared in a number of mainstream panels and presentations, including in the superb Monday keynote from Dan Schulman of PayPal. So, if financial inclusion was making its way from the edge to centre last year, there is no doubt that it was artificial intelligence playing that role this year. I chaired the artificial intelligence panel at Money20/20 Europe in Copenhagen this year and it was absolutely stormed. In Vegas, I heard many, many people say that the AI discussion on Sunday was first rate and left them in no doubt that it would be the key mainstream topic next year.

The money going into AI is already huge and if you look at where banks are directing the cash right now, machine learning seems to be the target. This is no surprise. Banks have large quantities of data that in the past they have found difficult to extract wisdom from and they have large transactional flows that they find it difficult to manage in the context of increasing regulatory burdens. Machine learning systems excel at finding patterns and exceptions in such data, provided that they can be fed with enormous quantities of the raw material, so the main use of the machine learning systems is currently fraud detection and prevention (DBR Research, October 2017).

(This, as an aside, throws up an interesting strategic challenge for banks as they shift to AI-centric strategies, because there is a threat to risk management, information analysis and sales/marketing processes in a world of open banking where the banks may not get to see the data held by third-party providers but those providers have access to bank accounts.)

The impact is not only on retail banking. The Bank of England’s recent working paper (no. 274, September 2017) on machine learning at central banks explored the particular case study of banking supervision in an environment of imperfect information (what you and I would call “the real world”!) and came to very optimistic conclusions. In other words, AI is not only a fintech that can help individual organisations to improve profitability (both by reducing costs and increasing revenues) but also a regtech that can help jurisdictions to create better financial services sectors by improving the quality of regulation at lower cost.

On Monday I was up on the main stage where I had the privilege and pleasure of moderating the debate between Brett King of Moven and Steve Ellis of Wells Fargo. They are both great guys (and I’m not just saying that for form) and they made it fun for me and for the audience. Wells Fargo put Steve’s perspectives on their web site so you can read them there. As an aside for future conference organisers, I thought this was a great format because both of them made serious and substantial points (someone told me later that he didn’t realise how much he was learning during the debate!) but in an engaging structure that helped to wind the day down. Big props to Money20/20 for this idea.

Several people said that what stuck out for them on the Monday was the difference between the Alipay keynote, which was all about the colossal numbers and opportunities, and the ApplePay keynote, which conspicuously failed to include any usage numbers. Now, as we’ve long maintained, this doesn’t really matter because the long-term play is #appandpay not #tapandpay, but there was certainly a suspicion abroad amongst uncharitable persons (of whom I am not one) that ApplePay’s usage at retail POS may be underwhelming at a time when negotiations about renewal contracts with issuers are on the horizon. Jennifer Bailey of Apple also mentioned the coming Apple Cash (which will allow P2P payments via iMessage or whatever it is called now). I don’t know enough about the US market, but I would have thought that in the European markets they will implement API access to bank accounts with access to instant payment networks and that this will come to dominate across platforms, but I wouldn’t bet against Apple on anything as a rule. Anyway, enough of that, let’s go play blackjack with some crypto-folks because they have all the money.

On Tuesday, talking about inclusion again, Kosta Peric from the Bill and Melinda Gates Foundation was in town. I went off to have a chat with him to find out all about their new open-source software for the unbanked, Mojaloop. This uses technology from Ripple to deliver interoperability between financial institutions, payment providers and other firms that offer such services to the poor and unbanked. (It uses the Interledger protocol.) This all came out of the Gates Foundation’s Level One Project, which Kosta has championed, so I was keen to understand the roadmap and how it might connect to some of our work in inclusion. Unfortunately, as so often happens, we got sidetracked by giant killer robots.

Last year’s general talk about blockchain this and blockchain that was less in evidence, although with Bitcoins at $6,000 there was a fair amount of cryptocurrency talk (and misunderstandings) swirling around. The blockchain discussions were more focused (there was a good panel on blockchain consortia with JP Morgan, R3, Microsoft and Hyperledger) and I thought there was less of the crazy talk about blockchains fixing everything, although it did continue to irritate me that most of the solutions being discussed were not actually blockchains at all but shared ledgers (and before anyone writes to complain, I refuse to call them distributed ledgers because in at least one example that I discussed there, there was only one node and no consensus algorithm at all).

The big difference from last year was that the main topic of discussion in the crypto space was the token/ICO gold rush. Consult Hyperion hosted a couple of dinners for friends and clients in Vegas and at one of them Arthur and Kathleen Breitman, the people behind one of the highest profile token raises of all (Tezos, now worth more than $400m), came along. Now, I am far from being an expert on the subject, but I genuinely think that when the token/ICO market is regulated correctly (and that must come soon) it is going to be absolutely massive, because it will create a new asset class and (I hope) a new and more transparent marketplace. I might even go so far as to say that it might be one of the most important long-term outcomes of the Crash.

There were a couple of other themes that caught my attention wandering in and out of the conference sessions. Conversational commerce, and therefore conversational payments, is on the rise. Facebook was there, as were other players, and I definitely picked up more buzz about chat and chat bots. Although I didn’t hear it discussed at the event, it seems to me that there is a strong relationship between conversational commerce and the impending shift to Open Banking in the UK. Giving, for example, Facebook API access to your bank account means that you’ll be able to check your balance, look at your transactions, send money to people all without ever leaving WhatsApp. What’s more, given the amount of payment fraud in the UK, this is probably really good news. If your lawyers continue to use e-mail instead of Signal for house purchases, they are borderline negligent.

The big day for Consult Hyperion was Wednesday, because of the “Wednesday Workshops”.  I really like the idea of the Wednesday morning 90-minute deep dive sessions on specific topics. This year I was asked to run the “Identity is Fundamental” workshop, which was a genuine honour, and I had an absolutely great set of speakers and panelists to open up the subject. Here they are in the identity cage, waiting to be released at 8.30 sharp…

Considering it was the early morning of the last day of the event, it’s a testament to the intuition of the organisers and the quality of this panel that the ballroom was full. I thought that identity would be a key topic, and I expected a reasonable turnout, but I was surprised to find a full room with people standing at the back when I walked out on stage. I’d like to think that it’s mainly down to Consult Hyperion’s reputation at the forefront of population-scale identity projects (going all the way back to the days of the world’s first smart identity card in Hong Kong), but I think the size of the audience also reflects just how high up the bank agenda digital identity is now. 

We divided the workshop into two parts. The first section was about authentication, and Brett McDowell from FIDO Alliance MC’d with input from Intel, Javelin, Diebold Nixdorf and Samsung. I thought these guys delivered a very positive message. Not that things are fixed, but there is at last the potential to fix them. As panelist Al Pascual from Javelin said earlier in the year, commenting on the news that identity theft and fraud in the US was up 16% this year and is now at the highest levels they have ever recorded, “all of the underlying types of fraud we measure are up”. But with smart phones, biometrics and strong authentication frameworks coming into place, there is light at the end of the tunnel. Perhaps it’s a slight exaggeration, but I was left with the impression that strong authentication for transactions is basically a solved problem if you plan out the system properly. We have the architecture, devices and standards to make it all work. 

The second part of the workshop was about identification and it closed with a great, great case study. SecureKey and TD Bank took us through the multi-bank digital identity scheme under development in Canada.

If the identity workshop wasn’t the most talked about thing on the final day, Barclaycard’s announcement of the Uber Card probably was. I have to say that it is a beautifully executed product. Uber gives customers the option to apply for the card from inside the app and populates the application form from data on file. Once the customer applies, they get confirmation (or otherwise) within a few minutes and can immediately begin charging rides to the new line of credit. A few days later the plastic card arrives in the post. Folks can also apply for the card online. There are some sweet cashback rewards to launch the card, including four percent in restaurants, three percent on hotels, two percent on online purchases and one percent on all other purchases. No wonder it got such attention on social media.

Anyway, after three solid days of this I needed to get away so I took up an invitation to visit the futurist Heather Vescent in her dome at Twenty Nine Palms, which turned out to be in the desert. A perfect way to clear my head and to enjoy a mini road trip involving (as it did) highways and diners.

Desert flowers

After relaxing and discussing Heather’s new book, the “Cyber Survival Manual”, I said goodbye to the desert and set off back to the daily grind. Thanks once again to the great people at Money 2020 and here’s looking forward to 2018.

The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices

The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Standards Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away; their cost refunded through reductions in the fees levied against the initial transactions; their power derived from the phone, when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is: can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

Kicking and screaming into the 1770s

You can’t say that London isn’t a fintech powerhouse and epicentre of the revolution that is forging a new financial services industry in the white heat of old technology. Wait, what?

“The UK is to roll out an image-based cheque clearing system in October that will slash processing times from six ‘weekdays’ to one day”

UK to roll out image-based cheque clearing system

I’d forgotten that some people still use cheques. I haven’t seen one for ages and haven’t the slightest idea where my chequebook is. I can’t even think what I might need a cheque for. In the last couple of weeks I’ve paid our gardener, window cleaner, a contractor and my youngest son using my mobile phone. I have absolutely no need for cheques. Still, they are important to the powers that be.

“These changes will put cheques firmly in the 21st century”

UK to roll out image-based cheque clearing system

Actually, it will put cheques firmly in the 18th century, which is when they last used to clear in one day because the clerks of the London banks had set up their own informal clearing system down the pub.

“Daily cheque clearing began around 1770 when the bank clerks met at the Five Bells, a tavern in Lombard Street in the City of London, to exchange all their cheques in one place and settle the balances in cash.”

Cheque clearing – Wikipedia

Why waste money supporting the declining cheque business (cheque use fell another 15% in the UK last year) when we should be spending the money on the identity infrastructure that is needed to support the transition to open banking? It could all have been so different!

Why can’t digital identity be easy, like payments?

I have often seen payments (especially the card networks) used as an analogy for digital identity. In fact, I brought up the analogy myself at the fun OIX meeting in Amsterdam last Thursday. Certainly when you look at something like GOV.UK Verify there are some striking comparisons:

  • A central scheme with a brand, rule book, governance body and switching infrastructure (i.e. Verify itself),
  • Issuers (i.e. the private sector identity providers), and
  • Merchant acquirers (well merchants anyway, in the form of government relying parties).

We have to keep reminding ourselves that these card networks did not appear overnight. What we have today is a result of 60 or more years of evolution. Admittedly the pace of change has increased significantly but we need to recognise it often takes time to build scale and gain adoption. There are special cases of course. PayPal, for example, grew out of a significant pain point within eBay – which gave it immediate scale.

There is however one key difference between payments and identity. You cannot sell stuff online without a means to receive payment and normally that means integrating with a payments scheme that works for your customers. You can however sell stuff without leveraging an external identity scheme – you just give the user an ID and password specific to the service. This is however bad news for users – resulting in the fragmented personal data and password mess we find ourselves in today. There needs to be an incentive for merchants to do something different to this. Perhaps merchants need a big stick? Like GDPR for example. Merchants are going to have to be a lot more careful with personally identifiable information in the future. One thing they could do is use an identity provider to hold that data and in the process reduce their risk.

Individuals also need to realise that their personal data is valuable, just like their money. That is going to require some education because so far they’ve been taught to share data without considering the consequences.

In the UK, arguably the most significant digital identity initiative over the past 5 years has been the GOV.UK Verify programme. They are at the stage where they need to grow. The scheme is up and running and so they are now busily signing up citizens and services. It is a critical point in its development. We are very pleased that David Rennie who leads industry engagement on the programme will be taking time out of his busy schedule to join us at Tomorrow’s Transactions. Come along and find out how it is going.

Red lights for cash

Down at the PayExpo Middle East and North Africa (MENA) in Dubai this year, I saw an excellent presentation from Uber India. One of the most interesting things I learned was that because most Indian Uber rides are paid for in cash, the Modi government’s radical experiment in currency reform hit them hard. As cash vanished from circulation, so there was a downturn in business.

Uber India

That was bad news for the Uber drivers who need to drive to survive, but I’m still of the general opinion that the Indian push for a “less cash” (as opposed to cashless) economy makes sense, even for people who are poor, as many in India are. A couple of years ago, I wrote about the misguided view that cash is good for the less well-off. It is not.

People who live on the margin get screwed by cash.

From Cash hits the excluded | Consult Hyperion

This was a comment on a story about counterfeiting, and I concluded it by noting an interesting problem that I had not previously heard about, which was about sex workers being swindled through counterfeit cash:

In a country where counterfeits are widespread, it is obviously the marginalised groups trapped in the cash economy who are the big losers.

From Cash hits the excluded | Consult Hyperion

India’s experiment with demonetisation has accelerated the evolution of the retail payments environment not only for Uber but also for those marginalised people in the less-regulated parts of the Indian economy. As you will recall, with the high-value banknotes that made up more than four-fifths of the cash in circulation vanishing, many different parts of the Indian economy have been affected and, clearly, groups dependent on cash will have been hit hardest.

From the time the notes of the denominations of Rs 500 and Rs 1000 ceased to be legal tenders, the number of customers visiting the red-light area have dwindled to negligible numbers.

From Commercial Sex Workers of Nagpur’s Ganga Jamuna Redlight area offer services for payments made through Paytms – Nagpur Today : Nagpur News

The response of at least one group of such marginalised people will have gladdened the heart of Mr. Modi and other advocates of cash-free commerce (e.g., me). They moved quickly to adopt new technology.

Commercial Sex Workers offering services at Nagpur’s Redlight area Ganga Jamuna have started offering [sex] in exchange of payments made through Paytm.

From Commercial Sex Workers of Nagpur’s Ganga Jamuna Redlight area offer services for payments made through Paytms – Nagpur Today : Nagpur News

Yes, mobile payments. There is no reason why mobile payments cannot step in to the breach and take over from cash and, as I constantly opine, deliver something better to the poor, since it is the poor whose money is lost and stolen, it is the poor who cannot pay remotely for better deals and it is the poor who cannot be paid efficiently.

[sex workers said] we have also adapted to the changing times and have adopted the newer mode of payments for the services. They opined that this will also prevent the customers from getting their cash looted by unscrupulous elements who dwell in this disrepute lanes (Badnaam Gali) of Ganga Jamuna area.

From Commercial Sex Workers of Nagpur’s Ganga Jamuna Redlight area offer services for payments made through Paytms – Nagpur Today : Nagpur News

Note that last sentence. Getting rid of cash will make people safer. So not only will these marginalised people no longer have to worry about counterfeiting or the value of foreign currency, but their money will be stored more safely. 

I was in Dubai to take part in a fun end-of-event discussion about the coming year for fintech, so I took the first three predictions from the Consult Hyperion “Live Five” for 2017 and shared these with the audience. Then I took the first three cakes, and shared them with me.

Yes, you can have your cake and eat it

I hope I’ll be asked back next year and called to account!

Super-complaints but no super-solutions

I love the BBC’s Money Box programme with Paul Lewis and I listen to it every week.  A recent episode included what, I’m afraid, has become an all-too-familiar story.

Paul Lewis hears from a listener who built up savings of £180,000 over more than ten years in business, only to have it all stolen from her account in 24 hours by online scammers. Should her bank have noticed and stepped in?

From BBC Radio 4 – Money Box, Cheaper energy when it rains

The essence of the story is that the customer fell for a scam. She had a phone call from someone purporting to be from BT and the upshot of it was that she allowed fraudsters access to her Santander business account whereupon they immediately began to transfer all of the money out to a variety of other accounts. When she discovered that she had been the victim of fraud she asked the bank for the money back and they said no.

From her perspective, I can see why she feels aggrieved. She feels that the bank’s antifraud mechanisms should have resulted in a phone call or email and text message or something when these completely unusual transactions took place. After all, 33 transfers in 24 hours from an account that is normally used only for direct debits and standing orders would hardly need Watson to flag up a warning.  From the bank’s perspective, I can see why they feel they are not responsible since she authenticated all of the fraudulent transfers by entering the 2FA codes they texted her (they hadn’t read my blog on why SMS isn’t security).
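The kind of profile-and-velocity check that paragraph has in mind, as an added example rather than anything from the post or from any bank’s fraud engine: it summarises what is normal for an account from its history, replays the new outbound transfers in order and reports the first one at which a review should have fired. The transaction records, thresholds and payee identifiers are all constructed for illustration.

```python
"""Profile-and-velocity rule for outbound transfers (added example).

Not from the original post and not any bank's fraud engine. Models the
scenario in the text: an account whose history is only direct debits
(DD) and standing orders (SO) suddenly makes dozens of outbound Faster
Payments (FPS) to never-seen payees inside 24 hours. All records,
thresholds and payee identifiers below are constructed.
"""
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    when: datetime
    kind: str      # "DD", "SO" or "FPS" (outbound Faster Payment)
    amount: float  # GBP
    payee: str     # "sort code account" of the beneficiary (constructed)


def build_profile(history):
    """Summarise what is normal for this account from its past transactions."""
    return {
        "kinds": Counter(t.kind for t in history),
        "known_payees": {t.payee for t in history},
    }


def first_alert(profile, new_txns, window=timedelta(hours=24),
                max_new_payees=2, max_outbound=4, min_reasons=2):
    """Replay new_txns in time order and return (index, reasons) for the first
    transaction at which a review should fire, or None if none should.

    Three signals, each cheap enough to evaluate before a payment is released:
      1. the payment type has never been used on this account;
      2. more than max_new_payees never-seen payees inside the window;
      3. more than max_outbound outbound transfers inside the window.
    One signal alone is not enough (a quiet account may legitimately make its
    first transfer); the alert needs min_reasons signals at the same time.
    """
    recent = deque()  # transactions inside the sliding window
    for i, t in enumerate(sorted(new_txns, key=lambda x: x.when)):
        recent.append(t)
        while t.when - recent[0].when > window:
            recent.popleft()
        reasons = []
        if profile["kinds"][t.kind] == 0:
            reasons.append(f"payment type {t.kind} never used on this account")
        new_payees = {r.payee for r in recent if r.payee not in profile["known_payees"]}
        if len(new_payees) > max_new_payees:
            reasons.append(f"{len(new_payees)} new payees within {window}")
        outbound = sum(1 for r in recent if r.kind == "FPS")
        if outbound > max_outbound:
            reasons.append(f"{outbound} outbound transfers within {window}")
        if len(reasons) >= min_reasons:
            return i, reasons
    return None


def constructed_history():
    """Twelve months of DDs and SOs to the same four payees (constructed)."""
    start = datetime(2016, 1, 1)
    hist = []
    for month in range(12):
        day = start + timedelta(days=30 * month)
        hist.append(Txn(day, "DD", 120.00, "20-00-00 11111111"))
        hist.append(Txn(day, "DD", 45.50, "20-00-00 22222222"))
        hist.append(Txn(day + timedelta(days=1), "SO", 800.00, "30-00-00 33333333"))
        hist.append(Txn(day + timedelta(days=2), "SO", 250.00, "30-00-00 44444444"))
    return hist


def constructed_fraud_burst():
    """33 outbound FPS transfers in 22 hours, cycling through 8 mule accounts."""
    t0 = datetime(2017, 1, 10, 9, 0)
    return [Txn(t0 + timedelta(minutes=40 * i), "FPS", 5454.00,
                f"40-00-00 {90000000 + (i % 8)}") for i in range(33)]


if __name__ == "__main__":
    hit = first_alert(build_profile(constructed_history()), constructed_fraud_burst())
    print(hit)  # fires on the third transfer, not the thirty-third
```

On the constructed data the review triggers at the third transfer (two signals: a payment type the account has never used, and three never-seen payees inside the window), with about £170,000 still in the account. Replaying the same burst against a profile that already contains those payees and payment type produces only the volume signal, which on its own does not fire; that is the trade-off between catching this case and waking up every customer who makes a handful of transfers in a day.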

Whether the bank is at fault or not for this specific scam the banks, collectively, will have to do something about the instant payment fraud problem in general. These frauds have become a very serious problem and I can understand why consumer groups are upset about what they see as a lack of action from the banks.

The Payment Systems Regulator’s (PSR) response to the Which? super-complaint on bank transfer scams ‘has let the banks off the hook’.

From Super-complaint response lets banks off the hook – December – 2016 – Which? News

It isn’t only phone calls. There’s a huge amount of e-mail fraud going on as well. In essence, fraudsters intercept legitimate requests to transfer money from one account to another using the Faster Payments Service (FPS) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will get into the email of a solicitor and when that solicitor sends an email to one of their clients requesting money for a house purchase to be transferred into the solicitors account, the fraudsters replace the legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow.

A particular problem, of course, is that you identify a payee by giving a sort code that identifies the bank branch and an account number to receive the funds. I defy anybody to carry around the six digit sort code and eight digit account number of their correspondents in their heads or to be able to spot their solicitor’s real payment details from some fake payee details when reading an email. If you are expecting to send the money to $dgwbirch (you can try this by the way, it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail asking you to switch from sort code 12-34-56 to 34-56-78 it’s less obviously a fraud.

Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase.

Hannah Nixon, managing director of the PSR, said: ‘Tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams”.

From Super-complaint response lets banks off the hook – December – 2016 – Which? News

Indeed they have. But if I tell my bank to send £10,000 to the Nat West in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If a scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC), isn’t it?

I agree with the BBC and everyone else that something needs to be done. On this Money Box episode, Hannah Nixon (managing director of the UK’s Payment Systems Regulator) mentioned one specific countermeasure that is to be implemented by 2018, which is payee verification, but I wonder if the solution isn’t to put an overlay on top of FPS for retail and SME customers to use. As I wrote earlier in the year,

if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee then that might be very attractive to a great many people.

In other news, MasterCard are apparently launching a bid for VocaLink.

From Are the banks telling you that you may as well use bitcoin? | Consult Hyperion
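Payee verification of the kind argued for above (both the solicitor’s-email substitution and the scheme that “did the payee verification for you”), as an added example that is not from the post, the PSR or any bank: before a Faster Payment is released it asks whether the name the payer believes they are paying matches the name held on the destination account, and it also compares the supplied sort code and account number with the ones this payer used for the same payee before, which is exactly the switch the tampered email relies on. The account directory (in practice held by the receiving bank), the saved-payee book, the name normalisation rules and the similarity threshold are all constructed assumptions.

```python
"""Payee verification before a Faster Payment (added example).

Not from the original post and not the code of any bank or scheme. Two
checks: (1) does the payee name the payer typed match the name held on
the destination account, answered from a directory that in practice the
receiving bank would hold; (2) do the sort code and account number match
the ones this payer used for the same payee before. The directory, the
saved-payee book, the normalisation rules and the similarity threshold
are constructed for illustration.
"""
import re
from difflib import SequenceMatcher

# Constructed stand-in for the receiving banks' account directories.
ACCOUNT_DIRECTORY = {
    ("12-34-56", "12345678"): "SMITH AND JONES SOLICITORS LLP",
    ("34-56-78", "87654321"): "D BIRCH",   # mule account under the fraudster's control
}

# Constructed payee book for one payer: normalised name -> (sort code, account).
SAVED_PAYEES = {
    "SMITH JONES SOLICITORS": ("12-34-56", "12345678"),
}

SORT_CODE_RE = re.compile(r"^\d{2}-\d{2}-\d{2}$")   # UK sort code, six digits
ACCOUNT_RE = re.compile(r"^\d{8}$")                 # UK account number, eight digits
NOISE_WORDS = {"THE", "AND", "LTD", "LIMITED", "LLP", "PLC"}


def normalise(name):
    """Upper-case, drop punctuation and legal-form words, collapse spaces."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in NOISE_WORDS)


def name_match(claimed, on_record, close=0.8):
    """MATCH, CLOSE_MATCH or NO_MATCH for the name the payer typed."""
    a, b = normalise(claimed), normalise(on_record)
    if a == b:
        return "MATCH"
    return "CLOSE_MATCH" if SequenceMatcher(None, a, b).ratio() >= close else "NO_MATCH"


def verify_payee(sort_code, account, claimed_name, saved_payees=SAVED_PAYEES,
                 directory=ACCOUNT_DIRECTORY):
    """Decide PROCEED, CONFIRM (show the payer what was found and ask) or REJECT.

    Returns (decision, reasons).
    """
    if not SORT_CODE_RE.match(sort_code) or not ACCOUNT_RE.match(account):
        return "REJECT", ["malformed sort code or account number"]
    key = (sort_code, account)
    on_record = directory.get(key)
    if on_record is None:
        return "REJECT", ["no such account at the receiving bank"]

    reasons = []
    outcome = name_match(claimed_name, on_record)
    if outcome == "NO_MATCH":
        reasons.append(f"account {sort_code} {account} is not held in the name '{claimed_name}'")
    elif outcome == "CLOSE_MATCH":
        reasons.append(f"name is close but not exact; account is held as '{on_record}'")

    previous = saved_payees.get(normalise(claimed_name))
    details_changed = previous is not None and previous != key
    if details_changed:
        reasons.append(f"details differ from those used to pay this payee before "
                       f"({previous[0]} {previous[1]}); confirm by phone, not by email")

    if outcome == "NO_MATCH" or details_changed:
        return "REJECT", reasons
    if reasons:
        return "CONFIRM", reasons
    return "PROCEED", []


if __name__ == "__main__":
    # The genuine solicitor's details, as previously paid.
    print(verify_payee("12-34-56", "12345678", "Smith & Jones Solicitors"))
    # The substituted details from a tampered email: same name, mule account.
    print(verify_payee("34-56-78", "87654321", "Smith & Jones Solicitors"))
```

The substituted details fail twice: the mule account is not held in the solicitor’s name, and the sort code and account number are not the ones used for that payee before. A first-time payee with a slightly mistyped name gets CONFIRM rather than a silent pass, which is the automated form of the fiver-first habit described earlier.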

This isn’t just about bank accounts and instant payments, of course. If it was, I wouldn’t be blogging about it. I hate to say it, but the problem and the solution are all about identity. She couldn’t tell it was BT, and the bank couldn’t tell it was her (and she wouldn’t have been able to tell it was the bank). Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure. A system based on the gold standard of gas bills is, I am sorry to say, no longer fit for purpose.

Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.

From Stockport identity fraud victim’s £500k home put on market – BBC News

“Having forged his signature, they then transferred the deeds to his house into Ghani’s name”. Yes, I know, I know, I’m sure the blockchain will put a stop to this, but in the meantime… should a homeowner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from utility bills and forging your signature, society wouldn’t expect you to be the one to lose out, would it? I understand this. Surely if I am able to log in to the solicitor’s email server and then send emails masquerading as them, it’s the solicitor that is being negligent, not the bank!

Just whose fault is it when someone gets scammed in an environment that has no effective identity infrastructure?
