Ruby reflections, 40 years of technology change at work


At this time of year my colleague Dave Birch looks forward. His annual “Live Five” started as a bit of fun, but over the years it has become a thought-provoking look at what might impact our industry in the coming year. If you haven’t read it yet, please follow this link.

As we come to the holiday season, we know that we will be bombarded with reviews of 2020 on television, in our newspapers and online. A conversation with some colleagues about how long they had worked in the payments industry prompted my own review, when I realised that on the 8th December I clocked up 40 years in the industry, and how much technology has changed our lives in that time.

Are 97% of mobile transactions in Asia fraudulent?


Recently I saw this article suggesting that 97% of mobile transactions in Asia are fraudulent. Can this really be true? I decided to investigate.

The article highlights an excellent report published by Secure-D looking into mobile ad fraud, which it appears is a largely hidden multi-billion dollar enterprise, impacting emerging markets in particular. As you might expect with an enterprise of this size it is multi-faceted and complex. Two of the ways fraudsters are making money are as follows:

  • Fake clicks: The internet runs on advertising revenues obtained when a user clicks on an ad in a mobile app or on a web page. Fraudsters have numerous ways to create fake clicks that look like they’ve come from a real person, and are then paid the associated fee. One way they do this is by deploying malicious apps to the devices of unsuspecting users, often disguised as a legitimate app offering an innocuous service such as weather information.
  • Hidden purchases: Many mobile users in emerging markets are unbanked and use their prepaid mobile airtime to purchase goods or services. Those malicious apps deployed to devices can also then siphon off funds from users without them realising it is happening. They just see their airtime running out more quickly than it otherwise might.

Black Friday, Cyber Christmas, and a Contact-Free New Year


For most of us 2020 isn’t going to be a year to linger fondly in the memory. It’s been a monumental slog in the face of grim news and little cheer but from a payments perspective we’ve seen an unsurprising surge in interest in all things payment related.

People have moved from cash to electronic payments – contactless transaction numbers have soared. People moved from face-to-face purchases to online. And there’s been a ton of stress on payment systems as people have demanded refunds for holidays and flights they couldn’t take due to various travel restrictions. It’s been a year like never before.

We can expect this to be exacerbated over what will likely be an extended Black Friday and Christmas holiday shopping period. Online payments are expected to grow even though economies are in recession. For us in Europe it’s the last hurrah before PSD2 requirements on strong customer authentication come into force on January 1st. Merchants and payment companies will be well staffed on New Year’s Eve as they wait to see how the systems hold up, and what sort of abandonment figures they’ll see as puzzled customers are presented with confusing authentication screens. We can probably expect a flood of concerned calls about phishing which are actually Strong Customer Authentication requests.

Fintech South 2020 – Maintaining trust and safety in a digital world

At the (sadly, virtual) Fintech South event this year, I was asked to chair a discussion on identity and privacy with three extremely well-qualified experts who had informed perspectives on the state of, and trends in, those important pillars of a digital society. These were Adam Gunther (SVP, Digital Identity for Equifax), Andrew Gowasack (Co-Founder and President at TrustStamp) and Megan Heinze (President, Financial Institutions, North America for IDEMIA). It was great to talk to a group of people who were not only well-informed on these topics but had some passion for them too.

I won’t go over everything that was discussed, but I do want to pick up on a comment that was made in passing when I was chatting to the panelists: someone said that a guiding principle should be “no scary systems”. Hear hear! But what is a scary system? It is, in my opinion, a system that privileges security over privacy. This is not how we should be designing the identity systems for the 21st century!

Malware Wolves in Developer Sheep’s Clothing


When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it is from an app store, what social media says, and whether they have seen any reviews. But what if, once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight?

This is what happened to approximately 300,000 active users of the Chrome ad-blocking extension Nano Adblocker. You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer, who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may also have been uploading session cookies.

Internet voting – challenging but necessary


What did you think of the US election? I don’t mean the candidates and the outcome. What did you think of the election process? Should it be possible for national elections of this type to be done online? Last week the IET published a paper on internet voting in the UK, led by our good friend at the University of Surrey, Professor Steve Schneider. It’s well worth a read. As the paper explains, internet voting for statutory political elections is a uniquely challenging problem. Firstly, voting systems have exacting requirements and, secondly, the stakes are high given the threat of state-level interference.

Leveraging the payment networks for immunity passports


As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

Would you use the NHSX app?

I listened with interest to yesterday’s parliamentary committee on the proposed NHSX contact tracing app, which is being trialled on the Isle of Wight from today. You can see the recording here.

Much of the discussion concerned the decision to follow a centralised approach, in contrast to several other countries such as Germany, Switzerland and Ireland. Two key concerns were raised:

1. Can a centralised system be privacy respecting?
Of course the answer to this question is yes, but it depends on how data is collected and stored. Cryptographic techniques such as differential privacy are designed to allow data to be de-identified so that it can be analysed anonymously (e.g. for medical research), although there was no suggestion that NHSX is actually doing this.

The precise details of the NHSX app are not clear at this stage, but it seems that the approach will involve identifiers being shared between mobile devices when they come into close proximity. These identifiers will then be uploaded to a central service to support studying the epidemiology of COVID-19 and to facilitate notifying people who may be at risk, having been in close proximity to an infected person. Whilst the stated intention is for those identifiers to be anonymous, the parliamentary debate clearly showed there are a number of ways that the identifiers could become more identifiable over time. Because the identifiers are persistent, they are likely to be pseudonymous at best.

By way of contrast, a large team of academics has developed an approach called DP-3T, which apparently has influenced designs in Germany and elsewhere. It uses ephemeral (short-lived) identifiers. The approach is not fully decentralised, however. When a user reports that they have COVID-19 symptoms, the list of ephemeral identifiers that user’s device has received, when coming into close proximity to other devices, is shared via a centralised service. In fact, they are broadcast to every device in the system so that risk decisioning is made at the edges, not in the middle. This means that no central database of identifiers is needed (but presumably there will be a database of registered devices).

It also means there will be less scope for epidemiological research.
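To make the difference between the two designs concrete, here is an added Python model written for this post (it is not NHSX code and not the DP-3T specification): persistent identifiers can be linked across days by anyone who observes them, while per-epoch identifiers derived from a seed that never leaves the phone cannot, and the reporting flow follows the description above, with the central service only relaying a list and each device deciding its own risk locally. The device names, the HMAC derivation and the three-day scenario are assumptions of the example.

```python
import hashlib
import hmac
import secrets


class Device:
    def __init__(self, name, ephemeral=True):
        self.name = name
        self.ephemeral = ephemeral
        self.seed = secrets.token_bytes(32)  # secret that never leaves the device
        self.sent = set()                    # identifiers this device has broadcast
        self.received = set()                # identifiers heard from nearby devices

    def identifier(self, epoch):
        if self.ephemeral:
            # Short-lived ID: keyed hash of the epoch number, unlinkable without the seed.
            return hmac.new(self.seed, epoch.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]
        # Persistent ID: the same value every epoch, so a pseudonym at best.
        return hashlib.sha256(self.seed).hexdigest()[:16]


def proximity(a, b, epoch):
    """Two devices come into range and exchange this epoch's identifiers."""
    id_a, id_b = a.identifier(epoch), b.identifier(epoch)
    a.sent.add(id_a)
    b.sent.add(id_b)
    a.received.add(id_b)
    b.received.add(id_a)


def trackable(dev, epochs):
    """Observer's view of the broadcasts alone: if the identifier never changes,
    the device can be followed from one epoch to the next."""
    return len({dev.identifier(e) for e in epochs}) == 1


def report_symptoms(dev):
    """As the post describes it: the reporting device shares the identifiers it
    has received. Nothing that derives future identifiers (the seed) is uploaded."""
    return sorted(dev.received)


def at_risk(dev, published):
    """Edge decision: the central service only relays the list; each device checks
    locally whether one of its own broadcast identifiers appears on it."""
    return not dev.sent.isdisjoint(published)


def run(ephemeral=True):
    """Constructed scenario: Alice meets Bob on day 0 and Carol on day 2; Dave meets
    nobody. Alice then reports symptoms. Returns who is flagged and whether an
    observer could track Alice across the three days."""
    alice, bob, carol, dave = (Device(n, ephemeral) for n in ("alice", "bob", "carol", "dave"))
    proximity(alice, bob, 0)
    proximity(alice, carol, 2)
    published = report_symptoms(alice)
    return {
        "flagged": {d.name: at_risk(d, published) for d in (bob, carol, dave)},
        "alice_trackable": trackable(alice, range(3)),
    }


if __name__ == "__main__":
    print("ephemeral ", run(ephemeral=True))
    print("persistent", run(ephemeral=False))
```

Both designs flag Bob and Carol and leave Dave alone; the difference is only visible in what an observer of the identifiers can link over time.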

All of this is way beyond the understanding of most people, including those tasked with providing parliamentary scrutiny. So how can the average person on the street or the average peer in Westminster be confident in the NHSX app? Well apparently the NHSX app is going to be open sourced and that probably is going to be our greatest protection. That will mean you won’t need to rely on what NHSX says but inevitably there will be universities, hackers, enthusiasts and others lining up to pick it apart.

2. Can a centralised system interoperate with the decentralised systems in other countries to allow cross border contact tracing?
It seems to us that whether a system is centralised or not is a gross simplification of the potential interoperability issues. True, the primary issue does seem to be the way that identifiers are generated, shared and used in risk decisioning. For cross border contact tracing to be possible there will need to be alignment on a whole range of other things including technical standards, legal requirements and perhaps even, dare I say it, liability. Of course, if the DP-3T model is adopted by many countries then it could become the de facto standard, in which case that could leave the NHSX app isolated.

Will the NHSX app be an effective tool to help us get back to normal? This will depend entirely on how widely it is adopted, which in turn will require people to see that the benefits outweigh the costs. That’s a value exchange calculation that most people will not be able to make. How can they make a value judgment on the potential risks to their civil liberties of such a system? The average user is probably more likely to notice the impact on their phone’s battery life or when their Bluetooth headphones stop working.

There’s a lot more that could be said and I’ll be discussing the topic further with Edgar Whitley, Nicky Hickman and Justin Gage on Thursday during our weekly webinar.

Paying for food

It feels strange to be writing about paying for food, one of the basic skills we learn in early childhood. However, these are exceptional times, when the basic notion of how we pay is being challenged. It seems we are now considering the different options for paying safely when physical contact must be kept to a minimum.

Consult Hyperion has been alerted to many requests for advice from community groups who normally rely on cash payments, so in response we have drawn up some guiding principles:

1. Maintain good practice: be aware of the vulnerability, both real and perceived, of people unable to leave their homes. Asking them to do things differently risks increasing anxiety and leaving them open to fraud.

2. Keep it simple: work with payments options people already use, and those they are familiar with. The large spike in phishing attacks over the past month highlights scammers’ eagerness to abuse this situation.

3. Maintain records: clear and consistent transaction logging is essential to protect both organisers and the people they are helping. Keep invoices for tracking and reconciliation purposes.

4. Work with existing networks: local authorities, housing associations, care providers, charities, community groups, faith groups, even village shops. The mix will vary according to the community.

5. Only allow demonstrably trustworthy individuals to handle payments: the list of people permitted to countersign passport applications could be a good starting point, but each community is different. Trust is vital in payments.

6. Keep payments and shopping separate: older readers will remember having an account with their local shop and having items added to their tally, paying the bill weekly or monthly.

7. School meals provide a good example: cards (or biometrics) are used to ensure all students have equal access to food, without the stigma attached to free school meals. Food is still served, even if the system has technical issues.

8. Take the time to discuss people’s preferences over the phone: The person receiving the shopping doesn’t have to be the person who pays. Be creative in encouraging people to contribute a little extra, or allow friends and family to pay on their behalf.

When organising payments, only use options people already have. This is not the time for a stressful sign-up process. In order of preference:

Online – PayPal, Bank Transfer, Pingit

With any new online payment, if there is a level of trust through an existing relationship, ask the account holder to send a small sum of 1p or 10p to the intended account, to check that it does arrive in the right place.

PayPal: convenient if you already have an account. Allows you to choose different sources of funds to transfer. Can be used for paying individuals as well as organisations. Includes a degree of protection.

Bank transfer (frequently referred to as Faster Payments): Despite communication from many of our banks, the full roll out of Confirmation of Payee is delayed. There is uncertainty over whether the money will arrive in the right place, so test initially with small amounts. It is irreversible. It can be performed easily via internet banking if you have the capability. Telephone banking is currently overloaded.

Some apps enable an invoice with bank details to be presented through a link to a web page. This is better than simply sending requests for payment within an email, as fraudsters can’t just intercept the email and change the recipient details. It requires more effort to set up a fraud and is more likely to get spotted.

Pingit: Less widespread but convenient person-to-person payments which can be sent to a mobile number.

Contactless at the door

Using a portable reader from companies like iZettle, SumUp and Square. Apple Pay and Google Pay are good options as they allow higher value payments without the need to touch the device, if people already have the capability. Appropriate distancing must be observed.

Cheques

The householder only has to part with a single piece of paper and does not have to receive change. Cheques will have to be paid in and take a while to clear but there is very little risk of the householder absconding.

Cash

People are encouraged to avoid handling cash and avoid touching ATMs. Keeping cash in the home makes people more vulnerable. However, some people rely on cash. Where change is to be given, this should be arranged in advance and put in an envelope.

These are extraordinary times, which force us to look differently at the way we pay. Consult Hyperion have been enabling secure payments for over 30 years and we are able to apply our own Structured Risk Analysis process to understand the threats and possible countermeasures in every situation. These threats normally relate to the security of systems but in this case also encompass the risk of infection and people being left without essential supplies.

Finally

If you are reading this from home and need help, try phoning your local shop. If they are not organising deliveries themselves, they may well be aware of groups who are. Many local stores and community groups are providing help to those who need it, providing a much needed service. Get in touch with your local group.

Dave New World #IWD2020

One of my favourite quotes is, “at any given IT conference, there are more attendees named Dave[1] than there are women”. Having checked the attendee list at several conferences, it seems a pretty fair rule of thumb.

My first step into IT was to escape a rogue boss, who handled both male and female employees equally, resulting in my predecessor taking a case to tribunal. The local university offered postgraduate qualifications in both IT and accountancy. The first year of IT counted towards both, so I took the path of least resistance. After a year creating expert systems and researching Artificial Life, my choice was made.

Having settled into a technical role with a major network provider, I expressed an interest in moving into the security team, only to be told “you can’t have that job, it’s Dave’s job”. When I insisted, a second opening was found and Dave became a much-valued colleague and friend. When I was promoted to lead the team, it emerged that my salary even after promotion was well below Dave’s and rapid adjustments had to be made.

At around this time I worked alongside a firewall consultant, whose best client had bandwidth beyond our wildest imaginings. She needed cutting edge technology to protect her revenues while engaged in the world’s oldest profession. This consultant, known to use the same password on every system, later put the first firewall into 10 Downing Street. In recent years, I have had the opportunity to research (in a professional capacity) the importance of digital identity in the context of adult services, highlighting the sheer scale of this industry and the important role of technology in this area.

When I first joined Consult Hyperion in 2006, I was asked to organise a workshop for identity experts from across Europe. It was a great opportunity and a real inspiration when Angela Sasse, a leading light in HCI, spoke about the importance of both women and men contributing to systems which are to serve the public. One of my favourite feminists, another Dave, was later to highlight the peculiar assumptions behind some technologies. For instance, the concept of the smart home managed remotely by a man on the move. It may work for people living alone but the ability to turn the lights off or the heating down while partners or family members are at home is not so great.

We are lucky at CHYP to have a diverse and highly skilled team working in Hyperlab, including a Dave. His working proof that an EMV contactless transaction could be completed in under 500ms in a live transit environment was critical to the adoption of the technology by Transport for London, which in turn contributed to the wider implementation of contactless payments. He has also worked on financial inclusion projects in both the UK and Africa, enabling aid to be distributed to farmers in remote areas.

On a personal level, it is always good to see more women joining the industry. It’s a great place to work, with constant change and exciting new challenges. I respect initiatives such as Microsoft’s Girls in STEM[2], although it has caused upset in my household, as my son was very disappointed that there was no equivalent for Boys in STEM. He has a truly inspirational IT teacher, who spent much of her career working in the industry and is equally at home with coding and infrastructure (or ‘the boring stuff’, as my son likes to call my main area of interest). Despite every possible encouragement, there are no girls taking Computer Science in his year. The local girls’ school does not even offer the subject at A level. However, whatever profession you adopt, chances are you will need technology to achieve your goals. At a time of huge opportunity, it is important to remember that there are many different paths into a career in technology. For instance, privacy requires strong legal and technical underpinnings. It is therefore vital that from the earliest years, we encourage children to engage with technology in whatever way best suits their own individual passions.

I’ve run up against some interesting attitudes in my working life: “you don’t look like a techie[3]”, “girls can’t do firewalls”, “a female consultant?” and, disappointingly, female colleagues refusing to take on “men’s work”. Having spent my formative years around a boys’ prep school, where women were mostly ‘below stairs’, I learned early to take this kind of thing in my stride.


[1] In this article, the term ‘Dave’ is used to denote anyone with the given name of ‘David’.

[2] https://www.microsoft.com/en-us/corporate-responsibility/skills-employability/girls-stem-computer-science

[3] https://www.bbc.co.uk/news/blogs-trending-33783007

To paraphrase Plato: the cost of not taking part is to be subject to the decisions of those less capable than you.
