My policy has been talking to your policy

[Dave Birch] The November 2012 issue of the “Mobile Wallet Report” has an article headlined “Mobile network operators ‘keep calm and carry on with NFC’”. I can tell you that this is unequivocally not the case. Not only are banks, mobile network operators and others canning NFC projects right now, they are not keeping calm at all. They are not calm because they are not sure they have backed the right horse. Or, as more critical persons might say, the right horses: the SIM-centric model for NFC and the EMV-centric model for payments. The UK has, at the time of writing, precisely one NFC-EMV handset on sale (from Orange) and industry observers think it unlikely you will see a torrent of similar handsets reaching the shops in the near term. Events have started to overtake the argument that NFC-EMV made sense because it meant that the existing acquiring infrastructure could be used and it would minimise the retailers’ expenditure on POS equipment. I’m no longer satisfied by using NFC-EMV to pay at the car park ticket machine at Woking station because I’d rather just use the RingGo app on my iPhone and not go near the ticket machine at all. Retailers are abandoning the conventional POS for staff wandering around with iPads and the one mobile wallet that I use all the time is from Starbucks and doesn’t use NFC at all. Now is not the time to simply carry on with the same-old, same-old. Now is the time to stop and re-think the mobile wallet. It’s time for the “hyper wallet”.

A hyper wallet doesn’t try and simulate a physical wallet: it meets the requirements for a wallet in the modern, online world. It doesn’t emulate the leather wallet, it blows the leather wallet away.

[From Wallets, mobile wallets and hyper wallets]

I went along to the excellent Mobile Wallet Summit in London last week and sat through some excellent sessions, in particular the well-informed discussion about mobile acquiring featuring Petter Made and TT pals Stewart Roberts of iZettle and Dan Wagner from mPowa.


I spoke about this idea of hyper wallets in an identity-centric context, meaning that it is the identity of the consumer that is the source of value in a world where the margin on payments continues to trend down. I also said that the convenience of NFC will put it into consumers’ hands. But the convenience will be used for purposes other than EMV payments. The hyper wallet will do things that physical wallets and digital wallets can’t do, not emulate the things that they can do just fine, like make card payments. The fact that hyper wallets are smart and connected means that they can deliver entirely different kinds of services.

Mobile wallets can use their computing power to instantly resolve these questions and present the user with optimal choice(s).

[From The Digital Wallet Value Proposition (NetBanker)]

Jim is characteristically spot on here. I want my mobile phone to do all the boring stuff that I don’t want to do, like figure out where to get Waitrose cash back or British Airways miles on any particular transaction. As I’ve written before, I can imagine selecting various overall policies from a menu somewhere on my phone and then leaving it up to the device from then on. I certainly don’t want to get involved in any dreary per-transaction decisions. I made another point at the Summit to go with this: hyper wallets should implement functions that simply cannot be implemented in physical wallets (I used the example of cryptographic tokens for review sites, but I’m sure smarter people than me will think of others).

When you pay your hotel bill, your wallet sends a blinded token to the hotel which then signs and returns it. Your wallet unblinds the token. When you log in to Trip Advisor, or whatever, you can send the token to them. The token proves that you stayed at the hotel, but is mathematically unlinkable. Trip Advisor and the hotel and the other viewers can know for sure that you stayed in the hotel but your Trip Advisor account can remain anonymous.

[From Security isn’t the killer app for digital identity]
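The exchange quoted above can be worked through with Chaum-style RSA blind signatures. This is an added example, not code from the original post: the key is a constructed toy key, the function names are hypothetical, and the spent-token check on the review site is an assumption the post does not mention.

```python
import hashlib
import math
import secrets

# Constructed demo key for the hotel, built from two well-known Mersenne primes.
# It only keeps the arithmetic readable; a real deployment needs a properly
# generated key that is used for nothing except signing stay tokens, because
# the signer cannot see what it is signing.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # hotel public modulus
E = 65537                            # hotel public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # hotel private exponent


def h(token: bytes) -> int:
    """Hash a token into Z_N (full-domain-hash style, simplified)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def wallet_blind(token: bytes):
    """Wallet: hide the token hash behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r


def hotel_sign(blinded: int) -> int:
    """Hotel: sign whatever arrives when the bill is paid. It never sees the token."""
    return pow(blinded, D, N)


def wallet_unblind(blind_sig: int, r: int) -> int:
    """Wallet: strip r to obtain an ordinary signature on the token hash."""
    return (blind_sig * pow(r, -1, N)) % N


def site_verify(token: bytes, sig: int) -> bool:
    """Review site: check the token with the hotel's public key only."""
    return pow(sig, E, N) == h(token)


def accept_review(token: bytes, sig: int, spent: set) -> bool:
    """Assumed policy: one review per stay, so each token is accepted once."""
    if token in spent or not site_verify(token, sig):
        return False
    spent.add(token)
    return True


def explaining_factor(token: bytes, logged_blinded: int) -> int:
    """Why the token is unlinkable: for ANY value in the hotel's log there is a
    factor r that would have blinded this token into it, so the log cannot
    single out which stay the token came from."""
    return pow(logged_blinded * pow(h(token), -1, N) % N, D, N)


def demo():
    token_a, token_b = secrets.token_bytes(16), secrets.token_bytes(16)
    hotel_log = []
    sigs = []
    for token in (token_a, token_b):          # two guests check out
        blinded, r = wallet_blind(token)
        hotel_log.append(blinded)
        sigs.append(wallet_unblind(hotel_sign(blinded), r))
    # Guest A's token is consistent with every entry in the hotel's log.
    consistent = [
        (h(token_a) * pow(explaining_factor(token_a, b), E, N)) % N == b
        for b in hotel_log
    ]
    return site_verify(token_a, sigs[0]), site_verify(token_a, sigs[1]), consistent


if __name__ == "__main__":
    print(demo())
```
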

This all does rather change the nature of competition in our industry, though. If consumers aren’t involved in the decision whether to use Amex or MasterCard at POS, because the computing power and the connectivity of the mobile wallet does it better, then what’s the point of the adverts and direct mail and promotions?

Barclays will have to convince my phone, not me, to use one of their products. This won’t happen, of course, because consumers either won’t be bothered to make these decisions or won’t be capable of making them. What they will do instead is download policy profiles into their wallets: the Money Telegraph Profile or the Suze Orman Profile or the Walmart Profile, so the issuers will be reduced to making deals with the policymakers. If the “Saga” policy is a popular choice for older British persons with their phones, then Barclays will have to do a deal with Saga in order to be part of their policy. It will be my Saga app that decides which payment card to use in the shop, not me. The TV advertisements will be even more of a waste of money than they are now.

If you put all this together, you see an impending shift in wallet strategy. The hyper wallet is getting closer.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers

W8 IZ ~SCURE

[Dave Birch] I think most of us are familiar with services that use text messaging as a means to authenticate a transaction. When I log in to PayPal, for example, it sends a six digit code to my phone and I have to type this code in to continue. It’s not PayPal’s only defence of course, because they have a sophisticated and well-developed infrastructure for fraud detection and prevention, but it presumably further tips the balance away from the fraudster. By itself, however, SMS isn’t the answer.

The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction… Today, SMS authentication is used by three of the four largest Australian retail banks as a preferred mode of second-factor authentication for transactions to unfamiliar accounts.

[From Telcos declare SMS ‘unsafe’ for bank transactions – News – iTnews Mobile Edition]

I have to say this isn’t entirely unexpected. Security experts have long regarded SMS as vulnerable and from a risk analysis perspective seen it as only one of a group of appropriate countermeasures that need to be deployed in transactional systems.

I saw Charles Brookson, the head of the GSMA security group, make a very interesting point recently. Charles was talking about the use of SMS for mobile banking and payment services and he made the point that SMS has, to all intents and purposes, no security whatsoever. The spoofing of SMS originating numbers, in particular, is trivial (this is why M-PESA, for example, encrypts and signs all SMS messages using a SIM Toolkit application).

[From Digital Identity: SOS SMS]

Some months before this, I’d cautioned about that same issue in a post about SMS from that risk analysis perspective (which is not surprising, since the risk analysis of transactional systems is, frankly, something of a specialty of Consult Hyperion).

My guess is that this is a general result: once you train customers to perform some simple action in order to obtain security, they won’t do any of the other cross-checks and because they think (for no reason) that SMS is somehow secure, then SMS-based approaches may be even more exposed.

[From Digital Identity: Out of band, out of mind]

One of the reasons for writing this piece was that the attacks on SMS were not hypothetical. (And, naturally, I wanted to trumpet that the SIM-based architecture that we had developed for M-PESA was not subject to these same frauds.) In fact, at the time of writing, substantial frauds had already occurred.

The customer’s SIM card gets falsely declared stolen by the fraudster at the service provider. A replacement SIM card is issued, rendering the customer’s original SIM card void. What this means is that all security messages and codes sent to the customer by Standard Bank are sent to the fraudsters who utilise the customer’s replacement SIM card. Using the bank’s secure OTP, the criminals were able to change and add beneficiaries and transfer money out of the customer’s account using the original information obtained through the phishing compromise.

[From Digital Identity: Out of band, out of mind]

So where does that leave us? Well, I think that we need to move away from the idea that text messaging is a solution and look at implementing a generalised, SIM-based, MNO-interoperable, PKI. We already know how to do this (because some MNOs already do it) so perhaps it needs a vehicle to get anywhere. The wallet plays such as Oscar seem to me to be an obvious mechanism, especially given everything that is being said about mobile wallets needing to evolve identity-based value-added services as payments are commoditised.


Mobile identity on the move

[Dave Birch] I recently posted about the need for a cross-sector identity management infrastructure in the financial services world and suggested that banks need to get on and start working on it. I didn’t mean to imply that banks should be the exclusive providers of that kind of infrastructure, since there are other organisations who might do a better job. One part of a spectrum of possible futures might, for example, involve mobile operators providing both the infrastructure and one class of identity and attribute provision businesses.

Now, one of the obvious reasons why mobile operators are well-placed to provide infrastructure in the identity space is that they have the SIM. I’ve written countless times before, going back many years, that the SIM might be a good place to store digital identities. In fact, way back in 2006…

I said a long time ago that “SimID” might be more profitable than Simpay!

[From Digital Identity: Norwegians would]

I still have a presentation on my laptop that was a proposal for an identity play (then known as the “Genie Passport”) for Cellnet two recessions ago, but I can hardly claim to be the only person with that idea. It was common currency more than a decade ago in the days of Wireless PKI and Radicchio.

If the operators provide SIM-based PKI and then rent it out on reasonable terms, banks will be only the first mass market to shift identity and authentication out of the cloud and on to the handsets.

[From Digital Identity: Cloudy with a chance of PKI]

The point was made repeatedly, by multiple speakers, that the operators should work together to create an infrastructure. I agree with this, but I think it is a reasonable point to make that this co-operation needs a shared narrative to animate it. In other words, what’s the story? It’s one thing to say that the SIM should store identity, but quite another to say what exactly this “identity” is, how it will work in prosaic cases and what infrastructure needs to be developed to make all of it possible. But this post isn’t about that narrative.

Last month the GSMA invited me down to Nice for their Mobile Identity meeting. The meeting was held under the Chatham House rule so I’m not going to say who said what, but I will say that it was interesting to see a group of mobile operators from around the world taking the business of identity seriously and looking at launching commercial services. A concrete proposition for a standard “Operator-ID” was put forward by one of the MNOs and I have to say that I thought it was pretty good. The idea is simply to provide a generalised SSO that all service providers can use: your login menu at a web site would be “Facebook/Twitter/Your Mobile Operator”. There were five reasons to provide this service put forward by the protagonists:

  1. Reach. The operators have a lot of customers, and using OpenIDConnect the operators can deliver this large customer base to service providers in a standardised way. They can then combine this with SIM-based PKI to provide strongly authenticated identities (set aside what the operators mean by “identity” in this instance). Moving from unverified to verified users is a good idea, even if the operator doesn’t know who the “real” identity is, if you see what I mean.
  2. User insight. What I would call reputation, this is a crucial dataset for monetizing the proposition. Once again, the operator does not need to know who you really are in order to know that you go to Waterloo station every day, or visit Subway every week or travel to France every month.
  3. Business model. The idea of some kind of freemium service, free for personal use but with paid-for value-added services to business, seems plausible to me. The idea that operators will be able to charge per-login to make a profit is possible, but I wouldn’t bet on it. But suppose banks, for example, said that they would accept OpenIDConnect logins but only from 2FA identity providers that met certain minimums (what we call “qualified digital signatures” in Europe) then they could save money messing about with dongles and switch quickly.
  4. Seamless bundles. The operators already provide their own services (e.g., Joyn) that could switch immediately to eat their own dog food, as our transatlantic cousins would have it. It’s a pain in the arse right now for me to log in to O2, Orange and 3 with different usernames and different passwords. If Orange gave me an OpenIDConnect service through my iPad, I’d use it to log on to O2, Virgin and 3 as well and not have to keep going through the “forgot your password?” loop.
  5. Processes. Many of the practicalities of mass-market identity mean that the scale processes of operators deliver a competitive advantage. The proposal for a cross-operator discovery layer, for example, solves the problem of having to know which operator a particular number corresponds to.

I liked this presentation a lot, partly because I knew that it would support some of the conclusions of my subsequent presentation but mainly because it covered some details that I hadn’t really been thinking about: the integration with operators’ processes and back-end systems. The key point of the proposal — using OpenIDConnect — was music to my ears. Here’s what I wrote a couple of years ago:

Nevertheless technology is an important part of the equation, and we need to pay attention to the emerging technologies, because it will take some real effort by a coordinated industry grouping in order to get worthwhile (ie, involving tamper-resistant hardware) authentication deployed and this will need to be linked to a framework (such as the new OpenID Connect) that can easily be adopted by web sites, mobile services and across other channels.

[From Digital Identity: Identity is the new money]

I don’t understand why MNOs don’t provide this service already: I’ve lost count of the presentations I’ve made to different groups in different operators on the topic. It seems as if each of the operators that I deal with as a customer has spent money on their own SSO and this doesn’t seem particularly cost-effective to me. If they don’t get together on this, then eventually some form of handset trusted execution environment (TEE) will become the home of the mobile PKI and they will be bypassed. Why not try and make something of the SIM or the SIM-based secure element (SE) while they still can?

The best way to do this is to engage with the rest of the digital identity community that tries to solve these problems globally (see earlier post), and add the MNO assets, the mobile device and the SIM to it, and not to treat it as a stand-alone service.

[From What about mobile ID | It’s all about ID]

So, we all agree, it’s a good idea. Why now? Well, one driver that was discussed in Nice was Europe. As you may know, the EU has put out a proposed Regulation COM(2012) 238 (final 4th June 2012) on electronic identification and trust services which will call for, amongst other things, interoperability between certain kinds of electronic identity. They are thinking primarily about access to public services, banking and the like. Right now there are 13m EU citizens working outside their home country and the cross-border use of electronic identities would make life much easier. The idea is that member states will “notify” the European Commission of identity services for access to public services and then all member states will have to allow access to public services by “notified” providers. (Note that as part of this, the notified providers must provide free authentication services).

As far as I understand it, suitable identities will be ones that can form “qualified” digital signatures. There are around 100 CAs in the EU offering such qualified digital signatures but they tend to be rooted in national systems so even where there is cross-border interoperability at the technical level, there is none at the application layer. This is an old and well-known problem, and there has been some progress exploring ways to make it work, yet the current situation shows little sign of change. However, given the EU’s desire to see change, it may be that the MNOs have a particular window to provide infrastructure for notified providers and make it easy for those providers to offer interoperability through that infrastructure at little cost to themselves. And the MNOs, like the EU, want to see a Europe-wide solution so there is an alignment of interests there.

There was one particularly interesting discussion during the GSMA’s morning session covering the “problem” of multiple SIMs and multiple devices. For example: in my house I have a phone with an O2 SIM, an iPad with an Orange SIM and a dongle with a 3 SIM. There are multiple SIM phones. So how would mobile ID work in this environment? In my mental model this isn’t a problem because I assume that the digital identities in each SIM will be bound to the same real identity, because I separate the binding of the digital identities to the “real” identities and the binding of the digital identities to the virtual identities used on line. And I should be able to link any or all of these virtual identities to the services I want to access online.

The bottom line is that, to my mind, the technologies to do something about identity in the mobile space not only exist but are well understood. The idea of using PKI with SIM-based key pairs has been around for many years and the Mobile Signature Service Platform (MSSP) is already standardised (ETSI TS 102 203 and 102 204) and companies such as Valimo provide off-the-shelf products. The Open Mobile API (a mandatory part of the GSMA NFC handset requirements) provides a route forward for storing and manipulating digital identities that can be used in physical as well as virtual interactions. The services provided using these standards are probably not rich enough and I suspect that they will need another layer on top so that they can fit inside the industry frameworks that are being developed right now (NSTIC, IDA and such like).

The best way to do this is to engage with the rest of the digital identity community that tries to solve these problems globally, and add the MNO assets, the mobile device and the SIM to it, and not to treat it as a stand-alone service.

[From What about mobile ID | It’s all about ID]

Assaf Bielski is surely right about this. Perhaps, as I’ve suggested in the context of Project Oscar and ISIS, a place to focus might be digital identity services for wallets. Everyone loves wallets and everyone and his brother are developing one at the moment. Why not provide an identity API for wallet developers to use so that customers can have a shared and stable identity and authentication process across handsets and operators? The GSMA could co-ordinate industry requirements here and develop a narrative vision that might make it easier for the MNOs to develop an API in a reasonable (i.e., months rather than years) time. This would be a genuine win-win: a value-added service from the operators that keeps them in the loop and a significant cost-saving to banks, retailers and others.

A final observation: I think I did detect a sense of urgency that I hadn’t seen before. The operators (correctly) think that if they don’t do something about identity quickly, then the FAGs (FacebookAppleGoogle and other scary OTT providers) will shift to 2FA (using TEE or whatever) and bypass the operators completely.


Quick response

[Dave Birch] A couple of interesting discussions about QR codes at Money 2020 earlier today. Well, I’ve been looking at some technology roadmaps around NFC and QR codes again in connection with a couple of projects we’re involved in and I think I’ve got at least an interim conclusion. While I have no inside information on the subject, I do expect a future iPhone (and, for that matter, iPad) to have NFC. NFC is a convenience technology, and Apple loves convenience. As, it seems, do customers.

In fact, in the tests that were held by Kraft, NFC experienced an engagement level that was twelve times greater than the results that were achieved by QR codes… However, at the same time, NFC did have its own drawbacks, which Kraft found to be rather significant for the moment. To start, most older phones do not have this technology and therefore cannot take advantage of its availability in a store or on a product, even if the consumer is interested. Moreover, the technology is also absent in all Apple products that have been released to date… This means that NFC automatically ignores the largest segment of the mcommerce marketplace.

[From QR codes and NFC tested by Kraft in mobile commerce trials]

In other words, NFC is great but not yet relevant. This, to be honest, seems like a pretty reasonable assessment of the current situation and contains both good and bad news. The bad news is that the money that the payments industry is spending on NFC will have a much longer payback time than had been hoped. The good news is that we (consumers) end up with something that is simple and quick and secure.

Osama Bedier, VP of Wallet & Payments… believes that [NFC is] a better technical solution than the QR codes that Apple uses on Passbook, calling them one of “many bridge technologies between now and what is a destination solution.” He pointed out that “you still have to futz” with QR codes.

[From Google still believes in NFC for mobile payments, doesn’t see ‘eye to eye’ with Verizon | The Verge]

As far as transactional applications go, though, I think it fair to observe that there will be developments beyond the initial conflation of NFC with payments at the EMV nexus. While not the topic of this post, a key message coming out of Money 2020 has been that the complex ecosystem assembled by handset manufacturers, SIM suppliers, TSM operators, the GSMA, bank issuers and schemes may well be bypassed in the longer run but in the short run is actively holding back NFC evolution!

Incidentally, while we’re on the topic of NFC vs. QR again, I wanted to mention a related issue. There is a slight problem with the writing of a blog such as this one. The nature of Consult Hyperion’s work with clients around the world is such that we are, from time to time, privy to commercially confidential information. This is true for most companies, naturally. But it means that sometimes I write things on the blog that I know aren’t quite correct. Here’s an example. Earlier in the year I wrote about hypothetical attacks on NFC tags and QR codes because of the lack of identity infrastructure, saying that

It’s simply impossible to tell whether a QR code is “real” or not.

[From A quick response to the problem]

At the time I wrote this, I knew perfectly well that the attacks on both QR codes and NFC tags discussed in the piece were not hypothetical but had actually occurred. It would not have been appropriate to mention, at that time, that I knew that attacks had occurred or who the victims were. So I’m glad to say that (although I won’t point at the victims) I have heard the attacks discussed at a couple of recent events so now I think it’s OK to at least talk about what the attacks were.

In both cases the same vulnerability was exploited: when a consumer uses a smartphone to read either a QR code or an NFC tag, they have no idea whether what they are reading indeed comes from the poster, advertisement, magazine or whatever else they are looking at:

  • In the attack on a travel-related NFC poster, the attackers stuck their own NFC tags on the posters. Instead of pushing the number to call for more information about travel products, the number was for a reverse-charge premium-rate phone call to South America.
  • In the attack on a bank advert with a QR code, the attackers had printed their own versions of the QR code and stuck them over adverts in public places in London. Customers who scanned the code in order to get more information about a bank product instead got malware downloaded to their phone. At least 4,000 customers were fooled this way.

We already know what the solution to the NFC problem is, since a standard for digitally-signing the data content of an NFC tag has existed for a couple of years (although no-one seems to have implemented it) and we also know how to manage the keys and certificates that would be needed to make this all work in the mass market. For QR codes there is no such standard, although there are companies out there (e.g., Ensygnia) who have been developing proprietary solutions.

The real problem with this large number of QR code scans is that consumers have no way to detect the presence of malware in the code before it is too late.

[From Portals and Rails]

Quite. All in all, this proves a point that I’ve made many times in the past: connection is easy, disconnection is hard. In this case, I think that shifts the dynamic toward NFC. You could imagine a situation in which a powerful player like Apple, using Passbook, forces a scheme for digitally-signing QR codes and sets up a structure for key and certificate management, in which case the operators and banks will be kicking themselves for not setting up an industry-wide digital signature scheme and implementing the NFC standards for tag security. If customers and retailers could be sure that NFC tags 


You don’t know ‘jack

[Dave Birch] A bit of a “dog bites man” story coming from the Black Hat lot out in Las Vegas naturally caught my eye because it mentioned NFC. The story is, essentially, that you can hijack an Android handset (well, certain kinds of Android handset) by combining NFC tag reading with some known vulnerabilities of the operating system.

Android Beam, Google’s souped-up version of NFC’s peer-to-peer communication feature in its Android 4.0 operating system, could enable a hacker to induce a victim’s phone to visit a malicious Web site

[From Smartphone Hacker Claims He Can Hijack Handsets Using NFC | NFC Times – Near Field Communication and all contactless technology.]

Under certain conditions, the malicious web site can take over the handset. What is puzzling to me about this story is that not only is this vulnerability well-known, but the countermeasure is similarly well-known yet completely ignored. Note, however, that the vulnerability is an instance of a much wider set of problems. It’s not limited to NFC and it’s not limited to Android.

The problem we see in both of the examples–the QR code scanning by the iPhone and the NFC tag reading by the Samsung smartphone–is that the software which interacts with the code/tag proceeds to act on the data in the code/tag without asking permission.

[From Abuse of QR Codes and NFC Chips: Preview-and-authorize should be default mode | ESET ThreatBlog]

For the purposes of customer convenience and usability, you want people to be able to tap and go. Yet if they think they’re tapping a “get me more information about this excellent credit card offer from a reputable bank” link at the bus stop but are actually tapping a “please hack my phone and steal valuable data” link (or, for that matter, a porn link) things will go wrong. So everyone is vulnerable, except in the case where the security protocol for NFC has been implemented correctly so that the device (e.g., the phone) can read and validate the digital signature on the data. I’m not aware of a similar standard for QR codes, although there are companies (e.g., Ensygnia in the UK) who have developed secure versions of QR codes. So the generalised countermeasure, the obvious way to stop phones from automagically visiting dodgy links, is to tell the phones to respond only to digitally-signed links. In the case of NFC, the Black Hat example that kicked off this post, the security protocol mentioned above has been around for ages.

There’s an easy way to guard against such scams in the NFC world, because the NFC specifications already include the ability to add digital signatures

[From A quick response to the problem]

The specification I refer to here is nearly three years old but is still, to the best of my knowledge, not implemented in any of the handsets that are out in the market.

The NFC Forum, (http://www.nfc-forum.org), a non-profit industry association that advances the use of Near Field Communication (NFC) technology, today announced the adoption and release of the Logical Link Control Protocol (LLCP) specification, which supports bi-directional communications between NFC-compliant devices. The organization also announced the new NFC Signature Record Type Definition (RTD) candidate specification, which defines how to digitally sign data records in NFC Data Exchange Format (NDEF) messages. Both specifications are available to the public for download at no charge at: http://www.nfc-forum.org/specs/.

[From NFC Forum : NFC Forum Announces Specifications to Support Peer-to-Peer Device Communication and Verify Data Authenticity]

The reason that I said I find this “puzzling” is that, as we discussed with many clients a couple of years ago, this particular standard provides the elements of a business model as well as a technical solution to a technical problem. Suppose you are, say, putting adverts in a shopping mall. You want shoppers to tap the ads to get info about special offers. Then you will need to add a digital signature to the tags. In order to do this, you will need to get a key that will be recognised by the shoppers’ handsets. Where do you get this key from? Clearly you are going to have to buy it from somebody. If the operators had any sense, they would have already organised this service so that advertisers and others would have a one-stop shop. You can imagine how this might work: I’m running a campaign so I go to the operators’ shop and buy a certificate that is valid for, say, a month. That certificate is signed by a key that is recognised by all of the operators’ handsets.

Of course I could always, as an advertiser, put out unsigned tags. But customers would have to specifically check the “please make me vulnerable to hacking” box on their handset, otherwise the handset would simply ignore all tags without a digital signature that it can resolve.
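The handset-side policy described in the last two paragraphs can be sketched as follows. This is an added example, not code from the original post and not the NFC Forum Signature RTD format: textbook RSA over constructed toy keys stands in for real certificates, and every name, URL and timestamp is an assumption.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

E = 65537  # public exponent shared by all demo keys


def keypair(p: int, q: int):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    return pow(digest(data, n), d, n)


def verify(data: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == digest(data, n)


# Constructed toy keys (small Mersenne primes), for illustration only.
OPERATOR_N, OPERATOR_D = keypair(2**127 - 1, 2**107 - 1)   # root the handset trusts
ADVERTISER_N, ADVERTISER_D = keypair(2**89 - 1, 2**61 - 1)
UNTRUSTED_N, UNTRUSTED_D = keypair(2**31 - 1, 2**19 - 1)   # not known to the handset


@dataclass(frozen=True)
class CampaignCert:
    advertiser: str
    public_n: int       # advertiser's public modulus
    not_before: int     # validity window, epoch seconds
    not_after: int
    issuer_sig: int = 0

    def tbs(self) -> bytes:
        """Bytes covered by the issuer's signature (all fields but the signature)."""
        return repr((self.advertiser, self.public_n,
                     self.not_before, self.not_after)).encode()


@dataclass(frozen=True)
class Tag:
    uri: str
    sig: Optional[int] = None
    cert: Optional[CampaignCert] = None


def issue_cert(advertiser, public_n, not_before, not_after, issuer_n, issuer_d):
    cert = CampaignCert(advertiser, public_n, not_before, not_after)
    return replace(cert, issuer_sig=sign(cert.tbs(), issuer_n, issuer_d))


def signed_tag(uri, cert, n, d):
    return Tag(uri, sign(uri.encode(), n, d), cert)


def handset_decision(tag: Tag, now: int, allow_unsigned: bool = False) -> str:
    """Act only on tags whose signature chains to the operator key."""
    if tag.sig is None or tag.cert is None:
        # The opt-in box from the post: even then, show the link before acting.
        return f"preview: {tag.uri}" if allow_unsigned else "ignore: unsigned tag"
    cert = tag.cert
    if not verify(cert.tbs(), cert.issuer_sig, OPERATOR_N):
        return "ignore: certificate not issued by a trusted operator"
    if not cert.not_before <= now <= cert.not_after:
        return "ignore: certificate outside validity period"
    if not verify(tag.uri.encode(), tag.sig, cert.public_n):
        return "ignore: tag data does not match signature"
    return f"open: {tag.uri} (signed by {cert.advertiser})"


# Constructed sample data: a one-month campaign and four tags a phone might read.
START = 1_350_000_000
MONTH = 30 * 24 * 3600
NOW = START + 7 * 24 * 3600
CERT = issue_cert("Example Bank", ADVERTISER_N, START, START + MONTH,
                  OPERATOR_N, OPERATOR_D)
GENUINE = signed_tag("https://bank.example/offer", CERT, ADVERTISER_N, ADVERTISER_D)
OVERLAY = replace(GENUINE, uri="https://lookalike.example/offer")  # data swapped, old signature kept
SELF_ISSUED = signed_tag(
    "https://lookalike.example/offer",
    issue_cert("Example Bank", UNTRUSTED_N, START, START + MONTH,
               UNTRUSTED_N, UNTRUSTED_D),
    UNTRUSTED_N, UNTRUSTED_D)
UNSIGNED = Tag("https://lookalike.example/offer")

if __name__ == "__main__":
    for name, tag in [("genuine", GENUINE), ("overlay", OVERLAY),
                      ("self-issued", SELF_ISSUED), ("unsigned", UNSIGNED)]:
        print(f"{name:12} -> {handset_decision(tag, NOW)}")
```
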

Simple. And a great place for operators to get together and create an actual win-win proposition that advertisers will pay for and consumers will like. And, in fact, I’ve been involved in a number of discussions around this opportunity with operators and not much has happened. But why not? I’m beginning to imagine the gulf between business and technology in mobile operators to be an insurmountable barrier, and that I’m not capable of bridging it.

I say “digital signatures are an opportunity to develop a business model around tags and tagging while simultaneously enhancing safety and security for customers.”

The marketing guys hear “digital signatures blah blah blah”. Remember, they don’t know what a digital signature is.

The accounting guys say “how much incremental ARPU in years one to five?”.

I tell them that I haven’t the slightest idea. It’s an entirely new service. Advertisers have never known which actual advert customers looked at before and bad guys weren’t able to hijack peoples’ eyes before. So it’s new territory.

Then they say no thanks. Someone else will build this business (Apple? They seem to be getting all sorts of NFC-related patents at the moment) and then the operators will once again complain about being pipes. Is Tom Noyes right to say that 

No one can orchestrate value in NFC. What is truly ironic is that as the carriers spend hundreds of millions of dollars on NFC and their walled garden strategy to “force control”, Apple and Google will be further ahead in coordinating value in new networks. This value delivery outside of the mobile network will further cement carriers’ roles as dumb pipes

[From Apple Passbook: No NFC Here… « FinVentures]

What can we do to break the logjam? Are the operators doomed to hand digital identity over to OTT players without a fight?

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.

Press the red button for financial inclusion

[Dave Birch] I can’t remember exactly when it was, but one of the first conference papers that I ever presented relating to the internet was called “Smartcards on the Superhighway”. I think it was in 1995, because I subsequently turned it into a journal paper that was published in The Journal of Internet Research 7(2), p.116-119 (1997). I can remember putting it together, because we’d been asked by a couple of financial services customers to take a look at the nascent internet and see if it might be used for their products and services. One of them, as I recall, was the London Stock Exchange, and I went off to talk to some people—including Forum friend Steve Bowbrick, who was at that time running the first Internet Cafe in London, called Cyberia—about what wasn’t even called electronic commerce yet.

My conclusion was that the best way forward would be to leave the IP infrastructure alone and forget about trying to build security into the network, because the dynamism of the Internet was so critical to its success. The fact that anyone could connect to it and send anything they want to anyone they wanted to was a fantastic, unparalleled landscape for creativity. Instead, I thought, if we wanted to use the Internet for business, for government, for “serious” communications, then it would be better to secure the end-points, and since software would never be adequate, that meant tamper-resistant hardware. Since the only tamper-resistant hardware I could see in the mass market was smart cards, I drew the inevitable conclusion: we’d do business on the web using smart cards. There were three ways, I thought, that this might work.

  1. We could take smart cards issued by banks, governments and others and connect them to our PCs using smart card interfaces. I was seriously wrong about this: I figured that as a smart card interface would cost a couple of dollars, we’d all have them, but it really didn’t work out like that. I don’t think I ever got a working smart card reader plugged into my Mac, except the one (that worked perfectly) from the Britney Spears’ fan club.
  2. We could use the smart cards inside mobile phones, the SIMs, in some way. Some of the projects we were working on at that time were for what was then Cellnet (now O2) and the precursor to T-Mobile (on things like prepaid services) so I didn’t think that that was much of a prediction. It seemed obvious that phones would become important payment devices.
  3. My final vector was TV. We’d done a fair bit of work on satellite data transmission and digital TV. Since I could see that set top boxes would use smart cards for subscriber management, I thought that (as in the case of the mobile phone) these smart cards could be used for identification and payment as well as access control.

I think this analysis has held up pretty well over the years. I’ve written a few times that I thought that digital TV deserved more attention as a channel but for one reason or another it hasn’t really taken off. Where are we now? If my remote control were to sprout an NFC interface so that I could buy stuff online by just tapping my phone or contactless card on it, as they have in Japan, then I would unhesitatingly use it. But I’d also use it if the telly caused a message to pop up on my iPhone asking me for a PIN. Either way, the combination of the TV and the mobile looks terrific. Television itself has changed over that time as well. My kids watch TV on their laptops or iPads, not in the living room, and the living room is now the province of the “smart TV”. Well, sort of smart TV.

Estimates at the end of 2011 from retailer John Lewis suggested that no more than 15 per cent of Smart TVs are ever actually plugged in to the web.

[From One in four ‘abandoning scheduled TV’ – Telegraph]

My smart TV is fully plumbed-in, as is my smart blu-ray player, but I never use either of them online because I have an Apple TV and that works much better. But the general trend is there. TV has gone digital (the analogue signal has now been switched off in the UK) and it is going connected.

What will you do with your connected TV? I imagine that one of the things you will do is buy stuff, so bringing payments to the channel is vital. Consult Hyperion has done plenty of work on this in the past (we worked on the Sky Barclaycard, for example) and we put forward a number of ideas for using one-time passwords, remote controls and even NFC on different TV-related projects.

[From TV’s times]

Perhaps the likely trajectory is one where digital TV is used to deliver financial services around a particular niche that is not well served by the web, where the combination of convenience and security forms the right balance. And so to the point! The London Rebuilding Society (LRS) and Consult Hyperion have been awarded funding by the Technology Strategy Board (TSB) to explore the use of the television as a channel for payments for socially-excluded groups, using both bank accounts and pre-paid “jam jar” accounts to explore the relationship between financial and social inclusion. The project’s aim is to help the 1 million unbanked people and the further 2.5 million people in the UK that use the very basic form of bank accounts. These basic accounts can often impose extra costs of up to £1000 per annum on households. Additionally, some 12 million bank customers per year pay charges for going overdrawn or making unauthorised payments. Current solutions to the problem of financial exclusion are not working, and these low income and vulnerable households are paying the price, especially as mainstream providers of credit are moving out of the personal loans market, and high cost lenders and loan sharks are stepping in.

“We want to turn the way retail financial services are done on their head,” said Naomi Kingsley, The London Rebuilding Society. “Instead of providing off the shelf products which are often socially useless, we design products to meet the needs of those excluded from the mainstream. If it works for those at the bottom of the ladder, you can bet the mainstream will follow, so we’re pleased to partner and utilise Consult Hyperion’s experience in payments to help make this concept a working reality and change the lives of the millions that have been let down by the current financial system.”

The project team will develop a working prototype of a standard EMV prepaid card account that users can manage through an IPTV (Internet Protocol Television) set-top box, using a contactless interface on the TV’s remote control. Account holders will have full account management capabilities via their television screen, enabling them to track and manage their finances and manage regular payments and bills on a standard pre-paid card account.

“Digital technologies are opening up new opportunities to tackle financial exclusion,” said Margaret Ford, Consult Hyperion. “We’ve seen mobile phones transform the lives of people in Africa and other developing countries, so we’re looking forward to using our expertise in digital payments and partnering with The London Rebuilding Society on the HomePay project and help people here in the UK. The “in-home” service will allow users to make transactions, pay bills, and manage their money – all via their TV sets (and other platforms too, including smart phones and game consoles). Plus the pre-paid account offers greater control, convenience and autonomy to potentially vulnerable people.”

Currently at proof of concept stage, a prototype will be developed, and then working in partnership with groups such as Payments Services Providers, charities and Local Authorities the project team will run field trials, initially with older people, in association with Social Landlords. Finally through evaluation, the team will carry out further development of the solution during further field trials.

What’s envisaged is a prepaid “near bank” account with a companion chip and PIN card that can be used to access a range of financial services via the set-top box. One might imagine, for example, that an elderly person might gain access to their account by simply tapping the contactless chip and PIN card to their remote control, thus combining the convenience of the big screen and familiar controls with the security of the chip. I’ll write more about “near banks” shortly, but suffice to say that one of the key roles envisaged for such a service is to handle welfare payments to excluded groups. For such groups the PC and the web are inappropriate and (without, I hope, caricaturing) for the young excluded the mobile is the preferred channel for transactions whereas for the old it is the TV. If we can bring them together, we can make a big difference in the UK mass market for financial services.

We kicked the project off with an evening event in June with Forum friend Sir Brian Pomeroy, Chair of the Financial Inclusion Task Force (and previously chair of the Payments Council), who opened the discussions by setting out some of the issues and opportunities around the dynamics of exclusion, the context of an ageing population, the imminent transition to the new Universal Credits system and so on. We then had breakout groups—including organisations ranging from the Department of Work and Pensions and American Express to Everything Everywhere and IDEO—to talk about different aspects of using digital TV to overcome exclusion and come up with a few ideas for us to feed into our design process. It was an excellent evening, by the way, and I’m very grateful to my colleague Margaret Ford for pulling it all together with our friends from LRS.

This isn’t the place to go into the technology discussion—we’re busy working on that right now—but we hope to have the IPTV box specifications finished later in the summer and then the project will move on to a small-scale LRS pilot with around 10-20 households in East London. The project will then be looking for commercial organisations to get involved (some already are) with future roll-out, so if you are interested by all means get in touch.


Why O2 Money is interesting

[Dave Birch] By the way, before I get e-mails about this, let me make the appropriate disclosure: Consult Hyperion provides paid professional services to Telefonica O2 UK Limited. However, everything discussed in this post is based on public information and is my personal opinion.

I’ve been out and about trying out my splendid new O2 Money Visa card. This is a prepaid Visa card that is issued as a companion to the O2 Wallet on the phone. It’s a standard chip and PIN online-only prepaid card with an online-only contactless interface (service code 221) issued on behalf of O2 by IDT Finance. (IDT are the BIN sponsors and e-money issuers while O2 is waiting for its licences to be approved.) I was surprised to see that it has a magnetic stripe on the back and has signature enabled in the CVM list, and I don’t know why it has my name printed on the front, but there you go. Cards people are a conservative bunch.

You know I’m not the sort of person to go by advertisements, PR statements or by management consultants’ Powerpoint, so I applied for a card as an interested member of the general public (which, apart from the three passwords and one PIN that I now have to remember, was a straightforward process except for when I got the passwords mixed up and got locked out) and set out to try it out. The first thing I did was try and scan the card in the envelope to see if the card might be vulnerable to Channel 4-style fraudsters, but it correctly implements contactless best practice: the contactless interface didn’t give up any details and it won’t do so until the card has been used in a contact transaction. Hurrah.

When the PIN mailer arrived, I went down to an ATM to change the PIN and then tried to scan it again. Nothing. Excellent.

The first experiment was to load the card. I went into our local newsagent and asked them if they could load the card for me. They said they could (because it had a PayPoint logo on it) so I gave them £40 and in a few seconds I was on my way with a mobile wallet with £39 in it (it cost £1 to load it). You can also load it from a debit card or a bank account but I couldn’t be bothered to set these up. (I subsequently set up a debit card and it worked fine.)

I went off into Guildford to try it out. A contact transaction first, which went splendidly well. I got an almost instantaneous message on the phone confirming the transaction. So I immediately ordered an extra coffee and paid for it contactlessly. Again, an almost immediate confirmation message. Love it.

Naturally, as soon as I got back to the office I put the card into Dr. Fiske’s box of tricks to see if I could do some Daily Mail-style hacking, but once again found that the card implements best practice and does not give out the cardholder name over the contactless interface. Remember, I do this so you don’t have to.

At home, the card has now become our “house card”. I keep a prepaid card at home in the hallway for the boys to use if they pop out to get the shopping or need to buy something for school or such like. The O2 Money card is perfect for this and displaced the incumbent immediately. There are two key reasons why it took over: one is the almost instant text messages when it’s used and the second is that it’s really easy to load from the O2 Wallet. Super product, works well. But none of that is why you should find it such an interesting case study in the world of payments…

It is the transition from a bank product to a non-bank product that makes O2 Money such a fascinating case study. As you may recall, when the O2 Money product was first launched it was a “simple” Visa prepaid card (actually issued by RBS) that was connected to the consumer’s phone only in the sense that you got text messages when you used the card. That was a very limited degree of interaction between the phone and the card, but nevertheless customers liked it. But there was a problem. Well, two problems, really. I hope I’m not telling tales out of school to note that bank platforms tend to be a) expensive and b) inflexible. So Telefonica O2 decided to go down a different route by applying for their own (non-bank) licences under the recent EU regulations around Payment Institutions (PIs) and Electronic Money Institutions (ELMIs) and setting up their own scheme. They canned the old O2 Money card and launched their new combination: the O2 Money Wallet with an optional O2 Money Card. I expect to see this template replicated across sectors, because the newly-built PI will be cheaper and more flexible than a bank system.

I was surprised by how much of the comment around the O2 wallet launch was of the form of “O2 becoming a bank”, which it clearly isn’t. It isn’t a bank because it doesn’t make loans or take deposits. The O2 Wallet is a prepaid account with a wrapper around it. Now it is possible to imagine a very bank-like wrapper (so that you can make payments, pay bills and so on) but it still isn’t a bank. Perhaps a “near bank”, but not a bank. Now I happen to think that the “near bank” is a very appealing commercial model for many businesses in many sectors and I’m sure we’ll see more such organisations spring up over the next few years in response to the regulatory space that has been opened up in Europe.

A very good example of a new “near bank” is the Finnish startup Holvi. Holvi is a “near bank” with a new kind of account aimed at groups. So the idea is that each account has multiple owners and the owners have different privileges.

Holvi was one of the pitches that I voted for at Finovate Europe 2012

[From Payments work fine, why are you bothering us?]

You might imagine this kind of account product integrated into other forms of new financial services. Look at Zopa, the P2P lender that now has some 3+% of the UK personal lending market. I might log in to something like Holvi that is integrated with something like Zopa so that surplus funds are transferred from the prepaid account into the P2P lending account. It looks like a bank to the customer, but it isn’t. (I was thinking about this when I was writing about the idea of near-banks for the elderly a few days ago, because you could imagine something like Holvi that allows relatives access to elderly persons’ accounts under defined controls together with access to insurance, savings and so on.)

There’s another point to be made here as well. Saying that O2 isn’t becoming a bank isn’t the same thing as saying that they will not take some banking business, because there’s a real dynamic around this: not non-banks becoming banks, but bank products and services becoming non-bank “bank-like” products and services that look the same to the customer but are better and cheaper. There is inevitable disintermediation here.

“With open access to borrower information, held centrally and virtually, there is no reason why end-savers and end-investors cannot connect directly. The banking middle men may in time become the surplus links in the chain. Where music and publishing have led, finance could follow.”

[From Technology could take the bankers out of banking, says BoE policymaker Andy Haldane – Telegraph]

This isn’t some techno-autistic matrix-deterministic digital money hype merchant (e.g., me) talking. It’s Andy Haldane, the Executive Director of Financial Stability at the Bank of England.


Mobile is more secure

[Dave Birch] The mobile wallet is much in the news at the moment and, since I’ve been to three different meetings about mobile wallets in the last three days, much in my mind as well. I don’t think it’s an exaggeration to say that the mobile wallet is inevitable, and I also think it’s fair to say that the mobile wallet appears to meet the needs of stakeholders (including consumers and retailers) in a way that “simple” mobile payments do not. One particular area where this is true is security, even if some of the stakeholders don’t realise it. 

Security tops the list of consumer concerns about mobile payments. Half of all American consumers say potential security and fraud significantly influence their likelihood to use smartphone technology to make purchases in the future.

[From Study: Consumers Unlikely to Abandon Wallets in Favor of Paying With Smartphones — NEW YORK, Feb. 29, 2012 /PRNewswire/ —]

So when you talk about moving to a mobile wallet, some people will say “sounds great, but what if I lose my phone or it is stolen?” without really thinking through the security risk analysis. If they did, they would see that things in a mobile wallet are far more secure than things in a leather wallet.

Your credit card is a data string, not a physical piece of plastic: why not enclose that data—and the privileges and responsibilities it unlocks—in a remotely accessible mobile container with an extensive system of checks and balances that has a much healthier respect for that data?

[From How A Stolen Wallet Made Me A Mobile-Payments Enthusiast | paidContent]

There are three main factors here. First of all, you are much more likely to notice if your phone is missing than if your wallet is missing anyway. Secondly, since the wallet is smart, it can be rendered useless to criminals (it can require a PIN, or passphrase, or it can be set to only work in certain locations or whatever). And finally, it can be built online, so when you walk out of the shop with your new phone, your wallet will automagically reappear, which doesn’t happen with your leather wallet. As Cindy Merrit from the Atlanta Fed says succinctly

the mobile phone will be a much more secure payment device than the plastic cards we use today

[From Portals and Rails]

I agree. As we have long maintained, mobile payments are more secure than card payments. I further claim that the security of your virtual credit card inside your mobile phone is not only greater, but much greater than the security of your actual credit card in your back pocket. This is why I predict that the interchange rate for “phone present” transactions will, in the long term, be lower than the interchange rate for card present transactions.

In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles.

[From Digital Money: The fraud trajectory]

So nothing to worry about? Not quite. Security is still a problem. Just because there is a potentially secure platform available to implement a service doesn’t mean that the service will be implemented in a secure way, if you see what I mean, and it would be jolly useful if, once a secure way to implement something is found, the security went across services. (So, for example, that a common identification and authentication scheme might be implemented and used across a variety of banking, telecommunications, retail and other services.)

Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value

[From Portals and Rails]

This is why if you are, say, Visa and O2, then there is a long and complex path to a wallet and handset and SIM and secure element combination that can deliver security appropriate to mass-market, population-scale payments. Other apps might be able to cut corners and accept higher levels of risk, but these guys can’t. This necessarily implies that developing a mass-market mobile wallet such as the recently-announced O2 Wallet means paying proper attention to security and bringing world-leading expertise to bear on the process, products and services.

“We recognise that security is absolutely key in order for our customers to trust and want to use the service, so O2 Wallet has been trialed internally for months and has undergone extensive ‘stress-testing’ with the help of security experts Consult Hyperion,” said James Le Brocq, Managing Director at O2 Money.

[From Media – Consult Hyperion]

There are so many interesting issues to talk about here, at the cusp of telecommunications, technology and finance that it’s a great area to be working in. (I’ll be posting about using the O2 Wallet next week.) One of the issues that comes up all the time is trust. Will customers trust a mobile operator to deliver financial services? Can trust built up in one sector be transferred to another? What is the balance between trust and convenience? These are very real, and very hotly debated, issues in our space at the moment.

What about the Google (GOOG) wallet? Would people trust that? Yes, again.

[From Why Banks Will Continue To Lose Online Payment Market Share To Tech – Seeking Alpha]

Well, as they say, that was then and this is now. The much publicised security problem with the Google Wallet proves this point. It didn’t represent any real threat, no consumers lost money (and nor were they realistically likely to) but the story was all over the media, because they love that kind of story, and the nuances were lost. All that people remember is that there was a security problem with the Google Wallet.

As Google Inc. learned in the past week, the security problems with digital wallets are thorny and complex… Any misstep, however temporary, could erode the delicate trust banks and technology companies are trying to build around mobile payments.

[From Google Wallet’s Security Issues Could Strike Other Mobile Wallets – American Banker Article]

We use a risk analysis methodology — known as Structured Risk Analysis (SRA) — that we have specifically developed over the years to handle secure electronic transactions and to take account of the reality of an environment that involves not only technical and commercial risk but reputational risk as well. We’ve used it on projects for customers ranging from central bank settlement systems to manned space missions, so we think we know what we’re talking about. And we used it for M-PESA, as mentioned in the book “Money, Real Quick”.

Consult Hyperion were at that time engaged by the Central Bank to carry out the very detailed operational risk audit which the Permanent Secretary in the Ministry of Finance, Joseph Kinuya, said had found the service “safe and reliable”.

[From Book corner – “Money, Real Quick – The Story of M-PESA”]

A sound risk analysis means that a system can be “balanced” so that expenditure on countermeasures can be directed appropriately and it means that transactional systems can be engineered so that costs and benefits are clear and subject to informed management decisions. If you want to know how to do this, just give us a call.



Signed and sealed

[Dave Birch] Whilst bored at the airport last month I picked up “The Daily Mail” for 25th April 2012 and found myself reading the “Money Mail” section. This had two really interesting stories in it, both of which posed a decent challenge to us in the secure electronic transaction space.

The first story concerned a woman who lived somewhere where she couldn’t get a mobile signal (near Dover). To access her home banking, she logs in and then gets in her car and drives for 10 minutes to somewhere she can get a signal, at which point the SMS “one time password” (OTP) arrives from her bank. Then she drives home and logs in!

The second story concerned a man who doesn’t have a mobile phone and doesn’t want one. He can’t use home banking at all because his bank uses SMS codes too, and he was complaining about having to use his bank’s telephone banking because it wasn’t as good as the internet banking service (I hate telephone banking too).

Thinking about these stories, I came up with two possible answers.

  1. Tough.
    It’s a bit rich to complain that you can’t get a better service for something or other because you don’t want a mobile. That’s like me complaining that I want to watch Sky Sports but don’t want to pay for cable or satellite. It’s hard luck. Mobile phones cost, to all intents and purposes, nothing. When my son lost his phone last year, I went down to the store and bought him the cheapest mobile phone I could find. It was £4.95, if memory serves. And if I had broadband but lived somewhere with no mobile signal, then I’d get my own base station. Vodafone sell just such a “femtocell” under the brand name “Sure Signal” even in Dover.
  2. Opportunity.
    The right solution to the problem is to use digital signatures with the keys stored in tamper-resistant memory (e.g., in the SIM for people who have mobile phones or in a smart card, hat, badge, watch or implant for people who don’t) and to implement proper security on the banking side (using open standards).

Broadly speaking, the protocol should be that I log in to my bank, my bank sends a digitally-signed challenge to my selected device:

  • My phone over-the-air.
  • My phone via local interface such as NFC or Bluetooth.
  • My token, such as a SecureKey USB stick.
  • My PC, using an on-board Trusted Execution Environment (TEE), rather like the old Trusted Processing Modules (TPMs) that never really went mass-market in laptops.

In all cases, the message is decoded and the signature checked (inside the tamper-resistant hardware) and a response message is constructed using my digital signature (again, signed using my private key inside the tamper-resistant hardware). This would be real, standardised, open security and would mean that banks could reach all of their customers, all of the time, through all of their devices. It’s really not that difficult.
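The exchange described above, with both sides' checks, as an added Go example that is not part of the original post. The message layout, the two-minute challenge lifetime, the choice of Ed25519 and all type names are assumptions; the Device type stands in for the tamper-resistant hardware that holds the customer's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBankSig  = errors.New("challenge not signed by the bank: device refuses to respond")
	ErrUnknown  = errors.New("no such pending challenge (unknown or already used)")
	ErrExpired  = errors.New("challenge expired")
	ErrBadReply = errors.New("response does not verify against the enrolled device key")
)

// Challenge is what the bank pushes to the customer's selected device.
type Challenge struct {
	Customer string
	Nonce    [32]byte
	BankSig  []byte
}

// msg builds the bytes that get signed. The two directions use different
// labels so a bank signature can never be replayed as a device response.
func msg(label, customer string, nonce [32]byte) []byte {
	return append([]byte(label+"\x00"+customer+"\x00"), nonce[:]...)
}

type login struct {
	customer string
	expiry   time.Time
}

// Bank holds its signing key, the enrolled device keys and the open challenges.
type Bank struct {
	priv     ed25519.PrivateKey
	enrolled map[string]ed25519.PublicKey
	pending  map[[32]byte]login
}

func (b *Bank) NewChallenge(customer string, now time.Time) Challenge {
	c := Challenge{Customer: customer}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err)
	}
	c.BankSig = ed25519.Sign(b.priv, msg("bank-challenge", customer, c.Nonce))
	b.pending[c.Nonce] = login{customer, now.Add(2 * time.Minute)}
	return c
}

// CheckResponse consumes the challenge (single use) and verifies the reply
// against the key enrolled for the customer the challenge was issued to.
func (b *Bank) CheckResponse(nonce [32]byte, resp []byte, now time.Time) error {
	l, ok := b.pending[nonce]
	if !ok {
		return ErrUnknown
	}
	delete(b.pending, nonce)
	if now.After(l.expiry) {
		return ErrExpired
	}
	pub, ok := b.enrolled[l.customer]
	if !ok || !ed25519.Verify(pub, msg("device-response", l.customer, nonce), resp) {
		return ErrBadReply
	}
	return nil
}

// Device models the SIM, token or TEE: the private key is used here and nowhere else.
type Device struct {
	priv    ed25519.PrivateKey
	bankPub ed25519.PublicKey // provisioned at enrolment
}

// Respond signs only challenges that carry a valid bank signature.
func (d *Device) Respond(c Challenge) ([]byte, error) {
	if !ed25519.Verify(d.bankPub, msg("bank-challenge", c.Customer, c.Nonce), c.BankSig) {
		return nil, ErrBankSig
	}
	return ed25519.Sign(d.priv, msg("device-response", c.Customer, c.Nonce)), nil
}

// DemoLogin runs constructed scenarios and returns the outcome of each.
func DemoLogin() map[string]error {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	bank := &Bank{bankPriv, map[string]ed25519.PublicKey{"alice": devPub}, map[[32]byte]login{}}
	dev := &Device{devPriv, bankPub}
	now := time.Date(2012, 5, 1, 9, 0, 0, 0, time.UTC)
	out := map[string]error{}

	c := bank.NewChallenge("alice", now)
	resp, _ := dev.Respond(c)
	out["genuine login"] = bank.CheckResponse(c.Nonce, resp, now.Add(10*time.Second))
	out["same response replayed"] = bank.CheckResponse(c.Nonce, resp, now.Add(20*time.Second))

	forged := c
	forged.BankSig = ed25519.Sign(otherPriv, msg("bank-challenge", "alice", c.Nonce))
	_, out["challenge not from bank"] = dev.Respond(forged)

	c2 := bank.NewChallenge("alice", now)
	resp2, _ := dev.Respond(c2)
	out["response after expiry"] = bank.CheckResponse(c2.Nonce, resp2, now.Add(5*time.Minute))

	c3 := bank.NewChallenge("alice", now)
	wrong := ed25519.Sign(otherPriv, msg("device-response", "alice", c3.Nonce))
	out["response from another key"] = bank.CheckResponse(c3.Nonce, wrong, now)
	return out
}

func main() {
	for name, err := range DemoLogin() {
		fmt.Printf("%-26s -> %v\n", name, err)
	}
}
```

Nothing in the exchange depends on how the challenge reaches the device, which is why the same check works over the air, over NFC or Bluetooth, or through a USB token.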

If the operators provide SIM-based PKI and then rent it out on reasonable terms, banks will be only the first mass market to shift identity and authentication out of the cloud and on to the handsets. Identity really is the new money

[From Digital Identity: Cloudy with a chance of PKI]

The operators need to implement SIM-based PKI anyway if they want to have secure QR code and NFC tags, and since the chips used for SIMs implement all of the relevant cryptography I can’t see any barrier to doing this. So what’s the block? Suggestions on an e-postcard, please.



Book corner – “Money, Real Quick – The Story of M-PESA”

[Dave Birch] The M-PESA mobile money transfer scheme in Kenya is, as is well-known to Tomorrow’s Transactions readers, an astonishing success. It will be a business school case study for years to come and I am sure that it will come to be seen as what futurologists call a “weak signal for change” to a new monetary order. Astonishing? Yes. M-PESA launched in 2007 and last year it handled $10 billion. The scheme, which allows people to deposit and withdraw cash from accounts associated with their mobile phone numbers has something like 16 million users (more than two-thirds of the adult population) and 30,000+ agents. To understand these numbers in context, note that it took banks in Kenya a century to create a mere one thousand bank branches, 1,500 ATMs and a hundred thousand credit card customers.

M-PESA is so important that its origins and trajectory need to be recorded and reported from many perspectives. I was delighted to see a recent addition to the literature in the form of a book. In “Money, Real Quick – The story of M-PESA”, Tonny Omwansa and Nicholas Sullivan tell its story. It’s a super read if you’re new to the topic, explaining the history and the people involved, and is packed with potted case studies that clearly illustrate the magnitude of the impact of M-PESA on Kenyans and (always my favourite) the unexpected consequences of its introduction.

The first hero of the story (in my eyes, anyway) is Nick Hughes. Nick was then Head of Social Enterprise at Vodafone which owned 40% of Kenya’s Safaricom. Safaricom was the market leader in Kenya, with just over half the market. Nick had had the idea of using mobile phones to make the distribution of microfinance loans in Africa more efficient and he submitted a proposal to the UK Department for International Development (DFID) for matching funding. This was granted back in 2003, and M-PESA was born. Nick then brought in what the book refers to as “UK-based consultants” to develop the idea. Modesty forbids me from mentioning who these midwives to monetary revolution were (oh, all right then, it was Consult Hyperion).

The second hero of the story is Susie Lonie, also from Vodafone. Susie had been working on mobile commerce in the UK, and in 2005 she was sent to Nairobi to get the M-PESA pilot up and running. She combined first-class project management skills with real vision, and together with Nick steered the system from a pilot that could so easily have run out of control, such was the popularity of the system once it launched, to the launch of a genuinely new national payments scheme in 2007. By last year…

Local transactions by Kenya’s mobile money service, M-Pesa currently exceed transactions made by Western Union globally, the International Monetary Fund (IMF) reports.

[From Local transactions by Kenya’s mobile money service, M-Pesa exceeds Western Union’s global transactions – The Next Web]

That is a truly amazing growth curve from Nick and Susie’s pilot to national powerhouse in less than five years. I should say, incidentally, that it isn’t only me who sees Nick and Susie as heroes. In 2010, “The Economist” magazine gave them its Social and Economic Innovation award:

Mobile money-transfer services have proven a huge success in Kenya and several other developing countries. To mark this fact, The Economist today announces that Nick Hughes and Susie Lonie will jointly receive the Social and Economic award at its forthcoming Innovation Awards ceremony for their outstanding contributions in this field.

[From Social and Economic Innovation Award Winners 2010 | Economist Conferences UK]

When the system went live it was immediately apparent that the market was using it in ways that had not been part of the original business model. In particular, businesses began to use it. They started to deposit cash (as a kind of “night safe”) as well as settling transactions and paying wages. Now some 600 businesses in Kenya accept payments through M-PESA. These include the national airline, the power utility and insurance companies.

Customers travelling on British Airways can now make payments for their tickets and ticket changes in Kenya through the mobile money platform (M-Pesa) thereby affording customers a quicker and more convenient way to make payments.

[From BA to use Safaricom M-Pesa | BiztechAfrica Business, Telecom, Technology & IT News Africa]

But I’m jumping ahead. Once Nick and Susie had got the pilot up and running, the very forward-looking CEO of Safaricom, Michael Joseph, realised that something big was going on and drove the team on to scale. Within a year, they had two million subscribers and were handling $1.5 million per day and he turned his attention to developing the agent network. Safaricom already had agents, of course, because they used them to sell airtime, but Michael realised that they needed to increase the size of the network substantially, and quickly. I won’t distract the reader with it here, but I strongly recommend anyone interested in the topic to read how this was done and the issues that needed to be managed: agent incentives, float management, trading and so forth. Suffice to say that becoming an M-PESA agent became an attractive proposition. (Betty Mwangi, Safaricom’s terrific M-PESA manager, says that she still gets 500 applications per day.)

Despite being familiar with the M-PESA story there were sections of this book which introduced me to new and fascinating aspects of the scheme’s growth and development. The section on the impact on the poor, and the dynamics in the Kibera slum, should be required reading for anyone interested in the topic. For instance: the average M-PESA balance has gone up fivefold since 2008. The poor are clearly using the service as an alternative to the mattress or the tin under the bed. Even with the M-PESA fees, mobile money is more cost-effective than cash.

Safaricom M-Pesa customers can now send and receive as little as Ksh10 (12 US cents) compared to a previous limit of 50 US Cents, for a transaction fee of 3 US Cents.

[From Safaricom drops M-Pesa rates | BiztechAfrica Business, Telecom, Technology & IT News Africa]

In summary: a non-bank payment system founded on new technology rather than legacy infrastructure has changed people’s lives in ways that could not have been envisaged by the people who created it.

What general lessons can we draw from M-PESA’s rise? I would like to highlight a few points that the book didn’t dwell on but that I think deserve further reflection beyond M-PESA because they may help to stimulate the development of more efficient payment infrastructures in developed countries as well as in other developing countries.

One lesson concerns the regulatory environment that allowed M-PESA to flourish and how, despite the banks’ reservations about the scheme, once it was successful banks were able to use it to offer financial services to a new customer base. The authors indeed note that “commercial banks have finally decided to expand their borders beyond branches by hiring agents. But that was only after they tried, and failed, to shut down M-PESA”. This is why, for me, the most interesting part of the story comes once M-PESA reached five million subscribers (more than all 43 of Kenya’s commercial banks combined) back in 2008. At that time the acting Finance Minister said he was not sure that M-PESA would “end up well”. There was more than a suspicion that the worries were not around consumer safety and protection but the Kenya Banker’s Association’s concerns about competition. In the unrest that had followed the previous year’s elections, many consumers had withdrawn money from commercial banks and deposited it with M-PESA, which they judged to be less risky. When you think about it, that was a cusp in the evolution of monetary institutions. The post-election unrest also saw the telco replace the bank as a channel for aid.

Concern Worldwide pioneered the use of M-PESA for bulk cash transfers during the post-election emergency in early 2008 in the Kerio Valley, one of the remotest parts of Kenya. During the violence, cattle rustlers attacked communities in the Kerio Valley, looting their livestock and displacing them. Concern’s initial response was to provide food aid, but carrying and distributing food proved very costly and insecure. Cash transfers were seen as a way of overcoming the challenges posed by the terrain and the security situation.

[From Mobile phone-based cash transfers lessons from the Kenya emergency response – Issue 40 – Humanitarian Exchange Magazine – Humanitarian Practice Network]

No-one was sure who was supposed to be regulating M-PESA, but the Minister asked the Central Bank to study the scheme. Consult Hyperion were at that time engaged by the Central Bank to carry out the very detailed operational risk audit which the Permanent Secretary in the Ministry of Finance, Joseph Kinuya, said had found the service “safe and reliable”. He also said “there is nothing wrong with competition”. Hear hear.

M-Pesa now has over 15 million subscribers and the value of its transactions topped Sh828 billion last year, equivalent of half of Kenya’s GDP… There are four other mobile money transfer services in the country, Airtel’s AirtelMoney, Telkom Orange’s OrangeMoney, and Essar Telecom’s YuCash.

[From Mobile money transactions to be audited by banks regulator | Mobile Money Africa]

Michael Joseph was always admirably clear on the key issue. M-PESA was not a bank, it was a payment system, and should be regulated as such. What’s more, the figures showed very clearly that despite the vast number of transactions flowing through M-PESA, the total amount of money was still inconsequential compared to daily inter-bank settlement. What’s more, starting back in 2007, the commercial banks had begun to offer new services over the M-PESA network, thereby demonstrating that mobile money could deliver financial inclusion. As the banks began to offer more services, and became part of the M-PESA ecosystem as savings accounts and super agents, it seems to me that the whole financial sector was invigorated. Dynamic partnerships (such as the one with Equity Bank that led to M-KESHO savings accounts) delivered products that simply would not exist in a “traditional” bank environment. These included pensions, micro insurance, “layaway” and more. In essence, as Omwansa and Sullivan say, a new financial sector emerged.

Another lesson is that I simply do not believe that a bank-led solution would have triggered the innovation revolution that M-PESA clearly did. A key element in its success is that it was born in telco culture, and conceived as an infrastructure for others to build on. Mark Pickens makes a point about “adjacent industries” stimulated by M-PESA and this seems to have led to a high-tech boom in “Swahili Silicon Valley” around iHub in Nairobi. Cashless schools, pay-for-use water, e-health and an incredible range of applications have been made possible by the ready availability of a mass market payment system for the 21st century. As the CEO of Kenya Commercial Bank is quoted as saying in the book, when asked if M-PESA is a threat to banks, “if you don’t respond it’s a threat, but if you embrace it, then it’s an opportunity”. I see this as a template for payment system evolution in Europe and hopefully the US as well.

Finally, I cannot help but point to the relationship between identity and money. One of the most unexpected impacts of M-PESA was the use of M-PESA transaction histories as substitutes for conventional credit ratings. Remember that many M-PESA agents are merchants, so it is natural for them to extend credit in this way. In other words, M-PESA became a means for previously excluded people to demonstrate identity and reputation. Paul Makin, the head of Consult Hyperion’s Mobile Money practice (and the chap who carried out the original feasibility study on behalf of Vodafone), and I have discussed this many times.

One semi-technical note. I can see a future in which the regulator insists on interoperability between mobile money schemes and regulates the interchange rates, but some players want more than this, and in this they adumbrate skirmishes about to break out in developed markets. In Chapter 7, the authors refer to Safaricom’s control of the SIM and tensions arising from this because the banks want (but haven’t got) access to it. I can remember from the early days of the project that there was considerable debate about how to implement the service for consumers. Consult Hyperion recommended going down the hardware security route (i.e., using the SIM card). This meant writing new “SIM Toolkit” software and re-issuing Safaricom SIMs to customers who wanted to use mobile payments. Safaricom decided to make the investment required to go down this high-security route rather than use SMS or USSD, hoping that it would act as an anti-churn factor in a SIM-based market. This was at the time a brave decision, but one that has been repaid many times over. Good for them. I can’t see how regulators can realistically force operators to open up the SIM for more SIM Toolkit applications. But as in the case of smartphone applications in developed countries, it might be realistic to ask the operators to agree on a standard, SIM-based identity management infrastructure and then provide open, transparent and non-discriminatory access to it. But that’s another story.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.

