A cryptocurrency for Scotland?

I rarely recommend reading the reader comments at the Guardian Online (or indeed any other newspaper site) unless you need a fast cure for low blood pressure or get a kick out of despising your fellow man. However, last week I did actually learn something interesting from the comments to a Guardian article about Bitcoin.

In common with countries such as Iceland, Scotland now has its own cryptocurrency – Scotcoin.

It’s not altogether clear from the Scotcoin website (http://scotcoin.org) exactly how Scotcoins are created but in contrast to Bitcoin they are pre-mined and will be distributed free to anyone in Scotland who wants some. At present they cannot be exchanged for other altcoins and they have no value in fiat currency (unless the free market decides otherwise, according to the website). Nor is it entirely clear whether the founder is actually based in Scotland but he was, he says, born there.  The purpose of Scotcoin, he says, is to provide a plan B currency for an independent Scotland.

Now, as someone who is not by nature a libertarian, at least where others are concerned, I’m a bit suspicious about cryptocurrencies. I don’t own any Bitcoin and feel slightly seasick at the idea of an asset whose value fluctuates more than the waves on a bad ferry crossing. Here at Consult Hyperion, though, we generally believe that the technology behind Bitcoin, the blockchain, is a lot more interesting than the currency itself.

Nonetheless I felt moved, as a Scottish resident, to obtain some Scotcoins. Purely out of professional curiosity, you understand.

This involved downloading and installing the Scotcoin wallet. In other words downloading and installing an executable file from a non-https website I’d previously not heard of. As an IT security graduate this made me feel even sicker than the Bitcoin exchange rate but I did it nonetheless (to an old laptop) and I now own 1000 shiny Scotcoins.

Now what? It’s hard to say. Is it for real?

I feel obliged to report that not everyone is convinced about Scotcoin (see http://loggingoff.tygabitworks.com/) but then there’s a lot of negativity about Bitcoin too. I’m absolutely not endorsing that view, merely reporting it but the Scotcoin website certainly displays a creative attitude to punctuation and spelling, whether that means anything or not. On the other hand around 100 or so other Scots seem to have downloaded the wallet so presumably they think it’s fine*. And my virus checker (paid for AVG) hasn’t picked up anything feeding my online banking details offshore.

In any case there’s absolutely nothing wrong with the concept of a Scottish cryptocurrency, irrespective of whether Scotcoin is it or not and Alex Salmond would be well advised to consider it. If you’d like to know more, Dave Birch will be talking about the idea of a Scottish virtual currency to the Financial Services Club Scotland in Edinburgh on 29th April. 

*I’m enchanted to note that one of the first power users is called Dug. Dug of course is Scots for Doge.

Google Wallet Review

Google Wallet is back!  They have moved away from a focus on NFC to an e-wallet that will work with all mobile phones and have drastically reduced the friction with merchants, banks, mobile carriers and customers.

Downloading the Google Wallet app to my iPhone was quick and easy.  After downloading the wallet, it asks you to “sign in with your Google Account” or “create an account”.  The tag line is “One Google Account for everything Google”…you don’t see sign-in with Facebook here!

Wallets, wallets everywhere! Which ones have an edge today?

As someone who is exposed to the payments industry, attends conferences, reads the industry publications and is generally interested in all things payment related, even I am surprised at the number of mobile wallets that are available.  Everyone wants me to download his or her e-wallet to my mobile phone – from Starbucks, to Square Wallet to Isis and the list goes on.  So I have decided to take a journey over the next few weeks and experience a variety of mobile wallets that are available in the US marketplace.  And here is the real challenge – I carry an iPhone!

Threats, risk and attacker motivation: a real life example

[Margaret Ford] Travelling home from a meeting at the Payments Council on Monday afternoon, I was enjoying the peace and quiet of the train gradually emptying as it drew further out of town. At Sunningdale, a station normally notable only for the most prosperous passengers, a group of excitable teenagers joined the train obviously looking for trouble. Brandishing camera phones, they seemed more of an irritant than a threat.

Avidly reading advice on strategies to avoid arrest by over-zealous US police officers, quoted in an article from the latest edition of Cryptogram, I felt comfortably detached from my surroundings. The luxury of a half-empty train on the Reading line is a rare treat.

The author of the article advised that unlawful activity is best indulged in from the comfort of your own home. If you must commit crimes in public, avoid drawing attention to yourself. In particular, even if you become aware of an officer while performing an illegal act, it is better to continue rather than raise suspicion through a sudden change in behaviour.

At this point I became aware that I had unwittingly become the focus of the gang, who had moved on from threatening to punch random strangers to wielding newspapers and cigarette lighters while daring each other to take my phone. Suddenly alert to the situation, I put my phone away, muttered ‘excuse me’ and wandered gently up the carriage. They left the train at the next station.

I’d made the mistake of forgetting that my brand new phone, which I regarded as a standard device for accessing content and keeping in touch, could also be seen as a status symbol with significant market value. On reflection, it gave me a tangible example of one of the key risk concepts being investigated by the TREsPASS project: attacker motivation. This had moved from the general to the specific, as an opportunity was spotted and the incident unfolded. It was clearly unpremeditated and yet in many ways predictable.

As my brother commented the next morning, teenage gangs in our area just aren’t what they were in our youth, when they would steam the length of trains in groups of twenty or more. He also gave me a great tip for protecting my phone in future, which in his experience deters all potential muggers.  Waterproof, costing only a few pence, with the option of additional cotton wool for extra authenticity: an attractive little black plastic bag with yellow drawstring, as commonly carried by dog walkers.

If it’s not malware it should be

[Jane Adams] I’ve got a sore back. Or to be more precise I’ve got a sore tail bone. I don’t know whether it’s from being thrown in a fight or from the amount of time I spend on trains commuting between home (Edinburgh) and work (Guildford) but sitting down has been painful recently. Last night I felt moved to Google the problem on my phone to see what could be done.

Google did its job with a multiplicity of results. But I couldn’t access any of them because my MNO blocked them all as adult content. I didn’t use *rse or b*m as search terms but anything below the waist appears to be out for this MNO.

What I was presented with was a tiny, barely legible (even on my Samsung S3), barely branded screen asking me to input my credit card details to prove that I was old enough to read about what is probably age-related spine degeneration.

On an Android phone? You must be kidding.

And why is this necessary? I have an account with my phone provider (one of the big 4). I’ve had a business account with my phone provider for something like 10 years. Until recently, when I got my proper job with Consult Hyperion, I was VAT registered and the MNO had that information in its system. If, as the phone owner, I’m old enough for a VAT registration, I’m old enough to read about bottoms. And if I’m not the venerable phone owner and I’ve nicked their phone, I’ve probably nicked their credit card too.

There’s a lot of talk about big data at the moment. Proper use of data could considerably improve the prospects for mobile wallets. However if this is indicative of what mobile operators are doing with data, I’m not optimistic.

Frankly, I rather hope that the screen was malware generated rather than genuine.

Mobile money in the UK

[Paul Makin] When you use the term ‘mobile money’, your audience generally assumes you are referring to the phenomenon of mobile phone-based money transfer schemes in emerging markets, in particular its poster child, M-PESA in Kenya.  And there’s good reason for this; most press about mobile money focuses on emerging markets and if you visit the GSMA’s Mobile Money Tracker (http://www.mobileworldlive.com/mobile-money-tracker), it lists a large number (182 at the last count) of mobile money deployments around the world, all of which are in the emerging markets of Latin America, Africa, and South and Southeast Asia.

This may be because the data is supplied by the GSMA’s Mobile Money for the Unbanked (MMU) team and focuses on the community that the MMU team engages with, so perpetuating the view that mobile money is exclusively an emerging market phenomenon – a view that I disagree with, if not in actuality, certainly in potential.

Consider what constitutes a mobile money scheme:

· Customers’ access to their account, for carrying out transactions or for managing their account, is primarily through the medium of the mobile phone;
· Cash can be deposited and withdrawn via the intermediary of human ‘agents’ in local shops;
· Cash can (sometimes) be withdrawn at ATMs;
· Transactions are fast, and tariffs are low;
· Registration is simpler and faster than for a local bank account.

In addition, it is fair to say that mobile money schemes are generally aimed at the unbanked market – that is, people who are unable to access traditional banking services, however basic – but I would argue that that is a characteristic of the available, under-served market, rather than any law of nature.

The dramatic growth of mobile money services in the emerging markets is a consequence of the huge size of the unbanked market in those countries, coupled with the launch of services that provide them for the first time with readily accessible basic financial services.

But there are mobile money services elsewhere, and they certainly occur in the so-called emerged markets. In the UK, for example, we have seen a number of such services being launched in recent years. A prime example is O2 Money, launched in Q2 2012. This has all of the characteristics of a mobile money scheme, as described earlier, but with one important extension to ensure its applicability to the British way of living – it has a companion card, a plastic card which allows O2 Money to be spent in shops, and which can also be used for ATM withdrawals.

It must be said, though, that none of the schemes in the emerged markets have broken through in quite the same way that M-PESA has in Kenya. This is principally due to the differences in the markets. As an example, in the UK (as in other “developed” countries), people with a bank account can access the services offered by mobile money using cards on line or in person and most have access to mobile banking.

So people with UK bank accounts are unlikely to be regular users of a mobile money scheme, and therefore a strategy needs to be developed to recruit customers that offers something beyond the basic financial services. I am of the firm belief that such a strategy can be developed, and that a successful strategy would embrace elements aimed at three different groups: the mainstream banked; the not yet banked (teenagers); and the unbanked (the poorer sections of society).

The mainstream banked will be the most difficult to attract, and the key here will be differentiators from the mainstream banks’ offerings.  As mentioned above, mobile money offers little advantage to them.

The not yet banked are a slightly easier proposition – almost all of them have a relationship with a mobile phone operator, and are very familiar with buying things with their mobile phone. A proposition is required to meet their needs, by incorporating elements such as entertainment tickets (discounts are the key) and products linked to stadiums and venues (such as closed loop payments), and the option of a companion plastic card is essential.  But ultimately, whether or not this supports an attractive business case is another matter.

But the UK unbanked are a proposition with great potential.  There are around 1.25 million unbanked households in the UK[1], equating to around 4.5 million unbanked individuals. There is a real need here, and the unbanked could form a valuable element of a broader model for a mobile money operator. And you can bet that, in modern Britain, the vast majority of these people have a mobile phone.

To those who would say that the unbanked have no money, and cannot therefore be of interest, I would point out that, in common with poor people the world over, they pay significantly more for financial and other services than any other segment: fuel, cheque cashing, and short term loans are all examples of the amount such people are forced to pay for services that the mainstream gets either for free or at very low cost.

At the core of any unbanked proposition must be the facilitation of social payments. The majority of social payments in the UK (including pensions) are delivered directly to bank accounts, and in a cost-efficient manner that is at least competitive with any mobile money offering. However, the 4.5 million unbanked recipients receive their payments by alternative means, and at significant expense to the UK Government. Giving these recipients a mobile money account, and facilitating these social payments, should be at the core of any strategy.

Access to cash is also an issue. In many of the poorer areas of the UK bank branches have been closed, and the only ATMs that remain are private ones in small shops that typically charge around £2 for a withdrawal. By adopting the agent approach of emerging markets, access to cash from the mobile money account would be greatly facilitated, and drive additional revenue into the local community.

By definition, unbanked people do not have access to the conventional banking system, and there is an opportunity for a mobile money operator to facilitate that access and so enhance their own proposition. Basic functionality, such as direct debits, should be offered in order to address, for example, fuel poverty (if you cannot pay for fuel – gas and electricity – by direct debit in the UK, you will be paying a lot more for the fuel you use). Another aspect of being unbanked is the lack of access to loans at reasonable cost (hence the controversial rise of the so-called ‘payday loan’) – there is an opportunity for a mobile money operator to create a portfolio of relevant financial services for their customers here, in which partnerships could be formed with local organisations, such as credit unions, in order to promote savings and loans.  I am sure there are lessons that can be learned from the experiences of microfinance institutions (MFIs) in the emerging markets.

In summary, I do not believe that mobile money is exclusively a phenomenon of the emerging markets. There are significant populations in developed markets that closely match the characteristics of mobile money customers in the emerging markets, and there is a clear opportunity for the right mobile money propositions.



[1]Defined as households without access to a bank account – savings accounts are excluded.

Finovate Europe

I really enjoyed the first Finovate Europe in London. We had an excellent couple of days, because we had BarCampBankLondon the day before (I’ll write something about it later), and lots of folk came in for that too.

Although it was in London, three of the UK’s four biggest banks had just one person at the event. Three of the others didn’t send anyone at all. Barclaycard and Santander sent six each. Hmmm. Perhaps the others are just being careful with taxpayers’ money. I wish the head of eBusiness from my bank had been there.

[From Some Observations From Finovate Europe | Forrester Blogs]

To be completely honest, I was looking at most of the presentations in horribly mercenary terms: asking only which of our clients might be able to exploit this? As a consequence, I wasn’t really grabbed by what one of my fellow delegates called the “wheelspinning” around personal financial management (looking at pie charts of your overdraft and that sort of thing). Our space is the secure electronic transaction space, so I enjoyed the presentations from our friends at SecureKey and VoiceCommerce. It’s that kind of thing that is hot, I think. I’m going to find out more about Miicard as well.

I liked the StockTwits presentation, which probably combined innovation in technology and innovation in business model in the most interesting way, targeting a specific niche in an engaging way. There’s a lesson for me here: if I used Twitter for something more than moaning about South West Trains, I could have been a contender. Boku were great and so were Ixaris: I understand what they are trying to do in payments and I’m sure that both of them will succeed. None of my picks made it in to the delegates’ top three in the final vote, but I’m happy to stand alone.

All things considered it was a super day, an excellent opportunity to connect with clients and colleagues, and an energising look around the space. Jim and all of the chaps should be very happy with it.

The presentation that I probably thought about the most after the event, though, was the one from Fidor Bank. They have integrated a variety of alternative currencies into their online banking platform. These are presumably attractive to German consumers fleeing the euro, with folk memories of hyperinflation pushing them toward non-fiat stores of value.

The partnership will enable Fidor’s customers to buy gold, silver, platinum and palladium without completing any GoldMoney application forms. Orders will be processed daily through the FidorPay Account at the bank and then placed with GoldMoney through an ‘Omnibus-Holding’ in the name of Fidor.

[From Finextra: Germany’s Fidor Bank to offer retail access to precious metals via GoldMoney]

If you want to find out more about GoldMoney, forum friend James Turk, their CEO, will be at this year’s Digital Money Forum. Although only precious metals are live at the moment, Fidor are planning to integrate virtual currencies in the future. I didn’t get a chance to talk to them to find out what the mechanism for this is: as far as I know there’s no API for accessing your Everquest platinum (or, literally, a payments wizard) so it would have to be done using screen scraping with usernames and passwords, just as it is for other services with no security (eg, banking).

I’m naturally fascinated to see how customers respond to this. If you can shift from euros to gold to World of Warcraft gold in a simple and friction free way, then we might see some interesting markets emerging.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Making credentials practical

When I’m talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:

A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.

I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowadays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.

PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)

[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]

To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter. And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?

When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going to want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.

Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.

[From Files Vanished, Young Chinese Lose the Future – NYTimes.com]

How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).

Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.

A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.

He bought a fake university certificate off the internet, the court heard.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificate, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.
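The issue-and-check flow described above, as an added example in Go (not code from the original post or from any university system). The field names, the award values and the idea of a verifier-held trusted list are assumptions, and it goes one step beyond the text by asking the presenter to sign a fresh nonce, since a certificate file on its own can be copied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is what the issuer signs: the holder's public key plus standard data.
type Claim struct {
	Issuer    string `json:"issuer"`
	Subject   string `json:"subject"`
	Award     string `json:"award"`
	Year      int    `json:"year"`
	HolderKey []byte `json:"holder_key"`
}

// Credential is a claim plus the issuer's signature over its encoding.
type Credential struct {
	Claim     Claim
	Signature []byte
}

var (
	ErrUnknownIssuer = errors.New("issuer is not on the verifier's trusted list")
	ErrBadSignature  = errors.New("issuer signature does not verify")
	ErrNotHolder     = errors.New("presenter does not hold the certified key")
)

// encode is stable because struct fields marshal in declaration order.
func encode(c Claim) []byte {
	b, _ := json.Marshal(c)
	return b
}

// Issue is the university's step, run after it is satisfied who is asking.
func Issue(issuerKey ed25519.PrivateKey, c Claim) Credential {
	return Credential{Claim: c, Signature: ed25519.Sign(issuerKey, encode(c))}
}

// Verify is the employer's step. The issuer key comes from the verifier's own
// trusted list; proof is the presenter's signature over the verifier's nonce.
func Verify(trusted map[string]ed25519.PublicKey, cred Credential, nonce, proof []byte) error {
	issuerPub, ok := trusted[cred.Claim.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(issuerPub, encode(cred.Claim), cred.Signature) {
		return ErrBadSignature
	}
	holder := cred.Claim.HolderKey
	if len(holder) != ed25519.PublicKeySize || !ed25519.Verify(holder, nonce, proof) {
		return ErrNotHolder
	}
	return nil
}

// RunScenarios exercises one genuine presentation and four failures.
// All keys and claim values are constructed for this example.
func RunScenarios() map[string]error {
	uniPub, uniKey, _ := ed25519.GenerateKey(rand.Reader)
	davePub, daveKey, _ := ed25519.GenerateKey(rand.Reader)
	_, sellerKey, _ := ed25519.GenerateKey(rand.Reader) // sells certificates online
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)  // someone holding a copy

	const uni = "Southampton University"
	trusted := map[string]ed25519.PublicKey{uni: uniPub}
	claim := Claim{Issuer: uni, Subject: "id.dave.com", Award: "BSc", Year: 1980, HolderKey: davePub}
	cred := Issue(uniKey, claim)
	nonce := make([]byte, 32)
	rand.Read(nonce)
	daveProof := ed25519.Sign(daveKey, nonce)

	out := map[string]error{}
	out["genuine"] = Verify(trusted, cred, nonce, daveProof)
	edited := cred // same signature, better award
	edited.Claim.Award = "PhD"
	out["edited"] = Verify(trusted, edited, nonce, daveProof)
	// Names the real university but is signed with the seller's key.
	out["bought"] = Verify(trusted, Issue(sellerKey, claim), nonce, daveProof)
	unlisted := claim
	unlisted.Issuer = "Unlisted Diploma Shop"
	out["unlisted"] = Verify(trusted, Issue(sellerKey, unlisted), nonce, daveProof)
	// A genuine credential presented by someone without Dave's private key.
	out["copied"] = Verify(trusted, cred, nonce, ed25519.Sign(otherKey, nonce))
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-9s %v\n", name, err)
	}
}
```

Only the genuine presentation returns no error; the edited, bought, unlisted and copied cases each fail at a different check.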

the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.

[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]

How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that it has to be so easy that military installations, the police and others can use it too.

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area

[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]

Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able to check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.

(Law enforcement has a special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)

Apple and NFC, a strawman

With Apple’s domination of media mindshare almost total, the fact that you can already buy other handsets with NFC in them (eg, the Google Nexus S and the Nokia C7, although both are currently software-limited) and that the first Blackberry handsets are imminent has been overlooked. All press comment (I know, because I contributed to some of it) has been about the iPhone. One of the questions that I was asked, repeatedly, was about iTunes morphing into a new payment scheme.

“They have 160 million users with digital wallets in iTunes accounts. They don’t have to do anything other than to NFC-enable their phones,” Litan said.

[From Analysts: Apple could disrupt mobile payment industry | BappProducts | iOS Central | Macworld]

They do have numbers on their side, that’s true. But as we all know, payments is a two-sided market, so there has to be a reason for the merchants to get on board too.

For merchants, an Apple payment system could prove attractive. Many merchants are raring for alternative payment systems, to avoid having to pay the hefty fees that credit card companies charge for every transaction.

[From Analysts: Apple could disrupt mobile payment industry | BappProducts | iOS Central | Macworld]

Yes, but how will Apple avoid them? Everything I buy on iTunes goes to my MasterCard. Sure, Apple aggregates the payments, but the banks don’t provide this service for free, even for Steve Jobs. In order to avoid having to pay credit card fees, Apple would have to do what PayPal does and start persuading people to sign up with their bank account details, which would in turn mean building the kind of anti-fraud platform that PayPal have been building for a decade. And why would they do that? It seems like a lot of non-core investment to commit to.

This investment is needed because the biggest problem will be security. So long as my iTunes password only allows you to buy music tracks for my iPod or games for my iPad or note-taking applications for my Macintosh, the risk is manageable. But if my iTunes password allows you to walk out of a store with a pair of shoes or a telly, then my iTunes password will become valuable. Microseconds after extending iTunes payments to retail stores, Apple would be dealing with millions of customers calling up because their passwords had been phished, copied, guessed.

Japanese police have arrested two people suspected of stealing virtual goods from players of online game Lineage II. The pair tricked victims via a booby-trapped program that claimed to help people play the game. Instead of boosting a character’s abilities the program stole account names and passwords.

[From BBC News – Lineage II pair arrested for stealing virtual goods]

I’m sure Apple are perfectly well aware of this kind of crime and know that were iTunes to become a general payment platform, then it would become widespread. This is hardly wild projection, since the phishing of iTunes accounts is already widespread.

At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, “My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.”

[From Fraudsters Drain PayPal Accounts Through iTunes]

I’m sure Apple already has lots of people working on this problem but ultimately it’s very difficult to stop people from giving away their passwords and I’m sure the phishers will soon learn to send out the right kind of e-mail messages.

Roughly 50,000 Apple iTunes accounts stolen by hackers are said to be for sale on China’s largest auction site.

[From 50,000 Stolen iTunes Accounts On China Auction Site — Apple iTunes — InformationWeek]

The underlying problem is, of course, that passwords are not security and no-one should be allowed to use the phrase “password security” in any serious context. So long as the cost of phishing, guessing or actually breaking passwords is fantastically less than the value of the account that they give access to, there is no solution.

Thomas Roth of Cologne, Germany told Reuters he used custom software running on Amazon’s Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes. With refinements to his program, he said he could shave the time to about six minutes. With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68.

[From Researcher cracks Wi-Fi passwords with Amazon cloud • The Register]

Ah, you might say, but suppose Apple implements a Secure Element (SE) for NFC and that SE uses standard PKI applications on industry-standard Global Platform in an industry-standard JavaCard. Then a thief would have to steal the iPhone as well as the password, and this is indeed true. Apple could implement an identity-based payment mechanism and persuade merchants to install the contactless terminals, implement the new scheme and pay Apple instead of paying the banks (whose fees have just been capped by the Durbin amendment).

Again, why bother? You may as well do a deal with a bank to put a contactless EMV application in the SE. But suppose you are not going to care about anything at retail POS — except in your own stores — but instead want to improve security and convenience for customers in general? Imagine this scenario a year from now: I log in to iTunes and it gives me the option of switching to two-factor authentication. (Apple wouldn’t call it that, they have better marketing people – suppose they call it Apple Passport or something like that, maybe iMe or whatever.) I accept. From then on, when I log in to iTunes on my iPhone, I don’t notice anything different, but under the hood iTunes is sending a digitally-signed challenge to a digital signature application in the SE. It’s decoded using Apple’s public key, and signed using my private key (the matching public key, of course, Apple know) and sent back. Sorted. Now with this strong authentication, Apple can have higher-priced items for sale via iTunes. When I log in on my PC, a message pops up on my iPhone and I have to enter my passcode. Under the hood, the same process. Now you have to steal my passcode and my iPhone.
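The exchange sketched above, written out as an added example in Go (not Apple's protocol and not code from the original post). The type names, the message tags, the account name and the passcode are assumptions: the service signs a fresh challenge, the secure element checks that signature and the passcode before signing with its private key, and the service verifies the response against the public key it enrolled, accepting each challenge once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrUntrustedChallenge = errors.New("challenge not signed by the enrolled service")
	ErrWrongPasscode      = errors.New("wrong passcode, key not released")
	ErrReplay             = errors.New("challenge unknown or already used")
	ErrBadResponse        = errors.New("response not signed by the enrolled device")
)

// Challenge is a fresh nonce plus the service's signature over it.
type Challenge struct{ Nonce, Sig []byte }

// Service is the account provider. It holds only the device's public key.
type Service struct {
	key     ed25519.PrivateKey
	devices map[string]ed25519.PublicKey // account -> enrolled device key
	pending map[string]bool              // nonces issued and not yet used
}

// SecureElement is the phone: a private key released only by the passcode.
type SecureElement struct {
	key        ed25519.PrivateKey
	servicePub ed25519.PublicKey
	passcode   []byte
}

// msg tags the nonce so a challenge signature can never pass as a response.
func msg(tag string, nonce []byte) []byte { return append([]byte(tag), nonce...) }

func (s *Service) NewChallenge() Challenge {
	n := make([]byte, 32)
	rand.Read(n)
	s.pending[string(n)] = true
	return Challenge{Nonce: n, Sig: ed25519.Sign(s.key, msg("challenge:", n))}
}

// Respond checks who is asking and the passcode, then signs with the device key.
func (se *SecureElement) Respond(ch Challenge, passcode string) ([]byte, error) {
	if !ed25519.Verify(se.servicePub, msg("challenge:", ch.Nonce), ch.Sig) {
		return nil, ErrUntrustedChallenge
	}
	if subtle.ConstantTimeCompare(se.passcode, []byte(passcode)) != 1 {
		return nil, ErrWrongPasscode
	}
	return ed25519.Sign(se.key, msg("response:", ch.Nonce)), nil
}

// Login verifies the response with the enrolled public key, once per nonce.
func (s *Service) Login(account string, ch Challenge, resp []byte) error {
	if !s.pending[string(ch.Nonce)] {
		return ErrReplay
	}
	delete(s.pending, string(ch.Nonce))
	pub, ok := s.devices[account]
	if !ok || !ed25519.Verify(pub, msg("response:", ch.Nonce), resp) {
		return ErrBadResponse
	}
	return nil
}

// RunLogins uses constructed keys, account name and passcode.
func RunLogins() map[string]error {
	svcPub, svcKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader) // any key that is not enrolled
	svc := &Service{key: svcKey, devices: map[string]ed25519.PublicKey{"dave": devPub}, pending: map[string]bool{}}
	phone := &SecureElement{key: devKey, servicePub: svcPub, passcode: []byte("4071")}
	out := map[string]error{}

	ch := svc.NewChallenge()
	resp, _ := phone.Respond(ch, "4071")
	out["login"] = svc.Login("dave", ch, resp)
	out["replay"] = svc.Login("dave", ch, resp) // same nonce a second time
	// Passcode known but no phone: the response is signed by another key.
	ch = svc.NewChallenge()
	out["passcode_only"] = svc.Login("dave", ch, ed25519.Sign(otherKey, msg("response:", ch.Nonce)))
	// Phone in hand but passcode wrong: the element never signs.
	_, out["phone_only"] = phone.Respond(svc.NewChallenge(), "0000")
	// Challenge from a look-alike site that lacks the service's key.
	n := []byte("constructed nonce")
	_, out["fake_service"] = phone.Respond(Challenge{Nonce: n, Sig: ed25519.Sign(otherKey, msg("challenge:", n))}, "4071")
	return out
}

func main() {
	for name, err := range RunLogins() {
		fmt.Printf("%-14s %v\n", name, err)
	}
}
```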

A little later, I’ll be given the option of making my OSX login “iMe only” and so on.

If anyone can bring PKI to the masses, Apple can. Soon, other companies will negotiate with Apple to join “iMe Connect” and because it is more secure than a password, they will pay to use it. There are payments applications for this (it means that mobile payments can be lifted beyond ringtones and music tracks, and at a lower margin than operators) but I don’t see them as being central to the business proposition, because people will be using their iPhone to log in to everything (internet banking, shopping, government) and then, because of the NFC interface, they will begin to use it to “log in” in Apple retail stores and then, soon enough, other places. Meanwhile, credit cards and Bling, Amex and PIN debit will all be loaded into the SE anyway, so customers will find themselves using their iPhones to get on BART and pay in CVS. This will save the issuers money, because they don’t need to issue the plastic, so they can offer a good deal. Andrew Johnson was surely right to point this out in American Banker.

In the end, banks have a lot to gain by being willing to give pricing concessions to Apple in exchange for getting their payment card information directly located in Apple’s mobile wallet service. Doing so could give those banks a first-mover advantage.

[From In Apple Mobile Pay Plans, a Possible Opening for Banks – American Banker Article]

Apple doing the identification and micropayments, leaving larger payments to the finance sector who will in turn pay Apple. Now we can see the real play, and a first-rate strategy for the next phase of online evolution: own identity and authentication. iTunes as a payment scheme to rival cards, PayPal, iDeal? No. iTunes as a payment scheme to get people used to logging into things with their iPhones? Plausible. iTunes as something that delivers a variety of customer communication and management options of real value to merchants (a cross between Barclaycard Freedom, Bling and Taggo)? Yes. Why? Because knowing who someone is is so much more valuable than a small slice of their payments, a fact that informed industry observers have pointed to since the Apple/NFC rumourmongering began.

the real revenue streams to Apple will not be from “interchange” but from advertising as iAD provides the “Yang” to the NFC’s “Ying”. Creating a new payment ecosystem means having incented partners. The timing on Apple’s iAD and NFC developments are not accidental, my belief is that they are part of a very solid mCommerce expansion strategy.

[From Apple’s NEW NFC Patent « New Ventures in Financial Services]

Look, I don’t know what Apple’s strategy is any more than you do, but from the perspective of helping clients to formulate their own broad strategies for NFC, payments, value-added payment services and identity, this is a reasonable strawman, which is why we’ve been using it.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers

