Security reporters

[Dave Birch] With contactless payment systems continuing to expand, I see another report from the U.S. concerning fears that the wireless technology behind those systems is not secure enough for widespread adoption, despite assurances from Visa, MasterCard, and other major players. Aneace pointed to a similar discussion in May, except that that time it was the retailers who were saying that

Once the U.S. overcomes its security issues with contactless payments and assures the public of the safety of using them, this technology will explode.

But what are these stories about (and what do they mean)? A typical example is this story about cards transmitting cardholders’ names and numbers in the clear that is illustrated with a picture of a card that doesn’t. But look at the heart of that story. According to a study by researchers at the University of Massachusetts and at security companies RSA and Innealta, many contactless cards will transmit your name, the credit card’s number, and its expiration date (but not the CVV) unencrypted to anyone nearby with an RFID scanner. This is true, but I’d put a different spin on it: researchers have discovered that these cards comply with their specifications and do exactly what they are supposed to do.


Is mobile the new smartcard?

[Dave Birch] The Chicago Fed published an interesting letter asking whether mobile is the new smart card, by which they mean, in an American context, will mobile payments flare and then die away. They agree with me (!) that mobile holds a significant advantage over contactless cards in the area of paperless two-way communication. Cards just do not allow for the sending, receiving, and presenting of information, as mobile devices do. These are clearly factors that point to mobile beginning to encroach on cards’ territory. They already are in some places. France, for example, where Orange has announced that it will launch the first mobile contactless services, based on NFC technology, in Bordeaux in early 2008. And in the U.S., where Wells Fargo and Visa are to conduct a public mobile payments trial with up to 500 customers in the fourth quarter of the year. So is mobile the new smart card: i.e., a new payment technology that starts in France and then spreads worldwide except for the U.S., finally sneaking in to the U.S. under the guise of contactless? Well, I guess, the answer must be yes!


How did I manage to work Dr. Who into ID cards?

[Dave Birch] I can’t help reading stupid non-stories in the newspaper when they touch on anything related to identity. Hence I found myself reading the “60 Second Interview” in the free London Metro. The interview with Freema Agyeman, the actress who plays Doctor Who’s current assistant and is therefore a major heroine in our household, covers her early career working at Blockbuster. As Blockbuster are often rather lazily held up as a central part of the pro-ID card business case (“imagine how much easier it will be to rent a video using an identity card”), I couldn’t help but note her comment that

The not-so-good times were when people lost their temper. At one point, the membership applications got really strict because stuff was going missing. People had to bring in two proofs of address dated in the previous four months. They brought in passports and driving licences and shouted at us that if they could open a bank account with them, why couldn’t they get a Blockbuster card.

Has Freema uncovered the killer application? I didn’t see her at the Public Private Forum on Identity (PPFI) meeting at the Treasury, so I think someone should alert the authorities at the earliest opportunity.


EMV USA

[Dave Birch] EMV migration in the UK is complete, as you all know, and the fact of the matter is that it went pretty smoothly and on the whole, worked rather well. According to APACS cards and fraud control manager of operations, Martin Lewis, and head of cards technical unit David Baker, there are now 133 million chip and PIN cards in operation, supported by 900,000 sales terminals and more than 61,000 ATMs. The migration is spreading around the world, all the way up to the U.S. border. When even Canadian and Mexican migration is complete, will the U.S. then be forced to issue EMV? Probably not, because of on-line authorisation. Besides, who knows what new technologies will be dominating the retail payments space by then?


I could imagine using this

[Dave Birch] There’s been a rash of announcements of new payment schemes recently, many of them centred on mobiles. I find myself reading some of these announcements and thinking “well, that sounds neat” but then saying to myself “I couldn’t see me using it”. There’s a disconnect. But some of them I could see myself using. For example, Pay By Touch have developed a Reward and Gift Card Kiosk. The Internet-enabled kiosk lets shoppers create customized store-branded and third-party gift cards with personalized “to” and “from” names and single or multiple design full-color graphics. Gift cards can be purchased and dispensed directly from the self-serve kiosk, eliminating the current requirement of purchasing gift cards at the check-out lane or customer service counter. The kiosks store an unlimited number of graphics, so multiple merchants or brands can be supported on a single kiosk. Here’s how it works:

  1. Using a touch-screen, the shopper chooses from multiple designs to match the gift-giving occasion, and chooses the denomination he or she prefers.
  2. The shopper then types in both the recipient’s and the gift giver’s name (likely her own) into the “to” and “from” fields.
  3. Using a credit card, the shopper purchases the gift card directly through the kiosk. The shopper presses “print” and a personalized, activated gift card is printed in seconds, along with a receipt.


Opening authentication

[Dave Birch] A discussion that I was in earlier today reminded me of a point made earlier in the year. I was discussing the idea of using software in mobile phones instead of bank-provided “tokens”. It’s superficially very attractive, but it needs the operators to get on board. And then service providers, such as banks, may not want to use it because they don’t want someone else in between them and their customers. While the mobile phone with a SIM is an excellent repository for phishing-resistant credentials, the fact that the mobile operators control access to the SIM (and often severely restrict that access) turns many people off. On the other hand, if the mobile phone were to be used as part of a standard open authentication scheme, so that if the operator doesn’t play ball, banks (or whoever) had plenty of choice of alternative tokens, then that’s not so much of a barrier. With the continued progress of OATH (who we’ve spoken to before) in making interoperable authentication practical, this scenario isn’t particularly far-fetched if there’s a convenient way of implementing OATH in the phone.


The glorious five year plan

[Dave Birch] You may not have noticed, but the European Parliament finally adopted the Payment Services Directive (PSD). The text of the PSD will now be forwarded to the EU Council for final adoption. The Member States should then transpose the Directive as early as possible, and by 1 November 2009 at the latest, into national law. So if all goes well, in a couple of years’ time, I’ll be able to use my debit card in Ireland (as I did last week) and my credit card in The Netherlands (as I did a couple of weeks ago). Hhhmmm. Oh well, at least I’ll now be able to give my bank account details to companies in Romania so that they can direct debit my current account…


Register this

[Dave Birch] I don’t think a biometric register, by itself, is a bad thing. In fact, it’s on balance probably a good thing. But it has to work to a high standard: a biometric that is 99.99% accurate will return hundreds of false matches against a population register. That’s why I think that if there is going to be a proper National Identity Register in the U.K., it should comprise multiple high-quality biometrics (and no other personal information, but that’s a separate point). The U.S. is already moving in this direction. The FBI’s planned biometric register upgrade will store not only fingerprints but also iris scans, and in the future may include enhancements to their ability to use DNA as a forensic tool, according to a recent briefing on plans for its Next Generation Identification (NGI) system.


Contactless in the marketplace

[Dave Birch] Looking at figures coming from various markets, it looks as if a bullish position on contactless is reasonable. Statistics from a MasterCard research study on how PayPass is being used show an increased spending of 19 percent per PayPass account, as compared with accounts for which consumers have only been issued magnetic-stripe cards. The study also shows that consumers with PayPass cards or fobs are using them 29 percent more often than those with non-PayPass cards, and that the average transaction size of a PayPass payment is smaller than for transactions made with magnetic-stripe cards, which confirms their position as a cash replacement: almost 80 percent of PayPass transactions are for purchases of $25 or less. In the U.S., $25 is the "no signature" boundary, so retailers do not have to require signatures for the transactions anyway, and contactless fits in neatly. But I am starting to wonder if the same dynamic will work in the EMV environment. In the U.K., the transaction limit is 10 pounds and contactless is predicted to do well: Datamonitor rate the U.K. as the biggest European market for low-value cash transactions. One of the key subsectors is service stations, but only around 18% of service station transactions are suitable for contactless payment (Datamonitor research shows that this would increase to around 40% if the ceiling was increased to 20 pounds). This leads me to suspect that the limit will be raised sooner rather than later.

