Finovate Europe

I really enjoyed the first Finovate Europe in London. We had an excellent couple of days, because we had BarCampBankLondon the day before (I’ll write something about it later), and lots of folk came in for that too.

Although it was in London, three of the UK’s four biggest banks had just one person at the event. Three of the others didn’t send anyone at all. Barclaycard and Santander sent six each. Hmmm. Perhaps the others are just being careful with taxpayers’ money. I wish the head of eBusiness from my bank had been there.

[From Some Observations From Finovate Europe | Forrester Blogs]

To be completely honest, I was looking at most of the presentations in horribly mercenary terms: asking only which of our clients might be able to exploit this? As a consequence, I wasn’t really grabbed by what one of my fellow delegates called the “wheelspinning” around personal financial management (looking at pie charts of your overdraft and that sort of thing). Our space is the secure electronic transaction space, so I enjoyed the presentations from our friends at SecureKey and VoiceCommerce. It’s that kind of thing that is hot, I think. I’m going to find out more about Miicard as well.

I liked the StockTwits presentation, which probably combined innovation in technology and innovation in business model in the most interesting way, targeting a specific niche in an engaging way. There’s a lesson for me here: if I used Twitter for something more than moaning about South West Trains, I could have been a contender. Boku were great and so were Ixaris: I understand what they are trying to do in payments and I’m sure that both of them will succeed. None of my picks made it in to the delegate’s top three in the final vote, but I’m happy to stand alone.

All things considered it was a super day, an excellent opportunity to connect with clients and colleagues, and an energising look around the space. Jim and all of the chaps should be very happy with it.

The presentation that I probably thought about the most after the event, though, was the one from Fidor Bank. They have integrated a variety of alternative currencies into their online banking platform. These are presumably attractive to German consumers fleeing the euro, with folks memories of hyperinflation pushing them toward non-fiat stores of value.

The partnership will enable Fidor’s customers to buy gold, silver, platinum and palladium without completing any GoldMoney application forms. Orders will be processed daily through the FidorPay Account at the bank and then placed with GoldMoney through an ‘Omnibus-Holding’ in the name of Fidor.

[From Finextra: Germany’s Fidor Bank to offer retail access to precious metals via GoldMoney]

If you want to find out more about GoldMoney, forum friend James Turk, their CEO, will be at this year’s Digital Money Forum. Although only precious metals are live at the moment, Fidor are planning to integrate virtual currencies the future. I didn’t get a chance to talk to them to find out what the mechanism for this is: as far as I know there’s no API for accessing your Everquest platinum (or, literally, a payments wizard) so it would have to be done using screen scraping with usernames and passwords, just as it is for other services with no security (eg, banking).

I’m naturally fascinated to see how customers respond to this. If you can shift from euros to gold to World of Warcraft gold in a simple and friction free way, then we might see some interesting markets emerging.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Making credentials practical

When I’m talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:

A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.

I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowdays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.

PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)

[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]

To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter. And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?

When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.

Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.

[From Files Vanished, Young Chinese Lose the Future – NYTimes.com]

How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).

Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.

A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.

He bought a fake university certificate off the internet, the court heard.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificates, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.

the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.

[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]

How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that it has to be so easy that military installations, the police and other can use it too.

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area

[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]

Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.

(Law enforcement has special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Apple and NFC, a strawman

WIth Apple’s domination of media mindshare almost total, the fact that you can already buy other handsets with NFC in them (eg, the Google Nexus S and the Nokia C7, although both are currently software-limited) and that the first Blackberry handsets are imminent has been overlooked. All press comment (I know, because I contributed to some of it) has been about the iPhone. One of the questions that I was asked, repeatedly, was about iTunes morphing into a new payment scheme.

“They have 160 million users with digital wallets in iTunes accounts. They don’t have to do anything other than to NFC-enable their phones,” Litan said.

[From Analysts: Apple could disrupt mobile payment industry | BappProducts | iOS Central | Macworld]

They do have numbers on their side, that’s true. But as we all know, payments is a two-sided market, so there has to be a reason for the merchants to get on board too.

For merchants, an Apple payment system could prove attractive. Many merchants are raring for alternative payment systems, to avoid having to pay the hefty fees that credit card companies charge for every transaction.

[From Analysts: Apple could disrupt mobile payment industry | BappProducts | iOS Central | Macworld]

Yes, but how will Apple avoid them? Everything I buy on iTunes goes to my MasterCard. Sure, Apple aggregates the payments, but the banks don’t provide this service for free, even for Steve Jobs. In order to avoid having to pay credit card fees, Apple would have to do what PayPal does and start persuading people to sign up with their bank account details, which would in turn mean building the kind of anti-fraud platform that PayPal have been building for a decade. And why would they do that? It seems like a lot of non-core investment to commit to.

This investment is needed because the biggest problem will be security. So long as my iTunes password only allows you to buy music tracks for my iPod or games for my iPad or note-taking applications for my Macintosh, to risk is manageable. But if my iTunes password allows you to walk out of a store with a pair of shoes or a telly, then my iTunes password will become valuable. Microseconds after extending iTunes payments to retail stores, Apple would be dealing with millions of customers calling up because their passwords had been phished, copied, guessed.

Japanese police have arrested two people suspected of stealing virtual goods from players of online game Lineage II. The pair tricked victims via a booby-trapped program that claimed to help people play the game. Instead of boosting a character’s abilities the program stole account names and passwords.

[From BBC News – Lineage II pair arrested for stealing virtual goods]

I’m sure Apple are perfectly well aware of this kind of crime and know that were iTunes to become a general payment paltform, then it would become widespread. This is hardly wild projection, since the phishing of iTunes accounts is already widespread.

It least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, “My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.”

[From Fraudsters Drain PayPal Accounts Through iTunes]

I’m sure Apple already has lots of people working on this problem but ultimately it’s very difficult to stop people from giving away their passwords and I’m sure the phishers will soon learn to send out the right kind of e-mail messages.

Roughly 50,000 Apple iTunes accounts stolen by hackers are said to be for sale on China’s largest auction site.

[From 50,000 Stolen iTunes Accounts On China Auction Site — Apple iTunes — InformationWeek]

The underlying problem is, of course, that passwords are not security and no-one should be allowed to use the phrase “password security” in any serious context. So long as the cost of phishing, guessing or actually breaking passwords is fantastically less than the value of the account that they give access to, there is no solution.

Thomas Roth of Cologne, Germany told Reuters he used custom software running on Amazon’s Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes. With refinements to his program, he said he could shave the time to about six minutes. With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68.

[From Researcher cracks Wi-Fi passwords with Amazon cloud • The Register]

Ah, you might say, but suppose Apple implements a Secure Element (SE) for NFC and that SE uses standard PKI applications on industry-standard Global Platform in an industry-standard JavaCard. Then a thief would have to steal the iPhone as well as the password, and this indeed true. Apple could implement an identity-based payment mechanism and persuade merchants to install the contactless terminals, implement the new scheme and pay Apple instead of paying the banks (whose fees have just been capped by the Durbin amendment.

Again, why bother. You may as well do a deal with a bank to put a contactless EMV application in the SE. But suppose you are not going to care about anything at retail POS — except in your own stores — but instead want to improve security and convenience for customers in general? Imagine this scenario a year from now: I log in to iTunes and it gives me the option of switching to two-factor authentication. (Apple wouldn’t call it that, they have better marketing people – suppose they call it Apple Passport or something like that, maybe iMe or whatever.) I accept. From then on, when I log in to iTunes on my iPhone, I don’t noticed anything different, but under the hood iTunes is sending a digitally-signed challenge to a digital signature application in the SE. It’s decoded using Apple’s public key, and signed using my public key (which, of course, Apple know) and sent back. Sorted. Now with this strong authentication, Apple can have higher-priced items for sale via iTunes. When I log in on my PC, a message pops up on my iPhone and I have to enter my passcode. Under the hood, the same process. Now you have to steal my passcode and my iPhone.

A little later, I’ll be given the option of making my OSX login “iMe only” and so on.

If anyone can bring PKI to the masses, Apple can. Soon, other companies will negotiate with Apple to join “iMe Connect” and because it is more secure than a password, they will pay to use it. There are payments applications for this (it means that mobile payments can be lifted beyond ringtones and music tracks, and at a lower margin than operators) but I don’t see them as being central to the business proposition, because people will be using their iPhone to log in to everything (internet banking, shopping, government) and then, because of the NFC interface, they will begin to use it to “log in” in Apple retail stores and then, soon, enough, other places. Meanwhile, credit cards and Bling, Amex and PIN debit will all be loaded into the SE anyway, so customers will find themselves using their iPhones to get on BART and pay in CVS. This will save the issuers money, because they don’t need to issue the plastic, so they can offer a good deal. Andrew Johnson was surely right to point this out in American Banker.

In the end, banks have a lot to gain by being willing to give pricing concessions to Apple in exchange for getting their payment card information directly located in Apple’s mobile wallet service. Doing so could give those banks a first-mover advantage.

[From In Apple Mobile Pay Plans, a Possible Opening for Banks – American Banker Article]

Apple doing the identification and micropayments, leaving larger payments to the finance sector who will in turn pay Apple. Now we can see the real play, and a first-rate strategy for the next phase of online evolution: own identity and authentication. ITunes as a payment scheme to rival cards, PayPal, iDeal? No. iTunes as a payment scheme to get people used to logging into things with their iPhones? Plausible. iTunes as something that delivers a variety of customer communication and management option of real value to merchants (a cross between Barclaycard Freedom, Bling and Taggo)? Yes. Why? Because knowing who someone is is so much more valuable than a small slice of their payments, a fact that informed industry observers have pointed to since the Apple/NFC rumourmongering began.

the real revenue streams to Apple will not be from “interchange” but from advertising as iAD provides the “Yang” to the NFC’s “Ying”. Creating a new payment ecosystem means having incented partners. The timing on Apple’s iAD and NFC developments are not accidental, my belief is that they are part of a very solid mCommerce expansion strategy.

[From Apple’s NEW NFC Patent « New Ventures in Financial Services]

Look, I don’t know what Apple’s strategy is any more than you do, but from the perspective of helping clients to formulate their own broad strategies for NFC, payments, value-added payment services and identity, this is a reasonable strawman, which is why we’ve been using it.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Age old problem

The simple and prosaic case of age verification has always been a litmus test for digital identity infrastructure and it’s taken on new dimensions because of social networking. We need some clear thinking to see through fog of moral panic, made worse by the turbocharging impact of the mobile phone, because it is such an individual and personal device. The spectre of legions of perverts luring children via their mobile phones is, indeed, disturbing. If only there were some way to know whether your new social networking friend is actually a child of your age and not an adult masquerading as such.

A mobile phone application which claims to identify adults posing as children is to be released. The team behind Child Defence says the app can analyse language to generate an age profile, identifying potential paedophiles.

[From BBC News – Researchers launch mobile device ‘to spot paedophiles’]

Of course, it ought to work the other way round as well. One of my son’s friends told me that members of his World of Warcraft Guild (all 13- and 14-year olds) enjoy pretending to be “grown ups” online (by pretending to have jobs and wives). But this seems an odd way to move forward, as well as something that will surely be gamed by determined perverts.

Why on Earth can’t we just do this properly, at the infrastructural level. If we had a half-decent digital identity infrastructure, there would be no need for this sort of thing. Look, here’s a simple of example of this, in Japan. If you want to use social networks via your mobile phone then it is the operator who verifies your age to the social network service (SNS) provider. Since the operator has the billing relationship, this makes sense.

KDDI announces age verification service for mobile SNS platforms; Gree, Mixi and MobaGa to start at the end of Jan

[From Mobile SNS Age Verification Service by Wireless Watch Japan]

Note that this has no implications for privacy. The operator could require you to come to one of their outlets and prove that you are, say, 18. Then they set a flag for service providers to tell them that you are over 18. It doesn’t tell them your age, or your name or where you are. Just that you are over 18. Note that this system hasn’t been invented for social networking: it is already used to prove age at vending machines (you can’t buy cigarettes or sake or whatever unless your phone says that you are old enough). It ought to be simple enough to do the same thing but using proper technology. Suppose that your Facebook page came with a red border if you have not provided proof of age? Then you could provide that proof of age and have your border changed to blue for under 18 or green for over 18 – then make the rule that anyone with a red border is only allowed to connect to people with green borders.

You see what I mean. Have something that is understandable at the user level and implement it using certificates, digital signatures and keys in tamper-resistant storage (in, for example, mobile phones). There would be no need to try and explain to people how PKI actually works (which killed it in the mass consumer market last time), just show them how to log in to things using their phones. There’s a waiting mass market for this sort of thing if you can be clear to consumers that it will protect their privacy and that market is adult services: porn and gambling, primarily, either of which should generate a decent income stream for the successful service provider.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Competition, not regulation, should be the focus

The cases of debit interchange in the US and cross-border interchange in Europe will, in the longer-term, serve to illustrate a general point: price controls don’t work, a fact well-known since the days of Diocletian:

Despite the fact that the death penalty applied to violations of the price controls, they were a total failure. Lactantius, a contemporary of Diocletian’s, tells us that much blood was shed over “small and cheap items” and that goods disappeared from sale. Yet, “the rise in price got much worse.” Finally, “after many had met their deaths, sheer necessity led to the repeal of the law.”

[From How Excessive Government Killed Ancient Rome]

OK, so the Durbin amendment probably wont lead to rioting in the streets, but it’s still price control, and it will have unfortunate consequences (not for me, since I never use a debit in the US anyway). There’s a good article in the January issue of Digital Transactions by Lauri Giesen examining the US card market. She’s specifically looking at the strategy of retailers with respect to cards. Having won lower debit card fees, retailers are going to go after the credit card business. Trixi Wexler, a spokeperson for the Washington DC-based Electronic Payments Coalition, says that retailers didn’t spend $10 million in lobbying “just to walk away with lower debit card fees”. I’m sure that’s true, but even if it isn’t, that $10 million represents pretty good value for money, since it will result in considerable savings for retailers.

The big retailers and other merchants — who are the real winners — claim they are going to help consumers from their end by passing their savings on in the form of lower prices… But those claims are spurious at best. In countries where these types of interchange rules have been adopted, like Australia, consumers have seen no benefit.

[From Bill Cheney: New Interchange Rules for Debit Cards: A Perceived ‘Win’ Is Really a Loss]

Retailers in the UK make the same claim.

The BRC claim that if charges for every payment method were as low as they are for cash, its members could pass on £480 million in cost savings to their customers.

[From Retailers concerned over ‘unjustified’ fees]

Yes, I’m sure they *could*, but they won’t. The evidence from Australia shows that the retailers managed to persuade the regulator to cap bank fees (for no real economic reason) and then simply kept the loot. That’s exactly what I’d do if I was them: it’s called “regulatory capture” by economists, because market participants are using regulation rather than competition to obtain a larger share of market rent. This all left me wondering, once again, what exactly the lobbyees (is that a word?) think that they are achieving by transferring this share of market rent from banks to retailers. Why, for example, are retailers more deserving of 0.1% of my supermarket purchase than banks? It’s not even as if it’s all retailers anyway.

Cooper said 80% of the projected debit card interchange revenues banks stand to lose will go to 1% of merchants.

[From Untitled]

This, to me, looks less and less like Durbin striking a blow for the little guy and more and more like regulatory capture by some of America’s biggest businesses, the culmination of a well-managed campaign.

Retailers have begged Congress for years, in vain, to limit the fees they must pay to banks when customers swipe credit or debit cards.

[From Debit Fee Cut Is Rare Loss for Largest U.S. Banks – NYTimes.com]

I imagine consumers have begged Congress for years, in vain, to limit the fees they must pay to retailers for food or to gas stations for fuel, so what’s the difference? Why has Congress intervened in order to transfer wealth from one group within society (consumers) to another group (retailers)? The answer, of course, is lobbying.

But retailers mounted an unusually effective yearlong campaign to frame the issue as a chance for Congress to help small business. A leading trade group for chain retailers worked with small-business groups to make sure that every time a senator held a town hall meeting back home, a local business owner showed up to ask about card fees.

[From Debit Fee Cut Is Rare Loss for Largest U.S. Banks – NYTimes.com]

Lobbying on behalf of banks is a bit of a lost cause at the moment, so you can’t blame the retailers for striking while the iron is hot, but if Congress wants to reduce the fees paid by retailers for payments, then it should create a regulatory environment that allows new entrants to come in and provide (non-bank, if necessary) solutions to the marketplace. Are they going to do this? (It’s not a rhetorical question – I genuinely don’t know, and look forward to hearing from some of our US readers to tell me.)

In short, then, if banks had gone up the hill asking regulators to cap the price of food, on the perfectly reasonable grounds that employee salaries are a big part of their costs and that employees spend a lot of their money on food, they would have got short shrift. But given the general hatred of banks, retailers spotted a good opportunity to transfer some of their costs away.

MasterCard said… This provision stands to benefit some of the largest retailers in the world and will harm not only consumers, but also community banks, credit unions, and government benefits administrators. Currently, merchants pay their fair share of debit acceptance; in the future, consumers will be responsible for bearing this cost.

[From Consumers to Pay More for Merchants’ Debit Card Benefits | MasterCard®]

I don’t want to be accused of being MasterCard shill [full disclosure: my employer Consult Hyperion has provided paid professional services to MasterCard within the last year] but there is a valid point here: what’s best for society is to have payment systems that have the lowest total social cost. Speaking in very general terms, this means debit cards (and in particular, PIN debit). So if that’s best for society, how should society apportion the costs? Unless we think we can do better than the market, then we should leave the market alone. Since neither I, nor retailers, nor banks, nor regulators know what the interchange fee should be, they should focus on competition to set them at the right level.

There’s another point that the Digital Transactions article makes that I found interesting. Trixi says that the money from card fees goes to pay for innovation and that without the income, issuers will stop innovating. This may be correct, although innovation is more about non-banks than banks and it is not only Durbin that is hampering payment innovation.

Rich started his address with the assertion that the “Payments system is under attack,” from a regulatory barrage – the CARD ACT, NSF/OD regulation, forthcoming rulings under the Durbin Amendment and the newly formed Consumer Financial Protection Bureau (CFPB) all are paralyzing innovation in the financial services sector. At the same time, innovations from outside the financial services industry are happening at an incredible pace.

[From Payment System Under Attack? Solutions Found in Georgia! – pymnts.com]

I think that in the US case it also means that the retail payments business will slide down the priority list. The lost income from debit interchange, which should have been reduced by competition (ie, the regulators should have told the big retailers “if you don’t like cards, don’t take them” or “if you think you can do it cheaper, go right ahead”) rather than by regulation, will be replaced by fee income from consumers and the marketing, management and retention of checking accounts will surely become more of a priority than debit card activation.

If retailers think that payment systems are too expensive, then why don’t they start one? Or why don’t they invest in payment startups? Starbucks seems to have done quite well by running its own prepaid card scheme and its own mobile payment service, and has been exploiting the benefits of integrated mobile so successfully that it has now decided to go for an immediate national roll-out with barcodes, switching to NFC when the handsets are out there.

However, Starbucks Corp., one of the few stores with a mobile payments program in place, says these transactions are little different from other card purchases, and the real benefit to the merchant comes when people use its app to reload their accounts while waiting in line instead of at the register.

[From Upside For Mobile Payments Comes Before The Payment – PaymentsSource Article]

Perhaps it will be the innovative retailers, working in partnership with technology companies, who will make the breakthroughs while the biggest retailers still find it more cost-effective to spend the money on lobbying.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

The technology of money

The idea of the talk is to reflect on the impact of technology on the various functions of money: that is, as a unit of account, mechanism for exchange, store of value and means of deferred payment. We tend to jumble these functions together, but if we want to understand how money might develop in the future, we need to pull them apart and then look at what technology might do to each of them. I’ll therefore look at how the evolution technology has changed these in the past, leading to the evolution of money.

For the purposes of the talk, I will having another go at categorising money technologies, this time by dividing the evolution of the technology of money into four eras:

Money 1.0 was atoms: grain, gold, stone discs, wampun, whatever. Guildford had a mint making silver pennies (the only coin of the day) by the time Edward the Martyr (975-979) so I like to think that at Consult Hyperion we are part of a tradition of new money technology by the River Wey!

Money 2.0 was atoms about atoms. From the tally sticks of Norman England to the private “tokens” (ie, coins worth more than their base metal content), these items were convenient than the commodities they represented.

Money 3.0 was bits about atoms: that is, fiat currency banknotes, electronic transfers and accounts. Once these bits could move faster than a galloping horse, our relationship with money changed.

Our current era, Money 4.0, can be dated in retrospect to 1971 when Richard Nixon finally ended the gold standard and Visa introduced the Base 1 network for authenticating card payments based on the magnetic stripe. Money 4.0 is bits about bits, but we still apply the wrong mental model, and imagine it to be bits about atoms.

So what does this mean for the future? Well, we can look at three distinct sources of pressure for change:

The first of all there are the technology pressures. These are actually the easiest to understand, at least in the short to medium term. All of the technologies that will impact the world of money, payments and banking over the next generation already exist, it’s just a question of looking around the world to see which of them will have disruptive impact. We don’t need to look much beyond the mobile phone to understand the key platform, since the mobile phone (or, I suppose, more properly, the device formerly known as the mobile phone) will be the most disruptive technology across many sectors. The addition of the short range, zero configuration, medium-speed wireless Near Field Communication (NFC) interface to the mobile handset changes the handset from being the very edge of the network to a pivot between local and global environments that it can integrate in a secure uncontrolled way. A credit card replaces cash if you want to pay a shop, the mobile phone replaces cash if you want to get paid.

Next there are the business pressures. It’s interesting to reflect within the UK, cash accounts for less than 3% of the “money” in use but still accounts for nearly 2/3 of retail transactions by volume, which makes for cost, cost, cost. And when it comes to the dynamic new channels for online business, we’ve got by shoehorning the cards and so forth into the new technology, but we haven’t yet seen the new money for the Internet emerge: perhaps Facebook Credits will take over! Over the coming generation, the payment business and the banking business will become more distinct and as a result more dynamic and efficient payment businesses will find new ways to replace cash. Cheque clearing is scheduled to end in the UK in 2018, so Internet and mobile phone-based alternatives will need to be operational fairly soon.

Finally and most importantly, there are the social pressures. Right now, the retail payments sector is a deadweight of around half a percent of GDP (in Europe). This is largely due to the continuing high use of cash and cheques rather than more efficient electronic alternatives. Clearly, replacing cash would reduce this total social cost and make the economy more efficient but this by itself won’t be enough to trigger action. However, there are growing pressures for governments to reduce the use of cash because it is used to facilitate crime and tax evasion more than because it is inefficient. In if we just focus on Europe we can see that these pressures take different forms in different regions. There are streets in Amsterdam but no longer take cash because the city council has subsidised the retailers electronic terminals in order to reduce crime and lower the costs for smaller retailers. In Sweden, a broad alliance of retail and banking trade unions wants to see the use of cash reduced in order to protect their staff. Post-crunch, these pressures will grow as governments and citizens alike demand action. And since no-one other than tax evaders or drug dealers actually wants the stuff, perhaps change will be quicker than many people think.

I’ll be reflecting on these issues, and more, in my talk and looking forward to being put on the spot in an informed question and answer session afterwards.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Real-time serendipity

Naturally, given my obsessions, I was struck by a subset of the Real-Time Club discussions about identities on the web at their evening with Aleks Krotoski. In particular, I was struck by the discussion about multiple identities on the web, because it connects with some work we (Consult Hyperion) have been doing for the European Commission. One point that was common to a number of the discussions was the extent to which identity is needed for, or integral to, online transactions. Generally speaking, I think many people mistake the need for some knowledge about a counterparty with the need to know who they are, a misunderstanding that actually makes identity fraud worse because it leads to identities being shared more widely than they need be. There was a thread to the discussion about children using the web, as there always is in such discussions, and this led me to conclude that proving that you are over (or under) 18 online might well be the acid test of a useful identity infrastructure: if your kids can’t easily figure out a way to get round it, then it will be good enough for e-government, e-business and the like.

I think the conversation might have explored more about privacy vs. anonymity, because many transactions require the former but not the latter. But then there should be privacy rather than anonymity for a lot of things, and there should be anonymity for some things (even if this means friction in a free society, as demonstrated by the Wikileaks storm). I can see that this debate is going to be difficult to organise in the public space, simply because people don’t think about those topics in a rich enough way: they think common sense is a useful guide which, when it comes to online identity, it isn’t.

On a different subject, a key element of the evening’s discussion was whether the use of social media, and the directions of social media technology, lead to more or less serendipity. (Incidentally, did you know that the word “serendipity” was invented by Horace Walpole in 1754?) Any discussion about social media naturally revolves around Facebook.

Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience.

[From Facebook: the heart in a heartless world | spiked]

I don’t agree, but I can see the perspective. But I don’t see my kids fleeing into Facebook, I see them using Facebook to multiply and enrich their interpersonal interactions. Do they meet new people on Facebook? Yes, they do. Is that true for all kids, of all educational abilities, of all socio-economic classes, I don’t know (and I didn’t find out during the evening, because everyone who was discussing the issue seemed to have children at expensive private schools, so they didn’t seem like a statistically-representative cross-section of the nation).

Personally, I would come down on the side of serendipity. Because of social media I know more people than I did before, but I’ve also physically met more people than I knew before: social media means that I am connected with people who a geographically and socially more dispersed. I suppose you might argue that its left me less connected with the people who live across the street from me, but then I don’t have very much in common with them.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Why bother with the new $100 bill?

The US is soon to release a new $100 bill. But why? What do they do with $100 bills? They're not, as you might imagine, needed to support commerce and trade.

In 2001 the Federal Reserve estimated that 90 percent of the $100 bills ordered by the Federal Reserve (which accounts for the overwhelming majority of C-notes ordered nationwide) were paid out to foreign banks

[From Hundred-dollar bills are for criminals and sociopaths. Why do we still print them? – By Timothy Noah – Slate Magazine]

Around two-thirds of all of the US dollars in "circulation" are not in the US at all and are unlikely to be repatriated. This represents a tremendous interest-free loan from the rest of the world to Uncle Sam. But is this income sufficient to outweigh the negative effects of cash?

So why do we keep printing $100 bills? As with any valuable export, we worry that if the C-note ceased to be available to foreign criminals and dictators, another paper currency would take its place. The leading candidate would be the 500 euro note,

[From Hundred-dollar bills are for criminals and sociopaths. Why do we still print them? – By Timothy Noah – Slate Magazine]

Well, that's true, and the conspiracy theory that the European Central Bank (ECB) only had the 500 euro note printed in order to replace the $100 bill in the stashes of drug dealers and tax evaders is widely recirculated. But that's a reason to scrap 500 euro notes, not to print more $100 bills, especially when the $100 bills have to be completely re-designed anyway.

But the biggest upgrade is a blue "3D Security Ribbon"… The strip contains a series of images of bells and digits; tip the note, and the images come into 3D relief. "It only takes a few seconds to check the new $100 note and know it's real," says Larry R. Felix, Director of the Treasury's Bureau of Engraving and Printing.

[From US Treasury: New 100 dollar bill needs 3D tech – CSMonitor.com]

Sounds exciting. But why bother? Why not just forget about the $100 (and, for that matter, the $50 bill)? After all, high-denomination notes have been withdrawn before, and for much the same reason. We have to weigh up the overall impact on society and try to make the right decision, and sometimes that decision might mean a radical change.

In 1969, the Treasury stopped issuing $500, $1,000, $5,000 and $10,000 bills specifically to impede crime syndicates — the only entities that were still using such large bills after the introduction of electronic money transfers.

[From Turn In Your Bin Ladens – NYTimes.com]

And before I get deluged with e-mails calling me a New World Order stooge intent on introducing the Mark of the Beast across the USA, let me merely point out that if the public were to desire anonymity for payments (they don't, by the way) then it's possible to create anonymous electronic money: this is an implementation choice, not any sort of technological constraint. Of course, the fact that the US government stops producing high-denomination notes doesn't necessarily mean that they will disappear…

Malaysian police have arrested a Lebanese man allegedly carrying fake currency with a face value of $66 million after he tipped a hotel staff with a $500 note, an official said Friday.

The largest U.S. note currently in wide circulation is a $100 bill. But police found bundles of $1 million, $100,000 and $500 notes in the man's hotel room in Kuala Lumpur on Sunday, said Izany Abdul Ghany, head of the city's commercial crime unit.

[From $500 Tip Leads Police to $66 Million in Fake Bills – ABC News]

If only all counterfeiters were that good!

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

The US administration is creating a new sector of the economy: the identity business

Last year I said that I thought that the US National Strategy for Trusted Identities in Cyberspace (NSTIC) was heading in the right direction. I'm very much in favour of the private sector providing multiple identities into a framework that it used by the public sector and vice versa. I'm in favour of choice: if I choose to use my Barclays identity to access the DVLA or my DWP identity to access O2 it shouldn't matter to the effective and efficient use of online transactions. There was one area where I felt it could have presented a slightly different vision, and that's in the use of pseudonyms, which I think should be the norm rather than the exception.

People should consider it normal to get a virtual identity from their bank or their mobile phone operator in a pseudonymous name so that they can browse, transact and comment without revealing anything about themselves other than the facts relevant to a transaction.

[From Digital Identity: USTIC]

James Van Dyke, when discussing NSTIC (which seems have become known unofficially as "Obama's Internet Identity System") warned about

Apocalyptic fear-mongers. Yes I’m ending with the crazies here, but hear me out. The extreme cable networks and televangelists will surely jump on this as the digital incarnation of the Mark of either the Beast or “(gasp!) Obama liberals. Historians will recall that social security numbers were supposed to be an apocalyptic conspiracy.

[From Obama’s Internet Identity System: Could This Change Everything? – Javelin Strategy & Research Blog]

I don't think the danger is the crazies — although I feel a little sheepish writing this a couple of days after a crazy did, in fact, murder several people and seriously injure a congresswoman — but the journalists, politicians, commentators and observers who don't really understand the rather complex topic of digital identity. Or, as "Identity Woman" Kailya Hamlin (who some of you may remember from the first European Internet Identity Workshop that Consult Hyperion sponsored with our friends from Innopay and Mydex back in October) said about NSTIC:

I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative

[From National! Identity! Cyberspace!: Why we shouldn't freak out about NSTIC. | Fast Company]

She's bang on with this. Here's a couple of typical examples from the blogosphere:

CNET reported on January 7, 2011 that Obama has signed authority over to U.S. Commerce Department to create new privacy laws that require American citizens to hold an Internet ID card.

[From Internet Anonymity: Obama Pushes for an American Internet ID]

And

President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity

[From Obama administration moves forward with unique internet ID for all Americans, Commerce Department to head system up — Engadget]

As far as I can see, NSTIC being managed by the Commerce Department has nothing to do with "privacy laws" and the idea that it will require Americans to have an "Internet ID" is a journalistic invention. The actual situation is that NSTIC is to go from being an idea to an actual system:

The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said. While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies,

[From Internet Identity System Said Readied by Obama Administration – BusinessWeek]

What this means is not that Americans will get an "Internet Driver's License" but that they will be able to log in to their bank, the Veteran's Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others.

[White House Cybersecurity Coordinator] Howard Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. "I don't have to get a credential, if I don't want to," he said.

[From Obama to hand Commerce Dept. authority over cybersecurity ID | Privacy Inc. – CNET News]

As long as it's a matter of choice, I really don't see a problem with this. The idea of NSTIC is that it is the infrastructure that is standardised, and this is good. We need standards for credentials and such like so that I can use my Woking Council ID to log in central government services and my Barclays Bank ID so that I can log in to do my taxes online: but I might pay Barclays for an additional ID that has some key credentials (IS_A_PERSON, IS_OVER_18, IS_NOT_BANKRUPT, that sort of thing) but does not reveal my identity. This sort of Joe Bloggs (or, for our cousins over the water, John Doe) identity would be more than adequate for the vast majority of web browsing and if other people want to wander the highways and byways of the interweb with a Manchester United, Prince or BBC ID, then it's up to them. Let a thousand flowers bloom, as they say (well, as Chairman Mao said).

If the crazies want to be concerned about a single ID mark of the e-beast infocalypse, they're perfectly entitled to, but I don't understand why they are convinced it will come from the government in general or Obama in particular – there are half-a-billion people out there (including me) who have already handed over their personal information to a single unaccountable entity.

Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It's easy to implement Facebook Login, simply by adding few lines of code to a web server. Once that change is made, the site's users will see a "Connect with Facebook" button. If they're already logged into Facebook (having recently visited the site), they can just click on it and they're in. If they haven't logged in recently, they are prompted for their Facebook user name and password.

[From Facebook Wants to Supply Your Internet Driver's License – Technology Review]

Now, at the moment Facebook Connect just uses a password, so it's no more secure than banks or government agencies, but it could move to a 2FA implementation implementation in the future. Widespread 2FA access to online services really should have become a business for banks or mobile operators already (think how long Identrus has been around) but it just hasn't happened: I can't use my Barclays PINSentry to log on to Barclaycard, let alone the government or an insurance company. But suppose my Facebook login required access to my mobile phone so it was much more secure: you know the sort of thing, enter e-mail address, wait for code to arrive on mobile phone, enter code (a proper UICC-based digital signature solution would be much better, but that's another topic). Then I could use Facebook Connect for serious business. This would have an interesting side-effect: Facebook would know where I go on the web, which seems to me to be much more like the mark of the e-beast.

An interesting side benefit for website operators is that Facebook Login provides the site with users' real names (in most cases) and optionally a variety of other information, such as the users' "friends" and "likes."

[From Facebook Wants to Supply Your Internet Driver's License – Technology Review]

Which is, of course, why I don't use it. On the other hand, if Facebook decided to use cryptography to secure and protect this sort of information, they could at a stroke create a desirable internet passport: by "blinding" the passport to prevent service providers from tracking the identity across web sites Facebook could significantly improve both convenience and privacy for the average users.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Who needs cash?

[Dave Birch] Cash has some unpleasant side-effects and these really ought to be factored into the big picture when it comes to examining the transition to digital money.

In terms of public safety and national security, the sooner the world moves to a digital cashless economy, the better.

[From Turn In Your Bin Ladens – NYTimes.com]

Most of the cash “in circulation” (I use the quotes because it is not, of course, actually in circulation at all but being hoarded in various places) is used only for criminal purposes: tax evasion, money laundering, drug dealing and so forth.

Somali pirates are reported to have received a total of $12.3m (£7.6m) in ransom money to release two ships. They are believed to have been paid a record $9.5m (£5.8m) for Samho Dream, a South Korean oil tanker, and nearly $2.8m (£1.7m) for the Golden Blessing, a Singaporean flagged ship.

“We are now counting our cash,” a pirate who gave his name as Hussein told Reuters news agency.

[From BBC News – Somali pirates receive record ransom for ships’ release]

Once again, these miscreants aren’t looking for prepaid mobile phones, gift cards or PayPal accounts: they are after cash, and I’ll lay a pound to a penny that they didn’t want Yuan or Roubles or Kenyan Shillings and an M-PESA account in a false name: they wanted dollars, and in $100 bills. The cash was dropped from a helicopter on to the ship. Now, I’ve heard some people — including some people from banks — say that this is fair enough, because the seigniorage on the cash represents a tax on criminal activity and it’s better to collect this stealth tax from the bad guys that impose more taxation on honest, hard-pressed taxpayers. But I have two objections to this line of thinking:

  1. First of all, it is not at all clear to me that the state should live off of criminal earnings. If something is legal and taxed, fine. But if it’s illegal, it’s illegal.
  2. Secondly, the revenues that accrue to the central bank from this enterprise are small compared to the revenues denied to other parts of government. So in the central bank books, life looks good. But over at the treasury, there’s a black hole where the revenues from honest enterprise should be.

Perhaps the non-central bank parts of government might look to the central bank to use some of seigniorage revenues to subsidise the introduction of electronic payments to parts of the economy dominated by cash. But what kind of electronic payments? I suppose the government could start developing its own form of e-cash, but I’m not sure that’s the best way forward. Maybe there’s another way. Perhaps we need a new form of e-cash (that we haven’t seen yet) for the new economy because we are trapped using money developed in a previous age for the commerce of the next. In his excellent book “The Birmingham Button Makers“, Professor George Selgin explains how the British economy faced that same problem during the industrial revolution.

Today, the big problem of small change is no longer such a big problem, although shortages of wanted coin continue to occur sporadically around the world (e.g. here and here) as well as surpluses of unwanted coin. Nevertheless, the basic problems of private coinage were trust and credibility. Modern issuers of digital cash face the same problems and thus Selgin’s history is a valuable reminder about the scope and potential of alternative monetary institutions.

[From Marginal Revolution: Good Money]

Indeed, and apart from a general interest in the history of money, this is precisely why I found George’s work so interesting. Could we see a similar trajectory in the post-industrial economy? This would suggest that private operators might step in to the market to fill the void and then when the competition had run its course and the “best” coinage had been established, then the government would step in and provide it as a public good. Perhaps the Bank of England should run its own version of PayPal and the government should insist that everyone has an account if they want to receive state payments of any kind: welfare, pensions, wages and so on! Once all of money is digital, as opposed to the current 96.3% (in the UK), who knows where that will take us.

As money becomes completely digitized, infinitely transferable, and friction-free, it will again revolutionize how we think about our economy.

[From The Future of Money: It’s Flexible, Frictionless and (Almost) Free | Magazine]

I think this is true. You’ll have a chance to kick around these kinds of ideas if you come along to the 14th annual Consult Hyperion Digital Money Forum in London on 2nd/3rd March 2011, where George Selgin will be along in person to give a keynote talk.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.