Leveraging the payment networks for immunity passports

COVID-19

As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

It is no longer unusual for a company in the City to regularly test its employees before allowing them to work in their offices and support the additional costs of their commute avoiding public transport.

Billions are being invested in vaccine research and tests to confirm that we have the antibodies to protect us and those with whom we interact. But will that be sufficient? Will it allow you to visit your relatives in the care home, sit inside your favorite restaurant, work in close proximity to your colleagues and/or travel without the need to quarantine for 14 days when you arrive and/or return?

Experience would suggest that over the next year or so a variety of vaccinations and tests will be released, which will work to a greater or lesser extent. The question will be: ‘is the vaccination, or test, recognized by the venue (and their insurers), or country, which you are trying to enter?’

For some organizations, the fact that the COVID-19 tracing application on your phone turns green, will be sufficient. Others will only recognize specific vaccinations and tests and will want to check that the immunizations are still valid. Both will be concerned by the availability of fake immunity certificates. Thus, in parallel with the medical developments, we have to implement a robust and efficient method of sharing and remotely validating the immunity certificates or passports that they will deliver.

Those of us who regularly travel in North Africa and South America are used to handing over our yellow International Certificate of Vaccination or Prophylaxis (ICVP), with our passport, to prove that we had yellow fever vaccine. This program, which is governed by International Health Regulations, could provide the governance framework for the operation of the COVID-19 immunity passports.

Over the last few months, Consult Hyperion has proven that the contactless payment networks, which allow you to use your credit or debit card anywhere in the world, can also be used to share and remotely validate your COVID-19 immunity passport.

Our idea is that anywhere you can use your payment card you can also validate that you have the required immunity to enter the building or country. As with your payment transaction, an organization can choose whether or not to accept your immunity passport based on the:

  • Issuer of the immunity passport
  • Vaccinations and/or tests administered
  • Date when the vaccinations and/or tests were administered
  • Potential that the passport is a fake or you are not the genuine passport holder

If required, the organization can also revert to the issuer of the immunity passport to check there and then that your passport is still valid.

The consumer experience delivered by the immunity passport is similar to that of a contactless, Apple Pay or Google Pay transaction. The immunity passport is stored in a secure application in your smartphone or biometric smartcard. When asked to prove your Immunity Status you use your fingerprint to authenticate yourself to your phone/card and then touch your phone/card to a contactless reader. An application on the reader validates your immunity passport and passes only the required information to the restaurateur, owner of the care home or office or border control officer.

From the international community’s perspective, the payment infrastructure over which the immunity passports are shared and remotely validated is in place, proven and robust. It is supported by a raft of rules administered by PCI, which protect the security of personal information, at rest and in flight, within the system. There is an active marketplace for cheap, certified readers, operating secure protocols, which offer Contact Free validation of the immunity passport away from the classical point of sale locations. These include mPOS and SoftPOS solutions which allow a standard mobile phone to be used as a contactless payment terminal, and ruggedized terminals used to validate tickets in high traffic areas, such as the entrance to sports arenas and concert venues.

While the world waits to see if the science supports the ability to establish immunity to COVID-19, and society works through the implications of immune people being able to avoid restrictions which apply to others, we technologists need to prepare the infrastructure that will allow people to share and validate immunity passports.

One of the things I love about working at Consult Hyperion is that we regularly come up with, and deliver, ideas that significantly impact people’s lives – contact and contactless payment cards (worldwide), M-PESA (Kenya), Open Loop Transit Ticketing (London) and more recently SoftPOS (London), just to mention a few. Something tells me that immunity passports will be the next. If you are interested and would like to help deliver the network that will allow life to return to something close to ‘old normal’, please let me know.

China’s PSD2 SCA

QR codes are everywhere because anyone can read them, anyone can use them, anyone can write them. This is in part because there is no security infrastructure. The result in China, where there was little card infrastructure in place beforehand, was the near-ubiquity of QR in the world’s biggest mobile payments market.

“Ogilvy & Mather and Ipsos concluded in a survey of China’s mobile payment market that ‘[Chinese] mobile payment has permeated all aspects of life and changed basic, everyday habits.’”

From “How Chinese Mobile Payments Are Quietly Conquering the World“.

It seemed to us that fraud would be an inevitable consequence of this QR-centric approach, that is indeed what happened. Last year, for example, the South China Morning Post reported that in March 2017 some 90m Yuan were stolen via QR code scams in Guangdong alone (a suspect in one case was found to have replaced merchants legitimate bar codes with fake ones that embedded a virus to steal personal information) and that in China as a whole, a quarter of viruses and trojans were coming in via QR.

Now, while even the man who invented QR codes says that they are an interim technology, there’s no denying that they are here to stay. Hence it makes sense to find a way to make them more secure, and the obvious way to do this is two-factor authentication (2FA). It turns out that the Chinese regulators have come to the same conclusion and have implemented the equivalent of the European Union (EU) Second Payment Services Directive (PSD2) Regulatory Technical Standards (RTS) on Secure Customer Authentication (SCA).

“Under new rules released by the People’s Bank of China [in December 2017], all transactions over 500 yuan (US$76) will be subject to additional levels of verification. As the transaction value passes each trigger point – 1,000 yuan, 5,000 yuan and unlimited – so the security checks will increase.”

From “China’s central bank tightens security“.

Introducing further authentication methods makes obvious sense. Just as in the UK we have contactless for low-value payments but 2FA for higher-value payments (ie, chip and PIN for cards or CDCVM for mobile), QR will be used for low-value payments but 2FA will be required for higher-value payments. Of course, in the Chinese system, QR works just as well on-line as in-person whereas in our system we don’t use chip and PIN online.

This is where we (ie, the industry) should focus our efforts in 2018, since card-not-present fraud is currently growing at 9% per annum in the UK. So what is the way to use chip and PIN online? Well, we already know – it’s the combination of web and mobile browsing with mobile wallets for transactions. When I see a web form asking me to type in my card details – in 2018 already! – my heart sinks. I’ve used ApplePay in-browser a couple of times now (which is the equivalent of using chip and PIN online, as it uses the token in the wallet on the iPhone to complete a web transactions) and I’m already frustrated that more web sites don’t use this kind of solution. If we put our minds to it, we can have online payments that are as ubiquitous as in China, but more secure.

WTF USA EMV CVM POS PIN SNAFU

I’ve been reading a lot of comment about the US EMV migration recently and there seems to be pretty universal condemnation of the process (some of it from me). In the UK, we had chip and PIN day (St.Valentine’s Day 2006) and that, pretty much, was that. But in the US, the migration has been piecemeal, confusing and fraught with problems. But why?

Critics have told me that banks opted for a signature versus a PIN code because it saves them large amounts of money by not having to store PIN codes for everyone. Banks, on the other hand, say they feared that their customers would have a difficult time remembering a four digit code.

From The EMV chip credit card transition in the US has been a disaster — Quartz

As far as I know, neither of these is true. Some issuers preferred chip and signature because it has higher interchange, not because US consumers are morons who uniquely amongst the nations of the Earth cannot remember a four digit personal identification number (PIN) that they use several times every day. Merchants wanted PIN because the fraud rate on PIN is two orders of magnitude less than with signature. Consumers wanted speed and, since they were given that by the no-signature online-authorised stripe transactions that they were familiar with, there was no traction for contactless (which delivers speed and convenience in an EMV environment and provides fertile ground for mobile payments).

The typical US consumer approaches a POS with some trepidation, I imagine, since it is completely opaque as to the experience that awaits them. Tap, swipe, dip, PIN or sign, hand over the card or keep it… every transaction is an adventure. I suppose many stakeholders take the position that it doesn’t really matter because mobile and in-app are going to steadily erode card transactions (Jupiter is reporting that almost half of US consumers already use some form of contactless payment, and a fifth already use it every day – mostly Starbucks I’d imagine). At some point in the imaginable future, “tap and pay” and “app and pay” will together exceed both EMV and magnetic stripe transactions at retail point of sale (POS) and at this point (the plastic singularity or, as I prefer it, #cardmaggedon or the #cardocalypse) signature versus PIN will seem to our children something of a medieval argument along the lines of angels on the head of a PIN. Right now, though, it is still a live debate.

My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

From The Great EMV Fake-Out: No Chip For You! — Krebs on Security

However, until such time, we should probably make an effort to improve the user experience (UX) for the typical consumer and make cards work better for the merchants. As I recall from the excellent NYPAY discussion on the topic, US merchants are particularly aggrieved by the rise in chargebacks that they have seen over the past few months.

Chargebacks for card-present transactions increased 50% following the Oct. 1 EMV liability shift,

From EMV Chargebacks Proving To Be a Card-Present Merchant Problem

You understand why this, I’m sure. It’s because before 1st October, if you spotted a $3.95 charge at Starbucks on your statement and you knew that you couldn’t possibly have made that transaction, then you would call up your issuer and complain and they would just eat the charge because it would have been more trouble than it’s worth to go back to Starbucks, pull the receipt, check the signature if there was one etc etc. However, after 1st October, if you spot a bogus $3.95 charge on your account and call up, the issuer will check the transaction codes and, if you had a chip card but it was swiped by a merchant who didn’t have (or didn’t use) a chip reader, then the $3.95 is charged back to the merchant. The net result is — entirely as expected and as it should be — that merchants see big increases in card-present chargebacks as previously hidden magnetic stripe fraud is revealed.

A good way to reduce that previously hidden fraud would be to simply give customers the option to block magnetic stripe transactions from cards with a chip on them. Why are the banks not giving consumers the option to disable stripe transactions? My debit card has embossing and a magnetic stripe on it for absolutely no reason that I can fathom since I never use it a non-chip ATM and in practice I don’t need it when abroad. I’ve just returned from trips to Rome and Munich where I never once used cash and never needed an ATM (I used my Caxton FX pre-paid card in shops and ticket machines and I used Uber for transport).

Brit abroad

Proof that I was in Rome and that it’s not empty blog rhetoric.

I want my bank to auto-decline any magnetic stripe transaction made using my chip-enabled contactless debit card and I want the ability to set that parameter from my excellent mobile banking app. Why is this so difficult? Meanwhile, back in the US, the mounting annoyance with chip and PIN continues. Perhaps it’s time for the networks to announce the sunset date for magnetic stripes: perhaps 1st January 2019, after which time no new cards will be issued with magnetic stripes or embossing?

Card fraud is really only a small part of all fraud

The latest CIFAS Fraudscape figures for the UK show identity theft up by half again in 2015. And there’s no end in sight.  I’m genuinely not sure whether the fraudsters are getting smarter or the public is getting stupider. It does seem to me that some of the frauds being perpetrated might well be beyond the defensive capabilities of even the most advanced technology.

A taxpayer who bought and handed over £15,000 in Apple iTunes gift card vouchers is one of “hundreds” of HMRC customers to be defrauded in the past month, a scam bulletin says.

From Fraudsters posing as HMRC hijack iTunes :: Contractor UK

So much of the fraud going on depends, in one way or another, on the lack of an identity infrastructure and the useless proxies that support our daily interactions. That taxpayer had no reasonable way to determine whether they were talking to HMRC or not. There’s not going to be a green light on the phone that tells you the caller is who they say they are, although I can imagine how a some sort of digital passport that can check whether other digital passports are valid and I’m sure someone could come up with good mobile UX for it. The consequences are pretty significant.

The annual cost of fraud in the UK could be as high as £193bn a year, far higher than a government estimate of £50bn, according to a new report. The latest Annual Fraud Indicator, based on research from Portsmouth university, has estimated that private sector losses could be as high as £144bn a year — much larger than the public sector figure of £37.5bn. It also counted the cost of fraud against individuals.

From Fraud costs the UK up to £193bn per year, reports says – FT.com

Well, let’s not panic. After all, £193 billion doesn’t buy as much as it used to. Let’s call it £200 billion for a round figure. Against this, card fraud is a miserable half a billion, about a quarter of a percent. Hardly worth worrying about. And, of course, thanks to EMV and 3D Secure and all that, it’s going down. Oh wait…

Statistics by Financial Fraud Action (FFA) UK show fraud losses on UK payment cards totalled £567.5 million in 2015, representing an 18% increase from £479 million one year before.

From UK payment cards annual fraud losses hit £567.5 million

OK, so it’s going up but we should be doing about it? Since there doesn’t seem to much enthusiasm for a general identity infrastructure to actually fix the problem, we should probably continue to focus on better authentication against revocable tokens in tamper-resistant hardware for payments for the time being (although that really isn’t going to stop people from sending gift vouchers to the “inland revenue”) and then see if we can move that model into other areas. If I can have a token that says I can pay by Visa but does not give away my actual PAN, then why can’t I have a token that says I’m over 18 without giving away my age or allowed to drive a car without giving away my address?

SMS authentication isn’t security. And that’s official

Earlier in the week I blogged about mobile banking security, and I said that in design terms it is best to assume that the internet is in the hands of your enemies. In case you think I was exaggerating…

The thieves also provided “free” wireless connections in public places to secretly mine users’ personal information.

From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post

Personally, I always use an SSL VPN when connected by wifi (even at home!) but I doubt that most people would ever go to this trouble or take the time to configure a VPN and such like. Anyway, the point is that the internet isn’t secure. And actually SMS isn’t much better, which is why it shouldn’t really be used for securing anything as important as home banking.

The report also described how gangs stole mobile security codes – which banks automatically send to card holders’ registered mobile phones to verify online transactions – by using either a Trojan virus in the smartphone or a device that intercepted mobile signals up to a kilometre away.

From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post

Of course, no-one who takes security seriously ever wanted to do things this way in the first place (which is why, for example, we used a SIM Toolkit application for M-PESA). This is hardly a new opinion or me going on about things with the wisdom of hindsight.

I saw Charles Brookson, the head of the GSMA security group, make a very interesting point recently. Charles was talking about the use of SMS for mobile banking and payment services and he made the point that SMS has, to all intents and purposes, no security whatsoever.

From SOS SMS | Consult Hyperion

In case you’re interested, that blog post comes from 2008 and if I remember correctly I’d made a presentation around that time drawing on a story from 2007 to illustrate that the mass market use of SMS for secure transactions might prove to be unwise despite the convenience.

Identity theft and a fraudulent SIM swap cost a children’s charity R90 000.

From Standard, MTN point fingers in fraud case | ITWeb

These are all symptoms of the fact that nobody listens to me about mobile banking security. Well, sort of. I’m sure other people have made the same point about keeping private keys in tamper-resistant hardware so that all bank-customer communications are securely encrypted and digitally-signed at all times, but since I’ve been making the same point for two decades (back to the days of the proposed “Genie Passport” at BT Cellnet) and despite the existence proof of M-PESA nothing much seems to be happening. Or at least it wasn’t. But perhaps this era is, finally, coming to an end. Here is what the US Department of Commerce’s National Institute of Standards and Technology (NIST) say about out-of-band (OOB) text messaging in their latest Digital Authentication Guideline (July 2016):

OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

From DRAFT NIST Special Publication 800-63B

I looked up “deprecated” just to make sure I understood, since I assumed it meant something other than a general disapproval. According to my dictionary: “(chiefly of a software feature) be usable but regarded as obsolete and best avoided, typically because it has been superseded: this feature is deprecated and will be removed in later versions”. So: as of now, no-one should be planning to use SMS for authentication.

The NIST guideline goes on to talk about using push notifications to applications on smart phones, which is how we think it should be done. But how should this work in the mass market? The banks and the telcos and the handset manufacturers and the platforms just do not agree on how it should all work. But surely we all know what the answer is, which is that all handsets should have a Trusted Execution Environment (like the iPhones and Samsungs do) and third-parties should be allowed access to it on open, transparent and non-discriminatory terms. The mobile operators should use the SIM to offer a basic digital identity services (as indeed some are beginning to do with the GSMA’s Mobile Connect). The banks should use standard identity services from the SIM and store virtual identities in the TEE. There you go, sorted.

[Note: there’s no need to read this paragraph if you don’t care what happens under the hood] Now, when the Barclays app loads up on my phone it would bind the digital identity in my SIM to my Barclays identity and use the TEE for secure access to resources (e.g. the screen). Standard authentication services via FIDO should be in place so that Barclays can request appropriate authentication as and when required. Then when Barclays want to send me a message they generate a session key and encrypt the message. Then they encrypt the session key using the public key in my Barclays identity. Then they send the message to the app. The only place in the world where the corresponding private key exists is in my SIM, so the app sends the encrypted session key to the SIM and gets back the key it can then use to decrypt the message itself. In order to effect the use of the private key, the SIM requires authentication, so the TEE takes over the screen and the fingerprint reader and I swipe my finger or enter a PIN or whatever. (You could, of course, in true Apple style simply ignore the SIM and put the private key in the TEE, but I don’t want to get sidetracked.)

Why is this all so hard? Why don’t I have a secure “Apple Passport” or “Telefonica Passport” or “British e-Passport” on my iPhone right now with secure visas for all the places I want to visit like my bank and Manchester City Football Club and Waitrose?

It seems to me that there is little incentive for the participants to work together so long as each of them thinks that they can win and control the whole process. Apple and Google and Samsung and Verizon and Vodafone all want to charge the bank a dollar per log in (or whatever) and the banks are worried that if they pay up (in what might actually be a reasonable deal at the beginning) then they will be over a barrel in the mass market. Is it possible to find some workable settlement between these stakeholders so that we can all move on? Or a winner?

Banking is going in-app just like everything else

I very rarely use Internet banking these days and it seems I’m not alone. Almost every interaction with my bank takes place through one of my mobile banking applications: my Barclays banking application, my Barclays PingIt application (which I assume will soon disappear inside WhatsApp and Waitrose and Hailo and so on), my Simple application, my Barclaycard application, my American Express application and so on and so forth. Thinking about it, the only time I can remember using my home banking application in recent times was to search back through transactions to check on some payments on behalf of one of my kids at university and to set up a new payee for Faster Payments. Unusually, I appear to represent the man using the Clapham ISP in this respect, as the latest figures from the British Bankers’ Association show.

The number of internet banking logins made by Brits each day fell last year, as customers continued to migrate to apps, BBA research shows… The number of payments made using banking apps hit 347 million last year, a 54% rise. Internet banking still has the edge here, used for 417 million payments in 2015, but this was up just two per cent.

From Apps crush internet for UK banking logins

The BBC were kind enough to invite me to talk about this on Breakfast TV, because some of the members of the public that they had been talking to expressed concerns about the security of mobile banking. As this is a core area of expertise for Consult Hyperion (in fact, one of the biggest projects that we are working on right now deals with planning, executing and testing mobile app security strategy for one of the world’s biggest banks), I took the opportunity to reassure viewers that not only was mobile banking safe it was, in my opinion, much safer than internet banking. You can watch it here [at 25:50].

BBC Breakfast

 

There are several reasons for this — the fact that the phone contains a smart card and tamper-resistant memory, the fact that the phone tracks you and (perhaps the most mundane of all) that if you lose your phone you notice fairly quickly — but the main point is that if you carry out any form of methodical risk analysis you will see that the mobile phone in essence offers a bundle of security countermeasures that work to reinforce each other. Of course we must be vigilant, but mobile security is doing OK.

Note also that mobile security extends across other channels: mobile is often used to secure internet login anyway. Right now this is often through the not-very-secure use of text messages but there are initiatives such as the GSMA’s Mobile Connect out there trying to introduce some real security.  This is where I expect to see further real innovation in the not too distant future and why I keep posting repetitive tweets about annoying internet logins and anticipating the advent of Apple ID. Since just about everything on the Internet is insecure, the obvious way to improve the security of end applications is to (essentially) ignore the Internet completely in security terms. Just assume that everything sent across the Internet has no defence whatsoever against even the most basic assaults on integrity, confidentiality and availability. In planning terms, assume that the Internet is owned and operated by your nemesis! Thus, everything that goes across the Internet must be encrypted and digitally signed.

If we are going to do this then we need a place to store the private keys that are needed to make the encryption and signing work properly. We can’t store them inside PCs because by and large PCs are just as insecure as the Internet. But since everyone has smart phone, a rather obvious thing to do is to store keys inside the tamper-resistant storage that the handsets provide. After all, if the “secure enclave” (Apple’s name for the ARM Trusted Execution Environment, TEE) inside your Apple iPhone is safe enough to store payment tokens then it is safe enough to store a variety of the virtual identities that I need to operate in the online world. I’ll blog about how this might work in the banking case later in week, but at this point I just want to re-iterate what I told the BBC. When it comes down to it, mobile isn’t as secure as web, it’s much more secure than the web.

Apple are right and wrong

I’m sure you’ve all seen this story by now.

Thousands of iPhone 6 users claim they have been left holding almost worthless phones because Apple’s latest operating system permanently disables the handset if it detects that a repair has been carried out by a non-Apple technician.

From ‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone 6 | Money | The Guardian

Now, when I first glanced at this story on Twitter, my immediate reaction was to share the natural sense of outrage expressed by other commentators. After all, it seems to be a breach of natural justice that if you have purchased a phone and then had it repaired, it is still your phone you should still be able to use it.

I have my Volvo fixed by someone who isn’t a Volvo dealer and it works perfectly. The plumber who came round to fix the leak in our bathroom a couple of weeks ago doesn’t work for the company that built the house, nor did he install the original pipes and he has never fixed anything in or house before. (He did an excellent job, by the way, so hats off to British Gas HomeCare).

If you read on however, I’m afraid the situation is not so clear-cut and I have some sympathy for Apple’s actions, even though I think they chose the wrong way to handle the obvious problem. Obvious problem? Yes.

The issue appears to affect handsets where the home button, which has touch ID fingerprint recognition built-in, has been repaired by a “non-official” company or individual.

From ‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone 6 | Money | The Guardian

Now you can see the obvious problem. If you’re using your phone to make phone calls and the screen is broken then what does it matter who repairs the screen as long as they repair it properly. But if you’re using your phone to authenticate access to financial services using touch ID then it’s pretty important that no one has messed around with the touch ID sensor to, for example, store copies of your fingerprint templates for later replay under remote control. The parts of the phone that other organisations are depending on as part of their security infrastructure (e.g., the SIM) are not just components of the phone like any other component because they feature in somebody else’s risk analysis. In my opinion, Apple is right to be concerned. Charles Arthur just posted a detailed discussion of what is happening.

TouchID (and so Apple Pay and others) don’t work after a third-party fix that affects TouchID. The pairing there between the Secure Element/Secure Enclave/TouchID, which was set up when the device was manufactured, is lost.

From Explaining the iPhone’s #error53, and why it puts Apple between conspiracy and rock-hard security | The Overspill: when there’s more that I want to say

Bricking people’s phones when they detect an “incorrect” touch ID device in the phone is the wrong response though. All Apple has done is make people like me wonder if they should really stick with Apple for their next phone because I do not want to run the risk of my phone being rendered useless because I drop it when I’m on holiday need to get it fixed right away by someone who is not some sort of official repairer.

 What Apple should have done is to flag the problem to the parties who are relying on the risk analysis (including themselves). These are the people who need to know if there is a potential change in the vulnerability model. So, for example, it would seem to me to be entirely reasonable in the circumstances to flag the Simple app and tell it that the integrity of the touch ID system can no longer be guaranteed and then let the Simple app make its own choice as to whether to continue using touch ID (which I find very convenient) or make me type in my PIN, or use some other kind of strong authentication, instead. Apple’s own software could also pick up the flag and stop using touch ID. After all… so what?

Touch ID, remember, isn’t a security technology. It’s a convenience technology. If Apple software decides that it won’t use Touch ID because it may have been compromised, that’s fine. I can live with entering my PIN instead of using my thumbprint. The same is true for all other applications. I don’t see why apps can’t make their own decision.

Apple is right to take action when it sees evidence that the security of the touch ID subsystem can no longer be guaranteed, but surely the action should be to communicate the situation and let people choose how to adjust their risk analysis?

Will America bypass chip and PIN? One of the things I’m going to Money2020 to find out

Another article, this time in American Banker, questioning the rather odd trajectory of EMV in the USA. You’ll recall, I’m sure, that a number of international observers expressed surprise when (some time back) the banks over there decided to roll out chip and signature rather than chip and PIN or, indeed, chip and anything else (fingerprints, body odour or voice recognition). No-one seems to know why.

One reason banks offer for this choice is the presumed difficulty of remembering another PIN. Are we to think that Americans are not quite as capable as the British, Dutch or Canadians — all of whom managed to figure out a way to make the more secure Chip and PIN work?

[From A Chip Without a PIN Is Asking for Fraud | Bank Think]

Is that really it? That American card issuers think that Americans are too stupid to remember a four digit PIN? The seems somewhat patronising to me. I wonder what the American government thinks about it? The FBI thinks that Americans can use a PIN. Or at least they did, before their CVM recommendation was mysteriously taken down.

The alert, which was removed from the FBI’s Internet Crime Complaint Center site on Oct. 9, noted: “When using the EMV card at a POS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card”… That recommendation left many of us scratching our heads because the vast majority of U.S. banks and credit unions have opted to roll out EMV as a chip-and-signature, not chip-and-PIN, transaction.

[From FBI Quickly Pulls Alert About EMV – BankInfoSecurity]

So. Checkpoint. What do we know. Well, we know that PIN is far more secure than signature (I remember being told by Walmart that fraud on PIN debit cards was 250 times less than fraud on signature debit cards). The US banks are going to the expense of issuing chip cards that will defend only against the particular fraud of card counterfeiting — although to be fair according to the Nilson report, counterfeit card fraud losses to US issuers were something like a quarter of total world card fraud losses last year. But why not defend against other kinds of fraud (e.g., lost and stolen cards) by adding the PIN? Old chum David Poole says that the US is “stark raving mad” not to adopt PIN, on the basis of the latest fraud figures.

I was fascinated to read the latest fraud figures as reported in The Nilson Report this week. Worldwide card fraud is up 15% to $16b in 2014. Read that again – $16b that could potentially solve some austerity problems not to mention some poverty. I dare say many organisations would love to be reporting >15% top line revenue growth.

[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]

Let’s just put those figures in context. One of my favourite statistics last year, one that I often dropped into presentations, was that the US is a quarter of the world’s card volume but half of the world’s card fraud. Well, I’m afraid that statistic in no longer valid. On the basis of the latest figures, the US is now a fifth of the world’s card volume and half of the world’s card fraud. And remember, this the cost to issuers. It does not take into account the costs to merchants or the police.

The USA accounted for 48% of these losses. But a very important detail should not be omitted; this figure is over only 21% of the purchase volume. While this globally represents 5.65 cents in every $100 spent, the USA has more than doubled that at 12.75c per $100, and over the last five years the figure has increased each year.

[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]

The US has a problem. Yet, to be frank, if you were inventing EMV today, in a world of smartphones and online and biometrics, then you almost certainly wouldn’t come up with chip and PIN. You’d probably use a combination of convenient authentication and back-office analysis. It would not be surprising to me if the US banks have thought about this and have no intention of going to chip and PIN for their domestic market because chip solves their biggest card present fraud category (counterfeit, which is about half of their losses in the US) and tokenisation is a better solution to the card not present fraud category (and pretty much everything else). The evidence for this is that they’ve gone to chip, but rather than spend hundreds of millions on upgrading ATM networks for PIN management, waiting for merchants to add PINpads and educating customers about looking after their PINs, they’ve instead spent the money on tokenisation infrastructure, assuming that the growth of mobile, especially in-app, will be a more effective means to tackle overall fraud.

So, what does this mean? Well, that’s what I’m hoping to find out at Money2020 in Las Vegas next week, where I am chairing the session on authentication. For most of our clients, where to invest next is a crucial strategic question. Do they assume that US consumers and merchants will get fed up with “chip and wait” pretty quickly and so develop an appetite for contactless that they lack in a “swipe and go” world? Do they assume that none of this matters because in-store, online and mobile will all converge on in-app solutions? Do they assume that clever use of tokenisation platforms will deliver new services over and above fraud reduction? Well, it’s probably all three, but I will be fascinated to discover the sentiment in the corridors of the Venetian and will, of course, report back.

“Personal” computers weren’t

Kicking off the session on “Old vs. New P2P” at Mobile Banking & Payments in New York, Steve Kirsch (the CEO of Token) made the strong point that somehow the era of the PC and the Internet left the basic payment “rails” unchanged. For a long time we’ve papered over the cracks — using 3D Secure, PCI-DSS and so on — but with the arrival of the smartphone we could all see that it was time for change. What we may have underestimated is just how big that change will be.

it can still feel natural to talk of the PC as the most fully-featured version of the internet, and mobile as the place where you have to make lots of allowances for limitations of various kinds… I’d suggest that we should think about inverting this – it’s actually the PC that has the limited, basic, cut-down version of the internet.

[From Mobile first — Benedict Evans]

I couldn’t agree more. And in my framing, it’s all to do with identity. The PC was never personal: it didn’t have a SIM. My laptop isn’t mine in the same sense that my smartphone is and, as a consequence, will never be able to deliver as personal a service. Now, I suppose you could argue that it’s silly to talk about smartphones as PCs because they are, after all, phones.

The study also showed that four in ten users could manage without the call-making capability on their handset.

[From Soft cell: 40% of Brits don’t make calls on smartphones – report — RT UK]

I rarely make calls on my smartphone and I rarely answer them either. Unless it’s the police, my CEO or my wife then I’ll let it go to voicemail or hit the “please text me if it’s anything important” button. Calling it a phone is just a figure of speech, like when you say you are going to dial a number to someone who has never seen a phone dial and has no idea why the word “dial” is used in that context.

So what is the smartphone for?

We’ve all seen a thousand conference slides that show the smartphone as a Swiss army knife: calendar, watch, contact book, diary, games console, social media gateway, radio and so on. But if we go back to Benedict’s point, then we can answer the question in a different way. My smartphone is… me. Well, as good as. It’s sort of proxy me.

a smartphone knows much more than a PC did… It can see who your friends are, where you spend your time, what photos you’ve taken, whether you’re walking or running and what your credit card is.

[From Mobile first — Benedict Evans]

We can all see the what the consequences are in payments and banking. The practical result of the identity-less PC vs. the proxy-identity smartphone is that when I want to transfer some money or pay a bill, I use my excellent Barclays mobile app. I’ll only use my laptop if I absolutely have to because I have to type stuff in (like setting up a new payee). Conversely, it seems bizarre that when I phone up my bank, or my insurance company, or my airline or whatever else, I’m asked to demonstrate my identity by getting involved in (as I heard someone describe it recently) an episode of Jeopardy hosted by Kafka — OK, Franz, let’s go with “places I have lived” — when they could just ask the other me. The mini-me. The mobile-me.

Similarly when I go into a bank branch or a retail outlet or a government office, why do they ask me for bits of paper that cannot possibly be verified when they could just ping mobile-me. App pops up on the phone, you put your finger on the sensor, job done. And just as the crucial role of the smartphone in disrupting the payments industry is to take payments, not make them, so the crucial role of the smartphone in disrupting the payments industry is to validate credentials, not present them. Since my mobile-me can check that your mobile-me is real, our mobile world ought to be much safer our internet world.

Mobile payment is fun, but mobile ID might be indispensable

We hardly notice identity fraud any more. Every day the wires bring more tales of fraud, theft, mischief and mayhem. Our antediluvian identity infrastructure, still based on the pre-industrial infrastructure of paper and signatures, has shifted from being a business irritant to a fundamental barrier to progress.

To my horror, I discovered my savings were nearly wiped out. Over the previous two business days, a woman claiming to be me had used a fake photo ID to make five large, in-person cash withdrawals from different branches of my bank in two faraway states. The largest withdrawal was $4,800; the smallest was $2,400.

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

Now, you might think that this is a little odd. Surely, you would imagine, if someone walks into a bank to draw out a few thousand dollars in cash then the bank would take their identity document and authenticate it — let’s say take their secure microchip on a plastic card and get them to enter a PIN, or take their e-passport and verify via digital signature and online lookup — before doling out the dosh. But apparently not.

Why was it so easy for a petty criminal to get away with so much cash? It doesn’t take many brains to understand that data breaches have created a thriving market for confidential financial information. And modern technology apparently provides the means to create authentic-looking fake IDs… In many of today’s bank branches, it seems in-person transactions still rely heavily on paper and trust. “If the teller feels that the person standing in front of them is indeed the customer, they’ll give out the cash,” several bank employees explained to me. Am I really to believe that with more tools available than ever to detect crime, a major bank relies on employees’ “feelings” to verify customers’ identities?

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

This is indeed puzzling. Not that anyone should be using driver’s licenses as identity documents anyway, since bank tellers and bar bouncers are not anti-terrorist geniuses capable for spotting fake IDs from around the world in an instant — note that if they actually did want to verify these documents properly, they could always use technology to do it (e.g., Au10tix) — when everyone that walks into the bank or the bar is carrying a piece of technology that can easily provide the combination of identification and strong authentication that is more than adequate for business.

Mobile financial services can’t expand fast enough, in my opinion. Though nothing is foolproof, a mobile phone seems like a good starting point for verifying a customer’s identity and immediate physical location

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

If I walk into a branch of Barclays (I can’t off the top of my head imagine why I might do this, but let’s just say) then the Barclays mobile app is more than capable of telling the branch who I am. It seems like an obvious way forward. But there is another reason why a mobile app might be a better basis for establishing identity than a scrawled signature or a trivially-counterfeitable utility bill or whatever, is the principle of identity symmetry. When the bank asks your mobile app to authenticate you, your mobile app can simultaneously verify the digital signature on the requests so that it knows it is dealing with your real bank. The Secure Enclave that hosts my tokens could also validate other peoples’ tokens to close the security loop. Ah, you might think, that might apply online but why would you need that in a physical branch? Well,

A Chinese man made thousands of dollar by opening a fake branch of one of the world’s largest banks. The man, whose surname is Zhang, equipped the fraudulent China Construction Bank outlet with card readers, passbooks and three teenage girls at the teller counter. One of the girls posing at the branch near Linyi, Shandong province, was the man’s 15-year-old daughter.

[From Chinese farmer swindles thousands of dollars by opening fake BANK | Daily Mail Online]

Brilliant. I love this story. No-one spotted that this entire bank branch was fake, not until a woman who deposited $6,200 at the fake branch could not withdraw it from a real branch a month later. The managers there spotted the fake deposit and contacted the police!

We can use mobile phones to prevent this kind of thing. But who will do so? Why don’t we all have working mobile ID already given that the idea has been around for years? The key question is: will the banks and the mobile operators and the handset manufacturers and the platform providers the government be able to work together to deliver a mobile ID infrastructure just as they did not work together to deliver a mobile payments infrastructure? Assuming the answer is no, then we are relying on Apple to once again perform its sheepdog role of corralling the banks so that the next time I access my bank online, use an ATM, walk into a bank branch or phone the bank from home, I will expect my bank app to pop open on my iPhone and ask for authentication. Once I’ve used TouchID or entered my PIN then I will know that I’m dealing with my real bank web site, ATM, call centre or branch and I’ll be able to get my banking service with a minimum of fuss.

The ability to recognise each other (as I’ve written many times before) is the fundamental precursor to relationships (and therefore transactions). If there were a cost-effective and convenient mechanism to do this that could be used for governments and citizens to recognise each other, for businesses and consumers to recognise each other and for banks and their customers to recognise each other, we would see an inevitable growth in transactions and open up the virtual world to even more innovation and entrepreneurship. If my “Apple ID” provides a convenient mechanism for mutual recognition in person and on line, it will be indispensable in short order. I am heartily sick of usernames and passwords, account numbers and one-time codes, call centres and secret words and I can’t wait for my mobile to do away with them.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.