Defending secure applications against Jedi mind tricks


Here at Consult Hyperion, we are often involved in the design, implementation and testing of secure systems on devices such as smart cards and mobile phones for payments, banking and other applications where security is critical.

The Disintermediation of Business Banking


I recently had the pleasure of “attending” the LendIt Fintech – Europe 2020 virtual event.  Now, much of the content covered banking services for Small and Medium Enterprises (SMEs), an area that personally I’m not particularly familiar with, but one that is gaining more focus in the news of late.  One thing that struck me was the potential disruption of traditional business banking brought about by open banking.

City Currency

The pandemic has revived interest in a topic that has surfaced repeatedly in Tomorrow’s Transactions events over the years, and that is the issue of local and complementary currencies. The Bristol Pound, the Brixton Pound, the Lewes Pound and many other experiments have sprung up around the country (indeed, around the world) to try to stimulate and regenerate local and regional trade and prosperity in response to the changing economic circumstances. We tend to think of currencies as being instruments of the nation state but that’s actually a recent invention in the great scheme of things. There’s no reason to see optimal currency areas as inviolable laws of nature rather than transitional borders under prevailing monetary and financial arrangements.

Who would have ex-Spectre-d this?

At Consult Hyperion we’re always interested in the latest news in cyber security and in case you haven’t heard, 2018 has started with the news that most of the processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and are caused by common optimisations built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it could affect any operating system. It’s likely the machine you’re reading this on is affected – whether it’s running Windows, macOS, iOS, Android or is in “the cloud”!!

At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS). This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets which may include passwords, keys or possibly payment data, present in processor caches or memory.

I’m not going to discuss how the vulnerabilities achieve what they do (there are plenty of sites which attempt to do this); I’d rather consider their impact on people, such as our clients, who may be handling sensitive data on mobile devices – e.g. payments, banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.

So, what can be done about it? The good news is that whilst the current processors cannot be fixed, several operating system patches have already been released to try and mitigate these problems.

However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the issue has changed from it only affecting Intel processors, to now including AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, there may be additional vulnerabilities discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.

It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:

1. You must have a vulnerable processor (highly likely)
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device

 
For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.

Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.

For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.
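On Linux-based devices, whether an installed update has actually closed condition 2 can be read back from the kernel rather than assumed. The following is an added example, not code from the original post: it reads the status files that patched Linux kernels expose under `/sys/devices/system/cpu/vulnerabilities` and treats a missing file as unproven rather than safe. The sample status lines are constructed for the demonstration.

```python
"""Added example: read back the kernel's own Meltdown/Spectre status."""
import os

# Where Linux kernels carrying the mitigation patches report their status.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample: Meltdown patched, Spectre v1 not, Spectre v2 not reported.
CONSTRUCTED_SAMPLE = {"meltdown": "Mitigation: PTI", "spectre_v1": "Vulnerable"}


def classify(status_line):
    """Map one status line to not_affected, mitigated, vulnerable or unknown."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"   # condition 1 (vulnerable processor) does not hold
    if text.startswith("Mitigation"):
        return "mitigated"      # condition 2 (unpatched OS) does not hold
    if text.startswith("Vulnerable"):
        return "vulnerable"     # conditions 1 and 2 both hold
    return "unknown"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {issue: (state, raw status line)} for each issue in ISSUES."""
    report = {}
    for issue in ISSUES:
        path = os.path.join(sysfs_dir, issue)
        try:
            with open(path, encoding="utf-8") as handle:
                raw = handle.readline().strip()
        except OSError:
            # No file: the kernel predates the reporting interface (or this is
            # not Linux), so there is no evidence that a patch is in place.
            report[issue] = ("unreported", "")
            continue
        report[issue] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Issues that are neither reported as mitigated nor as not affected."""
    safe = {"not_affected", "mitigated"}
    return sorted(i for i, (state, _) in report.items() if state not in safe)


def write_sample(directory, statuses):
    """Create constructed status files so the audit can run on any machine."""
    for issue, line in statuses.items():
        with open(os.path.join(directory, issue), "w", encoding="utf-8") as handle:
            handle.write(line + "\n")


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp, CONSTRUCTED_SAMPLE)
        sample_report = audit(tmp)
        print("constructed sample:", sample_report)
        print("needs attention:", needs_attention(sample_report))
    # The same audit against the machine this script is running on.
    print("this host:", audit())
```

A "mitigated" result only speaks to the operating system; browsers and other software that run untrusted code still need their own updates.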

A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android – for example, Google’s latest information (https://developer.android.com/about/dashboards/index.html – obtained 5th January 2018 and represents devices accessing the Google Play Store in the prior 7 days) shows that for the top 81% of devices in use:

• 0.5% of devices are running the latest version of Android – Oreo (v8.0, released August 2017)
• 25% are running Nougat (v7.x, released August 2016)
• 30% running Marshmallow (v6.0, released October 2015)
• 26% running Lollipop (v5.x, released November 2014).

 
It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.

If you compare to iOS, it’s estimated (https://data.apteligent.com/ios/) that less than a month after it was released in December 2017, over 75% of iOS devices are already running iOS 11.

The final requirement is Point 3 – getting malicious code onto your device. This could be via a malicious application installed on a device, however, the malicious code could also come via a website as it’s been shown that even JavaScript sandboxed in a browser can exploit these vulnerabilities. As it’s not unheard of for legitimate websites to unwittingly serve up 3rd-party adverts which contain malicious code, a user doesn’t have to be accessing malicious websites for the problem to occur. Several browsers are receiving patches to try and prevent Meltdown and Spectre working via this route. Regarding malicious applications, we’d always recommend that applications are only ever installed from legitimate sources, however malicious apps still regularly appear in legitimate app stores, so this is not fool-proof.

Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers – these applications should already be including protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.

If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving onto the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system – something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack to have been possible, let alone something which needs to be actively mitigated.

Friends and relations

While I was sitting through a presentation (a very good presentation, I might add) on social media strategy for one of our client’s financial services businesses, it struck me that they were slightly misjudging the more interactive and transactional nature of social media, doing great stuff but treating social media as another customer communication channel. I’m naturally more interested in social media for transactions: social commerce. I’ve given a couple of talks about this recently, pointing out the opportunities that social commerce opens up.

One prediction says social commerce will top $30 billion globally by 2015 with Facebook-generated sales one of the primary drivers.

[From Infographic: The history of F-commerce | SMI]

There are many different ways that financial services organisations can exploit this. A good example, to my mind, is the way in which Amex works with Foursquare.

Just after announcing that it passed 10 million users, location-based check-in service Foursquare has said it is partnering with American Express to give members even better deals when they check in at merchants’ stores across the country.

[From Foursquare partners with American Express for deal check-ins | VentureBeat]

This is a terrific proposition and it’s well implemented (through statement credits, so no coupons or vouchers or anything are needed). And, to follow this example, Amex also has a Facebook page where its large number of fans can come to learn about products and services, share with the community of card holders and so on. Great stuff. And it isn’t only financial services organisations that are integrating themselves into social media to create new kinds of social commerce.

That is because the well-known mobile service provider is now allowing its customers to log on to Facebook to purchase phone credit.

[From O2 details new contactless payment technique]

Wow, that’s pretty interesting.

Pre-paid subscribers will now be able to access a secure app on the social networking website, where they will put in credit card details in order to purchase top ups.

[From O2 details new contactless payment technique]

Credit card details? Not Facebook credits? But you get the picture. Something like Facebook can be used to create a more intimate transactional environment without having to develop software, making it easy for consumers to “friend” and “like” and so forth. Personally, I don’t find this sort of thing particularly appealing because to me it’s the wrong kind of social relationship: I want something more granular.

Here’s what I mean. I don’t want to be friends with my bank — after all, I’m a typical consumer so I hate banks — but I do want to be friends with my bank account. Why can’t Barclays let me friend my current account so I can see its status updates like “Premium card fee £10.00”, “Direct Debit British Gas £37.85” and “Counter Credit £5.00” and so forth? I quite like the text messages that Barclays sends me but would prefer something more immediate and more detailed (I often call this “streaming commerce”) so that I can make decisions and respond.

Similarly, I don’t especially want to be friends with MBNA, but I do want to be friends with my MBNA American Express card. I’m using “friend” generically, of course, I don’t mean to imply that Facebook is the one and only way to implement a social media strategy.

Facebook usage in the UK fell nearly 4pc in July to its lowest level since 2009, sparking concerns that the social network has hit its peak and may be declining in popularity.

[From Facebook usage falls to three-year low – Telegraph]

I don’t use Facebook that much — it’s really for sharing with my brother and sister, other family members and a few old friends — and I’ve not got a crystal ball to see whether we’ll still be using it in a couple of years.

Many of the smartest people I know are leaving Facebook as well. I predict we’ll see many people leaving over the coming months and adopting Twitter.

[From The Facebook Exodus and the Future of Human Communication « Far Beyond The Stars | Cyborgs, second selves and cybernetic yogis]

My idea would work even better with Twitter though. Suppose Twitter made a small change to their system so that a user could opt to be in “secure” mode. A secure mode user can only be followed (or searched) by users in their “secure list” or whatever. Then, my MasterCard could be secure user “mc-53XX-XXXX-XXXX-XXXX” and the only name in its secure list would be “@dgwbirch”. Now, when anyone else tries to follow or search mc-53XX-XXXX-XXXX-XXXX they see nothing.

I’d love to follow my John Lewis MasterCard on Twitter in this way instead of having to log in to find out what it’s been up to. Since I use Twitter all day and every day anyway, it would be a much better channel for payment products to develop a more intimate relationship with me. And think of the practical benefits: if I get a tweet from my debit card telling me it’s just been used to withdraw money from an ATM in Belarus, I can call Barclays right away to block it from further misbehaviour. This doesn’t seem terribly complex: all Barclays need to know is my Twitter name and then it can use the Twitter API to post tweets and only allow me to follow them.

If I could follow my transactional instruments, I could also (in time) feed their tweets, status updates, notifications and so on into other software for mash-ups. I don’t know what kind of mash-ups – I’m not smart enough for that – but I’m sure there are people out there who could do great stuff with the data. So a plea to my account, card and service providers: I don’t want to be friends with you, because you are corporations and not mates, but I don’t want to be friends with my stuff: my money, my cards, my phone. How hard can it be?

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Bitcoins and PCs

Anyone in the e-payment space will not have failed to notice the attention that Bitcoin has been attracting over the last few weeks. I have to say that I was surprised by the interest from journalists — I was even interviewed for the Wired podcast and for New Scientist — for what is, after all, pretty small potatoes. Thanks to its open and transparent nature, it’s easy to see just how big the Bitcoin economy is. This is how it looked on one of the biggest exchanges on 18th May 2011 when I was talking to a European journalist:

Last Price: 7.285; High:7.98; Low: 6.9799; Volume: 34428

[From Mt Gox – Bitcoin Exchange]

So that’s a quarter of a million dollars in trades, although you can’t tell how much of that is people shifting bitcoins between their own accounts and how much is new money coming in. That’s not a huge business. Yet in some of the more hysterical reporting — the most dangerous idea ever, etc etc — you’d think that China was switching its reserves from dollars to bitcoins.

Because on Friday, the Bitcoin experienced a rather dramatic drop. In the words of one anonymous commenter: “it looks like it lost 1/3 of its value in the last 24 hours. Lots of big sells, complaints of liquidity, and pissed off nerds.”

[From FT Alphaville » Bitcoin’s Black Friday]

A couple of weeks later, then, the value has fallen and the first bitcoin heist has been reported.

In the first Bitcoin theft of its size, a user has lost 25,000 BTC — or nearly $487,749 at today’s market rates — to an unknown thief.

[From Close to US$500k stolen in first major Bitcoin theft – Industry]

As I somewhat uncharitably posted on Twitter, “help I want my anonymous, untraceable digital cash back!”. Now we read that Bitcoin is dead, it’s a scam, it’s a bubble etc etc. So what’s the truth? What strategy, if any, should stakeholders in the e-payments space consider?

The only thing that’s even kept Bitcoin alive this long is its novelty. Either it will remain a novelty forever or it will transition from novelty status to dead faster than you can blink.

[From The Underground Economist, Why Bitcoin can’t be a currency]

I think it’s more than a novelty. I’d actually started writing something about Bitcoin a while back, when Twitter friends pointed me to a paper, “Mobile Payment Systems and Services: An Introduction” by Mahil Carr, which says (with no evidence at all to support the assertion) that “mobile payments have to be as anonymous as cash transactions”, and I’d been involved in a subsequent discussion about whether bitcoin might be suited to this environment. I couldn’t help but observe that cash is the wrong benchmark: it isn’t as anonymous as some people think.

On April 26, a state police trooper was called to the Subway after the owner said one of her employees found three “obviously counterfeit” $20s in the safe. The owner checked the surveillance video and saw one of her employees, the 17-year-old boy, take bills from his pocket and exchange it for money in the cash register… Before exchanging the bills, the employee marked the bills with a counterfeit marking pen, which resulted in a dark brown mark, meaning they were fake.

[From subway counterfeit money: subway counterfeit money, teens charged with making fake money on computer scanner – mcall.com]

In a world of mobile phones, Twitter and CCTV, anonymity is a high bar to set. In the virtual world, however, anonymity can be an implementation choice, should it be a requirement for a payment system. Personally, I don’t think it is. Transactions need to be private, not anonymous, and that means a different set of design principles. In all of my experience, even during my days as a firm proponent of anonymity as a key element of retail transaction schemes, I never saw the slightest demand for this from any of the stakeholders, including consumers. Nevertheless, that doesn’t mean that new technology could not, quite easily, lead to entirely new ways of making payments recognising the fact that the underlying technology has changed beyond all recognition in the previous generation.

Visa processed 37 billion transactions in FY2008, or an average of 100 million transactions per day. That many transactions would take 100GB of bandwidth, or the size of 12 DVD or 2 HD quality movies, or about $18 worth of bandwidth at current prices.

[From Cryptography, Law and Privacy Blog: Re: Bitcoin P2P e-cash paper]

Will Bitcoin be the new technology to revolutionise money? To answer that, I have to step back a little. Generally speaking, I think there is a problem with language, because people (I mean normal people, not people like us) never think about what money is or how it works. Sterling (the currency) could continue to exist even if there were no notes printed by the Bank of England or coins produced by the Royal Mint. People could sign contracts for Sterling payments, but those payments would be commuted for execution: when the payment falls due, the counterparties agree on a mechanism for exchange (which might be Dollars in a bank account, Euro bank notes or cowrie shells). Why would they, then, sign a contract in Sterling in the first place? Well, it’s because they expect the currency to serve as a means for deferred payment in that its value in the future is predictable. I’m not saying that this always works well, because currencies are not as stable as might be hoped, but that’s the theory.

Now let’s move on to this specific implementation. Bitcoin is a decentralised, peer-to-peer means of exchange. If you have a bitcoin, which is just a string of numbers, you can send that bitcoin (or a subdivision of it) to anyone else on the interweb. If you want to understand how Bitcoin works, a good place to start is the original paper on the topic, “Bitcoin: A Peer-to-Peer Electronic Cash System” by Satoshi Nakamoto. I’m no expert on cryptography but there’s no reason I know of to question the basic idea: use a computationally difficult challenge to create strings of bits that it’s hard to make but easy to copy, then use digital signatures for transactions. I get my bitcoin (a string of bits) and then in order to transfer them to you I add a digital signature and send them to you. Every time we do a transaction, we tell (essentially) everybody else that the bits now belong to you. The closest analogy to this is the stone currency of the island of Yap, in the South Pacific. The huge stones that represented money never went anywhere, people just remembered who they belonged to.

Every transfer of ownership is public knowledge, and the physical stone can stay in place.

[From Quezi » How is Yap stone money similar to Bitcoin?]

Rather like Bitcoin, in some ways. So far so good. But why would people use Bitcoin? There seem to be three key reasons: one is that they want a cheap, irreversible online means of exchange (cash for the 21st century), another is that they want an anonymous means of exchange (coins for the 21st century) and yet another is that they want to use a non-government currency because they don’t trust governments to manage money properly. Let’s have a quick look at each of these.

Frictionless low-value payments

Now, having been involved in a previous attempt to create a global, decentralised, peer-to-peer means of exchange that addressed the first two of these issues, Mondex, I’m naturally interested to see how Bitcoin develops. I’m frankly sympathetic to many of its goals, because I too believe that a “frictionless” means of exchange for the online world would stimulate a new era of trade, and therefore prosperity. In an essentially frictionless system, where the transfer of value is simply the transfer of bits, the key problem to overcome is that of “double spending”. In other words, if I send you some value (bits), how do you know that I haven’t already sent that value (ie, a copy of those bits) to someone else? There are a number of different approaches.

  • The usual solution is to have a central register.
  • The Mondex solution was to use tamper-resistant hardware (smartcard chips) to store the balances.
  • The Bitcoin solution is to distribute the transaction record across the network (every node knows every transaction), which works provided that the timestamps can be co-ordinated properly (otherwise the nodes wouldn’t know the order of the transactions). When you get a bitcoin, it takes a few minutes before you can spend it again because the network needs to be updated.

Which is best? It’s not really the topic of this post, but I’d say a combination of 1 and 2: a central register plus tamper-resistant hardware so that low-value payments can be handled quickly, offline in some environments.
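The ordering condition attached to the third approach in the list above can be shown in a few lines. The following is an added example, not code from the original post or from Bitcoin itself: two nodes hear about the same double spend in different orders and end up disagreeing about who owns the coin, until both apply the transfers in one agreed order. The names, coin identifier and timestamps are constructed, timestamps are assumed to be trusted by every node, and signature checks are left out to keep the focus on ordering.

```python
"""Added example: double-spend detection depends on an agreed order."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    coin: str
    sender: str
    recipient: str
    timestamp: int  # assumption: a time every node accepts as correct

    def digest(self):
        """Stable identifier, used only to break timestamp ties."""
        data = f"{self.coin}|{self.sender}|{self.recipient}|{self.timestamp}"
        return hashlib.sha256(data.encode()).hexdigest()


class Node:
    """One participant's copy of the register: coin -> current owner."""

    def __init__(self, genesis):
        self.owner = dict(genesis)
        self.rejected = []

    def apply(self, tx):
        # The double-spend rule: only the current owner may pass a coin on.
        # A central register applies exactly the same rule, on a single copy.
        if self.owner.get(tx.coin) != tx.sender:
            self.rejected.append(tx)
            return False
        self.owner[tx.coin] = tx.recipient
        return True


def settle_on_arrival(genesis, arrivals):
    """Apply transfers in whatever order the network delivered them."""
    node = Node(genesis)
    for tx in arrivals:
        node.apply(tx)
    return node


def settle_in_agreed_order(genesis, arrivals):
    """Collect everything first, then apply in the order all nodes agree on."""
    node = Node(genesis)
    for tx in sorted(arrivals, key=lambda t: (t.timestamp, t.digest())):
        node.apply(tx)
    return node


# Constructed scenario: alice sends the same coin to bob and then to carol.
GENESIS = {"coin-1": "alice"}
TO_BOB = Transfer("coin-1", "alice", "bob", 100)
TO_CAROL = Transfer("coin-1", "alice", "carol", 101)   # the double spend
BOB_SPENDS = Transfer("coin-1", "bob", "dave", 160)

# Network delay delivers the same three messages in a different order.
NODE_A_SEES = [TO_BOB, TO_CAROL, BOB_SPENDS]
NODE_B_SEES = [TO_CAROL, BOB_SPENDS, TO_BOB]

if __name__ == "__main__":
    a = settle_on_arrival(GENESIS, NODE_A_SEES)
    b = settle_on_arrival(GENESIS, NODE_B_SEES)
    print("arrival order:", a.owner, "versus", b.owner)

    a = settle_in_agreed_order(GENESIS, NODE_A_SEES)
    b = settle_in_agreed_order(GENESIS, NODE_B_SEES)
    print("agreed order: ", a.owner, "and", b.owner)
    print("rejected as double spend:", a.rejected)
```

Waiting until every transfer has been collected before settling is the delay the list item mentions: a recipient cannot safely spend again until the network has caught up.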

Anonymity

What the general public want is privacy, not anonymity. If I lose my wallet, I want my money back. This is why I always carry prepaid cards when I travel, rather than carrying cash. In fact I’ve just been through the very process of getting my money back because I gave my son a prepaid Euro card to use on a school trip in Spain (a Thomson MasterCard) and he lost it when there were still €70 on the card. No-one else can use that card (they don’t know the PIN and it has no name on it so they can’t pass AVS online) and I am getting the money back. Personally, I think this is closer to the kind of cash that makes sense in the new economy. It’s economically infeasible (although not computationally infeasible) to track and research every payment, but when something goes wrong it can be restored. And if I did use the card for some illegal purpose, the police could get a warrant and Thomson would of course point them to me.

I’m not sure that I want to live in a society where unconditional anonymity exists for payments. I don’t want the bad guys to be able to operate with impunity. But neither do I want every little transaction I make trawled by corporates, the media, the government. The solution has to be payment systems with privacy built-in, so that privacy is the default and it takes legal process to uncover transaction details.

Private Currency

This may well be the most contentious area for debate. I am a Hayekian, in that I would prefer to see a system of competing private currencies rather than government monopolies, because I think that sound money is an important base for the economy. But this issue is, to my mind, orthogonal to the other two. You could implement competing private currencies in anonymous, pseudonymous or absonymous (note to pedants: this is a word I made up, that’s why it fails the spell-check, not because I spelt it wrong) ways and you could implement the mechanism for exchange using all sorts of systems. Whether transactions are reversible or not has nothing to do with the currency.

Trajectory

Is Bitcoin a good currency? I suspect not, but I’m not an economist, so I must defer to the experts. The question that most of our clients are interested in is whether Bitcoin will form a niche parallel economy or whether it will scale into the mainstream economy. I have a suspicion that this won’t happen, and that’s because the anonymity that is the attractive feature to the early-adopting bitcoiners is not attractive to the mass market.

The best strategy is to learn, and to think about ways that the cryptography at the heart of Bitcoin can be used to deliver new kinds of services in a connected environment. I don’t think cash will be one of them.


Harsh, but fair

[Dave Birch] A few days ago I was at Experian’s annual Payment Strategies conference, where I had been kindly invited to provide a closing keynote. In it, I made a few predictions about the next phase of evolution of the European payments business, and in passing I mentioned that I felt that some progress had been slow.

Birch lambasted traditional banks and payments providers for their failure to grasp the nature of the opportunities presented by mobile technologies, which has led them to miss the boat. “I’m almost embarrassed to stand before you and say that I thought that banks and mobile operators could work together,” he told the conference. “It was a stupid fantasy for which I apologise.”

[From Identity is the next big thing for payments | Banking Technology magazine]

This isn’t a new rant, but a considered opinion. In fact, I wrote about this last year, round about the time I made some similar remarks at an event at the GSMA, reflecting the fact that I think that mobile operators should have been quicker into the NFC space and with more open models, and that I think banks should have been quicker to develop and implement mobile approaches other than “windows on to the web” or “cut down ATM” solutions.

All of my experience over the last few years has served to reinforce my opinion from those ancient times that it’s much harder for banks and operators to work together than either of them might think. So perhaps this part of the [Booz Allen Hamilton] 2001 vision for 2010 may never become reality

[From Digital Money: Let’s put the future behind us]

The reference to Booz Allen Hamilton, a management consultancy, is because the post was discussing a magazine article by them from a decade ago:  “Why banks and telecoms must merge to surge” from the Booz Allen Hamilton strategy+business magazine that I’d filed away back in 2001. I took some comfort from it, because it meant that I wasn’t the only one who had expected banks and operators to get together, but I was commenting on the cultural factors that meant that it had proved very difficult for them to co-operate effectively.

This has meant that it has taken longer for the infrastructure to develop than he’d predicted, but more importantly, banks are still missing out: only recently, banks in the US had told him that there is no business case for subsidising the installation of contactless readers in retail premises, just as Google was announcing that it will.

[From Identity is the next big thing for payments | Banking Technology magazine]

It is absolutely true that I (as well as a number of other consultants) was at an event with US banks earlier in the year where this opinion was expressed. But there was nothing special about it: the banks had said exactly the same thing in public to retailers.

Representatives of three of the country’s largest banks, Bank of America, Citigroup and U.S. Bank, attended a meeting last month organized by the Merchant Advisory Group… to talk about the new opportunities that mobile technologies, such as NFC, will create for the payments industry. “You know what they (banks) told us? There’s just not a business case right now,” Dodd Roberts, head of the merchant group, said last week

[From Digital Money: Inception]

But back to the 2001 article, which agreed with me about one particular strategic element. That is, that while banks have had a strong hold over payment systems, mobile network operators would be challengers.

Today, banks are at another competitive crossroads. This time the new contenders in financial services are telephone companies, specifically wireless telecoms.

[From Why Banks and Telecoms Must Merge to Surge]

The Booz Allen Hamilton article finishes up by saying that it would be logical for “mega players” such as Vodafone and Citi to combine. This hasn’t happened and I can’t help but observe that Vodafone’s most successful mobile payment service, in fact, probably the world’s most successful mobile payment service, M-PESA, doesn’t involve banks at all except as secure repositories of funds.

So why did my comments about banks and operators working together sound so harsh? It’s because we (Consult Hyperion) have been involved in a number of projects, going all the way back to the Orange/NatWest joint venture, and so have seen at first hand what works and what doesn’t in these relationships. And, yes, things are improving: but it may well be the case that having let a couple of years’ evolution slip away, the idea of the bank/operator partnership as the central organising principle for mobile payments is over. European operators have started to apply for their own Payment Institution licences, while I expect banks to focus more on developing value-adding services for the retailers and consumers and less on the “bare” retail payments (where the downward pressure on transactional fee income will continue).

Incidentally, I wonder if both the banks and the mobile operators held back because they’d been listening to their customers? If you had done a survey of consumers asking them if they wanted an iPod, the day before the iPod had been invented, you would never have launched it.

in an interview with the Daily Telegraph in February 2005. The founder of Amstrad said: “Next Christmas the iPod will be dead, finished, gone, kaput.”

[From Bill Gates and Sir Alan Sugar made some of worse technology predictions of all time – Telegraph]

Predictions are difficult, as the saying goes, especially ones about the future. Of course, you do have to understand what it is that you are predicting, and in many cases people don’t really understand the proper context. This is why I read surveys like these with a raised eyebrow.

Just One-in-Five Brits Currently Interested in Paying by Mobile Phone

[From Just One-in-Five Brits Currently Interested in Paying by Mobile Phone]

Now this might be interesting news if I cared what the public think about anything (I don’t), but I wonder if it’s the sort of thing that causes mass market players to slow down? It caught my eye because it tallies with the revealed consumer preferences of Japanese consumers, where mobile proximity payments are mainstream. Indeed, only around one in five or six people in Japan use their proximity handsets for payments. But then only one in five or six people here pay for things using credit cards (debit cards dominate in Europe) and that’s still a business. The headline intends to be negative, but what it says to me is that the potential for mobile payments is such that ten million people could be using them in the UK in the not-too-distant future, if banks and operators (or someone else?) can come up with the right proposition.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Immobile

There’s something odd about a conference on Mobile Money & Migrant Remittances held in a hotel with no mobile coverage and a $25/day charge for wifi, but despite that I thoroughly enjoyed popping along and meeting up with friends from around the world there. I was on the Strategy Panel covering financial inclusion and this was, coincidentally, the day after I had been quoted in Warren’s “Washington Internet Daily”:

Mobile payment systems are often treated with a lighter regulatory touch than mobile banking, to reach as many users as possible, Birch said. The need to integrate the “unbanked” into society should “tip the value” toward less regulation of low-value transactions, he said.

An entirely accurate representation of my views. A correspondent wrote in response:

Very sensible words! Not sure if you have actually read FATF’s NPM report from October 2010, but it is actually pretty good, and recommends the right thing: a light KYC regime (including no verification) for specific low risk accounts, praising the power of transactions limits and monitoring.

As it happens, I hadn’t read the FATF New Payment Methods report, so I downloaded it to take a look and discovered some surprisingly sensible conclusions. By “New Payment Methods”, or NPM, the FATF means specifically internet payment systems, mobile payment systems and prepaid card products. My correspondent had noted, to my surprise, that some of their conclusions echo my own ranting on the topic: that is, a light-touch KYC regime (including no verification for specific low risk accounts), with attention paid to setting the right transaction limits and appropriate monitoring and reporting requirements. The report is based on a number of case studies, so the conclusions are grounded in practical analysis; however, it must be said that they are probably not statistically utterly sound.

The project team analysed 33 case studies, which mainly involved prepaid cards or internet payment systems. Only three cases were submitted for mobile payment systems, but these involved only small amounts.

Personally, I found many of the case studies in chapter four of the report uninteresting. Yes, in some cases prepaid cards, or whatever, were used as a part of a crime, but in many of the frauds so were cash and bank accounts. One of the case studies concerned the use of multiple prepaid cards by an individual found to have 12 legally-obtained driving licences in different names (and $145,000 in cash). I’d suggest that cracking down on the driving licence issuing process ought to be more of a priority! The issue of access to transaction records is, I think, much more complicated than many imagine. You could, for example, imagine transaction records that are encrypted with two keys — your key and the system key — so that you can go back and decrypt your records whenever you want, but the forces of law and order would need to obtain a warrant to get the system key. Sounds good. But I might not want a foreign, potentially corrupt, government department to obtain my transactions for perfectly good reasons (like it’s none of their business).

The report says very clearly that the overall threat is “difficult” to assess (so some of the rest of it, I think, is necessarily a trifle fuzzy) but also that the anti-money laundering (AML) and counter terrorist financing (CTF), henceforth AML/CTF, risks posed by anonymous products can be effectively mitigated. I agree. And I also strongly agree with the note in chapter three of the report that electronic records give law enforcement something to go on where cash does not. This is something that I’ve mentioned previously, both on this blog and in a variety of other fora, because I think it’s a very important point.

I said that I was not sure that keeping people out of the “system” was the best strategy (because if the terrorists, drug dealers and bank robbers on the run stay in the cash economy, then they can’t be tracked, traced or monitored in any way)

[From Digital Money: Anti-anti money laundering]

The report goes on to expand on the issue of mitigation and, to my mind, deals with it very well. It says that:

Obviously, anonymity as a risk factor could be mitigated by implementing robust identification and verification procedures. But even in the absence of such procedures, the risk posed by an anonymous product can be effectively mitigated by other measures such as imposing value limits (i.e., limits on transaction amounts or frequency) or implementing strict monitoring systems.

Why is this so important? As well as keeping costs down for industry and stimulating the introduction of competitive products, the need for identification is a barrier to inclusion. This link between identification and inclusion is clear, whatever you think about the identification system itself. India is turning out to be a fascinating case study in that respect.

The process would benefit beneficiaries of welfare schemes like old-age pension and NREGA, enabling them to draw money from anywhere as several blocks in Jharkhand have no branches of any bank and would save them from travelling to distant places for collecting money.

[From Unique numbers will save duplication in financial transactions – Ranchi – City – The Times of India]

But I can’t help cautioning that while customer identification is difficult where no national identity scheme exists, where there is a scheme it may give a false sense of security, because obtaining fraudulent identities might be easier than obtaining fraudulent payment services in some jurisdictions or where officials from dodgy regimes (like the UK) are at work…

Prosecutor Simon Wild told the court Griffith abused his position by rubber stamping work permit applications that were obviously fake or forged using false names and references.

[From British embassy official ‘nodded through scores of visa applications’ | Mail Online]

For low risk products, then, the way forward is absolutely clear: no identification requirements, potentially strong authentication requirements and controlled access to transactions records. One small problem, though, that the report itself highlights: there are no uniform, international, cross-border standards for what constitutes a “low risk” product. But that’s for another day.

Finally, I couldn’t help but notice that the payment mechanism that scored worst in the high-level risk table (on page 23), and therefore the one that FATF should be working hardest to crack down on, is cash.

P.S. I apologise to the conference organisers for my radio silence during the event, but I belong to the #canpaywontpay tendency: I can afford $25/day for wifi (since I’m not paying, I just expense it to the company) but I won’t pay it, because it’s outrageous. No wifi means no twitter, no blog, no buzz. That’s not how conferences should be in 2011.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Bringing home the bacon

There’s a lot going on in the world of payments in Denmark, sparked in part by SEPA, but with other factors as well. Many people think only of Denmark in terms of its principal exports — such as bacon, Lego and sperm — but it means only one thing to me: Danmont, the first of the European smartcard-based e-purses to try and take on cash half a generation ago.

In a statement, PBS says Danmont has not been adopted by the Danes as a preferred way of making small payments… the debit card Dankort has taken over from Danmønt in areas where the e-purse was formerly used as a form of payment. The scheme will continue to operate until 31 December 2005.

[From Finextra: Danish e-purse Danmont to close]

Now everything is changing again, because the domestic debit scheme can no longer discriminate against “foreign” cards and there needs to be a new national payment strategy. This is why it’s such an interesting time there and why I was so delighted to be invited by the Copenhagen Finance IT Region, a “cluster organisation” with 13 partners including the Danish Bankers Association, to come and talk at their event looking at the future of money. I was invited along with Alberto Jiminez, the Mobile Payments Global Leader at IBM, and Roslyn Layton from KLEAN, a Danish consultancy. Alberto was talking about mobile, Roslyn was talking about the internet, and I was talking about mercantilism, Kublai Khan and Facebook Credits. Here we are in the Tivoli!


Alberto divided the world into developed (North America, Western Europe, South Korea, Japan, Australia and New Zealand) and developing payment markets, a simpler model than the “quadrants” that we use at Consult Hyperion. Anyway, he pointed out that in the developing countries where there are real opportunities only a handful (Kenya, Philippines, South Africa, Pakistan, Uganda) have reached scale, which he defined as being more than a million users. He explored the benefits of opening up mobile payment markets which, in the IBM model, fall into three categories: the revenue opportunities, cost savings and the “indirect” benefits. This last category — which includes social inclusion, government agendas, brand benefits and so on — I find really interesting, probably because it’s the least understood. He also mentioned government agendas, something that has come up in a few recent discussions that I’ve been involved in.

In her talk, Roslyn touched on one of my very favourite topics, which is the online games business and the growth of what she called “funny money”. But she was also talking about the permeable boundary between loyalty schemes and pseudo-currency. In particular, she drew attention to a Lufthansa “Miles & More” scheme that lets you trade in your frequent flier miles for a cash management account (CMA) that can contain both securities and deposits. She also drew attention to the relative size of some markets: online games are a $15 billion business at the moment, sure, but premium SMS (as Tomi never tires of reminding me!) is a $23 billion business and online gambling is a $35 billion business. Great stuff. She finished up, though, by saying that we won’t go to an entirely virtual economy, because people ultimately want to keep their money in banks.

Well, up to a point. There’s a big difference between keeping money in the bank and keeping bank money, one of the points I tried to bring out in my discussion about the “ages of money” and the shifting implementation of the functions of money. I’ve included the slides below for anyone interested.

I think the main point that I was trying to get over was that while new technology means real change in payments, it also means real change in money itself. All in all, a really enjoyable event, where I learned a lot and had fun too. Many thanks to everyone involved.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

An idea for the Independent Commission on Banking

The Independent Commission on Banking recently published an interim report on their Consultation on Reform Options. This interim report raises the subject of bank account number portability. Section 5.17, to be specific, says that:

Beyond improvements to the existing system, full account number portability would enable customers to change banking service providers without changing their bank account number. This would remove the need to transfer direct debits and standing orders, which remains the main area where problems may arise. In the past, portability has been rejected as overly costly, but if no other solutions appear effective and practicable, it should be reconsidered to see if this remains the case given improvements in IT and the payments system infrastructure.

It seems reasonable for the Commission to wonder why customers cannot port their account number from one bank to another the way that they can port their mobile phone number from one network to another. That seems a plausible request for 2011, but phone numbers and account numbers aren’t quite the same thing. A phone number is an indirect reference to your phone (well, your SIM card actually) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When you turn on your phone, essentially, your SIM tells your mobile operator which phone it is in and then “registers” with a network. I am writing this in Singapore, where I just turned on my iPhone, so now my O2 SIM card is registered with Singtel. When you call my number, O2 will route the call to Singtel, who will then route it to my phone. But how does the call get to O2 in the first place?

In most developed nations there is what is called an “All Call Query” or ACQ system: there is a big database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated. Note that for reasons that are too complicated (and boring) to go into here, in the UK there is a different scheme, known as indirect routing, whereby when you dial my phone number 07973 XXXXXX it is routed to Orange (because that’s where all 07973 numbers originated from) and then Orange looks the number XXXXXX up in its own database to see where to route the call to (in this case to O2). This is why calls to ported numbers in the UK take longer to connect than they do in other countries.

It’s entirely possible to envisage a similar system working for banks, whereby we separate the equivalent of the mobile phone number — let’s call it the Current Account Number (CAN) — from the underlying bank account and have an industry database that maps CANs to IBANs. This database would be the equivalent of the ACQ database. (I rather like the branding too: if the banks decided to operate this cross-border, they could label it the international current account number, or iCan.) So the bank sends your salary via FPS to the iCan, and the database tells FPS which actual IBAN to route it to. No matter which bank accounts you use or change to throughout your employment, the employer always sends the salary to the iCan and thus reduces their own costs.

There is an analogy to this in the way that some of the new contactless payment cards work. In the US, American Express credit cards give up what is called an “alias PAN”. The PAN, or primary account number, is the 16-digit number on your credit card. When you use your Amex card via contactless, the 16-digit number it gives up is not the actual PAN but an alias PAN. Only Amex know which actual PAN this alias PAN refers to. The advantage of doing this is that if criminals get hold of the alias PAN, they can’t use it to make a counterfeit magnetic stripe card, because the alias PANs are only valid for the contactless cards (which they can’t counterfeit, because the contactless cards have computer chips in them).

In the UK, we route by sort codes. Any account number beginning 20- is known to be Barclays, so a payment switch will send the payment through to Barclays. We might decide, say, that sort codes beginning with 00 are iCans. When you get your first bank account, the bank sets up the IBAN and iCan. For your salary, direct debits, standing orders and so forth, you give the iCan. BACS and FPS will be told about iCans, so when a payment to an IBAN beginning “UK00-” enters one of those systems, they go to a shared database and look up the IBAN to route the payment to.

The advantages of this are that banks would not have to do anything with their existing systems, because the iCans will always be translated into IBANs by the time they reach their systems.
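The routing scheme described above, as an added sketch that is not code from the original post or from any payment scheme: a switch routes by sort-code prefix and translates "00" aliases through a shared directory before delivery, so the receiving bank only ever sees a real account. The identifier format, the New Bank prefix 77, all account numbers and the authentication flag on porting are assumptions made for the example.

```python
"""Sketch of the iCan routing idea: a payment switch that routes by sort-code
prefix and resolves "00" aliases through a shared directory. Every identifier
and prefix except 20 (Barclays) and 00 (iCan) is constructed for the example."""

ICAN_PREFIX = "00"                    # the post's suggestion: sort codes starting 00 are iCans
BANK_BY_PREFIX = {"20": "Barclays",   # from the post
                  "77": "New Bank"}   # constructed


class RoutingError(Exception):
    """Raised when a payment cannot be routed safely; the switch rejects it."""


def prefix(identifier):
    return identifier[:2]


class ICanDirectory:
    """Shared industry database mapping each iCan to exactly one real account."""

    def __init__(self):
        self._target = {}

    def register(self, ican, account):
        if prefix(ican) != ICAN_PREFIX:
            raise ValueError("not an iCan: " + ican)
        if ican in self._target:
            raise ValueError("iCan already registered: " + ican)
        self._set(ican, account)

    def port(self, ican, new_account, customer_authenticated):
        """Repoint an existing iCan when the customer switches bank."""
        if not customer_authenticated:   # assumption: porting needs an authenticated customer
            raise PermissionError("porting requires an authenticated customer")
        if ican not in self._target:
            raise KeyError("unknown iCan: " + ican)
        self._set(ican, new_account)

    def _set(self, ican, account):
        # An alias must point at a real, routable account, never at another
        # alias, otherwise resolution could loop or hide the final destination.
        if prefix(account) == ICAN_PREFIX or prefix(account) not in BANK_BY_PREFIX:
            raise ValueError("target is not a routable account: " + account)
        self._target[ican] = account

    def resolve(self, ican):
        try:
            return self._target[ican]
        except KeyError:
            # Fail closed: an unknown alias is rejected, never guessed at.
            raise RoutingError("unknown iCan: " + ican) from None


def route(destination, directory):
    """Return (bank, account) for a payment, translating iCans before delivery."""
    if prefix(destination) == ICAN_PREFIX:
        account = directory.resolve(destination)
    else:
        account = destination
    bank = BANK_BY_PREFIX.get(prefix(account))
    if bank is None:
        raise RoutingError("no bank for sort code prefix " + prefix(account))
    return bank, account


def demo():
    """The payer keeps sending to the same iCan before and after a bank switch."""
    directory = ICanDirectory()
    directory.register("00-00-01 00000042", "20-11-22 12345678")
    before = route("00-00-01 00000042", directory)
    directory.port("00-00-01 00000042", "77-33-44 87654321",
                   customer_authenticated=True)
    after = route("00-00-01 00000042", directory)
    return before, after


if __name__ == "__main__":
    print(demo())
```
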

The disadvantages are that the public might not understand what is going on and, since they don’t change bank accounts that often, they might not bother to find their iCan and tell their employers, utility companies and others. It doesn’t deliver enough value to them, so we need to find some way of bundling the iCan to find more ways to use it to the benefit of stakeholders. One idea might be to create some kind of Financial Services Identifier, or FSI, which is an index not only to the iCan but to other data as well. If this meant an increase in consumer convenience, then it would spread by itself and take the iCan with it.

To see how it might work, consider my household. I rather belatedly decided to remortgage in order to abandon my outrageous fixed rate and obtain a base rate plus variable rate mortgage just in time for interest rates to rise again (I know nothing about personal finance). I went along to Barclays, my bank of 33 years, to apply and they sent me a multi-page form to complete. I was unable to uncover a single question on this form that they didn’t already know the answer to. Yet I had to fill it out and they had to type it in. What a waste of time and money.

Similarly, when I applied for the most middle-class of all financial instruments, the John Lewis MasterCard with cashback in the form of Waitrose vouchers, I went off to their web site and filled some stuff out and it said something like “congratulations, you’re accepted”. My happiness was short lived, as it soon became apparent that they weren’t going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in homage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month’s bank statement, a handy identity theft kit all in one. Coincidentally, she also had to post off her driving licence because of a speed camera ticket, and it never came back. Foreign readers might be puzzled at this Victorian process, but it’s because British driving licences have a paper supplement on which (I’m not making this up) the police write your speeding points. Such is the state of our identity infrastructure in 2011.

All of this is ridiculous in this day and age. Once someone is “known” to the British, or perhaps even European, financial services industry then there should be no need to go through all of this nonsense every single time they come into contact with the industry again.

In the world of payments, a related discussion has sprung up. This is the discussion about Legal Entity Identifiers (LEIs) that has been going on recently. Many interbank payment messages have account identifiers only, and some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).

A global standardized Legal Entity Identifier (LEI) will help enable organizations to more effectively measure and manage counterparty exposure, while providing substantial operational efficiencies and customer service improvements to the industry … The LEI Solution is a capability that will help global regulators and supervisors better measure and monitor systemic risk.

[From Legal Entity Identifiers: An Emerging Risk Management System]

I’m sure I’d heard somewhere before, possibly at the International Payment Summit, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that’s no longer the case. Fabian Vandenreydt, the new Head of Securities and Treasury Markets at SWIFT, recently said that the International Standardization Organization’s Technical Committee 68 (ISO TC68) has concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch but ISO TC68 want what we nerds call an MBUN (a “meaningless but unique number”).

I don’t think this is the way forward for people, though. LEIs are unique corporate identifiers: a corporate identity has one, and only one, LEI. Fortunately, or unfortunately, depending on your view, there is no unique identifier for British persons (and nor is there likely to be under the present administration), nor Europeans, nor citizens of the world. And I don’t think we would want the financial services industry to develop its own sort-of-identity card scheme. We just want a simple, portable, pointer to a person that can be used to index into their KYC’d persona.

The easiest way to do this would be to assign a unique financial services identifier (FSI) to a person or other legal entity the first time that they go through a KYC process. I might have the FSI “citizendave!barclays.co.uk”, for example. Once someone has one of these FSIs, then there would be no need to drag them through “know your customer” (KYC) again. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. Imagine the simplicity of applying for in-store credit for that new sofa by just giving them your FSI and watching the application form magically populate by itself on screen.

It doesn’t matter if a person has multiple FSIs, because each FSI will have been obtained as the result of a KYC process. If the FSI Directory ends up with two “Dave Birch” entries, so what? It’s not an ID card scheme, it’s a “save money for the financial services sector and make life easier for consumers” scheme. And it wouldn’t matter either if both of my FSIs point to different iCans: I might, for example, have a personal persona and a small business persona — let’s say citizendave!barclays.co.uk and citizendave!rbs.co.uk that point to my personal and my small business accounts — and I want to use them for different purposes.

Picture this. You are fed up with the appalling service you get from your bank, so you walk into a branch of New Bank. You ask to open an account, and are directed to the ATM in the lobby and asked to request a balance from your existing current account. You put in the card and enter the PIN. While the ATM is carrying out the balance enquiry, the FSI (obtained from your card) is sent to the Directory and within a couple of seconds both your account balance (from your bank) and your picture (from the FSI Directory) are on the screen. The New Bank agent presses a button and a pre-filled application form is printed out for you to sign and, once you have, the existing system for transferring accounts is triggered.

There might be another useful spin-off from the FSI as well. Suppose you could designate a default account against the FSI: generally speaking, your iCan, but it could also be a prepaid account somewhere, or your PayPal account or whatever. Then someone could send you money by giving your FSI: no need to type in names, sort codes, account numbers. Anyone could pay anyone by entering the FSI into the ATM, or their internet banking screen, or (most likely) their mobile. You might get used to storing FSIs in address books. There’s nothing secret about them, and because every use of an FSI would require two-factor authentication, no-one can do anything with your FSI just by knowing it (except send you money).

For this to work, then, there needs to be some way for a customer to prove that they are, indeed, the person referenced by the FSI. There’s no need to invent anything new for this: banks could use CAP/DPA, some third-party service (which in a rational world would be provided by mobile operators) or their own app to do the authorisation. We have everything we need to deliver the results that the Commission wants: step 1 create the iCan, step 2 create the FSI, step 3 operate a more efficient, more effective and more convenient banking system.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

