Are 97% of mobile transactions in Asia fraudulent?


Recently I saw this article suggesting that 97% of mobile transactions in Asia are fraudulent. Can this really be true? I decided to investigate.

The article highlights an excellent report published by Secure-D looking into mobile ad fraud, which it appears is a largely hidden multi-billion dollar enterprise, impacting emerging markets in particular. As you might expect with an enterprise of this size it is multi-faceted and complex. Two of the ways fraudsters are making money are as follows:

  • Fake clicks: The internet runs on advertising revenues obtained when a user clicks on an ad in a mobile app or on a web page. Fraudsters have numerous ways to create fake clicks that look like they’ve come from a real person, and then be paid the associated fee. One way that they do this is by deploying malicious apps to the devices of unsuspecting users, often disguised as a legitimate app offering an innocuous service like providing weather information.
  • Hidden purchases: Many mobile users in emerging markets are unbanked and use their prepaid mobile airtime to purchase goods or services. Those malicious apps deployed to devices can also then siphon off funds from users without them realising it is happening. They just see their airtime running out more quickly than it otherwise might.

Who would have ex-Spectre-d this?

At Consult Hyperion we’re always interested in the latest news in cyber security and, in case you haven’t heard, 2018 has started with the news that most processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and are caused by common optimisations built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it could affect any operating system. It’s likely the machine you’re reading this on is affected – whether it’s running Windows, macOS, iOS, Android or is in “the cloud”!

At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS). This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets which may include passwords, keys or possibly payment data, present in processor caches or memory.

I’m not going to discuss how the vulnerabilities achieve what they do (there are plenty of sites which attempt to do this); I’d rather consider their impact on people, such as our clients, who may be handling sensitive data on mobile devices – e.g. payments, banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.

So, what can be done about it? The good news is that whilst the current processors cannot be fixed, several operating system patches have already been released to try and mitigate these problems.

However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the issue has changed from it only affecting Intel processors, to now including AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, there may be additional vulnerabilities discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.

It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:

1. You must have a vulnerable processor (highly likely)
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device

For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.

Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.

For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.
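One way to check condition 2 (a vulnerable, unpatched OS) on a Linux host, as an added example that is not part of the original post: since kernel 4.15 the kernel publishes one status file per issue under /sys/devices/system/cpu/vulnerabilities/, and the script below classifies those reports. The sample file contents embedded for offline use are constructed, not taken from a real machine.

```python
"""Read the kernel's own Spectre/Meltdown mitigation report and decide whether
the 'vulnerable OS (unpatched)' condition from the post still holds.

Linux 4.15 and later (including the Linux kernel under Android, where the
vendor kernel exposes the interface) publish one file per issue under
/sys/devices/system/cpu/vulnerabilities/. Each file holds a single line:
  "Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>".
"""
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# The three issues the post names; these are the kernel's file names for them.
ISSUES_OF_INTEREST = ("meltdown", "spectre_v1", "spectre_v2")


def classify_status(text: str) -> str:
    """Map one sysfs status line to a coarse class."""
    line = text.strip()
    if line == "Not affected":
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised text: flag for a human look, never assume safe


def assess(statuses: dict[str, str]) -> dict:
    """statuses maps issue name -> raw file contents.

    Returns the per-issue class, the issues still reported as Vulnerable,
    the issues with no usable report, and whether condition 2 holds.
    A missing file (older kernel, or a vendor kernel without the interface)
    is reported as 'unknown' rather than silently treated as mitigated.
    """
    per_issue = {}
    for issue in ISSUES_OF_INTEREST:
        raw = statuses.get(issue)
        per_issue[issue] = "unknown" if raw is None else classify_status(raw)
    unpatched = sorted(i for i, c in per_issue.items() if c == "vulnerable")
    needs_review = sorted(i for i, c in per_issue.items() if c == "unknown")
    return {
        "per_issue": per_issue,
        "unpatched": unpatched,
        "needs_review": needs_review,
        "os_condition_met": bool(unpatched),
    }


def read_sysfs(directory: Path = SYSFS_VULN_DIR) -> dict[str, str]:
    """Read whatever status files exist; empty dict if the interface is absent."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


# Constructed sample contents (not from a real machine), in the format the
# kernel emits, describing a host that has the Meltdown fix but not Spectre v2.
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    result = assess(live if live else SAMPLE_STATUSES)
    print("source:", "live sysfs" if live else "constructed sample")
    for issue, cls in result["per_issue"].items():
        print(f"  {issue:12} {cls}")
    if result["os_condition_met"]:
        print("condition 2 holds; kernel still reports:", ", ".join(result["unpatched"]))
    if result["needs_review"]:
        print("no usable report for:", ", ".join(result["needs_review"]))
```

Run on a machine without the sysfs interface it falls back to the constructed sample, so the fallback output says nothing about that machine's real status.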

A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android – for example, Google’s latest information (https://developer.android.com/about/dashboards/index.html – obtained 5th January 2018 and represents devices accessing the Google Play Store in the prior 7 days) shows that for the top 81% of devices in use:

• 0.5% of devices are running the latest version of Android – Oreo (v8.0, released August 2017)
• 25% are running Nougat (v7.x, released August 2016)
• 30% running Marshmallow (v6.0, released October 2015)
• 26% running Lollipop (v5.x, released November 2014).

It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.

If you compare to iOS, it’s estimated (https://data.apteligent.com/ios/) that less than a month after it was released in December 2017, over 75% of iOS devices are already running iOS 11.

The final requirement is Point 3 – getting malicious code onto your device. This could be via a malicious application installed on a device; however, the malicious code could also come via a website, as it’s been shown that even JavaScript sandboxed in a browser can exploit these vulnerabilities. As it’s not unheard of for legitimate websites to unwittingly serve up 3rd-party adverts which contain malicious code, a user doesn’t have to be accessing malicious websites for the problem to occur. Several browsers are receiving patches to try and prevent Meltdown and Spectre working via this route. Regarding malicious applications, we’d always recommend that applications are only ever installed from legitimate sources; however, malicious apps still regularly appear in legitimate app stores, so this is not foolproof.

Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers – these applications should already be including protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.

If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving on to the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system – something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack to have been possible, let alone something which needs to be actively mitigated.

Cash means a lot of baggage

With my feet up and a cup of tea, I was relaxing reading David R. Warwick’s “The Case Against Cash” in the July edition of “The Futurist” magazine. He notes that of the $829 billion in US currency “in circulation”, two-thirds is outside the US. According to the Boston Fed, the average US consumer has only $79 about their person, with another $157 at home or in the office. Say $200 each for 200 million consumers, that comes to only $40 billion. Even if you calculate it at $300 each for 300m consumers, that’s still only $90 billion, which would imply that about two-thirds of the cash in the US is unaccounted for, a figure that tallies well with more detailed calculations made for some European countries. That means that if the US is as law-abiding as, say, Norway, then there’s about $200 billion of cash in the US that is only used for tax evasion, crime, money laundering and so on.

Mr. Warwick says that the biggest single benefit of the abolition of cash in the US will be the elimination of cash robberies, which cost the country about $140 billion per annum. This may be so, but personally, I think that the greatest benefit will be what he puts second on the list: financial inclusion. People trapped in a cash economy are not only discriminated against (because they pay the highest transaction costs) but they cannot get on the financial services ladder. They have to take payday loans instead of bank loans, use cheque-cashing services and so on. Helping these people on to that ladder is a very positive outcome for the electronic payments industry (assuming that it can deliver the low-cost products that are needed to do this).

Naturally I sympathise with Mr. Warwick, but I don’t hold out much short term hope for the US getting rid of cash, although I can see that there are some interesting ways to make progress. A correspondent wrote, kindly, in response to a recent post I made about the role of e-payments in reducing cash evasion.

In addition to strict regulations that require POS technology to retain sales records (and criminal liability if they are found to be tampered), the Brazilian state of Sao Paulo created a program called “Nota Fiscal Paulista” which works by consumer demand. It encourages consumers to ask for their receipts, which pressures the business into declaring their sales taxes to the state tax collector. At year’s end the consumer gets a share of their taxes paid returned to them, as well as an entry in a larger lottery. I’ve had family members win sizeable pots simply for opting in to this receipt at check out.

Many merchants really dislike this scheme, presumably because it works, but they are obliged to offer it because of consumer pressure. There’s another similar scheme in Korea, whereby merchants who take more than some threshold (75%?) volume of their transactions electronically rather than in cash get a tax break. The government has presumably calculated that reducing tax evasion from cash sales more than makes up for the revenue reduction from the tax break. Perhaps in these straitened times the US tax authorities might begin to make similar calculations.

However, while the US may not be able to get rid of cash domestically — more’s the pity — it could at least start trying to get rid of cash in some other theatres. Perhaps a good place to start might be somewhere where, unlike America, there is a viable mobile phone-based alternative to cash: Afghanistan, where the M-PAISA scheme is up and running.

Electronic payments, if implemented properly, can bring transparency as well as efficiency. And transparency can have some unexpected consequences. Look what happened when the M-PESA service was launched in Afghanistan (as M-PAISA) and used to introduce efficiency into the process of salary payments for civil servants…

[From Digital Money: Cash does have some unique properties]

Another factor pointing to Afghanistan as the nexus for such an experiment is that the campaign against cash there may be able to co-opt a pretty powerful ally: the US military.

For the past few years the military has been striving to replace its cash transactions with electronic fund transfers and debit card payments in the hopes of achieving a “cashless battlefield,” in the words of Peter Kunkel, a former assistant secretary of the Army.

[From Turn In Your Bin Ladens – NYTimes.com]

Right now, the battlefield is only cashless because all of the cash is being spirited away as soon as it arrives and (I’m sure) to no good purpose — as I heard our (former) man in Kabul Sherard Cowper-Coles pointing out on the BBC’s Start the Week programme recently — and there doesn’t seem to be any way to keep it in place.

Last month, a well-dressed Afghan man en route to Dubai was found carrying three briefcases stuffed with $3 million in U.S. currency and $2 million in Saudi currency, according to an American official who was present when the notes were counted. A few days later, the same man was back at the Kabul airport, en route to Dubai again, with about $5 million in U.S. and Saudi bank notes.

[From Officials puzzle over millions of dollars leaving Afghanistan by plane for Dubai]

I love the title of the article, don’t you? It doesn’t seem that much of a “puzzle” to me.

Cash declaration forms filed at Kabul International Airport and reviewed by The Washington Post show that Afghan passengers took more than $180 million to Dubai during a two-month period starting in July. If that rate held for the entire year, the amount of cash that left Afghanistan in 2009 would have far exceeded the country’s annual tax and other domestic revenue of about $875 million.

[From Officials puzzle over millions of dollars leaving Afghanistan by plane for Dubai]

There really ought to be more upset about the havoc that these billions of US dollars cause by not merely facilitating but actively encouraging corruption on such an enormous scale, yet even at the very highest levels there’s no sense (that I can find) of outrage. In fact, everyone (except taxpayers, presumably) seems quite happy with the seigniorage-powered status quo.

Karzai said cash transactions are quite normal and then-President George W. Bush was aware of the Iranian donations. The United States supposedly gives him bags of cash as well.

[From BlogPost – Karzai’s bags of cash a conundrum for the U.S.]

Interestingly, when he says “bags of cash” he isn’t speaking metaphorically: they actually do give him bags of cash, as do the Iranians apparently. I don’t think any of them are going to get behind my campaign to reduce the use of cash to the great benefit of society as a whole.

Suspicions of corruption in the Afghan government, with one cable alleging that vice president Zia Massoud was carrying $52m in cash when he was stopped during a visit to the United Arab Emirates.

[From US embassy cables leak sparks global diplomatic crisis | World news | The Guardian]

Not mobile phone top-up vouchers or open-loop prepaid cards or high-street vouchers, but FIFTY TWO MILLION GREENBACKS. That made me wonder about his baggage allowance. How much would $52m weigh? Could you fit it in cabin luggage or would you have to check it? After all, 520,000 $100 bills take up a fair bit of space. I seem to remember from a previous discussion that a cereal box can hold $500,000, so we’re talking about 100 cereal boxes at least.

In reality, restricting ourselves to $100 bills, the maximum is only $450,000 (the New Jersey ne’er-do-wells didn’t pack optimally!).

[From Digital Money: Has cash jumped the shark?]

I don’t think you could fit 100 cereal boxes in the two checked bags that you’re allowed on British Airways, but I suppose vice presidents are allowed a couple more. But back to the point, which is…

Why does the world need 1 billion $100 bills? Indeed, why does the U.S. continue to print C-notes at all?

[From Hundred-dollar bills are for criminals and sociopaths. Why do we still print them? – By Timothy Noah – Slate Magazine]

Look, I’m not making any sort of political point about Afghanistan, I’m arguing this general point. The US should cease printing $50 and $100 bills immediately. They have no function in supporting commerce.

And it’s not just that carrying around cash is inconvenient and time consuming. These days, one of its main functions is to finance the black economy: drug deals, counterfeiting, under-the-table employment and other nefarious activities. Because cash is anonymous, people can easily opt out of the taxable economy – leaving the rest of us to pick up the tab for their use of public services. Remove cash entirely, and you make it far more difficult to avoid tax, not to mention discouraging criminal activity.

[From I’m dreaming of a cashless Christmas – Telegraph]

I’ve written before about a current example of large amounts of cash making a problem (that no-one would claim is caused by cash) significantly worse.

Ransoms are paid in cash, partly because Somalia has no functioning banking system, and partly to hamper American anti-money-laundering investigators

[From Piracy: No stopping them | The Economist]

I have to say that this piracy is looking more and more like a viable career option to me. It is very well remunerated and there appears to be much less chance of going to jail than in, say, investment banking or management consultancy.

Of the 650 Somali pirates caught since late 2008, 460 have already been released, according to Lloyd’s Market Association

[From Prime Numbers: The Pirate Den – By Bridget Coggins | Foreign Policy]

The English have a proud history of piracy, so I think I’d fit right in. Avast ye landlubbers!

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Why use contactless?

The results from the first couple of years of contactless payments use in the UK show that, as expected, contactless is being used as cash replacement for small transactions.

The average value of a contactless transaction is only £4.93.

[From Tap-and-go is on the move to a shop near you | Mail Online]

It’s not always used simply because of the convenience, as one commentator noted in the comments on this story:

I have switched to using the contactless payment method to purchase sandwiches at shops such as Pret A Manger and Eat mainly because I am fed up with them offloading their fake pound coins on me in their change

[From Tap-and-go is on the move to a shop near you | Mail Online]

Bizarrely, I was thinking about this the other day. I parked in Derby, which is in the Midlands, and when I returned to the car the local council wanted to charge me £11.20. In some kind of homage to Derby’s past, the machine didn’t take cards or mobile payments, so we were reduced to emptying out our pockets, rummaging in the glove compartment and searching the floor of the car for change. Fortunately, my fellows had plenty of pocket change. But when we started feeding it into the machine, four out of the ten £1 coins we had amassed were repeatedly rejected, presumably because they were fake. I’d never really thought that the avoidance of fake currency would be part of the retailer’s business case, but I need to revise my opinion!

But what is the business case? Is it just about payments? For some kinds of retailers, the convenience of contactless payments makes sense only when it is also part of some bigger model, generally involving value-added propositions such as loyalty. This was recognised by Bling Nation, when they decided to refocus on the loyalty side of things…

John Paul Coupa of Coupa Café has the system in all three of his northern California locations. “It gets used a lot,” says Coupa, “(even) more than American Express.” Coupa recently implemented the FanConnect system.

[From ContactlessNews | Contactless payment scheme enables loyalty via Facebook]

In Northern California, then, things look good. But on the other side of the country, on the apparently more conservative east coast, the results were quite different.

Other merchants have not enjoyed the same level of success. Charles Savas, president of Center Beverage in Stoneham, Mass., got rid of the system after just three months. “They were going to charge me $40 a month,” he says, “and I only had $35 in sales for the first three months.”

[From ContactlessNews | Contactless payment scheme enables loyalty via Facebook]

A mixed picture. But does any of this early experience matter? If contactless is important only as the rails for mobile to run on, then the early feedback from the contactless card deployments doesn’t really matter. It doesn’t tell us anything about the mobile future, does it?

These, and related topics, will be discussed at Contactless Cards and Mobile Payments in London on 20th and 21st June at the Kensington Hilton. I’m chairing the event on 21st and look forward to seeing you all there. And guess what? The utterly splendid people at SMi have given me a two-day delegate pass worth an astonishing ONE THOUSAND TWO HUNDRED AND NINETY NINE POUNDS to give away on this blog as a competition prize. So if you are going to be in London on those dates and you’d like to come along to learn more about the world of contactless, all you have to do is be the first person to respond to this post with the current maximum payment value for “no PIN” contactless payments in the UK.

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been designed to be carbon neutral. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

News from the bunker

The government is battening down the hatches and repelling all boarders, even if they have e-tickets. And not before time!

Foreign intelligence agencies are carrying out sustained cyberattacks on the UK Treasury, targeting it with malicious emails and programs designed to steal information, the Chancellor, George Osborne, has revealed. He said that government systems are the target of up to 20,000 malicious emails every month

[From Osborne: Treasury under sustained cyberattack | Technology | guardian.co.uk]

And that’s not counting the ones from taxpayers, I imagine. Setting aside how ludicrous and meaningless this figure is, there is nonetheless a serious point. If Son-of-Stuxnet crashes the Treasury, that might well be a net benefit to the economy, but if it crashes the electricity distribution network, even I won’t be laughing. We need effective cyberdefences. So what should the authorities do to bolster these defences? I would have thought that having some kind of working identity infrastructure might be a first step, and in that respect things haven’t been going too well in the UK.

The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.

[From Henry Porter – Home Office suppressed embarrassing ID cards report]

The report says that there were no specifications for usage or verification (which we knew – this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) “it is likely that European travel” will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed out, what the Identity & Passport Service (IPS) delivered was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it “Passport Plus” and selling it to frequent travellers (eg, me) as a convenience, an idea that really should have been taken more seriously by the coalition administration.

As an aside, the report also says (in section 5.5) that the “significant” number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.

The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).

[From Home Office suppressed embarrassing ID cards report – 1/7/2011 – Computer Weekly]

How did it all go so wrong? Liam Byrne was supposed to know something about IT as he used to work for Accenture, as did James Hall (Joan Ryan was a sociology teacher who later became famous for claiming more than £170k/annum in expenses). All in all, it was a pretty disastrous period for those of us who think that identity infrastructure is crucial to the future of UK plc, let alone the UK government. This is not to say, despite all of the evidence (including today’s fascinating FT piece on the UK government’s equally disastrous NHS infrastructure project), that the UK is uniquely hopeless at developing identity infrastructure for the 21st century.

Thai citizens who applied for their first national identity card or who applied to have their ID card renewed, have been issued with a yellow slip instead of the new microchip-embedded “smart” cards. The reason behind the problem is that the Interior Ministry refused to accept the new “smart” cards which were supplied by the Ministry of Information and Communications Technology, claiming that they did not meet the prescribed specifications stipulated in the ministerial regulation.

[From Bangkok Post : The silly saga of ‘smart’ cards]

Now, this may seem funny, but I ought to point out in the interests of international balance that there are, right now, in 2011, many people walking around branches of the British government with printed pictures of smart cards hanging around their necks. Yes, that’s right: pictures of smart cards, rather than actual smart cards. I’m afraid our cyberdefences are more a cyber home guard at the moment.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Prepaid could be, should be, great

At the risk of turning into the Victor Meldrew of retail payments, I want to make a point about something. When I wrote about some bad experiences with contactless a couple of weeks ago, I did it because I genuinely care about this stuff, and I genuinely want the contactless experience to get better. I don’t think the blog would be useful, particularly to my colleagues in the industry who read it, if it never contained criticism, so long as that criticism is well-founded and honest. Similarly with prepaid. I really like prepaid, I really want it to succeed and I really get upset when it doesn’t work as well as it should.

Prepaid is growing. In the last five years, the volume of card transactions in Europe has grown about 9% per annum but the value has grown 7% per annum (because the average transaction size has fallen) and most of that growth has actually come from prepaid cards [F. Burelli. “Profitability dynamics of card payments” in Nordic Card Markets, Stockholm (Jan. 2010)]. Looking forward, the outlook appears to be pretty rosy. Yet I can’t help feeling that prepaid isn’t where it should be. My recent experiences with prepaid have been pretty good. I had a Visa prepaid card (which has just expired) that we were using as our “house” card at home: the kids used it when they needed to run to the supermarket or buy stuff for school. It had a simple web interface, I could see what they had been spending the money on and I could easily top it up from my debit card. Best of all, it didn’t have a name on it, so if they lost it then no-one could use it in shops (because it’s a chip and PIN card) or online (because they wouldn’t know the name or address associated with the card). Now that it’s expired, I got my eldest to go and get an Orange Cash card which annoyingly has a name on it (review to be posted shortly), so we’ll see if that can take over as house card.

But I digress. Right now, I am annoyed with prepaid. Just as I was leaving for the airport, I remembered that I had less than $100 on my Travelex US Dollar prepaid card. As I was going to be in the US for a few days, I’d need a bit more to cover meals etc so I decided to load a couple of hundred more dollars. Now, obviously I wasn’t going to bother to do that at the airport given the palaver I went through last time: I had £50 in cash in my pocket and I stopped at a Travelex booth in Heathrow to add it to my card and it took about a quarter of an hour and involved taking photocopies of my passport, the card, the receipt as well as answering security questions. The process was, presumably, designed to drive up the cost of prepaid cards to keep them beyond the reach of the poor.

Naturally, I thought that there would be some way to top up online, so I entered my 16-digit card number, my username and password and logged in to my cash passport account, only to find that there is no option for reloading (only for changing PIN and looking at transaction history). I went back to the home page and found that there’s a separate option for reloading. I clicked that, and was asked to enter the first six digits of my card number. This took me back to the account screen. I went back round again, and somehow found another link (I can’t remember what it was now) that asked me for the first six digits again and then took me to a reload screen. I entered the number of my Visa card, my address, the CVV and the amount, and was met with a screen saying tough luck.


I wondered if it might be something to do with credit vs. debit, so I went round the loop again, this time using my Visa debit card instead. After typing in the amount, card number, address, CVV again, I got the same results. Much against my better judgement I decided to call, so I phoned the (mercifully) free phone number on the back of the card. I stupidly chose the option for speaking to an operator, and the line just went dead. So I dialled back and chose account services and then something else and then talk to an operator. I was shocked when a woman answered. After giving her my (I’m not making this up) card numbers, address, name, date of birth and a couple of other things, she put me through to another chap who said he would top up the card. I asked him if it was possible to do it via home banking and he said that it was and that he would e-mail me the details. After asking some more security questions, I started to give him my debit card number and he stopped me and said that he first had to check whether I was on the electoral roll at that address. I gave up, grabbed my BA Amex card and my John Lewis MasterCard and my Visa OnePulse and jumped in the cab.

All the way to the airport I was wondering why it was all so complicated. Why can’t I load via the ATMs at the airport, or using an app on my iPhone, or by PayPal? Prepaid should be a simple, inexpensive alternative to cash, not something that has you jumping through hoops! When I got to the US, I decided to get another prepaid US$ card, but this time I would register it in the US so that I could have a US BIN and billing address (some stores, such as Levenger, will let you ship internationally but will only accept payment from cards with a US billing address). Although in the end I didn’t have time, because I got sidetracked playing with my new Square, this does illustrate (once again) that there are lots of good reasons for wanting prepaid cards that are nothing to do with not being able to get a credit or debit card.

From the consumer side, prepaid allows consumers to test new opportunities and options without risking a lot of money or putting their bank accounts or credit cards on the line.

[From PaymentsJournal – When It Comes to New Payments Technology, Prepaid Will Lead the Way]

This is a good point, but I feel there’s another reason for thinking that prepaid will be developing in interesting directions, at least in Europe. You don’t need to be a bank to offer prepaid services: the combination of an Electronic Money Institution Licence (ELMI) and a Payment Institution Licence (PI) means that any company can offer a full service: an open-loop prepaid card. I suspect that many of the companies applying for these licences are doing so because they want to use new technology to deliver new services that need payment, if you see what I mean. That is, they don’t expect to earn money from the payments themselves, but from the value-added services that need the payments to take place.

I’ll be looking out for trends around value-added at this year’s Prepaid Conference in London on 13th-15th June 2011. In an act of magnificent generosity, the wonderful people at Clarion have given me a delegate pass for the conference — worth an amazing ONE THOUSAND FOUR HUNDRED AND NINETY FIVE POUNDS — to give away on this blog as a competition prize. So if you are going to be in London on those dates and you’d like to come along to meet practitioners, thought leaders and me, then all you have to do is be the first person to respond to this post telling me what the conference sponsors MasterCard were originally called when they started in 1966.

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been designed to be carbon neutral. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Mexican standoff

At last year’s conference on The Macroeconomics of Mobile Money held at Columbia University in April 2010, Carol van Cleef (a partner at Patton Boggs LLP in Washington) gave a presentation on the “Opportunities and Dangers of E-Payments”, in which she noted that the Mumbai terrorists used mobile phones and “showed themselves to be part of the mobile phone generation” (as, I imagine, they showed themselves to be part of the mass transit generation and the automatic weapons generation). She notes that the attackers were using their own phones (so the IMEIs could be tracked, making the life of law enforcement easier) and that they had purchased more than 37 SIMs in different names using false identification (so the compulsory SIM registration was shown to be pointless — although some of the SIM card sellers were arrested). She also says that the most critical tool for drug traffickers in Canada is the prepaid phone (I’m sure she’s wrong: I’ll bet it’s either cash or cars).

I remember thinking when I read this at the time that this continued law enforcement focus on the prepaid phone and the prepaid card, both of which are critical tools for financial inclusion, would end up with restrictions on both that would make no difference to criminals but would make life much harder for the financially excluded, because of the strong link between identity and money.

Why do I think that? Well, it is just not clear to me that demanding strong proof of identity for prepaid products will help. In Mexico there is a national registry for prepaid phones and all purchasers are recorded and fingerprinted; the operators keep call logs, texts and voice mail for a year (in a database only accessible with a court order — or by criminals, I’d wager). All prepaid phones not in the registry were supposed to be turned off this month, although a quick round of googling and searching couldn’t tell me whether this is actually happening or not. As I wrote a couple of weeks ago, in the context of the Mexican government’s reward scheme for people who call in reports of money laundering:

Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do

[From Reputation does not depend on “real” identity]

If we focus on phones for a moment, is it reasonable to assume that demanding identity in the purchase of phones (prepaid or otherwise) will do anything to reduce crime? Or will it simply shift the crime to acquiring identities and actually raise the criminal premium on those identities?

Eight men and one woman have been arrested on suspicion of conspiracy to defraud… calling expensive premium-rate numbers owned by the fraudsters that charge up to £10 a minute… O2 had a total of £1.2m stolen through premium phone lines throughout July, with police claiming that a West African gang bought the phones from high street stores using false identities.

[From British police arrest iPhone scam gang | News | TechRadar UK]

Like many similar scams, this isn’t a mobile fraud or a payment fraud or any other kind of fraud: it’s basic identity fraud, yet again. To some extent, therefore, one has to be a tiny bit unsympathetic to O2. Clearly, if they make everyone jump through hoops to get an iPhone then they won’t sell very many of them. On the other hand, allowing people to take out contracts without really proving who they are or (and this is the commercial arrangement that is lacking) providing an identity that is underwritten by someone who will take liability for it being wrong, means accepting risk. Remember, it’s not the mobile operators, handset manufacturers or criminals who pay for the police raids, the court system, the prison time: it’s us, the taxpayer. So the distribution of risks is not aligned with the distribution of liabilities, as is so often the case in the world of identity fraud. This isn’t a UK-only problem. It is very clear that in countries without secure national identity registers (ie, almost all countries), requiring mobile operators to determine the identity of subscribers (contract or prepaid) will solve nothing. This does not, by the way, mean that it is impossible to catch criminals. Far from it.

Deputy District Attorney Mena Guirguis said that after Manunga and her former boyfriend stopped dating in 2008, she took out a pre-paid cell phone in his sister-in-law’s name, and started sending the threatening text messages to her regular cell phone… Her scheme was uncovered when the victims went to the phone store, talked with the salesman and learned that Manunga had bought the pre-paid phone under the sister-in-law’s name, Guirguis said.

They reported that information to a Costa Mesa police detective, but by then a third arrest warrant had been issued for the sister-in-law. During a follow-up investigation, the detective discovered that most of the threatening text messages were sent when the pre-paid cell phone was in close proximity to Manunga’s home or work.

[From Woman jailed for making threats – to herself | sister, law, manunga – News – The Orange County Register]

What this story shows is that actual police work is helped by the perps using mobile phones, even if you don’t know the identity of the person using the phone, because phones mean tracking and tracing and location. We read today that iPhones keep a complete record of everywhere they’ve been…

Apple iPhone users’ movements are being tracked and stored without their knowledge in a file that could easily be accessed by a snooping employer or jealous spouse, security researchers have found.

[From Apple iPhone tracks users’ location in hidden file – Telegraph]

Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.

In all conscience

I’m giving a keynote at the Smart Card Alliance conference in Chicago in a couple of weeks. It’s going to be about EMV in the USA. I’ve just been mulling it over, and once again looked at Deborah Baxley’s neat summary of the immediate future for the US cards business:

Banks scrambling to replace lost fee revenue will likely shift focus to credit and prepaid, impose DDA and other fees, along with new account services and comprehensive pricing packages.

[From Changing the Game in Cards – pymnts.com]

It’s not just banks who have to rethink their strategies because of developments in the payment sector. I note that in the UK, according to the Centre for Economics & Business Research reported in Fraud Watch 6(18), nearly 100,000 people were victims of direct debit fraud last year, a direct consequence of the use of chip and PIN at retail POS. As card fraud has become more difficult, the criminals have shifted their focus. Direct debit fraud was one basis point of identity fraud cases a decade ago; now it is a tenth of all cases. Criminals have to adapt to chip and PIN just as banks and merchants do.

A GROUP of seven postmen intercepted letters containing credit cards, switched the microchips of the cards with fake ones and then delivered them to the applicants… the syndicate also had the help of a National Registration Department (NRD) officer who supplied them with the names of the mothers of the real credit card applicants

[From 7 M’sian postmen nabbed for credit card fraud]

It’s interesting to think like a criminal. Well, sometimes. In Chicago, two men were shot by guards while trying to rob a cash transit.

The dead suspect was identified as Jimmy Townsend, 52… a convicted felon and was sentenced to 10 years in prison for two separate armed robbery convictions.

[From 2 suspects shot, one fatally, in armored truck heist – Chicago Breaking News]

Armed robbery is a bizarre crime. I think I’m right in saying that in the UK the average sentence is longer than that for murder. In the US, Mr. Townsend spent years in jail for it, and then got killed doing it again. How dumb did he have to be to go back to trying to rob armoured cars? If only he had read the Digital Money Blog, he would have known that there are much easier targets.

The heavily-armed gang made off with the tournament jackpot of 242,000 euros ($327,000; £217,000) in early March. Police said a 28-year-old Lebanese man, the fourth arrested in connection with the raid, had been detained on Sunday.

[From BBC News – German police arrest poker tournament heist suspect]

OK, so not all of them got away, but casinos are not a bad idea for enterprising criminals. They do have lots of cash, and often the people in them will not report cash as stolen.

Masked men have stormed a packed casino near the Swiss border city of Basel, making off with hundreds of thousands of francs, prosecutors say.

About 10 raiders pulled up at the Grand Casino in two cars just after 0400 (0200 GMT) and smashed their way in, brandishing machine-guns and pistols. The French-speaking gang ordered the 600 guests and employees to the floor while they emptied registers.

[From BBC News – Switzerland casino is robbed by armed gang]

Criminals follow the path of least resistance. I hope Bankerstuff don’t mind me quoting from a marketing e-mail they sent me concerning a forthcoming webinar.

A Former Bank Robber Shares Security Insights During Live Webinar on April 28 from 2:00 – 3:00pm Eastern

Troy Evans pursued a career as a self-employed addict, drug dealer, gambler and thief for more than 15 years. Ultimately, his disregard of values and discipline resulted in a 13 year federal prison sentence. Facing the obstacles, pressures and violence of prison life, he was determined that his time behind bars would not be wasted… Having met and interviewed over 300 bank and credit union robbers he is able to give us a “look into the mind of the enemy”. Troy answers questions such as… What can financial institutions do to deter a desperate criminal?

I would have thought that an obvious idea would be to not have any cash since, as another bank robber famously remarked, he went “where the money is”. When it comes to card payments, the money is in getting hold of card details and (because of the switch to chip and PIN) PINs. Here, the criminals soon adapted their strategies to deal with the new instruments.

Victorian Police believe international crime syndicates are bribing shop workers in return for access to EFTPOS terminals as part of an elaborate scam. They believe criminals have stolen as much as $80 million from Australian bank accounts over the past year…

The syndicates install cameras in ceilings to film people entering their identification numbers.

[From EFTPOS scam costs Australians $80m – ABC News (Australian Broadcasting Corporation)]

They’re using these PINs (since they can’t make counterfeit chip and PIN cards) with the card details to withdraw cash from ATMs. Once all of the cards and ATMs are chip-only, this avenue will be closed to them. Thus while chip and PIN isn’t perfect, it’s good enough to push criminals into other channels. So: a thought experiment…

Suppose we improve the security of payment systems to the point where they cannot, effectively, be broken. Theft, fraud and hacking are not possible. Where would criminals go next? I think they’re spoilt for choice, so relatively small improvements in payment security would send them off to pastures new.

The poll of 533 firms shows that 55% experienced fraud in the last 12 months, with 61% of these hit more than once, a similar picture to the previous year. In total, 75% of the businesses participating in the study experienced online account takeover and/or online fraud.

[From Finextra: Account takeover fraud plaguing US small businesses]

SME account takeover seems much easier than armed robbery and much more profitable. The so-called man-in-the-middle attacks on OTP systems for remote access to banking accounts are an established attack vector.

According to BillingScore, 19.4% of the value of all transactions in the U.K. premium rate sector are fraudulent, or roughly £1 on every £5 spent. “With the premium rate sector in the U.K. mobile industry currently worth in the region of £700 million, this equates to £135.8 million per year being lost to fraud in the U.K. alone,” the company said.

[From UK mobile operators ‘hide’ £136m annual fraud loss]

A fifth? As opposed to a few bp in cards? I predict that any forward-looking criminal in this scenario will be eyeing up the telecommunications opportunities. So let’s look at what some forward-looking criminals are doing. I think criminals in eastern Europe are a useful barometer, because they tend to be well-educated and computer-savvy. And they get arrested from time to time, so we can see what they get up to. Here’s the stash of Romanian hackers arrested last year. You will, of course, note that it does not include low maximum balance prepaid cards or accounts.

77,350 euros, 49,000 U.S. dollars, 64,860 pounds, 60,645 lei, a luxury watch, a rifle, three pistols and 150 grams of gold. 70 laptops, 165 mobile phones, 35 desktop computers, 15 modems, new servers, 10 blank cards, 2425 SIM cards…

[From CyberCrime & Doing Time: Nicolae Popescu, Romanian hacker, at large!]

So not only the usual euros and dollars, but also gold (clearly the hackers were diversifying) and also two-and-a-half thousand SIM cards. Two-and-a-half thousand! Here are people taking the messages of convergence, future-proofing and cloud payments quite seriously. As Eric Schmidt said when still with Google, if you don’t have a mobile strategy then you don’t have a strategy. Now, if you’re like me, you will wonder what on Earth they are going to do with these SIMs. Then I remembered something that I’d read a while ago.

Only days after almost two million Bulgarians registered their SIM cards, the Interior Ministry warns that new forms of abuse are appearing. According to the ministry, two cases had recently been uncovered in which telephone fraudsters had allegedly offered 50 leva to Romas for registered SIM cards, Bulgarian daily Standard reported… the Interior Ministry as saying that it expected a flood of SIM cards, registered to Romas and homeless people, to appear on the market in the coming weeks.

[From Interior Ministry warns of trade in registered pre-paid SIM cards – Bulgaria – The Sofia Echo]

Mystery solved. The answer to why there should be a significant value attached to SIM cards that you can buy for virtually nothing in any shop is, naturally, government policy. After pocketing their windfalls from selling their SIM cards, the homeless and Roma presumably went off to celebrate their good fortune, whereas the criminals went off to figure out how to create a mass supply instead of having to negotiate with individuals.

…only four months into 2010, and organised crime groups already have found ways of beating the system. In fact, there are unsuspecting people right now who are completely unaware that their mobile phones, or names and registration, are being used for serious criminal activities… Radio host Borislav Borissov found out that he was the “proud owner” of about 200 different SIM cards, all registered to his name and personal social security number.

[From Bulgarian criminals ‘beating the system’ of pre-paid SIM card registration – Bulgaria – The Sofia Echo]

I know where I’d invest my criminal dollars! Mobile is the future! No, of course, I’m just joking to make a point. If I really was going to invest dollars in a criminal enterprise, it would be in Somali pirates, except for one sticking point. I’m afraid my strict ethical position will not allow me to deal with these people.

The al Shabaab group, which professes loyalty to al Qaeda, said mobile money transfers (MMT) helped feed Western capitalism and were turning Somalia’s Muslims against Islamic banking practices.

[From Somalia’s al Shabaab bans mobile money transfers | Top News | Reuters]

I cannot do sufficient violence to my conscience to support a group who are against mobile payments.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Black Wednesday

They called April 6th “Black Wednesday” in the UK. Well, I heard someone say that on the BBC. It’s because it was the start of the new tax year, and since the government maxed out the credit card, the payments are going up. There’s going to be some pressure to collect more tax, because there’s a limit to how much you can put the rates up before avoidance (and emigration) reduces the total amount collected. I wonder if we will soon be going down the Greek route.

The Greek government announced Thursday it is shutting down bars and nightclubs… that fail to offer receipts. So far, six bars and clubs have been shut down as part of a broader sweep where two-thirds of all inspected businesses were fined. The absence of receipts allows businesses to avoid value added tax, or consumption tax, the Ministry of Finance said in a press release.

[From Euro Debt Crisis – Cash-Strapped Greece Cracks Down on Fun – CNBC]

Now this could be good for the e-payments industry, because the easiest way to avoid receipts and therefore evade tax is to pay in cash. Here, in the birthplace of income tax, the government are apparently going to have something of a crackdown on tax evasion.

HMRC has targeted so-called ‘ash cash’ or payments to doctors for signing death certificates before bodies can be cremated and also undeclared cash payments to dentists.

[From HMRC targets middle class tax evaders – Telegraph Blogs]

This seems on the margin to me: I shouldn’t think the amount of tax being evaded by doctors writing death certificates will amount to one payoff of a local government official and I have to say that none of my dentists has ever asked me for a cash payment for anything.

It could even be argued that agreeing to pay your builder in cash might be seen as a conspiracy to defraud the Revenue

[From HMRC targets middle class tax evaders – Telegraph Blogs]

Now you’re talking! Agreeing to pay your builder in cash is precisely engaging in a conspiracy to evade tax, and people who do it should be prosecuted. If they paid their share, mine wouldn’t be so much.

And it’s not just that carrying around cash is inconvenient and time consuming. These days, one of its main functions is to finance the black economy: drug deals, counterfeiting, under-the-table employment and other nefarious activities. Because cash is anonymous, people can easily opt out of the taxable economy – leaving the rest of us to pick up the tab for their use of public services.

[From I’m dreaming of a cashless Christmas – Telegraph]

Getting rid of cash won’t eradicate tax evasion, but it will make it more difficult, and hopefully more expensive, thus shifting otherwise black commerce back into the formal economy. And since the scale of tax evasion in Europe is so colossal, small improvements will deliver significant sums to the treasuries. I couldn’t find a reasonable estimate for this in the most recent tax year, but I did find this estimate for VAT alone.

The current collection model brings with it a VAT Gap due to e.g. VAT fraud, insolvencies, mistakes by the taxable persons in the VAT return and VAT avoidance schemes. Desk research shows that the VAT Gap for 2009 can be cautiously estimated at 6,9% of GDP and 12% of total VAT liability in the EU-27. This means that, in the EU-27, a total of EUR 118,8 billion has according to those estimates not been collected by the tax authorities in 2009.

[From 118,8bn euros lost in 2009]

Let’s say that 20 billion of this is in the UK, and that getting rid of cash would cut it by a quarter. That’s an instant five billion bonus to the exchequer. I look forward to my rebate.

The fraud trajectory

There’s no doubt that chip and PIN is one of the key planks in the industry strategy to reduce card fraud to manageable levels (which is not the same as eliminating card fraud, note). One of the reasons why it is so secure is that it uses offline PIN verification, where the chip on the card checks that the PIN input at POS is the correct one. And since the PIN is known only to the cardholder, and they never divulge it, this provides validation that… no, wait…

Despite the strict recommendations from card providers about keeping your PIN confidential, research by shopping website VoucherCodes.co.uk has revealed that over half (59pc) of Brits are flouting the rules by sharing their bank card PIN codes and are putting their personal finances in jeopardy.

[From More than half of card users share their PIN – Telegraph]

Uh oh. But come on – anyone out there in the real world will know that it’s impossible to get through life without giving your spouse your PIN. What happens when (to pick a hypothetical example) she can’t remember what the hell she’s done with her handbag and needs to get to Homebase to buy some paint? Or (to pick a hypothetical example) a husband may have stupidly left his wallet in his desk at work but needs to get cash out at an ATM on the way to a football game. Come on – we’ve all done it (except me, I should point out to the terms and conditions chaps at Barclaycard).

The poll of 3,000 people revealed that Brits are most likely to entrust their partners with this security information, but a surprising one in twenty (5pc) adults feel that it is safe to divulge this information to their children.

[From More than half of card users share their PIN – Telegraph]

What? Not in my house they don’t. We have a Visa prepaid card for “house” use, so if the kids need to get some shopping, stuff for school or other supplies, they use that one, and I top it up online when necessary. It’s a simple way to manage money, so I’m surprised more people don’t do this: and it has the added benefit that it doesn’t have a name on it, so if it gets lost or stolen it can’t be used to start identity fraud.

Incidentally: 3 per cent of the people surveyed said that they wrote their PIN on a piece of paper and kept it in their wallet, which may account for at least some of the incidence of the ATM and POS chip and PIN fraud more plausibly than complex attacks on the unencrypted messages between the card and terminal.

There are plenty of other initiatives aimed at improving the overall level of card security. 3D-Secure has taken a long time to get traction but is now widely used in e-commerce. PCI-DSS is costing a fortune, but may reduce the industrial-scale counterfeiting of the magnetic stripe cards still widely used for retail payments in less-developed parts of the world.

In raids conducted Feb. 1, agents seized $300,000 in cash, three firearms and ammunition as well as equipment to make fake credit cards from the gang… The credit card details and stolen identity information was purchased from “online data traffickers via Web-based portals, and the purchasers would store the stolen credit card information in shared e-mail accounts, allowing several defendants to begin creating counterfeit credit cards,” prosecutors said.

[From US indicts 27 in Apple product credit-card fraud ring | MP3 Players | Macworld]

Anything that stops card details like these from falling into criminal hands so easily must be worth the money, right? Actually, on the costs of PCI-DSS, there may be some relief in sight for European retailers.

Visa last week announced a new programme which means European merchants will no longer need to prove they adhere to PCI DSS regulations on an annual basis, as long as 75 percent or more of their transactions originate from EMV-enabled chip and pin terminals. The programme will be introduced on 31 March, 2011

[From Visa PCI DSS exemptions send out mixed messages to merchants | Business Computing World]

So come on, it’s not all bad. In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles. This is because even simple integration (eg, texting unusual transactions) delivers good returns, and the impending integration of payments with handsets means that issuers will be able to go even further with 24/7 access to the “card”. I won’t rehearse the basic arguments, but I think there are many reasons for thinking that the mobile is a means to manage card fraud down, a line of thinking that we have presented frequently over the years.

So, are mobile payments safe or not? It’s not a “yes” or “no” question, as we hope this discussion has shown. Let’s ask another question instead: Can we make the risks of mobile transactions manageable? The answer to that is “yes”. In fact, in the particular case of mobile proximity payments, we happen to believe that there is more security overall in using a mobile than in using a card payment.

[From TM Forum – Article: Mobile Payments – Safer than Cards?]

For one thing, as noted, we can use the mobile to provide information and as a communication channel to report on and detect suspicious activity. Potentially more interesting, though, there are techniques that take advantage of the characteristics of the mobile channel, primarily location. There are some practical problems to be overcome, though.

ValidSoft [has] direct access to mobile networks, tables, and services around the globe and can provide mobile based location services without requiring that users opt in. Many financial institutions are interested in using these services for fraud detection but are concerned about the privacy implications and don’t want their customers thinking they are following them around.

[From Visa Europe sets trend with mobile location-based fraud detection]

Actually, I might well want my issuer to follow me around, but I might also want it to stop other people from following me around. Anyway, I’ll be talking about this kind of thing — including lessons from our practical experience advising leading payments organisations around the world and some of the things we are learning from the Ph.D in mobile handset security that Consult Hyperion is funding at the University of Surrey — at the excellent UK Card Fraud Conference on 29th/30th March 2011 in London.
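The location-consistency check described above, combined with the “text the cardholder about unusual transactions” integration mentioned earlier, as an added example in Python that is not code from the original page, Consult Hyperion, Visa Europe or ValidSoft. It assumes a network-side service that answers “is this handset near this terminal?” with a verdict rather than a position, which is one way to address the privacy concern in the quote; the numbers, coordinates and mobile numbers are constructed sample data.

```python
"""Added example, not code from Consult Hyperion, Visa Europe or ValidSoft.

Models a location-consistency check for card transactions combined with
texting the cardholder about unusual ones: the issuer asks a network-side
service whether the registered handset is near the terminal, and only an
inconsistent answer triggers a text and a step-up.

Assumptions (mine): the issuer knows the terminal coordinates and the
cardholder's number; the network can resolve that number to a coarse
cell-centroid position; and, to limit the privacy exposure, the issuer never
receives that position, only a consistent / inconsistent / unknown verdict.
Every number, coordinate and name below is constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

LatLon = Tuple[float, float]
EARTH_RADIUS_KM = 6371.0

def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

class Verdict(Enum):
    CONSISTENT = "consistent"
    INCONSISTENT = "inconsistent"
    UNKNOWN = "unknown"  # no fix: handset off, roaming, number not known

class NetworkLocationService:
    """Stand-in for the operator-side service: holds (constructed) handset
    positions and answers proximity questions without revealing them."""
    def __init__(self, positions: Dict[str, LatLon], cell_radius_km: float = 5.0):
        self._positions = positions
        self._cell_radius_km = cell_radius_km  # how coarse a cell fix is

    def is_near(self, msisdn: str, point: LatLon, threshold_km: float) -> Verdict:
        pos = self._positions.get(msisdn)
        if pos is None:
            return Verdict.UNKNOWN
        # Subtract the cell radius so a coarse fix never causes a false alarm.
        if haversine_km(pos, point) - self._cell_radius_km <= threshold_km:
            return Verdict.CONSISTENT
        return Verdict.INCONSISTENT

@dataclass
class Transaction:
    txn_id: str
    msisdn: str       # cardholder's registered mobile number
    amount_gbp: float
    terminal: LatLon  # POS / ATM coordinates supplied by the acquirer

@dataclass
class Decision:
    action: str         # "approve", "review" or "step-up"
    verdict: Verdict
    sms: Optional[str]  # text sent to the handset, if any

def assess(txn: Transaction, svc: NetworkLocationService,
           threshold_km: float = 50.0, review_above_gbp: float = 250.0) -> Decision:
    """Issuer-side rule: approve when handset and terminal agree, text the
    cardholder and step up when they disagree, and fall back to a plain
    amount rule when the network cannot say either way."""
    verdict = svc.is_near(txn.msisdn, txn.terminal, threshold_km)
    if verdict is Verdict.CONSISTENT:
        return Decision("approve", verdict, None)
    if verdict is Verdict.INCONSISTENT:
        sms = (f"Txn {txn.txn_id} for GBP {txn.amount_gbp:.2f} was attempted away "
               f"from your phone. Reply YES to confirm or NO to block the card.")
        return Decision("step-up", verdict, sms)
    # UNKNOWN: absence of a location fix is not evidence of fraud.
    action = "review" if txn.amount_gbp > review_above_gbp else "approve"
    return Decision(action, verdict, None)

# Constructed sample data: the cardholder's handset is in central London.
LONDON: LatLon = (51.5074, -0.1278)
MADRID: LatLon = (40.4168, -3.7038)
SERVICE = NetworkLocationService({"+447700900123": LONDON})
SAMPLE = [
    Transaction("t1", "+447700900123", 42.50, (51.5200, -0.1000)),  # DIY store, London
    Transaction("t2", "+447700900123", 300.00, MADRID),             # card abroad, phone at home
    Transaction("t3", "+447700900999", 19.99, LONDON),              # number unknown to the service
    Transaction("t4", "+447700900999", 900.00, LONDON),             # unknown and high value
]

def run(txns: List[Transaction] = SAMPLE) -> List[Decision]:
    return [assess(t, SERVICE) for t in txns]

if __name__ == "__main__":
    for t, d in zip(SAMPLE, run()):
        print(t.txn_id, d.action, d.verdict.value, d.sms or "")
```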

The magnificent people at DT Conferences have given me a delegate pass for the event — worth an amazing ONE THOUSAND TWO HUNDRED POUNDS plus VAT — to give away on this blog as a competition prize! So if you are going to be in London on those dates and you’d like to come along to meet some of the leading thinkers in the UK’s fight against card fraud (and me) then all you have to do is be the first person to comment on this post with the name of the doomed precursor to 3D-Secure, the PKI-based online card payment security system developed in the 1990s: full name, please, not just the TLA!

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been gritted for your safety. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

