Why us?

Our good friends at ACI Worldwide have just released their annual Global Card Fraud Survey, which contains some rather bad news: the UK has more card fraud than many other countries. We’re up there with the US, with three times as many people affected as in Germany and the Netherlands. So a third of us have been victims of card fraud compared to only a tenth in the Netherlands. Why? Are the Dutch more honest than Brits? Are their cards more sophisticated? No. I think there are two main reasons for this discrepancy.

First of all, while chip and PIN has cut fraud on the high street, card-not-present fraud is still a big problem. In the UK, cards still account for a big portion of online payments. In the Netherlands, and some other countries, they don’t. More than two-thirds of Dutch e-commerce purchases are made with iDeal, a bank-based scheme that has no equivalent in the UK (or the US, or pretty much anywhere else for that matter).

Second, UK credit cards have high limits. In the last couple of weeks, both of my main card issuers have written to me raising credit limits (I didn’t ask for this in either case). If you’re going to steal some card details, you’d go for cards that are likely to be some way from their limit.

The survey wasn’t all bad news, by any means. I found it interesting that the proportion of people who had been victims of card fraud but were satisfied with the response of their issuer had actually increased slightly, to almost four-fifths, which isn’t bad. Personally, like the majority of people surveyed, the last time there was a strange charge on my card, the bank took off the charge then cancelled and reissued the card.

The agent informed me that new cards for me and my wife would be Fed-Ex’d, to arrive today or tomorrow. What followed were a series of texts from merchants that have my credit card on file for automatic billing, delighting me with the knowledge that I won’t be able to use such services as the Bay’s FasTrak toll lanes or uninterrupted cable service until I update my records.

[From I’m a five-time ID Fraud victim; How crazy is that? – Javelin Strategy & Research Blog]

Think how expensive all this is, though: cancelling and re-issuing cards, call centre seats, letters and whatever else. So we still need to do better. Only around a third of people (fewer than before) said that they would switch financial institutions because of card fraud, which is bad news for people trying to sell anti-card fraud solutions to high street banks.

The poll of 970 UK adults, part of the bi-annual global Unisys Security Index, reveals that cyber-security is the public’s chief concern, with 85% of respondents worried, and over 50% “seriously concerned”, about bank card fraud and identity theft.

[From Finextra: Brits switching banks over security and privacy concerns – Unisys]

This is odd, I think. I couldn’t care less about bank card fraud, since it’s the banks’ problem and not mine. I never use a debit card for anything, offline or online, so I’m totally protected by the legislation around credit cards. I’m more worried about identity theft, because it’s more time consuming to put right, but that’s a different issue (being discussed at the CSFI yesterday, as it happens).

The press release also noted that 81% of people have confidence in their issuer protecting them from fraud. I think that this may be a little simplistic, for that very reason: had I been asked for the survey, I would have said that I don’t really care about Barclays’ ability to prevent fraud on my splendid OnePulse credit card because it’s their problem.

Time to do something about ATMs

There has been another spate of cash machine fraud, near where I live, entirely coincidentally. The police have instructed us to… well, let them tell you.

Officers have advised members of the public that if possible they should not leave the scene if their card is retained

[From BBC News – Cash machine users in Woking warned over thefts]

So, essentially, if an ATM keeps your card (this has never, ever, happened to me) then you should stay by the machine and call for help. Who you are supposed to call is not made clear, but I will call one of our local police stations. These are open from 8am to 10pm. As an aside, when I last went to one of our local police stations, I was ushered into a small room with a telephone, from where you are connected to the same call centre as if you had just stayed at home and phoned them, so come to think of it I may just as well call the call centre directly. Perhaps it’s time to rethink the “hello 1966” card plus 4-digit PIN system and either get rid of ATMs completely or improve their security.

Perhaps we should look further afield for ideas for new ATMs.

The Intelligent ATM comes equipped with a camera that recognises the customer’s face and sends details of the facial dimensions to a database for verification… Its use could also reduce the now common incidents where carjackers force their victims to empty their accounts at gunpoint, often taking the card and the personal identification number (PIN).

[From Daily Nation: – News |Your face is all you’ll need at an ATM]

I think this is unlikely: it would simply replace customers being forced to hand over their ATM card at gunpoint with customers being forced to go to an ATM at gunpoint, which strikes me as being more dangerous! Relatively few people are carjacked and shot dead in Woking at the moment — this generally happens up the A3 in South London — but it could all change. Mind you, you’ve got to be pretty brave to use an ATM at all in the UK.

‘We were surprised by our results because the ATM machines were shown to be heavily contaminated with bacteria; to the same level as nearby public toilets… In addition the bacteria we detected on ATMs were similar to those from the toilet, which are well known as causes of common human illnesses.’

[From Cash machines ‘as dirty as public toilets’ | Mail Online]

Yuk. It’s time to stop the silly 1960s fashion for putting things in slots and touching filthy keypads. This might help prevent fraud as well as the propagation of intestinal disorders.

The future may lie with RFID chips and mobile phones. If a mobile phone replaced the ATM card and withdrawals could be performed only by placing an RFID phone near an ATM then cell site analysis (plus E911 and E112 compliance) would greatly limit the scope of fraud against banks. But such a secure deployment needs investment – and in these difficult times this looks doubtful.

[From Forensic Computing Expert and Barrister – Automated Teller Machines]

Maybe Barclays, who have issued millions of contactless debit cards in the UK, might want to start experimenting with ATM de nos jours. After all, I want to leave home without a wallet, with only a phone, but there are still backward and underdeveloped parts of the world (eg, Woking) where many retailers do not yet have contactless terminals and so there is the need for occasional recourse to the hole in the wall, but it’s difficult to get my iPhone in the slot, especially when it is fitted with anti-fraud devices. Consider this appealing alternative: take splendid new Barclaycard/Orange mobile phone with NFC, open card application and enter numerical passcode and amount of money required. Then hold phone next to ATM and wait for the money to come out.

Benjamin 3D

[Dave Birch] The US is soon to release a new $100 bill. But why? What do they do with $100 bills? They’re not, as you might imagine, needed to support commerce and trade.

In 2001 the Federal Reserve estimated that 90 percent of the $100 bills ordered by the Federal Reserve (which accounts for the overwhelming majority of C-notes ordered nationwide) were paid out to foreign banks

[From Hundred-dollar bills are for criminals and sociopaths. Why do we still print them? – By Timothy Noah – Slate Magazine]

Around two-thirds of all of the US dollars in “circulation” are not in the US at all and are unlikely to be repatriated. This represents a tremendous interest-free loan from the rest of the world to Uncle Sam. But is this income sufficient to outweigh the negative effects of cash?

So why do we keep printing $100 bills? As with any valuable export, we worry that if the C-note ceased to be available to foreign criminals and dictators, another paper currency would take its place. The leading candidate would be the 500 euro note,

[From Hundred-dollar bills are for criminals and sociopaths. Why do we still print them? – By Timothy Noah – Slate Magazine]

Well, that’s true, and the conspiracy theory that the European Central Bank (ECB) only had the 500 euro note printed in order to replace the $100 bill in the stashes of drug dealers and tax evaders is widely recirculated. But that’s a reason to scrap 500 euro notes, not to print more $100 bills, especially when the $100 bills have to be completely re-designed anyway.

But the biggest upgrade is a blue “3D Security Ribbon”… The strip contains a series of images of bells and digits; tip the note, and the images come into 3D relief. “It only takes a few seconds to check the new $100 note and know it’s real,” says Larry R. Felix, Director of the Treasury’s Bureau of Engraving and Printing.

[From US Treasury: New 100 dollar bill needs 3D tech – CSMonitor.com]

Sounds exciting. But why bother? Why not just forget about the $100 (and, for that matter, the $50 bill)? After all, high-denomination notes have been withdrawn before, and for much the same reason. We have to weigh up the overall impact on society and try to make the right decision, and sometimes that decision might mean a radical change.

In 1969, the Treasury stopped issuing $500, $1,000, $5,000 and $10,000 bills specifically to impede crime syndicates — the only entities that were still using such large bills after the introduction of electronic money transfers.

[From Turn In Your Bin Ladens – NYTimes.com]

And before I get deluged with e-mails calling me a New World Order stooge intent on introducing the Mark of the Beast across the USA, let me merely point out that if the public were to desire anonymity for payments (they don’t, by the way) then it’s possible to create anonymous electronic money: this is an implementation choice, not any sort of technological constraint. Of course, the fact that the US government stops producing high-denomination notes doesn’t necessarily mean that they will disappear…

Malaysian police have arrested a Lebanese man allegedly carrying fake currency with a face value of $66 million after he tipped a hotel staff with a $500 note, an official said Friday.

The largest U.S. note currently in wide circulation is a $100 bill. But police found bundles of $1 million, $100,000 and $500 notes in the man’s hotel room in Kuala Lumpur on Sunday, said Izany Abdul Ghany, head of the city’s commercial crime unit.

[From $500 Tip Leads Police to $66 Million in Fake Bills – ABC News]

If only all counterfeiters were that good!

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

What is cash actually for?

[Dave Birch] Cash has some unpleasant side-effects and these really ought to be factored into the big picture when it comes to examining the transition to digital money.

In terms of public safety and national security, the sooner the world moves to a digital cashless economy, the better.

[From Turn In Your Bin Ladens – NYTimes.com]

Most of the cash “in circulation” (I use the quotes because it is not, of course, actually in circulation at all but being hoarded in various places) is used only for criminal purposes: tax evasion, money laundering, drug dealing and so forth.

Somali pirates are reported to have received a total of $12.3m (£7.6m) in ransom money to release two ships. They are believed to have been paid a record $9.5m (£5.8m) for Samho Dream, a South Korean oil tanker, and nearly $2.8m (£1.7m) for the Golden Blessing, a Singaporean flagged ship.

“We are now counting our cash,” a pirate who gave his name as Hussein told Reuters news agency.

[From BBC News – Somali pirates receive record ransom for ships’ release]

Once again, these miscreants aren’t looking for prepaid mobile phones, gift cards or PayPal accounts: they are after cash, and I’ll lay a pound to a penny that they didn’t want Yuan or Roubles or Kenyan Shillings and an M-PESA account in a false name: they wanted dollars, and in $100 bills. The cash was dropped from a helicopter on to the ship. Now, I’ve heard some people — including some people from banks — say that this is fair enough, because the seigniorage on the cash represents a tax on criminal activity and it’s better to collect this stealth tax from the bad guys than impose more taxation on honest, hard-pressed taxpayers. But I have two objections to this line of thinking:

  1. First of all, it is not at all clear to me that the state should live off of criminal earnings. If something is legal and taxed, fine. But if it’s illegal, it’s illegal.
  2. Secondly, the revenues that accrue to the central bank from this enterprise are small compared to the revenues denied to other parts of government. So in the central bank books, life looks good. But over at the treasury, there’s a black hole where the revenues from honest enterprise should be.

Perhaps the non-central bank parts of government might look to the central bank to use some of the seigniorage revenues to subsidise the introduction of electronic payments to parts of the economy dominated by cash. But what kind of electronic payments? I suppose the government could start developing its own form of e-cash, but I’m not sure that’s the best way forward. Maybe there’s another way. Perhaps we need a new form of e-cash (that we haven’t seen yet) for the new economy because we are trapped using money developed in a previous age for the commerce of the next. In his excellent book “The Birmingham Button Makers”, Professor George Selgin explains how the British economy faced that same problem during the industrial revolution.

Today, the big problem of small change is no longer such a big problem, although shortages of wanted coin continue to occur sporadically around the world (e.g. here and here) as well as surpluses of unwanted coin. Nevertheless, the basic problems of private coinage were trust and credibility. Modern issuers of digital cash face the same problems and thus Selgin’s history is a valuable reminder about the scope and potential of alternative monetary institutions.

[From Marginal Revolution: Good Money]

Indeed, and apart from a general interest in the history of money, this is precisely why I found George’s work so interesting. Could we see a similar trajectory in the post-industrial economy? This would suggest that private operators might step into the market to fill the void and then, when the competition had run its course and the “best” coinage had been established, the government would step in and provide it as a public good. Perhaps the Bank of England should run its own version of PayPal and the government should insist that everyone has an account if they want to receive state payments of any kind: welfare, pensions, wages and so on! Once all money is digital, as opposed to the current 96.3% (in the UK), who knows where that will take us.

As money becomes completely digitized, infinitely transferable, and friction-free, it will again revolutionize how we think about our economy.

[From The Future of Money: It’s Flexible, Frictionless and (Almost) Free | Magazine]

I think this is true. You’ll have a chance to kick around these kinds of ideas if you come along to the 14th annual Consult Hyperion Digital Money Forum in London on 2nd/3rd March 2011, where George Selgin will be along in person to give a keynote talk.


Red army

[Dave Birch] Oh no! According to tonight’s news reports, the UK is bracing itself for cyberattack from the “hackers” supporting Julian Assange and Wikileaks. Apparently vital government services are at risk from the group called “Anonymous” launching distributed denial-of-service (DDOS) attacks. A bit like this guy, from the group “Not Anonymous At All”:

A 17-year-old from Manchester has been arrested by the Metropolitan Police’s e-crime unit (PCeU) on suspicion of being behind a denial of service attack against the online game Call of Duty.

[From Call of Duty DDoS attack police arrest teen • The Register]

He was, of course, traced from his IP address. I thought it was funny, in a way, that journalists and politicians refer to the LOIC kids as “hackers” when they are anything but. What’s more, as I said when Charles Arthur was kind enough to invite me on to The Guardian’s Technology Podcast, they have chosen a particularly funny way to join the Anonymous group of internet vigilantes: software that isn’t anonymous in the least and that delivers their IP addresses to their intended victims, thus making it easy for them to be traced and arrested. This is, in fact, precisely what has happened.

A 16-year-old boy was arrested in the Netherlands in connection with a series of cyber attacks on Visa, MasterCard

[From Dutch teen arrested over cyber attacks on Visa, MasterCard]

My personal views about Wikileaks and the “Cable Gate” DDOS attacks are irrelevant. (I will say this: that if you don’t like MasterCard then cancel your card and leave mine out of it). But they will certainly have an impact on thinking and the calls for “something to be done” mean change. Since there’s no way to stop people from copying data (as the music industry has discovered), that’s probably not a fruitful line of thinking. So what will happen?

What technology may lead to are “red” and “blue” internets. (Note that “blue and red” are here allusions to the military labelling of secure and insecure networks, they are nothing to do with blue and red pills in The Matrix.) Essentially, there will be secure and insecure internets both running over the same IP networks.

On the red, open, internet people and organisations will exchange encrypted data across an untrusted network. Some people may choose not to connect to the red internet at all and only crazy people (and organisations) will send unencrypted data to unauthenticated counterparties.

On the blue, closed, internet you will need to authenticate yourself before you are allowed to access anything and a digital identity infrastructure will deliver privacy (and in some cases anonymity) through cryptography, not through data protection registrars or privacy ombudsmen. In order to connect to the government, or Facebook, or Amazon, you will have to use the blue internet: they simply won’t be connected to the red internet any more. At home, I will probably set my internet connection to blue only.

Now, some of you may be concerned that, as The Daily Telegraph told us, the Chinese government have a master key that can decrypt everything on the Internet, in which case the entire Internet will be — very literally indeed — red forever.

While sensitive data such as emails are generally encrypted before being transmitted, the Chinese government holds a copy of an encryption master key which could be used to break into redirected traffic.

[From China ‘hijacks’ 15 per cent of world’s internet traffic – Telegraph]

But look on the bright side: since the Chinese have “a copy” of this mythical master key, someone else must have the original, and they will be able to read all of the Chinese government’s e-mail and put that on Wikileaks too.


Put your game face on

[Dave Birch] Who are you? That’s an easy question to answer in cyberspace, because no-one knows you’re a dog, so you can be anyone you want to be. This means that you can do bad things, doesn’t it? Surely it would be better to make people disclose their “real” identities online.

Stux on you

[Dave Birch] The media are full of cyberwar at the moment. I’m sleeping safely in my bed knowing that we now have a cyberwar strategy. But there does appear to have been one cyberwar attack that has already succeeded. The story about Stuxnet is fascinating, especially now that the Iranians have admitted that it worked.

President Mahmoud Ahmadinejad admitted Monday that “several” uranium enrichment centrifuges were damaged by “software installed in electronic equipment,” amid speculation Iran’s nuclear activities had come under cyberattack.

[From France24 – Iran admits uranium enrichment hit by malware]

So whoever wanted to stop the Iranians from enriching uranium (the Americans, the Saudis, the Israelis etc) found a cheaper and more efficient way to do it than launching cruise missiles or dropping bunker busting bombs.

It’s a card Jim, but not as we know it

[Dave Birch] The issue about EMV migration continues to attract attention and discussion as the US and EU become two regions divided by a common standard, as one might say. The problems with using US-issued magnetic stripe cards (dynamic or otherwise) elsewhere are becoming more common and more serious. Take this representative tale of woe from Business Week, concerning an American stuck in Europe following volcanic misbehaviour in the North Atlantic.

Burke stood in line for more than seven hours at an Amsterdam train station in April as he sought passage to Belgium. He watched European travelers, also grounded by the eruption, buy tickets at automated kiosks that accepted microchip-embedded credit cards. Burke’s Bank of America (BAC)-issued Visa (V) card, with the standard magnetic stripe on the back, was useless. When the 64-year-old retired economist from Bandon, Ore., returned home, he called Bank of America to ask whether he could get a chip card. The answer disappointed him: “They have basically said, ‘Sorry, but you’re out of luck.’ “

[From Why U.S. Credit Cards May Not Work Abroad – BusinessWeek]

How they resisted the temptation to say “it’s a card Jim, but not as we know it” I’ll never know. But there’s a serious point to all this: the end of universal acceptance. It’s always been a pretty fundamental consumer characteristic of the international card schemes that customers expect to be able to use the cards wherever they see the acceptance mark, but how much longer can this last? I mean, I know it’s my business to mess around with different, new cards (and near-cards) all the time, but I do find it slightly worrying that I can no longer tell when going to buy something whether my cards will be accepted or not. It’s worse for our American friends, because the transition to chip and PIN makes it more attractive to have unattended POS for higher-value transactions.

The problem is particularly acute at automated kiosks in Europe, such as the vending machines at regional rail stations and bicycle rental racks in Paris, parking meters in parts of London, toll roads and gas stations, all of which accept only chip-and-PIN cards. And the problem could get worse. More unattended pay stations are appearing in Europe.

[From Americans abroad run into trouble using credit cards – USATODAY.com]

I don’t know what proportion of US cardholders travel to Europe, or indeed anywhere else, but I imagine it’s quite low. So, we’re soon going to see a situation where unless US issuers provide chip and PIN cards to those cardholders, they will start to find their cards useless. At which point, they might be vulnerable to an assault from Bling or Isis or whoever.

In line with Europol’s stance on the future of the magnetic stripe and in support of the industry’s efforts to enhance the security of cards transactions by migrating from the “magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards.

[From The end for the magnetic stripe on payment cards?]

Of course, the reverse will also be true. Persons such as myself who travel to the US will have to obtain magnetic stripe cards from their banks. I already have a Travelex $ Cash Passport stripe-only prepaid card that I take to the US with me, and I really wouldn’t have a problem with paying a couple of quid to my issuer to get a stripe-only limited-time card for use in the US when I travel there. I would also like the ability to limit my Barclays Visa debit card to ATM-only use in the US. I’m not alone in thinking about this sort of thing.

In the first poll 60% of the respondents felt that European EMV cards should not hold sensitive cardholder data as standard in a magnetic stripe, and in the second poll 28% indicated that they would be happy to contact their bank to activate the stripe on their card before travelling outside of Europe, 12% were happy to carry a Chip only card, and to apply for a separate stripe card should they need to travel outside Europe, and 20% were in favour of both.

[From The end for the magnetic stripe on payment cards?]

How do we balance this out? What is the appropriate strategy in the US? We might categorise the broad options as migrate to EMV (very expensive), keep stripe and issue EMV to international travellers (very inexpensive) or forget about stripe and chip and (via contactless) let them fade away as we move to NFC, mobile, biometrics and other forms of 21st-century payment (costs utterly unknown).

Clipper chips

[Dave Birch] I've read quite a few stories about the new Citi card with a chip in it. Not an EMV chip, of course, but a chip that allows the cardholder to dynamically rewrite the "magnetic stripe" on the back of the card so that it can switch between a credit card and a rewards card.

Next month, Citibank will begin testing a card that has two buttons and tiny lights that allow users to choose at the register whether they want to pay with rewards points or credit, at most any merchant they please.

[From The Mundane Credit Card Gets a Modern Makeover – NYTimes.com]

These are the "dynamic stripe" cards from Dynamics. The idea of them is that since US retailers are not going to replace magnetic stripe readers with chip readers, the way to deliver new services to customers is by emulating the magnetic stripe.

Called “Redemption,” the cards will work at any merchant where mag stripe readers are used. The new cards include programmable and electronic components such as a battery, an embedded chip, buttons and a card-programmable magnetic stripe.

[From Citi’s Pushes Buttons With 2G – Bank Technology News]

You can see how this kind of thing might have a window in the US where the retailers don't have chip terminals. It would make no sense anywhere else: in the UK, for example, Barclaycard's new Freedom rewards programme works at the POS so when you put your card in it asks you if you want to pay with Pounds or Points, which seems much easier than pressing a button on the card, but anyway. And if you try to use a magnetic stripe card in a UK terminal, whether it's dynamic or not, they'll assume you're a fraudster and call the police.

So why do I say that using this kind of technology in the US may have a window?

Well, consider the example of the Cutty Sark. The Cutty Sark was a tea clipper, built for speed, and at one time was the fastest ship of its size afloat, famously beating the fastest steamship afloat and doing the Australia to UK run in 67 days. At the time, getting tea from Asia to Europe at high speed was economically important and so there was pressure from the tea companies to get the fastest ships (so they weren't built just for the fun of it, or to show off the technology, but because of the economic imperative).

What's the point of bringing this up? Well, it makes the point that the fastest sailing ship was built after the steamships arrived. In Christopher Freeman and Francisco Louca's "As Time Goes By: From the industrial revolutions to the information revolution" they note that:

However, it had taken a fairly long time for the steamship to defeat competition from sailing ships, which also began to use iron hulls. The competitive innovations in sailing ships are sometimes described to this day as the 'sailing ship effect', to indicate this possibility in technological competition for a threatened industry.

In the long run, the sailing ships vanished, except for leisure, and the steamships took over. But when the steamships first came on to the scene they stimulated a final burst of innovation from the sailing ship world, which was then stimulated into building some great ships as a kind of "last hurrah".

Source: Historic Naval Ships Association (2004).

Perhaps we should look at the Citi initiative as the "last hurrah" of the magnetic stripe. I bumped into our good friend Adrian Cannon from Edgar Dunn while I was writing this, and he summed it up as "a very complicated way to achieve a partial answer" to the problem of card security, which strikes me as an accurate description.

Unprotected text

[Dave Birch] When I checked in to PayPal X "Innovate 2010" I was given a free "Bling Powered by PayPal" sticker with a free $10 on it to spend at local merchants (such as the diner round the corner). Hurrah!


A helpful young chap explained to me that I had to text the sticker number to 78787 to activate it, so I did, and then I got this puzzling response.


I showed it to the chap, and he explained to me that Bling and PayPal are discriminating against foreigners and that the short code only works if you have an American phone number: if you have an international phone number, you have to pay for your own breakfast at the diner! Fair enough: there is a bit of backlash against immigrants in the US at the moment. But they should have told me before I texted my Bling sticker number to a UK "dating" service. I just got this message…


Unlike e-mail, there's no junk filter for text so I can't put this number onto a kill list or send the messages into junk mail automatically. I hope my wife is reading this.
