Building SoftPOS – not as easy as you think.


For the third year running, my colleague Gary Munro facilitated a thought-provoking debate around the use of mobile phones and tablets as contactless payment terminals during last week’s virtual Merchant Payments Ecosystem (MPE) conference. For the last three years, Gary and his panellists have tracked the progress of the SoftPOS technology and standards. The three key messages that I took away from this year’s conversation were that:

Banking is going in-app just like everything else


I very rarely use Internet banking these days and it seems I’m not alone. Almost every interaction with my bank takes place through one of my mobile banking applications: my Barclays banking application, my Barclays PingIt application (which I assume will soon disappear inside WhatsApp and Waitrose and Hailo and so on), my Simple application, my Barclaycard application, my American Express application and so on and so forth. Thinking about it, the only time I can remember using my home banking application in recent times was to search back through transactions to check on some payments on behalf of one of my kids at university and to set up a new payee for Faster Payments. Unusually, I appear to represent the man using the Clapham ISP in this respect, as the latest figures from the British Bankers’ Association show.

The number of internet banking logins made by Brits each day fell last year, as customers continued to migrate to apps, BBA research shows… The number of payments made using banking apps hit 347 million last year, a 54% rise. Internet banking still has the edge here, used for 417 million payments in 2015, but this was up just two per cent.

From Apps crush internet for UK banking logins

The BBC were kind enough to invite me to talk about this on Breakfast TV, because some of the members of the public that they had been talking to expressed concerns about the security of mobile banking. As this is a core area of expertise for Consult Hyperion (in fact, one of the biggest projects that we are working on right now deals with planning, executing and testing mobile app security strategy for one of the world’s biggest banks), I took the opportunity to reassure viewers that not only was mobile banking safe it was, in my opinion, much safer than internet banking. You can watch it here [at 25:50].


There are several reasons for this — the fact that the phone contains a smart card and tamper-resistant memory, the fact that the phone tracks you and (perhaps the most mundane of all) that if you lose your phone you notice fairly quickly — but the main point is that if you carry out any form of methodical risk analysis you will see that the mobile phone in essence offers a bundle of security countermeasures that work to reinforce each other. Of course we must be vigilant, but mobile security is doing OK.

Note also that mobile security extends across other channels: mobile is often used to secure internet login anyway. Right now this is often through the not-very-secure use of text messages but there are initiatives such as the GSMA’s Mobile Connect out there trying to introduce some real security. This is where I expect to see further real innovation in the not too distant future and why I keep posting repetitive tweets about annoying internet logins and anticipating the advent of Apple ID. Since just about everything on the Internet is insecure, the obvious way to improve the security of end applications is to (essentially) ignore the Internet completely in security terms. Just assume that everything sent across the Internet has no defence whatsoever against even the most basic assaults on integrity, confidentiality and availability. In planning terms, assume that the Internet is owned and operated by your nemesis! Thus, everything that goes across the Internet must be encrypted and digitally signed.

If we are going to do this then we need a place to store the private keys that are needed to make the encryption and signing work properly. We can’t store them inside PCs because by and large PCs are just as insecure as the Internet. But since everyone has a smart phone, a rather obvious thing to do is to store keys inside the tamper-resistant storage that the handsets provide. After all, if the “secure enclave” (Apple’s name for the ARM Trusted Execution Environment, TEE) inside your Apple iPhone is safe enough to store payment tokens then it is safe enough to store a variety of the virtual identities that I need to operate in the online world. I’ll blog about how this might work in the banking case later in the week, but at this point I just want to re-iterate what I told the BBC. When it comes down to it, mobile isn’t as secure as the web, it’s much more secure than the web.

“Personal” computers weren’t


Kicking off the session on “Old vs. New P2P” at Mobile Banking & Payments in New York, Steve Kirsch (the CEO of Token) made the strong point that somehow the era of the PC and the Internet left the basic payment “rails” unchanged. For a long time we’ve papered over the cracks — using 3D Secure, PCI-DSS and so on — but with the arrival of the smartphone we could all see that it was time for change. What we may have underestimated is just how big that change will be.

it can still feel natural to talk of the PC as the most fully-featured version of the internet, and mobile as the place where you have to make lots of allowances for limitations of various kinds… I’d suggest that we should think about inverting this – it’s actually the PC that has the limited, basic, cut-down version of the internet.

[From Mobile first — Benedict Evans]

I couldn’t agree more. And in my framing, it’s all to do with identity. The PC was never personal: it didn’t have a SIM. My laptop isn’t mine in the same sense that my smartphone is and, as a consequence, will never be able to deliver as personal a service. Now, I suppose you could argue that it’s silly to talk about smartphones as PCs because they are, after all, phones.

The study also showed that four in ten users could manage without the call-making capability on their handset.

[From Soft cell: 40% of Brits don’t make calls on smartphones – report — RT UK]

I rarely make calls on my smartphone and I rarely answer them either. Unless it’s the police, my CEO or my wife then I’ll let it go to voicemail or hit the “please text me if it’s anything important” button. Calling it a phone is just a figure of speech, like when you say you are going to dial a number to someone who has never seen a phone dial and has no idea why the word “dial” is used in that context.

So what is the smartphone for?

We’ve all seen a thousand conference slides that show the smartphone as a Swiss army knife: calendar, watch, contact book, diary, games console, social media gateway, radio and so on. But if we go back to Benedict’s point, then we can answer the question in a different way. My smartphone is… me. Well, as good as. It’s sort of proxy me.

a smartphone knows much more than a PC did… It can see who your friends are, where you spend your time, what photos you’ve taken, whether you’re walking or running and what your credit card is.

[From Mobile first — Benedict Evans]

We can all see what the consequences are in payments and banking. The practical result of the identity-less PC vs. the proxy-identity smartphone is that when I want to transfer some money or pay a bill, I use my excellent Barclays mobile app. I’ll only use my laptop if I absolutely have to because I have to type stuff in (like setting up a new payee). Conversely, it seems bizarre that when I phone up my bank, or my insurance company, or my airline or whatever else, I’m asked to demonstrate my identity by getting involved in (as I heard someone describe it recently) an episode of Jeopardy hosted by Kafka — OK, Franz, let’s go with “places I have lived” — when they could just ask the other me. The mini-me. The mobile-me.

Similarly, when I go into a bank branch or a retail outlet or a government office, why do they ask me for bits of paper that cannot possibly be verified when they could just ping mobile-me? App pops up on the phone, you put your finger on the sensor, job done. And just as the crucial role of the smartphone in disrupting the payments industry is to take payments, not make them, so the crucial role of the smartphone in disrupting the payments industry is to validate credentials, not present them. Since my mobile-me can check that your mobile-me is real, our mobile world ought to be much safer than our internet world.

Mobile payment is fun, but mobile ID might be indispensable


We hardly notice identity fraud any more. Every day the wires bring more tales of fraud, theft, mischief and mayhem. Our antediluvian identity infrastructure, still based on the pre-industrial infrastructure of paper and signatures, has shifted from being a business irritant to a fundamental barrier to progress.

To my horror, I discovered my savings were nearly wiped out. Over the previous two business days, a woman claiming to be me had used a fake photo ID to make five large, in-person cash withdrawals from different branches of my bank in two faraway states. The largest withdrawal was $4,800; the smallest was $2,400.

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

Now, you might think that this is a little odd. Surely, you would imagine, if someone walks into a bank to draw out a few thousand dollars in cash then the bank would take their identity document and authenticate it — let’s say take their secure microchip on a plastic card and get them to enter a PIN, or take their e-passport and verify via digital signature and online lookup — before doling out the dosh. But apparently not.

Why was it so easy for a petty criminal to get away with so much cash? It doesn’t take many brains to understand that data breaches have created a thriving market for confidential financial information. And modern technology apparently provides the means to create authentic-looking fake IDs… In many of today’s bank branches, it seems in-person transactions still rely heavily on paper and trust. “If the teller feels that the person standing in front of them is indeed the customer, they’ll give out the cash,” several bank employees explained to me. Am I really to believe that with more tools available than ever to detect crime, a major bank relies on employees’ “feelings” to verify customers’ identities?

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

This is indeed puzzling. Not that anyone should be using driver’s licenses as identity documents anyway, since bank tellers and bar bouncers are not anti-terrorist geniuses capable of spotting fake IDs from around the world in an instant — note that if they actually did want to verify these documents properly, they could always use technology to do it (e.g., Au10tix) — when everyone that walks into the bank or the bar is carrying a piece of technology that can easily provide the combination of identification and strong authentication that is more than adequate for business.

Mobile financial services can’t expand fast enough, in my opinion. Though nothing is foolproof, a mobile phone seems like a good starting point for verifying a customer’s identity and immediate physical location

[From Blog: Fighting Fraud Starts with Common Sense on the Front Lines – Paybefore]

If I walk into a branch of Barclays (I can’t off the top of my head imagine why I might do this, but let’s just say) then the Barclays mobile app is more than capable of telling the branch who I am. It seems like an obvious way forward. But there is another reason why a mobile app might be a better basis for establishing identity than a scrawled signature or a trivially-counterfeitable utility bill or whatever: the principle of identity symmetry. When the bank asks your mobile app to authenticate you, your mobile app can simultaneously verify the digital signature on the request so that it knows it is dealing with your real bank. The Secure Enclave that hosts my tokens could also validate other people’s tokens to close the security loop. Ah, you might think, that might apply online but why would you need that in a physical branch? Well,

A Chinese man made thousands of dollars by opening a fake branch of one of the world’s largest banks. The man, whose surname is Zhang, equipped the fraudulent China Construction Bank outlet with card readers, passbooks and three teenage girls at the teller counter. One of the girls posing at the branch near Linyi, Shandong province, was the man’s 15-year-old daughter.

[From Chinese farmer swindles thousands of dollars by opening fake BANK | Daily Mail Online]

Brilliant. I love this story. No-one spotted that this entire bank branch was fake, not until a woman who deposited $6,200 at the fake branch could not withdraw it from a real branch a month later. The managers there spotted the fake deposit and contacted the police!

We can use mobile phones to prevent this kind of thing. But who will do so? Why don’t we all have working mobile ID already, given that the idea has been around for years? The key question is: will the banks and the mobile operators and the handset manufacturers and the platform providers and the government be able to work together to deliver a mobile ID infrastructure just as they did not work together to deliver a mobile payments infrastructure? Assuming the answer is no, then we are relying on Apple to once again perform its sheepdog role of corralling the banks so that the next time I access my bank online, use an ATM, walk into a bank branch or phone the bank from home, I will expect my bank app to pop open on my iPhone and ask for authentication. Once I’ve used TouchID or entered my PIN then I will know that I’m dealing with my real bank web site, ATM, call centre or branch and I’ll be able to get my banking service with a minimum of fuss.
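The “identity symmetry” idea above (and the earlier point that anything crossing the Internet should be signed, with the signing key kept in the handset’s tamper-resistant storage) is easier to see as a concrete exchange. The following is an added example, not code from Consult Hyperion or from any bank: the bank signs a fresh challenge, the app verifies that signature against a bank key pinned at enrolment before it will sign anything back, and the bank consumes each nonce so a captured response cannot be replayed. The message layouts, the `"branch"` label and the in-memory `Device` standing in for a secure element are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)
// Constructed example of "identity symmetry": the bank signs its request and the
// app verifies that signature before it signs anything back. Layouts are assumed.
type AuthRequest struct {
	Nonce   []byte
	Context string // assumed channel label, e.g. "branch", "atm"
	BankSig []byte // bank's signature over context and nonce
}

type AuthResponse struct {
	Nonce     []byte
	DeviceSig []byte // signature by the key resident in the handset
}

// Distinct kind prefixes stop a request signature being passed off as a response.
func signedBytes(kind, ctx string, nonce []byte) []byte {
	return append([]byte(kind+"\x00"+ctx+"\x00"), nonce...)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to do in a demo
	}
	return pub, priv
}

// Bank: long-term signing key plus the nonces it has issued (nonce -> context),
// so that each challenge can be answered at most once.
type Bank struct {
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	issued map[string]string
}
func NewBank() *Bank {
	pub, priv := mustKey()
	return &Bank{Pub: pub, priv: priv, issued: map[string]string{}}
}

// NewRequest issues a fresh, signed challenge for the given channel.
func (b *Bank) NewRequest(ctx string) AuthRequest {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	b.issued[string(nonce)] = ctx
	return AuthRequest{nonce, ctx, ed25519.Sign(b.priv, signedBytes("bank-auth-request", ctx, nonce))}
}

// VerifyResponse accepts only an unconsumed nonce this bank issued, signed by
// the device key enrolled for the customer. Consuming the nonce defeats replay.
func (b *Bank) VerifyResponse(devPub ed25519.PublicKey, r AuthResponse) error {
	ctx, ok := b.issued[string(r.Nonce)]
	delete(b.issued, string(r.Nonce))
	if !ok || !ed25519.Verify(devPub, signedBytes("device-auth-response", ctx, r.Nonce), r.DeviceSig) {
		return errors.New("unknown or already-used nonce, or bad device signature")
	}
	return nil
}

// Device stands in for the app plus the handset's tamper-resistant key store:
// the private key never leaves it, and the bank's key is pinned at enrolment.
type Device struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	bankPub ed25519.PublicKey
}
func NewDevice(bankPub ed25519.PublicKey) *Device {
	pub, priv := mustKey()
	return &Device{Pub: pub, priv: priv, bankPub: bankPub}
}

// Authenticate verifies the bank's signature first and signs nothing for an
// unverified requester (the user's fingerprint or PIN would gate this in a real app).
func (d *Device) Authenticate(req AuthRequest) (AuthResponse, error) {
	if !ed25519.Verify(d.bankPub, signedBytes("bank-auth-request", req.Context, req.Nonce), req.BankSig) {
		return AuthResponse{}, errors.New("request not signed by my bank")
	}
	return AuthResponse{req.Nonce, ed25519.Sign(d.priv, signedBytes("device-auth-response", req.Context, req.Nonce))}, nil
}

// RunScenario returns (genuine bank accepted, look-alike bank refused, replay refused).
func RunScenario() (genuineOK, fakeRejected, replayRejected bool) {
	bank, fake := NewBank(), NewBank() // "fake" has perfectly good keys, just not the pinned ones
	dev := NewDevice(bank.Pub)
	resp, err := dev.Authenticate(bank.NewRequest("branch"))
	genuineOK = err == nil && bank.VerifyResponse(dev.Pub, resp) == nil
	replayRejected = bank.VerifyResponse(dev.Pub, resp) != nil
	_, err = dev.Authenticate(fake.NewRequest("branch"))
	fakeRejected = err != nil
	return
}

func main() { fmt.Println(RunScenario()) }
```

The point of the ordering in `Authenticate` is that the app never puts its device key to work for a requester it has not verified, which is what closes the loop in the fake-branch story: a counterfeit outlet can buy card readers and passbooks, but it cannot produce a request signed under the key the app pinned at enrolment. The pinned key and the consumed-nonce check are the two properties a reviewer should look for in any real implementation of this pattern.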

The ability to recognise each other (as I’ve written many times before) is the fundamental precursor to relationships (and therefore transactions). If there were a cost-effective and convenient mechanism to do this that could be used for governments and citizens to recognise each other, for businesses and consumers to recognise each other and for banks and their customers to recognise each other, we would see an inevitable growth in transactions and open up the virtual world to even more innovation and entrepreneurship. If my “Apple ID” provides a convenient mechanism for mutual recognition in person and on line, it will be indispensable in short order. I am heartily sick of usernames and passwords, account numbers and one-time codes, call centres and secret words and I can’t wait for my mobile to do away with them.

Mobile bypass surgery for banks


There’s something sadly inevitable about Royal Bank of Scotland’s most recent technical breakdown, as thousands of customers are once more denied access to their own money:

Royal Bank of Scotland has suffered another IT fiasco after admitting it could take until the weekend for customers to receive 600,000 payments that failed to enter accounts overnight.

[From RBS could take until weekend to make 600,000 missing payments after glitch]

It’s not a problem specific to RBS though, it’s an industry-wide issue, mostly hidden by harassed technologists desperately trying to shore up unstable systems built out of myopic procurement policies and acquisition-driven integration. The problem is that the majority of the retail payments infrastructure is built on foundations as stable as a British teenager on a booze cruise – and it’s equally unlikely to be improved by simply throwing more money at it. After all, back in 2013, after the last major technical outage, RBS committed to spend:

£450m on top of its £2bn annual IT spend to replace the mainframe that failed and on new backup.

[From RBS Mainframe Meltdown: A year on, the fallout is still coming]

Partly the problem has been caused by bank executives with little or no understanding of technology, which is not to say that technologists should ever be allowed to run banks, but simply to point out that to all intents and purposes banks today are technology companies. It’s a stunning indictment of regulators that it took the Great Crash of 2007 and 2008 for them to recognize that banking executives ought to possess some knowledge of banking before being allowed to take charge of our cash, but it’s a nagging concern that they don’t require technical expertise among the executive officers of our leading financial institutions.

Unfortunately, while it’s easy to sit on the sidelines and poke sticks into the frenzied ant nests of struggling fintech departments, as politicians and journalists with even less understanding of bits and bytes than the average bank executive are wont to do, it’s entirely another thing to fix the problem. The reality is that retail banking is built on innumerable legacy systems, many of them older than the people who run the banks, integrated together in ways that defy rational understanding or intelligent analysis. The people who know how to run these systems are dying of old age exacerbated, no doubt, by the stress of trying to keep these steam-powered juggernauts going.

However, there may be an answer. Currently we’re seeing an explosion of interest in mobile banking and payments solutions, backed up by tokenization – the replacement of standard card numbers by aliases that can be used only in strictly limited environments. One unintended side-effect of this is to create a parallel retail payments solution, but one that’s built on modern technology, which is designed for adaptation and upgrade, which operates in real-time not in an antiquated batch mode, and which can be maintained by people who are young enough not to know what a mainframe is, let alone have the inclination to go near one.

Of course, this won’t fix the problems overnight – retail banking systems resemble congealed spaghetti, and merely freeing one strand isn’t going to solve everything instantaneously, but it does at least provide a starting point. The problem is that the silo mentality that created these issues in the first place is failing to recognize the possibilities. Yes, mobile payments systems are a great way to drive through new business, but perhaps the real opportunity is for banks to use them to bypass the failing and incredibly expensive legacy system nightmare.

Instead, banks are outsourcing their core business activities to third-parties who are building parallel payments infrastructures – infrastructures that are far more stable and far less likely to break under load. Who would you rather rely on for reliable payment services – Apple or Google or your current bank, resting its withered laurels on an aged and creaking set of systems? Well, we may find out, and soon unless banks seize the opportunity.

Time to get rid of my dongle


I just had to quickly log in to my online banking service to transfer some money to someone who doesn’t have PingIt, yawn. So I had to enter my sort code, account number and name and then use my bank’s 2FA dongle with my chip and PIN card to get a security code to enter in to the web site to log in to create a new payee and then send the money. I have to say that it all worked OK, but in an age of touchID it’s beginning to feel a little tired. While I was doing it, I started to think about the way that I could log in to my USAA account just by looking at my phone.

Biometric log-on is the latest effort by USAA to offer novel solutions to its members. The app is designed to heighten security as well as to improve the overall member experience.

[From Biometrics in Banking – PaymentsJournal]

Logging in by looking at your phone is, just as touchID is, about convenience before it is about security but it certainly does enhance the latter. The way in which different biometrics are combining with the smartphone to create a new security landscape is starting to shape the mass market and it is really interesting to be working with our clients on bringing the technology to market and exploiting it effectively in different sectors.

Voice biometrics, fingerprints, iris scans, and other authentication options are beginning to replace passwords as a means to verify a user’s identity and simplify the login process when banking online or via a mobile device. The key is to provide enhanced security against hackers while improving the overall user experience.

[From Biometrics: Fighting Fraud and Protecting Identity In Banking]

If you are interested in this sort of thing, there’s a terrific lunchtime roundtable on biometrics in banking coming up. It’s organised by the Centre for the Study of Financial Innovation at SWIFT in the City on 11th May. The panelists will be:

  • Rick Swenson, the USAA Executive responsible for Fraud Operational Excellence and Strategic Initiative who will share USAA’s experiences with biometrics and explain why their approach has been so successful.
  • Oran Cummings from MasterCard, who will give an international perspective on the use of biometrics in the financial sector.
  • Keith Gold, formerly with IBM Banking and Financial Services Europe, who has been helping the CSFI to understand the requirements of an ageing population, will talk about the importance of biometrics in the usability toolkit needed for this key segment of bank customers (or, why looking at a mobile phone is easier than remembering a PIN for most of us!).

The usual well-informed and wide-ranging discussion will ensue, with wine and sandwiches for all. Don’t miss this opportunity to learn from Rick while he is visiting the UK. There may be a few places left at this free event, so if you’re interested in seeing how the biometric state of the art is advancing in banking, contact anna@csfi.org for further details and to reserve your place.

It’s time to do away with my dongle


Banks are under pressure to do something about security, so now that everyone has a smartphone it’s probably time to rethink the hodge-podge of measures we have now and standardise around the handset.
