Living abroad, with tokens

digital wallet app on smartphone

Living abroad, with tokens.

I have just completed a three-month stint building our business in Australia, and expect to return for a similar period in the near future. How were payments, for me? The first thing to note (to coin a phrase) is that I used no cash whatsoever and don’t recall seeing anyone else either. All retail payments, including transport payments (don’t knock commuting if you’ve never travelled to work on the Manly ferry), were via my Apple Watch, so no PINs, either. (Australia is online PIN, so if you do use an old-fashioned card, you’re unlikely to ever have to insert it into a reader.)

Of course, virtual cards, as wielded by (for example) Apple Pay and Google Pay, present tokens (Device PANs) as an alias for the Primary Account Number (PAN). This ensures that the issuer is able to block fraudulent transactions that could present the Device PAN from somewhere other than the relevant wallet (for example, during a standard e-commerce checkout).

Living and working abroad for three months requires payments for things beyond the usual touristic or business travel items—for example, rent and utility bills. Credit cards are not particularly well suited to many of these payments, with the requirement for recurring (and, sometimes, variable) payments, returnable deposits and so forth. Further, in Australia, it is standard practice for credit card payments for these kind of transactions to attract hefty surcharges. And, of course, forex charges and spreads apply.

What would have been better, would have been to have an Australian bank account and use all the domestic money transfer facilities. The trouble was, I didn’t have much idea of eligibility criteria (such as long-term residency) or how long KYC checks would take (especially without an Australian Tax File Number or driving licence, etc). Fortunately, there is a partial solution.

A number of fintechs (I used Wise) enable you to set up an account in your home country and then create (or have created, automatically) linked accounts in many other countries. Thus, I acquired an Australian BSB (Bank-State-Branch, equivalent to UK Sort Code or US/CAN Routing Number) and Account Number, exactly as any long-term resident.

In essence, the BSB/Account Number combination is a token representing my (UK-based) relationship with Wise. Just like a Device PAN, it enables a class of transactions, using a convenient digital representation; and also limits the scope of transactions; e.g. preventing anyone misusing the token from raiding my Sterling or US dollar funds.

One current limitation is that I cannot use the Australian bank details to set up a further level of indirection, that is, to use an Australian PayID, which would enable me to use a convenient handle, such as my mobile number, in place of hard-to-remember bank details (and, in fact, enable account portability). As well as providing more convenience, like other forms of token, this improves security, by making it less likely that someone impersonating me, and requesting payment, can pass off bank details which they control.

It would be nice to go one further step, which would be to use PayTo, the service set up by Australian Payments Plus, using the New Payments Platform (NPP), to manage payment relationships via mobile apps provided by banks and fintechs. I hope Wise (and others) are working on that. Then, a digital nomad could truly fit in!

Finally, a related grouch: I was frustrated, on a number of occasions, by useful apps not being available to people, demonstrably present in the relevant country, with an Apple ID associated with a different country. One example was my mobile provider; the obvious way to top up an account would be via their app, on a phone carrying their SIM, one would have thought. It was not to be, unfortunately. The same issue occurred with a government app and a newspaper app. Conceivably, I could have created an additional Apple ID or temporarily changed my residence details on the existing Apple ID. You’ve got to me braver than me to do that!

Defending secure applications against Jedi mind tricks

man people woman connection

Here at Consult Hyperion, we are often involved in design implementation and testing of secure systems on devices such as smart cards and mobile phones for payments, banking and other applications where security is critical.

Big Tech, Financial Data … and resilience for critical infrastructure

black android smartphone showing instagram and gmail application

Victoria Saporta, BoE executive director for prudential supervision, has said recently that minimum resilience requirements should be required for the tech giants’ (and others’) hosting services, before they may process and store banking data. We strongly support these comments. We have identified this issue as one of a number of new risks arising from modern financial systems architecture, in recent Structured Risk Analyses that we have carried out for financial and retail organisations in North America, Asia-Pac and EMEA.

Building SoftPOS – not as easy as you think.

selective focus photography of person holding iphone displaying white screen

For the third year running, my colleague Gary Munro facilitated a thought-provoking debate around the use of mobile phones and tablets as contactless payment terminals during last week’s virtual Merchant Payments Ecosystem (MPE) conference. For the last three years, Gary and his panellists have tracked the progress of the SoftPOS technology and standards.  The three key messages that I took away from this year’s conversation were that:

Chip and PIN? Remember that?

three red roses

This weekend marks an anniversary. Although Consult Hyperion’s romance with smart cards had started many years before that, it will be fifteen years on Sunday that chip and PIN went live in the UK. I remember St. Valentine’s Day 2006 as if it was yesterday!

Will Brexit make stealing bank cards attractive again?

black payment terminal

A couple of weeks ago I wrote a piece for our friends at Smartex; ‘Brexit and the UK Finance’s proposed £100 contactless limit’. Perhaps a title more worthy of grabbing readers would be ‘Will Brexit make stealing bank cards attractive again?’

The pandemic has accelerated consumer behaviour that has been teetering for the last decade. The desire for contact-free (and therefore contactless) transactions, has meant a significant trend in consumers becoming comfortable with tapping their cards and perhaps more interestingly, their phones (devices/wearables). We’ve seen merchants switch from hand scribbled ‘cash only’ signs, to ‘please use cards (devices etc) wherever possible’. Some stores have completely rejected cash altogether.

Black Friday, Cyber Christmas, and a Contact-Free New Year

paper bags near wall

For most of us 2020 isn’t going to be a year to linger fondly in the memory. It’s been a monumental slog in the face of grim news and little cheer but from a payments perspective we’ve seen an unsurprising surge in interest in all things payment related.

People have moved from cash to electronic payments – contactless transaction numbers have soared. People moved from face to face purchases to online. And, there’s been a ton of stress on payment systems as people have demanded refunds for holidays and flights they couldn’t take due to various travel restrictions. It’s been a year like never before.

We can expect this to be exacerbated over what will likely be an extended Black Friday and Christmas holiday shopping period. Online payments are expected to grow even though economies are in recession. For us in Europe it’s the last hurrah before PSD2 requirements on strong customer authentication come into force on January 1st. Merchants and payment companies will be well staffed on News Year Eve as they wait and see how the systems will hold up, and what sort of abandonment figures they’ll see as puzzled customers are presented with confusing authentication screens. We can probably expect a flood of concerned calls about phishing which are actually Strong Customer Authentication requests.

Who would have ex-Spectre-d this?

At Consult Hyperion we’re always interested in the latest news in cyber security and in case you haven’t heard, 2018 has started with the news that the most processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and are caused by common optimisations built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it could affect any operating system. It’s likely the machine you’re reading this on is affected – whether it’s running Windows, Macs, iOS, Android or is in “the cloud”!!

At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS). This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets which may include passwords, keys or possibly payment data, present in processor caches or memory.

I’m not going to discuss how the vulnerabilities achieve what they do (there’s plenty of sites which attempt to do this), however I’d rather consider its impact on people, such as our clients, who may be handling sensitive data on mobile devices – e.g. payments, banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.

So, what can be done about it? The good news is that whilst the current processors cannot be fixed, several operating system patches have already been released to try and mitigate these problems.

However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the issue has changed from it only affecting Intel processors, to now including AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, there may be additional vulnerabilities discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.

It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:

1. You must have a vulnerable processor (highly likely)
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device

 
For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.

Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.

For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.

A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android – for example, Google’s latest information (https://developer.android.com/about/dashboards/index.html – obtained 5th January 2018 and represents devices accessing the Google Play Store in the prior 7 days) shows that for the top 81% of devices in use:

• 0.5% of devices are running the latest version of Android – Oreo (v8.0, released August 2017)
• 25% are running Nougat (v7.x, released August 2016)
• 30% running Marshmallow (v6.0, released October 2015)
• 26% running Lollipop (v5.x, released November 2014).

 
It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.

If you compare to iOS, it’s estimated (https://data.apteligent.com/ios/) that less than a month after it was released in December 2017, over 75% of iOS devices are already running iOS 11.

The final requirement is Point 3 – getting malicious code onto your device. This could be via a malicious application installed on a device, however, the malicious code could also come via a website as it’s been shown that even JavaScript sandboxed in a browser can exploit these vulnerabilities. As its not unheard of for legitimate websites to unwittingly serve up 3rd-party adverts which contain malicious code, a user doesn’t have to be accessing malicious websites for the problem to occur. Several browsers are receiving patches to try and prevent Meltdown and Spectre working via this route. Regarding malicious applications, we’d always recommend that applications are only ever installed from legitimate sources, however malicious apps still regularly appear in legitimate app stores, so this is not fool-proof.

Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers – these applications should already be including protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.

If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving onto the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system – something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack to either have been possible, let alone something which needs to be actively mitigated.

The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices

 

The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away; their cost refunded through reductions in the fees levied against the initial transactions; their power derived from the phone, when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is; can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

Does it matter if people tap their phones or not?

How are mobile payments getting on in the UK? According to the most recent figures from Transport for London, mobile phones now account for about 8% of their contactless transactions, so clearly there are plenty of people who already use the phone in their hand rather than reach for the card in their pocket. Yet as many commentators have observed, out in the wider world — whether AndroidPay or Tesco PayQiq, PayM or Barclaycard Mobile — mobile payments seem to be facing something of a struggle to become mainstream.

With Consult Hyperion’s annual Tomorrow’s Transactions Forum coming up this week, we asked our good friends at Crescendo to use their array of clever Twitter sentiment analysis tools to give us an up-to-the-minute snapshot of the UK. They found that in conversations about mobile payments (which are dominated by Apple Pay, accounting for almost four-fifths of the conversations) there are roughly twice as many negative conversations as positive ones! Now that might be because people are quick to vent on Twitter when something doesn’t work properly but slower to praise when it does (I’m certainly guilty of this), but if we take the sentiment analysis at face value it seems to show that customers by and large like mobile payments when they work but are frustrated with the experience because it just doesn’t work the way it should and where it should.

There are a variety of reasons for this, ranging from gaps in the training of checkout staff to a failure of education (most people still don’t realise that the £30 limit that applies to contactless cards does not apply to contactless mobile payments so you can use your phone for your weekly shop) and confusion about acceptance (in some shops, for example, you can pay by contact with some cards but not pay with those same cards using mobile contactless).

Now, mobile payments is not all about mobile contactless. It’s about mobile initiated transfer of money from one account (the consumer’s) to another account (the merchant’s). And while we use cards for this now (except in Starbucks where we all use our app), with PSD2 on the horizon and MasterCard’s purchase of VocaLink we can certainly expect to see more direct-to-account credit transfers in the consumer marketplace. So we asked Crescendo to see if there’s any talk around this. They found that right now those conversations are dominated by Barclays PingIt and while the negative comments still outweigh the positive comments it is, rarther interestingly, by a much smaller margin than for mobile contactless. I wonder if this is perhaps a weak signal that mobile payment apps will be more popular than mobile contactless taps?

Does any of this matter? Perhaps the way that mobile payments work now isn’t much of a guide to the way they will work in the future. Maybe tapping on things, whether a card or a phone or a wristband or anything else is all a bit last year? Maybe it doesn’t matter whether people tap phones or cards because in time all payments will be going in-app (or in-browser) and that’s where we should be focusing for the future. The web’s standard body, the World-Wide Web Consortium (W3C), is currently working on a standard for these payments and this will likely hasten the physical and virtual convergence.

You can hear about the status of the standardisation process from the W3C themselves at the 20th annual Consult Hyperion Tomorrow’s Transactions Forum in London this week. Oh, and you’ll hear all about the status of PSD2, the future for mass market payments, financial inclusion, innovative uses of the blockchain, privacy, the Internet of Things, transit payments and much else besides. 

At this point I would normally implore you to head over to our web site to score a ticket for this unique event. But there’s no point today because all the tickets have been sold and there are no places left. If you’re one of the lucky few with a delegate place,  see you Wednesday.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.