Victoria Saporta, BoE executive director for prudential supervision, has said recently that minimum resilience requirements should be required for the tech giants’ (and others’) hosting services, before they may process and store banking data. We strongly support these comments. We have identified this issue as one of a number of new risks arising from modern financial systems architecture, in recent Structured Risk Analyses that we have carried out for financial and retail organisations in North America, Asia-Pac and EMEA.
For the third year running, my colleague Gary Munro facilitated a thought-provoking debate around the use of mobile phones and tablets as contactless payment terminals during last week’s virtual Merchant Payments Ecosystem (MPE) conference. For the last three years, Gary and his panellists have tracked the progress of the SoftPOS technology and standards. The three key messages that I took away from this year’s conversation were that:
This weekend marks an anniversary. Although Consult Hyperion’s romance with smart cards had started many years before that, it will be fifteen years on Sunday that chip and PIN went live in the UK. I remember St. Valentine’s Day 2006 as if it was yesterday!
A couple of weeks ago I wrote a piece for our friends at Smartex; ‘Brexit and the UK Finance’s proposed £100 contactless limit’. Perhaps a title more worthy of grabbing readers would be ‘Will Brexit make stealing bank cards attractive again?’
The pandemic has accelerated consumer behaviour that has been teetering for the last decade. The desire for contact-free (and therefore contactless) transactions has produced a significant trend of consumers becoming comfortable with tapping their cards and, perhaps more interestingly, their phones (devices/wearables). We’ve seen merchants switch from hand-scribbled ‘cash only’ signs to ‘please use cards (devices etc.) wherever possible’. Some stores have rejected cash altogether.
For most of us 2020 isn’t going to be a year to linger fondly in the memory. It’s been a monumental slog in the face of grim news and little cheer but from a payments perspective we’ve seen an unsurprising surge in interest in all things payment related.
People have moved from cash to electronic payments – contactless transaction numbers have soared. People moved from face to face purchases to online. And, there’s been a ton of stress on payment systems as people have demanded refunds for holidays and flights they couldn’t take due to various travel restrictions. It’s been a year like never before.
We can expect this to be exacerbated over what will likely be an extended Black Friday and Christmas holiday shopping period. Online payments are expected to grow even though economies are in recession. For us in Europe it’s the last hurrah before PSD2 requirements on strong customer authentication come into force on January 1st. Merchants and payment companies will be well staffed on New Year’s Eve as they wait to see how the systems hold up, and what sort of abandonment figures they’ll see as puzzled customers are presented with confusing authentication screens. We can probably expect a flood of concerned calls about “phishing” that are actually Strong Customer Authentication requests.
At Consult Hyperion we’re always interested in the latest news in cyber security and, in case you haven’t heard, 2018 has started with the news that most processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and are caused by common optimisations built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it could affect any operating system. It’s likely the machine you’re reading this on is affected – whether it’s running Windows, macOS, iOS, Android or is in “the cloud”!
At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS). This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets which may include passwords, keys or possibly payment data, present in processor caches or memory.
I’m not going to discuss how the vulnerabilities achieve what they do (there are plenty of sites that attempt to do this); rather, I’d like to consider their impact on people, such as our clients, who may be handling sensitive data on mobile devices – e.g. payments, banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.
So, what can be done about it? The good news is that whilst the current processors cannot be fixed, several operating system patches have already been released to try and mitigate these problems.
However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the issue has changed from it only affecting Intel processors, to now including AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, there may be additional vulnerabilities discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.
It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:
1. You must have a vulnerable processor
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device
For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.
Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.
For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.
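Point 2 is something a defender can verify rather than assume. The following is an added example, not code from the original post or from Consult Hyperion: on Linux (kernel 4.15 and later), the kernel reports its own view of each known CPU vulnerability, and whether a mitigation is active, as one file per issue under /sys/devices/system/cpu/vulnerabilities/. The script reads that directory when it exists and otherwise falls back to a constructed sample (the sample values are mine, written in the same formats the kernel uses), then classifies each entry as mitigated, vulnerable, not affected or unknown, so that an unpatched host can be flagged in a fleet check.

```python
"""Summarise the Linux kernel's reported Meltdown/Spectre mitigation status.

Added example for this post; it is not Consult Hyperion code. Kernel 4.15+
exposes one file per known issue under the directory below, e.g.
"meltdown", "spectre_v1", "spectre_v2", each containing a status string.
"""
from pathlib import Path
from typing import Dict, List

# sysfs directory the Linux kernel uses to report CPU vulnerability status
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Map a kernel status string to a coarse category.

    The kernel's strings start with one of a few fixed prefixes, e.g.
    "Not affected", "Mitigation: PTI", "Vulnerable", "Vulnerable: No microcode"
    or "Unknown: Dependent on hypervisor status".
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: Path = VULN_DIR) -> Dict[str, str]:
    """Read every status file in the sysfs directory; empty dict if absent."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


def summarise(entries: Dict[str, str]) -> Dict[str, str]:
    """Classify each issue name -> category."""
    return {name: classify(status) for name, status in entries.items()}


def unmitigated(summary: Dict[str, str]) -> List[str]:
    """Issues the kernel says this host is exposed to with no mitigation."""
    return sorted(name for name, cat in summary.items() if cat == "vulnerable")


# Constructed sample (not captured from a real host) in the kernel's formats:
# one patched issue, one unpatched, one the CPU is not affected by.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "l1tf": "Not affected\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    data = live if live else SAMPLE
    source = "live sysfs" if live else "constructed sample"
    summary = summarise(data)
    for name in sorted(summary):
        print(f"{name:<12} {summary[name]:<13} {data[name].strip()}")
    missing = unmitigated(summary)
    print(f"[{source}] unmitigated: {missing if missing else 'none'}")
```

On a patched host every entry should read as mitigated or not affected; any "vulnerable" entry means the OS-side mitigation for that issue is absent, which is exactly the condition point 2 describes. Note the kernel reports only issues it knows about, so a clean result says nothing about vulnerabilities discovered after the kernel was built.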
A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android – for example, Google’s latest information (https://developer.android.com/about/dashboards/index.html, obtained 5th January 2018, which represents devices accessing the Google Play Store in the prior 7 days) shows that the three most widely used versions, accounting for 81% of devices in use, break down as follows:
• 25% are running Nougat (v7.x, released August 2016)
• 30% are running Marshmallow (v6.0, released October 2015)
• 26% are running Lollipop (v5.x, released November 2014).
It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.
If you compare this to iOS, it’s estimated (https://data.apteligent.com/ios/) that, less than a month after it was released in December 2017, over 75% of iOS devices were already running iOS 11.
Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers: these applications should already include protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.
If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving on to the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system – something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack to have been possible, let alone something which needs to be actively mitigated.
The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.
Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.
Magnetic stripe dongles are effectively given away: their cost is refunded through reductions in the fees levied against the initial transactions, and their power is drawn from the phone when they are inserted in the audio port. Chip & PIN dongles are more complex and so more expensive, requiring their own power supply or battery. The business case to subsidise the additional cost of these devices through reductions in transaction fees is more challenging.
The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.
Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.
So, the challenge is: can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?
There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.
So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.
People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!
How are mobile payments getting on in the UK? According to the most recent figures from Transport for London, mobile phones now account for about 8% of their contactless transactions, so clearly there are plenty of people who already use the phone in their hand rather than reach for the card in their pocket. Yet as many commentators have observed, out in the wider world — whether AndroidPay or Tesco PayQiq, PayM or Barclaycard Mobile — mobile payments seem to be facing something of a struggle to become mainstream.
With Consult Hyperion’s annual Tomorrow’s Transactions Forum coming up this week, we asked our good friends at Crescendo to use their array of clever Twitter sentiment analysis tools to give us an up-to-the-minute snapshot of the UK. They found that in conversations about mobile payments (which are dominated by Apple Pay, accounting for almost four-fifths of the conversations) there are roughly twice as many negative conversations as positive ones! Now that might be because people are quick to vent on Twitter when something doesn’t work properly but slower to praise when it does (I’m certainly guilty of this), but if we take the sentiment analysis at face value it seems to show that customers by and large like mobile payments when they work but are frustrated with the experience because it just doesn’t work the way it should and where it should.
There are a variety of reasons for this, ranging from gaps in the training of checkout staff to a failure of education (most people still don’t realise that the £30 limit that applies to contactless cards does not apply to contactless mobile payments so you can use your phone for your weekly shop) and confusion about acceptance (in some shops, for example, you can pay by contact with some cards but not pay with those same cards using mobile contactless).
Now, mobile payments are not all about mobile contactless. They are about mobile-initiated transfer of money from one account (the consumer’s) to another account (the merchant’s). And while we use cards for this now (except in Starbucks where we all use our app), with PSD2 on the horizon and MasterCard’s purchase of VocaLink we can certainly expect to see more direct-to-account credit transfers in the consumer marketplace. So we asked Crescendo to see if there’s any talk around this. They found that right now those conversations are dominated by Barclays PingIt and, while the negative comments still outweigh the positive comments, it is, rather interestingly, by a much smaller margin than for mobile contactless. I wonder if this is perhaps a weak signal that mobile payment apps will be more popular than mobile contactless taps?
Does any of this matter? Perhaps the way that mobile payments work now isn’t much of a guide to the way they will work in the future. Maybe tapping on things, whether a card or a phone or a wristband or anything else is all a bit last year? Maybe it doesn’t matter whether people tap phones or cards because in time all payments will be going in-app (or in-browser) and that’s where we should be focusing for the future. The web’s standard body, the World-Wide Web Consortium (W3C), is currently working on a standard for these payments and this will likely hasten the physical and virtual convergence.
You can hear about the status of the standardisation process from the W3C themselves at the 20th annual Consult Hyperion Tomorrow’s Transactions Forum in London this week. Oh, and you’ll hear all about the status of PSD2, the future for mass market payments, financial inclusion, innovative uses of the blockchain, privacy, the Internet of Things, transit payments and much else besides.
At this point I would normally implore you to head over to our web site to score a ticket for this unique event. But there’s no point today because all the tickets have been sold and there are no places left. If you’re one of the lucky few with a delegate place, see you Wednesday.
Down at the PayExpo Middle East and North Africa (MENA) in Dubai this year, I saw an excellent presentation from Uber India. One of the most interesting things I learned was that because most Indian Uber rides are paid for in cash, the Modi government’s radical experiment in currency reform hit them hard. As cash vanished from circulation, so there was a downturn in business.
That was bad news for the Uber drivers who need to drive to survive, but I’m still of the general opinion that the Indian push for a “less cash” (as opposed to cashless) economy makes sense, even for people who are poor, as many in India are. A couple of years ago, I wrote about the misguided view that cash is good for the less well-off. It is not.
People who live on the margin get screwed by cash.
This was a comment on a story about counterfeiting, and I concluded it by noting an interesting problem that I had not previously heard about, which was about sex workers being swindled through counterfeit cash:
In a country where counterfeits are widespread, it is obviously the marginalised groups trapped in the cash economy who are the big losers.
India’s experiment with demonetisation has accelerated the evolution of the retail payments environment not only for Uber but also for those marginalised people in the less-regulated parts of the Indian economy. As you will recall, with high-value banknotes, more than four-fifths of the cash in circulation, vanishing, many different parts of the Indian economy have been affected and, clearly, groups dependent on cash will have been hit hardest.
From the time the notes of the denominations of Rs 500 and Rs 1000 ceased to be legal tenders, the number of customers visiting the red-light area have dwindled to negligible numbers.
The response of at least one group of such marginalised people will have gladdened the heart of Mr. Modi and other advocates of cash-free commerce (e.g., me). They moved quickly to adopt new technology.
Commercial Sex Workers offering services at Nagpur’s Redlight area Ganga Jamuna have started offering [sex] in exchange for payments made through Paytm.
Yes, mobile payments. There is no reason why mobile payments cannot step in to the breach and take over from cash and, as I constantly opine, deliver something better to the poor, since it is the poor whose money is lost and stolen, it is the poor who cannot pay remotely for better deals and it is the poor who cannot be paid efficiently.
[sex workers said] we have also adapted to the changing times and have adopted the newer mode of payments for the services. They opined that this will also prevent the customers from getting their cash looted by unscrupulous elements who dwell in these disreputable lanes (Badnaam Gali) of Ganga Jamuna area.
Note that last sentence. Getting rid of cash will make people safer. So not only will these marginalised people no longer have to worry about counterfeiting or the value of foreign currency, but their money will be stored more safely.
I was in Dubai to take part in a fun end-of-event discussion about the coming year for fintech, so I took the first three predictions from the Consult Hyperion “Live Five” for 2017 and shared these with the audience. Then I took the first three cakes, and shared them with me.
I hope I’ll be asked back next year and called to account!
We are all still processing the data coming in from India’s radical experiment with money, and I still think that it is way too soon to pass any judgement at all on whether the experiment has been worthwhile or successful, but it is interesting to see some of the immediate effects of the government’s policy of de-monetisation. For example, fish.
Modi’s surprise announcement wiped out 86% of the nation’s currency overnight, leaving the vendors at Panjim’s fish market to suffer heavy losses. “Nobody has cash, so they’re not buying fish.”
The headline, of course, sets up a slightly false dichotomy because the choice facing the Goan fish market traders is not cash or credit card but cash or an electronic substitute for cash. And it gives me an excuse to post a picture of me in Goa, because I just read an article that said that blog posts with pictures have more of an impact than text-only ones.
A completely irrelevant picture of me in Goa.
Now, as it happens, the local government in Goa has already decided that the future lies beyond cash and very shortly those fish traders (as well as absolutely everybody else) will have a substitute.
From January, Goa’s government has announced that the city will go “cashless”, meaning every street vendor, rickshaw driver and shopkeeper must offer their customers the option to pay using a debit card or mobile phone.
Is it possible to imagine Goans buying fish without cash? Well, yes. Look at Kenya, where there are now more than 33 million mobile money users and 174,000 mobile agent locations. The most recent figures from the Central Bank of Kenya (CBA) show an astonishing trend. From February 2013 until September 2016, the number of monthly M-PESA transactions almost tripled, going from 53 million to 131 million, while the number of card transactions fell from 34 million down to 18 million. Yes, you read that correctly. While mobile money use was tripling, card use was halving. I am told by reliable sources that one of the key reasons for this, apart from M-PESA now being accepted at some 150,000 retail outlets in a country with only around 10,000 card terminals, is that when it came time to re-issue EMV cards for Kenyan bank customers, the customers had to go to their local branch, with identification, and stand in line to get their new card. Many of them just didn’t bother, especially since they had already started to use mobile money instead of cards.
Central Bank of Kenya statistics show a decline in the use of credit and debit cards, despite the number of Kenyans holding them rising.
Anyway, the point is that an astonishing 96% of Kenyan households now have at least one M-PESA user. That means, to all intents and purposes, that mobile money is an alternative to cash. That’s not to say that the cards guys are taking it lying down. They can read the papers just as well as I can, and so they have begun to look at alternatives to the dip, tap or swipe at point of sale and are investigating more mobile-centric alternatives.
Visa has entered into partnership with Ecobank to roll out “mVisa,” an innovative mobile payment service, in 33 African markets by year-end. mVisa enables consumers to pay for goods and services for their everyday expenses, from groceries to taxi services, by simply scanning a QR code on a smart phone or entering a merchant identification number into their feature phones.
From Mobile Money Africa
The Kenyan banks are also preparing to launch an instant payments switch so that Kenyans with bank accounts can send money to one another instantly using their mobile phones so at some point in 2017 there will be bank-account, payment-account and card-account competition in the marketplace, which should be great for users.
The Kenya Bankers Association (KBA) yesterday unveiled Integrated Payments Service Limited (IPSL) — the company that will facilitate direct transfer of money between banks without going through M-Pesa.
The M-PESA figures are fascinating and they show just how effective a mobile solution can be. So how come India didn’t have this kind of mobile infrastructure in place before the government decided to de-monetise? It’s not because Indians don’t have phones, don’t have entrepreneurs, don’t have programmers and don’t have users who would prefer mobile solutions. They have all of these. What they didn’t have, until recently, was a regulatory platform to build on. This began to change last year when the RBI licensed 11 “payment banks” to provide competition and the National Payment Corporation of India launched their Universal Payment Interface (UPI). I said at the time that I thought these moves would grow the sector.
I am sure that the competition and innovation that these non-banks will bring to the Indian market will lead to a pretty rapid increase in the use of mobile financial services there
Mobile is the future of fish purchases as far as I can see. The most commonly used mobile wallet in India, Paytm, saw its volumes pretty much double (to around 7m transactions per day) following the withdrawal of the bank notes, and I’m sure new services from the payment banks will help such mobile plays to continue to grow. However, the first of those payment banks only went into operation about a week before the de-monetisation, so they didn’t really have much of a chance to make an impact. Hence my thinking that it may have been better for India to have waited until the more flexible regulatory regime had begun to bear fruit. I’m going to blog in more detail about the Indian experiment as more data comes in, but I just wanted to put down a marker here to make the point that, given the appropriate regulatory infrastructure, I think the evidence is clear that mobile phones do indeed provide a viable alternative to cash.