Who would have ex-Spectre-d this?

At Consult Hyperion we’re always interested in the latest news in cyber security and, in case you haven’t heard, 2018 has started with the news that most of the processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and they exploit common performance optimisations (speculative and out-of-order execution) built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it can affect any operating system. It’s likely the machine you’re reading this on is affected – whether it’s running Windows, macOS, iOS, Android or is in “the cloud”!!

At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS), and between one application and another. This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets – which may include passwords, keys or possibly payment data – from memory it should never have been able to access, with the processor cache acting as the side channel that leaks them.

I’m not going to discuss how the vulnerabilities achieve what they do (there are plenty of sites which attempt to do this); I’d rather consider their impact on people, such as our clients, who may be handling sensitive data on mobile devices – e.g. payments, banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.

So, what can be done about it? The good news is that whilst the current processors cannot be fixed in silicon, several operating system patches (and, for some processors, microcode updates) have already been released to try and mitigate these problems.

However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the story has changed from one affecting only Intel processors to one that also includes AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, additional vulnerabilities will be discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.

It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:

1. You must have a vulnerable processor (highly likely)
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device

 
For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.

Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.

For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.
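Whether condition 2 still holds on a particular machine is something you can check rather than assume. Linux kernels from 4.15 onwards (and distribution kernels that backported the change) expose one status file per issue under /sys/devices/system/cpu/vulnerabilities/, each containing a string such as “Not affected”, “Mitigation: PTI” or “Vulnerable”. The script below is an added example and is not part of the original post: it classifies those status strings and can gate a provisioning or compliance check on them. The sample lines are constructed to match that file format and are not readings from any real host; the --live flag and the helper names are the example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): classify the Meltdown/Spectre
# status strings that Linux exposes under
# /sys/devices/system/cpu/vulnerabilities/ (kernel 4.15 and later).
# The SAMPLE block below is constructed to match that file format; it is
# not a reading from any real machine.

# Map one sysfs status string to a short verdict.
classify_status() {
    case "$1" in
        "Not affected")  echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;   # covers "Vulnerable: <detail>" too
        *)               echo unknown ;;
    esac
}

# Read "name=status" pairs (one per line on stdin), print a verdict per
# issue and return 1 if anything is still vulnerable, so the function can be
# used as a gate in a provisioning or compliance script.
check_statuses() {
    rc=0
    while IFS='=' read -r name status; do
        [ -n "$name" ] || continue
        verdict=$(classify_status "$status")
        printf '%-12s %-13s %s\n' "$name" "$verdict" "$status"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Emit the live sysfs entries of this host in the same name=status form.
live_statuses() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "no $dir: not Linux, or kernel older than 4.15" >&2
        return 2
    fi
    for f in "$dir"/*; do
        printf '%s=%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed sample: an affected CPU whose kernel has the Spectre v1
# mitigation but neither page-table isolation (Meltdown) nor retpolines.
SAMPLE='meltdown=Vulnerable
spectre_v1=Mitigation: __user pointer sanitization
spectre_v2=Vulnerable'

# Usage: "sh check.sh --live" queries this host; no flag classifies SAMPLE.
if [ "${1:-}" = "--live" ]; then
    input=$(live_statuses) || exit $?
else
    input=$SAMPLE
fi
if printf '%s\n' "$input" | check_statuses; then
    echo "OK: no issue reported as vulnerable"
else
    echo "ACTION: at least one issue still vulnerable - apply kernel/microcode updates"
fi
```

A “mitigated” verdict only tells you the kernel believes its own countermeasure is active; it says nothing about the browser route discussed below, which needs its own patches.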

A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android – for example, Google’s latest information (https://developer.android.com/about/dashboards/index.html – obtained 5th January 2018 and represents devices accessing the Google Play Store in the prior 7 days) shows that for the top 81% of devices in use:

• 0.5% of devices are running the latest version of Android – Oreo (v8.0, released August 2017)
• 25% are running Nougat (v7.x, released August 2016)
• 30% running Marshmallow (v6.0, released October 2015)
• 26% running Lollipop (v5.x, released November 2014).

 
It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.

If you compare to iOS, it’s estimated (https://data.apteligent.com/ios/) that by the start of January 2018, a little over three months after its release in September 2017, over 75% of iOS devices are already running iOS 11.

The final requirement is Point 3 – getting malicious code onto your device. This could be via a malicious application installed on a device; however, the malicious code could also come via a website, as it’s been shown that even JavaScript sandboxed in a browser can exploit these vulnerabilities. As it’s not unheard of for legitimate websites to unwittingly serve up 3rd-party adverts which contain malicious code, a user doesn’t have to be visiting malicious websites for the problem to occur. Several browsers are receiving patches to try and prevent Meltdown and Spectre working via this route. Regarding malicious applications, we’d always recommend that applications are only ever installed from legitimate sources; however, malicious apps still regularly appear in legitimate app stores, so this is not fool-proof.

Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers – these applications should already be including protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.

If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving onto the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system – something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack possible, let alone something which needs to be actively mitigated.

The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices

 

The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Standards Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away; their cost refunded through reductions in the fees levied against the initial transactions; their power derived from the phone, when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is: can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

Does it matter if people tap their phones or not?

How are mobile payments getting on in the UK? According to the most recent figures from Transport for London, mobile phones now account for about 8% of their contactless transactions, so clearly there are plenty of people who already use the phone in their hand rather than reach for the card in their pocket. Yet as many commentators have observed, out in the wider world — whether Android Pay or Tesco PayQwiq, Paym or Barclaycard Mobile — mobile payments seem to be facing something of a struggle to become mainstream.

With Consult Hyperion’s annual Tomorrow’s Transactions Forum coming up this week, we asked our good friends at Crescendo to use their array of clever Twitter sentiment analysis tools to give us an up-to-the-minute snapshot of the UK. They found that in conversations about mobile payments (which are dominated by Apple Pay, accounting for almost four-fifths of the conversations) there are roughly twice as many negative conversations as positive ones! Now that might be because people are quick to vent on Twitter when something doesn’t work properly but slower to praise when it does (I’m certainly guilty of this), but if we take the sentiment analysis at face value it seems to show that customers by and large like mobile payments when they work but are frustrated with the experience because it just doesn’t work the way it should and where it should.

There are a variety of reasons for this, ranging from gaps in the training of checkout staff to a failure of education (most people still don’t realise that the £30 limit that applies to contactless cards does not apply to contactless mobile payments so you can use your phone for your weekly shop) and confusion about acceptance (in some shops, for example, you can pay by contact with some cards but not pay with those same cards using mobile contactless).

Now, mobile payments are not all about mobile contactless. They are about mobile-initiated transfer of money from one account (the consumer’s) to another account (the merchant’s). And while we use cards for this now (except in Starbucks where we all use our app), with PSD2 on the horizon and MasterCard’s purchase of VocaLink we can certainly expect to see more direct-to-account credit transfers in the consumer marketplace. So we asked Crescendo to see if there’s any talk around this. They found that right now those conversations are dominated by Barclays Pingit and while the negative comments still outweigh the positive comments it is, rather interestingly, by a much smaller margin than for mobile contactless. I wonder if this is perhaps a weak signal that mobile payment apps will be more popular than mobile contactless taps?

Does any of this matter? Perhaps the way that mobile payments work now isn’t much of a guide to the way they will work in the future. Maybe tapping on things, whether a card or a phone or a wristband or anything else, is all a bit last year? Maybe it doesn’t matter whether people tap phones or cards because in time all payments will be going in-app (or in-browser) and that’s where we should be focusing for the future. The web’s standards body, the World Wide Web Consortium (W3C), is currently working on a standard for these payments and this will likely hasten the physical and virtual convergence.

You can hear about the status of the standardisation process from the W3C themselves at the 20th annual Consult Hyperion Tomorrow’s Transactions Forum in London this week. Oh, and you’ll hear all about the status of PSD2, the future for mass market payments, financial inclusion, innovative uses of the blockchain, privacy, the Internet of Things, transit payments and much else besides. 

At this point I would normally implore you to head over to our web site to score a ticket for this unique event. But there’s no point today because all the tickets have been sold and there are no places left. If you’re one of the lucky few with a delegate place,  see you Wednesday.

Red lights for cash

Down at PayExpo Middle East and North Africa (MENA) in Dubai this year, I saw an excellent presentation from Uber India. One of the most interesting things I learned was that because most Indian Uber rides are paid for in cash, the Modi government’s radical experiment in currency reform hit them hard. As cash vanished from circulation, so there was a downturn in business.

Uber India

That was bad news for the Uber drivers who need to drive to survive, but I’m still of the general opinion that the Indian push for a “less cash” (as opposed to cashless) economy makes sense, even for people who are poor, as many in India are. A couple of years ago, I wrote about the misguided view that cash is good for the less well-off. It is not.

People who live on the margin get screwed by cash.

From Cash hits the excluded | Consult Hyperion

This was a comment on a story about counterfeiting, and I concluded it by noting an interesting problem that I had not previously heard about, which was about sex workers being swindled through counterfeit cash:

In a country where counterfeits are widespread, it is obviously the marginalised groups trapped in the cash economy who are the big losers.

From Cash hits the excluded | Consult Hyperion

India’s experiment with demonetisation has accelerated the evolution of the retail payments environment not only for Uber but also for those marginalised people in the less-regulated parts of the Indian economy. As you will recall, with high-value banknotes, more than four-fifths of the cash in circulation, vanishing, many different parts of the Indian economy have been affected and, clearly, groups dependent on cash will have been hit hardest.

From the time the notes of the denominations of Rs 500 and Rs 1000 ceased to be legal tender, the number of customers visiting the red-light area has dwindled to negligible numbers.

From Commercial Sex Workers of Nagpur’s Ganga Jamuna Redlight area offer services for payments made through Paytms – Nagpur Today : Nagpur News

The response of at least one group of such marginalised people will have gladdened the heart of Mr. Modi and other advocates of cash-free commerce (e.g., me). They moved quickly to adopt new technology.

Commercial Sex Workers offering services at Nagpur’s Redlight area Ganga Jamuna have started offering [sex] in exchange of payments made through Paytm.

From Commercial Sex Workers of Nagpur’s Ganga Jamuna Redlight area offer services for payments made through Paytms – Nagpur Today : Nagpur News

Yes, mobile payments. There is no reason why mobile payments cannot step in to the breach and take over from cash and, as I constantly opine, deliver something better to the poor, since it is the poor whose money is lost and stolen, it is the poor who cannot pay remotely for better deals and it is the poor who cannot be paid efficiently.

[sex workers said] we have also adapted to the changing times and have adopted the newer mode of payments for the services. They opined that this will also prevent the customers from getting their cash looted by unscrupulous elements who dwell in these disreputable lanes (Badnaam Gali) of the Ganga Jamuna area.

From Commercial Sex Workers of Nagpur’s Ganga Jamuna Redlight area offer services for payments made through Paytms – Nagpur Today : Nagpur News

Note that last sentence. Getting rid of cash will make people safer. So not only will these marginalised people no longer have to worry about counterfeiting or the value of foreign currency, but their money will be stored more safely. 

I was in Dubai to take part in a fun end-of-event discussion about the coming year for fintech, so I took the first three predictions from the Consult Hyperion “Live Five” for 2017 and shared these with the audience. Then I took the first three cakes, and shared them with me.

Yes, you can have your cake and eat it

I hope I’ll be asked back next year and called to account!

Fish without cash

We are all still processing the data coming in from India’s radical experiment with money, and I still think that it is way too soon to pass any judgement at all on whether the experiment has been worthwhile or successful, but it is interesting to see some of the immediate effects of the government’s policy of de-monetisation. For example, fish.

Modi’s surprise announcement wiped out 86% of the nation’s currency overnight, leaving the vendors at Panjim’s fish market to suffer heavy losses. “Nobody has cash, so they’re not buying fish.”

From ‘Who buys fish with a credit card here?’ Traders scoff at Goa’s bid to ditch cash | World news | The Guardian

The headline, of course, sets up a slightly false dichotomy because the choice facing the Goan fish market traders is not cash or credit card but cash or an electronic substitute for cash. And it gives me an excuse to post a picture of me in Goa, because I just read an article that said that blog posts with pictures have more of an impact than text-only ones.


A completely irrelevant picture of me in Goa.

Now, as it happens, the local government in Goa have already decided that the future lies beyond cash and very shortly those fish traders (as well as absolutely everybody else) will have a substitute.

From January, Goa’s government has announced that the city will go “cashless”, meaning every street vendor, rickshaw driver and shopkeeper must offer their customers the option to pay using a debit card or mobile phone.

From ‘Who buys fish with a credit card here?’ Traders scoff at Goa’s bid to ditch cash | World news | The Guardian

Is it possible to imagine Goans buying fish without cash? Well, yes. Look at Kenya, where there are now more than 33 million mobile money users and 174,000 mobile agent locations. The most recent figures from the Central Bank of Kenya (CBK) show an astonishing trend. From February 2013 until September 2016, the number of monthly M-PESA transactions almost tripled, going from 53 million to 131 million, while the number of card transactions fell from 34 million down to 18 million. Yes, you heard that correctly. While mobile money use was tripling, card use was halving. I am told by reliable sources that one of the key reasons for this, apart from M-PESA being accepted at some 150,000 retail outlets now in a country with only around 10,000 card terminals, is that when it came time to re-issue EMV cards for Kenyan bank customers, the customers had to go to their local branch, with identification, and stand in line to get their new card. Many of them just didn’t bother, especially since they had already started to use mobile money instead of cards.

Central Bank of Kenya statistics show a decline in the use of credit and debit cards, despite the number of Kenyans holding them rising.

From Which payment system is best for when you are drunk? M-PESA! | Consult Hyperion

Anyway, the point is that an astonishing 96% of Kenyan households now have at least one M-PESA user. That means, to all intents and purposes, that mobile money is an alternative to cash. That’s not to say that the cards guys are taking it lying down. They can read the papers just as well as I can, and so they have begun to look at alternatives to the dip, tap or swipe at point of sale and are investigating more mobile-centric alternatives.

Visa has entered into partnership with Ecobank to roll out “mVisa,” an innovative mobile payment service in 33 African markets by year-end. mVisa enables consumers to pay for goods and services for their everyday expenses from groceries to taxi services by simply scanning a QR code on a smart phone or entering a merchant identification number into their feature phones.

From Mobile Money Africa

The Kenyan banks are also preparing to launch an instant payments switch so that Kenyans with bank accounts can send money to one another instantly using their mobile phones so at some point in 2017 there will be bank-account, payment-account and card-account competition in the marketplace, which should be great for users.

The Kenya Bankers Association (KBA) yesterday unveiled Integrated Payments Service Limited (IPSL) — the company that will facilitate direct transfer of money between banks without going through M-Pesa.

From Banks launch firm to take on M-Pesa’s mobile cash dominance – Money Markets

The M-PESA figures are fascinating and they show just how effective a mobile solution can be. So how come India didn’t have this kind of mobile infrastructure in place before the government decided to de-monetise? It’s not because Indians don’t have phones, don’t have entrepreneurs, don’t have programmers and don’t have users who would prefer mobile solutions. They have all of these. What they didn’t have, until recently, was a regulatory platform to build on. This began to change last year when the RBI licensed 11 “payment banks” to provide competition and the National Payments Corporation of India launched their Unified Payments Interface (UPI). I said at the time that I thought these moves would grow the sector.

I am sure that the competition and innovation that these non-banks will bring to the Indian market will lead to a pretty rapid increase in the use of mobile financial services there

From An Indian summer for mobile payments | Consult Hyperion

Mobile is the future of fish purchases as far as I can see. The most commonly used mobile wallet in India, Paytm, saw its volumes pretty much double (to around 7m transactions per day) following the withdrawal of the bank notes and I’m sure new services from the payment banks will help such mobile plays to continue to grow. However, the first of those payment banks only went into operation about a week before the de-monetisation, so they didn’t really have much of a chance to make an impact. Hence my thinking that it may have been better for India to have waited until the more flexible regulatory regime had begun to bear fruit. I’m going to blog in more detail about the Indian experiment as more data comes in, but I just wanted to put down a marker here to make the point that, given the appropriate regulatory infrastructure, I think the evidence is clear that mobile phones do indeed provide a viable alternative to cash.

Don’t judge mobile payments by the way they work now

A few people tweeted and e-mailed to point out how app-centric commerce can be perversely annoying, citing the example of car parking given in this recent British newspaper piece.

The competitive marketplace for cashless parking has resulted in a fragmented and rather irritating experience for motorists

From Cashless parking was meant to make life easier for drivers but our phones are awash with competing apps | Features | Lifestyle | The Independent

Well, I don’t know if I’d go so far as to say “awash”, but I take the point. I’ve got RingGo and PayByPhone on my iPhone right now. I use RingGo the most. It’s super easy and convenient, except for the hello-2013 bit about paying. Although it’s on an iPhone, it doesn’t use Apple Pay. So I had to sod about typing in my credit card details when my new card arrived and every time I use RingGo I have to remember the three digit code from the back of the card (which I do, to be fair, a good four times out of five). If you want to know how an app should work, check out the new Trainline app.

Trainline Pay

Select Apple Pay, thumbprint, done. Why isn’t all in-app purchasing like this? Come to that, why isn’t all purchasing like this? Actually, it soon will be…

Apple Pay is already available to use in stores and on your phone in apps where it’s supported. Now it looks like the service could be expanding to Apple’s Safari browser, making it possible for pretty much any website to add the mobile payment service as a checkout option.

From Apple Pay said to hit the Web soon

I share the writer’s frustration that when you load a new app to do something straightforward like buy a bus ticket or park a car you have to mess about typing in all of your details, getting out your credit card and typing your financial information back into the phone for the 100th time, searching for the app when you need it and all the rest of it. But that’s because all of this stuff is currently built on yonks old web crap. Look at this screen, for example. Why is the Arriva app asking me for this? Why doesn’t it ask my Barclays app? Or use Apple Pay? Or just remember what I typed in last time?

[Screenshot: the Arriva app screen referred to above]

As the example of the Trainline shows, when you build an app properly using the infrastructure that is growing up in the mobile world then it’s a different story. What should happen when you walk up to the car parking machine is that the app should be fired up automatically, either because of Bluetooth beacons in the car park or some other kind of geolocation service, and if you don’t have the app you should be given the option of downloading it quickly and conveniently there and then. When you run the app for the first time it should just look and see if you have Apple Pay or Android Pay or Barclay Pay or Chase Pay or Walmart Pay or Lego Pay or PayPal or whatever else pay and ask you which one you want to use. End of. And when you want to use the app you should never have to put up with the sort of nonsense I do buying a bus ticket, standing in a bus queue trying to type a PAN into a small screen using a tiny keyboard.

“But if you are an online service provider of any kind – whether you are Waitrose or Airbnb – you want to provide the best experience for the customer. “The bit that’s currently the pain is the customer having to fish out their card and look for the number on the back to complete a payment, and these services avoid the need for that.”

From Google to expand Android Pay digital wallet to UK – BBC News

My point, as I said in that BBC news report, is that apps deliver a better and more personalised service to the customer and allow the service provider to deliver a better customer experience around their purchase. What’s more, some of those customers won’t even download apps for casual purchases; they’ll just use bots sitting behind WhatsApp or Facebook Messenger or whatever else it is that the kids of today are using. Imagine going to the car park at Woking station and, instead of running RingGo, just using Messenger to send a message to RingGo instead. The grammar of a car park is pretty limited so it is not that hard to construct a bot to manage the interaction. You don’t need AlphaGo to recognise an end time or “day” or “week” or whatever.

Mobile payments are going to be huge. Don’t visualise the commerce of the future as the half-baked agglomeration of cut-down web interfaces that you have on your phone right now, but the constellation of interacting apps on the infrastructure of the future.

Operators and mobile payments, the one millionth blog post

There was an interesting article in the August edition of E-Finance & Payments Law & Policy from Carlo de Meijer and Jonathan Bye at RBS. It looked at the possibilities for different players in the mobile wallet world, exploring the potential for retailers, banks and handset manufacturers. I couldn’t help but notice that it doesn’t mention mobile operators. Mobile operators, by and large, are finding mobile payments tough.

Norwegian mobile payments service Valyou has been shut down, with owners Telenor, DNB and SpareBank 1 blaming a lack of NFC-enabled payment terminals and support from their fellow banks and telcos for their project’s failure.

[From Finextra: Finextra news: Norwegian mobile payments service Valyou shuts down]

Then I read John Stewart’s article “Dropped Call” in the October Digital Transactions magazine. He writes that many people think that the balance of power in mobile payments has already shifted away from the operators. They still have some power (he uses the example of Verizon Wireless holding out on Samsung Pay) but it is really just negotiating power. He also quotes Juniper Research saying that it is “rather sad if the operator role is to be defined as an inhibiting factor on service providers rather than an enabler”. Incidentally, they also note that “the minute the banks got the opportunity to pursue a model that cut out the operators, which was what host card emulation offered, they took that chance”.

So that’s it for mobile operators then? Well, no. At least, not necessarily. As that Digital Transactions piece goes on to say, the operators might not be done in payments after all. There may be a role for them in critical businesses such as transaction security and user authentication (my emphasis). And some observers argue they could expand their stake in carrier billing as well, so they still have opportunities to do something in the mobile transactions world.

Of these three opportunities, I would say that if you can authenticate the device and authenticate the consumer then you can help everyone else in the value chain to deliver a more secure transaction infrastructure, and that has some value. I rather agree with this line of thinking, and I’ve made similar points before.

The key question is: will the banks and the mobile operators and the handset manufacturers and the platform providers and the government be able to work together to deliver a mobile ID infrastructure just as they did not work together to deliver a mobile payments infrastructure?

[From Mobile payment is fun, but mobile ID might be indispensable | Consult Hyperion]

Maybe I was being a little unkind to the banks and the operators. It could be that in the case of identity, the dynamics will be different and the banks and the operators will find more common ground, where the operators provide the identity infrastructure (i.e., the digital identities and at least one of the virtual identities bound to them, namely the operator identity) and the banks provide the identities (i.e., the binding between the digital identities and mundane identities). Back in 2012, commenting on the GSMA Operator Connect proposal, I said that:

I don’t understand why MNOs don’t provide this service already

[From Mobile identity on the move | Consult Hyperion]

The reason I said that was because in the preceding couple of years, Consult Hyperion had been commissioned, more than once, to look at the potential for mobile operators in the identification and authentication space and we had been involved in a number of discussions on the topic, so I’d already formed the opinion that mobile ID would make sense. In fact, back in 2006, commenting on the Norwegian BankID scheme, I observed that mobile identity was more of a long-term play than mobile payments (because I thought there would be more competitors in the mobile payment space), and went on to note “I said a long time ago that ‘SimID’ might be more profitable than Simpay (*)”.

Well, I don’t want to sound like a broken record but nine years on this is what I’ll be talking about again at the GSMA’s informal workshop on Financial Services in London on Thursday 26th November. Look forward to seeing you there!

(* Note to younger readers: Simpay was an attempt by mobile operators to build their own pan-European low-value retail payment scheme.)

Contactless limits

So the “contactless limit” (i.e., the maximum amount that a contactless no-PIN transaction can be for) went up to £30 today. This is a reflection of the popularity of contactless in the UK. The latest month for which figures are available (June 2015) shows continued strong growth in such transactions.

  • 81.2m contactless transactions were made this month. This is an increase of 9.6% on the previous month and 240.9% over the year. The volume is split between debit (70.7m) and credit / charge cards (10.5m).
  • 259,074 bank-owned terminals are available in the UK where contactless cardholders can make a contactless transaction. This is an increase of 5.6% on the previous month and 35.9% over the year.
  • On average, each contactless transaction is for £6.98. This is split £7.02 on a debit card and £6.73 on a credit / charge card.
[From Contactless statistics]

More was spent on contactless in the first half of this year than the whole of 2014 and that comes after a 300%+ growth in contactless numbers through 2014 itself. The growth is strongest in food and quick-service retail (QSR) as you would expect.

Other sectors leading the growth in contactless include supermarkets and food retailers, which account for 46% of all contactless transactions. The hospitality sector is close behind, with 38% taking place in bars, coffee shops and takeaways. However, the rest of the retail sector has a long way to go, accounting for just 13% of contactless transactions across the UK.

[From Contactless payment transactions pass the magical 1bn mark – Retail Gazette]

One of the reasons for the rise to £30 is use in supermarkets, where the average basket size is (as I understand it) over the existing £20 limit. Just for comparison, in Australia, where the contactless limit is $100 (about £50), more than two-thirds of all supermarket transactions are now contactless, so we still have plenty of room for growth.

Note also that London alone accounts for more than a third of all contactless transactions in the UK, and this is largely because of TfL’s decision to accept contactless credit and debit cards at the gate. That’s also had a knock-on effect for wider usage. I think the dynamic was that lots of people had contactless cards that they hadn’t used, but once they’d used them to get on the bus they began to use them for cups of coffee, then sandwiches, then the supermarket and such like.

According to Barclaycard data, 30% of card payments in London in 2014 were contactless.

[From Contactless payments taking off in the UK in 2015 | Mobile Transaction]

I use my contactless card (well, the contactless sticker on the back of my phone actually) all the time and so I’m very happy to see the limit rise as I find it super convenient to pay in Marks & Spencer with the phone that is already in my hand.

Stickers are the future

It’s fascinating to me that over the decade or so it has taken contactless to reach the mainstream (the first contactless product that Consult Hyperion worked on was in the US more than ten years ago), the relationship between contactless and mobile has always been strong but convoluted. I think we’re now seeing it stabilise, though, and the path from tap-and-pay to app-and-pay is becoming clearer. With Apple Pay strengthening, Android Pay and Samsung Pay launching and the boom in in-app solutions, the limit to contactless growth is no longer inherent conservatism, press scare stories or the continued use of chip and PIN, but its replacement by mobile solutions (to which the £30 limit doesn’t apply anyway).

The user experience will make, or break, mobile payments

Being a keen consumer of baked pastry goods, and having a firm desire to see the pieces of plastic & cardboard in my wallet transferred to my phone, you can understand my excitement when the award-winning Greggs Rewards app was released early in 2014. The app combines the processes of payment, loyalty, and rewards into a single interaction at the point of sale, with a prepaid payment account which can be automatically topped up via credit card or PayPal. In eager anticipation of a tasty lunchtime treat, I therefore ventured out of the office and off to the town centre.

My first expedition ended in disappointment. In order to perform a transaction the customer opens the app, presses the ‘spend now’ button, and receives a dynamically generated token (an eight-digit number) which is to be presented to the POS in the form of a QR code. But… in order to receive the token, I had to have a network connection. Now, whilst there is a very good network connection all the way up to the front door of the store, once through the doors my phone decided to connect to “The Cloud”. For some reason, my phone has an on-off relationship with “The Cloud” and, it appears, its relationship with this particular hotspot is more ‘off’ than ‘on’. No matter, I can turn WiFi off. But what’s this? It appears that my mobile network didn’t share my longing for a sausage roll and decided to only let the GPRS signal through the door. It turns out that GPRS, whilst a revelation 15 years ago, does not offer a particularly suitable channel for today’s mobile apps. Unable to obtain a token, I resorted to my plastic card.

Armed with this knowledge, I anticipated a successful second visit. This time, not only did I press the button to obtain the token before I got anywhere near the store, but I also took a screenshot of the QR code just in case. Ready to pay, and having got past the inevitable learning curve for the checkout operator who hadn’t been shown what to do with this new scheme, I was ready to finally scan my code – except that this store didn’t have any scanners at that time. So instead, I had to enter the eight-digit number on the keypad of the card reader. Happily, once the POS had my token, everything else went smoothly. I had redeemed an offer for a free item, paid for the outstanding items, and had a coffee loyalty purchase recorded, all in a single interaction.

“But hang on,” I remember thinking, “they already accept contactless cards. And I have an NFC phone which can talk to their readers. Wouldn’t it be great if the app could do NFC?”

Well, sixteen months later, and Greggs Rewards has now quietly added support for contactless in its Android app. Full of even more excitement than last February (well, I have been waiting for two years to pay for something by NFC) I headed out.

Having informed the operator that I would be paying with my phone, I was interested to note that she enabled the terminal for ‘card’ payment and not ‘rewards’ payment. Having seen that the app requires at least Android 4.4, and so concluding that it must be using Host Card Emulation (HCE), I was hopeful that this meant that it was seamlessly integrated into the ‘normal’ payment process.

Alas, the terminal was actually expecting a payment card and so the transaction failed. The operator told me that, when I had waved my phone at her, she had automatically assumed it was a contactless payment (which, as an aside, is actually good news for this month’s Apple Pay launch). It turns out that trying to integrate everything into a more seamless experience means impacting the existing card payment certifications, so for now they’re stuck with having to tell the POS what type of payment it should be expecting in advance.

Using the rewards app, even over contactless, still requires the operator to press a special “rewards” button on the POS. This she did, and the contactless reader was ready to read my phone, the barcode reader was ready to scan my QR code, and the terminal was ready for me to type in the number.

Unfortunately, this was the moment my phone decided it no longer wanted to play. With me having accidentally switched apps, on re-opening the Greggs app it decided it needed to connect back ‘home’ again. Because I hadn’t disabled WiFi, I was at the mercy of my phone’s long-term “It’s Complicated” relationship with The Cloud and so unable to provide the token. After disabling the WiFi, restarting the app (which for some reason was complaining that the 4G connection my phone now had was ‘too slow’), inwardly cringing at the complaints from the lengthening queue behind, and ignoring my colleague’s offer to just hand over some cash to get us out of there, I finally performed my first real world NFC transaction and was the proud owner of a free doughnut.

So what can we take away from all this? Firstly, the mobile app must not rely on hardware or OS services that are not absolutely critical. Reliance on network connections is understandable for e-commerce, or for refreshing the app content, but for a POS transaction the app must be able to work without one – even if it is using dynamic tokens. The card schemes have already worked this out and catered for it in their HCE specifications.
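To show how a dynamic token can still be produced with no network connection at the till, here is an added illustration (not the Greggs app’s design, nor any card scheme’s HCE specification): a per-device secret shared during online enrolment lets the app derive eight-digit one-time tokens offline from a counter, while the server verifies each token against a small counter window and refuses replays. The class and function names, the window size and the sample device identifier are all assumptions made for this example.

```python
import hmac
import hashlib
import secrets

# Hypothetical offline token scheme for illustration only.  Online, at
# enrolment time, the server hands the app a per-device secret.  In store,
# the app derives the next eight-digit token from (secret, counter) with no
# network round trip.  The server accepts a token if it matches any counter
# in a short look-ahead window and then spends that counter and everything
# below it, so a token generated but never presented (e.g. a screenshot) is
# skipped, and a token already redeemed is rejected as a replay.


def derive_token(device_secret: bytes, counter: int) -> str:
    """Eight-digit one-time token from (secret, counter); runs on the device."""
    mac = hmac.new(device_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class TokenServer:
    """Issuer side: provisions secrets and redeems tokens presented at the POS."""

    def __init__(self, lookahead: int = 5):
        self.devices = {}          # device_id -> {"secret": bytes, "next_counter": int}
        self.lookahead = lookahead  # assumed window of unredeemed tokens tolerated

    def provision(self, device_id: str) -> bytes:
        secret = secrets.token_bytes(32)  # delivered once over the online enrolment channel
        self.devices[device_id] = {"secret": secret, "next_counter": 0}
        return secret

    def redeem(self, device_id: str, token: str) -> bool:
        dev = self.devices.get(device_id)
        if dev is None:
            return False
        start = dev["next_counter"]
        for c in range(start, start + self.lookahead):
            if hmac.compare_digest(derive_token(dev["secret"], c), token):
                dev["next_counter"] = c + 1  # counters <= c are now spent: replay protection
                return True
        return False  # unknown, stale or replayed token


class OfflineWallet:
    """App side: holds the enrolled secret and mints tokens without connectivity."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id, self.secret, self.counter = device_id, secret, 0

    def spend_now(self) -> str:
        # Assumed: the QR code or keypad entry also carries an account reference
        # so the server knows which device secret to check the token against.
        token = derive_token(self.secret, self.counter)
        self.counter += 1
        return token
```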

Secondly, the payment experience must be seamless. It is frustrating to be a customer trying to explain a company’s mobile offering to the checkout operator, especially when the payment terminals are adorned with collateral advertising that very scheme. “Why,” I ask, wearing the hat of a less well-informed member of the public, “can the till not work out for itself what payment method is being presented to it? I don’t know about payment certifications and the resulting workarounds; I only care that the process is more complicated than it seems it should be.”

Only those of us with an unnatural interest in mobile payments (or a hearty appetite for pasties) will put up with a poor user experience more than once. Normal people will give up and uninstall the app if it doesn’t work flawlessly; the people waiting in the resulting queue – such as the woman behind me who observed that “this is ridiculous” – are unlikely to try it even that once.

App and pay is where it’s at

A few weeks ago, I said that Apple Pay isn’t disruptive (for retail payments) and I made the point that its real impact will be “in-app”. I want to explore and emphasise this point in the light of more recent developments. Specifically…

The big news is that it will expand to the UK market next month

[From Apple Pay to be available in UK – Business Insider]

Apple Pay is coming to the UK. Now, when Apple Pay was first announced in the USA, our basic analysis of it for our clients was that it was an incredibly important development in the payment world, but not because of the use of NFC. The fact that Apple had decided to use tokenisation, we told people, makes tokenisation as big a deal as chip and PIN. It will change the way business gets done, because it brings chip and PIN security to online and mobile transactions. In fact, I bored a number of people on this topic, to the point where it became part of my spoof write-up of Money2020 in Las Vegas last year.

“Well, for the big merchants it’s not about tap-and-pay it’s about app-and-pay” he told Osama Bedier from Poynt.

[From Casino Royale-with-Cheese, Part 7]

At the end of the year, we made “in-app” one of our “live five” areas for our clients to explore in 2015 (along with the blockchain, as it happens) and started trying to persuade people to pay attention to it as an area of massive opportunity.

Much of the discussion around ApplePay, tokenisation, NFC and retail has naturally focused on the “tap and pay” simplicity of the proposition. However, there are lots of reasons for thinking that this will be a sideshow rather than the main event.

[From Live Five for Fifteen]

The good people of the GSMA invited me to Mobile World Congress in Barcelona earlier in the year to explain this point to a general audience, where I predicted that tokenisation would accelerate a shift away from the check out and the conventional POS terminal as the nexus between the consumer and the merchant drifts away from physical space and into the mobile phone.

While much of the talk at the Congress was about what I’ve previously called the “last millimetre” using NFC, RFID (and now Loop) to link the phone to the point of sale (POS) in the store, the really disruptive impact of Apple Pay, tokenisation and strong authentication via mobile would be away from the “traditional” POS, because bringing chip-and-PIN levels of security and convenience to in-app transactions will change the way that we pay pretty quickly.

[From In-app and on-message in Barcelona]

I made exactly this point again a couple of weeks ago, when I was interviewed by the BBC in connection with the UK Apple Pay launch [audio, starts at 30 minutes in]. On the whole, I think Consult Hyperion got a consistent message out to our clients and then to the wider marketplace. But is it the right message?

It is. I was interested to note some comments, by people far more important and influential than I, around the announcement of Apple Pay coming to the UK, comments that might be taken to mean that I may have perhaps been too conservative in my proclamations.

John Collison, one of the cofounders of $3.5 billion (£2.25 billion) payment processing startup Stripe, says this feature, not the contactless mobile payments, is getting businesses most excited… John Lunn, senior global director for the mobile-payment company Braintree, which was bought by Paypal for $800 million (£512.18 million) in 2013, also thinks Apple Pay’s in-app element is the most exciting thing about it.

[From Apple Pay in-app purchase power could be its most important feature, say Stripe, Braintree – Business Insider]

Well, when people like John Lunn, who I can personally testify is a very smart guy, go on to say that “everybody’s talking about the in-store stuff, but actually when you look at the presentation when they launched it, the merchants that were sitting behind Tim Cook were online”, I think that tells us the direction of travel pretty accurately.

As my colleague Tim Richards pointed out earlier in the week, tokenisation is a really big deal. App-and-pay changes industry dynamics in a way that tap-and-pay does not.
