News from the bunker


The government is battening down the hatches and repelling all boarders, even if they have e-tickets. And not before time!

Foreign intelligence agencies are carrying out sustained cyberattacks on the UK Treasury, targeting it with malicious emails and programs designed to steal information, the Chancellor, George Osborne, has revealed. He said that government systems are the target of up to 20,000 malicious emails every month

[From Osborne: Treasury under sustained cyberattack | Technology | guardian.co.uk]

And that’s not counting the ones from taxpayers, I imagine. Setting aside how ludicrous and meaningless this figure is, there is nonetheless a serious point. If Son-of-Stuxnet crashes the Treasury, that might well be a net benefit to the economy, but if it crashes the electricity distribution network, even I won’t be laughing. We need effective cyberdefences. So what should the authorities do to bolster these defences? I would have thought that having some kind of working identity infrastructure might be a first step, and in that respect things haven’t been going too well in the UK.

The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.

[From Henry Porter – Home Office suppressed embarrassing ID cards report]

The report says that there were no specifications for usage or verification (which we knew – this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) “it is likely that European travel” will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed out, what the Identity & Passport Service (IPS) delivered was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it “Passport Plus” and selling it to frequent travellers (eg, me) as a convenience, an idea that really should have been taken more seriously by the coalition administration.

As an aside, the report also says (in section 5.5) that the “significant” number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.

The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).

[From Home Office suppressed embarrassing ID cards report – 1/7/2011 – Computer Weekly]

How did it all go so wrong? Liam Byrne was supposed to know something about IT as he used to work for Accenture, as did James Hall (Joan Ryan was a sociology teacher who later became famous for claiming more than £170k/annum in expenses). All in all, it was a pretty disastrous period for those of us who think that identity infrastructure is crucial to the future of UK plc, let alone the UK government. This is not to say, despite all of the evidence (including today’s fascinating FT piece on the UK government’s equally disastrous NHS infrastructure project), that the UK is uniquely hopeless at developing identity infrastructure for the 21st century.

Thai citizens who applied for their first national identity card or who applied to have their ID card renewed, have been issued with a yellow slip instead of the new microchip-embedded “smart” cards. The reason behind the problem is that the Interior Ministry refused to accept the new “smart” cards which were supplied by the Ministry of Information and Communications Technology, claiming that they did not meet the prescribed specifications stipulated in the ministerial regulation.

[From Bangkok Post : The silly saga of ‘smart’ cards]

Now, this may seem funny, but I ought to point out in the interests of international balance that there are, right now, in 2011, many people walking around branches of the British government with printed pictures of smart cards hanging around their necks. Yes, that’s right: pictures of smart cards, rather than actual smart cards. I’m afraid our cyberdefences are more a cyber home guard at the moment.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

I see your 14443 and raise you 18092


A couple of people asked yesterday about the comments from Google concerning “card emulation” in Android phones. The twitterverse had noticed these remarks from Nick Pelly, the Android lead for NFC, concerning the lack of API support for NFC card emulation.

The problem is that the hardware out there today, you know, if you buy an NFC controller, it typically is only going to be able to emulate one of those RF-level technologies. So as an application developer, you don’t know which — when it’s getting deployed to a phone, which one is on the phone. So I guess until we see the industry standardize around maybe one RF-level technology or until we see NFC controllers able to support multiple of those

[From Google raises concerns over the viability of NFC card emulation mode for mobile payments • NFC World]

At first I just thought… wow, that’s smart. If Android phones won’t allow ISO 14443 card emulation (which is part of the NFC standard) then that means that Visa and MasterCard won’t be able to use them for payments, thus locking them out of the POS terminals that Google is developing for retailers. As I thought about it, however, and actually read what Nick had said, I realised that I couldn’t understand his comments, since phones are perfectly capable of dispatching to different applications depending on which card they read, so I thought I’d go and ask a couple of the world’s leading experts on implementing secure NFC applications in mobile phones. Fortunately Stuart Fiske and Neil Livingston both work for Consult Hyperion, so it was easy to find them. They told me…

We know that NXP and Inside Secure NFC controller devices support A, B, B’ and Mifare, all on the same chipset. GP provides mechanisms to manage protocol conflicts, etc., when multiple applets relying on incompatible protocols are trying to be active on the interface at the same time.

I thought this must be true, since I had in my office a Nokia handset with NFC that supports both contactless EMV transactions and contactless Oyster (ie, MiFare) transactions and it worked perfectly. I read a little further, and once again became confused. Due to my lack of experience, I was unable to determine what this means:

Typically, the hardware is set up to do card emulation through the secure element. Right now, we don’t have any APIs to talk to the secure element. And we think that we probably won’t be getting APIs to do that anytime in the near future in the SDK.

There are a bunch of different reasons. Again, the secure element is a very limited resource. It can’t hold a large amount of data in there. And if we open it up to any third-party application, there’s going to be a huge resource contention over the secure element.

Additionally, to talk to the secure elements, even from applications on the phone, you need to authenticate yourself properly.

And if you improperly authenticate yourself a certain number of times, there are secure elements out there that will physically destroy themselves and can never be recovered. So that’s something that we really think would be a bad experience for users

[From Google raises concerns over the viability of NFC card emulation mode for mobile payments • NFC World]

I have absolutely no idea what he’s talking about. I have never heard of a handset secure element (SE) that will physically destroy itself if authentication fails. I’ve checked the SmartMX data sheet this morning and I can’t see any such logic.


If I put the wrong PIN into an EMV application in the secure element three times, it will lock and then require an over-the-air PIN unlock from the application issuer, but that’s a good thing. It’s certainly true that there’s a problem with secure applications controlling the screen and keyboard during authentication, but that’s because the Nexus doesn’t have any form of trusted execution mode and this is a well-known and well-understood (at least it’s well-known and well-understood by Consult Hyperion) constraint that feeds into the kind of risk analysis that we do for organisations who are thinking about developing transactional applications. The authentication itself is done within the SE, naturally, but you may have a virus that’s capturing the PIN, for example.
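The lock-rather-than-destroy behaviour described above, as an added example that is not code from the original post or from any vendor’s applet: a hypothetical model of an EMV-style PIN try counter in a secure element. A wrong PIN decrements the counter, the applet blocks at zero and keeps all its state, and only an issuer-authorised unblock script (modelled here as an HMAC over a fresh challenge, keyed with a secret only the issuer holds) clears the block. The class, method and key names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class PinProtectedApplet:
    """Hypothetical model of an EMV-style applet in a secure element (SE).

    A wrong PIN decrements a try counter; when it reaches zero the applet
    is blocked, not erased. Only an issuer-authorised unblock script clears
    the block. This is an illustration, not any vendor's applet logic.
    """

    MAX_TRIES = 3

    def __init__(self, pin: bytes, issuer_key: bytes):
        self._pin = pin
        self._issuer_key = issuer_key
        self.tries_left = self.MAX_TRIES
        self.blocked = False
        self._challenge = None

    def verify_pin(self, candidate: bytes) -> str:
        """Return 'ok', 'wrong' or 'blocked'. State is never destroyed."""
        if self.blocked:
            return "blocked"
        if hmac.compare_digest(candidate, self._pin):
            self.tries_left = self.MAX_TRIES  # a successful verify resets the counter
            return "ok"
        self.tries_left -= 1
        if self.tries_left == 0:
            self.blocked = True
            return "blocked"
        return "wrong"

    def unblock_challenge(self) -> bytes:
        """Fresh nonce so an issuer unblock script cannot be replayed."""
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def unblock(self, new_pin: bytes, mac: bytes) -> bool:
        """Accept the issuer's unblock script only if its MAC verifies."""
        if self._challenge is None:
            return False
        expected = issuer_unblock_mac(self._issuer_key, self._challenge, new_pin)
        self._challenge = None  # one attempt per challenge
        if not hmac.compare_digest(mac, expected):
            return False
        self._pin = new_pin
        self.tries_left = self.MAX_TRIES
        self.blocked = False
        return True


def issuer_unblock_mac(issuer_key: bytes, challenge: bytes, new_pin: bytes) -> bytes:
    """Issuer side (e.g. sent over the air): authorise an unblock for one challenge."""
    return hmac.new(issuer_key, b"UNBLOCK" + challenge + new_pin, hashlib.sha256).digest()


def demo() -> list:
    """Walk through lock-out and issuer unblock; returns the observed results."""
    key = secrets.token_bytes(16)  # constructed issuer key for the demo
    applet = PinProtectedApplet(b"1234", key)
    results = [applet.verify_pin(b"0000"), applet.verify_pin(b"1111"), applet.verify_pin(b"2222")]
    results.append(applet.verify_pin(b"1234"))  # correct PIN, but the applet is blocked
    # A forged unblock made with the wrong key must fail and leave the applet blocked.
    forged = issuer_unblock_mac(b"not-the-issuer", applet.unblock_challenge(), b"9999")
    results.append(applet.unblock(b"9999", forged))
    good = issuer_unblock_mac(key, applet.unblock_challenge(), b"5678")
    results.append(applet.unblock(b"5678", good))
    results.append(applet.verify_pin(b"5678"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is that a blocked applet is recoverable by the party that holds the issuer key, which is the behaviour the post describes; there is no code path that wipes the applet.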

Meanwhile, I was thinking about the SE more. If I buy a Nexus S, how would an application provider request a Security Domain (SD) from Google? How would it be provisioned? Is Google building a Trusted Service Manager (TSM) to sell such a service? I haven’t got a clue. The guys told me (these are edited highlights, by the way)…

In J2ME, it’s typically the SE issuer (ie, Google, in this instance) that decides who can access the SE from apps in the phone, and sets up the access conditions on the SE to manage this (the ACF file). Essentially, what we need the Android stack to do is deliver what J2ME (and its JSRs) have been doing for several years now. That is, include APIs that provide the app with a mechanism to access an applet in the SE, and for Android to interact with the SE to manage access condition verification. You can’t block the SE if you can’t access it!…

…These comments from Google make it sound like Google won’t be doing anything with card emulation any time soon. If that’s the case, then what’s with all these stories about Google trialling contactless card payments in SF with MasterCard and Citibank, using Verifone and Ingenico POS terminals? These POS terminals implement 14443 to read contactless cards, and I doubt that Google are going to develop custom terminals that implement P2P ISO 18000 instead. But who knows – it would be cool if they did…

…Perhaps the Android stack doesn’t need to implement card emulation mode if the underlying hardware implements it, i.e. if the NFC controller and SE together support 14443 and card emulation mode, then they can talk to the reader via the antenna independent of the Android stack. The stack needs to provide an access API to allow phone apps to access applets over the contact interface (if there is one, e.g. SIM), or the wired interface for embedded, or via the SD interface….

…So perhaps there is no need for a card emulation stack in Android after all? But we still need to be able to switch the PN544 into card emulation mode and an SE access API supporting a decent access control mechanism…

That’s the actual problem, then. Developers can get to the SE interface but they can’t do anything with it (eg, load a payment card into it).

As of the 2.3.3 release of Gingerbread the Secure Element functionality has been enabled (but the API Hidden). You can confirm that there is a Secure Element (SmartMX) in the Nexus S just by looking at the debug log using adb logcat and switching on NFC via settings… That said I’m assuming that the keys etc are controlled by Google so actually doing anything with the embedded SE will be difficult/impossible at the moment.

[From Secure Element – SmartMX – seek-for-android | Google Groups]

What has happened is that Google used an NXP NFC stack when building the Android operating system image for the Nexus S, but switched off the card emulation using compiler switches. (There’s nothing to stop you, by the way, from recompiling the stack with those switches set to allow card emulation.) My interim conclusion is, then, that I have no idea what is going on. I don’t understand what Google mean and I don’t see how they can stop anyone from accessing secure elements. Sure, they can stop you for doing anything with the embedded SE (theirs) by not giving out any keys, but if there’s a UICC SE (from the operator) you can access that and if there’s an external SE (eg, a DeviceFidelity SD card) you can access that. If there’s no Google Android API elements for any of these, someone else can simply add their own.

After all, Google ordered the Nexus S with embedded secure chips, the PN65 from NXP Semiconductors, which can store applications. The NFC controllers in the phones also support applications for card emulation on SIM cards.

[From Card Emulation Expected Soon Despite Doubts from Google Engineers | NFC Times – Near Field Communication and all contactless technology.]

Indeed. So why the fuss? What does it matter whether Google want to provide card emulation APIs or not? The thing is that Google’s opinions about NFC have taken on more and more significance recently as it has become clear that whatever mobile operators and banks may think about NFC, Google thinks that it is important and will drive it into the marketplace.

Google has obviously made a decision that NFC is an opening into something more interesting and lucrative than transforming a phone into a payment card– advertising and marketing opportunities at the point of sale – the physical point of sale. And, it has done a deal with VeriFone that takes the economic sting away from the merchants who need to buy into their vision to make it work – and who have by and large turned their noses up at NFC up to this point. Layer on top of that their Google Checkout asset and their newly launched One-Pass wallet application and you have the makings of an interesting new payments player.

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

Karen is, as usual, spot on with this analysis. But I’m not so sure about this…

What’s amazing is that Google was the first to connect all of these dots

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

This doesn’t seem amazing to me, because I’ve been involved in numerous attempts to develop mobile proximity payments for banks and operators. A month before the Google announcement, I wrote on Quora that “I’m sure [loyalty and rewards] will be Google’s strategy too. Payments are not an interesting enough application to persuade people to go out and get an NFC phone.” Years ago, I made a presentation (I think at NFC World but I can’t find it!) in which I said that no consumers will go into retail outlets and buy an NFC phone because of payments. They will buy the NFC phone so that they can read tags, swap Facebook profiles or (now, it seems) play proximity Angry Birds. But once they have that handset, then we need to make it easy and attractive for them to use it for payments.

Incidentally, Dean Bubley, who is in my opinion one of the very best analysts out there, called these non-payment applications “valueless” in a twitter exchange. He’s referring to things like “0-click” checkins and similar.

Starting tomorrow, just tap your NFC-enabled phone (most newer Android devices have it) against the poster, it’ll check you in with foursquare

[From Experimenting with NFC check-ins for Google I/O | Foursquare Blog]

I’m convinced that valueless is the wrong word. If Google (or Apple) or whoever track where you are via mobile location and then send you special offers, it’s creepy. But if you reach out and tap when you enter the shop, or restaurant, or hotel, or office, that’s what advertising folk label “a call to action” that gives them permission to send you things, to steer you, to deliver added value. That’s what retailers will pay for — they’ll get the payments part for free — and that’s why the ecosystem will deliver real value.


25% increase in authentication


I had an annoying problem with my PayPal account that ended up with me being posted a password, all quite tedious and strangely manual. As I observed at the time, it seemed odd that in 2011 we hadn’t got anything figured out when it comes to authentication. Why couldn’t I use my Barclays 2FA PINSentry to prove who I was to PayPal? In fact, why couldn’t I use it for 2FA in general, since moving from passwords to 2FA involving tamper-resistant hardware would be a simple way to improve security across a range of services. We don’t use 2FA, and we should.

But that might be changing [recently] Google launched two-factor authentication for Google Accounts—the credentials you use to log in to all Google services, including Gmail.

[From Two-factor authentication: Gmail’s new system offers more security than just a password. – By Farhad Manjoo – Slate Magazine]

This is a good step. I use gmail, and I’d actually prefer to use it with 2FA than without, provided that the 2FA is based on something I already have, such as my phone, because I don’t want to carry another dongle. Unfortunately, my mobile operator doesn’t provide any sort of identity management or authentication services, so I can’t use my phone. I do already have a tamper-resistant chip that I have with me most of the time, and that’s in my bank card. Why not use that in some way?

Alternatively, you could slide your credit card through your phone’s card reader—or simply wave your credit card so that it can be recognized by the “near-field communication” chip in your phone.
Are these things too far out?

[From Two-factor authentication: Gmail’s new system offers more security than just a password. – By Farhad Manjoo – Slate Magazine]

I’d say not really, especially since I’ve seen SecureKey‘s system for doing just this work perfectly with Google, using a USB key NFC reader and the customer’s contactless bank card to provide the second factor. Today I read about someone pitching iris recognition via USB device as a potential third factor as well. But are three factors enough?

I saw a discussion over at the Identity Management Specialists Group on LinkedIn that set me wondering about authentication factors. Traditionally, we experts have referred to three authentication factors: something you know, something you have and something you are (or, as Ben Laurie once told me, something you’ve forgotten, something you’ve lost and something you were). The LinkedIn discussion was about whether location might be a fourth authentication factor, because it is independent of the other three and can be determined in isolation.

So does this make sense? Is location an alternative third factor, another kind of “something you are”, or is it genuinely something new that adds an additional degree of authentication power? The conclusion in the group discussion was (I think!) that location isn’t an authentication factor because where you are doesn’t change who you are, but that it is an authorisation factor because you may wish to assign different capabilities to an identity depending on where the physical person is (ie, are they in the office or at home?). I’m not so sure about this: it seems to me that corroborating your location obtained from your mobile phone with, say, a password, does indeed strengthen authentication. There are plenty of options, so a workable strong authentication scheme must be getting closer, right?
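One way to put both positions from the discussion above into a single policy, as an added example that is neither the LinkedIn group’s nor the post’s own code: only the three classic factors count towards authentication; location never adds a factor, but agreement between two independent location sources (the registered phone and the network session) is treated as a risk signal that lets the normal two-factor requirement stand, while a mismatch demands a third factor; and the corroborated location then decides which capabilities the authenticated identity gets. The capability table, the field names and the step-up thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Capabilities granted per physical location (hypothetical policy table).
CAPABILITIES = {
    "office": {"read", "transfer", "admin"},
    "home": {"read", "transfer"},
    "unknown": {"read"},
}


@dataclass
class Evidence:
    knowledge: bool = False                  # password verified
    possession: bool = False                 # one-time code from registered phone or card
    inherence: bool = False                  # biometric match
    device_location: Optional[str] = None    # reported by the registered phone
    session_location: Optional[str] = None   # inferred from the network session


def factor_count(ev: Evidence) -> int:
    """Only the three classic factors count as authentication evidence."""
    return sum([ev.knowledge, ev.possession, ev.inherence])


def location_corroborated(ev: Evidence) -> bool:
    """Location is not a factor, but two independent sources agreeing raises confidence."""
    return ev.device_location is not None and ev.device_location == ev.session_location


def decide(ev: Evidence, action: str) -> str:
    """Return 'allow', 'step_up' (more authentication needed) or 'deny'
    (authenticated, but the action is not authorised from this location)."""
    # Authentication: a location mismatch is a risk signal that costs one extra factor.
    required = 2 if location_corroborated(ev) else 3
    if factor_count(ev) < required:
        return "step_up"
    # Authorisation: capabilities depend on where the person is; an
    # uncorroborated location is treated as unknown.
    where = ev.device_location if location_corroborated(ev) else "unknown"
    return "allow" if action in CAPABILITIES[where] else "deny"


if __name__ == "__main__":
    # Constructed scenarios: password + phone code, with and without agreeing locations.
    at_office = Evidence(knowledge=True, possession=True,
                         device_location="office", session_location="office")
    roaming = Evidence(knowledge=True, possession=True,
                       device_location="office", session_location="cafe")
    print(decide(at_office, "admin"), decide(roaming, "read"))
```

Running the block prints `allow step_up`: the same two factors are enough in the office, while the mismatching session location asks for a third factor before even a read is granted.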


Innovation is technology-enabled


Around the world, when faced with new products in the payments space, banks naturally crank up their innovation departments and produce super new products and services to wow customers back. I’m joking, of course. What they actually do in many countries is go whining to the regulator and force competitors to use the banks’ legacy infrastructure. This is what just happened in India, which really ought to be a huge and dynamic market for e-, m- and new payments of many kinds.

Consequently, from 1 March, the eBay unit says merchants in India cannot receive payments from abroad of over $500 per transaction. In addition, merchants will no longer be able to use any balance in their PayPal accounts to buy goods or services. Instead all payments must be transferred into Indian bank accounts first.

[From Finextra: RBI forces PayPal to restrict payments to Indian merchants]

Now, I’m not saying that banks are the only people who react to innovation in this way: that is, by trying to stop it. This goes on all the time.

For the last fifty years, hard disks have been increasingly super-charged gramophone records: at their heart, there is still a real disk rotating very fast on a real spindle. That’s not the only way to store data, as the memory stick revolution shows, but until now, solid state drives (which have no moving parts) have been too small and expensive to replace traditional hard disks as the main storage device for a computer. Now that’s changing, with real advantages for users as a result… Seagate’s response is to threaten to sue all the new entrants for patent infringement, while insisting that their existing market is not threatened.

[From Public Strategy: Innovator’s irony]

At the dawn of the industrial revolution, the steam engine delivered the fundamental business school case study in this topic, something that I wrote about when I was invited to speak at the European Patent Forum back in 2009.

In his keynote address, the Czech Prime Minister Mirek Topolanek said that we had to find a balance in the intellectual property system, that it was right to let Stevenson patent his steam engine but not the screwdriver he used to build it (he didn’t explain why..).

[From Patent error | 15Mb: yet another blog from Dave Birch]

In fact, as I discussed in this post, history teaches the opposite lesson because the patent system held back the evolution of the steam engine for a generation! But back to our business. What kind of innovation is relevant to the payments industry? This is not clear to me. On the one hand, it seems reasonable to say that…

What would be refreshing is if the focus of innovation could be pegged to the value that it delivers to the entire ecosystem, not just the engineers who get a kick out of building cool new toys.

[From Payment Gadgets at The Catalyst Code]

But is this true? When Apple put together the iPod, it didn’t benefit the “entire ecosystem”. The disruptive innovations in fact devastate parts of the ecosystem, like forest fires that allow new shoots to grow. I hate to harp on about the M-PESA example, but I think it illustrates this point well. The banks complained about M-PESA and tried to stop it but fortunately failed. Now that M-PESA has 13m customers and 20,000 agents, the banks are able to deliver new services to new customers using the platform. Were they devastated by the forest fire? No: it gave them space for new shoots as well.

Where do we look for the next new shoots then? Not in banks, generally speaking, but elsewhere in the ecosystem. The payment innovations to come will be technology-enabled, which is why it’s important for businesses throughout that ecosystem to understand the new technologies relevant to payments and, just as importantly, understand the business model ramifications of seemingly dreary technology architecture decisions being made by nerds right now. While they will be technology-enabled, though, it’s the sustainable new business model that is the key. A good example of this is Square.

…if Square can provide just enough added-value with their app to get traction in the small business sector (they are already processing a million dollars a day), then when new payment technologies come along (eg, NFC phones that can accept payments from contactless cards) the merchants will just expect Square to handle them for them. We have long been advising clients that the key disruptive role of mobile phones in the payments world is the ability to take payments, not to make them.

[From Digital Money: Hip to be Square]

And we still do, in fact. I think Square is an interesting innovation case study. It does not compete with existing acquirers, but opens up the market so that more people can accept card payments.

So where is Square seeing the most traction? Without a doubt, small businesses, independent workers and merchants comprise most of Square’s rapidly growing user base. The technology only requires its tiny credit card scanner that fits into your audio jack and Square’s app. The device and the software are free, but Square takes a small percentage of each transaction (2.75% plus 15 cents for swiped transactions).

[From Square Now Processing Millions Of Dollars In Mobile Transactions Every Week | TechGoo]

In a way, this is a real-world PSP and a fascinating niche play in a large volume-driven acquiring market, one that can be seen to adumbrate mobile disruption and our projection that the mobile-phone-as-POS meme will be more revolutionary than the mobile-phone-as-card meme. But there’s something else to it as well. Conventional acquirers use conventional methods to assess applications.

Square’s qualification rules are more relaxed than those of standard credit card processors. There are no initiation fees, monthly minimums, and when merchants apply for a reader, Square doesn’t just focus on a credit check, but also takes into account the influence a company holds on Yelp, Twitter or Facebook.

[From Square Now Processing Millions Of Dollars In Mobile Transactions Every Week | TechGoo]

That, it seems to me, is more of a window into the coming economy based on the reputation interweb (or web 3.1, as I propose to call it, to avoid clashing with web 3.0). Can you imagine Barclays Business or Streamline giving you a merchant acquiring account according to the number of twitter followers you have rather than your trading history or bank references?

By the way, I can’t remember if I’ve blogged this before but one of my favourite stories about accepting merchants for acquiring accounts goes back more than a decade to the hazy days before the LastMinute flotation. I was doing some work over at what was then NatWest Capital Markets, who had invested millions in Lastminute, when they went berserk because NatWest Streamline wouldn’t give LastMinute a credit card acquiring account because it didn’t have two years’ trading history!


Mexican standoff


At last year’s conference on The Macroeconomics of Mobile Money held at Columbia University in April 2010, Carol van Cleef (a partner at Paton Boggs LLP in Washington) gave a presentation on the “Opportunities and Dangers of E-Payments”, in which she noted that the Mumbai terrorists used mobile phones and “showed themselves to be part of the mobile phone generation” (as, I imagine, they showed themselves to be part of the mass transit generation and the automatic weapons generation). She notes that the attackers were using their own phones (so the IMEIs could be tracked, making the life of law enforcement easier) and that they had purchased more than 37 SIMs in different names using false identification (so the compulsory SIM registration was shown to be pointless — although some of the SIM card sellers were arrested). She also says that the most critical tool for drug traffickers in Canada is the prepaid phone (I’m sure she’s wrong: I’ll bet it’s either cash or cars).

I remember thinking when I read this at the time that this continued law enforcement focus on the prepaid phone and the prepaid card, both of which are critical tools for financial inclusion, would end up with restrictions on both that would make no difference to criminals but would make life much harder for the financially excluded, because of the strong link between identity and money.

Why do I think that? Well it is just not clear to me that demanding strong proof of identity for prepaid products will help. In Mexico there is a national registry for prepaid phones and all purchasers are recorded and fingerprinted, the operators keep calls logs, texts and voice mail for a year (in a database only accessible with a court order — or by criminals, I’d wager). All prepaid phones not in the registry were supposed to be turned off this month, although a quick round of googling and searching couldn’t tell me whether this is actually happening or not. As I wrote a couple of weeks ago, in the context of the Mexican government’s reward scheme for people who call in reports of money laundering:

Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do

[From Reputation does not depend on “real” identity]

If we focus on phones, for a moment, is it reasonable to assume that demanding identity in the purchase of phones (prepaid or otherwise) will do anything to reduce crime (or will it simply shift the crime to acquiring identities and actually raise the criminal premium on those identities?).

Eight men and one woman have been arrested on suspicion of conspiracy to defraud… calling expensive premium-rate numbers owned by the fraudsters that charge up to £10 a minute… O2 had a total of £1.2m stolen through premium phone lines throughout July, with police claiming that a West African gang bought the phones from high street stores using false identities.

[From British police arrest iPhone scam gang | News | TechRadar UK]

Like many similar scams, this isn’t a mobile fraud or a payment fraud or any other kind of fraud: it’s basic identity fraud, yet again. To some extent, therefore, one has to be a tiny bit unsympathetic to O2. Clearly, if they make everyone jump through hoops to get an iPhone then they won’t sell very many of them. On the other hand, allowing people to take out contracts without really proving who they are or (and this is the commercial arrangement that is lacking) providing an identity that is underwritten by someone who will take liability for it being wrong, means accepting risk. Remember, it’s not the mobile operators, handset manufacturers or criminals who pay for the police raids, the court system, the prison time: it’s us, the taxpayer. So the distribution of risks is not aligned with the distribution of liabilities, as is so often the case in the world of identity fraud. This isn’t a UK-only problem. It is very clear that in countries without secure national identity registers (ie, almost all countries), requiring mobile operators to determine the identity of subscribers (contract or prepaid) will solve nothing. This does not, by the way, mean that it is impossible to catch criminals. Far from it.

Deputy District Attorney Mena Guirguis said that after Manunga and her former boyfriend stopped dating in 2008, she took out a pre-paid cell phone in his sister-in-law’s name, and started sending the threatening text messages to her regular cell phone… Her scheme was uncovered when the victims went to the phone store, talked with the salesman and learned that Manunga had bought the pre-paid phone under the sister-in-law’s name, Guirguis said.

They reported that information to a Costa Mesa police detective, but by then a third arrest warrant had been issued for the sister-in-law. During a follow-up investigation, the detective discovered that most of the threatening text messages were sent when the pre-paid cell phone was in close proximity to Manjunga’s home or work.

[From Woman jailed for making threats – to herself | sister, law, manunga – News – The Orange County Register]

What this story shows is that actual police work is helped by the perps using mobile phones, even if you don’t know the identity of the person using the phone, because phones mean tracking and tracing and location. We read today that iPhones keep a complete record of everywhere they’ve been…

Apple iPhone users’ movements are being tracked and stored without their knowledge in a file that could easily be accessed by a snooping employer or jealous spouse, security researchers have found.

[From Apple iPhone tracks users’ location in hidden file – Telegraph]

Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.

Licensed operators


France has been in the forefront of the NFC revolution, with an early commitment to cross-industry co-operation, considerable work on standards and models and an aggressive timetable for getting phones into the market. Remember this?

A dozen French cities plan to launch wide-scale contactless payment and information service on mobile phones with the backing of the ministry of industry, reports Les Echos. The city projects approved under the initiative will receive state assistance for consultancy and engineering, but no other subsidies are planned at this stage.

[From Aid from French Ministry of Industry for mobile contactless cities. « Contactless & NFC City League]

You will undoubtedly recall that a few months later, the French mobile operators decided to get together with a processor and form a mobile payments proposition to launch a serious assault on the banks’ retail payment franchise.

Orange, SFR, Bouygues Telecom and Atos Origin are creating a joint company to offer a single online payment platform, secured by the mobile phone.

[From Union sacrée des opérateurs mobiles dans le paiement sur Internet – OPERATEUR DE TELECOMMUNICATIONS SERVICES INFORMATIQUES ATOS ORIGIN FRANCE TELECOM SFR BOUYGUES TELECOM]

Well they’ve made their first assault on the enemy positions and have been granted a PI licence. Why would they bother, you might wonder, when polls show that the majority of consumers don’t want to use mobile payments?

The 59% of consumers who were against the idea, meanwhile, gave their reasons as: Security (79%)

[From Most French consumers not in favour of mobile payments • NFC World]

The answer is, of course, that consumers don’t know what they are talking about and it’s a waste of time asking them about anything new. Whatever they might say a priori, in all of the pilots and trials that we have been involved in, they really, really, liked mobile proximity.

But there are some real issues, and we need to address them.

Dead phone batteries. Wrong merchant terminals. Terminals turned off. Terminals unrepaired. No terminals at all.

These and other, less obvious glitches suggest contactless technology may not be the mobile payments panacea for tattered magnetic stripes and other problems with plastic cards.

[From Mobile Payments Inheriting the Problems of Contactless – American Banker Article]

Well, yes and no. (I am a consultant, after all.) Let’s have a look at these.

Dead phone batteries. NFC is interoperable with the existing contactless payments and ticketing systems. As you may have noticed, your Oyster card doesn’t have a battery in it: that’s because it is powered through the electromagnetic field of the terminal you touch it to, and the same is true for the NFC interfaces in phones. If the phone has no battery you may not be able to access your m-wallet to check your transactions, redeem coupons and so on, but you will be able to use it to pay in a shop and ride the subway.

Wrong merchant terminals. I don’t think this will be an issue. Right now there are some problems with some cards not being accepted in some terminals, but this is the result of standards problems three or four years ago. The contactless EMV standard should interoperate seamlessly. Some of the terminals are certainly “wrong” from the point of view of consumer experience, but that’s a different thing.

Terminals turned off. Fair enough, I do see this from time to time. But it’s a teething problem. There is a problem with terminals being turned off after the merchant has rung up the purchase and the cashier then having to press some more buttons to turn them on, but that’s an implementation issue.

Terminals unrepaired. I don’t think this is a long-term problem. Contactless terminals (since they have no slot or contacts) are considerably more reliable in practice than contact or stripe terminals. Experience from other sectors suggests to me that the cost of maintaining an estate of contactless terminals is less than half the cost of maintaining an estate of conventional terminals.

No terminals at all. This, I think, is the real problem. When I was last in the US, I saw contactless terminals in places where they didn’t really have much impact, like in CVS. But in the places where contactless would have really helped and speeded things up — BART machines, airport carts, Coke machines and so on — nothing.

The point is that those are real issues that do need dealing with, whereas what the public says are its concerns, such as security, are, in my opinion, not real issues and should be handled through marketing communications. Oh, wait…

85% of users said they considered the protocols for operating with the NFC system to be sufficiently secure.

[From Sitges trial results: Consumers pay more often and spend more with NFC phones than with cards • NFC World]

This must be a translation from Spanish, because I’m not sure that “protocols for operating with the NFC system” translates properly into English, but it’s good news all the same. I’m not saying that everything is perfect in the NFC world. Even in France, progress has been slow despite the commitment of major banks and operators: it’s still a new technology.

The problems are one of the main reasons bank Crédit Mutuel-CIC has held back on launching its m-payment service, according to Patrice Hertzog, payment systems manager for Crédit Mutuel-CIC. He said it has been difficult for the bank’s trusted service manager, Gemalto, to set up and manage the bank’s PayPass application on SIM cards produced by other vendors, such as Oberthur Technologies.

The problems have occurred despite much standards work by the French Association Française du Sans Contact Mobile, or AFSCM, and prior trials involving multiple French banks, mobile operators and vendors.

[From ‘Open’ Battles Break Out Among NFC Vendors Over Android | NFC Times – Near Field Communication and all contactless technology.]

To be honest, this suggests that vendors are not building TSMs from scratch based on the new standards but are putting wrappers around their existing card personalisation systems. That sort of thing is, to me, more of a real issue than incorrectly worrying about what the public think, but whatever. Things are moving. Even in the US, the new technology is getting a foothold and there will soon be TSMs there too.

The joint venture formed by U.S. mobile carriers to launch NFC-based mobile payment… has selected France-based Gemalto to download and manage payment and other secure applications on NFC phones to be used in pilots expected to be held in three to four cities during the second half of 2011

[From U.S. Carrier Joint Venture Chooses a Trusted Service Manager | NFC Times – Near Field Communication and all contactless technology.]

There’s plenty of activity in the US as elsewhere, and since I’ve been looking at the US for clients recently I was interested to read about the work done by the Federal Reserve Banks of Atlanta and Boston. This work suggests that the success factors for the US will rest on the evolution of an open ecosystem for NFC.

The mobile infrastructure would likely be based on Near Field Communications (NFC) contactless technology resident in a smart phone and merchant terminals.

Ubiquitous platforms for mobile should leverage existing rails, including the ACH network for non-card payments, and support new payment types that meet emerging needs.
Some form of dynamic data authentication would be at the heart of a layered mobile payments security and fraud mitigation program.

Standards would be designed, adopted, and complied with through an industry certification program to ensure both domestic and global interoperability, including a standard to ensure that devices used to facilitate mobile payments do not create any electronic interference problems.

A better understanding of a regulatory oversight model should be developed in concert with bank and non-bank regulators early in the effort to clarify compliance responsibilities.

Trusted Service Managers should oversee the provision of interoperable and shared security elements used in the mobile phone.

[From Mobile Payments in the United States Mapping Out the Road Ahead – Boston Fed]

On that final point, things are already moving, as the US carriers’ selection of Gemalto as their TSM, quoted above, shows.

So there’s plenty of activity in the US as elsewhere and plenty of organisations are looking at how the move to mobile proximity may impact their businesses.

A white paper that outlines the survey findings, including how the most forward-thinking financial institutions are building a business case for mobile payments, is available at http://www.fiserv.com/mobilestrategy.

[From Forward-Looking Financial Institutions Focused on Mobile Payments Business Case, Says Fiserv Survey – pymnts.com]

I couldn’t help but think, as I read this, that the very act of building a business case for something like this is fundamentally backward-looking, trying to shoehorn something that is the basis of a new value network into the existing business models. The report says that the factors that the FIs evaluated across these business lines included customer retention and profitability, cost reduction, revenue generation and retention, increased customer engagement and competitive parity. When I looked at the revenue generation part of it, though, it only referred to revenue generation in terms of debit card transactions and keeping the connection to the DDA. This isn’t how forward-looking organisations are thinking about revenue generation from mobile payments, they are thinking about delivering entirely new products and services that are simply not possible in conventional (ie, card) environments, generating revenue from things that banks don’t do.

Google is to run tests of mobile payments at stores in New York and San Francisco in the summer, according to anonymous sources cited by Bloomberg. The search engine giant will pay for installation of thousands of NFC cash-register systems from VeriFone Systems at merchant locations, one source told the wire.

[From Finextra: Google to run commercial trials of NFC at the POS – Bloomberg]

Well, well. So while financial institutions are agonising over the business case, Google is giving out the terminals for free. It’s not hard to see why: they don’t care about the minuscule margins on the payment transaction and arguing about how to slice and dice the merchant fee; they care about building new business around knowing who is buying what and where. So leadership in the NFC space may well shift away from the payment incumbents. Perhaps the answer to the age-old question about whether banks or operators would control the mobile payments space is… neither.

“We already have a perfectly fine way to make non-cash payments”


On “Slate” there was an article entitled “Paying With Your Phone Is Awesome, Because … Because” with a sub-headline

We already have a perfectly fine way to make non-cash payments.

[From Paying by phone is insecure and unnecessary. – By Farhad Manjoo – Slate Magazine]

Really? That didn’t seem to be the case in my household this morning when my wife was hunting for the chequebook because she needed to pay for a school trip and settle a dentist bill. I wanted to pay my son’s school £20 on Thursday morning because he was going on a school trip, and I turned the house upside down looking for the chequebook, which I couldn’t find. I couldn’t pay them with a debit card, or cash (I didn’t have £20), or credit card, or bank transfer or any of the other “perfectly fine” ways to make the payment. Which boring tale illustrates the real point, that is, not that…

We already have a perfectly fine way to make non-cash payments.

[From Paying by phone is insecure and unnecessary. – By Farhad Manjoo – Slate Magazine]

…but that we don’t have a perfectly fine way to take non-cash payments. Mobile payments will be a disruptive force because the devices will serve both roles. Richard Johnson of Monitise made this point very well at the Intellect Payments Workstream meeting that I chaired last week. But it isn’t only the cheque that is set for extinction because of mobile. Anthony Jenkins, the chief executive of Barclaycard (Britain’s biggest card issuer), said that

“In 50 or maybe even 10 years’ time, we will still be using cash but I don’t think we’ll have plastic. It is comparable to the move from CDs to MP3 music files,” he said. “If I had said 10 years ago that you couldn’t pay with a cheque at the supermarket, you wouldn’t have believed me. That is now the reality, and we see plastic cards going the same way.”

[From End of the road for flexible friend as Barclaycard goes ‘contactless’ – Telegraph]

Now this seems a little far-fetched on first reading. But perhaps, once mobile payments cross the cusp into the mainstream (at, I would guess, around a 25% penetration in the consumer market), the move away from plastic could take place in a generation, much as the move into plastic did from the introduction of the magnetic stripe in the early 1970s.

Coins, paper money and plastic cards are going to be the next casualties. Don’t believe me? Then visit Korea. The only people who own a plastic credit card there are the ones who travel abroad; everyone else uses their mobile phone.

[From Peter Cochrane’s Blog: Near-field tech edges closer | CIO Insights | silicon.com]

The combination of mobile and contactless seems to accelerate the transition: individually they are great, but together they are something special. Mobile payments by themselves have been around forever and have made little impact in the physical world (except for special niches like car parking). I still can’t use my mobile to buy a bottle of cold water from a machine in the Tube.

The first case of a mobile phone being able to be used to handle a payment was in 1998 as an experiment in Espoo Finland just outside of Helsinki, where two Coca Cola vending machines were installed with a mechanism to accept payment by SMS text messaging

[From Communities Dominate Brands: End of Cash? First blog in a series examining the pending doom of minted coins and printed banknotes]

Adding contactless transforms the proposition from fiddling about sending text messages to a quick tap. As far as I can tell, from the pilots that we have been involved in, customers are not a barrier. They like it. So why doesn’t my phone have NFC in it right now, and why doesn’t the drinks vending machine on the Tube have a reader?

Why is it taking so long? As with Faster Payments, the problem lies with the marketing teams in the major banks.

[From The innovative world of UK payments]

I disagree. I’m no fan of marketing departments, but the problem with mobile payments is different. Banks have never had to deal with payments in this way before: they can control ATMs and POS terminals, EMV cards and FPS. But they don’t control mobile, and in particular they don’t control the Secure Element (SE), the tamper-resistant hardware that transforms mobile phones from content devices into transaction devices. There are different ways of dealing with this, but I think it is fair to reflect that the specific tension between banks and mobile operators remains problematic. In some countries they are joining forces, in others they are forging bilateral agreements, in others they are going their own way.

while credit card companies might need the carriers to get into mobile payments, they might soon learn that the carriers don’t need them.

[From In mobile payments, credit card companies might be a third wheel | Econsultancy]

Indeed they don’t, but that has no relevance to the Isis initiative that is the subject of that post because

Verizon, T-Mobile and AT&T are entering into an agreement to let customers pay for products with their smartphones… they are not working with Visa, MasterCard, or American Express on this venture. They’re not working alone either, instead partnering with Discover and Barclays on this venture.

[From In mobile payments, credit card companies might be a third wheel | Econsultancy]

Hhmmm. So in this particular case, the carriers are partnering with a credit card company and a bank. So do they have somewhere to go? Well, let’s return to the point. We don’t have a perfectly fine way of taking non-cash payments, but soon we will because of mobile phones. And there are some dynamic go-ahead organisations that have already recognised this.

the local Girl Scout group there has teamed up with Intuit to accept credit cards using the company’s GoPayment app (and accompanying card reader) for iOS and Android

[From Teh Gay Geek: GIRL SCOUTS IN OHIO TAKING MOBILE PAYMENTS FOR COOKIES]

Back in the 1980s, there were people who said that mobile phones would never sell because there were payphones everywhere (eg, McKinsey). The POS terminal of 2011 is the payphone of 1981.

NFC in the real world


Nick Holland from Yankee Group made a good point in their recent webinar on “NFC Not Just for Cards”. I’m probably only saying it’s a good point because it’s a point that I make too, but nevertheless the addition of an NFC interface to a mobile does change the relationship between the real and virtual worlds.

Put the two things together, in the form of near-field communication (NFC) handsets, and you have something special… Over the coming decade, the mobile phone will shift from being a network end-point to being a pivot between local and global environments, an indispensable and personal security token that bridges physical and virtual commerce.

[From Digital Money: Ten more years of technology]

Nick talked about this “hyperlinking” to the physical world and made the sensible point that while dull persons such as myself are obsessed with payments, the use of NFC will be far wider. This is perfectly correct, and I happened to see an excellent illustration of this general point in NFC World this very morn.

Some 35,000 households in Haiti are receiving ‘clean water’ buckets — which consist of a chlorine solution and an RFID-tagged five-gallon bucket to treat and store water — from the charity Deep Springs International (DSI). On each bucket is an RFID tag which is read during regular visits by community-based health workers who carry NFC-equipped Nokia 6212 phones. Just holding the phone up to the bucket reads the tag and records the visit, then they measure the amount of chlorine in the water and key it in to the handset

[From NFC phones help provide clean water to Haiti earthquake victims • NFC World]

In fact we have consistently advised clients that payments will be a niche. Anyway, Nick is correct, and on the Digital Identity Blog I’ve repeatedly made the point that the use of NFC to support digital identity applications will, in the long run, be far more important than digital money applications. A big step forward in assembling this infrastructure went almost unnoticed last year when the NFC specifications were extended to include the digital signing of data.

The Signature RTD candidate technical specification helps users verify the authenticity and integrity of data within NDEF messages by specifying the format to be used when signing single or multiple NDEF records. It defines the required and optional signature RTD fields, and also provides a list of suitable signature algorithms and certificate types that can be used to create the signature

[From NFC Forum : NFC Forum Announces Specifications to Support Peer-to-Peer Device Communication and Verify Data Authenticity ]

This is important, because if you want to go round touching real-world things and have them connect to virtual-world things, you need to be sure that they are what you think they are and that they are part of the right infrastructure. When I tap on the poster in the restaurant window, I want to be sure that it is a legitimate hyperlink that will take me to a menu and not to a porn site. With this infrastructure in place, all sorts of new businesses become possible (and desirable). It means that someone is going to have to organise how exactly the keys, certificates and signatures are going to work and interoperate, and that someone probably won’t be the mobile operators but a new entrant.
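As an added illustration (not code from the NFC Forum, the blog or any vendor), here is the check a phone should make before acting on a tapped tag: parse the NDEF records, verify an ECDSA signature over the URI record against a pinned issuer key, and only then surface the link. The URI record layout is the real NDEF one; the “Sig” record contents and the pinned-key trust model are simplifications assumed here, since the actual Signature RTD carries certificates and has its own field structure.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NDEF record header flags and the "well-known" TNF value (NFC Forum NDEF spec).
const (
	flagMB       = 0x80 // Message Begin
	flagME       = 0x40 // Message End
	flagSR       = 0x10 // Short Record: one-byte payload length
	flagIL       = 0x08 // ID Length field present (not supported here)
	tnfWellKnown = 0x01
)

// Abridged NDEF URI identifier codes: the prefix replaces the first payload byte.
var uriPrefixes = map[byte]string{
	0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://",
}

type Record struct {
	TNF     byte
	Type    []byte
	Payload []byte
}

// encodeShortRecord builds a short (SR) NDEF record with no ID field.
func encodeShortRecord(tnf byte, typ, payload []byte, first, last bool) []byte {
	hdr := byte(flagSR) | tnf
	if first {
		hdr |= flagMB
	}
	if last {
		hdr |= flagME
	}
	out := []byte{hdr, byte(len(typ)), byte(len(payload))}
	out = append(out, typ...)
	return append(out, payload...)
}

// parseNDEF walks a message of short records without ID fields, bounds-checking each one.
func parseNDEF(msg []byte) ([]Record, error) {
	var recs []Record
	for i := 0; i < len(msg); {
		hdr := msg[i]
		if hdr&flagSR == 0 || hdr&flagIL != 0 {
			return nil, errors.New("only short records without ID are supported here")
		}
		if i+3 > len(msg) {
			return nil, errors.New("truncated record header")
		}
		tl, pl := int(msg[i+1]), int(msg[i+2])
		start := i + 3
		if start+tl+pl > len(msg) {
			return nil, errors.New("truncated record body")
		}
		recs = append(recs, Record{TNF: hdr & 0x07, Type: msg[start : start+tl], Payload: msg[start+tl : start+tl+pl]})
		i = start + tl + pl
		if hdr&flagME != 0 {
			break
		}
	}
	return recs, nil
}

// signedBytes is what the signature covers: type and payload of every record before
// the Sig record (assumed simplification; the real RTD also covers ID fields).
func signedBytes(recs []Record) []byte {
	var buf bytes.Buffer
	for _, r := range recs {
		buf.Write(r.Type)
		buf.Write(r.Payload)
	}
	return buf.Bytes()
}

// BuildSignedMessage encodes a URI record followed by a "Sig" record whose payload is an
// ASN.1 DER ECDSA P-256 signature over the URI record (the tag issuer's side).
func BuildSignedMessage(key *ecdsa.PrivateKey, prefixCode byte, rest string) ([]byte, error) {
	uri := Record{TNF: tnfWellKnown, Type: []byte("U"), Payload: append([]byte{prefixCode}, rest...)}
	digest := sha256.Sum256(signedBytes([]Record{uri}))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	msg := encodeShortRecord(tnfWellKnown, uri.Type, uri.Payload, true, false)
	return append(msg, encodeShortRecord(tnfWellKnown, []byte("Sig"), sig, false, true)...), nil
}

// VerifiedURI parses msg, checks the trailing Sig record against the pinned issuer key,
// and only then returns the URI the tag points at (the phone's side).
func VerifiedURI(msg []byte, issuer *ecdsa.PublicKey) (string, error) {
	recs, err := parseNDEF(msg)
	if err != nil {
		return "", err
	}
	n := len(recs)
	if n < 2 || string(recs[n-1].Type) != "Sig" {
		return "", errors.New("tag carries no signature record; do not follow link")
	}
	digest := sha256.Sum256(signedBytes(recs[:n-1]))
	if !ecdsa.VerifyASN1(issuer, digest[:], recs[n-1].Payload) {
		return "", errors.New("signature check failed; do not follow link")
	}
	u := recs[0]
	if string(u.Type) != "U" || len(u.Payload) < 1 {
		return "", errors.New("first record is not a URI record")
	}
	return uriPrefixes[u.Payload[0]] + string(u.Payload[1:]), nil
}

func main() {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed issuer key
	msg, _ := BuildSignedMessage(issuer, 0x04, "example.com/menu") // constructed sample tag
	fmt.Println(VerifiedURI(msg, &issuer.PublicKey))
	msg[5] ^= 0x01 // flip one bit of the URI payload: the signature no longer verifies
	fmt.Println(VerifiedURI(msg, &issuer.PublicKey))
}
```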

These “pivot” functions, that link the local and remote environment will, I firmly predict, lead to some incredible new applications. Fortunately, some of them will involve payments, which will be really good news for some of our clients.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.

The fraud trajectory


There’s no doubt that chip and PIN is one of the key planks in the industry strategy to reduce card fraud to manageable levels (which is not the same as eliminating card fraud, note). One of the reasons why it is so secure is that it uses offline PIN verification, where the chip on the card checks that the PIN input at POS is the correct one. And since the PIN is known only to the cardholder, and they never divulge it, this provides validation that… no, wait…

Despite the strict recommendations from card providers about keeping your PIN confidential, research by shopping website VoucherCodes.co.uk has revealed that over half (59pc) of Brits are flouting the rules by sharing their bank card PIN codes and are putting their personal finances in jeopardy.

[From More than half of card users share their PIN – Telegraph]

Uh oh. But come on – anyone out there in the real world will know that it’s impossible to get through life without giving your spouse your PIN. What happens when (to pick a hypothetical example) she can’t remember what the hell she’s done with her handbag and needs to get to Homebase to buy some paint? Or (to pick a hypothetical example) a husband may have stupidly left his wallet in his desk at work but needs to get cash out at an ATM on the way to a football game. Come on – we’ve all done it (except me, I should point out to the terms and conditions chaps at Barclaycard).

The poll of 3,000 people revealed that Brits are most likely to entrust their partners with this security information, but a surprising one in twenty (5pc) adults feel that it is safe to divulge this information to their children.

[From More than half of card users share their PIN – Telegraph]

What? Not in my house they don’t. We have a Visa prepaid card for “house” use, so if the kids need to get some shopping, stuff for school or other supplies, they use that one, and I top it up online when necessary. It’s a simple way to manage money, so I’m surprised more people don’t do this: and it has the added benefit that it doesn’t have a name on it, so if it gets lost or stolen it can’t be used to start identity fraud.

Incidentally: 3 per cent of the people surveyed said that they wrote their PIN on a piece of paper and kept it in their wallet, which may account for at least some of the incidence of the ATM and POS chip and PIN fraud more plausibly than complex attacks on the unencrypted messages between the card and terminal.

There are plenty of other initiatives aimed at improving the overall level of card security. 3D-Secure has taken a long time to get traction but is now widely used in e-commerce. PCI-DSS is costing a fortune, but may reduce the industrial-scale counterfeiting of the magnetic stripe cards still widely used for retail payments in less-developed parts of the world.

In raids conducted Feb. 1, agents seized $300,000 in cash, three firearms and ammunition as well as equipment to make fake credit cards from the gang… The credit card details and stolen identity information was purchased from “online data traffickers via Web-based portals, and the purchasers would store the stolen credit card information in shared e-mail accounts, allowing several defendants to begin creating counterfeit credit cards,” prosecutors said.

[From US indicts 27 in Apple product credit-card fraud ring | MP3 Players | Macworld]

Anything that stops card details like these from falling into criminal hands so easily must be worth the money, right? Actually, on the costs of PCI-DSS, there may be some relief in sight for European retailers.

Visa last week announced a new programme which means European merchants will no longer need to prove they adhere to PCI DSS regulations on an annual basis, as long as 75 percent or more of their transactions originate from EMV-enabled chip and pin terminals. The programme will be introduced on 31 March, 2011

[From Visa PCI DSS exemptions send out mixed messages to merchants | Business Computing World]

So come on, it’s not all bad. In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles. This is because even simple integration (eg, texting unusual transactions) delivers good returns, and the impending integration of payments with handsets means that issuers will be able to go even further with 24/7 access to the “card”. I won’t rehearse the basic arguments, but I think there are many reasons for thinking that the mobile is a means to manage card fraud down, a line of thinking that we have presented frequently over the years.

So, are mobile payments safe or not? It’s not a “yes” or “no” question, as we hope this discussion has shown. Let’s ask another question instead: Can we make the risks of mobile transactions manageable? The answer to that is “yes”. In fact, in the particular case of mobile proximity payments, we happen to believe that there is more security overall in using a mobile than in using a card payment

[From TM Forum – Article: Mobile Payments – Safer than Cards?]

For one thing, as noted, we can use the mobile to provide information and as a communication channel to report on and detect suspicious activity. Potentially more interesting, though, there are techniques that take advantage of the characteristics of the mobile channel, primarily location. There are some practical problems to be overcome, though.

ValidSoft [has] direct access to mobile networks, tables, and services around the globe and can provide mobile based location services without requiring that users opt in. Many financial institutions are interested in using these services for fraud detection but are concerned about the privacy implications and don’t want their customers thinking they are following them around.

[From Visa Europe sets trend with mobile location-based fraud detection]

Actually, I might well want my issuer to follow me around, but I might also want it to stop other people from following me around. Anyway, I’ll be talking about this kind of thing — including lessons from our practical experience advising leading payments organisations around the world and some of the things we are learning from the Ph.D in mobile handset security that Consult Hyperion is funding at the University of Surrey — at the excellent UK Card Fraud Conference on 29th/30th March 2011 in London.

The magnificent people at DT Conferences have given me a delegate pass for the event — worth an amazing ONE THOUSAND TWO HUNDRED POUNDS plus VAT — to give away on this blog as a competition prize! So if you are going to be in London on those dates and you’d like to come along to meet some of the leading thinkers in the UK’s fight against card fraud (and me) then all you have to do is be the first person to comment on this post with the name of the doomed precursor to 3D-Secure, the PKI-based online card payment security system developed in the 1990s: full name, please, not just the TLA!

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been gritted for your safety. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

Mobile payments are good for mobile banking


Mobile payments and mobile banking are not the same thing at all and, as I have long maintained, there is no reason to think that mobile payments should be provided by banks, nor that mobile operators want to get into banking. This is why I maintain that much of the comment around these topics is misleading. For example:

Geo-strategic and political consultant at Nova-Comm Strategy Group, Brett Goldman, says: “With M-Pesa… Essentially, what you are doing is eliminating the need for a bank,”

[From Near field comms: How are mobile payments changing traditional banking? – 2/22/2011 – Computer Weekly]

Well, up to a point. They are not eliminating the need for a bank, they are eliminating the need for banks to run payment services. And this is not bad for banks, or customers, because M-PESA doesn’t need to eliminate banks in order to improve the banking infrastructure, as it demonstrates with the example of the M-KESHO service, launched with Equity Bank, which allows M-PESA customers to transfer money to and from savings accounts.

With the M-Kesho Account, customers will be able to get pre-qualified personal accident insurance, access to short-term loan facilities ranging from KES 100, and interest on the mobile account from as little as KES 1. The application is built with the ability to score a customer’s credit rating using a six-month history of his M-Pesa balances.

[From Safaricom, Equity Bank launch M-Pesa bank account – Telecompaper]

How interesting is that? The transaction history built up inside M-PESA provides a straightforward mechanism for financial inclusion, simply not available in a cash economy, and an apparently entirely viable alternative to credit history. The service has been tremendously successful.

He noted that some 21 percent of M-PESA users in Kenya now use the service simply to store money and earn interest. The savings service – branded as M-KESHO and in partnership with Kenya’s Equity Bank – has effectively set-up 750,000 new bank accounts in Kenya since launching in May with deposits totalling KES900 million (US$10.7 million).

[From Vodafone, Telenor To Expand Their Financial Services | Telecom Recorder]

Scatchamagowza! They’re on their way to creating a million new bank accounts. Far from taking customers away from banks, M-PESA is bringing customers to them! As far as I can see, this is pretty conclusive proof that banks are wrong to lobby regulators to insist that mobile payments can only be provided by banks and that regulators are wrong to listen to them. (In Europe, fortunately, this is not true because of the Payment Services Directive: O2 have applied for a payments licence in the UK, for example). So, an efficient and effective mobile payments platform adds value to mobile financial services by making those financial services more accessible at lower cost. And while stimulating this, operators can make money too.

Aite says mobile payments will account for $214 billion in gross dollar volume by 2015, up from only $16 billion in 2010

[From The Smartphone Payments Train’s Leaving the Station – Bank Technology News]

That means lots of transaction fees. It’s interesting to note how M-PESA’s transaction fee income has held up.

As the use of M-Pesa spread, Kenyans started using it for smaller and smaller transactions. The average amount sent through M-Pesa declined from the equivalent of about $50 in March 2007 to less than $30 by March 2009.

[From Fascinating Stat and Lesson for the US About Mobile Payments in Africa]

So Kenyans are sending smaller amounts and are paying transaction fees that amount to a larger fraction of the transaction (around 7%) because they still find it more convenient to do this than to use any of the alternatives. Once again, we see the mobility premium in action and a new value network that enables mobile operators to provide profitable payment services (because of that mobility premium) while simultaneously enabling banks, insurance companies and others to provide profitable financial services using mobile payments as a conduit.

More important than the mobile payments business itself will be the businesses that it enables. Just like M-KESHO, there will be new financial services businesses that only make sense on the mobile payments platform. In the UK, initiatives such as O2 Mobile Money and Orange Cash should provide some useful early indications as to how the market might evolve: if third-party financial services offer new products using these payments (eg, SME payments, media subscriptions, that kind of thing), then I think that will show that the pie will get bigger instead of getting sliced.

P.S. By way of an experiment in the service of readers, I have instructed no.1 son to go mystery shopping for an Orange Cash card and will report here in a couple of weeks.
