Is your mobile banking app exposed by someone else’s software?

This post was written in collaboration with Neal Michie, Director, Product Management, Verimatrix.

Banks are facing massive disruption and change from many directions. The rise of app-only banks has made the need for traditional banks to have compelling app services an imperative. Banks have of course been building mobile apps for several years. If not already, they will soon be the most important channel for engaging with and serving customers. However, mobile banking apps will also become the primary focus of hackers, intent on getting access to other people’s information and money.

TLS, DSS, and NCS(C)

As I was scanning my list of security-related posts and articles recently, my eye was drawn by the first sentence of an article on (Google security engineer) Adam Langley’s blog, indicating that Her Majesty’s Government does not understand TLS 1.3. Of course, my first thought was that since HMG doesn’t seem to understand the principles of encryption itself, it’s hardly surprising that they don’t understand TLS. However, these aren’t the thoughts of an understandably non-technical politician but instead those of Ian Levy, the Technical Director of the National Cyber Security Centre at GCHQ – someone you’d hope does understand encryption and TLS. Now normally, I would read this type of article without feeling the need to comment. So what’s different?

Well, following the bulk of the article discussing how proxies are currently used by enterprises to examine and control the data leaving their organisation, by in effect masquerading as the intended server and intercepting the TLS connection, is the following throwaway line:

For example, it looks like TLS 1.3 services are probably incompatible with the payment industry standard PCI-DSS…

Could this be true? Why would it be true? The author provided no rationale for this claim. So, again in the spirit of Adam Langley, “it is necessary to write something, if only to have a pointer ready for when people start citing it as evidence.”

Adam’s own response – again following a discussion about how the problem with proxies is their implementation, not with TLS – is that

…the PCI-DSS requirements are general enough to adapt to new versions of TLS and, if TLS 1.2 is sufficient, then TLS 1.3 is better. (Even those misunderstanding aspects of TLS 1.3 are saying it’s stronger than 1.2.)

which would seem to make sense. Not only that, but

[TLS 1.3] is a major improvement in TLS and lets us eliminate session-ticket encryption keys as a mass-decryption threat, which both PCI-DSS- and HIPAA-compliance experts should take great interest in.

In turn, Ian follows up to clarify that it’s not TLS itself that could present problems, but the audit process employed by organisations

The reference to regulatory standards wasn’t intended to call into question the ability of TLS 1.3 to meet the data protection standards. It was all about the potential to affect (badly) audit regimes that regulated industries have to perform. Right or wrong, many of them rely on TLS proxies as part of this, and this will get harder for them.

So that’s alright. TLS 1.3 is not incompatible with PCI DSS. So what is the problem?  Well, helpfully, Simon Gibson outlined this in 2016:

…regulated industries like healthcare and financial services, which have to comply with HIPAA or PCI-DSS, may face certain challenges when moving to TLS 1.3 if they have controls that say, “None of this data will have X, Y, or Z in it” or “This data will never leave this confine and we can prove it by inspecting it.” In order to prove compliance with those controls, they have to look inside the SSL traffic. However, if their infrastructure can’t see traffic or is not set up to be inline with everything that is out of band in their PCI-DSS, they can’t show that their controls are working. And if they’re out of compliance, they might also be out of business.

So the problem is not that TLS 1.3 is incompatible with PCI DSS. It’s that some organisations may have defined controls with which they will no longer be able to show compliance. They may still be compliant with PCI DSS – especially if the only change is to upgrade to TLS 1.3 and keep all else equal – but cannot demonstrate this. So what’s to be done?

Well, you could redefine the controls if necessary. If your control requires you to potentially degrade, if not break, the very security that you’re using to achieve compliance in the first place, is it really suitable? In the case of the two example controls above, however, neither of them should actually require inspection of SSL traffic.

For the organisation to be compliant in the first place, access to the data must only be possible to authorised personnel on authorised (i.e. controlled) systems. If you control the system, you can stop that data leaving the organisation more effectively by prohibiting its access to arbitrary machines in the external world. After all, you have presumably restricted access to any USB and other physical storage connectors, and you hopefully also have controls around visual and other recording devices in the secured area. It is difficult in today’s electronic world to think of a situation where a human (other than the cardholder) absolutely must have access to a full card number without (PCI DSS-compliant) alternatives being available.

So TLS 1.3 is a challenge to organisations who are using faulty proxies and/or inadequate controls already. It certainly doesn’t make you instantly non-compliant with PCI DSS.

Given this, we, as humble international payments security consultants, are left puzzled by the NCSC’s line about TLS 1.3 and PCI DSS compatibility. At worst, organisations need to redefine their audit processes to use the enhanced security of TLS 1.3, rather than degrade their security to meet out of date compliance procedures. But, of course, this is the type of problem we deal with all the time, as we’re frequently called in to help payment institutions address security risks and compliance issues. TLS 1.3 is just another tool in a complex security landscape, but it’s a valuable one that we’re adding to our toolkit in order to help our clients proactively manage their cyber defences.

Who would have ex-Spectre-d this?

At Consult Hyperion we’re always interested in the latest news in cyber security and in case you haven’t heard, 2018 has started with the news that the most processors found inside current computers, tablets, phones and cloud servers are vulnerable to a new class of attack. These attacks have been named Meltdown and Spectre, and are caused by common optimisations built into modern processors. Processors designed by Intel, AMD and ARM are all affected to varying degrees and, as it is a hardware issue (possibly dating back to 1995 if some reports are correct), it could affect any operating system. It’s likely the machine you’re reading this on is affected – whether it’s running Windows, Macs, iOS, Android or is in “the cloud”!!

At a basic level, these vulnerabilities break down the fundamental security barriers between an application and the operating system (OS). This means that a malicious application running on your processor may be able to read your, or your OS’s, secrets which may include passwords, keys or possibly payment data, present in processor caches or memory.

I’m not going to discuss how the vulnerabilities achieve what they do (there’s plenty of sites which attempt to do this), however I’d rather consider its impact on people, such as our clients, who may be handling sensitive data on mobile devices – e.g. payments, banking information. If you do want to understand the low-level details of the vulnerabilities and how they work, I suggest looking at https://spectreattack.com/ which has links to the original papers on both Spectre and Meltdown.

So, what can be done about it? The good news is that whilst the current processors cannot be fixed, several operating system patches have already been released to try and mitigate these problems.

However, my concern is that as this is a new class of attack, Spectre and Meltdown may be the tip of a new iceberg. Even over the last week, the issue has changed from it only affecting Intel processors, to now including AMD and ARM to some extent. I suspect that over the coming weeks and months, as more security researchers (and probably less savoury characters as well) start looking into this class of attack, there may be additional vulnerabilities discovered. Whether they would already be mitigated by the patches coming out now, we’ll have to see.

It should also be understood that for the vulnerability to be exploited, there are a few conditions which must be met:

1. You must have a vulnerable processor (highly likely)
2. You must have a vulnerable OS (i.e. unpatched)
3. An attacker must be able to execute their malicious code on your device

 
For point 1, most modern devices will be vulnerable to some extent, so we can probably assume the condition is always met.

Point 2 highlights two perennial problems, a.) getting people to apply software updates to their devices and b.) getting access to appropriate software updates.

For many devices, software updates are frequent, reliable and easy to install (often automatic) and there are very few legitimate reasons for consumers to not just take the latest updates whenever they are made available. We would always recommend that consumers apply security updates as soon as possible.

A bigger problem for some platforms is the availability of updates in the first place. Within the mobile space, Microsoft, Apple and Google all regularly release software updates; however, many Android OEMs can be slow to release updates for their devices (if they release them at all). Android devices are notorious for not running the latest version of Android – for example, Google’s latest information (https://developer.android.com/about/dashboards/index.html – obtained 5th January 2018 and represents devices accessing the Google Play Store in the prior 7 days) shows that for the top 81% of devices in use:

• 0.5% of devices are running the latest version of Android – Oreo (v8.0, released August 2017)
• 25% are running Nougat (v7.x, released August 2016)
• 30% running Marshmallow (v6.0, released October 2015)
• 26% running Lollipop (v5.x, released November 2014).

 
It should be noted that Google’s Nexus and Pixel devices have a commitment to receiving updates for a set period of time, and Google is very keen to encourage OEMs to improve their support for prompt and frequent updates – for example, the Android One (https://www.android.com/one/) programme highlights that these devices get regular software updates.

If you compare to iOS, it’s estimated (https://data.apteligent.com/ios/) that less than a month after it was released in December 2017, over 75% of iOS devices are already running iOS 11.

The final requirement is Point 3 – getting malicious code onto your device. This could be via a malicious application installed on a device, however, the malicious code could also come via a website as it’s been shown that even JavaScript sandboxed in a browser can exploit these vulnerabilities. As its not unheard of for legitimate websites to unwittingly serve up 3rd-party adverts which contain malicious code, a user doesn’t have to be accessing malicious websites for the problem to occur. Several browsers are receiving patches to try and prevent Meltdown and Spectre working via this route. Regarding malicious applications, we’d always recommend that applications are only ever installed from legitimate sources, however malicious apps still regularly appear in legitimate app stores, so this is not fool-proof.

Thinking specifically about mobile banking and HCE payment applications, which is what interests many of our customers – these applications should already be including protections to prevent, or at least detect, malicious attacks. These protections typically include numerous measures such as root/jailbreak detection, code obfuscation, data minimisation, white-box cryptography and so on.

If anything, these latest vulnerabilities are a useful reminder that security is not a single task within a project plan, ticked off when complete before moving onto the next sprint or task. Rather, it is an ongoing concern for the lifetime of the system – something that Consult Hyperion quietly helps its customers with. A year ago, few would have considered this class of attack to either have been possible, let alone something which needs to be actively mitigated.

China’s PSD2 SCA

QR codes are everywhere because anyone can read them, anyone can use them, anyone can write them. This is in part because there is no security infrastructure. The result in China, where there was little card infrastructure in place beforehand, was the near-ubiquity of QR in the world’s biggest mobile payments market.

“Ogilvy & Mather and Ipsos concluded in a survey of China’s mobile payment market that ‘[Chinese] mobile payment has permeated all aspects of life and changed basic, everyday habits.’”

From “How Chinese Mobile Payments Are Quietly Conquering the World“.

It seemed to us that fraud would be an inevitable consequence of this QR-centric approach, that is indeed what happened. Last year, for example, the South China Morning Post reported that in March 2017 some 90m Yuan were stolen via QR code scams in Guangdong alone (a suspect in one case was found to have replaced merchants legitimate bar codes with fake ones that embedded a virus to steal personal information) and that in China as a whole, a quarter of viruses and trojans were coming in via QR.

Now, while even the man who invented QR codes says that they are an interim technology, there’s no denying that they are here to stay. Hence it makes sense to find a way to make them more secure, and the obvious way to do this is two-factor authentication (2FA). It turns out that the Chinese regulators have come to the same conclusion and have implemented the equivalent of the European Union (EU) Second Payment Services Directive (PSD2) Regulatory Technical Standards (RTS) on Secure Customer Authentication (SCA).

“Under new rules released by the People’s Bank of China [in December 2017], all transactions over 500 yuan (US$76) will be subject to additional levels of verification. As the transaction value passes each trigger point – 1,000 yuan, 5,000 yuan and unlimited – so the security checks will increase.”

From “China’s central bank tightens security“.

Introducing further authentication methods makes obvious sense. Just as in the UK we have contactless for low-value payments but 2FA for higher-value payments (ie, chip and PIN for cards or CDCVM for mobile), QR will be used for low-value payments but 2FA will be required for higher-value payments. Of course, in the Chinese system, QR works just as well on-line as in-person whereas in our system we don’t use chip and PIN online.

This is where we (ie, the industry) should focus our efforts in 2018, since card-not-present fraud is currently growing at 9% per annum in the UK. So what is the way to use chip and PIN online? Well, we already know – it’s the combination of web and mobile browsing with mobile wallets for transactions. When I see a web form asking me to type in my card details – in 2018 already! – my heart sinks. I’ve used ApplePay in-browser a couple of times now (which is the equivalent of using chip and PIN online, as it uses the token in the wallet on the iPhone to complete a web transactions) and I’m already frustrated that more web sites don’t use this kind of solution. If we put our minds to it, we can have online payments that are as ubiquitous as in China, but more secure.

At last, NDEF

A decade ago I remember writing that one of the problems with QR codes is that there is no security. Some years later I wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally-signing tags (although I did also note that no-one used it) whereas anyone could easily create bogus QR codes.

Well, I might not go so far as to call [QR codes] evil, but they certainly have the potential to enable person or persons unknown to act with evil intent.

From A quick response to the problem | Consult Hyperion

I suggested, in connection with a couple of projects we were working on at the time, that the mobile operators do something about this by creating a digital signature standard for QR codes so that phones could be set by default to ignore unsigned codes. None of this happened, as I’m sure you are aware and QR codes became popular precisely because any app could read any code anywhere.

The security problem never went away though. I notice in the South China Morning Post that in March 2017 some 90m Yuan was stolen via QR code scams in Guangdong alone (a suspect in the case replaced merchants’ legitimate bar codes with fake ones that embedded a virus to steal personal information) and that in China as a whole, a quarter of viruses and trojans come in via QR. Despite the incredible success of QR there, we need to do better.

Even the man who invented QR codes says that they are an interim technology.

From Never mind the last mile, what about the last millimetre? | Consult Hyperion

Now, also back in the day, I had originally assumed that Apple would add NFC to the iPhone. I was wrong about this for years, so eventually I assumed that they were going to bypass the technology and go to Bluetooth. Yet what I said at the time still holds: NFC is undeniably convenient.

NFC is a convenience technology, and Apple loves convenience

From Quick response | Consult Hyperion

I wasn’t just guessing about this, I was drawing on Consult Hyperion’s early experiences with NFC (remember the Nokia 6131?) of tag reading and writing, including not only the usual payments and ticketing stuff but also such fun applications as getting information about clothes at London Fashion Week. I also noted surveys at the time that showed that NFC generated better results for merchants, but only once consumers could get it working. As my good friend Osama Bedier, then head of Google Wallet, pointed out, this is was some barrier because of the amount of “futz” it took to get NFC working.

But there was another reason that I was so interested in NFC as QR alternative back in this days.  To go back to the security point, I was interested in thestandard for adding digital signatures to NDEFs (the “NFC Signature RTD Technical Specification”) to build a safe tag infrastructure. After hawking this around a few different projects, to general disinterest, I figured that the telcos weren’t interested in using it to deliver secure infrastructure, so I said…

“Someone else will build this business (Apple? They seem to be getting all sorts of NFC-related patents at the moment) and then the operators will once again complain about being pipes. Is Tom Noyes right to say that “…Apple and Google will be further ahead in coordinating value in new networks”

You don’t know ‘jack | Consult Hyperion

Well, well. Tom was right as usual, even if it took a few years for the hand to play out. At WWDC, Apple announced that IOS11 will indeed include the ability to read NDEF data from tags.

“Using Core NFC, you can read Near Field Communication (NFC) tags of types 1 through 5 that contain data in the NFC Data Exchange Format (NDEF).”

via Apple adds support for NFC tags to iPhone 7 and Apple Watch • NFC World

So now, more than a decade after our first NFC experiments, both IOS and Android can read standard tags and action them. I want to make a couple of quick points about this before I head off down to our Hyperlab and see what our developers make of the new toolkit.

First of all, this technology will inevitable be used for triggering in-app payments that work in a very convenient way for consumers. Instead of having to open your Tesco Payqwiq app and then scan a code from the POS, the POS will function as a tag (and remember it can potentially rewrite a dynamic tag on the fly): you can just tap the phone on the POS and the operating system will automatically open the Payqwiq app and route the data to it.

Secondly, since tags are inexpensive, they will be used for a variety of different applications. Tickets for pop concerts, information about products, name badges, all sorts of things that can be read by a phone rather than by a specialist reader, Therefore I expect new standards for NDEF content to spring up. One of my favourite apps, back in the day, was a phone number tag that men could put in their back pocket at a nightclub: admirers could wave their phone in an appropriate area to get the number and send a text message. Here we are trying experiments with different types of clothing (which turned out to have very different NFC-friendly characteristics!) a decade ago.

Lastly, note that NFC tags can be read through packaging. Unlike QR codes that need to be printed on the outside of a box, tags can be inside. Where would this matter? Well, take a current UK example. Cigarettes now have to be in plain packaging. Tobacco companies don’t like this – for obvious brand reasons – but they do have a point: plain packaging makes like easier for counterfeiters. So suppose packs had a cheap tag inside: then your phone could tell you whether you’ve got real Marlboro or a knock off. You download the Marlboro app, then from then on when you tap a pack if the app doesn’t pop up with a big green tick you know you’ve been done. I’ve written about this sort of thing before ( for example, wine and whiskey) so it’s hardly a new idea.

Note, however, that IOS11 also includes ARKit to add augmented reality. So, when you look at your pack of plain cigarettes through your app (after you’ve tapped, so the phone reads the tag and knows that they are real Marlboro) you don’t see plain packaging any more you see… well whatever.

NFC Example

All in all, Apple’s announcement – whether the culmination of a clever plan or a response to Android market share – is a big deal. I found a whole bunch of blank NFC tags in my desk drawer so I’m off to start programming them now.

Don’t bogart that iPhone

Over the years, I’ve often tried to persuade clients that the time will come when privacy will be part of the upfront consumer proposition rather than a back office hygiene factor.

privacy should be an integral part of the customer proposition that sways the choice of product or service

From The business of privacy | Consult Hyperion

This means that organisations should plan for investments in more sophisticated security infrastructure (you can’t have privacy without security) and that these should be on a roadmap that exploits this transition. I think we may be getting closer to this transition time, because I notice that Apple appear to taking quite a big step forward to improve the privacy of individuals in a networked, hyper-connected world by introducing “differential privacy” in its products.

Differential privacy provides a way to mathematically guarantee that statistics about a pool of data collected from many people can’t be used to reveal much about the contribution of any one individual. Apple has built it into the new version of its mobile operating system, iOS, for iPhones and iPads to be released this fall.

From Apple’s New Privacy Technology May Pressure Competitors to Better Protect Our Data

If you’re wondering what this means, and can’t understand the wikipedia article (I couldn’t), let me give you an example from some software that I wrote many, many years ago. I’ll use the example of recreational drug use, although this isn’t what the project I worked on was about (well, not during daylight hours, anyway).

Suppose for some reason — e.g., public health planning — the government wants to know how many people smoke dope. Imagine that there’s an app on your phone that asks you if you smoke dope. So it asks you “Do you smoke dope?”. The app sends your answer back to some survey database big data cloud thing. Now the big data cloud thing can tell other people (e.g., the government) that you smoke dope but that means that the police will know and also if hackers get into the survey database big data cloud thing they could blackmail you (or sell you dope).

But there is another privacy-enhancing way to do this.

The app asks you if you smoke dope. You answer. Then the app tosses a coin. If the coin comes down heads, then the app tells the big data cloud thing “yes”. If the coin comes down tails, then the app tells the big data cloud thing whatever your real answer was.

Let’s say 10 million people answer. In the big data cloud thing, there are seven million yes answers and three million no answers. Remember, because the coin toss is fair, then five million of the answers will be a yes anyway. So you know that five million of the yes answers were there because of the coin coming down heads, and you can ignore them because they are not the real answer. You can take away five million of the yes answers as down to random chance.

Now you are left with the remaining five million real answers. There are the two million yes answers and three million no answers that are not down to random chance. You can therefore deduce that 40% of the population smoke dope.

Now, if hackers or the police get into the database and discover a yes answer next to your phone number, they cannot tell whether it is a real yes or a yes because of the coin toss. And you don’t want to reveal that you smoke dope, you can say that’s because of the coin toss.

Thus, the statistics for the population are correct and you know that 40% of the population smoke dope but you cannot tell whether any individual person smokes dope.

Now the differential privacy used by Apple is more complex than this simple example, but you get the point, and good on them for taking practical privacy-enhancing action whether it is to advance the sum total of human privacy or to put pressure on Facebook and Google. Either way, making privacy part of the proposition that might sway the customer’s choice is a very good thing.

We might want an irreversible anonymous blockchain but not for irreversible anonymous payments

I think I’ll just read John Lanchester’s superb piece about bitcoin in the London Review of Books one more time. It’s hard to choose a favourite part of such an excellent article, but if I was pressed to do so, I suppose it would be this part:

David Birch is the author of a fresh, original and fascinatingly wide-ranging short book about developments in the field, Identity Is the New Money. His is the best book on general issues around new forms of money, and new possibilities generated by blockchain technology.

From John Lanchester · When Bitcoin Grows Up: What is Money? · LRB 21 April 2016

John is much too kind. And is a much better writer than I am, which is why his piece is so good. His basic question about where we are going next is fascinating and has been at the heart of some heated debates that I’ve been involved in recently, including a stand-up with a bunch of very clever people at the European Blockchain Congress in London.

Arguing with smart people is how I learn

 

My preferred method of accelerated learning is arguing with smart people, and the Congress delivered them in spades. But before I come back to this particular argument, let’s just frame the big picture. First of all, no-one would deny that the bitcoin blockchain is a triumph of technology and engineering and innovation and ingenuity. Statistically, almost no-one uses it, but that’s by the by.

“The total addressable market of people who want to buy bitcoin is very, very thin,”

From What a Tech Startup’s Pivots Say About Bitcoin’s Future | American Banker

Indeed. And most of them aren’t in America or any other developed market. Why? Well, bitcoin is a super-inefficient form of digital currency that was designed to solve one problem (uncensorability). If I’m trying to get my last few dollars out of Caracas before the power is shut off permanently then bitcoin might provide a rickety bridge to US Dollars, but if I’m trying to pay for a delicious burrito at Chipotle then bitcoin is pointless. However, and this is what the argument at the Congress (in the picture above) made me think about, there may be other factors that mean the bitcoin blockchain will obtain mass market traction.

What factors? Well, here are two that were touched on during the discussion pictured above, together with my more considered reflections on them.

One factor might be irreversibility. I think we all understand that you can’t build an irreversible payment system on top of a reversible payment system (such as direct debits in the UK) but you can build a reversible payment system (which is what society actually wants) on top of an irreversible one. That’s a good argument for having an fast, free and irreversible payment system that can be built on to provide a variety of different payment schemes suited to particular marketplaces. In the UK we already have this, it’s called the Faster Payment Service (FPS). Once the Payment Systems Regulator (PSR) has finished opening up access to FPS and once FPS can be accessed efficiently through the “XS2A” Application Programming Interaces (APIs) that will be put in place by the Second Payment Services Directive (PSD2), then we ought to be able to unleash some creativity in the developer community and perhaps build a reversible payment scheme on top of this irreversible infrastructure (I’m not the only genius to have thought of this: MasterCard are one of the bidders). Then it wouldn’t matter whether the scheme used the bitcoin blockchain or the FPS or NPP in Australia or TCH in the US or Ripple or anything else: the choice would come down to price and performance. Perhaps bitcoin would then be a choice, although I’m not sure about it.

Another factor might be anonymity. No-one who actually thinks about it wants anonymity. What they want is privacy. But there is a similar asymmetry as in the case of irreversibility. You can’t build an anonymous system on top of a non-anonymous system but you could build a privacy-enhancing transaction system on topic of an anonymous system and since I’m rather wedded to the idea of private payment systems, I find this an interesting combination. Again, would bitcoin be a choice for this? That’s not clear to me at all.

What if those factors turn out to be important enough to build new services, but not for creating a currency? This would support the view that a blockchain, although not necessarily the bitcoin blockchain, might well be the shared security service that society needs to anchor a new generation of online transactional services. As time goes by, this strikes me as a more and more interesting possibility. I mentioned it a couple of weeks ago.

Dr. Wright says “The mining of bitcoin is a security service that alone creates no wealth”. So to return to the point above, the sheer volume of mining going on (provided it does not become concentrated) means that there is a very, very secure piece of infrastructure out there. This infrastructure may be used to “anchor” all sorts of new services that need security as I said above. Some of them may be payments (as the Lightning folks hope) but most of them will not be.

From Mining for what? | Consult Hyperion

So, to get back to John Lanchester’s piece, where might we be going next? I’m pretty sure that we’ll soon see another more efficient blockchain that will untangle the cryptocurrency from the carrier by providing some other incentive for mining (perhaps more like Ethereum, who knows). This, the Watt blockchain that will replace the Newcomben blockchain that we have now, could well be the new supranational security infrastructure that, as some claim, will be as important as the Internet itself because it will provide the security layer that the Internet should have had in the first place.

Mining for what?

(Updated 6th May with reference to post by Dr. Craig Wright.)

As I am sure you know, the security of the bitcoin blockchain rests on a consensus protocol that includes a proof-of-work algorithm, and executing this algorithm (which is computationally very intensive) has become known as “mining” by analogy to gold mining (because of the bitcoin reward for the activity). Hence the idea of bitcoin miners.

On the edge of a tiny Chinese town is a strange building where you can get an insight into the future – and only a handful of people know what is happening inside.

From BBC – Future – We looked inside a secret Chinese bitcoin mine

By complete coincidence, on the very day that this story about a secret Chinese bitcoin mine was published on the BBC, I ran into the secret Chinese bitcoin miner himself at a not-at-all secret hotel in New York.

Secret Chinese Bitcoin Miner

Yes, it was Chandler Guo! As you may recall, Chandler won the coveted Toast D’Or at last year’s Money 2020 in Las Vegas (you can read the full story about it here) because he asked the best question from the floor.

Money2020 Toast and More

Anyway, he told me not to mention where the secret mine is, so I won’t, but it was interesting hearing him talk (as it always is) about how mining is going and the dynamics in the sector. Chandler mentions in passing in the BBC article that about three-quarters of the world’s bitcoin mining equipment is in China and that he is currently building a bitcoin mine that will produce about a third of all the bitcoins. What will happen to these bitcoins is anyone’s guess.

“The total addressable market of people who want to buy bitcoin is very, very thin,”

From What a Tech Startup’s Pivots Say About Bitcoin’s Future | American Banker

Indeed. And most of them aren’t in America or any other developed market. But what if it turns out that bitcoins aren’t useful as money at all, but as “anchors” for a variety of new and innovative cryptography-based services (one of which may be payments). The bitcoins will be useful because of the sheer volume of mining going on (since the security of the system rests of mining), not because they are coins representing any actual value.

Wait, what? Bitcoins might be valuable because they are not money? Well, yes.

I’ve said before, in my usual soundbite twitter-centric superficial and aphoristic way, that the future of money isn’t bitcoin and the future of bitcoin isn’t money. We don’t need to go into why I think this, although I will say that I think my early analysis of the technology for out clients has stood up pretty well over time. I touched on the topic again last month in a blog post “Is Bitcoin Money?” where I again said “will money as we know it be replaced by bitcoin? I sincerely doubt it” after a discussion about the functions of money. I started thinking about this again during a couple of the discussions at Consensus 2016 and then some pointed me towards a discussion thread about whether bitcoin is money or not. To be honest, I wasn’t that interested in reading it, but as I was bored on a plane I started to scroll down. It became mildly more interesting when someone mentioned John Lanchester’s piece in the London Review of Books. You remember, the one where he says “David Birch is the author of a fresh, original and fascinatingly wide-ranging short book about developments in the field, Identity Is the New Money. His is the best book on general issues around new forms of money, and new possibilities generated by blockchain technology”. (Which reminds me, I must write a blog post on John’s excellent piece…)

Anyway, while I skimmed some of the arguments, the core of the discussion was that an economic adviser to Jeremy Corbyn, the current leader of the UK Labour Party, said that money is credit and bitcoin isn’t credit so it isn’t money. I’m pretty sure he’s wrong about this (since it is easy to envisage non-credit monies), but that’s not my point. He also makes a point about trust, which is a good one and similar to a point made in a Forbes piece that I read a while back.

Why should anyone have more trust in a digital currency created by an anonymous group of coders accountable to no-one than in a democratically-elected government accountable to everyone? Why is an essentially feudal governance model “safer” than a democratic one?

From Bitcoin: In Technology We Trust (Maybe) – Forbes

So far so familiar to people I bore senseless about this stuff at parties. Then it got a lot more interesting when my old chum Izabella Kaminska from the FT stepped into the fray, pointing to something that Craig Wright (the man who may or may not be Satoshi Nakamoto) wrote on the topic.

It’s the first time anyone in the bitcoin world has actually made a compelling argument, with historical references. First, he describes bitcoin not as a currency or a commodity but as a security service.

From Tax Research UK » The problems with Bitcoin

I had not read the Wright piece before, so I had a very quick glance and then bookmarked it to read later. Unfortunately, there was no later as Mr. Wright has now canned his blog, but a correspondent found it using the wayback machine. Dr. Wright says “The mining of bitcoin is a security service that alone creates no wealth”. So to return to the point above, the sheer volume of mining going on (provided it does not become concentrated) means that there is a very, very secure piece of infrastructure out there. This infrastructure may be used to “anchor” all sorts of new services that need security as I said above. Some of them may be payments (as the Lightning folks hope) but most of them will not be. Now, while I think it unlikely that the bitcoin blockchain will be the final form of this infrastructure, that’s no reason not to experiment with it, in which case bitcoins will continue to have value even if no-one is using them to buy mundane goods or services.

We must stop solicitors from using e-mail as soon as possible

I was watching Panorama on the BBC on Monday. It was about hacking, ID theft, the usual stuff. The main takeaway for the general public was, I think, that everyone’s personal details have already been stolen and are common currency amongst criminals.

Hackers have stolen the personal details of millions of customers from companies like Talk Talk. So how do cybercriminals get hold of our data? Reporter Daniel Foggo meets the hackers who can break into any website and finds out how criminals profit from our information.

[From 

BBC One – Panorama, How Hackers Steal Your ID

]

It featured one sad case of a woman who had been misled by fraudsters. She was buying a house and got an e-mail from (she thought) her solicitor asking her to transfer the funds for the house purchase (some £50,000) to a particular bank account. She did. The e-mail was, of course, from crooks and they transferred the money out and were never seen again (so much for the KYC/AML checks we spend so much money on). With so much money at stake, I couldn’t help but wonder, wouldn’t some form of security seem appropriate?

According to the American Bar Association (ABA), only a third of lawyers use encryption to communicate with their clients and of the lawyers who claim that they do use encryption, fully a third cannot say what kind of encryption they use. Of those who could say what type of encryption they use, the most commonly identified type was general purpose software with encryption features that required the recipient to be sent a separate password. Which is perfectly acceptable: I do the same all the time, using some zip utility to encrypt with a password then texting the password to the recipient. But I can’t help but wonder: why it is that Facebook can send me e-mail that is encrypted and digitally-signed and lawyers cannot? It’s not as if there isn’t a threat model!

Mrs d’Adhemar engaged a solicitor to handle the transaction and sent all correspondence through her secure work email address, but used her personal email account for everything else, including contact with the estate agent, Chestertons.

But 10 days after the sale was completed they received a call from their solicitor, who said NatWest had flagged up a problem with their account. Alarm bells immediately rang. The couple didn’t have a NatWest account, they banked with HSBC.

[From 

Email hacking: another home-seller robbed of £270,000 – Telegraph

]

Just in case you are thinking that I’m highlighting odd or exceptional cases in order to make a point, I can assure you that I am not. This sort of thing goes on all the time in the UK.

Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into.

As millions of people do regularly and without thought, he duly replied, sending his Barclays bank account number and sort code.
The email was intercepted by fraudsters. Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead.

[From 

‘Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale’ – Telegraph

]

After all these years, we still can’t make e-mail security work. Imagine the hassle that the average solicitor would face in trying to get an average customer to install GPG or something. It’s never going to happen. The solution, as Ian Grigg pointed out seven years ago when I was going on about the security of e-mail another time, is to stop trying to fix e-mail and (as my teenagers did) move somewhere else. Why not use messaging systems that are secure, like Facetime? Yes they aren’t interoperable (so you would need to know whether the customer had Skype or Yahoo or WeChat or WhatsApp or whatever) but I don’t think it would be hard to set up a few accounts. Then the fraudsters would have to take over the solicitor’s account rather than just send an e-mail. This would have two immediate benefits: first, the security of the account would be specifically the problem of the solicitor and they would fix it by using strong authentication and, second, all communications could be encrypted (I remember that we worked on a pilot system like this – for financial services rather than for solicitors – a few years ago and even then the overheads associated with encrypting and signing were negligible).

We need solicitors to stop using e-mail as soon as possible, but we need to provide a viable alternative. If not social media or messaging, then why can’t we have something like they have in Denmark, where everyone has a sort of secure government postbox?

P.S. It’s a rhetorical question. I know perfectly well why we can’t: it’s because Denmark has a national digital identity infrastructure and we don’t. But why not have it as a bank service, like the Barclays Cloud thingy? Since the solicitor knows your bank account, they would automatically know which bank cloud to send the documents to. And if you wanted to tell your solicitor to send money somewhere else or some other instruction, you would have to do it from inside your bank cloud. Surely, with a nuclear-powered robot on Mars, it ought to be possible to send documents from a postbox in one bank cloud to a postbox in another?

#IDIoT is a serious business

The Gartner hype cycle is jolly bullish on autonomous vehicles, which I’m really looking forward to. According to Jerry Kaplan’s fascinating “Humans need not apply”, switching to autonomous vehicles in the US will save thousands of lives and billions of dollars every year. Personally, I couldn’t care less if I never drive a car for myself ever again, and I hope that Woking will become an autonomous vehicle only zone as soon as possible. Sadly, this won’t be for a while.

While autonomous vehicles are still embryonic, this movement still represents a significant advancement, with all major automotive companies putting autonomous vehicles on their near-term roadmaps.

[From Gartner’s 2015 Hype Cycle for Emerging Technologies Identifies the Computing Innovations That Organizations Should Monitor]

Gartner are even more bullish on what they call autonomous field vehicles (which I think means drones, combine harvesters and such like) and predict that these will be around in 2-5 years time, just like enterprise 3D printing and cryptocurrency exchanges. I couldn’t help but notice, though, that their very same hype cycle puts digital security at least 5-10 years out. So they are forecasting that there will be vehicles running around for some years before we are able to secure them, 3D printers inside organisations printing things for years before we are able to protect them and people trading money years before we can stop hackers from looting them. Actually, I agree with Gartner’s prediction, as it’s entirely congruent with my own #IDIoT line of thinking, which is that our developments in connection technologies are accelerating past our developments in disconnection technologies. And if you don’t care what I think about it, you probably do care what Vint Cerf thinks about it.

“Sometimes I’m terrified by it,” he said in a news briefing Monday at the Heidelberg Laureate Forum in Germany. “It’s a combination of appliances and software, and I’m always nervous about software — software has bugs.”

[From Vint Cerf: ‘Sometimes I’m terrified’ by the IoT | ITworld]

We’re busy going round connecting vehicles, equipment and money to the internet with having any sort of strategy in place for disconnecting them, which is much more difficult (doors are easy, locks are hard, basically). And with chips that we don’t even understand being built into everyday devices, the complexity of managing security is escalating daily. Look at the recently-launched “21” idea.

Its core business plan it turns out will be embedding ASIC bitcoin mining chips into everyday devices like USB battery chargers, routers, printers, gaming consoles, set-top boxes and — the piece de resistance — chipsets to be used by internet of things devices.

[From Meet the company that wants to put a bitcoin miner in your toaster | FT Alphaville]

Really? Chips in everything? What could possibly go wrong? Oh wait, it already has. There’s something missing here: an identity layer. Hardly a new idea and I’m not the only person going on about it.

Everyone and everything will have an identity… We can’t scale a world that we can’t talk to, can’t control and can’t secure. Everything, including your toaster, you fridge and your car, will have an identity.

[From Facing the new Big Bang: The IoT’s identity onslaught — Tech News and Analysis]

Yet nothing much is getting done, despite that fact that we already have plenty of case studies as to how bad the situation is already. Never mind smart fridges that give away your personal details or televisions that spy on you there are issues about the maintenance and upkeep of things in the field that create an identity management environment utterly different to anything are used to dealing with in the worlds of OIX, Mobile Connect, SAML and so on. 

Did you buy a smart TV or set-top box or tablet any time before January 2013? Do you watch YouTube on it, perhaps through an app? Bad news: Google has shut down the feed that pushed content into the app.

[From You buy the TV, Google ‘upgrades’ its software and then YouTube doesn’t work … | Technology | The Guardian]

It’s issues like this that make me want to focus on identity in the internet of things (or #IDIoT, as I call it) in the near term, so I was really flattered to be asked along by the good people at ForgeRock to talk about this at their London Identity Summit tomorrow. Really looking forward to exploring some of these ideas and getting feedback from people who know what they’re talking about. What’s more, Consult Hyperion and the Surrey Centre for the Digital Economy (CoDE) will be delivering a highly interactive workshop session designed specifically for the University of Surrey’s 5G Innovation Centre SME Technology Pioneer Members on 30th November 2015. This will include “business lab sessions” interleaved with presentations and discussion. We’ll be putting forward the #IDIoT structure to explore identity, privacy and security issues using our ‘3 Rs’ of Recognition, Relationship and Reputation. The event will be an opportunity to establish contacts with companies interested in the IoT space, as well as connecting with the broader University community and a select group of large enterprises so I’m really looking forward to it and, as you might imagine, you’ll read all about it here!


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.