20 September 2014

Beyond TEDIPAY

Alexander Peschkoff - TEDIPAY

103 posts | 375,878 views | 481 comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Where NatWest got it wrong

09 October 2012  |  4307 views  |  6

I had an interesting discussion with Bob Howard (BBC Money Box) this morning concerning the current situation with GetCash service by NatWest. At the end, I felt that it would be important to draw a clear line between "mobile payments are not safe" and "badly implemented mobile payments are not safe". 

Mobile-related frauds are now getting close media attention, and not without reason. NatWest have been offering cardless cash withdrawals for years. If any fraud did occur with that service, it was of little interest to the media.

Enter mobile payments, and things shifted into a different universe. Every mobile phone with the GetCash app is a lucrative fraud target: find a hole in the app (for example, via malware) and get an instant reward in cash.

What did NatWest do wrong, in my opinion?

Every banking card issued by NatWest conforms to the EMV ("chip and PIN") standards. Those standards (not without some issues, though) were collectively thought-through, developed, tested and implemented by a consortium, not by a single company. The underlying architecture is sound, there is "secure element" involved, EMV protocols represent "good practice" etc - in a nutshell, EMV works, and it works well.

Why do banks, when it comes to a mobile-based version of that same card, re-invent the wheel? Why do banks think their IT departments are filled with "mobile payments" Da Vincis who can outsmart EMV? Why do banks, well familiar with the advantages of "chip", deploy mobile solutions using the equivalent of a magnetic stripe? 

Is it greed? As in "why pay mobile operators or another party for access to secure element if we can simply keep fingers crossed". Or arrogance? As in "we know better" (than Google, for example). Or ignorance? As in "we are using world-class fraud management tools that cannot be beaten even by well-funded and extremely well-organised fraudsters". What do the banks gain by going it all alone?..

Incidents like the GetCash fraud are damaging to the mobile payments industry as a whole. How many times would a consumer need to be stung by a mobile-related fraud to stop even thinking about using a mobile phone for payments and banking?..

We need to get media on board to help us educate the consumer that it's badly implemented mobile payments that are not safe.

If it's not secure, it's not safe. And there is no "secure" without "secure element" (ask Visa or MasterCard why they don't allow PIN entry via mobile). As simple as that. Anyone doubting that will pay the price.

No 'chip'? No, thank you!

Tags: Mobile & online, Payments

Comments: (11)

Alexander Peschkoff - TEDIPAY - London | 10 October, 2012, 07:00

To paraphrase the saying, if it's not broken, why fix ("enhance") it?.. http://www.theregister.co.uk/2012/10/09/natwest_get_cash_removed/

A Finextra member | 10 October, 2012, 08:40

What can you do if someone has phished your bank details and personal ID details? Helplines don't ask for your PIN, ever. GetCash on the mobile phone should at least have allowed the helpline to text the GetCash code to a known customer phone, not a random one. It's the procedure and implementation that is wrong.

Alexander Peschkoff - TEDIPAY - London | 10 October, 2012, 10:12

Let me give you a hint: over 10bn (!) times a day, mobile phones worldwide are being reliably and securely authenticated, without any PIN.

Pat Carroll - ValidSoft - London | 10 October, 2012, 11:50

@ Alexander. I agree with you. The decision by Natwest to suspend its Get Cash app, whilst being a wise one, has cast an unwarranted bad light on mobile based transacting. Since this first came to light there has been speculation as to the cause of the fraud losses, ranging from mobile operating systems, mobile hacking and zero-day exploits. The truth, I suspect, is rather more mundane. The fraudsters were able to download the app and register it with the victim’s debit card details because there was no strong authentication at the point of registration, simply knowledge based information which we all know can be gleaned by fraudsters in a number of ways, such as phishing.

Ironically, the customers who had actually downloaded and registered the app were safe from the fraud; it was those that hadn’t who were at risk. This episode therefore had nothing to do with the medium being a smart-phone but everything to do with the process employed in deploying and activating the app. There is no real difference between this and Internet banking losses through the reliance on PINs and Passwords alone.

In this and other instances that will surely follow, we need to look at the end-to-end process rather than casting a shadow over mobile banking.


Note: my comment is also posted under the NatWest report at http://www.finextra.com/news/fullstory.aspx?newsitemid=24147

Michael Nuciforo - Keatan - London | 10 October, 2012, 20:50

@Alexander

Interesting article, but it was a case of simple phishing and nothing more. The only advantage to the fraudster of using GetCash was that the service allowed 'instant money laundering'. It is nearly impossible for him to be traced, versus him transferring money to another account. The limits of GetCash are so low, and the code needs to be used within 3 hours, that the service isn't that insecure. I can think of plenty of worse implementations.

Alexander Peschkoff - TEDIPAY - London | 11 October, 2012, 09:19

@Pat and @Michael

Thank you for your comments. I agree that, perhaps, the current problem with GetCash is phishing-related.

However, there is no evidence that it cannot be exploited on the platform level: at some point the GetCash code is shown "in the clear" on the phone's screen. Get malware to intercept that stage, display a bogus code, forward the real one, get cash.

The key factor here is critical: once the code has been generated by the app, NatWest has no control over who, how and when will be using it. It's ironic that, from that perspective, the name of the service sounds more like an invitation to fraudsters...
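The post's chip-versus-magstripe argument and the comment above about a code displayed "in the clear" describe the same property: a withdrawal code shown on screen is a bearer credential, and whoever holds a copy of it can spend it until it expires, while a secure-element design never exposes anything reusable. The following Python model, added here for illustration and not code from NatWest, TEDIPAY or any commenter, contrasts the two. It assumes a 3-hour validity window (the figure quoted in the comments), a 6-digit code, a per-device HMAC key and a nonce-plus-amount challenge; all of those details, the class names and the account and device identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Validity window for a withdrawal code. The 3-hour figure is the one quoted in
# the comments; every other value in this file is constructed for illustration.
CODE_TTL_SECONDS = 3 * 60 * 60


@dataclass
class BearerCodeService:
    """Scheme 1 (magstripe-equivalent): the displayed code *is* the credential."""
    issued: dict = field(default_factory=dict)  # code -> (account, amount, expiry)

    def issue(self, account: str, amount: int, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # the value the app shows on screen
        self.issued[code] = (account, amount, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str, now: float):
        """The ATM can only check the code itself: any holder of a copy succeeds."""
        entry = self.issued.pop(code, None)  # single use, but not bound to a holder
        if entry is None:
            return None
        account, amount, expiry = entry
        return (account, amount) if now <= expiry else None


class SecureElement:
    """Simulated tamper-resistant key store: the key never leaves this object."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


@dataclass
class ChallengeResponseService:
    """Scheme 2 (chip-equivalent): the device proves key possession per transaction."""
    device_keys: dict = field(default_factory=dict)  # device_id -> (key, account)
    pending: dict = field(default_factory=dict)      # nonce -> (device_id, amount, expiry)

    def enrol(self, device_id: str, account: str) -> SecureElement:
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = (key, account)
        return SecureElement(key)  # stands in for provisioning the key into the SE

    def start(self, device_id: str, amount: int, now: float) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (device_id, amount, now + CODE_TTL_SECONDS)
        return nonce

    @staticmethod
    def challenge(nonce: bytes, amount: int) -> bytes:
        # Binding the amount into the challenge means a response authorises
        # exactly one withdrawal of exactly this size.
        return nonce + amount.to_bytes(4, "big")

    def redeem(self, device_id: str, nonce: bytes, amount: int, response: bytes, now: float):
        entry = self.pending.get(nonce)
        if entry is None or entry[0] != device_id or entry[1] != amount or now > entry[2]:
            return None
        key, account = self.device_keys[device_id]
        expected = hmac.new(key, self.challenge(nonce, amount), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        del self.pending[nonce]  # nonce is consumed: the response cannot be replayed
        return (account, amount)


def demo() -> dict:
    """Exercise both schemes with constructed inputs and report what each accepts."""
    now = 1_000_000.0
    results = {}

    bearer = BearerCodeService()
    code = bearer.issue("acct-1", 100, now)
    copied_code = str(code)  # a copy taken from the screen is indistinguishable
    results["bearer_copy_redeems"] = bearer.redeem(copied_code, now) == ("acct-1", 100)
    results["bearer_second_use"] = bearer.redeem(code, now)  # already consumed
    late_code = bearer.issue("acct-1", 50, now)
    results["bearer_expired"] = bearer.redeem(late_code, now + CODE_TTL_SECONDS + 1)

    svc = ChallengeResponseService()
    se = svc.enrol("phone-1", "acct-1")
    nonce = svc.start("phone-1", 100, now)
    resp = se.respond(svc.challenge(nonce, 100))
    results["cr_wrong_amount"] = svc.redeem("phone-1", nonce, 200, resp, now)
    results["cr_genuine"] = svc.redeem("phone-1", nonce, 100, resp, now) == ("acct-1", 100)
    results["cr_reuse"] = svc.redeem("phone-1", nonce, 100, resp, now)
    nonce2 = svc.start("phone-1", 100, now)
    results["cr_old_response_new_nonce"] = svc.redeem("phone-1", nonce2, 100, resp, now)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the asymmetry in `redeem`: the bearer service can only ask "is this a valid code?", so a screen-scraped copy is accepted, whereas the challenge-response service ties each approval to a nonce, an amount and a key that never appears on screen, so a captured response is worthless for any other nonce or amount and for a second use of the same one. Expiry and single-use limit the damage in scheme 1 but do not change its nature.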

Peter Bove - Aviso - London | 11 October, 2012, 10:14

It is the normal cycle, banks issue a product, fraudsters find holes in it, banks react with different technology.

If everyone waited until there were well-developed standards for everything, then we would have zero innovation and we'd still be transacting with cheques. I attended a Visa vendor forum last year where Visa stated that they would have mobile payment standards in place by 2015... it's just too long.

Will fraud destroy mobile commerce? It certainly didn't destroy card commerce, despite the massive fraud levels; if the customer proposition is strong then it will survive.

The fact is, we need innovation to move things forward, the fraud prevention and security side will catch up later. In this case, it does seem that obvious flaws existed, which wasn't too smart.

Alexander Peschkoff - TEDIPAY - London | 11 October, 2012, 10:25

@Peter

I agree with your viewpoint. The last paragraph summed it up well - was GetCash based on the best possible solution (irrespective of standards)? In my opinion - no. It was a commercial decision in their case, not a "technological" one.


Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 12 October, 2012, 17:04

Transaction-level frauds and account hijacking frauds are common. But this episode exposes another type of fraud where the victim / genuine customer neither put through a transaction nor even signed up for the said channel (GetCash). For want of any standard name that I'm aware of, let me call this "Enrolment Fraud". No amount of transaction-level security will help prevent this fraud. Only a more secure enrolment process can reduce / eliminate it. It seems to me that some amount of friction - e.g. application signed in wet ink, branch visit to prove identity - and a corresponding drop in adoption rate will be an inevitable part of such a process. I don't envy banks their position of having to walk a tightrope between security and convenience on this one!

Alexander Peschkoff - TEDIPAY - London | 12 October, 2012, 17:24

@ Ketharaman

I thought you'd call it "Get cash!" fraud :)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 13 October, 2012, 19:31

@AlexanderP: At the time GetCash was launched, you and I had concluded that this app would permit non-customers to receive money. I bet neither of us had thought that the term "non-customers" would go this far!
