22 July 2014

Beyond TEDIPAY

Alexander Peschkoff - TEDIPAY

102 | posts 366,974 | views 461 | comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Look, Ma, No Hands!

15 January 2013  |  3674 views  |  9

Finextra ran an article today about the UK banking sector "gearing up for the introduction of an industry-wide mobile payments". Which industry? There is no "payment" industry as such. Are we talking about banks? Or mobile operators? Or card schemes?

The article stated that "the new service will enable secure payments to be made [...] by simply using a mobile phone number as a proxy."

Wait a second. If my sort code and account number is a sensitive information, why do we hide it behind something known to hundreds of people? Perhaps because a malicious attacker cannot "simply" use my phone number to make a "secure" payment. He would need something else to do so. Something "secure".

The mystery was finally revealed: "the group can also take heart from the success of Pingit". Hm, that's where things are getting really interesting.

Pingit is an app. There is nothing secure about an app (unless it runs inside "trusted execution environment" which is not the case with Pingit). Now, the banks have been educating us for decades about the wonders of "chip" cards. The industry has been educating us about EMV standards and certifications. The industry is pointing its accusing finger at the US where hard-to-die magnetic stripe is wide open to fraud. 

Why, then, all of a sudden you can stick an app onto a phone and magically have a "secure payments solution"?..

When it comes to mobile phones, "secure" means some form of a Secure Element (SE), typically a protected memory or "trusted execution environment" (TEEs) inside a (secure) microcontroller - in layman's terms, a "chip". Currently, such "chips" inside the phones are controlled either my handset OEMs or, mainly, by mobile operators. Hence, any "industry-wide" solution would need to bed every single operator in the UK (including virtual ones). Was the word "operator" mentioned in that article at all? Take a wild guess.

"With security the main concern for potential users, the Payments Council says it will make sure that, at minimum, a passcode or similar feature will be required to authorize payments." A passcode. Is that the same passcode which can be easily read by a simple virus sitting undetected on my phone (and controlling my "secure" app too)? I now understand why security is the "main concern" only for the "potential users". The industry doesn't give a damn. 

Banks couldn't make a deal with the operators and decided to cut corners by introducing dual standards: "chip" for card payments vs a piece of software code on a phone for mobile payments; secure PIN encryption and secure PIN delivery channels in case of ATM and POS vs a "passcode" entered on a (non-EMV compliant) phone. Genius!

What's next? Let's wait and see...

TagsMobile & onlinePayments

Comments: (12)

Nick Collin - Collin Consulting Ltd - London | 16 January, 2013, 16:18

Nice blog Alexander - you raise a serious concern.  Presumably this new service is a form of "push" payment running on top of Vocalink's Faster Payments.  But as you point out, if authentication is via mobile phone number plus a static passcode entered into the mobile phone, with no equivalent of an EMV chip, then that's completely insecure.

Does anyone know if the Payments Council is working on any stronger form of authentication?  Anyone like to comment?

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 16 January, 2013, 18:47

We already have different authentication standards for different modes of payments: With cash, you just hand it over with no authentication; with cheque, you authenticate by wet-ink signature. Just like cash and cheque, mobile payment is yet another MOP and there's no reason why it must have the same authentication standard as cards, which is a different MOP. The real problem would be if there were dual / multiple standards for the same MOP viz. some people have to sign cheques, others have to sign and place fingerprint on cheques and still others have to sign, fingerprint and show proof of ID with cheques. On second thoughts, maybe not: I remember that, a few months ago, when I wrote a high value cheque to fund a demand draft for a home purchase, my bank did ask me for my passbook and proof of ID. For 'normal' cheques, signature alone would've sufficed, but for this high value cheque, it did not.

Another way of looking at it is, with the hindsight gained over almost a decade of EMV, the industry has perhaps realized that EMV wasn't worth it, so why repeat the mistake with mobile payments.

Personally, as long as the mobile payment app has a PIN - and does not rely solely on the lockscreen password - I'd feel that it's secure enough.

Alexander Peschkoff - TEDIPAY - London | 16 January, 2013, 19:09

Good argument, Ketharaman. I am not against non-EMV security solutions when it comes to payments (since we use some on our platform). As you pointed out, one should compare EMV fraud rate to the alternatives to see if indeed EMV makes commercial sense in that respect.

I objected to inter-bank A2A fund transfers (i.e. banks' internal affairs) being labelled as (secure) "mobile payments".

Nick Collin - Collin Consulting Ltd - London | 17 January, 2013, 11:12

Yet another way of looking at this method of payment is that it's just a conventional A2A credit transfer using a mobile phone rather than a PC to log on to your bank to initiate the transfer.  As far as I'm aware every UK bank now uses strong, two-factor, EMV-based Remote Chip Authentication (or its equivalent in the case of HSBC) to authenticate this type of payment.  For example Barclays' PIN Sentry.  Some, Nat West, for example, go further and insist on Transaction Data Signing by getting you to enter the beneficiary's account details in the card reader.  So it just would not be logical to have less security simply because you're using a mobile phone rather than a PC.

You don't really believe "EMV wasn't worth it" do you Ketharaman?

Alexander Peschkoff - TEDIPAY - London | 17 January, 2013, 11:20

@Nick

Spot on - exactly the "dual standards" I was referring to. Well, in case of mobile phones, there are technologies (used by Pingit, for example) that rely on a device "fingerprint". Yet, they are not as secure as chip-based solutions.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 January, 2013, 15:33

'Mobile Order - Telephone Order' has been virtually wiped out after 2FA was made mandatory for card payments made on the channel - erraneously called MOTO locally - just because card payments made online were subject to 2FA in India. Therefore, I'm in favor of viewing each MOP-Channel as having its unique trifecta of functionality-security-convenience and adjusting each attribute in such a way that the CX is maximized. To me, this is the only way to boost customer adoption of any MOP-Channel. Taking A2A, if Mobile-PIN-DeviceAuthentication is deemed less secure than Online-2FA, I'd advocate mitigation of the security risk by pushing the functionality lever on the former by, say, limiting its maximum daily transfer figure. My personal experience warns me that imposing the latter's security mechanism on the former ignores the unique and different characteristics of the former and will likely cause so much friction that the former will never reach mainstream adoption.

As for whether EMV is worth it or not, I was referring to the industry's view. But, since I now have the chance to weigh in with my personal opinion, here it is: I've been trying hard to get hold of the following two metrics for EMV and non-EMV markets (likewise for 2FA and non-2FA markets): (1) Fraud as a % of Revenue, and (2) Revenue Loss caused by False Positives as a % of Revenue. Only when these figures are available can the benefit of EMV be compared with its cost and a logical decision arrived at as to its worth. Despite reaching out to many sources, including EMV (and 2FA) solution providers, my efforts have failed to bear fruits so far. Therefore, at this point, I'd lean on the side of EMV-skeptics who hold that EMV may be worth it in markets like Europe where card payment authorizations (reportedly) happen offline but not in markets like USA where they (reportedly) happen online.

Matt Scott - Wincor Nixdorf International GmbH - Wokingham | 24 January, 2013, 12:39

I think there is a misconception between "Offline" and "Online" here.  In the UK - the Cardholder Verification Method (CVM) is provided generally by Offline PIN Verification (I say generally because some Chips are issued to allow Signature as the CVM but that is another story…).  Financial Authorisation very very rarely occurs offline - most Issuers configure the Chip to Force the Authorisation online.  In EMV's conception there was a view that predicted exponential rises in Transaction volumes could be cataclysmic and as a result the potential for a Chip to self-authorise within define Floor Limit parameters was scoped in.  In America – Debit Card Transactions use Online PIN Verification at the POS – therefore the CVM (Online PIN) and Financial Authorisation are both performed online – whilst the UK performs PIN Verification (for POS) Offline with Financial Authorisation performed Online.  Hope this clarifies the Online VS Offline debate…

 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 January, 2013, 13:05

More like miscommunication rather than misconception: I've added CLARIFICATORY NOTES IN UPPERCASE to make my previous comment more clear about what I meant: "EMV may be worth it in markets like Europe where card payment authorizations IN THE MAGSTRIPE ERA  (reportedly) USED TO happen offline AND HENCE REQUIRED EMV TO MAKE THEM HAPPEN ONLINE but not in markets like USA where they (reportedly) happen online EVEN WITH MAGSTRIPE.

Matt Scott - Wincor Nixdorf International GmbH - Wokingham | 24 January, 2013, 14:47

Well if we are going to go back in time... EMV was not introduced to suddenly bring transactions online - Magstripe Transactions were already being authorised online (in the majority) for many years before EMV's introduction.  The main drivers for EMV: (i.) An attempt to defend against Card Cloning; (ii.) The ability to perform Risk Management before Authorisation is attempted online; and (iii.) with a view to enabling multi-application uses per card.  I would argue that point (iii.) has not be successfully achieved in general.  Whilst there have been a few loopholes and exploits documented in the Academic world there have been few actual instances of these occurring in the wild.  I would like to see more cooperation between Software Suppliers, the Financial Services Industry, International Governments and the world of Academia.

 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 25 January, 2013, 07:58

TY for the clarification but my understanding is different. According to this Finextra article quoting a Visa exec, "...in the US, we can rely on online processing where transactions are transmitted in real-time to the issuer for approval ... there's no need for the offline authentication that was the genesis of chip-and-PIN". A few years ago, I remember reading other articles from independent analysts saying the same thing. If I manage to locate them, I'll post hyperlinks to them. Anyway, with all the buzz around mobile payments, which will NOT be EMV-compliant, this point is moot anyway. 

Alexander Peschkoff - TEDIPAY - London | 25 January, 2013, 08:17 In 2013, what is the point of offline (authorisation or authentication)? How many places are off the grid completely (i.e. cannot be serviced by fixed telecom or a femtocell)? Offline authentication with online authorisation sounds especially illogical.
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 25 January, 2013, 11:15

@AlexP:

At the risk of going off the track here, I can't help recalling my experience with a leading bank in Germany when I read your reference to network connectivity: After withdrawing cash from a Frankfurt-based ATM of a Top 5 German bank headquartered in Frankfurt, the account balance displayed on the ATM doesn't change. To see the latest balance, I'd have to insert my debit / ATM card into a separate statement printing machine. The ATM shows the latest balance only on the next day.

This disconnect was caused not because of lack of connectivity - the ATM was on the grid 24/7 - but because the bank's accounting system sent out account balances to the ATM switch only at midnight. 

Lest we rule out such disjointed behavior of disparate systems in 2013, even today the Twitter widget on my WordPress blog often takes several hours to display tweets posted by me via a popular social media dashboard. Surprising, considering that all the involved systems are actually resident on the cloud and, hence, available on the grid 24/7. But true. 

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Alexander

Cash is king, but of which kingdom?..

09 June 2014  |  2053 views  |  2  |  Recommends 1 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

Checking my crystal balls

02 June 2014  |  1166 views  |  1  |  Recommends 0 TagsPaymentsInnovationGroupInnovation in Financial Services

Apple's Siri - iPhone security hole

23 May 2014  |  2742 views  |  2  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

Colonic irrigation for payments

04 April 2014  |  1556 views  |  1  |  Recommends 0 TagsMobile & onlineInnovationGroupInnovation in Financial Services

What Steve Jobs knew back in 1984 and why that matters today

10 March 2014  |  1980 views  |  1  |  Recommends 0 TagsPaymentsInnovationGroupInnovation in Financial Services
name

Alexander Peschkoff

job title

CEO

company name

TEDIPAY

member since

2012

location

London

Summary profile See full profile »
I am the co-founder and CEO of TEDIPAY, the company that is bringing to the market a game-changin...

Alexander's expertise

What Alexander reads
Alexander writes about

Who is commenting on Alexander's posts

Richard Sanders
Brett King
S S
Matt Scott
Sian Bentley
Bjorn Soland
Bo Harald
Martin cox
Henry Young
Andrew Smith
Daniel Smith
Ketharaman Swaminathan