Peter Bove - Aviso - London 30 April, 2008, 08:46 0 likes Er.... the majority of UK fraud is CNP .... which is down to the card not being present.  Not sure how your plan overcomes this obstacle.  Also, given that SIMs are already being counterfeited and phones are easily lost or stolen would you not just move fraud to a new token?

A Finextra member 30 April, 2008, 10:52 0 likes

Pete for remote purchases there are mobile solutions which can make it securer than at present.

Otherwise Dean is absolutely correct and mobile can be safer. However it's not yet so secure to use only RFID in phones - they can still be 'unofficially/illegally' read. But, meantime mobile and optical reading is a real and secure alternative to cards. 

For example, once set up, the ability to cancel the phone is as easy as a (lost or stolen) credit card - just call the bank - but the difference is, the majority would quickly notice if their often used mobile disappears, far more quickly than their relatively lesser used card.

Security is also better with mobile re- password protection/encryption etc. so I agree with Dean and the banks need to look a bit farther -  at either combining Optical Reading  or Optical Reading + RFID chips for NFC. That will be progress and greater security and functionality will become a reality.

Mark Hendriksen

CEO UpCode Mobile Solutions - www.upcode.solutions.com

A Finextra member 30 April, 2008, 12:58 0 likes

To say we have a novel approach which prevents fraud is an understatement.

Our solution is not vulnerable to theft of the phone.

We are examining the options of providing a guarantee against any losses if the user follows the simple rules. We wouldn't be able to consider that option if we were vulnerable to simple attacks like spoofing and SIM forgery. We are pretty confident that fraud will be the least of our concerns.

Our solution works with any and every phone on any network, without requiring expensive data services, and I don't believe anyone else makes that claim.

We can incorporate some of our security features into other solutions to make them immune too, and we can use software on the phone etc as well, but it's not required for our basic service.

To give you some idea of where we are, our mobile phone guru who has provided some of the worlds biggest mobile deployments with their IP, stated that our solution is the 'end game', before he signed up to work for us. We are sure it is. A recent visit and project in India reinforced that belief.

We are very familiar with the Scandinavians and what they are doing, but even our java and SIM based systems are better than what's coming out of Scandinavia, but they aren't good enough by themselves to provide the privacy and security that consumers require, so we don't promote them.

We can even afford to sit back and wait until the alternatives are compromised, because they will be, and we'll probably be able to charge even more for ours. We have had discussions and 'examinations' with one of the worlds biggest banks and passed all tests and have since come up with even more applications.

The response has been overwhelming. The last time I went to an advertising agency for advice I left with a cheque... Our first 'investor' was the numbers and risk guy for a major bank and he signed a cheque without seeing a business plan.

We are just deciding whether to sell it to, do it for, or be the bank. 

We live in interesting times. 

A Finextra member 30 April, 2008, 13:33 0 likes

Our solution excels at card not present transactions, after all I didn't even have the card in mind when I invented it. 

The world I live in right now is one where the mobile phone is a useful tool for ID, transactions and information in more ways than you might imagine.

In my world we can be driving in the car, or watching TV and hear or see something we either want to buy, or just want more information about, and we can use our phone to instantly get what we want, how we want, with no fears of hackers, fraud, ID theft or violation of our privacy. No talking, no card numbers and it works on every station or channel, cable TV Radio, free to air, every network, already tested.

We only developed the secure transactions because nobody else could provide what is required, and they still can't. 

We think that everyone will like our mobile future.

A Finextra member 02 May, 2008, 19:37 0 likes Perhaps until then you could just have a slot in your phone and stick your ID card in it?

Stephen Wilson - Lockstep Consulting - Sydney 07 May, 2008, 00:02 0 likes

In thinking about these problems, let's remember that "card fraud" is a bit of a misnomer. Much card fraud is a special case of ID theft or 'identity takeover', it just happens that the identity data concerned is usually carried on a magnetic stripe card.  And therein lies the problem -- the data in this form is exposed to takeover and replay.

Ditching the cards to stop card fraud would be like getting rid of all windows to stop break-and-enter.  It's not the windows per se that matter, but their security.

The way to deal with "card fraud" is not necessarily to get rid of cards, but rather make them more secure.  Cards are such a universal form factor they just couldn't disappear overnight. 

Chip-and-PIN goes a long way.  The next step -- and it's getting urgent -- is to leverage Chip-and-PIN cards online to fight CNP fraud.  I advocate using the chips to notarise (digitally sign) cardholder details transmitted from browsers in e-commerce, to thwart replay attack on 'naked' card details. 

The same approach could be implemented in 2.5G SIMs, if there is a trusted process for translating credit card details from the issuing bank into the SIM. 

 

A Finextra member 08 May, 2008, 03:14 0 likes

The issues at hand are many and card fraud is merely one. I won't go on to list them all but it isn't practical to take too narrow a view. I am proposing a paradigm shift, but in this case it is one which does not require everything to change or everyone to change the way they do things - except:

• we could use our mobiles to identitfy ourselves

• we could also use it to confirm our transactions

• be notified of transactions and credit applications in our name.

Is that too difficult to comprehend?

What I have spoken about in my blogs is the merest hint of the possibilities we are already trialling or have trialled successfully since we started this project many years ago. 

If Joe wants to use his new Plutonium Card or whatever - he can.

If he wants to be notified when someone else does - he can - by mobile.

There is no requirement for anyone to give up their precious cards apart from all the sensible reasons one might do so when they can use the mobile. If you feel there is status in a particular colour of credit instrument then by all means carry on - just don't expect me, or our bank, or our merchants to carry the fraud risk or the much higher costs to service your relic from 1950. You play - you pay.

What I am proposing is a seamless interchange of money between connected individuals and businesses, and information between patients and doctors, citizens and governments and person to person - with privacy, security and ease.

The tool to enable this is a mobile phone. Why? -  because we can, and there are a lot of you out there with mobile phones. You can choose to participate or not.

Those who choose to will benefit from:

• no online fraud

• no ID theft fraud

• no carrying reams of plastic

less fees, lower government costs, more safety, more privacy, more convenience...

We are assembling the infrastructure to enable this for hundreds of countries so that when you travel it's the same wherever you go. When you want to pay for something or transfer funds to someone else or make sure the local doctor has your medical records and your insurance entitlements quickly and accurately and securely - you can.

The fact is that we can do it at such low cost and governments will save countless billions, citizens will not be robbed of countless billions, and everyone will be a little bit safer in everything they do. The alternatives are oppressive,unpopular, unmaneagable systems involving cards, scanners, readers, biometrics, weak security, are inflexible, impersonal and they are unaffordable.

Anywhere in more than 150 countries. Ubiquity. 

I'm passionate - but don't get all emotional about losing the card - it's going to happen - just like your dummy when you were a child, one day it'll just be gone because you don't really need it anymore.

There is one thing that I am sure of - nothing on earth can stop it from happening. We're closer than any of you might imagine and if you knew what I know - it really is  the end game and your descendants will probably be doing it the same in a thousand years time.

Stephen Wilson - Lockstep Consulting - Sydney 08 May, 2008, 04:50 0 likes

Dean wrote: "don't get all emotional about losing the card - it's going to happen". 

Um, I'm not emotional about cards myself, I just don't see how mobile payments solutions will get rid of them.  There are many transaction settings which will not move away from cards quickly: ATMs, EFTPOS, over-the-counter banking, and human readable proof of entitlements (from driver licences and health insurance all the way to airline lounge membership cards). At the same time, the card form factor is being embraced by Microsoft and PC manufacturers for identity management. 

And you might lampoon precious metal coloured cards but nevertheless, the physicality of plastic offers a tangible marketing and branding medium for banking products that cell phone displays do not.  A simple but effective example: nobody at the British Airways Executive Club desk is going to let me in based on a picture of a BA card on my phone, even if it were a fancy iPhone (come to think about it, especially if it were an iPhone).  For more on the non-technology issues here, I like Bruce Schneier's elegant account of the problem with single multipe-purpose cards; see below. 

So it seems to me that cards will be around for ages.

Mobile commerce and payments might be great, and they might indeed displace some online transactions, but they will live alongside cards; they won't replace them.  

What I don't buy is that mobile technologies offer a unique class of security services compelling enough to obsolete smartcards. 

[In fact, the dominant transaction security method using mobile phones today -- SMS one time passwords -- is a pretty klunky stop-gap measure that has found a temporary niche in the ecosystem because on its own, the Internet channel is vulnerable. I don't think there is a strong long term argument for two channel authentication in addition to two factor. I say make the main channel more secure and the attractiveness of SMS goes away.]

If there were to be a single convergent approach to transaction security, I would put my money on cards, because smartcards work in both web and bricks-and-mortar settings, whereas phones don't.  We probably agree that in general, chips, in one form or another, offer the sort of systemic breakthrough for identity safety that is needed to address whole categories of fraud, including card-not-present fraud.  What I like about chips in cards is they can be used across many more channels than chips in mobile phones can: web (when integrated readers become standard) as well as ATM, POS and counter, using today's terminal infrastructure.

[I will grant you smartcards on their own are still not quite enough.  FOr example, we still need to work on hardening PIN capture in PCs, but I think TPM will help with that.  And in any event, PIN capture by telephone keyboard isn't immune to tampering and sniffing; indeed the whole issue of malware on cell phones is set to blossom.]  

Dean -- I am interested in the Transinteract work (and I am sure it's in a league all of its own, not to be compared with SMS one time passwords).  Are there any whitepapers or case studies available? 
 

 

 

Attachment: Extract from Bruce Schneier on Multi-Use ID Cards (2006)

"You don't -- and won't -- have a single card in your wallet for everything. It has nothing to do with security.

"My airline wants a card with its logo on it in my wallet. So does my rental car company, my supermarket and everyone else I do business with. My credit card company wants me to open up my wallet and notice its card; I'm far more likely to use a physical card than a virtual one that I have to remember is attached to my driver's license number. And I'm more likely to feel important if I have a card, especially a card that recognizes me as a frequent flier or a preferred customer"

 

A Finextra member 08 May, 2008, 10:59 0 likes

Hi Joe,

I don't see cards disappearing in a puff of smoke especially seeing that we can make those safer too, but there are just too many advantages in the mobile.

It's great to say cards can do this or that, but in reality it's card + a reader plus a whole lot of back end infrastructure which isn't there. Short of buying everyone a reader or installing one in every communication device in use, this is not a realistic solution.

Cards may be able to be multi-purpose but in the process are less brand friendly than what we propose for the mobile - and people don't have them yet.

Our mobile solution is built on a solid foundation we and can tailor the experience to exactly what the customer wants within the capabilities they possess and choose to use.

The whole card concept was conceived in the 1950's within the limits of what was available. It has been adapted to overcome continued shortcomings, unfortunately at great expense due to the architecture and it's time to move on. We can't afford to replace readers and technology in millions of stores every time it's compromised. We don't need to.

Joe I don't really think you want to have to carry a card and have to stick it in your phone every time you want to do a non face to face transaction or interaction, and put it in every other device you use to communicate.
Why wouldn't you need to prove identify in any trusted communication and prove you are the card holder in any transaction? I just don't see people doing all that card reading and carrying when they won't really need to.

The customer experience can evolve without limits using the mobile phone and people will continue to buy newer better ones enabling the experience to be even richer. 

This is the reality - Mobile phones 4 billion live by 2009 - Nothing else is in the race.

A Finextra member 08 May, 2008, 15:07 0 likes

For CAP :  you can personalize a SIM with payment application and CAP profile,and you may activate it and enter your pin thru your mobile keypad.Which sounds fantastic ! well, of course there are many "if"s in that stament.

But what i think is the not only those "techincal if" s but also, the ecenomy of the payments landscape and players and their roles. I agree that migration to a new form/platform is coming but it will not and "should" not be quick.

Let's take it a bit more extreme :

Imagine a world that a mass number of banks are not issuing cards: what would silicon/plastic/antena/ manufacturers will do, or perso machine/system vendors...you can add as many as you like.

This will affect even bank call center calls, if you can think you are holding a smart/self-service device and could be reached and updated any time anywhere.

 

 

A Finextra member 08 May, 2008, 21:06 0 likes

Hi Can,

If I keep telling everyone what it isn't ....

I foresee no shortage of call centres in the future, sure there will be less calls with problems and complaints, but there'll be a whole lot more calls enquiring about and activating new services, which is potentially more lucrative for good quality call centre personel.

We are in the unique position of having a whole suite of disruptive technologies, and the payments industry is the least of it. It's big business and there is a lot of money to be made doing it easier, better and cheaper. 

As for the plastic, well I suppose they'll find something else to do with it, hopefully more constructive. Imagine a mountain of 4 billion 'smart cards' to dispose of every few years when their sealed unit batteries run out, and all those readers. If the dumb card alternative comes about, we'll have to dispose of billions of readers too. I certainly won't feel guilty about reducing that. I think a 12 year old can see the sense in ditching that idea.

The solution we propose for payments is the absolutely 'greenest' solution anyone will ever come up with - so think about that.

The credit card business looks really attractive to us too. The average US petrol retailer pays more than their before tax profits to the card companies, would you like to see cheaper petrol?  Convenience store owners pay more than their wages bill to credit card services.

Anyone want to play in that market? Mobile credit, no cards to issue, thousands of willing marketers and businesses willing to accept them. Why not double the staff wages, have happy customers, cheaper petrol and improved customer experiences? I'll be on the phone to them in a minute.

Think of all the people who won't be defrauded - the maths are such that the governments should be forcing us to do it for everyone. All that money to criminals isn't my idea of constructive financial services. 

We aren't adverse to integrating into existing systems and will do it where efficient, but why would we bother to rely on that for success? If some people need to be dragged kicking and screaming into the 21st century so be it, at least it won't be the consumers, and Rome wasn't built in a day so it's not like it's going to be an overnight thing.

It could be quite fast though.