Risk and privacy implications of consumer payment innovation

Ross Anderson

Cambridge University


Overview

  • Competition – Sofort, Pingit

  • Background on payment service regulation

  • Cyber-crime patterns and trends in 2012

  • Mobile payment trends

  • Mobile wallets

  • Carrier billing

  • Remittance services, social, credit

  • Ways forward for payment service regulators

Buying a plane ticket (1)

Buying a plane ticket (2)

Buying a plane ticket (3)

It’s fronting for this:


  • Rapidly-growing low-cost payment service

    • Merchant website redirects to Sofort

    • Sofort asks for bank account # and tries to logon

    • Relays the authentication challenge to customer

    • Uses credit transfer to pay for purchase

  • Middleperson attack on online banking!

  • Fee 0.75% + 10c instead of 2.5%

  • Banks’ law case against Sofort failed after Federal competition authorities intervened


Pingit

  • Barclays product for phone-based payment; mobile number as proxy for account number

  • Phase 1: Barclays customers only; peer-to-peer payment limit £300

  • Phase 2: any bank’s customer can use it, following a one-off direct-debit authorisation

  • Background: banks want to abolish cheques

  • Could mobile be a mould-breaker like Sofort?

Possible roadblocks

  • Mobile payments are really successful in Kenya, Pakistan, South Africa… and bring significant social gains

  • In developed countries it hasn’t taken off! Mobile payment predictions of 1bn users, $1trn turnover “within five years” since 2002

  • Innopay 2012 report: need speed, security, functionality

  • But it may actually be about cost…

Possible roadblocks (2)

  • Consumer protection better on credit cards than PIN debit (discount 2.5% vs 1.5%)

  • If we move to phone / Sofort at 0.75% there will be pressure to cut this

  • Also, fraud is about 30 basis points online versus 5 face-to-face

  • Protection now good in USA, OK in Finland and the Netherlands, bad in GB, Spain, Latvia – affects online confidence

  • Will Reg E / Reg Z be circumvented?

Possible roadblocks (3)

  • The EU do-not-track directive is already causing grief to online businesses

  • Privacy tussles will get worse with mobile – cellsite location history is sensitive data

  • Controversy already: path.com, flurry.com

  • Also: interaction with malware

  • Now that the bad guys can steal money they are targeting smartphones (so far mostly dialers, SMS stealers, and mostly in China, but just wait!)

Future regulation?

  • Payment regulation has always been dynamic – 130 years of tussles over forgery, cheque crossing, settlement, liability, interchange fees, …

  • Things are getting ever faster and more complex!

  • Ever more of the players are nonbanks

    • First Data, IBM, …

    • FICO, Experian, …

    • Nokia, Blackberry, Google, eBay, Microsoft, …

  • Governance is going to be hard

Cyber-crime patterns

  • Cyber-crime now defined in EU as just about every bad thing done with IT! But four basic types

    • Traditional stuff like tax fraud and welfare fraud

    • Offences with rapidly changing modus operandi like card fraud

    • Novel offences like fake antivirus scams

    • Platform offences such as running botnets

  • As you work down the list, the indirect cost ratio (costs in anticipation and consequence versus direct losses) rises sharply from < 10^-1 to > 10^2 – like the indirect costs of a mosquito bite

Whither payment fraud?

  • Nilson 2010: card fraud $7.6bn (US $3.6bn)

  • Our 2011 figures: card fraud costs $9.2bn direct and $2.4bn indirect

  • Online bank fraud costs $690m direct, $1bn indirect (and rising sharply thanks to Zeus)

  • Opportunity costs are greater still (maybe $30bn)

  • The move online, and the move to mobile, may increase fraud losses (even double them)

  • ‘Fraud Inc’ might have a market cap over $100bn

  • But don’t panic: this may still increase welfare

Existing mobile payment systems

  • Biggest success in less developed countries

  • Kenya, South Africa: PIN encrypted in the SIM card, transaction via traditional bank network

  • Others send PINs in the clear via USSD, and take the risk

  • Peer-to-peer payments being built out into peer-to-agent and even agent-to-agent

  • Growing ecosystem includes access to government services and much else

Existing mobile payment systems (2)

  • NFC payments started in Japan 10 years ago

  • 2011: launch of the Google Wallet (an app that does tap-and-pay via an SE/ NFC chip)

  • 2012: NFC payments being promoted for the Olympics; TV fear about possible card cloning

  • Technical risks include easier relay attacks and a series of engineering problems with EMV

  • Governance problems include reprovisioning

Existing mobile payment systems (3)

  • Carrier billing (e.g. premium rate SMS) in pain

  • Android malware leading to chargebacks in excess of 20% in some countries / sectors

  • We’ve been here before (modem diallers)

  • Fixes:

    • remove bad apps quickly from app stores

    • instrument the network to spot malware quickly

    • delay payment to suppliers

  • Industry hopes the SE will fix this, but PBX fraud is also rising very rapidly
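One way to put the "instrument the network" and "delay payment to suppliers" fixes above into practice, as an added Python example that is not part of the talk: it computes per-app chargeback rates from constructed carrier-billing records and holds supplier payout for any app above the 20% level the slide mentions. The record layout, app names, minimum sample size and hold period are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed carrier-billing records (not real data): one row per premium-rate
# SMS charge attributed to an app, and whether the subscriber later disputed it.
# The column layout is an assumption made for this illustration.
SAMPLE_CHARGES = """\
day,app_id,msisdn,amount_cents,charged_back
1,com.example.weather,447700000001,100,0
1,com.example.weather,447700000002,100,0
2,com.example.weather,447700000003,100,1
3,com.example.weather,447700000004,100,0
3,com.example.weather,447700000005,100,0
1,com.example.wallpaper,447700000010,500,1
1,com.example.wallpaper,447700000011,500,1
1,com.example.wallpaper,447700000012,500,0
2,com.example.wallpaper,447700000013,500,1
"""

def parse_charges(text):
    """Parse billing rows from CSV text; numeric fields become ints/bools."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"day": int(r["day"]), "app_id": r["app_id"],
                     "msisdn": r["msisdn"], "amount_cents": int(r["amount_cents"]),
                     "charged_back": r["charged_back"] == "1"})
    return rows

def chargeback_rates(rows):
    """Per app: (charges, chargebacks, chargeback rate)."""
    charges, disputes = defaultdict(int), defaultdict(int)
    for r in rows:
        charges[r["app_id"]] += 1
        disputes[r["app_id"]] += r["charged_back"]
    return {a: (charges[a], disputes[a], disputes[a] / charges[a]) for a in charges}

def payout_decisions(rows, threshold=0.20, min_charges=4, hold_days=30):
    """Release or hold supplier payout per app. Apps above the chargeback
    threshold have payout held for hold_days and are flagged for store review;
    apps with too few charges to judge are marked for a later look."""
    decisions = {}
    for app, (n, _, rate) in chargeback_rates(rows).items():
        if n < min_charges:
            decisions[app] = ("review_later", rate, 0)
        elif rate > threshold:
            decisions[app] = ("hold", rate, hold_days)
        else:
            decisions[app] = ("pay", rate, 0)
    return decisions
```

The same per-app tally run daily over live billing feeds is what lets a carrier spot a malware-driven app within days rather than after a billing cycle's worth of chargebacks.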

Other sources of disruption

  • Low-cost remittance services like oanda.com

  • Off-the-wall entrants like Bitcoin

  • Facebook credits (but has a 30% merchant discount, like carrier billing!)

  • P2P such as zashpay and popmoney

  • Innovations in credit, from ‘crowd’ (zopa.com, smaba.de) to ‘surveillance’ (Telrock)

  • Merchant-side innovation such as Tesco Bank

‘Bad’ payment systems

  • Cyber-crooks want irrevocable payments (watch the UK’s Faster Payments scheme!)

  • eGold got raided: Western Union now handles most of the cashout from core cybercrime

  • Webmoney is used internally by crooks

  • Porn payments: two-sided adverse selection

  • High-yield investment programs (‘postmodern Ponzi schemes’) have a number of PSPs

Outcomes best avoided

  • Could catastrophic fraud close a channel?

  • Pessimist: once cash, keys and tokens are all phone apps, we have a huge target and an intractable governance problem

  • Optimist: if an attack’s big enough to disrupt, where do you send all the money?

  • Alternative bad outcome: pervasive carding that undermines confidence and imposes large opportunity costs on economy

What might governments do?

  • See our paper ‘Security Economics and the Single Market’, ENISA, 2008

  • Better stats on both fraud and malware, start to fix liability rules, require network-attached consumer electronics to be secure by default, better police cooperation …

  • Many of these are now being worked on (e.g. Eurozone fraud stats from this year)

  • What should the Fed’s priority be?

What might the Fed do?

  • Esther: the Fed must be prepared for crisis!

  • The Fed should set up a Fraud Analysis Centre to collect information from banks, online service companies, PSPs, CRAs and others

  • Someone has to process data to get actionable intelligence (NCFTA? NACHA?) But someone also needs to track the big picture – a role for the Fed

  • If the Fed wants to do a P2P payment service it should first study what goes wrong …

Next steps

  • Workshop on the Economics of Information Security, Berlin, June 2012

  • Our web page on bank fraud: http://www.cl.cam.ac.uk/~rja14/banksec.html

  • Other current research:

    • Econometrics of online crime

    • Mobile malware

    • Next-generation platform components
