Risk and privacy implications of consumer payment innovation
Ross Anderson, Cambridge University

Overview

  • Competition – Sofort, Pingit

  • Background on payment service regulation

  • Cyber-crime patterns and trends in 2012

  • Mobile payment trends

  • Mobile wallets

  • Carrier billing

  • Remittance services, social, credit

  • Ways forward for payment service regulators

It’s fronting for this:

Sofort Überweisung

  • Rapidly-growing low-cost payment service

    • Merchant website redirects to Sofort

    • Sofort asks for the customer’s bank account number and tries to log on

    • Relays the authentication challenge to customer

    • Uses credit transfer to pay for purchase

  • Middleperson attack on online banking!

  • Fee 0.75% + 10c instead of 2.5%

  • Banks’ law case against Sofort failed after Federal competition authorities intervened

Pingit

  • Barclays product for phone-based payment; mobile number as proxy for account number

  • Phase 1: Barclays customers only; peer-to-peer payment limit £300

  • Phase 2: any bank’s customer can use it, following a one-off direct-debit authorisation

  • Background: banks want to abolish cheques

  • Could mobile be a mould-breaker like Sofort?

Possible roadblocks

  • Mobile payments are really successful in Kenya, Pakistan, South Africa… and bring significant social gains

  • In developed countries it hasn’t taken off! Mobile payment predictions of 1bn users, $1trn turnover “within five years” since 2002

  • Innopay 2012 report: need speed, security, functionality

  • But it may actually be about cost…

Possible roadblocks (2)

  • Consumer protection better on credit cards than PIN debit (discount 2.5% vs 1.5%)

  • If we move to phone / Sofort at 0.75% there will be pressure to cut this

  • Also, fraud is about 30 basis points online versus 5 face-to-face

  • Protection now good in USA, OK in Finland and the Netherlands, bad in GB, Spain, Latvia – affects online confidence

  • Will Reg E / Reg Z be circumvented?

Possible roadblocks (3)

  • The EU do-not-track directive is already causing grief to online businesses

  • Privacy tussles will get worse with mobile – cellsite location history is sensitive data

  • Controversy already: path.com, flurry.com

  • Also: interaction with malware

  • Now that the bad guys can steal money they are targeting smartphones (so far mostly dialers, SMS stealers, and mostly in China, but just wait!)

Future regulation?

  • Payment regulation has always been dynamic – 130 years of tussles over forgery, cheque crossing, settlement, liability, interchange fees, …

  • Things are getting ever faster and more complex!

  • Ever more of the players are nonbanks

    • First Data, IBM, …

    • FICO, Experian, …

    • Nokia, Blackberry, Google, eBay, Microsoft, …

  • Governance is going to be hard

Cyber-crime patterns

  • Cyber-crime now defined in EU as just about every bad thing done with IT! But four basic types

    • Traditional stuff like tax fraud and welfare fraud

    • Offences with rapidly changing modus operandi like card fraud

    • Novel offences like fake antivirus scams

    • Platform offences such as running botnets

  • As you work down the list, the indirect cost ratio (costs in anticipation and consequence versus direct losses) rises sharply from < 10^-1 to > 10^2 – like the indirect costs of a mosquito bite

Whither payment fraud?

  • Nilson 2010: card fraud $7.6bn (US $3.6bn)

  • Our 2011 figures: card fraud costs $9.2bn direct and $2.4bn indirect

  • Online bank fraud costs $690m direct, $1bn indirect (and rising sharply thanks to Zeus)

  • Opportunity costs are greater still (maybe $30bn)

  • The move online, and the move to mobile, may increase fraud losses (even double them)

  • ‘Fraud Inc’ might have a market cap over $100bn

  • But don’t panic: this may still increase welfare

Existing mobile payment systems

  • Biggest success in less developed countries

  • Kenya, South Africa: PIN encrypted in the SIM card, transaction via traditional bank network

  • Others send PINs in the clear via USSD, and take the risk

  • Peer-to-peer payments being built out into peer-to-agent and even agent-to-agent

  • Growing ecosystem includes access to government services and much else

Existing mobile payment systems (2)

  • NFC payments started in Japan 10 years ago

  • 2011: launch of the Google Wallet (an app that does tap-and-pay via a secure element (SE) and NFC chip)

  • 2012: NFC payments being promoted for the Olympics; TV fear about possible card cloning

  • Technical risks include easier relay attacks and a series of engineering problems with EMV

  • Governance problems include reprovisioning

Existing mobile payment systems (3)

  • Carrier billing (e.g. premium rate SMS) in pain

  • Android malware leading to chargebacks in excess of 20% in some countries / sectors

  • We’ve been here before (modem diallers)

  • Fixes:

    • remove bad apps quickly from app stores

    • instrument the network to spot malware quickly

    • delay payment to suppliers

  • Industry hopes the SE will fix this, but PBX fraud is also rising very rapidly
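Two of the fixes listed above (instrument the network to spot malware quickly; delay payment to suppliers) can be sketched as a single network-side check. This is an added illustration, not code from the talk: it assumes a constructed premium-SMS CDR log format and illustrative burst thresholds, flags subscribers whose handsets burst premium-rate SMS to one short code, and puts a settlement hold on short codes hit by several such subscribers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR-style log lines (not from the slides):
# timestamp, subscriber id, destination number or short code, message kind.
SAMPLE_CDRS = """\
2012-03-01T10:00:02 sub-001 447700900001 sms
2012-03-01T10:00:40 sub-001 447700900002 sms
2012-03-01T10:01:05 sub-002 80888 premium
2012-03-01T10:01:09 sub-002 80888 premium
2012-03-01T10:01:13 sub-002 80888 premium
2012-03-01T10:01:18 sub-002 80888 premium
2012-03-01T10:02:00 sub-003 80888 premium
2012-03-01T10:02:03 sub-003 80888 premium
2012-03-01T10:02:06 sub-003 80888 premium
2012-03-01T10:02:09 sub-003 80888 premium
2012-03-01T10:30:00 sub-004 81234 premium
"""


def parse_cdrs(text):
    """Parse the constructed CDR format into (timestamp, subscriber, dest, kind) tuples."""
    records = []
    for line in text.splitlines():
        ts, sub, dest, kind = line.split()
        records.append((datetime.fromisoformat(ts), sub, dest, kind))
    return records


def burst_subscribers(records, window=timedelta(seconds=30), threshold=4):
    """Subscribers that sent >= threshold premium SMS to one short code within `window`.

    A human tapping out premium messages is slow; an SMS-stealing app is not.
    Thresholds are illustrative assumptions. Returns {subscriber: short_code}."""
    per_pair = defaultdict(list)
    for ts, sub, dest, kind in records:
        if kind == "premium":
            per_pair[(sub, dest)].append(ts)
    flagged = {}
    for (sub, dest), times in per_pair.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[sub] = dest
                break
    return flagged


def settlement_holds(flagged, min_subscribers=2):
    """Short codes receiving bursts from several subscribers: hold payout to the
    supplier pending review instead of settling and eating the chargeback later."""
    hits = defaultdict(set)
    for sub, dest in flagged.items():
        hits[dest].add(sub)
    return sorted(code for code, subs in hits.items() if len(subs) >= min_subscribers)
```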

Other sources of disruption

  • Low-cost remittance services like oanda.com

  • Off-the-wall entrants like Bitcoin

  • Facebook credits (but has a 30% merchant discount, like carrier billing!)

  • P2P such as zashpay and popmoney

  • Innovations in credit, from ‘crowd’ (zopa.com, smaba.de) to ‘surveillance’ (Telrock)

  • Merchant-side innovation such as Tesco Bank

‘Bad’ payment systems

  • Cyber-crooks want irrevocable payments (watch the UK’s Faster Payments scheme!)

  • eGold got raided: Western Union now handles most of the cashout from core cybercrime

  • Webmoney is used internally by crooks

  • Porn payments: two-sided adverse selection

  • High-yield investment programs (‘postmodern Ponzi schemes’) have a number of PSPs

Outcomes best avoided

  • Could catastrophic fraud close a channel?

  • Pessimist: once cash, keys and tokens are all phone apps, we have a huge target and an intractable governance problem

  • Optimist: if an attack is big enough to disrupt, where do you send all the money?

  • Alternative bad outcome: pervasive carding that undermines confidence and imposes large opportunity costs on economy

What might governments do?

  • See our paper ‘Security Economics and the Single Market’, ENISA, 2008

  • Better stats on both fraud and malware, start to fix liability rules, require network-attached consumer electronics to be secure by default, better police cooperation …

  • Many of these are now being worked on (e.g. Eurozone fraud stats from this year)

  • What should the Fed’s priority be?

What might the Fed do?

  • Esther: the Fed must be prepared for crisis!

  • The Fed should set up a Fraud Analysis Centre to collect information from banks, online service companies, PSPs, CRAs and others

  • Someone has to process data to get actionable intelligence (NCFTA? NACHA?). But someone also needs to track the big picture – a role for the Fed

  • If the Fed wants to do a P2P payment service it should first study what goes wrong …

Next steps

  • Workshop on the Economics of Information Security, Berlin, June 2012

  • Our web page on bank fraud: http://www.cl.cam.ac.uk/~rja14/banksec.html

  • Other current research:

    • Econometrics of online crime

    • Mobile malware

    • Next-generation platform components