Sunday, 31 December 2017

POST The headline should be "the law of entirely predictable consequences"

Our Prime Minister, Mrs. Theresa May, has gone a bit Trump and posted a tweet. Cool. And here it is.

The odd thing about this is that every single part of it is manifestly and demonstrably untrue. I’m genuinely baffled as to why Mrs. May (who spent 12 years working at the Association of Payments and Clearing Services, the precursor to UK Payments) should make such a transparently false claim to obtain credit for something that she should be against. To be clear: the charges were not hidden, the ban is not only on credit and debit card surcharges, and it won’t help millions of people to avoid rip-off. Let me explain, starting with what I saw on 13th January when I went to pay for a flight on British Airways…

My first "no surcharge" purchase

Now normally when I use my BA Amex card to book a flight, I have to pay a credit card surcharge. I don’t mind paying the surcharge because I want the protections that the use of credit cards gives me as a consumer and also because I want the frequent flier points I get for using this card. As of 13th January, I don’t. I get all this stuff for free. Happy days. Thank you Mrs. May!

"New rules which will come into effect on 13 January 2018 will mean you cannot be penalised for choosing to pay by card, either online or in-store."

Government to ban ALL charges for paying by credit or debit card

Unfortunately, the entirely predictable result of the government’s ban on card surcharges is that prices will go up. For the press to say that the ban has “backfired” is laughable. The ban has worked entirely in accordance with the laws of economics.

Consumers face higher prices and new ‘service charges’ as retailers and businesses plan to circumvent the Government’s ban on credit card fees.

Credit card fees ban backfires as consumers face new 'service charges' and higher prices

So let’s delve into Mrs. May’s bizarre social media message. First of all, the ban on card surcharges is not because of Mrs. May or the British government. It is because of the European Union’s Second Payment Services Directive (PSD2), although in the UK the government has gone further than PSD2 by, essentially, banning surcharges for all electronic payments, not just the “four party” schemes.

Now, just a quick recap on Economics 101. If the government passed a law that (for example) health care is free, that wouldn’t mean that doctors would start working for nothing. It would mean that doctors would have to be paid in some other way (out of general taxation, for example). Similarly, passing a law that retailers cannot surcharge for cards doesn’t mean that everyone at Barclaycard is now working for free.

OK. The government has stopped retailers from charging for cards. However, the costs are not going to go away. Chip and PIN terminals, 3D Secure gateways and Section 75 chargeback guarantees don’t grow on trees. What will happen?

Suppose you are an online merchant selling, oh I don’t know, let’s say Dungeons and Dragons miniatures. Let’s say your card service comes from a top quality merchant service provider who charges you 25p per transaction. From 13th January...

  1. Well, they could stop taking cards. But that would mean they lose business.

  2. They could have a loyalty scheme (spend £50, get £5 off your next purchase) but only for people who pay with cash.

  3. If half their sales are cash and half on card, then they could put the price of the average basket up by 10p. This is a nice simple solution and it’s good for me, since the customers who pay with cash are now subsidising my John Lewis cashback (since I’m only paying the extra 10p not the full 25p).

  4. Or they could try it on and add a service charge of 25p to all orders. This is what, for example, Just Eat have done.

But why should these dastardly people be allowed to get away with any of these options? Why shouldn’t they be forced to simply accept lower profits and a reduced standard of living?

The Telegraph has learned that some retailers and other companies are planning measures to ‘sneak’ around the rules. These include: refusing credit card payments; increasing shelf prices; introducing new ‘service charges’ across the board.

Credit card fees ban backfires as consumers face new 'service charges' and higher prices

This is absolutely shocking coming from The Telegraph. Refusing to accept cards because the government has made it uneconomic is not sneaking around the rules, it is responding to the rules. And unless The Telegraph is proposing to step in and pay the cost of accepting cards for all merchants, neither is increasing shelf prices. In fact, I absolutely guarantee that prices will rise in accordance with basic laws of economics that The Telegraph should be familiar with. Unlike government ministers, apparently. The Economic Secretary to the Treasury, Mr. Stephen Barclay, said "these small charges can really add up and this change will mean shoppers across the country have that bit of extra cash to spend on the things that matter to them". How? I have no idea. The UK travel industry, for example, pays around £150m per annum in card charges. Who does Mr. Barclay think is going to pay for the cards, terminals, fraud, bad debt, guarantees and all the rest of the infrastructure in the future? 

The result of banning card surcharges (ie, price-fixing for payment services) will be two-fold. First, it will push retailers into having their own apps that exploit open banking and use instant payments instead of cards. I can assure you that I won’t book a holiday or buy an expensive sofa this way: I want the legal protections that come with credit cards. However, the costs of accepting cards give these merchants plenty of margin to play with, so they will be able to incentivise customers away from the existing rails. Second, it will transfer money from poor consumers who are trapped in the cash economy to people like me with cashback and airmiles cards.

Even those paying cash are set to lose out, as some companies – including food delivery firm Just Eat – plan to apply the cost increases to all customers.

Credit card fees ban backfires as consumers face new 'service charges' and higher prices

Yep. Exactly as predicted. In fact, the result may be even more perverse. Since debit cards cost merchants less than credit cards, consumers switching to credit cards to get the rewards will mean the merchants’ overall bill for accepting cards will go up.

"'We estimate that removing the surcharge will result in a significant shift away from payments by debit card and bank transfer so the increase [in extra costs] will be greater than the current credit card surcharge.'"

Consumers hit with new credit card 'service charges' and higher prices as fees ban flops

Not my words. “Greater than the current credit card surcharge”. So prices will rise by more than the current surcharge, despite Mr. Barclay’s odd prediction that shoppers around the country will have “that bit of extra cash”. No, shoppers around the country won’t. But certain shoppers (eg, me) will.

Consumer experts have called for regulatory enforcement to ensure businesses cannot dodge the rules.

Credit card fees ban backfires as consumers face new 'service charges' and higher prices

This is absolutely hilarious. Who are these experts? What Soviet-style commission is going to take control of Just Eat’s pricing policy and decree what level of service charge, if any, is to be allowed? The whole situation is nonsensical. If the government, merchants or anyone else thinks that the costs of accepting cards are too high, then they are free to create an alternative that is less expensive. And if they want to know how *cough* open banking *cough* then they should feel free to call us.

Saturday, 30 December 2017

POST Digital != crypto != virtual

Interesting news about the future of our national currency arrives. According to The Daily Telegraph, the Bank of England “could green light its own Bitcoin-style digital currency”. I’m pretty sure that the Bank of England would never use “green light” as a verb, but putting that to one side, I was left wondering what they mean by “Bitcoin-style” digital currency since this is not made clear in the article. “Bitcoin-style” means what? Uncensorable? Mined in China? 7 transactions per second? High transaction fees? Using more electricity than Poland? Oh wait...

The article actually says that a research unit set up by the Bank is investigating the possible introduction of “a crypto-currency linked to sterling”. So not a digital currency, a crypto-currency. This presumably means that the value will be determined by mathematics, not by the Bank of England. Now it all makes sense, except that I cannot imagine why the Bank of England would want to give up control of Sterling. Oh wait...

Further down, the article says that “a virtual currency issued by the bank” might lead to a revolutionary shake up of high street banking. Ah, now I get it. It will be a virtual currency only used in the internet tubes and not for mundane transactions.

It’s all a bit confusing, this future of our national currency stuff.

I suspect that the confusion may have arisen because of the tendency amongst management consultants (and others) to conflate the two entirely different kinds of electronic money: a crypto currency and a digital currency are very different things. If Mr Carney were genuinely suggesting that one of the scenarios under consideration by the Bank of England is that it abandons its responsibility for managing the creation of money and instead turns to a crypto currency, even if it is a crypto currency that is produced as a byproduct of a double permissionless shared ledger spawned by the Bank of England itself, then the value of that currency would not only be beyond political control it would be beyond the Bank’s control and one might imagine the Bank to be somewhat redundant in such circumstances.

The Bank of England is absolutely right to be exploring this new technology and I certainly think that it has something to offer. But that does not mean that the Bank of England is going to start using Bitcoin as a settlement system or that bitcoins will replace Sterling!

From RTGS NBG OMG SOS SLT PDQ SLAP | Consult Hyperion

On the other hand, if Mr Carney were genuinely suggesting that one of the scenarios under consideration by the Bank of England is that it creates a digital currency, then I say more power to him. I cannot think of a single reason why such a digital currency would be a crypto currency or why it would be in any way related to the shared ledger used to process the payments, but that doesn’t mean it wouldn’t be a cracking idea. A digital currency platform with the right APIs in place (providing risk-free, genuinely instant and zero-cost transfers between accounts with final settlement in central bank balances) would be an amazing platform for a Digital Britain.

Here’s a handy table I made last year to clarify the differences.

Note also that Marilyne is clearly describing a digital currency not a cryptocurrency, but that’s by the by. Right now, money reaches the public through commercial banks, a practical structure that stems from the banks’ role in providing payment services. In response to Marilyne’s hypothetical example, I might observe that not only is there no fundamental economic reason why banks should be the dominant providers of payment services, there is no fundamental economic reason why they provide them at all — see, for example, Radecki, L., Banks’ Payments-Driven Revenues in “Federal Reserve Bank of New York Economic Policy Review”, no.62, p.53-70 (Jul. 1999) — and there are many very good reasons for separating the crucial economic function of running a payment system to support a modern economy and other banking functions that may involve systemic risk. Marilyne goes on to note

The conflation of broad and base money, and the separation of credit and money, would allow the CB to control the money supply directly and independently of credit creation

From Central bank digital currency: the end of monetary policy as we know it? | Bank Underground

As far as I can tell, this would be a good thing. But we must recognise the impact that it will have on commercial banks. According to the management consultancy McKinsey (2016), global payment revenues are around $1.7 trillion (and will be $2 trillion by 2020) and these account for around 40% of global bank revenues! So if payments go away, banks are going to have to think of something else to do instead.

I have a suggestion (you know what’s coming, don’t you) and I think it’s a practical one. The Security Printers panel was actually called “the future of banknotes and identity” which I think shows us the way forward… If you can move money from anyone to anyone else, instantly and for free with final settlement in central bank money, and this is provided as a utility service provided by the central bank, then the fraudsters who are plaguing the Faster Payments Service (FPS) in the UK will have a field day.  Perhaps, then, the role for the central bank is to issue the digital currency and run the digital currency payment platform that will (in a fairly short time I would think) replace commercial bank (and all other) payment services. Not so much CBCoin as CBPesa, since it would manage balances not coins. 

However, the central bank doesn’t want to do KYC on millions of people, run mass-market authentication services, perform AML checks, manage black lists and run interfaces with law enforcement and so on. Just like Bitcoin, the central bank accounts would be pseudonymous. The central bank would know that account no. 123456789 belongs to a retail consumer, but not which consumer. It would know that account no. 987654321 belongs to a retailer, but not which retailer. This way the central bank could generate a dashboard of economic activity for the Chancellor to look at when he wakes up, but not routinely monitor what you or I are up to.

It would be the commercial banks that provide the services linking the pseudonymous accounts to the “real” world (and get paid for them). Then your Sterling bank account will just be a pass-through API to a central bank digital currency account (what Marilyne calls the “CBCoin Account”) because my Barclays current account and your Lloyds current account are just skins on the Bank of England UK-PESA platform and the commercial banks can chuck away their legacy payment systems and focus on delivering services that add real value.

Commercial banks will then have an important function as the vaults that look after identity, not money. As I told the panel in Seville, money and identity look like very different topics, but in reality they are the same.
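
The split described above, where the central bank sees only pseudonymous accounts with a coarse category and the commercial banks hold the link to real identities, sketched as an added example that is not code from the original post. The class names, the `bank-a`/`bank-b` sponsors, the customer names and the HMAC-derived account numbers are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict


class CentralBankLedger:
    """Holds balances and a coarse category per account number. No names."""

    CATEGORIES = {"consumer", "retailer"}

    def __init__(self):
        self.accounts = {}             # account number -> category, sponsor, balance
        self.flows = defaultdict(int)  # (payer category, payee category) -> pence

    def register(self, account, category, sponsor):
        if category not in self.CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        if account in self.accounts:
            raise ValueError("account already registered")
        self.accounts[account] = {"category": category, "sponsor": sponsor, "balance": 0}

    def credit(self, account, pence):
        self.accounts[account]["balance"] += pence

    def transfer(self, payer, payee, pence):
        src, dst = self.accounts[payer], self.accounts[payee]
        if pence <= 0 or src["balance"] < pence:
            raise ValueError("invalid amount or insufficient funds")
        src["balance"] -= pence
        dst["balance"] += pence
        # Only the categories are recorded for reporting, never who paid whom.
        self.flows[(src["category"], dst["category"])] += pence

    def dashboard(self):
        """Aggregate activity by category: the economy-wide view."""
        return dict(self.flows)


class CommercialBank:
    """Does the KYC and keeps the pseudonym-to-identity link (hypothetical design)."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret  # never shared with the central bank
        self._kyc = {}         # account number -> legal name

    def open_account(self, ledger, legal_name, category):
        # Keyed hash: without the bank's secret, nobody can recompute an
        # account number from a name, so the ledger cannot be searched by name.
        digest = hmac.new(self._secret, legal_name.encode(), hashlib.sha256).hexdigest()
        account = digest[:16]
        self._kyc[account] = legal_name
        ledger.register(account, category, sponsor=self.name)
        return account

    def resolve(self, account, lawful_request):
        # The law-enforcement interface sits at the bank, not the central bank.
        if not lawful_request:
            raise PermissionError("identity disclosure requires a lawful request")
        return self._kyc[account]


def build_demo():
    """Constructed sample data: one consumer pays one retailer 25.00."""
    ledger = CentralBankLedger()
    bank_a = CommercialBank("bank-a", b"constructed-secret-a")
    bank_b = CommercialBank("bank-b", b"constructed-secret-b")
    alice = bank_a.open_account(ledger, "Alice Example", "consumer")
    shop = bank_b.open_account(ledger, "Example Miniatures Ltd", "retailer")
    ledger.credit(alice, 10_000)
    ledger.transfer(alice, shop, 2_500)
    return ledger, bank_a, bank_b, alice, shop


if __name__ == "__main__":
    ledger, bank_a, _, alice, _ = build_demo()
    print(ledger.dashboard())
    print(bank_a.resolve(alice, lawful_request=True))
```

A compromise of the ledger in this design exposes balances and flows by category but no names; re-identification needs the sponsoring bank's KYC table as well.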

POST Open banking and GDPR

The combination of OAuth 2.0 and OpenID Connect is a good way to balance the demands of open banking and GDPR.

POST China clearing

As was explained to me on a trip to Shanghai in 2017, Alipay built bilateral relationships with individual banks, in effect becoming a clearing centre. Other “third party” systems followed so the Chinese central bank required them to create a single central clearing system. So now there is Unionpay for debit and the “Internet Association” for mobile payments.

Friday, 29 December 2017

Blockchain and Voting | Benlog

"It’s possible we use just simple Merkle trees and hash chains, but we call them Blockchain"

From "Blockchain and Voting | Benlog".

ICOs: The Beauty, the Beast and JFK - CoinDesk

"ICOs need a competent legal framework and until governments allocate resources to modernize outmoded laws, ICO teams will follow the path of least resistance and raise funds in the most friction-free manner possible."

From "ICOs: The Beauty, the Beast and JFK - CoinDesk".

POST Hard BRICS

I was interested to read (albeit in the Russia Today Business News) that an initiative to create a joint digital currency for BRICS countries and the Eurasian Economic Union (EEU) has been proposed by the Central Bank of Russia, according to its First Deputy Governor Olga Skorobogatova. She is reported as saying that “The introduction of a national digital currency seems to us not entirely justified from the point of view of macroeconomics” (presumably because as Russia is still quite cash-intensive the costs might not be justified and the benefits too concentrated). I can see why a cross-border digital currency set up between trading partners would have much wider benefits. This is not a new idea. As I discuss in my recent book "Before Babylon, Beyond Bitcoin", some years ago the then-Chancellor John Major proposed a similar concept as an alternative to the euro. This was labelled the "hard ECU".

Many years ago, dear old John Major proposed an extremely sensible alternative to the euro, which at the time was labelled the hard ECU (and ignored). The hard ECU would have circulated alongside existing national currencies. It would be used by businesses and tourists. It would never exist in physical form but still be legal tender (put to one side what that actually means) in all EU member states. Thus, businesses could keep accounts in hard ECUs and trade them cross-border with minimal transaction costs, tourists could have hard ECU payment cards that they could use through the Union and so on. But each state would continue with its own national currency -- you would still be able to use Sterling notes and coins and Sterling-denominated cheques and cards -- and the cost of replacing them would have been saved.

After writing about this last year, I subsequently discovered that the proposal goes back well into the early days of Margaret Thatcher's government.

(As an aside, it wasn’t John Major’s idea. It had its origin a few years before in a 1983 report of the European Parliament on the European Monetary System, the EMS. The proposal was supported at the time across the political and national groups in the parliament.)

The idea of an electronic currency union to facilitate international trade has new resonance. While Bitcoin captures the media attention, there are a great many possibilities: new community currencies, brand-based plays, commodity baskets and goodness knows what else. All of these make it an exciting time to be in the electronic money business, but they also make it unpredictable, which is why it is fun. As I say in the book, we're not looking at a world in which some kind of new currency takes over, but a world in which a great many communities choose the currencies that are most efficient for themselves. As it happens, one of those communities could be the European Community! Noted political theorist Marine le Pen herself has said that she could see the EU setting up another currency “like the ECU”. I’m sympathetic, obviously, because the idea of restoring the Franc while simultaneously creating a new pan-European currency actually makes sense.

If anything, Ms. le Pen is not being that radical. Why have nation-state control over money? Why not allow regions to have their own currencies? Why not use Normandy Money? Or Islamic e-Dinars? I’m on the same page as “The Futurist Magazine” here. In September 2012, as part of a compilation of pieces about life in 2100, they said it is quite likely that we will still have money in 2100, but it may not be issued by governments any longer. I couldn’t agree more, hence my interest in Madame Deputy First Governor Skorobogatova’s comments.

She is, incidentally, far from alone in wondering about new digital currencies at this level. Christine Lagarde, head of the International Monetary Fund (IMF), gave a talk on “Central Banking and Fintech” in September last year in which she said that digital currencies (of the kind proposed by Madame Deputy First Governor) could actually become more stable than fiat currencies. She says that they could be issued against “a stable basket of currencies” but I would extend that suggestion to a basket of commodities (or, indeed, a mixture of both) or some other “root” with long-term stability.

Thursday, 28 December 2017

China’s central bank tightens security in US$5.5 trillion QR code payment services | South China Morning Post

"As well as the changes to the verification requirements, the new rules, which come into force on April 1, stipulate that all companies providing bar code-based payment services must obtain both an online payment licence and a bank card receipt business licence, and that all cross-bank transactions involving bar codes must be channelled through the PBOC’s or other approved clearing system."

From "China’s central bank tightens security in US$5.5 trillion QR code payment services | South China Morning Post".

Brokering Identity - Part 1 - Noyes Payments Blog

Back in 2014, Tom Noyes (who I always take very seriously on this kind of thing) put it another way. He said...

"Yes it would be completely weird to launch a consumer brand called AppleIdenityBroker.. But ApplePay doesn’t quite capture the #1 retailer challenge: knowing WHO their consumers are"

From "Brokering Identity - Part 1 - Noyes Payments Blog".

Wednesday, 27 December 2017

Zcash: Meet Zooko Wilcox, the Man Building a Better Bitcoin | Fortune

"‘Personally, I think zk-SNARKs are a hugely important, absolutely game-changing technology,’ Buterin tells Fortune. ‘They are the single most under-hyped thing in cryptography right now.’"

From "Zcash: Meet Zooko Wilcox, the Man Building a Better Bitcoin | Fortune".

Dunkirk sort of review

Dunkirk is a good movie. It's not a great movie, but it is a good movie and I didn't resent paying to go and see it on the big screen. It made me think about my grandad (my mum’s dad) a lot.

WO2 (RQMS) Acting WO1 Supt Clerk Walter William Page DCM, Royal Signals

This WO is Superintending Clerk to SO in C. He was sent from Premesques late on 26th May in charge of 10 other ranks to report to an officer at Dunkirk. For various means the rendezvous miscarried and RSM Page tried to reach the Signal office in Dunkirk. Being prevented by burning buildings in this object, he went to the docks in search of an officer. There he found an officer of the Mercantile Marine in command of a supply ship to be unloaded. He collected about 150 men of various arms and departments in the dock area and kept them at work unloading through the 27th under heavy bombing attacks, until an ammunition ship alongside was bombed and set on fire about 2200hrs. He showed resource, initiative and determination to a high degree.

Gazetted 11.7.40

That’s my Grandad, Walter William “Pip” Page. There were around eight million British and Commonwealth soldiers who served in World War II and between them they won 1900 DCMs, so he was part of a pretty select group. It was a medal awarded to non-commissioned officers (NCOs) and other ranks for “distinguished, gallant and good conduct in the field”.

The Distinguished Conduct Medal was instituted by Royal Warrant on 4 December 1854, during the Crimean War, as an award to Warrant Officers, Non-Commissioned Officers and men. For all ranks below commissioned officers, it was the second highest award for gallantry in action after the Victoria Cross, and the other ranks' equivalent of the Distinguished Service Order, which was awarded to commissioned officers for bravery. Prior to the institution of this decoration, there had been no medal awarded by the British government in recognition of individual acts of gallantry in the Army.

When I was a kid, staying at my grandparents’ house for the summer in the 1960s, VE Day was only 20 years back. That’s as far back from now as the death of Princess Diana and I can remember that. It never occurred to me when I was little that my parents and grandparents could actually remember what it was like during an actual war.

While I devoured Victor (my favourite comic at the time) and ploughed through the Commando picture library, I don’t remember being at all mindful that to my grandad (and my dad) these were not distant events but fresh memories. Fresh and pretty horrible memories.

Now that I’m old and realise all of this, I was in two minds about whether to go and see the movie or not, because I didn’t want to be disrespectful to my grandfather’s memory by enjoying the film (if you see what I mean). After all, Dunkirk must have been pretty horrible for the people who were there.

Saturday, 23 December 2017

Take On Payments - Federal Reserve Bank of Atlanta

We need a more robust pipeline of available workers to support the growth in the industry.

[From Take On Payments - Federal Reserve Bank of Atlanta]

Japan Airlines falls victim to email fraud, paying out ¥384 million to Hong Kong accounts | The Japan Times

Japan Airlines Co. said it has been defrauded out of ¥384 million ($3.4 million) after receiving emails earlier this year that called for the payments of lease fees and commissions into bank accounts in Hong Kong.

[From Japan Airlines falls victim to email fraud, paying out ¥384 million to Hong Kong accounts | The Japan Times]

Thursday, 21 December 2017

POST Realistic visions of the next money

"If Estonia succeeds with its plan to create a token for its e-residents to trade in, it could be the monetary glue to hold its ‘digital nation’ together. Electronic payments specialist Dave Birch theorized in his book, Before Babylon, Beyond Bitcoin, that the future of money is one where ‘community is no longer geography,’ and it’s communities who will have the most to gain from issuing their own, customized forms of money."

From "Estonia's planning an ICO for estcoins despite Mario Draghi's warning — Quartz".

It’s very kind of 

Tuesday, 19 December 2017

Casualties of the Cashless Society: Those Who Get Seasonal Tips - The New York Times

“These guys, they don’t tip like they used to, because they don’t have the cash in their pockets like they used to,” said Mark, an elevator operator at an upscale Manhattan co-op, talking about his building’s tenants.

From Casualties of the Cashless Society: Those Who Get Seasonal Tips - The New York Times

Why you can’t cash out pt 1: Why Bitcoin’s “price” is largely fictional | Attack of the 50 Foot Blockchain

"‘Market cap’ is even worse. It’s literally just whatever the last price was, multiplied by the number of tokens in existence. This is a bogus number that’s not actually applicable to anything — it’s not money that was put into the crypto, it’s not a realisable value like a company market cap, it doesn’t affect prices — it’s just an easily-calculated splashy-looking number that looks good in a headline. Trading is so thin in any crypto, even Bitcoin, that you could never realise a fraction of the number. It is literally just marketing."

From "Why you can’t cash out pt 1: Why Bitcoin’s “price” is largely fictional | Attack of the 50 Foot Blockchain".

How do you want banks to protect you from scams?

"Update, 11 December: The Payments Strategy Forum has outlined plans for a new payments system architecture in the UK… The Forum has outlined that customers wishing to make a bank transfer will have to now enter the exact name on the account, as well as the other details."

From "How do you want banks to protect you from scams?".

"The system will be available from December 2018, although it will be voluntary as to whether your bank offers it to you when you make a payment"

From "How do you want banks to protect you from scams?".

Thursday, 14 December 2017

Connected Rental Cars Leak Personal Driver Data - Infosecurity Magazine

Your name and navigation history is valuable personal information. The UK Metropolitan Polices’ 'Digital Control Strategy' identifies infotainment systems in cars, which store this information, as a new forensic opportunity.

From Connected Rental Cars Leak Personal Driver Data - Infosecurity Magazine

Wednesday, 13 December 2017

Food app calls off ICO after SEC declares its tokens are unregistered securities

Munchee, a San Francisco-based company, had told investors that they were buying a “utility” token, because the digital coin could be used within the app to buy goods and services at a later stage.

In a whitepaper, Munchee had also told investors that the token “does not pose a significant risk of implicating federal securities laws.”

But the SEC said that the company led investors to believe that the value of tokens would increase and be traded on secondary markets — thereby classifying them as securities, which must be registered with the regulator.

From Food app calls off ICO after SEC declares its tokens are unregistered securities

Monday, 11 December 2017

Discover announces that it will do away with signatures by April 2018

"Discover has become the latest credit card company to get rid of signatures as a means of verifying a cardholder’s identity… it’s becoming increasingly rare for consumers to actually sign real letters when signing at check-outs"

From "Discover announces that it will do away with signatures by April 2018".

To be honest I think I’ll miss signing for purchases in America.

Bitcoin tells us nothing about the long term

"Technology is changing every industry and it is impossible for me to believe it won’t change our financial system. That’s particularly true because our current system—while stable—is imperfect. Cryptocurrencies can be more secure and more efficient to exchange. They can be inflation-proof and are easier to settle and easier to interoperate. "

From "Start Up: China’s LinkedIn friends, notching Huawei?, gender pay improbability, bitcoin redux, and more | The Overspill: when there's more that I want to say".

"While certainly a disruptive idea, evolving our current financial system to take advantage of cryptocurrencies is not a crazy one."

From "Start Up: China’s LinkedIn friends, notching Huawei?, gender pay improbability, bitcoin redux, and more | The Overspill: when there's more that I want to say".

Sunday, 10 December 2017

POST Banks and digital IDs again*

In CapGemini’s “Top 10 Trends in Retail Banking 2018”, they highlight “banks leveraging digital IDs beyond authentication” as the third most important trend.

Now I suppose to a great many of you this really won’t be any surprise since anybody who thinks about the mechanics of commerce in a connected age must already have come to the conclusion that digital identity is core to the new economy. That’s a superficial and almost trivial point to make, but it masks great complexity because choices that are being made right now about how digital identity is going to work in the future will have a profound impact on the shape and nature of all of society.

Of course, I don’t know what identity is going to look like in the future any more than anybody else does (even if I do flatter myself that I’ve made some reasonably well-informed guesses on the topic) but I do think we ought to apply a kind of precautionary principle here. Since we don’t know how digital identity is going to work, surely we should want it to develop under the auspices of institutions that society can constrain and influence. This is why I’m so convinced that banks should be the institutions to play the leading role as we evolve the tools, techniques and even the etiquette of a reputation economy.

An obvious first step, and one that has been apparent for many years, is to federate bank identity so that it can be used in multiple places. We have many years of experience now and have seen how schemes ranging from bank ID in the Nordics to Aadhar in India (and our own dear gov.verify) have performed in practice so we can make some informed decisions about how digital identity ought to work. We shouldn’t start from the technology, from blockchains and biometrics, and then work backwards to see what the technologists will allow us to have or what corporations will impose given the technological constraints of the day. Right now we should be discussing what society wants from a digital identities and then working out what the best way to implement them might be.

So let’s make a list.

[Figure: 3DID basic colour ID taxonomy]

Let’s start with the basic “three domain identity” (3DID) model to create a straightforward framework for understanding and discussing digital identity. BBVA, for example, use this kind of model to map “real”, virtual and digital identities to identification, authentication and authorisation processes. BBVA describe the domains as follows (I've added my interpretation of what they mean with reference to a standard Public Key Cryptography (PKC) implementation):

  • Identification: definition of the attributes that confirm, beyond any shadow of a doubt, that the user is who they say they are and not someone different pretending to be them. BBVA mean this in terms of Know-Your-Customer (KYC) of course, so what this means is that the private key must be bound to the correct individual.

  • Authentication: verification through credentials that the user is the customer they say they are (username and password, OTP, digital certificates and others). Obviously with PSD2 this means implementing some form of 2FA to comply with the RTS on SCA.

  • Authorization: the financial service providers (TPP) with a license to operate must be given authorization by the customers before they can access their accounts. They need to have proof of consent, which can be obtained through access tokens. I would generalise this point away from banking, as per the CapGemini comments, to talk about tokens for access to a wider range of services than simply bank accounts.

Now, since we are interested in electronic transactions, transactions that take place between virtual identities (that is, identities that exist only in the imagination of computers) we are primarily interested in the Authorisation Domain. I’ll come back to this in a moment, but for now let us assume that the Authentication Domain is essentially a solved problem and we don’t need to come back to it in this discussion. That is, we will assume that banks have strong authentication in place and that they use appropriate standards (eg, FIDO) so that they have device independence. In practical terms, in the world as it is now, this means that I can authenticate my Barclays Digital Identity (that is, I can demonstrate ownership of that private key) using any smartphone.
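To make the three domains concrete in PKC terms, here is an added example (not BBVA's or any bank's code) in Node.js: the bank binds a public key to a customer after KYC, the customer proves ownership of the private key by signing a fresh challenge, and the bank then signs a scoped consent token for a TPP. The function names, the Ed25519 choice and the simple signed-JSON token format are assumptions made for illustration.

```javascript
// Added illustration of the 3DID model; every name below is hypothetical.
const nodeCrypto = require('crypto');

const AUTH_CONTEXT = Buffer.from('3DID-auth-v1:'); // domain separation for signed challenges

function safeVerify(data, publicKey, signature) {
  try { return nodeCrypto.verify(null, data, publicKey, signature); } catch (e) { return false; }
}

function createBank() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { publicKey, privateKey, registry: new Map(), pending: new Map() };
}

// Identification: the key is bound to a customer only once KYC has passed.
function enrolCustomer(bank, customerId, kycPassed, customerPublicKey) {
  if (!kycPassed) throw new Error('KYC incomplete: key not bound');
  bank.registry.set(customerId, customerPublicKey);
}

// Authentication: the bank issues a fresh random challenge...
function issueChallenge(bank, customerId) {
  const nonce = nodeCrypto.randomBytes(32);
  bank.pending.set(customerId, nonce);
  return nonce;
}

// ...the customer's device signs it with the private key that never leaves the device...
function signChallenge(customerPrivateKey, nonce) {
  return nodeCrypto.sign(null, Buffer.concat([AUTH_CONTEXT, nonce]), customerPrivateKey);
}

// ...and the bank checks the signature against the key bound at enrolment.
function verifyChallenge(bank, customerId, signature) {
  const nonce = bank.pending.get(customerId);
  const publicKey = bank.registry.get(customerId);
  bank.pending.delete(customerId); // a challenge is single use, so a replay fails
  if (!nonce || !publicKey) return false;
  return safeVerify(Buffer.concat([AUTH_CONTEXT, nonce]), publicKey, signature);
}

// Authorisation: only an authenticated customer can grant a TPP a scoped, expiring token.
function grantConsent(bank, customerId, signature, tppId, scope, ttlMs, now = Date.now()) {
  if (!verifyChallenge(bank, customerId, signature)) return null;
  const claims = { sub: customerId, tpp: tppId, scope, exp: now + ttlMs };
  const payload = Buffer.from(JSON.stringify(claims));
  const bankSignature = nodeCrypto.sign(null, payload, bank.privateKey);
  return payload.toString('base64') + '.' + bankSignature.toString('base64');
}

// The account-servicing side checks proof of consent before serving a TPP request.
function checkConsentToken(bankPublicKey, token, tppId, neededScope, now = Date.now()) {
  const [payloadB64, sigB64, extra] = String(token).split('.');
  if (!payloadB64 || !sigB64 || extra !== undefined) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(payloadB64, 'base64');
  if (!safeVerify(payload, bankPublicKey, Buffer.from(sigB64, 'base64'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(payload.toString('utf8')); // parsed only after the signature checks out
  if (claims.tpp !== tppId) return { ok: false, reason: 'wrong-tpp' };
  if (now >= claims.exp) return { ok: false, reason: 'expired' };
  if (!claims.scope.includes(neededScope)) return { ok: false, reason: 'out-of-scope' };
  return { ok: true, customerId: claims.sub };
}
```
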

 

* Again.

On Fascism, Identity, Cryptoassets and the Future of Censorship

xxx

"Bloomberg estimates only 1,000 individuals own 40% of available bitcoin, while the majority of bitcoin creation (mining) itself is also a tight-knit oligopoly."

From "On Fascism, Identity, Cryptoassets and the Future of Censorship".

xxx

POST Quantum

I saw a fascinating presentation by Ursula Schilling of Infineon on “Securing the Quantum Computer World” in which she was talking about the need to develop cryptography that will be resistant to attacks from quantum computers. It’s a live topic, because if the figures she presented are approximately correct and there will be quantum computers capable of making practical attacks on RSA/ECC within 15-20 years, that means that information currently being secured using asymmetric cryptography (eg, Bitcoin) is essentially being put into the public domain!

Saturday, 9 December 2017

How to Price Hard Forks – Jill Carlson – Medium

xxx

"‘To explain that, one needs investors who are (in our specific case) irrational, woefully uninformed, or endowed with very strange preferences.’"

From "How to Price Hard Forks – Jill Carlson – Medium".

xxx

Data, oil, pipes

I was amazed to hear at Vendorcom that 30% of the population's income doesn't get reconciled at HMRC and DWP for reasons such as they only handle RTI from BACS and lots of people use faster payments.

Now I understand! Having recently had occasion to send money to HMRC, I was very surprised to receive a threatening letter from them a month or so later. I can't remember exactly what it said, but it was something along the lines of "we've given up on chasing Google and Richard Branson, so if you don't send us a tenner the boys are coming round to sort you out". Shocked, I logged on to my HMRC business account to see that it said that a) I owed them the tenner and b) I'd sent them a tenner that was sitting there "unallocated". I phoned up and the nice woman up North somewhere said that she would "allocate" the tenner to the money I owed them and it was all good. Afterwards, I did wonder why they thought I'd sent them a tenner (ie, was it for no reason, as they seem to have assumed, or was it in payment for the tenner I owed them).

Thursday, 7 December 2017

Will you let a stranger look deep into your bank account?

xxx

People may baulk at sharing access to personal data yet millions are happily using online banking and enjoying the functionality of their bank’s online app. Millions more are content to share all kinds of personal data with Google and Facebook, which already offers debit card-linked payments in the UK via its Messenger app.

From Will you let a stranger look deep into your bank account?

xxx

Tuesday, 5 December 2017

Cranking it up

Felix Martin, writing in the Daily Telegraph (5th December 2017) says that "We will end by thanking the monetary cranks for inducing some policy sanity – and making our national financial systems fit for purpose once again", meaning (if I understand him correctly) that while bitcoin may not in the long run prove to be a viable alternative to the existing fiat currency infrastructure, it will stimulate the development of things that are and thus make money more suited to the new economy.

The Father of the ICO Is All About Identity Now - CoinDesk

xxx

ERC-725 specifically defines and standardizes the actions all identity implementations need to take, such as adding claims to the smart contract and the mechanism for obtaining those claims later.

From The Father of the ICO Is All About Identity Now - CoinDesk

xxx

Monday, 4 December 2017

Venezuela will start its own digital currency to beat sanctions

xxx

The "petro" will be backed by Venezuela's key natural resources (diamonds, gas, gold and oil) and, in theory, will help it get around the "financial blockade" imposed by the US and other nations.

From Venezuela will start its own digital currency to beat sanctions

xxx

Saturday, 2 December 2017

UK banks prepare to share customer data in radical shake-up

xxx

But there is a risk for banks that customers move away from their own apps or online services, weakening their relationship and thwarting their ability to cross-sell. It could leave banks as the plumbing behind the scenes, used to facilitate the movement of money.

From UK banks prepare to share customer data in radical shake-up

xxx

San Francisco Rail System Hacker Hacked — Krebs on Security

xxx

truthfully answering secret questions is a surefire way to get your online account hacked

From San Francisco Rail System Hacker Hacked — Krebs on Security

xxx

Design of new Hong Kong smart identity card revealed | South China Morning Post

xxx

Why Hong Kong has Mao to thank for ID cards

From Design of new Hong Kong smart identity card revealed | South China Morning Post

Well, we can’t testify to any input from Mao, but we certainly can testify to the great job that Consult Hyperion did helping to design this, the world’s first smart national identity card, all those years ago!

Amazon Pay Comes To Alexa Skills | PYMNTS.com

xxx

Amazon Pay is coming soon to apps developed for Amazon’s Alexa by third-party developers… A developer preview made available yesterday also indicated that Alexa’s Amazon Pay-powered skills will expanded more dramatically in 2018.

From Amazon Pay Comes To Alexa Skills | PYMNTS.com

xxx

San Francisco Rail System Hacker Hacked — Krebs on Security

xxx

On Nov. 20, hacked emails show that he successfully extorted 63 bitcoins (~$45,000) from a U.S.-based manufacturing firm.

From San Francisco Rail System Hacker Hacked — Krebs on Security

xxx

Tuesday, 28 November 2017

POST 2FA SMS

Thanks to Richard van Arnholt for pointing out to me that

NIST now states that if authentication is used via sms (out-of-band), ‘the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device. […] Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.’

xxx

Monday, 27 November 2017

Blockchain: the future of the passport? | Reform

xxx

Blockchain could become the future of the passport. It is a transparent and tamper-proof ledger, which can be used to verify a person’s identity.

From Blockchain: the future of the passport? | Reform

This sounds like typical magical thinking, but if you look at the diagram in their report, what it actually shows is something not entirely crazy. The idea would be to have some form of government shared ledger (let’s call it the UKLedger) that is validated by a number of public bodies.

Consumers Want Tech Firms to Take On the Banks - Bloomberg

xxx

Instead, du Toit predicts, banks will partner with Amazon and others. Lenders would manufacture financial products, and tech giants would serve as distribution and servicing channels. In other words, what Amazon already does with consumer goods.

Yet because distribution accounts for two-thirds of banking profits, according to a McKinsey & Co. report, banks may not love being relegated to mere factories for mortgages and credit cards.

And because Amazon wouldn’t have to pay to lure customers -- it already has millions of them -- it could afford to set up digital accounts without “all the nuisance fees and relatively high minimum balances” that lenders impose

From Consumers Want Tech Firms to Take On the Banks - Bloomberg

xxx

POST Well, yes, banks are technology companies

The “meme” that banks are, essentially, a special kind of technology company (special because they are granted special privileges that other companies do not have, such as the ability to create money) is common.

Here's what Christian Edelmann and Patrick Hunt said in the Harvard Business Review: "Technology specialists will play a greater role in allocating investments, working alongside senior management from a more traditional background". From my early experiences as an advisor to boards, I can see the dynamics at work here. To pick an obvious topic, some financial organisations' early response to open banking was to see Application Programming Interfaces (APIs) as something to do with technology and therefore not strategic. This left them on the back as

 

xxx

Instead, du Toit predicts, banks will partner with Amazon and others. Lenders would manufacture financial products, and tech giants would serve as distribution and servicing channels. In other words, what Amazon already does with consumer goods.

Yet because distribution accounts for two-thirds of banking profits, according to a McKinsey & Co. report, banks may not love being relegated to mere factories for mortgages and credit cards.

From Consumers Want Tech Firms to Take On the Banks - Bloomberg

xxx

xxx

And because Amazon wouldn’t have to pay to lure customers -- it already has millions of them -- it could afford to set up digital accounts without “all the nuisance fees and relatively high minimum balances” that lenders impose

From Consumers Want Tech Firms to Take On the Banks - Bloomberg

xxx

Facebook rolls out AI to detect suicidal posts before they’re reported | TechCrunch

xxx

Facebook’s new “proactive detection” artificial intelligence technology will scan all posts for patterns of suicidal thoughts, and when necessary send mental health resources to the user at risk or their friends, or contact local first-responders.

From Facebook rolls out AI to detect suicidal posts before they’re reported | TechCrunch

This is admirable, of course. No-one would say otherwise. But it must be transparently obvious that the same technology could detect all sorts of other patterns as well.

Banks need to swipe their 'social media' cards to pay up for Person...

xxx

The advancements made in social media analytics empower deciphering social media data to forecast impending life events… The ability to discern such events in advance can certainly help retail banks in targeting customers – current and future, with personalized products and offerings that are most relevant to them.

From Banks need to swipe their 'social media' cards to pay up for Person...

xxx

Number of young people acting as 'money mules' doubles - BBC News

xxx

The number of young people caught acting as "money mules" has doubled in the past four years, according to the UK's fraud prevention service, Cifas

From Number of young people acting as 'money mules' doubles - BBC News

xxx

Friday, 24 November 2017

China Reports Breaking Up Gang That Moved $3 Billion Abroad - Bloomberg

xxx

The group in Shaoguan is accused of moving money illegally using 148 bank accounts opened in 20 provinces with stolen identity cards, according to Xinhua.

From China Reports Breaking Up Gang That Moved $3 Billion Abroad - Bloomberg

xxx

Sunday, 19 November 2017

POST It's going to get worse before it gets better

Identity fraud is absolutely out of control in the UK and there is, so far as I can see, no prospect of any form of infrastructure coming into place to deal with the problem. Whether we look at scammers going through Facebook to perpetrate dating fraud or going through LinkedIn to perpetrate invoice fraud or going through the Land Registry to perpetrate property fraud or going through Companies House to perpetrate corporate fraud, we can draw only one conclusion: identity is broken. Until we fix identity, we can’t attack fraud. And since it’s going to take a while to fix identity, even if we start now, that means that fraud is going to carry on getting worse. Don’t believe me? Then listen to a bank:

[Barclays] is predicting that online festive fraud will be at its highest ever levels in December 2017 and could cost shoppers more than £1.3bn.

From Barclays warns of unprecedented online fraud this Christmas

Well, here’s wishing you a Happy New Year! The truth is that we are under attack. It isn’t script kiddies and casual card counterfeiters any more, it’s organised crime. The Callcredit Annual Fraud & Risk Report surveyed over a hundred fraud professionals and found that more than three-quarters of them rated organised cybercrime as the biggest fraud threat to their organisations in the coming year. Given that current projections are that the damage from cybercrime will double from $3 trillion last year to $6 trillion in 2021, their fears are well-founded. I don’t need to labour the point: in the long term someone will fix the identity problem but in the short term we will continue to lose vast amounts to identity fraud.

Yet when those same fraud professionals were asked what their priorities were for the coming year, nearly nine in ten put regulatory compliance at the top of their list. At a time when organisations need to invest in defending themselves by using new types of dynamic data in combination with “traditional” identity verification and strong authentication techniques, the spend is going on compliance (which clearly isn’t working: if it was, identity fraud wouldn’t be out of control). Surely the ROI on bringing in new and actionable data is such that it deserves a separate line in the budget? After all, the investment should be measured against the fraud in a couple of years’ time, not the fraud of a couple of years ago.

Why do I focus on data in this way? The answer is that if there is any light at the end of the tunnel right now, it’s coming from the world of Artificial Intelligence (AI). If we look at what kinds of AI are being deployed in the banking sector and what they are being used for, we see that machine learning tops the list of technologies and fraud detection and prevention tops the list of applications. Companies will be able to use new forms of varied and dynamic data for fraud prevention precisely because it will be AI consuming that data and making effective use of the wider range of inputs. As more accomplished bankers than me have noted, the battleground for banks is data, and this is one of the key reasons why. Without data, you can’t do decent risk management and if you can’t do decent risk management… then why have the bank in the loop?

 

Tuesday, 14 November 2017

Central banks should embrace digital currencies, Axel Weber says

xxx

Less clear cut, however, are likely to be arguments over digital currencies issued by central banks. Like cash, which they could eventually replace — but unlike bitcoin — they would be backed by monetary authorities, so they would also act as a store of value as well as widely accepted means of payment.

From Central banks should embrace digital currencies, Axel Weber says

xxx

Sunday, 12 November 2017

net.wars: Regulatory disruption

xxx

The financial revolution due to hit Britain in mid-January has had surprisingly little publicity and has little to do with the money-related things making news headlines over the last few years. In other words, it's not a new technology, not even a cryptocurrency. Instead, this revolution is regulatory: banks will be required to open up access to their accounts to third parties.

From net.wars: Regulatory disruption

xxx

Tuesday, 7 November 2017

Apple plans to share some iPhone X Face ID data. Uh oh.

xxx

Police can’t force you to turn over your passcode, but they can, theoretically, force you to unlock the phone with your face.

From Apple plans to share some iPhone X Face ID data. Uh oh.

xxx

Flaw crippling millions of crypto keys is worse than first disclosed | Ars Technica

xxx

On Friday, Estonia's Police and Border Guard suspended an estimated 760,000 ID cards known to be affected by the crypto vulnerability.

From Flaw crippling millions of crypto keys is worse than first disclosed | Ars Technica

xxx

xxx

The country is now issuing cards that use elliptic curve cryptography instead of the vulnerable RSA keys, which are generated by a code library developed and sold by German chipmaker Infineon.

From Flaw crippling millions of crypto keys is worse than first disclosed | Ars Technica

xxx

Monday, 6 November 2017

Shanghai shops refusing cash are illegal: authority - Global Times

xxx

Reporters found that, in Shanghai, some shops even ask consumers to apply for a membership card if consumers want to use cash, and others hang "no cash" signs on their doors, Laodong Daily reported Thursday.

From Shanghai shops refusing cash are illegal: authority - Global Times

xxx

NFC drivers | Consult Hyperion

xxx

modesty forbids me from noting Consult Hyperion’s role in the project, so I’ll let Finextra do it instead

From NFC drivers | Consult Hyperion

xxx

Authoritarian Cryptocurrencies Are Coming - Bloomberg

xxx

To those who believe bitcoin's main innovation is the exclusion of a central authority -- a peer-to-peer system in which transactions are validated by "miners" -- the interest of China and Russia is baffling. But those governments aren't looking to give up control to the blockchain. On the contrary, they are trying to figure out how to lower the cost for a centralized issuer to control everything that's going on in the financial system. 

From Authoritarian Cryptocurrencies Are Coming - Bloomberg

xxx

RBC CEO Dave McKay: Battleground for banks is data - Article - BNN

xxx

Royal Bank of Canada's chief executive says data is the battleground for banks that will determine the future success of financial institutions.

From RBC CEO Dave McKay: Battleground for banks is data - Article - BNN

xxx

Nationwide customers 'bank cards suddenly stopped working' after technical glitch

xxx

FURIOUS Nationwide customers had their payments declined and were locked out of their accounts when the bank's system went down yesterday.

From Nationwide customers 'bank cards suddenly stopped working' after technical glitch

The system went down. But what if there was no system to go down? Imagine that each ATM is a node in a shared ledger. Suppose a bank has a million customers, and each customer’s transaction record is 1Kb. A balance, last few transactions, that sort of thing. No need to store the whole transaction history in the ledger. That’s 1Gb. Maybe 10Gb for all of the bank customers in the UK. I have a flash drive in my bag with 128Gb on it and it cost like $50. Now, when someone draws money from an ATM the ledger is updated over a few minutes at all of the other ATMs (remember, ATMs are doing nothing most of the time). If an ATM goes down, so what? Just go to another one. When an ATM comes back, the ledger will update.

Sunday, 5 November 2017

POST Blockchain, disease and

xxx

While individual organizations in the public health network share the same overall mission, a complex mishmash of data usage agreements and government privacy rules dictate which members can access information and which ones can modify it.

From Why the CDC Wants in on Blockchain - MIT Technology Review

A blockchain, I guarantee, won’t make any difference to this. Those privacy rules don’t depend on whether you store the data in a spreadsheet or a database and they don’t depend on whether the data is in a shared ledger of some form either.

How should identities, not only patient IDs but also the IDs of public health organizations, be managed on the blockchain?

From Why the CDC Wants in on Blockchain - MIT Technology Review

If Open Banking is a success, then banks are going to fail. One viable picture of the future is of a few giant megabanks sitting in the background, like PG&E or British Gas, while other banks go to the wall and consumers obtain their financial services from Amazon and Facebook.

One Year After Rollout, Banks Are Bullish on Zelle | Bank Innovation | Bank Innovation

xxx

The banks’ response to the growth of the Zelle network follows positive statistics from the service itself, which reported 100 million transactions in September 2017 totaling $33.6 billion.

From One Year After Rollout, Banks Are Bullish on Zelle | Bank Innovation | Bank Innovation

xxx

Saturday, 4 November 2017

POST Bitcoin and crime on a street corner near you

According to the Daily Mail, the police have seen an "explosion in the use of digital currency by criminals who are strolling into cafes, newsagents and corner shops to dump their ill-gotten gains in virtual currency ATMs". Well, let’s hope so because Bitcoin isn’t fungible (unlike the £50 notes so helpfully provided to the criminal fraternity by the - yes, couldn’t make this up - Bank of England) which means that the money can be traced from wallet to wallet so that should make it easier for these detectives to get a handle on where the ill-gotten gains are heading.

While I remain concerned about the rise of Bitcoin for reasons of consumer protection, I am much less concerned about its use in crime. First of all, if the demand for Bitcoin were about crime (and not speculation) it would actually be worth far less than it is today. There just isn’t enough crime. Calculations based on the use of Bitcoin in this sector of the economy put its value at something like one-twentieth of the current price. Now, I think these kinds of calculations are highly spurious, for two main reasons. First of all, I have yet to see any evidence that criminals are adopting Bitcoin at scale. And the reason for this is obvious: it’s not anonymous enough. Wallet addresses are pseudonyms, and once any of these pseudonyms has been linked to a mundane identity in any way, the identities can be connected, monitored, tracked and traced. This is why ransomware rogues convert their Bitcoins out into something more suited to the less-regulated corners of the economy. The people behind the famous “WannaCry”, which hit more than 300,000 computers in over 150 countries, took their rewards and converted them into Monero, a privacy-focused cryptocurrency that has seen some growth in its popularity over the last year or so.

The second reason why I think such calculations are spurious is that they are often based on the value of the global market in illegal drugs. Now, while no-one can be sure of the exact size, this is undoubtedly a vast market. But it is a market that is conducted almost entirely in cash. Were these transactions to be converted to digital money, the sums involved are so vast that it would be almost impossible to create an AI machine-learning transaction monitoring service that would ignore them.

POST Mystic Dave on the blockchain use case that may actually make sense

When I was kindly invited to be part of the panel at Scotchain 17 in Edinburgh, I have to say I did not anticipate such a big, interesting and stimulating event. So, once again, well done to all of those involved. 

Now, the panel session was recorded, so you can relax and enjoy it here, but I just want to pick up on one particularly interesting point that came up. During the panel, we were asked where blockchain might gain traction in a mass market. I said that I was sceptical about financial services being the first, for two reasons: most “blockchain” efforts I have seen involve shoehorning some form of shared ledger solution into the shape created by an existing (optimised) system and second because it is, thankfully, a heavily regulated sector and therefore marketplace participants will be naturally wary about betting the house on a radical new technology. Instead, I chose e-sports on the basis that it is a big business where the trading of virtual assets is core to the attraction. I wonder if that sounded a little outlandish to the audience. I hope not, because now I read that…

Now, there’s a whole new type of sports memorabilia about to become available – in-game assets won by elite esports athletes. One company is paving the way for what could be an incredibly lucrative in-game esports memorabilia marketplace – and it has investors both inside and outside the gaming industry paying close attention.

From The esports memorabilia scene is big -- and blockchain may make it huge | VentureBeat

xxx

The system will utilize smart contracts and blockchain technology to provide a unique signature and history of any virtual item in-game item earned. For example, when elite esports athlete Michael “Flamesword” Chavez earns a flaming sword of mega-death in his latest league battle, that item will have the ability to become a valuable – and easily tradable – asset. In other words, you could be using the unique item your favorite player had equipped in their biggest matches.

From The esports memorabilia scene is big -- and blockchain may make it huge | VentureBeat

IS_A_PERSON and IS_A_LEGAL_PERSON

xxx

Alt-right blogger Jenna Abrams (@Jenn_Abrams) enjoyed a large following in Twitter, and her tweets were cited by Buzzfeed, the NY Times, and other news agencies. It turned out "she" was another creation of the Internet Research Agency, the Russian government-funded troll farm in St. Petersburg.

From An alt-right Tweeter with 80k followers is a fictional entity created by Russian troll farm / Boing Boing

xxx

Thursday, 2 November 2017

The evolution of gift card fraud » PaymentEye

xxx

Criminals are exploiting the gift card loophole to commit financial fraud for a myriad of reasons, including money laundering, and as a way of moving illicit funds by drug cartels and terrorists.

From The evolution of gift card fraud » PaymentEye

xxx

Wednesday, 1 November 2017

One in five ATMs set to close over next four years

xxx

One in five cash points will disappear from Britain's high streets within four years, according to the ATM industry body. 

From One in five ATMs set to close over next four years

xxx

Monday, 23 October 2017

Identity in the UK is a gas

From time to time, when making presentations about identity and related topics, I have to stop to explain to baffled foreigners that the United Kingdom has no national identification scheme or identity card or any other such symbol of continental tyranny, so our gold standard identity document is the gas bill. I understand that these are notoriously difficult to forge and that the skilled artisans behind the North Korean $100 bill “supernote” threw down their tools in frustration when faced with the multiple layers of security that are part of the British Gas quarterly statement for residential users. Hence our gas bill is a uniquely trusted document, and the obvious choice of platform for anyone concerned about fraud.

(By the way, if for some reason you do not have a gas bill to attest to your suitability for some purpose or other, you can buy one here for theatrical or novelty use only.)

No wonder identity fraud is an epidemic in the UK. Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as I’ve been saying for some time, the UK has only gaps and no actual infrastructure. I am very sorry to say it, but our system based on the gold standard of gas bills is no longer fit for purpose.

Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To's mailbox.

From Stockport identity fraud victim's £500k home put on market - BBC News

"Having forged his signature, they then transferred the deeds to his house into Ghani's name". Yes, I know I know, I'm sure the blockchain will put a stop to this, but in the meantime... should a homeowner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from gas bills and forging your signature, shouldn’t you be within your rights to expect the powers-that-be to do something?

But what?

Well, for a start, we can stop using sort codes and account numbers and choose more meaningful identifiers when it comes to money. You shouldn’t be sending money to me at XX-XX-XX 99999999, you should be sending it to @dgwbirch. I defy anybody to carry around the six digit sort code and nine digit account number of their correspondents in their heads or to be able to spot their solicitor's real payment details from some fake payee details when reading an email. If you are expecting to send money to $dgwbirch (please go ahead, by the way, as it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail asking you to switch from sort code 12-34-56 to 34-56-78 it’s less obviously a fraud.

And which actual payment account I choose to associate with that identifier should be up to me: it’s none of your business whether I’m with Barclays, Amazon or my brother-in-law. Personal information should be kept out of transactions where it is not needed. You send the money to @dgwbirch and that’s it.

(In fact, it’s not at all obvious to me that you should know my “real” name at all, since that’s just an invitation to identity theft.)

xxx

Lloyds, which took eight hours to make the payment, did not carry out any checks to ensure the name of the firm to which the payment was to be made matched the account numbers,

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

Neither Lloyds nor any other bank does this. That’s just how the system works: the account name is an attribute, not an identifier.

The UK’s new payment architecture includes a directory service to map a variety of identifiers to bank accounts.

Chinese Government rolls out trust ratings to combat corruption | World Finance

xxx

According to research published in the Journal of the European Economic Association, the level of trust in cultures today can be informed by events that occurred hundreds of years ago. The research shows that Italian states that became free cities in the Middle Ages – a process that required mass cooperation – exhibit higher levels of trust today than those that didn’t.

From Chinese Government rolls out trust ratings to combat corruption | World Finance

xxx


The Chinese Government’s new tool to generate trust is known as ‘social credit’, and is currently in the process of being rolled out. The plan is to generate a score for every citizen based on how trustworthy they are. The system will aim to instil trust by combining carrot and stick: those with a good score will reap rewards, while a bad score will lead to punishments, such as public blacklisting and restrictions.

From Chinese Government rolls out trust ratings to combat corruption | World Finance

Now, in one way, this is a back to the future thing. When we all lived in clans and roamed the savannah, the social credit score of each and every one of us was stored in the “shared ledger” of the memories of the clan members.

Sunday, 22 October 2017

‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

xxx

the regulations that govern this area. These state that a bank has to “have made clear to their customer how a Chaps payment will be processed” and that the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

xxx


POST Payments are not the problem, identity is

There's a huge amount of payment fraud going on in the UK at the moment. The fraudsters intercept legitimate requests to transfer money from one account to another (often from solicitors in relation to house purchases but also from tradespersons such as builders) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will monitor e-mails coming from a solicitor and when that solicitor sends an email to a customer asking for money (e.g., for a house purchase), the fraudsters replace the solicitor's legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow. In the first half of this year there were about 20,000 such frauds with some £100m lost (and only £25m subsequently recovered). This is the second largest category of payment fraud behind card fraud (which is about six times larger) because the numbers are low but the average values involved are high.

Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I go ahead and transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase. As Hannah Nixon, head of the UK’s Payment Systems Regulator (PSR), put it toward the end of last year, “tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams”. Indeed they have. And, in fact, still are.

An Essex couple have lost £120,000 after sending the money to what they thought was their solicitor’s bank account, but which instead went to an account in Kent that was systematically emptied of £20,000 in cash every day for the next six days.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This isn’t a payments problem, it’s an identity problem. So just whose fault is it when someone gets scammed in a sector with no effective identity infrastructure? The couple at the centre of this story sent the money via the Clearing House Automated Payments System (CHAPS) and the CHAPS regulations are unequivocal.

the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

I’m sure the couple have an e-mail or a piece of paper pointing this out, but it clearly didn’t help. As I wrote earlier in the year, fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure.

Meanwhile, the security or otherwise of Steed & Steed’s email system is also likely to be investigated. In December 2016, regulatory body the Solicitors Regulation Authority warned that email hacks of conveyancing transactions had become the most common cybercrime in the legal sector.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This reinforces my theory that solicitors who use e-mail to send important information to customers are, essentially, negligent. They should be using WhatsApp or Signal for this sort of thing. If it was the solicitor’s e-mail server that got hacked, then they should be responsible for compensating the customers, shouldn’t they? If I tell my bank to send £10,000 to the Nat West in Barnsley by mistake - whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever - and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If a scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC), isn’t it?

Anyway, my reason for going over this old ground again is that the PSR response to the “super complaint” about this type of fraud came up in discussion at the Payment Strategy Forum. In addition to education, guidelines and that sort of thing, they were talking about three substantial initiatives to do something about what they called Authorised Push Payment (APP) fraud, but that I call Authorised Credit Transfer (ACT) fraud because I think “app” is a confusing sobriquet. These are:

  • KYC Sharing, to try to prevent fraudsters from opening accounts. The PSF's earlier consultation document on the "Blueprint for the Future of UK Payments" includes a detailed discussion of this issue and also highlighted one of my pet peeves, which is the "poor customer experience for good actors". In other words, the UK’s stringent and expensive KYC procedures don’t stop criminals from opening accounts but do massively inconvenience honest working folk, your author included. The PSR has handed the baton over to the trade association on this one, so we’ll have to wait and see what they come up with.

    The Forum handed over to UK Finance the development of best practice guidelines for PSPs when verifying a user’s identity. The guidelines will also cover how identity verification is managed across different types of payments.

    My guess is what they won’t come up with is a comprehensive and cost-effective solution using some sort of “financial services passport”, much discussed here and elsewhere. (I was part of the techUK working group on this three years ago.)

  • Payee Confirmation, to try to prevent malicious redirection scams by matching the name as well as the sort code and account number. So the idea here is that when you set up David G.W. Birch as a payee, the destination bank will match the name against the name of the destination account (which is what they don’t currently do) and will reject the payment if they do not correspond. I have mixed feelings about this, because I would rather just scrap the use of sort codes and account numbers and use the directory services in the new National Payments Architecture (NPA) to replace them with e-mail addresses, mobile phone numbers or (my preferred solution) “paynames”. Instead of typing in meaningless numbers, you would just tell your bank to send the money to £dgwbirch or accounts@dgwbirch.com or whatever.

  • Contingent Reimbursement (this is what got the media attention) which would require PSPs to reimburse victims when they could not have reasonably prevented an ACT scam but either the customer's PSP or the destination PSP "has not met the required standards". The consultation notes that "there was very limited support from PSPs for a full chargeback-like process" (apart from anything else, this would cost a fair amount to run) so you can see why it's important to find an alternative. The proposed solution rather hinges on whether the victims of fraud took the "appropriate" level of care. For me, this would be sending a quid and checking it went to the right place before I send the other £499,999 of the house purchase.
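The Payee Confirmation check from the list above, applied to the redirection scenario (an e-mail asking the payer to switch from sort code 12-34-56 to 34-56-78), as an added example that is not code from the original post or from any bank or payment scheme. The account register, the noise-word list, the 0.8 threshold and the CLOSE_MATCH outcome are assumptions of this example; the post itself only describes matching or rejecting.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed register at the destination bank:
# (sort code, account number) -> name the account is held under.
ACCOUNTS = {
    ("12-34-56", "99999999"): "Example Conveyancing LLP",  # the real payee
    ("34-56-78", "11111111"): "J Smith",                   # account named in the fake e-mail
    ("20-00-00", "22222222"): "David G.W. Birch",
}

# Words that carry no identity information for matching (assumed list).
NOISE = {"mr", "mrs", "ms", "dr", "ltd", "limited", "llp", "plc"}
CLOSE_THRESHOLD = 0.8  # assumed cut-off for a "close match"


def normalise(name):
    """Canonical form of a name: accents, case, punctuation, titles and word order removed."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    text = re.sub(r"[^a-z0-9\s]", "", text.replace("&", " and "))  # "G.W." -> "gw"
    return " ".join(sorted(t for t in text.split() if t not in NOISE))


def confirm_payee(sort_code, account_number, claimed_name, accounts=ACCOUNTS):
    """Compare the name the payer typed with the name on the destination account.

    Returns (outcome, score). The held name itself is never returned, so a
    failed check does not disclose who owns the account.
    """
    held_name = accounts.get((sort_code, account_number))
    if held_name is None:
        return "NO_ACCOUNT", 0.0
    claimed, held = normalise(claimed_name), normalise(held_name)
    if not claimed:
        return "NO_MATCH", 0.0
    if claimed == held:
        return "MATCH", 1.0
    score = round(SequenceMatcher(None, claimed, held).ratio(), 2)
    return ("CLOSE_MATCH" if score >= CLOSE_THRESHOLD else "NO_MATCH"), score


def may_send(outcome):
    """Policy from the text: reject the payment unless name and account correspond."""
    return outcome == "MATCH"


if __name__ == "__main__":
    payee = "Example Conveyancing LLP"
    # Details the payer already holds, then the details from the intercepted e-mail.
    for sort_code, account in (("12-34-56", "99999999"), ("34-56-78", "11111111")):
        outcome, score = confirm_payee(sort_code, account, payee)
        print(sort_code, account, outcome, score, "send" if may_send(outcome) else "stop")
```

A CLOSE_MATCH (for example "David Birch" against an account held as "David G.W. Birch") is treated here as a prompt for the payer to re-check the details rather than as permission to send.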

xxx

7 Thoughts On Blockchain, Cryptocurrency & Decentralization After Another Three Months Down The…

xxx

"While most of the ICOs to date have been Utility Tokens, because of the massive advantages that Security Tokens have over traditional capital raising, I think the total market cap of all security tokens will be much larger than the total market cap of all utility tokens."

From "7 Thoughts On Blockchain, Cryptocurrency & Decentralization After Another Three Months Down The…".

xxx

Wednesday, 18 October 2017

POST Risk

xxx

NEW YORK, NY--(Marketwired - May 03, 2016) - SmartMetric, Inc. (OTCQB: SMME) -- According to a research report conducted by the research organization The Nilson Report, for 2015 through 2020, card fraud worldwide is expected to total $183.29 billion. In 2020, global card fraud is projected to exceed $35.54 billion. Fraud, grew by 19%, and outpaced volume, which grew by 15%. Fraud losses by banks and merchants on all cards issued worldwide reached $16.31 billion in 2014 when global card volume for the same period totaled $28.844 trillion.

From Annual Global Card Fraud to More Than Double Reaching Over $35 Billion in Four Years

My general sense of the industry, without giving away anyone’s figures, is that not only is fraud growing faster than volume, but that merchants are annoyed because declines are growing faster than fraud. We need a sea change in tackling fraud and I think there are two parts to this: changing the security vs. convenience model at the front end and changing the transaction validations model at the back end.

POST Open banking, breaking banks and

As the former governor of the Bank of England, Mervyn King, has eloquently pointed out, banks are institutions that pre-date modern capitalism and “owe much to the technologies of an earlier age” (The End of Alchemy, 2016). There is no reason to expect them to continue in this form under the technological, regulatory, social and business pressures for change that are about to overwhelm them. If that sounds like waffle futurism that does not need to be taken seriously, you could not be more wrong. In the UK, those changes are going to begin in January when the world of “open banking” is created by the implementation of the Competition and Markets Authority (CMA) “remedies”. That is, the nine largest banks are compelled to provide Application Programming Interfaces (APIs) for third-party applications to access bank accounts, a milestone in a long journey to bring a revolutionary degree of competition to the sector.

This is all rooted in the frustration of regulators who want to see more competition. They tried forcing the banks to spend a billion or so quid on an account switching service and that didn’t work, so they decided that they had to look to more radical solutions.

The CMA reports a study by one of the very few new entrants, Tesco Bank, which found that a clear majority of account holders agreed with the statement “I cannot be bothered to switch accounts as I do not believe I would get better service/value for money elsewhere”.

[From John Kay - Competition in banking does not necessarily benefit consumers]

In the UK, the regulators’ determination to change this situation means that we are about to see major disruption in the space. I called this before a “crossing of the streams” (in a homage to Ghostbusters!) because there are three different initiatives coming together.

The first stream is the PSD2 provisions for access to payment accounts. As you may recall, these include a set of proposals that are due to come into force in 2018. A group of those proposals are what we in the business call “XS2A”, the proposals which force banks to open up to permit the initiation of credit transfer (“push payments”) and account information queries. Even at a pure compliance level these PSD2 regulations pose significant questions for the structure of the existing payments industry. While PSD2 does not mandate APIs (I think - it’s all gotten a bit complicated but as far as I know the screen-scrapers have fought a decent rearguard action) an open banking API is the obvious way to implement the PSD2 provisions.

The second stream is Her Majesty’s Treasury’s push for more competition in retail banking. This led to the creation of the Open Banking Working Group (OBWG), which published its report in 2016. It set out a four-part framework, comprising:

  • A data model (so that everyone knows what "account", "amount", "account holder" etc. mean);
  • An API standard;
  • A security standard;
  • A governance model.

The third stream is the CMA report that triggered the remedies mentioned above. This envisages APIs to improve competition in retail banking by focusing on the use of APIs to obtain access to personal data that can be shared with third-parties to obtain better, more cost-effective services.  These streams are coming together to create an environment of what is now called Open Banking. And it’s a big deal.

Open Banking makes it possible to pay with lightning speed directly from a bank account – in effect, creating an Amazon “One Click” for the entire internet.

From To change how you use money, Open Banking must break banks | WIRED UK

I think the use of Amazon in this example is far more disruptive than the author may have intended. Amazon Payments is, in my opinion, precisely the kind of business that will benefit from open banking. It won’t be fintech startups who eviscerate the existing payments industry, it will be the heavy hitters who are able to gain access to the bank account and merge that ability with their colossal resources and gigantic data reservoirs to create a new customer experience. Indeed, in that Wired article, Rowland Manthorpe says plainly that open banking is a new way of dealing with the twenty-first century’s most sought-after resource, personal data. This point was recently echoed by Dave McKay, the CEO of RBC, who said “data is the battleground for banks that will determine the future success of financial institutions”.

All of which reinforces my opinion that banks need to get into the business of identity, reputation and trust pretty quickly.

Tuesday, 17 October 2017

In a Cashless World, You'd Better Pray the Power Never Goes Out - Slashdot

Puerto Rico

"Cash only," said Abraham Lebron, the store manager standing guard at Supermax, a supermarket in San Juan's Plaza de las Armas. He was in a well-policed area, but admitted feeling like a sitting duck with so many bills on hand. "The system is down, so we can't process the cards. It's tough, but one finds a way to make it work."

From In a Cashless World, You'd Better Pray the Power Never Goes Out - Slashdot

xxx

xxx

If I was the manager of Waitrose after the Woking earthquake, then I would simply accept payment by writing down card numbers, or photocopying driving licences, or taking pictures of customers, or whatever. The core of the issue is identification and trust, not the payment instrument. As many media commentators noted, society in Japan did not collapse. My conclusion: natural disasters are not a convincing argument for cash.

From The disaster in Japan has lessons for payments | Consult Hyperion

xxx

Monday, 16 October 2017

Jewelers Rally After India Anti-Money-Laundering Rule Reversal - Bloomberg

xxx

Shares of jewelers climbed in India after the government withdrew an order that brought the industry under anti money-laundering legislation, a move that comes just as gold buying improves before the Hindu festival of Diwali, the peak season for demand.

Jewelers were included in the Prevention of Money-Laundering Act in August, increasing compliance requirements. Buyers have been shying away from making purchases as they had to provide their income tax identity for transactions above 50,000 rupees ($766), hindering high-value deals.

From Jewelers Rally After India Anti-Money-Laundering Rule Reversal - Bloomberg

xxx

POST Identity at the sharp end

A few years ago, I appeared on a programme about internet dating on one of the more obscure satellite TV channels. They wanted a security expert to comment on the topic and since no-one else would do it, eventually the TV company called me. I agreed immediately and set off for, if memory serves, somewhere off the M4 in West London. The show turned out to be pretty interesting. I didn’t have much to say (I was there to comment on internet security), and I can’t remember much of what was said, but I do remember very clearly that the psychologist at the heart of the show made a couple of predictions. While interviewing a couple who had met online, she said (and I am paraphrasing greatly through the imperfect prism of my recollections) that in the future people would think that choosing a partner when drunk in a bar is the most ludicrous way of finding a soulmate, and that internet dating was a better mechanism for selecting soulmates. Now it seems that this prediction is being confirmed by the data.

“Our model also predicts that marriages created in a society with online dating tend to be stronger,”

From First Evidence That Online Dating Is Changing the Nature of Society - MIT Technology Review

Her other prediction was that internet dating gave women a much wider range of potential mates to choose from and allowed them to review them in more detail before developing relationships. Of course, internet dating also increases the size of the pool for men, but her point was that men don’t seem to make as much use of this as women do. Anyway, the general point about the wider pool now seems to be showing up in the data, assuming that interracial marriages are a reasonable proxy for the pool size. When researchers from the National Academy of Sciences looked at statistics from 1967 to 2013, they found “spikes” in interracial marriages that coincided with the launch of online matchmaking sites.

My point is that internet dating is mainstream and that it is having a measurable impact on society. Why am I talking about this? Well, because internet dating is a use case at the sharp end of identity. It is rife with fraud, it is a test case for issues around anonymity and pseudonymity, it is a mass market for identity providers and it is a better test of scale for an identity solution than logging on to do taxes once every year. Now, I am not the only person who thinks this and there are already companies exploring solutions. And you can see why they want to: online dating is a huge business. A third of the top 15 iOS apps (by revenue) were dating apps.

 

So. How to bring the benefits of digital identity to this world. One way not to do it is the OKCupid way.

Earlier this month, OKCupid announced it would ask users go by their real names on the online dating platform, instead of by sometimes-goofy usernames. It was a move meant to control harassment and promote community on the platform, but not everyone was excited about the idea… After a bit of backlash for the OKCupid community, this week the site backtracked, saying that users don’t have to use their legal name, and instead could use the name, nickname, or initials they want to be known as on OkCupid.

From "OKCupid Backtracks on Its New 'Real Name' Policy | Fortune".

 

So-called “real” names are a dumb way to try to fix these problems. There are a couple of reasons for this. First of all, your real name is not an identifier, it is just an attribute, and it’s only one of the elements that would need to be collected to ascertain the identity of the corresponding real-world legal entity anyway. Secondly, the need to present real names will actually make identity problems worse rather than better, since a real name is essentially nobody’s business and is not necessary in order to engage in the kinds of transactions that are being discussed here. Thirdly, in cases such as Internet dating, the necessity to present a real name will actually prevent transactions from taking place at all, because the key issue isn’t names, it’s reputation. Knowing that I’m a real person is probably the most important element of the reputational calculus that is central to online introductions, but after that? Your name? Your social media footprint? Look at the approach of “Blue”, a dating service for Twitter-verified-users-only.

“In an era of catfishing and fake identities, authenticity is key,” says the accompanying press release, “which is why we’re leveraging Twitter’s world-class verification system to make dating safer.”

From In the online dating jungle, unverified by Twitter doesn’t mean undesirable | Sam Diss | Opinion | The Guardian

I don’t think this is a solution, because if I were to be on an internet dating site, I would want the choice of whether to share my name, or Twitter identity, or anything else with a potential partner. I certainly would not want to log in with my “real” name or any information that might identify me. In fact, this is an interesting example of a market that does not need “real” names at all.