Friday, February 28, 2003
Iris recognition in ATMs?
For this to become reality in the payments industry, however, we will need much better computers that allow the error rates (false rejection rate etc.) to be reduced to almost zero. I'd give it 20 years from now before we use biometrics in payments.
Posted by Simon on 11:58 AM | link
Thursday, February 27, 2003
Preventive fraud measures
Posted by Simon on 12:03 PM | link
Monday, February 24, 2003
Bank ATM Security Not So Secure ... ???
The case concerns a South African couple that claims someone used their Diners Club card to make 190 withdrawals at ATMs all over the U.K. while they were in South Africa. The card's issuer says that's not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card.
As part of the defense, Bond has been asked to testify about the ATM-related weaknesses he and Zielinski address in their paper. However, the plaintiffs, Diners Club SA Ltd., have asked for a secrecy order around the testimony of Bond and other security experts, saying that the publication of the ATM issues described in the paper would harm their business and open their networks up to attack.
The Register has some more detail:
Mike Bond and Piotr Zielinski have published a paper detailing how a complex mathematical attack can yield a PIN in an average of 15 guesses.
It also gives the reference to the original paper: Decimalisation table attacks for PIN cracking, by Mike Bond and Piotr Zielinski of Cambridge University. Reading it, one learns that the attack has to be carried out by a bank insider: someone with considerable knowledge and the ability to submit PIN-verification commands to the bank's hardware security module (HSM), choosing the decimalisation table those commands use.
Now the million-dollar (or rather $80,000) question is of course: is this paper on an insider attack relevant to the court case? In my view it may not be. The essential questions for the judge to ask are:
- when did the couple first discover the illegitimate ATM withdrawals?
- where did they use their card in the months before these withdrawals occurred; could their PIN have been observed on those occasions, while the card was also skimmed?
- are there other, similar fraud occurrences with other account holders that might point to organised crime using the technical attack described in the paper?
- are there other indicators of a less sophisticated but similarly effective internal procedural fraud (an employee orders and intercepts a regenerated PIN code, ordered because the account holder 'forgot their PIN')?
- do the couple know each other's PIN code?
- when did they report the losses to their bank?
- who actually made the withdrawals, and was it always one individual, or does the pattern imply an organised multi-ATM attack (photos at the ATM sites)?
- when did Diners start becoming aware of the irregularities in the withdrawal pattern (repeated withdrawals may point to fraud)?
- did the couple use their card regularly for this purpose?
- did the couple extend their credit line recently?
As for the Netherlands, this attack may not be immediately relevant to our ATM security. The technical attack involved is also rather unlikely: any situation in which a corrupt programmer had access to the operational ATM infrastructure and authorisation protocols would already be a breach of the strict requirement to separate development and production ICT environments. The caveat is that the attack needs no development access at all; it only needs the ability to send verification requests to the production HSM, so the real question is who, besides the ATM switch itself, is able to do that.
Then again, even if such an attack occurred, the bank's logging and detection should be able to spot an insider polling the HSM to extract information about a PIN. All the bank needs to do is summarise the HSM logs of the past years and check for anomalies: a sudden increase in verification requests, or repeated failed verifications against a single account using non-standard decimalisation tables. If there are none, it is rather unlikely that the attack described in the paper is the basis for the illegitimate ATM transactions. And that is what the court case is all about.
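To make both halves of this argument concrete, here is a small added example (not code from the blog, from Diners, or from Bond and Zielinski): a toy PIN verifier in the IBM 3624 style, the decimalisation table attack run against it, and the kind of log review argued for above. The DES encryption of the account number is replaced by HMAC-SHA256 under a constructed PIN derivation key, the PANs are made up, and the attack is the straightforward two-phase version, which needs roughly 25 queries per account rather than the 15 the Register quotes for the paper's adaptive scheme.

```python
"""Toy model of the decimalisation table attack on an IBM 3624-style PIN verifier.

Added example; not code from the blog or from Bond and Zielinski.  The HSM's DES
encryption of the account number is replaced by HMAC-SHA256 under a constructed
PIN derivation key so the example runs offline with the standard library only.
"""
import hashlib
import hmac
from collections import Counter
from itertools import product

# The standard table: hex digit 0..f -> decimal digit.  The caller of the verify
# command may pass any 16-character table; that freedom is the flaw being used.
STANDARD_DECTAB = "0123456789012345"


class ToyPinHsm:
    """Verifies a trial PIN against the 'natural' PIN derived from the PAN."""

    def __init__(self, pdk: bytes):
        self._pdk = pdk      # PIN derivation key; never leaves the HSM
        self.log = []        # (pan, dectab, success) per request: the audit trail

    def _natural_pin(self, pan: str, dectab: str) -> str:
        # Stand-in for DES_pdk(PAN): first four hex digits of a keyed hash,
        # each pushed through the decimalisation table.
        digest = hmac.new(self._pdk, pan.encode(), hashlib.sha256).hexdigest()
        return "".join(dectab[int(h, 16)] for h in digest[:4])

    def verify(self, pan: str, dectab: str, trial_pin: str) -> bool:
        ok = self._natural_pin(pan, dectab) == trial_pin
        self.log.append((pan, dectab, ok))
        return ok


def crack_pin(hsm: ToyPinHsm, pan: str) -> str:
    """Recover the natural PIN of `pan` using only yes/no answers from the HSM."""
    # Phase 1: which decimal digits occur in the PIN?  For digit d, use a table
    # that maps exactly the hex values normally decimalised to d onto '1' and all
    # others onto '0'.  Under that table the natural PIN is 0000 iff d is absent,
    # so a failed verification of 0000 reveals that d is present.  Ten queries.
    present = []
    for d in "0123456789":
        binary_tab = "".join("1" if STANDARD_DECTAB[h] == d else "0" for h in range(16))
        if not hsm.verify(pan, binary_tab, "0000"):
            present.append(d)
    # Phase 2: only arrangements using every digit found, and nothing else, remain
    # (at most 36 of them).  Test each against the standard table.
    for digits in product(present, repeat=4):
        if set(digits) != set(present):
            continue
        pin = "".join(digits)
        if hsm.verify(pan, STANDARD_DECTAB, pin):
            return pin
    raise RuntimeError("oracle answers were inconsistent")


def suspicious_pans(log, max_failures: int = 3):
    """The detection the post argues for: summarise the HSM log per account.

    Flags any PAN with more than `max_failures` failed verifications, or with any
    request that used a non-standard decimalisation table.  The attack above
    leaves both traces; a customer typing a PIN at an ATM leaves neither.
    """
    failures, odd_tables = Counter(), set()
    for pan, dectab, ok in log:
        if not ok:
            failures[pan] += 1
        if dectab != STANDARD_DECTAB:
            odd_tables.add(pan)
    return sorted({p for p, n in failures.items() if n > max_failures} | odd_tables)


def average_queries(n_accounts: int, pdk: bytes = b"constructed pin derivation key") -> float:
    """Run the attack against `n_accounts` constructed PANs; return the mean query count."""
    total = 0
    for i in range(n_accounts):
        hsm = ToyPinHsm(pdk)
        pan = f"4000{i:012d}"
        assert crack_pin(hsm, pan) == hsm._natural_pin(pan, STANDARD_DECTAB)
        total += len(hsm.log)
    return total / n_accounts


if __name__ == "__main__":
    hsm = ToyPinHsm(b"constructed pin derivation key")
    pan = "4000123456789012"
    print("recovered PIN:", crack_pin(hsm, pan), "in", len(hsm.log), "verify calls")
    print("flagged by log review:", suspicious_pans(hsm.log))
    print("mean queries over 300 accounts:", round(average_queries(300), 1))
```

The detector's threshold is illustrative; the point is that the HSM log alone is enough to answer the question the post raises, because every query of the attack is a verification request with either a non-standard table or a failing PIN, concentrated on one account.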
Still, this is an interesting case. I'm curious whether we'll get more details on it in the future.
Posted by Simon on 11:37 AM | link
The interactive organisation...
Dutch readers may download the text here.
Posted by Simon on 10:31 AM | link
Sunday, February 23, 2003
Homeshopping with RTL and Yorin
I bet they'll use mobile phones / credit-cards for payments.
Posted by Simon on 2:52 PM | link
Spam for stolen credit-card numbers...
From: cvv.ru - admin [mailto:firstname.lastname@example.org]
Sent: Friday, February 21, 2003 3:27 PM
Subject: Stolen Credit Card Numbers - for SALE!
Hello dear X@BY.COM
We have opened a discussion forum at http://www.cvv.ru
We sell stolen credit card numbers - only $2 for each number (Visa or Master Card)! Only $124.95 for bulk order of 100 credit card numbers. We sell fake ids (Driver Licenses).
Write me - email@example.com
Contact me by ICQ - 319319
Come at - http://www.cvv.ru
Posted by Simon on 2:45 PM | link
Friday, February 21, 2003
Dutch Bankers' Association presents annual report
- cost of supervision
- taking along the same account number when moving to another bank.
See also previous entries on this blog.
The NVB explained that it could not imagine that consumers would welcome the practical consequences of keeping the same account number. If a consumer wished to keep his or her account number, the new bank would have to reissue credit cards and debit cards over a period of several weeks, and the network routing tables would have to be adapted so that card transactions reach the proper issuing bank. The NVB also explained that the measures announced (listed below) to facilitate transfer to another bank would most likely cover the problems experienced (or perceived).
1. Credit transfers to the old account will be rerouted (for 13 months) to the new account
2. Direct debits on the old account will be debited from the new account. The company involved will be informed that the customer's account number has changed
3. Banks will stop periodic/regular payments and provide the full list to the consumer
4. The customer will receive a number of postcards to inform companies/organisations of the new account number
5. Banks will provide a brochure with practical tips
6. Procedural support for transferring other payment flows (credit cards, debit cards, etc.).
All the customer needs to do is send in an account transfer form two weeks before the desired transfer date. Of course some minor operational problems may be expected upon introduction of this Interbanc Moving the Account Service, but I'm not aware of any other country doing it the same way.
Posted by Simon on 2:00 PM | link
SSB contract win for processing Dutch/Belgian credit-card
Posted by Simon on 11:08 AM | link
Wednesday, February 19, 2003
Solving the problem of micropayments with a statistical solution: Peppercoin
The service will be free to consumers, who sign up with Peppercoin and provide a credit card number. Now the user can go to any Peppercoin retailer and purchase a single, very cheap item -- an MP3 song priced at 50 cents, for instance. By clicking on a link, the music gets downloaded to the customer's computer. The merchant gets a Peppercoin -- a sort of electronic token that's got the customer's digital signature embedded in it.
What's the token worth to the merchant? It depends. Peppercoin uses an algorithm that assigns a value to the token. Actually it assigns one of two values. Either the token is worth some preset amount -- say, $10 -- or it's worth nothing at all. When the token is worthless, the merchant throws it away. When it's not, the merchant collects $10 from Peppercoin, even if the customer only spent 50 cents.
It seems utterly nutty until you apply this method to millions of 50-cent transactions every month. Maybe 5 percent of these transactions will be sent to Peppercoin, which processes them through the credit card system. The rest are thrown away. This keeps transaction costs way low. And the transactions that are processed have a value of $10 apiece, which brings in cash to make up for the 95 percent that were thrown away. Spread over millions of purchases, it all averages out.
For those interested in the original sources:
-the presentation by Rivest at RSA 2002,
-the technical paper (math!).
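As an added illustration of the arithmetic the article describes (example code, not Peppercoin's own protocol or code), below is a simulation of the merchant's side. The customer's digital signature is stood in for by HMAC-SHA256 under a constructed per-customer key, and the "worth $10 or worth nothing" verdict is taken as a keyed hash of that signature under a merchant secret; both choices are assumptions made for the example, not the published scheme.

```python
"""Probabilistic micropayment settlement in the style the article describes.

Added example: not Peppercoin's code or its published protocol.  The customer's
digital signature is stood in for by HMAC-SHA256 under a constructed per-customer
key, and the 'worth $10 or worth nothing' verdict is a keyed hash of that
signature under a merchant secret.  Both choices are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass

PAYABLE_CENTS = 1000  # a selected token is worth $10 to the merchant


@dataclass(frozen=True)
class Token:
    customer: str
    merchant: str
    price_cents: int
    serial: int        # per-customer counter so a token cannot be spent twice
    signature: bytes


def issue_token(customer_key: bytes, customer: str, merchant: str,
                price_cents: int, serial: int) -> Token:
    """Customer side: sign (customer, merchant, price, serial) and hand it over."""
    msg = f"{customer}|{merchant}|{price_cents}|{serial}".encode()
    sig = hmac.new(customer_key, msg, hashlib.sha256).digest()
    return Token(customer, merchant, price_cents, serial, sig)


def is_payable(token: Token, merchant_key: bytes,
               payable_cents: int = PAYABLE_CENTS) -> bool:
    """Select the token with probability price/payable (50 cents / $10 = 1 in 20).

    The verdict is a deterministic keyed hash of the signature: the customer, who
    lacks the merchant key, cannot tell in advance which tokens will be the $10
    ones, and a party holding the key can recompute the verdict when the
    merchant presents a token for payment.
    """
    tag = hmac.new(merchant_key, token.signature, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % payable_cents < token.price_cents


def settle(tokens, merchant_key: bytes, payable_cents: int = PAYABLE_CENTS):
    """Merchant side: (total sales, cash actually collected, tokens forwarded)."""
    sales = sum(t.price_cents for t in tokens)
    forwarded = [t for t in tokens if is_payable(t, merchant_key, payable_cents)]
    return sales, len(forwarded) * payable_cents, len(forwarded)


def simulate(n_tokens: int, price_cents: int = 50, n_customers: int = 1000):
    """Constructed stream of identical small purchases from many customers at one shop."""
    merchant_key = b"constructed merchant secret"
    tokens = []
    for i in range(n_tokens):
        cust = f"customer{i % n_customers}"
        key = hashlib.sha256(b"constructed key for " + cust.encode()).digest()
        tokens.append(issue_token(key, cust, "music-shop", price_cents, i // n_customers))
    return settle(tokens, merchant_key)


if __name__ == "__main__":
    sales, collected, forwarded = simulate(100_000)
    print(f"sales ${sales / 100:,.2f}; collected ${collected / 100:,.2f}; "
          f"{forwarded} of 100000 tokens forwarded ({100 * forwarded / 100_000:.2f}%)")
```

Over 100,000 fifty-cent purchases the merchant forwards about 5% of the tokens and collects within a few percent of its actual sales. The residual variance is what a real scheme has to make acceptable to the merchant, and keying the selection is what stops a customer from only ever spending tokens that will turn out worthless.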
Posted by Simon on 9:42 PM | link
Ministry of Finance establishes working group for cost control and payment of supervision
Interestingly, the Ministry's letter was published on the same morning that a socialist MP (Norder) was quoted in the Financieele Dagblad:
.. undemocratic. ....In contradiction with a proper separation of duties the financial supervisors each establish their own wagon load of detailed regulations, meanwhile also operating as compliance officer and judge. The trias politica in the financial sector has been delegated all into a single hand.... The supervisors are monopolists that determine their own price....
Posted by Simon on 4:25 PM | link
Tuesday, February 18, 2003
Robbery at Brink's money dispatch office
It looks as if the Netherlands will soon be in the situation Belgium was in a couple of years ago: money transports were halted because of the safety risk, and people moved to increased debit-card use at the point of sale.
Posted by Simon on 4:02 PM | link
Hacker breaches credit card security of third party processor
I would also like to note that this information could be placed in different contexts for different types of use. Visa and MasterCard will probably once again stress that this technical threat is the reason why new and safer products are developed and should be used. Law enforcement officials would do the same, I guess. And I would not be surprised if this issue springs up in the legal battle between Visa and third party processors about being allowed to switch transactions. As such the incident would suggest that it's best not to use third party processors....
Let's see where we stand in a years time.
Posted by Simon on 3:58 PM | link
Monday, February 17, 2003
Japanese Smart Cards Keep Looking for Smarter Ideas
Posted by Simon on 10:27 PM | link
Postbank teams up with SPAR to provide cash-service-counters
Posted by Simon on 6:05 PM | link
Debts on current accounts...
Posted by Simon on 6:02 PM | link
ABN Amro e-banking usage figures
Posted by Simon on 5:58 PM | link
Ten Banks End Online Gambling With Credit Cards
In New York, as in most states, promoting or facilitating unauthorized betting and gambling is illegal -- whether it occurs online or off. However, because Internet gambling businesses usually operate offshore in foreign locations, beyond the enforcement power of local authorities, they often avoid prosecution. Yet, in this case, the banks are all in the US.
The credit card transactions are "coded" by merchants and their merchant banks to indicate to credit card issuing banks (the lenders) what is being purchased. By blocking certain of these codes, issuing banks can avoid extending credit for much gambling activity that occurs on the Internet.
Posted by Simon on 5:54 PM | link
Congestion charges in London: payment by mobile and SMS
My guess would be that the anti-congestion effect is temporary. In two years, traffic will be jammed once again. But the funny thing may be that by then, many cities have adopted the London model (as it appeared to work in the beginning....).
Facts of today:
Transport for London said
-traffic was about 25% lighter than normal and that there was no evidence of significant congestion problems but a spokesman conceded: "It's still very early days."
-that 66,000 people had paid the charge by 3pm and it expected more would do so on the way home.
-website of London congestion charging
Posted by Simon on 5:53 PM | link
Friday, February 14, 2003
Account number portability: Minister of Finance says more than was agreed to.....
In the debate with the Committee, Hoogervorst said that Dutch banks would introduce account number portability. Both his own staff and members of the Committee were surprised. Everyone knows that the banks are now introducing an account transfer service to ease the transfer for those that move accounts. The costs are considerably lower, while the same goal is achieved. Even when urged to be more specific, the Minister repeated his answer, adding that he meant it would be introduced in the long run, being 8 years (the point in time at which all Dutch banks probably plan to use a uniform 10-digit account numbering system).
The Dutch Association of Banks was asked for comment and its spokesman denied that banks had agreed on this account number portability. The banks have only agreed to first introduce the account transfer service and then evaluate whether that is sufficient. Further debate and agreements will take place in the Maatschappelijk Overleg Betaaldiensten (the Payments Council that serves as the Dutch public platform for discussions on payment services).
Source: Het Financieel Dagblad
Posted by Simon on 10:27 AM | link
Thursday, February 13, 2003
Visa reports increased on-line usage
Total Visa online transactions
- number: Q4 2001: 14.5 million; Q4 2002: 31.1 million
- value: Q4 2001: 1.1bn euros; Q4 2002: 2.6bn euros
Fastest growing sector: Tourism/Entertainment, +531%
Slowest growing sector: Services, +57%
See also the Visa website for more statistics.
Posted by Simon on 1:05 PM | link
Nipo reports users will pay extra for 3G services
Posted by Simon on 12:54 PM | link
Wednesday, February 12, 2003
OFT's preliminary conclusion on MasterCard's Multilateral Interchange Fee
The OFT has published a preliminary report in which it essentially explains that the MasterCard agreement, containing a multilateral interchange fee for credit cards, does not comply with competition law. It is a preliminary statement, but if the OFT does the same as the Reserve Bank of Australia, its position will have an impact on the UK and European market.
Download the full OFT report.
Posted by Simon on 4:08 PM | link
Tuesday, February 11, 2003
Minister Hoogervorst starts bank BUS-tour for the elderly
The initiative of ABN AMRO should be viewed against the background of a considerable reduction in bank branches and the complaint of interest groups that bank service is being reduced too much. It is also relevant to note that a draft law is in preparation (MP Crone) that would oblige banks to open branches in certain areas. As a result all banks are working to ensure proper service delivery. In the elderly segment, Rabobank focuses on further introduction of the Chipknip as the payment instrument in residential homes for the elderly. And in November 2002 Postbank started to introduce so-called money withdrawal service points (a franchise service for small shopkeepers).
Posted by Simon on 3:56 PM | link
Monday, February 10, 2003
Paying for supervision.. who's auditing?
1. 15% of the supervision budget will be paid out of public funds; the rest is to be paid by the supervised organisations,
2. all expenses will be paid by the supervised organisations, but an overseeing budget council will monitor the development of these expenses.
One option not in public discussion is to assign the budget monitoring role to the Algemene Rekenkamer (the national audit institution). This organisation will need to visit the central bank/supervisor anyhow, as De Nederlandsche Bank is a very hybrid organisation that combines the provision of public and private services and also receives considerable income (seigniorage on bank notes). Any such organisation must be audited, if only to maintain a level playing field vis-à-vis the private sector. So DNB has a strong need to establish proper internal accounting and expense allocation systems that allow its private services to be competitively priced and its public services to be properly monitored. And the national audit institution is the appropriate organisation to audit this.
Posted by Simon on 9:51 AM | link
Saturday, February 08, 2003
Secoin is testing system for micropayments
Posted by Simon on 8:13 PM | link
Billing: a profession in itself
Which goes to show that billing is a profession in itself. See also the oration of George Huitema (here available in Dutch) and the website of the Global Billing Association.
Posted by Simon on 7:07 PM | link
Friday, February 07, 2003
SWIFT preparing for the future...
Posted by Simon on 9:16 PM | link
Wednesday, February 05, 2003
France prepares nationwide launch of purses and smart cards
See also the earlier agreement of French banks and enterprises to move to a new generation of chip applications.
Posted by Simon on 3:54 PM | link
Joint accounts targeted for bank fraud
Posted by Simon on 12:04 PM | link
Tuesday, February 04, 2003
Telco's will be banks... or are they already?
After taking a stake in Paybox Austria on 13 July 2001, mobilkom austria founded a bank in January 2002, the first mobile network operator worldwide to do so. A1 Bank holds the banking licence for carrying out payment transactions. "With the combination of a mobile payment solution and a banking licence, we have all the competences needed to develop innovative m-commerce applications for our customers: micropayment solutions, prepaid solutions and guarantees towards Austrian merchants. At the same time we have established a standard that gives all mobile phone customers in Austria access to services and guarantees secure payment transactions," said Ametsreiter.
Posted by Simon on 10:15 AM | link
Paybox, wasn't that a mobile payment thing.... once...?
Posted by Simon on 9:57 AM | link
Monday, February 03, 2003
Survey on direct debits by consumer union
- wrong amount debited,
- banks too slow to respond and reverse the direct debit,
- amount debited without authorisation of the customer.
The Consumer Union has called upon the Dutch Association of Banks to improve the situation as far as the banks are concerned. See also the list of 40 complaints of the Union, in which it becomes clear that utility companies (bulk users of direct debits) make a mess of their billing/administration.
In my view, the solution for this problem would be to improve the feedback loop for individual banks and create a financial stimulus to reduce operational errors. See this link.
Posted by Simon on 10:23 AM | link
New currency in the Netherlands... : Raam
The Raam (see Ceejee for an image) is issued by an organisation founded by Maharishi Yogi. The Raam is printed by Joh. Enschedé (printer of numerous bank notes all around the world, including the euro) and is issued in denominations of 1, 5 and 10 raam. One Raam is worth 10 euro.
The Raam was issued on 19 October 2002, with Limburgs Dagblad having the first article:
Vlodrop. Fortis Bank issues the Maharishi's new currency, called the Raam, only at its Roermond branch. This was emphasized by Fortis yesterday, a day on which collectors and interested parties from all over the country started to find out how to become owners of the new Raam notes.
According to spokesman M. Bongaerts of Fortis Nederland, the bank only sells the notes in Roermond as a service to the Maharishi, an important customer of Fortis. The Maharishi wants to use the currency to supply Third World countries with a strong, inflation-resistant currency. The notes will be used primarily to finance organic agriculture projects.
Posted by Simon on 10:19 AM | link
Retail payments are still very much influenced by local conventions, regulations etc.....
Readers should not base any decision on the basis of the information provided in this weblog.
This weblog serves as an archive of public events in retail payments. It is an individual account which should not be construed as a formal viewpoint of any organisation.
Copyright Simon Lelieveldt
Feel free to copy, paste or use this log but always mention the author and URL (http://www.simonl.org/blogger.htm)