Risk and Privacy Implications of Consumer Payment Innovation

Ross AndersonCambridge University

Overview

• Competition – Sofort, Pingit• Background on payment service regulation• Cyber-crime patterns and trends in 2012• Mobile payment trends• Mobile wallets• Carrier billing• Remittance services, social, credit• Ways forward for payment service regulators

Buying a plane ticket (1)

Buying a plane ticket (2)

Buying a plane ticket (3)

It’s fronting for this:

Sofortüberweisung

• Rapidly-growing low-cost payment service– Merchant website redirects to Sofort– Sofort asks for bank account # and tries to logon– Relays the authentication challenge to customer– Uses credit transfer to pay for purchase

• Middleperson attack on online banking!• Fee 0.75% + 10c instead of 2.5%• Banks’ law case against Sofort failed after

Federal competition authorities intervened

Pingit

• Barclays product for phone-based payment; mobile number as proxy for account number

• Phase 1: Barclays customers only; peer-to-peer payment limit £300

• Phase 2: any bank’s customer can use it, following a one-off direct-debit authorisation

• Background: banks want to abolish cheques• Could mobile be a mould-breaker like Sofort?

Possible roadblocks

• Mobile payments are really successful in Kenya, Pakistan, South Africa… and bring significant social gains

• In developed countries it hasn’t taken off! Mobile payment predictions of 1bn users, $1trn turnover “within five years” since 2002

• Innopay 2012 report: need speed, security, functionality

• But it may actually be about cost…

Possible roadblocks (2)

• Consumer protection better on credit cards than PIN debit (discount 2.5% vs 1.5%)

• If we move to phone / Sofort at 0.75% there will be pressure to cut this

• Also, fraud is about 30 basis points online versus 5 face-to-face

• Protection now good in USA, OK in Fi, Nl, bad in GB, Spain, Latvia – affects online confidence

• Will Reg E / Reg Z be circumvented?

Possible roadblocks (3)

• The EU do-not-track directive is already causing grief to online businesses

• Privacy tussles will get worse with mobile – cellsite location history is sensitive data

• Controversy already: path.com, flurry.com• Also: interaction with malware• Now that the bad guys can steal money they are

targeting smartphones (so far mostly dialers, SMS stealers, and mostly in China, but just wait!)

Future regulation?

• Payment regulation has always been dynamic – 130 years of tussles over forgery, cheque crossing, settlement, liability, interchange fees, …

• Things are getting ever faster and more complex!• Ever more of the players are nonbanks– First Data, IBM, …– FICO, Experian, …– Nokia, Blackberry, Google, eBay, Microsoft, …

• Governance is going to be hard

Cyber-crime patterns

• Cyber-crime now defined in EU as just about every bad thing done with IT! But four basic types– Traditional stuff like tax fraud and welfare fraud– Offences with rapidly changing modus operandi like

card fraud– Novel offences like fake antivirus scams– Platform offences such as running botnets

• As you work down the list, the indirect cost ratio (costs in anticipation and consequence versus direct losses) rises sharply from < 10-1 to > 102 – like the indirect costs of a mosquito bite

Whither payment fraud?• Nilson 2010: card fraud $7.6bn (US $3.6bn)• Our 2011 figures: card fraud costs $9.2bn direct

and $2.4bn indirect• Online bank fraud costs $690m direct, $1bn

indirect (and rising sharply thanks to Zeus)• Opportunity costs are greater still (maybe $30bn)• The move online, and the move to mobile, may

increase fraud losses (even double them)• ‘Fraud Inc’ might have a market cap over $100bn• But don’t panic: this may still increase welfare

Existing mobile payment systems

• Biggest success in less developed countries• Kenya, South Africa: PIN encrypted in the SIM

card, transaction via traditional bank network• Others send PINs in the clear via USSD, and

take the risk• Peer-to-peer payments being built out into

peer-to-agent and even agent-to-agent• Growing ecosystem includes access to

government services and much else

Existing mobile payment systems (2)

• NFC payments started in Japan 10 years ago• 2011: launch of the Google Wallet (an app

that does tap-and-pay via an SE/ NFC chip)• 2012: NFC payments being promoted for the

Olympics; TV fear about possible card cloning• Technical risks include easier relay attacks and

a series of engineering problems with EMV• Governance problems include reprovisioning

Existing mobile payment systems (3)• Carrier billing (e.g. premium rate SMS) in pain• Android malware leading to chargebacks in

excess of 20% in some countries / sectors• We’ve been here before (modem diallers)• Fixes: – remove bad apps quickly from app stores– instrument the network to spot malware quickly – delay payment to suppliers

• Industry hopes the SE will fix this, but PBX fraud is also rising very rapidly

Other sources of disruption

• Low-cost remittance services like oanda.com• Off-the-wall entrants like Bitcoin• Facebook credits (but has a 30% merchant

discount, like carrier billing!)• P2P such as zashpay and popmoney• Innovations in credit, from ‘crowd’ (zopa.com,

smaba.de) to ‘surveillance’ (Telrock)• Merchant-side innovation such as Tesco Bank

‘Bad’ payment systems

• Cyber-crooks want irrevocable payments (watch the UK’s Faster Payments scheme!)

• eGold got raided: Western Union now handles most of the cashout from core cybercrime

• Webmoney is used internally by crooks• Porn payments: two-sided adverse selection• High-yield investment programs (‘postmodern

Ponzi schemes’) have a number of PSPs

Outcomes best avoided

• Could catastrophic fraud close a channel?• Pessimist: once cash, keys and tokens are all

phone apps, we have a huge target and an intractable governance problem

• Optimist: if an attack’s big enough attack to disrupt, where do you send all the money?

• Alternative bad outcome: pervasive carding that undermines confidence and imposes large opportunity costs on economy

What might governments do?

• See our paper ‘Security Economics and the Single Market’, ENISA, 2008

• Better stats on both fraud and malware, start to fix liability rules, require network-attached consumer electronics to be secure by default, better police cooperation …

• Many of these are now being worked on (e.g. Eurozone fraud stats from this year)

• What should the Fed’s priority be?

What might the Fed do?

• Esther: the Fed must be prepared for crisis!• The Fed should set up a Fraud Analysis Centre to

collect information from banks, online service companies, PSPs, CRAs and others

• Someone has to process data to get actionable intelligence (NCFTA? NACHA?) But someone also needs to track the big picture – a role for the Fed

• If the Fed wants to do a P2P payment service it should first study what goes wrong …

Next steps

• Workshop on the Economics of Information Security, Berlin, June 2012

• Our web page on bank fraud: http://www.cl.cam.ac.uk/~rja14/banksec.html

• Other current research:– Econometrics of online crime– Mobile malware– Next-generation platform components

NATO meeting October 10 2011