Friday, February 28, 2003

Iris recognition in ATMs?

A famous Dutch humorist (Wim de Bie) had a visionary view on the use of biometrics in banking. As early as 1988 he predicted in his book Schoftentuig (pages 22-24) that banks would implant the magstripe under the skin of the forehead, would tattoo the PIN code on the tip of the index finger and would implant a proximity token in the tongue of their customers (while surcharging the consumer a fee of 50 % per transaction). Now, Erwin Boogert sent me this Australian article on the use of iris recognition in ATMs.



For this to become reality in the payments industry, however, we will need much better computers that allow the error rates (false rejection rate etc.) to be reduced to almost zero. I'd give it 20 years from now before we use biometrics in payments.



Thursday, February 27, 2003

Preventive fraud measures

Very silently, Dutch banks are taking a number of protective measures to prevent debit-card PIN fraud from occurring. Debit cards are being reissued through a number of strategies (which differ per bank). One customer actually saw his debit card disappear into the ATM of a large bank. Upon request the bank informed the customer that this was a preventive measure, as the card had been used in a compromised payment terminal. Within 4 days a new debit card was issued.



Monday, February 24, 2003

Bank ATM Security Not So Secure ... ???

Both the Volkskrant and OSNews.com report that Cambridge researchers have found flaws that may have an impact on ATM security. An article in eWeek explains more: it turns out that the scientific evidence is being used in a court case to back the claim of a South African couple.



The case concerns a South African couple that claims someone used their Diners Club card to make 190 withdrawals at ATMs all over the U.K. while they were in South Africa. The card's issuer says that's not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card.



As part of the defense, Bond has been asked to testify about the ATM-related weaknesses he and Zielinski address in their paper. However, the plaintiffs, Diners Club SA Ltd., have asked for a secrecy order around the testimony of Bond and other security experts, saying that the publication of the ATM issues described in the paper would harm their business and open their networks up to attack.




The Register has some more detail:

Mike Bond and Piotr Zielinski have published a paper detailing how a complex mathematical attack can yield a PIN in an average of 15 guesses.

and provides the reference to the original paper: Decimalisation table attacks for PIN cracking, by Mike Bond and Piotr Zielinski of Cambridge University. From it one learns that the attack is one that needs to be performed by internal bank employees with a considerable amount of knowledge and access to resources.



Now the one-million, or rather $80,000, question is of course: is this paper on an internal employee attack relevant to the court case? In my view it may not be. The essential questions to be asked by the judge are:

- when did the couple first discover the illegitimate ATM withdrawals?

- where did they use their card in the months before these withdrawals occurred; could their PIN have been detected/observed on those occasions, while skimming also took place?

- are there any more similar fraud occurrences with other account holders that may imply an organised crime operation involving the technical attack as described in the paper?

- are there other indicators for a perhaps less sophisticated but similarly effective internal procedural fraud (an internal employee orders and intercepts a regenerated PIN code, ordered because the account holder 'forgot their PIN')?

- do the couple know each other's PIN code?

- when did they report the losses to their bank?

- who actually made the withdrawals, and was it always one individual, or does the pattern imply an organised multi-ATM attack (photos at ATM sites)?

- when did Diners start becoming aware of the irregularities in the withdrawal pattern (repeated withdrawals may point to fraud)?

- did the couple use their card regularly for this purpose?

- did the couple extend their credit line recently?



As for the Netherlands, this attack may not be immediately relevant to our ATM security. The technical attack involved is also rather unlikely. Any situation in which a corrupt programmer had access to the operational ATM infrastructure and authorisation protocols would be a breach of the strict requirement to separate development and operational ICT environments.



Then again, even if such an attack occurred, the detection and logging application should be able to detect a corrupt insider repeatedly polling the HSM to obtain more detailed information. All the bank needs to do is summarise the HSM logs of the past years and check whether anomalies exist, such as a sudden increase in PIN verification requests. If not, it is rather unlikely that the attack described in the paper is the basis for the illegitimate ATM transactions. And that's what the court case was all about.
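To make that log check concrete, here is an added example (not code from the original post, the bank or the paper) that runs a simple volume and unknown-requester check over a constructed HSM audit log; the log line format, host names and command names are assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical audit-log line layout for this example; a real HSM's log
# format differs and the regular expression would be adapted to it.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) cmd=(?P<cmd>\S+) result=(?P<result>\S+)$"
)


def build_sample_log(days=20, spike_day=17, spike_count=600):
    """Constructed sample data: a steady trickle of PIN verifications from
    the authorisation switch, plus one day on which an unexpected host
    issues hundreds of verifications (the insider pattern the text describes)."""
    lines = []
    start = date(2003, 1, 6)
    for d in range(days):
        day = start + timedelta(days=d)
        for n in range(40 + (d % 5) * 3):   # normal load varies a little per day
            lines.append(f"{day} 09:{n % 60:02d}:00 src=switch-01 cmd=PIN_VERIFY result=OK")
        if d == spike_day:
            for n in range(spike_count):
                lines.append(f"{day} 22:{n % 60:02d}:{n % 59:02d} "
                             f"src=dev-ws-07 cmd=PIN_VERIFY result=FAIL")
    return "\n".join(lines)


def parse_hsm_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def daily_counts(records, cmd="PIN_VERIFY"):
    """Map day -> {requesting system -> number of `cmd` requests}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["cmd"] == cmd:
            counts[r["day"]][r["src"]] += 1
    return counts


def find_anomalies(records, baseline_days=14, sigma=3.0, cmd="PIN_VERIFY"):
    """Compare each day after the baseline period with the baseline: flag a
    requester whose daily volume exceeds mean + sigma * stdev of the baseline
    daily totals, and any requester that never appeared during the baseline."""
    counts = daily_counts(records, cmd)
    days = sorted(counts)
    if len(days) <= baseline_days:
        return []
    baseline = days[:baseline_days]
    known_sources = {s for d in baseline for s in counts[d]}
    totals = [sum(counts[d].values()) for d in baseline]
    threshold = statistics.mean(totals) + sigma * statistics.pstdev(totals)
    findings = []
    for d in days[baseline_days:]:
        for src, n in counts[d].items():
            if src not in known_sources:
                findings.append((d, src, n, "unknown requester"))
            elif n > threshold:
                findings.append((d, src, n, f"volume above {threshold:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_hsm_log(build_sample_log())):
        print(finding)
```

On the constructed log the only finding is the development workstation that suddenly issues 600 verifications on one day, which is exactly the kind of entry a bank would have to look for before blaming, or ruling out, the attack from the paper.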



Still, this is an interesting case. I'm curious if we get more details on it in the future.

The interactive organisation...

was the title of the inaugural lecture of Prof. Han Gerrits, last Friday. It contained some interesting statements on the effect of interactive media on the provision of bank services. Prof. Gerrits stated, for example, that some of the work that used to be done by banks shifts to the consumer. Yet those banks that still charge customers for data-entry work the customers now do themselves (instead of their bank) still have some more thinking to do on the topic of interactive media.



Dutch readers may download the text here.

Sunday, February 23, 2003

Homeshopping with RTL and Yorin

Peter Olsthoorn reports that as of April 7, 2003, the Holland Media Groep (HMG) will introduce homeshopping on their TV channels. This service is offered in cooperation with Home Shopping Service (HSS), also a company of the RTL Group.



I bet they'll use mobile phones / credit-cards for payments.

Spam for stolen credit-card numbers...

... actually looks like this:





From: cvv.ru - admin [mailto:admin@cvv.ru]

Sent: Friday, February 21, 2003 3:27 PM

Subject: Stolen Credit Card Numbers - for SALE!



Hello dear X@BY.COM

We have opened a discussion forum at http://www.cvv.ru

We sell stolen credit card numbers - only $2 for each number (Visa or Master Card)! Only $124.95 for bulk order of 100 credit card numbers. We sell fake ids (Driver Licenses).



Write me - admin@cvv.ru

Contact me by ICQ - 319319

Come at - http://www.cvv.ru





Friday, February 21, 2003

Dutch Bankers' Association presents annual report

Yesterday the Dutch Bankers' Association (NVB) presented its annual report. Two regulatory topics were specifically addressed:

- cost of supervision

- taking along the same account number when moving to another bank.

See also previous entries on this blog.



The NVB explained that it could not imagine that consumers would welcome the practical consequences of keeping the same account number. If a consumer wished to keep his/her account number, the new bank would, over a number of weeks, need to reissue credit cards and debit cards, and the network tables that route card transactions to the proper issuing bank would also have to be adapted. The NVB also explained that the measures announced (listed below) to facilitate transfer to another bank would most likely cover the problems experienced (or perceived).



1. Credit transfers to the old account will be rerouted (for 13 months) to the new account

2. Direct debits of the old account will be debited from the new account. The company involved will be informed that the account number of the customer has changed

3. Banks will stop periodic/regular payments and provide the full list to the consumer

4. The customer will receive a number of postcards to inform companies/organisations on the new account number

5. Banks will provide a brochure with practical tips

6. Procedural support for transferring other payment flows (credit cards, debit cards, etc.).



All the customer needs to do is send in an account transfer form two weeks before the date the transfer is desired. Of course some minor operational problems may be expected upon introduction of this interbank account moving service, but I'm not aware of any other country that does the same.



SSB contract win for processing Dutch/Belgian credit-card

European Card Review reports in its January/February issue that SSB, the Italian 'Interpay', may win the Banksys/Interpay contract for processing Dutch and Belgian credit cards. The other contestants for this bid are thought to have been First Data and TSYS.



Wednesday, February 19, 2003

Solving the problem of micropayments with a statistical solution: Peppercoin

Boston Globe Online has a very nice article on a payment technique that is based on statistical characteristics (and thus requires a lot of payments to work). It is interesting enough to quote and let your mind wander...



The service will be free to consumers, who sign up with Peppercoin and provide a credit card number. Now the user can go to any Peppercoin retailer and purchase a single, very cheap item -- an MP3 song priced at 50 cents, for instance. By clicking on a link, the music gets downloaded to the customer's computer. The merchant gets a Peppercoin -- a sort of electronic token that's got the customer's digital signature embedded in it.



What's the token worth to the merchant? It depends. Peppercoin uses an algorithm that assigns a value to the token. Actually it assigns one of two values. Either the token is worth some preset amount -- say, $10 -- or it's worth nothing at all. When the token is worthless, the merchant throws it away. When it's not, the merchant collects $10 from Peppercoin, even if the customer only spent 50 cents.



It seems utterly nutty until you apply this method to millions of 50-cent transactions every month. Maybe 5 percent of these transactions will be sent to Peppercoin, which processes them through the credit card system. The rest are thrown away. This keeps transaction costs way low. And the transactions that are processed have a value of $10 apiece, which brings in cash to make up for the 95 percent that were thrown away. Spread over millions of purchases, it all averages out.




For those interested in the original sources:

-the presentation by Rivest at RSA 2002,

-the technical paper (math!).
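To see the averaging-out in action, here is an added example (not Peppercoin's own code and not the algorithm from the paper) that decides each token's fate from a hash of its signature and settles a batch of constructed 50-cent purchases; the HMAC-based signature, the key and the one-in-twenty selection rule are assumptions standing in for the real scheme's public-key signatures and selection details.

```python
import hashlib
import hmac
from dataclasses import dataclass

PAYOUT_CENTS = 1000                           # a selected token is worth $10
PRICE_CENTS = 50                              # every purchase here is 50 cents
SELECT_ONE_IN = PAYOUT_CENTS // PRICE_CENTS   # 20: about 5 % of tokens are selected

# Stand-in for the customer's signing key. The real scheme embeds a
# public-key digital signature; an HMAC is used here only so that the
# example runs offline. Constructed value.
CUSTOMER_KEY = b"constructed-example-key"


@dataclass(frozen=True)
class Token:
    merchant: str
    serial: int
    price_cents: int
    signature: bytes


def sign_token(merchant, serial, price_cents, key=CUSTOMER_KEY):
    """Customer side: bind merchant, serial and price into a signed token."""
    msg = f"{merchant}|{serial}|{price_cents}".encode()
    return Token(merchant, serial, price_cents,
                 hmac.new(key, msg, hashlib.sha256).digest())


def verify_token(token, key=CUSTOMER_KEY):
    """Broker side: refuse tokens whose fields do not match the signature."""
    expected = sign_token(token.merchant, token.serial, token.price_cents, key)
    return hmac.compare_digest(expected.signature, token.signature)


def is_selected(token):
    """The two-valued outcome: worth PAYOUT_CENTS or nothing. Deriving it
    from a hash of the signature means neither customer nor merchant can
    steer it, and each token is payable with probability about 1/SELECT_ONE_IN."""
    digest = hashlib.sha256(token.signature).digest()
    return int.from_bytes(digest[:8], "big") % SELECT_ONE_IN == 0


def settle(tokens):
    """Return (cents the customers spent, cents the merchant collects from
    the broker, number of selected tokens, number of rejected tokens)."""
    spent = sum(t.price_cents for t in tokens)
    rejected = [t for t in tokens if not verify_token(t)]
    selected = [t for t in tokens if verify_token(t) and is_selected(t)]
    return spent, PAYOUT_CENTS * len(selected), len(selected), len(rejected)


def simulate(n_purchases=20000, merchant="music-shop"):
    """Constructed batch: one merchant selling n_purchases 50-cent songs."""
    tokens = [sign_token(merchant, serial, PRICE_CENTS) for serial in range(n_purchases)]
    return settle(tokens)


if __name__ == "__main__":
    spent, collected, n_sel, n_rej = simulate()
    print(f"spent={spent / 100:.2f} collected={collected / 100:.2f} "
          f"selected={n_sel} rejected={n_rej}")
```

With 20,000 purchases only about a thousand tokens reach the broker, yet the $10 payouts on those come to roughly the $10,000 the customers spent; on a handful of purchases the same rule gives the merchant either far too much or nothing, which is why the method needs volume.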



Ministry of Finance establishes working group for cost control and payment of supervision

The Ministry of Finance has released a letter in which it states that a separate working group will further investigate the options available to ensure a proper financing and cost control system for the supervision of banks. The problem is that until now, banks did not have to pay for their supervision, while other financial institutions (insurance companies etc.) did. Banks are rather unwilling to pay, however, as they fear financing an uncontrolled expansion of the supervisors. Therefore the working group will also investigate how cost control of supervisors may be achieved.



Interestingly, the letter of the Ministry is published while this same morning a socialist MP (Norder) is quoted in the Financieele Dagblad:

.. undemocratic. ....In contradiction with a proper separation of duties the financial supervisors each establish their own wagon load of detailed regulations, meanwhile also operating as compliance officer and judge. The trias politica in the financial sector has been delegated all into a single hand.... The supervisors are monopolists that determine their own price....



Tuesday, February 18, 2003

Robbery at Brink's money dispatch office

Crime has now shifted from attacking money transport vans to attacking the dispatch office of those vans. De Telegraaf reports that the second car, used to flee from the crime scene, has now been found.



It looks as if the Netherlands will soon be in the situation Belgium was in a couple of years ago. Money transports were halted due to the safety risk and people moved to increased debit-card use at the point of sale.



Hacker breaches credit card security of third party processor

The BBC reports that a computer hacker has gained access to more than 5 million Visa and Mastercard credit card accounts in the US. Consumers do not need to worry, as both Mastercard and Visa apply so-called zero-liability policies. Visa and Mastercard have already contacted the banks involved and will work together with the third party processor to solve the intrusion problem. Do note that this is a US issue.



I would also like to note that this information could be placed in different contexts for different types of use. Visa and Mastercard will probably once again stress that this technical threat is the reason why new and safer products are developed and should be used. Law enforcement officials would do the same, I guess. And I would not be surprised if this issue springs up in the legal battle between Visa and third party processors about being allowed to switch transactions. As such the incident would suggest that it's best not to use third party processors....



Let's see where we stand in a year's time.



Monday, February 17, 2003

Japanese Smart Cards Keep Looking for Smarter Ideas

Ron Onrust tipped me off about this informative article on Tokyo's/Japanese lightweight public transport payment methods.



Postbank teams up with SPAR to provide cash-service-counters

Het Financieele Dagblad reports that Postbank will open 'service counters' in SPAR supermarkets. This is part of the ongoing debate on the service level of banks. The goal is to place these counters in 400 supermarkets. On Friday the first service point was opened in Esch. The idea is that customers can withdraw a maximum of 250 euro per day at the counter.



Debts on current accounts...

..are a real profit maker for banks. Het Financieele Dagblad reports that consumer credit in the Netherlands has increased by 3 % to 16.4 billion euro. Two thirds (10.3 billion euro) is regular consumer credit; the remaining third is actually debt on current accounts (6.1 billion). Credit card debt (mostly 4 months outstanding) amounts to 820 million euro.



Source: CBS.



ABN Amro e-banking usage figures

E-merce reports that ABN AMRO started banking via the Internet in April 2001. Right now, 20 % of its 4.5 million consumers and its 45,000 business clients have the application. And 85 % of those consumers are actually using it.



Ten Banks End Online Gambling With Credit Cards

New York State Attorney General Eliot Spitzer publishes this press statement that explains that ten banks end online gambling with credit cards.



In New York, as in most states, promoting or facilitating unauthorized betting and gambling is illegal -- whether it occurs online or off. However, because Internet gambling businesses usually operate offshore in foreign locations, beyond the enforcement power of local authorities, they often avoid prosecution. Yet, in this case, the banks are all in the US.



The credit card transactions are "coded" by merchants and their merchant banks to indicate to credit card issuing banks (the lenders) what is being purchased. By blocking certain of these codes, issuing banks can avoid extending credit for much gambling activity that occurs on the Internet.



Congestion charges in London: payment by mobile and SMS

Planet Multimedia reports that congestion charging has started in London. Payment of the 5 pound charge may take place by SMS or via the Internet.



My guess would be that the anti-congestion effect is temporary. In two years, traffic will be jammed once again. But the funny thing may be that by then, many cities have adopted the London model (as it appeared to work in the beginning....).



Facts of today:

Transport for London said

-traffic was about 25% lighter than normal and that there was no evidence of significant congestion problems but a spokesman conceded: "It's still very early days."

-that 66,000 people had paid the charge by 3pm and it expected more would do so on the way home.



See also:

-website of congestion charging London

-BBC article.

Friday, February 14, 2003

Account number portability: Minister of Finance says more than was agreed to.....

Yesterday the parliamentary Committee that discusses finance issues spoke with the (caretaker) Minister of Finance, Mr Hoogervorst, on the topic of number portability: the possibility to use the same account number regardless of the bank you're with. This issue has been debated for some time but leads to a lot of confusion. Banks state that it is too costly; different pieces of research show that consumers are not asking for it, nor willing to pay for such a service, but a small group of policy makers still view it as the solution for increased competition in the market.



In the debate with the Committee Hoogervorst said that Dutch banks would introduce account number portability. Both his own staff and members of the Committee were surprised. Everyone knows that the banks are now introducing an account transfer service to ease the transfer for those that move accounts. The costs are considerably lower, while the same goal is achieved. Even when urged to be more specific, the Minister repeated his answer, but with the addition that he meant it would be introduced in the long run, being 8 years (the point in time where all Dutch banks probably plan to use a uniform 10-digit system for account numbering).



The Dutch Association of Banks was asked for comment and its spokesman denied that banks had agreed on this Account Number Portability. The banks have only agreed to first introduce the account transfer service and then evaluate whether that was sufficient. Further debate and agreements will take place in the Maatschappelijk Overleg Betaaldiensten (Payment Council, which serves as the Dutch public platform for discussions on payment services).



Source: Het Financieele Dagblad

Thursday, February 13, 2003

Visa reports increased on-line usage

This BBC article states that on-line sales in the UK have increased:



Total Visa transactions

Q4 2001: 14.5 million

Q4 2002: 31.1 million



Sales volume

Q4 2001: 1.1bn euros

Q4 2002: 2.6bn euros



Fastest growing sector: Tourism/Entertainment, +531%

Slowest growing sector: Services, +57%



See also the Visa website for more statistics.



Nipo reports user will pay extra for 3G services

Nipo research shows that consumers may be willing to pay an extra 6 to 10 euro per month for 3G/UMTS services. Examples are mobile e-mail, MMS, location-based services, etc.



Wednesday, February 12, 2003

OFT's preliminary conclusion on Mastercards' Multilateral Interchange Fee

The UK Office of Fair Trading has released a press statement and report in which it essentially explains that the MasterCard agreement, containing a multilateral interchange fee for credit cards, does not comply with competition law. It is a preliminary statement, but if the OFT does the same as the Reserve Bank of Australia, its position will have an impact on the UK and European market.



Download the full OFT report.





Tuesday, February 11, 2003

Minister Hoogervorst starts bank BUS-tour for the elderly

Today at 1.30 pm, Mr Hoogervorst, Minister of Finance, officially started using the ABN AMRO - ANBO Service bus. This is a bus in which ABN AMRO provides bank services (for elderly clients in remote and rural areas) and in which the Union of the Elderly (ANBO) also provides its services. The bus will start touring as of February 24 and will visit 12 locations (6 per week) in two weeks. See also this press release.



The initiative of ABN AMRO should be viewed against the background of a considerable reduction in bank branches and the complaint of interest groups that the service of banks is being reduced too much. It is also relevant to note that a draft law is in preparation (MP Crone) that would oblige banks to open branches in certain areas. As a result all banks are working to ensure proper service delivery. In the elderly segment, Rabobank focuses on further introduction of the Chipknip as the payment instrument in homes for the elderly. And Postbank started in November 2002 to introduce so-called money withdrawal service points (a franchise service for small shopkeepers).



Monday, February 10, 2003

Paying for supervision.. who's auditing?

Het Financieele Dagblad reports that Dutch banks will soon have to pay for the cost of the supervisor. Yet, in exchange the banks demand a tighter control on the expenses (as they believe these expenses are too high). Two models are now being discussed:

1 - 15 % of the supervision budget will be paid out of public funds; the rest is to be paid by the supervised organisations,

2 - all expenses will be paid by the supervised organisations, but an overseeing budget council will monitor the development of these expenses.



One option not in public discussion is to assign the budget monitoring role to the Algemene Rekenkamer (the national audit institution). This organisation will need to visit the central bank/supervisor anyhow, as De Nederlandsche Bank is a very hybrid organisation that combines the provision of public and private services and also receives considerable income (seigniorage on bank notes). Any such organisation must be audited, if only to maintain a level playing field vis-à-vis the private sector. So DNB has a strong need to establish proper internal accounting and expense allocation systems that allow its private services to be competitively priced and its public services to be properly monitored. And the national audit institution is the appropriate organisation to audit this.



Saturday, February 08, 2003

Secoin is testing system for micropayments

Planet Multimedia reports that Secoin is starting tests with its system for micropayments. Apparently (and despite clear explanation by the central bank) Secoin is of the opinion that it is not an electronic money institution. Given that the system involves attracting deposits from the public, the only regulatory alternative would then be to consider Secoin a regular credit institution......



Billing: a profession in itself

I just received a letter from my ISP (dated 5th of February) stating I had to pay my bill. The letter was really unfriendly, with threats of knocking me out of their systems. So I checked my bank statement to find out if I had missed something, but I had paid properly on January 31. So I mailed the people at creditcontrol@planet.nl to inform them of their rather untimely and incorrect letter, and suggested they combine their three different bills into one, collected by direct debit.



Which goes to show that billing is a profession in itself. See also the oration of George Huitema (here available in Dutch) and the website of the Global Billing Association.



Friday, February 07, 2003

SWIFT preparing for the future...

Het Financieele Dagblad wrote an article last week on the position of SWIFT. It was noted that SWIFT is turning to non-bank customers as well, in order to expand its operations. The article also notes that SWIFT is moving to an IP-based infrastructure. See also the website of SWIFT.



Wednesday, February 05, 2003

France prepares nationwide launch of purses and smart cards

Mercury News reports that France is preparing a nationwide launch of e-purses. Also, in Paris the use of the e-purse for parking appears to be a killer application.



See also the earlier agreement of French banks and enterprises to move to a new generation of chip applications.

Joint accounts targeted for bank fraud

This morning De Financiële Telegraaf reports a new fraud method. Fraudsters send in a form by which they become the joint owner of an account. Not an easy fraud, as it requires forgery of identity papers, obtaining the account information/signature of the legitimate account owner, as well as control over the delivery/receipt channel. Yet a number of incidents occurred where fraudsters received a debit card and PIN code on the 'joint account', which was then plundered. Procedures at the Postbank (where the fraud was first observed) have now been tightened.



Tuesday, February 04, 2003

Telco's will be banks... or are they already?

John Caspers pointed out that Mobilkom Austria has, as the first telco company worldwide, chosen to obtain a bank license in order to provide the full spectrum of pre-paid and postpaid billing solutions. Its bank is called A1 Bank.



After taking a stake in Paybox austria on 13 July 2001, mobilkom austria founded a bank in January 2002, as the first mobile network operator worldwide. A1 Bank holds the banking licence for carrying out payment transactions. "With the combination of a mobile payment solution and a banking licence, we have all the competences needed to develop innovative m-commerce applications for our customers. These are micropayment solutions, prepaid solutions and guarantees towards Austrian merchants. At the same time we have established a standard that gives all mobile phone customers in Austria access to services and guarantees secure payment transactions," said Ametsreiter.



Paybox, wasn't that a mobile payment thing.... once...?

Economic historians may still grab the opportunity and use Google's cache to download the Paybox demo or browse the older pages. But this window of opportunities will most probably disappear quickly.



Monday, February 03, 2003

Survey on direct debits by consumer union

The Dutch Consumer Union reports that a survey (1700 participants) shows that 20 % of the respondents have at some time experienced operational problems with the direct debit product. The problems are:

- wrong amount debited,

- banks too slow to respond and reverse the direct debit,

- amount debited without authorisation of the customer.



The Consumer Union has called upon the Dutch Association of Banks to improve the situation as far as the banks are concerned. See also the list of 40 complaints of the Union, in which it becomes clear that utility companies (bulk users of direct debits) make a mess of their billing/administration.



In my view, the solution for this problem would be to improve the feedback loop for individual banks and create a financial incentive to reduce operational errors. See this link.



New currency in the Netherlands... : Raam

David Post reports in Het Financieele Dagblad about the issuing of a new currency called "Raam" (which translates as Window). The central bank DNB said it would launch an investigation into possible legal violations.



The Raam (see Ceejee for image) is issued by an organisation founded by Maharishi Yogi. The Raam is printed by Johan Enschede (printer of numerous bank notes all around the world, including the Euro) and is issued in denominations of 1, 5 and 10 raam. One Raam is worth 10 euro.



The Raam was issued on 19 October 2002, with Limburgs Dagblad having the first article:

Vlodrop. The Fortis-bank issues the new currency of the Maharishi- the name is Raam- only at the Roermond branch. This was emphasized by Fortis yesterday, a day on which collectors and those interested from all over the country started to learn how to become owners of the new Raam notes.



According to spokesman M. Bongaerts of Fortis Nederland, the bank only sells the notes in Roermond as a service to Maharishi, an important customer of Fortis. The Maharishi wants to use the currency to supply Third-World countries with a strong inflation-resistant currency. The notes will be used primarily to finance organic agriculture projects.