The Financieele Dagblad reports that the processing time for inpayments and credit transfers at the Postbank is lengthening due to the introduction of new automated work methods. What usually takes one day (encoding the payment) now requires two to three days. On average, Postbank processes 400.000 of these payment orders a day. The delay is now three to four days.
The Postbank also informs its customers on the website and underlines that the delay is only related to payment orders via the regular mail. Payments through its e-banking system (Girotel) and IVR (Girofoon) are not affected.
Monday, March 10, 2003
Postbank temporarily slower in processing credit-transfers
Friday, March 07, 2003
Focus-in and payment with Switchpoint
Planet Multimedia reports on the failure of dating site Focus-in to apply the payment product Switchpoint successfully. The business model required a single payment for each reaction to other candidates. Other dating sites use a different model in which candidates need to sign up for at least one month and pay by direct debit.
I guess this 'failure' is more about business models than about payment issues.
Ministry of Finance responds to questions on cost and price of cash distribution..
The Minister of Finance today published his reply to questions of MP Crone. These questions were asked because banks increased their fees for depositing coins. And their reason for doing so was that the Minister of Finance stopped subsidizing the coin distribution in the Netherlands.
In the reply to MP Crone it becomes clear that in the future we will be confronted more and more with European rules that specify that government bodies that are active in the market may not be subsidised and must use cost-plus based pricing models. The result will often be an increase of fees and prices for the intermediary and end users.
This may sound negative. But the benefit is that any market player that knows how to do it cheaper, may step up to offer its services, without undue/false competition of a government sponsored entity.
Contactless Payment White Paper
Tuesday, March 04, 2003
Securicor may take over Geldnet
Increase the trust in e-commerce by quality labels..
At a workshop on quality labels, Haitze Siemers, European Commission, Deputy Head of Unit, DG SANCO held a talk with the title:
Trustmarks for e-commerce - ensuring consumer confidence – Proposal for a Commission Recommendation
It turns out that the Commission may be recommending common guidelines for trustmarks. If these recommendations are not sufficiently followed up by market players, a directive may follow. But then again, let's first await the recommendation.
Another pin-fraud ...
Trouw and Volkskrant report today that 72 customers of a gas station in Doetinchem have become the victims of another skimming attack (that took place on 5 and 6 February). Banks will pay the damages and have replaced the cards. The police are pursuing the thieves.
An earlier article by the Volkskrant tells about the conviction of a thief who swiped the cards in April last year. The criminal, an employee of the gas station, was sentenced to only 4 months in jail (of which 2 on probation), 60 hours of community service and 2 years of conditional freedom (if he does it again he will be punished tougher...).
Now that seems to me too much of a light-weight approach to prevent these annoying crimes.
Mobiel Mokum desires e-money parking in Amsterdam
Het Parool reports that one of Amsterdam's local political parties (Mobiel Mokum) suggests the introduction of e-money payments for parking. The political party refers to examples in Nijmegen and Rotterdam and proposes the introduction of separate pre-paid cards for parking. As for the financial element: Mobiel Mokum believes that the cost of terminal management may go down and also that some money can be made from sponsorship logos on the face of the card.
I am not sure if I understand the proposal correctly. Cities are already in a position to buy pre-paid chipcards from Interpay and sell these to the public. So I assume the proposal is to make cash payments impossible. Yet, city regulations make it hard to impose a single payment system throughout the city. So there may be some more discussion and negotiations ahead before this suggestion becomes reality.
On the air... direct debit via Internet
Local news station RTV Noord Holland had a customer complaint with respect to an unjustified direct debit. Mrs Dobbe found that an unknown company had debited her account. Instead of phoning her bank she phoned the company (Volat BV Kadopost... for 0,45 euro per minute....). They promised a payment reversal but did not live up to their promise.
RTV Noord Holland phoned the company to enquire. The company explained that the payment was made as a result of an Internet-direct debit and that the Postbank had made an error. Also on the phone line was Gijs Boudewijn of the Dutch Association of Banks. He explained that no such thing as an Internet direct debit existed (yet), because it turns out that such systems may be error prone. RTV Noord Holland made Volat promise to reverse the payment, which they did.
Later on another customer complained about a similar debit from their account. The direct debit was, upon request, reversed immediately. So, this was an example where the direct debit procedure worked fine. Still, RTV and the customer felt that banks should not have designed the direct debit system so that it requires consumers to take action if anything goes wrong. Mr Boudewijn continued to explain that with almost 1 billion payments via the direct debit procedure, the costs were as low as possible. But banks will be seeking improvements and a solution for direct debits over the Internet.
See also my proposal to solve this: 3D-liability shift for acquiring banks. And maybe it is an idea to charge companies that make errors in these procedures, an administrative fine of 25 euro for the payment reversals/chargebacks. It helped for credit-cards, should also work for other products.
Monday, March 03, 2003
60 customers a day...
... line up at the offices of the central bank to deposit their guilders. And another 60 letters per day are being sent with the same request: exchange these old notes for new euros. Newspapers inform us that these 60 customers need to wait quite long when they are in the queue....
Saturday, March 01, 2003
It's all about money....
... was one of the records in the radioprogramme Boei made by the local news station Rijnmond. Being Rotterdam born/bred I had the pleasure to visit my hometown to participate, together with Bart Jacobs, in a one hour discussion about payments, security, the future of money. Of course in one hour, we could only scratch the surface of these topics, but I hope it was as enjoyable for the audience as for us in the studio.
Friday, February 28, 2003
Iris recognition in ATMs?
A famous Dutch humourist (Wim de Bie) had a visionary view on the use of biometrics in banking. Already in 1988 he predicted in his book Schoftentuig (pages 22-24) that banks would implant the magstripe under the skin of the forehead, would tattoo the pincode in the top of the pointing finger and would implant a proximity token in the tongue of their customers (while surcharging the consumer a fee of 50 % per transaction). Now, Erwin Boogert sent me this Australian article on the use of iris recognition in ATMs.
For this to become reality in the payments industry however, we will need much better computers that allow the error rates (false rejection rate etc.) to be reduced to almost zero. I'd give it 20 years from now on, before we use biometrics in payments.
Thursday, February 27, 2003
Preventive fraud measures
Very silently, Dutch banks are taking a number of protective measures to prevent debit-card pin-fraud from occurring. Debit-cards are being reissued through a number of strategies (that differ per bank). One customer actually saw their debit-card disappear into the ATM of a large bank. Upon request the bank informed the customer that this was a preventive measure as the card had been used in an infected payment-terminal. Within 4 days a new debit-card was issued.
Monday, February 24, 2003
Bank ATM Security Not So Secure ... ???
Both the Volkskrant and OSNews.com report that Cambridge researchers have found flaws that may have an impact on ATM-security. An article in e-week explains more. It turns out that as a part of a court case, scientific evidence is used to back a claim of a South African couple.
The case concerns a South African couple that claims someone used their Diners Club card to make 190 withdrawals at ATMs all over the U.K. while they were in South Africa. The card's issuer says that's not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card.
As part of the defense, Bond has been asked to testify about the ATM-related weaknesses he and Zielinski address in their paper. However, the plaintiffs, Diners Club SA Ltd., have asked for a secrecy order around the testimony of Bond and other security experts, saying that the publication of the ATM issues described in the paper would harm their business and open their networks up to attack.
The Register has some more detail:
Mike Bond and Piotr Zielinski have published a paper detailing how a complex mathematical attack can yield a PIN in an average of 15 guesses.
The Register also provides the reference to the original paper:
Decimalisation table attacks for PIN cracking, by Mike Bond and Piotr Zielinski of Cambridge University. One can learn that the attack is one that needs to be performed by internal bank employees with a considerable amount of knowledge and access to resources.
Now the one-million or $80.000 question is of course: is this paper on an internal employee attack relevant to the court case? In my view it may not be. The essential questions to be asked by the judge are:
- when did the couple first discover the illegitimate ATM withdrawals?
- where did they use their card in the months before these withdrawals occurred; could their pin have been detected/observed at those instances, whilst also skimming took place?
- are there any more similar fraud occurrences with other account holders that may imply an organised crime which involves the technical attack as described in the paper?
- are there other indicators for perhaps a less sophisticated but similarly effective internal procedural fraud (an internal employee orders and intercepts a regenerated pin-code; ordered because the account holder 'forgot their pin')?
- do the couple know each other's pincode?
- when did they report the losses to their bank?
- who actually made the withdrawals, and was it always one individual or does the pattern imply an organised multi-ATM attack (photos at ATM sites)?
- when did Diners start becoming aware of the irregularities in the withdrawal pattern (repeated withdrawals may point to fraud)?
- did the couple use their card regularly for this purpose?
- did the couple extend their credit-line recently?
As for the Netherlands, this attack may not be immediately relevant to our ATM security. The technical attack involved is also rather unlikely. Any situation in which a corrupted programmer would have access to the operational ATM infrastructure and authorisation protocols would be a breach of the strict requirement to separate development and operational ICT environments.
Then again, even if such an attack occurred, the detection and logging application should be able to detect corrupt polling of the HSM to obtain more detailed information. All that the bank needs to do is summarize the HSM logs of the past years and check whether anomalies exist with respect to a sudden increase of verification requests. If not, it is rather unlikely that the attack described in the paper is the basis for the illegitimate ATM transactions. And that's what the court case was all about.
Still, this is an interesting case. I'm curious if we get more details on it in the future.
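The log review suggested in this post, sketched as an added example (not code from the blog or from any bank): it summarises PIN verification requests per account and flags a sudden increase. The log layout, the table-id field, the caller allowlist and the thresholds are all assumptions made for illustration; the table check reflects the attack named in the paper's title, and the caller check reflects the separation of development and operational environments.

```python
from collections import Counter, defaultdict
from statistics import median

# Assumed log layout (constructed for this example, not a real HSM format):
#   date  caller  account-ref  decimalisation-table-id  result
STANDARD_TABLE = "STD"
PRODUCTION_CALLERS = {"atm-gw"}          # hosts expected to call the HSM


def build_sample_log():
    """Constructed data: three weeks of normal use, then one burst."""
    lines = []
    for day in range(1, 21):
        date = f"2003-01-{day:02d}"
        lines.append(f"{date} atm-gw acct-1001 STD OK")
        if day % 2 == 0:
            lines.append(f"{date} atm-gw acct-1001 STD OK")
        lines.append(f"{date} atm-gw acct-2002 STD OK")
    for i in range(15):                   # burst from a non-production host
        lines.append(f"2003-01-21 dev-ws-7 acct-2002 ALT-{i:02d} FAIL")
    return lines


def summarise(lines):
    """Aggregate verification requests per account."""
    per_day = defaultdict(Counter)        # account -> {date: request count}
    tables = defaultdict(set)             # account -> table ids seen
    callers = defaultdict(set)            # account -> calling hosts seen
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip blank or malformed lines
        date, caller, account, table, _result = fields
        per_day[account][date] += 1
        tables[account].add(table)
        callers[account].add(caller)
    return per_day, tables, callers


def find_anomalies(lines, spike_factor=5, min_requests=10):
    """Flag days far above an account's own median, plus odd tables/callers."""
    per_day, tables, callers = summarise(lines)
    findings = []
    for account in sorted(per_day):
        days = per_day[account]
        baseline = median(days.values())
        for date in sorted(days):
            count = days[date]
            if count >= min_requests and count > spike_factor * baseline:
                findings.append((account, "volume_spike", date, count))
        odd_tables = tables[account] - {STANDARD_TABLE}
        if odd_tables:
            findings.append((account, "nonstandard_table", len(odd_tables)))
        for caller in sorted(callers[account] - PRODUCTION_CALLERS):
            findings.append((account, "unexpected_caller", caller))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_sample_log()):
        print(finding)
```

An empty result over the relevant period supports the argument made above: without a burst of verification requests, the paper's attack is an unlikely explanation for the withdrawals.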
The interactive organisation...
was the title of the inaugural speech of Prof. Han Gerrits, last Friday. It contained some interesting statements on the effect of interactive media on the provision of bank services. Prof. Gerrits stated, for example, that some of the work that used to be done by banks shifts to the consumer. Yet those banks that still charge customers for the data-entry work that customers do themselves (instead of their bank) still have some more thinking to do with respect to the topic of interactive media.
Dutch readers may download the text here.
Sunday, February 23, 2003
Homeshopping with RTL and Yorin
Peter Olsthoorn reports that as of April 7, 2003, the Holland Media Groep (HMG) will introduce homeshopping on their tv-channels. This service is offered in cooperation with Home Shopping Service (HSS), also a company of the RTL Group.
I bet they'll use mobile phones / credit-cards for payments.
Spam for stolen credit-card numbers...
... actually looks like this:
From: cvv.ru - admin [mailto:admin@cvv.ru]
Sent: Friday, February 21, 2003 3:27 PM
Subject: Stolen Credit Card Numbers - for SALE!
Hello dear X@BY.COM
We have opened a discussion forum at http://www.cvv.ru
We sell stolen credit card numbers - only $2 for each number (Visa or Master Card)! Only $124.95 for bulk order of 100 credit card numbers. We sell fake ids (Driver Licenses).
Write me - admin@cvv.ru
Contact me by ICQ - 319319
Come at - http://www.cvv.ru
Friday, February 21, 2003
Dutch Bankers' Association presents annual report
Yesterday the Dutch Bankers' Association (NVB) presented its annual report. Two regulatory topics were specifically addressed:
- cost of supervision
- taking along the same account number when moving to another bank.
See also previous entries on this blog.
The NVB explained that it could not imagine that consumers would welcome the practical consequences of keeping the same account number. If a consumer wished to keep his/her account number, the new bank would need, during a number of weeks, to reissue credit-cards and debit-cards, and the network tables would have to be adapted to route the card transactions to the proper issuing bank. The NVB also explained that the measures announced (listed below) to facilitate transfer to another bank would most likely cover the problems experienced (or perceived).
1. Credit transfers to the old account will be rerouted (for 13 months) to the new account
2. Direct debits of the old account will be debited from the new account. The company involved will be informed on the fact that the account number of the customer has changed
3. Banks will stop periodic/regular payments and provide the full list to the consumer
4. The customer will receive a number of postcards to inform companies/organisations on the new account number
5. Banks will provide a brochure with practical tips
6. Procedural support for transferring other payment flows (credit cards, debit cards etc.).
All the customer needs to do is send in an account transfer form, two weeks before the date that the transfer is desired. Of course some minor operational problems may be expected upon introduction of this Interbanc Moving the Account Service, but I'm not aware if any other country does it the same.
SSB contract win for processing Dutch/Belgian credit-card
European Card Review reports in their January/February issue that SSB, the Italian 'Interpay' may win the contract of Banksys/Interpay for processing Dutch and Belgian credit-cards. The other contestants for this bid are thought to have been First Data and TSYA.
Wednesday, February 19, 2003
Solving the problem of micropayments with a statistical solution: Peppercoin
Boston Globe Online has a very nice article on a payment technique that is based on statistical characteristics (and thus requires a lot of payments to work). It is interesting enough to quote and let your mind wander...
The service will be free to consumers, who sign up with Peppercoin and provide a credit card number. Now the user can go to any Peppercoin retailer and purchase a single, very cheap item -- an MP3 song priced at 50 cents, for instance. By clicking on a link, the music gets downloaded to the customer's computer. The merchant gets a Peppercoin -- a sort of electronic token that's got the customer's digital signature embedded in it.
What's the token worth to the merchant? It depends. Peppercoin uses an algorithm that assigns a value to the token. Actually it assigns one of two values. Either the token is worth some preset amount -- say, $10 -- or it's worth nothing at all. When the token is worthless, the merchant throws it away. When it's not, the merchant collects $10 from Peppercoin, even if the customer only spent 50 cents.
It seems utterly nutty until you apply this method to millions of 50-cent transactions every month. Maybe 5 percent of these transactions will be sent to Peppercoin, which processes them through the credit card system. The rest are thrown away. This keeps transaction costs way low. And the transactions that are processed have a value of $10 apiece, which brings in cash to make up for the 95 percent that were thrown away. Spread over millions of purchases, it all averages out
For those interested in the original sources:
-the presentation by Rivest at RSA 2002,
-the technical paper (math!).
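The averaging argument in the quoted article, worked through as an added example (not Peppercoin's actual algorithm and not code from the cited sources): a keyed hash over each token decides whether it is one of the roughly 5 percent that are processed for $10. The selection rule, the merchant key and the token bytes are assumptions constructed for illustration; the 50-cent price, $10 payout and 5 percent rate come from the article.

```python
import hashlib
import hmac
import math

PRICE_CENTS = 50                              # price of one purchase
PAYOUT_CENTS = 1000                           # value of a selected token
SELECT_ONE_IN = PAYOUT_CENTS // PRICE_CENTS   # 20, i.e. 5 percent selected


def is_selected(merchant_key: bytes, token: bytes) -> bool:
    """Assumed selection rule: keyed hash of the token, 1 in 20 wins.

    The customer cannot predict the outcome without the merchant's key.
    """
    digest = hmac.new(merchant_key, token, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % SELECT_ONE_IN == 0


def constructed_tokens(count: int):
    """Stand-ins for signed tokens (constructed sample data)."""
    return [f"customer-{i % 1000}:purchase-{i}".encode() for i in range(count)]


def settle(merchant_key: bytes, tokens):
    """Compare what was sold with what the merchant is actually paid."""
    processed = sum(1 for t in tokens if is_selected(merchant_key, t))
    return {
        "sold_cents": len(tokens) * PRICE_CENTS,
        "paid_cents": processed * PAYOUT_CENTS,
        "processed": processed,
        "discarded": len(tokens) - processed,
    }


def relative_std(purchases: int) -> float:
    """Standard deviation of the payout relative to its expected value.

    The number of selected tokens is binomial(n, p), so the ratio is
    sqrt((1 - p) / (n * p)): large for few purchases, tiny for millions.
    """
    p = 1 / SELECT_ONE_IN
    return math.sqrt((1 - p) / (purchases * p))


if __name__ == "__main__":
    result = settle(b"constructed-merchant-key", constructed_tokens(200_000))
    print(result)
    for n in (100, 10_000, 1_000_000):
        print(n, "purchases: payout varies by about",
              f"{relative_std(n):.1%} of the amount sold")
```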
Ministry of Finance establishes working group for cost control and payment of supervision
The Ministry of Finance has released a letter in which it states that a separate working group will further investigate the options that are available to ensure a proper financing and cost control system for supervision of banks. The problem is that until now, banks did not have to pay for their supervision, but other financial institutions (insurance companies etc) did have to. Banks are rather unwilling to pay however, as they fear to finance an uncontrolled expansion of supervisors. Therefore the working group will also investigate how cost control of supervisors may be achieved.
Interestingly, the letter of the Ministry is published while this same morning a socialist MP (Norder) is quoted in the Financieele Dagblad:
.. undemocratic. ....In contradiction with a proper separation of duties the financial supervisors each establish their own wagon load of detailed regulations, meanwhile also operating as compliance officer and judge. The trias politica in the financial sector has been delegated all into a single hand.... The supervisors are monopolists that determine their own price....
Tuesday, February 18, 2003
Robbery at Brink's money dispatch office
Crime has now shifted from attacking money transport vans to attacking the dispatch office of those vans. De Telegraaf reports that the second car, used to flee from the crime scene, has now been found.
It looks as if soon also the Netherlands will be in the situation of Belgium a couple of years ago. Money transports were halted due to the safety risk and people moved to increased debit-card use at the point of sale.