Risk and Privacy Implications of
Consumer Payment Innovation
Ross Anderson
Cambridge University
Overview
• Competition – Sofort, Pingit
• Background on payment service regulation
• Cyber-crime patterns and trends in 2012
• Mobile payment trends
• Mobile wallets
• Carrier billing
• Remittance services, social, credit
• Ways forward for payment service regulators
Buying a plane ticket (1)
Buying a plane ticket (2)
Buying a plane ticket (3)
It’s fronting for this:
Sofortüberweisung
• Rapidly-growing low-cost payment service
– Merchant website redirects to Sofort
– Sofort asks for bank account # and tries to logon
– Relays the authentication challenge to customer
– Uses credit transfer to pay for purchase
• Middleperson attack on online banking!
• Fee 0.75% + 10c instead of 2.5%
• Banks’ law case against Sofort failed after
Federal competition authorities intervened
Pingit
• Barclays product for phone-based payment;
mobile number as proxy for account number
• Phase 1: Barclays customers only; peer-to-peer payment limit £300
• Phase 2: any bank’s customer can use it,
following a one-off direct-debit authorisation
• Background: banks want to abolish cheques
• Could mobile be a mould-breaker like Sofort?
Possible roadblocks
• Mobile payments are really successful in
Kenya, Pakistan, South Africa… and bring
significant social gains
• In developed countries it hasn’t taken off!
Mobile payment predictions of 1bn users,
$1trn turnover “within five years” since 2002
• Innopay 2012 report: need speed, security,
functionality
• But it may actually be about cost…
Possible roadblocks (2)
• Consumer protection better on credit cards
than PIN debit (discount 2.5% vs 1.5%)
• If we move to phone / Sofort at 0.75% there
will be pressure to cut this
• Also, fraud is about 30 basis points online
versus 5 face-to-face
• Protection now good in USA, OK in Fi, Nl, bad
in GB, Spain, Latvia – affects online confidence
• Will Reg E / Reg Z be circumvented?
Possible roadblocks (3)
• The EU do-not-track directive is already causing
grief to online businesses
• Privacy tussles will get worse with mobile –
cellsite location history is sensitive data
• Controversy already: path.com, flurry.com
• Also: interaction with malware
• Now that the bad guys can steal money they are
targeting smartphones (so far mostly dialers, SMS
stealers, and mostly in China, but just wait!)
Future regulation?
• Payment regulation has always been dynamic –
130 years of tussles over forgery, cheque
crossing, settlement, liability, interchange fees, …
• Things are getting ever faster and more complex!
• Ever more of the players are nonbanks
– First Data, IBM, …
– FICO, Experian, …
– Nokia, Blackberry, Google, eBay, Microsoft, …
• Governance is going to be hard
Cyber-crime patterns
• Cyber-crime now defined in EU as just about
every bad thing done with IT! But four basic types
– Traditional stuff like tax fraud and welfare fraud
– Offences with rapidly changing modus operandi like
card fraud
– Novel offences like fake antivirus scams
– Platform offences such as running botnets
• As you work down the list, the indirect cost ratio
(costs in anticipation and consequence versus
direct losses) rises sharply from < 10⁻¹ to > 10² –
like the indirect costs of a mosquito bite
Whither payment fraud?
• Nilson 2010: card fraud $7.6bn (US $3.6bn)
• Our 2011 figures: card fraud costs $9.2bn direct
and $2.4bn indirect
• Online bank fraud costs $690m direct, $1bn
indirect (and rising sharply thanks to Zeus)
• Opportunity costs are greater still (maybe $30bn)
• The move online, and the move to mobile, may
increase fraud losses (even double them)
• ‘Fraud Inc’ might have a market cap over $100bn
• But don’t panic: this may still increase welfare
Existing mobile payment systems
• Biggest success in less developed countries
• Kenya, South Africa: PIN encrypted in the SIM
card, transaction via traditional bank network
• Others send PINs in the clear via USSD, and
take the risk
• Peer-to-peer payments being built out into
peer-to-agent and even agent-to-agent
• Growing ecosystem includes access to
government services and much else
Existing mobile payment systems (2)
• NFC payments started in Japan 10 years ago
• 2011: launch of the Google Wallet (an app
that does tap-and-pay via an SE/ NFC chip)
• 2012: NFC payments being promoted for the
Olympics; TV fear about possible card cloning
• Technical risks include easier relay attacks and
a series of engineering problems with EMV
• Governance problems include reprovisioning
Existing mobile payment systems (3)
• Carrier billing (e.g. premium rate SMS) in pain
• Android malware leading to chargebacks in
excess of 20% in some countries / sectors
• We’ve been here before (modem diallers)
• Fixes:
– remove bad apps quickly from app stores
– instrument the network to spot malware quickly
– delay payment to suppliers
• Industry hopes the SE will fix this, but PBX
fraud is also rising very rapidly
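The two network-side fixes on this slide, spotting misbehaving apps quickly and delaying payment to suppliers, can be expressed as a small piece of analytics over the carrier's own billing records. The script below is an added illustration and not part of the original talk: it assumes a hypothetical CSV record format (subscriber, app id, premium shortcode, amount, charged-back flag) and uses a constructed sample in which one app's charges are being reversed at the "in excess of 20%" rate quoted above. It flags such apps by value-weighted chargeback rate, raises a velocity alert for a subscriber billed repeatedly by one shortcode (the footprint of an app sending premium SMS behind the user's back), and splits the supplier payout into an amount that can be released now and an amount held back until the chargeback window closes.

```python
"""Carrier-billing fraud signals over constructed sample data (added example).

Assumed record format (hypothetical, one charge per line):
    subscriber,app_id,shortcode,amount_cents,charged_back
"""
from collections import Counter, defaultdict

# Constructed sample, not real billing data. app.wallpaper is the rogue app:
# sub03 is billed three times by its shortcode and most charges are reversed.
SAMPLE_EVENTS = """\
sub01,app.weather,80123,150,0
sub02,app.weather,80123,150,0
sub03,app.wallpaper,89999,500,1
sub03,app.wallpaper,89999,500,1
sub03,app.wallpaper,89999,500,1
sub04,app.wallpaper,89999,500,0
sub05,app.wallpaper,89999,500,1
sub06,app.game,80777,99,0
sub07,app.game,80777,99,0
sub08,app.game,80777,99,1
sub09,app.game,80777,99,0
sub10,app.weather,80123,150,0
sub11,app.game,80777,99,0
"""


def parse_events(text):
    """Parse CSV billing lines into dicts; blank lines and comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sub, app, shortcode, amount, charged_back = line.split(",")
        events.append({
            "subscriber": sub,
            "app": app,
            "shortcode": shortcode,
            "amount": int(amount),
            "charged_back": charged_back == "1",
        })
    return events


def chargeback_rates(events):
    """Chargeback rate per app, weighted by value rather than by count."""
    billed = defaultdict(int)
    reversed_value = defaultdict(int)
    for e in events:
        billed[e["app"]] += e["amount"]
        if e["charged_back"]:
            reversed_value[e["app"]] += e["amount"]
    return {app: reversed_value[app] / billed[app] for app in billed}


def flagged_apps(events, threshold=0.20):
    """Apps whose chargeback rate exceeds the threshold (the slide's 20%)."""
    return {app for app, rate in chargeback_rates(events).items() if rate > threshold}


def velocity_alerts(events, max_charges=2):
    """(subscriber, shortcode) pairs billed more than max_charges times.

    Repeated premium charges to one subscriber from one shortcode is the
    pattern an SMS-sending app leaves in the billing stream.
    """
    counts = Counter((e["subscriber"], e["shortcode"]) for e in events)
    return {key: n for key, n in counts.items() if n > max_charges}


def settlement(events, threshold=0.20):
    """Split supplier payouts into (releasable, held) amounts per app.

    Reversed charges are never paid out; flagged apps have their remaining
    payout delayed until the chargeback window has closed.
    """
    flagged = flagged_apps(events, threshold)
    release = defaultdict(int)
    held = defaultdict(int)
    for e in events:
        if e["charged_back"]:
            continue
        bucket = held if e["app"] in flagged else release
        bucket[e["app"]] += e["amount"]
    return dict(release), dict(held)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("chargeback rates:", chargeback_rates(evs))
    print("flagged apps:", flagged_apps(evs))
    print("velocity alerts:", velocity_alerts(evs))
    print("settlement (release, held):", settlement(evs))
```

The threshold comparison is strict, so an app sitting exactly at 20% (app.game in the sample) is not held; in practice the cut-off and the velocity limit would be tuned per sector, since the slide notes that chargeback rates vary widely by country and sector.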
Other sources of disruption
• Low-cost remittance services like oanda.com
• Off-the-wall entrants like Bitcoin
• Facebook credits (but has a 30% merchant
discount, like carrier billing!)
• P2P such as zashpay and popmoney
• Innovations in credit, from ‘crowd’ (zopa.com,
smaba.de) to ‘surveillance’ (Telrock)
• Merchant-side innovation such as Tesco Bank
‘Bad’ payment systems
• Cyber-crooks want irrevocable payments
(watch the UK’s Faster Payments scheme!)
• eGold got raided: Western Union now handles
most of the cashout from core cybercrime
• Webmoney is used internally by crooks
• Porn payments: two-sided adverse selection
• High-yield investment programs (‘postmodern
Ponzi schemes’) have a number of PSPs
Outcomes best avoided
• Could catastrophic fraud close a channel?
• Pessimist: once cash, keys and tokens are all
phone apps, we have a huge target and an
intractable governance problem
• Optimist: if an attack is big enough to disrupt,
where do you send all the money?
• Alternative bad outcome: pervasive carding
that undermines confidence and imposes
large opportunity costs on economy
What might governments do?
• See our paper ‘Security Economics and the
Single Market’, ENISA, 2008
• Better stats on both fraud and malware, start
to fix liability rules, require network-attached
consumer electronics to be secure by default,
better police cooperation …
• Many of these are now being worked on (e.g.
Eurozone fraud stats from this year)
• What should the Fed’s priority be?
What might the Fed do?
• Esther: the Fed must be prepared for crisis!
• The Fed should set up a Fraud Analysis Centre to
collect information from banks, online service
companies, PSPs, CRAs and others
• Someone has to process data to get actionable
intelligence (NCFTA? NACHA?) But someone also
needs to track the big picture – a role for the Fed
• If the Fed wants to do a P2P payment service it
should first study what goes wrong …
Next steps
• Workshop on the Economics of Information
Security, Berlin, June 2012
• Our web page on bank fraud:
http://www.cl.cam.ac.uk/~rja14/banksec.html
• Other current research:
– Econometrics of online crime
– Mobile malware
– Next-generation platform components
NATO meeting
October 10 2011