Repairing the Apple Pay Vulnerability

The Apple Pay architecture works; financial institution (FI) validation of its users once again fails miserably. FI must protect all their customers better and Apple Pay users far better. There is no excuse for retail FI to continue to live in the stone ages. There is no excuse for FI not evolving with continuously changing attacks on accounts in their care. The FI approach: “this vault worked for our founders and we will not change it now” is bankrupt. FI need to continuously review their security posture and create architectures that evolve with attacks or everyone will pay increased fees to cover FI unnecessary losses.

The Apple Pay vulnerability allows thieves to enter stolen payment card data to use as payment. FI receive an initial request to validate the user of the payment card data. FI need to improve their validation techniques for this preliminary non-financial transaction and use these techniques for all their varied cardholders, regardless of the payment initiation methods they use. 

  

At a minimum if FI customers plan to use a personal electronic device (PED), then the FI needs to send a text message or an email to their customer on receipt of a validation request. If the card holder does not respond appropriately to the validation request within reasonable time then the FI denies the validation request. FI cardholders with greater value at risk need better protection. FI should store a picture taken while the customer is present in the FI and compare it to the same picture stored in the customer’s PED during the initial validation of  payment card data stored on a PED.

These techniques in today’s  Wild West require that Apple and its competitors create standards for validation of cardholders and the PED applications. Once again greed prevents the development of standards to protect the paying public so FI fees increase to cover preventable losses. Government cannot create laws to protect users from FI incompetence without creating significant greater costs to FI. Perhaps a patchwork of differing FI techniques to validate its users will serve until the techniques becomes routine and therefore non-proprietary and therefore ripe for a standard.

Regardless of the uniformity of approach, FI, and financial application developers need to consider vulnerability posture before releasing payment solutions to the paying public. Whether the validation request comes from Samsung Pay, Apple Pay, or Google Pay, FI need to prove the request comes from their customer and not an impostor. FI know how to compare data from a transmission to one stored on their processing platform. FI know how to create response transmissions. FI know how to set a timer to expire if there is no response from a cardholder. Knowledge is worthless however if FI continue to think that a physical vault protects their customers from attack.

Next Blog: Removing the Security Standard Development Obstacles

Samsung Pay Changes Everything

The Samsung Pay application gives retailers the chance to control their destiny in the payment space. However, big block retailer predilection for restricting consumer choice instead of expanding consumer choice, likely will let this great opportunity pass by them unused. It is difficult to imagine the logic of angry retailer executives under siege by the payment services industry but their actions show their infantile understanding of something typically right in their wheel house: pricing.

The Samsung Pay application allows consumers to pay for purchases by sending a magnetic wave to the reader heads of a point of sale (POS) device. Thus a well designed POS device can process a wide range of transmissions including allowing consumers to choose a method of payment other than a payment card. Simple code changes within current deployed base of POS devices has the possibility of allowing consumers to change their method of payment to an e-check or ultimately a crypto currency and require their customers to pay them for more expensive payment choices.

The payment services industry will not sit idly if retailer surcharges soak cardholders, but the payment industry allows retailers to offer discounts for customers using cheaper methods of payment such as cash.  If retailers announce a convention such as track 2 beginning with digits not used by payment cards (such as 000) followed by financial data such as a routing and account numbers then  a POS device can originate a real time authorization request followed by fast settlement, without swipe fees, charge backs, or liability for the theft of a consumer account.

The best retailers will present a POS device that allows consumers to enter data that establishes proof of identity as a form of protection that separates a retailer from its competitors. Consumers though will ultimately react to lower prices for cheaper payment methods. If there is not a percentage plus fixed fee attached to the price of a purchase (such as a donut dipped in chocolate and peanuts accompanied with Hawaiian coffee with real sugar and cream) then all (including hospitals specializing in cardiac services), but the payment services industry, will rejoice and pay lower prices by using non-proprietary methods of payment.

Of course Samsung Pay presents the same risks of attack as Apple pay (see http://paymentnetworks.blogspot.com/2014/09/review-of-iphone-payment-initiation.html ) and there is no antidote for electronic theft at the least secure point of its transmission, however the price of admission for electronic theft continues to increase and the Samsung payment application raises the bar higher.  Fraud will decrease because of the ubiquity of magnetic stripe readers and not from the EMV boondoggle.

Will retailers use the capabilities of magnetic transmission to their advantage? Perhaps retailers will use pricing to combat the torment of the payment services industry. Perhaps financial institutions will offer portals for e-check approvals without acquirers. Perhaps pigs will fly.

Next Blog: POS architecture for Magnetic transmission

A Retailer Strategy for the Payment War

Retailers need to help themselves in the payment wars. The solution to high swipe fees; charge backs; reversals, and monopolistic practices of the financial services industry is creating a new form of payment acceptance that retailers control. Some national chains attempted to do this with the CurrentC approach, a disaster in the making because it limits consumer choice (see http://paymentnetworks.blogspot.com/2014/10/why-retailers-cant-build-payment-systems.html). Retailers must let consumers choose their payment method but let the marketplace influence consumer payment choice by controlling the pricing of payment methods.  If retailers let the payment services industry cram the EMV boondoggle in their places of business then they acquiesce to increased costs and lower margins after spending precious capital improvement budgets deploying the boondoggle or a haphazard response to the boondoggle.

Retailers now let the payment services industry dictate the equipment to originate payments in stores.  Retailers need to design payment equipment with payment system architects and point of sale (POS) manufacturers.  With custom built devices and new standards created by retailers and given as specifications to the POS equipment manufacturers, plastic with a stripe or a chip will be an overly expensive device that consumers rapidly abandon.

Retailers can piggy back the current requirements and specifications to their new device and surcharge for plastic (or discount for non-plastic) card payment by use of easy configurable settings on their custom POS device. Further, the POS device must easily allow or disallow certain payment options all together. If acceptance of credit card transactions is too expensive then retailers can configure the device not to originate payment without a personal identification number (PIN).

Configuring the device to accept the currently accepted methods of payments though will not give retailers the real advantage in the payment wars. The design of the POS device must accommodate payment evolution and not just telephone currency, digital currency, and e-checks. The device needs to accept non-chained based digital currency issued by independent issuers of digital currency. The device must be configurable to lower risk of payment acceptance by authenticating various elements of the payment data in real time.

For example a customer uses an e-check application on their phone. The POS device communicates the amount of the purchase to the e-check application. Once the phone user authorizes the use of the e-check application (by a method dictated by the phone and its user) then the payer application creates an electronic signature on top of the e-check already signed with the issuing bank’s public key. Interception of this data by an attacker is worthless because the payer signature uses hashed data built from data within the phone (also stored at the financial institution), the geo-code, and the local time (sent unencrypted with the message).  The FI accepts the check in real time (after validating the signature) and settles the money to the retailer bank on the same day. The FI notifies the retailer of the action in real time. The FI does not need an acquirer, merchant number, or to pay a swipe fee. The POS device routes using the routing number stored within it (just like use of the bank identification number (BIN) used by payment cards acceptance devices today).

If retailers architect a good solution then a POS device and electronic wallet soon will negotiate the cheapest payment option for both the retailer and the consumer (based on the configuration of both devices) and the retailer or the customer may not necessarily know what method originated the payment especially if actually resides in the same consumer account.

Next Blog: White Elephants roaming the Payment sphere

Is a Retailer Revolt from EMV in the Near Future?

Bad group thinking created EMV and now bad group thinking is trying to cram it down the throats of reluctant retailers. Threats of fines, charge backs, increased fees, and the rest of the arsenal wielded by the major players of the payment services industry does not seem to have yielded the expected results. “Wait until fall”, say the bad group thinkers; but an unexpected reaction may revolutionize the retail payment industry.

Small retailers, such as the bodegas, convenience chain stores, and others making rapid small value sales may refuse to originate credit card transactions.  Patrons will start entering their PINs so these retailers do not have to pay for counterfeit card transactions. This natural evolutionary response creates a remarkable consequence, on-line retailers that accept EMV cards will take the brunt of fraud attacks because EMV has no protection against card not present (CNP) fraud.  The EMV boondoggle thus moves the smaller retailers to a more secure solution than EMV at a fraction of the cost. Use of a PIN accompanied by derived unique key per transaction (DUKPT) encryption is the heart of the Chip and Pin solution (the British EMV application).  Small US retailers will employ the exact same technique.

The unintended consequence of bad group thinking creates focused attacks against on-line retailers. Amazon and the rest will bear the brunt of new costs based on issuer losses and thus level the costs for on-line and traditional retailers. People will swarm to Main Street in droves.

Maybe the coming small retailer revolt will have other consequences. Since smaller retailers will not bear the costs of upgrading their point of sale (POS) equipment, and will not pay obscene fines for payment industry stupidity, they will become competitive again with the large national chains. If a hammer costs the same at Joe’s as it does in the Humongous, why not buy it at Joe’s. Walking down the street is healthier than a 20 minute car ride anyway.

Payment technology has advanced beyond the plastic solution and the knee-jerk response to adopt the EMV boondoggle sounds the final death knell for an obsolete solution. Vested interests cannot prevent the Federal Reserve (the US central bank) from creating a modern small value payment solution, much as the lobbyists may try. Maybe if the politicians could stop the Fed as they stopped single payer health solution then EMV would succeed in the US. But the Fed is independent, and lobby proof (although they do seem receptive to new and creative ideas).  Internet and phone companies soon will become the infrastructure providers for payments and the retail world rejoices with lower fees and increased sales.

Next Blog: The new payment system attacks

8583 is Obsolete; So Why Don’t Payment Networks Replace It

Using a bit mapped data protocol in an HTML world is a bit like using candles to light a house. The candles only light parts of the interior; the occupants must carry a candle around from room to room; and wax drips on every surface with the slightest breeze. ISO 8583 similarly requires data remain in a precise location; requires a maximum length; cannot allow different data attributes; and does not allow the growth of new fields easily. In today’s rapidly evolving payment infrastructure, the use of such a dinosaur as 8583 increases transaction costs, increases the risks of badly formed messages, and slows innovation.

There is a good reason why the payment services industry does not use a tagged based data protocol (such as 20022); it may make many players in the industry obsolete.  If a data protocol can be accessed easily and free from anywhere on the net; have fields added by anyone that needed to add one (by use of schema links attached to messages); and use HTML; then payment messages to issuers need not originate from acquirers, forwarders, or gateways. Any personal device has the ability to transmit a payment order using a common tagged based protocol and it is simple for financial institutions (FI) to write sending and receiving applications using the data protocol.

Enhanced security may cause this shift away from the current status quo. All transactions will need approval in real time, originate from a known device, use a derived encryption key unique to the device, and contain a meaningful origination location. Issuers can create many varied security methods using different logic for validating users. This diversity of approach minimizes the gain from any one successful attack.

There will be no difference in paying a person, or a business, or a government.  Payers can pay the fees associated with use of such a system, which issuers may waive to encourage the use of their institutions, especially for large value accounts. Issuers also may be able to collect sales taxes depending on the interpretation of the data and immediately move the money to the government entities benefitting from a particular transaction.

Apple Pay and the grousing about interchange fees may also start the move to a better data protocol. How long will it take before the internet industry gets tired of moving payment data through the likes of First Data? When will Google negotiate with the big issuers, create their own links, use their own modern data protocol, and become their own authorizing agents?  FIs can stop worrying about courts limiting their interchange fees and make any deals they want until true competitors force fees south.  The first step: create the data protocol and place it on an easily accessible site and see what happens.

Next Blog: What happened to the anticipated data scraping attacks over the holidays, shhhh

Importance of Anonymity For Accounts Used By Students

There are numerous studies linking good nutrition and education (see for example:  http://www.nal.usda.gov/fnic/pubs/learning.pdf,  http://www.cdc.gov/HealthyYouth/health_and_academics/,  and http://www.nature.com/nrn/journal/v9/n7/abs/nrn2421.html )

Linking nutrition to intellectual growth does little good however if access to a needs based nutrition account creates stigma for the users. Stigma prevents poor students from participating in nutrition programs (see for example: Mirtcheva, D. M. and Powell, L. M. (2009), Participation in the National School Lunch Program: Importance of School-Level and Neighborhood Contextual Factors. Journal of School Health, 79: 485–494. doi: 10.1111/j.1746-1561.2009.00438.x; Found at http://onlinelibrary.wiley.com/doi/10.1111/j.1746-1561.2009.00438.x/abstract ). 

Anonymity prevents stigma, and any payment token masks its funding source, or at least has the capacity to do so. Giving everyone in a community equal access to the necessities required for public education including access to nutritional foods, books, and transportation increases the pool of educated people needed to lead and serve their societies in future generations.  That makes creating a payment token that masks the origin of its funding source and making that token the sole medium of exchange for all purchases made while in the loco parentis of a school system vital for social mobility and a strong middle class.

Each independent school system typically issues a student identification card associating a unique number with a student enrolled in the system. School systems can map that unique number to a payment token in ubiquitous use within the same local area as the school.  Diagram 31 depicts the concept.

Diagram 31; Masked Funding for Student Payment Systems

The flow of funds from the student to the points of purchase must be the same for all students, regardless of the funding source. A school payee can only accept one form of payment which is the token issued by the school system. If (inevitably, when) an ID is lost, or stolen then manual entry of the ID must be available (accompanied by a real-time check for last use).

The standardization of payment for access to all the necessities of education will eliminate stigma of needs based recipients permanently and societies will benefit from the growing confidence of the next generation.

Next Blog: Busting Retail Payment Monopolies

Will the New US Relationship with Cuba Create the First Cashless Society

Looking at the new rules for US citizens traveling to Cuba prompts questions about what a remittance is or if access to money is the same as money. Can a US traveler to Cuba give a potential local business associate a payment card with an associated large value limit? Can a US traveler create an account on an African phone and fund it with large value and give it to a Cuban national for business development purposes? Do US citizens need to take such steps at all since US banks can now create Cuban correspondent accounts and thus effectively create gross real time payment access (although “real time” may be a bit optimistic in this case)? Will the Cuban tourism industry now accept payment cards issued by US financial institutions (FI)?

The Cuban Government intends to unite its dual currency system and make other reforms. However, requiring Cuban FIs to comply with BASEL II, instituting a large value real time payment system, or a deferred netting system (regardless of the periodicity of settlement), and generally providing a financial infrastructure allowing Cuban citizens to amass wealth from outside sources will not sit well with revolutionaries in Havana. Perhaps the distrust of the capitalist system that fomented the Castro Government will lead to the development of a new type of fiat currency and a new type of payment system that will resolve several issues at once.  

Instead of forcing business to exchange foreign currency to Cuban Convertible Pesos the government may allow their citizens to keep the currency in their original denominations if the government can pool that money into an account and issue digital currency strictly backed with the foreign reserves. Effectively such a system will give Cuba three types of currency, but likely not for long. The limiting factor of such a system is the availability of modern cell phones and other like equipment capable of storing, transmitting, and receiving digital currency securely. If the Cuban government promotes the ubiquitous flow of digital currency backed with hard fiat currency then the creation of a cashless society may be a step away. The Cuban central bank issues and redeems the digital currency; there is no foreign exchange (since the issuance is in the currency pooled at the central bank); the other two Cuban currencies will quickly fail to be used and be converted to the digital currency as fast as the foreign currency is amassed.

The Cuban Central bank redemption activities will soon dwindle to nothing and once both versions of pesos move into a digital form then there will be no impetuous to keep any non-digital currency at all. Certain activities such as insuring that all Cuban citizens have access to a personal electronic wallet; making clear transparent regulations on the audit of foreign currency pools; and limiting the power of the government severely to revoke the certificates embedded in digital currency will ensure the success of the endeavor and make the Cuban cashless society the envy of modern governments worldwide.

Next Blog: Contraband: the destroyer of a cashless society