Beware the “experts”

In today’s New York Times there is an article (http://nyti.ms/ms4F9K)
about the recent Citigroup breach.  It contains a twisted bit of logic about credit card fraud that is equal parts disturbing, irresponsible, and laughable.  The article points out that according to the annual report put out by Verizon and the Secret Service, in 2008 360 million personal records were stolen, mostly credit and debit files.  In 2010 the number decreased to 3.8 million.  Is this due to better early identification of fraud?  Or, perhaps that fraud has moved to other areas?  No, according to a forensics “expert” quoted in the article, fraud is going to jump in 2011 as the accounts compromised in the “vast 2008 thefts expire.”  The logic, if it can be called that, is that fraudsters hold on to and presumably continue to use compromised cards from the moment they are issued until they expire.  In other words, no bank or customers notices the fraud for three years.

Full disclosure here: I was once responsible for fraud analysis and reporting for one of the two large card brands.  But I don’t think that such experience is required to be stunned at just how wrong-headed such a statement is or that it makes its way into the media.  At a high level fraud is either “friendly” or criminal.  By friendly I mean nice, otherwise clean living people, who take advantage of circumstances to commit a crime of opportunity.  Think of the person who finds the card of a previous user on top of a gas tank and thinks to themselves, “Jesus loves me and must want me to have free gas today.”  Or, as I saw once, a woman’s card had been compromised and four pieces of jewelry purchased; each for around $1,200.  She then went and purchased a similarly priced piece of jewelry for herself and claimed it was fraudulent as well.  She must have felt it was owed her for the inconvenience.  I caught her when I happened to be reviewing the signed authorization slips and noticed that the signature on her fraud claim matched one of the receipts and was wildly at variance from the signature on the receipts for the four fraudulent charges.

I was once told by a very large issuer that their policy was that every customer was entitled to one “free” fraud claim.  For example, think of the business man whose wife happens to pay the credit card bill when he is away on a particularly long trip.  She may call the card company to complain that her husband would never spend $500 on porn or gambling and dispute such charges.  All the while the bank representative is looking at a history of such charges on his/her computer screen.  What is customer service told to do?  Eat the charge and tell the spouse something to the effect of, “Oh yes miss, your husband would never do such a thing.  I will back the charge out right away.”  The bank will then gladly process next month’s porn related charges, make its money, and not lose a solid customer.

I have done studies of the behavior involved in true criminal use of credit cards and friendly, or opportunistic, fraud.  The results showed two very clear but different patterns that turned out to be exactly what you would expect if you sat down to think about the problem.  Crimes of opportunity are generally low dollar, are for staples (food, gas, etc), low volume (just one to three things) and short term (all over the course of a few hours).  The pattern fits someone who is nervous, inexperienced, doesn’t want to get caught, and does not understand the law and card processing as well as a professional criminal.

On the other hand the criminal wants high dollar purchases, high volume, purchases different type of items (instead of staples the criminal wants jewelry and electronics that they can fence) and will space their purchases over days as they know fraud detection techniques better than the average consumer who just happened to find someone else’s card.  But the time between a first purchase on a compromised card and the last purchase is never, ever, more than thirty days.  To claim it is three years is ludicrous.

My point is that maybe this “expert” is just stupid or maybe very poorly informed, but what is scary is that he is out there spreading this type of foolishness that is not productive to fighting fraud issues.  The real issue at Citigroup is poor coding.  There is just too little emphasis on proper code review vs. time and cost.  The PCI DSS does call for code review, but IT too often views the control as something to work around and not as a good practice to follow.

Posted in Uncategorized | Leave a comment

Starbucks takes transactions from phone – 1997 MasterCard chip test

I’ve wanted to talk about the Starbucks Card Mobile app for weeks but work kept getting in the way. I have a one-day break between engagements so here goes…..

The Starbucks Card Mobile app is certainly not NFC, but it is a big deal that it is phone based. There are now close to 7,000 stores that allow purchases by phone. On its face it looks like a great step for payment by phone. The thought is that once a consumer buys their coffee this way they will demand to buy other products by the same method. However, there have been some bumps in the execution that were avoidable and reminded me of the total nightmare the smart card trial was in 1997.

I agree with those that see promise in Starbucks’ plan. At $30 per reader it was an easy way to achieve the goal of transaction by phone. But have you been to Starbucks yet? Have you seen people handing their phones to the barista to complete the purchase? No, you’re not supposed to do that, and the transaction will work fine without having to hand your phone over. Unfortunately like the general that sees the battle plan fall apart shortly after the real battle commences, good ideas often fall apart due to bad execution. My overall conclusion is that the more people exposed to transactions via phone the better. I have seen some regrettable slip ups at the stores. If Starbucks does not get what should be a simple thing right they risk turning more people off to the phone pay experience than encouraging the embrace of a new payment paradigm.

What bothers me is why don’t we learn from our mistakes and pass on knowledge from corporate generation to the next generation. A generation of people develops skills and are then promoted to other positions. The next generation of rollouts occurs and again, it is the company’s youngsters in charge. What has to happen is a bit of knowledge transfer so that the youthful missteps of today’s middle management are not repeated by today’s corporate up-and-comers. But that would be management. Like security, management and employee development are not practices that corporations want to pay for unless to appease regulators. Once I saw the phone pass from customer to barista I saw a failure in execution that, made me fear that the Starbucks rollout would be remembered as insignificant. While I think they are not communicating and promoting the app as well as they could. They have avoided many of the problems I saw years ago during a chip card trial by MasterCard and Visa in 1997.

Back then I was working for one of the large credit card companies (you only get one guess). I was at the stage of my career where I was transitioning from up-and-comer to staid middle management. I had been promoted to Vice-President and was imagining spending the next 30 years in Mad Men like bliss. I was 10 years with the company and still remembered my first interview in 1987 where I sat in a reception area waiting for an interview and was thrilled by reading an annual report about the impending chip card release. I was going to join a company that was going to change the world! But time went on by and it took a decade before the chip card was finally going to be tested.

In the fall of 1997 Citibank, Chase, MasterCard and Visa introduced a chip card in a trial conducted in Manhattan’s Upper West Side. The trial ran 15 months (it was supposed to run for six months) and was a debacle. In March of 1998 Information Week delivered a conclusion on the situation in an article entitled, Smart Cards Not Yet Welcome. Here’s a list of some of what went wrong:

1) Merchants and their staff were not trained and, in some cases, merchant staff did not even know of the pilot being run in their store. Consequently some merchants refused to accept the cards or did not know how to conduct the transactions.
2) The trial started right before the Jewish holidays. That’s forgivable in St. Louis, but in New York, the Upper East Side, that’s a major blunder. Why was the timing a big deal? Read on.
3) When the trial started many of the needed card readers (execution, execution, execution) had not been shipped or malfunctioned. Only 225 of 660 stores (NY Times 10/7/97) had working readers when the trial started. If you want to impress people with your cool new technology it needs to work. My point about the Jewish holidays? Merchants did not want to use the fixed or late readers when they came on-line because now the timeline took them into what was the busiest time for food merchants resulting in more momentum lost. (Oh, you haven’t lived until you’ve been to Zabar’s. My uncle Jim was out of his mind about the place.)
4) Cardholders found that the cards took as long as a normal credit card transaction.
5) Take up by cardholders was disappointingly low. Cards were mailed to about 50,000 account holders in the area between 60th and 96th streets from Central Park West to Riverside Drive. This is an exclusive area. This area defined the word ”yuppie” in the ‘90’s. So these people were to schlep (Yiddish -New Yorkism) themselves to their local branches or ATMs for $5 of free money and a chance to get $25 if lucky. Earth to card companies: this demographic is not motivated to wait on another line just to get $5.

In the end communication to the merchants and staff was poor. Execution was poor. The timeframe was not well thought out. The selected demographic was not a good fit. The technology being promoted showed no advantage (in this case, user convenience) over the technology it was to replace.

Now Starbucks, from what we know so far, does not fail on all of these points. But I have seen them foolishly repeat the mistake of not having their staff ready at the start of the rollout. While there were more balls to be juggled in the chip trial it felt as if all of them wound up falling to the ground. Starbucks seems to have the operational pieces working fine, so I wish them luck and will be interested to see where they turn up in a few months.

How did things work out after the chip trial? There was more bad news as during the course of the trial Paul Kocher cracked the digital code designed to make the smart cards tamper proof. Yet in February of 1998 MasterCard’s CEO, Robert Selander, announced that chip cards would “Literally rocket the payments industry into the next century.” (Card News 2/16/1998) Well it is the next century. About 10 years into it Bob, and where are our chip cards?

Posted in Uncategorized | Leave a comment

Adding MIFARE to UICC Cards

Just announced today –  NXP and Gemalto Sign Licensing Agreement for Adding MIFARE to UICC Cards.  Here is a link to the press release: http://bit.ly/hQHi7A

This will be a huge addition to the supply of UICC cards that incorporate the MIFARE standard.  NXP sees this as setting “a new target of 5 billion mobile phone users.”  As I said in a post last month: NXP claims to have sold over 1 billion smart card chips with the majority being MIFARE.  Gemalto will now be able to integrate the dominant, but poorly secured, MIFARE standard into its UICC cards.  The hope is that this cooperation spurs “the usage of NFC mobile devices in the MIFARE infrastructure.”

UICC is the Universal Integrated Circuit Card, it is the smart card used in mobile terminals in GSM and UMTS networks.

The first thing that comes to mind is that this is another sign of European dominance in this area.  Secondly, as I said last month, MIFARE has very poor encryption.  This area is a strength for Gemalto.  This is a good combination.  Gemalto is a strong company with plenty of engineers (people who understand the technologies they are managing not MBAs like at their American counterparts) in senior positions.   They make the secure chips in passports for several countries.

This can lead to developments that provide much better security to a protocol already in wide release.  More to come I’m sure.

Posted in Uncategorized | Leave a comment

NFC Reminds Me of ’73

What a busy couple of weeks it has been in the NFC space:

  • 13 French cities applied for NFC test zone funding.
  • Google announced that the next generation OS, “Gingerbread,” will support NFC.
  • Nokia announced it will switch on the NFC functionality built into its C7 smartphone.
  • Startup Bling Nation is set to bring its mobile payment service nationwide at the beginning of next year and go international soon after that.  The service pairs RFID-enabled stickers with a back-end system that charges purchases to credit cards (via PayPal) and sends text-message receipts to cellphones.
  • AT&T, T-Mobile and Verizon have teamed up to create Isis – a pay-by-NFC architecture.
  • Google and Apple are in talks to acquirer, or partner with, mobile online payment company BOKU.

For all the convergent events I listed above, there have been some troubling events.

  • As reported by the WSJ, Andrew Hoog of viaForensics showed that PayPal (and some banks) had HUGE security flaws in their smart phone apps.
  • InfoWorld reported that Driods may be lying about their compliance with EAS’s encryption policy.
  • And who is Michael Abbott the new CEO of Isis?  I don’t know about him.  He’s got to be good.  Is he just a marketing hack?

What I am seeing is that as NFC rushes to reality there could be a chance for major security issues.  There has been too much reliance on NFC’s requirement for physical proximity.  Is it because any fraud is projected to be a small percentage of the transactions to be made?  Oh well, that will make work for us security guys.

On the other hand, maybe it is just a form of buyer’s remorse on my part.  For years payment via mobile just seemed too “right” not to happen.  Now that it looks like NFC is here I feel like when your favorite band makes it big.  One part of you wants the validation of the world getting to know your secret, but another part of you wants to keep things intimate and close.  Like back in ’73.  I had a glorious night you only have when very young and very emotional.   Straight from basketball practice after bumming a ride from a senior, long hair, two forms of ID, mandatory Vietnam era military jacket, and facing a very long walk home.  It seems hard to belive, but there really were only about 50 people in the audience that night for the Bruce Springsteen show at My Father’s Place in Roslyn.  He made promises to his audience back then and over time broke a lot of them, but I guess so have I.  By some miracle parts of the show are on YouTube.  Just like any choice made in early days, not all our choices are recorded, but none of them can be erased.  Let’s hope we see some good decisions made now as mobile payments begins to take its first self assured, hopeful, yet unsteady first steps.  Just like me and Bruce, in ’73.

Posted in Uncategorized | Leave a comment

Rijkspas Impact on Near Field Communication

The prior posting discussed that the stars may be in alignment for transactions via Near Field Communication (NFC) to become reality.  One of the events that I pointed to as evidence was that, “Last week, the three largest banks (ING, Rabobank and ABN Amro) and three largest mobile operators in the Netherlands announced a joint venture to launch mobile payment, using full NFC phones.”

Two interesting points have been raised on this issue.  The first is that NFC transactions are “inherently” secure because the phone and reader have to be so close to each other physically.   The second issue is that one of the lynch-pins of my argument for NFC’s positive momentum is a sophistry as NFC will fail in the Netherlands because there are currently few contactless point-of-sale terminals in the Netherlands which will impact acceptance.

Let me address these two points begining with security of contactless transmissions and then why the Dutch are best poised to address this issue which will overcome the lack of contactless point-of-sale terminals.

What is the biggest application currently using contactless terminals?  It is not merchants, yet, it is the access badges used for building security throughout the world and transport systems in cities such as London, Boston, Taipei, and Rio De Janeiro.  Most of these cards are made by NXP Semiconductors.  NXP claims to have sold over 1 billion smart card chips and 10 million reader modules.  NXP is a former devision of Philips based in Eindhoven, the Netherlands.  The majority of these are a type marketed as the MIFARE “Classic.”  Not surprisingly, these cards are the cheapest of a range of cards manufactured by NXP under the MIFARE brand.  The most most well know rollout of the Classic is Transport for London’s Oyster card.

The Oyster cards were cracked in 2008 by students from Radboud University Nijmegen. Where is Nijmegen?  In the Netherlands, where there are some of the best university level computer science, information security, and encryption programs.  NXP moved to suppress the University’s publication of the vulnerability.  Fortunately a Dutch court ruled that the damage to NXP was from the product; not from someone’s pointing out its problems.  The Classic uses a proprietary encryption algorithm: Crypto-1.  At the time Bruce Schneier described Crypto-1 as “kindergarten cryptography.”

The Dutch government has responded by creating the Rijkspas standard.  (Rijks is the Dutch word for state or government, so in a sense Rijkspas means state access pass standard.)  The Rijkspas standard is not simply for contactless access.  The standard provides for the card to be used in combination with a PIN and / or biometrics, and to provide secure access to shielded areas but also for secure PC logon and secure e-mail.  It is a very comprehensive contactless standard.  The Dutch Foreign Ministry has selected Siemens IT Solutions and Services (SIS) to design a card management system based on software from Bell ID.  Bell is based in Rotterdam and SIS is just a few miles away in Germany.

To summarize: Most contactless cards are manufactured by a Dutch company.  The most secure and complete standard has been designed by the Dutch government.  A shoddy standard was exposed by a Dutch university and supported by a Dutch court.  And now the software for the new standard will be designed by a Dutch company.  It is obvious from the experience with the Oyster card that there are substantial security issues that could arise around contactless cards.  YouTube is full of videos showing exploits of RFID cards. But, despite the lack of contactless POS terminals in the country, the Dutch are uniqly poised to control the future global standard for contactless cards and this works perfectly in concert with the mobile payments initiatives sponsored by the largest Dutch banks.

Posted in Uncategorized | Leave a comment

Near Field Communications is Here!!

It is one of those mergers of finance, technology, and customer service that do not come along very often.  Since I first saw Bluetooth on a cell phone I’ve been waiting for when I would go to the supermarket and, instead of reaching for my wallet, I would just point my cell phone and pay.  I had a built in keyboard and much more computer power than a chip card.  It seemed natural.  Well 10 years later we are getting there.

The answer hasn’t come from Bluetooth but from Near Field Communication (NFC).  NFC is based on RFID.  It is a very short-range radio technology.  With a NFC chip the phone can be used as an RFID tag, as an RFID Reader, and for peer to peer (P2P) communication with another NFC-enabled phone.

MasterCard and Visa had the chance to advance this new method of payment but stalled for three reasons:

  1. Bluetooth was not secure.
  2. Concerns that the technology would be used for money laundering.
  3. Management given responsibility were operations people and lacked vision.

NFC solved issue #1.  Issue #2 is still unresolved and will work against NFC enabled phones in the US and Western Europe for some time.  But issue #3 has been resolved by banks taking matters into their own hands.

What are the events that have recently come together to make me excited that we are going to see the emergence of payment by smartphone?

  • Last week, the three largest banks (ING, Rabobank and ABN Amro) and three largest mobile operators in the Netherlands announced a joint venture to launch mobile payment, using full NFC phones.
  • In August Apple hired Benjamin Vigier, an expert in near field communication technology, as its new product manager for mobile commerce.
  • Apple has been posted a glut of new patents revolving around a phone with an NFC chip including: iPay, iBuy, and iCoupons.
  • “Nokia Money” was rolled out in India in February.
  • Wells Fargo, Bank of America, and US Bank have joined Visa and DeviceFidelity in a trial of payments via phones with NFC chips in the memory card slot.

There’s a lot going on.  We will look back two years from now and see that we are in a very different place than where we are now.

Stay tuned.  The world of payments is in for some radical changes.

Shortly I’ll post on why the DeviceFidlity trial will fail, have more on the technical differences between NFC and Bluetooth, explain why the NFC chip works well for the Dutch banks, why payments by NFC are particularly interesting in the India and other rural markets, the money laundering problems, and why we will soon see a realignment of the credit card companies that we have grown so used to for the past 50 years.

Posted in Uncategorized | Leave a comment