The Financial Services Club is a unique service designed for Senior Executives and Decision Makers from any firm interested in understanding and planning strategies for the future of banking and finance.
Biometrics isn’t discussed that much at banking conferences these days.
Most of the time, when I raise the topic, there’s a groan from the banking audience.
“Oh, been there, done that.”
The usual view is that biometrics doesn’t work. It’s too flakey. Too many false positives and false negatives, as in it doesn’t read the finger, eyeball or voice correctly.
And yet, we now have things like Siri voice recognition on the iPhone and fingerprint PC access that is commonplace.
Voice and fingerprint recognition has come a long way.
India has now identity tagged every citizen with a biometric ID, and most governments are doing the same via passport and cross-border programs.
So why are banks so reticent about biometrics for identity?
Because of the past trials or the future costs?
Probably a mixture of both.
Certainly, the idea of biometrics in banking has been around for a long time.
I was involved in rolling out iris recognition ATMs in the 1990s and engaged actively with the Japanese program of deploying palm reading ATMs in the 2000s.
At airports, I regularly pass through the fast track line with an eyeball to a screen, banks have rolled out iris recognition on smartphones and Apple has even patented a fingerprint recognition as you swipe your iPhone to unlock it.
Yet I still look for biometrics in banking and find it hard to uncover anything worthwhile.
“It seems like an innocuous piece of kit to have inspired such annoyance, but the new HSBC ‘secure key’ has already garnered six Facebook pages plotting its demise, while Twitter is all aflutter with people explaining just why they don't want to use it. So why has the bank decided to introduce this seemingly unpopular gadget.”
No, they don’t like it one bit.
Things will change and biometrics will be deployed instead of additional tokens and devices over time.
Much of this market increase will come from large government ID and security programs, which will then ripple over into financial applications.
For example, Companies and Markets predicts that the global biometrics market will hit $12 billion by 2015, up from $5 billion in 2010, thanks to these government security programs.
The report believes fingerprints will see the major focus, although citizens don’t like fingerprint recognition.
The reason is that fingerprints are mucky.
Wiping your finger over a terminal touched by hundreds or thousands of others, with no cleansing or wipe in-between.
Yeuch.
That’s why the Japanese moved into palm or vein reading, as you don’t actually need to touch the terminal.
But the most intuitive of all biometrics has to be voice surely?
With mobile being so ubiquitous, voice makes sense as it’s something you can easily verify via mobile.
Voice is a proven technology and voice recognition is resilient, accurate and reliable enough to overcome accents or influenza.
With voice you don’t even realise you’re being biometrically read necessarily, and you can even use voice to detect lies.
This is why Opus Research predicts that the global number of registered voiceprints will increase from 10 million today to over 25 million in 2015, and much of this will be driven by the payments markets.
Mind you, you need to beware of voice a little bit.
Talking about iris recognition and passwords recently, I got a note from Spanish Bank, Bankinter, which has just launched an app that identifies clients through iris recognition on the phone.
The way it works is that customers access their brokerage accounts by blinking into their smartphone’s camera.
The app has algorithms built-in that look for eye movement, to ensure it's not just some picture of the eye, and there is no need for any additional hardware or external sensors.
The technology is new and was developed for Bankinter by Mobbeel Solutions, a Spanish start-up based in Caceres, Extremadura, Spain.
Today, it works with just the iPhone4 – over half (55%) of Bankinter’s customers have an iPhone – but could be extended to Android in the future.
Bankinter is also thinking about using this as an authentication mechanism for other remote channels, such as ATMs, internet and mobile banking.
Like everyone, I’m completely fed up with passwords and online security.
It just doesn’t hack it anymore, or is it that it makes things easiest to hack?
The system is thirty years old – I used to use passwords to get onto the company network back in the 1980s. In fact, it’s even older than that. Polybius recorded the use of passwords back in the Roman Military days two millennia ago.
And now the system is broken.
I mean, even back in the 1980s it was more secure because the company made me change my password every four weeks. Today, I am rarely forced to change a password and I’ve just got too darned many of them.
There’s a password for iTunes, a password for email, a password for Amazon, a password for the bank, a password for my airline, a password for my mobile, a password for Google, a password for the credit cards, a password for the lottery …
Yep, there’s a password for everything.
And, like everyone, we’re told to not write the things down but how can you remember so many passwords?
You can’t.
So you put them all in a notepad or secure them somewhere on your PC or put them into some online password manager, but it’s all just crass stupidity.
Even with these secure systems, you just end up making all your passwords variations of the same thing. Even that doesn’t work as some sites use capital and lowercase letters, some are just lower case, some demand numbers whilst others want a minimum of 8 characters … can you ever remember which site demanded which format?
What you end up with is a mess of passwords that you can’t remember.
So you then use the same one for everything, but that has dangers too.
“Barr and some of his colleagues, Anonymous then discovered, had committed computer security's biggest sin: They used the same password on multiple accounts. The hackers commandeered Barr's Twitter and LinkedIn accounts, lacing both with obscenities. One of the passwords also opened the company's corporate Google account. Jackpot. In less than 48 hours, the hackers had the keys to the kingdom.”
And then it gets worse.
So how do you create a secure signon?
If you’re a bank, you force customers to log on to the bank with a password and a PIN, and then demand that they put their PIN in again on another device in order to generate a one-time passcode. You then enter the passcode, get another code back, enter that online and off you go.
It is ridiculous, and none of it is easy or intuitive.
So what’s the solution?
IP address?
Pattern recognition?
Biometrics?
DNA testing?
It’s a question that’s been asked for a while and has no good answer, although I'm sure lots of password alternative solutions firms will be posting answers to this blog post.
But if there were a solution then some academic would have it nailed by now, and the Register recently summarised two such research papers on alternatives to passwords.
Neither has a good alternative to passwords.
What they do say is the same thing I’m saying:
“From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.”
Come on folk, give me an alternative.
Here’s my suggestion.
When signing on, you enter your mobile telephone number.
You receive a text with a passcode.
You enter the passcode.
Off you go.
Obviously for more secure sites, you might add a PIN, but nothing as complex as three thousand passwords that are all variations of “123456”.
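The four-step sign-on above (enter mobile number, receive a text, enter the passcode, done) is simple to describe; what decides whether it is safe in practice is the server-side handling of the passcode. The following Python is an added example of that server side, written for this post rather than taken from it or from any bank's system. It assumes a hypothetical `send_sms(phone, message)` gateway callable and a server-held secret; the phone number used in the demo is a constructed one. Each passcode is random, stored only as an HMAC (so a leaked table does not leak live codes), expires after five minutes, is single-use and is discarded after three wrong guesses. The ZeuS variant quoted later on this page intercepts text messages on an infected handset, so the text channel is only as trustworthy as the phone receiving it; the short lifetime and single use limit how long an intercepted code is worth anything.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # length of the texted passcode
OTP_TTL_SECONDS = 300   # passcode lifetime in seconds
MAX_ATTEMPTS = 3        # wrong guesses allowed before the passcode is discarded


@dataclass
class PendingLogin:
    code_hash: str      # HMAC of the passcode; the passcode itself is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SmsPasscodeLogin:
    """Sign-on by mobile number plus texted passcode, as proposed in the post."""

    def __init__(self, send_sms, server_secret: bytes, clock=time.time):
        self._send_sms = send_sms      # hypothetical SMS gateway: callable(phone, message)
        self._secret = server_secret   # server-held key for the passcode HMAC
        self._clock = clock            # injectable so expiry can be tested
        self._pending: dict[str, PendingLogin] = {}

    def _hash(self, phone: str, code: str) -> str:
        # Binding the phone number into the HMAC stops a code issued to one number
        # from being replayed against another.
        return hmac.new(self._secret, f"{phone}:{code}".encode(), hashlib.sha256).hexdigest()

    def start(self, phone: str) -> None:
        """Steps 1 and 2: the user enters their number and we text a fresh random passcode."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = PendingLogin(self._hash(phone, code),
                                            self._clock() + OTP_TTL_SECONDS)
        self._send_sms(phone, f"Your sign-on code is {code}")

    def verify(self, phone: str, code: str) -> bool:
        """Step 3: check the passcode. It is single-use, expires, and has a guess limit."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[phone]
            return False
        if not hmac.compare_digest(entry.code_hash, self._hash(phone, code)):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                del self._pending[phone]   # too many guesses: force a new passcode
            return False
        del self._pending[phone]           # correct: consume it so it cannot be replayed
        return True


if __name__ == "__main__":
    # Stand-alone demo: the "gateway" just prints the text. Constructed number.
    login = SmsPasscodeLogin(lambda phone, msg: print(f"SMS to {phone}: {msg}"),
                             secrets.token_bytes(32))
    login.start("+44 7700 900123")
    print("Accepted:", login.verify("+44 7700 900123", input("Enter the code: ").strip()))
```

For a "more secure site" the PIN the post mentions would be checked before `start()` is called, so that a passcode is only ever texted to someone who already knows the PIN; the passcode handling itself does not change.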
Last year, a major security breach at RockYou.com resulted in the release of 32 million passwords. With such a large data set available, security firm Imperva Application Defense Center (ADC) analyzed and found that, when given the chance, most users will choose a simplistic password.
Imperva found that nearly a third of users chose passwords whose length is equal or below six characters and almost 60 percent of users chose their passwords from a limited set of alpha-numeric characters. Almost half of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), with the most common password being "123456".
Here are the most popular passwords from the RockYou.com leak.
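The Imperva figures quoted above (share of passwords of six characters or fewer, share drawn from a limited character set, share that are dictionary words or trivial patterns, and the most common values) are exactly the kind of measurements a bank can take over a leaked list to see how its own customers' habits compare. The Python below is an added example of that analysis; it is my code, not Imperva's method or the RockYou data. The password list is a small constructed sample, the dictionary and keyboard-run lists are deliberately tiny stand-ins for a real wordlist, and "limited character set" is taken here to mean lowercase letters and digits only, which is an assumption about how the report counted.

```python
import re
from collections import Counter

# Constructed sample corpus: stands in for a leaked password list. Not real data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "iloveyou", "princess",
    "rockyou", "abc123", "qwerty", "12345678", "Tr0ub4dor&3", "correcthorse",
    "123456", "password", "monkey", "letmein", "Summer2010!", "d7#Kp9!xQ2",
    "654321", "asdfgh",
]

# Tiny stand-ins for a real dictionary / common-password list and keyboard walks.
COMMON_WORDS = {"password", "iloveyou", "princess", "rockyou", "monkey", "letmein", "abc123"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1qaz2wsx")


def consecutive_digits(s: str) -> bool:
    """True for runs like 123456 or 654321 (all digits, each one step from the last)."""
    if not s.isdigit() or len(s) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def is_trivial(pw: str) -> bool:
    """Dictionary word, keyboard run, consecutive digits, or one repeated character."""
    lower = pw.lower()
    if lower in COMMON_WORDS:
        return True
    if any(lower.startswith(run) for run in KEYBOARD_RUNS):
        return True
    if consecutive_digits(pw):
        return True
    return len(pw) > 1 and len(set(pw)) == 1


def char_classes(pw: str) -> set:
    """Which of lower / upper / digit / symbol appear in the password."""
    classes = set()
    if re.search(r"[a-z]", pw):
        classes.add("lower")
    if re.search(r"[A-Z]", pw):
        classes.add("upper")
    if re.search(r"\d", pw):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", pw):
        classes.add("symbol")
    return classes


def analyse(passwords: list) -> dict:
    """Reproduce the headline measurements of the Imperva-style analysis."""
    n = len(passwords)
    short = sum(1 for p in passwords if len(p) <= 6)
    # Assumption: "limited set of alpha-numeric characters" = lowercase and digits only.
    limited = sum(1 for p in passwords if char_classes(p) <= {"lower", "digit"})
    trivial = sum(1 for p in passwords if is_trivial(p))
    return {
        "count": n,
        "short_pct": round(100 * short / n, 1),
        "limited_charset_pct": round(100 * limited / n, 1),
        "trivial_pct": round(100 * trivial / n, 1),
        "top": Counter(passwords).most_common(5),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PASSWORDS)
    print(f"{result['count']} passwords analysed")
    print(f"  <= 6 characters:          {result['short_pct']}%")
    print(f"  lowercase/digits only:    {result['limited_charset_pct']}%")
    print(f"  dictionary/trivial:       {result['trivial_pct']}%")
    print("  most common:", result["top"])
```

Run against a real leaked list, the same three percentages and the top-N table give a bank a direct comparison with the RockYou numbers, and the `is_trivial` check is the basis for rejecting such values at password-change time.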
We had a meeting of the Financial Services Club last week that looked at fraud and mobile malware with the Serious Organised Crime Agency and the International Systems Security Association (ISSA).
It was an interesting meeting, as I’m particularly intrigued by stories about mobile as this is our hot space right now.
Every bank is getting into mobile payments, mobile billpay, mobile balance checks, mobile banking ... it’s a huge opportunity as I’ve written about so many times.
I’m not writing much about the issues with mobile that banks are experiencing as many are yet to come into the public domain.
One that is in public domain is the coordinated ZeuS attack from Q4 last year:
“According to S21sec, the new variant of the ZeuS trojan first infects the victim’s PC. Then a web application purporting to be from a bank asks the victim to input their mobile phone number and details of their device. Third, the victim is asked via text message to install an application on to the phone. This application can then be used to intercept any text messages the victim sends.”
But I have a little bit more interest in what’s happening today and Joshua Pennell from ISSA talked through a whole load of new man-in-the-middle and mobile malware attacks that are growing by the day.
What concerned me more is the mobile hi-jacking capability where you think you are on your mobile carrier’s network but you’re not.
The idea is that a cybercriminal places a signal box near to the location of the person they are targeting.
The person then sees their mobile signal disappear and come back stronger. Something that happens all the time in my part of town.
What the mobile user does not realise is that their mobile service has now been hijacked and all of their texts, apps and downloads are being filtered by the cybercriminals service.
Sounds difficult?
I thought so until someone mentioned to me that this was just an example of using the Sure Signal Service.
Then the penny dropped as I use that service!
Sure Signal is for mobile customers who live in an area that is too weak to get a decent mobile service from their carrier.
This happens to many customers who move home and the result is that they cannot actually use the mobile carrier’s service and want to leave.
The box works off the broadband network of the house and the result is five bars for calls plus 3G.
Oh, and of course, the same is true for anyone else in that vicinity.
Good idea...
... and then there’s the other illustration of mobile that adds a further dimension to this.
The mobile tracker.
We all know that your geolocation is always on when you have a mobile signal, but who has a right to know about this?
In Germany, where spying is rife, apparently it’s a hot issue right now ever since German politician Malte Spitz discovered that his mobile operator was tracking his every move.
And the issue is that they were storing this information for months ... in fact, they had his whole life mapped out over a period of six months. Every move from every day for 180 days.
Here’s how it looks over just two days...
... hot stuff and a real topical issue therefore is: what is the security of mobile and, if compromised, who is at fault: the carrier, the handset manufacturer, the retailer, the customer, the bank, the regulator...
I regularly write about fraudulent aspects of finance, and it’s getting worse.
As I say in my presentations: “with five billion points of data breach, how can you keep secure?” and this is a key question, as every mobile device is now a point of payment or sale.
Equally, as everyone is loosely leaking their private information online socially, can anything remain secret?
It seems not in the age of Wikileaks, Twitter and Facebook.
Now most of the headlines about fraud are grabbed by Sophos in my circle of radar.
I guess it’s because they’re pretty good at monitoring this stuff and capturing the headlines before anyone else.
But I did see a couple of other interesting reports used recently.
Fraud Attack Rate: 56% of businesses reported experiencing payments fraud or attempted payments fraud in the last 12 months. 75% of businesses have experienced account takeover and fraud in the online channel. These rates are the same as they were in 2010, indicating banks and businesses are struggling to make progress on the issue.
Fraud Detection Rate: In 78% of fraud cases, banks failed to catch fraud involving the illegal transfer of funds or other nefarious practices such as information identity theft.
Responsibility and Liability: 41% of respondents said that in their opinion, the bank would not cover any losses if their company’s bank assets were stolen and not recovered. This perception increased from 26% in 2010. Despite this increased awareness, 70% of businesses still feel that their institution should be ultimately responsible for securing online accounts.
Customer Churn: 43% of businesses said they have moved their banking activities elsewhere after a fraud incident. 10% of businesses that have experienced fraud have terminated their banking relationship following fraud attacks, and an additional 33% said they did not fully terminate their relationship, but moved their primary cash management services to another institution.
The key line for me from the above is “43% of businesses said they have moved their banking activities elsewhere after a fraud incident” … it’s probably higher for consumers as moving a business account is actually more challenging than moving a personal account.
You need to move all your supplier and customer data across and you no doubt have some form of relationship with the bank. This may be a relationship of some depth if the business has factoring, invoicing, treasury, cash management and other matters handled by the bank.
So for more than two out of five firms to leave if fraud occurs is a substantial exposure.
And such exposures are becoming more common and more frequent. For example:
“The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China after their online banking credentials were stolen by malicious software.”
Small beans today … big trees tomorrow … especially when you see stories like the one I told recently about Aaron Barr, Head of Cybersecurity for the Federal Division of HBGary who got cyberpwned by the @Anonymous twitter group.
Perhaps, even more interesting, is that many of the presentations I’ve seen recently have been referring to the Verizon “2011 Data Breach Investigations Report”.
Why?
Because of this key paragraph from page four:
“We are often asked whether “the Cloud” factors into many of the breaches we investigate. The question is both easy and difficult to answer. The easy answer is ‘No—not really’. We have yet to see a breach involving a successful exploit of a hypervisor allowing an attacker to jump across virtual machines (VMs), for instance. On the other hand, we constantly see breaches involving hosted systems, outsourced management, rogue vendors, and even VMs (though the attack vectors have nothing to do with it being a VM or not). In other words, it’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud.”
So this paragraph is used to say that Cloud Computing is not a risk. It is secure. It can be trusted.
No wonder all the cloud providers have this paragraph in all of their PowerPoint decks now, something I’ll come back to in the future.
However, it may be more important to note that of the 761 data breaches Verizon examined in 2010, equivalent to nearly the whole number that occurred between 2004 and 2009, most were attacks on retail, hospitality and financial services.
This chart explains why …
… in other words, you wanna get money? The easiest place to compromise is a merchants’ terminal.
These are all groups coming from different directions – government, police, retailers, financial services, regulators – to try to lock down the fraudsters.
It’s a tough job though, as there are so many points of leakage.
Five billion and growing.
HT to Kamran Meer, Chief Information Security Officer at Habib Bank, for his references and support in writing this article.
The next meeting of the Financial Services Club, London takes place at Speechly Bircham's Conference Centre, 6 New Street Square, London EC4A 3LX from 6.00 p.m. on Thursday 9th June 2011.
The subject will be: Technology Trends: Fraud and Risk, and Mobile Device Insecurity
This Meeting will be based on two presentations.
How SOCA tackles organised crime with Andy Baker, Deputy Director, SOCA
Andy will outline SOCA’s approach to tackling organised crime in the field of financial technology. He will look at intellectual property crime (IPC), cybercrime and fraud, and take you through how this Executive Non-Departmental Public Body (NDPB) of the Home Office is working to prevent and solve these crimes.
Fraud and Risk, and Mobile Device Insecurity with Joshua Pennell of ISSA UK
They watch you sleep, they watch you work, they hold all your personal and professional data, and they sacrifice security for performance and usability. Your mobile devices present attackers with a 24/7 threat surface (and don't think the hackers haven't noticed). This presentation will dive into the world of mobile device security based on research performed by the IOActive team. It will address common threats, ways to better protect devices and show a demo of an attack in the wild.
If you wish to attend please register as follows: Member or Non-Member
For a long, long, long, long, long, long time, I’ve talked about biometrics taking off in banking … and it hasn’t.
The biometrics market has picked up and tailed off in fits and starts, but there is no real mainstream biometric program out there that I’ve spotted to date.
The nearest I got was some things in Mexico with Banco Azteca’s fingerprint system in the mid-2000s, Pay By Touch, which self-imploded shortly after, and the Indian identity card which will give a billion people a biometric ID.
But it’s still all bunkum as no mainstream bank has rolled out a client focused biometric system that I’ve seen … until now.
At the exhibition here in Abu Dhabi I got a surprise when wandering the exhibit hall and bumping into a wee firm called Irisguard.
Now my aim here is not to advertise this firm, but just to say that they showed me their sign up and recognition system for iris scans, which are used by Dubai airports, and it seemed pretty good.
Having used iris systems before, this was far easier than any I’ve seen before and remember, iris is the most secure biometric.
So here’s their advert for banking, showing the system used in branches and ATMs …
Oh, and they are telling me they’re now also offering a simple home PC version for online transactions too.
No, not the state benefits version, but the online version.
I've been blogging a lot lately about cybercrime, identity theft and the do's and dont's of social networking. This was in part due to a seminar that took place this week where we were debating the risks related to social networking and mobile finance.
There is a risk.
The risk is this: as we proliferate devices and provide more and more identity information online that can be accessed and shared by all friends, foreigners and strangers, we are in a position where the world of financial management is potentially compromised. In fact, it's fatally flawed.
Our keys in the past to holding our identity were a card, a PIN and, more recently, a password.
None of these work anymore, as they are too easy to find, compromise and break.
Other keys were our date of birth, mother's maiden name and similar personal information.
That doesn't work anymore either.
So how can we protect ourselves?
With two-factor authentication, one-time password machines, biometrics and more.
Possibly.
But it's getting harder and harder to manage this all the time, and the views of the panellists in our debate were intriguing.
They all felt that the concerns we were airing were irrational.
Yes, there are worries - but we had the same worries about email leakage and internet banking and yet we're all happily using email and online finance today, so what's the big issue?
It's just a case of evolution and, over time, social networking and sharing via mobile devices and more will just become the fabric of how we do things, including mobile banking and payments.
It sounds like it makes sense.
But it doesn't.
The reason it doesn't is that email was controllable.
You can monitor email easily.
It's harder to monitor all the ways we communicate these days from facebook chat to skype chat, and from text messages to tweets.
This point was actually made by one panellist who one minute was saying "it's not an issue", and was then saying how his children had evolved from text messages to using facebook chat.
What he didn't realise is that they do this, not because facebook chat is cheaper and easier but because it's not auditable.
After a facebook conversation, it disappears. Parents can't audit the conversation therefore.
They can with texts, if the kids forget to delete them.
That's the point.
So sure, conversations can be tracked but, by cleverly using personal and company mobiles at work and loading them both with apps that allow quiet communication, you create a real minefield for data leakage.
Data leakage is the key issue.
Data leakage used to be controlling emails and chatrooms; then it was policies for laptops, home working and devices that cross-over work and play from mobiles to blackberries; then it was issues related to using USB ports and portable hard drives ...
... now it's the data leakage points exploding by channel - facebook, twitter, skype - and by device - mobile, blackberry, laptop and tablet.
The fact is that data leakage points are out of control.
For example, add all the ways we can communicate then layer on top of that the ubiquity of devices.
We have moved from a few hundred thousand data device leakage points to several billion, and from a few channels of leakage to channels that leverage the strengths, and weaknesses, of each device.
And we have then layered on top of this all the social communication online that allow us to be socially engineered by any criminal fraternity into being socially manipulated to do things that are antisocial.
So there is no social security in our socially networked world and it's not just a controllable evolution, as the panellists proffered.
It's a mad explosion of mess that mixes our social with our work, our personal with our professional, our online with our offline. Mix that with the billions of channels and devices and you have a melting pot of data leakage that will mandate a number of new roles within a bank.
The Data Risk Officer.
The Chief Leakage Officer.
The Social Police Officer.
The No Idea How To Stop This Mess Officer.
Oh, and if you don't believe this is a mess, you have to read this story ...
Banks miss a trick in not advising customers how to network socially with safety, so here’s my top do’s and don’ts for social networking. It’s not exhaustive, but just those that are top of mind and banks would do well to send such advice to their customers in writing, online and always when they logon to their bank accounts (in an engaging user experience way – not just by cut and pasting the words below).
Do
clear any sensitive information from all of the electronic devices that you use, especially your mobile
use all the tools you can to be safe online such as free antivirus software like AVGfree, and plugins to browsers such as NoScript
share your life and lifestream, but restrict this to only those who deserve to know you and who you really know
keep everything private and think that anything you’re posting to a website could be seen by your parents, partner or boss
watch what your children are doing online and that they are not giving away information about themselves or the family that could be sensitive or dangerous – examples would include “going on holiday for two weeks” and connecting with adults they don’t know
consider that everyone online is the equivalent of everyone you meet offline, as would you really trust “Bitcha Armoff”, the gorgeous and mysterious person who just poked you, in real life?
think about opening two accounts on all social sites: one where you link to work colleagues and another where you link with friends and family – that way you can manage the work/life balance and keep personal separate to professional
make sure that your privacy settings in both sites are set correctly and remember that joining groups, no matter how innocuous, can result in many strangers seeing your profile, status updates and lifestream
Don’t
use passwords and usernames similar to your bank logon details anywhere other than with the bank
store your password and username on devices such as your mobile, netbook or laptop, or keep such information anywhere near them
click on any links from people you don’t know or to something that sounds exciting but could be fishy, such as a Facebook link to see “Justin Bieber Gets Boner”, which can often link to a download of malware
accept an invitation to link with just anyone – it may make you feel more popular, but any of those so-called ‘friends’ may be gangsters and murderers
use location co-ordinates in your status updates as that’s asking someone to rob your house when you’re out
mix work and play on your profile or social network
put your birthday, telephone number, email address and particularly your work situation on any social networking site, as that’s a real giveaway
link with mum and dad or most family members in any network with potential non-family or work members, as parents particularly post crap on your updates and might give away your mother’s maiden name or similar information
talk about what you’re doing in the future except with those you trust, as this gives a perfect opportunity to ‘groom’ you for crime, e.g. “going to be at the Dog & Duck for Joe’s stag do” is a real invitation
Why do I say the above?
Because the number of times I’ve targeted people to coerce them into doing something they don’t want to do by knowing where to find them and when; who their friends, family and work colleagues are; what their tastes in music, books, films and sushi are; and more … oh, did I just say that?
On a more serious note, Facebook is being blamed for one in five divorces in the USA, and employers and potential employers are using these sites to see how fit for work you are. If your partners and employers are checking up on you, do your really believe that criminals aren’t?
I would urge every bank to post some sort of advice on their website, mobile and internet service, as it seriously worries me that customers aren’t getting this education and are probably giving away their identities as we speak.
I would also, as a bank, underscore that if a customer is found NOT to have followed these policies and procedures then they may not be covered for fraudulent account access and identity theft.
That way, the bank has protected itself, helped the customer and moved our new Bank 2.0 world a step forward.
Whilst banks ignore such perils, their customers are at risk.
After my note about identity theft the other day, I got a nice note from Barry Marshall at Identity Intelligence (IDI), who run a database about fraud. Their numbers are staggering, and they say the issue today is not Card Not Present (CNP) fraud, but Card Not Necessary (CNN).
They noted that over 61,000 stolen credit cards were being used fraudulently on the internet during 2010, a decrease of 10% on 2009 (68,000)*.
However, the IDI database held 58 million records of individual personal data that were sold on the internet during 2007 and 2008.
By the beginning of December 2009 the figure had grown to 138 million related to over 60 million individuals, as many people are either phished or have their personal data sold and purchased more than once by criminals.
By December 2010 the database had grown to over 270 million records representing approximately 115 million individuals.
Should we be worried about the end of privacy?
Maybe groundwork for a CNN news report ...
* these stolen credit cards were reported to the Dedicated Cheque and Plastic Credit Card Unit (DCPCU) a joint operation between the Metropolitan Police, City of London Police and UK Payments: http://www.dcpcu.org.uk/. In total, over 325,000 stolen credit cards have been reported by Identity Intelligence to the DCPCU.
So, there are a lot of things we’re juggling around with in the payments arena, from real-time to TARGET2 to SEPA to SWIFT ISO20022 to mobile to contactless to biometrics and more.
I guess I can summarise this area best by using the results from this year’s payments survey because the last section of the survey asked people what's hot, hot, hot in payments this year.
EUROPEAN PAYMENTS
What was not hot is the world of the Single Euro Payments Area (SEPA) and the Payment Services Directive (PSD). Interest in these areas due to stagnation and indecisiveness had, to be honest, become flatter than the Flat Earth Society's annual party. In fact, an indication of how much euro interest exists was articulated well in an insight article on CNBC that claims that: “The European Union Is Over”.
I wouldn’t go that far but, in reviewing the developments of this year, I would say that everything in the Eurozone got a bit tired, tainted and tense.
Thank goodness therefore that the SEPA end-date is in sight, with the European Commission approving the forced migration of national instruments to SEPA credit transfer and direct debit schemes 12 and 24 months after the new regulations for migration are approved.
So that puts SEPA to bed (lol), and leaves me to hone in on other key areas such as mobile and contactless payments.
MOBILE CONTACTLESS
Often breathed in the same breath, these are distinctly different areas even though they are converging as we speak.
For example, Orange has just committed to rollout contactless payments and NFC capabilities across all of their European network next year, whilst Google and Apple are committed to incorporate NFC into Android and iPhones.
So we’re definitely in the era of simple mobile payments.
This was voted the #1 item of interest amongst those responding to the survey this year, and is top of mind with everyone.
What’s surprising is that mobile contactless may be top of mind, but it’s transient.
We’re already into using NFC tags everywhere and the mobile operators’ movements will simply decimate the NFC stick-on tag business (sorry taggo, bling nation et al).
Meanwhile, the fundamental issue is still not addressed: where can you use an NFC chip?
Barclaycard have been pushing Visa Paywave for a couple of years now, and yet I hardly ever get a chance to use it.
Sure, we may now have a few London taxis wirelessly enabled, but it’s hardly dense terminal acceptance or usability.
And there’s the rub: we need more terminals.
Maybe they could learn something from Zapa in Ireland, where AIB Merchant Services have worked closely with them to rollout terminals that can use the tags.
Half of all AIB’s merchant terminals are now Zapa ready: that’s 40,000 of their 90,000 terminals, with over 1.5 million contactless transactions in the year to September 2010.
Compare that with Barclaycard who have rolled out just 42,500 merchant terminals to date and processing just over a million transactions by November 2010, and you can see the challenging dimensions they face.
Hmmm ... but there’s no doubt that this will grow ... except that by the time it does, technology will have moved on and direct mobile-to-mobile, or M2M payments, will be the order of the day.
Ah well, we always roll out three-year old technologies to meet three-year ahead needs.
Behind mobile contactless, real-time payments is the next big deal.
REAL-TIME PAYMENTS
Real-time payments are big news because everything is moving into real-time, a point I’ve made often.
What real-time really means is real-time information transfer. Information about money moving worldwide in real-time. Not the money itself, which will still be gated and subject to the laws and barriers required to ensure money moves at the pace of AML, KYC, repudiation and revocation needs.
But real-time is a game changer, as real-time information, risk, cash and enterprise management is delivering real differentiation for corporates and clients worldwide.
That’s why banks need to focus upon it.
For example, in corporate treasury, real-time information that consolidates all the knowledge about a corporation's cash positions across all of their operations, geographies and subsidiaries would be invaluable. In fact, it amazes me that most companies do not have this capability.
That is because they are multi-banked and multi-country.
Banks that focus upon aggregation of information in real-time to provide additional knowledge about money will win business.
That's why real-time is important.
OPERATIONAL MANAGEMENT
After these big ticket items, everything becomes a bit more mundane with new pricing models for European payments post-SEPA, SWIFT MX and ISO20022, payments processing hubs, liquidity management and such like being on the ‘must-do’ list.
It’s all about standards, cost reduction and ensuring efficient processing. In other words, good operational management focus.
I could write a lot more about this, but it's covered pretty well elsewhere by SWIFT and other forums, so I'm not going to get all techie today (phew!).
The only point that’s really worth noting on the ‘new for 2010’ model from my side is the fact that there are a lot of new payments institutions appearing out there.
NEW PAYMENTS INSTITUTIONS (PIs)
PIs are new, non-bank payments processors taking out licences across Europe to process payments instead of, or on behalf of, banks.
Funnily enough, when we mention PIs, most people normally think of institutions like PayPal except that PayPal respond by saying: “we are a bank”.
First Data, Western Union, Mobile Telecom firms are also keen PIs, with over 70 licenses registered with EU authorities so far this year to offer payments services in this form.
But the most intriguing new PI for me is Voice Commerce.
Not because they were the first non-bank PI to register with the EU after the implementation of the Payment Services Directive (PSD).
Nor because they were the first PI to become a Visa and, more recently, MasterCard Principal Member.
No, the reason for Voice Commerce being of interest is that they use the idea of the human voice biometric being an identity authentication method.
Bearing in mind that yesterday, all things were moving to mobile and today, all payments are moving to mobile, the idea of using a human voice biometric on mobile seems to be a no-brainer.
And yet, according to our survey, voice biometric fraud management is the least interesting aspect of 2010’s innovations.
Amazing how short-sighted we can be when it comes to seeing what may be the most disruptive developments sitting right in front of our eyes or, in this case, right in front of our mouths.
I mentioned that I spent last Friday morning with card fraud and security experts. The conversation began with a wide view of what’s happening, and a focus upon PCI DSS Standard 2.0, which is yet to be published.
The Payment Card Industry (PCI) Security Standards Council (SSC) have developed new versions of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) for release at the end of October, which will then last three years in implementation.
After that period, there will be a one-year sunset before the next generation of PCI standards take over.
This is based upon the new agreement in the cards markets which means that every three years a new standard is released to keep up with market and technology change, with a year to implement the new standards and phase out the old one.
The fact that the new standard appears to be an evolution of the old standard, with no changes to merchant technology, is a good thing some say, as it means no major budget changes to card machines.
However, it’s not a good thing as it ignores many key areas of technological development within the card community, such as server and desktop virtualization, tokenization of regulated data, end-to-end encryption (E2EE) of card holder information and the use of cloud-based applications.
This is interesting as card processors, such as Visa, are offering guidelines in these areas, such as Visa’s best practices for tokenization.
Tokenization is a relatively recent practice whereby credit card data is changed to ensure data thieves cannot steal it, for example by only communicating the last four digits of the credit card. The view being that if the data’s not there, it cannot be stolen.
Their report makes an interesting read:
“In October 2009, Visa published the Visa Best Practices for Data Field Encryption to promote the proper encryption of sensitive card data that is transmitted, processed or stored by stakeholders throughout the payment system. As part of these best practices, Visa recommended that entities use tokens (such as a transaction ID or a surrogate value) to replace the Primary Account Number (PAN) for use in payment-related and ancillary business functions.
“Tokenization can be implemented in isolation or in concert with data field encryption to help merchants eliminate the need to store sensitive cardholder data after authorization. Entities that properly implement and execute a tokenization process to support their payment functions may be able to reduce the scope, risks and costs associated with ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS).
“How Tokenization Works
“Tokenization defines a process through which PAN data is replaced with a surrogate value known as a ‘token’. The security of an individual token relies on properties of uniqueness and the infeasibility to determine the original PAN knowing only the surrogate value. As a reference or surrogate value for the original PAN, a token can be used freely by systems and applications within a merchant environment.
“Where properly implemented, tokenization allows merchants to limit the storage of cardholder data to within the tokenization system, potentially simplifying an entity’s assessment against the PCI DSS. As a reference or surrogate value for the original PAN, a token can be used by systems and applications within a merchant environment without having to consider the security implications associated with the use of cardholder data.
“The security and robustness of a tokenization system is dependent upon the secure implementation of four critical components, and the overall management of the system and any historical data:
Token Generation: Defines the process through which a token is generated.
Token Mapping: Defines the process for associating a token to its original PAN value.
Card Data Vault: Defines the central repository of cardholder data used by the token mapping process.
Cryptographic Key Management: Defines the process through which cryptographic keys are managed and how they are used to protect cardholder and account data.”
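The four components listed above, worked through as an added example (constructed for this post, not Visa’s or any vendor’s code): a small in-memory token vault that generates a random token keeping only the last four digits, maps tokens back to PANs, and uses a vault-held HMAC key so the same card always gets the same token without the vault holding a plain-text PAN index. The PAN used is Visa’s public test number, and the choice to reject Luhn-valid tokens so a token can never be mistaken for a real PAN is a design choice of this demo, not a Visa requirement.

```python
"""Tokenization vault demo covering token generation, token mapping, the card
data vault and key management. Constructed example; the PAN is Visa's public
test number 4111111111111111, not a real card."""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check, as real PANs do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Card data vault: after authorization the PAN exists only in here."""

    def __init__(self, index_key: bytes):
        # Key management: the index key stays with the vault, never with the
        # merchant systems that only ever hold tokens (kept in memory for the demo).
        self._index_key = index_key
        self._token_to_pan = {}     # token mapping: token -> PAN
        self._index_to_token = {}   # keyed PAN index -> token, for repeat cards

    def _pan_index(self, pan: str) -> str:
        # HMAC of the PAN lets the vault recognise a card it has seen before
        # without keeping a lookup table keyed by the clear PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _generate_token(self, pan: str) -> str:
        # Token generation: keep the last four digits (what a receipt shows),
        # randomise the rest, and reject candidates that pass Luhn so a token
        # cannot be mistaken for, or collide with, a real PAN (demo design choice).
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            candidate = body + last4
            if (candidate != pan and not luhn_valid(candidate)
                    and candidate not in self._token_to_pan):
                return candidate

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating and storing one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._pan_index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]    # same card, same token
        token = self._generate_token(pan)
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Token mapping back to the PAN; only the vault can do this."""
        return self._token_to_pan[token]


TEST_PAN = "4111111111111111"   # constructed: Visa's public test number


def demo() -> dict:
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize(TEST_PAN)
    # The merchant keeps the token; the token alone reveals nothing but the last four.
    return {
        "token": token,
        "same_token_on_repeat": vault.tokenize(TEST_PAN) == token,
        "last4_preserved": token[-4:] == TEST_PAN[-4:],
        "token_passes_luhn": luhn_valid(token),
        "vault_recovers_pan": vault.detokenize(token) == TEST_PAN,
    }


if __name__ == "__main__":
    print(demo())
```

The property the quoted text calls “infeasibility to determine the original PAN knowing only the surrogate value” comes from the token being random rather than derived from the PAN: the only route back is the vault’s mapping table, which is why the vault, not the token, is the thing that needs the PCI DSS controls.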
I’ve placed most of this explanation here, to ensure the dialogue is clear in these areas, with the other big discussion area being E2EE.
End-to-end encryption (E2EE) ensures sensitive credit and debit card data is protected from the moment the card is used at a PIN Entry Device (PED) or other card reader, throughout its transmission via the network to the payment processor.
This is achieved by using the latest card readers, which scan and encrypt the cardholder information prior to performing an electronic payment transaction. These sophisticated devices use the Triple Data Encryption Algorithm (Triple DES) with a Derived Unique Key Per Transaction (DUKPT) to encrypt and transmit cardholder data securely over any network. The terminals also use tokenization to ensure that the encrypted cardholder data transmitted is not the same as the original cardholder data in any way. This means that even if the encrypted data were to be intercepted and somehow compromised, it would be useless to data thieves.
So why is it that the PCI SSC is producing a new standard that appears to ignore the key areas of tokenization and E2EE, when these clearly help to get to the dream of fraud-proofing card payments?
According to the conversation with the guys last week: cost and bias.
The cost issue is an easy one: it would cost a lot of money to upgrade all terminals to be compliant with a mandate for tokenization and E2EE. Think of the UK’s investment in Chip & PIN and make that global, and you get the picture. After all, these standards are mandates, and this is why the SSC is clarifying and making recommendations rather than mandating for these changes to be incorporated.
The bias one is more interesting for me however.
The bias exists in two forms: first, geographic and second, who sets the standards.
The geographic bias exists in the form of many of the key decisions being made to cater for US markets, which lie way behind the world’s markets.
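The reader-to-processor exchange described above, as an added example rather than any vendor’s firmware: the reader derives a fresh key for every transaction from a device key it was injected with, encrypts and authenticates the track data, and ratchets its state forward; the processor, which holds the base key, replays the derivation from the key serial number (KSN) sent in the clear. This is not the ANSI X9.24 DUKPT algorithm itself but an HMAC-SHA256 ratchet standing in for it, and the keystream XOR stands in for the Triple DES the real devices use (both substitutions are assumptions of this demo so it runs on the Python standard library). The device id, base key and track data are constructed values.

```python
"""Unique key per transaction from reader to processor. Constructed example;
HMAC-SHA256 ratchet and keystream stand in for DUKPT and Triple DES."""
import hashlib
import hmac
import os

MAC_LEN = 16


def _prf(key: bytes, label: bytes) -> bytes:
    """Keyed one-way function used for every derivation in this demo."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stdlib stand-in for a block cipher: XOR with an HMAC-derived keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += _prf(key, b"ks" + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(tx_key: bytes, track: bytes) -> bytes:
    ct = _keystream_xor(tx_key, track)
    return ct + _prf(tx_key, b"mac" + ct)[:MAC_LEN]      # encrypt-then-MAC


def _open(tx_key: bytes, blob: bytes) -> bytes:
    ct, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    if not hmac.compare_digest(mac, _prf(tx_key, b"mac" + ct)[:MAC_LEN]):
        raise ValueError("MAC mismatch: wrong key or tampered data")
    return _keystream_xor(tx_key, ct)


class Reader:
    """PIN entry device: injected with its own initial key, never the base key."""

    def __init__(self, device_id: bytes, initial_key: bytes):
        self.device_id = device_id
        self.counter = 0
        self._chain_key = initial_key

    def encrypt_track(self, track: bytes):
        tx_key = _prf(self._chain_key, b"tx")                # key for this transaction only
        self._chain_key = _prf(self._chain_key, b"ratchet")  # step forward; old state is gone
        ksn = (self.device_id, self.counter)                 # key serial number, sent in clear
        self.counter += 1
        return ksn, _seal(tx_key, track)


class Processor:
    """Payment processor: holds the base derivation key for all readers."""

    def __init__(self, base_key: bytes):
        self._base_key = base_key

    def initial_key_for(self, device_id: bytes) -> bytes:
        return _prf(self._base_key, b"ipek" + device_id)

    def decrypt_track(self, ksn, blob: bytes) -> bytes:
        device_id, counter = ksn
        chain = self.initial_key_for(device_id)
        for _ in range(counter):                 # replay the ratchet up to this transaction
            chain = _prf(chain, b"ratchet")
        return _open(_prf(chain, b"tx"), blob)


TRACK = b"4111111111111111=2512"   # constructed: Visa test PAN plus expiry, track-2 style


def demo() -> dict:
    processor = Processor(os.urandom(32))        # constructed base key
    device = b"reader-0001"
    reader = Reader(device, processor.initial_key_for(device))
    ksn1, blob1 = reader.encrypt_track(TRACK)
    ksn2, blob2 = reader.encrypt_track(TRACK)
    results = {
        "processor_recovers_tx1": processor.decrypt_track(ksn1, blob1) == TRACK,
        "processor_recovers_tx2": processor.decrypt_track(ksn2, blob2) == TRACK,
        "same_card_different_ciphertext": blob1 != blob2,
        "tamper_rejected": False,
        "stale_reader_state_cannot_open_tx1": False,
    }
    tampered = bytes([blob1[0] ^ 0x01]) + blob1[1:]
    try:
        processor.decrypt_track(ksn1, tampered)
    except ValueError:
        results["tamper_rejected"] = True
    # Whoever dumps the reader after two transactions holds only the ratcheted
    # chain key, which yields future keys but not the one that protected tx1.
    try:
        _open(_prf(reader._chain_key, b"tx"), blob1)
    except ValueError:
        results["stale_reader_state_cannot_open_tx1"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The last check is the reason a per-transaction scheme matters for a device that sits in a shop: a captured reader does not give back the transactions it has already sent. Real DUKPT bounds the processor’s derivation work with a structured counter rather than this linear replay, and the reader erases each derived key after use; the demo keeps the linear chain for readability.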
The fact that most card fraud is now emanating from US markets is because they are so far behind.
In fact, it does amaze me that the world’s most advanced economy and undisputed internet and technology leadership should be stuck in the 20th century model of cheque payments and mag stripe card readers. What is all that about?
Cost and laziness.
I mean, come on America, get with the 21st century and start thinking about Chip & PIN and EMV.
Or maybe not.
As PCI Guru sees it: “EMV will save US banks and merchants a total of around $394 million dollars annually. Given the estimated ten billion it will cost to convert totally to EMV, is it any wonder why banks and merchants have no incentive to convert?”
OK, but the SSC still has some questions of bias based upon who sits on the Council, which includes firms such as Cisco, First Data, PayPal and Verifone, alongside banks, merchants and the EPC.
The accusation made by those over here, who have to follow their directions, is that some of these organisations are more there to promote and protect their own systems and solutions, rather than the promotion of best practice in the industry.
Not sure I agree with that accusation, but it was an interesting one.
Maybe this means there should be more interface, dialogue, discussion and cooperation between groups such as the PCI SSC and the MRC (Merchant Risk Council).
In fact, the most surprising outcome of my dialogue with security assessors, card encryption firms, and PCI DSS experts last week, is that they had not heard of, or were even aware of, the MRC.
Whoops.
“The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC was formed when two entities decided to join forces: the Merchant Fraud Squad and the Internet Fraud Round Table.
“The Merchant Fraud Squad was founded in September of 2000 by American Express, ClearCommerce and Expedia. The membership quickly grew and, by the end of 2002, the primary focus was to educate online merchants on how to prevent fraud.
“In 2001, HP and ClearCommerce founded the Internet Fraud Round Table, a grassroots group of large retail merchants, to share best practices through twice a year face-to-face meetings and monthly conference calls. By the end of 2002, the Internet Fraud Round Table had grown to over 60 marquee e-Commerce retailers.
“At the end of 2002, the two groups teamed up to form the Merchant Risk Council.”
Just spent most of today talking about PCI DSS compliance issues with QSAs focused upon E2EE.
What?
Yea, you heard me right. Delving into an area that I talk a lot about at higher levels usually, but rarely at these levels.
Today, I was plumbing the depths of the Payment Card Industry (PCI) Data Security Standard (DSS) and its evolution towards an End-to-End Encryption (E2EE) standard. This is basically all to do with fraud and risk in merchant terminals, from point-of-sale to virtual terminals for online payments.
Merchants are tiered, based on card volumes and values, from Levels 1 to 4, and assessed for compliance through the use of Qualified Security Assessors (QSAs).
As there was so much to discuss, I’ve had no time to write up a blog entry today.
Instead, for those of you interested in cards, security, authentication, identification, verification, identity management and so on, here’s the list of questions I took into the room for discussion:
New PCI-DSS v2.0 - Adjustment or Major change?
The Payment Card Industry Data Security Standard (PCI DSS) has been one of the strongest drivers for investment in IT Security in the past years. Why do we need a new version?
What is changing and how to prepare to the new PCI DSS v2.0? Is it about rewording to adapt to new technologies, or does it bring a new approach to IT Security?
What’s really driving PCI DSS – Is the US government motivated to stem the flow of money to illegal narcotics and arms industries?
How have the long-term consequences of the Heartland data breach on the PCI SSC and the behaviour of QSAs impacted the PCI DSS programmes of merchants?
How can merchants better understand and process the demands made by QSAs in order to maximise the benefits of implementing requests by meeting key security as well as compliance requirements?
Do businesses understand the importance of PCI DSS compliance?
Why is becoming compliant so costly to businesses?
Can all merchants be categorised together when there is great diversity in terms of operating, sales and fulfilment channels?
Tick-box compliance vs. risk-based security: it is said that PCI DSS is based on security best practices, but does it really constitute a risk-based approach?
Are the regulations able to keep up with emerging trends, such as virtualization, cloud computing and mobile technology?
PCI compliance and Virtualisation: what are the key differences between the traditional “physical” computing model and virtualised computing models, and what does that mean for your compliance strategy?
Adapting security models to a dynamic, “instant-on” environment: what dynamics must be considered as regards virtual machines and the risk of mixed trust-level virtual machines when striving to reduce security risks to both cardholder, and other sensitive data?
While the adoption of Chip & Pin has been successful in reducing card fraud, it has led to an increase in data compromises in the Card Not Present (CNP) space, what measures might be taken by merchants and acquirers to curb this trend?
What new challenges do mobile payment platforms present us and how can they be overcome? For example, how can we stop merchants from using applications that process CNP payments for transactions where the card and customer are present?
We have seen increasingly that criminals have deployed new methods such as man-in-the-middle attacks that exploit areas that the PCI DSS does not currently cover; what counter measures can be taken to combat them now and in the future and does the standard need to change to account for these exploits?
How do modern banking Trojans inject themselves into systems to overcome security provided by PIN, TAN (Transaction Authentication Number), and iTAN (Indexed Transaction Authentication Number) http://en.wikipedia.org/wiki/Transaction_authentication_number to steal and manipulate transaction data 'on the fly', and how do they cover up their tracks?
What techniques do criminals use to distribute malicious Browser Helper Modules and, why is it so difficult to detect compromised browsers, and what risks do they expose to the end user?
If companies rely on SSL (Secure Sockets Layer) as an effective last line of defence against Trojans that embed themselves into the browser, are they offering any real protection to their end users?
What steps can businesses operating in the online commercial environment take to protect their customers from these threats?
Reducing scope – is E2EE the holy grail? Where are the weak links in the E2EE chain?
The PCI Security Standards Council (SSC): what have they done well? What could they have done better?
What are the key points on which the PCI SSC need to provide clarification that would help large merchants both secure their data and meet compliance, and by which avenues can merchants lobby for such change?
PCI SSC has set up working groups to better understand End to End Encryption and tokenisation – what are the pros and cons of working groups?
What guidance will merchants need with new regulations on E2EE and tokenisation?
Do merchants focus on the wrong areas? Do merchants approach compliance in the wrong way, spending too much time and money on something which only secures a small piece of the whole project?
Why are merchants not always 100% forthcoming to auditors, and what are the top ten things merchants don’t tell their acquirer?
What will the payment security compliance landscape look like in the future and what should merchants do to ensure they stay ahead of the curve?
There’s a whole load more where that lot came from, and I’ll blog a simplistic overview of what the dialogue was all about next week ... bet you can’t wait can you?
I continue to be stunned by how Facebook and other social media allow me to see things in other people’s lives that should not be seen.
For example, all of my friends’ friends’ photographs.
This is a feature of Facebook I particularly dislike, and I’m not sure people are even aware of it, although the furore over Facebook’s privacy settings has been well documented.
The feature I’m referring to is the ability to see anyone’s private photographs purely because you are linked to them via someone else.
For example, here’s someone I don’t know:
His name is Mark, and he’s a friend of a friend.
He’s very private and doesn’t share information with me, as is his right.
But here’s Mark at Jeff’s wedding.
I don’t know Jeff either, but this is him and his gorgeous new wife.
Now I could have used many other photos from friends to show how to abuse the system, but will stop there as I already feel I've abused my friends enough by posting these private pictures.
The point is that they are not private though, and not many folks realise that Facebook’s privacy settings change all the time, allowing those you don't want to see you to see you.
Even Facebook CEO Mark Zuckerberg realised how much of an issue this could become when private photos on his Facebook profile were accessed, such as this one of him and his girlfriend relaxing:
For example, the Mark I don’t know I could just as easily find through LinkedIn or other social media.
And that’s the point: to be found.
But here’s where it gets nasty because, by being so easily accessible, anyone can be found and potentially compromised.
For example, some enterprising Dutch folks created pleaserobme.com a wee while ago:
The site was designed to pick up all location updates on twitter, foursquare and other social networking sites to show when you were not at home.
What better time to rob you?
Equally, I used to illustrate how nasty this could become by talking about a bank employee whose family details were found on Facebook, and the information was used to blackmail her. I stopped telling the story when one bank told me that had happened in reality, mine was fictional, and the criminals had killed her son to get access to the bank. That’s where it gets nasty.
Is there any point to this blog entry?
Yes.
Bearing in mind that our reckless social world of networking is going to mean that customers will willingly give away name, address, telephone number, birth date, mother’s maiden name, friends, location, habits and more, banks must:
Find some other way to authenticate than personal information
Educate customers on the dangers of divulging such information and show them how to protect themselves
Make clear that where information is made available by a customer through social media that, if this information is used to access their account, then they are liable for any losses
You may say it’s the job of the government or the customer to be aware of this.
Well, they’re not. Nor are the banks. For example, I regularly cite First Direct as the best bank in Britain who ‘get’ social media.
So I go onto their website and look at the security section, which explains how to keep yourself protected.
Like most banks, they tell you about viruses and firewalls – as in protecting your computer – but nothing about social media and networking – as in protecting your identity.
This is a major oversight in all banks, and it must change and change fast.
After all, over 500 million people are using Facebook alone!
p.s. in case you wondered why I picked on First Direct, it is because they are voted Britain’s best bank in regular polls of UK consumers. In addition, their CEO, Matt Colebrook, will be our guest of honour as speaker at the FSClub London on Monday night. More details here, if you want to come along.
During the past week, the US Magazine Global Post published an amazing series of articles about the insider truth of being a private banker with UBS in Switzerland.
The five article series charts the operations of one Bradley Birkenfeld - a Boston-born, high-flying, cross-border banker - at Switzerland’s premier financial institution, UBS. In this role, he had access to secret account information that law enforcement officers can only dream of.
Here are a few extracts from the series that made my eyebrows raise a little:
“At UBS, clients’ names and their account information are divided irreconcilably between separate computer servers in secret locations. Even for a world-class hacker with free roam of electronic bank records, identifying the owner of a numbered account is literally ‘Mission: Impossible’ ... the only seam of vulnerability resided in nothing more advanced than the kind of old-school card catalog you might find in a local library. At the start of business each morning, private bankers like Birkenfeld, then a director in the wealth management division of UBS, would check in at combination vaults to pull their ‘racks’ — wooden trays of 4x5 paper index cards that are the Achilles heel of Swiss secrecy. Printed on each confidential client card — in plain, unencrypted typeset — is the client’s name, account and safety deposit box numbers, the fees paid, and home addresses and unique passwords — secret challenge phrases known only to the banker and the client that are used to verify identity on the phone (‘Rose and Eagle’ on a surreptitiously photocopied card Birkenfeld showed me). ‘If I was really devious ... I would have just taken my gym bag, slid them in, walked out the door, hopped on a plane,’ Birkenfeld laughed during our interview.”
Of course, these leaks are now becoming more common (see HSBC).
“The bank had held training sessions for cross-border bankers on how to elude FBI and U.S. Customs scrutiny when traveling with sensitive bank documents; how to obscure client information on PDAs and encrypted laptops; and various other evasive trade craft not usually associated with honest banking ... The bank would admit to intentionally subverting U.S. tax laws and defrauding the U.S. government by sending dozens of unregistered bankers, Birkenfeld among them, to the United States on thousands of illegal trips to facilitate tax evasion schemes for wealthy U.S.-based clients — a fraud hiding as much as $20 billion in secret undeclared accounts and earning UBS up to $200 million a year in ill-begotten profits.”
And these are law-abiding citizens?
Oh yes, they are:
“To avoid criminal prosecution, and potential ruin, the bank would agree to pay a $780 million fine and, most controversially, agree to turn over names of thousands of American account holders to the IRS, a betrayal on par with original sin in Switzerland. The move was approved by the Swiss parliament in June, clearing the way for the release of the documents and what could be thousands of pending cases. Eventually, the Swiss government itself would bow under the weight of the evidence accumulated against UBS and, in high-level settlement discussions with the U.S. State Department, concede to new treaty terms to prevent Switzerland’s leading bank from losing its licenses to do business in the U.S. Meanwhile, the investigations sent nearly 15,000 American tax offenders, the vast majority with undeclared UBS accounts, into the arms of a new IRS amnesty program ...”
Actually, just realised that I could quote the whole lot. Instead, I just suggest you read it.
Click here for Part One
What a funny old week it’s been. Having blogged a lot about identity in the past, the week began with two peak time TV viewing programs about identity on Monday: Who do you think you are? on the BBC and Identity on ITV.
These programs are all about finding out about you and then keeping your you-ness your own.
In the case of the Beeb, celebrities trace their family history and find out what skeletons, heroes and rogues they have hiding in the cupboard.
In the case of ITV's Identity, these descriptions give away the idea:
Identity is a new series following an elite police unit working on identity crime. In the first episode, a man arrested for shooting a police officer claims he has been set up by an identity thief. In episode two, the team are brought in on a murder investigation when a young British woman is killed abroad - and her passport used by another woman after her death. And in last Monday’s episode, a woman is in the witness protection scheme when her name is leaked online.
Why am I blogging about this?
Because identity is now entertainment.
Take the new exhibition being advertised all over London at the Science Museum with the theme: Who am I?
Who am I? invites you to explore the science of who you are through intriguing objects, provocative artworks and hands-on exhibits.
Discover what your voice sounds like as a member of the opposite sex, morph your face to see what you’ll look like as you age, or collect DNA to catch a criminal in our brand-new interactive exhibits. Investigate some of the characteristics that make humans such a successful species, such as personality, intelligence and language. Reflect on the big questions that new techniques in science are raising, and explore how your genetics and brain combine to create your unique identity.
This exhibition is on every billboard on the London train network ...
... right next to this one from Experian ...
What all of this tells us is that our uniqueness is important. Our identity is our key to unlocking the riches of the world or losing them. Our identity is so intrinsic to access and ownership, that it is our most important asset.
Our identity is us.
You are you and me is me thanks to this unique code.
In other words, we are all individuals. We are all different ...
And there are a number of blogs dedicated to identity management issues, such as Dave Birch’s Digital Identity Blog and Kim Cameron’s Identity Blog. There’s even a film called Identity, although it has nothing to do with identity management and is far more related to being schizophrenic.
So what is the problem with identity?
Maybe it is related to the latter – not being schizophrenic but certainly having multiple identities. That’s the issue.
We need a way to uniquely identify people for governmental purposes and for financial matters.
From a government perspective, it’s all to do with taxation and benefits, with far too many people being able to buck the benefits systems and claim multiple benefits for multiple identities when all the money is flowing to a single claimant.
The same is true in finance, where it is too easy to create multiple accounts with multiple names and addresses. We may say, with all the AML rules about account opening, that this is not true today ... not true.
Students learn the benefit of multiple overdrafts early in life. For example, a comment from Sam Sam in the Student Room:
Re: Opening multiple student accounts
“In the blurb that you have to agree to, the banks often want to know that the account with them will be either your 'only' or your 'main' student account. loads of people have several different accounts though, people just tell porkies. If you need to provide a previous bank statement or something, you could just take a statement from a regular/solo account. just don't tell them.”
But do they do this with different names and addresses ... probably not.
For example, I have multiple bank accounts – business and personal – but they all come back to a single, unique person and address.
And what happens to that single, unique person and address?
They give it away on Facebook:
"The days of you having a different image for your … co-workers and for the other people you know are probably coming to an end pretty quickly … Having two identities for yourself is an example of a lack of integrity." Mark Zuckerberg, founder and CEO of Facebook
Yea right.
So here’s my lack of integrity: I’ve got two Facebook accounts, three bank accounts, four Twitter accounts, five credit cards, several land addresses and many more email addresses and yes, you’ve guessed it, about ten different personalities.
Shucks!All of the above makes it clear how it is possible to defraud or disappear, if you know how.Case in point: Jason Bourne.In the excellent series of films about Bourne, which began with the Bourne Identity (there's that word again), we learn that he’s a lost man. What is his identity? Who is he? How can he find out? How can he prove he is Jason Bourne?Living under a pseudonym with memory loss means the original person has been lost.Good film ... but it is all fiction isn’t it?Nope.The proof reader of Neil Strauss’s latest book, Emergency (March 2009), talks about how to be a Jason Bourne in real life, through the creation of multiple bank accounts and holding several passports. “If you wanted to withdraw your entire life savings and move it to a bank in Switzerland, what would you do? Now that I’d decided to hide my assets offshore, the information from the Sovereign Society conference about the government tracking withdrawals and transfers of more than $10,000 applied to me. It seemed impossible to get the money from my American bank to the Swiss bank Spencer recommended without ringing alarm bells. Even if I moved it in small increments, there would still be a paper trail detailing exactly how much money I’d transferred. So I did what any resourceful American would do: I bought a book on money laundering.”Oh, so simple ... if you want to do this. I'm not advising that btw, but the potential and possibilities are clear and, whilst we have these gaps in the system for those who want or need to leverage and crack them open, identity management will always be an issue for governments and banks.So what’s the solution?An identity card with biometric recognition? A DNA database of all citizens?Nah. 
The UK has tried both, and the first thing the new UK government has shut down is the biometric identity card programme, because it's too expensive, and their efforts to keep a DNA database are severely challenged.
So what is the solution?
I personally don't think there is one. A bit like fraud, there will always be an 'acceptable level' of fraudulent identity usage.
The question then is what is that 'acceptable' level and how do you minimise money laundering, fraud and other underhand activity?
Probably through some sort of government and bank shared identity tracking system.
That would be my best guess anyway.
Meanwhile, must disappear now as I need to put some money into my very private Swiss bank account.
Some years ago, I delivered a presentation as a keynote with the title: “All Bankers are Criminals”.
I actually didn’t mean “all”.
The chicken feed, battery farmed, commercial, transactional and retail bankers are pin-stripe suited, humble pie, nice guys.
I was talking about the evil animals of Wall Street and the City.
These jungle animals hunt you down, rip out your wallet and tear your money apart note-by-note.
OK, I exaggerate a little, but you get the idea.
The first time I gave this presentation was back in Summer 2005 at a European Conference, and repeated it again in Spring 2006, as an Associate Director of TowerGroup.
The theme of the presentation mainly came from Frank Partnoy's excellent book Infectious Greed, which traces the growth of what Warren Buffett, in his 2002 shareholder letter, called 'financial weapons of mass destruction': derivatives.
It is quite clear from this book that unchecked investment markets will run free of scruples and morals. This is what happened with Frank Quattrone of Credit Suisse and the dotcom boom and bust, along with many other examples through history.
It is not necessarily as true when we talk about arbitrage strategies and the John Meriwethers of this world. However, these people are far more dangerous because they create systemic risk in the financial markets that can bring down companies and countries.
In case you are wondering who John Meriwether is, he was one of the first arbitrage players and built Salomon Brothers into the 'big swinging dick', master-of-the-universe world so brilliantly depicted in Michael Lewis's book Liar's Poker.
The use of arbitrage instruments by Meriwether and his colleagues led to the downfall of Salomon Brothers – it was subsequently merged into Citigroup – and Meriwether went on to create Long-Term Capital Management (LTCM).
In 1998 LTCM lost $4.6 billion in less than four months and became the leading case study for how systemic risk created by derivatives products, combined with massive leverage and arbitrage risk models, creates a financial deck of cards: a deck that can rise and fall in the blink of an eye, with the fall potentially ruining companies, markets, countries and governments, as happened in the most recent crisis.
Anyway, not to be dissuaded from his cause, Meriwether went on to found JWM Partners, another highly leveraged "relative value arbitrage" firm. Yet again, he built leverage through this hedge fund from its opening with $250 million under management in 1999 to a massive $3 billion firm by 2007. Of course, it was all just on paper, as the latest crisis battered the fund, losing almost half of its value between September 2007 and February 2009. The deck of cards strikes again. It closed in late 2009 and guess what? Meriwether's about to launch yet another hedge fund, based upon just the same concepts.
To me, this is the criminality of the financial system in action: firms that build highly leveraged derivatives instruments for short-term arbitrage, with unproven skills and massive risk.
Not that I'm calling Meriwether a criminal, as it's all perfectly legitimate under SEC and FSA rules.
Or it was.
It may be that the Goldman Sachs furore will change all this.
You see, Goldman Sachs, like Meriwether, is very good at taking leverage and risk and managing the markets to gain short-term profit. Like Meriwether, Goldman Sachs succeeded in using these tools and instruments to generate massive profits. They achieved a record 131 trading days last year in which the bank made at least $100 million net trading revenue each day.
Unlike Meriwether, Goldman Sachs managed to offload and hedge their risks back to others, such as AIG and IKB, such that when the markets collapsed their clients, suppliers and partners got burnt, but not them.
Nothing wrong with that, as it's all perfectly legitimate under SEC and FSA rules. Unless the SEC and FSA find Goldman Sachs guilty of fraud.
But how can they be guilty of a crime that was not a crime at the time it was committed?
There's the rub.
I'm sure the SEC will aim to build a bulletproof case, and their cause is a worthy one: clean up the financial system. Is it worthy to do this so publicly?
Not sure.
Is it worthy to name the defendant up front, when the burden of proof has yet to be met?
Not sure.
The Goldman Sachs case is actually more like watching a rape trial in action, where the defendant is a shifty-looking guy who seems guilty whether guilty or not.
For example, if you name someone like Jack Tweed in the UK, you might still associate him with being a rapist even though he was found not guilty.
The guilt sits there, and that's what will happen with Goldman Sachs.
Whether guilty or not – and they've hired the best team possible to defend themselves, including "Master of Disaster" Mark Fabiani – we will always associate Goldman Sachs with something smelly for the foreseeable years to come.
Ho-hum.
At least all of this seems to inspire some humour. For example, in an April episode of the hit US series This American Life (TAL), they tell the story of a hedge fund that comes up with an elaborate plan to make money. It sponsors the creation of complicated and ultimately toxic financial securities while, at the same time, betting against the very securities it helped create. TAL commissioned a Broadway song to go along with the story:
The only thing that really gets me, in finishing this blog entry, is Warren Buffett.
The Sage of Omaha has made his billions through a prudent focus upon 'value investing'. That means investing in strong and robust businesses like Coca-Cola, American Express, Gillette and the Washington Post. So when he referred to derivatives as 'financial weapons of mass destruction' in his shareholder letter of 2002, I respected the man and his integrity of thought.
Now, having found Goldman Sachs under attack, he has stepped up to their defence, and I wondered why.
Warren Buffett is an intriguing character, as we all know. The friend of kings and kingmakers, he walks a path separate to most.
He knows the dangers of arbitrage, derivatives and leverage, because he had to step into Salomon Brothers in 1991 to clean up the mess left by Meriwether and his colleagues.
An extract from Carol Loomis's in-depth review of Buffett's experience at Salomon:
“You may reasonably ask what was going on in Salomon's stock while all of this was transpiring. It was emphatically down, from above $36 per share on Friday to under $27 on Thursday, when the second press release rocked the market. But the stock was only the facade for a much graver matter, a corporate financial structure that by Thursday was beginning to crack because confidence in Salomon was eroding. It is not good for any securities firm to lose the world's confidence. But if the firm is "credit dependent," as Salomon was to an extreme, it cannot tolerate a negative change in perceptions. Buffett likens Salomon's need for confidence to a mortal's need for air: When the required good is present, it's never noticed. When it's missing, that's all that's noticed.
“Unfortunately, the erosion of confidence was occurring in a company grown enormous. Salomon in August of 1991 had bulged up to $150 billion in assets (not counting, of course, huge off-balance-sheet items) and was among the five largest financial institutions in the U.S. Propping the company on the right-hand side of the balance sheet was--are you ready?--only $4 billion in equity capital, and above that was about $16 billion in medium-term notes, bank debt, and commercial paper. This total of about $20 billion was the capital base that supported the remaining $130 billion in liabilities, most of these short-term, due to run off in one day to six months.”
The result was that Warren Buffett had to take over personally as manager of Salomon Brothers for a nine-month period, and it was emotionally exhausting for him.
Switch to 2010.
Warren Buffett invested heavily in Goldman Sachs in September 2008 – when Lehman Brothers, Merrill Lynch and Morgan Stanley were all imploding – buying $5 billion of preferred stock at a 10 percent dividend. That investment earns him $950 a minute, or $500 million a year, today. No wonder he claims to be in love with it.
Trouble is that the alleged fraud at Goldman Sachs has really hit their share price. For example, Standard & Poor's downgraded Goldman shares to "Sell" and lowered their target price by $40 to $140 the other day.
Thinking back to Salomon – if the firm is "credit dependent," as Salomon was to an extreme, it cannot tolerate a negative change in perceptions – Buffett must be seriously worried about Goldman Sachs losing its creditworthiness, especially as it depends on good credit.
Oh yes, and having called derivatives 'financial weapons of mass destruction', guess what? Berkshire Hathaway, Warren Buffett's investment firm, has a massive portfolio of derivatives investments. From the Wall Street Journal last week: "Democrats took a step toward their goal of overhauling financial regulation, reaching a tentative deal to set restrictions on trading in exotic financial instruments known as derivatives. Among the considerations still in the balance: A big provision being sought by Warren Buffett in recent weeks ... the provision, sought by Berkshire and pushed by Nebraska Senator Ben Nelson in the Senate Agriculture Committee, would largely exempt existing derivatives contracts from the proposed rules. Previously, the legislation could have allowed regulators to require that companies such as Nebraska-based Berkshire put aside large sums to cover potential losses. The change thus would aid Berkshire, which has a $63 billion derivatives portfolio, according to Barclays Capital."
Hmmm ... maybe that greed is infectious, although Morningstar analyst Bill Bergman supports Mr. Buffett's exemption by stating that: "claiming Berkshire poses a risk to the financial system is a difficult case to make."
Either way, yesterday's move by the US towards approval of a Financial Reform Bill to handle the issues of banks that are 'too big to fail' takes the American system one step nearer to taking a lead role in a new financial architecture.
Derivatives are next ... and Warren Buffett, like Lloyd Blankfein at Goldman Sachs and all of those current and former bankers and brokers who dealt in toxic derivatives across the world, must be worried.
Postnote: here is Berkshire Hathaway’s full commentary on derivatives from that shareholder letter back in 2002:
Charlie and I are of one mind in how we feel about derivatives and the trading activities that go with them: We view them as time bombs, both for the parties that deal in them and the economic system.
Having delivered that thought, which I'll get back to, let me retreat to explaining derivatives, though the explanation must be general because the word covers an extraordinarily wide range of financial contracts. Essentially, these instruments call for money to change hands at some future date, with the amount to be determined by one or more reference items, such as interest rates, stock prices or currency values. If, for example, you are either long or short an S&P 500 futures contract, you are a party to a very simple derivatives transaction – with your gain or loss derived from movements in the index. Derivatives contracts are of varying duration (running sometimes to 20 or more years) and their value is often tied to several variables.
Unless derivatives contracts are collateralized or guaranteed, their ultimate value also depends on the creditworthiness of the counterparties to them. In the meantime, though, before a contract is settled, the counterparties record profits and losses – often huge in amount – in their current earnings statements without so much as a penny changing hands.
The range of derivatives contracts is limited only by the imagination of man (or sometimes, so it seems, madmen). At Enron, for example, newsprint and broadband derivatives, due to be settled many years in the future, were put on the books. Or say you want to write a contract speculating on the number of twins to be born in Nebraska in 2020. No problem – at a price, you will easily find an obliging counterparty.
When we purchased Gen Re, it came with General Re Securities, a derivatives dealer that Charlie and I didn't want, judging it to be dangerous. We failed in our attempts to sell the operation, however, and are now terminating it.
But closing down a derivatives business is easier said than done. It will be a great many years before we are totally out of this operation (though we reduce our exposure daily). In fact, the reinsurance and derivatives businesses are similar: Like Hell, both are easy to enter and almost impossible to exit. In either industry, once you write a contract – which may require a large payment decades later – you are usually stuck with it. True, there are methods by which the risk can be laid off with others. But most strategies of that kind leave you with residual liability.
Another commonality of reinsurance and derivatives is that both generate reported earnings that are often wildly overstated. That's true because today's earnings are in a significant way based on estimates whose inaccuracy may not be exposed for many years.
Errors will usually be honest, reflecting only the human tendency to take an optimistic view of one's commitments. But the parties to derivatives also have enormous incentives to cheat in accounting for them. Those who trade derivatives are usually paid (in whole or part) on "earnings" calculated by mark-to-market accounting. But often there is no real market (think about our contract involving twins) and "mark-to-model" is utilized. This substitution can bring on large-scale mischief. As a general rule, contracts involving multiple reference items and distant settlement dates increase the opportunities for counterparties to use fanciful assumptions. In the twins scenario, for example, the two parties to the contract might well use differing models allowing both to show substantial profits for many years. In extreme cases, mark-to-model degenerates into what I would call mark-to-myth.
Of course, both internal and outside auditors review the numbers, but that's no easy job. For example, General Re Securities at yearend (after ten months of winding down its operation) had 14,384 contracts outstanding, involving 672 counterparties around the world. Each contract had a plus or minus value derived from one or more reference items, including some of mind-boggling complexity. Valuing a portfolio like that, expert auditors could easily and honestly have widely varying opinions.
The valuation problem is far from academic: In recent years, some huge-scale frauds and near-frauds have been facilitated by derivatives trades. In the energy and electric utility sectors, for example, companies used derivatives and trading activities to report great "earnings" – until the roof fell in when they actually tried to convert the derivatives-related receivables on their balance sheets into cash. "Mark-to-market" then turned out to be truly "mark-to-myth."
I can assure you that the marking errors in the derivatives business have not been symmetrical. Almost invariably, they have favored either the trader who was eyeing a multi-million dollar bonus or the CEO who wanted to report impressive "earnings" (or both). The bonuses were paid, and the CEO profited from his options. Only much later did shareholders learn that the reported earnings were a sham.
Another problem about derivatives is that they can exacerbate trouble that a corporation has run into for completely unrelated reasons. This pile-on effect occurs because many derivatives contracts require that a company suffering a credit downgrade immediately supply collateral to counterparties. Imagine, then, that a company is downgraded because of general adversity and that its derivatives instantly kick in with their requirement, imposing an unexpected and enormous demand for cash collateral on the company. The need to meet this demand can then throw the company into a liquidity crisis that may, in some cases, trigger still more downgrades. It all becomes a spiral that can lead to a corporate meltdown.
Derivatives also create a daisy-chain risk that is akin to the risk run by insurers or reinsurers that lay off much of their business with others. In both cases, huge receivables from many counterparties tend to build up over time. (At Gen Re Securities, we still have $6.5 billion of receivables, though we've been in a liquidation mode for nearly a year.) A participant may see himself as prudent, believing his large credit exposures to be diversified and therefore not dangerous. Under certain circumstances, though, an exogenous event that causes the receivable from Company A to go bad will also affect those from Companies B through Z. History teaches us that a crisis often causes problems to correlate in a manner undreamed of in more tranquil times.
In banking, the recognition of a "linkage" problem was one of the reasons for the formation of the Federal Reserve System. Before the Fed was established, the failure of weak banks would sometimes put sudden and unanticipated liquidity demands on previously-strong banks, causing them to fail in turn. The Fed now insulates the strong from the troubles of the weak. But there is no central bank assigned to the job of preventing the dominoes toppling in insurance or derivatives. In these industries, firms that are fundamentally solid can become troubled simply because of the travails of other firms further down the chain.
When a "chain reaction" threat exists within an industry, it pays to minimize links of any kind. That's how we conduct our reinsurance business, and it's one reason we are exiting derivatives.
Many people argue that derivatives reduce systemic problems, in that participants who can't bear certain risks are able to transfer them to stronger hands. These people believe that derivatives act to stabilize the economy, facilitate trade, and eliminate bumps for individual participants. And, on a micro level, what they say is often true. Indeed, at Berkshire, I sometimes engage in large-scale derivatives transactions in order to facilitate certain investment strategies.
Charlie and I believe, however, that the macro picture is dangerous and getting more so. Large amounts of risk, particularly credit risk, have become concentrated in the hands of relatively few derivatives dealers, who in addition trade extensively with one other. The troubles of one could quickly infect the others.
On top of that, these dealers are owed huge amounts by non-dealer counterparties. Some of these counterparties, as I've mentioned, are linked in ways that could cause them to contemporaneously run into a problem because of a single event (such as the implosion of the telecom industry or the precipitous decline in the value of merchant power projects). Linkage, when it suddenly surfaces, can trigger serious systemic problems.
Indeed, in 1998, the leveraged and derivatives-heavy activities of a single hedge fund, Long-Term Capital Management, caused the Federal Reserve anxieties so severe that it hastily orchestrated a rescue effort. In later Congressional testimony, Fed officials acknowledged that, had they not intervened, the outstanding trades of LTCM – a firm unknown to the general public and employing only a few hundred people – could well have posed a serious threat to the stability of American markets. In other words, the Fed acted because its leaders were fearful of what might have happened to other financial institutions had the LTCM domino toppled. And this affair, though it paralyzed many parts of the fixed-income market for weeks, was far from a worst-case scenario.
One of the derivatives instruments that LTCM used was total-return swaps, contracts that facilitate 100% leverage in various markets, including stocks. For example, Party A to a contract, usually a bank, puts up all of the money for the purchase of a stock while Party B, without putting up any capital, agrees that at a future date it will receive any gain or pay any loss that the bank realizes.
Total-return swaps of this type make a joke of margin requirements. Beyond that, other types of derivatives severely curtail the ability of regulators to curb leverage and generally get their arms around the risk profiles of banks, insurers and other financial institutions. Similarly, even experienced investors and analysts encounter major problems in analyzing the financial condition of firms that are heavily involved with derivatives contracts. When Charlie and I finish reading the long footnotes detailing the derivatives activities of major banks, the only thing we understand is that we don't understand how much risk the institution is running.
The derivatives genie is now well out of the bottle, and these instruments will almost certainly multiply in variety and number until some event makes their toxicity clear. Knowledge of how dangerous they are has already permeated the electricity and gas businesses, in which the eruption of major troubles caused the use of derivatives to diminish dramatically. Elsewhere, however, the derivatives business continues to expand unchecked. Central banks and governments have so far found no effective way to control, or even monitor, the risks posed by these contracts.
Charlie and I believe Berkshire should be a fortress of financial strength – for the sake of our owners, creditors, policyholders and employees. We try to be alert to any sort of megacatastrophe risk, and that posture may make us unduly apprehensive about the burgeoning quantities of long-term derivatives contracts and the massive amount of uncollateralized receivables that are growing alongside. In our view, however, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.
It fascinates me when we talk about ‘identity’ that we always seem to think of identity management as being a single thing ... but it’s not.
First, there's the use of identity for identification; second, for authentication; third, for verification; and fourth, for fulfilment. Then there are the many instances of providing and proving identification: at a bank, at an airport or border control, at a vehicle hire firm or other high-cost rental, when opening a telephone account or similar service, when picking up tickets for a concert, etc. Finally, there are the many reasons for needing identity checks, from tracking money laundering and politically exposed persons (PEPs), to fraud and identity theft issues, to just checking that you are who you say you are.
Although these all sound the same, they have distinct differences, which is the reason why there are so many identity solutions out there. Generally, such solutions fall into one of two camps, an anti-fraud focus or a verification process, with the process being based upon:
Something you know, such as a PIN, Password or Personal Fact
Something you have, such as Card, Token or Telephone
Something you are, such as a Fingerprint, Voice or other Biometric
Somewhere you are, based upon GPS location or similar proximity analysis
Some way you behave, such as your general activities, channel usage and location
Obviously the five areas above are also inter-connected, as you could use a PIN, biometric and telephone along with location services to verify a user based upon five-factor authentication rather than two. But we don't do that today, and some banks struggle with even one-factor authentication.
You cannot be serious, I hear you cry, but no, it's true.
Ring your bank and pretend to be someone else.
I've done it.
I had to pretend to be my father-in-law and it was easy once you got the bravado together to claim to be someone you're not.
So the question of identity for authentication and verification is still not good enough.
What are the potential solutions out there?
Generally, further variations on the above.
For example, I recently went to a presentation by two firms that use the word identity in their company name. Both firms were focused upon improving password security by offering easier password access and control.
I then got a call from another firm with identity in their name, and they wanted to talk to me about biometrics.
A third firm offered to provide mobile-based authentication services.
So let's look at these variations in a little more depth.
First, the something you have.
This is the most basic form of identification – a document, validated by an authority, that says: "yes, it's you".
Often a card and sometimes a card with your photograph on it, this identification has been around since the war.
The trouble with this form of identity is that it can be forged, copied, stolen and easily used by another card holder.
Therefore, we introduced the something you know.
The idea here is that there is a secret code that goes with the card to show that not only is the person presenting the card the owner, but they can prove it.
The most common something you know is a Personal Identification Number, or PIN. PINs are generally allocated by the bank but can be changed to whatever you want.
Although reasonably secure, a PIN is easy to second-guess or, thanks to Chip & PIN, to shoulder-surf and steal.
Equally, PINs can be captured and compromised via machine-in-the-middle attacks, and so banks supplemented the four-digit PIN by asking for things like date of birth and mother's maiden name.
It soon became obvious that criminals could find out such information from public records, and so we are now in a world of much more complex codes and secrets.
For example, GrIDsure offer a pattern-based PIN so that criminals cannot predict your PIN numbers. Equally, RSA Security offer lots of tokens and keys to generate one-time passwords on top of basic identity information, to ensure that a criminal is foiled.
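The one-time password tokens mentioned above work from a shared secret and a moving counter rather than a static, guessable PIN. As an added example (not code from this post, and not any vendor's implementation), here is the HMAC-based One-Time Password algorithm from RFC 4226 in Python, together with a server-side check that tolerates a small look-ahead window but rejects replayed codes. The 20-byte secret is the RFC's own published test key; the design assumption that the bank stores the last accepted counter per customer is mine, not the post's.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"). A real token would
# hold a random per-customer key provisioned at issue time.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based One-Time Password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation':
    the low nibble of the last digest byte selects a 4-byte window, the top
    bit of that window is cleared, and the value is reduced modulo 10^digits.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                window: int = 5):
    """Server-side check (assumed design: the bank stores the last accepted
    counter per customer and advances it on every success).

    Accepts the code if it matches the stored counter or one of the next
    `window` counters (the customer may have pressed the token a few times
    without submitting). Any code at or below an already-used counter is a
    replay and is never accepted. Returns the new counter to store, or None.
    """
    if len(candidate) != 6 or not candidate.isdigit():
        return None
    for c in range(stored_counter, stored_counter + window + 1):
        # Constant-time comparison so timing does not leak the match position.
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(DEMO_SECRET, n))
    print("accept:", verify_hotp(DEMO_SECRET, 0, hotp(DEMO_SECRET, 1)))
    print("replay:", verify_hotp(DEMO_SECRET, 2, hotp(DEMO_SECRET, 1)))
```

The point of the stored counter is the caveat the post hints at: a one-time code is only "one-time" if the verifier refuses to accept it twice, so the server must persist the counter it last accepted and never move it backwards.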
Unfortunately, in the latter case, many of these efforts just add to the effort required for the customer every time they are trying to make a payment or access the bank service. For example, we have the Chip Authentication Program (CAP) and Personal Card Readers (PCR) in the UK for online payments processing.
The trouble is that you have to have the terminals with you and, even if you do, people use them so infrequently that they often forget the process. As a result, their use of online payments falls whilst PayPal goes from strength to strength.
The reason? PayPal is simple, easy and convenient, but PCRs are not.
Equally, what is really interesting in the two instances above is that these things are already being side-tracked by the mobile telephone, which offers something you have that is unique – your SIM card and telephone number – along with an interactive dialogue for access to PINs and one-time passwords.
In addition, it offers an easy way to track where you are, and hence can be a good way of triangulating information for a bank. For example, if someone tries to withdraw cash or make a payment in New York when their mobile telephone's GPS signal is being picked up in San Francisco, the bank could immediately question such transactions.
Therefore, I wholly expect the mobile telephone to become the key to most forms of identification.
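The New York versus San Francisco check described above is a distance-and-velocity test between the handset's last known position and the point of transaction. As an added example, not code from this post or from any bank's fraud engine, here is that check in Python: great-circle distance via the haversine formula, then a decision that allows nearby transactions, steps up to another factor when the distance is large but reachable in the elapsed time (the GPS fix may simply be stale), and declines "impossible travel". The coordinates and timestamps are constructed sample data, and the 50 km radius and 900 km/h ceiling are my assumed thresholds.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Sighting:
    """A position fix: latitude/longitude in degrees, Unix timestamp in seconds."""
    lat: float
    lon: float
    ts: int


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_transaction(phone: Sighting, tx: Sighting,
                       max_distance_km: float = 50.0,
                       max_speed_kmh: float = 900.0):
    """Return (decision, distance_km, required_speed_kmh).

    'allow'   : transaction is within max_distance_km of the handset.
    'step_up' : far from the handset, but the customer could have travelled
                there since the fix (stale GPS), so ask for another factor.
    'decline' : the implied speed exceeds max_speed_kmh (impossible travel).
    """
    dist = haversine_km(phone.lat, phone.lon, tx.lat, tx.lon)
    if dist <= max_distance_km:
        return "allow", dist, 0.0
    hours = abs(tx.ts - phone.ts) / 3600.0
    speed = math.inf if hours == 0 else dist / hours
    if speed > max_speed_kmh:
        return "decline", dist, speed
    return "step_up", dist, speed


# Constructed sample data (not real customer events).
SAN_FRANCISCO = (37.7749, -122.4194)
NEW_YORK = (40.7128, -74.0060)
MIDTOWN = (40.7580, -73.9855)


def run_samples():
    """Three scenarios, keyed by name, so the decisions can be checked."""
    return {
        # Phone in Midtown five minutes ago, ATM downtown: a few km, allow.
        "local": assess_transaction(Sighting(*MIDTOWN, 1_000_000),
                                    Sighting(*NEW_YORK, 1_000_300))[0],
        # Phone in SF ten minutes ago, card used in NY: impossible travel.
        "impossible": assess_transaction(Sighting(*SAN_FRANCISCO, 1_000_000),
                                         Sighting(*NEW_YORK, 1_000_600))[0],
        # Phone last seen in SF six hours ago: a flight could explain it.
        "flight": assess_transaction(Sighting(*SAN_FRANCISCO, 1_000_000),
                                     Sighting(*NEW_YORK, 1_000_000 + 6 * 3600))[0],
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name}: {decision}")
```

The three-way outcome matters in practice: a handset that has not reported for hours is not evidence of fraud, only of uncertainty, so the right response is a step-up challenge rather than a hard decline.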
The mobile can even play directly into the biometrics field, thanks to fingerprint recognition and even apps under discussion that will use the mobile telephone’s camera for iris or face recognition. In particular, the work of Voice Commerce to create voice biometric payments is of interest here.
Voice Commerce is now a PSD-approved Payments Institution and Visa Partner, all based upon mobile voice biometric services.
So where does that take us?
The mobile telephone becomes the unique identity management system for future financial services?
Sure, it provides a clear capability to track behaviour and location, along with easy verification and validation of something you have and something you know, and potentially something you are.
But is that it?
What happens if you lose the telephone? What happens if you forget the codes or passwords? Is voice biometrics really ready for prime time? What I am really asking is: what is the process on the other end of the telephone that's required?
This still therefore mandates a clear bank identity management system, shared across multiple institutions, which can allow the user to access finance with just a single sign-on rather than multiple sign-ons.
That's the thought for next generation financial services. A simple multibank, cross-border identity system that can work easily, simply and conveniently behind the mobile bank interface.
Hmmmm ... I wonder what system that could be?
Whichever system it is has to have a number of key features.
First, it will not just be a technology solution, as there must be clear and recognised policy, legal and operational rules which allow the scheme to operate across borders and banks.
Second, an identity scheme cannot just be a "number". Numbers are too easy to break, and you therefore must have a name specified and associated with the number in order for the identity management system to allow transactions to be truly non-repudiable, as in legal.
Third, solutions have to be massively scalable, which means cloud-based today.
Fourth, it must be capable of supporting multiple applications across multiple geographies and multiple industry silos. And, whilst achieving all of the above, it needs to be simple to use but unbreakable.
Gamestation has discovered that more than 88% of the British public do not read the terms and conditions of a website before they make a purchase online.
As a result of the research, Gamestation has announced that on April 1st, in a test of its customers, it will include a clause in the terms and conditions stating that the customer grants the retailer the right to 'claim their immortal soul'. The online customer will be offered the opportunity to opt out of forgoing their soul by ticking a box in the small print. As a reward for their vigilance, they will receive a GBP5 discount voucher.
90% of customers agreed to the terms and conditions without reading them (either that or they were happy to surrender their souls). They then received an email stating: “Little did you realise that upon your last purchase from Gamestation.co.uk you also granted us a right to claim your humanity [...] To avoid future fatalities, always check the terms and conditions.”