Risk and Privacy Implications of Consumer Payment Innovation Ross Anderson Cambridge University.

Overview
- Competition: Sofort, Pingit
- Background on payment service regulation
- Cyber-crime patterns and trends in 2012
- Mobile payment trends
- Mobile wallets
- Carrier billing
- Remittance services, social, credit
- Ways forward for payment service regulators

Buying a plane ticket (1)

Buying a plane ticket (2)

Buying a plane ticket (3)

It’s fronting for this:

Sofortüberweisung
- Rapidly growing low-cost payment service
  - The merchant website redirects to Sofort
  - Sofort asks for the customer's bank account number and tries to log on to the bank
  - It relays the bank's authentication challenge to the customer
  - It uses a credit transfer to pay for the purchase
- A middleperson attack on online banking!
- Fee 0.75% + 10c instead of 2.5%
- The banks' legal action against Sofort failed after the federal competition authorities intervened

Pingit
- Barclays product for phone-based payment; the mobile number acts as a proxy for the account number
- Phase 1: Barclays customers only; peer-to-peer payment limit £300
- Phase 2: any bank's customer can use it, following a one-off direct-debit authorisation
- Background: banks want to abolish cheques
- Could mobile be a mould-breaker like Sofort?

Possible roadblocks
- Mobile payments are really successful in Kenya, Pakistan, South Africa, ... and bring significant social gains
- In developed countries they haven't taken off!
- Predictions of 1bn mobile payment users and $1trn turnover "within five years" have been made since 2002
- Innopay 2012 report: need speed, security, functionality
- But it may actually be about cost...

Possible roadblocks (2)
- Consumer protection is better on credit cards than on PIN debit (merchant discount 2.5% vs 1.5%)
- If we move to phone payments / Sofort at 0.75% there will be pressure to cut this
- Also, fraud runs at about 30 basis points online versus 5 face-to-face
- Protection is now good in the USA, OK in Finland and the Netherlands, bad in Britain, Spain and Latvia; this affects online confidence
- Will Reg E / Reg Z (the US rules on electronic fund transfers and consumer credit) be circumvented?

Possible roadblocks (3)
- The EU do-not-track directive is already causing grief to online businesses
- Privacy tussles will get worse with mobile: cellsite location history is sensitive data
- Controversy already: path.com, flurry.com
- Also: interaction with malware
- Now that the bad guys can steal money they are targeting smartphones (so far mostly diallers and SMS stealers, and mostly in China, but just wait!)

Future regulation?
- Payment regulation has always been dynamic: 130 years of tussles over forgery, cheque crossing, settlement, liability, interchange fees, ...
- Things are getting ever faster and more complex!
- Ever more of the players are nonbanks
  - First Data, IBM, ...
  - FICO, Experian, ...
  - Nokia, Blackberry, Google, eBay, Microsoft, ...
- Governance is going to be hard

Cyber-crime patterns
- Cyber-crime is now defined in the EU as just about every bad thing done with IT! But there are four basic types:
  - Traditional offences like tax fraud and welfare fraud
  - Offences with a rapidly changing modus operandi, like card fraud
  - Novel offences like fake antivirus scams
  - Platform offences such as running botnets
- As you work down the list, the indirect cost ratio (costs in anticipation and in consequence versus direct losses) rises sharply from 10 2, like the indirect costs of a mosquito bite

Whither payment fraud?
- Nilson 2010: card fraud $7.6bn (of which US $3.6bn)
- Our 2011 figures: card fraud costs $9.2bn direct and $2.4bn indirect
- Online bank fraud costs $690m direct and $1bn indirect (and is rising sharply thanks to Zeus)
- Opportunity costs are greater still (maybe $30bn)
- The move online, and the move to mobile, may increase fraud losses (even double them)
- 'Fraud Inc' might have a market cap of over $100bn
- But don't panic: this may still increase welfare

Existing mobile payment systems
- Biggest success in less developed countries
- Kenya, South Africa: PIN encrypted in the SIM card, transaction carried over the traditional bank network
- Others send PINs in the clear via USSD, and take the risk
- Peer-to-peer payments are being built out into peer-to-agent and even agent-to-agent
- The growing ecosystem includes access to government services and much else

Existing mobile payment systems (2)
- NFC payments started in Japan 10 years ago
- 2011: launch of Google Wallet (an app that does tap-and-pay via a secure element / NFC chip)
- 2012: NFC payments being promoted for the Olympics; TV coverage stoking fears of card cloning
- Technical risks include easier relay attacks and a series of engineering problems with EMV
- Governance problems include reprovisioning
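The "easier relay attacks" point deserves a worked illustration. The block below is an added example, not part of the talk and not code from any wallet or card vendor: it simulates a terminal challenging a card, once over the honest NFC path and once through a relay (a proxy device at the terminal, a mobile data link, and a mole reader next to the victim's card), and shows why every cryptographic check passes on both paths but a round-trip-time bound separates them. The key, the MAC construction (a toy stand-in for an EMV cryptogram), the link delays and the 500 µs bound are all constructed assumptions, not measurements of real hardware.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

CARD_KEY = b"constructed-card-key-0001"  # assumption: symmetric key shared by card and issuer


def card_respond(nonce: bytes) -> bytes:
    """The genuine card answers a terminal nonce with a MAC under its key
    (a toy stand-in for the EMV application cryptogram)."""
    return hmac.new(CARD_KEY, nonce, hashlib.sha256).digest()[:8]


@dataclass
class Link:
    """A hop with a fixed one-way delay in microseconds (constructed, not measured)."""
    one_way_us: int

    def send(self, payload: bytes, clock: list) -> bytes:
        clock[0] += self.one_way_us  # advance the simulated clock; payload is unchanged
        return payload


NFC = Link(one_way_us=40)         # terminal <-> card over the 13.56 MHz field
MOBILE = Link(one_way_us=15_000)  # proxy phone <-> mole phone over a mobile data link


def direct_card(nonce: bytes, clock: list) -> bytes:
    """Honest path: the victim's own card is in the field of the paying terminal."""
    return NFC.send(card_respond(NFC.send(nonce, clock)), clock)


def relayed_card(nonce: bytes, clock: list) -> bytes:
    """Relay path: a proxy device at the terminal forwards each command to a mole
    reader next to the victim's card and carries the answer back. Nothing is
    forged, so the MAC is always correct; only the timing changes."""
    n = NFC.send(nonce, clock)   # terminal -> proxy
    n = MOBILE.send(n, clock)    # proxy -> mole
    n = NFC.send(n, clock)       # mole -> victim's card
    r = card_respond(n)
    r = NFC.send(r, clock)       # card -> mole
    r = MOBILE.send(r, clock)    # mole -> proxy
    return NFC.send(r, clock)    # proxy -> terminal


def terminal_verify(path, bound_us: int = 500) -> dict:
    """Terminal side: fresh nonce, MAC check (done here for brevity; in EMV the
    issuer verifies the cryptogram), then reject if the round trip took longer
    than a genuine card in the field could have managed."""
    nonce = os.urandom(8)
    clock = [0]
    resp = path(nonce, clock)
    mac_ok = hmac.compare_digest(resp, card_respond(nonce))
    rtt_us = clock[0]
    return {"mac_ok": mac_ok, "rtt_us": rtt_us, "accepted": mac_ok and rtt_us <= bound_us}


if __name__ == "__main__":
    for name, path in (("direct", direct_card), ("relayed", relayed_card)):
        print(name, terminal_verify(path))
```

Both paths return `mac_ok: True`; only the relayed one fails the time bound (about 30 ms against a sub-millisecond honest round trip in this model). The caveat for practitioners is that deployed contactless EMV does not enforce a bound this tight (ISO 14443 frame waiting times are generous, and application-layer timing is noisy), which is exactly why relay attacks are easier on NFC than on contact cards; a robust version needs distance bounding at the physical layer rather than a software timer.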

Existing mobile payment systems (3)
- Carrier billing (e.g. premium-rate SMS) is in pain
- Android malware is leading to chargebacks in excess of 20% in some countries / sectors
- We've been here before (modem diallers)
- Fixes:
  - remove bad apps quickly from app stores
  - instrument the network to spot malware quickly
  - delay payment to suppliers
- Industry hopes the secure element (SE) will fix this, but PBX fraud is also rising very rapidly
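To make "instrument the network to spot malware quickly" concrete, here is an added example (not from the talk, and not any operator's detection logic) that runs two simple heuristics over constructed SMS records of the kind an operator sees on the network side: a handset that bursts messages to a premium-rate short code, and a short code that several handsets suddenly start texting in the same window, the pattern an app update carrying an SMS-sending payload produces. The short codes, the record format, the timestamps and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict

PREMIUM_CODES = {"80088", "90099"}  # assumption: premium-rate short codes (constructed)

# Constructed SMS records (timestamp_s, sender_msisdn, destination); not real traffic.
RECORDS = [
    (0,   "447700900101", "447700900001"),  # ordinary person-to-person text
    (100, "447700900101", "447700900001"),
    (0,   "447700900102", "80088"),         # handset 102: silent burst to a premium code
    (30,  "447700900102", "80088"),
    (60,  "447700900102", "80088"),
    (90,  "447700900102", "80088"),
    (120, "447700900102", "80088"),
    (150, "447700900102", "80088"),
    (200, "447700900103", "90099"),         # three handsets start texting the same code
    (230, "447700900104", "90099"),
    (260, "447700900105", "90099"),
    (300, "447700900103", "90099"),
    (500, "447700900106", "80088"),         # one charity-style donation: benign
]


def _max_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window of window_s seconds."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def flag_premium_sms(records, window_s=600, per_handset=5, handsets_per_code=3):
    """Return handsets bursting to a premium code and premium codes that several
    handsets began texting within one window. Thresholds are assumptions."""
    per_pair = defaultdict(list)   # (sender, code) -> send times
    first_seen = defaultdict(dict)  # code -> {sender: first time it texted the code}
    for t, sender, dest in records:
        if dest not in PREMIUM_CODES:
            continue  # ordinary texts are not of interest here
        per_pair[(sender, dest)].append(t)
        first_seen[dest][sender] = min(t, first_seen[dest].get(sender, t))

    handsets = {
        sender for (sender, _code), times in per_pair.items()
        if _max_in_window(times, window_s) >= per_handset
    }
    short_codes = {
        code for code, firsts in first_seen.items()
        if _max_in_window(firsts.values(), window_s) >= handsets_per_code
    }
    return {"handsets": handsets, "short_codes": short_codes}


if __name__ == "__main__":
    print(flag_premium_sms(RECORDS))
```

On the constructed records this flags handset 447700900102 (six messages to 80088 in 150 seconds) and short code 90099 (three new senders within a minute), while the single donation to 80088 and the ordinary texts pass. In production the interesting part is what happens next: flagged short codes are what the "delay payment to suppliers" fix acts on, so the detector's output needs to feed settlement, not just a SOC dashboard, and the thresholds need tuning per market because legitimate TV-vote and charity traffic also produces sudden fan-out to one code.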

Other sources of disruption
- Low-cost remittance services like oanda.com
- Off-the-wall entrants like Bitcoin
- Facebook Credits (but with a 30% merchant discount, like carrier billing!)
- P2P such as ZashPay and Popmoney
- Innovations in credit, from 'crowd' (zopa.com, smaba.de) to 'surveillance' (Telrock)
- Merchant-side innovation such as Tesco Bank

‘Bad’ payment systems
- Cyber-crooks want irrevocable payments (watch the UK's Faster Payments scheme!)
- e-gold got raided; Western Union now handles most of the cash-out from core cybercrime
- WebMoney is used internally by crooks
- Porn payments: two-sided adverse selection
- High-yield investment programs ('postmodern Ponzi schemes') have a number of PSPs

Outcomes best avoided
- Could catastrophic fraud close a channel?
- Pessimist: once cash, keys and tokens are all phone apps, we have a huge target and an intractable governance problem
- Optimist: if an attack is big enough to disrupt, where do you send all the money?
- Alternative bad outcome: pervasive carding that undermines confidence and imposes large opportunity costs on the economy

What might governments do?
- See our paper 'Security Economics and the Single Market', ENISA, 2008
- Better stats on both fraud and malware; start to fix liability rules; require network-attached consumer electronics to be secure by default; better police cooperation; ...
- Many of these are now being worked on (e.g. Eurozone fraud stats from this year)
- What should the Fed's priority be?

What might the Fed do?
- Esther: the Fed must be prepared for crisis!
- The Fed should set up a Fraud Analysis Centre to collect information from banks, online service companies, PSPs, CRAs and others
- Someone has to process the data to get actionable intelligence (NCFTA? NACHA?)
- But someone also needs to track the big picture, and that is a role for the Fed
- If the Fed wants to run a P2P payment service it should first study what goes wrong ...

Next steps
- Workshop on the Economics of Information Security, Berlin, June 2012
- Our web page on bank fraud:
- Other current research:
  - Econometrics of online crime
  - Mobile malware
  - Next-generation platform components

NATO meeting October