Snippings

xxx

All drinks, snacks, and team merchandise at the Tottenham Hotspur Stadium have to be purchased by apps like Apple Pay or on a card.

From Scoring With Apple Pay: Tottenham Hotspur Prepare to Open Doors at First Fully Cashless Stadium – The Mac Observer.

xxx

xxx

The Cabinet Thursday approved the promulgation of an Ordinance to allow voluntary use of Aadhaar as identity proof for opening bank account and procuring mobile phone connection

From Aadhaar: Cabinet approves Aadhaar Ordinance to allow its use as ID proof for bank accounts, SIM connection.

xxx

xxx

This, I think, is the kind of architecture that Cambridge Blockchain explained to me when I bumped in them last year and it seems a reasonable starting point, congruent with our ideas about the kinds of transactions that might be entered into a shared ledger.

From Putting “identity” on the “blockchain”. Part 1: Find a problem | Consult Hyperion.

xxx

xxx

“In Australia, the note of choice for hoarding and bulk cash smuggling is the A$100 note, known affectionately as ‘the Melba’ (the note features the face of operatic legend Dame Nellie Melba).

In Australia, there is A$76 billion in near-indestructible polymer banknotes in circulation. That equates to around A$3,000 for every man, woman and child in the country. This raises the question: where are Australia’s missing ‘Melbas’?”

From “Dark economy: Inside the $76 billion mystery of Australia’s missing ‘Melbas’​ | LinkedIn”.

xxx

xxx

“The [HMRC Report] found widespread infiltration of government agencies, to obtain false identities and ‘sensitive information’. From one company investigators found ’20 potential internal fraud cases including [gang] members in government agencies’, one intelligence summary said. Another said two Post Office employees seemed to be helping falsify documents, concluding: ‘infiltration is widespread’.”

From “Gangsters with links to the 7/7 London bombings stole £8billion from British taxpayers | Daily Mail Online”.

xxx

xxx

“Russian police are searching for a plastic surgeon with ‘fake qualifications’ who left her patients ‘disfigured,’ say reports.”

From “Russian police hunt ‘Frankenstein’ plastic surgeon who ‘left her patients disfigured’ | Daily Mail Online”.

xxx

I notice that in the considerable press comment concerning the possible introduction of a Facebook payment system and perhaps even a Facebook currency of some kind, commentators continually refer to a Facebook “stablecoin”. I am certain that they are wrong to use this term, because it does not mean what they think it means. I may well be facing a losing battle about this, but I am stickler for correct currency terminology.

So. Stablecoin. What?

In the Bank of England’s excellent “Bank Underground” blog, there was a post on this topic that said “The chances of a stablecoin keeping a stable price depends on its design. There are generally two designs of stablecoin: those backed by assets, and those that are unbacked or ‘algorithmic’”. They are right, of course, but I have slightly more granular classification of designs:

1. Algorithmic Currencies, in which algorithms manage supply and demand to obtain stability of the digital currency. This is what a stable cryptocurrency is: since a cryptocurrency is backed by nothing other than mathematics, it is mathematics that manages the money supply to hold the value of the steady against some external benchmark. This is what is meant by stablecoin in the original crypto use of the term.

2. Asset-backed Currencies, in which an asset or basket of assets are used to back the digital currency. I don’t know why people refer to these a stablecoins, since they are stable only against the specific assets that back them. An asset that is backed by, say, crude oil is stable against crude oil but nothing else.

3. Fiat (aka Currency Boards), similar to a asset-backed currencies but where the assets backing the digital currency are fiat currencies only. There are mundane versions of these already: in Bulgaria, for example, where the local currency (the Lev) is backed by a 100% reserve of US dollars. 

As for that last category, this is effectively what is currently defined as electronic money under the existing EU directives, and therefore already regulated. Those coins backed by fiat currency, such as JPM Coin, simply provide a convenient way to transfer value around the internet without going through banking networks.

Predictions are of course difficult, but my general feeling is that it is the asset-backed currencies that are most interesting and most likely to succeed in causing an actual revolution in finance and banking. Algorithmic stablecoins and fiat “stablecoins” exist to serve a demand for value transfer, but this is increasingly served well by conventional means. I notice this week, for example, that Transferwise can now send money from the UK to Hong Kong in 11 seconds, a feat made possible by their direct connection to the payments networks of both countries. Why would I use a fiat token when I can send fiat money faster and cheaper?

Of course, you might argue that a digital currency board might allow people who are excluded from the global financial system to hold and transfer value but I am unconvinced. There plenty of ways to hold and transfer electronic value (eg, M-PESA) without using bank accounts. Generally speaking, people around the world are excluded because of regulation (eg, KYC) and if we want to do something about inclusion we should probably start here. If you are going to require KYC for the electronic wallet needed to hold your digital currency they customers may as well open a bank account, right?

(I’ve written before about how the need for an account hampered Mondex. When it was first launched, I went to a bank branch with £50 expecting to walk out with a Mondex card with £50 on it. What I actually walked out with was a multi-page form to open a bank account so that I could get a Mondex card which arrived some time later. And since I had to put my debit card into the ATM in order to load the Mondex card, I did what most other people did and drew out cash instead.)

I suppose there are some people who think that the anonymity and pseduonymity of cryptocurrencies might make them an attractive alternative to certain sectors, but this is probably a window. If cryptocurrencies were used for crime on a large scale then efforts would be made to police them. Bitcoin, in particular, is not a good choice for criminals since it leaves a public and immutable record of their actions but you can imagine a future in which the mere possession of an anonymous cryptocurrency becomes a prima facie cash of money laundering.

Looking at the “stable” stable, I’ll put my money on the middle way: there is a real marketplace logic to the trading of asset-backed currencies and I expect to see an explosion of different kinds.

xxx

I have no idea why my debit card has either a magnetic stripe or embossing, and it’s not clear to me why it has my name and bank account number on it either, and I don’t know why it has a signature strip on the back when I don’t want to use it for signature transactions under any circumstances.

From Counterfeit card fraud in the US will fall, eventually | Consult Hyperion.

xxx

xxx

Why doesn’t my bank put a token in my Apple Pay that doesn’t disclose my name or any other personal information, a “stealth card” that I can use to buy adult services online using the new Safari in-browser Apple Pay experience? This would be a simple win-win: good for the merchants as it will remove CNP fraud and good for the customers as it will prevent the next Ashley-Madison catastrophe. Keep my real identity safe in the value, give me blank card to top shopping with – a simple use case that will test the viability of the concept.

From Tired: Banks that store money. Wired: Banks that store identity | Consult Hyperion.

xxx

Crazy Cards

Six years  I said that “I have no idea why my debit card has either a magnetic stripe or embossing, and it’s not clear to me why it has my name and bank account number on it either, and I don’t know why it has a signature strip on the back when I don’t want to use it for signature transactions under any circumstances”.  Then in 2014, I asked “Why is there a magnetic stripe on my card at all?” as I could not see even then why my debit card had a magnetic stripe on it and I had no intention of ever using my debit card (the subject of the discussion) in a POS terminal at all, let alone a POS in the USA where there was no chip. It’s all different now, of course, because the US has gone over to chip and PIN as well.

//embedr.flickr.com/assets/client-code.js 

Putting numbers and signatures on cards helps criminals. There’s no need for it. A couple of years later, I asked in “Tired: Banks that store money. Wired: Banks that store identity” why my bank didn’t put a token in my Apple Pay that doesn’t disclose my name or any other personal information, a “stealth card” that I can use to buy adult services online using the new Safari in-browser Apple Pay experience? This would be a simple win-win: good for the merchants as it will remove CNP fraud and good for the customers as it will prevent the next Ashley-Madison catastrophe. Keep my real identity safe in the vault, give me blank card to to go shopping with.

A blank card?  Crazy.

Brazil Nuts

Some years ago, when my colleagues at Consult Hyperion were testing  Static Data Authentication (SDA) “chip and PIN” cards in the UK, we used to make our own EMV cards. To do this, we essentially we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.

You might call these cards pseudo-clones. They act like clones in that they work correctly in the terminals, but they are not real clones because they don’t have the right keys inside them. Naturally, if you make one of these pseudo-clones, you don’t want to be bothered with PIN management so you make it into what is called a “yes card” – instead of programming the chip to check that the correct PIN is entered, you programme it to respond “yes” to whatever PIN is entered. We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals.

I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this he made a similar white plastic pseudo-clone card and went into a shop to try it out.

When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.

The guy, thinking quickly, told him that it was one of the new Apple credit cards!

“Cool” said the shopkeeper, “How can I get one?”.

Titanium Dreams

I wrote up that Brazil story back in 2014!There was no white Apple credit card, of course, at that time but it was interesting that the shopkeeper expected an Apple credit card to be all white and with no personal data on display, just as I had suggested in my ancient ruminations on card security. So imagine my total lack of surprise when the internet tubes delivered the news of the new actual Apple credit card launched in California last week. Apple CEO Tim Cook said that the new  Apple Card would be the biggest card innovation “in 50 years” [FT].  This seems a little rough on the magnetic stripe, online authorisation, chip and PIN, debit cards, contactless interfaces and so on,  but it is certainly an interesting  development for people like me.

The story gathered the usual media interest. I saw a couple of reports on the web reporting on “Apple going into banking” which, obviously,  they are not.  Far from it. The Apple Card issuer is Goldman Sachs (it’s their first credit card product) and the card product is wholly unremarkable. The card looks pretty cool though, no doubt about that. I still don’t know why they put the cardholder name on the front (instead of their Apple ID), since there you go. Apple Card is launching into an interesting environment. The US POS is a confusing place but Apple know their stuff and I am sure that they think they can use the 2% cash back on ApplePay purchases vs. the 1% on chip/stripe to push people toward the habit of using their phones at POS instead of cards. Judging by the sign I saw in an Austin gas station, they may be right.

//embedr.flickr.com/assets/client-code.js 

The Apple Card adds security, there’s no doubt about that. The card-not-present PAN and CVV displayed by the app (which can be refreshed) are not the same as the PAN and CVV on the stripe, so you can’t make counterfeit stripe cards with data from the app and Apple uses the Mastercard token Account Update service, so if you give (say) Spotify the CNP PAN/CVV and then refresh it, you don’t need to tell Spotify that you’ve changed anything because Mastercard will sort it out with Spotify. That’s security for the infrastructure and convenience for the customer.

Now You See It

While I was jotting down some notes about Apple Card, I was thinking about David Kwong, the illusionist. He gave an entertaining talk at Know 2019 in Las Vegas and I was privileged to MC his session. I was sitting feet away from him and I couldn’t figure out how he did it. That’s because he is a master of misdirection!

//embedr.flickr.com/assets/client-code.js 

I can’t help feeling that there’s a bit of misdirection going on with Apple Card. The press are reporting about the card product, but it’s really not that earth shattering. It seems to me that what is really important in the announcement isn’t extending Goldman Sachs’ consumer credit business or that bribe to persuade apparently reluctant  consumers to use Apple Pay at contactless terminals instead of swiping their card, but the attempt to get people to use Apple Cash. Cognisant of how Starbucks makes out by persuading citizens to exchange their US dollars that are good anywhere into Starbucks Dollars that are not, and of Facebook’s likely launch of  some kind of Facebook Money, Apple are hoping to kick-start an Apple Cash ecosystem.

You may have noticed that as of now,  you can no longer fund person-to-person Apple payments (in Messages) using a credit card. You can still fund your Apple Cash via a debit card. You can pay out from your Apple Cash to a Visa debit card for a 1% fee or via ACH to a bank account for free. They want to reduce the costs of getting volume into Apple Cash and make it possible for you to get it out with jumping through hoops. Given that you can do this, you’ll be more relaxed about holding an Apple Cash balance and that means that next time you go to buy a game or a song or whatever, Apple can knock it off of your Apple Cash balance rather than feeding transactions through the card rails. 

And why not? In this ecosystem Apple would carry the float, which might well run into millions of dollars (Starbucks’ float is over a billion dollars), and if it could persuade consumers to fund app, music and movie purchases from Apple Cash instead of cards it would not only save money, but anchor an ecosystem that could become valuable to third-party providers as well. With Facebook’s electronic money play on the horizon, I think Apple are making a play not for a new kind of card to compete with my Amex Platinum and my John Lewis MasterCard but for a new kind of money to compete with BezosBucks, ZuckDollas an Google Groats.