A library of snippets
xxx
“Britain is a financial-crime-fighting trailblazer. In a bid to crack down on shell-company abuse, in 2016 it became the first G20 country to introduce a public register for company owners. However, submitted information is not systematically checked. Recent analysis by Global Witness, an NGO, found thousands of ‘highly suspicious’ entries, including firms creating circular structures where they appear to own themselves.”
xxx
xxx
“Once the app is activated with a face scan, a QR code is generated, which is scanned by the person who needs the identification. The person being identified can decide what information is revealed. So if you want to get into a bar, for example, you can decide to only show your name and age.”
From “Netherlands using face tech with digital ID pilot | Planet Biometrics News”.
xxx
It’s that time of year again. I’ve had a chat with my colleagues at Consult Hyperion, gone back over my notes from the year’s events, taken a look at our most interesting projects around the world and brought together our “live five” for 2019. Now, as in previous years, I don’t expect you to pay any attention to our prognostications without first reviewing our previous attempts, otherwise you won’t have any basis for taking us seriously! So let’s begin by looking back a couple of years and then we’ll take a shot at the future!
This was the “live five” of technology-driven changes in the secure transactions field that we thought would have a real business impact over the previous year. In the spirit of openness and honesty and disclosure that we are famed for, let’s see how those predictions fared.
Not bad. In fact, pretty good. So now let’s take a look at how we did last year. We thought that you’d agree with four out of the five…
This was the “live five” for last year. Let’s see how we did…
As we said, 2018 saw disruption because the shift to open banking, starting in the UK, means the reshaping of financial services while at the same time the advance of AI into the transaction space (transactions of all types, from buying a train ticket to selling corporate bonds) begins to reshape the way we do business.
This year we are organising our “live five” in a slightly different way, listing them by priority to our clients rather than as a simple list. So here are the four key technologies that we think will be hot throughout the coming year together with the new technology that we are looking at out of the corner of our eyes, so to speak. The mainstream technologies are authentication, cross-sector digital identity, digital wallets for ticketing and secure IoT in the insurance sector. The one coming up on the outside is post-quantum cryptography.
So here we go…
With our financial services customers we are moving from developing strategies about open banking to developing implementation plans and supporting the development of new systems and services. The most important technology at the customer interface from the secure transactions perspective is going to be the technology of Secure Customer Authentication (SCA). Understanding the rules around which transactions need SCA or not is complicated enough, and that’s before you even start working out which technologies have the right balance of security and convenience for the relevant customer journeys. Luckily, we know how to help on both counts!
As it happens, better authentication technology is going make life easier for clients in a number of ways, not only because of PSD2. We are already planning 3D Secure v2 (3DSv2) and Secure Remote Commerce (SRC) implementations for customers, and preventing “authentication friction” (using eg FIDO) is central to the new customer journeys.
In the identity space we are moving from PowerPoint to implementing new approaches to know your customer (KYC), anti-money laundering (AML), counter-terrorist financing (CTF) and the management of a politically-exposed person (PEP) risks bringing together a basket of new technologies including machine learning, shared ledgers and self-sovereign identity. The skewed cost-benefit around regtech and the friction that flawed digitised identity systems cause mean that there is considerable pressure to shift the balance and in the coming year I think more organisations around the world will look at the cross-sector digital identity initiatives coming out of forward-thinking jurisdictions such as Canada and Australia as a vector for beneficial change and our experience in both will help such organisation to move quickly.
In our work on ticketing around the world we see a renewed focus on the deployment of real digital wallets. Transit (and other forms of ticketing, such as the sporting events) are the effective anchor tenants of the digital wallet, not payments. In the UK and in some other countries there has been little traction for the smartphone digital wallet because of the effectiveness of the deployment and use of contactless cards. If you look in your real wallets, most of what your find isn’t really about payments. In our markets, payments alone do not drive consumers to digital wallets, but take-up might be about to accelerate. It’s one thing to have xPay to put cards into a digital wallet but putting your train tickets, your sports rights and your concert passes into a digital wallet makes all the difference to take-up and means serious traction. Our expertise in using the digital wallets for applications beyond payments will give our clients confidence in setting their strategies.
In the insurance world we see the business cases building around the Internet of Things (IoT). The recent landmark decision of John Hancock, one of the oldest and largest North American life insurers, to stop selling traditional life insurance and instead sell only “interactive” policies that track fitness and health data through wearable devices and smartphones is a significant step both in terms of business model and security infrastructure. We think more organisations in this space will develop similar new services this means securing IoT system becomes a priority. Fortunately, our very structured risk analysis for IoT and considerable experience in the practical assessment of countermeasures deliver as cost-effective approach.
In our core field of security, we think it’s time to start taking post-quantum cryptography (PQC) seriously not as research topic but as a strategic imperative around the development and deployment of new transaction systems. As many of you will know, Consult Hyperion’s reputation has been founded on the mass-market deployments of new transactions systems and services and this means we understand the long-term planning of secure platforms. We’re proud to say that we have helped to develop the security infrastructure for services ranging from the Hong Kong smart identity card to the Euroclear and from contactless payments to open loop ticketing in major cities. Systems are going into service now may well find themselves overlap overlapping with the first practical quantum computer systems that render certain kinds cryptography worthless, so It’s time to add PQC to strategies for the mass market.
There you go then! Brexit does not mean the end of SCA (since PSD2 has already been transcribed into UK law) and SCA means that secure digital identities can anchor digital wallets, and those digital wallets will contain things other than payments. They might also start to store health and fitness data for your insurance company. Oh, and all of that data will end up in the public sphere unless the organisations charged with protecting it start thinking about post-quantum cryptography or, as Adi Shamir (one of the inventors of public key cryptography) said five years ago, post-cryptography security.
xxx
“‘We shouldn’t worry much about post-quantum cryptography but we should think about post-cryptography security,’ added Shamir. ®”
From “Prepare for ‘post-crypto world’, warns godfather of encryption • The Register”.
xxx
xxx
“Then, on match days, iPhone users who have added their ticket to Apple Wallet receive a notification on their lockscreen as they approach the stadium, with an instruction to tap on it to select their contactless ticket in Wallet.”
From “Los Angeles Football Club rolls out NFC ticketing on Apple Watch and iPhones • NFC World”.
xxx
xxx
Ms Nokes also revealed the system for EU citizens to register for settled status still didn’t work on Apple phones. The US tech giant “won’t release the upgrade we need in order for it to function”, she told MPs.
From No-deal Brexit: Employers to check EU migrants’ status – minister – BBC News.
What “upgrade” is she talking about? To the best of my knowledge, Apple have never once even hinted that they may open their NFC interface up to third-parties.
xxx
The report notes that as a result, revenues increased from $113 million in 2016 to $143 million in 2017 to $42 million in the first quarter of 2018.
From Regulation of Somalia’s Mobile Money Market Can Spur Innovation in Financial Sector Development.
This means hhkhjgui
Danny Gilligan, co-founder and managing director of the Westpac-backed Reinventure Group in Australia put forward a similar criticism recently, saying that “the fundamental flaw of the UK’s open banking model is to stipulate the flow of raw, sensitive transaction data from high security banks to low security fintechs” arguing that that is building systemic risk into the UK’s digital economy.
xxx
Late last week, about 60 percent of the conversation was driven by likely bots. Over the weekend, even as the conversation about the caravan was overshadowed by more recent tragedies, bots were still driving nearly 40 percent of the caravan conversation on Twitter.
From Here’s How Much Bots Drive Conversation During News Events | WIRED.
xxx
I remember when Alex Tapscott wrote an op-ed for The New York Times in which he said that “using blockchain technology, online voting could boost voter participation and help restore the public’s trust in the electoral process and democracy”. As I said at the time, he was wrong. It’s got nothing to do with the blockchain. It’s because online voting is a bad idea, even if you did implement it with blockchain.
I wrote about this back in 2015, noting that politicians don’t understand the Internet (or, indeed, technology in general) and expressing some surprise that they don’t ask people who do (e.g., me) to provide some input to their plans. If, for example, the Speaker of our House of Commons had asked me about online voting back in 2015, I would never have advised John Bercow to say that people should be allowed to vote online in the 2020 general election (assuming the current government lasts that long, of course).
Alex writes that “as citizens, we can trust the outcome of such a voting system: voters can check the blockchain to verify that their vote was counted correctly” (as presumably could the person with a gun to the voter’s head). And I can see how this might work: voters could look in a database to see that their vote was counted correctly, and then check some companion blockchain to see that the record concerning their vote had not been changed. But does this really help or would it just make voting under duress more common?
I remember discussing this at the Tomorrow’s Transactions UnConference 2015 when voting came up in a discussion session about about non-financial demands for identity and authentication technologies. I emphasised the point that voting online is a mad idea that doesn’t fix any actual problem, and I was hardly a lone voice. Let me stress that I was not saying that we could not use modern technology to improve the voting system. As I wrote the previous year, “we live in a Venmo world now, so if the under-30s want to vote using an app that tells their friends that they voted, or perhaps even how they voted, or perhaps allows them to add a funny picture or an acute comment, well so be it. But make it secure, and make them go down to the polling station to use it”.
The guys and gals in that Unconference discussion session came up with a rather interesting idea: Democracy Monkey. Think Survey Monkey but with the strong two-factor authentication and appropriate Customer Due Diligence (CDD). The idea is this: make Democracy Monkey a public utility that can be used by central and local government for all sorts of public purposes and sell it to business so that they can use it for votes for shareholder meetings and such like. I also thought that it could be used for “Britain Hasn’t Got Talent”, “The Why Factor” and “I Used to be a Celebrity Get Me Out of Here” and so on as a way to socialise the use of the technology.
We developed our plan using Chaumian blinded tokens as the core technology. The broad marketecture was that you use your gov.verify identity provider to register with the Democracy Monkey and to indicate which elections you want to take part it. The system sends you tokens for those elections at the appropriate time. The Democracy Monkey app on your mobile phone could store the tokens in a tamper-resistant secure element and then when you want to “spend” the vote you can run the app or tap to make it happen. For some voting, such as General Elections, you would be required to tap as that sort of voting is a public act, but for other voting (e.g., “Strictly Come Trampolining”) you could use the in-app “spend” to vote remotely.
I still think this is worth a try and stand ready to answer the nation’s call should the powers that be decide to move forward. And if you want to store the destination of the blinded votes on a blockchain somewhere, that would deliver transparency and accountability so that’s good too.
Snippings