One Year After Rollout, Banks Are Bullish on Zelle | Bank Innovation | Bank Innovation

xxx

The banks’ response to the growth of the Zelle network follows positive statistics from the service itself, which reported 100 million transactions in September 2017 totaling $33.6 billion.

From One Year After Rollout, Banks Are Bullish on Zelle | Bank Innovation | Bank Innovation

xxx

POST Bitcoin and crime on a street corner near you

According to the Daily Mail, the police have seen an “explosion in the use of digital currency by criminals who are strolling into cafes, newsagents and corner shops to dump their ill-gotten gains in virtual currency ATMs“. Well, let’s hope so because Bitcoin isn’t fungible (unlike the £50 notes so helpfully provided to the criminal fraternity by the – yes, couldn’t make this up – Bank of England) which means that the money can be traced from wallet to wallet so that should make it easier for these detectives to get a handle on where the ill-gotten gains are heading.

While I remain concerned about the rise of Bitcoin for reasons of consumer protection, I am much less concerned about its use in crime. First of all, if the demand for Bitcoin were about crime (and not speculation) it would actually be worth far less than it is today. There just isn’t enough crime. Calculations based on the use of Bitcoin in this sector of the economy put its value at something like one-twentieth of the current price. Now, I think these kinds of calculations are highly spurious, for two main reasons. First of all, I have yet to see any evidence that criminals are adopting Bitcoin at scale. And the reason for this is obvious: it’s not anonymous enough. Wallet addresses are pseudonyms, and once any of these pseudonyms has been linked to a mundane identity in any way, the identities can be connected, monitored, tracked and traced. This is why ransomware rogues convert their Bitcoins out into something more suited to the less-regulated corners of the economy. The people behind the famous “WannaCry”, which hit more than 300,000 computers in over 150 countries, took their rewards and converted them into Monero, a privacy-focused cryptocurrency that has seen some growth in its popularity over the last year or so.

The second reason why I think such calculations are spurious is that they are often based on the value of the global market in illegal drugs. Now, while no-one can be sure of the exact size, this is undoubtedly a vast market. But it is a market that is conducted almost entirely in cash. Were these transactions to be converted to digital money, the sums involved are so vast that it would be almost impossible to create an AI machine-learning transaction monitoring service that would ignore them.

IS_A_PERSON and IS_A_LEGAL_PERSON

xxx

Alt-right blogger Jenna Abrams (@Jenn_Abrams) enjoyed a large following in Twitter, and her tweets were cited by Buzzfeed, the NY Times, and other news agencies. It turned out “she” was another creation of the Internet Research Agency, the Russian government-funded troll farm in St. Petersburg.

From An alt-right Tweeter with 80k followers is a fictional entity created by Russian troll farm / Boing Boing

xxx

Chinese Government rolls out trust ratings to combat corruption | World Finance

xxx

According to research published in the Journal of the European Economic Association, the level of trust in cultures today can be informed by events that occurred hundreds of years ago. The research shows that Italian states that became free cities in the Middle Ages – a process that required mass cooperation – exhibit higher levels of trust today than those that didn’t.

From Chinese Government rolls out trust ratings to combat corruption | World Finance

xxx

Identity in the UK is a gas

From time to time, when making presentations about identity and related topics, I have to stop to explain to baffled foreigners that the United Kingdom has no national identification scheme or identity card or any other such symbol of continental tyranny, so our gold standard identity document is the gas bill. I understand that these are notoriously difficult to forge and that the skilled artisans behind the North Korean $100 bill “supernote” threw down their tools in frustration when faced with the multiple layers of security that are part of the British Gas quarterly statement for residential users. Hence our gas bill is a uniquely trusted document, and the obvious choice of platform for anyone concerned about fraud.

(By the way, if for some reason you do not have a gas bill to attest to your suitability for some purpose or other, you can buy one here for theatrical or novelty use only.)

No wonder identity fraud is an epidemic in the UK. Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as I’ve been saying for some time, the UK has only gaps and no actual infrastructure. I am very sorry to say it, but our system based on the gold standard of gas bills is no longer fit for purpose.

Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.

From Stockport identity fraud victim’s £500k home put on market – BBC News

“Having forged his signature, they then transferred the deeds to his house into Ghani’s name”. Yes, I know I know, I’m sure the blockchain will put a stop to this, but in the meantime… should a homeowner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from gas bills and forging your signature, shouldn’t you be within your rights to expect the powers-that-be to do something?

But what?

Well, for a start, we can stop using sort codes and account numbers and choose more meaningful identifiers when it comes to money. You shouldn’t be sending money to me at XX-XX-XX 99999999, you should be sending it to @dgwbirch. I defy anybody to carry around the six digit sort code and nine digit account number of their correspondents in their heads or to be able to spot their solicitor’s real payment details from some fake payee details when reading an email. If you are expecting to send money to $dgwbirch (please go ahead, by the way, as it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail asking you to switch from sort code 12-34-56 to 34-56-78 it’s less obviously a fraud.

And which actual payment account I choose to associate with that identifier should be up to me: it’s none of your business whether I’m with Barclays, Amazon or my brother-in-law. Personal information should be kept out of transactions where it is not needed. You send the money to @dgwbirch and that’s it.

(In fact, it’s not at all obvious to me that you should know my “real” name at all, since that’s just an invitation to identity theft.)

xxx

Lloyds, which took eight hours to make the payment, did not carry out any checks to ensure the name of the firm to which the payment was to be made matched the account numbers,

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

Neither Lloyds nor any other bank does this. That’s just how the system works: the account name is an attribute, not an identifier.

The UK’s new payment architecture includes a directory service to map a variety of identifiers to bank accounts.

‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

xxx

the regulations that govern this area. These state that a bank has to “have made clear to their customer how a Chaps payment will be processed” and that the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

xxx

POST Payments are not the problem, identity is

There’s a huge amount of payment fraud going on in the UK at the moment. The fraudsters intercept legitimate requests to transfer money from one account to another (often from solicitors in relation to house purchases but also from tradespersons such as builders) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will monitor e-mails coming from a solicitor and when that solicitor sends an email to a customer asking for money (e.g., for a house purchase), the fraudsters replace the solicitor’s legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow. In the first half of this year there were about 20,000 such frauds with some £100m lost (and only £25m subsequently recovered). This is the second largest category of payment fraud behind card fraud (which is about six times larger) because the numbers are low but the average values involved are high.

Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I go ahead and transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase. As Hannah Nixon, head of the UK’s Payment System Regulator (PSR), put it toward the end of last year, “tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams”. Indeed they have. And, in fact, still are. 

An Essex couple have lost £120,000 after sending the money to what they thought was their solicitor’s bank account, but which instead went to an account in Kent that was systematically emptied of £20,000 in cash every day for the next six days.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This isn’t a payments problem, it’s an identity problem. So just whose fault is it when someone gets scammed in a sector with no effective identity infrastructure? The couple at the centre of this story sent the money via the Clearing House Automated Payments System (CHAPS) and the CHAPS regulations are unequivocal.

the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

I’m sure the couple have an e-mail or a piece of paper pointing this out, but it clearly didn’t help. As I wrote earlier in the year, fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure.

Meanwhile, the security or otherwise of Steed & Steed’s email system is also likely to be investigated. In December 2016, regulatory body the Solicitors Regulation Authority warned that email hacks of conveyancing transactions had become the most common cybercrime in the legal sector.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This reinforces my theory that solicitors who use e-mail to send important information to customers are, essentially, negligent. They should be using WhatsApp or Signal for this sort of thing. If it was the solicitor’s e-mail server that got hacked, then they should be responsible for compensating the customers, shouldn’t they? If I tell my bank to send £10,000 to the Nat West in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If a scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC) isn’t it?

Anyway, my reason for going over this old ground again is that the PSR response to the “super complaint” about this type of fraud came up in discussion at the Payment Strategy Forum. In addition to education, guidelines and that sort of thing, they were talking about three substantial initiatives to do something about what they called Authorised Push Payment (APP) fraud, but that I call Authorised Credit Transfer (ACT) fraud because I think “app” is a confusing sobriquet. These are:

  • KYC Sharing, to try to prevent fraudsters from opening accounts. The PSF’s earlier consultation document on the “Blueprint for the Future of UK Payments” includes a detailed discussion of this issue and also highlighted one of my pet peeves, which is the “poor customer experience for good actors”. In other words, the UK’s stringent and expensive KYC procedures don’t stop criminals from opening accounts but do massively inconvenience honest working folk, your author included. The PSR has handed the baton over to the trade association on this one, so we’ll have to wait and see what they come up with.

    The Forum handed over to UK Finance the development of best practice guidelines for PSPs when verifying a user’s identity. The guidelines will also cover how identity verification is managed across different types of payments.

    My guess is what they won’t come up with is a comprehensive and cost-effective solution using some sort of “financial services passport”, much discussed here and elsewhere. (I was part of the techUK working group on this three years ago.)

  • Payee Confirmation, to try to prevent malicious redirection scams by matching the name as well as the sort code and account number. So the idea here is that when you set up David G.W. Birch as a payee, the destination bank will match the name against the name of the destination account (which is what they don’t currently do) and will reject the payment if they do not correspond. I have mixed feelings about this, because I would rather just scrap the use of sort codes and account numbers and use the directory services in the new National Payments Architecture (NPA) to replace them with e-mail addresses, mobile phone numbers or (my preferred solution) “paynames”. Instead of typing in meaningless numbers, you would just tell your bank to send the money to £dgwbirch or accounts@dgwbirch.com or whatever.

  • Contingent Reimbursement (this is what got the media attention) which would require PSPs to reimburse victims when they could not have reasonably prevented an ACT scam but either the customer’s PSP or the destination PSP “has not met the required standards”. The consultation notes that “there was very limited support from PSPs for a full chargeback-like process” (apart from anything else, this would cost a fair amount to run) so you can see why it’s important to find an alternative. The proposed solution rather hinges on whether the victims of fraud took the “appropriate” level of care. For me, this would be sending a quid and checking it went to the right place before I send the other £499,999 of the house purchase.
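
The Payee Confirmation check from the list above, sketched as an added example (it is not from the original post, nor any bank's or scheme's implementation). The account records, normalisation rules, outcome labels and the 0.8 similarity threshold are all assumptions made for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample records held by the destination bank, keyed by the
# identifier that payments are routed on today: (sort code, account number).
ACCOUNTS = {
    ("12-34-56", "00000001"): "Example Conveyancing LLP",
    ("34-56-78", "00000002"): "A. N. Other",
    ("12-34-56", "00000003"): "David G.W. Birch",
}
TITLES = {"mr", "mrs", "ms", "miss", "dr"}

def tokens(name):
    """Case-fold, strip accents and punctuation, drop personal titles."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    words = re.sub(r"[^a-z0-9]+", " ", text.replace("&", " and ")).split()
    return [w for w in words if w not in TITLES]

def initials_compatible(a, b):
    """True if the names agree word for word, letting an initial stand for a word."""
    if len(a) != len(b):
        return False
    return all(x == y or (min(len(x), len(y)) == 1 and x[0] == y[0])
               for x, y in zip(a, b))

def confirm_payee(sort_code, account_number, claimed_name, threshold=0.8):
    """Return MATCH, CLOSE_MATCH, NO_MATCH or ACCOUNT_NOT_FOUND.

    The holder's real name is never returned, so the check cannot be used
    to look up who owns an arbitrary account.
    """
    held = ACCOUNTS.get((sort_code, account_number))
    if held is None:
        return "ACCOUNT_NOT_FOUND"
    claimed, actual = tokens(claimed_name), tokens(held)
    if not claimed:
        return "NO_MATCH"
    if sorted(claimed) == sorted(actual):
        return "MATCH"
    ratio = SequenceMatcher(None, " ".join(claimed), " ".join(actual)).ratio()
    if initials_compatible(claimed, actual) or ratio >= threshold:
        return "CLOSE_MATCH"
    return "NO_MATCH"

if __name__ == "__main__":
    # The redirection scam: same payee name, swapped sort code and account number.
    for sc, acct in [("12-34-56", "00000001"), ("34-56-78", "00000002")]:
        print(sc, acct, confirm_payee(sc, acct, "Example Conveyancing LLP"))
```

The second lookup is the intercepted e-mail case: the payer still believes they are paying the solicitor, but the swapped account belongs to someone else, so the name check fails where a numbers-only payment would go through.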

xxx

7 Thoughts On Blockchain, Cryptocurrency & Decentralization After Another Three Months Down The…

xxx

“While most of the ICOs to date have been Utility Tokens, because of the massive advantages that Security Tokens have over traditional capital raising, I think the total market cap of all security tokens will be much larger than the total market cap of all utility tokens.”

From “7 Thoughts On Blockchain, Cryptocurrency & Decentralization After Another Three Months Down The…”.

xxx
