Snippings

From time to time, when making presentations about identity and related topics, I have to stop to explain to baffled foreigners that the United Kingdom has no national identification scheme or identity card or any other such symbol of continental tyranny, so our gold standard identity document is the gas bill. I understand that these are notoriously difficult to forge and that the skilled artisans behind the North Korean $100 bill “supernote” threw down their tools in frustration when faced with the multiple layers of security that are part of the British Gas quarterly statement for residential users. Hence our gas bill is a uniquely trusted document, and the obvious choice of platform for anyone concerned about fraud.

(By the way, if for some reason you do not have a gas bill to attest to your suitability for some purpose or other, you can buy one here for theatrical or novelty use only.)

No wonder identity fraud is an epidemic in the UK. Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as I’ve been saying for time, the UK has only gaps and no actual infrastructure. I am very sorry to say it, but our system based on the gold standard of gas bills is no longer fit for purpose.

Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.

From Stockport identity fraud victim’s £500k home put on market – BBC News

“Having forged his signature, they then transferred the deeds to his house into Ghani’s name”. Yes, I know I know, I’m sure the blockchain will put a stop to this, but in the meantime… should a homewoner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from gas bills and forging your signature, shouldn’t you be within your rights to expect the powers-that-be to do something?

But what?

Well, for a start, we can stop using sort codes and account numbers and choose more meaningful identifiers when it comes to money. You shouldn’t be sending money to me at XX-XX-XX 99999999, you should be sending it to @dgwbirch. I defy anybody to carry around the six digit sort code and nine digit account number of their correspondents in their heads or to be able to spot their solicitor’s real payment details from some fake payee details when reading an email. If you are expecting to send money to $dgwbirch (please go ahead, but the way, as, it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail using to switch from sort code 12-34-56 to 34-56-78 its less obviously a fraud.

 And which actual payment account I choose to associate with that identifier should be up to me: it’s none of your business whether I’m with Barclays, Amazon or my brother-in-law. Personal information should be kept of transactions where it is not needed. You send the money to @dgwbirch and that’s it.

(In fact, it’s not all obvious to me that you should know my “real” name at all, since that’s just an invitation to identity theft.)

xxx

Lloyds, which took eight hours to make the payment, did not carry out any checks to ensure the name of the firm to which the payment was to be made matched the account numbers,

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

Neither Lloyds, nor any other bank do this. That’s just how the system works: the account name is an attribute, not an identifier.

The UK’s new payment architecture includes a directory service to map a variety of identifiers to bank accounts.

xxx

the regulations that govern this area. These state that a bank has to “have made clear to their customer how a Chaps payment will be processed” and that the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

xxx

There’s a huge amount of payment fraud going on in the UK at the moment. The fraudsters intercept legitimate requests to transfer money from one account to another, often from solicitors in relation to house purchases but also from tradespersons such as builders) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will monitor e-mails coming from a solicitor and when that solicitor sends an email to a customer asking for money (e.g., for a house purchase), the fraudsters replace solicitor’s legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow. In the first half of this year there were about 20,000 such frauds with some £100m lost (and only £25m subsequently recovered). This is the second largest category of payment fraud behind card fraud (which is about six time larger) because the numbers are low but the average values involved are high.

Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I go ahead and transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase. As Hannah Nixon, head of the UK’s Payment System Regulator (PSR), put it toward the end of last year, “tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams”. Indeed they have. And, in fact, still are. 

An Essex couple have lost £120,000 after sending the money to what they thought was their solicitor’s bank account, but which instead went to an account in Kent that was systematically emptied of £20,000 in cash every day for the next six days.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This isn’t a payments problem, it’s an identity problem. So just whose fault is it when someone gets scammed in a sector with no effective identity infrastructure? The couple at the centre of this story sent the money via the Clearing House Automated Payments System (CHAPS) and the CHAPS regulations are unequivocal.

the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

I’ll sure the couple have an e-mail or a piece of paper pointing this out, but it clearly didn’t help. As I wrote earlier in the year, fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure.

Meanwhile, the security or otherwise of Steed & Steed’s email system is also likely to be investigated. In December 2016, regulatory body the Solicitors Regulation Authority warned that email hacks of conveyancing transactions had become the most common cybercrime in the legal sector.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This reinforces my theory that solicitors who use e-mail to send important information to customers are, essentially, negligent. They should be using WhatsApp or Signal for this sort of thing. If it was the solicitor’s e-mail server that got hacked, then they should be responsible for compensating the customers, shouldn’t they? If I tell my bank to send £10,000 to the Nat West in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC) isn’t it?

Anyway, my reason for going over this old ground again is that the PSR response to the “super complaint” about this type of fraud came up in discussion at the Payment Strategy Forum. In addition to education, guidelines and that sort of thing, they were talking about three substantial initiatives to do something about what they called Authorised Push Payment (APP) fraud, but that I call Authorised Credit Transfer (ACT) fraud because I think “app” is a confusing sobriquet. These are:

• KYC Sharing, to try to prevent fraudsters from opening accounts. The PSF’s earlier consultation document on the “Blueprint for the Future of UK Payments” includes a detail discussion of this issue and also highlighted one of my pet peeves, which is the “poor customer experience for good actors”. In other words, the UK’s stringent and expensive KYC procedures don’t stop criminals from opening accounts but do massively inconvenience honest working folk, your author included. The PSR has handed the baton over to the trade association on this one, so we’ll have to wait and see what they come up with.

  The Forum handed over to UK Finance the development of best practice guidelines for PSPs when verifying a user’s identity. The guidelines will also cover how identity verification is managed across different types of payments.

  My guess is what they won’t come up with is a comprehensive and cost-effective solution using some sort of “financial services passport”, much discussed here and elsewhere. (I was part of the techUK working group on this three years ago.)

• Payee Confirmation, to try to prevent malicious redirection scams by matching the name as well as the sort code and account number. So the idea here is that when you set up David G.W. Birch as a payee, the destination bank will match the name against the name of the destination account (which is what they don’t currently do) and will reject the payment is they do not correspond. I have mixed feelings about this, because I would rather just scrap the use of sort codes and account numbers and use the directory services in the new National Payments Architecture (NPA) to replace them with e-maill addresses, mobile phone numbers or (my preferred solution) “paynames”. Instead of typing in meaningless numbers, you would just tell your bank to send the money to £dgwbirch or accounts@dgwbirch.com or whatever.

• Contingent Reimbursement (this is what got the media attention) which would require PSPs to reimburse victims when they could not have reasonably prevented an ACT scam but either the customer’s PSP or the destination PSP “has not met the required standards”. The consultation notes that “there was very limited support from PSPs for a full chargeback-like process” (apart from anything else, this would cost a fair amount to run) so you can see why it’s important to find an alternative. The proposed solution rather hinges on whether the victims of fraud took the “appropriate” level of care. For me, this would be sending a quid and checking it went to the right place before I send the other £499,999 of the house purchase.

xxx

xxx

“While most of the ICOs to date have been Utility Tokens, because of the massive advantages that Security Tokens have over traditional capital raising, I think the total market cap of all security tokens will be much larger than the total market cap of all utility tokens.”

From “7 Thoughts On Blockchain, Cryptocurrency & Decentralization After Another Three Months Down The…”.

xxx

xxx

NEW YORK, NY–(Marketwired – May 03, 2016) – SmartMetric, Inc. (OTCQB: SMME) — According to a research report conducted by the research organization The Nilson Report, for 2015 through 2020, card fraud worldwide is expected to total $183.29 billion. In 2020, global card fraud is projected to exceed $35.54 billion. Fraud, grew by 19%, and outpaced volume, which grew by 15%. Fraud losses by banks and merchants on all cards issued worldwide reached $16.31 billion in 2014 when global card volume for the same period totaled $28.844 trillion.

From Annual Global Card Fraud to More Than Double Reaching Over $35 Billion in Four Years

My general sense of the industry, without giving away anyone’s figures, is that not only is fraud growing faster than volume, but that merchants are annoyed because declines are growing faster than fraud. We need a sea change in tackling fraud and I think there are two parts to this: changing the security vs. convenience model at the front end and changing the transaction validations model at the back end.

As the former governor of the Bank of England, Meryvn King, has eloquently pointed out, banks are institutions that pre-date modern capitalism and “owe much to the technologies of an earlier age” (The End of Alchemy, 2016). There is no reason to expect them to continue in this form under the technological, regulatory, social and business pressures for change that are about to overwhelm them. If that sounds like waffle futurism that does not need to be taken seriously, you could not be more wrong. In the UK, those changes are going to begin in January when the world of “open banking” is created by the implementation of the Competition and Markets Authority (CMA) “remedies”. That is, the nine largest banks are compelled to provide Application Programming Interfaces (APIs) for third-party applications to access bank accounts, a milestone in a long journey to bring a revolutionary degree of competition to the sector.

This all rooted in the frustration of the regulators to see more competition. They tried forcing the banks to spend a billion or so quid on an account switching services and that didn’t work, so they decided that they had to look to more radical solutions.

The CMA reports a study by one of the very few new entrants, Tesco Bank, which found that a clear majority of account holders agreed with the statement “I cannot be bothered to switch accounts as I do not believe I would get better service/value for money elsewhere”.

[From John Kay – Competition in banking does not necessarily benefit consumers]

In the UK, the regulators’ determination to change this situations means that we are about to see major disruption in the space. I called this before a “crossing of the streams” (in an hommage to Ghostbusters!) because there are three different initiatives coming together.

The first stream is the PSD2 provisions for access to payment accounts. As you may recall, these include a set of proposals that are due to come into force in 2018. A group of those proposals are what we in the business call “XS2A”, the proposals which force banks to open up to permit the initiation of credit transfer (“push payments”) and account information queries. Even at a pure compliance level these PSD2 regulations pose significant questions for the structure of the existing payments industry. While PSD2 does not mandate APIs (I think – it’s all gotten a bit complicated but as far as I know the screen-scrapers have fought d a decent rearguard action) an open banking API is the obvious way to implement the PSD2 provisions.

The second stream is Her Majesty’s Treasury’s push for more competition in retail banking. This led to the creation of the Open Banking Working Group (OBWG), which published its report in 2016.  It set out was a four part framework, comprising:

• A data model (so that everyone knows what “account”, “amount”, “account holder” etc means);
• An API standard.
• A security standard.
• A governance model. 

The third stream is the CMA report that triggered the remedies mentioned above. This envisages APIs to improve competition in retail banking by focusing on the use of APIs to obtain access to personal data that can be shared with third-parties to obtain better, more cost-effective services.  These streams are coming together to create an environment of what is now called Open Banking. And it’s a big deal.

Open Banking makes it possible to pay with lightning speed directly from a bank account – in effect, creating an Amazon “One Click” for the entire internet.

From To change how you use money, Open Banking must break banks | WIRED UK

I think the use of Amazon in this example is far more disruptive than the author may have intended. Amazon Payments is, in my opinion, precisely the kind of business that will benefit from open banking. It won’t be fintech startups who eviscerate the existing payments industry, it will be the heavy hitters who are able to gain access to the bank account and merge that ability with their colossal resources and gigantic data reservoirs to create a new customer experience. Indeed, in that Wired article, Rowland Manthorpe says plainly that open banking is a new way of dealing with the twenty-first century’s most sought-after resource, personal data. This point was recently echoed by the Dave McKey, the CEO of RBC, who said “data is the battleground for banks that will determine the future success of financial institutions”.

All of which reinforces my opinion that banks need get into the business of identity, reputation and trust pretty quickly.

xxx

The Riksbank governor, Stefan Ingves, called for new legislation to secure public control over the payments system, arguing that being able to make and receive payments is a “collective good” like defence, the courts, or public statistics.

From “Being cash-free puts us at risk of attack”: Swedes turn against cashlessness | World news | The Guardian.

xxxPuerto Rico

“Cash only,” said Abraham Lebron, the store manager standing guard at Supermax, a supermarket in San Juan’s Plaza de las Armas. He was in a well-policed area, but admitted feeling like a sitting duck with so many bills on hand. “The system is down, so we can’t process the cards. It’s tough, but one finds a way to make it work.”

From In a Cashless World, You’d Better Pray the Power Never Goes Out – Slashdot

xxx

xxx

If I was the manager of Waitrose after the Woking earthquake, then I would simply accept payment by writing down card numbers, or photocopying driving licences, or taking pictures of customers, or whatever. The core of the issue is identification and trust, not the payment instrument. As many media commentators noted, society in Japan did not collapse. My conclusion: natural disasters are not a convincing argument for cash.

From The disaster in Japan has lessons for payments | Consult Hyperion

xxx

xxx

Shares of jewelers climbed in India after the government withdrew an order that brought the industry under anti money-laundering legislation, a move that comes just as gold buying improves before the Hindu festival of Diwali, the peak season for demand.

Jewelers were included in the Prevention of Money-Laundering Act in August, increasing compliance requirements. Buyers have been shying away from making purchases as they had to provide their income tax identity for transactions above 50,000 rupees ($766), hindering high-value deals.

From Jewelers Rally After India Anti-Money-Laundering Rule Reversal – Bloomberg

xxx

xxx

Mass cash stashing might signal a widespread fear of a looming apocalypse – or, more prosaically, it could signal rampant illegality.

From In the contactless payment era, why is cash making a comeback? | Business | The Guardian

xxx

I’m not sure if you’re supposed to have a favourite supply chain fraud or not but I do, and it is the famous case of the vegetable oil that almost bankrupted American Express (and went some way toward making Warren Buffet a multi-billionaire). The essence of the story is that a conman, Anthony “Tino” De Angelis, discovered that people would lend him money on the basis of commodities in the supply chain. His chosen commodity was vegetable oil (see How The Salad Oil Swindle Of 1963 Nearly Crippled The NYSE). Amex had a division that made loans to businesses using inventories as collateral. They gave De Angelis financing for vegetable oil and he took the Amex receipts to a broker who discounted them for cash. So he had tanks of vegetable oil and Amex had loaned him money against the value of the oil in those tanks, the idea being that they would get the money back with a bit extra when the oil was sold on. Now as it happened, the tanks didn’t much contain oil at all. They were mostly water with a layer of oil on top so that when the inspectors opened the tanks and looked inside they saw oil and signed off whatever documentation was required. Eventually the whole scam blew up and nearly took Amex down, enabling the sage of Omaha to buy up their stock and make a fortune.

Fortunately for us and unfortunately for conmen like Tino, the supply chain is one of the many industries that the blockchain is going to disrupt. As my good friend Michael Casey and his co-author Pindar Wong explain in their recent Harvard Business Review piece on the topic (Global Supply Chains are about to get Better, Thanks to Blockchain in HBR, 13th March 2017), blockchain technology allows computers from different organisations to collaborate and validate entries in a blockchain. This removes the need for error prone reconciliation between the different organisation’s internal records and therefore allows stakeholders better and timelier visibility of overall activity. The idea discussed in this HBR piece (and elsewhere) is that some combination of “smart contracts” and tagging and tracing will mean that supply chains become somehow more efficient and more cost-effective.

An aside. I put “smart contracts” in quotes because, of course, they are not actually contracts. Or smart. Bill Maurer and DuPont nailed this in their superb King’s Review article on Ledgers and Law in the Blockchain (22nd June 2015), where they note that smart contracts are not contracts at all but computer programs and so strictly speaking just an “automaticity” on the ledger. (Indeed, they go on to quote Ethereum architect Vitalik Buterin saying that “I now regret calling the objects in Ethereum ‘contracts’ as you’re meant to think of them as arbitrary programs and not smart contracts specifically”.)