Swift confirms multiple cases of fraudulent message traffic


Interbank co-operative Swift has confirmed that it has experienced a number of recent instances of hackers compromising network interface devices at client banks to send fraudulent payment messages over the global banking network.

From Swift confirms multiple cases of fraudulent message traffic

May as well use Bitcoin then.

Islamic State: Up to $800m of funds ‘destroyed by strikes’ – BBC News


Maj Gen Gerstner, the deputy commander for operations and intelligence for the US-led operation against IS, said under 20 air strikes targeting the group’s stores of money had been conducted… While it was difficult to know precisely how much money had been destroyed in total, estimates put the figure at between $500m and $800m, he said.

From Islamic State: Up to $800m of funds ‘destroyed by strikes’ – BBC News


Facebook payment system will change banking forever, but it comes with its own price tag – your privacy | Voices | The Independent


The prize is huge. If you know where people have been, what sites they visit, what apps they download, and also their spending habits, you know a massive amount about them – much more than their bankers, the credit and debit card companies, and more than their mobile phone operators.

From Facebook payment system will change banking forever, but it comes with its own price tag – your privacy | Voices | The Independent


Fake MONOPOLY money which Gianni Accamo ‘used to scam dealers out of diamonds’ | Daily Mail Online


The jury at Bristol Crown Court was told the scheme went unnoticed until after the buyers had left, despite the word Monopoly written in huge letters down the middle of the bills.

The paper cash bears a slight resemblance to Euro notes but the colour scheme is much lighter and the images on the bills are out of focus compared to the real deal.

From Fake MONOPOLY money which Gianni Accamo ‘used to scam dealers out of diamonds’ | Daily Mail Online


We could fix mobile security, you know. We don’t, but we could

Earlier in the week I blogged about mobile banking security, and I said that in design terms it is best to assume that the internet is in the hands of your enemies. In case you think I was exaggerating…

The thieves also provided “free” wireless connections in public places to secretly mine users’ personal information.

From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post

Personally, I always use an SSL VPN when connected by wifi (even at home!) but I doubt that most people would ever go to this trouble or take the time to configure a VPN and such like. Anyway, the point is that the internet isn’t secure. And actually SMS isn’t much better, which is why it shouldn’t really be used for securing anything as important as home banking.

The report also described how gangs stole mobile security codes – which banks automatically send to card holders’ registered mobile phones to verify online transactions – by using either a Trojan virus in the smartphone or a device that intercepted mobile signals up to a kilometre away.

From Gone in minutes: Chinese cybertheft gangs mine smartphones for bank card data | South China Morning Post

Of course, no-one who takes security seriously wanted to do things this way in the first place (which is why, for example, we used a SIM Toolkit application for M-PESA). This is hardly a new opinion.

I saw Charles Brookson, the head of the GSMA security group, make a very interesting point recently. Charles was talking about the use of SMS for mobile banking and payment services and he made the point that SMS has, to all intents and purposes, no security whatsoever.

From SOS SMS | Consult Hyperion

In case you’re interested, that blog post comes from 2008 and if I remember correctly I’d made a presentation around that time drawing on a story from 2007 to illustrate that the mass market use of SMS for secure transactions might prove to be unwise despite the convenience.

Identity theft and a fraudulent SIM swap cost a children’s charity R90 000.

From Standard, MTN point fingers in fraud case | ITWeb

These are all symptoms of the fact that nobody listens to me about mobile banking security. Well, sort of. I’m sure other people have made the same point about keeping private keys in tamper-resistant hardware so that all bank-customer communications are securely encrypted and digitally-signed at all times, but since I’ve been making the same point for two decades (back to the days of the proposed “Genie Passport” at BT Cellnet) and despite the existence proof of M-PESA nothing much seems to be happening. Or at least it wasn’t. But perhaps this era is, finally, coming to an end. Here is what the US Department of Commerce’s National Institute of Standards and Technology (NIST) say about out-of-band (OOB) text messaging in their latest Digital Authentication Guideline (July 2016):

OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

From DRAFT NIST Special Publication 800-63B

I looked up “deprecated” just to make sure I understood, since I assumed it meant something other than a general disapproval. According to my dictionary: “(chiefly of a software feature) be usable but regarded as obsolete and best avoided, typically because it has been superseded: this feature is deprecated and will be removed in later versions”. So: as of now, no-one should be planning to use SMS for authentication.

The NIST guideline goes on to talk about using push notifications to applications on smart phones, which is how we think it should be done. But how should this work in the mass market? The banks and the telcos and the handset manufacturers and the platforms just do not agree on how it should all work. But surely we all know what the answer is, which is that all handsets should have a Trusted Execution Environment (like the iPhones and Samsungs do) and third-parties should be allowed access to it on open, transparent and non-discriminatory terms. The mobile operators should use the SIM to offer basic digital identity services (as indeed some are beginning to do with the GSMA’s Mobile Connect). The banks should use standard identity services from the SIM and store virtual identities in the TEE. There you go, sorted.

So… when the Barclays app loads up on my phone it would bind the digital identity in my SIM to my Barclays identity and use the TEE for secure access to resources (e.g. the screen). Standard authentication services via FIDO should be in place so that Barclays can request appropriate authentication as and when required.

Now… when Barclays want to send me a message they generate a session key and encrypt the message. Then they encrypt the session key using the public key in my Barclays identity. Then they send the message to the app. The only place in the world where the corresponding private key exists is in my SIM, so the app sends the encrypted session key to the SIM and gets back the key it can then use to decrypt the message itself. In order to effect the use of the private key, the SIM requires authentication, so the TEE takes over the screen and the fingerprint reader and I swipe my finger or enter a PIN or whatever.

If the bank needs step-up authentication for, say, a high-value transaction or the addition of a new payee, it can use FIDO to obtain additional authentication for input to its own authorisation processes.
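The message flow sketched in the three paragraphs above, as an added example that is not from the post nor from any bank or operator: the bank wraps a fresh session key under the customer's public key, and only a SIM object that holds the private key, gated by a user verification the TEE would broker, can unwrap it. The tiny hard-coded RSA primes, the HMAC-SHA256 keystream standing in for AES-GCM, and the PIN check are all assumptions made so the block runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

# Toy RSA pair (assumption: small hard-coded primes so this runs with the
# standard library alone; a real SIM would hold a 2048-bit-plus key).
# D stays inside the Sim object, the post's "only place in the world".
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES-GCM: HMAC-SHA256 counter keystream XORed in."""
    out = bytearray()
    for ctr, pos in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[pos:pos + 32], ks))
    return bytes(out)

class Sim:
    """Tamper-resistant element: unwraps one session key per fresh user
    verification (PIN or fingerprint, brokered by the TEE)."""
    def __init__(self, d: int, n: int, pin: str):
        self._d, self._n = d, n
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._verified = False

    def verify_user(self, pin: str) -> bool:
        candidate = hashlib.sha256(pin.encode()).digest()
        self._verified = hmac.compare_digest(candidate, self._pin_hash)
        return self._verified

    def unwrap(self, wrapped: int) -> bytes:
        if not self._verified:
            raise PermissionError("private key use requires user verification")
        self._verified = False  # one unwrap per authentication
        return pow(wrapped, self._d, self._n).to_bytes(4, "big")

def bank_send(message: bytes, e: int = E, n: int = N):
    """Bank: fresh 32-bit session key (kept below toy N) encrypts the message;
    the customer's public key wraps the session key."""
    sk = secrets.token_bytes(4)
    wrapped = pow(int.from_bytes(sk, "big"), e, n)
    return wrapped, keystream_xor(sk, message)

def app_receive(sim: Sim, wrapped: int, ciphertext: bytes, pin: str) -> bytes:
    """App: never sees D; authenticates, has the SIM unwrap, decrypts locally."""
    if not sim.verify_user(pin):
        raise PermissionError("authentication failed")
    return keystream_xor(sim.unwrap(wrapped), ciphertext)
```

A wrong PIN, or an attempt to call `unwrap` without a preceding verification, leaves the ciphertext unreadable even though the app holds both the wrapped key and the ciphertext, which is the property the post is after.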

Why is this all so hard? Why don’t I have an “Apple ID” on my iPhone right now?

It seems to me that there is little incentive for the participants to work together so long as each of them thinks that they can win and control the whole process. Apple and Google and Samsung and Verizon and Vodafone all want to charge the bank a dollar per log in (or whatever) and the banks are worried that if they pay up (in what might actually be a reasonable deal at the beginning) then they will be over a barrel in the mass market. Is it possible to find some workable settlement between these stakeholders so that we can all move on?

Bitcoin: In Technology We Trust (Maybe) – Forbes


Why should anyone have more trust in a digital currency created by an anonymous group of coders accountable to no-one than in a democratically-elected government accountable to everyone? Why is an essentially feudal governance model “safer” than a democratic one?

From Bitcoin: In Technology We Trust (Maybe) – Forbes


The World’s First Cashless Society Is Here – A Totalitarian’s Dream Come True – Ron Paul Liberty Report

Over at the Ron Paul Liberty Report they are in doubt as to who is behind this sort of thing.

The War on Cash is a favorite pet project of the economic central planners. They want to eliminate hand-to-hand currency so that governments can document, control, and tax everything.

From The World’s First Cashless Society Is Here – A Totalitarian’s Dream Come True – Ron Paul Liberty Report
