Researchers claim potentially serious flaw in Visa contactless payments cards in the UK

 

This morning a BBC report carried researchers' claims of a potentially very serious vulnerability in Visa contactless payments. It is not yet clear to what extent fraudsters around the world could use the flaw, but from what was presented it seems this could be an expensive problem, most unwelcome at this time.


 

Contactless payments cards allow people to make purchases below a certain value by just touching the card against a Point of Sale (POS) terminal. People do not need to enter a PIN except when prompted, after a certain number of transactions. Visa and MasterCard have been active in rolling out these cards across the UK, and indeed world-wide this trend has progressed strongly this year.

 

Spend on contactless cards in the UK is expected to rise to £6.4 million a week in 2014, up from £3.2 million in 2013. The UK is a leader in contactless payments world-wide, which makes the latest discovery something for people around the world to take into account in their own projects and testing involving contactless payments.

 

Today, a demonstration on the BBC showed that a mobile-based contactless payment card meant to block transactions higher than £20 actually allowed an amount of $999999.99 to be put through because it was in a foreign currency. The claim was that the flaw is with Visa contactless cards, and not just payment via mobile phones, although the demonstration was of a mobile-initiated transaction. Prof AAD Van Moorsel of Newcastle University made a statement about the research and the vulnerabilities they found.
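A simplified model of the gap reported above, as an added example that is not code from the researchers, Visa or this post: a no-PIN limit check that only compares amounts in the card's home currency, next to a version that fails closed on any other currency. The function names, outcome labels and the tap-counter value are assumptions; only the £20 limit and the $999999.99 amount come from the report.

```python
from dataclasses import dataclass

# Constructed parameters. Only the £20 limit is taken from the report.
HOME_CURRENCY = "GBP"
NO_PIN_LIMIT_MINOR = 2000   # £20.00 expressed in pence
MAX_TAPS_WITHOUT_PIN = 5    # assumed; the post only says "a certain number"


@dataclass
class Tap:
    amount_minor: int    # amount in the minor unit of `currency`
    currency: str        # ISO 4217 code supplied by the terminal
    taps_since_pin: int  # contactless payments since the last PIN entry


def flawed_decision(tap: Tap) -> str:
    """The limit is only compared when the amount is in the home currency."""
    if tap.taps_since_pin >= MAX_TAPS_WITHOUT_PIN:
        return "REFUSE_NO_PIN"
    if tap.currency == HOME_CURRENCY and tap.amount_minor > NO_PIN_LIMIT_MINOR:
        return "REFUSE_NO_PIN"
    return "APPROVE_NO_PIN"  # any foreign-currency amount falls through to here


def hardened_decision(tap: Tap) -> str:
    """Fail closed: an amount that cannot be compared to the limit is refused."""
    if tap.amount_minor <= 0:
        return "REFUSE_NO_PIN"
    if tap.taps_since_pin >= MAX_TAPS_WITHOUT_PIN:
        return "REFUSE_NO_PIN"
    if tap.currency != HOME_CURRENCY:
        return "REFUSE_NO_PIN"  # a GBP limit says nothing about a USD amount
    if tap.amount_minor > NO_PIN_LIMIT_MINOR:
        return "REFUSE_NO_PIN"
    return "APPROVE_NO_PIN"


# Constructed sample taps, including the amount shown in the demonstration.
SAMPLE_TAPS = [
    Tap(1500, "GBP", 1),       # £15.00, under the limit
    Tap(2500, "GBP", 1),       # £25.00, over the limit
    Tap(99999999, "USD", 1),   # $999999.99 in a foreign currency
    Tap(500, "GBP", 5),        # small amount, but PIN is due
]


def compare(taps):
    """Return (flawed, hardened) outcomes for each tap."""
    return [(flawed_decision(t), hardened_decision(t)) for t in taps]
```

Here "REFUSE_NO_PIN" stands for whatever fallback the scheme uses when the no-PIN path is not allowed, such as asking for a PIN or declining.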

 

Due to the widespread roll out of these cards in the UK, it is possible that people have these cards without being aware of it. There are 48 million contactless cards in the UK today.

 


 

Visa Europe responded to the BBC on this to say the research does not take into account the multiple safeguards put into place, and that in practice it would be difficult to complete such a transaction. Of course, the amount would go through only if the account had the money. Visa Europe said it was already updating its system anyway to make this kind of attack difficult.


 

This could be a potentially very big issue, but it was found by researchers before it was exploited by criminals. The BBC states that contactless card fraud in the UK was only £51,000 in the first half of 2014, but then most people have not actually begun to use the contactless functionality on their cards.

This is an unfortunate setback at a time when contactless payments were at last set to take off. In the UK, with new rules having come into effect in July 2014, contactless cards were to be the mainstay of payments on London buses, where cash is no longer accepted.

 

The question this raises for me is to what extent this flaw may be present in other cases of contactless payments in Europe and world-wide. The reports so far do not make it conclusively clear at what level this flaw exists: whether only for dematerialised cards on mobile phones or for all Visa contactless payments cards.

 


A digital wallet-fuelled disruptive model disrupts London traffic

Around the world the way people pay for travel is changing as people pay without pulling out a wallet. But does this work for everyone? In London this month chaos reigned as the London black cabs protested over the Uber app. This app works so well for passengers and for the new breed of private vehicles that use it that it cuts to the heart of the London black cab model, a business model that dates back to 1834. Although incumbents know that change is on the cards, it is not always easy to adjust.

 

London, UK – June the 11th 2014. The height of the tourist season in historic London. But I’m glad I was not out on the town that day. Here is what tourists generally enjoy.

By Arriva436 (Own work) [GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons

 

Sadly this picture of tourist heaven was rudely shattered when the black cabs went on strike. Who were they protesting against and what were they protesting about? Why did they have to strike to get their voices heard?

Horses disrupted

Back in 1834, London black cabs themselves disrupted horse-drawn carriages; the first hackney-carriage licences date back to 1662. UK regulations define a hackney carriage as a taxicab allowed to ply the streets looking for passengers to pick up. The Uber app targets their competitors, the private hire vehicles (sometimes called minicabs), which may pick up only passengers who have previously booked or who visit the taxi operator's office.

The coming of the digital wallet

At Shift Thought we term 2011 the year of the digital wallet. In the transport world we saw the launch of digital hailing applications for cabs in many parts of the world, including the USA, India, China, Canada and even Azerbaijan. These operate through smartphones and include not just Uber, but a number of other such services, such as GetTaxi and Hailo. Many of these applications also facilitate payment and tracking of the taxicabs. They are made possible by the new access that consumers have through smartphones and digital wallet payment mechanisms.

The Uber App

The Uber App provided to private minicabs aims to give travellers a seamless experience of travelling through London. You can see how much a trip is expected to cost and book it with your smartphone app. You can see who will pick you up and when, on a map. Yet you don’t need to pull out your wallet to pay. It’s a card-on-file application, which means no cash changes hands. Just one of the ways in which travel is going cashless in London.

A marketplace for cabs

Just as eBay created a marketplace for buyers and sellers on the Internet, and Amazon lets us sell those books we no longer need, the Uber App and others like it empower a new category of providers, lowering the entry barrier and letting the new entrants create massive value for customers.

Let’s relook at the framework of the “7 Cs”, a model we at Shift Thought created back in 2011, to consider how to build services that please both consumers and merchants.


 

The Uber app ticks many of the boxes for the consumers and for the new set of cabbies it serves. A journey across London cost a mystery passenger from the Express.co.uk half the price of a black cab. For private cabs, it requires much less knowledge of streets, as there is an app for that. It makes it easy for passengers to get a cab, trust a cab and make payments. I wondered if tips were down. Perhaps the new app does not make it easy to tip? But no, in actual fact a default tip of 20% is automatically added by the intelligent designers of this app. Here is what Uber advises on tipping:


 

So merchants are happy. And customers are happy: well, those who travel regularly enough to use the app and have a payment card that they can register. The Uber app is like Oyster-on-steroids as it is tightly linked to an inexhaustible supply of real money. Created by Travis Kalanick and Garrett Camp, Uber now operates in 37 countries.

Unfortunately it leaves the incumbent merchants, our existing highly experienced London black cabs feeling “short changed”.

So what can those disrupted do?

There are no easy answers. The immediate course of action London black cabs are taking is to argue that calculating the final cost only after the journey is complete amounts to a metered ride, which is only allowed for black cabs. Unfortunately this does not address the issues at the heart of what’s really causing them pain. And this is the case in the 36 other countries where Uber operates. Will we see the demise of the talented cab driver who knows London like the back of her hand? Like horse carriages, will these be the “premium rides” we only take as a treat, and to remember the good old days?

Come join our Digital Money (open) group on LinkedIn to have your say on this. Are you the disruptor or the disrupted in the Digital Money Game that’s being played out around the world? Check out the 1900+ examples of new payment methods that we share on this portal.

If you’d like to know more about the Shift Thought Digital Money model and framework just pop us a note at contact@shiftthought.com. We shared our recent research through presentations just delivered at the London PayExpo 2014:

(1) Digital Money in Retail

(2) Mobile Money around the world

Let us know if you would like a copy!

RBS – the role for digital banking in establishing the most trusted bank in UK

 

As Ross McEwan (Chief Executive of RBS since October 2013) sets out to cut 1 billion pounds of cost this year, this post sheds light on how digital channels are likely to support this plan. The plan involves removal of duplication and complexity by rationalising functions currently duplicated across divisions.

With the backdrop of these plans, and the context of the UK launch of Paym last week, Charmaine Oak (CO) caught up with Terry Cordeiro (TC), Head of Mobile, RBS, to understand how his vision plays out in terms of mobile banking and payments. He shares with us his expert insights into the UK payments market, and how he hopes to create a seamless consumer interface that hides implementation details and simply solves the consumer needs.

But first there is the imperative to sort out the systems behind recent high-profile outages. RBS reportedly plans to reduce technology platforms by over 50%, slashing the number of core banking systems from 50 to 10 and the number of payment systems from 80 to 10.

CO: Terry, what services do RBS/NatWest customers currently enjoy with respect to mobile banking and payments services?

TC: Our mobile app supports a range of everyday banking needs including statement history for the last 90 days across all accounts, payments and transfer services. Our award-winning NatWest and RBS GetCash service has evolved from an emergency cash service to much more casual, every-day use, “money for treats without your wallet”.

SMS services have been around for a while, and can sometimes be taken for granted, yet we find increasing numbers of our customers signing up for these. From their use as alerts and notifications regarding payments, they have evolved into ways in which we can help our customers save money, by reminding them about upcoming thresholds beyond which they may incur penalty charges.

CO: How about contactless payments? Do you plan a follow-up on your TouchPay trial of 2012-2013 that allowed consumers to pay for £20 or less from their current accounts?

TC: The TouchPay trial proved to be a useful learning exercise for us. Customers told us they want more than just going from paying with plastic to paying with mobile. We’re currently in the process of designing that “something extra” experience which will incentivise customers to overcome the inertia of changing their habit of paying with a card. This could include location awareness, loyalty points and incentives that come from the new data points such services can provide.

CO: What about domestic transfers? Why is RBS not in the first tranche of banks supporting Paym?

TC: We’ve supported payment to mobile phone number for the last 12 months, via our Pay your contacts service and it has been incredibly successful. This is a P2P service that runs on our internal systems for on-us payments, and leverages Visa Europe Personal Payment services for payments to anyone holding a valid UK Visa card and UK mobile number. We expect to first manage some of the rationalisation projects, recently announced by Ross McEwan, before we implement Paym later this year.

CO: Talking about rationalisation, it seems UK customers are now spoilt for choice with respect to mobile payment services. Your own bank services have now been joined by those from the schemes, and now interoperable services such as Paym and Zapp, not to mention operator based services from Weve and individual mobile operators. Don’t you think there is a danger of confusing the consumer into an “analysis paralysis” almost?

TC: That is exactly where we come in. Our goal is to simplify the experience for the consumer – just give them increasingly easier ways to pay. As the alternatives become available they just provide more options for the 2.5 million to 3 million UK consumers who currently use our mobile banking services. It’s great that these new services are helping to increase the awareness of new ways to pay.

CO: Terry, thanks so much for sharing your vision and these insights with us. I wish you the very best in taking your strategy forward, and hope to learn more about it as it evolves further.

 
