Look, Ma, No Hands!

Nice blog Alexander - you raise a serious concern.  Presumably this new service is a form of "push" payment running on top of Vocalink's Faster Payments.  But as you point out, if authentication is via mobile phone number plus a static passcode entered into the mobile phone, with no equivalent of an EMV chip, then that's completely insecure.

Does anyone know if the Payments Council is working on any stronger form of authentication?  Anyone like to comment?

We already have different authentication standards for different modes of payments: With cash, you just hand it over with no authentication; with cheque, you authenticate by wet-ink signature. Just like cash and cheque, mobile payment is yet another MOP and there's no reason why it must have the same authentication standard as cards, which is a different MOP. The real problem would be if there were dual / multiple standards for the same MOP viz. some people have to sign cheques, others have to sign and place fingerprint on cheques and still others have to sign, fingerprint and show proof of ID with cheques. On second thoughts, maybe not: I remember that, a few months ago, when I wrote a high value cheque to fund a demand draft for a home purchase, my bank did ask me for my passbook and proof of ID. For 'normal' cheques, signature alone would've sufficed, but for this high value cheque, it did not.

Another way of looking at it is, with the hindsight gained over almost a decade of EMV, the industry has perhaps realized that EMV wasn't worth it, so why repeat the mistake with mobile payments.

Personally, as long as the mobile payment app has a PIN - and does not rely solely on the lockscreen password - I'd feel that it's secure enough.

Good argument, Ketharaman. I am not against non-EMV security solutions when it comes to payments (since we use some on our platform). As you pointed out, one should compare EMV fraud rate to the alternatives to see if indeed EMV makes commercial sense in that respect.

I objected to inter-bank A2A fund transfers (i.e. banks' internal affairs) being labelled as (secure) "mobile payments".

Yet another way of looking at this method of payment is that it's just a conventional A2A credit transfer using a mobile phone rather than a PC to log on to your bank to initiate the transfer.  As far as I'm aware every UK bank now uses strong, two-factor, EMV-based Remote Chip Authentication (or its equivalent in the case of HSBC) to authenticate this type of payment.  For example Barclays' PIN Sentry.  Some, Nat West, for example, go further and insist on Transaction Data Signing by getting you to enter the beneficiary's account details in the card reader.  So it just would not be logical to have less security simply because you're using a mobile phone rather than a PC.

You don't really believe "EMV wasn't worth it" do you Ketharaman?

@Nick

Spot on - exactly the "dual standards" I was referring to. Well, in case of mobile phones, there are technologies (used by Pingit, for example) that rely on a device "fingerprint". Yet, they are not as secure as chip-based solutions.

'Mobile Order - Telephone Order' has been virtually wiped out after 2FA was made mandatory for card payments made on the channel - erraneously called MOTO locally - just because card payments made online were subject to 2FA in India. Therefore, I'm in favor of viewing each MOP-Channel as having its unique trifecta of functionality-security-convenience and adjusting each attribute in such a way that the CX is maximized. To me, this is the only way to boost customer adoption of any MOP-Channel. Taking A2A, if Mobile-PIN-DeviceAuthentication is deemed less secure than Online-2FA, I'd advocate mitigation of the security risk by pushing the functionality lever on the former by, say, limiting its maximum daily transfer figure. My personal experience warns me that imposing the latter's security mechanism on the former ignores the unique and different characteristics of the former and will likely cause so much friction that the former will never reach mainstream adoption.

As for whether EMV is worth it or not, I was referring to the industry's view. But, since I now have the chance to weigh in with my personal opinion, here it is: I've been trying hard to get hold of the following two metrics for EMV and non-EMV markets (likewise for 2FA and non-2FA markets): (1) Fraud as a % of Revenue, and (2) Revenue Loss caused by False Positives as a % of Revenue. Only when these figures are available can the benefit of EMV be compared with its cost and a logical decision arrived at as to its worth. Despite reaching out to many sources, including EMV (and 2FA) solution providers, my efforts have failed to bear fruits so far. Therefore, at this point, I'd lean on the side of EMV-skeptics who hold that EMV may be worth it in markets like Europe where card payment authorizations (reportedly) happen offline but not in markets like USA where they (reportedly) happen online.

I think there is a misconception between "Offline" and "Online" here.  In the UK - the Cardholder Verification Method (CVM) is provided generally by Offline PIN Verification (I say generally because some Chips are issued to allow Signature as the CVM but that is another story…).  Financial Authorisation very very rarely occurs offline - most Issuers configure the Chip to Force the Authorisation online.  In EMV's conception there was a view that predicted exponential rises in Transaction volumes could be cataclysmic and as a result the potential for a Chip to self-authorise within define Floor Limit parameters was scoped in.  In America – Debit Card Transactions use Online PIN Verification at the POS – therefore the CVM (Online PIN) and Financial Authorisation are both performed online – whilst the UK performs PIN Verification (for POS) Offline with Financial Authorisation performed Online.  Hope this clarifies the Online VS Offline debate…

More like miscommunication rather than misconception: I've added CLARIFICATORY NOTES IN UPPERCASE to make my previous comment more clear about what I meant: "EMV may be worth it in markets like Europe where card payment authorizations IN THE MAGSTRIPE ERA  (reportedly) USED TO happen offline AND HENCE REQUIRED EMV TO MAKE THEM HAPPEN ONLINE but not in markets like USA where they (reportedly) happen online EVEN WITH MAGSTRIPE.

Well if we are going to go back in time... EMV was not introduced to suddenly bring transactions online - Magstripe Transactions were already being authorised online (in the majority) for many years before EMV's introduction.  The main drivers for EMV: (i.) An attempt to defend against Card Cloning; (ii.) The ability to perform Risk Management before Authorisation is attempted online; and (iii.) with a view to enabling multi-application uses per card.  I would argue that point (iii.) has not be successfully achieved in general.  Whilst there have been a few loopholes and exploits documented in the Academic world there have been few actual instances of these occurring in the wild.  I would like to see more cooperation between Software Suppliers, the Financial Services Industry, International Governments and the world of Academia.

TY for the clarification but my understanding is different. According to this Finextra article quoting a Visa exec, "...in the US, we can rely on online processing where transactions are transmitted in real-time to the issuer for approval ... there's no need for the offline authentication that was the genesis of chip-and-PIN". A few years ago, I remember reading other articles from independent analysts saying the same thing. If I manage to locate them, I'll post hyperlinks to them. Anyway, with all the buzz around mobile payments, which will NOT be EMV-compliant, this point is moot anyway. 

In 2013, what is the point of offline (authorisation or authentication)? How many places are off the grid completely (i.e. cannot be serviced by fixed telecom or a femtocell)? Offline authentication with online authorisation sounds especially illogical.

@AlexP:

At the risk of going off the track here, I can't help recalling my experience with a leading bank in Germany when I read your reference to network connectivity: After withdrawing cash from a Frankfurt-based ATM of a Top 5 German bank headquartered in Frankfurt, the account balance displayed on the ATM doesn't change. To see the latest balance, I'd have to insert my debit / ATM card into a separate statement printing machine. The ATM shows the latest balance only on the next day.

This disconnect was caused not because of lack of connectivity - the ATM was on the grid 24/7 - but because the bank's accounting system sent out account balances to the ATM switch only at midnight. 

Lest we rule out such disjointed behavior of disparate systems in 2013, even today the Twitter widget on my WordPress blog often takes several hours to display tweets posted by me via a popular social media dashboard. Surprising, considering that all the involved systems are actually resident on the cloud and, hence, available on the grid 24/7. But true.