Community

You make a good point Alister - in fact several good points.  Faster Payments is indeed a solid achievement which can now be used as the platform for a whole range of new added value services.  It's surprising Vocalink haven't made more out of it - I'm assuming they're the main driver behind the project.  Maybe they need consultants!  What's Tietoenator's role in this?  Are you active in this space?

Yes it will.  See my post: https://www.finextra.com/blogs/fullblog.aspx?blogid=1518

Check out the articles by Claus Nehmzow on "Branding in Virtual Worlds" at http://method.com/#/thoughts/all/ .  An excellent series on what does and doesn't work in environments such as Second World.  Claus has himself done some very interesting work in this field and I'm sure he'd be happy to share his insights with Finextra.

I'm not an expert in this area so I'd welcome informed comment too.  My understanding was that a mobile phone, like a PC, is inherently insecure, so your account number, PIN and security questions would be logged by spyware within the phone then broadcast to the fraudster who would use them to clean out your account by whatever means he chose.  In other words he doesn't need to steal the phone first.  Is this plausible?

You can also protect against man-in-the-middle attacks by using the Transaction Data Signing facility with Remote Chip Authentication (RCA) approaches such as MasterCard's CAP and Visa's DPA.  You insert your chip card in the handheld reader and enter the account number of the beneficiary, and the payment amount, as well as your PIN, then press the "Sign" button or its equivalent on the reader.  The chip on the card then uses all this information to generate a one-time-password which you enter into the PC, effectively signing the transaction.  Any attempt by a fraudster to change the transaction is immediately apparent.  This is the approach used by, for example, ABN AMRO and the many other banks which now routinely use RCA for secure remote banking.

In my view, using a second channel such as a phone line is expensive, inconvenient and unfamiliar compared with this "Chip & PIN at Home" approach.

Totally agree with Nick Green.  Maybe I'm the wrong generation but I've just never understood why mobile payments excites so much interest.  OK, I can see that you might use a phone to pay for stuff which is actually to do with the phone itself, like top-ups and ring tones, but the idea of using it at the physical point of sale instead of a payment card I just don't get.  Why would you want to do that?  As Nick Green says, if you're using the phone as a contactless device that's another matter altogether - you may as well talk about "key fob payments" or "wristwatch payments" - and in any case a contactless payment card is much better because it can be used in contact mode every so often for greater security - that's the idea of the London Launch as I understand it.  Which leaves us with remote payments.  The mobile phone industry has been announcing pilots of "m-commerce" solutions for about 10 years now but they never seem to catch on.  It seems to me that fundamental issues to do with security and infrastructure mean we're still many years away from a commercial mass-market product.

I'm surprised that HSBC is lukewarm about "Chip & PIN at Home".  This approach has been successfully adopted by several major European banks such as ABN AMRO, Rabobank, KBC and Nordea, to name but a few, and has now been launched by RBS and Barclaycard in the UK, supported by APACS.  Contrary to the previous blogs it is not vulnerable to man-in-the-middle attacks provided transaction data signing is used - typically the user enters the beneficiary's account number on the reader as well as the PIN which means fraudulent attempts to transfer money to another account are foiled.  Chip & PIN at Home is highly secure, cost-effective, familiar, and works across any remote channel (ie phone as well as internet; remote payments as well as remote banking).  By contrast HSBC's phone-based approach sounds highly expensive, inconvenient, applicable only to e-banking, and unproven.