Peter - Par for the course I'm afraid, by which I mean that it is a patch to address a problem that causes inconvenience whilst not addressing the problem, merely moving the attack. Prevent phishing? Er, no, just means it has to be done in real time, which may alter the current criminal supply chain a tad, but I'm sure they'll cope.
Rob/Alan, yes Barclays was first off the blocks with implementing this, which is an APACS (as was) standard, and it has indeed won awards - such as the 2008 Nominet Best Security Initiative - judged by none other than Richard Martin of, er, well that will be APACS. Reminds me of Monty Python's 'Award Winning' book*.
Yes it will force fraudsters to migrate in the short term, just like Chip and PIN did, but the migration is equally obvious here.
Happy New Year!
Andrew
* Winner, Monty Python Awards for their own material
08 Jan 2010 08:43
That will really help defend against attacks won't it, because obviously, during the (contactless) attack, one will notice an LED flickering in a wallet or purse when minding one's own business!!
To follow soon, I shall set up a blog to debunk much of this nonsense - working title 'Special subject, the bleedin' obvious' ...
05 Nov 2009 17:48
Mike,
I hadn't noticed this blog until you'd flagged it, so thanks for pointing out some of the glaring errors.
Title - hacked via a botnet or phished
Para 1 - they're phished - good old social engineering!
Para 2, line 1 - they're hacked, but some were very weak!
Para 2, line 3 - now they're stolen (so not UK victims, as you can't steal information, merely exploit it for other unlawful purposes)
Para 2, line 5 - back to hacking, and only insecure passwords can be hacked, clearly
Para 3 - strong passwords are on the compromised list.
So, actually back to para 2 because, in itself (over and above the truism that those who are using stronger passwords are likely to be security aware and hence have anti-virus, et al, and not fall for Dear Mister emails) anyone using an insecure password is no more likely to be a victim of hacking or phishing.
If you've an insecure machine and you're gullible then the security of your password makes not the slightest difference (besides the chances of a friend or colleague logging in as you).
Final paras are valid, but hardly news, so I'm afraid to say the only 'laziness and less than sophisticated approach to security' rests with the author.
19 Oct 2009 23:32
Why only worry about contactless m-payment fraud, not card based? And Jon, why have m-payments and e-ticketing for 2012 (transport ticketing consultation was out last week)? Surely m-payments, with m-ticketing (as the Barclaycard/Oyster/O2 pilot), so then why not take advantage of the mobile (a computer) as an integral part of the security process? Some of the current pilots do seem rather unimaginative!
31 Aug 2009 14:24
Nick,
Comment moving onto new thread on Home office m-payment announcement as I want to draw the two issues together ...
31 Aug 2009 13:13
Go on then, I'll bite - transport ticketing is universal - EMV/Chip & PIN is not. EMV/Chip & PIN have many security flaws ....
26 Aug 2009 18:14
You're getting about aren't you Heinrich!! Not sure which of your blog posts led me to the site, but thanks as it was fun. I've commented on another string, but in case you miss that one ...
I must admit I do like Heinrich's WebLookOn, and think it could catch on. Not as a security solution, mind you, as it fails for the same reason as all the other OTP generating systems, but as a new super-fiendish Su Doku. Too many of the grid based systems coming through at the moment are far too easy to find the known secret and just aren't fun to crack. As the site says 'have fun' and I'll confess I did - it took over an hour to find the secret given three data sets (though if you wish to play at home you'll have to get a friend to set it up, else you'll know the images you're after), but I've got bored of all the Su Doku Ken Kens in the newspapers, so this was a breath of fresh air (though, if I'm splitting hairs, from the initial 'select the picture of a reptile' I'd point out that a frog is actually an amphibian).
27 Jun 2009 11:01
Stephen,
A good piece, and I agree with your conclusion that we wouldn't need a second channel if we could make the main channel tamper resistant (and unable to be actively intercepted or passively monitored). Not sure how on earth one proposes to do that in a workable manner, though!! So I think we're stuck with multiple channels as the way forward, as everything else ends up boiling down to single factor 'what I can intercept' and pass on.
Lots of work underway on securing mobile data transfer at the moment, in particular because of the advent of mainstream mobile payments and the subsequent interest to organised crime.
27 Jun 2009 10:49
Some fascinating examples that made me do a little research into life in 21st Century Britain.
I was surprised to learn that in 2008 7% of UK milk was still delivered by a milkman (note for overseas readers - milkmen are a historic UK institution who deliver milk to your doorstep daily, some of whom like to accept cheques). That said, 7% is a sharp decline from over 20% in 1999 - similar to the drop off in cheque use when you come to think of it.
Tempted by the thought of paying a huge premium (around 50%) for having my milk delivered I thought I'd have a look at their service - hmmm, note to self - huge premium for continuing outdated and inefficient model. Suggest to bank. Anyway, the UK's largest milkman, Dairy Crest has a highly inconvenient system of taking online orders and accepting payment by card or direct debit, as does Cravendale the second largest (www.internetretailing.net/news/now-even-the-milkmans-getting-into-ecommerce). Irritatingly, neither seem to offer me the option of being woken up first thing in the morning, but then it appears they don't accept cheques either.
So enough about milk - onto takeaways. Less scientific this one (many thanks to Defra's marvellous Dairy Supply Chain Forum and their 2008 Milk Road Map for much of the above), but a raid on the kitchen produced a clutch of Indians, Chinese and three Pizzas. Indians and Chinese are all straightforward - no surcharges for credit or debit, but they won't take cheques at all. Italians less clear cut - all three are happy to accept plastic, of course, though two would charge 50p to cover costs. But only one would accept a cheque, again with a 50 pence surcharge.
Card payments obviously have the disadvantage of not allowing any credit period [are you sure? -Ed], unlike cheques, which do give you a couple of days extra interest, but there we go.
But cheque lovers will be pleased to know that I have come up with a genuinely unique advantage of cheque use, at least in the UK - Cheque Guarantee cards. I can't think of any other payment system that offers me the ability to write a string of numbers along the back to guarantee clearing and fraudulently make use of up to £250 per time - there's 25 cheques in each of my chequebooks, so that's £6250 per book for free. And with extra books easily ordered, it's a potential goldmine. I did point this out to the Payments Council in my submission last year, as I am concerned that the industry may be neglecting the criminal community, but they've not got back to me for some reason.
08 Mar 2009 16:10
Clearly there is a romantic element to some of receiving a cheque, but as this is essentially a financial technology newswire, let's rule that one out as a reason to keep them. If one wants the little dears to have something to open physically with a birthday card then print off the sent receipt! But what about the recipient?
So to your example, it's your nephew's birthday coming up and you don't happen to have a gift card (obviously) but you do have the card and stamp. It's 20:30 so the shops have closed and you can't think of a present - excellent idea I'll give him cash - that'll piss him off. Oh, sorry, he lives in a dodgy neighbourhood so you don't trust cash in an envelope - good point. So write a cheque, pop it in the post and two days later (if you're lucky, but you've missed the last post) it arrives.
So as it's his birthday, off to the pub he goes for a drink on uncle Roger ... er no, that'll be a trip to the bank, assuming he's an account, oh no sorry the local branch has closed down in cost cuttings so the banks don't have to deal with cash/cheques, so drive to the next town for the bank (topping up with petrol en route), park (another couple of quid), get there to deposit it (with or without queueing, point taken Marite) and then ... wait typically four working days for it to clear, etcetera. And then to the pub for a half as, generous though he is, uncle Roger's stuck in the 70s.
That's why every birthday I end up carrying half a dozen cheques around for the next fortnight until I can actually get in to deposit the damn things.
So what should replace the paper cheque?
Gift/prepaid card - points already well made and taken. Thanks for spending the £30 uncle Roger, I look forward to spending the £25.
Credit transfer or mobile phone - 20:30 in evening phone sibling to ascertain where little Johnie banks nowadays and get account number. Hopefully get correct answer but then enquire as to whether monies sent will be swallowed by Johnie's overextended overdraft. Happy birthday, I paid a few bank charges for you. Much quicker and he can gain instant access, but you've no idea where he wants to deposit the money (if at all).
The cheque has an advantage of sorts, therefore, in that Johnie can choose where to deposit it, but at the expense of a logistical obstacle course that's hardly worth it for £25. You also need to know where they are to receive it, which isn't always convenient/possible (i.e. abroad on holiday).
That leaves us with a couple of innovative options I've seen being mooted recently, mostly using the mobile or internet as a medium, where you only need to know their mobile or email (and you can save yourself the cost of postage and card (sorry, Marite you're right, save the planet) to boot with an electronic card) but where the recipient gets to choose what they do with the funds thereafter.
So, Marite's hit the nail on the head - a 'virtual' cheque with no charges for payer or payee would appear to be the appropriate replacement.
Looking forward to it, and well before Payment Council drop dead date.
05 Mar 2009 18:05