Showing posts with label fraud. Show all posts

INCSR getting involved

I didn't know that the US Department of State pays good money for bureaus with complex names, like the Bureau of International Narcotics and Law Enforcement Affairs, to produce reports like the International Narcotics Control Strategy Report (the INCSR). I cannot comment on the rest of the report, but the section on "mobile payments - a growing threat" caught my interest and I read it attentively.

I must say that the sentiments expressed and the conclusions reached are far removed from the practices and intentions of the mobile payment and remittance industry. Very few of the statements regarding risks and lack of controls have been verified or tested against the practices actually employed by mobile payment vendors. Compliments to the authors for publishing the report on the Internet. (Read it here). Unfortunately, I could not find any feedback mechanism that would have enabled me to contact the authors in order to rectify the many inaccuracies.

In practice, great care is taken to ensure that subscribers are enrolled with proper KYC compliance. The implications of the Patriot Act and of FinCEN requirements are carefully researched and built into deployments to ensure compliance. Most of the vendors in the industry (and I know most) have a genuine intent to build an accessible electronic financial infrastructure for the poor, one that will also eliminate (and block) the actions of criminals and terrorists. These vendors work with the World Bank and associated agencies (like CGAP), reputable banks and other financial organisations to build well-governed solutions to the massive problem of the poor being effectively excluded from modern financial services.

The statements in the report not only harm the delivery of financial services worldwide, but also delay the deployment of electronic tools that would enable legitimate agencies to monitor transactions and to identify fraudulent and illegal activities. I would urge the authors of the report to contact representatives of the mobile payment industry, both to clear up misunderstandings and to help the industry build financial instruments that are better for all.

Who can see your PIN

Researchers claim to have found flaws in some well-known brands of PIN entry device (PED), certified by APACS and Visa. These devices have loopholes that can enable fraudsters to access unencrypted PINs and account numbers.

The "tapping" techniques used to capture unsuspecting cardholders' PINs require little technical know-how: fraudsters can attach to the PED a "tap" that records PIN and account details as they are transmitted between the card and the PIN pad. Criminals can then use this data to create counterfeit cards and withdraw cash at ATMs in countries where Chip and PIN has not yet been implemented. (Read more)

In another report, a British criminologist has warned that the new security card technology could actually increase, rather than solve, the problem of identity theft and fraud. The researcher said that identity cards and chip and PIN technology for credit cards were unlikely to alleviate the problem: fraudsters react with more creative responses, while individual vigilance and know-how, which remain the best protection against fraud and identity theft, will decrease. (Read more).

The biggest exposure to fraudulent transactions, in my view, is the lack of control a subscriber has over what is done with his or her PIN. How is the PIN handled? Can it be intercepted, or is it stored anywhere along the line? Any third-party device or transmission line that the subscriber does not control is a possible point of attack. PIN entry devices that are not under the direct control of the subscriber are the weak point: such devices can be used to capture a PIN fraudulently without the subscriber's knowledge.

Techniques are available that enable a subscriber to enter a PIN on a mobile phone in a secure way, and that can also be certified by banks and credit card associations. The difference with this approach is that the PIN is entered on a personal device that is (usually) under the subscriber's control, so tampering with it in order to capture the PIN is much more difficult.
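The two questions above (can the PIN be intercepted, and is it stored anywhere along the line) can be made concrete with a small model of the path from PIN pad to host. The code below is an added example, not the post's own or any vendor's code: it builds an ISO 9564 format-0 PIN block, shows that a tap on the line recovers the PIN trivially when the block travels in clear, and that it recovers nothing useful when the block is encrypted at the point of entry under a key held only by the entry device and the host verifier. The host stores only a keyed verification value, never the PIN. The PAN, PIN and keys are constructed sample values, and the HMAC-SHA256 keystream stands in for the hardware 3DES/AES a certified PED or a phone's secure element would use.

```python
"""Added example: what a line tap sees with and without point-of-entry PIN protection."""
import hashlib
import hmac
import secrets


def format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format 0: '0' + PIN length + PIN, F-padded to 16 hex digits,
    XORed with '0000' + the 12 rightmost PAN digits (check digit excluded)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1]
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def recover_pin(block: bytes, pan: str) -> str:
    """Undo the PAN mask. The PAN is on the card in clear, so this is all a
    tap needs when the block itself travels unencrypted."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    clear = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    length = int(clear[1], 16)
    return clear[2:2 + length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode; stand-in for the PED's hardware cipher (assumption).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(zone_key: bytes, block: bytes, nonce: bytes = b"") -> tuple:
    """Encrypt the PIN block inside the entry device; returns (nonce, ciphertext)."""
    nonce = nonce or secrets.token_bytes(12)
    stream = _keystream(zone_key, nonce, len(block))
    return nonce, bytes(a ^ b for a, b in zip(block, stream))


def unprotect(zone_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decrypt; only code inside the host's secure boundary holds zone_key."""
    stream = _keystream(zone_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def enrol(host_secret: bytes, pan: str, pin: str) -> bytes:
    """The host stores this keyed verification value, never the PIN itself."""
    return hmac.new(host_secret, (pan + pin).encode(), hashlib.sha256).digest()


def host_verify(zone_key: bytes, host_secret: bytes, pan: str,
                nonce: bytes, ciphertext: bytes, stored_pvv: bytes) -> bool:
    """Decrypt, derive the verification value and compare in constant time."""
    pin = recover_pin(unprotect(zone_key, nonce, ciphertext), pan)
    return hmac.compare_digest(enrol(host_secret, pan, pin), stored_pvv)


if __name__ == "__main__":
    # Constructed sample values.
    PAN, PIN = "4111111111111111", "1234"
    ZONE_KEY, HOST_SECRET = secrets.token_bytes(32), secrets.token_bytes(32)
    block = format0_pin_block(PIN, PAN)
    print("tap on a clear line recovers:", recover_pin(block, PAN))
    nonce, ct = protect(ZONE_KEY, block, nonce=b"")
    print("tap on a protected line recovers:", repr(recover_pin(ct, PAN)))
    print("host verifies:", host_verify(ZONE_KEY, HOST_SECRET, PAN, nonce, ct, enrol(HOST_SECRET, PAN, PIN)))
```

The design point is where the key lives: a PIN pad or a phone that encrypts at the moment of entry gives a tap only ciphertext and a PAN, and a host that keeps a derived value instead of the PIN has nothing to leak from storage.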

Administration Module

It is actually relatively easy to demonstrate a mobile banking transaction. Connecting a phone channel to a banking system and demonstrating a transaction initiated by a phone subscriber is by far the easiest problem to solve in mobile banking.

Far more complex, and much more important, is to also provide robust administrative support for the mobile banking solution. This is an essential component of a commercially sound, production-ready mobile banking system.

In evaluating a deployment-ready solution one should expect to find the following components in a well-designed administrative module:
  • Support staff access is important, as it is probably the biggest risk factor in the operation of the system. Statistics have shown that fraud is more often perpetrated by internal staff, and the exposure is also much bigger. Well-designed systems should cater for a defined responsibility matrix with segregation of duties. Techniques like dual authorisation, limits and exception reporting should be available. Proper logging of support staff activities is important to ensure that activities can be tracked and audited.
  • Most administration activities are made available by means of suitable procedures. Systems should support standard procedures and workflow for the key functions (such as registration of a new subscriber, renewal of a PIN and reversal of a transaction, to name a few). In addition, the workflow component should be flexible enough to accommodate changes and to add new procedures.
  • The tasks within the procedures should include client support functions that enable a client support staff member to handle queries, set new limits, change personal information and so on. Support should be given for searching the data by surname, identification number etc., in addition to mechanisms for authenticating clients.
  • Administrative support could include the ability to raise interest and fees, to run reconciliation tasks, to change system parameters, or to send communications to support staff or clients.
  • The availability of management information is critical, not only to operate a mobile banking system effectively but also to improve the service.
  • A well-designed system should cater for external administration functions. This would enable third-party suppliers to register clients or to pay commissions, for example. It is preferable to have a defined interface for building customised access to the administrative functions.
Administrative support is often delivered as an afterthought, or not based on a well-architected design. It is often inflexible, limited in its functionality, open to misuse and expensive to change. It often does not provide sufficient management information or cater for exceptions. One should evaluate alternatives carefully on the basis of their administrative support, as this is usually the most expensive element to add or modify later.
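The first item in the list above (support staff access, segregation of duties, dual authorisation, limits, exception reporting and audit logging) is the part most often skipped in a demo, so here is an added example of what those controls look like in code. It is not the post's or any vendor's code: a small administrative module in which a role may request a procedure but a different role must approve it, amounts above a per-procedure limit (and PIN renewals always) need a second person, a requester can never approve their own request, every action lands in a hash-chained audit log, and the exception report is built from that log. The staff names, roles, procedures and limits are constructed sample values.

```python
"""Added example: support-staff controls for a mobile banking administrative module."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Responsibility matrix (assumed sample values): who may request and who may approve.
PERMISSIONS = {
    "pin_renewal":          {"request": {"support"}, "approve": {"supervisor"}},
    "transaction_reversal": {"request": {"support"}, "approve": {"supervisor", "finance"}},
    "limit_change":         {"request": {"support"}, "approve": {"supervisor"}},
}
# Amount at or above which a second person must approve; 0.0 means always.
DUAL_AUTH_FROM = {"pin_renewal": 0.0, "transaction_reversal": 100.0, "limit_change": 500.0}


@dataclass
class AuditLog:
    """Append-only, hash-chained record of every support-staff action."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, staff, role, action, detail, outcome) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "ts": datetime.now(timezone.utc).isoformat(),
                 "staff": staff, "role": role, "action": action, "detail": detail,
                 "outcome": outcome, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        """Detect any edited or removed entry by re-walking the chain."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class AdminModule:
    def __init__(self, staff_roles: dict):
        self.roles = staff_roles          # staff id -> role
        self.log = AuditLog()
        self.pending = {}                 # request id -> awaiting second authorisation
        self._seq = 0

    def request(self, staff: str, action: str, subscriber: str, amount: float = 0.0):
        role = self.roles.get(staff)
        if role not in PERMISSIONS[action]["request"]:
            self.log.record(staff, role, action, subscriber, "denied: role may not request")
            raise PermissionError(f"{staff} ({role}) may not request {action}")
        self._seq += 1
        req = {"id": self._seq, "by": staff, "action": action,
               "subscriber": subscriber, "amount": amount}
        if amount >= DUAL_AUTH_FROM[action]:
            self.pending[req["id"]] = req
            self.log.record(staff, role, action, subscriber, "pending approval")
            return "pending", req["id"]
        self.log.record(staff, role, action, subscriber, "executed")
        return "executed", req["id"]

    def approve(self, staff: str, req_id: int) -> str:
        req = self.pending[req_id]
        role = self.roles.get(staff)
        if staff == req["by"]:            # segregation of duties: no self-approval
            self.log.record(staff, role, req["action"], req["subscriber"], "denied: self-approval")
            raise PermissionError("requester may not approve own request")
        if role not in PERMISSIONS[req["action"]]["approve"]:
            self.log.record(staff, role, req["action"], req["subscriber"], "denied: role may not approve")
            raise PermissionError(f"{staff} ({role}) may not approve {req['action']}")
        del self.pending[req_id]
        self.log.record(staff, role, req["action"], req["subscriber"], "executed after approval")
        return "executed"

    def exception_report(self) -> list:
        """Everything that was refused, for the supervisor's daily review."""
        return [e for e in self.log.entries if e["outcome"].startswith("denied")]


if __name__ == "__main__":
    m = AdminModule({"alice": "support", "bob": "supervisor", "carol": "finance"})
    print(m.request("alice", "transaction_reversal", "sub-001", 50.0))
    status, rid = m.request("alice", "transaction_reversal", "sub-001", 250.0)
    try:
        m.approve("alice", rid)
    except PermissionError as exc:
        print("refused:", exc)
    print(m.approve("bob", rid))
    print(len(m.exception_report()), "exceptions; log intact:", m.log.verify())
```

Note that the denied attempts are logged before the exception is raised, so the exception report records who tried what, not only what succeeded; that is the difference between a log that supports an investigation and one that does not.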