Smartcard News Blog

It is the Age of Combining Business and Pleasure

2011-06-30T22:18:00.001+01:00

We are in a new world, just this week I was standing behind a guy who was using his new iPad 2 as you or I might use a camera. Photos of his girl friend with Trafalgar Square in the background, I don't know why it just seemed so strange and of course although it was a cloudy day you could barely see the screen, well from where I was anyway.

What has this got to do with smart cards, identity and security I expect you're wondering? Well it's because things like smart phones and tablet computers have become a part of our life. A few weeks ago we were doing the tourist bit in Paris, at the Moulin Rouge the doorman was busy searching for cameras, why waste your time, just about everybody there had a smart phone and have you ever seen a smart phone without a camera?

The thing is that these smart phones and tablets have confused the boundary between business and domestic life. Everybody wants to use their phone (or tablet) as a tool to do both. Please can I have my corporate email on my iPad so that I can check my email while playing Tap Zoo? You haven't got it yet? Oh boy it's addictive, the email that is!

Now to the more serious side, so here we have it, industry leaders combining business and pleasure on their mobile phones and tablets. Should they (we) be worried? You bet they should because malware can exist just as well in this portable world as the old fashioned PC or even desk top if you still have one. I keep on asking the question, if these mobile devices are so insecure why don't we hear a lot more about malware?

The truth is that it is just starting to happen, Google over the last few months has had to withdraw about 50 infected Android applications but not before they had been downloaded 10s of thousands of times. There is a fundamental law here, if you allow an open system it will get malware. The IT departments of course know this and they are hanging on to executive control of the phone for dear life, the user meanwhile wants to do his thing whatever that might be.

So where is all this going to end up? It is clear that unless you have spent the last couple of years on some desert island that the user is going to win this game. Do you remember on inauguration that Barack Obama was told to give up his Blackberry by the security service specialists? He kept his phone so it can be done it's all about behaviour. They all say it, don't keep sensitive data on your phone, don't do things with it that might expose your work (or your private life come to that). Actually all these things are actually quite easy to achieve and you can do wonders with a cryptographic MicroSD card, secure email, secure data storage, the list is endless. Ah yes I was forgetting that the iPhone doesn't have a MicroSD card but there are other ways.

The thing is that the most vulnerable part of most information systems are the users, it's no good having 12 digit passwords if people have to write them down. You have to create a security culture, people have to want to get it right and apply just the basic techniques well. If sensitive data is encrypted for storage and communications with a sensibly chosen password then really you don't have to worry.

Then you just have to ask why is it so many people lose their laptop or memory stick with some unbelievable data base stored in plain text, medical records, HR records, Prison records, you name it because its all happened in the last couple of years.

So part 2 of the plan has to challenge where the aggregated data is stored, surely not on the iPad, roll on Cloud Computing. I know it's a buzz word but you know what I mean! And then dear readers we get around to it, how do you adequately authenticate a user with an iPad? A MicroSD card will do nicely thank you, oh but we haven't got a slot!

Should Human Beings be Chipped to Avoid Identity Crisis? What's Your Say

2011-05-31T21:10:00.001+01:00

What is identity? Everybody seems to be talking about it as if it was some process where we can just verify some artefacts and bingo we know who you are.

I think the definition is rather easy. It is the measurable properties of an object that are adequately unique to distinguish a given object from the total population of objects.

So if I were to put 5 £20 notes on the table you could tell the difference between them and easily recognise a particular note if I presented it again in a different set of £20 notes. We would of course do this just from the number printed on the note which we know to be unique.

Taking the matter further if I printed a number on everybody's forehead with non removable ink at birth then I could always identify the person. At the same time of course in my database, I would probably record some more information about the person such as their name, parents, date of birth, etc. In fact, not too different from what we do in a birth certificate.

You can see where we're going, in today’s world you turn up at the bank or whatever clutching your birth certificate and you say that's me, as described on this bit of paper. The trouble is there is absolutely nothing to connect you with the bit of paper. The bank representative cannot possibly tell if it's you on that bit of paper or not. Even then you don't even really know if the document is authentic, if somebody gave you a birth certificate document how would you know it's genuine?

Well, we're not going to stop there, please bring two utility bills with you, does this really offer any value? With today's technology, I would have said it's the easiest thing in the world to produce a couple of fake utility bills.

Then of course you can get somebody to vouch for you, as for a passport application some trusted professional who has known you for at least 2 years will sign your application form. Excuse me, what value does that have? A reference point of 2 years is meaningless on any normal scale assuming a life span of 80 years, just a couple of percent!

Several people have suggested that you should take somebody's DNA at birth and use that as the reference point. It sounds a little impractical right now, but in the future who knows? At least you are starting to measure the properties of the subject you are trying to identify or more usually verify.

Biometrics must have a place here somewhere. This at least measures some properties of the subject, but to make any sense it has to start from birth. Can anybody think of any biometric you can apply to a baby that will follow their complete life cycle reliably? The truth is we can't really do it successfully for much shorter parts of our human life cycle at least not in a way that can cover the complete population.

Dog owners will see where this is going, we have no problem in chipping our dog at birth and it stays with them for their complete life cycle. Could we apply this to humans? I don't see a problem there but how about those people who want to change their identity, you can imagine re-chipping stations popping up all over the place. However, the fraudsters would still need to get hold of an authentic chip and what that should mean is that they would have to rely on removing chips from those no longer with a need (trying not to be too gruesome here).

Probably, we just need to close the loop. When you get chipped at birth your DNA is also taken and entered on the chip suitably protected with cryptography of course.

So there you have it, a working identity system reliable for the life of the subject that can be used anywhere from setting up bank accounts to claiming social services.

Do we really think that is going to happen any time real soon? No, but you could apply it to a subset of the population that need it the most, so to speak!

Patsy & David

Age of Tablets

2011-04-30T08:45:00.004+01:00

The media this month is full of stories on smart phones and tablets all seemingly competing with Apple. Just at the end of the month however we have heard the problems that Sony has had with ntruders on their network revealing the personal details of 77 million users as described in our lead article. And not to be overlooked Nokia is now facing those difficult decisions necessary for re-engineering the organisation, today they have announced 7000 people will be leaving the company.

The tablet revolution is interesting. I always felt that a small light touch screen device was the ideal portable computer. The other half of the household is even more gadget mad and has been experimenting for the last 10 years or more, the NEC Versa comes to mind as one of the early candidates for Microsoft's tablet software. We have gone through many incarnations including a more recent HP touch device with Windows 7 but none of them really captured the imagination. Then came the iPad, I can honestly express a totally unbiased view, perhaps even a little cynicism but hey this device is great. It is what you always wanted as a really useful PDA (I'll bet you've forgotten – Personal Digital Assistant, do you remember the Palm Pilot?). Anyway it seems like I'm to get the iPad one when he upgrades to the iPad 2. Apparently you have to have a camera – why?

Not only does it do email, calendar and web browsing but you can even read books under the Amazon Kindle banner. There really isn't a problem carrying 20 books around with you and unlike the Kindle they can be in colour. OK hands up I admit that in the full midday sun that screen is a bit hard to read but in the shade with a gin and tonic its shear bliss, just waiting for my own machine, sharing is a pain!

Now watching the others trying to catch up is interesting, Google's Android OS is of course gaining momentum but there is no obvious challenger to give Apple a problem just yet. With the iPad 2 people complain, the camera is not good enough, there is no Flash and much more, but let's not kid ourselves this device works with a vengeance. Everything is more than fit for purpose and I've long since been educated this is the way to think in business.

The Flash argument seems to cause the most excitement but it's really not a problem, if you want to watch Flash videos there are browsers like Skyfire and iSwifter that can handle that plus applications from many content providers that handle their content directly such as the BBC for example. What I hadn't fully appreciated was the problems that you can have with Flash animation on a touch screen where you have to decide what to do between hovering and touching, apparently this is going to be a problem with all touch screens when trying to work with Flash animation.

Back at the ranch we have been having lots of security discussions about these new smart phones and tablets, they are of course going to have problems, I think we all agree that but actually we think the biggest understated problem is lost (and stolen) phones and laptops/tablets. Both Apple and RIM have their enterprise solutions for security and without arguing the finer points we really wonder why Nokia has missed this angle. Clearly they miscalculated the explosion of smart phones and should have reacted much quicker but where is the enterprise offering, presumably it's going to be Windows? I suspect a lot more people are going to jump ship than the 7000, and somehow or other Nokia's strategy just seems like too little too late.

Mobile Phones To Do Anything!

2011-03-30T10:57:00.011+01:00

David Birch is starting a war on cash and this was the theme behind this year's Digital Money Forum held in London on March 2nd/3rd and arranged by Consult Hyperion. A report of the event is given elsewhere in the Newsletter.

At times it was hard to hear a good word about cash, vitriolic reverberations would tell you that cash is bad and is the invention of governments to control the economy and to surreptitiously devalue the assets of its citizens as and when required. It must be a crusade because it wasn't obvious exactly how mobile payments are going to solve this and yet it seemed with few exceptions to be the general view of the room that mobile payments will be the saviour of mankind.

I must confess that the Digital Money Forum has brought about its fair share of excitement over the years but this year it was quieter, the odd spat but actually none of the battles that perhaps the organisers might have hoped for. There was to me a strange acceptance that cash is going to be replaced, not totally you understand, and that the mobile phone is everything. Look no further the future is clear.

I want to argue that both assumptions may be wrong, and there is no evidence that I can think of that would prove that physical cash will continue to exist. Do we really believe that cash as it currently exists will still be around in 50 years time? The protagonists here assume that the products from Visa and MasterCard will move into the cash space and will mop most of it up leaving just the very bottom end behind which is totally uneconomic to process. This of course assumes that nobody puts forward a real cash alternative.

The second argument is to think about how the mobile phone might develop over the next 50 years, will it be a fundamental part of our life? Of course it will be an integral part of our day, just as much as the computer is today but with an even wider capture of the population. The thing is that you need to just stop and think what's going on here. The mobile phone or at least the smart incarnations now dominating the mobile phone sales are capable of providing a voice channel as and when required and here's the new bit (well relatively new) it can also store, process and communicate data.

Now here is my argument, the mobile phone could do anything, take my electronic toothbrush, it's pretty sophisticated, it has Bluetooth, with data and processing ability to ensure I get the right amount of brushing but I wouldn't actually want my mobile phone to act as my tooth brush. When necessary I'm quite happy to carry a separate object in my bag. The main argument of the mobile futurists is that we the citizens only want to carry one object, the mobile phone, because it can do everything. In addition they can show through market research that we never forget our phone whilst other objects like our wallet might well get left behind.

Of course, I deliberately picked an obscure situation with the toothbrush but I think the assumption that you must have your wallet and by inference all your payment items in the mobile phone is equally flawed. At the very least surely we want to distribute risk?

Security is one of those subjects that many find easy to ignore, as long as it hasn’t happened to me then it will be alright. I remember once a good friend explained to me that selling security was like trying to sell a bad smell, you certainly don’t get long queues. In the news today there are stories of Google removing malicious applets from the Android market and the Zeus Trojan infiltrating the Blackberry phone and effectively taking control, there have been earlier reports of it attacking both Symbian and Windows Mobile phones as well.

My next proposition is that Mobile phones will become the prime target for malware (actually they probably already are the target) and it will not be easy to stop. Any device that allows the user to download executable code is going to have a problem that is not going away any time real soon. You might imagine that it would be possible to security audit software before allowing the modules to be downloaded, that’s a problem that people have been looking at on PCs for at least the last 20 years with no silver bullet in sight. Of course you could restrict the software to do very little but then nobody would want it.

But it’s a fun world ahead of us,
David (on behalf of Patsy)

Mobile World Congress - Joint Stand On NFC

2011-02-28T09:08:00.005Z

Well the weather in Barcelona for the annual Mobile World Congress (MWC) may have been a little disappointing but the mobile phone weather barometer inside was anything but, and yes I do have an app on my phone that does this. Our lead story this month surrounds the happenings at Nokia and the announcement of their tie up with Microsoft. A problem for Nokia perhaps but an incredibly positive picture from the industry as a whole.

Smart phones and mobile apps were the order of the day along with tablet objects to compete with Apple's iPad. Apple was nowhere in sight but I guess they argue they don't need a stand and whoever has heard of Barcelona in sunny Cupertino California, site of the Apple headquarters. However they still won the best mobile device award for the Apple iPhone 4. I'll bet you're desperate to ask so I'll let you in, the best mobile app award overall on all platforms went to Angry Birds (and yes I've got that on my phone as well).

There were queues everywhere, my activity barometer is based on the length of the queues for the toilets and oh they were long. So although the organizers provide the facts and figures on their web site I can tell you it was a busy year.

The last few trips to Cartes in Paris have been disappointing, I think the atmosphere has been dull. People are not really interested in smart cards as such it's much more the application business and people struggle to fill in the bits. I almost hesitate to say it but I think people may have forgotten what the smart cards are for, perhaps I'll ask that question in Paris later this year.

But the MWC conference was really quite different, the stands were m
anned by people who were anything but bored, it's an exciting world and the smart phone opens up avenues for all parts of the industry.

There were lots of things going on but I know you would want me to keep you informed on NFC. Well I think we have passed some tipping point, NFC in the phone was pretty well a given. Everybody agrees that lots of smart phones will have NFC over the next few years but that mass applications have still got some way to go. The huge signs all over the place for the Samsung Galaxy S II just kept reminding you that NFC was now in the forefront. But here was the interesting point, even though perhaps 50 million or more NFC phones will appear on the market this year (yes I believe it, the chips are being made) nobody for one minute tried to suggest that we will all be paying with our phone at the end of the year.

In fact I actually obtained an unbelievable consensus from those most closely involved in the industry. Location and social network services, that's where it is all going to happen. The location bit is referring to the idea of having RFID tags dotted around all over the place so that you can tap your phone on them to get more information on a particular historical site, some advertised event or just plain goods for sale on some advertising hoarding.

The social networking angle is even more interesting, the location bit is old hat really and I'm sure it will happen but bumping into somebody or I guess more politely bumping our phones together to exchange contact information (or anything else I guess) now that sounds interesting. Do you remember the early days of mobile phones, there was the advert of the boy meets girl, she was in one train he in the other and their eyes met. Well you can guess what happens, they both get out their phones and point them at each other to line up their infra-red link. Of course the train moved at the wrong moment so the link was lost before the vital information was passed from phone to phone. Actually I'm not sure if NFC would solve this problem but I'm sure there are many more.

Anyway the consensus from the conference was this year will produce between 50 and 100 million NFC phones. It is also pointed out that the only standard agreed is for the Single Wire Protocol (SWP) which is the connection from the NFC chip to the SIM which then acts as the secure element. But it was also agreed that we are still years away from having any general agreements between network operators and the sharing of the SIM with application providers such as financial institutions.

So all this was really quite consistent, the move to NFC is now really under way but it will be several years yet before we see any mass applications. Samsung is hedging its bets as to whether you need a separate secure element in the phone (to the SIM card). The Nexus S has the NXP PN65K NFC chip which includes the SmartMx as a secure element while the latest Galaxy S II has the PN544 SWP chip without the secure element.

If I were a betting girl my money would be on the separate secure element not the SIM card, this will give more power to the phone manufacturers, but this will also take time because it is currently devoid of standards.

Patsy (from a very wet Barcelona)

Update A Person’s Biometric Every Hour!

2011-01-31T05:51:00.007Z

Well it’s nearly time for the GSM conference in Barcelona now renamed as the Mobile World Congress. For those of you thinking to attend it’s from the 14th to the 17th of February.

I would have to say it has been a particularly interesting month with conversations wandering into the realm of science fiction. It all started with the mobile phone now an essential part of everyday life but which might have been looked on by many as ‘sci-fi’ back in the 70’s or even 80’s. In fact I even know a few people who didn’t expect it to take off even in the 90’s. So we started off imagining what phones would look like in 50 years time, same sort of thing really but with a more modern fashion statement, perhaps some snazzy wrist band and of course speech recognition and all that, there was no need to press buttons or even play around with touch screens.

Now here comes the first run up against biometrics, do we believe that in 50 years time that our electronic gizmos are going to have near perfect speech recognition? I think we do and in my snapshot of family, friends and colleagues this was not seriously in doubt. I would just mention that people have been actively working on this for the last 30 years and in various ways for at least the 20 years before that. So in the last 50 years we haven’t got there, so what’s going to make it happen in the next 50 years?

It is the advances in technology, we are moving much faster than we have ever moved before and at the end of the day there is no fundamental breach in the law of physics. Starting at home we often have this conversation, if it can happen it will happen and if people realise they need it then it just comes a bit faster. So from the novice side of the counter, will speech recognition be perfect (i.e. without errors) in 50 years time. Well again I think we all agree that it won’t be perfect but near it and maybe just 1% error or less. But as my friendly bank manager used to remind me, if you take instructions from 100,000 people in a day that means on average 1000 people are going to have a problem! This was when we wanted to use finger prints for authentication at an ATM.

Now the thing is that this may not matter, in practice the English language has enormous redundancy. There are many examples but here is one,

Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, olny taht the frist and lsat ltteres are at the rghit pcleas. The rset can be a toatl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed ervey lteter by ilstef, but the wrod as a wlohe.

And so to our speech recognition, if we can start handling this form of redundancy in spoken context then why not 100% for comprehension and that’s all that really matters.

So then we move to identity, a fundamental necessity for payments.

In 50 years time we are not going to have smart cards and the like. It’s all going to be in the phone and then we just need identity on the assumption that our money is in some form of a bank account. Now do we believe that will be true in 50 years time? Anyway assuming in the sci-fi world we need to prove our identity in order to get our ration of kwala powder, how do we do it?

Back to biometrics, not speech recognition this time but voice or speaker recognition. This is a totally different problem to the speech recognition that we referred to earlier. I remember once at a seminar hearing the words of wisdom from one of the leading luminaries. I won’t name him because he might be embarrassed but anyway he said that biometrics can only ever be a compromise because the human body is dynamic, it is constantly changing and therefore our biometrics are also changing. Unless you can update a person’s biometric every hour or so then you are likely to have additional errors to the intrinsic measurement error that you will get whether you like it or not.

In the world of sci-fi you can put your hand or finger on the plate and bingo in you go. I guess it’s going to happen in 50 years time, I’m just not sure how?

See you in Barcelona,

Patsy.

Has NFC Got A Little Closer This X-mas?

2010-12-20T12:34:00.004Z

It hardly seems possible but the end of the year is upon us once again. Those of you in the UK will know what I mean when I say we are all looking forward to a White Xmas….

This month NFC is hot on the table again with the latest news of the Samsung Android phone with NFC built in. I’ve looked back through my notes and discovered we’ve been saying this for the last 8 or 9 years, the NFC bit, not the Android which has appeared very suddenly and is already zooming up the charts in the smart phone world. Who would want to be in the shoes of Nokia with both NFC and Android to worry about? If one were to have a Xmas punt it would probably be the thought of Nokia giving up on Symbian now exclusively theirs with all the other smart phone manufacturers (except Apple and Blackberry of course) moving over to Google’s Android smart phone offering.

So has NFC got a little closer, will it go zooming up the charts like Android? Well there can be no doubt that there has been a lot going on in the background and all the major players including Apple and RIM (Blackberry) making sweet noises about their support for NFC. However I am reminded of those heady days in the late 80’s when we were all convinced that the world was going to be flooded with smart cards. Our own publication started in 1992 because we knew that smart cards were going to be the new technology revolution for every application you could possibly imagine and of course all financial payment cards were going to have a chip in them.
I would be the first to admit that I didn't see it coming, those early mobile phones, did somebody say they were portable? How big a battery pack can you carry on your back? In fact originally they were promoted for in car use where you have a mighty big battery to call on. How wrong can you get, who would have imagined in 1990 that by the end of the decade children would be taking a mobile phone with them to school.

Suddenly smart cards took off largely in the form of mobile phone SIM cards and about a decade later the banks followed along with the now well known chip and PIN, the rest of course is history.

So here’s the thing what’s going to make NFC take off? For those enthusiasts who would want to assure me that very soon every phone will have NFC I would remind them that every phone had Bluetooth long before anybody really started using it and even now it’s very much a minimal application probably because of the drain on the battery. Just for the record I actually don’t think we are going to see NFC in every phone for some time to come but let’s go the other way and try to see where the tipping point might be.

For years everybody said it was payments, NFC was going to be the way to do contactless payments on your mobile phone but if you think about it in most retail environments it doesn’t really make a difference. If the value of the payment is high enough to need a PIN, £10 or £20 wherever the risk limits are set then you are most likely to use the contact interface anyway. For low value payments without a PIN such as mass transit well then yes, contactless is the way to go but will you use your phone? We’ve talked about it before but there is also the issue of user convenience. Is it easier to get out your phone, select the payment application (I need convincing on the viability of defaults) and wave your phone or is it easier to just get the contactless card out of your pocket? Do we really want to have everything on our phone or might we just like a little bit of variety, a sort of back up you might imagine. I admit this quietly but I also have a few problems with the phone being charged, just at the wrong moment the battery seems to go flat. Am I unique in this?

Well for me the case for NFC in unproven, not the technology you understand, I wouldn’t dare argue about that but what is the killer application? Many argue that it won’t just be one application but instead the richness of a number of applications. You can call me old fashioned if you like although I Twitter with the best of them, but for me there has to be ‘The Application’ and as of Xmas 2010 I can’t see what it is.

Happy Xmas to all our readers and best wishes for a happy and prosperous New Year.

Patsy.

CARTES Calling...

2010-11-18T08:12:00.002Z

Cartes 2010 is now upon us and you can’t help thinking about the years gone by. Several people have told me that this year they are not sure if they are going. It’s a mature market and most companies are trying to keep the expenses down, if you’re coming from the USA then it’s not an insignificant cost.

In the early days of Cartes it was exciting because there would always be something new and often inspirational but in more recent years you knew before you got there what you were going to see. Now is this because we are so much better informed through the internet or is it that there really isn’t anything that new. This is going to be my mission for 2010 to find something new and exciting, it’s a bit like the projects they give on ‘The Apprentice’ a UK BBC program designed to find a new recruit for Lord Alan Sugar’s business empire. The potentials on the TV usually screw up and it’s fun to watch so I’ll try and do a little better, at least I’ll listen to what people have to say.

But of course that’s not the main reason for going, it’s really all about meeting friends new and old to chat about what’s happening in the industry. I guess from our stable we’re still quite intrigued by NFC, will it end up in every phone, will Apple adopt NFC? We hear so much talk about stickers (i.e. contactless labels) that you attach to the back of your phone to do payments. Everybody seems to see it as an intermediate step on the way to full NFC, call me dumb but I can’t see it, I’d just as soon have a contactless card in my purse. Anyway we shall be there as always to wrestle with these issues in the bar, please feel free to join us.

Oh and I forgot to mention it but at the moment there are no strikes with the RER in Paris forecast for the duration of the show, that will be a change, a normal Metro service to the exhibition.

Our lead article this month is all about the competition in smart mobile phones between the main operating systems including the latest rumours about Apple and Gemalto working on a super SIM. This is to allow users to make their choice of network operator when they buy their phone (or iPad). The suggestion is that the SIM might not be removable it could even be a virtual SIM buried in the memory of the iPhone although the security experts have told me that is unlikely because somewhere you need to securely manage the cryptographic keys that authenticate your phone for billing purposes.

So here’s the thought, how much do you value the removable SIM that can be changed from phone to phone? Of course in the early days everything was stored in the SIM card including your SMS messages and contact lists. Today most of it goes into the phone memory so the SIM plays a small role in the applications. I know we have SIM Toolkit but does anybody use it?

The next problem of course is that the phone is usually locked to the network operator that has subsidised the purchase of the phone so although you can change phones, changing operator is more bother.

Technically I’m assured that you could have a chip built into the phone and it could be configured over the air waves. Now what would that do for the business profile of the likes of Gemalto and Oberthur Card Systems? I wouldn’t dismiss it Apple seem to be hovering in an area that could lead to just that….

See you at Cartes.

USBs, SIM Cards and Memory Cards: Different Standards, Different Formats

2010-10-28T12:40:00.009+01:00

Is it just me that gets confused? What I can’t understand is standards, well what I mean is why do I need so many? Just take charging up your mobile phone they all look so different. Don’t worry I’ve been told there is a new standard based on micro USB or is it mini USB? I do pride myself on having reasonably modern phones and I can assure you the charging pods are all different. The reason for the annoyance, you know there is going to be one and that being that I took the wrong charger for my phone on holiday. They all look the same and the difference between mini and micro USB is for the electronics buffs amongst you. Why can’t I have colour coded plugs, blue for mini and red for micro, well that’s what my mother used to say about dresses anyway? Something about red for danger apparently.

Now it doesn’t stop there because the joy carries on with memory cards, just about every device I have seems to have a different format for the memory card. It’s hard to believe there are so many, I really don’t know what they all are but my card reader boasts of being a 19 in 1 card reader, I’m not going to bother you with the names because I don’t think I could tell one from the other. All I know is that when I take the memory card out of the camera I go round each slot in the reader until I find one that it fits. It sounds horrendous but does anybody do anything different?

Closer to home I have been totally bemused by mini and micro SIM cards. The other half impatient to the end clutching an iPhone 4 in one hand and an iPad in the other has entered the world of micro SIMs. Now we could all get bored about how many people ever used a full sized credit card for a phone SIM, I thought I was old enough but I certainly don’t remember them. In fact a SIM card was a SIM card, who ever called them a mini SIM? But anyway we now have the micro SIM. And of course you can’t change it from phone to phone or iPad to phone and all the other combinations you can think of unless they are all the latest models from Apple.

This may not be a problem you might think? Well the holiday was a technological extravaganza because the back fell off his iPhone 4. It looks like it never had the two bottom case screws inserted but according to O2 it’s now a write off as uneconomical to repair. Can you believe that, 2 miniature screws or micro screws or what have you and they’re more expensive to put in than the £430 O2 have demanded for a replacement phone? Apparently we’re off to Maplins this weekend to buy some of these screws for a DIY repair. I hope there aren’t too many standards involved here. I’d hate to think that two screws that look the same are totally different.

Anyway the fun didn’t stop there, the Channel Islands (Jersey in our case) are interesting and recommended to all for a few days at least (I never realised the average rainfall is 16 days per month, it makes the UK seem positively dry) but the Island is devoid of Wi-Fi (except in St Helier but that’s a permanent traffic jam) you really are dependent on your mobile broadband. There was a good 3G signal all round the Island but that doesn’t help you when you can’t carry your phone around and apparently it’s difficult to stick it together with sticky tape when you’ve only got a touch screen. So here we are, buy a disposable phone and pop the SIM card in it. I can still remember the look on the guys face in the mobile phone shop (only in St Helier of course) when he looked at the micro SIM, you would have thought it could only have come from Dr Who’s Tardis. So you can’t easily buy mobile phones that use a micro SIM and surprise number 2 was that if you have a UK pay as you go SIM you can’t have cellular data in the Channel Islands. Apparently the islands are foreign territory although Wikipedia thinks they are a Crown protectorate. Apparently the only way you can have cellular data in foreign lands and the Channel Islands is to have a contract SIM – just make sure it’s not a micro SIM unless you have a spare phone with a micro SIM socket. Perhaps we could have adaptors, a 19 in 1 do everything – just joking.

Don’t forget, Paris strikes permitting that Cartes 2010 is just around the corner for 7th to 9th of December.

Patsy.

Is Virtual World The Latest Crime Centre?

2010-09-30T10:04:00.001+01:00

This month there was a magnificent article in the Guardian by Josh Klein entitled ‘Coins of the online realm’ http://www.guardian.co.uk/commentisfree/2010/sep/21/internet-computing it was particularly interesting to me because it raised two important issues,

The virtual economy (for swords, laser guns, and even virtual flowers)
Identity, Authentication and Reputation in the virtual world

I have long puzzled over internet games and their virtual armaments and even more at the thoughts of buying virtual guns with real money but this is a serious economy worth some $5bn today (this is just an estimate because nobody really knows the exact size but what everybody does agree is that it is already billions, $1bn in South Korea alone) and still accelerating.

Now I’m not going to get hung up on the exact size of this virtual economy but if we accept it’s in the $billions what does that suggest to you? Yes, it’s crime, where there is money the criminal will not be far away. What’s the old saying, if you’re looking for the crooks then follow the money.

Now I’ve always been bemused by how many €500 euro notes you can stuff into a cornflakes packet, apparently some €300,000 or at least that was what they found when they captured Eftychia Symeonidoy who stood outside a London apartment, casually holding the box under her arm. Part of a 13 strong money laundering gang offering a service to the UK criminal underworld they were caught by the HMRC and were duly prosecuted and jailed. The article http://news.bbc.co.uk/1/hi/8678979.stm goes on to describe the problems of moving money when in its £20 note form compared with the €500 note form. Just for those that can’t wait, £1million in 20 pound notes would weigh some 50 Kg while the same amount in €500 notes would only weigh about 2Kg. Apparently these guys were handling between £1million and £4 million per month.

But now the world has changed, who needs to stuff cornflake boxes when you have got virtual cash? Why not move money around in the form of Linden dollars (from ‘Second Life’) or perhaps in the form of virtual spaceships, there can be no bounds to the imagination. I would just offer a little note of caution to those thinking about a career change, don’t forget you have to get the money in and out of the virtual system which in general is regulated (read monitored). Of course you could continue your life totally within the virtual world of ‘Second Life’ or similar, perhaps the crims will no longer feel the need to move to the South of Spain, they could set it all up in their back bedroom with sun lamps.

Anyway on to the other issue of who you are in this virtual world, what is your persona? Now the interesting thing here is that on the internet in general people like to be anonymous. Visit the crime centre of the virtual world (its called eBay) and you will struggle to identify any of the players, sellers and bidders alike. The way that all these virtual environments work is on authenticated pseudonyms, you are dealing with some constructed user name or email address. When you trade you do so based on the reputation of the handle being used by the participants. Does this matter, well yes it does because your legal redress is more difficult and in the case of eBay we know that PayPal (now owned by eBay) spends most of its time (I’ve heard as much as 80%) resolving disputes. I can’t see that people are going to start using identities on the internet so what is currently missing is an accepted way of handling reputations that can be locked to an internet persona. We have so far to go, did you know you can’t leave negative feedback on eBay and of course the practiced fraudsters artificially set up a reputation before they have their fleecing spree.

I must admit I do shop on ebay but nervously and never for high value goods.

Patsy

Is Your Password Easily Accessible?

2010-08-30T10:18:00.005+01:00

Is it just me or do other people have problems with passwords? One of the side effects of the internet is that we now need a vast array of passwords to access the different sites from Amazon to PayPal and everything in between.

Now here’s the thing can you have one password for accessing all these different sites? Of course not, can’t you hear the security experts screaming in your ear but actually you really don’t want that many. I have a simple strategy that I don’t mind sharing with you, there is the very secure password for the bank and PayPal and then there is the floppy password for all those sites that really don’t matter. If you can break into my wine account (no credit card stored) and change my preferences then frankly I really don’t care.

However you know what I’m about to say, real life is not like this. All these different web sites have different password strategies, no less than 8 characters, must have a number, must have a non alpha/number character, must be numeric only, it goes on and on. Well just last week I met the ultimate condition, no consecutive numbers, even just 2, up or down. Now I think my brain is starting to hurt, what nutcase decided that? In any random sequence of numbers there are bound to be consecutive numbers in one direction or the other, for my mathematical friends what are the odds in a sequence of 8 digits that at least 2 digits are consecutive? So of course you end up having to write them down, somewhere that you can lay your hands on in a hurry.

In the old days we all used to carry around those little booklet things called diaries, but now relegated to the museum we have electronic diaries in the form of mobile phones. Do you remember the Palm Pilot? Oh I felt so up to date when I first got one of those but now it’s the iPhone (just wanted to drop that in, it’s only the iPhone 3, you can guess who’s upgraded to iPhone 4).

I wouldn’t want my phone to be stolen, it stores far too much personal data. Probably all the data should be encrypted which is of course only as good as the password. But very few people seem to have their phones in encrypted mode?

Anyway all this came to mind this week when reading about the iTunes and PayPal hack with lots of people complaining about having their PayPal accounts emptied. There is not absolute clarity on exactly what has happened but the stories seem to be consistent that the hack has happened through iTunes and that somehow the fraudsters have managed to get hold of a number of iTunes account details/passwords and have then gone around doing loads of downloads funded through iTunes against PayPal. Both PayPal and iTunes have denied their systems are broken, PayPal has specifically stated that they are unaware of any account breaches on their system. iTunes have been a little more cautious suggesting that if your password has been stolen you should change it right away. Others have suggested that maybe the iTunes users were subject to some Phishing scam that resulted in the loss of their account details including the password.

Now what ever happened to 2-Factor Authentication? Just a few years ago it was on everybody’s lips it was only a matter of time before we would all be carrying a smart card or token that acted to give us secure authentication into whatever sites we were registered. It’s all gone quiet and yet the problems with passwords have never been more rampant. Just think about it, one smart card or token, one password for access to the smart card and hey presto you can log in securely to any web site. But more to the point the hacker without access to your smart card and password is permanently locked out, no more Phishing!

Am I missing something here?

Patsy

Is making Payments on the Internet Safe and Secure?

2010-08-03T11:26:00.006+01:00

I couldn't help but chuckle reading in the paper today about the unemployed lorry driver who sold the Ritz hotel in London for £250 million when it's worth two or three times that price. He was so successful that he even managed to get £1 million popped into his bank account before the fraud was discovered.

Remember the old saying that if it sounds too good to be true it probably isn't so good! You can't help wonder about the people who are duped by such offers, are they not perhaps just as dishonest as the fraudster in thinking they can make a quick buck to somebody's disadvantage.

So how does this work in the antiques trade? If I pop into a shop with an old plate from mother's collection and get offered £300 to hear later that it was worth £100,000 who is wrong? Is an antique dealer obliged to pay the potential market value for which of course he is on risk? He might have made a mistake or an expert further down the road might throw it out as a copy. How would you mark his reputation? Arguably you could say he is paying you what it is worth to him at that moment in time, is he obliged to tell you it might be worth £100K?

And what happens if you are an expert and see some artefact in a shop marked up for $50 that you know is worth $50,000, should you tell the shop keeper about his error? Perhaps I'll cause an uproar here but it seems to me that many antique collectors are out to discover just such an opportunity.

So down to basics, what happens if you get given a £1 coin that you subsequently discover is a counterfeit? We have been hearing this month that 1 in 36 £1 coins in circulation are counterfeit. Now I'm sure you all know that as soon as a coin accepted in good faith is found to be counterfeit, it is immediately rendered worthless. Attempting to pass it on is an offence.

I'm sure we all hand our counterfeit coins in to the bank so that they are taken out of circulation. I still remember as a youngster getting foreign coins in change and not being too excited about it when discovered. Not me of course but some of my friends developed an art for passing them on undetected to the next person.

Now I'm not setting out to cause any unnecessary guilt complexes but only want to raise some fundamental issues of today’s society and it's all about reputation and trust which are closely related. So in our previous scenarios do we trust antique dealers and what is their average reputation? Of course they are going to differ but how can I tell the reputation of a particular individual?

Now imagine the same antique dealer going to his bank for a loan, can the bank trust him (or her)? The basis of trust and reputation are really quite different, you could be very good at spotting a bargain making large profits but particularly bad at repaying loans. So the bank is only interested in your reputation in that one area and that's not straightforward because your reputation can change overnight, an unforeseen event perhaps (maybe somebody has defrauded you) and you can no longer pay your bills.

You may be wondering where all this is leading, well dear subscribers lets enter the wild, wild, West or to put it another way the internet. Here the system of reputation and trust is even more on trial. Last week a friend was telling me about her experiences on an on-line dating site, she met up with a great guy and they seemed to have so much in common and then out of the blue came the call for money. The details don't matter but this is really common and many innocent people are robbed of all their savings.

We all do it, yes, eBay can be great fun and you can get some bargains but this really is the haven for every fraudulent idea ever invented by man and there are new ones occurring every day. So how do you pay for your purchases? PayPal of course, in most cases at least but this doesn't stop you from getting involved in fraud whether the seller or the purchaser. The goods were never sent or never arrived give me my money back depending on which party is the fraudster. Disputes like this are legion and it's not too difficult to get your PayPal account frozen and it's often very difficult to get it released.

So the question I'd like to leave you with this month is when making payments on the internet who do you trust and what will your bank or PayPal do in the event of a dispute. Do we need a better way to pay?

Happy holidays,

Patsy.

Authenticating people: Arent' there any better way out?

2010-07-06T08:06:00.005+01:00

Do you ever have one of those weeks when everything just seems twice as hard as it should be? I don’t know about you but I dread having to call my bank for whatever reason, having gone through all the automated, please enter your account number rig morale, we eventually get to a human being and then it gets worse.

Please can you tell me what transaction you did on the 16th day of last month? It goes on and eventually you get so confused and flustered you begin to wonder if it’s actually your account let alone bank and who exactly is the customer here. I don’t know if this has ever happened to you but then sometimes you are told, not always politely, that you have failed security and they are unable to help you, good bye!

There has to be a better way, authenticating people has just become too difficult. The first problem is that each organisation has a slightly different approach to how they authenticate you, there may be passwords or PINs involved a check on recent transactions or perhaps a check on previously shared personal information. Don’t we need a standard way of authenticating people?

Then there are those PINs and passwords, sometimes they are numeric, sometimes they are alpha based, sometimes there must be a number, sometimes at least 9 digits, oh and successive digits in a sequence are not allowed. I could go on and on but what a ridiculous state to be in. We can debate whether it is advisable to have a common password but dear friends tell me who can remember 10 different passwords unless they are used everyday, so then we have to write them down, is that safe? Any way all these different systems prohibit a common password by their weird and wonderful rules of acceptability. Has anybody ever examined the reaction of users to all these different systems?

Well I can hear you thinking what is the solution then? So let’s gently wander through the garden to see what might be acceptable to both the prover and the verifier (don’t worry this is just about the extent of my technical knowledge). In everyday use we need to prove our identity in both the physical and virtual worlds. In the former case a photo identity card like a driving license is widely accepted, now I have no problem with this but how about those people who don’t have a driving license? Well why don’t they just go and get one! So I guess the thing here is that we have a common document that does involve a registration process. Now here is the test, if I went to the bank and on presentation of the photo ID I (previously registered with the bank) was allowed to empty my bank account would that be OK? Well who would be on risk here in the event of fraud? What is the probability that someone could counterfeit my photo ID and look sufficiently like me to be accepted by the bank teller? Doesn’t this just make you feel a little nervous?

It all sounds a bit like single factor authentication so we just need something else. Now I can speak with authority here, the other part of the family has spent at least 30 years trying to persuade people to carry widgets not too different to the gizmos the banks are currently providing to be used in conjunction with your debit or credit card for on-line banking. However in this case, you don’t need to carry them around at all because normally you would be doing the banking at home in the evening.

There is light at the end of the tunnel, everybody these days does carry a widget around with them, usually in the disguise of a mobile phone. So what I need the teller to do is to authenticate the phone in my purse as the one belonging to me and previously registered with the bank. They could send some code by SMS which I just replay to them, probably wouldn’t take more than 10 seconds. Still remembering minutes or what seemed like hours of previous exasperation it would be pretty good for me and would also do the business in the online world although we would also need a virtual driving license or something to get back the two factor authentication!

This may seem like a rant but is it really that difficult to authenticate people?

Patsy.

There is no ID Card or Identity Register, what Next? Driving Licence!

2010-06-03T10:00:00.009+01:00

Well we knew it was going to happen if the Tories got into power and yes in the Queens Speech this month the ID card is top of the list of things to go. Now of course, can you believe it, people are actually saying it won’t save much money but human rights and all that will be preserved. There are even plans to reduce the number of CCTV cameras around the land but I’m personally far more interested in those yellow boxes and more particularly the camera tripods operating out of the back of a van. Not for one minute would I suggest breaking speed limits but sometimes, change that too often, they are just in the wrong place. Sited to catch you unawares with little danger to others, in fact the last one I saw was literally 50 yards before the end of speed limit sign on a hill well past the occupied land. It was only 36 miles an hour but that was enough to get the summons and I’m sure my other half now appreciates better the dangers of speeding. He elected for the speed awareness course and did actually come back saying it was worth while albeit it took the best part of a day to get there and back.

But now there is no ID card or Identity Register what next? Well for some time we have preached about the humble driving licence, in the UK at least and probably still in America now that they have the counterfeits under better control, it is a pretty basic but none the less effective ID card. In fact I don’t know about you but in general this is the document that I use the most when somebody asks for proof of identity and that is not just in the UK but also Europe more generally and North America. It’s a convenient size and provides all the information the challenger requires and if you were to put a chip on it (sorry probably in it) then what else would you need? The last time I raised this at a dinner party there were screams from the non drivers around the table, am I unique in knowing so many people that like to be driven by others? Anyway sanity ruled even after a delicious bottle(s) of Chianti and eventually it was agreed that there was no difficulty in applying for a driving license whether you drive or not. I’ve notched that one up for posterity! And when it happens, not if, just remember you read it here first and just for the record my optimism is flavoured by the fact that the DVLA is in my view one of, if not the most effective service centre in the UK government! Perhaps it has something to do with living in Wales?

The other bit of interest this month was the excitement surrounding the Oyster card, which bit I can hear you saying. Well the BBC decided to do a Freedom of Information attack on Transport for London (TfL) and shock horror they discovered that TfL have £30 million stashed under the carpet every year from unclaimed or lost card value. Apparently a total of 16.5 million cards sat idle during the financial year 2009/2010 with an average amount on each card of £1.80. There’s more, last year 31,000 Oyster Pay as you Go (PAYG) were issued and topped up but never used with a total value of £246,000. What would you do without the tourists?

Now the really interesting point here is that the wheel keeps going around, when the family and I first got involved with smart cards (yes it was and still is a family affair) the electronic purse was all the rage and this was back in the late 70s and early 80s. The business case was all about the Float, that pot of gold accrued from the total prepaid and unspent value that the operator could invest to his financial advantage. This is of course true for any prepaid scheme Oyster card, iTunes card etc. But the other thing we knew all those years ago is that not all the value would be taken back, people would lose the cards, tuck them under their pillow or do all those other things we can’t mention. In fact we predicted back in those golden days that 2 – 4% might be an expected and that this escheat as it was called could be a lucrative business. However there is one little snag, unless you have an expiry date on the card you can’t really claim it because the liability always exists. Guess what? There is no expiry date on an Oyster card, who on earth left that out?

Patsy

The UK ID Cards System: Still A Misty Affair

2010-05-03T12:44:00.007+01:00

Well it’s time for another general election in the UK but not perhaps with the same enthusiasm as for a general erection which was overheard at the dinner table with some Japanese colleagues earlier this month. However at such a time ones thoughts are raised into what is happening to all those little projects so close to our heart. The UK national ID card is always top of the agenda and so quiet recently, the government still mentions the cards given to foreign migrants but for distribution to the nation as a whole, Mmm… I don’t think so.

Just scanning the various election manifestos is always fun, joking really, I don’t think I’ve got the patience but any way those that do such as the London School of Economics (LSE) academics Dr Edgar Whitley and Dr Gus Hosein are happy to tell me that only the Labour Party manifesto has a commitment to deliver ID cards. According to Mark Ballard a fellow journalist The Identity and Passport Service (IPS) is so shady about how they are building the ID cards system that nobody actually knows what’s coming or going, if anything that is.

More precisely we are sure that both the conservative party and the Liberal Democrats are on record that they will cancel the national ID card project and a lot that goes with it including the National Identity Register. The LibDems at least have also promised to scrap the next generation of biometric passports that were to include fingerprints. All the current chip passports include a photograph and those of you zooming through Gatwick will have seen the new gates that look at you compared with the picture in the chip. I would have to say that my initial experiences suggest that this works far better than the Iris scan which has been removed and also seems to be more reliable as the old Iris scan gates often seemed to be out of action.

But let’s not stop the fun here how about getting on the buses? Are we going to have anything more than a flash card? A piece of cardboard would be far cheaper here than the latest smart card gizmo. Will ITSO rule the waves and end up as the transport card of choice? Positively running out of breath here but then we have stories that maybe the next government in saving money will have to quash all these travel concessionary cards anyway. That of course would be the end of the buses in anything but the centre of the major cities, rural bus travel would rapidly come to an end because those of you that have tried will know it’s made up almost entirely of concessionary fare riders. Somebody once told me that half of them do it just to keep warm and the other half just to have somebody to chat to. On such grounds alone buses provide an essential social service.

You may remember that Michael Leach was appointed interim CEO of ITSO back in February for a couple of months. Can I really believe you would appoint a CEO for a couple of months? I must have got that wrong? Anyway rumour has it that his contract has now been extended for a couple of years so at least there is time to make a mark.

Now what would we like to see him do? I’ve no doubt if I threw this out for public opinion that the skies would be as misty as ever. However I’ll offer a view that may not go down very well but is sadly needed. ITSO is based on backward compatibility; it has been the problem from day one. Whatever you put in place for interoperable fare payments must interoperate with what already exists. If you take this as a starting point it would be OK as long as you had a future migration path into something better, this is what ITSO has never done concentrating instead on patching the system and floating around to try and optimise integration with the Oyster card scheme in London. In both camps we see a move toward the Mifare DESFire in replacement for the Mifare Classic which has been successfully hacked a few times recently. I’ve even heard there have been problems with the DESFire cards in that lots of the underground gates can’t read the cards correctly. Somebody even told me the other day that the Oyster cards don’t even have an expiry date?

So message to ITSO, stop what you are doing and create a realistic 5 year plan for the future and just to give you encouragement remember the banks managed to change from magnetic stripe cards to chip cards not perhaps without problems but as I’m sure everyone will agree to a far better technical solution. Oh and by the way the technologies are not interoperable they do quite different things!

Patsy

Cash or Cards: The Battle Continues..

2010-04-01T10:09:00.014+01:00

It’s Spring, the daffodils are out and at long last the sun is starting to shine. Mixed in with a little rain I know but then this is the English weather we are talking about. Anyway at this time of the year people start to smile and everything just seems to be that much nicer.

However that doesn’t stop gloom and despondency from wandering around the marketplace, this time it’s chip security as discussed in our lead story this month. Otherwise the chip manufacturers seem to be busy with little slack in their fab lines. What I find so fascinating is the different views you get from people on a subject when we are all faced with the same facts. On this chip security I have got everything from I don’t care (i.e. don’t believe it’s a problem) right the way through to this is a show stopper for smart cards. Curiously the Tarnovsky attack has not made the big headlines even though by just about anybody’s estimation it’s a pretty fair achievement.

Actually the Digital Money Forum (Hyperion’s annual event at the Charing Cross Hotel) caused most of the in house discussion this month. The full story is reported separately but it was the tales from James Allan that stirred the emotions. After one of those late night foolish wagers James bet his friends that he could live in London for a year without cash, just cards. Now you could be cynical and say what a good way of scrounging from your friends but I don’t think James is that sort and anyway it’s interesting to think about those things that cause you a problem. At the end of the day there is that question, can you get rid of cash?

Well it was actually meetings with friends that caused most of the problems, those little P2P payments that we never think about. How about ‘Putting a fiver in the glass’ to pay the kitty for a night out at the pub? Then there’s paying a couple of pounds for those raffle tickets. Then there is the contribution, Jane is sick so let’s buy her a card and some flowers, give me a fiver. I could go on, the truth is we never think about those little P2P payments but our whole social life is based on them. Any cash replacement system that can’t handle P2P and that really means person to person in the street, pub, office, etc, seems doomed to failure. At the other end of the scale and caught a little bit by surprise is that there are some higher value transactions where cash is still the order of the day. Putting down a deposit on a flat for instance is often met by a demand for cash on the grounds that cash is irrevocable, which is clearly not the case with credit and debit cards. So there’s another one for the pot, any cash replacement system has to be irrevocable. I feel I’ve just made the list of contenders pretty small.

Anyway the other interesting story is of course to turn the argument around and ask if you can live in London for a year without cards, just cash. Now I’m probably biased here but cash seems pretty powerful to me, I’ve never forgotten the bank manager who explained to me that he lived on cash because he always got a discount, there was nothing personal here but he then proceeded to get the biggest wadge of notes out of his pocket that I have ever seen. Perhaps this was all before the day of the mugger or bag snatcher which I have experienced firsthand. That’s when you end up with no cash or cards.

So what happens if you haven’t got a card? Well just about every form of remote payment goes out the window and more and more of the machine payments, rail tickets and parking are now moving to cards. No more waiting in the queue for somebody at the machine to find they’re a £1 coin short and it won’t accept the £10 note, in fact it’s a game of bluff to see who else in the queue blinks first and hands over a £1 coin. Perhaps this is what the bank manager meant, a neat way of getting a discount.

This is of course a particular problem of the poor also discussed at the Forum that they tend not to have cards and it’s really our new world of the internet and mobile phones where we are increasingly buying our goods and services. No more going down to the shop, testing it out, and then buying it on Amazon. Not me I hear you say.

Happy Easter!

Patsy.

Smart Phones: How Secured Are They?

2010-02-03T11:15:00.005Z

Well the Global Mobile conference in Barcelona has come and gone again. I don’t know whether it’s just me but I do still miss the event when it was held in Cannes. There was something about the location and all those intimate parties on the boats. C’est la vie but perhaps even more so is the move from technology to the joys of understanding the consumer proposition. Applications are the name of the game and I must admit that even I am getting a bit excited with all these iPhone gizmos. There is something quite fascinating standing in the supermarket waving your mobile phone over the barcode of products to see how much that item might cost down the road. For those of you interested the application is called RedLaser and costs just $1.99.

To me the theme this year was very much about smart phones and how everybody is expecting this market in particular to really pick up in 2010. And yet there wasn’t very much about the security of these smart phones but we know from the PC world that when you have multi application devices connected to the internet that security problems will follow. You may have gathered from our lead article this month that the security of payment systems for example has moved from the smart card to the terminal or in this case the mobile phone.

It was brought home to me this month when I came to upgrade my mobile phone, it’s a bit like an electronic handbag as it contains all my personal data and dare I admit it not that well protected. So what would happen if you lose your phone? I think most of us would need to worry. I couldn’t resist asking David Everett about this problem and after getting somewhat bored about Cloud Computing and keeping everything in the sky the discussion came to a short end when I reminded him about how often he seems to have a flat battery.

Anyway where does that leave most of us? Where do you store the data on your phone, is it in the SIM card, the mobile phone memory or the SD memory card plugged in the side? It turns out and I don’t think I ever really knew that it’s in the mobile phone main memory, where the phone goes is where my data goes and I can’t just take it out when I come to change phones.

So I’ve come to the conclusion that the SIM doesn’t seem to be doing very much for most people apart from the basic phone operations. And yes you’re dying to ask me, how about NFC, surely that means all the applications will be going in the SIM card. Well sorry to disappoint you but as far as I can see NFC is still stuck on the commercial issues about how you might share the SIM card which is the only bit in the phone the Network Operator controls and they don’t seem to be rushing to make it available. I saw somewhere that Nokia has cancelled its planned 6216 NFC phone. Lots of talk about how the proposition needs to be improved but I wonder if it has anything to do with the SWP (Single Wire Protocol) which I gather means that the SIM card has to be shared – surely not?

Patsy Everett

You can check the link for more information: http://www.smartcard.co.uk/articles/TerminalDeclineinCambridge.php

Is it safe to Shop Online?

2010-01-04T09:52:00.021Z

Well now that Xmas is over it’s interesting to talk to friends to see how much shopping they actually did over the internet. Hands up I did about half my shopping on the internet, gadgets for guys are best bought this way far less hassle and nowhere near so boring. I just can’t believe how excited these men get over toys (I can’t call them gadgets) that seem to have no other purpose in life than making strange noises or flashes. I got a Cajon drum from Father Xmas which I’m sure was negotiated over the internet but I’ve no idea what happened to my leather boots that I was rather hoping for? Perhaps they’re not so easy to buy on the internet.Anyway the general consensus seems to be that most people are doing a large part of their shopping on the internet, probably more than me. So the question is ‘are you worried about the security?’ do you have a moment to hear the results?

In every case they were using either a credit or debit card but often with the card information stored at the seller (e.g. Amazon) but nobody was using the security widgets discussed in the Newsletter this month. So the first question surrounded the choice of card.

Would you prefer to use a credit or debit card for your purchases on the internet? The answers were all about the free credit with a credit card or the financial planning offered by a debit card. Nobody seemed to think about the fact that your current account is effectively exposed by the use of a debit card as we discussed last month, I really must get my friends reading this blog!

Do you have any reservations about the merchant holding your card information? Again it was interesting, just about everybody was happy with Amazon. They really do have an enviable reputation probably better than any bank. Also they clearly are a (the?) major player in the internet.

I couldn’t resist it so I had to ask ‘do you use eBay and how do you pay?’ Pretty unanimous again and as for payment it was of course PayPal. So clearly people don’t mind PayPal holding their card or bank account information.

So back to the core subject ‘are you happy to pass your card details over the internet to an unknown merchant?’ Again it was interesting, just about everybody was a little concerned but they all do it.

Pursuing this further what became clear was that people (my friends at least) were confident that in the event of fraud that they would be covered by the bank who would sort everything out. Interesting to note here that a few people thought the credit card company would sort it out, they hadn’t fully appreciated that the cards are issued by some bank that is responsible for any problems with the card. An interesting brand discussion could be had here but we’ll leave that for another day.

Identity theft was a big issue, people were concerned about some villain using their identity in some fraudulent way but that wasn’t directly associated with using the debit or credit card, not until you point out of course that large merchants have been known to lose this information on rather a large scale which can be used for more than just fraudulent payments on the card, more on this in the Newsletter.

Well we’ve got there, how about the widget I said, you know the calculator type device that makes your payments more secure like when you are doing electronic banking? You know when you have said something particularly boring when people’s eyes glaze over and they immediately change the subject. I had several goes at this but the best I got was what a jolly good idea but perhaps I won’t need to use it!

Now we all know the problem is getting worse but who is going to blink first? There are two approaches, either we have to have a more secure way of accessing the internet with software or we have to insert a security widget into the payment chain that the consumer finds effectively transparent. There’s an opportunity here for someone. Just as a note one friend has a service from his bank that sends him an SMS when he makes a payment over £25, he loves it and I think I could become quite attached.

See you in Barcelona at the Mobile conference.

Good bye

Patsy

To find out more, please click on: http://www.smartcard.co.uk/articles/GemaltoCountsCostOfNewYearBug.php

Happy Xmas and Best Wishes for the New Year

2009-12-21T10:23:00.011Z

Well it’s that time of the year again and before you know it Xmas will have come and gone. But just thinking about the run up there are many interesting aspects to occupy the mind and for us girls and you guys (eventually) shopping turns into a frenzy. So of course the $64,000 question, do we shop on-line? It’s interesting that a number of my friends have over the last year or so become more and more concerned about the security of using their debit or credit card over the internet to the point at which they have minimised their use to the essentials. As I’ve always pointed out to friends think twice about using a debit card linked to your bank account, the criminal may end up emptying your bank account before you know it. Having a special low value account or a low value credit card significantly reduces your risk against heavy losses and really it goes without saying that getting the bank to put money back into your account is somewhat more difficult than arguing a credit card statement.

It is has been reported by the financial institutions that while online transactions account for about 4% of the total card transactions 50% of card fraud is due to these transactions. It should be noted that the fraud figures really relate to Card Not Present transactions (not cardholder – one hope’s he is actually there) and that of course includes telephone orders.

The trouble is we suffer from ‘Click’ mania, one of my friends compares it to unprotected sex, instant gratification from a friend and it’s only afterwards that we start to worry about the consequences. The email arrives, particularly at this time of the year, from a friend, close or maybe even casual containing a link to something apparently exciting, click here and you will be entertained. The trouble is that all too often we do just that and before you know it some malware has zoomed over the wires/airwaves into your machine. This malware may be frivolous but it can also take over your machine and logging your credit card numbers, bank account details, user names and passwords is just run of the mill stuff for the hacker who sits at home waiting for all the details to arrive.

Of course that's only the half of it we also have professional hackers setting up Phishing and Spearing attacks where they aim emails at all and sundry or some times as in the latter case targeted to specific people, the Spearing attacks are much harder to detect because they can be made substantially unique and operate under the malware detection systems.

Now just think about it for a minute, there is a real risk and it’s already happening to a lot of people that your machine is hosting an alien piece of software that can intercept and override every thing you do and worse, yes it really gets worse, you may be totally unaware of what’s happening.

So where is all this going, well to start with just a recognition that we have a serious problem that’s not going to be fixed any time real soon. We have all heard about the authentication widgets provided by various financial institutions that set out to provide 2-Factor authentication and even a form of transaction signature. The latter is really quite good from a security point of view, they use your financial card to do the cryptography but oh they are so painful to use and I’m not surprised by the negative user reaction. The big advantage is that the keyboard and display form a separate channel to the PC and hopefully have not been attacked by malware.

I want to put it on your Xmas list so here for the gadget zeeks amongst you are some portable USB card reader devices, one for contact smart cards and one for contactless.

They are a joy to hold (please contact our shop if you need one for Xmas) and of course they could be used instead of the calculator sized widget although some trust in the PC is still required but not to the same extent.

Once again, Happy Xmas and best wishes for the New Year from all of us at Smart Card News,

Patsy

Does NFC ring any bells?

2009-11-16T11:39:00.008Z

Once again Cartes has come and gone, no rail strike and perfect weather. In a way it seems to reflect the industry as a whole. The technology is hidden away and now we are only presented with the business propositions, the icing on the cake. Not a complaint just a realisation that the industry is now truly mature. It’s funny really but when you are following the technology everybody is busy telling you that it’s all going to happen next year and of course it never does. When people stop evangelising then suddenly it’s all done and dusted.So are there any loose ends? Well you wouldn’t want to be disappointed would you? Does NFC ring any bells? Now here’s the interesting thing the evangelists have gone, no more ramming it down your throat, a sort of acceptance that it will probably happen but no time real soon and that there probably isn’t a killer application. It’s all a matter of an instrument that gives you a better way of life. In other words the phones will eventually have NFC and people will find things to do with it.

Now it’s taken a little time but I’ve got there, the phone is an instrument of social networking, either to talk, text or email and just about everything else pails into insignificance. Most phones have Bluetooth but it’s not really a part of everyday life, I suspect most people never use it. The camera, oh yes that’s a biggy because it fits into our social networking by providing a means of sharing experiences. Don’t laugh even I take pictures on my mobile phone, in fact I was persuaded by my other half to upgrade my phone just to improve the camera. It takes a little longer but on a good day I can even get the pictures off the phone and onto the PC.

So here’s the question does NFC help with my social networking? Payments – no, mass transit – no, security – no, information – no, connecting with my network - ? Now we’ve got to the Achilles’ heal, does NFC help me communicate? By definition NFC, remember Near Field Communications, and according to he who knows about these things that means magnetic fields operating over a few centimetres or to use the buzz words Person to Person (P2P) but almost with physical contact. So what does NFC allow me to do that I can’t physically do given that the other person is standing next to me? And before some bright spark emails me it’s not about shaking hands with the Queen without touching her.

Let’s be more practical, I can pass data stored in my phone to the phone of the other person. But I can do that today with Bluetooth and most people don’t bother they usually send a text or an email. Smart phone users send emails and everybody else sends text messages, well that’s my observation anyway. Ah ha they tell me but look how much easier it will be to do this with NFC, there’s no pairing required which you need to do with Bluetooth when two devices first meet. The trouble is you are still going to have to set up the application that uses NFC so I can imagine people will still use text or email.

But it’s free, there are no network costs to communicate by NFC, I don’t think anybody cares. Those with smart phones will already have a data contract and those with text messaging just seem to see that as a part of life.

Now let’s not give up, the Apple iPhone has a huge cult following of which a big part is the world of iPhone applications. Can you imagine developers producing applications that use NFC? That’s assuming Apple decide to include NFC of course but I’m told by insiders they are seriously considering their options. But I’m stuck again, what could you do with NFC that you can’t do with Wi-Fi or Bluetooth? In fact those few centimetres seem to be a problem unless I want to make sure nobody can over hear me, now what thought does that put in your mind?

We seem to say it so often but if you don’t need security don’t use smart cards, that has been our mission statement for years. NFC is based around a secure element, the SIM card or some other chip. Nobody has shown me an application for NFC other than payments that needs security and everybody now tells me that payments are not a major driver – so where do we go next?

Patsy.