Nigel's Eyes

20230626 The Nazification of Financial Services

Yes, the headline is designed to shock. It could equally have mentioned Stalin, Mao, Pol Pot or any dictator or ultra-authoritarian figure from any side of politics or religion - or those who take the teachings of religious figures to extremes. Under the guise of protecting something, they all imposed flawed demands and policies to the detriment of those they claimed to be protecting, just as we are seeing in the unilateral imposition of a single - but wrong - approach to access to financial services as banks and others force users to use mobile apps under the fictitious premise that it improves account security.

[Long Read]

Mobile phones are not secure. In fact, their avenues of insecurity create a far more vulnerable approach than those of using a desktop computer.

Cracking a passcode is not difficult. Phones and other mobile devices are easily lost, stolen or even broken. Or for other, inevitable reasons, become unusable as a token.

Cracking encryption is harder - the first time. Then it's never easy but it's not so difficult. But surprisingly, it's not necessary to break encryption for some of the actions of phone-hackers and, even more worrying, many apps have inherent weaknesses in their security.

Mobile apps add little to users' experience beyond payment cards and web banking.

What do users want to do? They want to not carry substantial amounts of cash and they want to not spend their precious time hunting for an Automated Teller Machine, which banks have steadily withdrawn from service leaving the countryside largely without such service and many urban areas with only a handful for large populations.

The means of identification for users of ATMs began by using the same technology as the first credit cards. However, magnetic stripe cards had very weak security. The introduction of holograms didn't work as well as was hoped, it being reported that cards with fraudulent holograms were circulating in Hong Kong within six months of the introduction of the technology. Magnetic stripe cards, with or without a hologram were an open invitation to cloning: indeed, the first devices to fraudulently read and store card data appeared in the 1980s and with them the trade in stolen card data. Reprogramable cards were easy to buy and easy to reprogram.

In 2018, after one might have expected that the heyday of cloning physical cards was past, a man was arrested in Chelmsford, England, with 200 blank cards in his possession. Two years earlier, police in Malaysia broke up a credit card counterfeiting ring they had been hunting for several years. 19 people, all men, were arrested. Police seized 2,371 fake credit cards and three credit card processing machines.

While blank cards are easy to buy, one often used technique was to reprogram mag stripe hotel keys. Another was to steal credit cards and to reprogram them with data from "clean" cards then "mules" would travel to purchase expensive items in physical shops. You might think that shop assistants would notice inconsistencies but no, they don't for the most part. And worse, attempts to provide data that would help any alert shop assistant have been blocked by campaigners raising politically correct arguments: when there was a proposal that cards issued in California should have a photograph of the authorised card holder, the American Civil Liberties Union kicked up a fuss arguing that it was racially divisive. The plan was withdrawn. The next step was that campaigners have argued that the "Mr" "Mrs" or (usually) "Ms" should be removed from cards. Banks, under pressure from extremist wokes are, in some cases, acceding to their demands.

It wasn't even necessary to use a plastic card: a piece of cardboard, of the correct dimensions, with a piece of video tape glued in place could be programmed and used and often was. How did the criminals get the data? It's always been the same: a skimming machine attached to an authorised reader, a skimming machine under the counter or in a waitress's pocket or, of course, the good old standby of shoulder surfing by a person or a camera.

The epidemic of cloned cards was significantly reduced by the introduction of chip n pin but the USA was far behind in the adoption of that technology.

What was worse was the determination, in some countries, to permit - even encourage - double dipping where a card used with a PIN would then be swiped "for accounting purposes." This was in clear breach of the conditions of use set by e.g. VISA and MasterCard but the practice persisted for years, extending the life of mag-stripe related credit card fraud.

Ideas promoted as convenience eroded awareness of security

People got used to the idea that if they kept their cards in their pockets and inserted them into card readers themselves, entering their PIN and making sure the card did not, physically, pass to the merchant, cards were actually pretty secure.

The pattern of fraudulent use of cards changed with the advent of on-line and telephone shopping. Now the physical security aspects of card use had no value. This had two consequences:

a) card information could be obtained by criminals without possession of the card;
b) purchases could be made without possession of the card.

Card companies had long monitored patterns of spending and identified and blocked suspicious transactions and often, provided the card holder established that proper security had been adopted, refunded fraudulent transactions.

The most effective method of ensuring on-line transactions were authorised was the introduction of two factor authentication.

Two factor authentication is a nuisance and, perhaps most importantly, it depends on technology: that of the mobile phone and the Short Messaging Service.

The technology is old and, mostly, trusted. It works on any mobile phone made in the past 40 years or so. And those phones have long battery life, they are small and they often receive a signal in weak signal areas. But those old phones fell out of fashion in favour of smartphones, a development that was much less sudden than many people think: there was a transitional period where old style phones had applications for games, recording, web access, document editing, diaries and reminders and more and, even touch-screens. And they had encrypted messaging.

The material difference was the development of the iPhone and Android which allowed the development, distribution and installation of software developed by random third parties.

A generation of people thought the little box in their hand was magic and as all those who witness magic, they became enthralled with it and bought into the biggest and most risky illusion imaginable.

But I am jumping forward: there's something very important to look at first. One single technology marketed as the ultimate in convenience simultaneously undermined the security of cards and reduced the awareness of the need for security in the hands of card users. That technology is Near Field Communication VISA called it Wave.

That technology was the prime mover behind "contactless payments" and it's been built into mobile phones since 2006 when it was introduced by Nokia not as a payments mechanism but for file transfer that had to be turned on rather than set up as with Bluetooth. Its first major success was with an app called "Bump" on the iPhone in 2009. Bump was a global phenomenon and a media darling and it has been said in various quarters that it was the buzz around Bump that drove the initial acceptance of the iPhone - and that and other apps such as music cemented the relationship between more than one generation and their phones. What it definitely did was begin the concept that a phone can be part of a person's identity or, even, define it.

And it led to cards being read by criminals with a card reader in hand standing close to someone with, for example, their wallet in their back pocket. Another industry was spawned - wallets with anti-RFID linings. The most fascinating aspect of this is that, even today, very few people carry their cards in such a protective wallet.

Houses built on sand: the mobile phone as a form of verification of identity.

Sometimes, often if we are honest, policy makers and regulators believe their own PR. Or worse, they think that they know everything and that their conclusions are correct and will always be correct.

Let's think back to the early 1990s when money laundering laws were, mostly, new and their supporting regulations were in their first version. The FATF and the EU had required that those applying to do business with a regulated business must be identified and that the information provided by the customer must be verified. "How exactly," said banks etc., "do you expect us to do that?" "Use utility bills", came the answer.

Why? Because utility bills are forms of credit and therefore anyone who has a utility bill has been through a credit check. It will surprise most people in financial crime risk and compliance that, in the 1980s, it was a complex and time consuming task to get a mobile phone account. So, an electricity bill, a driving licence, a check on the electoral roll (if there is one) and a mobile phone bill were actually pretty conclusive evidence that the person making the application for a bank account, etc. had collected a set of documents with consistent information. Of course, it did not prove that the documents were real or that the person presenting them was who he said he was.

That initial difficulty in obtaining a post-paid mobile phone account led to a mythical assumption that, over time, resulted in the mobile phone being used for verification of identification and, of course, for two factor authentication.

But it's easy to bypass that. For example, in the 1990s, a company in India advertised that it could produce utility bills using the same inkjet machines as the utilities companies in the UK. Each document, containing whatever information was requested, cost GBP7 delivered to any address in the UK. At the same time, Westminster Borough Council undertook a cost assessment process and determined that the actual cost of every letter sent out was GBP11.

Today, there are dozens of companies advertising that they will produce such documents for your amusement and as a novelty item.

Once it became mandatory for mobile phones, including prepaid, to be registered, a thriving market grew up in second-hand cards that were already registered. Incredibly, in the USA, it is still completely legal to walk into a shop and walk out with an unregistered, fully operational, 4G phone for calls, SMS and even, for about USD50, a smartphone with Android 11.

But you don't even need that: if the purpose of collecting the phone number is to receive an SMS confirmation, there are free services around the world that publish numbers you can use. Incredibly, despite the fact that the inbound messages are visible to all on a webpage, people have their two factor authentication messages sent to them.

This demonstrates that SMS is not secure as a means of identification - but it doesn't demonstrate that it's useless for all purposes. In particular, it doesn't demonstrate that it is unsuitable for two factor identification. Why? Because the code in the SMS is useless in isolation. So, provided the access to the financial service and the SMS are not on the same device, there is, in fact, a reasonable level of security.

The detractors say that it is insecure because the SMS can be spoofed. So what? If the account holder did not ask for the code, then the code is useless.

Where there is a problem with SMS is where fake links or fake phone numbers are sent. This is an entirely separate issue and does not concern us here.

So began, in the 2020s a hunt for some kind of "token" that could be used instead SMS. But this, too, started from a false premise.

SMS v "Tokens."

The false premise was that the idea of tokens is new. It isn't, as these HSBC tokens from the early 2000s prove.

I don't know how the bank communicated with the token. It worked as follows: I pressed a button and a number appeared in a screen and I entered that number into the website to gain access. The tech was developed by Vasco which provides updated versions of its product. The security it provides is independent of a banking app meaning that online, web, users don't need to expose their accounts via a mobile app.

The claims for security of mobile apps began with a lie.

It all started with what seemed to be a fact but which was only a lie waiting to be discovered.

As e-mail and websites' security buckled under the torrent of attacks of many colours, it was noticed that these attacks happened to, mostly, computers using the Windows operating system from Microsoft. Apple suffered less and, it was said, Linux barely at all. But then someone announced that mobile phones were immune to attack and, because attacks had not been reported, the world took that idea and ran with it.

That was not true and today malware attacks on phones are far from rare. Worse, that malware comes with the presumed security feature of having been approved by Google and/or Apple.

In December 2022, McAffee discovered malware in apps in the Google Play store. More than two million people had installed a variety of apps that included the malware. In April, a different form of malware was found in 60 otherwise legitimate apps with 100 million downloads. Bleeping Computer wrote: "According to McAfee's research team, which discovered Goldoson, the malware can collect data on installed apps, WiFi and Bluetooth-connected devices, and the user's GPS locations."

That, for your information, is data used by your banking app.

And in one amazing irony: VISA is running TV ads for its mobile wallet - the user waves it at the terminal. Just like the RFID card. The complexity has taken us precisely nowhere.

So to summarise.

The world is being told that a handful of people know what it good for everyone and that everyone must fall into line or end up disenfranchised. In a world where attention is paid to the "unbanked," no one is paying attention to the "banked" who are being forced into systems that are unreliable, insecure and often inaccessible.

"India is expected to face a shortage of around 3 million cybersecurity professionals by the end of 2023. " True, that's from a partisan OpEd in an Indian Newspaper but even so, given the amount of online and telephone fraud, especially banking fraud, that originates in India, this is doubly worrying.

There are millions of people around the world who don't have a smartphone or who have a smartphone that is not compatible with their bank's app and who are, because the App is required even to access the bank account on the 'web, locked out of their accounts. Moreover, as banks move the two factor authentication for card purchases over the web from SMS to the App, they cannot use their cards online.

There are millions of people who don't have a mobile signal (I am one of them and I live in the heart of a capital city).

There are many people who lose their phone only to find that providers are at best unhelpful as they impose their own interpretation of best practices for security. An iPhone left in the back of a taxi on Hong Kong could not be reactivated by its Chinese owner for a week. And then while some services, such as the airtags that the owner's children wear, were reactivated, Apple has said that the 7000 + images in iCloud cannot be recovered. Such inconsistencies are another reason why depending on mobile phones as banking terminals is a terrible idea.

As the HSBC tokens and their more recent development shows, it is possible to use an app for authentication and for that app to be divorced from any form of access to accounts.

So, it's a ridiculous concept but if a bank really insists on using an app to receive an authentication code, then do it entirely separately from the actual banking app. All the shortcomings will remain but at least the security issues can be distanced from the risks created by mobile banking. Then let web users use the web with the existing risks they know and understand and already take steps to protect against.

It's not Nazification, totalitarianism or other extremist takeovers, of course, but there is enough in common with those to give us cause for concern. There is a sudden and rapid implementation of change in a massivly immature technology (and/or culture) where security is demonstrably not the primary concern. Adding features and building a customer base is. Nor, other than in the most superficial way, is it for the convenience of the masses. The techniques - of removing the familar and the redefinition of language are classic techniques of revolutionaries.

We are being swept along on a current of half-truths and downright lies to a future that doesn't benefit the consumers of banking, etc. services much if at all and often exposes them to financial risk.

It's time to stop, take stock and work out exactly what we want, why we want it and how to achieve that with minimum risk and disruption.

What it isn't is that we are forced to labour under a technology that is, often, not fit for the purpose that the consumer thinks it's for.

Further Reading:

Bleeping Computer:…

Current Vasco Digipass information:…