"As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol - the dominant card payment system worldwide - does not produce adequate evidence for resolving disputes. We propose five principles for designing systems to produce robust evidence. We apply these to other systems such as Bitcoin, electronic banking and phone payment apps. We finally propose speci
"Mobile banking is undergoing tremendous growth as customers increasingly choose smart devices over bank tellers. This has resulted in banks closing branches and investing in online services. However, while banks are profiting from online banking and mobile banking, so too are the cyber criminals that target these services with highly specialized financial malware. In order to defend themselves from the man in the browser (MITB) attacks that are plaguing online banking, financial institutions are depending more and more on mobile devices as secondary authentication factors."
"Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We’ll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction."
"Bitcoin is broken. And not just superficially so, but fundamentally, at the core protocol level. We’re not talking about a simple buffer overflow here, or even a badly designed API that can be easily patched; instead, the problem is intrinsic to the entire way Bitcoin works. All other cryptocurrencies and schemes based on the same Bitcoin idea, including Litecoin, Namecoin, and any of the other few dozen Bitcoin-inspired currencies, are broken as well. Specifically, in a paper we placed on arXiv, Ittay Eyal and I outline an attack by which a minority group of miners can obtain revenues in excess of their fair share, and grow in number until they reach a majority. When this point is reached, the Bitcoin value-proposition collapses: the currency comes under the control of a single entity; it is no longer decentralized; the controlling entity can determine who participates in mining and which transactions are committed, and can even roll back transactions at will. This snowball scenario does not require an ill-intentioned Bond-style villain to launch; it can take place as the collaborative result of people trying to earn a bit more money for their mining efforts."
"Bitcoin. Everybody’s talking about it. What’s true, and what’s hype? Perhaps the only thing that’s clear about Bitcoin is that it’s not going away anytime soon. Who am I to say? I’m not an economist; I’m a hacker, who has spent his career exploring and repairing large networks. And networks may very well be how the world works — financial, social, electronic, even physical. I’m on neither ‘Team Bitcoin’ nor ‘Team Global Financial System.’ I’m on ‘Team Let’s Fix This Thing.’"
"[T]he use of mobile payments raises significant privacy concerns, due to both the high number of companies involved in the mobile payments ecosystem and the large amount of data being collected. In addition to the banks, merchants, and payment card networks present in traditional payment systems, mobile payments often involve new actors such as operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators. When a consumer makes a mobile payment, any or all of these parties may have access to more detailed data about a consumer and the consumer’s purchasing habits as compared to data collected when making a traditional payment."
"Overall, we find that 26% of the 1,001 participants in the study identified at least one potentially material error on at least one of their three credit reports. Although 206 consumers (21% of the participants) had a modification to at least one of their credit reports after the dispute process, only 129 consumers (13% of participants) experienced a change in their credit score as a result of these modifications. Each affected participant may have as many as three score changes. Of the 129 consumers with any score change, the maximum changes in score for over half of the consumers were less than 20 points. For 5.2% of the consumers, the resulting increase in score was such that their credit risk tier decreased and thus the consumer may be more likely to be offered a lower auto loan interest rate."
"The criminal market of payment card fraud (PCF) within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders."
"Virtual currency schemes differ from electronic money schemes insofar as the currency being used as the unit of account has no physical counterpart with legal tender status. The absence of a distinct legal framework leads to other important differences as well. Firstly, traditional financial actors, including central banks, are not involved. The issuer of the currency and scheme owner is usually a non-financial private company. This implies that typical financial sector regulation and supervision arrangements are not applicable. Secondly, the link between virtual currency and traditional currency (i.e. currency with a legal tender status) is not regulated by law, which might be problematic or costly when redeeming funds, if this is even permitted. Lastly, the fact that the currency is denominated differently (i.e. not euro, US dollar, etc.) means that complete control of the virtual currency is given to its issuer, who governs the scheme and manages the supply of money at will."
"In this paper we develop an approach for x-payments. An x-payment is a payment between a remote debtor and creditor established by using any channel (hence the x) to move funds between the debtor account and the creditor account. We address two related issues: one on the debtor side and the other on the creditor side. Firstly, the issue of access to bank accounts of debtors where the problem is who may have access to such accounts and under which conditions. Secondly, the issue of time-critical payment guarantees to creditors (merchants) which is the area where nowadays most of the innovations in retail payments take place. The dual consent approach reconciles both issues by allowing various degrees of access to bank accounts by third parties and a varying quality of the payment guarantee to the merchant based on the degree of assurance from the debtor’s bank for an appropriate fee. It is proposed in this paper to use the dual consent approach to regulate the class of x-payments in the retail payment sphere."
"This At a Glance provides an example of a [Point-to-Point-Encryption (P2PE)] solution that leverages a mobile device’s display and communication functions to secure mobile payments. Central to the example is the use of an approved hardware accessory in conjunction with a validated P2PE solution. Combining a validated P2PE solution with mobile devices such as phones or tablets helps to maintain data security throughout the payment lifecycle."
"[…] The Pew Internet Project and Elon University’s Imagining the Internet Center invited experts and other Internet stakeholders to offer their predictions on the future of mobile payments, and what people’s “wallets” might look like in 2020. Overall, a majority of these respondents supported the scenario that by 2020 most people will have embraced and fully adopted the use of smart-device swiping for purchases they make, nearly eliminating the need for cash or credit cards. These experts feel that the explosive growth in the use of smartphones and other mobile devices, combined with the convenience, security, and other affordances of mobile payments systems, makes these systems an obvious choice to replace established modes of payment in day-to-day commerce."
"Payment systems that allow people to pay using their mobile phones are promised to reduce transaction fees, increase convenience, and enhance payment security. New mobile payment systems also are likely to make it easier for businesses to identify consumers, to collect more information about consumers, and to share more information about consumers’ purchases among more businesses. While many studies have reported security concerns as a barrier to adoption of mobile payment technologies, the privacy implications of these technologies have been under-examined. To better understand Americans’ attitudes towards privacy in new transaction systems, we commissioned a nationwide, telephonic (wireline and wireless) survey of 1,200 households, focusing upon the ways that mobile payment systems are likely to share information about consumers’ purchases."