Keeping up or holding back? The regulation challenge for government

9:03AM | Thursday, 24 September

A 21st Century government needs 21st Century regulation. The key is not to predict the future. It is to have flexible rules and processes that do not lock us into a particular technology. It also means fighting the vested interests who will oppose change to protect their own profits.

Don’t we already have 21st Century regulation?

To see the problem look no further than Bitcoin. The banks are refusing to deal with Bitcoin traders. The traders claim that this is co-ordinated, anti-competitive conduct. This sounds likely and the competition regulator, the ACCC, is investigating. The Australian Bankers Association, however, claims that the banks are simply following anti-money laundering rules. And given the impossibility of tracing Bitcoin flows, this sounds pretty reasonable as well.

So the problem is clashing laws.

This is not an isolated case. Think of labour and tax laws and on-demand contractors, taxi laws and ride-sharing, or road rules and driverless vehicles.

Indeed, think of a new technology and there is probably a legal hurdle. Good laws can adapt to new technology. Bad laws lock out new technology.

Should we leave it to the regulators?

Sometimes regulators can solve the problems within the current laws. But this can lead to poor outcomes.

For example, in the UK in 2014, the Office of Fair Trade (OFT) had a dilemma. Online travel agents, like Expedia, require ‘most favoured customer’ status with hotels. A hotel cannot offer a cheaper price on its own website than the online agent can offer. The online agents argue that this stops consumers free-riding: using the agent to decide which hotel they want to stay at, then booking directly with the hotel and not paying the agent’s commission. The hotels argue that it is anti-competitive. Why shouldn’t they be able to discount directly to customers? Both sides have a point.

So the OFT crafted a compromise. Hotels can discount, but only for repeat visitors who join a “club”. Membership of the club may be free, but consumers can only join after staying at least one night at the relevant hotel chain. Hotels cannot price below the online travel agents for consumers who are not in their club.

Like most compromises, this is likely to satisfy no-one. Frequent travellers will quickly become members of a variety of clubs, and they can then free-ride on the online agents. And the online agents can legally rip off consumers – but only once for any particular hotel chain!

If the rules are inadequate, we can’t just leave it to regulators to muddle along. Government needs to design better rules.

Give us some examples

Ride-sharing needs existing taxi laws to be changed. This is easier said than done, as existing taxi-owners will fight to keep their profits.

Driverless trucks need modified road rules. Governments can work with logistics companies and technology firms to trial these vehicles. Night-time on the dual carriageway between Melbourne and Sydney seems a good place to start. And build up slowly, with the eventual aim of driverless linked trucks operating at high speed between Campbellfield and Campbelltown.

Credit card surcharging is not working, as the 2014 Financial Services Inquiry (FSI) recognised. Some surcharges are too high, some are too low and many merchants are reluctant to put on any surcharge at all, despite the fees they pay when they accept your card.

The FSI’s suggested solution is to increase regulation (see recommendation 17). This is the wrong way to go.

We already have a solution. Australia was a world leader in direct charging for ATMs. Consumers are informed of any charge by the ATM and can continue or cancel as they choose.

Why not investigate the same solution for credit cards? If you use a credit card at a merchant and there is a fee, then you are informed electronically before you commit. The merchant sets the same price for everyone. It is up to the card company and your bank if they want to sting you. And if they do, you can swap to cash, EFTPOS or switch card providers.

This article was first published on The Conversation.

Security vs usability: that's the choice we make with passwords

9:28AM | Friday, 4 September

We all need some kind of authentication process if we are to access information systems at work or at home. We know why we need to do it: to make sure we have access to our data and unauthorised people don’t.

So why do we routinely ignore such advice, particularly given the constant advice from cyber security professionals about the need for strong passwords that are changed frequently? It seems there is a significant disparity between what we do and what we want: is it security or is it usability?

Most authentication we encounter today is typically implemented in one (or more) of three ways:

- Something you know (such as the humble password)
- Something you have (a smart card)
- Something you are (a fingerprint)

Many systems use a username/password pair for access control, largely because the interfaces to most systems have typically been some sort of keyboard. Some smart phones use a PIN or fingerprint, and bank ATMs use a combination of something you have (a card) and something you know (a PIN).

The trouble with passwords

Having a long random password is good advice. It provides a measure of security for guarding access to important information, such as your online banking account.

Unfortunately, when faced with having to remember several random fifteen-character passwords (characters being A to Z, a to z, 0 to 9 and an assortment of other printable characters such as ! @ # $ and %), most users apply a judgement to the value of the information protected by the password and act accordingly.

Some accounts may have a relatively weak password, because of the cost of undue information leakage or harm to the owner if the account is compromised. Other accounts might have a stronger password, because users don’t want their money siphoned off by a cyber-criminal. These are judgements about the perceived value of the information.

How safe is your password?

If you must use a password, what makes a good one? How fast can a password be cracked?

There are several websites that publish lists of common passwords. I have used a list of 14 million passwords as a test with a local science discovery centre in Perth.

Attendees at the centre (mostly high school students) were asked to enter what they thought was a secure password and this was checked against the list. If not found on the list (a rare occurrence), the password was sent to a fast computer for further processing.

This computer could crack a random six-character password in under two seconds, using a brute-force attack: trying to match “aaaaaa”, then “aaaaab”, then “aaaaac” and so on through all combinations of six characters.

It was surprising how little the fast computer had to do. Many users assume that words or phrases taken from well-established literature are somehow secure. They are not (forget anything from Lord of the Rings or War and Peace).

A longer password takes longer to crack. A random 15-character password might take a week, but then the argument comes back to the time value of information. If a cyber-criminal has to wait a week, your account will still be there, and will you change your random 15-character password every week?

One way to add an extra level of security to your password is to enable any two-step authentication, whereby another code is sent to a device, such as your mobile phone, after a password is entered. Plenty of online services already offer this.

We need some other authentication

If the humble password is not suitable due to usability issues, then there are alternatives, such as the popular payWave contactless payment system for bank cards and travel cards, with no password required for small transactions.

The risk is that if your wallet or purse is stolen, small amounts can be siphoned from your account before it is blocked. Nonetheless, tapping a card is proving to be popular with consumers and with retailers, so convenience wins over security.

Biometric methods, based on some physical property of the human body, are attractive because a person doesn’t need to remember a password or carry a card. Smartphones and computer operating systems already use fingerprint scanners to provide a simple and effective means of authentication.

Other biometric devices in use include retinal scanners, iris scanners and voice recognition. Despite what is seen in popular movies, no-one likes having a laser shined into their eyes, so voice recognition might be the way forward.

But there are known issues with biometric technology, though those issues are the same for any authentication system. Current error rates for single-fingerprint devices are approximately 2% at best – not good enough to be used on their own yet.

Some systems don’t rely on matching the actual fingerprint, but match other behavioural properties of a user. For example, the angle and velocity of fingerprint scanning, which are properties that are different for each person, are measurable and repeatable. This defeats a physical attack such as removing a person’s finger in an effort to impersonate someone.

Returning to the ATM example: for now, we are bound to cards and PINs due to their low maintenance and production costs. From a customer’s point of view, it would be simpler to speak to an ATM and ask it for cash, once your voice print linked to your account has been confirmed. This is a much more user-friendly (and safer) future.

Ultimately, until more robust security alternatives are widely accepted (and implementable at low cost), those who continue to ignore the advice on passwords must seriously ask what balance of security and usability they prefer, and what price they’re prepared to pay for weak security.

Mike Johnstone is a Security Researcher and Senior Lecturer in Software Engineering at Edith Cowan University.

This article was originally published on The Conversation.
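The two checks the article describes for the science-centre exercise, lookup in a list of common passwords followed by a brute-force estimate over the full character set, can be modelled in a few lines. The Python below is an added illustration and is not the author's code or the discovery centre's tool: the common-password set is a small constructed stand-in for the 14 million-entry list, and the guess rate is an assumed constant (real cracking speed depends on the hardware and on how the password is stored), so the times it reports are estimates of the same kind as the article's "under two seconds" and "a week", not measurements.

```python
import math
import string

# Constructed stand-in for the multi-million-entry common-password lists the
# article refers to. Real lists are far larger; these entries are illustrative.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "aaaaaa", "gandalf", "frodo", "warandpeace",
}

# Assumed guess rate (guesses per second) for an offline brute-force attempt.
# Real figures depend entirely on the hardware and on how the password is stored.
ASSUMED_GUESSES_PER_SECOND = 1.5e8


def alphabet_size(password: str) -> int:
    """Size of the smallest printable-ASCII alphabet containing every character used.

    Classes: lowercase (26), uppercase (26), digits (10), punctuation plus space (33).
    An attacker who knows nothing about the password must cover at least this set;
    the article's full set (A-Z, a-z, 0-9 and printable symbols) totals 95.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates a brute-force search over this length and alphabet covers."""
    return alphabet ** length


def worst_case_seconds(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at the given rate (expected time is half this)."""
    return keyspace(length, alphabet) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit, to one decimal place."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def assess(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Apply the article's two checks in order: list lookup, then brute-force estimate."""
    if password in COMMON_PASSWORDS:
        # On the list: an attacker tries these first, so length and alphabet are irrelevant.
        return {"verdict": "common", "entropy_bits": 0.0, "worst_case_seconds": 0.0}
    size = alphabet_size(password)
    if size == 0:
        # Empty (or entirely non-ASCII) input: nothing to search, treat as weak.
        return {"verdict": "weak", "entropy_bits": 0.0, "worst_case_seconds": 0.0}
    bits = len(password) * math.log2(size)
    secs = worst_case_seconds(len(password), size, guesses_per_second)
    # Threshold is an assumption for illustration: anything exhaustible within a day is weak.
    verdict = "weak" if secs < 86400 else "strong"
    return {"verdict": verdict, "entropy_bits": round(bits, 1), "worst_case_seconds": secs}


if __name__ == "__main__":
    for candidate in ("password", "abcxyz", "Tr0ub4dor&3"):
        result = assess(candidate)
        print(f"{candidate!r}: {result['verdict']}, {result['entropy_bits']} bits, "
              f"up to {humanize(result['worst_case_seconds'])} of guessing")
```

The order of the checks matters: a long password that appears on a breach list is found instantly, which is why the list lookup comes before any keyspace arithmetic, and why the article's quotes from Tolkien fail regardless of their length.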

Zwype is your digital bar tab

2:39AM | Thursday, 19 February

A BlueChilli startup is looking to make it easier for customers to pay for items even if they have left their wallet at home.

Zwype is a virtual wallet and payment system that allows users to buy items at participating venues – such as cafes, restaurants and bars – without the need to swipe their credit card or pay by cash.

Co-founder Matthew Bond says one of his co-founders works in the hospitality industry and “jumped at the idea” because his customers were always forgetting their credit cards in the first place or leaving them behind at the bar.

“Our app allows users to leave their credit card, wallet and cash at home,” he says.

“They can simply walk into an applicable venue, open a tab, show their phone with a unique number and when they want to pay they can walk out of the venue or close the tab and it will email a receipt.”

The startup currently has more than 300 businesses in Brisbane, Sydney and Melbourne onboard – with plans to launch in Perth, Adelaide and Darwin shortly.

“I’m a big believer that cash will be gone in about five years’ time and that in 10 years’ time credit cards will be gone,” Bond says.

“You go anywhere these days and pay on credit card or go out for dinner with friends and no one has cash on them. It’s almost a chore to get cash out of an ATM. The first thing you do when you wake up in the morning is check your phone… why can’t it be a tool for paying for everything?”

Bond says the Zwype system saves venues time and allows them to harness customer data to help them make smarter decisions.

“It makes the relationship between the customer and venue more fluid,” he says.

“When you walk into a venue and select it [on the app] your picture will turn up on their iPad as well as your name and favourite drink. So it creates more of a rapport between the customer and venue – rather than someone coming in, ordering something, paying their $5-10 and walking out.”

As for what’s next for the startup, Bond says he hopes to raise some capital in the next few months once it gets some more traction.

“We obviously want to spread our network and go international,” he says.

“We have actually tested it at a bar in Bali to see if it would work – it proved you can pay anywhere in the world... but baby steps.”

Bitcoin company to raise funds through Australian Small Scale Offerings Board

11:01AM | Tuesday, 11 November

Brisbane-based bitcoin startup Diamond Circle has opened a fundraising round via the Australian Small Scale Offerings Board, shortly after launching its bitcoin kiosk product.

The bitcoin kiosk is an ATM that allows users to purchase bitcoins with a credit card. The startup also provides pay and wave bitcoin debit cards, which allow distributors and merchants to accept bitcoins and earn commission by accepting bitcoins on purchases, providing cash-out facilities and selling those bitcoin debit cards.

Diamond Circle is looking to raise $1 million for a 20% stake of the company. Its revenue for the 2013/14 financial year was $170,000, and it’s projecting revenue will increase to $12.7 million in 2014/15, $74 million in 2015/16 and $163 million in 2016/17.

It plans to use the capital from the $1 million raise to distribute and enhance its MVP, strengthen its distributor/partner relationships, add further product lines and development, and marketing.

Managing director Stephen Rowlison says the startup has solved the issue of bitcoin price volatility by linking traditional banking systems to the Diamond Circle debit card page.

“Diamond Circle has developed a range of products and services that sit at the point of exchange from traditional ‘fiat’ currencies into cryptocurrencies and vice versa,” he says in the round’s offer document.

“Innovations include a cashless crypto ATM (showcased at Amsterdam’s Global Bitcoin 2014 conference), merchant ready NFC-enabled PoS devices (both fixed and mobile) and a patented crypto Debit Card (“Bitwave” enabled, and designed for co-branding).

“Whilst the technology behind the company may be applied to any cryptocurrency, the current marketing efforts concentrate on the best-known cryptocurrency, bitcoin…”

The exit plan for the startup is for a trade sale in two to three years’ time, with a money transmission business being the likely acquirer.

When the ATM runs Windows, how safe is your money?

10:50AM | Wednesday, 15 October

How safe is Microsoft Windows? After all, the list of malware that has caused major headaches worldwide over the last 15 years is long – viruses, worms and Trojans have forced computers to shut down, knocked South Korea offline and even overloaded Google’s servers.

Now, how safe do you feel knowing that cash machines across the world run Microsoft Windows?

An exploit has been discovered, apparently spread across Russia, India and China, whereby cash machines can be turned into a free money vending machine.

The hack requires re-starting the cash machine – essentially a Windows terminal – from a prepared CD that injects malware into the system to circumvent the security. At set times of the week, a unique code is generated and given to a “mule” who would approach the machine, enter the code, and withdraw up to 40 notes, anonymously and without trace.

From skimming to hacking

Attacks on ATMs (those more sophisticated than removing the cash machine and cutting into its safe) started around 10 years ago with card reader devices containing a tiny integrated camera and card reader. As a user withdraws cash, the device reads the account details from the card’s magnetic stripe and videos the PIN entered into the keypad.

Earlier generations of ATM machines were often built around computer terminals running IBM’s OS/2 operating system (which started life as a joint IBM-Microsoft venture, and which somewhat ironically spawned Microsoft’s Windows NT, the grandparent of modern Windows, and IBM’s OS/2 when that project collapsed). Due to its more esoteric and rare nature there are far fewer attacks for OS/2, but now it is standard builds of Windows, potentially vulnerable to all the usual malware and exploits, that run modern ATMs.

So it is not surprising that intruders have started to find ways inside the ATM’s card processing and cash dispensing systems. Malware that can offer external control of an ATM has been reported for some years, allowing attackers to dispense cash and to record and print out card details and PINs.

Under the hood

This latest malware is Backdoor.MSIL.Tyupkin, which, while running continuously, will only listen for commands on a Sunday and Monday night. The criminal gangs operating the malware generate a random, unique, six-digit keycode that activates the program, which is given to the “mule” who is withdrawing the money.

Like previous efforts to crack into ATMs, the malware requires physical access to the ATM, typically by booting the ATM from a CD prepared to install the malware. At present the malware has been active on at least 50 ATMs in Russia and Eastern Europe, but also in the US, China and India.

The malware is the file ulssm.exe, which is copied into the c:\windows\system32 directory and which is protected and maintained on the system between reboots by modifying the Windows registry (a database of configuration settings) so that Windows automatically runs the program at startup. The program then interacts with the ATM through the Extension for Financial Services (XFS) library, MSXFS.dll. To avoid detection it will only allow access controller commands on Sunday and Monday evenings.

(An embedded video at this point in the original article showed an example of malware installing itself onto a system, updating the Windows registry to autorun when started (at 25:20), and then going into hiding.)

Playing catch up

The threat of re-booting machines from CDs or bootable USB sticks in order to install malware, and abusing Windows’ autorun feature to sustain the program in memory, is an exploit that has been common for over a decade. It seems few lessons have been learned in terms of securing physical access to the device, and also in the privileged rights that malware can gain. Even as companies focus on improving and securing the user interface, often the debugging and diagnostic side can provide further routes into a system.

Versions of Windows used in embedded control systems are now sufficiently secure, but as ATM manufacturers use standard installations of Windows they are opening themselves up to further problems – not least because it allows hackers the opportunity to simulate and craft their malware on well-known versions of the operating system.

However, at the core of this attack – as with those before it – is the need for physical access to the device, which implies an insider working in the bank. That means that with monitoring of who has access to the cash machine, this can be prevented. The key lesson is that the ATM operating system is a weak link in the chain which needs to be closed.

This article originally appeared on The Conversation.

Smarter software will help chip and PIN protect us from fraud

7:13AM | Thursday, 31 July

Changes to how credit card transactions are handled at point-of-sale will come into effect in Australia this Friday, August 1. Magnetic stripe and signatures will no longer be the primary method for verification – instead, a chip-enabled card and PIN will be required.

In order to support the new types of credit cards, merchants are required to upgrade their hardware or look at an alternate solution. There are still some situations where the customer isn't required to provide a PIN:

- Contactless payments under $100 in value (i.e. payWave, PayPass)
- Any payments $35 or under in value
- The credit card has been issued by an overseas bank. In this situation they will be able to sign for their purchases.

Europe is already on chip and PIN; the USA, however, is still using magnetic stripe, but this looks to be changing.

One benefit for merchants to invest in the upgrade is that the card schemes (Visa, Mastercard, AmEx) will cover the merchant for any chargebacks associated with a chip and PIN based transaction.

There have been some reports that industries such as hospitality are concerned about the impact this change will have on other parts of their business, like tipping.

Ben Fuller from point-of-sale provider ImPOS sees an opportunity for new software systems to improve these parts of the business.

“Those saying it is the death of tips for wait-staff, haven’t made themselves aware of how the transition has been successfully handled in other countries. With our POS solution we're leaving a space for the customer to ‘sign-off’ on the tip at the bottom of the bill. It is simple and if carried out correctly with the right dialogue, will result in more tips, not less,” Fuller says.

Stolen at the shop, spent on the web

Building a more secure payments infrastructure with chip and PIN is a positive step. However, according to the Australian Payments Clearing Association (APCA), roughly 70% of Australian credit card fraud occurs in a card-not-present environment (i.e. online, phone or mail credit-card transactions). Generally, credit cards are stolen at an ATM or checkout, then illegally used online, where a PIN is not required. These regulatory advancements may result in more fraud being driven towards contactless cards and online transactions.

Software-based solutions

At Pin Payments we're seeing a segment of small businesses ditching their hardware terminals in favour of our simple software-based solution.

Businesses processing a small number of transactions each month can find the up-front cost and long contract terms associated with hardware card terminals don't make financial sense. Software solutions like this on the market offer a way to process card transactions on a pay-as-you-go basis, with the transaction fee being the only cost to merchants.

When it comes to risk, for merchants using our mPOS at markets, pop-up stores and similar, we always recommend they take steps to reduce the risk of fraud. A simple tool can be to ask for photo identification that matches the name on the credit card provided.

The move to chip and PIN is welcome, and it has the ability to significantly reduce the incidence of card “skimming” in retail environments. Skimming is the term used to describe the illegal harvesting of card details from modified ATMs and checkout terminals.

Web and mobile software tools provide a larger opportunity to protect consumers, potentially eliminating sensitive card details from transactions entirely. Progressive businesses such as Clipp are using a secure card-on-file method to allow bars and restaurants to charge customers through a mobile app.

Uber are doing the same for taxis and limousines. With chip and PIN hardware, skimming can be reduced. With software, skimming can be eliminated.

If credit card or bank details don't need to be handled at the time of the transaction, then there's no useful information for thieves to harvest.

Australia is moving ahead of some other markets (such as the US) in consumer protection practices, and these new regulations around point-of-sale hardware will benefit consumers. Still, there remains plenty of room for improvement as payments continue to go online and mobile.

Chris Dahl is from Pin Payments, an Australian start-up providing businesses with simple new ways to get paid.

Stripe looks at accepting bitcoin, but Australians will have to wait

3:37AM | Friday, 28 March

Online payments company Stripe is running a trial with US customers that allows them to accept bitcoin payments, but there is no definite date as to when this will be available in Australia.

Still a controversial currency, bitcoin has slowly been gaining traction in Australia, with a Bitcoin Barcamp held recently and the first bitcoin ATM being installed in Sydney – at a pastry shop in Rosebery.

If Stripe’s trial proves successful, they plan on making bitcoin payments available in Australia and other countries. It will be the first major online payments platform to support bitcoin.

Stripe recently opened up to Australian merchants in private beta, setting up a presence here led by entrepreneur and venture capitalist Susan Wu.

Stripe cofounder and president John Collison told StartupSmart the inclusion of bitcoin as a payment option won’t have an immediate impact, with some education around bitcoin still needed in the community.

"People selling online aren't going to shift all their sales to bitcoin overnight, or even in the next few months,” he says. “There's some education needed on what accepting bitcoin means and what the advantages are.”

He says Stripe will need to make the consumer buying experience better.

“That'll take time, but we're pretty excited about this addition,” Collison says. “Breaking down economic barriers is one thing both Stripe and bitcoin have in common."

According to Re/Code, once implemented, merchants who decide to use Stripe to accept bitcoin payments will automatically be paid out in the local currency of their choice. They set the price for their product or service in a local currency and Stripe automatically calculates for their customers what that will cost in bitcoin.

Neither Stripe nor its customers will hold onto the bitcoin, meaning the businesses that accept bitcoin will not be subject to the volatility of its price.

Local Stripe competitor Pin Payments currently has no plans to implement Bitcoin. Pin Payments founder Grant Bissett says Bitcoin doesn't solve a real problem for their customers.

"In the longer term it's likely that we would consider using Bitcoin - or one of the many other emerging cryptocurrencies, but not as a customer-facing product," he told StartupSmart.

Bissett says sites like Coinjar have a great product and are already providing Bitcoin support for local merchants.

"In the relatively conservative banking environment in which Pin Payments operates, we feel that maintaining a moat between regulated and unregulated payment activities will benefit all participants in the local payments industry, in turn improving the offerings for businesses and consumers in the region," he says.

Pebble to start shipping ‘smartwatch’ after raising $15 million

3:14AM | Monday, 11 March

US-based start-up Pebble has confirmed it will begin shipping its ‘smartwatch’ on January 23, eight months after it smashed its $100,000 Kickstarter goal and raised more than $15 million.

Drive-thru chain Muzz Buzz couples coffee with car washing

3:21AM | Tuesday, 12 March

The founder of drive-through coffee franchise Muzz Buzz insists there’s no difference between coffee and car washing, after announcing plans to grow the brand by way of a car wash service.

Consumers trade old mobile phones for cash using ecoATM

9:36AM | Tuesday, 25 September

A new recycling “ATM” will take an old mobile phone and pay an agreed price on the spot, taking the concept of bartering to a new level.

Six top tips to avoid an outsourcing disaster

9:23AM | Wednesday, 12 September

I see so many start-ups that simply waste money, unintentionally (I've invested in them).

Online security stats prompt key tips for start-ups

9:57AM | Wednesday, 5 September

Start-ups have been urged to reassure consumers of the security of their sites, after a report revealed 95% of consumers would terminate their relationship with a company if it mishandled their data.

Eftpos hits out at Visa, Mastercard over payment processing

8:22AM | Monday, 20 August

Eftpos Australia has applauded a move by the RBA Payments System Board, which has raised concerns about multi-network debit cards, and is calling for a voluntary agreement on the issue.

Westpac launches Mobile PayWay as SME payment market heats up

7:28AM | Friday, 6 July

Westpac is the latest of the big four banks to launch a mobile payments app, Westpac Mobile PayWay, for small businesses. But how does it measure up to its rivals?

Cupcake ATM helps settle late-night sugar cravings

7:15AM | Wednesday, 4 July

An LA bakery called Sprinkles has installed the world’s first cupcake ATM, answering the prayers of consumers who crave a late-night sugar hit.

Commbank joins fight for SME app users

10:35AM | Tuesday, 25 October

The Commonwealth Bank has become the latest bank to target small businesses with its newly launched payments app, which offers near-field capabilities but is limited to iPhone users.

Online banking surge fails to dampen SME branch visits

5:25AM | Tuesday, 24 May

New research reveals more Australians do their banking online rather than visiting a branch, although industry experts say face-to-face service still resonates with small business customers.

ATM fees spark investor interest

2:41AM | Thursday, 17 February

A new report has revealed that investors are seeing increased potential in the ATM market, prompting a renewed call for a cap on ATM fees.

Eftpos fraud triples in one year

12:13AM | Wednesday, 8 December

Eftpos fraud has almost tripled in the last financial year due to skimming and electronic forgery, according to new figures from the Australian Payments Clearing Association.

Australia Post banking proposals could boost start-ups

12:18AM | Monday, 6 December

Start-up businesses could soon be provided a greater choice in their banking options following a proposed expansion by Australia Post into the financial services industry.

The Future Fund is reportedly in talks with the government about rolling out new ‘financial supermarket’ services in a bid to prop up ailing Australia Post branches.

David Murray, the Future Fund chairman, has been quoted as saying that Australia Post could provide services including deposits and loans, processing of financial transactions, an ATM network and even superannuation products.

The potential move will be watched closely by small businesses, which have consistently complained about a lack of choice and competition in the banking market.

The situation has become particularly acute in the last three years, with many lenders refusing to back start-up businesses. Although lending by the ‘big four’ banks has increased, a number of other funding sources have dried up, leaving fledgling entrepreneurs short of options in securing finance.

Council of Small Business of Australia chief executive Peter Strong told SmartCompany that he broadly supported the proposal.

"We've got to see the detail, but I would be supportive of that measure because it would create something new, and competition in this area is a good thing. We've mentioned our support for the portable account number before, and this is a good example of a situation where you could use it."

"In some parts of cities, you still need to drive to the bank and the parking is quite bad, it's too far away from your other destinations and so on. But if you have an alternative post-office nearby, which could even be a smaller venue, you may find that it's easier for you to go there."

"I also think it will make it easier for some SMEs in rural areas where there isn't a lot of competition. In terms of ease of access, this will make it much easier for a lot of SMEs."