
Thank you. Good morning, everyone. I apologize if a few of you were looking at the guide and saw my photograph and thought I was a bit younger; that was before Brexit and GDPR and the Trump election and many other things. But let me briefly talk, just for a second, about what I do. I have a pretty interesting job at Sophos, in that I get to do research and come to events like this all over the world. Unlike most of our folks, whose research is much more directed (the focus of the people who work in our labs is obviously reverse engineering malware and researching the whole ecosystem around how that works), my job is a little bit outside of that, and I get to kind of look at the bigger picture, at a lot of other things that interact with, and often finance or move forward, a lot of the criminal stuff that we're trying to block with our products. So things like IoT, or in this case payment systems, all have interactions with our customers and often fund and fuel cybercrime, but they may not be something that we're writing software to protect or selling a product about. So my team kind of looks at all these things around the edges that influence the stuff that we do.

For me, this particular topic started five years ago. I was doing a lot of research back then on credit card skimming malware, and it was a big problem, especially in the United States. As you know, the Target attack had just happened in America, millions of credit cards were being posted to the dark web on a regular basis, and we were seeing lots and lots of iterations of interesting malware trying to steal credit card data. Now that's mostly gone away. We don't really see much, other than, you've probably heard about Magecart; I know in particular, BA here in the UK, so there's still a little bit of activity out there, but most of the credit card skimming malware was gone. But while I was doing that research I just ran across so many interesting things that I had to kind of go down the rabbit hole and figure out how the entire payment system actually works from start to finish. They're not very well documented; they seem to be intentionally obfuscated. I presented on all this originally at BSides Vancouver in 2014, and there were just really interesting things, like if you search for credit cards on Twitter it's shocking how many you can get for free. People constantly post pictures of credit and debit cards on Twitter, including PINs. It's just weird, right? And we've actually seen a resurgence of old-fashioned skimming, like literally rubbing pencils over credit cards in taxi cabs and things like this around the world, rather than using high-tech methods. So there's just all kinds of weird things going on.

But how do these payment systems work, especially all these new things? Because not only do we all have chip cards, but we've got tap to pay, we've got payWave, we've got PayPass, in America they've got Venmo, now you can email people money, and in China they've got Alipay and WeChat Pay. There's lots of innovation happening in payments, unfortunately. I thought I'd start by looking at what the impact has been of this move away from the magnetic stripe and toward EMV, as it's known: Eurocard, MasterCard and Visa, who defined the chip standards. I did this presentation in Vancouver as well, for our BSides, and these were the numbers in Canada. It's pretty astounding, the impact that moving to chip has had in Canada. We adopted the new cards in 2008, so after you, but long before the Americans did. We can see that total fraud of all types went from 245 million dollars a year to 67 and a half million dollars a year after the introduction of the chip. Now, card-not-present fraud, though, doubled, which is of course what we would consider mostly all online transactions. I mean, I suppose a few of you may still shop by catalog and call phone numbers and give your credit card to agents, but almost all card-not-present transactions these days are Amazon and things like it, and we are seeing a pretty dramatic increase in the amount of online fraud because it's gotten harder and harder to do card-present fraud. I just found there are some interesting stats, so I had to do a lot of digging around: we're now doing 93% of our transactions in Canada via chip cards, and only 11% of fraud was people literally trying to make duplicate fake cards with stolen data they bought from criminals.

Now, the UK publishes slightly different stats, so I wasn't able to do an exact like-for-like comparison, but there is a government website here that tracks financial fraud and publishes a lot of numbers, so I was able to pull up a lot of it. Unfortunately, here, since the introduction of chip in 2005, which is when chip was mandated (most of you probably got chip cards in 2002-2003, when the banks started issuing them, but it was required for merchants to accept them in 2005), fraud was 427 million pounds, and total fraud now is up to 670, or 618, million pounds. Card-not-present fraud, like in Canada, went up, but not as much as it did in Canada, so it's kind of interesting to compare that. I don't know why that says "in Canada"; I have a typo, so I will pretend that says "in the United Kingdom", because that's what it means. The number is correct; the label is wrong, as I copied the previous slide and pasted it. Only 6% of fraud here was done via fraudulent or copied cards, and ninety-six percent is, well, they don't measure the UK specifically. MasterCard and Visa measure what they call Europe zone one, which is pretty much the EU member states, whereas Europe zone two is the kind of affiliated European states that aren't quite EU, so Ukraine for example is Europe zone two, whereas Europe zone one is pretty much every European country that you would think of. So, kind of interesting.

Here's card-present fraud. If we just take the card-present part out, and not the total fraud, in the UK there is a precipitous decline after the introduction of the ICC chips, or the EMV chips, which kind of leveled out here after about 2011. Card-not-present we can see slowly increasing over time, especially at the end of the chart, so this is really the preferred way to commit credit card fraud these days. Not trying to give you ideas if you're looking to become a credit card fraudster, but online is where it's at. And again, the counterfeits just dropped right off once everybody expected to see a card with a chip. I mean, it's not that it's impossible, it's just too difficult, not worth it. You always go for the low-hanging fruit, as we learn from the malware authors. And adoption in general is pretty much global now. There's almost nobody lagging behind except the United States, and that's its own bizarreness, and as soon as they catch up to us we'll probably see the magnetic stripe go away. I'll talk about that a little bit more with tap, because there are some interesting things.

Now, one of the problems with doing research in this area is there are a lot of acronyms. I mean a lot of acronyms, just crazy amounts of acronyms, and I'm not going to define all of these, but
there are a few of them that are kind of interesting when you're looking at it from a security standpoint. Of course CNP is card-not-present. PAN is the primary account number, so that 16-digit number on the front is called a PAN. The ICC is the technical name for the chip; it's an integrated circuit chip. We've got CPP, which is the way we usually detect that somebody's been compromised: CPP means common point of purchase. So when you suddenly see a whole bunch of fraud at a given bank, say Santander sees all kinds of people complaining about fraudulent charges, they go look for a common point of purchase, that all their customers shopped at the same place, and then they can figure out that it was the same shop on this road that must have had a compromised terminal and was collecting PINs, or whatever was happening that allowed the fraud to happen. I think the last really big fraud here in the UK related to this was the Shell gas station pumps in 2008-2009 that were rigged up to steal stuff, and we'll talk a little bit about that too, because there's been some evolution of the chip. It's the same chip, it's just implemented differently today than it was when it was first introduced here in the UK.

So a modern card, if we look at them, I mean, it's just a smart card, right? Like if you use a smart card to authenticate to a laptop. I was able to buy 10 of these on Amazon for $3.99. That's all a modern card is; it's the exact same chip. If you look at it, of course, the same chip; that's the same chip as well; it's the exact same design, the same concept. These little chips actually run an operating system. Most of the operating systems that run on them are written in Java, which is why they're so secure. And most of them are produced by Gemalto. I mean, Gemalto is the largest producer of chip credit cards in the world. Most of the credit card suppliers, mostly banks, excuse me, contract with Gemalto to provide the chips that are in their cards. And they're quite easy to read. If you have a tap card, if you have payWave or whatever, you can load up an app on your Android, an NFC card reader; there's a bunch of them out there, but you'll want to be careful which one you use, because it does get all the information for your credit card, and if you don't know who supplied you the app you may be in for a surprise. So, like myself, you may just want to be careful and use one that's expired if you want to play around with it. That's actually my credit card information right there, and what you see there is it says card AID, so that's an application ID. The little operating system has a file folder structure on it, and there are application IDs, and those application IDs define what types of things that card does. So technically a card could be a Visa and an Amex at the same time; it could present multiple application IDs to the payment terminal. And it does that if you have one of these, I don't know if you have them here in the UK, they have them in the States, we don't have them in Canada yet, the ones that are a credit card and a debit card in one card from your bank. It actually does that: it presents two application IDs to the payment terminal, and that's why the payment terminal then prompts you and says, do you want this to be a credit or a debit transaction? Because it's seeing that I've got multiple choices that I support for this transaction, because this card has presented me with multiple identities, if you will.

So if we're looking at this, right, you've got your payment terminal; the first thing the payment terminal does is query those application identifiers. Now, I've shortened this down a little bit; literally this is like a four-hour thing to explain if I had to go through the detail, but I'll give you the high level. It queries for those application identifiers and then it selects the supported one, and if there's more than one that's supported by that payment terminal it provides you with a choice. This is also why, if you have an American Express card, which is not very usable here or in Europe, if you put it in, the terminal sometimes says "application not supported" instead of saying "I don't accept Amex", because it's basically looking at those application IDs and going, I don't know what this one is, so I can't do that. So yeah, it may ask you to choose. It reads the application file locator to determine what kind of card details are on there, and so those files on the file system of that chip will present the primary account number, the expiration date, maybe the credit limit, all kinds of other details, including sometimes some transaction counters that can be used to trigger certain situations, that kind of stuff. It then moves into data authentication mode. So this is not where it authenticates you with a PIN; this is where it authenticates that the data itself hasn't been tampered with. The data on the cards is protected using different standards: sometimes it's digitally signed, sometimes it's encrypted, depending on the generation of card and what it supports, and I'll go into a little bit of the detail there. That only happens if it's an offline transaction. If it's an online transaction, it assumes that the bank in that online transaction is going to confirm the details at the bank end and know that the card is valid, so it doesn't bother to validate that the information on the chip hasn't been tampered with, because the bank should know if you send bogus data to them. And then ultimately, if all that passes, it goes to cardholder verification, which again is sort of a multiple-choice test.

You can see some of the details you can get from cards, what things they support, when you put them into these applications, because these identifiers are rather difficult to read for humans, so this app actually interprets them. The top one there is actually a Visa card; on the previous one you can see it supports dynamic data authentication and issuer authentication, meaning that the public key for the financial institution that issued the card is on the card. That means you can validate you're actually talking to the financial institution and not a criminal. And this other one supports some other features; we see it has terminal risk management, which is a way to try to determine whether the terminal itself that's performing the transaction may be compromised. So if you're offline, which doesn't happen very often anymore, and this is one of the reasons the gas-station attack worked at Shell here, they were doing offline authentication more, at least more than us; in Canada, where we have chips and use them, pretty much everything's online. I don't know of anything that's really offline. For a while the airlines were doing offline data authentication when you were buying a Pepsi or whatever on a flight; most of that's even online now that we have internet on board the jets, and everybody prefers online as it reduces fraud. But if you are offline, these are kind of the three stages. In the old days everything was just static data authentication, so the card presented the data to the terminal and it was digitally signed, and the terminal just
looked at the data and the signature and made sure that the signature hadn't been altered, and the certificate authorities were a pre-approved list issued by the card associations. They later moved on to dynamic data authentication, which pretty much every card in circulation today has. Nobody uses SDA any more; modern cards either have DDA or CDA. And in the dynamic mode there's some weird stuff, like you can tell that bankers made this up as they went and then forced technical people to implement it. There are some really interesting things. So rather than calling it a seed or a nonce or anything like that, we have an "unpredictable number", which I think is their way of saying random; it's nothing that should be serial. Now, of course, if you look into compromises of credit card chips, one of the things you'll find is that in fact most of the terminals don't use an unpredictable number, which means that you can actually compromise them, but they're supposed to use an unpredictable number. It sends that unpredictable number to the card, the card hashes the data plus the unpredictable number on the chip itself using SHA-1, and then signs that using, and this is in the spec, again, whoever specified a key length in bytes, a 248-byte RSA key, which if you do the math is nineteen hundred and eighty-four bits. It's not 2048, it's not 1024, no, 1984. I'm not sure if this is an Orwell call-out there. I suspect what it actually is, is that 64 bytes are needed for something else, and there's such limited memory in these chips that they had to cut 64 bytes out of the key to make room for something else they needed. But anyway, that's what they do, and that makes it replay resistant, right? With SDA you could just sit there and replay transactions, because it's just checking that the data was signed and hasn't been altered, whereas with dynamic data, because of the unpredictable number, you can't replay a transaction, because that number should be unpredictable. When it is predictable, you can replay a transaction, and it's happened.

Lastly, and this is what most things should use these days, and they changed the terminology again: now we don't have an unpredictable number, we have a 64-bit nonce. The card sends that to the terminal; the terminal then generates its own unpredictable number, but not a nonce, because we copied and pasted from the other spec, combines that with some padding, the original nonce and headers, and encrypts it using an RSA public key. And then the card decrypts that to check that the original nonce is right, to verify that the terminal has done the transaction. So, kind of a little more complicated.

Then we move on to verifying you, the cardholder, and these are the four most common methods. So this is called CVM, or cardholder verification methods. We have online PIN, which is kind of what we prefer; maybe once we go through how online PIN works it's not quite as good as it sounds, but nonetheless. Of course, the PIN entry device collects the PIN, often encrypts it, and sends it to the next hop for PIN verification. Offline PIN does it in the chip, and this is another vulnerability. Researchers here, almost all the research on this for vulnerabilities has been done at the University of Cambridge, and some really great stuff; go out there and look at it, they've got some YouTube videos. They overplay it a little bit, but it's still foundationally great research on what the vulnerabilities are in the chip system. But offline PIN, of course, sends the PIN to the card, the chip on the card, and says, is the PIN right? And of course the problem there is you can put a shim over the top of the chip and just respond "yes" no matter what PIN was entered, and the terminal goes okay and does the transaction. The Cambridge students actually demonstrated that in the canteen at Cambridge, where they built one of these shims for a legitimate credit card for a BBC filming, to show that they could just put 0000 in for the PIN and it would try and do the transaction even though that PIN wasn't correct. It's a little cumbersome, it's a little awkward. I don't believe that there's ever been proof that it's been done in the wild; there have been suspicions that some criminals may have done it. It's not terribly expensive to do, it's just complicated, and whenever you're doing card-present fraud there's a much higher risk of ending up in handcuffs, so criminals really prefer card-not-present fraud, because you don't generally end up in prison. And then there's offline PIN, encrypted, so that obviously implies that the normal offline PIN method isn't even encrypted: literally, the terminal sends the clear-text PIN to the chip and goes, is this right? Whereas in the other mode it will actually encrypt it using the RSA public key that's on the card, and then the card of course keeps its private key in the secure element in the chip, to verify that things signed with its public key were in fact enciphered for it. And lastly, of course, signature verification, which they're still really fond of in the United States; everything ultimately falls back to signature. And both Visa and MasterCard now no longer require a signature for signature verification, so I call it "no verification", because you don't actually need to sign even when it says sign. They realized what a farce that is, and that nobody's ever verified a signature, in that people aren't handwriting experts, so they just kind of went, yeah, you don't have to bother with that, we just accept it.

So, online PIN verification: it sounds good until you start looking at how it actually works. You put your card into the terminal, the terminal collects the PIN, and it basically sends it to the acquirer, or often there are third parties before the acquirer that that terminal is contracted to work with. So when you see the name on the terminal of the bank or the company or the financial institution, usually that's the first hop right there; they're considered the acquirer. The problem here is, you see that it's encrypting and decrypting at every single hop along the way. It's not encrypting it to the bank; it's not using the bank's public key, which is on the card. It could, but it doesn't, and it will basically use a key that's hard-coded in the terminal, a static key, to encrypt it to send it to the acquirer. Then the acquirer decrypts it, uses another static key to send it to the next hop, to the next hop, to the next hop, to the next hop, until it gets all the way to the issuing bank (that's what the CIB is, card issuing bank). They verify if the PIN is correct. So anywhere that there's a compromise, anywhere in this entire ecosystem, your PIN's toast, because they all have access to it all along the way
at each hop. Not incredibly well designed. If you want more on that, there's a URL; I'll make all this available. If you want it sent, please talk to me afterwards, and if BSides isn't providing it I'm happy to give you a link or point you to it. We're happy to share everything I know, including the source materials for a lot of this. I had to do a lot of digging; they don't publish much. I found, like, open FTP sites with white papers on them and stuff; it was pretty interesting.

Then it goes into the risk management mode. So you've got processing restrictions: maybe this card is only able to be used in online mode, it can't do offline mode, or, you know, there are lots of different kinds of analysis that can go on here. Like, if you use tap, cards are often set so that you can only tap five times before you have to enter your PIN again. So if you tap twice and then you go to a chip transaction somewhere, it'll just keep working, but there's a risk management thing going: after five taps, I'm going to make you enter a PIN somewhere, because somebody might have stolen your card, or somebody might have tapped your card five times on the tube with a reader. And that limits the fraud, right? Because you can only do a hundred pounds per tap, and that means you could really only have 500 pounds of fraud if you can only do five taps before you require a PIN verification. So there are a lot of these risk management limiters that are built into the decision-making process during a card transaction, and ultimately, in the end, they make an online/offline decision. Sometimes there may be a requirement for online, and if needed they do it online.

So this is kind of how it works. If you read in the data from the chip, the encryption used is two-key triple DES, so don't confuse that with six DES; it's DES three times with two keys, which has its own extra flaws. And then it takes kind of the cardholder data, most of this stuff, so transaction counter, profile IDs, all this stuff, and combines it with some of the data from the terminal: how much money is this transaction going to be, what is the unpredictable number, which currency code are we doing the transaction in, all that kind of stuff. And it combines it all into an application request cipher, so it's sort of like a little encrypted token that represents this transaction, with all that data that was put into it. And then the card takes that, sends it to the terminal, the terminal passes it to the acquirer, and through that whole chain that I showed earlier, until it gets all the way up there. Ultimately the issuing bank gets it and has to decide whether they approve the transaction. Usually they're going to be storing all these keys in a hardware security module somewhere, so when they're minting cards, they're issuing private keys, private/public key pairs, to each card, and then they keep copies of the keys in their HSM at the bank. So they verify the restrictions, make sure you're not over your credit limit, they do all that kind of stuff, they grab the keys to do the decryption itself, to validate that, yes, the card signed this transaction, it was definitely issued by this card. They decide their response, and then they do a response cipher. So they generate a response cipher, encrypt that using the public key of the card, and then it gets passed back through the chain. So in the middle, these guys have no idea what's in these ciphers: they don't know what's in the request, they don't know what's in the response, because it's encrypted from the bank to the card and from the card to the bank. And if it's approved or denied you get two different responses here. So if the card gets it back and reads it and goes, okay, the bank approved this transaction, it's valid, it sends a certificate to the terminal, and that certificate basically is what allows the terminal to collect the money from the bank. They have to have that to prove it; this is the proof that that encrypted transaction happened and you owe me twenty-nine pounds seventeen, or whatever the transaction was. If it's denied, when it decrypts it, it sends basically the equivalent of the certificate that's a denial back to the terminal, saying the transaction was declined.

Now, tap to pay is very similar. It's mostly based on the EMV standard, with some caveats, and these are the primary ones. In Canada we have what's called Interac Flash, which is our debit system, but mostly internationally we see PayPass, payWave and Amex. Amex actually had a brand for a while for their tap, and then they got rid of the branding, I'm not quite sure why. But really there are not a lot of other tap systems out there; they're all pretty much one of these three. And there are two modes. Again, we have to accommodate Americans, because we like their tourist money, so we all want to accept their credit cards, but they're also still in the Stone Age and refuse to use modern technology. So most of us, when we tap, end up doing what would be the EMV version of tap, but the terminals often still support something called MSD, or magnetic stripe data mode, because the American cards don't have EMV chips, so there's no way to do EMV, because there's no processor running Java, so they have to do something simpler, which is just hard-coding the magnetic stripe data off the stripe into the tap chip, which is exactly what it sounds like. It's really being phased out quickly now, though, now that the U.S. has officially transitioned; even though the cards are all chip in America now, the terminals aren't, so they're kind of halfway there. But that means their cards, when they come here, can do EMV mode now, so this is slowly being phased out. I wasn't able to find any data on whether it's already been phased out here in the UK. I believe it has; I think you guys went earlier. We're so dependent on Americans spending money in Canada that we extended our willingness to accept this insane mode of operation until this October, and we're finally cutting the cord, because most cards are there.

One of the differences, of course, between tap and chip-and-PIN is, it's not that there's no non-repudiation, it provides non-repudiation, but there's no issuer authentication, because they don't want you to have to sit there and hold the chip on the terminal while it talks to the bank and the bank responds and the request token comes back and all this stuff. Because you tap and walk away, there's no ability to validate that
the response was signed by the bank so you do lose issue or authentication it's not known to be abused but it is a weakness in tap that's not present in a valid chip transaction I'm a big fan of tap to pay because of all the risk limiters in it and the fact that as a consumer you have zero liability no matter what goes wrong so you know it's a hundred pounds per tap and and I don't have the data in here that the CVV changes every time you tap the card so if I tap you on the subway I do get your magnetic stripe data ultimately I get the pan number I get the expiration date
I get a dynamic CVV though so even if I want to go and buy something at Tesco with the tap fraudulently I'm limited to that one tap because then the CVV changes and and I have to go tap your card again to get the next CVV so it's kind of limited based on the bank's transaction counter limit how many taps will they allow before they require a pin is kind of the limiting factor because I could go on the tube with my Android and tap your button five times get your next 5c Vivi's with the card data four tap transactions but now one I'm gonna race condition with you if you go use your card you'll skip ahead
to a more recent CVV in the banco go all those other ones are invalid so I have to do the fraud before you use your card again if you do a chip transaction anywhere I also will get locked out they'll know that and there's a high risk of being caught and I'm only going to get a hundred pounds and it's just not worth going to prison for a hundred pounds so I think that's why we don't really see much tap fraud and the convenience of it can't be beat now I prefer to Pat tap using my google pay I'm not an Apple guy but I either way they're both the same thing and they you know everybody
thought Apple just did amazing things when they launched Apple pay what Apple did was implement part of EMV that everybody else was too lazy to do the EMV spec has had Apple pay in it since like five years before Apple implemented it it's been part of the standard forever but nobody ever implemented it and Apple was the first to implement it branded as Apple pay of course Google pays the exact same technology branded as Google pay and it's a little bit a little bit different the primary thing is that middle bullet right I mean the the we haven't really seen use yet of the first but you may see it so back to the hundred pounds the theory here is
Your iPhone can say, "I did facial recognition to unlock the phone," and pass that along with the transaction, or you fingerprinted the Touch ID, or you did the fingerprint on your Android, or whichever. You can say there was a biometric authentication, you can say there was a PIN authentication, and the banks theoretically want to be able to increase that spending limit. They want to say it's okay to buy a flat-screen TV at the electronics store via tap without a PIN because you used your fingerprint to unlock your iPhone or your Android. They're not doing it yet, to my knowledge; I'm not seeing it, it's certainly not on my phone, I'm still at a hundred bucks and it tells me I have to enter a PIN or use my card. But that's one of the things it supports that could, in the future, be more convenient again for us when we're paying with our phone devices.

It also uses tokenization, which is the most key thing for preventing fraud, and I'll explain how that works in just a second. And it also communicates to the user whether it was accepted or declined, kind of stopping some of this replay kind of stuff that can happen where you might fraudulently convince a terminal that something was accepted. Because there's out-of-band communication, right, the bank can talk to your phone over the internet and your phone's talking to the terminal via tap, there's sort of two separate communication channels. That prevents more lying and fraud kind of things and allows more verification.

So if we look at it, in essence, when you register your card with Apple Pay, what you're really doing is registering a token that represents the card information, that doesn't actually contain the card information. And those tokens are generally now being... I think initially Apple was doing some special things with certain banks and things; these days any bank that wants to support Apple and Google Pay basically is contracting out to MasterCard and Visa. MasterCard and Visa provide this tokenization as a service, and the great thing is they can issue multiple tokens for the same card, so you're not in this situation where your credit card gets cancelled and all of a sudden all your automatic billing stops, right? You could have multiple tokens represent the card, and if the token's compromised for some reason you can just kill that token, and maybe other tokens can continue to live with that card information.

So this is sort of the registration process, right: you put your card data on your phone, your phone registers with Apple or Google Pay, they go get a token, send the token back to the phone. Now, I say multiple tokens: if you have two iPhones, you could register that card on a second iPhone, you'll get another token that's distinctly different, but it still represents the same cardholder information in this database, which basically is just a mapping of those tokens to PAN numbers from the issuing banks. And then when you go to use it, the terminal never gets any of your card data, and that's the best part of it, right? The phone presents the token to the terminal, and the terminal has to use the token as the identifier for the transaction. In the process, the terminal sends it to the token service provider, usually Visa; they go look up the token, figure out what card number it is, send the transaction data with the card number to the issuing bank; the bank goes approved or declined, it goes back, and then Visa signs the token, sends it back and goes, "it's all good."

So the benefit of this also is the issuing bank doesn't know where you're shopping. Privacy: only Visa, the token issuer, knows the issuing bank and where the transaction came from, and so as long as you trust them to keep the tokens secure and not sell your information (which, so far, it looks like there's going to be legislation to prevent, and they don't appear to be selling it at the moment to my knowledge), you're also getting a lot more anonymization. You would be surprised how much money your bank makes reselling where you shop to companies out there.
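To make the token flow described above concrete (and the later Q&A point that the token is bound to the transaction data by a key the terminal never holds), here is a constructed Python model. It is an added example, not the speaker's material and not Visa's or Apple's actual implementation: the PAN, merchant and token formats are made up, a symmetric HMAC key stands in for the per-token cryptogram key a secure element would hold, and the issuer is a one-line stub. What it shows is the property the talk relies on: the terminal only ever sees a token, it cannot re-sign a tampered amount, a replayed presentment is rejected, and one token can be killed while a second token for the same card keeps working.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, p: dict) -> str:
    """Bind the token to this transaction: HMAC over token, amount, merchant and
    the terminal's nonce. Simplified stand-in for the cryptogram a secure element
    computes (assumption: symmetric key, not the real EMV key derivation)."""
    msg = f"{p['token']}|{p['amount']}|{p['merchant']}|{p['nonce']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Visa/MasterCard role: owns the token -> PAN vault; the PAN never leaves here
    except towards the issuer."""

    def __init__(self, issuer):
        self.issuer = issuer   # issuing-bank callback (constructed stub)
        self.vault = {}        # token -> {"pan", "key", "active"}
        self.seen = set()      # (token, nonce) pairs already authorized (replay check)

    def issue_token(self, pan):
        """Provisioning: every device registration gets its own token and key."""
        token = "TK" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.vault[token] = {"pan": pan, "key": key, "active": True}
        return token, key

    def revoke(self, token):
        self.vault[token]["active"] = False

    def authorize(self, p):
        """Called by the terminal with the token presentment only."""
        entry = self.vault.get(p["token"])
        if entry is None or not entry["active"]:
            return "declined: unknown or revoked token"
        if (p["token"], p["nonce"]) in self.seen:
            return "declined: replay"
        if not hmac.compare_digest(cryptogram(entry["key"], p), p["cryptogram"]):
            return "declined: bad cryptogram"
        self.seen.add((p["token"], p["nonce"]))
        # Only now is the real card number used, and only between TSP and issuer.
        return self.issuer(entry["pan"], p["amount"])


class Wallet:
    """The phone's secure element: holds a token and its key, never the PAN."""

    def __init__(self, token, key):
        self.token, self._key = token, key

    def present(self, amount, merchant, nonce):
        p = {"token": self.token, "amount": amount, "merchant": merchant, "nonce": nonce}
        p["cryptogram"] = cryptogram(self._key, p)
        return p


class Terminal:
    def __init__(self, tsp, merchant):
        self.tsp, self.merchant = tsp, merchant

    def tap(self, wallet, amount, tamper_to=None):
        nonce = secrets.token_hex(4)       # terminal's unpredictable number
        p = wallet.present(amount, self.merchant, nonce)
        assert "pan" not in p              # the terminal only ever holds the token
        if tamper_to is not None:
            p = dict(p, amount=tamper_to)  # a dishonest terminal has no key to re-sign
        return self.tsp.authorize(p), p


def make_issuer(limit):
    def issuer(pan, amount):               # constructed stub for the issuing bank
        return "approved" if amount <= limit else "declined: over limit"
    return issuer


def demo():
    tsp = TokenServiceProvider(make_issuer(limit=500))
    pan = "4111111111111111"                        # constructed test PAN
    phone1 = Wallet(*tsp.issue_token(pan))
    phone2 = Wallet(*tsp.issue_token(pan))          # same card, second device
    till = Terminal(tsp, "coffee shop, Warwick Road")
    r = {"two_tokens_differ": phone1.token != phone2.token}
    r["phone1_ok"], p = till.tap(phone1, 4)
    r["replay"] = tsp.authorize(p)                  # same presentment sent twice
    r["tampered"], _ = till.tap(phone1, 4, tamper_to=900)
    tsp.revoke(phone1.token)                        # kill one token ...
    r["revoked"], _ = till.tap(phone1, 4)
    r["phone2_still_ok"], _ = till.tap(phone2, 4)   # ... the other keeps working
    r["over_limit"], _ = till.tap(phone2, 900)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `seen` set is the replay case from the talk: the bank-side decision is made once per (token, nonce) pair, so re-sending an accepted presentment does not buy a second approval, and the out-of-band confirmation to the phone comes from the TSP/issuer path, not from the terminal.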
When I was looking into Venmo in the States, it's estimated that Venmo makes $400 per customer per year just selling their transaction information. So that's very valuable information; it's very valuable to your privacy, and tokenization is your friend.

So, a couple more things, and then I'll take some questions and we'll wrap up. Some of the new wave of stuff: I mentioned Venmo. There's... well, you know, PayPal ultimately bought them. Now Venmo, it was meant to be a social network for payments. What could possibly go wrong? And it has gone wrong, and in brilliant ways, but some interesting things about it. So that social network idea is literally: you share your contact list, of course, with them (oh, why wouldn't you?), and then you know all your friends that are using Venmo, and it's like, "Hey, Harry just bought coffee at the Costa coffee shop on Warwick Road, and wouldn't you want to buy a coffee there, because Harry's a trendsetter?" This kind of thing, I guess, is the concept, and apparently it works; they make a lot of money off of the social network aspect of it. And sharing your payment information, of course, is on by default, as it would be; you don't have to opt in to do this. If you subscribe to them, though, you broadcast to everyone you know, by default, everywhere you shop, because sharing is important.

And oddly, people get frauded a lot on it, because it's a ledger-based system, meaning until you cash out, the money is sort of virtual. Let's say I owe you a hundred bucks for the beers we had last night at the speaker dinner. I then Venmo you a hundred bucks; I have a hundred bucks in my account or it won't let me. But then I spend 100 bucks somewhere else, or I withdraw the hundred dollars before you withdraw the hundred dollars I sent you. That money's gone now; you won't get it, because it's not a real-time thing where the money actually leaves or enters your account. It's a coupon, and until you cash in the coupon, you don't have the money. And people don't realize that; they let it accumulate in their Venmo account and then fraud happens. And mostly this is happening, from what I can tell, through Craigslist and these types of things. Somebody goes, "Yeah, I'll buy your MacBook. Hey, can I Venmo you the $1,200?" "Oh, sure." And of course the person takes the $1,200 out long before you get home and think to cash the twelve hundred dollars out of your Venmo account, and the money's gone. They do limit it to three thousand dollars there, and, you know, now that PayPal owns it they've been tightening it up a little bit; there's now governance involved and it's not just six jocks in Silicon Valley running it. So now that lawyers got involved it is getting a little better, but there's a lot of holes in this system.

And I just found that $400 a year thing about selling the social network information just fascinating, right? I'm guessing your bank isn't as smart as Venmo in making money on your transactions, because they were smart about marketing this to the merchants, going, "You should accept them, because people will know when other people are shopping here and it'll be a trend-setting, cool kind of thing for more people to shop at your establishments," and using that to market to them and do ads inside the app and things like that for nearby establishments that your friends just frequented, trying to get you to go there. So there's some profit in that; we'll see how it all plays out. I mean, the biggest user of it in America is Uber; Uber accepts Venmo, a lot of people like to use it for their Uber. Uber is another topic.

Five safety tips: I found this just kind of an interesting thing, basically telling people the most important thing is only use Venmo with people you trust, because it's so easy to scam you and take the money out before you get it that you really shouldn't use it except with your friends. People are weird with this stuff. I found apparently it's a really hip thing to do to pay your rent with Venmo now in America. They clearly don't live in Vancouver, because you wouldn't be able to pay your rent if there's a $3,000 limit. I don't quite understand it, but I guess part of it is, I don't know the situation here, but in Canada at least our banking system allows us to do what we call e-transfers. I can e-transfer money to anybody else in Canada, so I'm not quite sure why I would want to trust these guys. But people are.

If you travel to China you won't go very far without seeing Alipay and WeChat Pay. Or Vancouver, for that matter; we have such a large Chinese population, almost everybody in Vancouver accepts Alipay or WeChat Pay now, just because of the huge quantity of Chinese tourists we have. And interestingly, the last time I was in China, homeless people have QR codes. Nobody has cash anymore, so literally, if you want to give two dollars to the homeless guy, you scan his QR code and Alipay it. Kind of weird. It's used for almost everything, but this is also part of this social credit system, right? They want to; by using these things they literally can find out everything about you. And you can use your WeChat Pay as an identifier at the doctor's office, the ER at the hospital, to receive treatment; you can pay your traffic fines, your travel tickets, all kinds of student loans. I mean, it's used for just about everything. They're starting to reach out a little further now, but you can't use this, most people in this room; unless you're a Chinese citizen, or a resident or citizen of the PRC, you cannot sign up at the moment. So it made it rather hard to do deep research, because I couldn't really use it; I had to kind of anecdotally look into what others have done, in particular researchers in China. They are starting to expand a little bit, though. I was in Hong Kong last week and it's starting to take off a bit there.

A lot of these things always seem to be filling a market gap. The reason they exist is, you know, around here, everywhere I go I can use tap to pay, and so I don't need Venmo, I don't need Alipay, right? Everywhere I go I can just tap here in the UK, so there's no need for these guys to rush in and fill a market thing. Whereas in the U.S., sending people money is really hard because the banks don't talk, so this Venmo thing took off because people don't have an easy way to transfer money in it. And very similarly in Hong Kong, it's just not seeming to get much traction. In Hong Kong most people use what's called the Octopus card; it's basically your Oyster card they use for transit, and you can just put $100 on your Octopus card and use it at Starbucks or McDonald's or wherever you're going. You use that as tap to pay in addition to credit cards, so people aren't really adopting Alipay and WeChat Pay in Hong Kong and Singapore, even though it's launched there, because there's no market gap, I think.

And boy, the privacy implications of this stuff are just astounding, right? And I think, looking forward from my perspective, any payment system of the future has to be tokenized. I don't really care who runs it. I mean, I think MasterCard and Visa are a cartel, but the fact is the tokenization that they allow Apple and Google to use, Apple and Google Pay, provides me a level of privacy unrivaled by anything else next to cash. So I'll take that trade-off; my risk management says that's a good deal. Less so with tap to pay, and even less so yet with in-person merchant transactions, because my bank does see everything I'm buying, and that has a lot of privacy implications to me, and you know they're gonna monetize it unless we outlaw it; it's just inevitable. So we have to consider these risk management decisions, no different than the terminal considers risk management when it's accepting a card transaction. And that's kind of how I feel about this at the moment. You know, I really love my privacy and I'm just not willing to give it up unless I have to. And cash is king; I mean, in the end, cash is king. If you really want your privacy, don't use any of this crap, use cash and guard it carefully, and if you're uncomfortable carrying around large sums of cash, I'm a big, big fan of Apple Pay, Google Pay and their equivalents. I didn't talk about Samsung Pay; they're an important partner of Sophos and I shouldn't say things about them that aren't nice, and we'll leave it at that.

I've got maybe a minute or two for questions, and then we can get this back on track for timing. If not, I would love to have a beer with you guys later or something and have a chat. I stepped into the light. Yes, ma'am?
So, sort of like the Amazon shops that they open in Seattle? I have no idea how they're doing that; I wish I knew. Maybe I'll come back in five years with my update again and I'll know about that. But I mean, yes, there are quite a few shortcuts, because time is super important. In fact, there's a new tap-to-pay standard, not very implemented yet, that Visa just proposed, that is supposed to shave another two seconds off of transactions, even for chips, so you don't have to leave the chip in the machine as long. Again, skipping issuer authentication, some other things, and going, "The fraud rates are so low, we'll accept the risk level just to get customers out the door." Without having their chip in the terminal for five seconds, we'll cut it to two seconds. Just satisfaction kind of stuff. Yes, sir?

This token is stored in the secure element, and it's signed with the transaction data when it's sent off, so even if the terminal wanted to, it doesn't have the keys to sign. And the keys are stored... so if the HSM were compromised at the bank, that would be an issue, because then all the private keys would be known and other people could sign the token. But only the card has the private key, and the HSM has the private key, and the card's private key is stored in a secure element, which is supposed to be impenetrable. I'm sure there's research showing it's not, but it's incredibly difficult. I'll take one more, and I want to move on for the next speaker to set up.

Hey, sorry, have I looked at M-Pesa? Oh yeah, I know, I haven't. It's leapfrogged all these... its service allowed the whole... is completely... my reaction should suggest that, no, I haven't looked into it. You put money in your bank and then you text all your money, basically. Sounds terrible. Well, that's why I want your thoughts. I mean, SIM swapping, right? I mean, like, well, reading and sending someone else's text messages is not... yeah. And I know that; I've been following the... how much, you know, because they've had fraud for so much longer, and SIM swapping, because of the financial transactions being done over text message, they're much more aggressive about it. It's like someone that can only have, like, to a very... changed. Yeah, I would like to look into that; I have not.

One example is in the police force, and the average wage has gone up by thirty percent, because it used to be the local area chief would pass on their wages, but now that they can get paid directly through M-Pesa there's no longer the skimming. So yeah, the social impacts of this stuff are really interesting. You know, back to China as well with the, you know, Alipay and WeChat Pay and social credit system stuff: before the social credit system people didn't see any harm in doing this, and it just accelerated everything so much compared to cash transactions; everybody was in. And then, now that everybody's in, the whole thing's been turned on its head and become this privacy monster, and there's no leaving. So that's another... sometimes these things can be a trap if they're not designed well, as well. But I'll leave that for the future; I'd love to chat with you later. Thank you very much, I hope you enjoyed that, and I'm happy to chat later.