My Bitcoin experience

You’ll have heard of Bitcoin and the possibly cryptically named cryptocurrencies that are generating some interest in financial circles, well, everywhere but the big banks.

Bitcoin and similar schemes represent an alternative to “fiat” currencies such as Pound Sterling, Euro, etc. You purchase Bitcoins on an exchange with either a web site or a smartphone, you find somewhere (or somebody) that accepts Bitcoin, they flash you a QR code and voilà, you’ve debited enough cash to purchase a smoothie.

It sounds simple, but even as an IT professional, I have to admit to struggling to understand it and the paradigm. How can a so-called “virtual currency” be trusted? What about the end user, the consumer who wants to pay for their shopping? Flashing QR codes and requiring a smartphone is perhaps too much for some (including me).

To help convince me, I was treated to lunch at Java Lounge in Douglas, one of a growing number of cryptocurrency-accepting outlets on the island. My host asked to pay by Bitcoin and was given a receipt containing a QR code, which was scanned by his iPhone app and the amount of the bill debited from his “account”. Pretty slick.

Rewind a couple of days

Which is sweet, if you’re an iPhone or Android user. As a Windows Phone user, I’m left with an abortion of an app which on first execution leaves the user with the screen:

"Addresses"

What am I supposed to do with that? Swipe right and I get to “log in”:


… with a GUID! Which I have to type on a smartphone keyboard!

Perhaps I should now mention that the Blockchain site I registered on briefly displayed a GUID which I struggled to later find to be able to enter in these fields. Which failed to log me in anyway.

Ok, maybe I was being dense.

Back to today

As a test, I have a small amount in my “account”. Well, it’s not an account yet, it’s just a QR code.


This was generated using the POS terminal, but is just as easily achieved using an “app”.

I now have to realise this as cash. So I go to the suggested website at Coinkite and “Sign up” to convert the voucher code on the receipt into currency in an account so I can spend it. Except that the web site’s “Sign up” form doesn’t work unless you use Chrome.

So far, we have a clunky replacement for a widely understood paradigm; complicated sequences of alphanumeric characters which form a check when transferring funds; a requirement to have an expensive smartphone for an optimal experience, as long as it isn’t a Windows Phone; and web sites which are so poorly written and opinionated that I can only use their preferred browser, not my own.

All in all, a failure.

Not so fast

There is a distinct feeling of libertarianism around cryptocurrencies. As was explained to me, the blockchains are self-validating and carry greater strength than the bricks-and-mortar banks. We are going to be able to really stick it to the man, the man who has been bailed out yet continues to transgress in selling scams, rate fixing and the like. It’s certainly an honourable endeavour.

But I struggle to see how we can pitch this to the regular guy on the street. For me, QR codes, restrictions based on what smartphone you own, complexities of understanding the procedure (which QR code do I scan?) and the trust people need that their money is safe create barriers to entry. Even acknowledging the evils of the banks and the iron-like grip companies like Visa have over our payment methods, the card is a well-known paradigm that has lasted since the old mechanical clunk-clunk credit card “machines” that created an imprint of your card on some tracing paper. Since then we’ve had magnetic stripes, Chip and PIN, card security codes and now Near Field Communication payments, all using the same paradigm (now that Apple are finally on board with this, cryptocurrencies might have an even bigger hill to climb). Hand over your card and swipe it, insert it or wave it wherever you see the “Visa” sign, which is, ahem, everywhere. Banks also have established account numbers, sort codes, IBANs, etc. I can remember these because they’re simple. 8 numeric digits is much easier than 34 mixed-case alphanumeric characters representing my “address” (I understand one doesn’t “remember” this code, just as one doesn’t remember the serial numbers on a bank note. My point is that it’s displayed within apps and therefore takes a slice of our attention).

Bitcoin et al. have many advantages. It is cheaper to use, it transfers the control of your money to you (or apparently, your smartphone) and it is “liberating”. But can you really pay your mortgage using it? I look forward to seeing someone attempt to pay their mortgage (which is somewhat akin to risk) using a cryptocurrency at a bricks-and-mortar bank that it competes with. I can perhaps buy a smoothie, or a pint at some selected (though increasing) outlets. Maybe it could ultimately replace cash, considering people tend to carry small amounts of cryptocurrency around on their smartphone. That seems a similar approach to risk as carrying wads of cash. They just need to make the transaction simpler.

As I said today, we need to see the payment paradigm simplified. Requiring certain apps on certain smartphones and web sites on certain web browsers is not good enough. I was shown a debit-card style card that one can use much like a Chip-and-PIN card, so the paradigm is getting closer, but I can’t use my Visa card in the Bitcoin terminal or vice versa. Even American Express uses the same terminal as Visa!

In conclusion, I do like the idea, but it’s way too complicated.

Chip and PIN safety is just smoke and mirrors

I’m no expert on credit/debit card safety, but I’m concerned enough to share my thoughts and experience based on recent “hacking” stories in the news and the complacency of retailers when storing your card data.

Chip and PIN is not more secure

From 2004, banks have been pushing the Chip and PIN “safety in numbers” campaign to encourage customers (and particularly merchants) to shift to the new Chip and PIN technology. Previously, a payment was authenticated using a signature on a receipt (either produced via swiping in a magnetic card reader or a physical imprint of the card details). This had a high rate of fraud due to the weaknesses in signature authentication and the ease with which cards could be cloned: the magnetic stripe became a single point of failure.

On the surface, it appears more secure. France saw an 80% drop in fraud when switching to Chip and PIN. The two-factor authentication of Chip and PIN (what you have, what you know) has significantly reduced card cloning; the user doesn’t have to hand over their card whilst worrying about double swiping, and their PIN is shared with their ATM PIN, so usability was maintained. However, card fraud has increased in the years since, resulting in the movement of fraud attempts rather than their elimination.

Without considering the vulnerabilities, four immediate problems come to mind.

Firstly, if you don’t enter your PIN correctly, the merchant will invariably downgrade to a Chip and Signature transaction. To the consumer, this mirrors the older process of signing the receipt. The difference is that the merchant has specifically opted in to using the less secure protocol and assumes the risk of fraud. (Given the attention I’ve seen sales assistants pay to the validity of the signature, I wouldn’t put any confidence in this mechanism).

Secondly, CCTV cameras are routinely aimed at the tills, for good reason. But these also collect what users are entering on PIN pads. Of course, we’re encouraged to conceal our entry with our other hand, but we do live in a society and this creates an implication of distrust of your fellow customer. If the card is then stolen, or cloned in some way by a compromised terminal, the “what you know” factor has already been captured on camera: your authentication is compromised even though your card itself is fine.

Thirdly, what confidence do we have that the terminal has not been compromised? Consider the new means of robbing a bank, from an apartment a few blocks away. Santander and Barclays were both targeted with inexpensive IT kit installed by supposed IT engineers which allowed direct access to banking systems. What’s to say the same technique hasn’t been employed, with a sales assistant being duped into allowing “upgraded systems” to be installed from “head office”? A man-in-the-middle device can trick a card into believing signature authentication was used even when an invalid PIN was entered, leaving the incorrect PIN count held in the card intact.

Finally, there is the competence of the merchant. Hotels and bars often hold cards “open” to allow for future drinks/etc. to be added to the account at the customer’s convenience. Theoretically, when the customer signs the receipt when the account is closed they would identify any anomalies (assuming they’re not drunk enough not to realise). I’ve managed to pay for two expensive cocktails in a 5-star hotel without entering my PIN or signing due to this account system being incompetently applied.

In all of these, the weakest link is the person, and it is most often the merchant at fault. Then there are the known exploits in Chip and PIN such as man-in-the-middle attacks (PDF), so-called “yes-cards”, offline authentication, card cloning for use abroad, electronic authentication downgrade and good old robbery.

Cardholder not present is still not secure

Cardholder not present (CNP) describes a transaction in which the merchant cannot verify the cardholder in person, typically when ordering online or over the phone, and so has to authenticate the card by other means.

There are various ways of “proving” the identity and validity of a card in this scenario.

Firstly, the Card Security Code (CSC) attempts to prove that the card is in the possession of the purchaser (note, not necessarily the cardholder) at the time of ordering. These are the three digits on the reverse of your card. The CSC is not encoded in either the chip or the magnetic stripe on the card, therefore a cloned card would not contain the CSC, rendering the transaction invalid. This can authenticate the transaction (and by implication, the validity of the card, if not the purchaser) but relies on the competence of the merchant to avoid these values being compromised. For instance, the PCI standard mandates that the CSC must not be stored within a database following transaction authorisation, so that it is not exposed should the database containing card data become compromised. The recent case of StaySure having their CSC data stolen shows that this is not guaranteed and the customer has no way of knowing. (Ask yourself, if the CSC is needed for an electronic CNP transaction, how can Amazon ask for this code only once and continue to bill your account?) This comes down to the reliability and trustworthiness of the web sites and the individuals running them. How does the company store your card data? Do they retain your data, and for how long? Are there opportunities for individuals within the company to access that data unencrypted? Are paper trails generated containing your card details? The web site is a sealed box into which you have no view of how your financial data is managed. Phone-based and mail-based orders may be written down, printed off and left in accessible piles on employees’ desks (which is why PCI mandates physical access security to cardholder processing areas).
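The two points above, that the CSC must not be kept after authorisation and that a card-on-file site can keep billing without asking for it again, as an added Python example (not from this post, and not any real processor’s API): the CSC is checked and handed to a hypothetical `authorise` call, and the only things the merchant’s store ever holds are a processor token, a masked PAN and the expiry.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed example, not from the post: a card-on-file flow where the CSC is
# used once at first authorisation and never reaches the merchant's own store.
# `authorise`, `CardStore` and the token format are hypothetical stand-ins.

CSC_RE = re.compile(r"\d{3,4}")

@dataclass(frozen=True)
class StoredCard:
    token: str       # processor-issued reference used for repeat billing
    masked_pan: str  # BIN and last four only, which PCI DSS permits at rest
    expiry: str      # deliberately no CSC field, so it cannot be persisted

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; star out the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def authorise(pan: str, expiry: str, csc: str, amount_pence: int) -> str:
    """Stand-in for the processor's call: a real one forwards the CSC to the
    issuer; here we validate its shape and return an opaque token, as a
    tokenising processor would. Nothing about PAN or CSC is derivable from it."""
    if not CSC_RE.fullmatch(csc):
        raise ValueError("CSC must be 3 or 4 digits")
    return "tok_" + secrets.token_hex(8)

class CardStore:
    """Everything the merchant keeps after a successful authorisation."""

    def __init__(self) -> None:
        self._rows: dict[str, StoredCard] = {}

    def save_after_auth(self, pan: str, expiry: str, csc: str, amount: int) -> StoredCard:
        token = authorise(pan, expiry, csc, amount)
        row = StoredCard(token=token, masked_pan=mask_pan(pan), expiry=expiry)
        self._rows[token] = row
        return row  # the CSC goes out of scope here; it was never stored

    def rebill(self, token: str, amount: int) -> bool:
        """Repeat charge by token alone: how a site bills without re-asking the CSC."""
        return amount > 0 and token in self._rows

    def dump(self) -> str:
        """What an attacker obtains from a leaked copy of the store."""
        return "\n".join(f"{r.token},{r.masked_pan},{r.expiry}" for r in self._rows.values())
```

A leaked `dump()` yields nothing that can be replayed as a CNP transaction elsewhere, which is the whole point of the PCI storage rule.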

Secondly, Visa’s “3-D Secure” authentication mechanism, known under the brands “Verified by Visa” and “Mastercard SecureCode”, whilst seemingly authenticating the cardholder by asking more pertinent questions directly related to the cardholder’s bank account, does not provide real assurance to the cardholder that it is indeed genuine. The technique used by the scheme requires a web commerce site to embed an IFRAME within its checkout process that acts as a “window” into the banking system, requesting extra verification data. However, the user does not necessarily know that the site within the window is genuine. A malicious web site may embed a false authentication site, the user’s computer may be infected allowing false authentication sites to be used, or DNS poisoning may be used to redirect valid authentication sites to malicious parties.

The Chip and PIN programme does provide benefits to the consumer, without a doubt, though these are largely based on usability. Any argument for increased security is a smoke and mirrors marketing campaign by the card issuers. Fraud has increased, particularly in Cardholder Not Present scenarios (coupled with weak IT security on the part of web sites), and attacks have merely shifted to alternative weaknesses as opposed to being prevented. The big winners are the banks, because they are able to transfer the risk of a fraudulent transaction from themselves to the merchant or the customer. Stringent merchant contracts allow the bank to transfer liability for fraud to the merchant should the merchant choose to downgrade their authentication, or to the cardholder if it can be proved that fraud was attempted. Interestingly, if a PIN had been entered, the banks refused to accept liability until 2009 even if the user denied having used the card.