A little $40 million bitcoin incident

In 1978’s Superman the Movie, Superman rescues Lois Lane in mid-fall from a helicopter. Safely depositing her on her feet, he says, “Well, I certainly hope this little incident hasn’t put you off flying, miss. Statistically speaking, of course, it’s still the safest way to travel.”

In the wake of the recent theft of over 7,000 bitcoin—about $40 million worth—from Taiwan-based cryptocurrency exchange Binance, I am inclined to say something similar: Don’t let this incident put you off Blockchain.

The recent heist was by no means the largest. According to The Washington Post, that honor goes to an incident in 2014 …

… when Japan-based Mt. Gox said that attackers stole nearly $500 million worth of the digital currency. And in 2016, hackers nabbed about $72 million in bitcoin from Hong Kong-based Bitfinex.

Yet financial institutions and fintechs are embracing, not fleeing, blockchain technology. JPMorgan Chase is expanding its blockchain project. There are some 40 central banks looking into blockchain as I write. And Medium lists 143 banks and 87 other types of financial organizations using blockchain.

When it comes to security, it’s important to remember that bitcoin and blockchain are not the same thing. As R. R. Hauxley pointed out writing for Crytomania:

Bitcoin is built on top of blockchain technology, and so are other cryptocurrencies. Blockchain technology is used way beyond cryptocurrencies. It has a seemingly endless number of applications in various industries.

As for the recent heist, Binance said in a press release last week:

We have discovered a large scale security breach today, May 7, 2019 at 17:15:24 (UTC). Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks. We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet. 

Phishing. Viruses. Other attacks. Perhaps Binance is hinting that what the hackers hacked wasn’t so much Binance as Binance users. For all its merits, blockchain isn’t impervious to human foible. 

With all but an admiring tone, Binance continued:

The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks.

Firms like Binance store a small percentage of cryptocurrency in what’s known as a “hot” wallet, that is, the data are online, as opposed to the balance stored offline in what’s called—and I bet you saw this coming—a “cold” wallet. That makes the cold wallet an inaccessible target for hackers, and the hot wallet an irresistible one. 

The hackers found their way into Binance’s hot wallet and obtained the data with a single transaction. But, not to worry, according to Binance: “The above transaction is the only affected transaction. It impacted our BTC hot wallet only (which contained about 2% of our total BTC holdings). All of our other wallets are secure and unharmed.” Moreover, all losses are covered by insurance.

The moment Binance became aware of the problem, which was almost immediately, the company halted all deposits and withdrawals for about a week because “the hackers may still control certain user accounts and may use those to influence prices in the meantime.” On May 15, Bitcoin announced it had completed its system upgrade and would “resume all trading activity” later that day.

Not surprisingly, the value of bitcoin took a hit in the wake of the hack, but it seems to have recovered for the most part. The same Washington Post article points out that bitcoin’s value has been declining since hitting its $20,000 peak a little over a year ago:

Even cryptocurrency investors unscathed by hacks and scammers are still feeling the pain of a market that has dwindled in value. At its peak, in December 2017, bitcoin was worth nearly $20,000, igniting a buying frenzy … By February 2018, bitcoin’s value was cut in half. Then in December, a year after its peak, bitcoin had fallen below $4,000, a drop of more than 80 percent. The rest of the cryptocurrency market soon followed bitcoin’s lead … As of [May 8, 2019], bitcoin was trading at $5,901.

But the value of blockchain as a technology is strong as ever. As Marc West and I wrote for Fiserv’s The Point,

There are many types of blockchains. Most either are permissioned (private) or permission-less (public). As the names imply, a permissioned design requires pre-established and approval-based access to create, manage, transfer or seal any digital assets. Permission-less blockchains allow for self-registry and identity-less access. For financial services, the most secure and practical type is a private blockchain. Only known participants and digital assets are permitted to use that type of network design … blockchain enhances security by ensuring all parties are known, all transactions are cryptographically verifiable and no private data ever leaves the institution.

So I hope this little $40 million incident hasn’t put you off blockchain. Statistically speaking, of course, it’s still a safe way to transact.

Posted in Uncategorized by Matt. No Comments

A year of open banking in the UK

In 2016, The Financial Brand took a forward look at open banking, claiming that it …

… would give both customers and businesses the freedom to access all bank data in real-time, ultimately giving them more accurate and up to date information on finances … customers will be able to compare and save on their accounts and have access to more personalized resources … Additionally, customers will have access to better loan terms …

“Of course,” the article continued, “an endeavor on this scale would take years to implement and the Open Banking Standard is expected to be fully implemented by 2019.” 

Spoiler alert: It’s 2019, and open banking actually launched in the UK in January of 2018. Now, a little better than a year in, the consensus seems to be that open banking hasn’t generated much action—yet—but that it’s coming.

If you know what open banking is (I suspect most readers do), I won’t be offended if you skip this paragraph. Open banking has to do with banks making financial data accessible to third-party developers. The idea is to catalyze development of apps to give clients a more accurate view of their financial data across multiple banks, let clients compare apples to apples when shopping financial products, and force legacy banks to become more competitive.

OpenBanking.org promises a … 

… way to new products and services that could help customers and small to medium-sized businesses get a better deal. It could also give you a more detailed understanding of your accounts, and help you find new ways to make the most of your money. 

To date, the response to open banking on the part of developers, banks, and bank clients underwhelms. Were you to read only the first few paragraphs of “resident thought provocateur” Leda Glyptis’s delightfully written piece for Fintech Futures, you might think that she has all but given up on open banking:

… despite millions spent with consultancies and many a project team working their way through tons of post-it notes, no real strategy for monetising Open Banking and the opportunities it affords has materialised.

The customers have sort of maybe used some aggregator apps, in numbers that suggest that “meh” is an accurate response to “is it working,” “how is it going,” “was it even a useful idea.” Even the startups building their USP on either facilitating Open Banking or leveraging the digital riches it opens access to, have not been as numerous as we expected.

Yet Finextra concedes open banking’s slow start but nonetheless piles on encouragement:

Despite the inevitable teething problems, the initial signs are encouraging, as banks up their game in the face of strong competition from innovative third party products and services.

… The Open Banking Implementation Entity reveals to Finextra that it currently has 118 regulated organisations in the Open Banking ecosystem and 200 firms waiting to join. Alongside this, in addition to the nine mandated banks – also known as the CMA9 – there are 40 banks using the Open Banking Standard.

And Investopedia continues striking a positive note:

… open banking helps financial services customers to securely share their financial data with other financial institutions. Benefits include more easily transferring funds and comparing product offerings to create a banking experience that best meets each user’s needs in the most cost effective way … It forces large, established banks to be more competitive with smaller and newer banks, ideally resulting in lower costs, better technology, and better customer service.

Coming around to the positive later in her article, Glyptis herself asserts that open banking marks the end of an era …

… defined by fortress mentalities, zero-sum-game commercial models and regulators who looked at what you’ve done and the checklists you employed to ensure you did it properly. Post open banking, the consumer comes first. Plus now we have to contend with sharing economies, transparency in fees and a focus on what is possible, desirable and a bloody good idea rather than “the way we used to do things.”

To her point, in an article posted by The Balance, Justin Pritchard believes that open banking promises an end to data collection via screen scraping; that it will create pressure on banks to be more open and competitive; and that it will lead to simplified accounting, business lending, and payments, and to services we may not yet know we need—which seems to be a hallmark of technological innovation these days.

Even after a year of “meh,” to use Glyptis’s word, expectations haven’t diminished since Laura Brodsky and Liz Oakes wrote this for McKinsey:

The potential benefits of open banking are substantial: improved customer experience, new revenue streams, and a sustainable service model for traditionally underserved markets.

Glyptis ends on this encouraging note: 

The path is non linear. The players are learning new games. New players are turning up. Old rules are shifting. And the world will change. Without a stampede, perhaps. Without a ta-dah moment. But also without the shadow of a doubt. And that is a good thing.

As the UK gains more experience with open banking, you can bet that traditional financial institutions, fintechs, third party developers, politicians, and regulators on the American side of the pond will be paying close attention.


The “mobile-first” nuance

Ah, spin.

When advertising agencies called on me in my prior job, I admired their ability to spin opposite traits as advantageous. For instance, larger agencies claimed they could better service our account because they had the needed internal resources. Smaller ones claimed they could better service our account because they were leaner, nimbler, and hungrier. Ergo, larger agencies could service better because they were larger, and smaller agencies could service better because they were smaller. Made perfect sense.

We’re seeing similar “logic” as more non-banks venture into the financial services arena. Traditional banks ride the perception that they’re better at banking because, well, because they’re real bankers, not, say, a phone company, search engine, or online retailer.  

But now, here comes T-Mobile with T-Mobile MONEY. One of their claims is that banking has gone mobile, so you’re better off banking with a mobile technology company and not a bunch of suits who rely on their elementary school-age grandkids to show them how to use their smartphones. 

I may have paraphrased T-Mobile’s position just a tad unfairly. Here’s how T-Mobile CEO John Legere put it, as quoted by Finextra: “Traditional banks aren’t mobile-first.” Definitely more professional, even though my way was funnier.  

Funny or not, Legere’s line is deviously clever in what it implies. It relies on the unstated major premise that a company’s roots determine its competence in other areas, which sounds reasonable enough provided you don’t think too hard about it. Shell gasoline, for instance, performs as well as any other brand even though the company started out as an antiques and collectibles shop specializing in, believe it or not, shells.  

And, for that matter, T-Mobile MONEY isn’t exactly bank-free. It exists in partnership with BankMobile, which is a division of Customers Bank, which happens to be—guess what—a traditional bank. The Verge describes it as “… a T-Mobile-operated face for … BankMobile.” 

Now, not every T-Mobile MONEY marketing claim is pure spin. The new entity offers some honest advantages that may have other contenders scrambling to catch up. All balances, no matter how small, earn interest at the basic rate. You needn’t be a T-Mobile wireless customer to be a T-Mobile MONEY customer—you can download the app to your computer or portable device regardless of your carrier—but if you are a T-Mobile customer there’s a seriously generous interest rate bonus in it for you.  

The interest rate bump and the “T-Mobile” in “T-Mobile MONEY” make it clear that T-Mobile wireless customers are a target market. But T-Mobile MONEY has no minimum balance requirements, charges no monthly or transfer fees, and charges no fees for overdrafts up to $50 that are paid off within a month. That may hold appeal for the roughly 8.4 million “unbanked” in the U.S., according to The Motley Fool:  

The company pointed out that Americans paid $34 billion in overdraft charges in 2017. That’s something the wireless carrier’s checking account seeks to eliminate, and that might make it a very appealing product for those who lack a checking account. 

The T-Mobile MONEY homepage bears the headline, “Not another bank. A better one.” That’s much better than, “This time we really mean it.” T-Mobile shuttered its first foray into financial services, Mobile Money, in 2016. At the time, PYMNTS.com reported:

The company’s Mobile Money service, which was launched in 2014, allowed customers to buy and add credit to a T-Mobile Visa card that could be used to withdraw cash at over 42,000 ATMs without a fee, Re/code reported. The service’s mobile app enabled its customers to use the account for paying bills, direct payroll deposit and depositing personal checks using their smartphone’s camera. 

T-Mobile is already of sufficient stature to become a serious contender in the financial services arena. It will be more so if (when?) the following happens, as per U.S. News & World Report:

T-Mobile, the third-largest U.S. wireless carrier by subscriber count, is awaiting approval of its $26 billion deal to buy smaller rival Sprint Corp, which it has said will give it scale to compete with market leaders Verizon Communications Inc and AT&T Inc. 

Definitely a mobile-first company.


Dark marketplace for fingerprints

I know a family that, some years ago, replaced their standard mailbox with a locking mailbox. Someone had stolen an order of checks from the mailbox and gone on a spending spree. The family, if you can imagine, didn’t care for that.

Those were the days. Now people are making a business of stealing and selling fingerprints.

A recent PYMNTS.com post reports that 60,000 fingerprints, complete with Social Security numbers and addresses belonging to the fingerprints’ rightful owners, are now for sale on the dark web. The dark website even has a brand name: Genesis.

Hacking fingerprint databases is not new. For as long as fingerprint databases have been a thing, bad guys have been hacking them. Nor is the volume of 60,000 records all that impressive. It’s an arguable trifle compared with the estimated 5.5 million fingerprints with Social Security numbers and addresses stolen in 2015, allegedly by Chinese hackers. 

What is new—and, I suppose, inevitable—is that a stolen fingerprint marketplace has emerged on the dark web. As you might expect, the media are reacting to the news with either panic or a yawn. 

On the panic side, there’s the what-if-someone-cuts-off-your-finger angle, which I dispatched in a post last October. But at the saner end of the panic side are some disturbing reports. According to the BBC and The Telegraph, it’s possible for thieves to capture and duplicate your fingerprints from a photo of you waving a peace sign. The latter reports:

Researchers at Japan’s National Institute of Informatics (NII) have found that fingerprints can be easily recreated from photos taken up to three metres away without the need for advanced technology. So long as the picture is clear and well-lit, prints can be mimicked.

My initial reaction was that there’s quite a gap between “can be” and “it’s happening.” That bubble did not remain intact for long. All it took was this, written by reporter Kari Paul for Marketwatch:

In a few short minutes last week, using a standard printer and materials easily purchased online, security experts from tech developer Synaptics successfully replicated my fingerprint onto a piece of paper that could unlock my iPhone’s biometric sensor. The hack could be pulled off by anyone with a “first year university student level of programming,” according to Synaptics spokesman Godfrey Cheng, highlighting a major potential flaw in biometric authentication, part of the new security solution that could someday replace passwords.

It’s a little harder to change your fingerprint than to change your password. By “a little harder,” I mean “pretty much impossible.” In his article “The Myth of Fingerprints” in the most recent issue of Smithsonian, Clive Thompson wrote:

How reliable were prints, though? Could a person’s fingerprints change? To find out, Faulds and some students scraped off their fingertip ridges, and discovered they grew back in precisely the same pattern.

Thompson also noted,

Indeed, criminals themselves were so intimidated by the prospect of being fingerprinted that, in 1907, a suspect arrested by Scotland Yard desperately tried to slice off his own prints while in the paddy wagon.

I would like to go on the record as not recommending that.

Adding to the panic side is the fact that the uniqueness of fingerprints is being called into question. That’s why an increasing number of law enforcement agencies are doing less fingerprinting and more DNA matching. But then, the assumption that “no two DNA signatures are alike except with identical twins” is also under question.

On the yawn side, using a stolen print on a device requires stealing the device at the same time, a stunt more easily pulled in a spy movie than in real life. There is also the question of stealing the right prints out of a possible ten, or twenty if you use your toes.

An appeal to spy movies may not be far from the mark. In the wake of the 2015 hack, Oliver Roeder of ABC News’s website FiveThirtyEight took a look at the practicality of using stolen fingerprints. He concluded:

… the most likely uses of the stolen prints are more about deep spycraft than petty phone theft, according to several experts I asked to theorize on potential exploits. Combine the old grade-school truism that fingerprints, like snowflakes, are unique (or at least pretty close to it) with the fact that fingerprints can’t be changed, and you’ve got a powerful identity authentication tool that could be used to great effect by a foreign intelligence agency.

But then, that was in 2015. In technology, four years is an eternity. It was only a year ago that The Atlantic reported, “That data doesn’t appear to have surfaced on the black market yet.” Now they have. And “… if it’s ever sold or leaked,” the Atlantic article had continued … 

… it could easily be used against the victims. Last year, a pair of researchers at Michigan State University used an inkjet printer and special paper to convert high-quality fingerprint scans into fake, 3-D fingerprints that fooled smartphone fingerprint readers—all with equipment that cost less than $500.

That’s progress. I guess.


The Money Pot

Thanks in part to Scotts Miracle-Gro, the payments industry might—might—soon be able to play ball with locally legal cannabis industries.

It’s that part about “locally legal” that until now has proved the problem. Thirty-three states and Washington D.C. have decriminalized cannabis for medical or recreational purposes, but the federal government hasn’t.

CreditCards.com summed up the dilemma this way:

Marijuana may be legal in your state. Does that mean you can pay for it with a credit card? … there are two answers to this question. The first one is, maybe—some marijuana dispensaries claim to accept credit cards. The second answer, though, contradicts the first one. According to numerous experts, the major credit card networks do not allow merchants to use their cards for marijuana purchases—they do not even have a merchant code for such purposes—and will shut down any account they find out of compliance with this policy.

The result is a burgeoning, profitable industry that has a difficult time getting banks and payment systems to take them on as clients. This represents a huge lost opportunity cost for the financial services industry. As Forbes reported,

Imagine an industry with $9 billion in sales—equivalent to the entire snack market —where only 30% of businesses had a bank account. That’s the situation we face today in the legal marijuana business. Hardworking commercial operators are struggling to find banks that will work with them, forcing these entrepreneurs to conduct most business with cash.

Not just financial institutions tread lightly around the cannabis patch. According to FindLaw,

You can run into problems with the CSA even if you’re not directly involved with the marijuana industry. If you provide services to a business that operates under state marijuana laws, you may also be violating federal law and thus subject to prosecution. So if you run a janitorial service and have a client that operates a dispensary, you may be profiting from illegal drug trafficking. The CSA also makes it unlawful to “knowingly open, lease, rent, maintain, or use property for the manufacturing, storing, or distribution of controlled substances.” So landlords that have tenants involved in state-permitted marijuana industry may risk federal asset forfeiture or other criminal fines.

Forcing cannabis dispensaries to a cash-only basis ironically creates potential for the very money laundering that federal law seeks to prevent. It also hangs “Mug me—I’m carrying cash” signs on the backs of merchants and customers.

The federal government has done an excellent job of confusing matters. In 2014 the Obama administration provided guidelines for financial institutions doing business with legal cannabis industries. But banks were slow to jump on the weedwagon and, it turned out, wisely so: four years later, the Trump administration re-tightened the rules.

Enough is enough, says the American Bankers Association in so many words. “While ABA takes no position on the moral issues raised by legalizing marijuana,” its policy position states,

… the time has come for Congress and the regulatory agencies to provide greater legal clarity to banks operating in states where marijuana has been legalized for medical or adult use. Those banks, including institutions that have no interest in directly banking marijuana-related businesses, face rising legal and regulatory risks as the marijuana industry grows. Current proposals in both the Senate and the House that seek to provide greater clarity and bridge the gap between state and federal law provide a solid starting point for discussion. We look forward to working with policymakers of both parties to find solutions that provide the legal and regulatory certainty banks need to best serve their communities.

As for Scotts Miracle-Gro, the company states unabashedly:

… we believe—at a minimum—Congress should honor the principles of federalism and states’ rights by passing legislation that respects the will of voters and state legislatures that have elected to adopt their own approach to authorizing the use of cannabis within their boundaries … state-licensed cannabis businesses should have access to banking and other financial services, operate with the same tax structure as other businesses and not be threatened by federal prosecution if they comply with state laws.

Scotts’s interest lies more in hydroponics than in fertilizer, which would have been my first guess. Last month, The Wall Street Journal reported,

Jim King, senior vice president of corporate affairs at Scotts, which owns the largest distributor of hydroponics equipment in the U.S., said his company doesn’t currently sell its U.S. products directly to marijuana companies. “If we tried to do that today, our banks would tell us, ‘No that’s crossing a line that we’re not comfortable with,’” Mr. King said of selling directly to the industry.

Meanwhile, the situation has spawned a host of work-around payments businesses such as NaturePay, Instabill, Dama Financial, PayQwick, Evergreen Gateway, Zodaka, Cannabis CardPay, and others.

It’s high time, no pun intended, for decriminalization. (Okay, yeah, pun intended.) A $9 billion industry isn’t going away. Let’s make it safe for all participants, financial institutions and payments systems included.
