Financial Cryptography

The mystery of Ireland's worst driver

Chris Walsh spotted this:

The mystery of Ireland's worst driver

Details of how police in the Irish Republic finally caught up with the country's most reckless driver have emerged, the Irish Times reports.

He had been wanted from counties Cork to Cavan after racking up scores of speeding tickets and parking fines.

However, each time the serial offender was stopped he managed to evade justice by giving a different address.

But then his cover was blown.

It was discovered that the man every member of the Irish police's rank and file had been looking for - a Mr Prawo Jazdy - wasn't exactly the sort of prized villain whose apprehension leads to an officer winning an award.

In fact he wasn't even human.

"Prawo Jazdy is actually the Polish for driving licence and not the first and surname on the licence," read a letter from June 2007 from an officer working within the Garda's traffic division.

Map showing Poland

"Having noticed this, I decided to check and see how many times officers have made this mistake.

"It is quite embarrassing to see that the system has created Prawo Jazdy as a person with over 50 identities."

The 20th Century of Central Banking is over.

If there was a post-of-the-month award, this would be it. Over on Digital Money, David Birch reports on how the banking world is waking up to the changing map:

... was [the panel's] position that technology is no longer an issue and that (first) regulation and (second) business model are the key challenges.

You've have to read the lot to get the context. Now, Dave knows all this stuff, but he reports from the center. So unfortunate truths are only allowed to be written about by fringe observers like myself, we have to wait a decade or so before the light from the writing on the wall reaches into the dull committee rooms of the central bankers.

So it transpires that the decade of unfortunate message is now drawing to a close. Bad news is piling up, a bit like a crisis of financial truths. Firstly, the above point that technology of banking is cheap and easily replaceable, if not exactly fungible. And, now the second point: Payments and banking are decidedly different beasts, and can and will be separated from each other:

Incidentally, since Robert was on the panel, I couldn't help but mention John Reed's famous statement that "one day, banking will be a line of code in a big network" when I asked a long and boring question about what is meant by "banking" and what the goal of banking about banks might be (if not something concrete like reducing the total social cost of payments). I was trying to ask whether the narrow banking meme might grow to divide the banking business even further: a kind of narrower banking that doesn't include payments, which would then be regulated separately.

(my emphasis throughout.) Which of course raises the problem for banks of lack of easy access to cheap and easy deposits. Which kind of rips the guts out of the banks' business model. Which likely causes them intense pain. Which was predicted. But predictions aren't food on the table. Now, Dave brings forth the evidence that this is precisely what has happened:

Here you have a scheme that has gone from nothing to five million users and a hundred million euros per month in interpersonal transfer in 18 months. What a fantastic success. Now, faced with this clever use of new technology to deliver a much-needed financial service in an economic and compelling manner, the local banks went to market with more innovative solutions. I'm joking, of course. What they actually did was what too many banks do when faced with a small and nimble competitor, which is to go whining to the regulator to get the competitor banned.

In the marketplace, bankers accuse M-PESA of encroaching into their turf, arguing that its exemption from Central Bank of Kenya's (CBK) stringent and costly regulations has enabled the mobile phone operator to offer "banking" services on the cheap. [From Business Daily Africa - the international window into East African business opportunities - M-Pesa success stirs banks' fury as five million subscribers enrol]

The banks have a choice. Either go to the regulator, and whine, or re-invent their business model. The first one might work, short term (read the blog to find out what happened), but unfortunately the cat is now out of the bag.

Payments as a separate business works and works well. Indeed, separated payments work stunningly better than payments as a captured subsidy for banks, but the cost of subsidies was well understood to be acceptable, at least by those who believed in banking as an industrial model. However, consumers have a different view, they have always demanded free and untied payments when available, and won't trade two bits for the concept of banking. So this new view will eventually sweep the world.

Long term, banks must now prepare for a new business model, sans payments. Now, I'd love to help them do that but cannot. Firstly, CHYP always get the fun jobs, and secondly, we still have the problem that they will make more money if they stick their head in the sand and deny it. This is a time-honoured process, and it was the one that led up to the financial crisis. It's even got a formal name: "cash cow." So the problem comes down to whether there is a bank that wishes to act strategically rather than tactically, and the betting is that they won't be looking that far ahead.

But the end result is now clear:

M-PESA has forced a realignment in the market pricing of money transfer services.

Following an aggressive expansion of M-PESA, commercial banks have been forced to eliminate charges on their customers when sending cash. [From The Standard | Online Edition :: Regulator gives M-Pesa a clean bill of health]

We must also throw a nod towards the regulators' position here. In the past, the European Central Bank(s) banked on banks and not people; they kept in place the restrictions of the E-money directive by basically (but deceptively) saying that "payments is banking." Now however the lesson of missed opportunity is clearer (again, predictions weren't food on their table). Europeans use PayPal on ebay, WebMoney continues to do well, there are others. If one cellular operator succeeds why can't others? If we can send an SMS globally, why can't we all join M-SEPA in Kenya? Dave says:

This is why the European Commission is hoping that the new regulated categories of Electronic Money Institution (ELMI) and Payment Institution (PI) will allow even banks to set up highly competitive low-cost payment services.

There are two barriers here, and they both need addressing. Firstly, the iron grip of the regulators over banks is over. Not because they don't still have that possibility, but because they've been revealed as captured by the banks (financial crisis) and the business is changing such that the model of central banking is no longer usefully relevant. The 20th century was the time when the central banks truly ruled all they surveyed, but we see little with eyes that are 100 years old.

The second barrier, this time brought clear by Dave in a way I failed to do is that of the failure of the Anti Money Laundering project. As well as failing to do any damage to ML, it is now clear that the sum result of the project was to raise costs, and as a consequence to alienate the poor. M-SEPA apparently capitalised on this stupidity, in the same way that PayPal, e-gold, WebMoney and other electronic systems did, and has now seized the marketplace in its country.

The AML project breached the laws of economics. Possibly this is best encompassed by Goodhart's law, which says that if you put a control here, the money will flow over there. So don't put the control in, the people will simply bypass it. There is a useful corollary to this law: the money belongs to the people, not to the bureaucrat. It helps to consider this carefully when thinking of putting in controls.

On the other hand, it is easy to see how to give the AML people what they can usefully use, without hurting the poor. Again, Dave nails it:

One phrase that caught my ear, in a very positive way, was "risk-based approach to know-your-customer". In other words, I think, it's time to begin to resolve the implicit tension between financial exclusion and financial inclusion agenda in a common sense way. It's one thing to recognise the legitimate law enforcement and regulatory requirements for identification and authenticaton and another to insist that these requirements are met in the tightest possible way in all circumstances. The truth is that bringing people inside the tent, given the data exhaust from electronic payments, delivers far greater overall benefits to society than trying to keep people out of the tent. In other words, stringent rules about terrorist financing and so forth mean that the poorest people stay excluded because it becomes complicated and expensive to deliver services to them. I think that we should start looking at a global exclusion for pre-paid accounts below a certain level (say 500 euros) in return for increased monitoring to patterns, transfer and behaviour.

It is massively important to follow this path, but who will understand it? Even though Dave considers it now reasonable to challenge the ivory tower of the FATF, the problem is, nobody in the AML world is going to stand up and say "we were wrong. Now what do we do?" It is far too easy to accuse detractors of supporting money laundering (!) and continue to draw salary than to learn real economics and add value to society.

I think on this point Dave is economically correct and will be eventually be totally exonerated, but this time he has gone too far, and will have to explain himself to the secret committee for economic purity. Nobody challenges the fat cats in Paris without being labelled a sympathiser of jihadists, an eater of babies, and a downright nasty chap. Meanwhile, the poor are going to have to wait at least another decade before the anti-money laundering disaster is fixed, and are invited into the world of secure payments run by deftly-regulated institutions.

Not to mention, it just isn't their decade, as the rich are a bit busy right now.

H5: Security Begins at the Application and Ends at the Mind

So much of what we do today is re-inventing what others have already done, but has been lost in the noise. Today, Ian Brown said:

EIFFEL is a group of leading networking researchers funded by the European Commission to "provide a place for discussing and exchanging ideas and research trajectories on the future of the Internet architecture and governance building as a foundation of the future networked society." I'm proud they have asked me to speak on Tuesday at their second meeting, alongside such luminaries as MIT's Dr David "end-to-end principle" Clark. You can see my presentation below — any comments (before or after Tuesday morning) most welcome!

What caught my eye, other than the grandiose goal, was the mention of an end-to-end principle. Lo and behold, Ian linked to this over on wikipedia:

The principle states that, whenever possible, communications protocol operations should be defined to occur at the end-points of a communications system, or as close as possible to the resource being controlled.

According to the end-to-end principle, protocol features are only justified in the lower layers of a system if they are a performance optimization, hence, Transmission Control Protocol (TCP) retransmission for reliability is still justified, but efforts to improve TCP reliability should stop after peak performance has been reached.

Aha! Well, that makes sense. This is very close to what I say in this unpublished hypothesis, here:

Hypothesis #5 -- Security Begins at the Application and Ends at the Mind The application must do most of the work [1]. For really secure systems, only application security is worthwhile. That is simply because most applications are delivered into environments where they have little control or say over how the underlying system is set up. #5.1 Security below the application layer is unreliable For security needs, there is little point in for example relying on (specifying) IPSec or the authentication capabilities or PKI or trusted rings or such devices. These things are fine under laboratory conditions, but you have no control once it leaves your door. Out there in the real world, and even within your own development process, there is just too much scope for people to forget or re-implement parts that will break your model. If you need it, you have to do it yourself. This applies as much to retries and replay protection as to authentication and encryption; in a full secure system you will find yourself dealing with all these issues at the high layer eventually, anyway, so build them in from the start. Try these quick quizzes. It helps if you close your eyes and think of the question at the deeper levels. Is your firewall switched on? How do you know? Or, how do you know when it is not switched on? Likewise, is your VPN switched on? How do you know? Does TLS provide replay protection [2]? These questions lead to some deeper principles.

Super hint! Now out there and published ... leaving only one more to go.

As an aside, the set of 7 hypotheses covering secure design is around 60% published. As time goes on, I find new info that I try and integrate in, which slows down the process. Some of them are a little rough (or, a mess) and some of them fight for the right to incorporate a key point. One day, one day...

Rumour: NSA offering 'billions' for Skype eavesdrop solution

A printable-quality rumour straight from El Reg:

News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency (NSA) is offering "billions" to any firm which can offer reliable eavesdropping on Skype IM and voice traffic.

The spybiz exec, who preferred to remain anonymous, confirmed that Skype continues to be a major problem for government listening agencies, spooks and police. This was already thought to be the case, following requests from German authorities for special intercept/bugging powers to help them deal with Skype-loving malefactors. Britain's GCHQ has also stated that it has severe problems intercepting VoIP and internet communication in general.

Read the whole article!

Skype in particular is a serious problem for spooks and cops. Being P2P, the network can't be accessed by the company providing it and the authorities can't gain access by that route. The company won't disclose details of its encryption, either, and isn't required to as it is Europe based. This lack of openness prompts many security pros to rubbish Skype on "security through obscurity" grounds: but nonetheless it remains a popular choice with those who think they might find themselves under surveillance. Rumour suggests that America's NSA may be able to break Skype encryption - assuming they have access to a given call or message - but nobody else.

The NSA may be able to do that: but it seems that if so, this uses up too much of the agency's resources at present.

"They are saying to the industry, you get us into Skype and we will make you a very rich company," said the industry source, adding that the obscure encryption used by the P2Pware is believed to change frequently as part of software updates.

The spyware kingpin suggested that Skype is deliberately seeking to frustrate national listening agencies, which seems an odd thing to do - Skype has difficulties enough getting revenues out of its vast user base at any time, and a paid secure-voice system for subversives doesn't seem like a money-spinner

Including this bit:

But corporate parent eBay, having had to write down $1.4bn already following its $2.6bn purchase of Skype back in the bubble-2.0 days of 2005, might see an opportunity here. A billion or two from the NSA for a backdoor into Skype might make the acquisition seem like a sensible idea.

Maybe it was just bad timing ... or maybe eBay hasn't got the smarts. I would dearly love to monetise that asset, and that's no secret (it will be on this blog somewhere). Either way, if eBay failed to integrate Skype, it's a solid sell signal on eBay. They are now just another cash cow. Milk on!

this one's significant: 49 cities in 30 minutes!

No, not this stupidity: "The Breach of All Breaches?" but this one, spotted by JP (and also see Fraud, Phishing and Financial Misdeeds, scary, flashmob, and fbi wanted poster seen to right):

* Reported by John Deutzman

Photos from security video (see photo gallery at left at bottom right) obtained by Fox 5 show of a small piece of a huge scam that took place all in one day in a matter of hours. According to the FBI , ATMs from 49 cities were hit -- including Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong.

"We've seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here," FBI Agent Ross Rice told Fox 5.
....

"Over 130 different ATM machines in 49 cities worldwide were accessed in a 30-minute period on November 8," Agents Rice said. "So you can get an idea of the number of people involved in this and the scope of the operation."

Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.

This lifts the level of capability of the attacker several notches up. This is a huge coordinated effort. Are we awake now to the problems that we created for ourselves a decade ago?

(Apologies, no time to do the real research and commentary today! Thanks, JP!)

Audits II: Two more scary words: Sarbanes-Oxley

In the last post on audit, I raised the possibility that we need some fixes to the audit process, rather than just following some journo's best practices list ("use a big-4 auditor"). Is it then a possibility to rewrite the regime, to create a tougher approach? If we look a little deeper in history, we find the answer:

No, we already tried it. Say hello to two more scary words: Sarbanes-Oxley. Recall that this was a huge project by the Congress of the USA to rewrite the entire auditing requirement for public companies. It was deliberately and carefully done in the aftermath of the collapse of audited-but-unauditable Enron.

In Sarbanes-Oxley, no stone was left un-turned, no leaf un-renewed. The noble profession of Financial Auditors had, post-Enron, plenty of incentive to improve their game. Sarbanes-Oxley was written at the behest of the auditing industry. They asked for it, and they got it, cost regardless. It more or less doubled the size of the public audit.

Indeed, Sarbanes-Oxley was so fierce that, by some lights, it killed the international market for Wall Street IPOs! Given all this substantial work, and substantial cost, the paying public might therefore expect that Sarbanes-Oxley must have done some good. Fair enough?

Certainly, there have been many reports of "stronger, better" but this is one of those questions that is hard to measure objectively because we cannot run proper tests. However, we do now have would could be considered to be a highly indicative test: the financial crisis.

Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?

No. Not one, not even a single one!

Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it? No, not one, known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment. Post any examples in comments! (And yes, for the record, we are ignoring all of the regulators, central banks, finance committees, rating agencies and other checks and balances that also apparently came to nought.)

Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)

The audit theory works, then, in some sense or other. Manifestly, audits didn't work for the financial crisis. And, they so didn't work after that so-huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda.

Questions arise. And, this time they are serious, more serious than post-Enron. This time the questions cannot be answered from within, but only from without. By us, the paying public. The questions before us could be considered like this:

Why did the audit not work in practice? For the financial crisis?

Are audits delivering a benefit?

Is the benefit of audits in excess of their cost?

Are audits part of the problem rather than the solution?

What do we do about it?

In order to answer that, we need more information. What is it that we really know about that audit? That's the subject of the next post.

"No, you don't understand sheep"

Sometimes I slave over a hot keyboard for an entire weekend to get a point across. With elegant arguments, carefully constructed logic, and a full path from beginning to end. Integrated across 3 separate disciplines. If I get to QED in less than 3 pages, I'm happy!

And then Gunnar comes along and says:

A teacher asks the class, 'If there are nine sheep in the pen and one jumps out, how many are left?'

A little girl says, 'None of them are left.'

The teacher shakes her head sadly and says, 'You don't understand arithmetic.'

The girls says, 'No, you don't understand sheep.'