Comments: Zuckerberg urged to go social... by hacking the lending space?

Iang,

If we ignore for the moment the economic motivation of the founder and other investors and the political issues expressed via the various regulatory mechanisms, we come down to a series of technical issues.

Of these the biggie as always is micropayments, most online systems appear to either work in a closed environment (such as the various virtual worlds such as Second Life) or in relation to an existing payment system such as the Payment Card Industry (PCI).

The former usually lacks any real security mechanism (piggybank-v-vault designs) but has negligable cost, and the latter whilst having barely adiquate security generaly costs too much via transaction charges.

The only people currently to occupie the middle ground appears to be Teleco's which act effectivly as a billing aggregater service for each "customer" within their network and thus only incur one transaction cost via the PCI at the end of the month.

If you think about it the telco's are actuallly offering the same service (billing aggregation) as the PCI thus you have to ask why their system costs are so much lower than the PCI?

And as far as I can see there are two answers obvious answers.

The first is security against fraud, unlike the telco's the PCI not having a controllable environment cannot establish "trust cost" effectivly. That is from the PCI perspective each transaction is treated in issolation prior to aggregation and has a cost attached, whilst the opposit is true for the the telco's in that the transaction cost is on setteling the agrigated bill not the individual transactions

The second is how the businesses position themselves. The PCI primary business is payment systems with a secondary interest in communications networks (for merchants only) to facilitate the primary business purpose. The telco's primary business is communications networks for all with a secondary interest in payment systems to facilitate the primary business purpose.

However in both cases the real business is moving information in the form of data in a secure way. So perhaps it is better to ask what differentiates them from each other.

Firstly the PCIs data networks are only for the merchants and industry, not for the token (card) holders, with the telco's their data network is primarily for all so includes the token (phone) holders as well as any merchants and the industry.

Secondly is transaction value the telco's only deal with micro to small values whilst the PCI deals with small to large values.

Both of these have knock on effects.

In the case of the token's for both industries the token is seen as a business enabler and both carry the cost of sourcing and supplying the tokens.

However for the PCI their tokens (cards) are seen as a necessary evil that incurs significant cost, therefore the PCI seek to minimise it's costs at all times.

The telco's however see their tokens (phones) as product's in their own right with many "value added" features which enable them to derive additional income from them.

These differing perspective on the tokens have had signifficant "knock on" effects.

The PCI does not inovate it's tokens in any way, it mearly responds very very slowly and ineffectivly when the cost of fraud rises to an unacceptable level.

The telco's however competativly market their tokens and this drives inovation from the token manufactures.

Thus all we have seen on the PCI side is anti fraud measures that usually fail for various reasons and a market where the cost of tokes increases in real terms without adding additional benifit or value to the customer. On the telco side we have seen the cost of tokens decrease in real terms whilst there has been an almost exponential rise in features adding significant additional benifit and value to customers. Based on this indicator alone the PCI longterm future is in doubt.

In the case of transaction value the primary knock on effect is fraud.

For the telcos originally fraud ment the cost of dispute resolution and only occasional loss in profitable bandwidth. That is the call got billed to a customer who might ot might not dispute it. However the actual variable cost to the telco of a fraudulant call was negligable in that the plant systems were all in place and the extra use of electricity for the call measured in millionth parts of a dollar. Thus a fraudulant call might occasionaly displace a profitable call at 50cents per minute income due to lack of available bandwidth. Even the cost of crossing into other networks was so small that it was well below the "sampling noise" on the difference in billable time units (customers got rounded up to the nearest minute @50cent/min, networks rounded down to the nearest second @3cent/sec). Thus telcos dispute resolution was brutaly simple the customer payed one way or another or had to prove they did not make the call to a judge in court. Thus the original security measures in the telco's systems where there to ensure correct call cost attribution to a handset not to prevent fraud.

For the PCI fraud involved real loss in that goods, third party services or money had been taken by the fraudsters from merchants or banks. However in many jurisdictions this was dealt with by consumer credit regulation such that the individual card holder was protected, which generaly ment the merchant had the expense of proving a valid transaction had taken place to the card issuers satisfaction... Such was the balance of power in the PCI the merchants ended up swallowing the cost not just of the losses but the dispute resolution process as well. Thus the original security measures in the PCI token was very minimal to non existant (ie an impression of the cards standard type face and the customers signiture on the same mearchent supplied "docket" that could easily be photocopied...)

Interestingly was the difference in the way fraud was dealt with after the initial legislation for both industries. The PCI was pretty much left to it's own devices, whilst the telcos got vastly improved security enforced on them by the regulatory process of the licencing of the next generation (digital) phones via the EU framework (now R&TTE) that gave rise to the various GSM standards. The result the telcos have low fraud rates and minimal despute resolution cost paid by the token holders compared to the PCI with very high rates of fraud and thus very high dispute resolution costs paid for by the merchants not the token holders.

Thus the difference in "dispute reolution" cost and by whom it was paid caused a very very marked difference in the security of the tokens in use.

This in turn has ment that the security cost of each transaction for the telcos is built into the token and is passed to the customer as part of the token cost, but the PCI token is payed for by the PCI not the customer and the PCI extract this from the merchants along with the very high cost of fraud due to minimising the security of the token.

So in an odd way trying to minimise the cost to the customer has pushed the PCI fraud costs up very high on each transaction, whilst the telcos due to regulation get the customer to pay a one off fee for the token with high security built in and thus the transaction costs for the telco are minimal.

In effect the PCI has dropped into an evolutionary culdersac almost like the saber tooth tiger and is thus in a somewhat precarious longterm state, having effectivly priced it's self out of the micro and small payment markets by it's high transaction costs.

Thus should the telcos decide to go into the payments industry and they are alowed to do so they have a very significant market advantage over the Payment Card Industry as they can cover the market from micro payments through to large payments with minimal transaction costs.

But how does all this effect the likes of online service providers?

Well as can clearly be seen their business models do not by and large involve getting involved with user transactions although they probably would like to as many other of the business models they have tried have failed.

However they have significant problems they don't own the network, they don't own the tokens (PC's etc) and would be reliant on others to provide the link between traditional customer payment systems and their own systems.

Broadly the internet has two main groups of market models, those that are selling traditional "tangable" goods and services and the new models of "intangable" goods and services based on pure data or other information such as knowledge.

The traditional or "tangable goods" market models are almost entirely based on existing well understood models where all that has changed is the "shop" or "catalog" has become virtual, the rest of the model pretty much remains the same with the goods and transaction costs being paid in the usuall way.

However the new Internet "intagable goods" market models are different they are based on moving information in the form of data from producer to consumer without involving anything other than communications. These models have taken their payment models of older information markets of, "voucher" or "subscription" and potentialy added a third of "grazing".

Untill fairly recently only the "subscription" payment model where you purchased unlimited access for a fixed time period has been used this is because of high transaction costs. More recently "voucher" systems where you pay for fixed quantities of items have been introduced, that is you buy "ten songs" and download the ten you want from the thousands on offer as and when you see fit, this spreads the high transaction costs across several items thus allowing a significantly decreased cost per item.

However both the subscription and voucher models require payment in advance and this is usually quite significant (ie more than 10 dollars) and this is seen rightly as a significant market inhibitor. Which is why other models based on giving access for no payment by the "customer" have been tried such as those based on the traditional "broadcast advertising" and "Market research" models where the service is paid for by third parties who hope to gain business advantage by better contact with the customer. By and large neither of these models have been much of a success except for one or two sites.

Thus the general trend by many sites has been just to give free access and hope it might lead to other income streams by establishing a sufficient market presence.

This is also due in many respects to the fact that subscription and voucher systems only work in limited or non competition industries such as academic or scientific journals or where there is significant original Intellectual Property (IP) that can be clearly established in works such as songs, films and some books. They do not work well in other information markets such as journalism in news, because the raw information is not owned only a derivative work is, thus anybody can produce news from the raw data and thus the market value on each item is at best very small.

It is the notion of trying to extract some very small measure of value from those browsing the Internet that has given rise to Micro and Pico payment systems. Put simply a single person might only visit you site once but there are potentialy 5billion or so visitors world wide any of whom might drop by. If you could get 0.1cents per page viewed you could at the very least pay for the cost of your site. But you cann't because of current transaction costs and no user friendly payment system.

Idealy what is needed is an aggregator service you register with and each site you visit takes payment by submiting through their "token" the fractional value to the aggregator against your "token". At the end of the month or some other billing period the individual transactions are aggregated into bills and credits with a single transaction cost on each not on the individual transactions.

Currently only the telco's have systems capable of dealing cost effectivly with micro payments and this is due in the main to the fact that the customer has purchased a token that autheticates to the telco's network and despute resolution costs are low because the token has sufficient security for the transaction values involved.

Sooner or later due to the need for Government revenues proposals for a "data tax" that have been repeatedly shelved will be put in place. This will mean that the businesses on the edge of the network that supply access will get the job of becoming tax collectors and will need the appropriate billing systems in place (a big chunk has been already done by the ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg

Posted by Clive Robinson at February 6, 2011 05:49 AM

Why does a site with 'cryptography' in it's domain-name, have an expired security certificate?

Posted by Chris at February 26, 2011 01:25 AM

Oh No! the Email Address: input box opens email addresses to the bots....please unlink my email address from my first post on this article.

Why in the heck do you have a field that publishes email addresses?

Posted by Chris at February 26, 2011 01:41 AM

Chris,

the expiry is an administrative thing, not a crypto thing. Instead of your vague and handwavy question of received dogma, perhaps we should ask what value an unexpired certificate gives you over an expired certificate? Would you have been safer in writing your comment?

That said, I suppose we need to get it re-issued, coz you'll not be the last to question the words for the warnings :)

On the email address, I have changed the details for you. I thought the instructions were clear enough, but oh well... You're probably a devotee of good practices in crypto:

There is only one mode, and it is secure.

Yes, this site doesn't follow that at all. The reason it has an email address field is because that is how the software is written. I suppose. I never asked the authors, they are called Six Apart, ask them :)

Posted by There is only one mode, and it is secure! (Iang) at February 26, 2011 02:26 AM

Doh! It expires in 2012. Probably you haven't got CAcert's root added. Go here: http://www.cacert.org/index.php?id=3

Posted by Fixing that cert at February 27, 2011 01:42 AM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x555d4bdd6ab0) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.