Banks Say Heartbleed Poses No Threat, But Experts Raise Doubts
Editor's note: This is the free edition of Payments Insider, a newsletter on all things payments produced by BI Intelligence.
BANKS REASSURE ON HEARTBLEED, BUT QUESTIONS REMAIN: The American Banking Association says that most Internet banking websites and apps are not affected by the Heartbleed security flaw, and most major banks have issued statements to similar effect. "To date, we are not aware of any U.S. banks that have been exploited using this vulnerability," FDIC spokesman Greg Hernandez tells us. But such assurances are "meaningless," says Richard Kenner, vice president of AdaCore, the software firm that works primarily with the highly security-sensitive aerospace and defense industries. Any bank using the affected encryption software, one of two programs widely available for securing information stored on Linux servers, would have no way of knowing if it had been attacked, Kenner tells us. "Banks historically have been good at making safes, but they have not been good at securing their software," he adds. (Keith Griffith for BI Intelligence)
Meanwhile, the first confirmed reports of Heartbleed attacks have landed, from the Canada Revenue Agency and a UK parenting website. "Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the Canadian tax agency said in a statement. Site administrators of Britain's Mumsnet were advised by hackers that their user accounts had been compromised. (CRA, BBC)
QUOTE OF THE DAY - "It was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area." Dr. Robin Seggelmann, the software programmer who wrote the code containing the Heartbleed encryption flaw. (Sydney Morning Herald)
PEER-TO-PEER PAYMENT APPS WILL SPUR MOBILE PAYMENT ADOPTION: Retailers and payments providers alike would like to see consumers use smartphones to make payments instead of cash or credit cards. For retailers, the data gleaned from these services can be used to up-sell or cross-sell products to their customers. For payments companies, smartphones offer an opportunity to carve out market share in an industry in flux. The problem? Consumers aren't adopting mobile payments because they don't offer compelling advantages over cash and credit cards. As we explain in a new report, an emerging category of peer-to-peer payments services that allows consumers to transfer money to one another is going to take off across the globe, and once it does, consumers will inevitably move to other forms of mobile payments. (BI Intelligence)
MORE ON FACEBOOK'S PAYMENTS PLAY: BI Intelligence reached out to London-based online money transfer firm Azimo, which according to the Financial Times was approached with a $10 million deal from Facebook for an online payment service partnership. A company spokesman neither confirmed nor denied the Financial Times reports, except to say that Azimo preferred to keep partnership offers to itself. But Azimo was willing to say it believed deals of this type would offer huge benefits to global consumers: "It's very exciting and could be truly transformational to an industry of largely legacy players that has ripped off hard-working migrants for years," company spokesman Mike Tinmouth writes in an e-mail. Azimo's company slogan is, "Send money for less." (Keith Griffith for BI Intelligence)
CHINA'S 'BIG THREE' LOCK HORNS ON MOBILE PAYMENTS: Chinese Internet search giant Baidu yesterday launched its own mobile wallet. That means all the "Big Three" consumer web companies in China now offer competing payment products - Baidu, e-commerce titan Alibaba Group, and online media firm Tencent. The Chinese battle mirrors the five-way clash over payments between U.S. web giants, which we reported on yesterday. "If Baidu can link more offline services with online payment creatively, it can catch up with its rivals in no time," analyst Wang Weidong tells China Daily. China, a vast, emerging consumer market, has been notoriously difficult for U.S. tech giants to pierce, owing to a regulatory and consumer climate that favors home-grown alternatives. (Barrons, China Daily)
RISKING STEEP PENALTIES, RETAILERS AND BANKS LAG ON EMV: Bloomberg's Olga Kharif and Bianca Vazquez Toness explain why the majority of US retailers may miss the deadline for implementing EMV: "Credit card networks have set an October 2015 deadline for most U.S. merchants to upgrade their payment systems [to EMV chip technology] ... EMV cards create a unique code for each transaction, making them more difficult to hack or counterfeit than striped cards ... More than half of U.S. merchants will miss the cutoff ... One reason for the delay is the upgrade's high cost: $500 to $1,000 per payment terminal ... With about 1 billion cards in use in the U.S., just 20 million chip cards have been issued ... The price for not complying could be high ... Most retailers and banks will be liable for some fraudulent in-store transactions if they don't have the new system." (Bloomberg)
AMAZON SAYS 'NO' TO BITCOIN: While Overstock.com recently made waves when it announced over $1 million in purchases transacted in Bitcoin, it seems that Amazon will not be accepting the digital currency any time soon. "We're not hearing from customers that it's right for them and don't have any plans within Amazon to engage Bitcoin," says Tom Taylor, head of Amazon payments, in an interview with Re/code. (Re/code)
ANOTHER ADDITION TO VISA'S COMMON DEBIT SOLUTION: CO-OP Financial Services, a credit union service organization, announced that it would join in using Visa's EMV-compliant common debit solution. The payments industry is moving towards adopting the EMV or "chip card" security standard in the U.S. At the same time, the Dodd-Frank financial legislation requires card networks to provide retailers with the option of two unaffiliated debit card networks through which to route transactions. But the chip card security standard wasn't designed to support routing through multiple networks. That means that debit networks are partnering to use a common debit routing system to adopt the chip card standard and comply with Dodd-Frank. (MarketWatch)