The law of entirely expected consequences case study: payment surcharges

Our Prime Minister, Mrs. Theresa May, went a bit Trump and tweeted. Cool. And here it is.


 The odd thing about this is that every single part of it is manifestly and demonstrably untrue. I’m genuinely baffled as to why Mrs. May (who spent 12 years working at the Association of Payments and Clearing Services, the precursor to UK Payments) should make such a transparently false claim to obtain credit for something that she should be against. To be clear: the charges were not hidden, the ban is not only on credit and debit card surcharges, and it won’t help millions of people to avoid rip-offs. Let me explain, starting with what I saw on 13th January when I went to pay for a flight on British Airways…

My first "no surcharge" purchase

Now normally when I use my BA Amex card to book a flight, I have to pay a credit card surcharge. I don’t mind paying the surcharge because I want the protections that the use of credit cards gives me as a consumer and also because I want the frequent flier points I get for using this card. As of 13th January, I don’t. I get all this stuff for free because “new rules which will come into effect on 13 January 2018 will mean you cannot be penalised for choosing to pay by card, either online or in-store”. Happy days. Thank you Mrs. May!

Unfortunately, the entirely predictable result of this ban on card surcharges is that prices will go up. For the press to say that the ban has “backfired” because “consumers face higher prices and new ‘service charges’ as retailers and businesses plan to circumvent the Government’s ban” is laughable. The ban has worked entirely in accordance with the laws of economics.

To see why, let’s go back to Mrs. May’s odd social media message. First of all, the ban on card surcharges is not because of Mrs. May or the British government. It is because of the European Union’s Second Payment Services Directive (PSD2), although in the UK the government has gone further than PSD2 by, essentially, banning surcharges for all electronic payments, not just the “four party” schemes. Thus it was the EU that banned “credit or debit card” surcharges, not the British Government, but it is indeed the British Government, rather than the EU, that is making poor people pay for my air miles.

Now, just a quick recap of Economics 101. If the government passed a law that (for example) health care is free, that wouldn’t mean that doctors would start working for nothing. It would mean that doctors would have to be paid in some other way (out of general taxation, for example). Similarly, passing a law that retailers cannot surcharge for cards doesn’t mean that everyone at Barclaycard is now working for free. Yes, the government has stopped retailers from charging for cards, but that does not mean that the costs are going to go away. Chip and PIN terminals, 3D Secure gateways and Section 75 chargeback guarantees don’t grow on trees. What will happen?

Suppose you are an online merchant selling, oh I don’t know, let’s say Dungeons and Dragons miniatures. Let’s say your card service comes from a top quality merchant service provider who charges you 25p per transaction. From 13th January…

  1. Well, they could stop taking cards. But that would mean they lose business.

  2. They could have a loyalty scheme (spend £50, get £5 off your next purchase) but only for people who pay with cash.

  3. If half their sales are cash and half on card, then they could put the price of the average basket up by 10p. This is a nice simple solution and it’s good for me, since the customers who pay with cash are now subsidising my John Lewis cashback (since I’m only paying the extra 10p not the full 25p).

  4. Or they could try it on and add a service charge of 25p to all orders. This is what, for example, Just Eat have done.

But why should these dastardly people be allowed to get away with any of these options? Why shouldn’t they be forced to simply accept lower profits and a reduced standard of living as suggested by The Daily Telegraph which is upset that “retailers and other companies are planning measures to ‘sneak’ around the rules”. The dastardly plots unveiled by The Telegraph, precisely as you would expect from an analysis of the environment, are those that I outlined above: refusing card payments, increasing prices and introducing new ‘service charges’.

This is ridiculous from The Telegraph. Refusing to accept cards because the government has made it uneconomic is not sneaking around the rules, it is responding to the rules. And unless The Telegraph is proposing to step in and pay the cost of accepting cards for all merchants, neither is increasing shelf prices. In fact, I absolutely guarantee that prices will rise in accordance with basic laws of economics that The Telegraph should be familiar with. Unlike government ministers, apparently. The Economic Secretary to the Treasury, Mr. Stephen Barclay, said “these small charges can really add up and this change will mean shoppers across the country have that bit of extra cash to spend on the things that matter to them”. How? I have no idea. The UK travel industry, for example, pays around £150m per annum in card charges. Who does Mr. Barclay think is going to pay for the cards, terminals, fraud, bad debt, guarantees and all the rest of the infrastructure in the future? 

The result of banning card surcharges (ie, price-fixing for payment services) will be two-fold. First, it will push retailers into having their own apps that exploit open banking and use instant payments instead of cards. I can assure you that I won’t book a holiday or buy an expensive sofa this way: I want the legal protections that come with credit cards. However, the costs of accepting cards give these merchants plenty of margin to play with, so they will be able to incentivise customers away from the existing rails. Second, it will transfer money from poor consumers who are trapped in the cash economy to people like me with cashback and airmiles cards. As the media have belatedly noticed (having not asked me about it in advance) “even those paying cash are set to lose out, as some companies – including food delivery firm Just Eat – plan to apply the cost increases to all customers”.

The outcome, as it happens, may be even more perverse. Since debit cards cost merchants less than credit cards, consumers switching to credit cards to get the rewards will mean the merchants’ overall bill for accepting cards will go up! This will hit hard in travel, for example, where “removing the surcharge will result in a significant shift away from payments by debit card and bank transfer so the increase [in extra costs] will be greater than the current credit card surcharge”. Not my words. “Greater than the current credit card surcharge”. So prices will rise by more than the current surcharge, despite Mr. Barclay’s odd prediction that shoppers around the country will have “that bit of extra cash”. No, shoppers around the country won’t. But certain shoppers (eg, me) will, because if the cost of the flight goes up by £1 but I would have had to pay a £2 service charge to use my rewards card before, I’m now saving £1 and still getting the rewards.

I have long maintained that if you are going to regulate anything in this field then what you should do is require retailers to make the costs of payment choices clear and then let the market do the work. If the government wants to take action, it should adopt my plan to minimise the total social cost of payments and make debit cards the “zero”. In other words, companies should not be allowed to surcharge for debit cards and banks should be required to provide zero interchange debit cards as a condition of holding a retail banking licence. If companies want to surcharge for payment instruments that have a higher overall total social cost (cheques, cash, credit cards, charge cards, cowrie shells or euros) then that’s fine. And there would be a logic to it, unlike the current situation. Meanwhile, “consumer experts have called for regulatory enforcement to ensure businesses cannot dodge the rules”.

This is absolutely hilarious. Who are these experts? What Soviet-style commission is going to take control of the taxi company’s pricing policy and decree what level of service charge, if any, is to be allowed? The whole situation is nonsensical. If the government, merchants or anyone else thinks that the costs of accepting cards are too high, then they are free to create an alternative that is less expensive. And if merchants want to know how to create an alternative lower cost option for customers *cough* open banking *cough* then they should feel free to call me and I’ll put them in touch with the right people (hint: Consult Hyperion).

Crime of the (new) century

Here’s something that I’m surprised we don’t see more of. Pavel Lerner, the CEO of the cryptocurrency exchange Exmo Finance, has been released by kidnappers after the payment of a $1 million bitcoin ransom. According to the Financial Times, the Ukrainian interior minister specifically labelled the crime “bitcoin kidnapping and extortion”. I would have asked for Monero, rather than traceable bitcoins, but there you go.

Given the number of Bitcoin millionaires wandering around — I bump into them at every conference I go to these days — you would have imagined that the more enterprising and forward thinking members of the cosa nostra (the coder nostra, as I call them) were out in force. Stand around outside Consensus or Money2020 and bundle most anyone into a van and drive them off into the desert and you’re sure of a Bitcoin, Ripple, Ether or Bitcoin Cash payday. It’s a puzzle that this doesn’t happen all the time, although it’s entirely possible that it does and that I never get to hear about it because I’m not rich enough, just like those Silicon Valley sex parties.

So is kidnapping for cyber-ransom the defining crime of the 21st century? Actually, I suspect not. What if, rather than traditional money-related crimes such as kidnapping and extortion, there were much better crypto-crimes invented in parallel to the new forms of crypto-money made available by technology? Is there such a crime that is unique to this virtual world? Not a virtual shadow of a crime that has been around since year zero, but a wholly new crime for the virtual world? Actually, one such crime was invented many years ago. It’s the “assassination market” that I wrote about in “Before Babylon, Beyond Bitcoin”.

An assassination market is a prediction market where any party can place a bet (using anonymous crypto-currency through the TOR network) on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise the assassination of specific individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death.

Here’s how the market works. Someone runs a public book on the anticipated death dates of public figures. If I hate a pop star or politician, I place a bet on when they will die. When the person dies, whoever had the closest guess wins all of the money, less a cut for the house. Let’s say I bet a fiver that a specific TV personality is going to die at 9am on April Fool’s Day 2018. Other people hate this personality too and they put down bets as well. The more hated the person is, the more bets there will be.

April Fool’s Day comes around. There’s ten million quid bet on this particular personality. I pay a hit man five million quid to murder the personality. Hurrah! I’ve won the bet, so I get the ten million quid and give half to the hit man. I don’t have to prove that I was responsible for the assassination to get the money and no-one can pin the crime on me because I paid the hitman in untraceable anonymous electronic cash as well: I’m just the lucky winner of the lottery. If someone else had bet 31st March and murdered the television personality themselves the day before, then it would only have cost me a fiver, and I would have regarded that as a fiver well spent.

This is rather an old idea that originated, as far as I know, with Jim Bell, who back in 1995 wrote an essay on “assassination politics” that brought the idea to the popular (well, amongst a nerd subgroup) imagination. I suppose it was inevitable that the arrival of digital currency would stimulate thought experiments in this area and it was interesting to me then (and now) because it showed the potential for innovation around digital money even in the field of criminality. If I hire thugs to lure a cryptobaron to a hotel room and then beat him up to get $1m in bitcoins from him (as actually happened in Japan recently), that’s just boring old extortion. If I use Craigslist to lure a HODLer to a street corner and then pull a gun on him and force him to transfer his bitcoins to me (as actually happened in New York back in 2015), that’s just boring old mugging.

 

Now, as I explained in the FT some years ago, Bitcoin is not a very good choice for this sort of cyber-criminality. It’s just not anonymous enough for really decent crimes or the darkest darknets. Hence my scepticism about the claims that Bitcoin’s long term value will be determined by malevolent money mischief. But as I explained to students at Winchester College last week, if there were to be an actually untraceable cryptocurrency then an assassination market is a much better bet for the coder nostra than the physically demanding felony of kidnapping.

What if S.P.E.C.T.R.E. had Spectre?

Ruh roh, as they say. Google has just published a paper outlining a serious security flaw in, to all intents and purposes, all computers. They knew about it months ago, but they’ve been waiting for Apple, Microsoft and everyone else to issue patches (which, apparently, mean an unavoidable reduction in processing speeds) before making it public. The paper sets out two “exploits” that take advantage of the flaw. These are called “Meltdown” and “Spectre”. They basically allow software to read data from other software that it’s not supposed to be able to, so that one application (let’s say, the hacker) can read data from another application (let’s say, your browser) to steal secrets.


As you can imagine, there was a great deal of media coverage about this flaw (as there should have been – it’s a huge deal). I happened to see a comment about it on Twitter, in which someone said words to the effect of “thank goodness it was found by don’t-be-evil Google and not by the bad guys”. This is a very misplaced sentiment. In the paper, the researchers clearly state that they do not know whether these exploits have been used in real attacks. Apart from anything else, Google says that the “exploitation does not leave any traces in traditional log files”.

So what if S.P.E.C.T.R.E. actually knew about Meltdown months ago and had Spectre in the Spring? How would we know? If they are really smart, then they’ll carry on stealing our secrets but cover their tracks so that we don’t know that they know. If you see what I mean.

It might be timely to remember the story of the Zimmermann telegram, a story that is mother’s milk to security experts.

You may recall that in 1917, Britain and Germany were at war. Britain wanted the U.S. to join the effort against the Axis of Edwardian Evil. The Kaiser’s ministers came up with some interesting plans: to persuade inhabitants of the British (and French) colonies in the Middle East to launch a jihad, for example. Another scheme was to persuade Mexico to enter the war on the German side, thus dividing the potential U.S. war effort and eventually conquering it.

(At this point I thoroughly recommend historian Barbara Tuchman’s 1966 account of the affair, “The Zimmermann Telegram”.) 

To execute this dastardly plot, the German Foreign Secretary, Arthur Zimmermann, sent a telegram to the German ambassador in Mexico, Heinrich von Eckardt. The telegram instructed the ambassador to approach the Mexican government with a proposal to form a military alliance against the United States. It promised Mexico the land acquired and paid for by the United States after the U.S.-Mexican War if they were to help Germany win the war. The German ambassador relayed the message but the Mexican president declined the offer.

Naturally, so sensitive a topic demanded an encrypted epistle and it was duly dispatched encoded using the German top secret “0075” code. And here it is…

The Zimmermann Telegram

As it happens, “0075” was a code that the British had already cracked. Thus, the telegram was intercepted and decrypted enough to get the gist of it to the British Naval Intelligence unit, Room 40. In next to no time, the decoded dynamite was on the desk of the Foreign Secretary Arthur Balfour, the teutonic perfidy laid bare.

Now the British were faced with the same dilemma that faces S.P.E.C.T.R.E. with Spectre. How can you use intercepted information without revealing that there is a security flaw and that you have exploited it? Consider the options:

  • If the British had complained to the Germans, then the Germans would know that the British had the key to their code and they would switch to another code that the British might not be able to break for months, missing much vital military intelligence along the way. What’s more, the Americans would know that the British were tapping diplomatic traffic into the U.S.

  • If they did not reveal the contents, they might miss the chance to bring the U.S. into the war.

The codebreakers’ clever solution was to leak the information in such a way as to make it look as if the leak had come from the Mexican telegraph company: since the German relay from Washington to Mexico used a different code that the Americans already knew to be broken, this was entirely plausible.

If you’re wondering what happened, well despite strong anti-German (and anti-Mexican) feelings in the U.S., the telegram was believed to be a British forgery designed to bring America into the war, a theory bolstered by German and Mexican diplomats as well as the Hearst press empire. However, on March 29th, Zimmermann gave a speech confirming the text of the telegram. On April 2nd, President Wilson asked Congress to declare war on Germany, and on April 6th they complied.

The point of this story is that stupid hackers would reveal their hand, but clever hackers would not. So the fact that, according to BBC Radio 4’s “Today” programme, the UK’s National Cyber Security Centre says there is no evidence that the flaws have been exploited does not reassure me! These bugs are big.

“The Meltdown fix may reduce the performance of Intel chips by as little as 5 percent or as much as 30 — but there will be some hit. Whatever it is, it’s better than the alternative. Spectre, on the other hand, is not likely to be fully fixed any time soon.”

From “Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device? | TechCrunch”.

 

Maybe the way forward is to assume that all machines are compromised and not fix them but instead move the security away from the processors – so going back to the idea of having a Trusted Processing Module (TPM) in every transaction, either built in to the processors (like the “Secure Enclave” in iPhones) or as a separate chip in a PC or as a smart card that is connected to the computer when you want to do something. In this, as in so many other things, Britney Spears is a beacon to the nations. Eleven years ago I used my Britney Spears smart card (which I still have) to log on to her fan club web site securely. You can read about it here.

PesaLink ten-month fraud lessons forces cap on transaction amounts :: Kenya – The Standard


“IT Risk and Internal Control Consultant at NetGuardians John Kiptum said… 70 per cent of the fraud is usually internal where bank staff reset your pin number, do a SIM swap so you no longer receive short message notifications and after that pick your account empty.”

From “PesaLink ten-month fraud lessons forces cap on transaction amounts :: Kenya – The Standard”.
