I am a strong supporter of two factor authentication (2FA), and I welcomed the idea of a one time password sent by SMS when it was introduced in India a few years ago. But gradually I have become disillusioned because SMS is not true 2FA.
Authentication is a problem that humanity has faced for centuries; and long before computers were invented, several authentication methods were developed and adopted. Two widely used methods are nicely illustrated by two different stories in the centuries-old collection Arabian Nights. The first method is to authenticate with something that you know like Open Sesame in Ali Baba and the Forty Thieves. The Ali Baba story describes how the secret password is easily stolen during the process of authentication itself. What is worse is that while we would quickly detect the theft of a physical object, the theft of a secret password is not detected unless the thief does something stupid like Ali Baba’s brother did in the story.
The second method is to authenticate with something that you have, and its problems are eloquently portrayed in the story about Aladdin’s Wonderful Lamp. In the Aladdin story, the lamp changes hands involuntarily at least four times; physical keys or hardware tokens can also be stolen. The problem is that while you can carry “what you know” with you all the time (if you have committed it to memory), you cannot carry “what you have” with you all the time. When you leave it behind, you may (like Aladdin) find on your return that it is gone.
Clearly, the two methods – “what you know” and “what you have” – are complementary in that one is strong where the other is weak. Naturally, centuries ago, people came up with the idea of combining the two methods. This is the core idea of 2FA – you authenticate with something that you have and with something that you know. An interesting example of 2FA can be found in the Indian epic, the Ramayana. There is an episode in this epic where Rama sends a messenger (Hanuman) to his wife Sita. Since Hanuman was previously unknown to Sita, there was clearly a problem of authentication to be solved. Rama gives some personal ornaments to Hanuman which he could show to Sita for the “what you have” part of 2FA. But Rama does not rely on this alone. He also narrates some incidents known only to Rama and Sita to provide the “what you know” part of 2FA. The Ramayana records that the authentication was successful in a hostile environment where Sita regarded everything with suspicion (because her captors were adept in various forms of sorcery).
In the digital world, 2FA relies on a password for the “what you know” part and some piece of hardware for the “what you have” part. In high value applications, a hardware token – a kind of electronic key – is common. While it is vulnerable to MitM attacks, I like to think of this as reasonably secure (maybe I am just deluded). The kind of person who can steal your password is probably sitting in Nigeria or Ukraine, while the person who can steal your hardware must be living relatively close by. The skill sets required for the two thefts are quite different and it is unlikely that the same person would have both skill sets. The few people like Richard Feynman who are equally good at picking locks and cracking the secrets of the universe hopefully have better things to do in life than hack into your bank account.
The SMS based OTP has emerged as the poor man’s substitute for a hardware token. The bank sends you a text message with a one time password which you type in on the web site as the second factor in the authentication. Intuitively, your mobile phone becomes the “what you have” part of 2FA.
Unfortunately, this intuition is all wrong – horribly wrong. The SMS which the bank sends is sent to your mobile number and not to your mobile phone. This might appear to be an exercise in hair splitting, but it is very important. The problem is that while my mobile phone is something that I have, my SIM card and mobile connection are both in the telecom operator’s hands and not in mine.
There have been cases around the world where somebody claiming to be you convinces the telecom operator that you have lost your mobile and need a new SIM card with the old number. The operator simply deactivates your SIM and gives the fake you a new SIM which has been assigned the old number. If you think this is a figment of my paranoid imagination, take a look at this 2013 story from India and this 2011 story from Malaysia. If you want something from the developed world, look at this 2011 story from Australia about how the crook simply went to another telecom operator and asked for the number to be “ported” from the original operator. (h/t I came across all these stories directly or indirectly via Bruce Schneier at different points of time). I have blogged about this problem in the past as well (see here and here).
My final illustration of why the SMS OTP that is sent to you is totally divorced from your mobile phone is provided by my own experience last week in Gujarat. In the wake of rioting in parts of the state, the government asked the telecom operators to shut down SMS services and mobile data throughout the state. I needed to book an air ticket urgently one night for a visiting relative who had to rush back because of an emergency at home. Using a wired internet connection, I could login to the bank site using my password (the “what I know” part of 2FA). The mobile phone (the “what I have” part of 2FA) was securely in my hand. All to no avail, because the telecom operator would not send me the SMS containing the OTP. I had to call somebody from outside the state to make the payment.
This also set me thinking that someday a criminal gang would (a) steal credit cards, (b) engineer some disorder to get SMS services shut down, and (c) use this “cover of darkness” to steal money using those cards. They would know that the victims would not receive the SMS messages that would otherwise alert them to the fraud.
I think we need to rethink the SMS OTP model. Perhaps, we need to protect the SIM with something like a Trusted Platform Module (TPM). The operator may be able to give away your SIM to a thief, but it cannot do anything about your TPM – it would truly be “something that you have”. Or maybe the OTP must come via a secure channel different from normal SMS.
Thu, 27 Aug 2015
Before coming to India and Mauritius, let me talk about the US and the Dutch Antilles in the early 1980s. It took the US two decades to change their tax laws and stop the free gift they were giving to the Antilles. If we assume India acts with similar speed, it is about time we changed our tax laws because our generosity to Mauritius has been going on since the mid 1990s.
There is a vast literature about the US and the Netherlands Antilles. The description below is based on an old paper by Marilyn Doskey Franson (“Repeal of the Thirty Percent Withholding Tax on Portfolio Interest Paid to Foreign Investors”, Northwestern Journal of International Law & Business, Fall 1984, 930-978). Since this paper was written immediately after the change in US tax laws, it provides a good account of the different kinds of pulls and pressures that led to this outcome. Prior to 1984, passive income from investments in United States assets such as interest and dividends earned by foreigners was generally subject to a flat thirty percent tax which was withheld at the source of payment. Franson describes the Netherlands Antilles solution that was adopted by US companies to avoid this tax while borrowing in foreign markets:
In an effort to reduce the interest rates they were paying on debt, corporations began as early as the 1960s to access an alternative supply of investment funds by offering their debentures to foreign investors in the Eurobond market. The imposition of the thirty percent withholding tax on interest paid to these investors, however, initially made this an unattractive mode of financing. Since foreign investors could invest in the debt obligations of governments and businesses of other countries without the payment of such taxes, a United States offeror would have had to increase the yield of its obligation by forty-three percent in order to compensate the investor for the thirty percent United States withholding tax and to compete with other issuers. This prospect was totally unacceptable to most United States issuers.
In an effort to overcome these barriers, corporations began to issue their obligations to foreign investors through foreign “finance subsidiaries” located in a country with which the United States had a treaty exempting interest payments. Corporations generally chose the Netherlands Antilles as the site for incorporation of the finance subsidiary because of the favorable terms of the United States – Kingdom of the Netherlands Income Tax Convention ... The Antillean finance subsidiary would issue its own obligations in the Eurobond market, with the United States parent guaranteeing the bonds. Proceeds of the offering were then reloaned to the United States parent on the same terms as the Eurobond issue, but at one percent over the rate to be paid on the Eurobonds. Payments of interest and principal could, through the use of the U.S.-N.A. treaty, pass tax-free from the United States parent to the Antillean finance subsidiary; interest and principal paid to the foreign investor were also tax-free. The Antillean finance subsidiary would realize net income for the one percent interest differential, on which the Antillean government imposed a tax of about thirty percent. However, the United States parent was allowed an offsetting credit on its corporate income tax return for these taxes paid to the Antillean government. Indirectly, this credit resulted in a transfer of tax revenues from the United States Treasury to that of the Antillean government. (emphasis added)
The use of the Antillean route was so extensive that in the early 1980s, almost one-third of the total portfolio interest paid by US residents was paid through the Netherlands Antilles. (Franson, page 937, footnote 30). There was a lot of pressure on the US government to renegotiate the Antillean tax treaty to close this “loophole”. However, this was unattractive because of the adverse consequences of all existing Eurobonds being redeemed. This is very similar to the difficulties that India has in closing the Mauritius loophole. Just as in India, the tax department in the US too kept on questioning the validity of the Antillean solution on the ground “that while the Eurobond obligations were, in form, those of the finance subsidiary, that in substance, they were obligations of the domestic parent and, thus, subject to the thirty percent withholding tax.” (Franson, page 939).
Matters came to a head in 1984 when the US Congress began discussing amendments to the tax laws “that would have eliminated the foreign tax credit taken by the United States parent for taxes paid by the finance subsidiary to the Netherlands Antilles.” (Franson, page 939). The US Treasury was worried about the implications of closing down the Eurobond funding mechanism and proposed a complete repeal of the 30% withholding tax on portfolio interest. This repeal was enacted in 1984. Since then portfolio investors are not taxed on their US interest income at all. Similar benefits apply to portfolio investors in US equities as well. This tax regime has not only stopped the gift that the US government was giving to the Antilles, but it has also contributed to a vibrant capital market in the US.
It is interesting to note a parallel with the Participatory Note controversy in India: “The Eurobond market is largely composed of bearer obligations because of foreigners’ demand for anonymity. Throughout the congressional hearings on the repeal legislation, concerns were voiced over the possibility of increased tax evasion by United States citizens through the use of such bearer obligations.” (Franson, page 949).
It is perhaps not too much to hope that two decades after opening up the Indian market to foreign portfolio investors in the mid 1990s, India too could adopt a sensible tax regime for them. The whole world has moved to a model of zero or near zero withholding taxes on portfolio investors. Since capital is mobile, it is impossible to tax foreign portfolio investors without either driving them away or increasing the cost of capital to Indian companies prohibitively. It is thus impossible to close the Mauritius loophole just as it was impossible for the US to close the Antilles loophole without first removing the taxation of portfolio investors. The Mauritius loophole is a gift to that country because of the jobs and incomes that are created in that country solely to make an investment in India. Every shell company in Mauritius provides jobs to accountants, lawyers, nominee directors and the like. As the tax laws are tightened to require a genuine business establishment in Mauritius, even more income is generated in Mauritius through rental income and new jobs. All this is a free gift to Mauritius provided by greedy tax laws in India. It can be eliminated if we exempt portfolio income from taxation.
On the other hand, non portfolio investment is intimately linked to a business in India and must necessarily be subject to normal Indian taxes. In the US, the portfolio income exemption does not apply to a foreigner who owns 10% or more of the company which paid the interest or dividend, and India should also do something similar. The Mauritius loophole currently benefits non portfolio investors as well, and this is clearly unacceptable. Making portfolio investment tax free will enable renegotiation of the Mauritius tax treaty to plug this loophole.
Wed, 26 Aug 2015
On October 15, 2014, after an early morning release of weak US retail sales data, the benchmark 10-year US Treasury yield experienced a 16-basis-point drop and then rebounded to return to its previous level between 9:33 and 9:45 a.m. ET. The major US regulators were sufficiently disturbed by this event to prepare a Joint Staff Report about this episode. I blogged about this report last month arguing that there was nothing irrational about what happened in that market on that day.
Now compare that with what happened to the S&P 500 stock market index on August 24 and 25, 2015 in response to bad news from China. On the 24th, the market experienced the following before ending the day down about 4%:
A fall of about 5% within minutes of the open
A rise of about 3.5% over the next hour or so
A fall of about 1.5% over the next hour or so
A rise of about 2.5% over the next hour or so
A fall of about 3.75% over the next three hours or so
The market was a little less erratic the next day, rising 2.5% before falling 4% and ending about 1.4% down.
I see similar phenomena at work in both episodes (15-Oct-2014 US Treasury and 24-Aug-2015 US Stocks): the market was trying to aggregate information from diverse participants in response to fundamental news which was hard to evaluate completely. In Hayek’s memorable phrase, prices arise from the “the interactions of people each of whom possesses only partial knowledge” (F. A. Hayek, “The Use of Knowledge in Society”, The American Economic Review, 35(4), 1945, p 530).
Sometimes, the news that comes to the market is such that it requires the “interactions of people” whose beliefs or knowledge are somewhat removed from the average, and these interactions can be achieved only when prices move at least temporarily to levels which induce them to enter the market. The presence of a large value buyer is revealed only when the price moves to that latent buyer’s reservation price. A temporary undershooting of prices which reveals the knowledge possessed by that buyer is thus an essential part of the process of price discovery in the market when fundamental uncertainty is quite high. To quote Hayek again, “the ‘data’ from which the economic calculus starts are never for the whole society ‘given’ to a single mind which could work out the implications, and can never be so given.” (p 519).
Hayek’s insights are timeless in some sense, but today seventy years later, I venture to think that if he were still alive, he would replace “people” by “people and their algorithms”. Algorithms can learn faster than people, and so sometimes when the algorithms are in charge, the overshooting of prices needs to last only a few minutes to serve their price discovery function. That is conceivably what happened in US Treasuries on October 15, 2014. Sometimes, when the evaluation and judgement required is beyond the capability of the algorithms, human learning takes over and overshooting often lasts for hours and days to allow aggregation of knowledge from people whose latency is relatively long.
Wed, 05 Aug 2015
There are many important and surprising lessons to be learned from the findings in the Kroll report on the bank fraud in Moldova. I believe that these have implications for regulators world wide.
The report is about the collapse in November 2014 of three of the largest banks of Moldova (Unibank, Banca Sociala, and Banca de Economii) which together accounted for 30% of the country’s banking sector. The missing money of more than $1 billion is over 10% of Moldova's GDP.
There are three elements in the story:
A surreptitious takeover of three of the largest Moldovan banks in 2012.
Use of interbank markets and other wholesale sources by these banks to borrow large amounts of money so that they could lend more.
Surreptitious lending of very large amounts of money to one borrower.
The crucial take away for me from the report is that it is possible to evade all the rules and regulations that banking regulators have created to prevent such actions.
For example, as in many other countries, acquisition of a stake of more than 5% in any bank requires formal approval from the National Bank of Moldova. However, shares in the banks were acquired by a large number of apparently unrelated Moldovan, Russian and Ukrainian entities none of which crossed the 5% threshold. All the entities had different addresses and do not seem to have common directors or shareholders. The Kroll report presents some circumstantial evidence that they are related based largely on the fact that they followed similar strategies around the same time and that some of the directors of these entities appear to be nominee directors. I do not believe that this could have been detected in real time. More importantly, I seriously doubt that an attempt to block the purchase of shares at that time on highly speculative grounds would have stood up in a court of law. I conclude that in a modern open economy, ownership restrictions are largely meaningless and unenforceable. They are mere theatre.
Turning to change of control, this too is not easy to establish even in retrospect. The weakest element in the Kroll report in my opinion is that it provides too little evidence that there was a major change in the management and control of the banks. In some of the banks, the management appears to have been largely unchanged. In some cases, where new senior management personnel were inducted, they came from senior positions at other large banks. It is difficult to see how the banking regulator could have objected to these minor management changes.
Finally, the fact that these banks lent such large amounts of money to one single business group (the Shor group) has become apparent only after extensive investigation. The analysis included things like checking the IP addresses from which online banking facilities were accessed by these entities. Media reports suggest that people in Moldova were taken by surprise when the Kroll report identified the Shor group as the beneficiary of massive lending by the failed banks. I am not at all convinced that regulators could have identified all these linkages in real time.
It must also be kept in mind that the whole fraud was accomplished in a little over two years. Supervisory processes work far too slowly to detect and prevent this before the money is gone. I would not be surprised if much of the money left Moldova long ago, and the Shor group was just a front for mafia groups outside the country.
This example has made me even more sympathetic than before to the view that larger capital requirements and size restrictions are the way to go to make banking safer.
As an aside, the “strictly confidential” Kroll report was published in an unusual way. The report was available to only a very limited number of people in the Moldovan government because of the stipulation that:
Any communication, publication, disclosure, dissemination or reproduction of this report or any portion of its contents to third parties without the advance written consent of Kroll is not authorized.
The Speaker of the Moldova Parliament, Mr. Andrian Candu, published it on his personal blog with the following statement (Google Translated from the original Romanian):
I decided to publish the report Kroll and I take responsibility for this action. I do it openly, without hiding behind anonymous sources. ... I understand the arguments of Kroll not to accept publication, but the situation in Moldova and our responsibility to be transparent with the citizens requires us to adapt to the realities of the moment ... I think it is important that every citizen should have access to that report.
Every page of the published report contains the footer:
Private and Confidential: Copy 33 of 33 – Mr. Andrian Candu, the Speaker of the Parliament of the Republic of Moldova
This is about as transparent as one can get. Yet many sections of the media have described the publication of the report as a leak. I think the use of the derogatory word leak in this context is quite inappropriate. In fact, I wish more people in high positions displayed the same courage of their convictions that Mr. Candu has demonstrated. The world would be a better place if they did so.
Sat, 01 Aug 2015
The following posts appeared on the sister blog (on Computing) last month.
Tweets during the last month (other than blog post tweets):
July 25: Pozsar “there are no shadow banks, just a shadow banking system”. Good discussion on bond funds & asset management. http://ssrn.com/abstract=2558945
July 13: @lauraisreal No. We used R
July 12: Economists regain self confidence. Larry Summers in the FT: Economic laws are like physical laws; they do not yield to political will.