Keeping up with the security arms race

Data breaching is big business. It is, as I wrote last week, something of an arms race. When we strengthen our armor, we don’t send the bad guys home in ignominious defeat; we send them off to upgrade their armor-piercing weaponry so they can return for another foray.

The financial fraud arms race is as old as currency itself, and there’s no reason to expect it ever to end. Last week, HEI Hotels became the latest large-scale victim, following in the footsteps of notables like MySpace, the Internal Revenue Service, The Home Depot, Target, Neiman Marcus, and others.

The above are not anomalies. If you’re in the mood for being alarmed, click here to view “World’s Biggest Data Breaches: Selected losses greater than 30,000 records.” Lest bankers seek solace in the thought that breaches are more a retail than a banking problem, click “banking” in the filter box at the upper right.

But before you decide that your best option is to wait out the arms race under your desk in fetal position, I have good news. There is much that banks can do to protect themselves, merchants, and consumers.

Here are a few tips:

Keep up with security technology. Bad guys regrouping and returning notwithstanding, it turns out that we good guys are pretty good at keeping pace and, at times, a step or two ahead. To ignore the state of the art is to look for trouble. That should go without saying, but you’d be surprised how many financial institutions give data security more lip service than action. To be sure, upgrading is costly in terms of software, hardware, retraining personnel, and, sometimes, retraining consumers. But the cost of keeping current is a bargain compared with the costs—which include legal, insurance, and client confidence costs—of a serious breach.

Keep up with security news. A host of business and financial publications are available and useful. Still in the mood for a good but needful scare? Try UBM Technology’s DarkReading.com. You might also follow UBM’s blackhat blog and consider attending a blackhat® convention.

Never assume the security arms race has been won. The much-heralded credit card chip has a track record of reducing but not eliminating fraud.

If your financial institution is small, don’t fall into the trap of thinking you’re an unlikely target. Smallness may increasingly make you a more likely target. Like anyone, hackers prefer the course of least resistance. More hackers are turning their attention to smaller banks and other smaller businesses that tend not to be able to afford the best protections or not to bother with them. Which means you must bother with them and find a way to afford them.

Beware the isolation trap. Data security is its own field of expertise. Even if you employ your own, first-rate team of tech geniuses, their combined expertise cannot approach that of companies entirely focused on digital banking technology. (Note: Should you accuse me of using my blog to make a blatant, shameless pitch for the likes of my employer, Fiserv, I’m offended at the accusation—even though that’s exactly what I’m doing. I highly recommend checking out our compliance and fraud management page among others.)

Be proactive in educating your merchant and consumer clients. This is as much a marketing as a security measure. Security concerns have been known to hold people back from adopting mobile banking technology. Educating clients on security precautions increases mobile technology adoption.

For merchants, PC Magazine’s Max Eddy reported on an interesting piece of advice: Do not use chip-reading terminals that still have magnetic stripe reading capability. According to Eddy, during a recent Black Hat conference, security guru Peter Fillmore showed that terminals which read both chips and stripes leave an exploitable security gap. Fillmore also demonstrated the ease of capturing data from tap cards.

For what it’s worth, Eddy reported that Fillmore had reluctant, high praise for Apple Pay:

“I want to kick at Apple Pay but I can’t,” Fillmore joked. “It’s one of the best methods for these transactions … and is generally more secure than your cards.”

Fillmore said that Apple Pay has a lot going for it since it has a separate secure element chip and performs the transactions on that secure chip. But Fillmore reasoned that Apple Pay is susceptible to the attacks he demonstrated because the cards themselves are insecure. It would depend on the cards loaded into Apple Pay and if an attacker found a way to force someone to make a particular transaction in order to snag the data.

For consumers, U.S. News & World Report contributor Anisha Sekar suggests that financial institutions advise them in the basics: only buy from websites whose URL starts with “https,” set up alerts for every card and digital transaction, sign card backs, avoid use of public Wi-Fi, and, to limit personal liability, notify the bank immediately of a lost or stolen card.

I urge you to take heed. I don’t want to see you on the next version of the World’s Biggest Data Breaches: Selected losses greater than 30,000 records. There are better ways to earn recognition.

Posted in Uncategorized by Matt. No Comments

Another casualty in the secure data arms race

Uh oh. It seems HEI Hotels has joined the ranks of The Home Depot, Target, and other substantial “hackees.” On August 12, HEI published a Notice of Data Breach.

[Image: HEI Hotel properties affected by the breach]

You may not have heard of HEI, but you have certainly heard of the 20 potentially targeted properties, or at least their brands, that HEI operates. These include Marriott, Hyatt, Equinox, Intercontinental, Sheraton, Westin, and others.

From the HEI Notice:

Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.

HEI believes the malware could have affected “… payment card data—including name, payment card account number, card expiration date, and verification code—of customers who used a payment card at point-of-sale terminals at the affected properties.”

According to a DigitalTrends.com report released two days ago, the malware had its way with HEI for a whopping 15 months, from March 1, 2015 through June 21, 2016. That’s plenty of time for tens of thousands of transactions.

HEI operates high-end properties, so it may not be unreasonable to assume that the average wealth of those targeted, and their respective card limits, may be higher than, say, the average THD or Target shopper. Moreover, both business and consumer credit cards may have been hacked.

Digital security is an arms race. Each time the good guys come up with a new way to foil hackers, the hackers simply busy themselves defeating it. I don’t expect the arms race to end anytime soon, if ever. Not even chip cards will do away with fraud, although chip use in Canada and other countries has reduced it.

But we needn’t sit helpless. There is much that banks, merchants, and consumers can do to protect themselves. In next week’s post, I’ll go into that in more depth.


Apple: Falling up or down?


IT’S A FACT that Sir Isaac Newton set forth laws of motion and gravitation that have endured for nearly four centuries with precious little revision. It also appears to be a fact that the sight of a falling apple may indeed have catalyzed his theorizing about gravity. The part about its bonking him on the head was an embellishment that came along years later.

If Newton were to park his remarkable noggin under a tree today, there is some question as to whether he would have observed an apple—that is, Apple Pay—on its way down or up. Four weeks ago, The Street ran a piece by Brian O’Connell entitled “Apple Pay Growth Sours As Consumers Reject Digital Payments”. Two weeks ago, Business Insider ran a piece by BI Intelligence, which somehow I suspect is not the name of a real person, entitled “Apple Pay is dominating the mobile payments industry.”

O’Connell opens with the suggestion that Apple executives love to talk about the success of their technology, but prefer to dodge conversations about Apple Pay. Reasons he cites:

“In the U.S., iPhones account for about 44% of the estimated 207 million smartphones,” notes Andy Schmidt, principal executive advisor at CEB Tower Group in Boston. “Of these iPhones, approximately 29% of them are from the iPhone 6 family—the devices that support Apple Pay. That means that only about 13% of all smartphones in the U.S. are even capable of using Apple Pay.”

Vendor adoption is another issue that’s holding back Apple Pay, Schmidt says. “While 13% of U.S. smartphones are Apple Pay enabled, not all vendors accept it either at point of sale (POS) or online where the ‘buy now’ button reigns supreme, further decreasing potential adoption,” he adds.

The above reporting appears at odds with the BI Intelligence article, which opens:

In its Q2 2016 earnings call, Apple provided some new Apple Pay data that indicates the service’s ongoing steady gains.

The data indicates that as the platform expands internationally, it continues to hold its own in the US mobile payments market despite the entrance of strong competition …

BI Intelligence credits the alleged success of Apple Pay to growth of monthly active users, due largely to international growth, and popularity in the U.S., where Apple Pay accounts for a reported three out of four contactless transactions.

It’s nothing new when the same data lead to opposing interpretations. Nor is it a secret that no one, not even the most scrupulous journalist, is immune to bias. This may be a case where we must await future hindsight in order to know whether glass-half-empty or glass-half-full reporting was right. Meanwhile, it’s an exciting ride we can all enjoy.


Clay, counterfeiters, and digital banking

Globular envelope with a cluster of accountancy tokens, from Susa. Louvre Museum (Wikipedia)

Languages spoken in commerce-less civilizations typically have words for the numbers one through five—something to do with the fact that most of us carry around five fingers on each hand—but have no word for six or anything beyond. Instead, they make do with a catch-all word that roughly translates to “a whole bunch.”

Societies engaged in the simplest of trade needed little more. The invention of words for numbers greater than five became needful only when keeping track of trade required more than the fingers of one hand. With the unreliability of memory and the reality of human perfidy, an accurate means of recording numbers soon followed.

Here, we owe fourth century BCE Mesopotamia a debt of gratitude. It was about that time that the Mesopotamian sheep trade really took off. To keep track of payment, traders devised a small clay token, marked with a plus sign, which everyone agreed represented the value of one sheep.

Do not underestimate the importance of that plus sign. As far as historians have been able to trace, this marked the world’s first appearance of written language. The earliest writing owes its start not to artistes seeking expression, but to merchants seeking top dollar for livestock.*

One token per sheep was fine for ma-and-pa sheep merchants, but hauling around oodles of clay tokens proved impractical for big box sheep merchants. This led to the development of denominations: They devised a token for ten sheep, another for twenty, and so forth.

As fast as enterprising Mesopotamians came up with tokens, other enterprising Mesopotamians came up with ways to counterfeit them. Since security chips, holographic images, and polyester threads printed with minute letters were scarce 6,000 years ago, resourceful merchants developed other ways to foil counterfeiters. Some of them were quite ingenious. Wikipedia reports:

To ensure that nobody could alter the number and type of tokens, they invented a clay envelope shaped like a hollow ball into which the tokens on a string were placed, sealed, and baked. If anybody disputed the number, they could break open the clay envelope and do a recount.

I found this next part of particular interest:

To avoid unnecessary damage to the record, they pressed archaic number signs and witness seals on the outside of the envelope before it was baked, each sign similar in shape to the tokens they represented.

Hmm. They agreed upon the value of a token that was marked with a number; then they locked the tokens out of view and relied on authenticated markings to represent their sum total value. At least symbolically, that’s what we do today: We agree upon the value of a unit (dollar, yen, euro, what-have-you), lock it out of view, and represent the sum total of units by means of authenticated markings—except we use a screen instead of a clay ball.

Page from Precolumbian Mayan Dresden Codex (Wikipedia)

Ironically, the very system of trade that required the invention of numbers greater than five has gone full circle. The “tokens” we use today have even allowed us to dispense with the numbers two through five. We manage quite well using only ones and zeroes.

________________

*Though writing first arose in Mesopotamia as far as historians know, writing arose independently in other locales. Mesoamericans invented writing around the first millennium BCE, and not for commerce, but for literary purposes. Chinese characters most likely arose independently as well. The earliest verified evidence of Chinese writing dates to the late Shang dynasty toward the end of the second century BCE. Literacy in China today requires knowing from 3,000 to 4,000 characters. If you didn’t grow up learning them, good luck with that. That may have interesting implications as increasingly significant numbers of Chinese adopt digital payments systems.


Welcome to India

Mumbai, India’s capital. Population 18.4 million.

This week you will be hard-pressed to find a financial periodical, blog, or website that isn’t raving about India as the next land of opportunity for the digital payments industry.

From the tidal wave of news reports, the casual observer might conclude that, by sheer coincidence, independent reporters happened upon the same data and drew the same conclusions at exactly the same time.

In fact, nearly all of the news stories can be sourced to a joint study that Google and Boston Consulting Group undertook with Nielsen and published on Monday. You can tell they all used the same source because they all credit the study and because they all cover pretty much the same copy points. These include: 

  • Digital payments is relatively new to India.
  • People in India really dig their smartphones.
  • Convenience matters to Indians.
  • Roughly half of Indians have no banking relationship, which means they don’t have credit cards.
  • 81 percent of existing Indian users like digital better than other payment forms.
  • More than half of Indians are projected to use digital payments by 2020.
  • The top 100 million digital payments users are projected to account for 70 percent of gross merchandise value.
  • Ergo, digital payments is expected to take India by storm, to the tune of a projected $500 billion, by 2020. If I did the math right, that’s in four years.

For more information and details, the Google-BCG report is well worth a read.

Most of this week’s articles feature a quote from Rajan Anandan, Google’s vice president and managing director for Southeast Asia and India, so I suppose it’s fair game for me to reproduce it here:

“Spurred by smartphone penetration, and supported by progressive regulatory policy, the digital payments industry is at an inflection point and is set to grow 10X by 2020. It is telling that half of India’s internet users will use digital payments and that the top 100 million users will drive 70% of the GMV – a clear indicator of the growing importance of the digital consumer.”

Meanwhile, four days before the release of the Google-BCG report, Business Insider reported that in Bangalore, FlipKart will invest the equivalent of over $100 million U.S. in creating its own digital payments business in India.

This is all exciting news. Just a couple of cautions: 

First, the Nielsen study and the subsequent report rely on self-reported data and inference, which aren’t always reliable. You cannot assume that people will act as they predict. To wit, Harry Truman did not lose to Thomas Dewey.

Second, it’s not always wise to launch big plans from one report based on one study. The wiser course would be to conduct additional studies to see if they validate or challenge the results. I realize that said wiser course can burn development time and give competitors a head start. The solution may be to conduct further study while at the same time putting plans in motion, remaining open to adapting should the data warrant. 

India may well mushroom into one of the leading online payments markets. My cautions mean only that, as with any study, we should consider the data and conclusions with care. In no way am I dismissing the research or suggesting we ignore it. In fact, I’m pretty psyched about it. After all, the folks at Nielsen, Google, and BCG are pretty danged bright. With the rapid advance of mobile payments throughout the rest of the world, there’s no reason to suppose its advance won’t be as dramatic or more so in India.

India has 22 officially recognized languages. Besides those, it has over 150 unofficial languages spoken in significant numbers. Besides those, it has over 1,600 languages spoken among smaller populations. Even within one country, language differences portend cultural differences. These can be from the nuanced to the obvious. That means a marketing strategy that works with one population may not with another. Moreover, there is no such thing as word-to-word translation. Translation is more of a concept-to-concept thing, with an ever-present danger of tripping up due to connotation, idiom, or local custom. 

Marketers, your challenge awaits you.
