Caution for big guys,
hope for little ones

Who will be the next giant slayer? Or the next slayed giant?

TODAY’S OBJECT LESSON begins in the mid 19th century, when a Minnesota jewelry store declined a shipment of watches.

Railroad agent Richard Sears purchased the shipment, peddled the watches, and ordered more. Knowing a good thing when he saw one, he quit the railroad and set up a mail order watch business. A year later, he moved to Chicago, partnered with Alvah Roebuck, expanded into farming equipment and supplies, and published what became a highly successful mail order catalog. That was in 1888. By the 1970s, Sears, Roebuck and Company, today simply known as Sears, had become the world’s largest retailer.

In time, Sears diversified into the financial services arena. They created Allstate Insurance Company in 1931. Later, Dean Witter and Coldwell Banker real estate fell under the Sears umbrella. Sears introduced the Discover card in 1985.

There simply was no catching Sears.

Which may come as a surprise to anyone who happens to know that things soon began going south for the once uncatchable Sears. So south that, in 2005, bankrupt Kmart was able to buy Sears outright.

Today the world’s largest retailer is a company by the name of Walmart. You may have heard of Walmart. It attained world’s-largest status in 1990.

Here I would add that there is simply no catching Walmart, except I know better. As I write, Amazon is fast catching up and may soon take over as the world’s largest retailer.

Other instances of toppled business giants abound. If you haven’t heard of WordStar, you probably weren’t doing much writing in the mid 1980s. That’s when WordStar was the dominant player in the word processing software market. There simply was no catching them. Until, that is, WordPerfect took the world by storm, and there simply was no catching them. Until, that is, Microsoft Word came along and, like many things Microsoft, took over.

Or, take Prodigy (in which Sears was a partner), which gave way to AOL, which gave way to Netscape, which gave way to Explorer, which gave way to Google, which you may also have heard of. Likewise, there was no catching Kodak, once the world’s leading film marketer and, no less, the inventor of the digital camera. They filed for bankruptcy in 2012. There once was no catching Dell, Blockbuster, and Motorola, either.

Underlying all of this is a lesson of humility and caution for giant companies and one of hope for up and coming, scrappy ones.

For the former, the lesson of caution is never assume you’re safe, that you’re uncatchable. For the latter, the lesson of hope is, who says you can’t become the next world’s largest?

Posted in Uncategorized by Matt. No Comments

Visors and digital
sleeve garters


Sleeve garters may be quaint today, but once they were quite functional.

It’s not hard to pick out the banker in a Western. Just look for someone sporting sleeve garters and a translucent visor.

This is a rare case in which Hollywood actually gets things right. In the late 19th century, sleeve garters served a practical purpose. Back then, you couldn’t walk into Nordstrom and ask for your neck size and sleeve length; if you couldn’t afford your own tailor, you made do with a one-size-fits-nobody. Shirt makers tended to err on the side of making sleeves way too long, so unless you wanted cuffs below your fingertips, you’d don garters to hoist them up where they belonged. This also helped reduce soiling from dragging sleeves over ink, dusty shelves, and musty documents.

Translucent green visors came along a little later on the heels of newfangled incandescent lighting. Clerks donned the visors to protect their eyes from the harsh overhead light of early bulbs. That’s also why green shades sit atop the traditional banker’s lamp.

Fast forward to a few decades ago …

Worsted and flannel suits in navy and charcoal gray had become all but required attire for bankers and other professionals. Suits were dark and somber for two reasons. One was that dark fabrics hide stains better than light ones. The other was that, until dry cleaning came along, the only way to make a stain “disappear” was to dye the whole suit a few shades darker.

Fast forward to today …

A growing number of banks are opting for business casual, having traded the suit and tie for khakis and sport shirts.

Assuming, that is, we’re talking about banks that still bother with physical locations. For all you know, your online banker could be in a T-shirt and blue jeans.

And that has marketing implications. Despite their practical origins, sleeve garters, visors, and, later, dark suits circled around to become symbols of professionalism. You could walk into a bank, see the attire, and—right or wrong—feel some assurance that you were dealing with competence.

The new challenge is to convey an aura of competence absent the traditional trappings that once characterized banks. That job increasingly falls to websites and apps. More than function, they must look and feel like the kind of business to whom people would willingly entrust their funds, business and personal information, and more.

Branding isn’t going away. Like everything else, it’s going digital.

Keeping up with the
security arms race

Data breaching is big business. It is, as I wrote last week, something of an arms race. When we strengthen our armor, we don’t send the bad guys home in ignominious defeat; we send them off to upgrade their armor-piercing weaponry so they can return for another foray.

The financial fraud arms race is as old as currency itself, and there’s no reason to expect it ever to end. Last week, HEI Hotels became the latest large-scale victim, following in the footsteps of notables like MySpace, the Internal Revenue Service, The Home Depot, Target, Neiman Marcus, and others.

The above are not anomalies. If you’re in the mood for being alarmed, click here to view “World’s Biggest Data Breaches: Selected losses greater than 30,000 records.” Lest bankers seek solace in the thought that breaches are more a retail than a banking problem, click “banking” in the filter box at the upper right.

But before you decide that your best option is to wait out the arms race under your desk in fetal position, I have good news. There is much that banks can do to protect themselves, merchants, and consumers.

Here are a few tips:

Keep up with security technology. Bad guys regrouping and returning notwithstanding, it turns out that we good guys are pretty good at keeping pace and, at times, a step or two ahead. To ignore the state of the art is to look for trouble. That should go without saying, but you’d be surprised how many financial institutions give data security more lip service than action. To be sure, upgrading is costly in terms of software, hardware, retraining personnel, and, sometimes, retraining consumers. But the cost of keeping current is a bargain compared with the costs—which include legal, insurance, and client confidence costs—of a serious breach.

Keep up with security news. A host of business and financial publications are available and useful. Still in the mood for a good but needful scare? Try UBM Technology’s You might also follow UBM’s blackhat blog and consider attending a blackhat® convention.

Never assume the security arms race has been won. The much-heralded credit card chip has a track record of reducing but not eliminating fraud.

If your financial institution is small, don’t fall into the trap of thinking you’re an unlikely target. Smallness may increasingly make you a more likely target. Like anyone, hackers prefer the course of least resistance. More hackers are turning their attention to smaller banks and other smaller businesses that tend not to be able to afford the best protections or not to bother with them. Which means you must bother with them and find a way to afford them.

Beware the isolation trap. Data security is its own field of expertise. Even if you employ your own, first-rate team of tech geniuses, their combined expertise cannot approach that of companies entirely focused on digital banking technology. (Note: Should you accuse me of using my blog to make a blatant, shameless pitch for the likes of my employer, Fiserv, I’m offended at the accusation—even though that’s exactly what I’m doing. I highly recommend checking out our compliance and fraud management page among others.)

Be proactive in educating your merchant and consumer clients. This is as much a marketing as a security measure. Security concerns have been known to hold people back from adopting mobile banking technology. Educating clients on security precautions increases mobile technology adoption.

For merchants, PC Magazine’s Max Eddy reported on an interesting piece of advice: Do not use chip reading terminals that still have magnetic stripe reading capability. According to Eddy, during a recent Black Hat conference, security guru Peter Fillmore showed that terminals which read both chips and stripes leave an exploitable security gap. Fillmore also demonstrated the ease of capturing data from tap cards.

For what it’s worth, Eddy reported that Fillmore had reluctant, high praise for Apple Pay:

“I want to kick at Apple Pay but I can’t,” Fillmore joked. “It’s one of the best methods for these transactions … and is generally more secure than your cards.”

Fillmore said that Apple Pay has a lot going for it since it has a separate secure element chip and performs the transactions on that secure chip. But Fillmore reasoned that Apple Pay is susceptible to the attacks he demonstrated because the cards themselves are insecure. It would depend on the cards loaded into Apple Pay and if an attacker found a way to force someone to make a particular transaction in order to snag the data.

For consumers, U.S. News & World Report contributor Anisha Sekar suggests that financial institutions advise them in the basics: only buy from websites whose URL starts with “https,” set up alerts for every card and digital transaction, sign card backs, avoid use of public Wi-Fi, and, to limit personal liability, notify the bank immediately of a lost or stolen card.

I urge you to take heed. I don’t want to see you on the next version of the World’s Biggest Data Breaches: Selected losses greater than 30,000 records. There are better ways to earn recognition.

Another casualty in the
secure data arms race

Uh oh. It seems HEI Hotels has joined the ranks of The Home Depot, Target, and other substantial “hackees.” On August 12, HEI published a “Notice of Data Breach.”

HEI Hotel properties affected by the breach
You may not have heard of HEI, but you have certainly heard of the 20 potentially targeted properties, or at least their brands, that HEI operates. These include Marriott, Hyatt, Equinox, Intercontinental, Sheraton, Westin, and others.

From the HEI Notice:

Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.

HEI believes the malware could have affected “… payment card data—including name, payment card account number, card expiration date, and verification code—of customers who used a payment card at point-of-sale terminals at the affected properties.”

According to a report released two days ago, the malware had its way with HEI for a whopping 15 months, from March 1, 2015 through June 21, 2016. That’s plenty of time for tens of thousands of transactions.

HEI operates high-end properties, so it may not be unreasonable to assume that the average wealth of those targeted, and their respective card limits, may be higher than, say, the average THD or Target shopper. Moreover, both business and consumer credit cards may have been hacked.

Digital security is an arms race. Each time the good guys come up with a new way to foil hackers, the hackers simply busy themselves defeating it. I don’t expect the arms race to end anytime soon, if ever. Not even chip cards will do away with fraud, although chip use in Canada and other countries has reduced it.

But we needn’t sit helpless. There is much that banks, merchants, and consumers can do to protect themselves. In next week’s post, I’ll go into that in more depth.

Apple: Falling up or down?


IT’S A FACT that Sir Isaac Newton set forth laws of motion and gravitation that have endured for nearly four centuries with precious little revision. It also appears to be a fact that the sight of a falling apple may indeed have catalyzed his theorizing about gravity. The part about its bonking him on the head was an embellishment that came along years later.

If Newton were to park his remarkable noggin under a tree today, there is some question as to whether he would have observed an apple—that is, Apple Pay—on its way down or up. Four weeks ago, The Street ran a piece by Brian O’Connell entitled “Apple Pay Growth Sours As Consumers Reject Digital Payments”. Two weeks ago, Business Insider ran a piece by BI Intelligence, which somehow I suspect is not the name of a real person, entitled “Apple Pay is dominating the mobile payments industry.”

O’Connell opens with the suggestion that Apple executives love to talk about the success of their technology, but prefer to dodge conversations about Apple Pay. Reasons he cites:

“In the U.S., iPhones account for about 44% of the estimated 207 million smartphones,” notes Andy Schmidt, principal executive advisor at CEB Tower Group in Boston. “Of these iPhones, approximately 29% of them are from the iPhone 6 family—the devices that support Apple Pay. That means that only about 13% of all smartphones in the U.S. are even capable of using Apple Pay.”

Vendor adoption is another issue that’s holding back Apple Pay, Schmidt says. “While 13% of U.S. smartphones are Apple Pay enabled, not all vendors accept it either at point of sale (POS) or online where the ‘buy now’ button reigns supreme, further decreasing potential adoption,” he adds.

The above reporting appears at odds with the BI Intelligence article, which opens:

In its Q2 2016 earnings call, Apple provided some new Apple Pay data that indicates the service’s ongoing steady gains.

The data indicates that as the platform expands internationally, it continues to hold its own in the US mobile payments market despite the entrance of strong competition …

BI Intelligence credits the alleged success of Apple Pay to growth of monthly active users, due largely to international growth, and popularity in the U.S., where Apple Pay accounts for a reported three out of four contactless transactions.

It’s nothing new when the same data lead to opposing interpretations. Nor is it a secret that no one, not even the most scrupulous journalist, is immune to bias. This may be a case where we must await future hindsight in order to know whether glass-half-empty or glass-half-full reporting was right. Meanwhile, it’s an exciting ride we can all enjoy.
