Online Privacy and Fraud is not that big a deal…eventually

I hear a lot of individuals in the financial services space expressing concerns about the risk of conducting business online, the lack of privacy in social media, the issues of identity theft and so forth. I’m not sure what these proponents of the ‘high-risk involvement’ model hope to accomplish, but if they realistically think that flagging concerns about privacy and online fraud will make ANY sort of dent in the progress of digital engagement through online, mobile, or social media – their mental health may need to be assessed. The best they can hope for is increased awareness of the issues.

Dealing with the digital landscape as far as payments and identity is inevitable. The issue becomes how to manage your online presence moving forward, and not if you should be conducting commerce digitally or participating in social networks.

It’s easier to commit fraud offline

While we hear lots about online fraud, the fact is that when it comes to things like credit card fraud, it is still far, far easier to commit fraud when a physical card or physical process is involved. Recently I was in London launching BANK 2.0, and at every restaurant where I presented my card, the waiter would come to the table with a wireless POS terminal to process my card. This is undoubtedly because of the simple risk associated with letting my credit card out of my sight. It takes just seconds to run a card through a mag-stripe reader and replicate that card physically. Even with Chip and PIN, which is common throughout the EU, it would not be that hard to shoulder surf your PIN if I really wanted to.

I used a foreign credit card in the UK, however, so I am not afforded the protection of a PIN when I’m visiting the UK. In most instances I was actually asked to show my card so the signature could be verified, but in reality if someone had duplicated my card, then the signature they’d be using would be one they had created in any case. In the US, there is not even the protection of Chip and PIN, and the physical processes allow for easy access to copy a credit or debit card.

The fact is, the weakest link when it comes to fraud is always the physical medium. Granted, phishing attacks designed to glean your account number and password for Internet banking are today a major issue, but again the weakest link is not the technology but the customer who willingly submits his information to a fraudulent site.

Many markets have already solved this problem through two-factor authentication (TFA). The markets that have moved more slowly on this innovation are obviously now reaping the reward for their lack of innovation. It is, in fact, not that fraud is easier online; it is that card issuers, retailers, banks and regulators simply are not keeping up with the behavioral shift to digital and have not leveraged the quite simple technologies that actually make digital more secure.

The US is only now moving to new POS infrastructure around contactless cards, and the fact that the EU has yet to broadly adopt TFA is just another example of the lack of innovation in fraud management. Customers move with innovations in the digital space, bankers don’t, and fraudsters exploit the gaps while they can.

Increasing digital interactions are inevitable – deal with it.

I find it amusing that those that are strongest in vocalizing the risks in online privacy are often those that in reality have the most to gain. For example, while check (or cheque) fraud is less frequent today, the fact is that the check in itself is an outmoded payment mechanism. It is not an efficient way to pay in almost any measure that makes sense today. Checks are cumbersome to carry, error prone, easily corrupted, costly and are increasingly difficult to handle, especially if you are trying to cash a check issued cross-border for example.

I’ve heard bankers argue till they’re blue in the face that checks are here to stay, and yet in the same breath they admit that they don’t know how they are going to continue to afford to process checks and admit data increasingly shows that in developed markets checks are in terminal decline.

So why aren’t banks rushing to embrace person-to-person payment capabilities, improving interbank connectivity, and trying to integrate better, simpler security mechanisms into electronic interactions? The only thing I can figure is that there is so much organizational inertia around traditional mechanisms like checks and TTs (telegraphic transfers) that it is often just seen as too hard to change.

The fact is today that no government, no bank, no threat on the planet, could viably stop the adoption of social media, mobile phones, payment technologies like P2P and other such innovations. It is simply a question of how soon – not if.

How digital will be far safer

Commercial interactions in the digital realm are instantaneous, completely auditable, measurable and can occur anytime, anywhere without the requirement of any specific physical instrument, except a browser or mobile phone. The fact that I can pay you in real-time, without any special process or instrument is ultimately the big draw-card.

So how do we make it safe? Embedding payments into the phone is the first step. The combination of the phone SIM, the ownership of the physical platform (handset) and the payment process will be safer than today’s credit card process. However, the simple incorporation of biometrics, the most promising being fingerprint, voice or facial recognition, will make such transactions orders of magnitude safer than current physical payment processes, including cash.

The likelihood is that Apple, Google or the handset manufacturers will be the ones to lead with these technologies, rather than banks working to incorporate them into the platforms. But the patents are already out there; we’re just waiting for the commercialization.

Biometrics are the ultimate solution to digital privacy

What about privacy?

The reality is, I don’t know of one individual who has stopped using Facebook, Twitter, email or their mobile phone as a result of privacy concerns. That doesn’t mean as individuals we should be complacent. The fact is, that we’ll probably end up with two distinct personas when it comes to the digital space.

  1. Our public persona, where we accept a compromised privacy level in respect to our personal details (email, profile, date of birth, etc), and
  2. A secure persona, which we will protect fiercely because of the financial implications or risk.

The biggest risk to our secure persona today is identity theft. Recent Twitter hacks, Facebook scams, Hotmail account takeovers and other examples occur because it is still relatively easy to get someone’s credentials through an app, a phishing site, or other such methods. Again, the answer here is that our secure persona needs to be linked to biometrics and not to weak mechanisms built around an ID and password. I don’t see anyone working on this as yet, but it is the obvious answer and the core technology is pretty much there. We just need one of the big social media networks like Facebook, or say Apple with their iPhone/iPad, to embed it and it will become ubiquitous fast.

But one thing that won’t happen is a mass exodus away from digital innovations through privacy concerns.

Comments

  1. Ron Shevlin says:

    You’re spot on.

    I get the sense that those who focus on pointing out all of the risks involved with new channels, new forms of payment, etc. are simply establishing and protecting their “turf”. Change is a threat to them. So they resist.

    As to your question “why aren’t banks rushing to embrace person-to-person payment capabilities?”, I think the answer is actually pretty simple: They can’t figure out the ROI on it.

    The past couple of years have seen a focus among US banks on building out expedited payment capabilities on their online platforms.

    The banks saw this as a new revenue generator. But, Brett, I can tell you that of the 74 banks I surveyed/interviewed earlier this year, not one of them said they were generating any meaningful revenue through this service.

    With that kind of experience, new services like P2P have an even harder time becoming reality.

  2. Robert Brown says:

    First of all, just wanted to say that I have your book on order and look forward to reading it.

    As a CISO at a financial institution I have a number of thoughts about this article.

    First of all, and at least in my case, I’m an avid user of social networking – but I also understand what the risks are. I could write pages about the topic but one of the biggest issues related to your post is this: the complete lack of authentication around account opening. Anyone can sign up for a Facebook account, place my name on it, and go become ‘friends’ with people I might know. Even security pros have fallen victim to imposters – have a look at this recent article.

    http://www.darkreading.com/ins.....=225702468

    If you can’t reliably know who you are dealing with, it’s hard to build any kind of payments or account validation infrastructure on top of it.

    Next problem, and you talk about it above – passwords are a really bad way to authenticate people but that’s the widely used method today. Here’s a new article, published today, that shows that 75% of individuals use the same password for social networking and e-mail.

    http://www.securityweek.com/st.....-and-email

    Of course they do, and they also use that same password for lots of other things, including their company networks. Education isn’t going to overcome this gap, either. So now you are dealing with a larger intersection of risk across banking, social media, and corporate systems. They all meet at the common point – shared passwords. Better authentication will be needed, but it MUST be easier than what we have today. Otherwise users will revolt and just not use it.

    One thing I will not so much disagree with but change the context of: offline fraud is easier to commit, but harder to scale. Here’s an example from last week:

    http://www.eweekeurope.co.uk/n.....-bank-8928

    The attacker can write a single banking trojan and e-mail it to lots of people that work for different banks. If their system is not bleeding-edge current on patching, they can be silently compromised and used to facilitate money movement. You can lose a lot in a short period of time that way. It takes more knowledge to get going but can be a lot more damaging.

    What it comes down to, at least in my case, is that I think social media and mobile are absolutely the future and we all have to get fully on board with using them. The challenge really comes down to a few things. Greatly simplifying, it’s knowing you are talking to the correct user/customer, modeling their behaviors for risk (extending what we do for credit cards today), and working under the assumption that whatever platform they are on (PC/mobile/other) is inherently insecure and could be compromised.

    It’s a tough problem, especially at a grand scale. When you see security folks like me expressing concerns, it’s because they are real and there aren’t good widely-accepted solutions to the problems yet. It doesn’t mean we don’t like or want to get on board with social media, it just means there is a bit of smart due diligence and thought needed to make sure we get it right.

    • bank2book says:

      Rob,

      Your point on scale is an excellent one, I hadn’t really considered that in the overall framework – I was more focused on modality. However, regardless – if biometrics or TFA incorporating biometrics was built into the online/mobile experience, then my view is that security is still a whole lot more secure.

      A few years ago we were testing a bunch of online banking authentication methods and we tried multiple passwords, choosing the 3rd, 5th and 7th character of your password, etc., and we found that as we made the experience more complex customers were forced to employ workarounds (such as writing their passwords down) to be able to ‘remember’. Thus, the more secure we tried to make the system with authentication methods, the less secure it actually became. Thus, passwords aren’t the answer – as you’ve pointed out.

      I agree there are concerns, and I agree that there is more work to be done on the infrastructure. My point is that development of underlying infrastructure to improve authentication systems is inevitable because regardless of privacy concerns there is no slow down in take up of stuff like social media. It will be up to guys like you and I to work out simple ways to improve security. Ultimately my view is that biometrics fit that bill. Now, that may not be the easiest short-term solution, but I see it as the only ultimate solution across the board.

      BK
