Learning Lessons From Large Scale Breaches
At this point, there’s no ignoring it: our financial security is compromised daily. No doubt many reading this could recount every breach they have been a part of as consumers: merchant breaches in which replacement cards forced you to update your linked accounts, or data compromises in which personal information was stolen, identity theft protection was provided, and you were left to consider freezing new credit originations.
These are only the breaches we know about — considering the residual risk of all the data breaches we’ve been exposed to, the totality of it all becomes immense. Back at the start of 2014, I suggested that we’re experiencing data breach fatigue; today it’s closer to data breach exhaustion, and consumers may now feel powerless.
We must ask ourselves as consumers: what exactly is being compromised? What information has fallen into the pocket of an attacker, and how could they use it against me? As we are compromised once, twice, or many times over, are we exposed to ever greater risk? How vulnerable are we when it is revealed that personal details landed in the hands of hackers and fraudsters?
Typically, the most concerning data for consumers is demographic data that can be used in authentication, in opening fraudulent accounts (identity theft), or, if an attacker also holds the relevant non-public personal information, in unauthorized spending on a payment card or outright account takeover. There is a risk here to be sure, even if we, as service providers, don’t yet appreciate its impact. So what lessons are out there?
Zombie authenticators and static data elements are a gift to hackers
Well, for starters: why are we still using knowledge-based authentication built on static data elements issued by third parties? Government identity numbers (Social Security numbers in the U.S.), home addresses and dates of birth are zombie authenticators – even worse than passwords! They have been compromised so many times, or are available through public or searchable sources, and yet we still rely on them in 2017.
Fraudsters keep databases of these elements as well, and anyone with an account on a dark-web site can query an underground database to see whether a birthday, SSN (Social Security number) or home address exists for the intended target. In fact, there is already a neologism for this: “credential stuffing”, the act of intercepting and using as many compromised authentication elements as possible (e.g. account login or recovery credentials) in an attempt to take over an account.
Biometrics and other authentication measures should be embraced
When I am asked to authenticate myself, I cringe when I see these types of questions. I would much rather do business with an entity that has a more rigorous authentication process and does something far more clever and sophisticated to validate that I am, in fact, me. We now have biometrics, where the customer can use them remotely in a mobile app. We have dynamic account-based questions (whose answers are known only to the service provider and the customer), and we have multifactor out-of-band authentication. These can be embraced to deliver a far stronger authentication experience and reduce the potential for account takeover. Would I feel more secure in a world of high-frequency data breaches knowing that my financial institution authenticated me with two factors? Could this actually be faster than the present practice of asking multiple questions throughout a contact center session? Of course!
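The out-of-band second factor described above, as an added example that is not from the original post: a hypothetical server-side challenge store that issues a short random code over a second channel (the `send` callback, assumed here), keeps only a keyed hash of it, and accepts it once, within a time window, with an attempt limit. `SERVER_KEY` and the in-memory `_challenges` dict are assumptions standing in for a real deployment's secret and storage.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical out-of-band (OOB) challenge store. Unlike a static SSN or date
# of birth, the code is fresh per login, delivered over a second channel, and
# worthless once used or expired.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)

_challenges = {}  # account_id -> {"digest", "expires", "attempts"} (assumed store)


def _digest(account_id, code):
    # Keyed hash bound to the account, so a copy of the store reveals no codes.
    msg = f"{account_id}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_code(account_id, send, now=None):
    """Create a one-time code for account_id and hand it to `send` (the OOB channel).
    Only the keyed hash is retained server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # 6 digits, uniform over 000000-999999
    _challenges[account_id] = {
        "digest": _digest(account_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send(account_id, code)


def verify_code(account_id, submitted, now=None):
    """Return True once for the correct, unexpired code; False otherwise.
    The challenge is consumed on success and after MAX_ATTEMPTS failures."""
    now = time.time() if now is None else now
    entry = _challenges.get(account_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _challenges[account_id]
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["digest"], _digest(account_id, submitted))
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _challenges[account_id]  # single use; lock out after repeated failures
    return ok
```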
I know no one wants to get a letter from their financial institution, or look themselves up on a newly created security webpage to find out they are exposed after a large breach is revealed, but this is the reality. To sit idly by and continue authenticating with the static data elements that are most consistently compromised is to ignore the lesson of every breach du jour.