Learning Lessons From Large Scale Breaches
At this point, there’s no ignoring it: our financial security is compromised daily. And no doubt, many reading this wouldn’t hesitate to recount all the breaches they have been a part of as consumers: merchant breaches in which replacement cards forced you to update your linked accounts, or data compromises where personal information was stolen and identity theft protection was provided, forcing you to consider freezing new credit originations.
These are only the breaches we know about — considering the residual risk of all the data breaches we’ve been exposed to, the totality of it all becomes immense. Back at the start of 2014, I suggested that we’re experiencing data breach fatigue; today it’s closer to data breach exhaustion, and consumers may now feel powerless.
We must ask ourselves as consumers, what exactly is being compromised? What information has fallen into the pocket of an attacker and how could they use it to attack me? As we are compromised once, twice, or multiple times, are we falling under greater risk? How vulnerable are we when it is revealed that personal details landed in the hands of hackers and fraudsters?
Typically, most concerning for consumers is demographic data that can be used in authentication, illegitimate identity-theft account opening, or the use of a payment card for unauthorized spending (or potentially for account takeover) if an attacker has the relevant non-public personal information. There is a risk here to be sure, even if we, as service providers, don’t realize the impact of it. So what lessons are out there?
Zombie authenticators and static data elements are a gift to hackers
Well, for starters: why are we still using knowledge-based authentication built on third-party-issued static data elements? Government identity numbers (in the U.S., Social Security numbers), home addresses and the user’s date of birth are zombie authenticators – even worse than passwords! They have been compromised so many times, or are sometimes available through public or searchable sources… still in 2017.
Fraudsters have databases to store these elements as well, and anyone who has an account on a dark website can search an underground database to see if a birthday, SSN (Social Security number) or home address exists for the intended target. In fact, there is already a neologism for this: “Credential Stuffing” – the act of intercepting and using as many compromised authentication elements (e.g. account login or recovery credentials) as possible to attempt to take over an account.
Biometrics and other authentication measures should be embraced
When being asked to authenticate myself, I cringe when I see these types of questions. I’d much prefer to do business with an entity that has a more rigid authentication process and does something far more clever and sophisticated to validate that I am, in fact, me. We now have biometrics, if the customer can use them remotely on a mobile app. We have dynamic account-based questions (only known internally to the service provider and customer), and we have multifactor out-of-band authentication… these can be embraced to deliver a far better authentication experience and reduce the potential for account takeover. Would I feel more secure in a world of high-frequency data breaches when I know my financial institution authenticated me with two factors? Could this actually be faster than the present authentication practice of asking multiple questions throughout a contact center session? Of course!
I know no one wants to get a letter from their financial institution, or look themselves up on a newly-created security webpage to determine whether they are exposed after a large breach is revealed, but this is a reality. The lesson of any breach du jour is that we cannot sit idly by and continue to authenticate with the static data elements that are most consistently compromised.