Learning Lessons From Large Scale Breaches
At this point, there’s no ignoring it: our financial security is compromised daily. No doubt many reading this wouldn’t hesitate to recount all the breaches they have been a part of as consumers: merchant breaches in which replacement cards forced you to update your linked accounts, or data compromises in which personal information was stolen, identity theft protection was provided, and you were left considering a freeze on new credit originations.
These are only the breaches we know about — considering the residual risk of all the data breaches we’ve been exposed to, the totality of it all becomes immense. Back at the start of 2014, I suggested that we’re experiencing data breach fatigue; today it’s closer to data breach exhaustion, and consumers may now feel powerless.
We must ask ourselves as consumers, what exactly is being compromised? What information has fallen into the pocket of an attacker and how could they use it to attack me? As we are compromised once, twice, or multiple times, are we falling under greater risk? How vulnerable are we when it is revealed that personal details landed in the hands of hackers and fraudsters?
Typically, the most concerning exposure for consumers is demographic data that can be used in authentication, in illegitimate account opening (identity theft), or, together with a payment card, for unauthorized spending or potentially account takeover, once an attacker holds the relevant non-public personal information. There is a real risk here, even if we, as service providers, don’t recognize its impact. So what lessons are out there?
Zombie authenticators and static data elements are a gift to hackers
Well, for starters: why are we still using knowledge-based authentication built on third-party-issued static data elements? Government-issued identity numbers (in the U.S., the Social Security number), home addresses and the user’s date of birth are zombie authenticators – even worse than passwords! They have been compromised so many times, or are available through public or searchable sources… still, in 2017.
Fraudsters maintain databases of these elements as well, and anyone with an account on a dark-web marketplace can search an underground database to see whether a birthday, SSN (Social Security number) or home address exists for the intended target. In fact, there is already a neologism for this: “credential stuffing” – the practice of taking as many previously compromised authentication elements as possible (e.g. account login or recovery credentials) and replaying them in an attempt to take over an account.
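From the defender’s side, the replay pattern described above is visible in authentication logs: one source address cycling through many different usernames with a low success rate, which looks nothing like a legitimate user mistyping their own password. The following is an added example, not code from the original post, that applies that heuristic to a constructed log sample; the log format, thresholds and IP addresses are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log lines (not from any real system):
# timestamp, source IP, username, outcome. Documentation-range IPs are used.
SAMPLE_LOG = """\
2017-06-01T10:00:01 203.0.113.7 alice FAIL
2017-06-01T10:00:02 203.0.113.7 bob FAIL
2017-06-01T10:00:02 203.0.113.7 carol FAIL
2017-06-01T10:00:03 203.0.113.7 dave OK
2017-06-01T10:00:04 203.0.113.7 erin FAIL
2017-06-01T10:00:05 203.0.113.7 frank FAIL
2017-06-01T10:05:00 198.51.100.4 alice FAIL
2017-06-01T10:05:20 198.51.100.4 alice OK
"""


def parse_log(text):
    """Parse whitespace-separated auth log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events


def flag_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return source IPs whose login pattern resembles credential stuffing:
    many distinct usernames attempted from one address, most of them failing.
    Thresholds are illustrative assumptions, not values from the post."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        stats = by_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        stats["ok"] += int(e["ok"])
    flagged = {}
    for ip, stats in by_ip.items():
        ratio = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "success_ratio": ratio}
    return flagged
```

A second user who fails once and then succeeds from their own address is not flagged, because the signal is breadth of usernames, not a single failure. Distributed stuffing spreads attempts across many addresses, so in practice this per-source check is combined with a global baseline of failure rates and distinct-username counts.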
Biometrics and other authentication measures should be embraced
When I am asked to authenticate myself, I cringe when I see these types of questions. I’d much prefer to do business with an entity that has a more rigorous authentication process and does something far more clever and sophisticated to validate that I am, in fact, me. We now have biometrics, where the customer can use them remotely in a mobile app. We have dynamic account-based questions (known only to the service provider and the customer), and we have multifactor out-of-band authentication… these can be embraced to deliver a far stronger authentication experience and reduce the potential for account takeover. Would I feel more secure in a world of high-frequency data breaches if I knew my financial institution had authenticated me with two factors? Could this actually be faster than the present practice of asking question after question throughout a contact center session? Of course!
I know no one wants to get a letter from their financial institution, or look themselves up on a newly created security webpage to learn they are exposed after a large breach is revealed, but this is the reality. The lesson of any breach du jour is that we cannot sit idly by and continue to authenticate with the static data elements that are most consistently compromised.