Brett King


Online Fraud and Privacy is not that big a deal…eventually

In Retail Banking on August 4, 2010 at 20:34

I hear a lot of individuals in the financial services space expressing concerns about the risk of conducting business online, the lack of privacy in social media, the issues of identity theft and so forth. I’m not sure what these proponents of the ‘high-risk involvement’ model hope to accomplish, but if they realistically think that flagging concerns about privacy and online fraud will make ANY sort of dent in the progress of digital engagement through online, mobile, or social media – their mental health may need to be assessed. The best they can hope for is increased awareness of the issues.

Dealing with the digital landscape as far as payments and identity is inevitable. The issue becomes how to manage your online presence moving forward, and not if you should be conducting commerce digitally or participating in social networks.

It’s easier to commit fraud offline

While we hear lots about online fraud, the fact is that when it comes to things like credit card fraud, it is still far, far easier to commit fraud when a physical card or physical process is involved. Recently I was in London launching BANK 2.0, and at every restaurant where I presented my card, the waiter would come to the table with a wireless POS terminal to present my card. This is undoubtedly because of the simple risk associated with letting my credit card out of my sight. It takes just seconds to run a card through a mag reader and replicate that card physically. Even with CHIP and PIN, which is common throughout the EU, it would not be that hard to shoulder surf your PIN number if I really wanted to.

I used a foreign credit card in the UK, however, so I am not afforded the protection of PIN when I’m visiting the UK. In most instances I was actually asked to show my card to verify the signature, but in reality if someone had duplicated my card, then the signature they’d be using would be one they had created in any case. In the US, there is not even the protection of CHIP and PIN, and the physical processes allow for easy access to copy a credit or debit card.

The fact is, the weakest link when it comes to fraud is always the physical medium. Granted, phishing attacks designed to glean your account number and password for Internet banking are today a major issue, but again the weakest link is not the technology but the customer who willingly submits his information to a fraudulent site.

Many markets have already solved this problem through two-factor authentication (TFA). The markets that have moved slower on this innovation are obviously now reaping the reward for their lack of innovation. It is, in fact, not that fraud is easier online; it is that card issuers, retailers, banks and regulators simply are not keeping up with the behavioral shift to digital and have not leveraged the quite simple technologies that actually make digital more secure.

The fact that the US is only now moving to new POS infrastructures around contactless cards, and the fact that the EU has yet to broadly adopt TFA, are just examples of a lack of innovation in fraud management. Customers move with innovations in the digital space, bankers don’t, and fraudsters exploit the gaps while they can.

Increasing digital interactions are inevitable – deal with it.

I find it amusing that those that are strongest in vocalizing the risks in online privacy are often those that in reality have the most to gain. For example, while check (or cheque) fraud is less frequent today, the fact is that the check in itself is an outmoded payment mechanism. It is not an efficient way to pay in almost any measure that makes sense today. Checks are cumbersome to carry, error prone, easily corrupted, costly and are increasingly difficult to handle, especially if you are trying to cash a check issued cross-border for example.

I’ve heard bankers argue till they’re blue in the face that checks are here to stay, and yet in the same breath they admit that they don’t know how they are going to continue to afford to process checks and admit that data increasingly shows that in developed markets checks are in terminal decline.

So why aren’t banks rushing to embrace person-to-person payment capabilities, improving interbank connectivity, and trying to integrate better, simpler security mechanisms into electronic interactions? The only thing I can figure is that there is so much organizational inertia around traditional mechanisms like checks and TTs that it is often just seen as too hard to change.

The fact is today that no government, no bank, no threat on the planet, could viably stop the adoption of social media, mobile phones, payment technologies like P2P and other such innovations. It is simply a question of how soon – not if.

How digital will be far safer

Commercial interactions in the digital realm are instantaneous, completely auditable, measurable and can occur anytime, anywhere without the requirement of any specific physical instrument, except a browser or mobile phone. The fact that I can pay you in real-time, without any special process or instrument is ultimately the big draw-card.

So how do we make it safe? Embedding payments into the phone is the first step. The combination of the phone SIM, the ownership of the physical platform (handset) and the payment process will be safer than today’s credit card process. However, the simple incorporation of biometrics, the most promising being fingerprint, voice or facial recognition, will make such transactions magnitudes safer than current physical payment processes, including cash.

The likelihood is that Apple, Google or the handset manufacturers will be the ones to lead with these technologies, rather than banks working to incorporate such into the platforms. But the patents are already out there; we’re just waiting for the commercialization.

Biometrics are the ultimate solution to digital privacy

What about privacy?

The reality is, I don’t know of one individual who has stopped using Facebook, Twitter, email or their mobile phone as a result of privacy concerns. That doesn’t mean as individuals we should be complacent. The fact is that we’ll probably end up with two distinct personas when it comes to the digital space.

  1. Our public persona, where we accept a compromised privacy level in respect to our personal details (email, profile, date of birth, etc), and
  2. A secure persona, which we will protect fiercely because of the financial implications or risk.

The biggest risk to our secure persona today is identity theft. Recent Twitter hacks, Facebook scams, Hotmail account takeovers and other examples occur because it is still relatively easy to get someone’s credentials through an App, phishing site, or other such methods. Again, the answer here is that our secure persona needs to be linked to biometrics and not weak mechanisms around an ID and password. I don’t see anyone working on this as yet, but it is the obvious answer and the core technology is pretty much there. We just need one of the big Social Media networks like FB or say Apple with their iPhone/iPad to embed it and it will become ubiquitous fast.

But one thing that won’t happen is a mass exodus away from digital innovations through privacy concerns.
