Brett King

Posts Tagged ‘privacy’

Online Fraud and Privacy is not that big a deal…eventually

In Retail Banking on August 4, 2010 at 20:34

I hear a lot of individuals in the financial services space expressing concerns about the risk of conducting business online, the lack of privacy in social media, the issues of identity theft and so forth. I’m not sure what these proponents of the ‘high-risk involvement’ model hope to accomplish, but if they realistically think that flagging concerns about privacy and online fraud will make ANY sort of dent in the progress of digital engagement through online, mobile, or social media – their mental health may need to be assessed. The best they can hope for is increased awareness of the issues.

Dealing with the digital landscape as far as payments and identity is inevitable. The issue becomes how to manage your online presence moving forward, and not if you should be conducting commerce digitally or participating in social networks.

It’s easier to commit fraud offline

While we hear lots about online fraud, the fact is that when it comes to things like credit card fraud, it is still far, far easier to commit fraud when a physical card or physical process is involved. Recently I was in London launching BANK 2.0, and at every restaurant where I presented my card, the waiter would come to the table with a wireless POS terminal to present my card. This is undoubtedly because of the simple risk associated with letting my credit card out of my sight. It takes just seconds to run a card through a mag reader and replicate that card physically. Even with CHIP and PIN, which is common throughout the EU, it would not be that hard to shoulder surf your PIN number if I really wanted to.

I used a foreign credit card in the UK, however, so I am not afforded the protection of PIN when I’m visiting the UK. In most instances I was actually asked to show my card to verify the signature, but in reality if someone had duplicated my card, then the signature they’d be using would be one they had created in any case. In the US, there is not even the protection of CHIP and PIN, and the physical processes allow for easy access to copy a credit or debit card.

The fact is, the weakest link when it comes to fraud is always the physical medium. Granted, phishing attacks designed to glean your account number and password for Internet banking are today a major issue, but again the weakest link is not the technology but the customer who willingly submits his information to a fraudulent site.

Many markets have already solved this problem through two-factor authentication (TFA). The markets that have moved slower on this innovation are obviously now reaping the reward for their lack of innovation. It is, in fact, not that fraud is easier online; it is that card issuers, retailers, banks and regulators simply are not keeping up with the behavioral shift to digital and have not leveraged the quite simple technologies that actually make digital more secure.

The fact that the US is only now moving to new POS infrastructures around contactless cards, and the fact that the EU has yet to broadly adopt TFA, are just examples of a lack of innovation in fraud management. Customers move with innovations in the digital space, bankers don’t, and fraudsters exploit the gaps while they can.

Increasing digital interactions are inevitable – deal with it.

I find it amusing that those that are strongest in vocalizing the risks in online privacy are often those that in reality have the most to gain. For example, while check (or cheque) fraud is less frequent today, the fact is that the check in itself is an outmoded payment mechanism. It is not an efficient way to pay in almost any measure that makes sense today. Checks are cumbersome to carry, error-prone, easily corrupted, costly and increasingly difficult to handle, especially if you are trying to cash a check issued cross-border, for example.

I’ve heard bankers argue till they’re blue in the face that checks are here to stay, and yet in the same breath they admit that they don’t know how they are going to continue to afford to process checks and admit data increasingly shows that in developed markets checks are in terminal decline.

So why aren’t banks rushing to embrace person-to-person payment capabilities, improving interbank connectivity, and trying to integrate better, simpler security mechanisms into electronic interactions? The only thing I can figure is that there is so much organizational inertia around traditional mechanisms like checks and TTs that it is often just seen as too hard to change.

The fact is today that no government, no bank, no threat on the planet, could viably stop the adoption of social media, mobile phones, payment technologies like P2P and other such innovations. It is simply a question of how soon – not if.

How digital will be far safer

Commercial interactions in the digital realm are instantaneous, completely auditable, measurable and can occur anytime, anywhere without the requirement of any specific physical instrument, except a browser or mobile phone. The fact that I can pay you in real-time, without any special process or instrument is ultimately the big draw-card.

So how do we make it safe? Embedding payments into the phone is the first step. The combination of the phone SIM, the ownership of the physical platform (handset) and the payment process will be safer than today’s credit card process. However, the simple incorporation of biometrics, the most promising being fingerprint, voice or facial recognition, will make such transactions magnitudes safer than current physical payment processes, including cash.

The likelihood is that Apple, Google or the handset manufacturers will likely be the ones to lead with these technologies, rather than banks working to incorporate such into the platforms. But the patents are already out there, we’re just waiting for the commercialization.

Biometrics are the ultimate solution to digital privacy

What about privacy?

The reality is, I don’t know of one individual who has stopped using Facebook, Twitter, email or their mobile phone as a result of privacy concerns. That doesn’t mean as individuals we should be complacent. The fact is that we’ll probably end up with two distinct personas when it comes to the digital space.

  1. Our public persona, where we accept a compromised privacy level in respect to our personal details (email, profile, date of birth, etc), and
  2. A secure persona, which we will protect fiercely because of the financial implications or risk.

The biggest risk to our secure persona today is identity theft. Recent Twitter hacks, Facebook scams, Hotmail account takeovers and other examples occur because it is still relatively easy to get someone’s credentials through an App, phishing site, or other such methods. Again, the answer here is that our secure persona needs to be linked to biometrics and not weak mechanisms around an ID and password. I don’t see anyone working on this as yet, but it is the obvious answer and the core technology is pretty much there. We just need one of the big Social Media networks like FB or say Apple with their iPhone/iPad to embed it and it will become ubiquitous fast.

But one thing that won’t happen is a mass exodus away from digital innovations through privacy concerns.


Lessons from the failed Facebook exodus (HuffPost)

In Groundswell, Social Networking on June 2, 2010 at 07:41

See the original post on Huffington here…

The 1st of June was supposed to be “Quit Facebook Day” as a protest over Facebook’s privacy policies. But the 1st of June passed by and as far as I am aware, none of my friends quit Facebook on Monday. It turned out to be much ado about nothing…

Last month there was certainly a great deal of discussion about Facebook’s Privacy policies and Mark Zuckerberg’s lack of engagement with the social networking site’s community about the issue, including his apparent derision through IM messages (Business Insider). Indeed, Facebook’s Privacy Policy as released has more than 50 options and 170+ settings, making it longer and more complex than the US Constitution. The New York Times did a great infographic on the complexity of Facebook’s Privacy Policy to illustrate.

Here are some of the highlights of the “Facebook Privacy” hullabaloo over the past few weeks:

SF Chronicle – May 6th
Facebook begs users not to Quit

AFP – May 6th
Privacy groups take Facebook to the Regulator

Business Insider – May 6th
10 reasons to delete your Facebook account

Huffington Post – May 7th
How Facebook’s privacy approach has changed over time – Interactive infographic

LA Times – May 13th
Reports Facebook staff scramble to respond to pressure on Privacy concerns

SearchEngineLand – May 13th
Claims Facebook’s Active User Growth has dropped 25-50% as a result of privacy concerns

FastCompany – May 14th
Says Facebook’s “Congress” on Privacy is an attempt to stave off disaster from disgruntled investors

The Register – May 14th
Criticism leveled at Zuckerberg over his approach to user concerns

CNN – May 25th
“How to delete, deactivate your Facebook account”

There was a bunch more too. So Facebook is now close to collapse after a mega rush by millions of users to abandon their Facebook accounts? Well…not exactly.

It appears that approximately 30,000 Facebook Users joined the revolt and deleted their account. To put that in perspective that’s approximately 0.008% of the current Facebook population – hardly a threat to Facebook’s continued existence.

So what can we learn from this?

It’s Facebook – Not Internet Banking
Facebook is not exactly a mission critical cloud system for most users. It’s a fun distraction, a way of keeping in touch with friends on the move, and extending your social circle. If you post a message to your girlfriend on the site and your wife sees it – then ok you are in trouble (see statistics re Facebook used as evidence in divorce cases), but generally speaking it’s not that big a deal.

Facebook doesn’t need heaps of security. If someone phishes your Facebook login details, about the worst thing they can do is SPAM your friends. Basically, it’s just not that big a deal.

The community helps itself
Additionally, Facebook is finding that users within communities help police such intrusions themselves – warning their friends of scams, and other such issues as they arise.

It’s the Internet, stupid!
If you lose your job because you posted that you hate your boss, and you forgot you friended him last week – well that’s just stupid. Facebook can’t come up with a policy that will guarantee you aren’t stupid.

Y-Gen and Digital Natives don’t care
Y-Gen and Digital Natives are more relaxed about security and privacy issues. They’ve grown up in a more public forum where they’re just used to the fact that their profile, email, mobile phone number, dress size, and sexual orientation will appear on about a gazillion sites in the websphere and they are just not that fussed about it.

I saw a post on the UK Social Networking Site Ecademy last week entitled “Why are we letting a 26 year old decide what the Internet is?”. The fact is that it is 26-year-olds like Zuckerberg and even younger kids who will determine how the internet of tomorrow works. We shouldn’t be fearful of such change, we should embrace it – it makes life a lot more interesting in my opinion.

Interestingly, statistics show that users of Social Media are dominantly in the 35-44 age bracket for now, but clearly the innovative thinking is coming from those who don’t have hangups about traditional business approaches.

That’s why we have to get used to a different level of privacy, openness and communication. Social Media is here to stay, and with it new and exciting ways to interact, do business and share content and ideas. Sometimes it will be with friends, and sometimes with people we don’t know. We’ll need to understand that there’s privacy that matters, and then there’s participation – it’s a trade-off. In the end, it should pay dividends in all sorts of interesting ways.