Digital payments – Bridging the gap between convenience and security

Digital payments – Bridging the gap between convenience and security – London 6th May 2015

Bridging the gap between convenience and security for digital payments has long been a subject of discussion within the payments industry. Findings from an investigation undertaken by MYPINPAD into these gaps identified a number of issues:
• Security concerns cause 35% of all abandoned carts in online commerce. Putting that in monetary terms, the cost to retailers is estimated to be $1.4 trillion in 2015
• Consumers want something that they can trust. If payment methods don’t appear trustworthy, they won’t be widely adopted
• Retailers want something that is both future-proof and easy to slot into existing payment systems
• Banks want security and compliance and something that can work with their systems.

Philip King, MYPINPAD’s Executive Chairman explains what the findings mean:
“Our research indicates that both banks and retailers are ready for change and are cognisant of consumers’ demand for more intuitive and secure alternatives to current digital payment authentication solutions. However, they are unable and unwilling to start from scratch to address the issue. New alternatives must fit or integrate seamlessly into existing protocols and infrastructure without compromising security.

Read more

Is Authentication of Identity Even Possible?

Before we can answer this question, we first need to define what identity is. Too often authentication is used interchangeably with identity, but that’s like saying a bank account and money are the same thing.

In its most basic terms, authentication is the ‘what-of-you’ and identity is the ‘who-of-you’. You can authenticate via a password to log into your computer or buy a cup of coffee, but if you want a mortgage, considerably more background information is required. I could give you 5 usernames & passwords, 5 forms of biometrics and 5 different hardware tokens, and you would still not know to any degree of certainty whether I’m good for the loan.

For example: Two people are standing in front of you, one’s a stranger and one’s a close friend. You know [for the sake of this example] that they are both who they say they are, but do you feel equally comfortable lending both of them your car?

Read more

How to Lose All Credibility in Security

The fact remains that NOTHING in information technology is 100% secure. Nothing. If someone wants something badly enough and has the necessary skill-set/support and access to resources, they are going to get it. Yet so many vendors in the information security industry are still using phrases such as:

  • 100% secure
  • Hack-Proof
  • Unbreakable
  • Fraud-Proof
  • Completely Safe
  • and so on…

Apart from being entirely unrealistic, it is also unnecessary. You don’t need 100% security, even if it were possible; what you need is security ENOUGH. Fraudsters are lazy: if you’re too difficult to breach, or the benefit of gaining access is limited compared to the effort required to achieve the breach, they will move on to an easier target. So just ‘build your fence’ higher than your competition’s. From what I’ve seen in the 15 years I’ve been consulting across the globe, this should not be too difficult.

Read more

Mobile Authentication: Exceeding Card Present Security?

Considering the sheer number of authentication factors a mobile device is capable of providing, card-not-present transactions should be at least as secure as, if not more secure than, card-present transactions.

In reality they can be, since the technology is available, but the payments and mobile industries cannot seem to get out of their own way and actually use that technology to its full extent.

Let’s examine the card-present transaction: I walk into a shop, choose my items, then go to the counter. The shop assistant rings up my stuff, I place my chip & PIN card into the terminal, enter my PIN and I’m done.

The only things ‘guaranteeing’ that I’m an authorised user of the card are that I have the card in my possession and that I know a 4-digit PIN. Yes, some cards have photos on them, but they are few and far between, so the real security in a card-present environment is the difficulty of obtaining both the card and the PIN from the true owner. I will not underestimate just how difficult this is, but other than the owner noticing the card is missing and reporting it, there are very few checks and balances.

Read more

Smartphones – A Revolution in Payments for Those With A Disability

Have you ever wondered what it would be like to go through life blind, or with a learning disability? Or what it will be like when you’re older and perhaps your mental acuity is not what it once was?

What must it be like to be almost totally reliant on loved ones, or maybe worse, the honesty and goodwill of complete strangers?

These are generally not thoughts most of us have very often, but for those with physical or mental challenges even the most menial of tasks become extremely difficult.

For the purposes of this blog we will only address how these difficulties are dealt with in the world of payments, specifically non-cash payments.

The issues faced today centre on the fact that the only widely-accepted form of non-cash payment is the branded credit / debit card (MasterCard, Visa, Amex et al), and both the cards themselves and the infrastructure necessary to accept them are geared almost entirely to those without any sort of disability. In fact, even if you wanted to make changes to the infrastructure, the effort would be entirely prohibitive given both the limited return on investment and the absence of any meaningful legislation.

Read more

EMV Liability Shift, How Mobile Authentication Can Ease the Pain

In October of this year, any merchant in the US who does not demonstrate the ability to accept EMV transactions can be deemed liable for the fraud associated with counterfeit cards.

That’s only 7 months from now.

Most people in the EU can’t really understand the confusion this has generated – we’ve had chip & PIN for well over a decade – but for the population of the US swipe & signature is as natural as handing over cash. Retailers are rightly concerned that adoption will be a slow and painful process. However, that may not be their biggest concern.

Estimates of the cost of transition from magnetic stripe to chip range from $8 – $12 Billion, and the lion’s share of the burden will fall to the retailers who must replace their existing payment entry devices (PEDs) with chip compatible ones. The chances are good that this expense was not in their long-term costings, and bringing forward the end-of-life of their PED infrastructure is simply not an option in an industry where profit margins are razor thin.

But the thing that few people realise is that while the chip alone is a positive factor in fraud reduction (anti-counterfeit), the greatest benefit of the roll-out of EMV is only achieved when it is deployed in conjunction with a 4-digit Personal Identification Number (PIN). This effectively adds a second factor of authentication (the card is something you have, your PIN is something you know), making card-present transactions significantly more secure. PIN alone would have a significant positive impact as well.

Read more

Biometrics is Only PART of the Answer

The time will come when you will be able to walk into any shop, choose what you want, pay for it where you are standing, and walk out with it, without having to go through the nonsense of lining up. The same will apply to getting through airport security/immigration, into a concert, onto public transportation and so on. Each of these ‘transactions’ will happen in the background.

The time will also come when who you are is enough to make all of these transactions happen almost seamlessly, and biometrics will be an enormous part of that. However, WHAT you are does not equal WHO you are, and that’s where biometrics vendors miss the point. No form of static authentication (of which biometrics is one, the same as passwords) can encompass your entire identity: your likes, dislikes, hopes, fears, ambitions, friends & family interactions, even your reputation. The things that make you human, and 100% unique.

Also, what biometrics cannot do is replace every other form of authentication in the near term. Certainly not the authentication of payments for example when you consider that all payment card schemes globally are united behind the PIN.

Read more

Shopping Cart Abandonment, Authentication to the Rescue

According to Business Insider, approximately $4 TRILLION worth of merchandise will be abandoned in online shopping carts this year, of which only 63% is recoverable for those retailers with the necessary “savvy”.

The reasons behind this abandonment are as myriad as the individuals making the purchases, but to truly understand the root cause, you must examine the people themselves. From an online purchasing perspective, they fall roughly into these 5 categories:

  1. Mind-Changers – People change their minds all the time, which is much easier when you’re online than when you’re face-to-face with a sales rep. The longer the purchase process, the more time retailers are leaving open for this category to have second thoughts.
  2. Distractors – For those who don’t really care about their purchase, the slightest distraction will cause them to move on. Long and complicated check-out processes will see these folks following the next shiny thing.
  3. Impatient – Again, long check-out processes will see the impatient group give up fairly quickly even though it means starting again. The issue is that they will undoubtedly start again on a competitor’s site.
  4. Private – Asking a significant number of questions unrelated to the transaction itself, or forcing them to create an account first is not an option for this category.
  5. Frustrated – Too many steps and customers become frustrated and lose interest in purchasing the item.

Other reasons include hidden fees, unreasonable shipping & handling cost, loss of bandwidth and a multitude of others, but these are mostly issues with the merchant, not with the buyer.

Read more

Biometrics in Payment & Banking – an Uneasy Partnership

No form of single factor authentication has ever provided an optimal level of security. As technology moves forward, biometrics has been introduced into the world of payments to enhance security and convenience. Rightfully so, as a form of authentication, biometrics is here to stay.

Traditionally we talk about three types of authentication:

  1. Something you know (e.g. a password)
  2. Something you have (e.g. a physical token)
  3. Something you are (i.e. biometrics)

But if we want to solve the challenges in a meaningful and sustainable way we must also think about identity management in terms of static and dynamic authenticators, as well as multi-factor authentication.

Read more

Mobile World Congress 2015, What WE Want to See

The race for ‘mobile supremacy’ is on. It has been for some time actually, but clearly no-one has got it right or we would all be using the same things. In no aspect of the move to mobility is this truer than in payments and other forms of financial transaction.

At Mobile World Congress 2015 (MWC) next month almost 2,000 exhibitors and an expected attendance of 90,000 will descend on Barcelona in an attempt to find answers to their questions. However, both history and experience have shown that organisations rarely ask the right questions and end up spending time and money following the latest trends so as not to be left behind.

One look at MWC’s very impressive 60-page brochure and its distinguished line-up of keynote speakers speaks volumes about the unprecedented interest in everything mobile. With 7 billion mobile phones in the world (2 billion of which are smartphones) this is hardly surprising.

Read more