Mobile Fraud is on the Rise. Are You Actually Surprised?

Each day we are bombarded with headlines about successful attacks against mobile payments and the massive rise in mobile payments fraud in general. Yet none of this should be a surprise, and the reasons are simple.

First, we need to understand that the reason we read so much about the losses in the press is that negativity is often the only thing that makes the news. When was the last time you saw the headline: “Mobile Applications Work, Hackers Thwarted!”?

The fact remains that for every transaction lost, thousands or even millions of transactions work just fine. However, this sells neither newspapers nor security products.

That said, mobile applications are notoriously insecure. Some of the weaknesses are entirely avoidable and others will be resolved only with a significant shift in both payment methods and the capability of authentication and identity mechanisms.

Avoidable challenges include:

  1. Poor Business Needs Analysis: Too many Fintech organisations follow the latest trends and buzz-phrases without performing both a proper business needs analysis and its subsequent risk assessment. The implementation of every new process or function must meet established business goals, and not be a result of competitive fear or a CEO’s desire for shiny things and ‘game changers’.
  2. Swiss Army Approach: The second symptom of poorly defined business needs is the desire to build in as much functionality as possible, hoping that the ‘feature rich’ app will become some kind of de facto standard. The number of vulnerabilities in an application is directly proportional to its complexity, and simple is almost always better.
  3. Insecure Coding: Often a follow-on from 1: if the business needs aren’t properly defined, it’s unlikely that the application’s function(s) will be either. When the race to market is the number one priority, things like robust software development life cycles and secure coding techniques tend to fall by the wayside.
  4. Acceptance of Payment Details: The ‘more’ secure mobile payment apps never actually touch the payment details. However, it’s still very common for apps to accept full cardholder data (credit card number, etc.) through the app itself. The better apps will only process a transaction when an e-wallet or equivalent is available in the back-end.

Unavoidable challenges include:

  1. Older Payment Technologies: There’s no getting away from this one any time soon; we have had these technologies for decades and they will be around for a while longer. The only thing to be done is to ease the transition from these technologies into the innovations of the present slowly and securely. There is little room for total disruption in the payments space.
  2. Inadequate Authentication of Identity: Last, but certainly not least, Identity Management and Authentication represent not only the limiting factor in almost all current mobile payment methods, but hold the key to supporting everything to come. There is no silver bullet, no single-function remedy; the only way to resolve this challenge is to build as many authentication factors into every transaction as possible, ideally without creating friction in the payment process.

Secure authentication of identity is the key to reducing mobile fraud, but no solution will be accepted that gets in the way of people actually using it. Only by ‘bridging’ the established with the new, implementing new technologies seamlessly behind/alongside old ones, and making room for everything to come can we stay ahead of the thieves.

[Ed. Written in collaboration with]

Biometrics Is Only PART of the Answer!

The time will come when you will be able to walk into any shop, choose what you want, pay for it where you are standing, and walk out with it without having to go through the nonsense of lining up. The same will apply to getting through airport security/immigration, into a concert, onto public transportation and so on. Each of these ‘transactions’ will happen in the background.

The time will also come when who you are is enough to make all of these transactions happen almost seamlessly, and biometrics will be an enormous part of that. However, WHAT you are does not equal WHO you are, and that’s where biometrics vendors miss the point. No form of static authentication (of which biometrics is one, same as passwords) can encompass your entire identity: your likes, dislikes, hopes, fears, ambitions, friends & family interactions, even your reputation. These are the things that make you human, and 100% unique.

Also, what biometrics cannot do is replace every other form of authentication in the near term. Certainly not the authentication of payments for example when you consider that all payment card schemes globally are united behind the PIN.

“But that’s already happening!” you may say, and you’re right, you can authenticate payments with a fingerprint via your mobile device (Apple Pay for example). Then again, I can spend £20 (£30 from this September) at a time with my Visa / MasterCard contactless card with typically no authentication at all.

Ultimately, what we’re trying to get to is the universal demonstration of the one thing upon which all the transactions above rely: trust.

No single form of authentication (biometrics included) is going to get you a car loan, or a mortgage, but it WILL get you a cup of coffee, because authentication is just a sub-set of the overarching principle related to the demonstration of trust: Identity Management. The who you are, or more to the point, who you have been, is what gets you the mortgage; all your face is going to do is give the lender reasonable assurance that they are talking to the right person.

Authentication is not the answer that addresses the trust challenges we face today in a distributed world. Trust is not built on how you authenticate; it’s built on an irrefutable representation of your life: your credit history, criminal record, work history, references, social media profile, public statements of opinion (blogs, etc.) and so on. You are not going to place trust in someone you will likely never meet in person until you are reasonably satisfied that they will keep their end of the bargain.

Even multi-factor authentication is only going to give more certainty that the person you’re dealing with is the person you expect; it does nothing to ensure that your transaction will go as planned. Only identity can give you that kind of assurance.

Every transaction in the future will be a combination of identity management and authentication, and how much you need of each will be agreed by both sides, up front. This is a complete departure from today where trust is mostly one way, and should address the majority of the current challenges we have related to fraud.

[Ed. Written in collaboration with]

How to Lose All Credibility in Security

There are some things in life that you assume everyone must know by now: give a firm handshake, never accept credit for someone else’s efforts, never be rude to waiters and so on. Yet so many vendors in the information security industry fall foul of an offence far worse than these.

They use phrases like:

  • 100% secure
  • Unbreakable
  • Completely safe
  • Fraud-proof
  • Hack-proof
  • and so on…

The fact remains that NOTHING in information technology is 100% secure. Nothing. If someone wants it badly enough, and they have the necessary skill-set/support, they are going to get it, and anyone who espouses differently should find another line of work before they cause any more damage.

And it’s all so unnecessary. You don’t need 100% security even if it were possible; what you need is security ENOUGH. The bad guys are lazy, and if you’re too difficult to breach they will move on, so just ‘build your fence higher than your neighbour’s’. From what I’ve seen in the 15 years I’ve been consulting across the globe, this should not be too difficult.

The calculation you have to make is this:

If the Cost of Security > Value of Data: do what you can afford and no more.
If the Cost of Security < Value of Data: do it, but do only what makes sense.

So what process magically gives you the answers to this equation? Easy, the Risk Assessment. One of the most basic tenets of a security program done well, and one of the most under-utilised business tools in every organisation I’ve helped. A risk assessment process performed appropriately will tell you what you’re not doing well, how to fix it, AND how much to spend on doing so.

But I digress.

I can actually empathise with organisations and individuals trying to sell security. It’s tough, but that’s no excuse for lying about your products, and that’s exactly what you’re doing if you claim 100% security. Lying. You have a responsibility to your customers, and whether you like it or not, and whether you ARE or not, you are usually the expert in the room (if you know 1% more than the other person, you are the expert). Your client came to you for help; it’s up to you to provide what the client NEEDS, not necessarily what they asked for.

Your credibility as a provider of information security services or products goes hand-in-hand with your integrity as an organisation and/or individual. Think of your integrity as a form of currency; you can either invest it in your credibility, or spend it on quick wins. Only one of these has a long-term future.

I will note however that if you’re a buyer of security services, you have as much responsibility as the seller to buy only what you need. YOU must ask the right questions, and the only way you can do that is to either do your homework, or hire someone to do it for you. Never expect a salesperson to think twice about giving you what you ask for, then charging you again for providing what you should have asked for in the first place. This scope creep is your fault as much as theirs.

This white paper is not about how to sell (I can’t do that); it is how I think you sell with integrity: How to Sell Security

Biometrics in Payments – Irresponsible Demand Generation

Demand generation is defined as: “The focus of targeted marketing programs to drive awareness and interest in a company’s products and/or services.”

Done responsibly it can be a very effective tool in any organisation’s marketing/PR tool-set, and I applaud anyone doing it well. Done irresponsibly it can lead target organisations to make very poor decisions that they will end up bitterly regretting. Yes, each organisation is responsible for making their choices, and for performing proper due diligence, but in an industry as complex as payments, vendors are often seen as the experts.

This position must NEVER be abused!

The example of demand generation that I invariably use is that of the smartphone. Until I saw one I had no idea I needed so much functionality in a mobile device. Now, quite literally, I cannot do my job without it.

Off the bat, that suggests 3 things:

  1. Smartphone manufacturers were justified in their aggressive marketing efforts …eventually;
  2. The drive by each vendor to win the entire market for themselves, while promoting competition, has left us with an enormous variety of devices and technologies that are difficult to adopt for fear of backing the wrong horse, and;
  3. I’m not smart enough to be a futurist.

But what if they had worked together on standardisation in the beginning (like with bloody power adapters for example!), how much better off would we be?!

Now biometrics vendors are the vultures over the kill, and the password is the corpse (harsh I know, but the alternative is wolves, but they work in unison for the good of the pack).

Biometrics companies are spending vast sums on marketing and PR resources to become the next big thing in authentication, all the while completely ignoring the fact that they are offering something little different (single-factor, static authentication), and side-stepping the most basic of practicalities: ease of adoption, and future-proofing.

The FACT remains that implementation of effective biometrics is extremely difficult. Distribution, false positive rates, disability support, privacy issues and a plethora of other challenges will continue to ensure that single-factor authentication with biometrics will not replace the 4-digit cardholder PIN any time soon. Nor should it.

It’s not about replacing the PIN, it’s about seamlessly combining the PIN with other forms/factors of authentication like biometrics. Anything else is irresponsible in the extreme given that most smartphones are capable of all 3 authentication factors multiple times each! Passphrase, PIN, fingerprint, voice recognition, iris, geo-fencing, device registration, device profiling, social media profiling, you name it, can all be entered into a mobile device through normal and already established consumer use.

The following is not necessarily an endorsement of the Fast Identity Online (FIDO) Alliance, but you can see from their Mission that they fully appreciate the importance of evolutionary change, not revolutionary change:

“The Mission of the FIDO Alliance is to change the nature of online authentication by:

  • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the Specifications.
  • Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.”

Reliance on single factor authentication with biometrics is a mistake, so avoid any organisation who adopts the ‘password is dead’ stance and just do your homework based on a business need, not a buzz-phrase.

What We Could Learn From the 11 Plus

The title alone will severely limit the interested audience, as the 11 Plus is a concept that even at its ‘height’ was restricted to England and Wales.

The premise was that children in their last year of primary education (aged 11 – 12) took a test to narrow down their options for their secondary education. The better they did on the 11+ the more choices they had. I wish I had ‘failed’ mine way back in 1978, going to an all boys school absolutely sucked.

A friend of mine’s daughter had recently gone through the process, and like me he was amazed at the questions being asked. This was not a straightforward maths/English/reasoning test; this was a test of character that put to shame my interview techniques as a Senior Manager in charge of adult security consultants. Should I be unfortunate enough to ever be the manager of people again, I will be using these questions:

Why should you get priority over other children for a place in this school? – How would YOU answer that question, or what answer would you be looking for?! Say the wrong thing and you’ll come across as arrogant, insecure, indecisive, desperate, disinterested or a combination of several of these.

List 3 things you are good at or like doing. – Generally speaking, people like doing the things they’re good at and dislike things they aren’t. Sadly most people don’t KNOW they’re bad at something, so a question like this can help weed out the humble from the potentially deluded.

What is the most exciting thing that has ever happened to you? – Personally I would dismiss anyone saying anything about work. Passion for your chosen career is one thing, but someone without other interests is to me rather suspect.

Is there anything that I haven’t asked you about that you would like to tell me? – This one’s a doozy! Do I say no and let the person think there’s nothing more to me, do I say something and perhaps come across as trying too hard, or do I ramble on because I’m nervous and end up boring the hell out of the interviewer?

The above were good, but the next one was to me astounding:

Is life fair?

Bear in mind this is being asked of an ELEVEN year old, but now think about the answer you would give. ‘No, it’s not fair’ is whiny, ‘yes, it is fair’ is delusional, which leaves the only real answer: life is neither fair nor unfair, it just is. It is surprising just how many people cannot accept this.

Life is what YOU make of it, so any answer outside of that speaks volumes about the person you’re interviewing. If they consider life unfair then they are clearly not taking full responsibility for their own actions; anyone who thinks life is fair has likely never been truly tested, which makes the following quote rather appropriate:

“I’ve never met a strong person with an easy past.”

Experience is one thing; you can read that on a person’s LinkedIn page. Character is something else, and rarely glimpsed during the interview process. Perhaps by asking questions we would ask our own children we can change that.