
Payments Innovation Should NOT be Disruptive!

By now I think everyone has heard the phrase ‘Disruptive Innovation’, defined as “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.” This phrase is especially bandied around in payments.

But how many of you have heard the phrase ‘Sustaining Innovation’, which “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements.”

So if you accept that a payment itself is just a way for you to access your stored value (what we call money) at any time / place of your choosing, why is everyone so interested in disrupting the existing payment ecosystem? And by “everyone” I of course mean those who are trying either to break into the market, or to wrest even more control for themselves. Non-cash payments work [for the most part], and you have a large degree of faith in your bank’s ability to protect your monetary assets, so do you really want the whole thing to change? Do you even know what it is that you want that’s different from what you have today?

Do things even need to change? Yes, they do. Are there innovations available NOW that make the payments process easier, cheaper, and more secure for the consumer? Yes, there are. Can we expect the entire payment industry to throw out everything they have spent billions on over the last few decades, and which is used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been 2 true disruptors in the payments industry; the mobile phone, and block chains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and Bluetooth, the numerous options for security on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For block chains it was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics; I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only input to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves or this would be even more complicated!

As a consumer who has a very good idea of what he wants to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only be through collaboration and fair competition.

The greedy can stay home.


Been Breached? The Worst is Yet to Come, Unless…

The information security sector is rife with negativity and pronouncements of doomsday, and while the title is no better, this blog is not meant to scare, but to provide an alternative view of the worst case scenario; a data breach and the resulting forensics investigation. The fact remains that if your data is online, and someone has the necessary skill-set and wants it badly enough, they are going to get it. So the sooner you prepare yourself for the inevitable, the better you will be able to prevent a security event from becoming a business-crippling disaster.

By the time you make your environment as hack-proof as humanly possible, the chances are you have spent far more money than the data you’re trying to protect was worth, which in security equates to career suicide. Instead, you are supposed to base your security posture on the only thing that matters; a business need, then maintain your security program with an on-going cycle of test > fix > test again.

Unfortunately what happens in the event of a breach is that you are told what was broken and how to fix it from a technical perspective. This is analogous to putting a plaster / band-aid on a gaping wound. You’re not actually fixing anything. A forensics investigation, instead of being seen as the perfect opportunity to re-examine the underlying security program, is seen as an embarrassment to be swept under the carpet as soon as possible. Sadly, valuable lessons are lost, and the organisation in question remains clearly in the sights of the attackers.

For example, let’s say a breach was caused by an un-patched server. The first thing you do is fix the server and get it back online, but all you have done is fix the symptom, not the underlying cause;

  1. How did you not KNOW your system was vulnerable? – Do you not have vulnerability scanning and penetration testing as an intrinsic part of a vulnerability management program?
  2. How did you not know your system wasn’t patched? – Is not patch management and on-going review of the external threats landscape also part of your vulnerability management program?
  3. Did the breach automatically trigger a deep-dive examination of your configuration standards to ensure that your base image was adjusted accordingly?
  4. Did you fix EVERY ‘like’ system or just the ones that were part of the breach?
  5. Did your policy and procedure review exercise make ALL necessary adjustments in light of the breach to ensure that individual accountability and requisite security awareness training was adjusted?
  6. Were Incident Response, Disaster Recovery and Business Continuity Plans all updated to incorporate the lessons learned?

And perhaps the most important part of any security program; Is the CEO finally paying attention? Ultimately this was their fault for not instilling a culture of security and individual responsibility, so if THIS doesn’t change, nothing will.

If the answer is no to most of these, you didn’t just fail to close the barn door after the horse bolted, you left the door wide open AND forgot to get your horse back!

Most breaches are not the result of a highly skilled and concerted attack, but of someone taking advantage of the results of systemic neglect on the part of the target organisation, i.e. MOST organisations with an Internet presence! Therefore, organisations that can work towards security from the policies up, and from the forensics report down, have a distinct advantage over those who do neither.

[Ed. Written in collaboration with Voodoo Technologies; Voodoo Technology, Ltd.]


Is Authentication of Identity Even Possible?

Before I can answer that question, I need to define what I think Identity is. Too often authentication is used interchangeably with identity, but that’s like saying a bank account and money are the same thing.

In its most basic terms, authentication is the what-of-you, identity is the WHO-of-you. You can authenticate via password to log into your computer or buy a cup of coffee, but if you want a mortgage, considerably more background information is required. I could give you 5 usernames & passwords, 5 forms of biometrics, and have 5 different hardware tokens, and you would still not know to any degree of certainty if I’m good for a loan.

Example: Two people are standing in front of you, one’s a stranger and one’s a close friend. You know [for the sake of this hypothetical] that they are both who they say they are, but do you feel equally comfortable lending them your car?

I would assume the answer is no, you would NOT be comfortable loaning a stranger your car, so what’s the difference? Trust, pure and simple. You trust your friend because you know WHO they are, not WHAT they are.

Unfortunately you will never be able to know everyone on the planet as well as your friends, so how can you assure a sufficient level of trust to do business of any sort? Currently, authentication is enough, but it’s almost entirely one way. If you want to buy something on the Internet YOU have to complete the login details (often including a permanent account), you have to enter all of your payment details, and you have to accept the risk that the merchant will send the goods as promised.

With an identity, built over the course of time and receiving input from many sources, every individual and every organisation can build a demonstrable level of trust so that both sides have the assurance they need to conclude the transaction. Fraud in e-commerce is rampant because we simply don’t have this 2-way assurance.

From the individual side: Credit score, confirmation of available funds, payment history, and any number of other factors can build a Trust Assurance Score (TAS), and it will be up to both the buyer and the seller to agree on the level of score required to complete a purchase. e.g. on a scale of 1 – 100 (100 being a perfect TAS) the merchant needs a score of 5 to buy the ubiquitous cup of coffee, but a score of 50 to rent a car, and a score of at least 75 to get a mortgage.

From the merchant side: Time in business, corporate credit rating, ratings and reviews and so on can build their TAS, so you can decide up front the level of risk you are prepared to accept to conduct the business at hand.

Clearly there are many challenges with this; How do you build a rating in the first place (the young and new businesses should not be unfairly disadvantaged)?; How do you provide instant access to this rating without exposing all of the detailed information behind it?; How do you tie in the level of authentication required to even request a TAS? And so on.

I’m not proposing a way to fix this, I’m simply trying to demonstrate that the reason we don’t HAVE identity built into transaction authentication is that these issues have not been addressed yet. And until we have identity built into transactions, we won’t have the levels of trust required to make significant change. Payments, for example, will move from plastic to mobile, but authentication (even multi-factor) is not enough to significantly reduce fraud.

I suspect block-chains (the technology behind crypto-currencies) have a big chunk of the answer, but I can’t even conceive of how this will be done. I just know it needs to be.


Want to Stop Thinking for Yourself? Get Some Faith!

I don’t necessarily mean faith as it pertains to religion, although that is by far the best example of how faith can completely negate ever having to think for yourself. Ever again.

When I talk about faith, defined as “A complete trust or confidence in someone or something.”, you can perhaps see where faith can be a force of tremendous good, or of horrific bad. When you remove the need to question something, you remove any reason for that thing to change. When your most valuable asset, your ability to reason, is subsumed into a concept not of your making, you have lost your individuality, your uniqueness. You have lost your sense of self.

When humans first became self-aware (estimated at around 60,000 years ago), the number of things to fear rose exponentially. Animals don’t fear an eclipse, but humans managed to attribute countless negative interpretations to this natural phenomenon. With self-awareness comes both the need for rationality (a reason for something), and the trait that I think truly defines us most as human;


When you are absolutely certain of something, you can effectively ignore it; I have absolute faith the sun will rise tomorrow, or why would I bother getting out of bed? I have absolute faith that my wife loves me, or why would I be with her?

The difference between the above paragraph’s examples, and faith in religion (for example), is both tangibility and direct experience. The sun has come up every day I’ve been alive (except the few days I spent in Scotland), and I’ve been with my wife for 10 years. That’s proof enough for me. But what if I base my faith on a concept that has only been passed on by others? Or out of a book? What does that do to our thinking? In some cases clearly not much, but some of the worst horrors in history have been perpetuated based on interpretations of words written centuries before.

And what happens when such thoughts become mandatory? When not having the same thoughts becomes a valid reason to violate the rights of others. Again, this is not just religion; science and even sports aren’t immune from unshakable faith. Scientists and fans alike have committed atrocious acts because in their mind the victims were so wrong that their very lives were forfeit.

It’s a combination of things that keeps this destructive force self-perpetuating; from bigoted parents teaching their kids to hate, to inflexible older generations unable or unwilling to adapt, to a general unwillingness to admit when you’re wrong. Hiding bigotry against sexual orientation behind the bible, racial bigotry behind past atrocities, and murder behind a God all have their roots in the natural byproduct of misplaced faith; ignorance.

I have no answer for this, all I can do is not be part of the problem. Life is not fair, life just is, and YOUR life is what you make of it. The fact remains that it is already difficult enough to find enough happiness to make the life you have worth living, without making it harder for yourself by hating, and hurting everyone around you with your selfish actions.

Believe in whatever you want to believe, just leave the rest of us out of it.


EMV Liability Shift, How Mobile Authentication Can Ease the Pain

In October of this year, any merchant in the US who does not demonstrate the ability to accept EMV transactions can be deemed liable for the fraud associated with counterfeit cards.

That’s only 5 months from now.

Most people in the EU can’t really understand the confusion this has generated – we’ve had chip & PIN for well over a decade – but for the population of the US, swipe & signature is as natural as handing over cash. Retailers are rightly concerned that adoption will be a slow and painful process, but that may not be their biggest concern.

Estimates of the cost of transition from magnetic stripe to chip range from 12 (mine) – 33 (the press) billion USD, and the lion’s share of this will fall to the retailers who must replace their existing payment entry devices (PEDs) with chip compatible ones. The chances are good that this expense was not in their long-term costings, and bringing forward the end-of-life of their PED infrastructure is simply not an option in an industry where profit margins are razor thin.

But the thing that few people realise is that while the chip alone is a positive factor in fraud reduction (anti-counterfeit), the greatest benefit of the roll-out of EMV is only achieved when in conjunction with the use of a 4 digit Personal Identification Number (PIN). This effectively adds a second factor of authentication (the card is something you have, your PIN is something you know) making card present transactions significantly more secure. PIN alone would have significant positive impact as well.

It follows therefore that while organisations scramble to comply with the letter of EMV, there already exists in almost everyone’s pocket the capability to provide not just a PIN, but multiple forms of authentication and value-add services that far exceed the benefits of the chip; the mobile phone.

Even the loss of the Primary Account Number (PAN), which is the largest cause of card related fraud, is meaningless if the thief can’t complete the transaction. Add to this the numerous benefits of instant coupons, loyalty programs and even ratings & reviews, and the retailer now has the capability to enhance the customer journey while meeting the intent of EMV.

Neither the card issuers nor even the card schemes themselves are fixated on EMV itself; they are only truly interested in reducing fraud. Retailers share this goal, even if they do not entirely agree with the way to get there.

It is up to authentication vendors to provide alternatives, and get those alternatives tested, real-world proven, and on the table. This will not be authentication vendors alone, or mobile device manufacturers alone, and the result will not be a decision made by card schemes alone. This will be a collaboration between ALL players, and will only work if everyone comes away a winner.

Especially the consumer.

[Ed. Written in collaboration with]