
Biometrics is Dead, Long Live Mobile!

In my continuing crusade against greedy and self-serving biometrics vendors – which is absolutely NOT all of them – I figured I would give them a little taste of their own medicine with a ridiculous assertion in the title.

Of course biometrics isn’t dead [I believe it’s still in its infancy] and of course it will only continue to grow in distribution and influence. Its adoption will sky-rocket as mobile devices take over the world and IoT makes thinking for yourself redundant, and I for one am more than happy for it to spend more time in the sun.

What I cannot / will not accept from biometrics:

  1. Its growth at the expense of ANY other form of authentication (without appropriate justification);
  2. Its false and irresponsible claims about its security; and
  3. Its blatant disregard for its ultimate benefactor: the mobile phone.

Put to one side for a minute that not ONE piece of legislation or regulation in payments actually requires biometrics (where “strong authentication” is primarily defined as 2-factor, i.e. any two of the three factors, with no single factor mandated), and focus for a second on how biometrics has even made it as far as it has. Simply put, without the mobile phone, there would BE no biometrics in the mainstream.

It’s not like we would all carry around a separate device to perform biometric authentication, would we? No, we wouldn’t, so it’s only because biometrics is so readily available that we even consider it an alternative to passwords. That’s right, an ALTERNATIVE, and for the foreseeable future, one completely driven by consumer preference. No financial institution in their right mind will make biometrics mandatory, probably ever. I certainly wouldn’t.

So if the mobile phone is so all-powerful, why aren’t the phone vendors attacking passwords? Simple: a) they have no need to, the phone is already the dominant factor, and b) they are smart enough to realise that without the OTHER two factors they are not providing the best solutions possible.

In other words, they get it.

Rather a bleak picture, isn’t it? 1) not required for regulatory compliance, 2) will never be mandatory, only a consumer preference, 3) will never be suitable for some forms of authentication due to false ‘positives’, and 4) completely reliant on something else for its distribution. But even with all of this against it, I will embrace biometrics, in all its forms, if it provides me the convenience I crave, with ENOUGH security to transfer the risk to someone else (my bank for example).

And that’s really what it all boils down to: risk. A simple word but one completely misunderstood, and usually handled poorly. Bottom line: if the effort to steal something is greater than its value, it’s safe …enough. That’s all biometrics and passwords provide: security enough, and the amount of security you have to provide for a transaction is directly proportional to the value of the transaction.

For example, why would you use Apple Pay when it requires authentication that the contactless card does not? Is it more convenient? No. Does it provide more value-add services? No. Does it have anywhere near the distribution of plastic? No. Do YOU have to care about the security of contactless? No, you don’t.

Biometrics is, and will always be only a player in the game. While mobile holds most of the cards, any form of biometrics will be beholden to it, so they should play nice.


Biometrics Advocates, Get With the Bloody Program!

In just the last week, these are two of the articles paraded by the ‘Biometrics For eCommerce’ group on LinkedIn, both of which are taken from:

Is Biometrics Putting The Nail In The Password’s Coffin?

Is It Time To Cash In PINs For Biometrics?

My question is; Just how dumb do you have to be to wage a war against your own side? You don’t see The Times and The Sun slagging each other off, or Lexus and Toyota competing for the same demographic, do you? And why not? BECAUSE THEY ARE ON THE SAME DAMN TEAM!

So why is it that biometrics advocates feel the need to pick on passwords / PINs? I can only imagine it’s something like a school bully who only picks fights he thinks he can win, or perhaps they realise that biometrics is nowhere near the panacea they want it to be so they have to compare it against the lowest common denominator.

And let’s face it, that’s exactly what PINs are: the lowest form of password, which is itself the simplest of the 3 forms of authentication. That’s why it’s so prevalent, and orders of magnitude more accepted and consumer friendly than any form of biometric. But that same simplicity is also the cause of all of their limitations, which are not inconsiderable.

However, instead of trying to kill the password /PIN, what’s wrong with taking the position of collaborative support? PINs are inadequate for some scenarios, just as biometrics are wholly inappropriate for others. Addressing the factor of authentication outside of the context of risk is no different from asking how long is a piece of string.
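To make the “risk first” point concrete, here is an added illustration of a step-up authentication policy in Python. It is my example, not code from the original post or from any bank: the transaction value decides how many independent factors are required, the phone supplies something-you-have, a PIN (or chosen picture) supplies something-you-know, and a biometric counts only where the consumer has chosen it as a PIN alternative, and never on its own. The thresholds, factor names and the opt-in flag are assumptions chosen for illustration.

```python
# Added example: a risk-proportional step-up authentication policy.
# Not code from the original post; thresholds, factor names and the
# opt-in flag are illustrative assumptions.
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something-you-know"    # PIN, password, chosen picture
    POSSESSION = "something-you-have"   # the registered mobile phone
    INHERENCE = "something-you-are"     # fingerprint or face, matched on the phone


@dataclass(frozen=True)
class Evidence:
    """What the client could prove in this session (constructed inputs)."""
    device_registered: bool = False   # possession: device-bound key or similar
    pin_entered: bool = False         # knowledge: PIN / password / picture
    biometric_matched: bool = False   # inherence: local match on the handset
    biometric_opt_in: bool = False    # consumer chose biometric as a PIN alternative


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required: int                     # factors the transaction value demands
    used: tuple                       # factor names that counted
    reason: str


# Assumed thresholds, in the transaction's currency units. Low value mirrors
# a contactless card (no cardholder authentication); high value needs two
# independent factors, as strong authentication is usually defined.
LOW_VALUE_LIMIT = 30
HIGH_VALUE_LIMIT = 500


def required_factors(amount: float) -> int:
    """The security demanded grows with the value at risk."""
    if amount <= LOW_VALUE_LIMIT:
        return 0
    if amount <= HIGH_VALUE_LIMIT:
        return 1
    return 2


def presented_factors(ev: Evidence) -> set:
    """Map session evidence onto the three factors actually proven."""
    factors = set()
    if ev.device_registered:
        factors.add(Factor.POSSESSION)
    if ev.pin_entered:
        factors.add(Factor.KNOWLEDGE)
    # The biometric only counts when the consumer asked for it; the policy
    # never forces it on anyone, it is an alternative to the PIN.
    if ev.biometric_matched and ev.biometric_opt_in:
        factors.add(Factor.INHERENCE)
    return factors


def authorise(amount: float, ev: Evidence) -> Decision:
    need = required_factors(amount)
    have = presented_factors(ev)
    used = tuple(sorted(f.value for f in have))
    if need == 0:
        return Decision(True, 0, (), "low value: no cardholder authentication")
    # A biometric on its own is never enough: the match happens on the phone,
    # so without proof of possession nothing ties the result to that device.
    if have == {Factor.INHERENCE}:
        return Decision(False, need, used, "biometric alone is not accepted")
    if len(have) >= need:
        return Decision(True, need, used, "sufficient factors presented")
    return Decision(False, need, used,
                    f"step-up required: {need - len(have)} more factor(s)")


if __name__ == "__main__":
    phone_and_pin = Evidence(device_registered=True, pin_entered=True)
    phone_and_finger = Evidence(device_registered=True,
                                biometric_matched=True, biometric_opt_in=True)
    finger_only = Evidence(biometric_matched=True, biometric_opt_in=True)
    for amount, ev in [(10, Evidence()), (100, Evidence(device_registered=True)),
                       (1000, phone_and_pin), (1000, phone_and_finger),
                       (1000, finger_only)]:
        d = authorise(amount, ev)
        print(f"{amount:>5} allowed={d.allowed!s:5} need={d.required} "
              f"used={d.used} {d.reason}")
```

The point of the shape is that the question “PIN or biometric?” never arises in isolation: the policy first asks what the transaction is worth, then accepts whichever combination of factors the consumer can and wants to present, and the phone carries the weight in every path that is not low-value.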

What about consumer preference? Is ANY financial institution or bank going to enforce a ‘biometrics-only’ stance? Not unless they are irretrievably stupid.

What about device capability? Are we going to force all 7.3 billion people on the planet to buy the latest smartphones? More than 2/3 of all mobile phones are still not biometrics enabled, do you really see passwords / PINs going away ANY time soon? No, nor do I.

Even for those with smartphones, who’s to say that the something-you-know has to be a passWORD? A picture of your own choosing will suffice. Or special characters in place of numbers perhaps? How many people out there speak Klingon? All you have to do is remember SOMETHING, and the smartphone could not make that easier (especially for those with learning disabilities).

Clearly my blog’s limited reach will have no impact on those too short-sighted or just too plain greedy to adopt a collaborative approach to authentication and identity management, but like almost all of FinTech’s disruptive innovators, those going it alone will fail. Biometrics has finally, and rightfully, taken its place in the arsenal of weapons used against the bad guys, but for now advocates seem Hell bent on using them against their own friends.

In the end, only multi-factor authentication will win the day. Biometrics will be a big part of that, but the mobile phone (something-you-have) itself will be even bigger, and something-you-know will never go away.

Nor should anyone want it to.


What Will 2016 Be “The Year Of” In Payments?

I guess it’s quite prophetic that 2016 is the Chinese Year of the Monkey, though I suspect that the Year of the Headless Chicken will be a little more accurate.

Every year, someone either predicts a ‘Year of x‘, or claims that the previous year was ‘The Year of y‘, and usually it’s the very organisations with a direct vested interest in the technology in question. 2015 was the Year of Biometrics, 2014 was the Year of Encryption, and so on.

Thankfully the financial industry at large took a step back and put these, and many other technologies, into an appropriate perspective. Mostly. Especially biometrics, where numerous vendors were dribbling all over themselves when Apple Pay finally hit the mainstream. We heard cries of “The password is dead!” and “Biometrics is the future of authentication!”, all of which was utter nonsense in light of the Payment Services Directive 2 (PSD2), whose strong customer authentication is built on two or more independent factors rather than on any single one of them.

Yes, many banks have invested significant sums in biometrics (usually to enhance their mobile banking app security), and no, these investments will not be wasted, but from what I’ve seen most of them have missed the point; that authentication is just a temporary means to an end.

The result is that those Hell bent on disruption will fail without collaboration, those with a single authentication technology will fail without partnerships in a multi-factor solution, and those interested only in keeping things the same will be left behind. The only hope of achieving a balance between all of these things is to ask the only stakeholders who have no idea what they want:

The consumer.

Even after a few years of dramatic changes and innovation in payments, what everyone seems to have missed – or at least underestimated – is that payments (or finance in general) is far too complex for the average consumer to understand. In my opinion it’s been made too complex to even be sustainable, especially when you consider that the concept of a payment is actually very simple; I have a value stored here, and I want to transfer it over there in exchange for a product or service. HOW that happens should not be the consumer’s concern, only the security and efficiency of that transaction should.

I have no problem paying my bank to protect my stored value (i.e. money), as long as it’s reasonable. I have no problem paying someone to protect (and accept liability for) the transfer of that money somewhere else, as long as it’s reasonable. What I DO object to is the numerous intermediaries in the current system who not only make the process expensive, but ridiculously slow and inefficient.

But what I really want is for payments to go away entirely, at least from my perspective as a consumer. I want the HOW of the payment to be handled in the background, and the decision made by a trusted third party who found the best all-round deal for the product/service of my choosing. Whether that’s finding a plumber, or shopping for groceries, the only innovations I care about are ones that take care of the things I hate doing; like filling out online payment forms, or lining up in Sainsbury’s to pay for a pint of milk.

So, in truth, 2016 will likely be the Year of Nothing Much Happened. Truly beneficial change will take a long time, and while the pieces necessary for innovation are already available, getting all of the stakeholders to agree on the way forward will extend way beyond this year, and likely next.

I’m hoping that 2016 will actually be the Year of Getting the Future-State Plan Right, but I somehow doubt it.


Attention Channels/Resellers, Don’t Forget Consulting Services!

A long time ago on a career path far far away I was responsible for the delivery of consulting services across the EMEA and APAC regions. Even as someone fairly new to a Director level role it was clear that any company not selling security through as many external channels as possible would be hard pressed to cover enough ground to achieve significant success.

It seemed fairly obvious to me that it was the security resellers (VARs and the like) who were best placed to cover more ground than any internal team could possibly hope to match. Plus, most of the bigger VARs already had pipelines hundreds strong, because EVERY organisation that has bought security-relevant equipment is a target for security-relevant consulting. They may not know it or want it, but they will understand why they were approached.

The only problem was that not one VAR gave a damn, and the main reasons are two-fold:

  1. Consulting cannot be commoditised – VARs are generally ‘box shifters’, they sell a piece of equipment at a profit and move on. Selling consulting of any sort is a fairly significant learning curve, an investment of effort no VAR was prepared to make.
  2. Not enough margin – VARs are used to fairly significant margins on equipment; there’s not much wiggle-room in the world of consulting, especially in the hugely price-compressed world of QSAs/PCI for example.

Both of these are fair points, there are challenges that I have not mentioned, and undoubtedly others of which I am not even aware, but I still think VARs have missed an enormous opportunity. Assuming of course they actually have their clients’ best interests at heart.

When a security consultant performs a security gap analysis they will cover almost every aspect of a security program, including the security controls in place. From network devices and servers, to more ethereal products like data loss prevention (DLP) and web application firewalls (WAF), to software like anti-virus, file integrity monitoring (FIM) and encryption. All controls are examined in turn, gaps documented, and an acceptable remediation agreed with the client.

What you now have is a laundry list of EVERYTHING the customer needs to properly manage their security program, and there is no way a VAR would ever have been able to cross-sell / up-sell to that extent. Even salespeople working at security consulting companies rarely have this kind of insight! A good consultant can expose opportunity like no VAR in the history of VARing.

No, I am not suggesting that VARs hire security consultants to help sell technology the client doesn’t need, and in fact, there are times when a consultant will prevent a client from buying technology for which the client simply has no use or cannot possibly manage. What I am saying is that most organisations want to buy from a trusted vendor, but rarely know the right questions to ask and end up with what they asked for, not what they needed. VARs will not know the difference, a consultant will.

The fact remains that all organisations who don’t have in-house expertise need help at some stage. A network administrator can install and manage a firewall, but it takes a security expert to optimise the architecture based on the business processes. A SIEM administrator can import logs and generate alerts, but it takes a security expert to tune the output so that it actually drives incident response. And so on.

It’s the VARs who help their clients manage not only their technology needs, but their business needs who will truly make a difference. And a lot more money.


Information Security Needs Teachers, Not Consultants

This blog could just as easily be titled “Information Security Needs Teachers, Not Technology”, but I’ll pick on technology vendors some other time. Then again, it could also be teachers vs. anything-else-you-care-to-mention, because there is nothing in security that cannot be made easier, better, cheaper, more sustainable etc. by someone who passes on their skills to those who need them the most.

Their customer.

Teachers are rarely recent graduates of X University, or theoretical researchers at Y organisation (Gartner, Forrester et al), and especially not a lot of the PCI QSAs I’ve come across. Teachers are the people who sit in front of their clients day in and day out trying to make themselves redundant. I use the phrase; “If you can’t do what I do at the end of this contract, I’ve failed.”

Even in 2016, information security expertise is a depressingly rare commodity, with few organisations able to afford the full, or even part-time retention of SMEs in-house. Instead, the vast majority of organisations hire consultants to help them through their security and/or compliance challenges. In and of itself this makes perfect sense, I have no issue with it, and have in fact made a career out of providing these services.

My issue is with those consultants who don’t teach their clients to do what the consultant was hired to do, perhaps with the assumption that the client will have no further need for the consultant’s input once the job is done. The fact is, if the client doesn’t renew the contract, it’s because either 1) they don’t care enough to accept the guidance given; 2) the consultant drained their available budget, or; 3) the consultant didn’t know what the Hell s/he was doing.

In a previous blog (The 4 Consultant Types: Know Which You Are, Know Which to Ask For) I detailed the 4 consultant types:

  1. The ‘Auditor’: Extremely detail oriented, and can (and do) write massively detailed reports on exactly what you’re doing wrong. And that’s it.
  2. The ‘Assessor’: Still very tied to the written instructions, but better able to read the intent of the situation, and subsequently better able to tell you why a thing is not right. And that’s it.
  3. The ‘Consultant’: I reserve this title for people who are able to not only explain simply what you are doing wrong and why it’s wrong, but what you should be doing AND provide several options on how to fix it. That’s it for them too.
  4. The ‘Teacher’: These rare folks are able to enormously simplify the challenge at hand, and teach the client to fix it themselves. And not just once; whatever the solution was, the Teacher will show the client how to maintain the fix, and how to implement a cycle of continual improvement in line with business goals.

The silly thing is that a good security teacher will never be out of work, no matter how hard they try to pass on their skill-set. Whatever s/he was hired to do for the first contract is invariably just scratching the surface of the work that needs to be done. A consultant may be asked to come back to repeat a task, but a teacher will be invited to help the entire business move forward.

Every security teacher aspires to be invited to take part in an organisation’s Governance committee, where the IT side and the business side have real conversations. Some call this a Trusted Advisor, but frankly I’ve never seen one who was not a teacher first.