PSD2

The Key to PSD2 Adoption? Mobile Phones!

On January 13th, 2018 the Payment Services Directive 2 (PSD2) becomes national law across the EU.

Depending on whom you ask – and to a large degree what their vested interests are – PSD2 will either have little effect, or be a FinTech game changer that will kill banking as we know it.

From the bank’s perspective, they clearly don’t want change. They have been front and centre for generations when it comes to consumer interaction, and the data they have collected is a major source of their power. Start-ups on the other hand, need a way in, and access to that data is a very good place to start. Whoever controls the consumer directly, will have the best chance of controlling the consumer’s financial choices.

PSD2 itself is supposed to promote 2 things:

  1. Make it easier and safer to use internet payment services by better protecting consumers against fraud, abuse, and payment problems as well as strengthen consumer rights; and
  2. Promote innovative mobile and internet payment services. [competition in other words].

The first applies no matter who you are, bank, service provider, or merchant. Combine this with General Data Protection Regulation (GDPR) and everyone needs to protect personal data.

The second however, is supposed to create a so-called ‘level playing field’, but can start-ups truly compete against the big banks who already have the direct consumer relationship?

Innovation is not the problem, FinTech is busting at the seams with new ideas, but none of them mean much unless they are adopted by the masses. What do they have to do to displace a bank, when the chances are they will not actually be providing banking services as we understand them? And what exactly areinnovative mobile and internet payment services” in this context – and to the point of this blog [finally] – how are mobile devices going to make all the difference?

Counterintuitively, mobile phones will actually improve security. You only have to look at the sheer number of each authentication factor of which the modern smartphone is capable to realise that traditional banking apps just don’t cut it. From passwords / passphrases, to fingerprints, to geo-fencing, to whatever comes next, your phone gets as close to true identity management as any device can.

That’s not to say mobile phones are secure, they are not, and this is one of the biggest hurdles to overcome. A bad guy ‘hacking’ into one of your banks accounts is bad enough, now imagine them hacking into an app that controls access to all of your finances. Money management apps is one of the greatest potential benefits of PSD2, and one of its scariest.

As for how mobile devices will aid PSD2 adoption, you only have to look at the trends. According to Statista for the UK:

  • By the end of 2017 66% of the UK’s population will be using a smartphone – That’s 43 million people, and given the demographic, they control the lion’s share of the UK’s wealth.
  • In 2015, 58% of all smartphone owners used banking apps

It follows therefore that a good chunk of that 43 million will be using their devices for a lot more than Facebook.

The only statistic that does not back this up, is adoption of mobile payments. Despite the Apple Pays/ Samsung Pays, and the plethora of digital wallets, mobile payments have in no way realised their potential. This is not the fault of the smartphone, this has to do with the inability of the payment apps to provide any sort of value-add. From loyalty point, to instant coupons, to ratings and reviews, payment apps are not improving the BUYING experience, just adding a payment option.

PSD2 will change all of that. When you have an app that can not only help you find the best price for something, but give you the best purchase choices based on your combined financial history, now you’re providing true benefit. It’s not about how you pay, it’s about how you buy.

Yes, you can do all of this through a PC / laptop, but on what device do you spend the majority of your time online?

[If you liked this article, please share! Want more like it, subscribe!]

 

Why Mobility is Good for Security

I should get the Pulitzer for these headlines. It’s only an matter of time until they add blogging to the list of literary/artistic mediums.

What it should say, is that BECAUSE of Mobility/BYOD, the spectre of information security raises its head higher than it usually does (which isn’t saying much), thus getting the attention of the senior management who are either entirely focused on running their business, or busy running it into the ground.

I actually had first-hand experience a while ago of an organisation that is on its way to becoming a BYOD-free zone, and considering what they do, I don’t blame them. At least until they get their security culture and policies sorted out anyway.

Which is kinda the point, as very few things I can think of have put the business side and the IT side into greater confrontation.  Business wants increased productivity AND cost savings, and IT Security want …well …IT security.

I don’t think anyone can deny the inevitable increase in productivity when your work email is sent to the same device you spend vast portions of your life on (usually in order to avoid talking to actual people).  But then you also can’t deny that confidential information on a device that is insecure (currently) is a VERY bad idea.

I know there are BYOD ‘solutions’ out there, but none of them work, and most of them are downright crap.

So where do businesses screw-up?; easy, they look IMMEDIATELY to technology to solve the problem that only education and policy can solve (again, currently).

Here’s a scenario:

  1. A salesperson wants to send a classified contract to legal, should they;
    1. Just send it, because it’s to an ‘internal’ department?
    2. Password protect it if they have that ability on their mobile device?
    3. Never try to send it from a mobile device?
    4. Follow the corporate policy?
    5. Wait until the next day to send it securely from a known-good device?

The correct answer is d.

Hang on – you may say before hearing the explanation – why are b., c. and e. wrong?  They are not wrong, they’re just not right given that policy ALWAYS trumps what you think is the right thing to do.  If corporate policy says you can post classified docs to Facebook for feedback, so be it.  You’re company will be out of business, and your CEO in jail (hopefully), but that’s a perfect segue to my next point…

Do you think you have the right to question your company’s policies?

The answer is that you absoLUTEly have not only the right, but the obliGAtion to question policies if you consider them in any way discriminatory, incomplete, redundant, inappropriate, unworkable …you name it. Not only that, you have a further obligation to help enforce those policies, it’s your company as well.

Policies are supposed to be the parameters upon which the corporate culture if founded.  They define the CEOs perspective on everything from community programmes, to acceptable use, to expenses, and if the CEO doesn’t bother to create them (or at least approve them), as well as evangelise them, they will not be followed.

So, back to my favourite phrase; “Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities.  If the organisation fails to achieve [secure BYOD though policy enforcement] , it’s the CEOs fault, and no-one else’s.

If you don’t think policy is the way to go on this, let me ask you one question; Would you follow company policy if this was the language in it; ‘All employees are strictly forbidden to send confidential information from their mobile devices.  All confidential data must be deleted immediately, and the matter reported to [department].  Any breach of this policy will result in dismissal, and subsequent legal action if deemed appropriate.’

I would.

Why Is Bring Your Own Device (BYOD) So Hard?

This is not going to be about the legalities, policy, or privacy issues surrounding BYOD, that has been covered many times over in articles like this one; “Why almost everyone gets it wrong about BYOD” by Brian Katz.  I would hope that you are fully aware that regular information security policies do not cover the use of personal devices, and have established appropriate policies accordingly.

What I will be focusing on is a) the risks based approach, b) some musings on current ‘solutions’, and c) my thoughts on a possible technology solution.

A lot of these so-called BYOD solutions focus on the communication channels, secure browsing, malware protection, and/or Mobile Device Management.  All of them miss the major point, which is the risk to data at rest.  Do you really expect your employees to VPN into some kind of proxy just to browse the Internet?  Or how do you expect people to sign up to having their phone entirely erased if they loose it?

The issue is that not one mobile application, I repeat, not ONE, works at an Operating System (OS) layer that prevents jailbreaking.  Any encryption of either  the data channels or the data itself is performed by software running on top of the underlying OS.  Jailbreaks work AT the OS layer, meaning that any functionality of the application is immediately at risk, including any encryption keys.

Charles Henderson says it better than me; “Is Your Mobile App Safe?

So BYOD is not about keeping your data from being stolen, you can’t, it’s about agreeing on what you are prepared to loose, and what to do if (when) that happens. So instead of throwing ineffective technologies at the problem, you have go back to basics and look at Role Based Access Control, data classification, retention policies and so on.  You should even question whether or not the cost savings and assumed productivity enhancements associated with it are really worth the effort.

In other words, if you do decide to proceed, assume that whatever your employees are downloading on their phones and tablets is now available to everyone, and implement your BYOD solution accordingly.

I would argue that you are probably better off educating your employees to never put confidential information in emails than you are trying to control how they use / abuse their personal phones.

I believe that there is currently only one way to perform BYOD securely; in a hardware module.  If you accept that you cannot perform authentication / encryption safely at the application layer, and that you will likely never have access to the underlying OS (iOS for example), then you are left with hardware.

The hardware module would perform several functions;

1. Authentication – Once the module is plugged into the mobile device, it establishes a secure channel back to home base to perform whatever form of authentication you choose (LDAP, username/password, certificate, even biometrics).  All encryption keys are kept on the hardware device.

2. Encryption – Seeing as the keys are on the hardware device (some form of mini-HSM perhaps), you can leave the encrypted data on the mobile device when not used for work related applications.

3. Storage – The hardware module could also be used to store all work related data, and the mobile device provides nothing more than  a communications channel.

The form factor for the hardware module could be something that is already very common, the phone case / battery charger.  Like this for example;
Screen Shot 2013-07-08 at 16.43.01

Or it could be something like this that has many connection types;

Screen Shot 2013-07-08 at 16.46.01

There are many things to work through, and perhaps the most significant is that this module would literally have to jailbreak / hijack the mobile device before it could have the kind of control needed to enforce the BYOD policies.  Easy enough on Android/Windows, but I’m fairly sure Apple would have issues, they have already totally screwed the ancillary device market with their lightning adapter. I know Apple are also working on an secure embedded SIM technology, but I really don’t see how it can perform he above functions in something so small, and they haven’t even seen fit to add Near Field Communications (NFC) chips to their iPhones.

Thinking ahead, this may not be a viable solution for all businesses, you still have to purchase hardware, and the centralised management station would have to perform everything an MDM does, but for the hardware modules, not the mobile device.  However, for government, government contractors, military and so on, perhaps the encryption aspect alone would be of interest?

Who is currently best placed to corner this particular market?  I think POS / terminal manufacturers like Verifone, Ingenico, or Micros would be contenders.  They already have manufacturing capability, HSM technology, small-form storage modules, OS and mobile communications expertise etc.

All they would really need is deep expertise in the specific mobile technologies covering the majority of the smartphone / tablet market; Apple, Android, Samsung, maybe even BlackBerry.  I’m guessing those skill-sets are not too hard to find.

Clearly there is a lot more to it that I have mentioned here, I do want to keep something back for collaboration opportunities 🙂

What are your thoughts?  What have I missed?  Is this viable?