PSD2

The Key to PSD2 Adoption? Mobile Phones!

On January 13th, 2018 the Payment Services Directive 2 (PSD2) becomes national law across the EU.

Depending on whom you ask – and to a large degree what their vested interests are – PSD2 will either have little effect, or be a FinTech game changer that will kill banking as we know it.

From the bank’s perspective, they clearly don’t want change. They have been front and centre for generations when it comes to consumer interaction, and the data they have collected is a major source of their power. Start-ups on the other hand, need a way in, and access to that data is a very good place to start. Whoever controls the consumer directly, will have the best chance of controlling the consumer’s financial choices.

PSD2 itself is supposed to promote 2 things:

  1. Make it easier and safer to use internet payment services by better protecting consumers against fraud, abuse, and payment problems as well as strengthen consumer rights; and
  2. Promote innovative mobile and internet payment services. [competition in other words].

The first applies no matter who you are, bank, service provider, or merchant. Combine this with General Data Protection Regulation (GDPR) and everyone needs to protect personal data.

The second however, is supposed to create a so-called ‘level playing field’, but can start-ups truly compete against the big banks who already have the direct consumer relationship?

Innovation is not the problem, FinTech is busting at the seams with new ideas, but none of them mean much unless they are adopted by the masses. What do they have to do to displace a bank, when the chances are they will not actually be providing banking services as we understand them? And what exactly areinnovative mobile and internet payment services” in this context – and to the point of this blog [finally] – how are mobile devices going to make all the difference?

Counterintuitively, mobile phones will actually improve security. You only have to look at the sheer number of each authentication factor of which the modern smartphone is capable to realise that traditional banking apps just don’t cut it. From passwords / passphrases, to fingerprints, to geo-fencing, to whatever comes next, your phone gets as close to true identity management as any device can.

That’s not to say mobile phones are secure, they are not, and this is one of the biggest hurdles to overcome. A bad guy ‘hacking’ into one of your banks accounts is bad enough, now imagine them hacking into an app that controls access to all of your finances. Money management apps is one of the greatest potential benefits of PSD2, and one of its scariest.

As for how mobile devices will aid PSD2 adoption, you only have to look at the trends. According to Statista for the UK:

  • By the end of 2017 66% of the UK’s population will be using a smartphone – That’s 43 million people, and given the demographic, they control the lion’s share of the UK’s wealth.
  • In 2015, 58% of all smartphone owners used banking apps

It follows therefore that a good chunk of that 43 million will be using their devices for a lot more than Facebook.

The only statistic that does not back this up, is adoption of mobile payments. Despite the Apple Pays/ Samsung Pays, and the plethora of digital wallets, mobile payments have in no way realised their potential. This is not the fault of the smartphone, this has to do with the inability of the payment apps to provide any sort of value-add. From loyalty point, to instant coupons, to ratings and reviews, payment apps are not improving the BUYING experience, just adding a payment option.

PSD2 will change all of that. When you have an app that can not only help you find the best price for something, but give you the best purchase choices based on your combined financial history, now you’re providing true benefit. It’s not about how you pay, it’s about how you buy.

Yes, you can do all of this through a PC / laptop, but on what device do you spend the majority of your time online?

[If you liked this article, please share! Want more like it, subscribe!]

 

Froud on Fraud: Cybersecurity Predictions for 2017

This time last year I wrote Froud on Fraud: Top 5 Predictions for 2016. Unsurprisingly, none of these things has transpired. At least not yet anyway [embarrassed silence].

So why do this again, when it’s fairly clear that any insight I have – if any – is aimed more towards potential long-term trends than to short-term results?

The reason I’m taking another stab is I can’t help feeling that 2017 is going to something of a watershed year for cybersecurity. At least I hope so, because there is so much hype, scaremongering and dross out there that something needs to change. And it must change soon, before cybersecurity professionals get lumped into the same category as the better known examples of sleaze; used car salesmen, estate agents, and lawyers (no offence Sis).

The last few years has been bad for the cybersecurity/privacy profession. From Snowden, to the Snooper’s Charter, from Target to Yahoo there has been no good news. Forget that the press will not print good news if they can possibly help it, things actually are getting worse. State sponsored attacks, organised crime, numerous vulnerabilities in Android and iOS, irresponsible Internet of Things manufacturers, there is little to smile about.

But instead of coming to the rescue, the cybersecurity industry seems Hell-bent on making it worse by cashing in on the confusion. From biometrics vendors disgracefully overstating their worth, to consulting practices doing everything in their power to cross-sell and upsell their wares, it’s becoming increasingly difficult to know where to turn.

The only bright side? Legislation.

Yes, legislation. The Payments Service Directive (PSD2) and the General Data Protection Regulation (GDPR) – for example – are both designed to start putting things right in payments and data privacy respectively. No one with a vested interest in keeping things the same was ever going to do anything themselves, so now they’ll have to. Banks, large retail, you name it, there will now be a price to pay for how you treat the consumer.

And let’s face it, it’s all about the consumer.

So with the above in mind, these are my predictions for 2017:

o

  1. ISO 27001 certification will be increasingly important: Unlike PCI which is entirely prescriptive, no other regulation that I have ever seen requires anything other than ‘appropriate‘ or ‘reasonable‘ security measures. Appropriate and reasonably to whom is always the first question. ISO 27001, and other frameworks like it, perform one overarching function; to provide demonstrable evidence that an organisation is taking security seriously. Whether the organisation is actually taking security seriously is another matter, but it is hard to fake certification. Not impossible mind you, just difficult. ‘Compliance’ with GDPR, and other data privacy regulations globally will look to ISO for help.
    o
  2. Biometrics vendors will keep pushing their wares, and fail: OK, so this one is more of a wish than a prediction, but I am so sick of the hype around biometrics that I need to vent. Yes, biometrics if very important, yes, it’s better than a password in most scenarios, but it is NOT an answer by itself. Biometrics will not replace the password, nor will it ever be a solution all by itself. It will do what every other form of authentication should do; take its rightful place in the arsenal of identity management systems.
    o
  3. Amazon GO will be the new model for brick & mortar: Any brick and mortar retailer not terrified by the opening of the Amazon GO store in Seattle is completely missing the point. The point is that consumers don’t care how they PAY, they care how they BUY. Cash, credit cards, even the Apple Pays and their ilk are just forms of payment, they are not relevant to how we choose the products and services we actually BUY. We demand a lot more from our merchants than a glorified cash register. In Invisible Payments, Are They Real? (Aug ’15) I went a little further than Amazon did, and will go even further in a week or so. And while I don’t expect 2017 to see a sharp increase in GO-esque stores, it’s definitely a glimpse of the near future.
    o
  4. Containerised Security Services: Anyone who has looked to Amazon Web Services or Azure for hosting their e-commerce systems often do so in order to outsource security as well. The fact that neither of these services provide much is often a nasty surprise. Yes, the merchants asked the wrong questions (or none at all), but it is incomprehensible to me that vendors like AWM DON’T provide comprehensive security wrappers. 2017 will see an increase in modular and full-service security programs (at least to PCI minimums) from all of the major providers. Hopefully these will be easily understandable and transparent to non-experts, because even the better service providers do a piss-poor job of getting their point across.
    o
  5. Automated Governance, Risk & Compliance: GRC is a fantastic concept, implemented poorly. However, with the ever increasing regulatory landscape, larger organisations simply can’t keep up with the audit  ommitments. GRC tools have traditionally been mostly manual in nature, which explains their lack of adoption. More and more GRC vendors are looking to automate compliance baseline input by providing APIs to end-point vendors (A/V, SIEM, vulnerability scanning etc) for automated input of production system data. 2017 will see GRC vendors finally focusing on the only thing that makes sense; asset management and automated baseline comparisons of known-good profiles.

OK, so 5. is a bit of a stretch, but there’s no way my OCD would allow for only 4 predictions.

What are your predictions?

[If you liked this article, please share! Want more like it, subscribe!]

PSD2: Where is the FCA?

On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.

Anyone know what ‘apply’ means in this context?

On August 12th, the European Banking Authority (EBA) released its Consultation Paper “On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2“. There have been many articles since then trying to explain what it means, at best these are educated guesses.

All other RTSs and Guidelines entrusted to the EBA won’t be available until January 2018. Classification of Major Incidents for example.

So as the UK’s ‘competent authority’ for PSD2, it’s surprising – and more than a little disappointing – that they have so far provided zero guidance, and won’t until sometime in 2017.

For example, the most pressing questions are:

  1. If January 13, 2018 is the date when PSD2 will ‘apply’, does that mean that’s when Account Servicing Payment Service providers (ASPSPs) have to make “at least one communication interface enabling secure communication” available? Or do they have until October 2018 at the very earliest (per the Consultation Paper)?
    o
  2. What happens to ASPSPs if they aren’t ready? Are there penalties?
    o
  3. When will the FCA begin the certification process for Account Information Service Providers (AISPs) and Payment Initiation Service Provider (PISPs)?
    o
  4. Do ASPSPs already qualify as AISPs and PISPs if they currently perform these functions?
    o
  5. Does the FCA have final say in liability?

I was fortunate enough to give a series of PSD2 presentations last week to a large ASPSP, and it was clear that there is significant confusion and frustration surrounding it. I know the legal teams of the larger organisations will already be lobbying the FCA, but I think it’s about time some of these conversations get translated and filtered down to the masses.

Of the 50 people I trained in those 3 days:

  1. PSD2 knowledge was very low;
  2. So far they have received little guidance from senior leadership;
  3. 85% were more scared than optimistic;
  4. Only 10% saw any opportunity for their organisation, the rest saw their jobs threatened;
  5. Almost all saw PSD2 primarily as a force for disintermediation of the card schemes, acquirers and issuers;

Clearly this organisation is not alone, and all the planning in the world will do nothing without a goal in mind. What will PSD2 look like in 2018? What can organisations do NOW without definitive guidance? Is there really enough information out there to warrant investment at this stage?

No organisation wants to invest in business transformation without 2 things; 1) clear opportunity for doing so, and 2) clear guidance from the competent authority. Also, no organisation wants to be first while there is so much uncertainty, but no organisation wants to be last. The advantage in this respect is clearly with the new entrants in the market, not the incumbents.

All that said, wishful thinking is going to get us nowhere. The FCA will jump in only when they are good and ready, it’s up to us to do what we can in the meantime.

Here’s what senior leadership at ASPSPs could be doing:

  1. Ensure the conversations between the legal teams and the FCA are filtered down to all staff – If you’re not having these conversations with the FCA, you must start;
  2.  Set-up a task force to examine opportunities related to Access to Information (XS2A) – You’ll have to give your customer’s information away for free, don’t you want the same from your customer’s other ASPSPs?;
  3. Set-up a task force to examine opportunities related to innovation in payments – Like it or not, existing payment channels will see significant competition. Don’t be Kodak, or Blockbuster, or IBM…;
  4. Set-up training opportunities for as many staff as possible, in-house or 3rd party. – Uncertainty kills motivation, you cannot let this turn into fear; and
  5. Take a long hard look at your mobile apps and APIs, these things will have very significant impact down the road. – You cannot be left behind where customer convenience is concerned.

The time to prepare is now, the time to panic is a long way off. This may sound strange given everything I’ve written up to this point, but look at it this way:

  1. Innovation in payments will only be relevant when consumers ask for it – Just look how little impact Apple Pay and the like have had. Why would it, when it’s no more convenient or value-add than the plastic they are trying to replace.
  2. Regardless of the January 2018 date, you have years before current payment methods begin their inevitable decline – Make smart choices, don’t make choices based on perceived deadlines.
  3. Your customers are yours to lose – YOU have the existing relationship with your customer, new entrants in the game will be at significant disadvantage. Unless you do nothing.

The PSD2 is a good thing for consumers, it’s really up to ASPSPs if this is mutual.

[If you liked this article, please share! Want more like it, subscribe!]

Biometrics is Dead, Long Live Mobile!

In my continuing crusade against greedy and self-serving biometrics vendors – which is absolutely NOT all of them – I figured I would give them a little taste of their own medicine with a ridiculous assertion in the title.

Of course biometrics isn’t dead [I believe it’s still in its infancy] and of course it will only continue to grow in distribution and influence. Its adoption will sky-rocket as mobile devices take over the world and IoT makes thinking for yourself redundant, and I for one am more than happy for it to spend time more in the sun.

What I cannot / will not accept from biometrics:

  1. Its growth at the expense of ANY other form of authentication (without appropriate justification),
    o
  2. Its false and irresponsible claims to its security, and;
    o
  3. Its blatant disregard for its ultimate benefactor; the mobile phone

Put to one side for a minute that not ONE legislation / regulation in payments actually requires biometrics (where “strong authentication” is primarily defined as 2-factor), and focus for a second on how biometrics has even made it as far as it has. Simply put, without the mobile phone, there would BE no biometrics in the mainstream.

It’s not like we would all carry around a separate device to perform biometric authentication, would we? No, we wouldn’t, so it’s only because biometrics is so readily available that we even consider it an alternative to passwords. That’s right, an ALTERNATIVE, and for the foreseeable future, one completely driven by consumer preference. No financial institution in their right mind will make biometrics mandatory, probably ever. I certainly wouldn’t.

So if the mobile phone is so all-powerful, why aren’t they attacking passwords? Simple, a) they have no need to, they are the dominant factor, and b) they are smart enough to realise that without the OTHER two factors they are not providing the best solutions possible.

In other words, they get it.

Rather a bleak picture, isn’t it? 1) not required for regulatory compliance, 2) will never be mandatory, only a consumer preference, 3) will never be suitable for some forms of authentication due to false ‘positives’, and; 4) it completely reliant on something else for its distribution. But even with all of this against it, I will embrace biometrics, in all its forms, if it provides me the convenience I crave, with ENOUGH security to transfer the risk to someone else (my bank for example).

And that’s really what it all boils down to; risk. A simple word but one completely misunderstood, and usually handled poorly. Bottom line; if the effort to steal something is greater than its value, it’s safe …enough. That’s all biometrics and passwords provide; security enough, and the amount of security you have to provide for a transaction is directly proportional to the value of the transaction.

For example, why would you use Apple Pay when it requires authentication that the contactless card does not? Is it more convenient? No. Does it provide more value-add services? No. Does it have anywhere near the distribution of plastic? No. Do YOU have to care about the security of contactless? No, you don’t.

Biometrics is, and will always be only a player in the game. While mobile holds most of the cards, any form of biometrics will be beholden to it, so they should play nice.

Biometrics Advocates, Get With the Bloody Program!

In just the last week, these are two of the articles paraded by the ‘Biometrics For eCommerce’ group on LinkedIn, both of which are taken from PYMNTS.com;

Is Biometrics Putting The Nail In The Password’s Coffin?

Is It Time To Cash In PINs For Biometrics?

My question is; Just how dumb do you have to be to wage a war against your own side? You don’t see The Times and The Sun slagging each other off, or Lexus and Toyota competing for the same demographic, do you? And why not? BECAUSE THEY ARE ON THE SAME DAMN TEAM!

So why is it that biometrics advocates feel the need to pick on passwords / PINs? I can only imagine it’s something like a school bully who only picks fights he thinks he can win, or perhaps they realise that biometrics is nowhere near the panacea they want it to be so they have to compare it against the lowest common denominator.

And let’s face it, that’s exactly what PINs are; the lowest form of password, which is the simplest of the 3 forms of authentication. That’s why it’s so prevalent, and orders of magnitude more accepted and consumer friendly than any form of biometric. But it is also the cause of all of their limitations, which are not inconsiderable.

However, instead of trying to kill the password /PIN, what’s wrong with taking the position of collaborative support? PINs are inadequate for some scenarios, just as biometrics are wholly inappropriate for others. Addressing the factor of authentication outside of the context of risk is no different from asking how long is a piece of string.

What about consumer preference? Is ANY financial institution or bank going to enforce a ‘biometrics-only’ stance? Not unless they are irretrievably stupid.

What about device capability? Are we going to force all 7.3 billion people on the planet to buy the latest smartphones? More than 2/3 of all mobile phones are still not biometrics enabled, do you really see passwords / PINs going away ANY time soon? No, nor do I.

Even for those with smartphones, who’s to say that the something-you-know has to be a passWORD? A picture of your own choosing will suffice. Or special characters in place of numbers perhaps? How many people out there speak Klingon? All you have to do is remember SOMETHING, and the smartphone could not make that easier (especially for those with learning disabilities).

Clearly my blog’s limited reach will have no impact on those too short-sighted or just too plain greedy to adopt a collaborative approach to authentication and identity management, but like almost all FinTech’s disruptive innovators, those going it alone will fail. Biometrics has finally, and rightfully, taken it’s place in the arsenal of weapons used against the bad guys, but for now advocates seem Hell bent on using them against their own friends.

In the end, only multi-factor authentication will win the day. Biometrics will be a big part of that, but the mobile phone (something-you-have) itself will be even bigger, and something-you-know will never go away.

Nor should anyone want it to.