Biometrics is Dead, Long Live Mobile!

In my continuing crusade against greedy and self-serving biometrics vendors – which is absolutely NOT all of them – I figured I would give them a little taste of their own medicine with a ridiculous assertion in the title.

Of course biometrics isn’t dead [I believe it’s still in its infancy] and of course it will only continue to grow in distribution and influence. Its adoption will sky-rocket as mobile devices take over the world and IoT makes thinking for yourself redundant, and I for one am more than happy for it to spend more time in the sun.

What I cannot / will not accept from biometrics:

  1. Its growth at the expense of ANY other form of authentication (without appropriate justification);
  2. Its false and irresponsible claims about its security; and
  3. Its blatant disregard for its ultimate benefactor: the mobile phone.

Put to one side for a minute that not ONE piece of legislation / regulation in payments actually requires biometrics (where “strong authentication” is primarily defined as 2-factor), and focus for a second on how biometrics has even made it as far as it has. Simply put, without the mobile phone, there would BE no biometrics in the mainstream.

It’s not like we would all carry around a separate device to perform biometric authentication, would we? No, we wouldn’t, so it’s only because biometrics is so readily available that we even consider it an alternative to passwords. That’s right, an ALTERNATIVE, and for the foreseeable future, one completely driven by consumer preference. No financial institution in their right mind will make biometrics mandatory, probably ever. I certainly wouldn’t.

So if the mobile phone is so all-powerful, why aren’t the mobile vendors attacking passwords? Simple: a) they have no need to, they are the dominant factor, and b) they are smart enough to realise that without the OTHER two factors they are not providing the best solutions possible.

In other words, they get it.

Rather a bleak picture, isn’t it? 1) not required for regulatory compliance, 2) will never be mandatory, only a consumer preference, 3) will never be suitable for some forms of authentication due to false ‘positives’, and 4) it is completely reliant on something else for its distribution. But even with all of this against it, I will embrace biometrics, in all its forms, if it provides me the convenience I crave, with ENOUGH security to transfer the risk to someone else (my bank for example).

And that’s really what it all boils down to: risk. A simple word but one completely misunderstood, and usually handled poorly. Bottom line: if the effort to steal something is greater than its value, it’s safe …enough. That’s all biometrics and passwords provide, security enough, and the amount of security you have to provide for a transaction is directly proportional to the value of the transaction.

For example, why would you use Apple Pay when it requires authentication that the contactless card does not? Is it more convenient? No. Does it provide more value-add services? No. Does it have anywhere near the distribution of plastic? No. Do YOU have to care about the security of contactless? No, you don’t.

Biometrics is, and will always be only a player in the game. While mobile holds most of the cards, any form of biometrics will be beholden to it, so they should play nice.

Thinking About Using the PCI DSS as a Standard for Other Regulations? Don’t.

In a recent article in SC Magazine; “An Inconvenient Truth: New Customer Data Regulations Coming” Jeremy King of the SSC suggests that Payment Card Industry (PCI) “provides the most complete set of data security standards available globally.” I can only assume he means that the PCI Data Security Standard (DSS) contains a list of basic security controls every organisation should have in place, and not that the PCI DSS in any way resembles real-world security.

Because it doesn’t, and you only have to look at the number of breaches involving ‘PCI compliant’ merchants and service providers to see that PCI, by itself, does little to prepare organisations against the challenges they face.

PCI compliance is a commercial obligation, nothing more, and any fines levied are only paid because the merchant or service provider who was breached wants to keep taking plastic. The Payments Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR) will be LAW in the 28 countries of the EU, and attract both legal and financial repercussions that could potentially cripple even the largest of businesses. No standard based on a bare minimum set of controls will ever protect personal data in a meaningful way.

Nor will any ISO standard, or COBIT, or any other information security framework for that matter. At least the PCI DSS puts its money where its mouth is and tells you what controls to implement; all security frameworks do is tell you something is a good idea, never how to do it in a manner appropriate to your business.

Because they can’t: only the individual organisation can ever provide definition, and business justification, around the horribly inexact – but regulation-standard – phrases ‘appropriate’ and/or ‘reasonable security’.

The implementation of a security program that can meet the intent of ANY regulation includes very specific processes that the PCI DSS does not cover, and where it does, it’s in a very limited fashion with nowhere near the emphasis required to express their importance. For example:

  1. The Risk Assessment (RA) is way down in section 12, when it should have been the very first thing performed before PCI compliance was even contemplated. An RA performed in line with the PCI DSS would not be sufficient.
  2. The only nod to Disaster Recovery and Business Continuity Planning is a single bullet in 12.10.1, when these processes are absolutely central to any organisation staying in business responsibly.
  3. The requirements related to 3rd-party due diligence are entirely inadequate relative to the risk involved.

…and so on. I have addressed the inadequacy of the actual PCI controls many times, so I won’t bother repeating them here. Suffice to say, the majority of the controls would be nowhere near enough.

There are only 3 main ways to appropriately address the current and new tranche of regulations / directives:

  1. Make the CEO legally responsible for security breaches, and apply criminal penalties in line with the egregiousness of the negligence – Clearly fines don’t worry CEOs enough; perhaps some jail time would.
  2. Ensure the policies, procedures, and standards are world-class – There is no security program without the application of accurate corporate knowledge.
  3. Training & Education – This should be self-explanatory.

Compliance with any of the upcoming regulations is no different from any regulation already in place. There is nothing outside of an appropriate security program that will ever be required, so just do the things you should have been doing from the very beginning.

Security is not easy, but it IS simple.

PSD2: The Race to the Consumer

The following things have been clear for a while:

  1. The three- and four-party models represented by the card schemes are in real danger of being disintermediated as mobile technology advances;
  2. The use of plastic will only begin to fade when consumers have a compelling reason to move; mobile payments alone are insufficient;
  3. Retailers are desperate to engage consumers much earlier in the buying process, as well as for a long time after it;
  4. Identity Management and Authentication will take their rightful place in payments and beyond; and
  5. The average consumer has no idea what they want.

What has NOT been clear [to me anyway] is what will be the impetus for things to actually change, and I never thought it would be a regulation.

But that is exactly what is happening here in the EU. Even a cursory examination of the Payment Services Directive 2 (PSD2) makes it clear that the established order is changing. It has already been adopted by the European Parliament, and adoption by the EU Council of Ministers is only a pending formality. Once published, each of the EU countries has just 2 years to write the Directive into their laws.

If you had to distill the PSD2 into its major players, they would be:

  1. Account Servicing Payment Service Provider (ASPSP) – Usually the banks; these guys will need to open up account data once they have received permission to do so from the consumer.
  2. Account Information Service Providers (AISPs) – Aggregators of data received from ASPSPs.
  3. Payment Initiation Service Providers (PISPs) – Can initiate a payment, but can only obtain a ‘Yes’ or ‘No’ in terms of funds availability.

It’s the AISPs that are truly the new guys on the block. Imagine it: a non-bank Third Party Provider (TPP) can, once properly vetted / ‘licensed’, request all the information from all of your banks / financial institutions and display it to you in a single location! The possibilities for money management alone are enormous, but it’s retail that will be the big winner. Well, some retailers.

The reason that retail and TPPs alike should be dribbling at the thought of this is that these centralised ‘Money Managers’ (MMs) are the perfect location to begin the buying process.

You want to buy a TV, so you open your MM app which has already gone through the effort to combine feeds from all of the following:

  1. Retailers – If retailers do not provide feeds of stock, deals, locations, terms and so on, they will not be presented to the consumer as an option.
  2. Ratings & Reviews – Few people realise what goes into those 5 stars you see on Amazon and the like, but you’d be surprised how much influence they have.
  3. Your Finances – No point looking if you can’t afford it.

Then, once you have gone through a nice friendly wizard to narrow down what you are looking for, your MM goes out and looks for the best deal, AND offers you the best payment terms from all of your lenders. And the WAY you pay? What do you care? The MM has already determined the best way and taken care of the details!

Those steps may not sound all that radical, but there are two incredibly important facts here:

1) the holder of your money has become far less relevant, so even the banks themselves are losing the Race to the Consumer, and

2) consumers will stop caring HOW they pay in terms of channel, making every other intermediary in the current payment ecosystem irrelevant.

This is what your money is: a stored value. Why SHOULD you care if it’s direct debit, standing order, or branded card, as long as it’s the best deal for you? It all comes back to you anyway.


Does the PSD2 Worry You?

If the answer is yes, you have clearly not learned any lessons from years of regulatory compliance, breach headlines, every security best practice, or basic common sense. And if you continue to do nothing, for whatever the reason, you likely deserve the bad things that happen to you.

Yes that’s harsh, but non-compliance is all so unnecessary. Just like PCI, nothing the PSD2 mandates is something you should not have been doing a long time ago, and if 2 YEARS is not enough time to fix what’s broken in your organisation, please let me know so I can stop doing business with you.

If you’re a financial institution, did it not occur to you to stay up to speed with the latest and greatest advances in access control? Data classification and meta tagging? Did not the FIRST version of the PSD have enough hints that the ever-worsening threat landscape was only going to increase the security and privacy burdens?

Worse than this are the two major offenders: 1) Payment Service Providers (PSPs) who thought that they were somehow immune to regulation because “it’s not OUR data”, and 2) the FIs who used them because they thought they could outsource the responsibility.

Yes, security comes at a cost, and very little of that expense will ADD to your bottom line, but if it’s an ROI you’re looking for, how about staying in business? Between PSD2 sanctions and potentially EU General Data Protection Regulation (GDPR) fines/sanctions, and maybe even PCI fines if it’s cardholder data you lose, I would say your responsibility is clear.

But it’s not all doom and gloom, the path towards compliance is actually very simple. Not easy, simple.

First, get the CEO and/or Board of Directors involved. If they don’t care, no-one else will, and any project to achieve ANY form of compliance will either fail out of the gate, take twice as long, or cost twice as much. As I’ve said too many times now:

Let’s be very clear: the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.

Second, run a risk assessment to determine 3 things: 1) what business assets and processes are affected, 2) what are the gaps between current and required capabilities, and 3) how much you should spend to fill those gaps.

In parallel with the risk assessment, fix your documentation!! The cheapest and most important facet of every security program is the one most ignored, thereby rendering everything else you do somewhere on the scale of sub-optimal all the way to completely ineffectual.

Third, do NOT do this just to achieve PSD2 ‘compliance’; do it for ALL aspects of your business, and do it once. Done properly, any progress toward any form of regulatory compliance becomes a standard operating procedure, and eventually the age-old cliché: business as usual. Anything other than this is wasted effort irrespective of its intended goal.

You wouldn’t ask your doctor for a temporary fix, would you? Security is no different.

In the end, you really only have 2 choices: throw a patch on a gaping wound and hope that you have implemented enough smoke and mirrors to stay under the radar, or do things properly and avoid the worst of the fines regardless of how long it takes to get compliant. While that sounds somewhat counterintuitive, the regulators do not WANT to fine anyone, but if data is lost, it will be the bullshit artist who will be hurt the most.