Biometrics in Payments – Irresponsible Demand Generation

Demand generation is defined as: “The focus of targeted marketing programs to drive awareness and interest in a company’s products and/or services.”

Done responsibly it can be a very effective tool in any organisation’s marketing/PR tool-set, and I applaud anyone doing it well. Done irresponsibly it can lead target organisations to make very poor decisions that they will end up bitterly regretting. Yes, each organisation is responsible for making their choices, and for performing proper due diligence, but in an industry as complex as payments, vendors are often seen as the experts.

This position must NEVER be abused!

The example of demand generation that I invariably use is that of the smartphone. Until I saw one I had no idea I needed so much functionality in a mobile device. Now, quite literally, I cannot do my job without it.

Off the bat, that suggests 3 things:

  1. Smartphone manufacturers were justified in their aggressive marketing efforts …eventually;
  2. The drive by each vendor to win the entire market for themselves, while promoting competition, has left us with an enormous variety of devices and technologies that are difficult to adopt for fear of backing the wrong horse, and;
  3. I’m not smart enough to be a futurist.

But if they had worked together on standardisation from the beginning (as with bloody power adapters, for example!), how much better off would we be?!

Now biometrics vendors are the vultures over the kill, and the password is the corpse (harsh, I know, but the alternative is wolves, and they at least work in unison for the good of the pack).

Biometrics companies are spending vast sums on marketing and PR resources to become the next big thing in authentication, all the while completely ignoring the fact that they are offering something little different (single-factor, static authentication), and side-stepping the most basic of practicalities: ease of adoption, and future-proofing.

The FACT remains that implementation of effective biometrics is extremely difficult. Distribution, false positive rates, disability support, privacy issues and a plethora of other challenges will continue to ensure that single-factor authentication with biometrics will not replace the 4 digit cardholder PIN any time soon. Nor should it.

It’s not about replacing the PIN; it’s about seamlessly combining the PIN with other forms / factors of authentication like biometrics. Anything else is irresponsible in the extreme given that most smartphones are capable of all 3 authentication factors, multiple times each! Passphrase, PIN, fingerprint, voice recognition, iris, geo-fencing, device registration, device profiling, social media profiling, you name it: all of these can be entered into a mobile device through normal and already established consumer use.

The following is not necessarily an endorsement of Fast Identity Online (FIDO) Alliance, but you can see from their Mission that they fully appreciated the importance of evolutionary change, not revolutionary change:

“The Mission of the FIDO Alliance is to change the nature of online authentication by:

  • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the Specifications.
  • Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.”

Reliance on single factor authentication with biometrics is a mistake, so avoid any organisation who adopts the ‘password is dead’ stance and just do your homework based on a business need, not a buzz-phrase.

Can a Blog Be Your CV / Resume?

In a recent post (Digital Anarchy? Not Without Identity Management) I posited that eventually Identity Management would consist of a construct of your entire life. From the beginning, all the way through to the present day, and continuing without pause until the end. The premise is that the more that is known about you, the harder it becomes to pretend to be you. Most fraud mechanisms work on making value judgements related to ‘normal’ behaviour, so why don’t we help that process along?

Privacy and profiling issues aside of course! 🙂

So it occurred to me that if all potential employers knew exactly what I believed in, and – assuming they agreed with me – how I could provide benefit to their organisation, then a CV is almost unnecessary.

LinkedIn already provides the factual information about my previous employment, and as much detail regarding my functions / achievements as I deem fit to share. Employers can do a background check based on my online presence long before approaching me directly. So add a blog on top of that, and what else could they possibly need to make a decision regarding next steps?

References? Background Investigations? Yes, but these are final steps, as the only purpose a CV serves is to get you that first interview. As such, it is VERY hit and miss, and a shining gem of a CV to one HR pro is a not-so-polished turd to another. In the end, HR are not even your final audience, but every candidate is expected to know all about writing CVs and cover letters, as well as interview techniques and etiquette. All you end up doing is filtering out the worst candidates, not narrowing down the best.

A blog, on the other hand, shows many things, all of which have good and bad elements depending on your point of view:

  1. Communication Skills – Writing is not easy, and even doing an average job of it takes a level of skill. If you cannot get your point across in 500 – 1000 words, AND in a way that the majority can understand, you either need to work on your writing skills, your knowledge of the subject, or both.
  2. Subject Matter Expertise – Blogs on specific subjects should be written by people who have relatively significant experience in their chosen profession. But that does not mean they are always right. A blog from a ‘security expert’ with whom I vehemently disagree will be dismissed just as quickly as would a blog on intelligent design.
  3. Desire to Help – While my blog [for example] was initially started because my wife told me to, it soon became an integral part of my weekly tasking. The skill-set I have (such as it is) does no good to anyone until everyone can follow the guidance I am trying to impart. Security expertise [for example] is NOT something that should be used just as a competitive advantage. There is plenty of opportunity to make a living while giving as much as you can back.
  4. Thought Leadership …Or Not – One of the fastest growing buzz-phrases / clichés, but the concept is sound: are you a person who creates the new, improves the old, or sustains the present? All of these things have their place, and no one of them is necessarily better than the others, but you need to know which you are, and so do your potential employers.
  5. Skin In The Game – A phrase I’m borrowing from our American friends, it means that you are actually taking part in something, and not just sitting on the sidelines watching. Good if you’re contributing positively, bad if you’re an idiot.

Anything that fights against “But we’ve always done it this way!” is to me a good thing, and that’s where a blog really comes into its own. All of your ideas, concepts, or even random thoughts need to be put down into words that others can follow, which means YOU have to clarify them first. Ideas catch on, but only the ideas that see the light of day.

For good or bad my blog is now my CV, let’s see how it pans out! 🙂

[If you liked this article, please share! Want more like it, subscribe!]

Digital Anarchy? Not Without Identity Management

I read a rather long but very interesting article the other day (thank you nephew) titled ‘The Coming Digital Anarchy’ by Matthew Sparkes (Telegraph). Despite the rather dramatic title (I have done this egregiously myself from time to time), the concept regarding the future of ‘blockchains’ is sound, and it is a far better researched and far more encompassing version of my earlier article ‘On The Irrelevance of Money’.

However, with the exception of one fairly cryptic phrase, “In [his] version of the future, identity and reputation will be the new currency,” the means by which this new order will be usable has not been addressed. Nor have I seen it addressed in any other articles of its ilk.

Regardless of the manner in which our data is stored, either the current file/database method or the de-centralised / distributed method of blockchains (devised for the cryptocurrency Bitcoin, but with much wider implications), we, the owners of the data, need to access its function securely, and put it to use in any scenario we choose.

If you can assume, for the sake of argument, that the concept of the block chain is a valid method of storing and securing data, how can we access the data’s benefits in a manner that’s equally secure? Your computer, mobile phone, static knowledge (username / password etc.) and physical tokens (credit cards, RSA tokens) are what we use now, and, being based on current methods of authentication, they inherit their flaws. It is a hard enough stretch to get people to accept that their entire ‘Internet Worth’ (trying to coin this phrase) is not maintained by any institution, but to grant access to this without ensuring your identity is protected in the same way goes too far, even for me.

Your identity is all you have that’s truly yours; everything else is a universally agreed representation of value (money, for example), so until such time as we can bring our full identity to bear we are reliant on small, and very specific, elements of it. Elements that are relatively easy to steal, and duplicate.

It follows, therefore, that the more of our identity we can securely distribute, the harder it will be for anyone to pretend they are us. Even in a scenario like Invasion of the Body Snatchers where they completely take over our physical bodies, unless the entirety of my life was instantly at the impostor’s disposal, AND they were able to duplicate my personality precisely, my family and friends would know there was something wrong. And if I’m honest, they might actually prefer the new me.

Which brings me to the true value of your identity: Trust. You would not lend a stranger £1,000 without significant rules in place, but you would think nothing of lending it to a family member (assuming they’re not a douche-bag). Why? Because you have a lifetime of trust built up behind you.

How then do we duplicate a lifetime of trust in an electronic form, between two complete strangers? Well, if you’re reading this, YOU probably can’t; it’s too late for most of us, but it’s NOT too late for those young enough to begin the process. All we need is the technology.

Oddly enough, I think that block chains provide the answer here too, but I am making a huge assumption based on limited knowledge of how they work. However, from what I know already, they are an ideal medium as their very nature is to record everything that ever happens from the beginning. It just needs to be worked out how to accept the input from everyone with whom the individual comes into contact, and how to represent that in terms of levels of trust. Much like a credit rating, but infinitely more difficult to explain.

In just the last few days Ghash has thrown a huge spanner in the works by controlling the magic ‘51%’ of Bitcoin’s mining power, thus completely ruining the whole concept of de-centralisation. They have said that we should not worry, and to trust them, but so do the banks. There is clearly a lot of work left to be done.

Until people MUCH smarter than me can work out these issues, and we completely redefine the concept of Privacy (that’s the easy part, right?), this is all theory and speculation, but I cannot see any safer way to get where we are headed. Things change, whether we are ready or not.

Your identity as a baseline is both irrefutable and impossible to duplicate, but it DOES mean you have to be a decent citizen your whole life or be ostracised. Is that such a bad thing if we have a global consensus on right and wrong?


On The Irrelevance of Money

OK, so money isn’t irrelevant …yet, but it will be. Like so many things in existence, it is only still used because it has either achieved global ubiquity, or there is nothing better to replace it, or both.

Money, in all its forms, is probably the definitive example of this, but I can actually see a time in the not too distant future when it will be replaced with what it has always represented: Value.

Let me take a step back here and say that this subject is wayyy too complex for me to do true justice, and I have no intention of reading any books on economics to ensure it’s factually accurate, but by its very nature money is limiting to the continuation of globalisation. Like it or not, the world is getting smaller and less unique across traditional borders, both physical and political. People are starting to want the same things, and while not all of the things they want are good, the common ground between them is once again driven by value.

Money simply cannot keep up with the changes, and the massive complexity of producing cash, providing debit and credit services, exchange rates, inflation, and a plethora of other things I have made it my goal to never understand, will eventually drive a requirement for something new:

I’m calling it ‘Digital Identity and Virtual Value Management’.

Errr, what?

Another step back: in the past, if you were a wheat farmer and needed meat, you would exchange wheat for meat at a ratio you agreed directly with the person standing right in front of you. You would then each go on your way, happy that you had received fair value for your goods. However, if you wanted dairy products, carpentry skills, metal working skills or a whole host of services, you had to repeat this process, and of course the representative values would always change depending on your immediate needs.

Now, in a massive over-simplification of history (and probably of fact), it was decided in the year [mumble-mumble] that it would make sense to replace the bartering system with a universally agreed (i.e. by the ‘government’) meaningless object (money), which would represent the VALUE of every commodity, so that the holder of this meaningless object was owed the value of it in any commodity they chose.

Great, so instead of carrying around huge quantities of wheat, our farmer can now walk up to any provider of goods and exchange their meaningless objects for whatever they want.

Eventually these meaningless objects became paper-based, then plastic, and now it’s digital, but it’s still meaningless. Only the VALUE of what it represents means anything, and you SHOULD be able to spend that any time, any place, anywhere, without the need for a meaningless object.

Your identity should replace the meaningless object, and your value should replace money in all its forms.

But who sets your value? Who is to say that the services of a lawyer are more valuable than those of a plumber?

You do.

Currently, if you accept £50,000 / year for your employment, YOU are the one who set that value, not your employer. If you think you’re worth more, go somewhere else, or, better, increase your value by improving yourself in some way (education, experience, work harder, you name it). And herein lies one of the biggest mistakes people make their whole lives: focusing on money when what they SHOULD be focusing on is improving their own worth, their VALUE to others.

So, what is Digital Identity? It’s the unequivocal ability for you to prove that you are you, to anyone, anywhere. If everyone in the world KNEW that you were you, then you would not need money, passports, or any physical form of identity. Whether this is effected by biometrics and knowledge verification or [more likely] a combination of these and other yet-to-be invented factors is unclear, but the digitalisation of everything will continue until this form of Identity Management is commonplace.

And Virtual Value? This you can see happening already with Bitcoin and its brethren. What’s missing is the input of non-monetary value; in other words, I have no way of entering my self-determined worth into a virtual environment and then having others validate it for my actual work, in a way that I can spend on something else. But this is coming too; it almost has to.

I can imagine a time when I perform a piece of work for someone, am immediately ‘credited’ with the agreed virtual value, and can then walk into a store, pick up what I want and walk out again without performing any manual payment transaction whatsoever. My Digital Identity will be confirmed the second I walk into the store, the value of the goods will be automatically calculated based on my choices, and the value of those goods will be deducted from my virtual net-worth (or Internet-worth! :)) as soon as I step back out into the street.

Seems rather ridiculous that we still use credit cards, doesn’t it?

How Identity Management Will Transform the Future of Payments

For generations – quite literally – credit cards have ruled the non-cash payments world, but it’s now time to start saying goodbye to the ‘plastic’.

At the time of their introduction (way back in the late 1950s / early 60s) they were a fantastic innovation, and they have rightly had their decades in the sun. Until now, there has been nothing to replace them: nothing anywhere near as widespread, ubiquitous, incredibly versatile, and still growing as a market.

Now there is.

I am talking of course about the mobile phone, but as I will try to demonstrate here, I’m convinced that this is just a reactive and brief stepping stone, and it will not be 60 more years before that next transition comes about. Actually, it’s already happening.

The table below represents my thoughts on the next steps, and is not based on anything resembling research, known statistics, or maybe even reality. This is just a visual representation of what I believe:

[Screenshot (2014-03-20): table of the projected transitions in payment methods described below]

Credit Cards – Began way back when, and have enjoyed enormous growth over the years. However, the up-front nature of the card itself has required a massively expensive infrastructure to accommodate it, leaving half the planet un-covered and un-banked. Beginning this decade we will see a rapid decline in their use as consumer choices expand, and issuers’ profits drop.

Mobile Phone – Enormous and unprecedented growth and owned by more people than any electronic product in history. Anyone who believes that the inherent insecurity and inconvenience of battery life will prevent the transition of payments onto this platform is going to be left behind. Nevertheless, these limitations WILL ensure that the transition to what’s next in payments comes much faster than the move from plastic. Rapid advances in battery technology and OS security will maintain the trend for a few years.

Non-Invasive Biometrics – As I’m calling it, but I basically mean wearables and anything else that comes along that starts doing away with the keyboard and begins the process of identity management through non-static authentication (i.e. without passwords or other secret information), learning the wearer’s physical profile to effect the majority of the functionality. Voice at first, I assume.

Invasive Biometrics – Implants in other words. There will be those who say this is a ridiculous concept, that it will never take off, but I believe that the next generations will not see this as outrageous, and WILL see the mobile phone as antiquated and inconvenient. Anyone who has seen the 2012 version of Total Recall and the phone implanted into Colin Farrell’s hand either said “NO WAY!”, or like me said “I WANT ONE!”. Batteries will always be a limitation, but the human body IS a battery (of sorts), and it will be harnessed accordingly (hopefully not like in The Matrix).

Cumulative Identity Profiling – Again, this is what I’m calling it, but it’s basically the culmination of the trend toward a totally different idea of privacy, and one that I cannot see clearly because I’m not of this yet-to-be-born generation. Anyone who is the parent of a teenager knows that their kids have never NOT had a mobile phone, and that almost their entire life is recorded online. They are never unplugged. We are horrified for them, but that’s our judgement, not theirs, and theirs will win. Identity Management and authentication will be a sum total of your life’s experiences, and therefore almost impossible to fake, or duplicate. The whole concept of privacy will be turned on its head.

There are those who say that this can only happen in industrialised nations, those with the money to afford such things, and yes, there will always be a portion of the population who will be out of the loop for a while. However, Mozilla (for example) are releasing a $25 smartphone, and it is estimated that within a few years Africa will have 50% smartphone adoption. This trend will cover almost everyone, eventually.

The innovation involved with payments is really at the beginning of its evolution, and I’ll probably look back on this post in 5 years’ time and laugh at my naivety. Nevertheless, the card brands know it’s coming (hence NFC, HCE etc.), the terminal manufacturers know it’s coming (hence the rise of phone-based mPOS), and the retailers know it’s coming (hence the push back on EMV), so the only thing left is for the consumer to start making demands, and there will be no looking back.

The average consumer will forgo security for convenience; it will be up to the payments innovators to make sure enough security is built in to protect people from themselves. Which I think is unfortunate, but it’s that or educate 7 billion people.