Financial Institutions Need a Can-Do Attitude

“Don’t mistake activity with achievement.”
– John Wooden, former UCLA basketball coach and 10-time NCAA Basketball Champion

Target, Neiman Marcus and Michaels recently lost sensitive customer data to hackers, joining Facebook, Gmail, Twitter, and Yahoo!. And those are only the breaches made public.

Financial institutions (FIs) aren’t safe either: Global Payments (processor for Visa and MasterCard), Bank of America, Citibank, JP Morgan, and Fidelity National Information Services all suffered data breaches recently. Hundreds of millions of dollars were stolen and boatloads of personal data were exposed to criminals.

Companies, especially FIs, are not doing enough to safeguard sensitive information. FIs scramble to buttress their systems to thwart attacks, while criminals easily elude the safeguards.

If you shop online your information could already be on a hacker’s hard drive, waiting to be bundled and sold to another criminal, making you vulnerable to identity theft and other crimes.

The protection plans offered by credit card companies and FIs do provide additional protection. But, if it isn’t enough, why would consumers pay for safeguards that should be provided automatically? The “safeguards” aren’t really all that safe, in truth.

EMV (Eurocard, MasterCard, Visa) (covered on this blog) would be a step in the right direction, erecting additional layers of protection between FIs and hackers. EMV has been adopted by most of the world, but not in the U.S.

EMV replaces the magnetic stripe on cards with a microchip used for authentication, encrypting the information during the transaction and making it more difficult for thieves and card skimmers to steal. Security is further bolstered when the chip is used with a PIN or signature. However, it is by no means a panacea.

Retina scans and fingerprints could also thwart criminals. Those systems require expensive investment in hardware and new software to support them. FIs and their customers should implement anything that makes it more difficult for hackers.

Dual-factor authentication (2FA) is another, more feasible, option. It adds another level to the standard password login: the FI sends a code via text message to your mobile phone, and the user then enters that code to execute the transaction.

Ninety-one percent of Americans already have a mobile phone, according to Pew Research. Convenience alone makes 2FA via text message a logical solution.

Sending out text message codes would require investment in software, but the cost is meager compared to implementing a scanner or other hardware solution. Twitter, Google and Facebook already support 2FA as an option at login. It should be made mandatory.
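As an added illustration of the server side of the text-message flow described above (this is example code, not from the original post), here is a minimal issue-and-verify routine that stores only a keyed hash of the code, expires it, allows a single use, and limits guesses. The server key, the SMS stub and the phone numbers are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: a real deployment uses a managed secret
CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before a fresh code is required

sent_messages = []       # constructed stand-in for an SMS gateway
pending = {}             # user_id -> challenge record (digest, expiry, attempts)


def _digest(user_id: str, code: str) -> bytes:
    # Keyed hash: a leaked table of pending challenges reveals no usable codes.
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


def send_sms(phone: str, text: str) -> None:
    # Hypothetical stub; records what a gateway would send.
    sent_messages.append((phone, text))


def issue_code(user_id: str, phone: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # uniform six digits from a CSPRNG
    pending[user_id] = {"digest": _digest(user_id, code),
                        "expires": now + CODE_TTL_SECONDS,
                        "attempts": 0}
    send_sms(phone, f"Your verification code is {code}")
    return code  # returned only so a caller can simulate the user; the server keeps no plaintext


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'expired', 'locked' or 'mismatch'; the challenge is consumed on ok/expired/locked."""
    now = time.time() if now is None else now
    rec = pending.get(user_id)
    if rec is None:
        return "mismatch"
    if now > rec["expires"]:
        del pending[user_id]
        return "expired"
    rec["attempts"] += 1
    if hmac.compare_digest(rec["digest"], _digest(user_id, submitted)):
        del pending[user_id]  # single use
        return "ok"
    if rec["attempts"] >= MAX_ATTEMPTS:
        del pending[user_id]  # too many guesses: force the FI to issue a new code
        return "locked"
    return "mismatch"
```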

2FA has been around for decades but never took hold. If a mobile phone were compromised, it would carry frightening ramifications. And transactions are susceptible to Trojan horses, Man-in-the-Middle attacks, and other malware. In fact, all computers are vulnerable to these types of attacks.

Tokens like RSA’s SecurID, 1Password, Toopher, YubiKey and the like that provide one-time passwords have weak points as well, which can serve as gateways for criminals. If breached, they could expose every one of the user’s passwords, all at once. Not good and hardly safe.

So what’s the answer?

Disappointingly there isn’t one that ensures total protection in all situations. Hackers are clever and will continue to exploit weaknesses in any, and every, system.

2FA is easy to implement with current technology and is a formidable additional security layer.

Coach Wooden said, “Do not let what you cannot do interfere with what you can do.” FIs need to heed this advice.

About David Sutton: David has a BA in economics and a MS in business journalism, and his articles have appeared on Forbes.com and in the Boston Business Journal. David has had a bank account since he was three.

Cookies for Banking

We need to talk about the cookie.

It’s such a sweet word—warm, comforting, bringing back memories of home. But in this time and this business, it also means something very different. In fact, it symbolizes the constant debate between openness and privacy, an uncomfortable discussion we need to have.

The end of January always brings us Data Privacy Day, as designated by the National Cyber Security Alliance (NCSA). The occasion is typically marked by a smattering of articles on the sensitive topic, particularly if it closely follows a high-profile data breach. This year proved no exception, and again, sensible advice that’s easy to follow is a good thing. The message of caution may be repetitive, but it’s still relevant, and it gets more so with each passing year.

That’s because, with each passing year, we get more of everything—data, devices, channels, applications, scams. The more we talk about privacy, it seems, the less we have of it.

For example, the NCSA asks consumers to celebrate Data Privacy Day hosting events and, of course, by “sharing resources and advice on social media.” It’s a weird irony that some of the tools we use to disseminate that advice will inevitably cost us a little bit of our privacy (any idea how many metatags are associated with each Tweet?).

That brings us back to the cookie, the subject of an interesting new research initiative from an organization with deep roots in the subject, the Interactive Advertising Bureau. “Privacy and Tracking in a Post-Cookie World” offers perspectives not only on the state of affairs as they relate to privacy, but alternative models for data transparency and privacy controls for all constituencies.

The White Paper traces the cookie’s relatively harmless origins, and describes how it has outlived its usefulness in a multi-platform user universe. Rather than identify a single, all-purpose solution—which may be how this option went awry in the first place—the IAB proposes a series of solution classes that can be adapted to develop specific technologies to meet particular industry and customer needs.

Of course, the IAB has a vested interest in learning more about consumers. So do those of us in finance. But that may be where our interests and concerns diverge.

Let’s be clear: Every time a retailer suffers a data breach, or a consumer inadvertently gives away personal financial details, or even a credit card falls into the wrong hands, it comes back to us. Even if it’s not our fault, it’s our problem. The government, other industries and the public will ask what we’re doing wrong. We function at the intersection of money, technology and data, and that means there’s a huge bull’s eye on our industry.

No one reasonably expects us to have all the answers, any more than the IAB does, but that’s no reason why we shouldn’t be asking the questions. The welter of regulations and compliance mandates governing the industry should be seen as a starting point, not a boundary. We want technologies that help us serve our customers better, but that still means walking a sometimes-fine line between extracting relevant information and respecting consumer privacy.

The perfect punctuation mark to Data Privacy Day this year came with the guilty plea from Aleksandr Andreevich Panin, who allegedly created the bank-hacking malware SpyEye, which apparently infected 1.4 million computers. He’ll be spending some quiet time for conspiracy to commit wire and bank fraud. Of course, we can rest assured that for every felon behind bars, there’s a bunch out there doing what they do.

Still, out-and-out criminality like this is one issue; data privacy is another. In this environment, we can be blamed for having information customers give us willingly, even if it helps us serve them better.

It would be good to have a range of alternatives to the cookie that meet our customers’ and our industry’s specific needs. Now that’s a comforting thought.

Image courtesy of Grant Cochrane/ FreeDigitalPhotos.net

Greater Privacy Regulation For Children Online Will Impact Data Collection

*This post originally appeared on Payments Journal

In the coming weeks, federal regulators from the Federal Trade Commission are expected to outline new rules which will make collecting information from children’s online activities much more difficult without parental consent. Mary Engle, the associate director of the advertising practices division at the Commission states, “Today, almost every child has a computer in his pocket and it’s that much harder for parents to monitor what their kids are doing online, who they are interacting with, and what information they are sharing.” She continues, “The concern is that a lot of this may be going on without anybody’s knowledge.”

Privacy advocacy groups say the current federal rule, the Children’s Online Privacy Protection Act of 1998, has been outpaced by new technology, even though it requires websites to obtain parental permission before collecting sensitive personal information from children under 13. For example, the existing rule does not address the use of webcams and online photography. Regulators are now expected to require parental consent before a company asks children under 13 to submit photos of themselves online.

Generation Z children are the most computer and Internet literate generation in history, and with new technologies and applications continually produced that involve the exchange of personal information, privacy rules are vital. While no one is debating the importance of maintaining the safety of children, both online and offline, the new rules could potentially have a substantial effect on the payment industry, particularly for firms involved in the collection of information and social media websites.

The growing number of Generation Z online users means that the market represents a potential goldmine for online retailers and marketers. The new rules, however, will likely change the ability of firms to accurately target and market their goods and services to the teen and pre-teen markets online. While the added protection the new regulations will provide for children is important, it will slow the growth and development of payment-related technologies for this emerging demographic.

Tristan Hugo-Webb is an analyst with the Mercator Advisory Group covering the international market and U.S. debit card market. His responsibilities include covering new U.S. and international legislative regulations and analyzing their impact on the payment industry in the U.S. and around the world. Tristan is also a frequent contributor to Payments Journal, writing on a series of payments industry issues.

Tristan is a graduate of Seton Hall University in South Orange, NJ, with a BS in Diplomacy and International Relations and Minors in Economics and French. He has spent several years living abroad including stays in Italy, Germany and Niger.