From Heartbleed to Heartburn


Information security is a constant game of catch-up. We get new technology capabilities, the bad guys find new vulnerabilities. They devise new forms of malicious assault, we come up with new defensive strategies. And so it goes. We know it, they know it, everyone knows it.

Why, then, is the bug known as Heartbleed getting so much attention?

Sure, no one disputes that it’s at least potentially a very big deal. But one week into the discovery, Google turns up more than 530 million hits on the subject. The Electronic Frontier Foundation, among others, has labeled it “catastrophic,” and some have gone so far as to describe it as the worst vulnerability to be identified since commercial traffic began on the Internet. Is it really that bad?

Hype aside, here’s what we do know. Over the years, the open source community (basically, thousands of developers not beholden to any corporation in particular) has worked together to create much of the software many of us use today. One such program that most people outside the field know nothing about is OpenSSL, which matters a great deal, since it provides the TLS encryption used by web servers all over the world. With it, sites can exchange encrypted information with visitors, ensuring that the data can’t be read by anyone else while it travels between the user’s device and the site.

Heartbleed, the big bad bug in the room, is a flaw in OpenSSL’s implementation of the TLS heartbeat extension. A heartbeat message carries a small payload plus a field stating how long that payload is; vulnerable versions of OpenSSL trusted the stated length without checking it against the data actually received, and echoed back that many bytes from the server’s memory. Each malformed request can therefore return up to 64 KB of whatever happened to be in memory: fragments of user passwords and session cookies, and in the worst case the server’s private key, which is what lets an attacker impersonate the site or decrypt captured traffic. It does not break the site’s certificate; it leaks the key behind it. The bug had been present but quiet for roughly two years, since OpenSSL 1.0.1 shipped in March 2012, during which time it potentially exposed data in a range of environments, from search engine and social networking services to some Android devices.
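To make the mechanism concrete, here is an added illustration (not code from the original post, and not OpenSSL’s own source) that models the heartbeat handler the bug lived in: a vulnerable version that trusts the length field, beside the bounds check that fixed it. The simulated "process memory" buffer, the secret string planted after the record, and the function names are constructed for the example; the wire layout (type byte, two-byte length, payload, at least 16 bytes of padding) and the length comparison mirror the real TLS heartbeat format and the OpenSSL 1.0.1g fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_MIN_PADDING    16
#define HB_HEADER_LEN     3            /* type (1) + payload_length (2) */
#define HB_MAX_RESPONSE   (HB_HEADER_LEN + 65535 + HB_MIN_PADDING)

/* Constructed stand-in for the server's heap: the heartbeat record lands at
 * the front, and a "secret" (think private key or session cookie) sits just
 * after it, as a neighbouring allocation would. Sized so that even a
 * 65535-byte over-read stays inside the array, so the demo has no UB. */
static unsigned char memory[HB_HEADER_LEN + 65535 + HB_MIN_PADDING + 4096];
static unsigned char response[HB_MAX_RESPONSE];

typedef int (*heartbeat_fn)(const unsigned char *rec, size_t rrec_length,
                            unsigned char *out);

/* Write a heartbeat request into `memory` whose header claims `claimed_len`
 * payload bytes but actually carries `actual_len`, then plant `secret`
 * right after the record. Returns the real record length (rrec.length). */
size_t build_heartbeat(uint16_t claimed_len, const unsigned char *payload,
                       size_t actual_len, const char *secret)
{
    unsigned char *p = memory;
    memset(memory, 0, sizeof memory);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);      /* big-endian length */
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, actual_len);
    p += actual_len;
    p += HB_MIN_PADDING;                           /* padding already zero */
    size_t rrec_length = (size_t)(p - memory);
    strcpy((char *)memory + rrec_length, secret);  /* adjacent heap data */
    return rrec_length;
}

/* Shared response construction: echo `payload_len` bytes starting at `src`. */
static int write_response(const unsigned char *src, uint16_t payload_len,
                          unsigned char *out)
{
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload_len >> 8);
    *bp++ = (unsigned char)(payload_len & 0xff);
    memcpy(bp, src, payload_len);   /* reads past the record if payload_len lies */
    bp += payload_len;
    memset(bp, 0, HB_MIN_PADDING);  /* OpenSSL used random padding here */
    return (int)(bp + HB_MIN_PADDING - out);
}

/* Vulnerable handler (pre-1.0.1g logic): the length comes from the peer and
 * is never compared with how many bytes actually arrived. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rrec_length,
                         unsigned char *out)
{
    (void)rrec_length;                           /* never consulted: the bug */
    unsigned char hbtype = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return write_response(rec + HB_HEADER_LEN, payload_len, out);
}

/* Fixed handler: the two checks added in OpenSSL 1.0.1g. A record that is
 * too short, or whose claimed payload does not fit inside what was received,
 * is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rrec_length,
                    unsigned char *out)
{
    if (rrec_length < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    unsigned char hbtype = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rrec_length)
        return -1;                               /* the Heartbleed fix */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return write_response(rec + HB_HEADER_LEN, payload_len, out);
}

/* Offset of `needle` inside the first `n` response bytes, or -1. */
int find_in_response(const unsigned char *resp, int n, const char *needle)
{
    size_t len = strlen(needle);
    for (int i = 0; i + (int)len <= n; i++)
        if (memcmp(resp + i, needle, len) == 0)
            return i;
    return -1;
}

/* Send a 3-byte payload whose header claims `claimed` bytes to `handler`,
 * and report where the planted secret shows up in the reply (-1 = nowhere). */
int secret_offset(heartbeat_fn handler, uint16_t claimed, const char *secret)
{
    size_t rrec_length = build_heartbeat(claimed, (const unsigned char *)"hat",
                                         3, secret);
    int n = handler(memory, rrec_length, response);
    return n < 0 ? -1 : find_in_response(response, n, secret);
}

int main(void)
{
    const char *secret = "-----BEGIN RSA PRIVATE KEY----- (constructed)";
    printf("vulnerable, claimed 16384: secret at offset %d\n",
           secret_offset(heartbeat_vulnerable, 16384, secret));
    printf("fixed,      claimed 16384: secret at offset %d\n",
           secret_offset(heartbeat_fixed, 16384, secret));
    printf("fixed,      claimed 3:     secret at offset %d\n",
           secret_offset(heartbeat_fixed, 3, secret));
    return 0;
}
```

With a 3-byte payload and a header claiming 16384, the vulnerable handler copies the 3 real bytes, the 16 bytes of padding, and then everything beyond the record, so the planted secret appears 22 bytes into the reply; the fixed handler drops the same request because the claimed length exceeds the 22 bytes actually received, while an honest request (claimed length 3) still gets a normal 22-byte response. Nothing about the malformed request is logged in either version, which is why victims of the real bug generally could not tell whether they had been hit.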

After that the details get more technical and, sadly, far more murky. On the one hand, we’re being told that despite considerable scrambling on the part of security specialists at companies everywhere, the potential for major damage is very real. It potentially affects hundreds of thousands of Web sites, from Google and Yahoo to Twitter and Dropbox, along with hundreds of millions of users. By that measure, the level of effort needed to truly fix the problem (patch OpenSSL, generate new private keys, reissue and revoke certificates, then invalidate sessions) is nothing short of monumental. On the other hand, it’s far from clear just how many sites or users have actually been affected. Public challenges issued by security companies to extract a server’s private key using the vulnerability, basically crowdsourcing digital theft, initially came up short, suggesting that the concerns, while valid, could be overblown. But absence of evidence is not evidence of absence here: the over-read leaves nothing in ordinary server logs, so a site that was probed before it patched would have no record of it. On the third hand, of course, we just don’t know.

One thing is certain: The old adage about regularly changing passwords, and not using the same one for multiple functions and services, applies now more than ever. The buzz over this recent episode has apparently prompted many users to rapidly change their passwords for all the online services and devices they use, and that’s good. One caveat: changing a password on a site that has not yet patched OpenSSL and replaced its certificate simply hands an attacker the new one, so wait for the site to confirm it has fixed the bug first. But it would be even better if good password hygiene became a habit rather than a reaction to much-publicized fears.

There’s a larger question here as well. The ubiquity of technology in every aspect of daily life, from social media to mobile banking apps, has perhaps dulled consumer sensitivity to the issue of information security. And that’s definitely not good.

Making technology capabilities ever more user-friendly carries with it a potentially steep price tag; the easier a service is for everyone to use, the easier it might be for the bad guys to hack. On a related note, many of the more common services, from email to mobile apps, are free. That carries with it fewer guarantees of rock-solid security.

Many financial technology vendors are already stepping into the breach to implement fixes for the Heartbleed bug. For their part, numerous commercial banks and other financial services institutions are raising awareness of the threat and running tests to ensure that their communities are not left unprotected.

But somewhere in this environment, consumers have a critical role to play too. Regularly changing passwords is a good start. As digital currency in all forms becomes more embedded in the mainstream, it would be wise to be more aware of security threats and more proactive in taking security precautions.

Bribery, Corruption, Money Laundering: Banks in the Crosshairs, Part 2

This is Part 2 of a two-part series from FTI Consulting. Read the first part here.

Governments and regulatory bodies increasingly expect financial institutions to man the front lines in the war against international corruption and bribery, levying significant fines against banks that have been used by criminals or have conducted business with sanctioned regimes. To survive in this environment, firms must up their game by implementing risk-based controls to account for both front-end client acquisition and back-end transaction risks.

This effort must be led from the top. Senior management must set the tone and be fully engaged in building the internal controls that can make their organizations less vulnerable both to missteps and the depredations of criminals.

However, given the complexities of global finance, and the cunning of criminals, these defenses need to be risk-based, with the institution’s finite resources devoted appropriately to businesses and jurisdictions with inherently higher risk profiles or weaker control environments.

Mitigating client risk
Client-onboarding rules and processes must be made rigorous before accounts are activated. This requires assessments that can identify:

  • Politically exposed persons.
  • People with criminal backgrounds or connections.
  • People conducting business in high-risk jurisdictions and geographies.
  • Individuals acting as proxies for hidden players.

Criminals are continually changing their strategies, using opaque structures to hide the true sources and destinations of funds. It is therefore critical to employ experienced investigators to establish the identities of high-risk individuals and entities, especially when they come from countries where this data is difficult to verify.

Mitigating transaction risk
Banks should deploy technologies to filter suspicious transactions. There is a vast array of commercially available tools that can flag unacceptable transactions (such as identifying sanctioned country codes on transfer receipts). They can trigger alerts and automate watch lists for suspicious persons and transactions, and can also produce reports that are critical when an institution finds itself in the regulator’s crosshairs. But all these tools are only as good as the people who use them. Firms must acquire skilled staff to fine-tune the systems as well as to assess and act upon the alerts and reports they produce.

Taking these actions is a statement of good faith. Using up-to-date processes and tools, and staffing the risk-management function as diligently as possible will make regulators less inclined to punish firms that make the occasional, unavoidable mistake.

It’s Never That Simple
Because it’s nearly impossible to define the scope of the problem – that is, how much money is being laundered or moved around the globe by criminals and terrorists – it is hard for institutions to measure the effectiveness of their programs or assign an ROI to their investments. Consequently, they should be measured by what doesn’t happen – fines, reputational damage, remediation costs, and lost business – not what does.

Ultimately, it is unrealistic to think that the financial industry can take on the bad guys by itself. One hopes that the future will bring greater levels of cooperation between governments and the financial sector. Ultimately, that’s the only way to de-fund criminal interests, terrorists, and others who would seek to sabotage the world’s financial system and use it to further their own anti-social ends.


Peter Brooke and Christine Moran are Managing Directors in the Governance, Risk and Regulation team at FTI Consulting, based in London.

Peter Brooke is an experienced Risk and Regulation Consultant at FTI Consulting, based in London. With a unique blend of in-house and consulting experience, Mr Brooke has worked in financial services for more than 24 years.

As a highly experienced Group Head of Compliance, Christine Moran is an energetic consultant at FTI Consulting. Based in London, Ms. Moran has a highly collaborative, grounded and commercial approach. She has a proven track record of building enhanced and effective compliance and regulatory risk arrangements in both retail and institutional businesses.

What We’re Reading: Retail Banking Myths, Security, ChaseNet

Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

  • 43 retail banking myths—busted!

ABA Banking Journal

With the financial services industry changing so quickly, it should come as no surprise that many assumptions banks and credit unions believed to be true for years could actually be rendered obsolete.  Myth 1. Banks must embrace big data to be successful. Reality: Most banks and credit unions have not fully leveraged insight that is currently available within their firewalls. Account ownership, demographics, product use, and other behavior data should be used for offers and communication before adding unstructured data from outside the organization.

Read more

  • Holidays Drove High Use of Mobile Banking Apps

American Banker

December was a busy month for mobile banking, as on-the-go holiday shoppers actively logged into their accounts to check balances or see if purchases went through. In American Banker’s monthly survey of mobile banking activity, more than 65% of respondents said that volume was up in December from a month earlier, while just 2% said activity declined. The rest reported that activity was roughly the same month to month. Several respondents attributed higher activity to the fact that their mobile banking app is relatively new.

Read more 

  • Mobile Banking: Making Security and Convenience a Package Deal

Bank Systems & Technology

The key to mobile security success is a multi-layered approach that enables companies to verify who their customers are and what they are authorized to do. The clash between convenience and security has been in motion as the world has shifted to mobile devices, but this is only the beginning. While highly-connected companies have been managing these challenges for years, the speed, scale, and scope of the ongoing business transformation are enormous.

Read more

  • Chase’s Quick Checkout: Leveraging the Power of ChaseNet

Celent Banking Blog

A digital wallet, which stores customers’ payment credentials and shipping details, and pre-fills them at checkout. Like other digital wallets, Quick Checkout is “open” – i.e. customers can register their non-Chase cards. However, their Chase cards will be automatically available and kept up-to-date in the wallet when they get replaced in case they expire or get lost or stolen.

Read more 

  • Capital One Ups the Punching Power of ClearXchange

Javelin Strategy & Research Blog

Person to person (P2P) payments are quickly becoming a regular feature of today’s banking industry. ClearXchange, the P2P payment platform that developed as a partnership between Bank of America, Chase, and Wells Fargo, has announced that it has added Capital One to its list of owners. Capital One is the second FI to join clearXchange (the first institution was the regional FI FirstBank) and is scheduled to go live with the service later in 2014. According to Javelin data, the addition of Capital One now gives clearXchange the capacity to reach 40% of all U.S. banking adults and 53% of all adult credit cardholders.

Read more

  • It’s Time to Uncork Commercial Relationship Revenue

Gonzo Banker

There is a brutal feeding frenzy occurring in the banking industry today: the complete commoditization of mainstream commercial and commercial real estate lending. Like a pack of vultures picking at the flesh of a potential new mini-perm deal or term loan, liquidity-rich banks are feverishly bidding down pricing into the zone of shareholder destruction. We see fixed-rate deals for 7 to 15 year terms that carry coupons lower than many banks’ net interest margins. Despite calls for sanity from every senior loan committee across the country, the brinksmanship continues. Business customers have grown savvy, and even the most loyal now send their credit needs out onto the street for competitive RFP bids. Loyalty these days seems to buy about 10 basis points for the banker.

Read more  

  • Banking Trojans emerge as dominant mobile malware threat

ZDNet

Kaspersky Lab’s latest mobile threat landscape report portends more ominous news for mobile device users as the number of new malicious programs tailored for smartphones and tablets more than doubled to nearly 100,000 malicious modifications in 2013. The vast majority of the most damaging mobile malware targeted users’ money and bank cards, according to the security software firm’s latest data, and more than 2,500 attempted infections by banking Trojans were blocked last year alone.

Read more 

Bribery, Corruption, Money Laundering: Banks in the Crosshairs, Part 1

Contributor Christine Moran


This is Part 1 of a two-part series from FTI Consulting. Read the second part here.

The volume and pace of transactions in global financial markets – magnified and accelerated by new technologies – is mind-boggling. It has been estimated, for example, that every day there is $2.9 trillion worth of stocks, bonds and derivatives traded in U.S. financial markets.   It’s easy to see how this makes monitoring both client onboarding and financial transactions monumentally difficult.

For instance, in recent months an internal Vatican Bank investigation found that it had not been adequately vetting account holders, allowing criminals to launder money and transfer large sums via proxies. Last summer, German regulatory agency BaFin found Deutsche Bank, with over €2 trillion in assets, laggard in reporting suspicious transactions to police due to inadequate internal controls.

Governments and regulatory bodies are well aware of the difficulty of policing transactional activity, as well as violations of international sanctions against countries with ties to terrorism, or with poor human rights records. Understaffed and underfunded, these bodies would like to shift their burden to the financial institutions, seeing that as the only way to keep ill-gotten money out of the financial system and to de-fund criminals and terrorists. And they are driving this agenda with a flurry of fines.

Contributor Peter Brooke


U.S. enforcement authorities, flexing their regulatory muscles, recently have imposed fines for sanctions breaches on Lloyds Banking Group ($350 million), Barclays ($298 million), and Standard Chartered ($327 million).  In the UK, the Financial Services Authority imposed a fine of £5.6 million on RBS for similar transgressions.

The U.S. Department of Justice and the Securities and Exchange Commission are using the Bank Secrecy and Foreign Corrupt Practices acts to demand greater due diligence from all parties involved in transactions, holding them responsible for both sins of commission (such as facilitating money laundering or committing sanctions breaches) and omission (failing to implement sufficiently strong internal controls against either or both). In short, governments are making it clear that they will not tolerate what they deem to be reckless conduct on the part of financial institutions, or what they see as a weak commitment to abiding by international rules regarding sanctions and money laundering.

Financial institutions argue that the expectation that they can act as a branch of law enforcement is unreasonable. They cannot, they say, monitor every transaction or client with 100 percent certainty or make their businesses risk-free. They say the investment they must make in people, processes and technology to attempt to comply with regulations and avoid being implicated in financial crime places a massive strain on their resources. And, they point out, there is a limited pool of experienced people they can draw upon to lead, manage and run anti-money laundering and sanctions compliance programs.

In this debate, financial institutions are bound to lose. They have no choice but to get smarter about both client and transactional risk, and do more about them.

This will require top-level leadership, and a risk-based approach to mitigating financial and transactional risk. In part two of this article, we will discuss how financial institutions can do this.


Peter Brooke and Christine Moran are Managing Directors in the Governance, Risk and Regulation team at FTI Consulting, based in London.


Are You Creating a Safer Internet for Your Members and Customers?

As more banking customers interact with their financial information online, it becomes ever more important that they know how to conduct themselves responsibly online.

Tomorrow, on Safer Internet Day, February 11th, ConnectSafely.org is asking Americans to spread an epidemic of kindness and share the #OneGoodThing  they’ve done, or seen somebody else do, to make the Internet a better place. Safer Internet Day (SID) is a global campaign to promote safe, effective use of the Internet and mobile technology. Hosted in the United States by ConnectSafely.org, Safer Internet Day is commemorated each year on the second Tuesday of February.

SID is a great opportunity to take the time and think about how you’re educating customers and members to be safe online, and reflect on the positive ways technology impacts the way we bank and interact with our finances.

Share your #OneGoodThing on Twitter, Facebook or submit here to spread kindness and celebrate the ways that the online world helps us every day so we can create a better internet together.


Cookies for Banking

We need to talk about the cookie.

It’s such a sweet word—warm, comforting, bringing back memories of home. But in this time and this business, it also means something very different. In fact, it symbolizes the constant debate between openness and privacy, an uncomfortable discussion we need to have.

The end of January always brings us Data Privacy Day, as designated by the National Cyber Security Alliance (NCSA). The occasion is typically marked by a smattering of articles on the sensitive topic, particularly if it closely follows a high-profile data breach. This year proved no exception, and again, sensible advice that’s easy to follow is a good thing. The message of caution may be repetitive, but it’s still relevant, and it gets more so with each passing year.

That’s because, with each passing year, we get more of everything—data, devices, channels, applications, scams. The more we talk about privacy, it seems, the less we have of it.

For example, the NCSA asks consumers to celebrate Data Privacy Day hosting events and, of course, by “sharing resources and advice on social media.” It’s a weird irony that some of the tools we use to disseminate that advice will inevitably cost us a little bit of our privacy (any idea how many metatags are associated with each Tweet?).

That brings us back to the cookie, the subject of an interesting new research initiative from an organization with deep roots in the subject, the Interactive Advertising Bureau. “Privacy and Tracking in a Post-Cookie World” offers perspectives not only on the state of affairs as they relate to privacy, but alternative models for data transparency and privacy controls for all constituencies.

The White Paper traces the cookie’s relatively harmless origins, and describes how it has outlived its usefulness in a multi-platform user universe. Rather than identify a single, all-purpose solution—which may be how this option went awry in the first place—the IAB proposes a series of solution classes that can be adapted to develop specific technologies to meet particular industry and customer needs.

Of course, the IAB has a vested interest in learning more about consumers. So do those of us in finance. But that may be where our interests and concerns diverge.

Let’s be clear: Every time a retailer suffers a data breach, or a consumer inadvertently gives away personal financial details, or even a credit card falls into the wrong hands, it comes back to us. Even if it’s not our fault, it’s our problem. The government, other industries and the public will ask what we’re doing wrong. We function at the intersection of money, technology and data, and that means there’s a huge bull’s eye on our industry.

No one reasonably expects us to have all the answers, any more than the IAB does, but that’s no reason why we shouldn’t be asking the questions. The welter of regulations and compliance mandates governing the industry should be seen as a starting point, not a boundary. We want technologies that help us serve our customers better, but that still means walking a sometimes-fine line between extracting relevant information and respecting consumer privacy.

The perfect punctuation mark to Data Privacy Day this year came with the guilty plea from Aleksandr Andreevich Panin, who allegedly created the bank-hacking malware SpyEye, which apparently infected 1.4 million computers. He’ll be spending some quiet time for conspiracy to commit wire and bank fraud. Of course, we can rest assured that for every felon behind bars, there’s a bunch out there doing what they do.

Still, out-and-out criminality like this is one issue; data privacy is another. In this environment, we can be blamed for having information customers give us willingly, even if it helps us serve them better.

It would be good to have a range of alternatives to the cookie that meet our customers’ and our industry’s specific needs. Now that’s a comforting thought.

Image courtesy of Grant Cochrane/ FreeDigitalPhotos.net

Swiss Banking Secrecy: The End of an Era

Here’s our version of the tree-falling-in-the-forest question: If the world of banking went through a massive change at the beginning of this year, and absolutely no one seemed to notice, then did anything really change?

The U.S. government had previously set a deadline of December 31, 2013, for Swiss banks to stop being so secretive. More specifically, regulators had warned financial institutions in that picturesque nation to accept new conditions in order to gain immunity from prosecution. Those conditions included nudging those banks to in turn nudge their clients into compliance. And apparently, quite a few of them have.

It’s not clear just how many of those banks have done what they’ve been told to do—these are Swiss banks, after all, and confidentiality is their stock in trade. But it’s being reported that perhaps 40 of the banks covered by the agreement—out of some 300—have already agreed to turn over client information in exchange for escaping prosecution.

In a way, this is just another step in the always painful negotiations between regulators and financial services corporations, and we’ve all seen a raft of settlements in the past few years—big fines paid by institutions, no jail time for individuals. But it’s also the end of an era.

Swiss banks have long had a hold on the public imagination. They represent great wealth, often obtained under shady circumstances, financing an international and intriguing lifestyle. These secret accounts have fueled countless thrillers and blockbusters, not to mention some very real escapades and tragedies, from drug wars to terrorist attacks. The reality is that the vast majority of Swiss banking clients made their money quite legally and want nothing more than to shield those assets from creditors and auditors, but in the end that doesn’t matter. Banking secrecy is more Swiss than chocolate, clocks and cheese. And perhaps inevitably, it’s ending—not with a bang but the proverbial whimper.

These confidential practices may seem like they’ve been around forever, but bank secrecy was only codified in Switzerland in 1934. The privacy laws are strictly enforced, prohibiting the sharing of information with just about anyone, including foreign governments. There were some checks and balances put in place, to be sure, but even subpoenas issued by Swiss magistrates sometimes came up short. Of course, as these institutions and their code of confidentiality—symbolized by a mysterious account number—became better known, critics increasingly charged that they helped lay the foundation for underground economies and money laundering.

In the last few years, we’ve seen some chinks in the armor. Early in 2009, the Swiss government officially abandoned the distinction between tax fraud and tax evasion when dealing with foreign clients—a minor change with major implications. In the same year, Swiss banking giant UBS ponied up a $780 million settlement with U.S. regulators. The government has also signed numerous treaties to avoid being labeled a non-compliant tax jurisdiction.

The last nail in the coffin was pounded home in October of last year, when the Swiss government said it would sign an official agreement that, if approved by the national parliament, will bring its confidentiality practices more in line with those in place elsewhere. This was seen in the country as the “end of banking secrecy.” That’s bad news for a sector that accounts for up to 10% of the country’s gross national product.

It’s easy to see how the rash of investigations, prosecutions and convictions have taken their toll on this mysterious business. It’s also easy to see that banking itself is very different from what it used to be—every change from growing institutions in developing nations to the online banking and technological advancements have radically transformed the industry. The bastions of old were destined to fall, and that’s why it’s not a surprise that this long-venerated practice is fading without much notice.

Besides, the notion of secrecy itself now seems quaint. In the era of NSA snooping, data hacking, social media oversharing and reality show posturing, nothing seems private anymore. That may be the real change; let’s hope it’s a good thing.

What We’re Reading: Mobile App Mistakes, Security and Voice-Recognition

 Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

  • Smartphone users worldwide seek more mobile banking services

ABA Banking Journal

Smartphone consumers want to do much more mobile banking than most of today’s smartphone apps permit, according to an international survey by FICO. While the most requested functionality is the ability to check account balances (75%), more than half of respondents want to receive notifications of potential fraudulent activity (59%), make payments from their account (53%), and transfer money between their accounts (50%) using their smartphone.

Read more

  • The Biggest Mistakes Banks Make in Mobile App Design

American Banker

How can banks make their mobile apps more competitive? We recently asked Greg Nudelman, principal and CEO of San Francisco-based DesignCaffeine, who has worked with USAA, Intuit, and Wells Fargo on app design, about his pet peeves. Too many people try to approach app development the way they approach web development. That’s the completely wrong question to ask. They’re missing the entire opportunity that is presented by devices. You have to start from the ground up. The best way to approach that is lean methodology.

Read more 

  • A Guide to Winning the Mobile Banking Arms Race

Bank Systems & Technology

The rapid pace of change occurring in the financial services market largely driven by growing consumer adoption of mobile is permanently altering the retail banking landscape. More and more, offering basic mobile banking capabilities is perceived by consumers as mere table stakes when it comes to evaluating their banking relationship. Differentiation in the mobile channel is critical for financial institutions (FIs) to attract and retain customers and to reap the resulting revenue benefits. To achieve this, new features must be continually introduced, and at a frequent cadence to keep up with consumer expectations.

Read more 

  • Psst, Want to Know What Bank of America Spends on Mobile?

Bank Innovation Net

Mobile continued to grow in importance as a channel for the Charlotte, N.C.-based bank, with 14.4 million mobile customers, up from 14 million last quarter and 12 million a year ago. We dug into BofA’s earnings reports and found that CEO Brian Moynihan revealed the bank’s tech spend to grow its mobile channel during today’s 4Q 2013 earnings call. Moynihan said the bank had invested “half a billion dollars in the online mobile platform across the last three or four years, and we’ll continue to invest at that rate.”

Read more

  • Major security holes found in 90% of top mobile banking apps

BGR

Security is important in every app, of course, but if there is one group of mobile apps that users want to be secure even more so than any others, it’s probably mobile banking apps. It will undoubtedly come as a shock, however, that a new study has found 90% of mobile banking apps from top banks have serious security vulnerabilities that could potentially compromise sensitive user data. Security researcher Ariel Sanchez of IOActive recently published his findings after diving into home banking iPhone and iPad apps from 40 of the 60 top banks in the world.

Read more 

  • Wells Fargo tests voice-recognition mobile technology

Charlotte Observer

Imagine picking up your phone and being able to ask, “How much did I spend at restaurants last month?” That scenario might be in the not-too-distant future. Wells Fargo has begun testing voice recognition technology that would break ground on how customers interact with their smartphones. U.S. Bank said last year it was testing the technology among its employees. Insurers Geico and USAA have also incorporated voice recognition in their applications. Wells Fargo does not yet have a time frame for launching its version.

Read more 

  • Defining Social Media’s Purpose Can Help Produce ROI

Credit Union Times

In 2012, the $55 billion, Vienna, Va.-based Navy Federal Credit Union said it launched its “4 Million Members, 4 Million Stories” campaign as a way to thank its members for helping to reach the member milestone. The concept revolved around members submitting videos to share what they loved about Navy Federal on Facebook and to vote for their favorites to win prizes ranging from $4,000 and $1,000 certificates of deposit to $100 gift cards. During the giveaway, the credit union took the opportunity to promote auto loan refinancing and CDs via a mix of strategically crafted posts and paid Facebook ads.

Read more http://www.cutimes.com/2014/01/22/defining-social-medias-purpose-can-help-produce-ro


Security: What It Takes to Lead the Way

You say Target, we say EMV—how’s that for a conversation-starter?

The recent mass hack of retail giant Target—it’s estimated that more than 100 million consumers’ information might have been compromised—has generated considerable attention, as does every data breach that cuts to the bone. Expect to see the usual hand-wringing and calls for newer and more effective procedures, and with good reason. It’s entirely fair to ask why and how a multimillion-dollar security network of the kind Target surely has could be brought to its knees—allegedly—by a software tool reportedly created by a teenager, written in a common scripting language and widely available on underground sites for barely $2,000.

That’s why we should expect to be hearing a lot more about EMV. For the record, the acronym stands for Europay, MasterCard and Visa, and the standard first saw life as a joint effort between those companies to enable greater security and interoperability in chip-based payment cards. The specification covers everything from POS terminals to ATMs, meaning every store and bank at once. It is now defined and managed independently, and Integrated Circuit (IC) or chip cards based on it are being rolled out throughout the world. Instead of handing the terminal a static copy of the account data, the chip and related software generate a unique cryptogram for every transaction, so whatever is captured at the point of sale cannot be replayed to produce counterfeit cards. The suggestion here, and it would be hard to label the potential benefit any differently, is that this would have contained much of the damage wrought by the Target hack.
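To make the difference concrete, here is an added illustration (not code from the article, EMVCo or any payment network) of why scraped magnetic-stripe data can be replayed while captured EMV transaction data cannot. HMAC-SHA256 stands in for the real cryptogram algorithm, which uses 3DES/AES session keys derived from an issuer master key and the card’s transaction counter; the PAN, key and amounts are constructed test values.

```python
"""Magnetic stripe vs. EMV-style cryptogram: replaying captured data.
Added illustration for this article; HMAC-SHA256 stands in for the real
EMV cryptogram algorithm. PANs and keys are constructed test values."""
import hashlib
import hmac
import os

# Constructed test card; 4111 1111 1111 1111 is a standard test PAN.
TEST_PAN = "4111111111111111"

# ---- Magnetic stripe: the data on the stripe *is* the credential -----------
def magstripe_read(card):
    """The terminal reads static track data. A memory-scraping tool on the
    POS sees exactly the same bytes."""
    return {"pan": card["pan"], "exp": card["exp"], "svc": card["svc"]}

def magstripe_authorize(issuer_db, track):
    """All the issuer can do is compare static fields against its records."""
    rec = issuer_db.get(track["pan"])
    return rec is not None and rec["exp"] == track["exp"] and rec["svc"] == track["svc"]

def magstripe_scenario():
    """Returns (genuine swipe authorized, replay of scraped data authorized)."""
    card = {"pan": TEST_PAN, "exp": "2512", "svc": "201"}
    issuer_db = {TEST_PAN: {"exp": "2512", "svc": "201"}}
    scraped = magstripe_read(card)                            # what malware exfiltrated
    genuine = magstripe_authorize(issuer_db, scraped)
    replayed = magstripe_authorize(issuer_db, dict(scraped))  # cloned card, months later
    return genuine, replayed

# ---- EMV-style: per-transaction cryptogram from a key that never leaves the chip
class ChipCard:
    def __init__(self, pan, master_key):
        self.pan = pan
        self._key = master_key   # lives inside the chip; the terminal never reads it
        self.atc = 0             # application transaction counter

    def generate_arqc(self, amount, unpredictable_number):
        """Authorization Request Cryptogram over the transaction details."""
        self.atc += 1
        msg = f"{self.pan}|{amount}|{unpredictable_number}|{self.atc}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).hexdigest()

class Issuer:
    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, pan, master_key):
        self.keys[pan] = master_key
        self.last_atc[pan] = 0

    def authorize(self, pan, amount, unpredictable_number, atc, arqc):
        key = self.keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc[pan]:      # counter must advance: rejects replays
            return False
        msg = f"{pan}|{amount}|{unpredictable_number}|{atc}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, arqc):
            return False                   # wrong key, or amount/UN/ATC tampered with
        self.last_atc[pan] = atc
        return True

def terminal_transaction(card, issuer, amount):
    """The terminal picks a fresh unpredictable number (UN), asks the chip for
    a cryptogram and forwards everything to the issuer. The returned dict is
    what a compromised terminal could capture."""
    un = os.urandom(4).hex()
    atc, arqc = card.generate_arqc(amount, un)
    captured = {"pan": card.pan, "amount": amount, "un": un, "atc": atc, "arqc": arqc}
    return issuer.authorize(card.pan, amount, un, atc, arqc), captured

def emv_scenario():
    """Returns (genuine purchase authorized, exact replay authorized,
    forged new purchase authorized)."""
    key = b"constructed-test-issuer-master-key"
    issuer = Issuer()
    card = ChipCard(TEST_PAN, key)
    issuer.enroll(TEST_PAN, key)
    genuine, captured = terminal_transaction(card, issuer, "19.99")
    # Attacker resubmits exactly what was captured: that ATC has already been used.
    replay = issuer.authorize(captured["pan"], captured["amount"], captured["un"],
                              captured["atc"], captured["arqc"])
    # Attacker attempts a new purchase with a fresh UN and the next ATC, reusing
    # the old cryptogram because they do not hold the card's key.
    forged = issuer.authorize(captured["pan"], "500.00", os.urandom(4).hex(),
                              captured["atc"] + 1, captured["arqc"])
    return genuine, replay, forged

if __name__ == "__main__":
    print("magstripe (genuine, replay):", magstripe_scenario())   # (True, True)
    print("EMV (genuine, replay, forged):", emv_scenario())        # (True, False, False)
```

The caveat a practitioner should keep in mind: the chip does not hide the account number from a compromised terminal, which still sees the PAN in the clear. What it removes is the value of that capture for producing counterfeit cards; card-not-present fraud with a stolen number is unaffected, which is one reason fraud tends to shift rather than disappear after an EMV rollout.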

Of course, when something is a global standard, that doesn’t mean it covers every market—there are always exceptions. And in the case of EMV, there’s a big one: the USA. Many regions across the pond have embraced the new technology, but magnetic-stripe cards, which are far more vulnerable to data theft of the kind we saw at Target, remain the norm on these shores. Credit card companies, which are among those hardest hit by data theft at market-facing outlets like banks and stores, have been stepping up pressure on their partners to adopt the EMV specification and introduce IC cards. But it’s probably not going to happen for a while.

There’s a good reason for this, or perhaps 8 billion reasons: that is the estimated dollar cost of a full conversion to EMV in the U.S.

The simple truth is that through sheer size and economic heft, the U.S. is the world’s largest market for just about any product it embraces. That gives it enormous standalone power—it’s why, for example, music stars who sell out globally can barely make a dent on the charts here, or the World Cup can be the biggest sporting event in the world while remaining a second-tier event for American consumers. The U.S. plays by its own rules, because it can.

It’s also worth noting that while credit card companies are rightly concerned about data fraud and consumers have reason to fear identity theft, the retail industry can make the case that the cost of conversion to the EMV spec, despite the benefits, isn’t justified by the fraud it would prevent (losses from this type of attack have been estimated at around $1 billion a year). Besides, federal statutes protect consumers from having to pay for purchases made fraudulently with their credit and debit cards.

Most importantly, it’s always premature to see any technology as a panacea. Protecting financial information is an ongoing struggle, a non-stop effort to stay ahead of the bad guys. Whatever measures we put in place, sophisticated cybercriminals will find a way to circumvent them. However, the fact that credit card fraud rates in America, previously among the lowest anywhere, have doubled since IC cards began proliferating in Europe is cause for concern: fraud migrates to wherever the weakest cards are still accepted.

Whatever the merits of the argument, the current interest in EMV makes for a case study in market leadership. The fact that the U.S. retail and banking economies are so massive and complex should not automatically be a reason for them to be technologically behind the curve. We always need to be doing better. The EMV specification is one option that seems to provide enhanced security, but that’s it—one option. Being the biggest, and arguably the best, means it’s our responsibility to lead the way in identifying, developing and implementing many more.

Security: On Top of the Christmas Wishlist

To security professionals in the financial services industry, every new data breach—with the high-profile coverage it generates—must seem like another knife in the back. All those resources dedicated to the area, all that time spent securing the infrastructure, never seem to be enough. Despite all the effort, some anonymous hackers somewhere are able to brazenly infiltrate the system and steal the account information of potentially millions of holiday shoppers. The Grinch was never this bad.

With the most recent debacle, the company squarely taking the hit in the court of public opinion is Target. But of course, it’s not just the retailer that’s going to suffer. The most recent information we have is that between November 27 and December 15, all consumers who swiped their cards at a Target store in the U.S., perhaps as many as 40 million, had their information compromised. That includes names, both debit and credit card numbers, expiration dates and, according to early reports, even the three-digit security codes on the back. As hacks go, this one is big, and of course it took more than just some petty thieves to get the job done. Reports indicate that a sophisticated network of cyber criminals coordinated their activities to uncover the treasure trove of private information. While no one can be sure how big the network is, it seems their haul could be in the hundreds of millions. As a result, it will end up affecting not just Target and its customers but also the credit card providers, IT companies and industry security specialists.
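The fields listed above (account number, expiration date, cardholder name) are exactly what a card’s magnetic stripe carries in its track 1 and track 2 records, and memory-scraping POS malware finds them by pattern-matching those record formats in process memory. Defenders can run the same search over memory dumps, logs or captures. The scanner below is an added example, not code from the article or from any vendor; the buffer it scans is constructed sample data with a standard test PAN. One detail worth knowing: the stripe carries its own verification value, not the three-digit code printed on the back, so a stripe-reading attack does not capture the printed code.

```python
"""Scanner for magnetic-stripe track data in a byte buffer (memory dump,
log file, network capture). Added example for this article; the patterns
are the ones memory-scraping POS malware searches for, used here
defensively. SAMPLE_MEMORY is constructed sample data, not a real dump."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})\d*\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; separates card numbers from digit-string noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the BIN and last four, as a report should; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(buf: bytes) -> list:
    """Return masked findings for every Luhn-valid track 1/2 record in buf."""
    findings = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                             "name": m.group(2).decode("ascii", "replace"),
                             "exp": m.group(3).decode()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                             "exp": m.group(2).decode()})
    return findings

# Constructed sample: fragments of a POS process image. 4111 1111 1111 1111 is
# a standard test PAN; the last record is digit noise that fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b"\x00\x00receipt 0017\x00"
    b";4111111111111111=25121011000000000?"
    b"\x00"
    b";1234567890123456=25121011000000000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_MEMORY):
        print(finding)
```

The Luhn check matters in practice: on a large memory image the raw regexes alone produce a stream of false positives from counters, timestamps and serial numbers, and tuning it out is what separates a usable alert from noise. Masking the PAN before it leaves the scanner keeps the detection tool itself from becoming another place card data accumulates.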

Christmas Ornament

But there are other repercussions too. While the industry has every right to be proud of the progress made in the adoption of many new technologies, each bringing about major changes in user behavior, the painful truth is that we could be doing much better. One big reason why we haven’t is security, and each high-profile data breach like this one sets back the conversation.

Take mobile banking. The speed with which this field has progressed is nothing short of astonishing—it’s gone from fantasy outlier to mainstream adoption virtually overnight, with thousands of custom apps emerging and finding an audience in record time. But most of the action is on the consumer side; corporations are still taking it slow.

We all know how mobile capabilities have obliterated the line between personal and business data—sensitive information now resides next to video games and personal calendars on every knowledge worker’s phone and tablet. But with banking, it’s a different story. To be sure, there are many other factors to consider. For example, the average CFO has a lot more information to deal with than the average user, and the tiny screens we love on our smartphones can be a problem.

Yet the biggest issue by far is security. New research from Capital One shines a spotlight on this unfortunate issue. In its survey of financial services professionals, only a small number of the firms that haven’t yet implemented corporate mobile banking plan to do so anytime soon. Fully 66% cited security challenges as the main concern.

On a different front, news emerged recently that the two-factor authentication feature designed to protect online bank accounts has been seriously compromised. The practice, which entails sending an SMS message with a code that quickly expires, is being defeated by new malicious software for Android devices that intercepts those messages. In fact, there are already numerous malware suites built to defeat SMS one-time passcodes, and experts urge institutions and individuals alike not to rely on them: a code delivered to a phone is only as trustworthy as the phone that receives it.

On the face of it, swiping a credit card while buying a Christmas gift, implementing mobile banking at large corporations and getting a text message with a code don’t have much to do with each other. But underlying each technological advance and the behavioral change it induces is the need for security.

The reality is that people will continue to use credit cards while shopping, just as corporations will inevitably overcome their justifiable skittishness and implement mobile banking—the benefits are just too great. But how fast those practices evolve depends on how secure we can make them. Looking ahead to 2014, it would be nice to end the year without having the Christmas spirit spoiled by concerns about financial information being compromised.

*Image courtesy of  digitalart - FreeDigitalPhotos.net