Community

Join the Community

21,438
Expert opinions
43,598
Total members
353
New members (last 30 days)
142
New opinions (last 30 days)
28,480
Total comments
Join Sign in

Regulators chasing their tail over data security lapses

1 comment
Stephen Wilson
Stephen Wilson
Managing Director
Lockstep Consulting
Location
Sydney
Followers
6
Opinions
34
Unfollow

 

Reading between the lines, regulators will continue to take a big stick to institutions that leak personal data.  And so they should.  But there must be a more artful approach to stem the flood of stolen ID data.  As a security professional, I am aghast at the never ending obsession with policy and process as the only weapons to fight ID theft.  That is, why do we think that beefed up security policies, staff training, audits, regulations and so on will make any fundamental difference? What about a bit of prevention?

IDs get stolen because IDs are valuable.  Look at the cyber crime clearing houses where personal data records including mothers maiden names, CCV2s and billing addresses are traded in parcels of 100,000 or more for a few dollars apiece.  Card Not Present fraud is growing at 40% p.a. in the UK and elsewhere, and is now the dominant form of payment card fraud.  To organised crime, it's childsplay -- vastly easier than hacking into Internet bank accounts and moving funds around.  Instead, just take stolen cardholder's account details and play them over the Inetrnet to a web merchant.  

It is high time that proper protections were put in place to prevent the replay of stolen IDs.  Only by rendering stolen IDs worthless to criminals will we cut ID theft. 

Stephen Wilson
Lockstep Group

Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards.  Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.

Sponsored

This content has been created by the Finextra editorial team with inputs from subject matter experts at the funding sponsor.

3900

Share

 
 
 
 
 

Channels

/security /payments

Comments: (2)

A Finextra member 

Dare I say "there is an easy solution'.

The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?

What course of action would you propose? Remembering it's the 21st century.

Stephen Wilson

Stephen Wilson Managing Director at Lockstep Consulting

Author

Dean Procter asked: "The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?"

I do believe the best hope for a solution to ID theft (including CNP fraud) is through safeguarding personal details in chips, be they EMV cards, SIMs, other smartcards, perhaps TPM chips [There are huge latent benefits to be had in applying government ID cards to secreting and notarising personal identifiers, protecting citizens from cyber crime, which would go a long way to redress community angst that ID cards don't really deliver much good to the individual.] 

But the most practical way forward, short term, would be for EMV card issuers to use their chips to secrete and notarise customer details for use online. Compared with using cards in unconnected readers to generate OTPs, this is a far more powerful and scalable way to leverage EMV cards into the online world. It could shore up 3D Secure (by hardening the personal details) or offer an alternative to 3D Secure, by sending notarised cardholder details direct from chip to merchant server. 

How to "sell it"?  EMV cards could be "Specially Personalised" [marketing speak!] for secure online payments, perhaps for a small fee levied annually against the cardholder.  Merchant sites could accept smartcard-notarised payments with very simple updates to their commerce servers.  For a bank to go ahead on its own with this, it might have to work with select merchants, through the acquiring side of its business, to have them preferentially accept such specially personalised cards (as opposed to regular CNP) for web transactions. Payment gateways could be important players; in many jurisdictions they act as systems integrators for merchant commerce servers, so they could make the necessary web site updates. 

Merchants, issuer and customers alike would all enjoy reduced exposure to fraud. Ideally that sort of proposition should 'sell itself' ;-)

Cheers,

Stephen Wilson.

 

Stephen Wilson
Stephen Wilson
Managing Director
Lockstep Consulting
Member since
24 Apr 2008
Location
Sydney
Followers
6
Following
2
Opinions
34
Unfollow

Now is not the time to go soft

How much worse can CNP fraud get?

Credit card numbers are like nitroglycerine

Banks really know their customers

Taking full advantage of Chip

See all Opinions from Stephen

More expert opinions

Ashish Pandey

Ashish Pandey Marketing Head at RichestSoft

How Much Does It Cost to Develop an App in the UK?

Susie MacKenzie

Susie MacKenzie Head of Legal and Regulatory Analysis at Corlytics

Regulating the Energy Wave in the Age of AI and Data

Brandon Spear

Brandon Spear CEO at TreviPay

How merchants can build a future-forward payments tech stack to win in B2B

Ashish Pandey

Ashish Pandey Marketing Head at RichestSoft

How Much Does it Cost to Build An AI System?

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

21,438
Expert opinions
43,598
Total members
353
New members (last 30 days)
142
New opinions (last 30 days)
28,480
Total comments
Join Sign in

Trending

Henrik Grim

Henrik Grim CEO and Co-founder at Mimo

How to Solve a Problem Like SMB Finance? A Roadmap to Fixing Late Payments in the UK

Roman Eloshvili

Roman Eloshvili Founder and CEO at XData Group

From Human to Algorithm: How AI is Transforming Financial Advice

Konstantin Rabin

Konstantin Rabin Head of Marketing at Kontomatik

Where can PayPal expand next?

Denys Boiko

Denys Boiko Founder at Erglis

How Big Data Helps Investors Make Better Decisions

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept