Community

Join the Community

22,264
Expert opinions
44,242
Total members
356
New members (last 30 days)
178
New opinions (last 30 days)
28,762
Total comments
Join Sign in

Regulators chasing their tail over data security lapses

  0 1 comment
Stephen Wilson
Stephen Wilson
Managing Director
Lockstep Consulting
Location
Sydney
Followers
6
Opinions
34
Unfollow

 

Reading between the lines, regulators will continue to take a big stick to institutions that leak personal data.  And so they should.  But there must be a more artful approach to stem the flood of stolen ID data.  As a security professional, I am aghast at the never ending obsession with policy and process as the only weapons to fight ID theft.  That is, why do we think that beefed up security policies, staff training, audits, regulations and so on will make any fundamental difference? What about a bit of prevention?

IDs get stolen because IDs are valuable.  Look at the cyber crime clearing houses where personal data records including mothers maiden names, CCV2s and billing addresses are traded in parcels of 100,000 or more for a few dollars apiece.  Card Not Present fraud is growing at 40% p.a. in the UK and elsewhere, and is now the dominant form of payment card fraud.  To organised crime, it's childsplay -- vastly easier than hacking into Internet bank accounts and moving funds around.  Instead, just take stolen cardholder's account details and play them over the Inetrnet to a web merchant.  

It is high time that proper protections were put in place to prevent the replay of stolen IDs.  Only by rendering stolen IDs worthless to criminals will we cut ID theft. 

Stephen Wilson
Lockstep Group

Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards.  Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

3947
 

Share

 
 
 
 
 

Channels

/security /payments

Comments: (2)

A Finextra member 

Dare I say "there is an easy solution'.

The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?

What course of action would you propose? Remembering it's the 21st century.

Stephen Wilson

Stephen Wilson Managing Director at Lockstep Consulting

Author

Dean Procter asked: "The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?"

I do believe the best hope for a solution to ID theft (including CNP fraud) is through safeguarding personal details in chips, be they EMV cards, SIMs, other smartcards, perhaps TPM chips [There are huge latent benefits to be had in applying government ID cards to secreting and notarising personal identifiers, protecting citizens from cyber crime, which would go a long way to redress community angst that ID cards don't really deliver much good to the individual.] 

But the most practical way forward, short term, would be for EMV card issuers to use their chips to secrete and notarise customer details for use online. Compared with using cards in unconnected readers to generate OTPs, this is a far more powerful and scalable way to leverage EMV cards into the online world. It could shore up 3D Secure (by hardening the personal details) or offer an alternative to 3D Secure, by sending notarised cardholder details direct from chip to merchant server. 

How to "sell it"?  EMV cards could be "Specially Personalised" [marketing speak!] for secure online payments, perhaps for a small fee levied annually against the cardholder.  Merchant sites could accept smartcard-notarised payments with very simple updates to their commerce servers.  For a bank to go ahead on its own with this, it might have to work with select merchants, through the acquiring side of its business, to have them preferentially accept such specially personalised cards (as opposed to regular CNP) for web transactions. Payment gateways could be important players; in many jurisdictions they act as systems integrators for merchant commerce servers, so they could make the necessary web site updates. 

Merchants, issuer and customers alike would all enjoy reduced exposure to fraud. Ideally that sort of proposition should 'sell itself' ;-)

Cheers,

Stephen Wilson.

 

Stephen Wilson
Stephen Wilson
Managing Director
Lockstep Consulting
Member since
24 Apr 2008
Location
Sydney
Followers
6
Following
2
Opinions
34
Unfollow

Now is not the time to go soft

How much worse can CNP fraud get?

Credit card numbers are like nitroglycerine

Banks really know their customers

Taking full advantage of Chip

See all Opinions from Stephen

More expert opinions

Ben Parker

Ben Parker CEO at eflow uk ltd

What’s happened to regulatory compliance in 2024, and how could this shape 2025 strategies?

5

Pratheepan Raju

Pratheepan Raju Advisory Enterprise Architect at TCS

Testing Gen AI Applications

11

Kuldeep Shrimali

Kuldeep Shrimali Consulting Partner at Tata Consultancy Services

Extended trading hour – Differentiated value proposition for brokerage firms

5

Jitender Balhara

Jitender Balhara Manager at TCS

FinOps : Harnessing Cloud Infrastructure with optimized balance sheets

2

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,264
Expert opinions
44,242
Total members
356
New members (last 30 days)
178
New opinions (last 30 days)
28,762
Total comments
Join Sign in

Trending

Ben Parker

Ben Parker CEO at eflow uk ltd

What’s happened to regulatory compliance in 2024, and how could this shape 2025 strategies?

Pratheepan Raju

Pratheepan Raju Advisory Enterprise Architect at TCS

Testing Gen AI Applications

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept