I hope that the security of these DIY or crowd-sourced apps is better than that of the banks' own smart phone software. Only two weeks ago we all heard that Banks scramble to fix mobile app security flaws. And we've already seen what was probably a test run of trojan horse banking apps on Android phones.
Is it a good idea to let anyone develop banking apps? We don't let anyone build card terminals. In fact we advise customers to be wary of retail equipment that looks like it's been tampered with.
But how can anyone tell by looking at it that a smart phone app is dodgy?
22 Nov 2010 02:45
Robert,
Sorry but numbers are not numbers and data do lie. All the time. For starters, have a look at these lessons: http://www.econoclass.com/misleadingstats.html.
"The comparison [of Facebook and a country] comes from the fact that there is a sense of community and countries are made of communities. It's a pretty amazing phenom that today we have anything at all that brings a half billion people together in some way on an ongoing basis."
OK, maybe Facebook will come to be something like a country one day, but we've got a long way to go. I dispute that half a billion people have come 'together' via Facebook in the way that real world communities and nations do. Let's just take a breath shall we? It's simply too early to draw conclusions about the behaviours of online crowds, let alone ascribe 'nationhood' to them, when what we do know is they behave without many of the inhibitions, cues and rules that have governed human societies for millennia.
Again, I don't dismiss social media. It's an interesting idea that one day these crowds will come to act as communities as significant as real life ones, and this idea deserves more investigation and analysis. Much more. All I'm saying is that there is more to this than headcount, and the hype and trivia that passes for "analysis" of the social media phenomenon puts a lot of people off.
If someone wants to explain the significance of the number of Ashton Kutcher's followers, I'm all ears.
10 Nov 2010 23:03
Folks,
Despite my vitriolic flourish about evil informopolies, I do appreciate that social networking and social media are hugely important. But my bullshit detector goes off loud and clear when it is said that "if Facebook were a country it would be bigger than ...". As a physicist would say, these comparisons are such crap, they're not even wrong.
If social media is so important, why not treat it with more rigour and less hype?
10 Nov 2010 21:40
Elizabeth, my serious point is that whether social media is having a deep and lasting effect is a question that is not answered by guff like 'Ashton Kutcher has more followers than the population of Israel'. So what? It astonishes me that these kinds of figures are promoted as meaningful. And it's deeply ironic. Advertising gurus go on about the power of information technologies to micro-segment their markets and to understand what is really going on, and yet we continue to get pounded by social media gurus with moronic headcount data as rigorous as TV ratings numbers from the 1970s.
In the "information age", when the consumer is said to be commanding so much power because they know best and their recommendations are worth more than any traditional advertising, I am offended by that Youtube clip. It's all style over substance, it treats us like fools, and it's clearly trying to lead us onto a bandwagon, like any other ad.
Unless the clip is actually supposed to be satire? It is kinda funny isn't it to use old fashioned advertising schtick complete with rubbery figures to promote a social media book.
10 Nov 2010 17:36
Perhaps. But fossils, countries and social change all take an age to take shape. The rate of real change is something that the Web 2.0 generation continues to overestimate.
10 Nov 2010 00:28
About that vacuous Youtube ad for the bloke's social media book ... Is there a more hyperbolic, more idiotic slogan than "If Facebook were a country ..."? If anyone thought about this for more than the 15 nanoseconds typical of social-media types, they might realise that, save for North Korea, there is more to nationhood than headcount. And if anyone thinks Facebook is literally something like a country, then I suggest it's an anodyne dictatorship, one where the sheer fun and intoxicating immediacy of networking takes the place of soma in "Brave New World". The good citizens of Facebook are so stoned they don't see it for what it is: an evil "informopoly" with singular purpose, to make its Supreme Ruler rich off the back of the people's information.
10 Nov 2010 00:12
Good grief! I agree these mistakes aren't the end of the world, but they're much more serious than "just sloppy". They are symptomatic of a horrible lack of attention to detail on the part of software designers. We all know that the poor security of Internet banking today derives from lax architectures and designs in the early days of the Internet. Those who developed TCP/IP and other protocols had no idea the Internet would be used for serious commerce, so they overlooked the need for communications integrity, tamper resistance, authentication etc.
Let's not make the same mistake again! Everyone seems to think that mobile and the cloud are the future of commerce. Some even say that phones will replace plastic cards! That's a huge call. You would expect that commensurate care and attention would go into all facets of the engineering of mobile apps. But no, the future of commerce appears to be in the hands of hack programmers.
08 Nov 2010 20:15
David,
I look at the whole card fraud problem from first principles. The flaw in the system is that account numbers are replayable, and merchant servers cannot on their own tell good numbers from stolen ones. There are a few ways to render numbers unreplayable. CAP with dynamic signature is one; 3D Secure is another. I advocate a third way, which is to asymmetrically encrypt (digitally sign if you will) transactions between the smartcard and the merchant. This is similar to CAP but subtly different; the chief advantage over CAP is that a proper PKI based system doesn't require an intermediate authentication server, so it's more scalable and lower cost. It also skirts the klunky CAP reader problem.
Regarding 3D Secure, it has two fundamental problems (not to mention the practical problems of phishing-like pop-ups and the high transaction drop-out problems). Firstly, 3D Secure represents a major departure from the elegant, mature four corner architecture. For the first time in decades, we have the Issuer being joined directly to the Cardholder at the time of transacting. The whole point of the four party model is to separate Issuer and Acquirer; to break that principle I think has immediate impact in terms of legal complexity, and I fear it will have unforeseen consequences as well. From an IT point of view, 3D Secure adds significant new overheads, with a host of new messages being sent back and forth between the 3D Secure directory and the merchant server, and the issuer to the cardholder. So it's inherently inelegant -- and sloooow.
The other fundamental problem is that any protection offered by 3D Secure against replay doesn't come from the protocol but rather from the personal authentication device that is used to identify the cardholder against the issuer. 3D Secure is agnostic to authentication method, which is allowed to vary from bank to bank. Typically the Issuer just re-uses whatever gadget they've already issued for Internet banking. So some 3D Secure implementations use OTP dongles, some use SMS, some just use passwords. Doh!
Of course, 3D Secure can use smartcards, in CAP readers, or in connected readers. This seems to me to be the only way to make 3D Secure properly non-replayable. And then we can go one step further ... if transactions are signed using a smartcard, they can be validated at once by the merchant server without needing to be pushed through the 3D Secure cycle. I've worked out a hybrid architecture that blends 3D Secure with chip, and thereby manages to push the Cardholder-to-Issuer authentication 'under the covers'. Happy to discuss further offline.
28 Oct 2010 00:11
Bravo David. I am not sure I agree with your underlying theory, but I'm in total alignment with your criticisms.
PCI-DSS -- like most security management standards -- provides protection against accidental breaches and against amateur attacks. But it cannot do anything to stop highly organised crime gangs, nor inside jobs.
The fundamental problem is that PANs are currently replayable. But if we instituted asymmetric encryption between smartcards and merchant servers, we could render stolen numbers totally useless. And we could preserve the four cornered card processing model as is, avoiding all the horrid legal novelty and contractual changes that go with 3D Secure and its ilk.
PCI-DSS does nothing at all to prevent the replay of stolen numbers; it does nothing to undercut the value of stolen numbers to criminals. It is like shutting the stable door after the horse has bolted (or putting a steel door on a grass hut, as the Smartcard Alliance has said).
And here's perhaps some more grist to the conspiracy theorists' mill: is it a coincidence that those other "innovations" tokenization and end-to-end encryption don't do anything to protect against stolen PANs either?!
Cheers,
Stephen Wilson, Lockstep.
27 Oct 2010 07:55
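The scheme argued for in the two comments above (signed transactions between smartcard and merchant, verified directly by the merchant with no issuer authentication server, leaving a stolen PAN worthless) as an added illustration, not code from the commenter or from Lockstep. It assumes an Ed25519 key per card whose public key the merchant obtains from a PKI, a merchant ID and a terminal-supplied nonce in the signed fields, and a merchant-side memory of accepted nonces; those choices are mine, not the page's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Txn holds the fields the card signs. The merchant ID and a fresh nonce bind
// the signature to one purchase, so a captured message cannot be reused.
type Txn struct {
	PAN, Merchant string
	Amount        uint64 // cents
	Nonce         [16]byte
}

// bytes is the canonical encoding both card and merchant operate on.
func (t Txn) bytes() []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], t.Amount)
	return append(append([]byte(t.PAN+"|"+t.Merchant+"|"), amt[:]...), t.Nonce[:]...)
}

// Card models a chip whose private key never leaves it (assumed PKI publishes the public key).
type Card struct{ priv ed25519.PrivateKey }

func NewCard() (Card, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Card{priv}, pub
}

// NewNonce draws the per-transaction value a terminal would supply.
func NewNonce() (n [16]byte) { rand.Read(n[:]); return }

// Authorise is the card's signing step: the PAN alone no longer suffices to pay.
func (c Card) Authorise(t Txn) []byte { return ed25519.Sign(c.priv, t.bytes()) }

// Merchant verifies against the cardholder's certified key, no issuer round trip needed.
type Merchant struct {
	ID   string
	Keys map[string]ed25519.PublicKey // PAN -> public key
	Seen map[[16]byte]bool            // nonces already accepted
}

// Accept returns nil only for a fresh, correctly signed transaction for this merchant.
func (m *Merchant) Accept(t Txn, sig []byte) error {
	pub, ok := m.Keys[t.PAN]
	switch {
	case !ok || t.Merchant != m.ID:
		return errors.New("unknown PAN or signed for a different merchant")
	case m.Seen[t.Nonce]:
		return errors.New("replayed transaction")
	case !ed25519.Verify(pub, t.bytes(), sig):
		return errors.New("bad signature: stolen PAN without the card's key")
	}
	m.Seen[t.Nonce] = true
	return nil
}
```

A replayed message, the same message presented to another merchant, a signature made with any key other than the card's, and a post-signing change to the amount are all rejected by Accept.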
"Plastic is ... certainly no more secure than your phone at the end of the day".
We're talking about a very long day here! The compact, de-featured computing model of the smartcard or SIM will for the foreseeable future be intrinsically more secure than any handset.
Yes, convenience and novelty often trump security ... but it's not sustainable. There was a scandal in Australia a few years ago when an expedient suburban bank manager took to transporting cash in the back of his car (hundreds of thousands of dollars) because of a shortage of armoured vans. His short cut didn't last long.
Yes there will be competition pressure and disruption from non-banks exploiting new technologies, but real banks will copy the innovators, broaden their payment products, maintain superior security, and retain market share. After all, security, in all its dimensions, is what banks are really for.
19 Oct 2010 20:03