Taking security to the bank — moving money without getting ambushed
When it comes to scientific research, sometimes the debate is, “Just because you CAN doesn’t mean you SHOULD.”
In the future, it may be possible to genetically engineer a two-headed combination between a grizzly bear and a mongoose, as a substitute for a guard dog. But this is a horrifying notion, and besides, I think I’m already distantly related to one of these by marriage.
When it comes to online transactions, there are things you SHOULD BE ABLE to do, and stuff you SHOULD NOT do. The deciding factor here is always SECURITY. In the old days, we built software and populated databases, then tried to figure out afterwards how to defend them. Now we try to build security and compliance into our components in advance. But still, if you build it, they (the hackers) will come.
There are two basic vectors to stolen data. One is to break in, take over the machine, and copy stuff. The other vector is the all-too-common “pretending to be somebody else,” then simply requesting data through a normal pipe.
Stolen credentials are the enablers. We’ve got users who still make their password “password.” There are those who make their creds far too easy to guess. Just a handful of years ago, a candidate for high office made her challenge questions all things that were easily googled, so a prankster simply clicked on “Forgot Password” and then plugged in those stupidly publicly-available answers.
Based on this vector, bad stuff happens because people aren’t who they say they are. You don’t always have to do something stupid. My own tax return was almost heisted because the IRS had a massive weakness in its documents site and somebody used the hijacked info to pretend to be me. I find this surprising since I’m usually taller and thinner online. But I had to identity-proof to assure the IRS that I was who I said I was, and the other guy was not.
They use insane challenge questions harvested from obscure databases. Among other trivia, I had to cough up the nickname I was given by my eighth-grade classmates (“Sloppy”).
So how do we absolutely secure online transactions? We have to identify ourselves in a way that cannot be repudiated. The parties must be guaranteed that each is legit.
To get there, we need to marry various attributes. It’s not just you as a pair of creds, it’s you and your device and the time and your history of activity and anything else that applies to you and the thing you’re trying to act on.
Let’s outline a scenario. You’re on vacation and your wife needs to migrate cash from savings to checking so the payment won’t bounce when she has to bail you out after that stupid thing you did outside the tourist bar. It’s the middle of the night, you’re far from home. She gets on the cell phone, clumsily fat-fingers her creds into the mobile app (after four tries), and hopefully it’s really her.
Or what if you’re at the sales meeting, and the one guy who actually drove instead of flying in loses his wallet and needs some gas money for the ride home. He borrows it from you, and the notoriously unreliable slug promises that, no kidding, he’ll send you a check. What if he could just beam you some cash from his phone (ala Webster, for example)? But again, is it really him making the request?
Once again, these things are all safe if the person making the request can absolutely verify identity. You don’t want your account depleted after an attack, or at best FROZEN after an attempt. The banks and credit card companies must be awfully tired by now of absorbing the losses from fraud. It all comes down to the user guaranteeing identity.
So that day is here.
The technology exists (but isn’t always deployed) to verify identity. Passwords can be stolen, guessed, socially engineered, read off of Post-It notes. Mobile devices can be stolen. Challenge questions can be searched for, because you, you CHILD, put way too much crap on Facebook.
We can make cars completely safe to drive by welding a foot of iron onto all the surfaces. But then cars would all cost 70K and get five miles per gallon. The same goes for online security. Sure, you can make it safe by taking on a lot of artificial intelligence or extra questions, physical tokens and so on, but won’t the customer experience suffer?
Yes, it could. But it doesn’t have to.
That’s why the Flying Spaghetti Monster who created the universe gave you fingerprints. A voice. A face. A heartbeat. You can use any of these factors to authenticate. If a criminal lops off your thumb, you’ve got bigger problems. Otherwise, biometrics are supported by most standard smartphones. Forget passwords. You don’t need them.
Not to say that you have to rely on just one factor. Maybe a password is still employed, but you have to provide a fingerprint in conjunction. Factors might also be attributes that are provided for you by your device or circumstances.
Maybe you’re trying to move a bunch of cash at two in the morning and send it to a person you’ve never had a transaction with before. You’re in a strange place. You’re using a device that isn’t associated with you.
Is that really you? Are you trying to buy crack in the middle of the night? Or is it just plain fraud?
So again, the basic transactions, and the not-so-basic:
- You want to move money from one account to another.
- You want to TALK to your phone and tell it to send money to a friend electronically.
- You want to tell your mobile app using just your lovely voice to pay your water bill.
- You want to go online and explain to an artificially intelligent process, again by VOICE, to rationalize a duplicate payment. Or contest a fraudulent charge.
The bank wants it to be legit. You want it to be fast. You don’t want to rely on passwords. You want it accurate and safe.
This can be done. If your bank can’t do it, then why would you stay with them?
I travel a whole bunch, so my credit card numbers have been compromised a few times. It’s a pain for the bank, and it’s a bigger pain for me, having to wait on new cards and then changing my payment info for Uber, the airlines, my hotel chains, and so on. Imagine if somebody had your credit card numbers, and it DIDN’T MATTER. There would be no way for somebody to use your info if they could never spoof BEING YOU.
This technology exists. I work with it. I can help you demonstrate that you are really you. Unless somebody spots you in a bar with somebody other than your wife, and you’re trying to prove you AREN’T you. And then you’re on your own.
Author: Jeffrey Scheidel, Senior Director — Digital Sales | @IAMGURU2010
Originally published at blog.persistent.com on January 17, 2017.
