Is Authentication of Identity Even Possible?

Before we can answer this question, we first need to define what identity is. Too often authentication is used interchangeably with identity, but that’s like saying a bank account and money are the same thing.

In its most basic terms, authentication is the ‘what-of-you’ and identity is the ‘who-of-you’. You can authenticate via a password to log into your computer or buy a cup of coffee, but if you want a mortgage, considerably more background information is required. I could give you 5 usernames & passwords, 5 forms of biometrics, and 5 different hardware tokens, and you would still not know to any degree of certainty whether I’m good for the loan.

For example: Two people are standing in front of you, one’s a stranger and one’s a close friend. You know [for the sake of this example] that they are both who they say they are, but do you feel equally comfortable lending both of them your car?

How to Lose All Credibility in Security

The fact remains that NOTHING in information technology is 100% secure. Nothing. If someone wants something badly enough and has the necessary skill-set/support and access to resources, they are going to get it. Yet so many vendors in the information security industry are still using phrases such as:

  • 100% secure
  • Hack-Proof
  • Unbreakable
  • Fraud-Proof
  • Completely Safe
  • and so on…

Apart from being entirely unrealistic, it is also unnecessary. You don’t need 100% security, even if it were possible; what you need is security ENOUGH. Fraudsters are lazy: if you’re too difficult to breach, or the benefit of gaining access is limited compared to the effort required to achieve the breach, they will move on, so just ‘build your fence’ higher than your competition’s. From what I’ve seen in the 15 years I’ve been consulting across the globe, this should not be too difficult.

Mobile Authentication: Exceeding Card Present Security?

Considering the sheer number of authentication factors of which a mobile device is capable, card-not-present transactions should be at least, if not more, secure than card-present transactions.

In reality, they can be, as the technology is available, but the payments and mobile industries cannot seem to get out of their own way to actually utilise the technology to its full extent.

Let’s examine the card-present transaction: I walk into a shop, choose my items, then go to the counter. The shop assistant rings up my stuff, I place my chip & PIN card into the terminal, enter my PIN and I’m done.

The only things ‘guaranteeing’ that I’m an authorised user of the card are that I have the card in my possession, and a 4-digit PIN. Yes, some cards have photos on them, but they are few and far between, so the real security in a card-present environment is the difficulty of obtaining both the card and the PIN from the true owner. I will not underestimate just how difficult this is, but other than the owner finding the card missing and reporting it, there are very few checks and balances.

Smartphones – A Revolution in Payments for Those With A Disability

Have you ever wondered what it would be like to go through life blind, or with a learning disability? Or what it will be like when you’re older and perhaps your mental acuity is not what it once was?

What must it be like to be almost totally reliant on loved ones, or maybe worse, the honesty and goodwill of complete strangers?

These are generally not thoughts most of us have very often, but for those with physical or mental challenges even the most menial of tasks become extremely difficult.

For the purposes of this blog we will only address how these difficulties are dealt with in the world of payments, specifically non-cash payments.

The issues faced today centre on the fact that the only widely-accepted form of non-cash payment is the branded credit / debit card (MasterCard, Visa, Amex et al), and both the cards themselves and the infrastructure necessary to accept them are geared almost entirely to those without any sort of disability. In fact, even if you wanted to make changes to the infrastructure, the effort would be entirely prohibitive given both the limited return on investment and the absence of any meaningful legislation.

EMV Liability Shift, How Mobile Authentication Can Ease the Pain

In October of this year, any merchant in the US who does not demonstrate the ability to accept EMV transactions can be deemed liable for the fraud associated with counterfeit cards.

That’s only 7 months from now.

Most people in the EU can’t really understand the confusion this has generated – we’ve had chip & PIN for well over a decade – but for the population of the US swipe & signature is as natural as handing over cash. Retailers are rightly concerned that adoption will be a slow and painful process. However, that may not be their biggest concern.

Estimates of the cost of the transition from magnetic stripe to chip range from $8 to $12 billion, and the lion’s share of the burden will fall to the retailers, who must replace their existing payment entry devices (PEDs) with chip-compatible ones. The chances are good that this expense was not in their long-term costings, and bringing forward the end-of-life of their PED infrastructure is simply not an option in an industry where profit margins are razor thin.

But the thing that few people realise is that while the chip alone is a positive factor in fraud reduction (anti-counterfeit), the greatest benefit of the roll-out of EMV is only achieved when it is deployed in conjunction with a 4-digit Personal Identification Number (PIN). This effectively adds a second factor of authentication (the card is something you have, your PIN is something you know), making card-present transactions significantly more secure. PIN alone would have a significant positive impact as well.