Digital Transactions Authoritative, insightful and timely information for payments professionals
Security Notes
Gideon Samid – Gideon@AGSgo.com
I bet that right now you are behind on downloading the latest security patches from Microsoft. Don’t you wonder about this now-familiar routine? Patches and other security tactics are alive and well. My graduate students at the University of Maryland get lucrative job offers before they pass my final. But what about security strategy? We will never defeat the hackers with tactics. We should employ our advantage: conceptual power.
After all, it is because of robust security concepts that we have held on so far. The personalized password kept in encrypted-only form on a server is an example. The bad guys have responded with clever tactics, but the concept by and large holds. And recently it got a boost from a secondary concept: The password is never typed in. Instead, a procedure is employed by which you convince the bank or other party that you are in possession of the password. With these so called “zero-knowledge protocols,” the good guys in one fell swoop defeated mountains of key-logging code.
Now consider mobile transactions. Merchants want them, and banks and the networks smell new business. But there’s a pesky security question surrounding mobile, and the way to handle it leads to another great security concept: the “standard” or “certificate,” a means of bringing to bear the wisdom of the sages to your particular system. If you are compliant with the standard, if you can show a certificate, you demonstrate to your users that they are protected by the wisdom, insight, and thoughtfulness of the best people in the business.
It’s very powerful because it allows an unknown startup to innovate and offer its services. Alas, this wonderful solution needs a lot of conceptual work to make it as effective as it could be. As things stand today, business forces push the certification and codification processes way too fast. Lawyers write the commitment language so that when a security breach happens, they can point to some clause or another that absolves them of any responsibility.
The newly emerging industry of “independent certification agents” is also under pressure. The people they certify are the people who pay them, and they expect to be certified. When a big and costly security breach takes place, it most likely ends up in the lap of the victims, and all the code writers and code certifiers walk away unharmed. One reason is the youth of the industry. Building codes in the construction industry—by comparison—have evolved over thousands of years. A building inspector who fails to check if the elevator cable meets the standard will be royally sued by the estate of those who took the plunge when the cable tore off.
Admitting that we are feeling our way, we must think of a conceptual interim solution. Let’s revisit the aforementioned mobile transactions—paying through the phone and other pocket-held devices. These devices are built for maximum accessibility and competitive convenience, which is what hackers exploit in moving in for the kill. We don’t want to shun new technologies, but we may want to try them by stages. I would submit that any new transactional platform should first be tried on prepaid cards. Potential damage is capped, confidence is built, and those infamous patches can be applied before those high-worth credit cards are admitted. I recently contended, while talking with a brand executive, that prepaid cards will eat into today’s cash business. Many of us are reluctant to expose our credit cards to a fly-by-night street-corner vendor. But handing over our small-denomination prepaid card is a different story.
From my vantage point, I discern a gap between the security tacticians who battle hackers toe-to-toe and the security strategists who mostly write academic papers for publication. We need to close this gap. Let each side reach out to the other. My personal contribution to this need was to develop a security concept for wireless cash. It has attracted the attention of the United Nations and other organizations that work on extending credit to undeveloped areas. Your phone is your bank. Sounds great in parts of the world where banks are rarely found.
We are all under the tyranny of the urgent, and our first priority is to find the next patch. But where are the visionary few who will give us a universal, seamless payment solution to lubricate the progress of humanity, unhindered by hackers?
