Tuesday, April 23, 2024

Digital Insecurity: No Place Left to Hide

10 Tipping Points for the Payments Industry
Part 10
Years and years of finger-crossing while pushing ever-more unprotected financial account data across an expanding array of vulnerable origination points and networks have come to a sudden and long overdue demise. When and how the electronic payments industry finally gets serious about security, and privacy, could prove to be its ultimate tipping point.

The cascade of data breaches has the new Congress (and therefore lots of regulatory agencies) scrambling to legislate solutions in the absence of any decisive action by the industry. Last year's federal mandate for stronger authentication in online banking was just the first shot across the bow.

The challenges confront you anywhere you transact. Who hasn't been phished by torrents of e-mails spoofing popular bank and merchant Web sites and seeking to steal financial account information? Handy-dandy spoofing kits are available for online purchase for a few hundred dollars, and you can buy tens of millions of e-mail addresses on eBay to try them out for less than $20!

Tens of millions of the new contactless cards and fobs for tap-and-go purchases at point-of-sale are stirring a lot of bank and merchant excitement, but many consumers (and not a few security experts) are still wondering how safe they will turn out to be.

Mobile phone payments are all the rage now, but the security questions remain largely unanswered, short of re-equipping the public with a lot of new infrastructure and requiring security routines that cancel out the convenience of using a mobile device in the first place.

Meanwhile, the vast majority of financial-account compromises continue to stem from signature-based cards in the physical world. Ironically, these cards are based on preserving the anonymity of the cardholder, but expose the financial account for all to see. Credit card security was doomed a decade and a half ago, when the card companies decided not to PIN these transactions. But expanding their use to remote transaction venues continues to test the resources and will of an industry still reluctant to abandon the gravy train of fees and interchange to commit to safer, better, and cheaper alternative payments.

It has become abundantly clear that the industry's reliance on letting the merchant or a third party control the disposition of the financial-account data is just plain crazy. But so, too, is the banking industry's rote practice of doing most financial-account setups based largely on Social Security Numbers, which any fool of a county clerk can post on official public records made available for Internet perusal.

The financial damages from all this inane and illogical behavior are nowhere near what some researchers have been claiming, but it's still a large number (about $25 billion across all forms of payment), and it's getting bigger and bigger every year. To its credit, the banking part of the industry, which spends about one dollar in prevention for every 10 it loses to fraud, has certainly stood tall in doing what it can to keep the lid on this boiling cauldron. Compare the banks to the leaky sieve that is the U.S. health-care industry, for example, where the fraud costs are three times higher, and they spend less than a penny in prevention for every $1 in fraud.

But the bad news will keep on coming: Not long ago, David Jevans, chairman of the Anti-Phishing Working Group, told a payments conference audience that “perhaps the only way to be truly secure these days is to have a dedicated PC that goes only to your online banking Web site and never touches e-mail or the rest of the Internet. And even then you aren't completely safe.”

If that's the assessment for online banking, which the industry (and Washington) think they're on top of, then what are the prospects for over-the-air transacting, such as contactless and mobile payments?

Yet, thanks to the bank card associations, which have sought to promote signature card use online by offering zero liability to consumers, no matter how reckless they might be, a generation of consumers has been trained to disregard safe practices for use of financial accounts. And merchants have long disdained supporting additional transactional security for fear of aggravating abandonment rates and losing transactions (think Verified by Visa).

This myopia flies in the face of research that clearly shows the best customers of banks and merchants alike are receptive to and seek out providers who protect them. It's their mindless pursuit of volume from the 1%-to-2% who are bad actors (not just the fraudsters, but the chargeback recidivists, the naïve online consumers with unprotected devices, the irresponsible accountholders) with payment products and practices that enshrine customer anonymity but expose financial-account information at the beck and call of anyone who wants it, that is leading the electronic payments industry over the proverbial cliff.

Now's the time to throw out the blanket zero-liability paradigm and get legitimate, responsible consumers to put some skin in the security game, too. The good ones appear to be ready to do what's needed to protect themselves. Consumers who can't should get restricted account access. Those who won't should bear the specific costs of their misbehavior instead of loading their burden on the backs of the vast majority of responsible transactors.

Prognosis: So it's gut-check time for the payments industry. (Picture lots of wary smiles from your risk-management folks.) This time, people really are hopping mad. So get ready for a lot of well-intended but probably not well-thought-out “solutions” being crammed down the throats of banks and merchants. Wildcard: If the industry fails to ante up and play out this final hand, it risks a long-term loss of the good faith and trust of its customer base. Then there really is no cogent argument against letting ANY third party into the payment space to see if they can do better.
–Steve Mott

Digital Transactions