World War F

 
By Pete Kledaras, Chief Risk Officer

zombie blogZombies are everywhere. Almost any adult or child can describe them in detail – their appearance, their eating habits, how to kill them. And yet they don’t exist.

Fraudsters are everywhere. Most people are ignorant about them, aside from some sensationalized information designed to sell security services. Fraudsters do exist.

But consumers find no entertainment value in fraud theater. Nor do retailers. Survive another day, and the threats just keep coming.  Does it need to be that way?

Over the past ten years, retailers worldwide have been forced to spend billions to comply with PCI DSS to combat fraud. Industry heavyweights marched out technical solutions, from NFC to Chip-and-PIN to digital wallets. All of these solutions promised a lethal blow to fraud, succeeding only in pushing it to another place, like a gently squeezed water balloon.

Walls and wallets
PCI DSS seeks to reduce the amount of PII (Personally Identifiable Information) exposed during payment. PII is to be locked down and kept from retailers, who historically were considered to be in the best position (the point of sale) to authenticate the customer. Those local agents are now considered a source of fraud exposure.

Data is instead funneled through strong boxes maintained by very large third parties who authenticate customers on behalf of retailers. Authorization workflows overseen by the payment associations (Visa, MasterCard, American Express, Discover) are supplemented by services like CyberSource (Visa-owned) and Accertify (American Express-owned), acquiring banks, and other payments behemoths (PayPal, Heartland, WorldPay, and more) to facilitate payment and shield retailers from losses. The stronger the box, the better, right?

But securing such data has proven troublesome. Epic exposures have occurred among the strongest of the strong boxes, including PayPal, Apple’s iTunes, Global Payments, Sony’s Playstation, and Amazon’s Zappos. Chip-and-PIN and near field communications (NFC) technologies are harder to compromise than magnetic stripes, but not impossible.

Brad Pitt’s latest blockbuster accurately reflects the fate of large-wall security efforts (Spoiler Alert: Zombies breach Israel’s astonishingly high walls when they hear jubilation inside the gates.).

And what’s really scary, is that it’s the consumers who’ve been left to defend the perimeter against the zombies and fraudsters. Fraudsters are giddy, knowing that consumers are notoriously ill prepared for their impending attacks, thanks to their habit of naively making themselves vulnerable by enrolling in account-based loyalty programs, offers, social sites, and email services. Hacking, phishing, spoofing, pharming, phreaking, SMiShing, malware, and souped-up brute-force attacks all target these relatively low-value properties.

Stolen user/password pairs are then combined with information harvested from social sites, public records, and search engines. Once email is compromised (often without the victim noticing), it’s surprisingly easy to steal financial credentials and harvest the exposure, armed with personal details to quell any merchant’s doubts.

All good zombie scripts end in limbo
In the end, unlike zombies, fraudsters are hard to discern from real people.  There is no freakish stagger to automatically trigger alarm from the other end of a mobile device. So what to do?

Most security experts now recommend that consumers use a different user/password combination for every account, committing each to memory. You could also rely on another basket to put all of your eggs into, like LastPass, or a (fingers crossed) secure mobile device. Or just don’t create accounts anywhere online. But how realistic is that?

The leading mobile payment solutions create new central dependencies on institutions like Google or Microsoft or Visa, with little flexibility for retailers to build valuable, proprietary relationships with consumers. That’s not good for retailers.

The unifying proposition supported by MCX participants is to preserve the private relationship between individual retailers and individual consumers. That sounds about right. Yes, one can argue that MCX is just another centralized box, no less vulnerable than those already breached. But the more that retailers establish trusted relationships with consumers, the more value they can create for them, and the more retailers can protect them by more easily recognizing behavior that deviates from the consumer’s normal patterns.

Last month Gene Cornfield defined Branded Currency as a converged trifecta of Loyalty, Coupons, and Payments. Platform solutions that effectively weave together data from shopping, gifting, payments, and incentives will always and everywhere outperform mechanical efforts based narrowly on fixed authentication controls because behavior trumps credentials as a classifier. It’s far easier for a fraudster to know someone’s shoe size than how to walk in his shoes.

It will not take long for the marketplace to identify the next winning payments paradigm.  To a great extent, consumers have already spoken: adoption is highest among retailers who offer the most value with the least fuss. Target, Starbucks, and Amazon accept payment from virtually any device and in virtually any form, without sacrificing security.

They do this by understanding their customers’ behavior and rewarding their loyalty, driving the high-quality interactions that make it easier to identify fraud.

If we look to the retailers who are successfully outwitting the fraudsters and engaging their consumers, I think we’ll see a pattern… sometimes big data, not a big gun, is what helps the good guys win in the end.

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>