Andrew Churchill

ID & Authentication Standards author at MIDAS Alliance
Posts: 4 Comments: 20

Bio: Lead author of the British Standard in Digital Identification & Authentication (PAS499); researches security flaws in Government and payment industry systems, particularly in relation to identity and authentication, and develops security solutions to address attacks against such systems.


Banking Strategy, Digital and Transformation

2019 - the year we may finally get to grips with Digital Identification & Authentication

11 Feb 2019

On Thursday evening I was delighted to be speaking in Parliament on behalf of the MIDAS Alliance at the launch of Tech UK’s Digital IDs report, hosted by the All Party Parliamentary Group in Digital Identity. This very well attended event heard of the opportunities afforded by getting digital identification & authentication right, ranging from...



Mere tokenism - how not to deploy security

09 Feb 2015

There has been much commentary of late over the surge in interest in tokenisation, not least on the back of certain mobile payment platforms. Tokenisation, as a principle, has of course been around for many years, but with the ever increasing prevalence of data breach disclosure notifications the adoption of ‘the token’ seems to be coming of age. T...


For once, it's not Government taking your money!

27 Aug 2012

‘State-sponsored banking virus found in Middle East’ ran the recent headline, referencing the latest cunning plan to fleece banking customers of their access credentials, but the article’s conclusions struck me as flawed for a number of reasons. First and foremost there is nothing new about malware stealing banking access credentials - as my last...



The computer you are reading this on is mine ...

24 Jul 2012

For several years, the blogs and news stories on these pages have discussed a variety of threats from this Trojan or that, with Zeus making its first appearance in Finextra’s pages as far back as April 2008. So, whilst it may no longer really be ’news’ it was interesting to see Zeus back in the headlines recently over its latest manifestation in H...

Andrew is Commenting on

Why isn't banking leading the way in security?

Hi Max, A good post from a security perspective, as all your points on vulnerabilities of weak 2FA implementation are all true, though I would challenge the PIN stronger than biometric piece on a number of levels. But it was your title I wanted to pick up on from a legal perspective. As we all know, all organisations have to be able to identify and authenticate their customers under GDPR, where there is suspicion that a Subject Access Request may not be from the genuine customer (not that GDPR provides any guidance on how to do this). Let's call that 'common practice'. Then certain industry sectors covering Critical National Infrastructure (CNI) have additional security requirements added in (in EU) under the security of Network Information Systems Directive (NIS), which provides additional access control and ID/Auth requirements. Let's call that good practice. But Financial services are exempt from NIS because they have stronger sector specific security standards, such as those defined under RTS SCA in PSD2. Now these requirements, coming into force in September this year, provide a range of strictures which would outlaw OTP SMS, but don't provide much in the way of guidance as to what IS fit for purpose, and that's where the new British Standard comes into play, as PAS499 in Digital Identification & Authentication guides organisations through how they should implement a practical and secure solution. Let's call that Best Practice, so the Banks WILL be leading the way come September, not only from a regulatory perspective but in practical implementation.