
An article relating to this blog post on Finextra:

FSA chides financial institutions for data security lapses

The Financial Services Authority has warned UK institutions to improve their data security practices after a review of systems and controls at 39 firms uncovered slipshod practices at banks, building...


Regulators chasing their tail over data security lapses


Reading between the lines, regulators will continue to take a big stick to institutions that leak personal data.  And so they should.  But there must be a more artful approach to stemming the flood of stolen ID data.  As a security professional, I am aghast at the never-ending obsession with policy and process as the only weapons against ID theft.  Why do we think that beefed-up security policies, staff training, audits, regulations and so on will make any fundamental difference while the data itself stays useful to whoever steals it?  What about a bit of prevention?

IDs get stolen because IDs are valuable.  Look at the cyber crime clearing houses where personal data records, including mothers' maiden names, CVV2s and billing addresses, are traded in parcels of 100,000 or more for a few dollars apiece.  Card Not Present (CNP) fraud is growing at 40% p.a. in the UK and elsewhere, and is now the dominant form of payment card fraud.  To organised crime it's child's play, vastly easier than hacking into Internet bank accounts and moving funds around: just take a cardholder's stolen account details and replay them over the Internet to a web merchant.

It is high time that proper protections were put in place to prevent the replay of stolen IDs.  Only by rendering stolen IDs worthless to criminals, so that a record bought from a clearing house can no longer be played back at a merchant, will we cut ID theft.

Stephen Wilson
Lockstep Group

Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards.  Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.


Comments: (2)

A Finextra member, 29 April 2008, 09:11

Dare I say "there is an easy solution".

The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?

What course of action would you propose? Remembering it's the 21st century.

Stephen Wilson, Lockstep Group, Sydney, 01 May 2008, 01:55

Dean Procter asked: "The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?"

I do believe the best hope for a solution to ID theft (including CNP fraud) is through safeguarding personal details in chips, be they EMV cards, SIMs, other smartcards, or perhaps TPM chips.  [There are huge latent benefits to be had in applying government ID cards to secreting and notarising personal identifiers, protecting citizens from cyber crime, which would go a long way to redressing community angst that ID cards don't really deliver much good to the individual.]

But the most practical way forward, short term, would be for EMV card issuers to use their chips to secrete and notarise customer details for use online. Compared with using cards in unconnected readers to generate OTPs, this is a far more powerful and scalable way to leverage EMV cards into the online world. It could shore up 3D Secure (by hardening the personal details) or offer an alternative to 3D Secure, by sending notarised cardholder details direct from chip to merchant server. 

How to "sell it"?  EMV cards could be "Specially Personalised" [marketing speak!] for secure online payments, perhaps for a small fee levied annually against the cardholder.  Merchant sites could accept smartcard-notarised payments with very simple updates to their commerce servers.  For a bank to go ahead on its own with this, it might have to work with select merchants, through the acquiring side of its business, to have them preferentially accept such specially personalised cards (as opposed to regular CNP) for web transactions. Payment gateways could be important players; in many jurisdictions they act as systems integrators for merchant commerce servers, so they could make the necessary web site updates. 

Merchants, issuers and customers alike would all enjoy reduced exposure to fraud.  Ideally that sort of proposition should 'sell itself' ;-)


Stephen Wilson.
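The mechanism the article calls for (stop stolen IDs being replayed) and the one Stephen Wilson's reply sketches (a chip that notarises cardholder details for a particular online transaction) is modelled below. This is an added illustration written for this page; it is not Lockstep's product, nor EMV or 3-D Secure code. Assumptions: the chip holds a per-card MAC key shared only with the issuer (as EMV cryptogram keys are), so the merchant forwards the cryptogram to the issuer for verification; the reply's "direct from chip to merchant server" variant would instead use a public-key signature that the merchant checks against an issuer certificate, which is left out to keep the example standard-library only. The class and function names, the sample PAN and the scenarios are invented for the demonstration.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so chip and issuer MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Chip:
    """Simulated card chip (hypothetical). The MAC key never leaves the chip;
    the issuer keeps a copy. 'atc' is a monotonic transaction counter."""
    pan: str
    expiry: str
    holder: str
    mac_key: bytes
    atc: int = 0

    def notarise(self, merchant_id: str, amount: int, unpredictable_number: str) -> dict:
        """Bind the static cardholder details to THIS merchant, amount, the
        merchant's nonce and a fresh counter value, then MAC the whole payload."""
        self.atc += 1
        payload = {"pan": self.pan, "expiry": self.expiry, "holder": self.holder,
                   "merchant_id": merchant_id, "amount": amount,
                   "un": unpredictable_number, "atc": self.atc}
        tag = hmac.new(self.mac_key, canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "cryptogram": tag}


class Issuer:
    """Holds the card keys and the last counter value seen per card."""
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}

    def enrol(self, chip: Chip) -> None:
        self.keys[chip.pan] = chip.mac_key
        self.last_atc[chip.pan] = 0

    def authorise(self, request: dict, merchant_id: str, amount: int,
                  unpredictable_number: str) -> tuple[bool, str]:
        payload, tag = request["payload"], request["cryptogram"]
        key = self.keys.get(payload.get("pan"))
        if key is None:
            return False, "unknown card"
        # The merchant states what it is authorising; the chip must have MAC'd exactly that.
        claimed = (payload.get("merchant_id"), payload.get("amount"), payload.get("un"))
        if claimed != (merchant_id, amount, unpredictable_number):
            return False, "payload does not match this transaction"
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad cryptogram"
        if payload["atc"] <= self.last_atc[payload["pan"]]:
            return False, "replayed transaction counter"
        self.last_atc[payload["pan"]] = payload["atc"]
        return True, "approved"


class Merchant:
    """A web merchant that issues a fresh nonce per checkout and forwards the
    chip's notarised request to the issuer."""
    def __init__(self, merchant_id: str, issuer: Issuer) -> None:
        self.merchant_id, self.issuer = merchant_id, issuer

    def checkout(self, amount: int, present_card) -> tuple[bool, str]:
        # present_card(merchant_id, amount, un) stands in for whatever the
        # customer's browser or card reader returns to the commerce server.
        un = os.urandom(8).hex()
        request = present_card(self.merchant_id, amount, un)
        return self.issuer.authorise(request, self.merchant_id, amount, un)


def run_scenarios() -> dict[str, tuple[bool, str]]:
    issuer = Issuer()
    card = Chip("4111111111111111", "12/10", "A N OTHER", os.urandom(32))  # constructed sample card
    issuer.enrol(card)
    shop = Merchant("shop-001", issuer)
    results = {}

    # 1. Genuine cardholder with the chip in hand.
    results["genuine"] = shop.checkout(4999, card.notarise)

    # 2. Fraudster holding the same static details (PAN, expiry, name, even
    #    CVV2) bought from a clearing house, but not the chip's key.
    def fraudster(merchant_id, amount, un):
        payload = {"pan": card.pan, "expiry": card.expiry, "holder": card.holder,
                   "merchant_id": merchant_id, "amount": amount, "un": un, "atc": 999}
        return {"payload": payload, "cryptogram": "00" * 32}
    results["stolen_static_details"] = shop.checkout(4999, fraudster)

    # 3. Fraudster who captured a genuine request in transit and replays it.
    first_un = os.urandom(8).hex()
    captured = card.notarise(shop.merchant_id, 4999, first_un)
    results["captured_first_use"] = issuer.authorise(captured, shop.merchant_id, 4999, first_un)
    # 3a. Replayed to a merchant that issues its own fresh nonce: the binding fails.
    results["captured_replay_fresh_nonce"] = shop.checkout(4999, lambda *_: captured)
    # 3b. Replayed via a careless merchant that echoes the attacker's nonce:
    #     the issuer's counter check still catches it.
    results["captured_replay_same_nonce"] = issuer.authorise(captured, shop.merchant_id, 4999, first_un)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

Two independent checks do the work: the merchant's nonce and amount are inside the MAC'd payload, so a captured cryptogram is tied to one transaction, and the issuer's counter rejects a cryptogram it has already seen even if a merchant reuses a nonce. Scenario 2 is the point of the article: every static field a clearing house sells is present in the request, and it is still worthless without the chip.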

