Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Profile
Location
London
Member since
2009
Writes about
Security Regulation & Compliance

Andrew's blog archive

2019 (1) 2015 (1) 2012 (2)
Andrew Churchill

Andrew Churchill

ID & Authentication Standards author at MIDAS Alliance
Message Message me Posts: 4 Comments: 20
Bio Lead author of British Standard in Digital Identification & Authentication (PAS499), and research into security flaws of Government and payment industry systems, particularly in relation to Identity and authentication, and development of security solutions to address attacks against such systems.

Blogs

Banking Strategy, Digital and Transformation

2019 - the year we may finally get to grips with Digital Identifcation & Authentication

11 Feb 2019

On Thursday evening I was delighted to be speaking in Parliament on behalf of the MIDAS Alliance at the launch of Tech UK’s Digital IDs report, hosted by the All Party Parliamentary Group in Digital Identity. This very well attended event heard of the opportunities afforded by getting digital identification & authentication right, ranging from...

1

 

Mere tokenism - how not to deploy security

09 Feb 2015

There has been much commentary of late over the surge in interest in tokenisation, not least on the back of certain mobile payment platforms. Tokenisation, as a principle, has of course been around for many years, but with the ever increasing prevalence of data breach disclosure notifications the adoption of ‘the token’ seems to coming of age. T

 

For once, it's not Government taking your money!

27 Aug 2012

‘State-sponsored banking virus found in Middle East’ ran the recent headline, referencing the latest cunning plan to fleece banking customers of their access credentials, but the article’s conclusions struck me as flawed for a number of reasons. First and foremost there is nothing new about malware stealing banking access credentials - as my last...

1

 

The computer you are reading this on is mine ...

24 Jul 2012

For several years, the blogs and news stories on these pages have discussed a variety of threats from this Trojan or that, with Zeus making its first appearance in Finextra’s pages as far back as April 2008. So, whilst it may no longer really be ’news’ it was interesting to see Zeus back in the headlines recently over its latest manifestation in H...

See all Andrew's blogs

Andrew is Commenting on

Why isn't banking leading the way in security?

  Hi Max, A good post from a security perspective, as all your points on vulnerabilities of weak 2FA implementation are all true, though I would challenge the PIN stronger than biometric piece on a number of levels. But it was your title I wanted to pick up on from a legal perspective. As we all know, all organisations have to be able to identify and authenticate their customers under GDPR, where there is suspicion that a Subject Access Request not be from the genuine customer (not that GDPR provides any guidance on how to do this). Let's call that 'common practice'. Then certain industry sectors covering Critical National Infrastructure (CNI) have additional security requirements added in (in EU) under the security of Network Information Systems Directive (NIS), which provides additional access control and ID/Auth requirements. Let's call that good practice. But Financial services are exempt from NIS because they have stronger sector specific security standards, such as those defined under RTS SCA in PSD2. Now these requirements, coming into force in September this year provide a range of strictures which would outlaw OTP SMS, but don't provide much in the way of guidance as to what IS fit for purpose, and that's where the new British Standard comes into play, as PAS499 in Digital Identifciation & Authentication guides organisations through how they should implemnt a practical and secure solution. Let's call that Best Practice, so the Banks WILL be leading the way come September, not only from a regulatory perspective but in practical implementation.

15 Feb 2019 Reply Read article

UK iPhone users unsure on Apple Pay

  Matt - interesting point on Access to Account, but your earlier comment on your Galaxy/Vodafone Passport on the Tube intrigues me - I've just tried again, and my Vodafone Wallet Smartpass is still telling me that paying through the phone isn't available without the new NFC SIM (which itself ruins the point of having an NFC device), and that these aren't available yet either! I trust you don't mean you've stuck the card on the back, so please do let me know how you've managed a work around! Also, given the difficulty TfL have had managing refunds on bank cards and more recently on bpay 'non-cards', it'll be fun watching them track back on an Apple Pay uncompleted journey! Ian - 'all fine for now' as you say until PSD2 comes out, but the kick off of EBA early adoption is 1st August! On the original article as a whole, it will also be interesting to see how low that 27% falls when the inevitable avalanche of frauds hit here, as they have seen in the US.

13 Jul 2015 Reply Read article

Online Banking Fraud

  Bjorn, You're quite right, and ENISA guidance has had 'assumed compromise', typically though not necessarily through infection, in place since 2012. The problem is that banks aren't taking the mitigation steps far enough. The forthcoming 'early adoption' of PSD2 through ECB/EBA SecuRe Pay strong authentication requirements may well go some way to address this from August, depending of course on how they are managed (if they are managed!)

10 Apr 2015 Reply Read article

PayPal pays $7.7m in US sanctions case

  My first reaction from the headline was 'only $7.7m for a regulatory breach - that's a bit tame nowadays'!! But if you look at it as fining them 175 times the amount in question, or the expectation that full checks should be carried out on payments averaging just $90 a time, and it looks rather different!

26 Mar 2015 Reply Read article