Will Apple’s Mobile Payments Service be Secure?

Apple Pay Video

Over the weekend, I read and watched several pieces about Apple’s new mobile payments service, specifically about the security of the new service. By far, the most interesting to me was an interview on Bloomberg TV with Shape Security Director of Product, Michael Coates, and Square’s former COO, Keith Rabois.

While both interviewees were focused on Apple’s new service, what interested me most were their views on today’s payment protections and security.

Keith shared his view that today’s debit and credit cards are extremely exposed to fraud, and protected by a user PIN or signature at best. I believe Keith underestimates the tremendous amount of fraud analytics that happen behind the scenes to protect users’ transactions. Keith does note that signature validation is rarely checked by merchants, which is an all-too-valid observation and a point I plan on discussing in an upcoming blog post as it pertains to the introduction of EMV in the United States.

In discussing authentication, Michael Coates certainly gets it right when he says we need to move away from user passwords and towards additional systems that employ user-friendly two-factor authentication. The constant trade-off is adding security layers for better payment protection, but ensuring that the defenses employed are frictionless and convenient for the customer.

Both interviewees understood the tradeoff is security versus usability: the more security layers you add, the more cumbersome the payment process tends to become for the consumer. Only when this balance is struck will the customer be likely to take full advantage of the security technology. Here at Finsphere, we are strong advocates of multi-factor authentication and believe that adding security that is noninvasive and works in the background is critical to usability and acceptance by the customer.

I am excited by Apple’s recent announcement of its new mobile payment service and the many conversations about security and payments usability it has sparked. As my previous blogs have shown, I am certainly in favor of simplifying the financial experience for customers!

I encourage you to watch the interview and let me know your own views in the comments here, or on Twitter, Facebook, or LinkedIn.

Until next time,

Mike Buhrmann,

CEO, Finsphere

EMV Myths and Truths (continued)

In my last post, I examined the first two myths and “truths” presented in a recent downloadable report from Gemalto titled “Four myths and truths about EMV payments.” We looked at some hard numbers regarding the US migration to EMV, as well as the rationale behind adopting EMV at all, as opposed to transitioning straight to mobile payments. These two topics were fairly easy to tackle, but the next two are a bit more complicated. Here is my stance on the last two myths and proposed “truths.”

Myth #3 – EMV isn’t the right solution because it doesn’t address CNP (card-not-present) fraud, leaving e-commerce and online fraud untouched. 

Truth – Actually, EMV payment cards enable some of the most successful CNP fraud solutions in the world.

I mentioned in my prior post that I believe Myth 3 and its “truth” minimize the level of fraud still present after EMV implementation. In fact, Myth 3’s truth never addresses the level of CNP fraud remaining. I have yet to see a report anywhere showing anything other than a spike in CNP fraud after EMV implementation, and some of the growth statistics for CNP fraud post-EMV are startling.

The Gemalto report claims that EMV payment cards enable more effective authentication tools for CNP fraud (if only merchants and banks would implement them!), which include one-time-passwords, on-card PIN codes, and personal card readers. All of which likely add another layer of end-user interaction and complication.

Myth 3’s response ends by pointing out that EMV payment cards are a worthwhile solution for card-present fraud reduction alone, and “can enable” strong authentication against CNP fraud too. There is no question that EMV payment cards have significantly reduced card-present fraud following implementation – no doubt worthwhile for those with a card-present-only solution. What is less clear is whether it is worthwhile when CNP fraud is considered a part of total card fraud, especially if it will take significant time, money, and effort to enable additional solutions.

Myth #4 – EMV is expensive and difficult for merchants to deploy.  

Truth – EMV payment technology is cheaper and easier for merchants to install than ever before.

Gemalto’s truth statement is technically true. Most technology becomes cheaper as time passes and development continues. That EMV might be less expensive and less difficult to implement now than previously does not alter the fact that the total cost of merchant deployment in the U.S. is projected to run into the several-billion-dollar range. In my opinion, a more credible statement is that EMV implementation is costly and deployments can be time consuming and technically challenging, but that the return on investment can be worth it.

Concluding thoughts:

Gemalto states up-front that the purpose of its “Four myths and truths about EMV payments” is to address four of the most common myths associated with the migration to EMV chip cards. I believe it did choose the most common concerns associated with the EMV migration underway in the U.S. However, I believe the responses could have been more direct and precise in context, which would have added credibility to the overall report.

Next up, I’ll submit my own myth about how EMV will simplify the customer experience and then provide my own truth! And I promise to do my best to provide the appropriate amount of context and balance. Until then, we hope you’ll follow the conversation and share your views in the comments or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

EMV Myths and Truths

I received an email this past week offering a downloadable report from Gemalto titled “Four myths and truths about EMV payments.” The offer ended with the statement, “Read more and then take a stance.” How could I resist? I figured the report would be somewhat slanted given that Gemalto has a vested interest in EMV, but nevertheless, I downloaded the report. The following are my thoughts on the first two identified myths and truths – my stance, if you will.

Myth #1 – EMV will never take hold in the U.S.

Truth – The migration to EMV is well underway, and momentum is growing.

The only argument I have with the above “Truth” statement is the use of the word “well.” The migration is clearly underway, but how “well” it is going in terms of timeliness is debatable.

The report clearly points out that the issue of timing involves the cards and terminals – end-users have to have EMV chip cards and merchants have to have point-of-sale (POS) terminals to read them.

EMV will truly arrive in the US when cards and terminals are in place to support it. The good news is that current estimates call for 100 million EMV chip cards issued and 4.5 million physical terminals to be in place by year-end 2014. But even at this rate, it is projected that 50% of merchants will still not be ready to accept EMV payments by the fourth quarter of 2015.

Bottom line: Yes, the migration is underway and the momentum is growing. But, to be fair, a transition that will cost businesses over $8 billion to implement is not going to happen overnight. Nor was that the expectation, based on the durations of the EMV implementations in other parts of the world and the complexity of the U.S. market. Fortunately, this report is not claiming that the migration will be complete any time soon… now that would be a myth!

Myth #2 – It makes sense to jump straight to mobile payments.  

Truth – Cards aren’t going away, and we need to secure them. EMV chip cards and mobile payments will both likely be big players in the payment ecosystem for the foreseeable future.

The underlying assertion made by some is that the U.S. should skip EMV and move straight to mobile payments. Gemalto points out that new contactless POS terminals are capable of handling both EMV and mobile payments and that not all customers own a smartphone or want to pay with their mobile phones. In essence, the migration to EMV provides a path for both mobile payments and contactless EMV cards and more choice for consumers. I am in agreement with the rationale behind the truth asserted here; cards are not going away soon and there is a foreseeable path for both mobile payments and cards in the future, if merchants choose to go that route.

Myths 1 and 2 were fairly easy to tackle. In a future post we’ll examine myths 3 and 4 of the Gemalto paper. Myth 3 deals with card-not-present transactions and I think the so-called “truth” minimizes the level of fraud still present after EMV implementation. Myth 4 deals with the expense and difficulty for merchants implementing EMV technology.

After that, maybe I’ll submit my own myth about how EMV will simplify the customer experience and then provide my own truth! Until then, we hope you’ll follow the conversation and share your views in the comments or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Happy New Year! – Some Resolutions for All of Us

Happy New Year! And with the new year comes the inevitable resolutions – pledges to lose weight, exercise more, read a new book, spend more time with the family, eat healthier – the list is endless. On my way to work this morning, I was listening to a radio announcer proclaim that the average male’s New Year’s resolution lasts three days… that’s it, just three days! Females were only slightly better – one week! Given that we are into the second week of 2014, I assume that most of us have already broken our pledges to ourselves.

But wait, don’t feel bad. In my last blog, I provided theft and fraud prevention suggestions to keep your identity (and money) safer. In this blog, I will recommend two resolutions for 2014 that are very easy to do and keep. And the payoff is increased security and soundness of your money!

One of the notable news stories over the holidays was the theft of debit and credit card information from Target stores. Over 40 million debit and credit card accounts were affected, which included basically everyone who used his or her card at a Target store between Black Friday and December 15th. Not only was card information taken, but also encrypted personal identification numbers (PINs). Put this information together and a lot of people’s debit card accounts are potentially at risk.

With the Target breach as a backdrop, here are my two 2014 resolutions for you:

  1. Change your PIN on your account at least once this year. In fact, if you do nothing else for a resolution this year, make your resolution to change your PIN today – it’s easy to do at your bank’s ATM or branch.
  2. Check your bank statements monthly. Better yet, get an online account with your bank and monitor your transactions daily or weekly through your bank’s web portal or a third party service provider.

Why change your PIN? Simple: if your financial information is compromised, a new PIN makes it more difficult for the bad guys to use your credentials to make charges. Why monitor your transactions? Although banks monitor for fraud, only you know the legitimacy of every transaction you’ve made. Banks often fail to detect fraud and count on their customers to monitor their own accounts. Catching it early will help you avoid many headaches down the road. It’s that simple.

That’s it! Two easy resolutions: change your debit card PIN and monitor your transactions. It doesn’t matter whether you used your debit card at Target or not. These two resolutions will help protect your debit card and monies from being misappropriated and make for a better and safer 2014!

Here’s hoping your 2014 is great. I’ll be checking in with you later in the year to see how these resolutions are going!

We invite you to share your resolutions and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Holiday Fraud Season: A Reminder

Holiday Shopping

Every year during the five weeks between Black Friday and the end of the year, fraudulent activity spikes. When you’re shopping for the holidays and other special occasions, you’re in the mood to give and make others happy. Unfortunately, there are also people out there aiming to take advantage of you.

Whether you’re shopping in a mall or online, it’s important to take a few steps to make sure your gifts end up in the right hands and someone else isn’t using your identity for their financial gain. Keeping yourself safe during the holiday season is especially important, as getting your card shut down because of a fraudulent charge can bring your holiday shopping to a grinding halt. Taking the following theft and fraud prevention precautions will help you avoid becoming a statistic:

* Keep your bags close. As your shopping trip continues, the bags can pile up and eventually become hard to keep track of. A quick lunch break can be just the distraction a thief needs to swipe that new iPad out from under you. If you find yourself with bag overload, find a safe place to store your items or make the extra trip to your car to place them in your trunk and out of view.

* Keep your money and credit cards closer. While that purse might be the perfect complement to your wardrobe as you cruise through the mall in style, it could also be a target for thieves. Men: It might be easier than you realize to swipe that wallet from your back pocket. If possible, keep cash and credit cards in your front pocket or any place that would be tough for thieves to reach without you noticing.

* Less is more. The less personal information you carry with you, the better. It’s quite easy to drop something in the hustle and bustle, or even to have your wallet stolen. Carry minimal amounts of cash and never carry documents with you containing your social security number.

* Use only reputable websites when shopping online. When paying online, make sure the website URL begins with “https,” which indicates that the data passing between your browser and the website is encrypted. This means you have a far smaller chance of having your personal data intercepted in transit.

By taking measures to protect yourself and your identity, you’ll make sure your purchases deliver the delight you set out to bring to your loved ones and that you can enjoy peace of mind during the holiday season.

‘Tis the season for giving – but make sure you’re not being taken!

We invite you to share your own tips and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Video Blog – Guest Expert Series: How to Innovate Fraud Detection and Elevate Consumer Satisfaction in Today’s Digital-first Environment

Recognized globally as one of the decade’s most influential leaders in financial services, Deanna Oppenheimer contributed to USA TODAY’S CyberTruth column (Why Erroneous Payment Card Declines Will Keep Rising – July 22, 2013) providing insightful commentary on the problem of false positives as well as the magnitude of the problem it’s causing for banks and their customers.

Over the weekend, Apple released its two latest versions of the iPhone, touting its new feature, TouchID, an authentication method that lets users unlock their device by touching their smartphone’s home button. Fewer than five days after its release, a European hacker group claimed to have successfully circumvented the biometric authentication method, causing a stir of editorial opinion that using fingerprints is an inferior security method.

As this blog has opined over the last several months, staying ahead of the fraudsters is an hour-by-hour struggle for most companies, and one that the banking industry is vigilantly focused on. In this video blog, Oppenheimer addresses the issue and lends insight into advances in fraud detection that are showing tremendous strength in stemming fraud, reducing false positives, and providing a less intrusive (and frustrating) experience for the consumer.

While we hope that barbaric predictions (thieves resorting to brutal robberies in order to access a victim’s fingerprint is one theory circulating) will remain the stuff of late-night TV crime dramas, we will continue to discuss issues of identity and financial security, bringing you our point of view, and those of other experts.

We hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn. And as always, leave us your comments – or post your own video response – as we continue to discuss and debate the obstacles and opportunities facing the industry.

Mike Buhrmann,

CEO, Finsphere

Video Blog – Guest Expert Series: Mobile 4th Wave – Opportunities in Payment Authentication and False Positive Reduction

So much intelligent insight came out of the hours of video interviews originally conducted for USA TODAY’S CyberTruth column (Why Erroneous Payment Card Declines Will Keep Rising – July 22, 2013) that we decided to launch a video blog component to appear from time to time in addition to my regular blog posts.

In this first installment, guest expert Russ Jones (global payments strategist and consultant for Glenbrook Partners), discusses the concept known as the “4th Wave” and how mobile operators have a unique opportunity to use cell phone data to help better authenticate credit card transactions and reduce false positives.

We thought this was a particularly timely topic as some of the mobile industry’s foremost thought-leaders and influencers are convening in Seattle this week to discuss this very topic as well as the future of mobile at the Mobile Future Forward summit.

As the discussion of identity and financial security continues to dominate the daily news cycle, we’ll do our best to bring you our point of view, and those of other experts. We hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn. And as always, leave us your comments – or post your own video response – as we continue to discuss and debate the obstacles and opportunities facing the industry.

Mike Buhrmann,

CEO, Finsphere

Why erroneous payment card declines will keep rising

CyberTruth Video

In my April 19, 2013 blog, I addressed the topic of credit card declines, explaining how cards are processed and what leads to a cardholder being declined when he or she is legitimately attempting to make a purchase – known in the banking industry as a false positive. The basis for that blog is now a great piece on USA TODAY’s CyberTruth column.

Finsphere is in the business of identity and financial security. It is particularly pleasing to me to see more discussion and focus on issues that negatively affect each of us as we use payment cards in our day to day lives – especially on issues that are addressable with the types of technology that Finsphere is currently deploying.

I’ve heard numerous personal stories about being declined. And we know that everyone has a story. So if you’re so inclined, we invite you to share yours and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

One-time Passwords – How Inconvenient!

As I immerse myself more into social media (are you following me on Twitter?), I’ve noticed a lot of coverage on the increase in password security breaches and high-profile hackings. Just last month, the daily deals site LivingSocial disclosed that it had suffered a massive cyber attack, requiring 50 million customers to reset their passwords. This is one of the biggest password breaches to date, surpassed only by Sony’s PlayStation network being compromised in 2011, when nearly 100 million accounts were exposed. Obviously, the chatter on this subject certainly seems warranted.

As financial institutions, online services, and social media platforms scramble to more effectively fend off fraud, the opinions on what works, what won’t work, and what might work are filling up cyberspace faster than you can type 140 characters. It seems the solution-du-jour is the implementation of one-time passwords (OTPs). Google, Twitter, Dropbox, and other popular services support the use of one-time passwords, touting them as an extra layer of protection and making it harder for hackers to break in. My opinion? One-time passwords are very intrusive to the end-user. Entering your login credentials, initiating the OTP process, waiting to receive a message from the company (via text message, email, or voice mail) containing a random code, and then entering that code as yet another security input is flat-out inconvenient. And despite these extra security measures, there’s still a chance that the company is hacked, forcing you to come up with a new and ever more complicated password – which we all hate. In fact, according to the 2012 Online Registration and Password study, more than a third of people would rather fold laundry and scrub toilets than come up with new passwords.

Trade-offs exist within all fraud management systems and one-time passwords have their place, but using one-time passwords as the de facto standard is not that place. We all want better security. That’s the entire value proposition behind what we do here at Finsphere, but we believe that risk-based authentication offers a viable, non-intrusive means to provide improved security. If keeping your data safe means you have to go through a series of steps that are intrusive and inconvenient, in my opinion, that’s not a feasible deal to strike.

The almost daily announcement of cyber-hacking has been driven, in part, by the Obama administration’s focus on issues surrounding cybersecurity. The focus has undoubtedly influenced media coverage on cybersecurity threats, meaning news coverage of data breaches has become more abundant. Likewise, data loss disclosure laws now require companies in nearly all 50 states to notify consumers when identity security has been compromised. Accordingly, businesses need to take more aggressive action to protect their customers’ sensitive data. However, one-time passwords should be a fall-back position or incorporated as a part of a less intrusive solution, rather than used for every log-in attempt. Otherwise their use may result in backlash from customers, or worse, losing them altogether.

Tell us what you think about one-time passwords. Have you been in a situation where you were asked to use one? What was your experience like? We welcome your comments, like-minded or otherwise, and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere

Five Words Nobody Likes to Hear: “Your Credit Card Was Declined”

As the CEO of a technology company that develops identity authentication solutions for a variety of industries, including banks and credit card providers, you might think I wouldn’t hear those dreaded five words very often. Well, think again. Like millions of other consumers, I have had my card declined when the transaction was legitimate and I was certain I had sufficient funds. It can (and does) happen to all of us.

When a waiter, sales clerk, or even an anonymous screen message comes back with “Your credit card was declined,” most people experience a range of visceral responses, from embarrassment to anger, and even panic. So why does it happen?

Good Credit – Bad Call?

Having a card declined when the cardholder is legitimately attempting to make a purchase or when there are ample funds to cover the purchase is known in the banking industry as a false positive. A lot of things happen between the time you swipe your credit card and when you get an approval or a denial. Very simply, the process works like this:

  1. A merchant passes the transaction information (including amount and your credit card information) through the credit card network to the bank or credit card company that issued the card (the card issuer).
  2. Next, the card issuer’s fraud management system evaluates the transaction to determine the probability that the transaction is fraudulent. This evaluation typically starts with generating a fraud risk score between 1 and 999. The higher the score, the higher the probability of fraud.
  3. The transaction information, along with the fraud risk score, is then fed into a decision rule engine, which ultimately determines whether the transaction should be authorized or declined.

The fraud risk score and decision rules are based on an analysis of your normal behavior, prior behavior of all individuals who carry the same credit card, and known fraud patterns. Deviation from your normal card usage behavior will often trigger a decline. This evaluation process is essentially the same for debit cards as well.

False positives not only cause significant inconvenience and embarrassment for you, they are also responsible for millions of dollars in lost revenue for financial institutions. Depending on the card issuer, false positive ratios – the number of high-risk transactions the system flags as suspicious, compared to the number of transactions that are actually fraudulent – can be as high as 40:1. This means that up to 97% of card transactions flagged as high-risk (initiating a card decline, account block, or intrusive customer contact) are actually legitimate. That is an astounding percentage. This is true in both card present (when you are physically making a purchase with your card in hand) and card not present (when making a purchase online or over the telephone) transactions.
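To make the three-step flow and the false-positive arithmetic concrete, here is an added toy issuer-side pipeline in Python. It is illustrative code written for this post, not Finsphere’s or any issuer’s actual system; the score weights, the 700 decline threshold, the cardholder profile and the sample transactions are all constructed assumptions.

```python
"""Toy card-issuer authorization pipeline (illustration only, not a real issuer's logic).

Mirrors the three steps described above: the merchant's request reaches the issuer,
a fraud model turns it into a risk score from 1 to 999, and a decision rule engine
approves or declines. It then shows why an N:1 false-positive ratio means that
(N-1)/N of the flagged transactions were legitimate (40:1 -> 97.5%).
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Transaction:
    card: str
    amount: float
    country: str
    card_present: bool
    is_fraud: bool = False  # ground truth, known only after the fact (constructed)


@dataclass
class CardProfile:
    home_country: str
    past_amounts: list = field(default_factory=list)  # the cardholder's own history


def risk_score(tx: Transaction, profile: CardProfile) -> int:
    """Score 1..999, higher = more likely fraud (assumed weights, not a vendor model).

    Deviation from the cardholder's normal behaviour drives the score, as the text
    describes: an unusually large amount, unusual geography, and card-not-present use.
    """
    mu = mean(profile.past_amounts)
    sigma = pstdev(profile.past_amounts) or 1.0
    z = max(0.0, (tx.amount - mu) / sigma)  # only spend *above* normal raises risk
    score = 100 + 150 * z
    if tx.country != profile.home_country:
        score += 250  # transaction far from the cardholder's usual geography
    if not tx.card_present:
        score += 100  # CNP transactions carry more residual risk
    return int(min(999, max(1, score)))


def rule_engine(score: int, decline_at: int = 700) -> str:
    """Decision rule engine: a single threshold rule in this toy (assumed value)."""
    return "decline" if score >= decline_at else "approve"


def authorize(tx: Transaction, profile: CardProfile):
    """Full flow for one authorization request: returns (decision, score)."""
    score = risk_score(tx, profile)
    return rule_engine(score), score


def false_positive_ratio(outcomes) -> float:
    """N in the 'N:1' ratio: flagged (declined) transactions per actual fraud."""
    flagged = [tx for tx, decision in outcomes if decision == "decline"]
    frauds = [tx for tx in flagged if tx.is_fraud]
    return len(flagged) / max(1, len(frauds))


def legitimate_share(ratio: float) -> float:
    """Fraction of flagged transactions that were legitimate, given an N:1 ratio."""
    return (ratio - 1) / ratio


# Constructed cardholder: normally spends about $50 at home, card present.
PROFILE = CardProfile(home_country="US", past_amounts=[40.0, 50.0, 60.0])

# Constructed batch: one real fraud plus several legitimate purchases.
SAMPLE_BATCH = [
    Transaction("c1", 50.0, "US", True),                   # routine, approved
    Transaction("c1", 50.0, "FR", True),                   # abroad but small, approved
    Transaction("c1", 700.0, "US", True),                  # big TV purchase, declined
    Transaction("c1", 900.0, "US", True),                  # legitimate, declined
    Transaction("c1", 1200.0, "US", True),                 # legitimate, declined
    Transaction("c1", 900.0, "FR", False, is_fraud=True),  # actual fraud, declined
]


def demo_ratio() -> float:
    """Run the batch through the pipeline and report the false-positive ratio."""
    outcomes = [(tx, authorize(tx, PROFILE)[0]) for tx in SAMPLE_BATCH]
    return false_positive_ratio(outcomes)  # 4 flagged, 1 fraud -> 4.0 (4:1)


if __name__ == "__main__":
    for tx in SAMPLE_BATCH:
        print(tx.amount, tx.country, authorize(tx, PROFILE))
    print("ratio", demo_ratio(), "legit share", legitimate_share(demo_ratio()))
    print("40:1 ->", legitimate_share(40))
```

The last line reproduces the figure in the paragraph above: at 40:1, 39 of every 40 declines hit a legitimate cardholder.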

I Am Not A Crook!

I commented in a recent post that credit card issuers are faced daily with new and increasingly sophisticated types of attacks, so in their pursuit to keep our information secure and protect us from fraud, we are often made to feel as if we are the criminal.

In a recent study conducted by Penn Schoen Berland, feedback revealed that cardholders would be prepared to increase use of their cards, both domestically and abroad, if they felt more confident that their card would not be declined. The impact on customer satisfaction from having transactions declined and cards blocked, especially when traveling abroad, is considerable. While I wasn’t one of the study participants, I can definitely agree with their perspective.

Because financial institutions are scrambling to more effectively fend off fraud, the many layers of security customers are being asked to navigate are seen as a nuisance. We call our bank before taking a business trip or vacation in hopes our card won’t be declined while trying to pay for a rental car or theater ticket, etc. We are asked to set up alerts so that text messages can be sent to our mobile phones if the bank suspects fraud. And don’t get me started on the elaborate (and not necessarily fool-proof) passwords being demanded of us these days.

How to Reduce False Positives

So what can you do to lessen your chances of hearing those five dreaded words? Here are some tips that may help:

  • Communicate With Your Card Company

Predictive models used to identify fraud are usually based on identifying charges that don’t fit a previous pattern. So, if you’re taking a vacation abroad, or even travelling just outside your own state, let your bank know in advance. It may not always save you from a card decline, but it is still a good idea.

  • Competition is Good – So Carry Several Cards

You’ve probably experienced the (frustrating) situation where your card is declined, but when you present a different card for the same transaction, it’s approved. Because it’s challenging to know which charge may get flagged as a potentially fraudulent transaction, having other cards from competing issuers may help. Think of it as a back-up generator or spare tire.

  • Get a Prepaid Card

If you want a greater likelihood that you won’t get stuck without a way to pay for goods or services, especially if you’re going to be far from home, having a prepaid card on hand is a reliable strategy. They are often sold at airports, so if you’re heading out of town, you could pick one up before take-off.

  • Be Patient

Technology like Finsphere’s that incorporates mobile proximity and location-based fraud analytics has been proven to significantly reduce false positives for both card present and card not present transactions. As adoption of this kind of identity authentication solution grows, your day should get a lot brighter.

Being in the business of identity and financial security, I’ve heard numerous personal stories about being declined. And we know that everyone has a story. So, if you’re so inclined, we invite you to share yours and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.

Mike Buhrmann,

CEO, Finsphere