The Age of Context and Security

by George Peabody on January 13, 2014

in Authentication, Card Fraud, George Peabody, Point of Sale (POS), Security, Technology

The news from Target, increasing the number of cards compromised to 70 million and the expansion of data loss to mailing and email addresses, phone numbers, and names, affirms that we’re in a security crisis.  As my colleague Scott Loftesness puts it, card data is, from a brand and business perspective, the new radioactive material.  Add personally identifiable information (PII) to the list of toxic isotopes.

The depressing vulnerabilities these breaches reveal are the product of skilled attackers, the Internet's lack of inherent security, and inadequate protection: tools misapplied or absent altogether.  Security is very, very hard when it comes to playing defense. There are no silver bullets, of course. Security is, like staying warm this winter, about layers.

There is a set of new technologies that could, in combination, produce a defense in depth that we have not enjoyed for some time.  This post takes a look at those approaches and what they may mean for security as a whole.

Looking at the ACTs

Early last fall, internet and Silicon Valley observer Robert Scoble and his colleague Shel Israel released The Age of Context, a book based on the hundreds of interviews Scoble has conducted with tech start-up and established company leaders.  In a wide-ranging survey, they examine what happens when our location and to whom we are connected are combined with the histories of where and when we shop.  The result is a very clear picture of our needs, wants, and even what we may do next.

Combining the smartphone and the cloud, five “Age of Context” technologies, or ACTs as I’m calling them, will change how we live, interact, market, sell, and navigate through our daily and transactional lives, if they haven’t already. The five technologies are:

  1. Mobile Devices and Communications. Mobile devices are aggregation points for cloud-based services, sending to the cloud torrents of very specific data.
  2. Big Data. The ocean of data generated from those mobile streams, and our online activity, can be examined to develop rich behavioral data sets.  This data enables merchants, for example, to mold individually targeted marketing messages or to let financial institutions improve risk management at an individual level.
  3. Social. Social networks map the relationships between people and the groups they belong to, becoming powerful predictors of behavior, affiliations, likes, dislikes and even health.  Their role in risk assessment is already growing.
  4. Geolocation.  Nearly every smartphone carries a GPS receiver, and even when it doesn’t, the network knows which cell tower the handset is using. Mobile network operators and an array of service providers can take that data to predict travel patterns, improve advertising efficiency, and more.
  5. Sensors. Smartphones, wearables (think Fitbits, smart watches and Google Glass) and other devices are armed with accelerometers, cameras, fingerprint readers and other sensors. Sensors enable highly granular contextual placement.  A merchant could know not only which building we are at and the checkout line we are standing in but even which stack of jeans we are perusing.

The many combinations and intersections of these technologies are raising expectations, and concerns, over what’s to come.  Everyone has a stake in the outcome: consumers, retailers, major CPG brands, watchdog organizations, regulators, politicians, and the likes of Google, Apple, Microsoft, Amazon, eBay / PayPal, and the entire payments industry.

Scoble and Israel make clear we are only at the beginning of this process.  We should have misgivings about this and, as an industry, as individuals and as a society, we will need to do better with respect to privacy.  And certainly with respect to relevance.

My recent web searches for a new camera continue to haunt me through ads placed on sites I frequent, weeks after I made my purchase.

On the positive side, provided we can manage the privacy permissions we grant and the occasionally creepy sense that someone knows way too much about us, the intersections of these tools should provide more relevant information and services to us than what we have today.  Anyone who has sighed at the sight of yet another web ad for a product long since purchased or completely inappropriate to you (Diapers? Really?) understands that personalized commerce has a long way to go.  That’s part of what the “Age of Context” technologies promise to provide.

ACTs in Security 

The ACTs’ role in commerce is one, albeit essential, application.  They have the potential to power security services as well, especially authentication and identity-based approaches. We can combine data from two or more of these technologies, for example, to generate more accurate and timely risk assessments.

It doesn’t take all five to make improvements.  Early Warning Services has shown that correlating just two data points is useful: if a POS transaction took place in the same state where the cardholder’s phone is (based on cell-tower triangulation), the risk assessment improves substantially.

The ACTs let us ask powerful questions of each technology:

Mobile

  • Where does my device typically operate?
  • How is my device configured?
  • Is the current profile consistent with the past?

Data

  • What have I done in the past?
  • Is there a pattern?
  • How does that fit with what I’m doing now?

Social

  • Am I a real person?
  • Who am I connected to?
  • What is their reputation?

Geolocation

  • What building am I in?  Is it where the transaction should be?
  • Which direction am I going in or am I running away?

Sensors

  • Where am I standing? What am I looking at?
  • Is this my typical walking gait? What is my heart rate and temperature?

Knowing just a fraction of the answers to these questions places the customer’s transaction origination, the profiles of the devices used to initiate that transaction, and the merchant location into a precise context.  The result should improve payment security.

More payments security firms are making use of data “signals” from non-payment sources, going beyond the traditional approach of assessing risk based primarily on payment data.  Firms like Signifyd have added social data to improve fraud detection for ecommerce payment risk scoring.  Competitor Socure, calling its approach Social Biometrics, evaluates the authenticity of social profiles across multiple social networks including Facebook, Google+, LinkedIn, Twitter, and email, with the goal of identifying bogus profiles. These tools are, of course, attractive to ecommerce merchants and others employing social sign-on to simplify site registration.  That ability to ferret out bogus accounts supports payment fraud detection as well.

This triangulation of information is what creates Scoble and Israel’s notion of context.  Apply it to security.  If you can add the cardholder’s current location based on mobile GPS (the customer is at home) to the access device’s digital fingerprint (that’s her tablet) to the payment card (she’s used that card for her last eight purchases), to the time of day when she typically shops, then the risk is low.  Any one of those signals can be faked on its own (GPS coordinates can be spoofed, a device fingerprint copied), which is exactly why the combination, not any single signal, does the work.  Such precise contextual information could pave the way for retiring the distinction between card-present and card-not-present transactions in favor of a cardholder-present status to guide risk decision-making.
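As an added example (not code from this post, nor from Early Warning, Signifyd, Socure or any other vendor named here), the Python below folds the signals just described into a single risk decision: device fingerprint, phone location versus POS location (the two-data-point check from earlier in the post), distance from home, card history and time of day. The profile, device ids, coordinates and card tokens are constructed sample data, and the weights are illustrative assumptions rather than a tuned model. The one design rule worth keeping is that an absent signal is treated as unknown, never as reassuring, so stripping the GPS fix or the fingerprint from a request cannot lower the score.

```python
"""Contextual risk scoring for one card transaction.
Added example, not code from the original post or any vendor it names.
Profiles, coordinates, device ids and card tokens are constructed sample
data; the weights are illustrative assumptions, not a tuned model."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

Coord = Tuple[float, float]  # (latitude, longitude), decimal degrees

def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

@dataclass
class Profile:
    """What the issuer already knows about the cardholder (constructed)."""
    known_devices: Set[str]    # fingerprint hashes of devices seen before
    home: Coord                # where she usually is
    usual_hours: range         # local hours when she typically shops
    recent_cards: List[str]    # card tokens used on her last purchases

@dataclass
class Transaction:
    """Signals arriving with one purchase. None means the signal is absent."""
    device_id: Optional[str]
    device_location: Optional[Coord]    # the phone's GPS fix
    merchant_location: Optional[Coord]  # the POS; None for card-not-present
    card_token: str
    hour: int

def contextual_risk(tx: Transaction, p: Profile) -> Tuple[int, List[str]]:
    """Fold the signals into a 0-100 score and return it with the reasons.
    Design rule: an absent signal never lowers risk. A missing fingerprint or
    GPS fix counts as unknown, not as fine, so stripping signals gains nothing.
    """
    risk = 50
    why: List[str] = []

    # Mobile: have we seen this device before?
    if tx.device_id is None:
        risk += 10; why.append("no device fingerprint")
    elif tx.device_id in p.known_devices:
        risk -= 20; why.append("known device")
    else:
        risk += 20; why.append("new device")

    # Geolocation: does the phone agree with the POS (the two-data-point
    # check), and is the cardholder somewhere she usually is?
    if tx.device_location is None:
        risk += 10; why.append("no device location")
    else:
        if tx.merchant_location is not None:
            gap = haversine_km(tx.device_location, tx.merchant_location)
            if gap <= 5:
                risk -= 15; why.append("device co-located with merchant")
            elif gap > 100:
                risk += 30; why.append(f"device {gap:.0f} km from merchant")
        if haversine_km(tx.device_location, p.home) <= 1:
            risk -= 10; why.append("cardholder at home")

    # Data: the card and the hour against her own history
    if tx.card_token in p.recent_cards:
        risk -= 10; why.append("card used on recent purchases")
    else:
        risk += 10; why.append("card not used recently")
    if tx.hour in p.usual_hours:
        risk -= 5; why.append("usual shopping hour")
    else:
        risk += 10; why.append("unusual hour")

    return max(0, min(100, risk)), why

def decide(risk: int) -> str:
    """Map the score to an action; the middle band asks for step-up auth."""
    if risk < 30:
        return "approve"
    return "step-up" if risk < 70 else "decline"

def run_samples() -> Dict[str, Tuple[str, int]]:
    """Three constructed transactions against one constructed profile."""
    sf, nyc = (37.7749, -122.4194), (40.7128, -74.0060)
    her = Profile({"dev-tablet-7f3a"}, sf, range(18, 23), ["tok-4242"])
    cases = {
        # her tablet, at home, her usual card and hour: "cardholder present" online
        "home_tablet": Transaction("dev-tablet-7f3a", (37.7750, -122.4190), None, "tok-4242", 20),
        # a new device at her home address, otherwise normal: ask for more
        "new_device_at_home": Transaction("dev-phone-9c11", sf, None, "tok-4242", 20),
        # her phone is in San Francisco while the card is swiped in New York at 3 am
        "card_far_from_phone": Transaction("dev-phone-9c11", sf, nyc, "tok-4242", 3),
    }
    out: Dict[str, Tuple[str, int]] = {}
    for name, tx in cases.items():
        risk, _ = contextual_risk(tx, her)
        out[name] = (decide(risk), risk)
    return out

if __name__ == "__main__":
    print(run_samples())
```

Run stand-alone it prints the three decisions: the at-home tablet purchase is approved, the unfamiliar device at a familiar address gets step-up authentication, and the card used 4,000 km from the phone is declined. The reasons list returned alongside the score is what an analyst would want in the case file, and it is also where a production system would log which signals were missing rather than silently scoring them as benign.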

Sales First, Then Security 

Of course, investment in ACT-generated and derived signals will follow the anticipated return. Merchants and financial institutions are more willing to pay to increase sales than to pay for potential cost savings from security services.  As a result, the ACTs will shape commerce decisions first: whom to show an ad, whom to offer an incentive.

New Combinations

Behind the scenes, the impact of the ACTs on security will be fascinating, and important, to watch. From a privacy perspective, the use of the ACTs in security should prove less controversial because their application in security serves the individual, the merchant and the community alike.

Determining the optimal mix of these tools will take time.  How different are the risks for QR-code initiated transactions vs. a contactless NFC transaction?  What’s the right set of tools to apply in that case?  What sensor-generated data will prove useful?  Is geolocation sufficient? Will we find social relationships to be a strong predictor of payment risk, or are they more relevant for lending?  And what level of data sharing will the user allow, a question that grows in importance as data generation and consumption are shared more broadly and across organizational boundaries. It will be important for providers of security tools to identify the minimum data for the maximum result.

I expect the ACTs to generate both a proliferation of tools to choose from and a period of intense competition. The ability to smoothly integrate these disparate tool sets will be a competitive differentiator because the difficulty of deployment, for many merchants, is as important as cost. Consistent APIs would be a start.

Getting More from What We Already Have

The relying parties in a transaction—consumers, merchants, banks, suppliers—have acquired their own tools to manage those relationships.  Multi-factor authentication is one tool kit.  Banks, of course, issue payment credentials that represent an account and proxy for the cardholder herself at the point of sale or online.  Financial institutions at account opening perform know your customer (KYC) work to assure identity and lower risk.

Those siloed efforts are now entering an era where the federated exchange of this user and transactional data is becoming practical.  Firms like SecureKey and Nok Nok Labs, and initiatives like the National Strategy for Trusted Identities in Cyberspace (NSTIC), are building the tools and the economic models to leverage these novel combinations of established attributes and ACT-generated data.

The ACTs are already impacting the evolution of the payments security market. Payment security incumbents like Early Warning and specialists like Signifyd and Socure, to choose just two from the social side, find themselves in an innovation rich period.  Done well, society’s security posture could strengthen.  Here’s hoping.

Hope’s a great thing but it’s insufficient.  I want to help contribute to putting these tools to their best use.  If you have an idea for your initiative and would like to see it move forward faster, let’s see if I can help. Get in touch.  If I can’t help you, I know one of my Glenbrook colleagues can.

Comments

Dave Birch January 13, 2014 at 3:49 pm

Excellent piece George, thanks. There is a real challenge in using these technologies effectively to deliver not only security, but privacy. I wonder if privacy might become a bigger part of the customer proposition around payment services in coming years?

TravelAI January 14, 2014 at 9:20 am

Dave – Just because some tech offers opportunities to those that reveal information about themselves (e.g. their location), doesn’t mean that in order to benefit from tech you *must* give up privacy.

All those sensors and processing power on mobile devices can be harnessed to process your sensitive data on the phone and still produce a useful result without sharing any sensitive location. For example, we’ve developed software that can detect what mode of transport you’re on without sending any information from your phone. In the context of this article, your phone could examine your travel behaviour and see if it matches your typical journey before allowing access to your banking app, for example.

Privacy is a big divider. Scoble puts all his data out there and there are other influencers like Gary Vaynerchuk who just yesterday forcefully argued that people who are worried about privacy will lose (http://www.garyvaynerchuk.com/privacy-is-dead-and-its-not-a-big-deal-245-video/). This doesn’t seem to marry up with all those people who have been shaken by the recent NSA revelations.

I think you can often avoid the question, by using the processing power of the phone to process the sensitive data in order to produce a useful result that is not privacy sensitive.

Jessica Dodson January 16, 2014 at 12:17 pm

Triangulation of information makes sense because it helps identify outliers. Uncommon usage of data would send up a red flag and make people aware of the security issue (hopefully) before it reaches critical level like it did with Target. The sooner you notice something is up the sooner you can lock it down.

Peter Braun January 29, 2014 at 3:31 pm

Today, most people are suggesting that to benefit from certain services consumers have to give up their privacy. But what if the providers just could let go and give up collecting personal data on their customers? Providers could make their applications (that are running on consumers’ devices and not corporate servers) collect and analyze all or a subset of the data that you listed (and more in the future), generate a score or maybe a few scores and have the app make a decision based on that score. Or return the summary score to the provider’s servers to make the decision there without revealing the components like location and sensor results that are private in nature. Even ad targeting could be done on the consumer’s device. Then the app would delete the granular data on the phone used for the decision. The added benefit for providers would be that all computations would be done on people’s phones, saving the need for many servers. Why would providers do it? If people insist and governments enforce (through laws), this could become a reality. (Yes, governments too would have to let go and stop collecting every tidbit of data on their suspects / subjects / citizens.) Would the code that would execute these computations be too big and the computations too CPU intensive for today’s phones? Maybe today but not a few years from now. … This could be a way for new startups to compete – on a premise of not collecting personal data while providing all the benefits that such collections provide.
