The news from Target, increasing the number of cards compromised to 70 million and the expansion of data loss to mailing and email addresses, phone numbers, and names, affirms that we’re in a security crisis. As my colleague Scott Loftesness puts it, card data is, from a brand and business perspective, the new radioactive material. Add personally identifiable information (PII) to the list of toxic isotopes.
The depressing vulnerabilities these breaches reveal are the result of skilled attackers, the Internet’s lack of inherent security, and inadequate protections, whether from misapplied tools or their outright absence. Security is very, very hard when it comes to playing defense. There are no silver bullets, of course. Security is, like staying warm this winter, about layers.
There is a set of new technologies that could, in combination, produce a defense in depth that we have not enjoyed for some time. This post takes a look at those approaches and what they may mean for security as a whole.
Looking at the ACTs
Early last fall, internet and Silicon Valley observer Robert Scoble and his colleague Shel Israel released The Age of Context, a book based on the hundreds of interviews Scoble has conducted with tech start-up and established company leaders. In what is a wide-ranging survey, they examine what happens when our location and the people we are connected to are combined with the histories of where and when we shop. The result is a very clear picture of our needs, wants, and even what we may do next.
Combining the smartphone and the cloud, five “Age of Context” technologies, or ACTs as I’m calling them, will change how we live, interact, market, sell, and navigate through our daily and transactional lives, if they haven’t already. The five technologies are:
- Mobile Devices and Communications. Mobile devices are aggregation points for cloud-based services, sending to the cloud torrents of very specific data.
- Big Data. The ocean of data generated from those mobile streams, and our online activity, can be examined to develop rich behavioral data sets. This data enables merchants, for example, to mold individually targeted marketing messages or to let financial institutions improve risk management at an individual level.
- Social. Social networks map the relationships between people and the groups they belong to, becoming powerful predictors of behavior, affiliations, likes, dislikes and even health. Their role in risk assessment is already growing.
- Geolocation. Nearly every cell phone is equipped with GPS. Mobile network operators and an array of service providers can now take that data to predict travel patterns, improve advertising efficiency, and more.
- Sensors. Smartphones, wearables (think Fitbits, smart watches and Google Glass) and other devices are armed with accelerometers, cameras, fingerprint readers and other sensors. Sensors enable highly granular contextual placement. A merchant could know not only which building we are at and the checkout line we are standing in but even which stack of jeans we are perusing.
The many combinations and intersections of these technologies are raising expectations, and concerns, over what’s to come. Everyone has a stake in the outcome: consumers, retailers, major CPG brands, watchdog organizations, regulators, politicians, and the likes of Google, Apple, Microsoft, Amazon, eBay / PayPal, and the entire payments industry.
Scoble and Israel make clear we are only at the beginning of this process. We should have misgivings about this and, as an industry, as individuals and as a society, we will need to do better with respect to privacy. And certainly with respect to relevance.
My recent web searches for a new camera continue to haunt me through ads placed on sites I frequent, weeks after I made my purchase.
On the positive side, provided we can manage the privacy permissions we grant and the occasionally creepy sense that someone knows way too much about us, the intersections of these tools should provide more relevant information and services to us than what we have today. Anyone who has sighed at the sight of yet another web ad for a product long since purchased or completely inappropriate for you (Diapers? Really?) understands that personalized commerce has a long way to go. That’s part of what the “Age of Context” technologies promise to provide.
ACTs in Security
The ACTs’ role in commerce is one, albeit essential, application. They have the potential to power security services as well, especially authentication and identity-based approaches. We can combine data from two or more of these technologies, for example, to generate more accurate and timely risk assessments.
It doesn’t take the use of all five to make improvements. Firms like Early Warning Systems have demonstrated that the correlation of just two data points is useful. Early Warning has shown that if you can establish that a POS transaction took place in the same state as the cardholder’s location (based on triangulated cell phone tower data), then you can improve risk assessment substantially.
The ACTs let us ask powerful questions of each technology:
- Where does my device typically operate?
- How is my device configured?
- Is the current profile consistent with the past?
- What have I done in the past?
- Is there a pattern?
- How does that fit with what I’m doing now?
- Am I a real person?
- Who am I connected to?
- What is their reputation?
- What building am I in? Is it where the transaction should be?
- Which direction am I going in or am I running away?
- Where am I standing? What am I looking at?
- Is this my typical walking gait? What is my heart rate and temperature?
Knowing just a fraction of the answers to these questions places the customer’s transaction origination, the profiles of the devices used to initiate that transaction, and the merchant location into a precise context. The result should improve payment security.
More payments security firms are making use of data “signals” from non-payment sources, going beyond the traditional approach of assessing risk based primarily on payment data. Firms like Signifyd have added social data to improve fraud detection for ecommerce payment risk scoring. Competitor Socure, calling its approach Social Biometrics, evaluates the authenticity of social profiles across multiple social networks including Facebook, Google+, LinkedIn, Twitter, and email, with the goal of identifying bogus profiles. These tools are, of course, attractive to ecommerce merchants and others employing social sign-on to simplify site registration. That ability to ferret out bogus accounts supports payment fraud detection as well.
This triangulation of information is what creates Scoble and Israel’s notion of context. Apply it to security. If you can add the cardholder’s current location based on mobile GPS (the customer is at home) to the access device’s digital fingerprint (that’s her tablet), to the payment card (she’s used that card for her last eight purchases), and to the time of day when she typically shops, then the risk becomes negligible. Such precise contextual information could pave the way for retiring the distinction between card-present and card-not-present transactions in favor of a cardholder-present status to guide risk decision-making.
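As an added illustration (not code from the post or from any of the firms it names), here is one way the signal combination described above, together with the state-match check from the Early Warning example, can be turned into a risk score. The signal names, weights and thresholds are assumptions chosen for the example; an absent signal (location the customer declined to share, a device that was not fingerprinted) contributes nothing rather than counting against her.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TransactionContext:
    """Constructed signals for one purchase. None means the signal was not
    shared (e.g. the customer withheld location permission), not that it failed."""
    merchant_state: str                    # state of the POS or shipping address
    phone_state: Optional[str]             # state from the phone's location, if shared
    device_fingerprint: Optional[str]      # fingerprint of the access device, if collected
    known_devices: Tuple[str, ...]         # fingerprints previously seen on this account
    recent_purchases_on_card: int          # consecutive recent purchases on this card
    hour_of_day: int                       # local hour when the purchase was made
    usual_hours: range                     # hours when this customer typically shops


def context_risk(ctx: TransactionContext) -> dict:
    """Combine independent ACT signals into a 0-100 risk score (assumed weights).

    A signal that corroborates the cardholder lowers the score, one that
    contradicts raises it, and an absent signal contributes nothing, so a
    privacy-conscious customer is not penalised for sharing less data.
    """
    score = 50            # neutral starting point with no signals at all
    corroborating = 0     # how many independent signals agree with the cardholder
    if ctx.phone_state is not None:
        if ctx.phone_state == ctx.merchant_state:
            score -= 20
            corroborating += 1
        else:
            score += 30   # phone says she is elsewhere: strongest contradiction
    if ctx.device_fingerprint is not None:
        if ctx.device_fingerprint in ctx.known_devices:
            score -= 15
            corroborating += 1
        else:
            score += 15   # a new device is suspicious but not damning on its own
    if ctx.recent_purchases_on_card >= 5:
        score -= 10
        corroborating += 1
    if ctx.hour_of_day in ctx.usual_hours:
        score -= 5
        corroborating += 1
    score = max(0, min(100, score))
    level = "low" if score < 25 else "medium" if score < 60 else "high"
    # "Cardholder present" is granted only when several independent signals
    # agree and the score is low; this is the status the post suggests could
    # replace the card-present vs card-not-present distinction.
    return {"score": score, "level": level,
            "cardholder_present": level == "low" and corroborating >= 3}
```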
Sales First, Then Security
Of course, the use of ACT-generated and derived signals will be based on the anticipated return on the investment. Merchants and financial institutions are more willing to pay to increase sales than to pay for potential cost savings from security services. As a result, the ACTs will impact commerce decision-making first—whom to display an ad to, whom to provide an incentive to.
Behind the scenes, the impact of the ACTs on security will be fascinating, and important, to watch. From a privacy perspective, the use of the ACTs in security should prove less controversial because their application in security serves the individual, the merchant and the community.
Determining the optimal mix of these tools will take time. How different are the risks for QR-code-initiated transactions vs. a contactless NFC transaction? What’s the right set of tools to apply in that case? What sensor-generated data will prove useful? Is geolocation sufficient? Will we find social relationships to be a strong predictor of payment risk, or are these more relevant for lending? And what level of data sharing will the user allow—a question that grows in importance as data generation and consumption are shared more broadly and across organizational boundaries. It will be important for providers of security tools to identify the minimum data for the maximum result.
I expect the ACTs to generate both a proliferation of tools to choose from and a period of intense competition. The ability to smoothly integrate these disparate tool sets will be a competitive differentiator because the difficulty of deployment, for many merchants, is as important as cost. Similar APIs would be a start.
Getting More from What We Already Have
The relying parties in a transaction—consumers, merchants, banks, suppliers—have acquired their own tools to manage those relationships. Multi-factor authentication is one tool kit. Banks, of course, issue payment credentials that represent an account and proxy for the cardholder herself at the point of sale or online. Financial institutions perform know your customer (KYC) work at account opening to verify identity and lower risk.
Those siloed efforts are now entering an era where the federated exchange of this user and transactional data is becoming practical. Firms like SecureKey and Nok Nok Labs and initiatives like the National Strategy for Trusted Identities in Cyberspace (NSTIC) are building the tools and the economic models to leverage these novel combinations of established attributes and ACT-generated data.
The ACTs are already impacting the evolution of the payments security market. Payment security incumbents like Early Warning and specialists like Signifyd and Socure, to choose just two from the social side, find themselves in an innovation-rich period. Done well, society’s security posture could strengthen. Here’s hoping.
Hope’s a great thing but it’s insufficient. I want to help contribute to putting these tools to their best use. If you have an idea for your initiative and would like to see it move forward faster, let’s see if I can help. Get in touch. If I can’t help you, I know one of my Glenbrook colleagues can.