Monday, 20 August 2018

My convenience, your security

Last week there was fraud event with my credit card.  Fortunately, my card company spotted the attempted fraud and blocked any transactions – so no hassle arguing over money.  What it did mean however was that I was stranded, away from home, with no credit card to pay for my return train tickets.  Throughout the entire experience, security was a distant thought; all I cared about was (in)convenience.

Having been notified about the attempted fraud, it took me 24 hours to actually contact my card company.  This wasn’t because I was on top of a mountain with no phone coverage – or that I’d been held captive by the fraudsters - the simple truth is that I wasn’t that bothered.  It was so low down my list of priorities that it disappeared from day one’s task list, and on day two I forced myself to do it first thing otherwise I knew it would drop off again.  I didn’t know how serious the attempted fraud was – was it a half-assed attempt on an online payment, had they tried to access my account using my personal details?  I still don’t know exactly what happened, “security reasons” mean that I don’t get to know the what, why and where.  This lack of involvement is definitely one of the reasons why I see the problem as my card companies, not mine; and why I care more for my convenience than their security.

When on the phone, I went through the usual knowledge-based authentication.  What’s my favourite colour of dog?  What month was my rabbit born?  The usual process that leaves me feeling cold when there are much more modern ways of secure communication.  Hey, is it any wonder that you’re having to deal with your fraudsters with legacy security processes?    They satisfied themselves that it wasn’t me who’d tried to buy a Gucci handbag from a website in Guatemala or whatever had occurred.  Now they’d cancel my old card and strap a new one to a homing tortoise.  What?  Cancel my card?  I need it!  I can’t wait for you to send me a new one.  Obviously, I was terribly sad to hear of their security problems, not sad enough that to solve it they’d have to inconvenience me.  After much grumbling, and telling me repeatedly that there was no choice other than cancel the old one,
they eventually agreed to at least deploy the new one via homing cheetah instead. 

After hitch-hiking back home, spending another day grumbling about the inconvenience of it all, my new card arrived.  Security as the top concern, my card company has sent this using a signed for service.  So obviously the delivery person had scribbled on their pad themselves and left it securely propped up by my front door.  Convenient for them, convenient for me.  Not so secure for my card company.

Now those who know me, will be surprised that I’ve been talking about a credit card; I don’t actually use the card.  I use Apple Pay.  This was my next point of inconvenience, having to set up my card on my phone and watch.  Except that it wasn’t inconvenient at all.  It was either witchcraft or some sort of data sharing between my card provider and Apple.  When I selected to add a new payment card to my wallet I was asked if it was the card ending in the last 4 digits that my card provider had sent me.  Instantly I forgot about GDPR and informed consent and personal data.  This was convenient… and kind of cool.

Sadly, not everyone accepts Apple Pay – though happily, for convenience again, I can usually save my payment details with the service providers that I use regularly.  One such provider is the App where I buy my train tickets from.  Now this App is absolutely awful.  It looks like the train company asked their office cleaner to develop it for them.  And high on the fumes of Vim mixed with Bleach the cleaner agreed to do this despite not having any of the skills required to do so.  Yet using it means that I have access to eTickets.  No print at home or collect from the station for me – eTickets all the way… convenient.  Given how awful I said the development of the App is, I don’t really have great confidence in how secure it is either.

If I was a betting man, I’d guess that the fraud on my card was more likely to have come from the train company that Apple.  Though I also know that I’m using my card as designed when I fill them in and when I click the button to save for future use.  If the card company doesn’t use the best security, then it would appear that neither of us are that bothered.  Maybe convenience is best for both of us.  My new card details are now in the place where the old ones were.  The same pattern repeated across all my regular interactions.

Unless my card company changes to show me that security is important to them, and educates that security is important to me – mutual authentication as a minimum for communication regardless of channel, tokenisation and identity in payments, customer centric fraud prevention – then convenience will remain my priority and security will remain their problem.

Read my other posts
Check out my other posts

About me
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has over 20 years experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA

Connect with Bryn on Linked In: Bryn Robinson-Morgan

Saturday, 2 June 2018

Privacy is not dead

The implementation of the European Union’s General Data Protection Regulation has raised the profile of where our data exists and how our data is used.  This has led to many discussions on the concept of privacy, and for many to declare that privacy is dead.

It’s true to say that our data is far more freely available than it has ever been.  The advent of social media created a willingness, even a desire, for people to share their activities, their thoughts, their feelings.  Facebook changed the concept of friendship – The average Facebook user has around 350 “friends” who they share their lives with.

Whilst our data has been made available via public registers – the electoral roll, telephone directories and all – the digitisation of this information onto the internet brought convenience and searchability for anyone wanting to find out information about us.  Our sharing of information via social media added depth and meaning to our data.

With so much information about our lives available and easily accessible, it is surely fair to assume that privacy is dead.  My assertion is that privacy isn’t dead, it’s just misunderstood.

Given that I gave social media is a cause, I’ll provide balance by using it as to why privacy still matters.  When the world’s largest data business, Google, tried to move into social media they understood privacy.  Their implementation was based on the fact that we have circles of privacy.  The idea that I share different information about me with different circles of people.  The Venn diagram of privacy where context is key.

Within GDPR, the processing of sensitive personal data contains a derogation for personal data which are manifestly made public by the data subject.  This doesn’t mean that because the data has been made available it is a free-for-all for whoever wishes to use it.  We have to consider the context for which it has been made available.

When we consider privacy, this shouldn’t be on the basis of what information is available, or where it exists.  We need to look at privacy from the perspective of the user.  If I shared what I got up to on the weekend with my immediate family circle I haven’t given away my right to privacy.  This information, whilst maybe more accessible and more public than at any time in history, doesn’t make it any less private.  Privacy wasn’t dead when the first phone book was published, so why should it be now?

The new paradigm for privacy is looking at information hidden in plain sight; protected by context.  This may mean that we have to consider how we authenticate and verify our customers.  Knowledge based challenges are worthless where the information is available to fraudsters who don’t operate by the same rules of privacy.  The value of static data for this purpose has diminished.

When we understand this new paradigm, we can design for it.  Understanding enables us to better authenticate and verify our users.  It allows us to put users back in control of their data.  It allows us to innovate around how users can earn value from their data.

Privacy isn’t dead; it’s just misunderstood.

Read my other posts
Let's get physical - how to get fit for the digital era by leveraging the offline world
Trust me, I know a shortcut - Digital identity is hard.  Take shortcuts at your own risk
The rise of synthetic identity - Fraudsters are playing the long game, we need to think ahead
Just in Case - From early adoption to maturity
I have control - Can we truly own our identity
Tipping the balance - Getting the right balance between security and user experience
You don't know what you're doing Poor security practices are putting users at risk 
I didn't say you could touch me - Biometric authentication and identity
You don't need to tell me - Impacts of the EU General Data Protection Regulations
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Distributed Identity has no clothes - Will distributed ledger technology solve identity
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile
Defining the Business Analyst - Better job descriptions for Business Analysis
Unexpected Customer Behaviour -  The role of self-service in your customer service strategy
Rip it up and start again - The successful Business Transformation
Too Big To Fail - Keeping the heart of your business alive
The upstarts at the startups - How startups are changing big business 
One Small Step - The practice of greatness
In pursuit of mediocrity - Why performance management systems drive mediocrity
Privacy is not dead - Understanding the new paradigm of privacy

About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn over 20 years experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA

Connect with Bryn on Linked In: Bryn Robinson-Morgan