Tag Archives: fraud

HSBC UK – Mobile-friendly security from the start

It goes without saying that we are all using mobile more and more to manage our lives. To support this transformation, businesses need to do more than just design mobile browser-friendly pages and smartphone apps: they need to make all of the customer-facing business processes “mobile-friendly.”

One process that is often overlooked is answering the “account security questions” required to gain access to (or assistance with) your account. Too many businesses manage this in a way that completely falls apart exactly when you are most likely to need it (in an airport, department store or other busy place far from your home or office).

The routine model at most companies is to ask you for personal identifying information (PII), such as your mother’s maiden name or social security number. Verbally sharing the answers is fine when you are in the privacy of your home or office. Sharing them in public, where you can easily be overheard, is an invitation to identity theft. Typing them into a smartphone is also less than ideal, especially when you are holding bags or waiting at a checkout counter.

Some companies try to get around this by using strong passwords. However, a strong password is also something you would never want to speak out loud in public, and it is likely to be hard to type on a smartphone keyboard or flip-phone keypad.

The answer is to consider the mobile use case from the start and to design a process that works equally well anywhere: at home, in public, on your PC or on any telephone. HSBC (United Kingdom) does a really good job with this. This is not a surprise, as HSBC is a very global company and the use of mobile for business transactions is much more widespread in Europe and Asia than it is in the US. HSBC uses a two-part system for authentication, where both parts are completely numeric (enabling easy entry anywhere by keypad or voice recognition) AND both are items that are completely useless to anyone who overhears them in public (a magic combination):

  • The first item you use is your account number. This is fully numeric and it is the same number you give others who need to give money to you (i.e., it is something you are not afraid someone else will hear).
  • The second item is a numeric PIN (Personal Identification Number). However, it is a PIN that is never used in its entirety. The IVRS, computer or call centre agent speaking to you over the phone will never ask you your PIN: they will only ask you a series of questions like “What is the third digit of your PIN? What is the sixth?” As a result, anyone overhearing you (unless you are silly enough to have your phone on speaker) will not gain any information they can use to crack your account (before triggering a fraud alert and security lock).
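To show how the server side of such a partial-PIN check fits together, here is an added example (not HSBC’s code, and not from the original post). It assumes a six-digit PIN, two positions asked per challenge and a lock after three wrong answers; it also keeps the same two positions until they are answered correctly, so a caller cannot simply hang up and be asked for a different pair.

```python
import hmac
import secrets

PIN_LENGTH = 6      # assumed; the post does not state the length of an HSBC PIN
DIGITS_ASKED = 2    # "What is the third digit of your PIN? What is the sixth?"
MAX_FAILURES = 3    # assumed threshold for the fraud alert and security lock


class PartialPinVerifier:
    """Server side of a partial-PIN check: the caller is asked for a few
    digit positions and never states the whole PIN."""

    def __init__(self, pin: str, rng=None):
        if len(pin) != PIN_LENGTH or not (pin.isascii() and pin.isdigit()):
            raise ValueError("PIN must be exactly %d ASCII digits" % PIN_LENGTH)
        # Individual digits must be readable, so the PIN cannot be stored as a
        # one-way hash; in production keep it in an HSM or encrypted at rest.
        self._pin = pin
        self._rng = rng or secrets.SystemRandom()
        self._pending = None   # positions currently being asked for
        self.failures = 0
        self.locked = False

    def challenge(self):
        """Return the 1-based positions to ask for, e.g. (3, 6).  The same
        positions are kept until answered correctly, so a caller cannot hang
        up and be asked for a different set."""
        if self._pending is None:
            picked = self._rng.sample(range(1, PIN_LENGTH + 1), DIGITS_ASKED)
            self._pending = tuple(sorted(picked))
        return self._pending

    def verify(self, answer: str) -> bool:
        """Check the digits given for the pending challenge; lock the account
        after MAX_FAILURES consecutive wrong answers."""
        if self.locked or self._pending is None:
            return False
        expected = "".join(self._pin[p - 1] for p in self._pending)
        # compare_digest needs ASCII input and runs in constant time
        ok = (answer.isascii() and answer.isdigit()
              and hmac.compare_digest(expected, answer))
        if ok:
            self._pending = None   # next call draws fresh positions
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True  # fraud alert: stop answering challenges
        return ok
```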

This simple design works really well everywhere (it even translates well across multiple languages). It is not only easy to use; it is also something you feel comfortable using in public.

We need more solutions like this to make our mobile lives easier.

Skype’s ‘fraud’ problem

Skype is a great technology and compelling product. However Skype has not set up the appropriate protections within their network to make it a safe place to do business (as viewed by multiple major financial institutions). It must address this if it wants to generate a large, recurring revenue stream.

Skype IS a great online conferencing service

Skype is a great online conferencing service. I use it daily to conduct online video conference calls with friends and colleagues all over the world. As long as they have a Skype account, a video camera and the Skype software installed, I can see them, speak with them, send them files, and text chat with them—all free of charge. It is far easier to use than other online teleconferencing services.

Skype COULD BE a great telephone conferencing service as well

Skype also provides the ability to call and conference with telephones (landline and mobile). This is where Skype has positioned itself to generate more than simple online advertising revenue. To make a Skype-to-telephone call, I need to buy and use Skype Credits. Why would I want to do this (instead of using my mobile phone)? For one major reason: Skype is VoIP-based. As such, I can make international calls much more cost-effectively—and in a more user-friendly fashion—than by setting up a separate international dialing plan (or separate VoIP account). This prospect becomes even more user-friendly as Skype can be used from my smartphone (as long as I am connected to a Wi-Fi network).

Unfortunately, this theory does not execute well in practice…

It turns out Skype does not have a good reputation with major banks

I travel a lot and have many friends in Europe, Latin America and the Middle East. This week, I bought some Skype Credits so I could call them at a low rate and wish them Happy New Year. My plans did not work out well…

My first credit card (a major UK-based bank that I use when I travel outside the US) immediately denied the charge. My second credit card (a major US-based bank) also denied the charge. My third credit card (a regional US-based bank) correctly processed the charge and allowed me to purchase the credit. Within minutes, my test call to France worked (at less than $0.03 per minute). I was a little miffed that it took three card attempts (I pay my credit card bills online monthly in full), but was relatively pleased with the service I purchased. Then I went to the supermarket 2.5 miles from my house…

At the supermarket, all of my cards were turned off due to a Fraud Alert (a rather embarrassing situation). When I called each company, every one said the exact same thing:

“You purchased something on a web site called ‘Skype-dot-com’;
this triggered a fraud alert and caused us to block your account.”

I have been using ecommerce sites since 1997; I have never had this happen with any other web site.

This is a major problem

I immediately turned off auto-replenishment on my Skype account. I cannot risk having them repeatedly shut off my credit card due to a fraud alert. It would take a lot to get me to turn this back on. This is a major problem that limits Skype’s ability to grow recurring revenue.

How Skype can address this

The new owners of Skype should invest in creating a broad human- and technology-based security infrastructure:

1. Enable member policing supported by a Community Action Team

Enable Skype Members to report suspicious or threatening behavior (e.g., all those “Contact List” requests from “SexyBettyXYZ”) to a Community Action Team empowered to review and terminate accounts in response. In addition, Skype should automatically suspend accounts that receive a threshold number of reports within a time window.

2. Create a member security call center

Create a Call Center where Members can call and report problems, ask questions and check to ensure their account is secure. This immediately puts Skype on the level of any other telco. The beautiful thing is that Skype can do this with lower IT costs than any other business.

3. More aggressively monitor and block suspicious IP addresses

Skype probably already has many automated safeguards in place, such as password-phishing protection and intrusion detection. It should take this a step further and block suspicious IP addresses from its network. Yes, this is an endless “chess game.” However, it will make Skype a less appealing target to many hackers and phishers.

4. Create security threat reporting relationships with “The Authorities”

Create business reporting and forensic information exchange relationships with authorities like the FBI and INTERPOL. Make it easy to escalate suspicious behavior (and electronic evidence) to these authorities to go after hackers, phishers and online-based abusers. This not only makes Skype safer; it also provides Skype access to a broader set of resources to resolve security issues.

5. Create fraud reporting and processing operations in conjunction with financial services institutions

Create business processes, virtual call centers, reporting frameworks, credit and debit processing operations and forensic information exchange frameworks to make it easy for financial services institutions to verify transactions, report fraud and take care of victims of fraud. Without this investment, many people will simply not be able to use Skype for recurring paid transactions.

None of these approaches is new. They were all pioneered in the early days of the business-to-consumer Internet, where they were critical to establishing safe online business environments.

Yes, these investments are expensive. However, they will pay off in the long run by enabling direct consumers, small businesses and large enterprises to use Skype as an all-in-one telephone and video conferencing provider.