Tag Archives: information security

HSBC UK – Mobile-friendly security from the start

It goes without saying that we are all using mobile more and more to manage our lives. To support this transformation, businesses need to do more than just design mobile browser-friendly pages and smartphone apps: they need to make all of the customer-facing business processes “mobile-friendly.”

One process often overlooked is answering those “account security questions” required to gain access to (or assistance with) your account. Too many businesses manage this in a way that completely falls apart when you are likely to need it most (in an airport, department store or other busy place far from your home or office).

The routine model of most companies is to ask you to provide personal identifying information (PII), such as your mother’s maiden name or social security number. Verbally sharing the answers to these is fine when you are in the privacy of your home or office. Sharing them in public, where you can be easily overheard, is an invitation to identity theft. Typing them on a smartphone is also less than ideal, especially when you are holding bags or waiting at a checkout counter.

Some companies try to get around this by using strong passwords. However, this too is an item that you would never want to speak out loud in public. It is also likely to be something hard to type on a smartphone keyboard or flip-phone keypad.

The answer is to consider the mobile use-case from the start and to design a process that works equally well anywhere: at home, in public, on your PC or on any telephone. HSBC (United Kingdom) does a really good job with this. This is not a surprise, as HSBC is a very global company and use of mobile for business transactions is much more widespread in Europe and Asia than it is in the US. HSBC uses a two-part system for authentication, where both parts are completely numeric (enabling easy entry anywhere by keypad or voice recognition) AND both are items that are completely useless to anyone who overhears them in public (a magic combination):

  • The first item you use is your account number. This is fully numeric and it is the same number you give others who need to give money to you (i.e., it is something you are not afraid someone else will hear).
  • The second item is a numeric PIN (Personal Identification Number). However, it is a PIN that is never used in its entirety. The IVRS, computer or call centre agent speaking to you over the phone will never ask you your PIN: they will only ask you a series of questions like “What is the third digit of your PIN? What is the sixth?” As a result, anyone overhearing you (unless you are silly enough to have your phone on speaker) will not gain any information they can use to crack your account (before triggering a fraud alert and security lock).

This simple design works really well everywhere (it even translates well across multiple languages). It is not only easy to use. It is something that you feel comfortable using in public.
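The partial-PIN challenge described above, as an added example that is not HSBC’s code: a small Python verifier that asks for only a couple of digit positions, counts failures toward a security lock, plus a helper that estimates how little an eavesdropper gains from one overheard session. The PIN length, challenge size and lockout threshold are assumed values, since the post does not state HSBC’s.

```python
import hmac
import secrets

PIN_LENGTH = 6       # assumed PIN length; the post does not state HSBC's
CHALLENGE_SIZE = 2   # digits requested per login ("the third ... the sixth")
MAX_FAILURES = 3     # assumed number of wrong answers before a security lock

_rng = secrets.SystemRandom()


class PartialPinVerifier:
    """Server side of a partial-PIN check: the caller is only ever asked
    for a few digit positions, never the whole PIN."""

    def __init__(self, pin: str):
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError(f"PIN must be exactly {PIN_LENGTH} digits")
        self._pin = pin          # in production this lives in an HSM or encrypted store
        self.failures = 0
        self.locked = False

    def new_challenge(self) -> list[int]:
        """Pick distinct 1-based positions so they read aloud naturally."""
        return sorted(_rng.sample(range(1, PIN_LENGTH + 1), CHALLENGE_SIZE))

    def verify(self, positions: list[int], answer: str) -> bool:
        """Check the spoken or typed digits; lock after repeated failures."""
        if self.locked:
            return False
        expected = "".join(self._pin[p - 1] for p in positions)
        # constant-time comparison; different lengths simply compare unequal
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
        return ok


def guess_success_probability(overheard: dict[int, str], challenge: list[int]) -> float:
    """Chance that someone who overheard earlier answers (position -> digit)
    answers a fresh challenge correctly in one try: every position they did
    not hear costs them a factor of ten, and the lock caps their tries."""
    unknown = sum(1 for p in challenge if p not in overheard)
    return 10.0 ** -unknown
```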

We need more solutions like this to make our mobile lives easier.

New technologies Wikileaks will inspire

Wikileaks is back in the news again today, with more information on its threat to disclose information on Bank of America. Any responses to block this will likely be followed by more DDoS attacks by Operation Payback. In light of this, it is easy to fall into the pattern of focusing on the “tax” that hackers impose on the cost of IT and information security.

However, there is another way to look at this. The good thing about technology is that it always adapts. The technology industry will evolve in response to the new threats that Wikileaks and its fans have found and develop products to address them. Here are just a few that come to mind:

DDoS “Insurance”

We have the technologies today (e.g., distributed read-only caches, on-demand cloud computing capacity) to handle massive spikes in traffic. What remains is someone who can offer this up as an “insurance service.” Here is how it would work:

  • You buy the service with set traffic thresholds
  • When traffic spikes above these, the company calls and asks if it is due to a promotion or an unscheduled event (i.e., a DDoS attack)
  • If it is true traffic, the company allocates more computing capacity at a surge charge
  • If it is a DDoS attack, it allocates read-only caches to share the load, directing users to the full-functionality servers after they have authenticated.

I could see Amazon easily stepping into this space (they already provide capacity to help Twitter support surges).

Consumer-friendly Security Certificates

We have many technologies to certify that users are valid, from certificates to VPNs to thick local clients. However, most of these technologies are not user-friendly to mainstream consumers. (Some would argue they are not user-friendly to business users either.) What is needed is:

  • Packaging this into a mainstream product that is both consumer-friendly and easy to integrate with existing business web sites
  • Establishing a partner network with businesses to accept the certificates
  • Setting up the customer service infrastructure to support consumers

Many would argue that this would remove much of the anonymity of the Internet. However, as the rise of social media has shown, consumers are less scared of disclosing personal information to companies than many of us thought.

I could see a company like PayPal making this work. They have the security expertise and a network in place that combines it with identity protection.

Data Watermarks

We have digital watermarking and rights management for multimedia (e.g., pictures, videos, music). We will eventually need to incorporate this into raw data. This would allow us to track the chain of custody for all data, making it harder for people to download confidential data and bring it home to share. It would have to:

  • Be integrated into the data itself, in a manner that destroys the integrity of the data if removed
  • Incorporate the time and point of access from which the data were removed or accessed
  • Include the option to force inclusion of the logged in identity of users accessing the data (for businesses, government, etc.)
  • Capture and append this whenever the data is written

This is a tricky one. I see groups ranging from MIT to the US NSA figuring out how this would work. However, organisations using sensitive data would love it (and pay much for it).

Acceleration of the InfoSec Arms Race

Once these products are in place, people like Julian Assange will quickly find new ways around them. However, technology providers will counter these with new and improved services. The net result of this “InfoSec Arms Race” will be improved control and security of our information. It will also create wealth for creative professionals and savvy investors.

Isn’t innovation wonderful?