The trouble with daring a hacker


It has become something of a journalistic fad for reporters to invite hackers to, well, hack them. Without exception, they emerge shaken by two observations: Just how vulnerable they are; and just how much sensitive data they’d forgotten about that awaited discovery.

TIME reporter Joel Stein is one of the latest to give it a whirl. He writes about his experience in his column dated March 23. Unsuccessful at recruiting real hackers—those he contacted may have feared embarrassing him or worried about entrapment—he finally cornered a pair of young staffers at the magazine with no hacking abilities, gave them his passwords, and told them to have at it.

“The advice hackers give when looking for dirt in a pile of data,” Stein says, “is to …

… search for words such as pissed or angry. They suggest figuring out to whom the most emails are sent, since that signals a trusted relationship. And to use Facebook to suss out relationships—ex-girlfriends, college acquaintances—to spot dubious interactions. Deleted photos are telling, as are erased emails. And they say to always, always look in the draft folder, which houses the truly horrible stuff people are too smart to send … Using this advice, my two hackers delivered an 18,000-word document of humiliations three weeks later.”

Three years earlier, Telegraph reporter Sophie Curtis wondered,

… is the threat of being hacked something that you or I really need to worry about? And if someone did hack into your computer, what would they be able to do with the information they found?

Over the summer I decided to put these questions to the test. I got in touch with an ‘ethical hacker’ called John Yeo, who works for cyber security firm Trustwave, and asked him to try and hack me.

Curtis had written a good deal about cyber security, so, she wrote, “most of my profiles are fairly locked-down.” But, not so fast. Her hired hackers found indirect ways of learning more about her. Next, they faked an email appearing to come from LinkedIn, a source she trusted. The mere act of opening the email—without clicking links—embedded a single pixel that let her hackers “fingerprint” her computer, that is, identify …

… which operating system the computer is running, as well as which browser I was using, which browser add-ons I had, and which security software might be running on the computer.

That’s where Curtis’s tale turns scary. I recommend reading her article by clicking here. You might also check out this piece by Kevin Roose, who “dared two expert computer hackers to ruin my life.” Roose reported, “If I had to give myself an overall digital security grade, I’d give myself an A-.” But then he found out that

… it didn’t matter how good my defenses were. Against a pair of world-class hackers, my feeble protections were about as useful as cardboard shields trying to stop a rocket launcher. For weeks, these hackers owned the hell out of me. They bypassed every defense I’d set up, broke into the most sensitive and private information I have, and turned my digital life inside out.

“Please hack the Pentagon”

According to the Infosec Institute, in the 1960s the word hacker originally meant

… someone dedicated to solving technical problems in machines in a different, more creative fashion than what is set out in a manual … “hacking” just intended to find out a quick way to evaluate and improve problematic systems that need to be optimized.

Yet the potential threat wasn’t hard to anticipate. The United States government routinely hired hackers to test online security as early as the 1960s and 70s. Despite such precautions, it caused no small stir when in 1990 three men not retained by the government were indicted for hacking into classified U.S. military data. Meanwhile, the 1983 movie War Games, with Matthew Broderick and Ally Sheedy, had already fanned the public’s fears.

War Games was highly fictionalized, but the threat of hacking is real and continues to grow. This is from Symantec’s 2016 Internet Security Threat Report:

In 2015, we saw a record-setting total of nine mega-breaches, and the reported number of exposed identities jumped to 429 million. But this number hides a bigger story. In 2015, more companies chose not to reveal the full extent of their data breaches. A conservative estimate of unreported breaches pushes the number of records lost to more than half a billion.

The threat of nefarious hacking has increased the demand for “ethical” hacking. Last year, a call went out from no less than the Pentagon seeking hackers to try to penetrate their defenses. Of course, applicants had to pass a background check. Even that’s a little unsettling, since more experienced, not-so-ethical hackers usually don’t bother submitting to background checks before setting to work. In any case, according to USA Today, the program …

… launched in April and the Pentagon said it would [offer] prize money awards and other recognition … The Pentagon has acknowledged that its networks are under daily assault by hackers and securing the systems are [sic] a high priority. Last year, an email system used by the Joint Chiefs of Staff was penetrated by hackers and had to be taken offline in order to cleanse the system.

Somewhere in all of this are important takeaways:

  • Vigilance is a must. Even with good security in place, you must never assume you’re invulnerable.
  • Most of us have no clue as to the sophistication of determined hackers.
  • Just opening an email can be dangerous, even without clicking on links.

It creates something of a juggling act for an industry like banking, whose markets demand digital services. The trick is to keep clients forewarned and forearmed while avoiding frightening them so much as to lose their confidence. Perhaps paradoxically, the proper presentation of information on staying safe from hackers can increase client confidence by conveying that a financial institution is knowledgeable and cares about its customers.

In the meantime, a bit of good advice for us all is summed up in a cartoon, which, out of respect for copyright laws, I shall not post. But I can link to it.

Posted in Uncategorized by Matt. No Comments

Catch my presentation on Zelle at PAYMENTS 2017


I hope you have already marked your calendar for April 23-26 and booked a flight to Austin, Texas. (Unless, that is, you live within driving distance.) You surely do not want to miss NACHA’s PAYMENTS 2017 convention.

This year, it will be my honor to take the stage at the event on Tuesday, April 25, at 8:31 a.m. I’ll be talking about Early Warning’s Zelle network and providing an inside look at how Fiserv is delivering the first turnkey version.

In an October 2016 press release, Fiserv reported that the Zelle network …

… will be offered by many of the country’s leading financial institutions, and will provide consumers with a faster way to send and receive payments within the security of their financial institution.

Fiserv will offer the first turnkey version of Zelle to simplify integration for financial institutions of all sizes. It will offer all the elements of the Zelle solution in a single platform to reduce costs and speed time to market for financial institutions.

The media have been heralding Zelle as banks’ answer to P2P payments threats from nonbanks such as PayPal’s Venmo. Personally, I think that trivializes just a little. I suspect that, more than just answer alternative P2P payments threats, Zelle will absolutely set the standard. Consider a few of Zelle’s competitive advantages:

  • Zelle lets just about anyone with a valid deposit or demand account send funds to just about anyone else. Even if their bank isn’t a participant. Which their bank should be, especially with Fiserv making it easy for them.
  • The Zelle app is intuitive and easy to use.
  • Financial institutions can brand the Zelle app.
  • Even so, the Zelle app presents all users a consistent look and interface, regardless of whether they access it via their financial institution or download it directly from Zelle.
  • Funds availability is lightning fast, thanks to Zelle’s unique, rapid-fire funds verification technology.
  • Zelle is incredibly versatile. For instance, it lets users easily split the check at a restaurant.
  • Zelle is secure.

Aite Group’s Retail Banking & Payments analyst Talie Baker summed it up nicely: “The launch of Zelle gives banks a chance to establish a foothold as the provider of choice for person-to-person payments and even take back their share of the market from non-FI providers.”

Fiserv is a global leader in financial services technology solutions and happens to be my employer. Early Warning is a leader in financial technology that protects and advances the financial system. NACHA, which is much easier to say than “National Automated Clearing House Association,” is a not-for-profit, self-regulatory association of “ … nearly 10,000 financial institutions via 11 Regional Payments Associations and Direct Membership.”

If you attend PAYMENTS 2017, please grab me and say hello.


India sets off on the long road to a cashless society

The Republic of India hopes to boost digital payments via Aadhaar Enabled Payments and Unified Payments Interface, or UPI. But it faces two problems:

Problem 1. Banks are largely responsible for getting merchants to accept digital payment via Aadhaar and UPI.

Problem 2. India’s government would like banks to show a bit more oomph in that regard.

That’s why India’s government is looking at rewarding banks with up to 10 rupees per Aadhaar and UPI transaction.

Dissatisfied with the National Institution for Transforming India (NITI)’s progress, last year Prime Minister Narendra Modi transferred responsibility for promoting adoption to the Ministry of Electronics and Information Technology, or MeitY. The latter has made the current proposal.

The Economic Times reports, “Funds will be made available from the India Inclusion Fund of Nabard and the corpus could be as high as Rs 1000 crore, according to an official.” A crore equals 10 million. Depending on exchange rates, Rs 1000 crore works out to somewhere between $150 million and $202 million in U.S. dollars. Not exactly chicken feed, depending, I suppose, on the chicken.

India has already announced consumer incentives as well. For consumers who pay using digital technology, there will be a .75 percent discount on gasoline, a .5 percent discount on rail fare and hospitality services, a full 10 percent discount on insurance premiums, and other incentives.

Not that I’m complaining, but I was curious as to why the Republic of India is gung-ho about digital payments. I learned that the underlying goal is ambitious: India wants to go cashless, period. There are myriad reasons, from frustrating tax evaders, to countering a sudden physical currency shortage, and, as Slate points out:

This government is trying to fight corruption and move towards a more digital economy. In India, people have stashed away huge amounts of money—income that has never been declared and is then laundered through extravagant weddings, construction work, luxury vehicles, jewelry. Nobody knows exactly how much “black money” there is, but it’s safe to say that there’s a lot.

All of which may account for GSM Association and Boston Consulting Group’s prediction that digital payments in India may top $500 billion U.S. within three years.

Incentives aside, the road to cashless-ness is a long one. An NPR article by Julie McCarthy cites a Pew survey showing that only 17 percent of Indians own a smartphone and only 20 percent have Internet access. Moreover …

[Senior Associate Dean at the Fletcher School at Tufts University Bhaskar Chakravorti], who co-authored a report titled “The Cost of Cash in India,” found that, “most Indians lack the means to use cashless alternatives irrespective of their desire to do so.”

There’s a proposed solution for that one, too. Chief Minister of Andhra Pradesh N Chandrababu Naidu recently recommended a Rs 1000 subsidy for smartphone purchasers. With smartphones in India priced from Rs 6999 to Rs 12,999, it remains to be seen how much the subsidy will help out India’s considerable poor population. Especially, as Chakravorti continues:

“The digital infrastructure in India is so horrendously poor,” Chakravorti says. “The majority of people don’t have access to smartphones. Large numbers of them cannot read or write. Mobile connections are extremely poor. Even the people in the city, for them connections are terrible.”

These are real problems, and they are not necessarily unique to India. It might be a good idea to keep our eye on India as it works through them. Their experiences may streamline the process for those who follow.


X, Y, Z … A?

 

Dub them Y-nots or Alphas, one thing is certain: My son’s generation comes with finely-tuned chocolate cookie detection ability.

If you adopt an alphabetized naming system, think twice before starting with X. You will run out of letters in no time.

Having gone through X, Y, and Z, marketers are wondering what to call the rising generation of preschool- and elementary school-age children. Fortune remains agnostic as to what the name will be. Futurist Mark McCrindle blogged that submissions in response to a survey included “… the Regeneration, Generation Hope, Generation New Age, the Saviours, Generation Y-not and the New Generation.”

Much as I like the idea of calling my kids “Y-Nots,” what seems to be gaining favor and will likely prevail is a suggestion that we circle back to the letter A with “Generation Alpha.” This may be due in large part to the fact that McCrindle, who does not want for media exposure, has championed it in a big way.

I bring up McCrindle with hesitation. There is some question as to how much to rely on his claims. ABC Media Watch looked into him and emerged not altogether reassured:

… the media have been happily running this stuff for years, without apparently ever bothering to question its claims. It’s just typical of the dross that fills our TV, radio and newspaper every day.

But all the media coverage gives McCrindle Research the publicity to attract private, paying clients. And it gives Mark McCrindle a high profile on the lucrative public speaking circuit.

Either way, McCrindle’s term of choice seems to be edging out competing ones. Publications that have embraced “Alphas” and credit McCrindle for it include Forbes, Business Insider, The New York Times, and Business.com.

An Advertising Age piece by Sysomos chief strategy officer David Berkowitz treats the adoption of “Alphas” as a fait accompli, albeit without reference to McCrindle. Perhaps prematurely, since by his definition the oldest Alphas will start elementary school next year, Berkowitz predicted “13 Things to Know About the Alpha Generation.” He goes out somewhat on a limb with a couple of specifics, like Alphas will “hate sharing the economy” and love “full-fat, organic dairy,” but most of his predictions are broad and, therefore, safe: I challenge you to name any population to whom you couldn’t retrofit “They don’t play by the rules” or “They break free of any boundaries.” Guaranteed not to fail is “They are very mobile, except when they’re stationary.” Can’t argue with that.

The possible absurdity of predicting Alphas’ behaviors this early is summed up in a pragmatic question that Alex Williams of The New York Times put to McCrindle in an interview conducted by email:

Is it jumping the gun to try to define a group of people who are barely past the age of watching ‘Barney & Friends’?

Instead of answering, McCrindle raved about Alphas in terms of projected numbers:

There are more than 2.5 million Gen Alphas born globally every week. When they have all been born (2025), they will number almost two billion. They start school next year and will be the most formally educated generation ever, the most technology supplied generation ever, and globally the wealthiest generation ever.

Maybe so. But then, maybe we should give Alphas a little more time to grow up before committing dollars to anyone’s predictions.


Under the new administration: Predicting the future of fintech

Perhaps you heard: The United States has a new administration.

Relax. I’m not going to opine here about bathrooms, health care, or walls. I could think of no surer way to lose about 50 percent of valued personal and business relationships. Instead, I’m going to report on sundry educated guesses as to what we in the payments industry might expect.

There is widespread agreement that the Dodd-Frank Wall Street Reform and Consumer Protection Act faces serious revision if not outright repeal. The act’s stated purpose is:

To promote the financial stability of the United States by improving accountability and transparency in the financial system, to end too big to fail, to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services practices, and for other purposes.

Dodd-Frank merged a number of federal agencies and created a fair share of new ones, the most notable being the Financial Stability Oversight Council, the Office of Financial Research, and the Bureau of Consumer Financial Protection. Depending on whom you ask, Dodd-Frank is a godsend, a millstone, or a bit of both. TechTarget offers a succinct summary of the two views. Proponents, it says …

… believe the act prevents the United States economy from experiencing a crisis like that of 2008 and protects consumers from many of the abuses that contributed to that crisis.

… whereas opponents …

… believe the compliance burdens the legislation creates makes [sic] it difficult for U.S. companies to compete with foreign counterparts.

But, in any case …

In February of 2017, President Trump issued an executive order that directed regulators to review provisions put in place by the Dodd-Frank Act and submit a report on potential regulatory and legislative reforms.

The award for scariest headline goes to Nasdaq, who recently ran the not terribly reassuring, “Will Trump Disrupt the Payments Industry?” The article quotes E&S Consulting founder Lori Breitzke:

“Trump may repeal the CFPB, given his disdain for [Dodd-Frank]. If this occurs, the CFPB’s new prepaid card rules will be repealed along with the agency, and another entity will be created to replace it. If Trump cannot repeal the CFPB, he will instruct the agency to ignore, rather than enforce, the existing rule governing prepaid cards. Trump also will lower taxes on small businesses, fostering growth and the need for more merchant accounts and services.”

A number of journals are following Trump’s threat to cut off remittance send from the U.S. to Mexico. Shortly after the 2016 election, Business Insider reported that the threatened cutoff:

… could drastically curtail the operations of US remittance firms. Mexico is the largest receive destination for US remittances, cashing $25 billion in 2015, according to the World Bank. The strength of that corridor is pushing firms to double down on Mexico—for instance, Western Union recently nearly doubled the size of its retail network in the country, and MoneyGram unveiled a product in partnership with Walmart to make it easier and less expensive to send money from the US to Mexico. Cutting off access to the corridor, even temporarily, could drastically change the trajectory for these companies.

For mobile payments, the news may not be all bad. Most agree that the threatened cutoff may, as John Rampton, writing for Mashable, observes …

… put mobile payments, such as digital wallets and peer-to-peer payment apps, in a better position to thrive. Unlike traditional payments companies, these allow users to make cross-border payments without government interference.

Rampton takes a look specifically at the payments industry. He predicts a rollback of regulations welcomed by the financial services industry, agrees that cutting off remittances to Mexico could have adverse economic consequences, especially for the likes of Western Union, and reports a curious, early “skirmish” between the administration and the New York State financial regulator Maria Vullo, who wrote, “The OCC should not use technological advances as an excuse to attempt to usurp state laws that already regulate fintech activities.” Vullo was reacting to the White House’s just-released whitepaper, “A Framework for Fintech,” which, as of this writing, the White House has apparently pulled from its site.

Predictions by various pundits, policymakers, and reporters are all over the board. One thing all appear agreed on, however, is that no one really knows what’s coming. As Rampton summed up, “While the new presidential administration could bring about many new changes in the payments system—both good and bad—it’s still too early to predict exactly what’s going to happen.”
