It’s not hard to pick out the banker in a Western. Just look for someone sporting sleeve garters and a translucent visor.
This is a rare case in which Hollywood actually gets things right. In the late 19th century, sleeve garters served a practical purpose. Back then, you couldn’t walk into Nordstrom and ask for your neck size and sleeve length; if you couldn’t afford your own tailor, you made do with a one-size-fits-nobody. Shirt makers tended to err on the side of making sleeves way too long, so unless you wanted cuffs below your fingertips, you’d don garters to hoist them up where they belonged. This also helped reduce soiling from dragging sleeves over ink, dusty shelves, and musty documents.
Translucent green visors came along a little later on the heels of newfangled incandescent lighting. Clerks donned the visors to protect their eyes from the harsh overhead light of early bulbs. That’s also why green shades sit atop the traditional banker’s lamp.
Fast forward to a few decades ago …
Worsted and flannel suits in navy and charcoal gray had become all but required attire for bankers and other professionals. Suits were dark and somber for two reasons. One was that dark fabrics hide stains better than light ones. The other was that, until dry cleaning came along, the only way to make a stain “disappear” was to dye the whole suit a few shades darker.
Fast forward to today …
A growing number of banks are opting for business casual, having traded the suit and tie for khakis and sport shirts.
Assuming, that is, we’re talking about banks that still bother with physical locations. For all you know, your online banker could be in a T-shirt and blue jeans.
And that has marketing implications. Despite their practical origins, sleeve garters, visors, and, later, dark suits circled around to become symbols of professionalism. You could walk into a bank, see the attire, and—right or wrong—feel some assurance that you were dealing with competence.
The new challenge is to convey an aura of competence absent the traditional trappings that once characterized banks. That job increasingly falls to websites and apps. More than function, they must look and feel like the kind of business to which people would willingly entrust their funds, business and personal information, and more.
Branding isn’t going away. Like everything else, it’s going digital.
Data breaching is big business. It is, as I wrote last week, something of an arms race. When we strengthen our armor, we don’t send the bad guys home in ignominious defeat; we send them off to upgrade their armor-piercing weaponry so they can return for another foray.
The financial fraud arms race is as old as currency itself, and there’s no reason to expect it ever to end. Last week, HEI Hotels became the latest large-scale victim, following in the footsteps of notables like MySpace, the Internal Revenue Service, The Home Depot, Target, Neiman Marcus, and others.
The above are not anomalies. If you’re in the mood for being alarmed, click here to view “World’s Biggest Data Breaches: Selected losses greater than 30,000 records.” Lest bankers seek solace in the thought that breaches are more a retail than a banking problem, click “banking” in the filter box at the upper right.
But before you decide that your best option is to wait out the arms race under your desk in fetal position, I have good news. There is much that banks can do to protect themselves, merchants, and consumers.
Here are a few tips:
Keep up with security technology. Bad guys regrouping and returning notwithstanding, it turns out that we good guys are pretty good at keeping pace and, at times, a step or two ahead. To ignore the state of the art is to look for trouble. That should go without saying, but you’d be surprised how many financial institutions give data security more lip service than action. To be sure, upgrading is costly in terms of software, hardware, retraining personnel, and, sometimes, retraining consumers. But the cost of keeping current is a bargain compared with the costs—which include legal, insurance, and client confidence costs—of a serious breach.
Keep up with security news. A host of business and financial publications are available and useful. Still in the mood for a good but needful scare? Try UBM Technology’s DarkReading.com. You might also follow UBM’s blackhat blog and consider attending a blackhat® convention.
Never assume the security arms race has been won. The much-heralded credit card chip has a track record of reducing but not eliminating fraud.
If your financial institution is small, don’t fall into the trap of thinking you’re an unlikely target. Smallness may increasingly make you a more likely target. Like anyone, hackers prefer the course of least resistance. More hackers are turning their attention to smaller banks and other smaller businesses that tend not to be able to afford the best protections or not to bother with them. Which means you must bother with them and find a way to afford them.
Beware the isolation trap. Data security is its own field of expertise. Even if you employ your own, first-rate team of tech geniuses, their combined expertise cannot approach that of companies entirely focused on digital banking technology. (Note: Should you accuse me of using my blog to make a blatant, shameless pitch for the likes of my employer, Fiserv, I’m offended at the accusation—even though that’s exactly what I’m doing. I highly recommend checking out our compliance and fraud management page among others.)
Be proactive in educating your merchant and consumer clients. This is as much a marketing as a security measure. Security concerns have been known to hold people back from adopting mobile banking technology. Educating clients on security precautions increases mobile technology adoption.
For merchants, PC Magazine’s Max Eddy reported on an interesting piece of advice: Do not use chip reading terminals that still have magnetic stripe reading capability. According to Eddy, during a recent Black Hat conference, security guru Peter Fillmore showed that terminals which read both chips and stripes leave an exploitable security gap. Fillmore also demonstrated the ease of capturing data from tap cards.
For what it’s worth, Eddy reported that Fillmore had reluctant, high praise for Apple Pay:
“I want to kick at Apple Pay but I can’t,” Fillmore joked. “It’s one of the best methods for these transactions … and is generally more secure than your cards.”
Fillmore said that Apple Pay has a lot going for it since it has a separate secure element chip and performs the transactions on that secure chip. But Fillmore reasoned that Apple Pay is susceptible to the attacks he demonstrated because the cards themselves are insecure. It would depend on the cards loaded into Apple Pay and if an attacker found a way to force someone to make a particular transaction in order to snag the data.
For consumers, U.S. News & World Report contributor Anisha Sekar suggests that financial institutions advise them in the basics: only buy from websites whose URL starts with “https,” set up alerts for every card and digital transaction, sign card backs, avoid use of public Wi-Fi, and, to limit personal liability, notify the bank immediately of a lost or stolen card.
I urge you to take heed. I don’t want to see you on the next version of the World’s Biggest Data Breaches: Selected losses greater than 30,000 records. There are better ways to earn recognition.
HEI Hotel properties affected by the breach
You may not have heard of HEI, but you have certainly heard of the 20 potentially targeted properties, or at least their brands, that HEI operates. These include Marriott, Hyatt, Equinox, Intercontinental, Sheraton, Westin, and others.
From the HEI Notice:
Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.
HEI believes the malware could have affected “… payment card data—including name, payment card account number, card expiration date, and verification code—of customers who used a payment card at point-of-sale terminals at the affected properties.”
According to a DigitalTrends.com report released two days ago, the malware had its way with HEI for a whopping 15 months, from March 1, 2015 through June 21, 2016. That’s plenty of time for tens of thousands of transactions.
HEI operates high-end properties, so it may not be unreasonable to assume that the average wealth of those targeted, and their respective card limits, may be higher than, say, the average THD or Target shopper. Moreover, both business and consumer credit cards may have been hacked.
Digital security is an arms race. Each time the good guys come up with a new way to foil hackers, the hackers simply busy themselves defeating it. I don’t expect the arms race to end anytime soon, if ever. Not even chip cards will do away with fraud, although chip use in Canada and other countries has reduced it.
But we needn’t sit helpless. There is much that banks, merchants, and consumers can do to protect themselves. In next week’s post, I’ll go into that in more depth.
IT’S A FACT that Sir Isaac Newton set forth laws of motion and gravitation that have endured for nearly four centuries with precious little revision. It also appears to be a fact that the sight of a falling apple may indeed have catalyzed his theorizing about gravity. The part about its bonking him on the head was an embellishment that came along years later.
If Newton were to park his remarkable noggin under a tree today, there is some question as to whether he would have observed an apple—that is, Apple Pay—on its way down or up. Four weeks ago, The Street ran a piece by Brian O’Connell entitled “Apple Pay Growth Sours As Consumers Reject Digital Payments”. Two weeks ago, Business Insider ran a piece by BI Intelligence, which somehow I suspect is not the name of a real person, entitled “Apple Pay is dominating the mobile payments industry.”
O’Connell opens with the suggestion that Apple executives love to talk about the success of their technology, but prefer to dodge conversations about Apple Pay. Reasons he cites:
“In the U.S., iPhones account for about 44% of the estimated 207 million smartphones,” notes Andy Schmidt, principal executive advisor at CEB Tower Group in Boston. “Of these iPhones, approximately 29% of them are from the iPhone 6 family—the devices that support Apple Pay. That means that only about 13% of all smartphones in the U.S. are even capable of using Apple Pay.”
Vendor adoption is another issue that’s holding back Apple Pay, Schmidt says. “While 13% of U.S. smartphones are Apple Pay enabled, not all vendors accept it either at point of sale (POS) or online where the ‘buy now’ button reigns supreme, further decreasing potential adoption,” he adds.
The above reporting appears at odds with the BI Intelligence article, which opens:
In its Q2 2016 earnings call, Apple provided some new Apple Pay data that indicates the service’s ongoing steady gains.
The data indicates that as the platform expands internationally, it continues to hold its own in the US mobile payments market despite the entrance of strong competition …
BI Intelligence credits the alleged success of Apple Pay to growth of monthly active users, due largely to international growth, and popularity in the U.S., where Apple Pay accounts for a reported three out of four contactless transactions.
It’s nothing new when the same data lead to opposing interpretations. Nor is it a secret that no one, not even the most scrupulous journalist, is immune to bias. This may be a case where we must await future hindsight in order to know whether glass-half-empty or glass-half-full reporting was right. Meanwhile, it’s an exciting ride we can all enjoy.
Languages spoken in commerce-less civilizations typically have words for the numbers one through five—something to do with the fact that most of us carry around five fingers on each hand—but have no word for six or anything beyond. Instead, they make do with a catch-all word that roughly translates to “a whole bunch.”
Societies engaged in the simplest of trade needed little more. The invention of words for numbers greater than five became needful only when keeping track of trade required more than the fingers of one hand. With the unreliability of memory and the reality of human perfidy, an accurate means of recording numbers soon followed.
Here, we owe fourth century BCE Mesopotamia a debt of gratitude. It was about that time that the Mesopotamian sheep trade really took off. To keep track of payment, traders devised a small clay token, marked with a plus sign, which everyone agreed represented the value of one sheep.
Do not underestimate the importance of that plus sign. As far as historians have been able to trace, this marked the world’s first appearance of written language. The earliest writing owes its start not to artistes seeking expression, but to merchants seeking top dollar for livestock.*
One token per sheep was fine for ma-and-pa sheep merchants, but hauling around oodles of clay tokens proved impractical for big box sheep merchants. This led to the development of denominations: They devised a token for ten sheep, another for twenty, and so forth.
As fast as enterprising Mesopotamians came up with tokens, other enterprising Mesopotamians came up with ways to counterfeit them. Since security chips, holographic images, and polyester threads printed with minute letters were scarce 6,000 years ago, resourceful merchants developed other ways to foil counterfeiters. Some of them were quite ingenious. Wikipedia reports:
To ensure that nobody could alter the number and type of tokens, they invented a clay envelope shaped like a hollow ball into which the tokens on a string were placed, sealed, and baked. If anybody disputed the number, they could break open the clay envelope and do a recount.
I found this next part of particular interest:
To avoid unnecessary damage to the record, they pressed archaic number signs and witness seals on the outside of the envelope before it was baked, each sign similar in shape to the tokens they represented.
Hmm. They agreed upon the value of a token that was marked with a number; then they locked the tokens out of view and relied on authenticated markings to represent their sum total value. At least symbolically, that’s what we do today: We agree upon the value of a unit (dollar, yen, euro, what-have-you), lock it out of view, and represent the sum total of units by means of authenticated markings—except we use a screen instead of a clay ball.
Ironically, the very system of trade that required the invention of numbers greater than five has gone full circle. The “tokens” we use today have even allowed us to dispense with the numbers two through five. We manage quite well using only ones and zeroes.
*Though writing first arose in Mesopotamia as far as historians know, writing arose independently in other locales. Mesoamericans invented writing around the first millennium BCE, and not for commerce, but for literary purposes. Chinese characters most likely arose independently as well. The earliest verified evidence of Chinese writing dates to the late Shang dynasty toward the end of the second century BCE. Literacy in China today requires knowing from 3,000 to 4,000 characters. If you didn’t grow up learning them, good luck with that. That may have interesting implications as increasingly significant numbers of Chinese adopt digital payments systems.