Security, Fear, Risk in Payment Products
The question came to my mind when I want reading a report on Corporate email security from Coremail, according to the report, the 112M corporate email users in China receives 730M Junk mails every year, representing 69.8% of all emails they receive in their corporate mailbox; if the attackers try 10 times, they can successfully hack into 109.8K email accounts
It does sound..well...not so secure.
Not at all.
But i have felt so when using my company email.
This realization gets me curiosity to find out what makes the sense of security and what breaks it.
Dictionary.com defines the term security in several ways, but we'll focus on these two descriptions:
- Freedom from danger, risk, etc.; safety.
- Freedom from care, anxiety, or doubt; well-founded confidence.
The first form of security is what an information security program is meant to address. Information systems can be defined as being "unsecured," so we attempt to "secure" them; that is, protect them from danger. From hackers who tries to steal information from these systems for example.
The second form of security is an emotional state. We may feel "insecure," so we desire a sense of security—that sort of warm, fuzzy feeling we get when we know that everything is going to be alright. When a child is with his/her mother they generally feel secure, this feeling comes from the past care and protection the mother brought before.
While the first sense of security has real value, it prevent money loss, company reputation, crime etc; the second one only has a perceived value, we feel good about it but it does not result in tangible gain.
Is there any relationship between the two, well naturally the material insecurity results in negative emotions, does the negative emotion affect our perceived security for the next time when we encounter such situation, the Chinese says “A person who was bitten by a snake will fear the rope for 10 years” (because the shape of the two are similar), which explains how the two forms of security associate with each other.
Strong emotions affect our decision-making processes. Fear can occur in varying degrees: worry, terror, fright, paranoia, horror, etc. Nevertheless, it is generally caused by the known, not the unknown. Adults fear what children don't. After all, if he doesn't know that he should fear it, will he run away? With no experience on which to base a fearful response, he probably won't flee. This is the fearlessness of ignorance.
With the concept of security understood, I wander how it is used in the sales and implementation of new security technologies and other industries
Biometric identification is among the newest security technologies on the market, it refers to any technology that does one of two things: identifies you or authenticates your identity. For identification, an image is run against a database of images. For authentication, an image has to be accessed from the device to confirm a match. The latter is typically used for unlocking computers, phones, and applications.
Since Apple introduced its incredibly usable biometric identification with Apple’s home button fingerprint sensor in 2013, the appetite for biometrics has expanded rapidly. Now NASA has developed a method for verifying the identity of a person based on his or her heartbeat electrocardiogram signal (and made our smartphone one step nearer to our heart). Other apps are looking at the uniqueness of vascular patterns in the eyes or even a person’s specific gait to verify identities.
Although many experts say biometrics are intrinsically secure (since no one else can have your ears or eyes), I mean, nobody else owns the same thing like you do. And it is for sure harder to steal than a password or credit card numbers. They are, inherently, public, I do know what your face looks like, if I meet you, and I can take a high resolution photo of it (as a group photo, or even just from far), And that makes them easy to hack. Or track.
When the Office of Personnel Management in United States was hacked last year, 5.6 million people’s fingerprints were compromised. Universities are hacked every year, medical records, the IRS, banks, dating websites, the list goes on and on. Biometric data isn’t immune to these attacks. In fact, Vkansee, a mobile security company, broke into Apple’s Touch ID system with a small piece of Play Doh just at this year’s Mobile World Congress. MSU Computer Science researchers Kai Cao and Anil K Jain published a new paper describing a <$500 method for using a 300dpi scan of a fingerprint (which can be captured from a fingerprint sensor itself) to produce a working replica printed with conductive ink fed through a normal inkjet printer, in a procedure that takes less than 15 minutes. (it is a bit more expensive than the Play Doh though)
And worse even, the use of data about your body parts is largely unregulated. yes, large corporations that are utilizing this technology participate in the self governance of it; as far as they can police on their own practices about using and sharing data, the structural investigation and punishment of the leaking of such information and the compensation of financial loss as a result of such leaking is just not there.
I would not say there is better solution for identification, I am not an expert in this field. And as most of the audience, I am merely a receiver of whatever the product or service I am utilizing choose to provide for me, be it Touch ID or password or verification SMS code. Security is at the end of the day for the benefit of the company, if there is no negative consequencies, I wander how many would still bother to protect consumer rights in any sense.
Following the same logic about the actual security and the perceived security, we knew that actual security of course is important, actually, needed for business contingency reason; it is perceived security that affects the top line revenue. So, how do we provide the same function and make it looks better?
Payment industry has been a good ground to look at how to strategically “provide security”:
First, “Transform the Concept”, we provide different kind of positive stimulus to improve the overall satisfaction; payment gateway for example, the top value proposition are usually simplicity of use (PayPal; Amazon One-lick payment etc), coverage (support multiple payment sources), merchant services (simple to integrate API and SDK, auto reconciliation, easy to use backend etc) and of course, low merchant fees; which all that, you channel the consumers and the merchants to things you want them to value, and what they should value;
Second, “Pay For It and Make Sure the World Sees It”, you have to get some sort of fraud solution anyway, you may not have the adequate expertise in-house to review all the transactions or configure the fraud rules, you may not choose best product on the market but the cheapest, but it does not matter. The world needs to know you have it, in the way the world always see it (protect all kinds of transactions; all currencies; industry specific etc). So keep telling them. Like Bruce Schneier wrote in his Wired article his about this issue on January 25, 2007 “In Praise of Security Theater”: It's only a waste if you consider the reality of security exclusively. There are times when people feel less secure than they actually are. In those cases […] a palliative countermeasure that primarily increases the feeling of security is just what the doctor ordered. The goal here would be to bring the perceived risk into alignment with the real risk in a given situation. We try to lower the perceived risk so people can see beyond it,
Third, “Make People Pay for it”, does spending money bring peace in mind? Yes it does. Especially for products in area that the customer has little knowledge on. When you pay you get something right? In this case, you get security. And payment companies also profit from selling security, marking up from the actual fraud solution providers, so it is win-win-win situation.
Managing risk, from a commercial perspective, is a balancing act. You must weigh all factors carefully and rationally, being aware of the impact that fear may have on decision-making. Some fear is rational, based on facts. It's when fear goes beyond a rational response that it can lead to irrational decisions. WE can even say fear is a risk by itself. Ignoring the reality of fear can lead to hasty, potentially expensive, and unnecessary actions that may cause more harm than good.
Technology Opportunity: Method and Device for Biometric Verification and Identificationhttps://www.nasa.gov/ames-partnerships/technology/technology-opportunity-method-and-device-for-biometric-verification-and-identification
You can use putty to get past the iPhone's fingerprint securityhttp://www.businessinsider.com/hack-iphone-touch-id-with-play-doh-2016-2
Hacking a phone's fingerprint sensor in 15 mins with $500 worth of inkjet printer and conductive inkhttp://boingboing.net/2016/03/06/hacking-a-phones-fingerprint.html
In Praise of Security Theaterhttps://www.schneier.com/blog/archives/2007/01/in_praise_of_se.html