
Security, Fear, Risk in Payment Products

The question came to my mind when I was reading a report on corporate email security from Coremail. According to the report, the 112M corporate email users in China receive 730M junk mails every year, representing 69.8% of all emails they receive in their corporate mailboxes; if the attackers try 10 times, they can successfully hack into 109.8K email accounts.

It does sound... well... not so secure.

Not at all.

But I have felt so when using my company email.

This realization made me curious to find out what makes the sense of security and what breaks it.

Dictionary.com defines the term security in several ways, but we'll focus on these two descriptions:
  • Freedom from danger, risk, etc.; safety.
  • Freedom from care, anxiety, or doubt; well-founded confidence.

The first form of security is what an information security program is meant to address. Information systems can be defined as being "unsecured," so we attempt to "secure" them; that is, protect them from danger. From hackers who try to steal information from these systems, for example.

The second form of security is an emotional state. We may feel "insecure," so we desire a sense of security: that sort of warm, fuzzy feeling we get when we know that everything is going to be alright. When children are with their mother they generally feel secure; this feeling comes from the care and protection the mother provided in the past.

The first sense of security has real value: it prevents loss of money, damage to company reputation, crime, etc. The second one only has a perceived value: we feel good about it, but it does not result in tangible gain.

Is there any relationship between the two? Naturally, material insecurity results in negative emotions. Does the negative emotion affect our perceived security the next time we encounter such a situation? A Chinese saying goes, “A person who was bitten by a snake will fear the rope for 10 years” (because the shapes of the two are similar), which explains how the two forms of security are associated with each other.

Strong emotions affect our decision-making processes. Fear can occur in varying degrees: worry, terror, fright, paranoia, horror, etc. Nevertheless, it is generally caused by the known, not the unknown. Adults fear what children don't. After all, if a child doesn't know that he should fear something, will he run away? With no experience on which to base a fearful response, he probably won't flee. This is the fearlessness of ignorance.

With the concept of security understood, I wonder how it is used in the sales and implementation of new security technologies and in other industries.

Biometric identification is among the newest security technologies on the market. It refers to any technology that does one of two things: identifies you or authenticates your identity. For identification, an image is run against a database of images. For authentication, an image has to be accessed from the device to confirm a match. The latter is typically used for unlocking computers, phones, and applications.

Since Apple introduced its incredibly usable biometric identification with the home button fingerprint sensor in 2013, the appetite for biometrics has expanded rapidly. Now NASA has developed a method for verifying the identity of a person based on his or her heartbeat electrocardiogram signal (and made our smartphones one step nearer to our hearts). Other apps are looking at the uniqueness of vascular patterns in the eyes or even a person’s specific gait to verify identities.

Many experts say biometrics are intrinsically secure, since no one else can have your ears or eyes; I mean, nobody else owns the same thing you do. And they are for sure harder to steal than a password or credit card numbers. But they are, inherently, public: I do know what your face looks like if I meet you, and I can take a high-resolution photo of it (in a group photo, or even just from afar). And that makes them easy to hack. Or track.

When the Office of Personnel Management in the United States was hacked last year, 5.6 million people’s fingerprints were compromised. Universities are hacked every year; medical records, the IRS, banks, dating websites, the list goes on and on. Biometric data isn’t immune to these attacks. In fact, Vkansee, a mobile security company, broke into Apple’s Touch ID system with a small piece of Play-Doh just at this year’s Mobile World Congress. MSU Computer Science researchers Kai Cao and Anil K Jain published a new paper describing a <$500 method for using a 300dpi scan of a fingerprint (which can be captured from a fingerprint sensor itself) to produce a working replica printed with conductive ink fed through a normal inkjet printer, in a procedure that takes less than 15 minutes. (It is a bit more expensive than the Play-Doh, though.)

Even worse, the use of data about your body parts is largely unregulated. Yes, large corporations that use this technology participate in its self-governance; but however far they can police their own practices for using and sharing data, structured investigation and punishment of leaks of such information, and compensation for the financial loss that results from them, are just not there.

I would not say there is a better solution for identification; I am not an expert in this field. And like most of the audience, I am merely a receiver of whatever the product or service I am using chooses to provide for me, be it Touch ID, a password, or an SMS verification code. Security is, at the end of the day, for the benefit of the company; if there were no negative consequences, I wonder how many would still bother to protect consumer rights in any sense.

Following the same logic about actual security and perceived security, we know that actual security is of course important, indeed needed for business contingency reasons; but it is perceived security that affects the top-line revenue. So, how do we provide the same function and make it look better?

The payment industry has been good ground for looking at how to strategically “provide security”:

First, “Transform the Concept”: we provide different kinds of positive stimulus to improve overall satisfaction. For a payment gateway, for example, the top value propositions are usually simplicity of use (PayPal, Amazon One-Click payment, etc.), coverage (support for multiple payment sources), merchant services (simple-to-integrate API and SDK, auto reconciliation, easy-to-use backend, etc.) and, of course, low merchant fees. With all that, you channel the consumers and the merchants to the things you want them to value, and what they should value.

Second, “Pay For It and Make Sure the World Sees It”: you have to get some sort of fraud solution anyway. You may not have adequate expertise in-house to review all the transactions or configure the fraud rules, and you may choose not the best product on the market but the cheapest, but it does not matter. The world needs to know you have it, in the way the world always sees it (protecting all kinds of transactions, all currencies, industry specific, etc.). So keep telling them. As Bruce Schneier wrote about this issue in his Wired article of January 25, 2007, “In Praise of Security Theater”: It's only a waste if you consider the reality of security exclusively. There are times when people feel less secure than they actually are. In those cases […] a palliative countermeasure that primarily increases the feeling of security is just what the doctor ordered. The goal here would be to bring the perceived risk into alignment with the real risk in a given situation. We try to lower the perceived risk so people can see beyond it.

Third, “Make People Pay for it”: does spending money bring peace of mind? Yes, it does. Especially for products in areas the customer has little knowledge of. When you pay you get something, right? In this case, you get security. And payment companies also profit from selling security, marking up on the actual fraud solution providers, so it is a win-win-win situation.

Managing risk, from a commercial perspective, is a balancing act. You must weigh all factors carefully and rationally, being aware of the impact that fear may have on decision-making. Some fear is rational, based on facts. It's when fear goes beyond a rational response that it can lead to irrational decisions. We can even say fear is a risk in itself. Ignoring the reality of fear can lead to hasty, potentially expensive, and unnecessary actions that may cause more harm than good.

References:

2016 China Corporate Email Security Report: http://mp.weixin.qq.com/s/FtOdOZ7_SNwJEgyHKvo0zw

Technology Opportunity: Method and Device for Biometric Verification and Identification: https://www.nasa.gov/ames-partnerships/technology/technology-opportunity-method-and-device-for-biometric-verification-and-identification

You can use putty to get past the iPhone's fingerprint security: http://www.businessinsider.com/hack-iphone-touch-id-with-play-doh-2016-2

Hacking a phone's fingerprint sensor in 15 mins with $500 worth of inkjet printer and conductive ink: http://boingboing.net/2016/03/06/hacking-a-phones-fingerprint.html

In Praise of Security Theater: https://www.schneier.com/blog/archives/2007/01/in_praise_of_se.html


