Here is an advisory on the SSL/TLS attack (later known as BEAST) that Juliano Rizzo and Thai Duong presented at the ekoparty Security Conference. It appears that 99% of all secure websites in the world negotiate a protocol version that contains a vulnerability enabling an attacker with a man-in-the-middle position to recover parts of the encrypted session, such as an HTTP session cookie. These websites are using SSL 3.0/TLS 1.0; TLS 1.1 and newer versions don't have this vulnerability, but are hardly used. The attack is a new, fast, block-wise chosen-plaintext attack against the CBC cipher suites of SSL/TLS 1.0: because the IV of each record is the last ciphertext block of the previous record, an attacker who can observe the connection and inject chosen plaintext into it can verify a guess for one unknown plaintext byte per block. TLS 1.1 closed this by sending an explicit, unpredictable IV with every record.
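To make the mechanism concrete, the following simulation is an added example written for this post, not code from the advisory or from Rizzo and Duong. It uses a toy 64-bit Feistel permutation in place of the real block cipher, models the victim's CBC record layer in both modes (TLS 1.0 chaining, where the next IV is the last ciphertext block on the wire, and TLS 1.1 explicit per-record IVs), and gives the attacker exactly the two capabilities the attack needs: seeing every ciphertext record, and making the victim encrypt records whose plaintext it chooses (in the real attack, attacker-controlled browser content sent on the victim's HTTPS connection). The `SECRET` cookie value, the 8-byte block size and the class and function names are constructed for the example.

```python
import hashlib
import os

BLOCK = 8                      # toy block size in bytes (AES would use 16)
SECRET = b"SID=7a3f"           # constructed "session cookie" the attacker wants to read


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit Feistel permutation standing in for AES/3DES. It is a bijection,
    which is all that CBC (and this attack) relies on. NOT a real cipher."""
    l, r = block[:4], block[4:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:4]
        l, r = r, xor(l, f)
    return l + r


class CbcSender:
    """Victim's record layer. explicit_iv=False: each record is chained off the
    previous record's last ciphertext block (SSL 3.0 / TLS 1.0).
    explicit_iv=True: a fresh random IV is sent with every record (TLS 1.1+)."""

    def __init__(self, key: bytes, explicit_iv: bool):
        self.key = key
        self.explicit_iv = explicit_iv
        self.chain = os.urandom(BLOCK)       # TLS 1.0 initial IV comes from the key block (secret)

    def send(self, plaintext: bytes) -> bytes:
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)   # stands in for MAC + padding
        iv = os.urandom(BLOCK) if self.explicit_iv else self.chain
        prev, out = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(prev, plaintext[i:i + BLOCK]))
            out.append(prev)
        self.chain = prev                    # becomes the next record's IV under TLS 1.0
        return (iv if self.explicit_iv else b"") + b"".join(out)


class Attacker:
    """Sees every ciphertext record and can make the victim send records whose
    plaintext it chooses. It never sees any plaintext."""

    def __init__(self, victim: CbcSender):
        self.victim = victim
        self.next_iv = None                  # prediction: next IV = last block seen on the wire

    def observe(self, plaintext: bytes):
        ct = self.victim.send(plaintext)
        iv, self.next_iv = self.next_iv, ct[-BLOCK:]
        return iv, ct                        # iv: what the attacker believes this record used


def beast_recover(attacker: Attacker, request, secret_len: int):
    """request(prefix) -> plaintext the victim will send (prefix || secret).
    The attacker controls only the prefix length and content."""
    attacker.observe(request(b""))           # prime: learn the chaining state
    recovered = b""
    for k in range(secret_len):
        pad = b"A" * (BLOCK - 1 - k % BLOCK)  # align so exactly one unknown byte ends a block
        iv, ct = attacker.observe(request(pad))
        t = k // BLOCK                        # index of the block holding the target byte
        c_prev = iv if t == 0 else ct[(t - 1) * BLOCK:t * BLOCK]
        c_target = ct[t * BLOCK:(t + 1) * BLOCK]
        known = (pad + recovered)[-(BLOCK - 1):]   # the 7 bytes of that block we already know
        for g in range(256):
            guess = known + bytes([g])
            # Victim computes E(next_iv XOR x); pick x so that equals E(c_prev XOR guess),
            # which matches c_target exactly when guess == the real plaintext block.
            x = xor(xor(attacker.next_iv, c_prev), guess)
            _, probe = attacker.observe(x)
            if probe[:BLOCK] == c_target:
                recovered += bytes([g])
                break
        else:
            return None                       # nothing matched: the IV was not predictable
    return recovered


def run_demo(explicit_iv: bool):
    victim = CbcSender(os.urandom(16), explicit_iv)
    return beast_recover(Attacker(victim), lambda prefix: prefix + SECRET, len(SECRET))


if __name__ == "__main__":
    print("TLS 1.0 chained IV :", run_demo(False))
    print("TLS 1.1 explicit IV:", run_demo(True))
```

Against the chained-IV victim the loop leaks the cookie one byte at a time with at most 256 probe records per byte; against the explicit-IV victim it returns nothing, because the XOR mask has to be computed before the record is encrypted and the IV is no longer known in advance. The fixes that follow are the ones the advisory points at: move servers and clients to TLS 1.1 or later, and on the client side split records so the attacker never controls a full block (the 1/n-1 split browsers later deployed). The attacker still needs network access plus a chosen-plaintext injection vector, so this is a cookie-stealing attack, not an impersonation of the server.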
Paper on Transaction Verification
•June 16, 2011 •
Even though it's been a few years since I wrote this article, the key principles of designing secure banking solutions haven't changed and are still relevant today. Trust will always be the main priority, and the convenient solution wins in the long run. The challenge is to integrate trust and convenience.
Transaction Authentication
‘Something you understand’
The new factor in online security
Abstract
Online attacks have advanced significantly in recent years. Two-factor authentication, which is used to protect online banking users, has not evolved at the same pace, meaning that users are not sufficiently protected against these new and advanced attacks.
This raises an important question: is it possible to make online activities more secure for the user? More specifically, we want to understand whether it is possible to prevent online attacks by involving the user. In this paper, we elaborate principles for providing security in factor-based authentication. We propose a strategy using these principles to make online activities more secure.
This paper introduces Transaction Authentication – the new factor for factor-based authentication – as a way to establish informed consent in the authentication and authorisation process for online security. We show how the solution provides security while minimising user involvement, by balancing security and usability.
Read the paper here
“I have a dream”
•June 1, 2011 •
Listen to Simon Sinek's interesting and inspiring talk about WHY.
People don't gather around people or products just because they provide certain qualities; they gather because they have a vision and can realize that vision in their products.
I like Steve Jobs. He visited Xerox Corporation at their Palo Alto Research Center (PARC) in 1979, where he got his vision that electronic systems must be user friendly. He understood the importance of anthropologists and user interface researchers. Those who understand the vision are essential. His vision (WHY) has since then driven Apple. In fact, Apple doesn't compare with the competition – they do what they think is right. The iPhone was the first handset in which you could use the browser, and on which people actually could purchase items. That they have application fascism has only helped them establish trust.
When it comes to online banking and online shopping, the vision is to make it easy for the user; convenience always wins in the long term. But it cannot only be convenient, it must also have trust, as that feeds the limbic brain and tells the customer that it's safe to do banking. To not make it cumbersome you need to balance usability with security, as there is always a tradeoff.
If there is a risky transaction, such as paying a high amount to a new beneficiary, any customer would feel uncomfortable doing that without having a security technology in place. Done correctly, it's possible to offer a lot of convenience and still stop risky transactions, by introducing increased security only when needed.
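The two ideas above, transaction authentication from the paper abstract (informed consent over what is actually being authorised) and the risk-based step-up described in this post (extra security only for a high amount to a new beneficiary), can be put together in a few lines. The following is an added illustration written for this page, not the paper's own design or any bank's implementation: the thresholds, account numbers, the 8-digit response format and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
from dataclasses import asdict, dataclass

# Assumed policy thresholds (not from the paper). Amounts are in minor units (cents).
HIGH_AMOUNT_CENTS = 1_000_000        # 10 000.00: high amount to a new beneficiary steps up
ALWAYS_SIGN_CENTS = 5_000_000        # 50 000.00: always sign, known beneficiary or not


@dataclass(frozen=True)
class Transaction:
    from_account: str
    beneficiary: str      # recipient account number
    amount_cents: int
    currency: str


def needs_transaction_auth(tx: Transaction, known_beneficiaries: set) -> bool:
    """Risk-based step-up: ordinary payments stay convenient; only risky ones
    require the user to sign the transaction details."""
    if tx.amount_cents >= ALWAYS_SIGN_CENTS:
        return True
    new_beneficiary = tx.beneficiary not in known_beneficiaries
    return new_beneficiary and tx.amount_cents >= HIGH_AMOUNT_CENTS


def canonical(tx: Transaction) -> bytes:
    """One unambiguous encoding of exactly the fields the user is shown."""
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


def display_for_user(tx: Transaction) -> str:
    """What the signing device shows. The user consents to this text and nothing else."""
    return f"Pay {tx.amount_cents / 100:.2f} {tx.currency} to {tx.beneficiary}"


def device_sign(device_key: bytes, tx: Transaction, challenge: bytes) -> str:
    """Signing device (or app) computes an 8-digit response bound to the transaction
    details and to a fresh bank challenge, so a captured code cannot be replayed."""
    mac = hmac.new(device_key, challenge + canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(device_key: bytes, tx_received: Transaction, challenge: bytes, code: str) -> bool:
    """Bank recomputes the response over the transaction it actually received.
    Anything a man-in-the-browser changed in transit makes the code mismatch."""
    expected = device_sign(device_key, tx_received, challenge)
    return hmac.compare_digest(expected, code)


def scenario() -> dict:
    device_key = os.urandom(32)                   # provisioned to the user's token at enrolment
    known = {"SE1234567890"}                      # beneficiaries this user has paid before
    tx = Transaction("SE0000000001", "SE9999999999", 1_500_000, "EUR")
    assert needs_transaction_auth(tx, known)      # new beneficiary, high amount: step up
    challenge = b"bank-challenge-0001"            # constructed; would be random per transaction
    code = device_sign(device_key, tx, challenge) # user read display_for_user(tx) and approved

    # A man-in-the-browser swaps the beneficiary after the user signed.
    tampered = Transaction(tx.from_account, "SE1111111111", tx.amount_cents, tx.currency)
    return {
        "legit_accepted": bank_verify(device_key, tx, challenge, code),
        "tampered_accepted": bank_verify(device_key, tampered, challenge, code),
        "replay_accepted": bank_verify(device_key, tx, b"bank-challenge-0002", code),
    }


if __name__ == "__main__":
    print(scenario())
```

The point of the canonical encoding is that the device signs the same bytes the bank verifies, derived only from fields the user saw on a display the malware cannot reach; a code computed over a login challenge alone (ordinary two-factor authentication) would authorise whatever transaction the browser submitted.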
Research in Usable Privacy
•November 2, 2010 •
Forwarding a post from Karlstad University mailing list:
————————————
[Humanit-listan] HumanIT doktorander
From: Jakob Svensson <Jakob.Svensson@kau.se>
To: <humanit-listan@lists.kau.se>
Date: 23 Sep 2010 – 13:50
We at HumanIT are very happy to fund and welcome PhD student Julio Angulo to Karlstad University.
Julio will deal with the UI aspects of security in online banking and the concepts of anonymous credentials and data minimization, in collaboration with Gemalto and Nordea. Julio is also involved with OZLAB together with John Sören Pettersson and with HCI aspects of the PrimeLife project together with Erik Wästlund and others. He is giving usability advice on some of the interfaces being developed for handling privacy preferences and will do user tests to evaluate the usability of such interfaces.
Julio has a B.Sc. in Computer Science from the University of British Columbia and an M.Sc. in Computer Science with emphasis on Ubiquitous Computing from Blekinge Tekniska Högskola, as well as a Master's from Lund University in Interaction Design. Julio has worked in the mobile industry as an Interaction Designer at companies like UIQ Technology AB and ST-Ericsson.
Before moving to Karlstad, Julio was doing an internship as a software programmer and UI designer at a small company that delivered logistics solutions to hospitals around Skåne.
Jakob Svensson, Ph. D.
Director HumanIT (www.kau.se/en/humanit [http://www.kau.se/en/humanit])
Ass. Prof. in Media and Communication Studies
Karlstad University
65188 Karlstad – Sweden
+ 46 (0) 54 700 1893
jakob.svensson@kau.se
_____________________________________________
Humanit-listan mailing list
Humanit-listan@lists.kau.se
http://www.lists.kau.se/mailman/listinfo/humanit-listan
Doppio Bank – a strange sensation
•September 22, 2010 •
I was sitting in a small café in central Gothenburg the other day, where I started looking at the wall and found a blackboard full of names and numbers. They told me that the café acts as a bank, "doppio bank", but with a small twist.

They had one wall with their entire customer base written on it, with the balance of each customer on the wall, and some of the customers had also brought their own photos. During my short visit to the café, I saw two persons actually paying with their balance, and the coffee-man changed their balance on the wall.
I wonder how they identify their customers, and also how they authenticate them. Maybe there is a need for an identification solution here :)
Well, the sad part is that they have to close the bank: it's not allowed to be a bank in Sweden, no matter how big, unless you have a banking license, so their banking activity will cease at the end of the year. I will return before they close, because I made a deposit of 1€ and want to get a coffee for that.
Cambridge researcher demonstrates flaw in EMV on TV
•September 15, 2010 •
Cambridge researcher Saar Drimer recently demonstrated on German TV how easy it is to bypass the PIN verification at an EMV POS terminal (http://blog.br-online.de/report-muenchen/2010/09/03/neue-chips-im-visier-der-kreditkartenmafia.html). Saar equipped himself with a modified credit card with a cable linked to a computer in his backpack. He then makes a credit card transaction where he enters the PIN '0000', and demonstrates that the transaction is approved even though the PIN was fake, and the receipt tells the café owner that the transaction was approved. Saar, together with Steven Murdoch and Ross Anderson, some time ago released the report "Chip and PIN is Broken", explaining a serious flaw in the EMV protocol that lets an attacker complete a "PIN verified" transaction without the chip card ever checking the PIN; it was covered in an earlier post.
In the TV report, Ross Anderson and Steven Murdoch further explain the complexity of EMV, indicating that it is too complex to be verified. Something one could consider would be to design the protocol so that its security-relevant core is formally verifiable, which would in practice also force the specification down to a few pages.
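The following simulation is an added example written for this post, not code from the Cambridge team or from their paper. It models the three parties in the TV demonstration (terminal, a man-in-the-middle device between terminal and card, and the card) at the level of the two commands that matter: VERIFY, which carries the PIN to the card, and GENERATE AC, which returns the cryptogram plus the card's Issuer Application Data. The status words 90 00 and 63 Cx are the real ISO 7816/EMV values; everything else is simplified and assumed: the PIN is passed as plain digits rather than a PIN block, the card is assumed to record in its IAD whether a PIN was verified (IAD contents vary by issuer), and the issuer-side consistency check at the end is a countermeasure assumed for the example, not something the post spells out.

```python
# ISO 7816 / EMV status words used below
SW_OK = b"\x90\x00"              # command succeeded
SW_PIN_BLOCKED = b"\x69\x83"     # authentication method blocked


class Card:
    """Chip card: verifies the offline PIN and records in its Issuer Application
    Data (IAD) whether PIN verification actually took place (assumed behaviour)."""

    def __init__(self, pin: str):
        self._pin = pin
        self.pin_verified = False
        self.tries_left = 3

    def verify(self, pin: str) -> bytes:            # VERIFY command (INS 0x20)
        if self.tries_left == 0:
            return SW_PIN_BLOCKED
        if pin == self._pin:
            self.pin_verified = True
            return SW_OK
        self.tries_left -= 1
        return bytes([0x63, 0xC0 | self.tries_left])   # 63 Cx: wrong PIN, x tries left

    def generate_ac(self) -> dict:                   # GENERATE AC: cryptogram + IAD
        return {"iad_pin_verified": self.pin_verified}


class Wedge:
    """The backpack computer: sits between terminal and card, answers VERIFY
    itself so the card never sees a PIN, and passes everything else through."""

    def __init__(self, card: Card):
        self._card = card

    def verify(self, pin: str) -> bytes:
        return SW_OK                                  # "PIN OK", whatever was typed

    def generate_ac(self) -> dict:
        return self._card.generate_ac()


def terminal_transaction(card_iface, entered_pin: str) -> dict:
    """Terminal: asks the card to verify the PIN, records the outcome in its CVM
    Results, then requests the cryptogram. Returns what is sent to the issuer."""
    sw = card_iface.verify(entered_pin)
    cvmr_pin_verified = sw == SW_OK                   # terminal's view of the CVM
    ac = card_iface.generate_ac()
    return {
        "cvmr_pin_verified": cvmr_pin_verified,
        "iad_pin_verified": ac["iad_pin_verified"],   # card's view of the CVM
        "terminal_approves": cvmr_pin_verified,       # receipt says "PIN verified"
    }


def issuer_consistency_check(auth: dict) -> bool:
    """Assumed issuer-side countermeasure: the terminal's claim that the PIN was
    verified must agree with the card's own record of what happened."""
    return auth["cvmr_pin_verified"] == auth["iad_pin_verified"]


def run_demo() -> dict:
    honest = terminal_transaction(Card("4711"), "4711")
    wrong_pin = terminal_transaction(Card("4711"), "0000")
    wedged = terminal_transaction(Wedge(Card("4711")), "0000")
    return {
        "honest": (honest["terminal_approves"], issuer_consistency_check(honest)),
        "wrong_pin": (wrong_pin["terminal_approves"], issuer_consistency_check(wrong_pin)),
        "wedge": (wedged["terminal_approves"], issuer_consistency_check(wedged)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The wedge case is the TV demonstration: the terminal prints "PIN verified" because it only ever saw 90 00, while the card, which never received a VERIFY, reports that no PIN was checked. The two views travel to the issuer in different data elements, so a transaction is only caught if someone compares them; with the simplified check above the honest and wrong-PIN cases are consistent and the wedge case is not.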
Advanced digital life – eServices in Sweden without hype
•September 8, 2010 •
The advanced digital life is still in its infancy; we are just starting to discover what it takes for a cardholder, citizen or Facebooker to stay safe online. What really matters is to understand that a person acts with multiple personalities online, often without reflecting on it.
Most people are concerned, but do not really grasp the concepts of security and privacy and do not have a clear strategy for how to act in order to protect their different personas online. When asked, some customers care, but most don't, until they're asked whether it would be OK to have their health records posted on Facebook for anyone to see.
Privacy and security are something that most people will only request after they have experienced them. A good example is the comparison with the seat belt, a Swedish innovation that is today used in every corner of the world. Once understood, a customer doesn't want anything less.
The real challenge is to gain knowledge and provide technology that enables the Internet to become a secure and trustworthy place for everyone, not only the brave. Everyone needs to use the Internet; therefore it's crucial that we take the emotional human into consideration, as he cannot objectively perceive ePrivacy or eSecurity.
Gemalto is doing interesting coverage of Digital Sweden (www.gemalto.com/digital_sweden/index.html), where we try to describe why Sweden is far ahead in the evolution of digital services. Martin Ogarp, a bright business developer working at Nordea, is interviewed and gives a clear answer on Nordea's philosophy (www.gemalto.com/financial/ebanking/sweden_banks_today.html).
“- Customers have come to expect online access to their bank, and it has to be a high quality service,” he says. “Our philosophy, and the starting point of Nordea’s eBanking initiative, is that all interactions with the bank should be able to be carried out however the customer chooses.”
Nordea secures both eBanking and eCommerce transactions, making life more secure for its cardholders, using cutting-edge technology from Gemalto.
Thinking around product and product features
•August 25, 2010 •
Prospect theory was developed by Daniel Kahneman, professor at Princeton University, together with Amos Tversky; a related idea is risk homeostasis, a model of how we perceive and respond to risk.
We all know that security is difficult, but when it comes to selecting a security technology there are certain drivers:
- Buy what everyone else bought (Authority); this is what IBM leveraged in the early days
- Go with the known brand (Authority); this is companies such as Nike
- Buy out of greed ("I want this"), where the product has certain qualities that attract the customer. Apple has managed to get into this position, providing a user experience not previously seen
- Buy out of fear ("I want to prevent something"); this is how insurance companies make money.
In general it's difficult to sell based on fear; therefore clever companies turn the buy out of fear into a buy out of greed, which makes the sale much easier: "When people are afraid, they are much more willing to buy security to be safe".
Buying security from a large company is much easier, and therefore it's much easier to accept the deal. Buying from a large company isn't necessarily bad; in fact it can be quite good, as the large company is able to share development cost among a larger customer base, must always deliver good quality, and cannot take the risks that small companies sometimes need to take. Consider the following: you are going skydiving and you need a parachute, and two companies sell what you need. The first is a huge company known to everyone; the second is a small niche company with cost-effective parachutes. Which brand would you select? For many, the answer would be based on Authority and buying what everyone else buys, and they would accept the higher price. Companies that have authority must maintain their reputation; therefore they must consistently deliver products that people can depend on.
Users care very little about technology, and they shouldn't, for various reasons. But you still want to be safe; there are certain things you never buy based on price.
Social Sophistication is what brings value to the customer and provides relevant information to him, in his present context.
Technical Sophistication is what brings unique properties and solves a need, as the needs are satisfied using technology. Technical Sophistication happens in emerging industry areas, where engineers develop new and innovative concepts that satisfy real customer needs. Once the technology is understood and mature, the technology is hidden, and Social Sophistication,
Technology is digital and Users are emotional…..
A classic example is Ericsson: in the 90s it was possible to check the battery level on the mobile, and the result was "3.8V". That didn't mean anything to a user; the developers had absolutely no understanding of what users wanted to see, so the user had to adapt to the technology instead of vice versa. Once a technology has matured, it is followed by commercialization, which brings the technology to the market. It is in this transition that innovation happens, which is basically turning knowledge into money. 3M's definition of R&D is that research generates knowledge and innovation creates money. 3M measures its innovation power by the share of revenue it makes on products that are 5 years old or younger; this is what keeps them alert.

- In the beginning, cars were sold with a repair kit included; after some years this was removed, as customers didn't know and didn't care how to fix problems
- In order to get things working, we need to remove the complexity for the user.
- We cannot train users in security; instead we need technical intermediaries that package security into their product, where security reaches an acceptable level and the product can be sold on greed instead of fear.
- Facebook is a technical intermediary, and cares very much about its technology and how it works.
- Personal commodity
- "Security will be integrated as a part of the way you buy", where solution providers buy security and become the technology intermediary
- "Solution providers buy security companies"
- Solution providers are the technical intermediary, becoming utility companies.
- "Security is provided bundled in a greed sale."
- Cars sell security as part of the package
- Awards and reputation are signals, which brings us to the lemon theory

Buyers have trouble evaluating sellers; a good example is the signals in the used-car market. In order to maintain a high price, it's essential that the product has high trust, otherwise it becomes a commodity with nothing to compete on.
Reputation is very valuable; companies take great care of their reputation, and they should, and security is no different.
Trust is good for business
•August 13, 2010 •
Online banking is about more than cost cutting. Banks are just waking up to its potential for increased revenue and new business opportunities. In this context, online security is not just a cost of business to be weighed against losses to fraud. It is the key that opens the door. But it will only work if banks change the way they build a business case for trust and security.
Secure eBanking Forum – Principles of Usability
•June 9, 2010 •
Yesterday we had our recurring "Secure eBanking Forum", an event that we host on a regular basis, inviting banks that have an interest in strong authentication with usability and security. This time, our focus was on "Principles of Usability".
Here is the presentation I gave, which is intended to be a thought-provoking presentation on the principles of usability. It shares some of our experience in the field and hopefully also provides you with some inspiration.