Flashback to 2005 for a moment, and witness the arrival of new advice for the US banking sector concerning how best to marshal its risks in respect of online e-payments. This guidance came from none other than the Federal Financial Institutions Examination Council (FFIEC) – an interagency body of the United States government empowered to prescribe uniform principles, and standards, across all US financial institutions.
Now fast forward to the present day. Digital security expert Adam Dolby of Gemalto recently made the following comments:
“…the 2005 guidance was stricter than its predecessor because most banks had failed to take action. The FFIEC was hoping the banks would self-regulate, but that didn’t happen!”
It now transpires that rather than acting upon the FFIEC guidance, many key players within banking instead opted for a ‘minimum compliance’ approach, or in simple terms, ‘what can we get away with’. So, if our banks are reluctant to spend money on payment authentication and online security, then it’s perhaps not unreasonable to form the view that losses through fraudulent activity are merely absorbed by the banks; i.e. it’s just the price of doing business online.
Dolby continues:
“…when we rolled out internet banking we educated people and told them it was safe, protected behind firewalls and secure socket layers. And now everyone thinks it’s safe.”
It’s an interesting statement, one that hints at ongoing security threats to e-payments, threats which the banks are not necessarily equipped to counter. Movie fans may draw parallels with the Brad Pitt and Edward Norton film ‘Fight Club’. In the movie, Norton’s character describes how automotive giants decide whether a car should be recalled once it is found to be unsafe.
Edward Norton: A new car built by my company leaves somewhere travelling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, (A), multiply by the probable rate of failure, (B), multiply by the average out-of-court settlement, (C).
A x B x C = X.
If X is less than the cost of a recall, we don’t do one.
Woman on plane: Are there a lot of these kinds of accidents?
Edward Norton: You wouldn’t believe.
Woman on plane: Which car company do you work for?
Edward Norton: A major one.
So when your bank tells you that a new ‘contactless’ payment card is 100% secure, perhaps you’ll keep in mind its track record on ‘security’ and its approach to acting on the advice of independent regulators such as the FFIEC. There’s probably nothing to worry about, but just to be on the safe side, why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card, such as those that can be purchased from RFID Protect.
This article makes reference to an original story in Digital ID News: