Interview

Security in Financial Services


Join Simon Keates (Head of Strategy and Payment Security at Thales) and Dr. Udo Milkau (Fellow Analyst at KuppingerCole) talking about security issues in the FinTech industry!

Hi, good morning Udo. It's great to be here with you, looking forward to having quite a wide-ranging conversation around different things in FinTech and changes that are afoot, but also obviously what's going on in security. I guess just a bit of background from me. I've been working in Thales and in payments and security for about 13 years. It seems like a crazy amount of time, but to be honest, it's probably one of the most exciting areas within security that I've been lucky enough to find myself working within. I think some advice that I received about 10 years ago was to never get into the world of payments because it's incredibly boring and nothing exciting ever happens there. So now you're on mobile and mobile payments and digital payments being an intrinsic part of our life. And so I'm really glad I didn't listen to that advice and that, you know, I get to have conversations with people like you. So yeah, looking forward to our conversation.
Good morning, Simon. I think you're definitely right. And to introduce me, I could say I'm a digital dinosaur because I started with digital technology a long time ago and have also been in financial services for more than 20 years, but you are right, especially in payments. We had times where payments did not develop very much. So we had the introduction of the first cards and then we had a chunk and then we had a long period where things are going rather smooth, slowly replacement of checks at the beginning, then replacement of cash depending on the country, more or less. But I think with all what we call digitalization now, with the mobile phones, with the iPhones, with tokenization technology, and nowadays we are talking about central bank digital currencies, token in the other sense, very much is going on. And there is quite an acceleration of the developments if I compare the time now to the time, let's say, 20 or 30 years ago.
Yeah, exactly. I think it's a great point that you raised that payments kind of leveled off for a little while. And we were nice and stable. I would say it is fair to say that from a security point of view, at least, payments continued to mature all the way through this process. You know, you think back to the earliest memories of credit cards, you know, simple pieces of cardboard that were potentially very easily cloned, and I'm sure that once fraudsters and criminals saw a way to extract money from the system, that they quickly figured out how to do that cloning. Then we've gone onto plastic cards with embossing and mag stripes and holograms, all the while trying to stay one step ahead of the criminals or introducing things to try and stop attacks that existed until we got to chip and PIN.
And I think that was probably maybe the most exciting thing to have happened. And then of course, payments moved onto a digital platform and that's where the fraudsters went. You know, as soon as one hole, one vulnerability is stopped for them, they just try and find different ways of extracting money from the system. So you move into digital, you move into FinTech and these have now become, I think, the security targets to criminals. Physical card fraud is not so interesting. Go for the low hanging fruit, I think, is the criminal's mindset. If you put barriers in their way, they'll go and find another easier target. No one wants to spend a great deal of effort going after a particular target. So as we move away from the strong security backed physical card world, they'll move into digital and move into FinTech and find different ways of monetizing and extracting money from that system.
Definitely right. And as you said, criminals are from my point of view really examples for rational actors. As in economy theory, those guys are described, they are very rational. They are looking always for the low hanging fruits where they can make the most money with the least effort, and remembering the time of the mag stripe. We had all the discussion how to get the mag stripe secure and the real solution was then chip and PIN, and then standardization with PCI technology and maybe afterwards also tokenization. So we have a lot of these pieces in place. What happened within, let's say, the last five years, all these criminals and fraudsters really went to the non-regulated part, crypto assets. And if you look on this field of crypto assets, you will find all types of fraud and criminal behavior you can imagine, but it's a fully unregulated environment. And what's very strange: the protocol, the blockchain itself, of course is secure. But if you take the whole environment with all the participants, crypto exchanges, crypto wallet providers, and so on and so on, then you have so many different participants in this new world, which really invite every type of fraudsters and criminals just to go in there. And as I said, make as much money in the simplest and easiest way as they can do.
No. I think it's almost the exact promise of cryptocurrency and Bitcoin and all of the other coins, the promise of the unregulated environment and the ability to transact without governments and schemes getting in your way of making payments. If I want to sell goods here in the UK, and you want to pay me out of Germany, I don't have to worry about SEPA and international money transfers. We can just transact and that's great. But like I said, the very promise of this really gives rise to, on two sides really, the use of that system for criminal activity. But due to that lack of regulation, lack of security kind of wrapping itself around that system, it also gives rise to the system being attacked itself. You can't attack the blockchain, but certainly when you have crypto exchanges, you have social engineering attacks at the simplest level: send money to this Bitcoin address instead of that Bitcoin address. And the next thing, my wallet is empty.
Definitely right. And I think regulation is not always the best thing you can do, and it's not the philosopher's stone for every problem in the world. But one important aspect in regulation, it's not so much the technology itself or the technology standards, because that is something all the professional participants have to deal with. Regulation also generates security for the retail user, for the customer, for the citizens, which are no experts in payment technology, who just want to have a simple secure payment. And if you have then regulation, if you have high security standards, so people can trust in these payment systems. And I think they did it with card payments, especially with chip and PIN, where they have a really good feeling. So going away from this environment where regulation is not for regulation's sake, but to provide security and also trust in the whole system.
I think crypto assets are really the totally different example of a totally non-regulated environment. And then the problem started. And I think in between, let's say in between this old world and the world of the crypto assets, we have all the developments; for the time being, we have contactless. So in principle, contactless technology is a simple technology, but nevertheless, you can make many mistakes if you, as a customer or you as a small merchant are not a really next priority in that. And that is the point where a possible security collections can come in. And that's the thing where we should spend more awareness on that, how we could fix this point in the whole environment and not so much in one piece of the technology, because if I talk about encryption, I think the experts know how to get encryption really safe and what the key lengths would be and so on and so on, but no citizens would ever understand what we are talking about.
Yeah, that's a great point. And I think, you know, the thing that I remind myself of often is thinking about the perception of security in these environments and not actually, you know, what the real security is down at, you know, in the backend systems, but what does it look like at the front end? And I talked to my family about using contactless. They're still apprehensive about using the technology because of this perceived threat about the security and, you know, the media sometimes does a great job in helping with that perception, but often gives a quite negative feeling to the use of new technology. But I think as well, you know, within card payments, that regulation, that ecosystem provides a lot of security in terms of good usability, that I can use my card in any store with chip and PIN.
I can be sure that I, as the consumer, I'm not going to be defrauded very easily, as long as I keep my PIN secure, but at the merchant side as well, you know, they know that they'll get paid and I know as well, if something goes wrong, I can call up my bank and say, this wasn't me. And given that, if it wasn't a PIN-authorized transaction, I can get that money back in my account. And that's what wraps around all of this regulation as well. It's not just, you have to encrypt the data in a particular way, but this is how the process works. And through that process, I'm protected as a consumer regardless of the underlying technology.
Yes. And I think browse has two aspects. The one aspect, as you said, is there is also always regulation where I can get my money from as a consumer and who is liable for a transaction. And I think the other benefit of regulation is to have clearly defined procedure and simple usage. And from my point of view, a simple usage is even more important than highest security standards, which are then quite complex to use. If you make the usage too complicated for the average user, then he will not add, the artery will not add the transaction. He would change to other means of payments, which are simpler, but maybe not so secure. And so we have to think more from, as you said, the front end point of view, how is the average consumer doing this transaction, which then could achieve a very high standard of security, whereas thinking only in technology terms, you would never get the buy-in from the users at the front end.
Yeah. You know, you're absolutely right about introducing difficulties into that transaction chain. And I know if my wife is presented with a 3-D Secure pop-up on her browser, or if she's buying something online, she will very quickly abandon that because it means standing up, going, finding her cards, you know, remembering what that password is perhaps. And yeah. So just introducing barriers into that, it doesn't matter how secure it is. It would be great to have a 10-digit alphanumeric passphrase for our credit cards when we withdraw money from an ATM. But we know that users don't manage with passwords generally. And we know that it's hard to remember those sorts of things. A four-digit PIN code sounds like a terrible idea in the fact that it's only four digits, it's easily brute-forced, but you know, the usability of it is key. And we want users keeping that PIN secure. It's something that they can keep under their control quite easily and maintain relatively good operational security. If you make that thing any longer, the PIN any longer, they start writing it down, it starts becoming a little Post-it in their wallet. And then it just breaks the entire premise of increasing that security by becoming too complicated for the users to build good operational security around.
Yes. And I think that is a very important point. As you said, this aspect of consumer behavior, that is, I think, a very important point we have to take into account when we are talking about security and also about technology for security, because we could have the best technology in the world. If the user is either not using it or using it in the wrong way, then all the effort and all the money that was spent for that is gone. But I think it's also very interesting how it will develop in the future because we have a long discussion about seamless payments now, and whether it's checking out of an Uber taxi where you just go out of the taxi and the payment is done in the background, for that very, very convenient types of payments, I think, which are also deeply integrated in all these daily processes we have, whether using a taxi or whether buying petrol at the petrol stations. We have to think how we integrate also security in this process, because I think a four-digit PIN number won't work there. And then we have to think, could it be a new type of technology? Could we think about facial recognition? We know it's a highly debated thing, but how can we use that in a real all-day environment to make very convenient types of payments and the seamless payments working with the same security level, as we know it in this, let's say, very old and analog chip and PIN world.
You're right. I think, you know, the big difference that we have today, probably compared to the old chip and PIN world, is as we become more dependent on mobile phones, on apps running on our phones or websites, we have a lot more data points to capture and try to assess the risk of a transaction. And I think we need to start thinking about doing this to lower the friction to the user. I think there's a counter argument to that as well, as obviously all of this gathering of data becomes something that makes me very nervous. You know, again, thinking about easy targets, as organizations start to build up this wealth of information, that information becomes a great target for criminals to extract from the system and using things like identity theft or social engineering attacks, because there are easy ways of converting raw personal data into money.
And these are the ways of doing it. So, yes, I think we can make use of the new data points, but we need to do it in an intelligent way. And we need to be careful about the storage and retention of that data long-term. And of course, going back to your point earlier, is use technology that we've been using in banking for the last 10, 15, 20 years, like encryption, like tokenization, to protect that data so that if it does end up in criminals' hands, at least the most sensitive parts of it are protected and have no value to the criminals and don't present a way for them to extract money from the system.
Definitely right. And as you mentioned, social engineering, you know, the best way to do social engineering is to gather all the data you have in the social media about a person, and then to collect this data, we use this stage, or, and then I have a quite good profile. So you have really very good basis where you can start on your social engineering on. And if you want to avoid that situation, which we have with these publicly data or in social media, for them, this more integrated, seamless payment processes, we have to have a very strong technology in the backend to keep all these data points quite secure and usable only for certain purpose, like to check or like to see whether the payment is differing from the usual pattern and so on and so on. So we have also, there are a lot of technology available, but we have really to think, what does it mean in the whole chain and in the whole environment and who are participants in the environment. And I think the example of a petrol station makes it very clear. The owner of the petrol station will never be the expert in payment or in biometric identification. So we have to think how we use this technology for the benefit of the clients, of the merchants and everybody else, but always keeping in mind the behavior of the front end may be totally different to what we think at the back end how behavior should be.
Yeah, exactly. You know, consumer behavior is definitely, I wouldn't say it's overlooked, but it is definitely something that needs to have stronger attention paid to it in terms of how is a user actually going to perform this. 90% of the time, probably they're not going to do it the way that you think they will. And if it's something as simple as writing down a password or a PIN to maybe something a bit more, if I have this great system on my website to allow users to log in and they need to use a hard token or something like that, then perhaps those hard tokens just stay plugged into my laptop. And actually don't bring in any security necessarily because the user has deviated from what I imagined them doing in terms of deploying this technology.
Definitely, you're right. So I think technology is important, a very important pillar for security, but behavior or understanding the behavior is also a very important pillar. And if you'd come to, let's say merchants, or I'm pretty diverse in companies, then we have also the aspect of education. So education and training, when it comes to security, when it comes to payment, when it comes to payment fraud, money laundering, and all that, it really has an impact on the daily behavior. And as I said, you could have the best technology, if it is not used or used in an improper way, then all the good ideas and good efforts are gone. And then we are back at very, very simple fraud mechanisms where no technology can help, because they are using the gap in the whole process chain, which was not really planned, but it's simply existing. The fraudsters are developing at the same, or even a faster speed than the professionals on the other side. And we have always to keep up to date.
And I think, you know, we talk a lot about the end-user behavior and how they might deviate from things. But I think the same consideration or same thought needs to be given for internal users. Again, thinking about technology where, you know, we might develop a solution or any of the security vendors develops a solution, thinking this is going to be the best way to protect data, to protect process. But if those internal users are not sufficiently informed and they don't end up using the technology the way that we designed it, then again, it leaves a hole open in the system. So I think as a vendor community, we equally need to concentrate on the use of our products, make them easy to use, to achieve the goals that we set out for them to do. So, you know, we really need to think about designing solutions that help users achieve their goals. And don't let them think about ways of deviating from that process to try and find a better way to do it.
Definitely agreed. So
I guess we talk a lot about the changes and maybe some of the difficulties that are coming up, but to be honest, I think as I said earlier, I'm really glad I made the decision to stay within payments. That is certainly an interesting place to be. And it's not all fighting the forces and doom and gloom. I think this is an exciting time to be part of the payments ecosystem. I think the challenge of banks, the alternative payment methods providing better ways of doing things to users, keeping the banks on their toes and forcing them really to remain relevant and introduce those same kinds of services. So I think, you know, a good amount of competition is keeping the world interesting with regard to payments, but as well, the new things that we see start to happen within FinTech, I think, are exciting, if that is pay with my voice, pay with my palm, or just pay by walking into a shop. I think these are exciting things to try and experiment with. We need to understand what the threat profile is in these environments. And, you know, I'm sure that we'll enter another phase of many trials and pilots of organizations trying to do new things, and there'll be some failures, but I think we're walking into this as a community with our eyes much more wide open than we did when we started introducing cards 20 or 30 years ago.
Definitely right. And I think avoiding to be attacked or hacked, we need technology on the one side, we need a very good understanding of customers' behavior and also in virtuous behavior. That's a very important point. We need education of all the people involved in the technology, and also regulation can help here. And for Europe, the European Commission just proposed a Digital Operational Resilience Act two weeks ago. So I think that is a constant challenge, but nevertheless, as you said, time is quite interesting. Things are moving, while we had one or two decades with very slow-moving development. We have now a plurality of different solutions on the table. And we have to see what's really usable with high security and also with the benefit for the customers, especially.
Yeah, absolutely. There is a huge amount of change happening at the moment. I think, you know, think about a couple of technologies that we've lived with for many years, mobile phone being one of them and, say, card payments as the other. There were a lot of mistakes made in the past. So there are great lessons, I think, to be learned from looking back in time at the solutions that we think of as legacy or as old-fashioned, where we've come a long, long way to make them the secure platforms that they are today. So, you know, I think leaving message is, look back at the legacy systems that we're trying to challenge, that we're trying to bring improvements to, but think about the security that they've introduced to mitigate against the variety of threats that we've seen as they become popular and as criminals have found ways to monetize them and extract that value.
And yes, and I think I have really to thank you because as you said, looking back to the last 20 or 30 years, that also gives me, as a digital dinosaur, the feeling that what I did in the past was not quite useless, even if you see not the development from day to day, but if you look back then 20 years and see what we all could use, you call it legacy, use also for the future. I think that's a quite good feeling for being a long time in the industry, but also gives quite good feeling for being curious for the future and for the future development. Yep. Absolutely.
Thank you very much. It's been a great time talking to you and look forward to catching up sometime in the future. Okay, great. Thanks a lot.
