So today, I'd like to share with you a little thing that'll probably have a big impact.
It's a fun game -- take something innocuous, and see if you can follow the impact trail.
Exhibit One -- The RSA Card
Shown here is an interesting prototype of a new, credit-card format version of RSA's one-time password technology.
It's the size and shape of an ordinary credit card. Matter of fact, you can embed this technology in just about any credit card you'd be carrying right now.
And every time you press the button, you get another one-time password that supports the two-factor authentication we all know and love from the token world.
Doesn't seem like a big thing, does it? Just smooshing one technology into another ...
But the first time I saw this, I started thinking about everything it could change. Some of this may come to pass, some may not, but it's an interesting exercise.
Tokens Are Not Fun To Carry Around
If you're like me, you jump online during the day in a variety of circumstances. Sometimes I have my token with me, sometimes I don't.
If I had a card-format thingie in my wallet, there's a lot less chance that I won't have it with me, and a whole heckuva better chance that I won't lose (er, misplace) the device.
So, right away, a better, more consistent user experience. And less cost/hassle to deploy. I don't seem to space out on my driver's license, as an example.
That much is pretty obvious.
Hmm, What If My Credit Card Had This?
If you're like me, you use your credit cards everywhere. And I'm sure that with each of the hundreds of uses per year, every transaction is securely encrypted and stored, never ever to leak out.
And, if you believe that, I'd refer you to my post on the TJX aftermath ...
The fact is that anyone with my credit card number and few other bits of information can do some serious damage. Yes, my liability is limited, but it's a royal pain in the butt when it happens.
The credit card companies responded by adding a three-digit code to the card that's supposed to ensure you really have the card in your hand. Nice, but ineffective, because anyone with that three-digit code is free to use your credit card, even if they don't physically have it.
As a consumer, it'd be nice if I could offer this one-time password -- and have it authenticated in real time -- after which the card number (and its one-time password) is useless.
I'm sure the credit card companies see the value in this, but as a consumer -- I'd like this as well.
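To make the difference concrete, here is an added example (not from the post, and not RSA's proprietary SecurID algorithm) that uses RFC 4226 HOTP as a stand-in for the card's code generator, with a constructed demo secret and test card number. The Card, Issuer, hotp and static_code_accepts names and the look-ahead window of 5 presses are assumptions for this illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real issuer would hold a per-card secret in an HSM.
CARD_SECRET = b"demo-card-secret-0000000000000000"
DEMO_CARD_NUMBER = "4111111111111111"  # well-known test number, not a real account


def static_code_accepts(stored_code: str, presented: str) -> bool:
    """Today's three-digit code: one fixed value, valid for every transaction,
    so anyone who captured it once can keep using it."""
    return hmac.compare_digest(stored_code, presented)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (stand-in for RSA's algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Card:
    """The card itself: every button press advances a counter and shows a new code."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        self.counter += 1
        return hotp(self.secret, self.counter)


class Issuer:
    """Issuer-side real-time check: a code is good once, inside a small look-ahead
    window (presses that never reached a merchant), and never again."""

    def __init__(self, window: int = 5):
        self.window = window
        self.cards = {}  # card number -> [shared secret, last accepted counter]

    def enroll(self, card_number: str, secret: bytes) -> None:
        self.cards[card_number] = [secret, 0]

    def authorize(self, card_number: str, code: str) -> bool:
        entry = self.cards.get(card_number)
        if entry is None:
            return False
        secret, last = entry
        for c in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(hotp(secret, c), code):
                entry[1] = c  # this code and every older one are now spent
                return True
        return False  # stale, replayed or forged code
```

A captured code that is presented a second time fails the issuer check, which is exactly the property the static three-digit code lacks.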
Yes, It's Really Me Buying This
I've got another beef -- the fraud-detection algorithms on my credit cards. I travel a lot. Sometimes I buy weird stuff in weird places. My wife and kids use the cards.
And about once a week, one of us will try to use a credit card, and we'll get denied because we triggered some fraud detection algorithm.
The banks claim that this is a good thing, and consumers really like having their transactions denied so that they can chat with their friendly credit card companies on a frequent basis, but -- to me -- this is an increasing pain in the patootie.
This kind of one-time password eliminates most of the need for this sort of thing, and I'll be a happier consumer if my card works when I want it to work.
A Trusted Relationship With My Financial Provider
I'm amazed that a user name and password will get you into most financial sites. My banking site, my 401k site, my investment site -- all seem to use a simple username/password to get in.
I don't like it one bit. I'd like stronger authentication, please. And if my financial service provider offered me a card like this one to get in securely, I'd feel pretty good about that financial provider.
I feel so strongly about this, I'd even switch providers if they could offer me something like this. I'd even trust them to conduct transactions with my other financial service providers in a kind of trusted-portal arrangement.
Heck, send me a branded credit card with the RSA thingie in it, and I'll happily use it.
How about you?
And Then There's IT Security
Funny thing about network security. Outside the firewall, you need VPN and RSA authentication to get in. But once inside the firewall, it's pretty much username / password to get at the company's most sensitive information.
That's not right. There's no logical reason why we shouldn't enforce more secure two-factor authentication on the really sensitive bits of information.
Part of the counter-argument is that it's too much of a hassle / expense to issue keyfobs to everyone. Hmm, everyone seems to already have a corporate credit card -- why not this?
So, Some Deeper Questions
How much do we lose on credit card fraud every year? I use the phrase "we" because -- at the end of the day -- we all pay for it. The credit card companies consider it a cost of doing business which we all help defray.
I, for one, would prefer to do business with a credit card company that understood this, and took reasonable steps to not only minimize fraud, but stop hassling me when I'm trying to use the darn thing.
How much do we lose with online fraud every year? Again, the "we" phrase -- because we all pay the bill. Again, I'd prefer to do business with any site -- especially a financial site -- that understood this. I'd even trust them to do other things for me.
How many of us live in anxiety due to rising identity theft? Simply because it's very easy for one person to masquerade as another?
Lots of details to work out here ... but you can hopefully see how little things can maybe make big impacts.
Like a credit card that's really secure ...

I, for one, would love it if our RSA security could be handled via something more compact. The keychains we have for EMC are pretty bulky, considering their limited use. Maybe they should also be laser-pointers!? :)
Posted by: Nathan Smith | August 27, 2007 at 06:18 PM
An excellent post, although I have to wonder how long this technology will take to reach the status of all the others; nice to have but it's been cracked, hacked, and smacked. We're not dealing with script kiddies any more, here. They are sophisticated high-tech criminals.
I would like to make one correction. You are right that we all pay for fraud but in the on-line world, it's the merchant that considers it a cost of doing business, not the credit card company. If you know of a single instance where the credit card company took the loss for on-line fraud and let the merchant keep his money, let me know.
Posted by: Tom Mahoney | August 27, 2007 at 09:39 PM
I will defer to you as to the subject of who gets soaked for fraud. But -- I think you'll agree -- either way, we all end up paying higher prices, regardless of who eats it.
Thanks for the comment!
Posted by: Chuck Hollis | August 27, 2007 at 11:53 PM
Yup, the merchant is going to pay for it. If the merchant goes belly up, the payment processors (Litle, etc.) take the hit on any chargebacks (aka contested charges).
That said, fraud comes with a lot of fees as well. These are sometimes negotiated with banks and Visa/MC.
In the end, the popular "we all pay for fraud" is probably accurate.
Posted by: Chris | August 28, 2007 at 11:10 AM
There's a constant battle between security and privacy. For items that belong to me (my assets at a bank or investment house) I certainly want them to know that it's me that's requesting access. But for financial transactions with merchants, many consumers are starting to want to be as anonymous as possible. Sure my credit card company needs to authorize that I'm good for the debit/credit, but I'd rather not leave a string of personal data around the web and at the places I shop.
The Identity 2.0 conversation is an interesting one worth following. It's trying to balance the items you so eloquently mentioned above while preserving privacy (when you want it) in the process.
Learn more at http://en.wikipedia.org/wiki/Identity_2.0
Posted by: Kraemer | August 28, 2007 at 11:16 AM
How about a little enhancement that would require fingerprint recognition before the security code would be displayed?
Now, that would add a level of complexity for hackers.
Posted by: Michelle | August 28, 2007 at 01:26 PM
Hi -- it sure would add a layer of complexity.
After thinking about it, my opinion would be that it's not worth it -- the biometric doesn't offer that much more protection and adds a ton of cost.
Given the SecurID approach above, you'd need to (a) steal the card, (b) know the PIN, and (c) make sure the real owner didn't report it missing. Just having a stolen card in your possession would be pretty much useless -- and I guess that's the point.
And there's another, more practical concern -- as far as I know, the basic biometric-on-a-card tech is still a lo-o-o-o-ong way out.
Thanks!
Posted by: Chuck Hollis | August 29, 2007 at 09:57 AM
Risk versus Reward!
The reason that companies have not adopted this into credit cards, public websites etc. is that the demand is just not there. Yes, there is online fraud and risk for the institutions, but they have built processes around this and the losses - insured - are minimal. When weighing this up against the additional (and not inconsiderable) cost of implementing another layer of authentication, such as SecurID, it's the more expensive and more cumbersome option.
Chuck, you're a techie and would probably gravitate to those sites that employ this extra layer, but the majority of customers are disinterested in this and would not wish to carry around one SecurID card for every secure website they wished to access, or an extra-bulky credit card with built-in authentication.
Posted by: Geoff Mitchell | August 31, 2007 at 12:50 PM
No, I'm not speaking as a techie, I am speaking as an uber-practical marketeer.
Most people wish to avoid risk, whether rational or not. We avoid unsafe cars, marginal airlines, and so on.
My survey of this topic shows that people have a semi-rational fear of identity theft, inappropriate use of their credit cards, someone hacking into their web accounts, and so on.
These perceptions of risk are probably out of proportion to the real risks, but that's human nature.
Should a smart company offer a consumer a "safer" credit card, or a "safer" financial web site (albeit at a modest premium), I would predict that such a company would be rewarded with customers who are willing to pay extra to avoid a bit of risk.
If you've ever known someone who's purchased the "extended warranty plan" for a car, or home electronics, you know what I'm talking about.
Thoughts?
Posted by: Chuck Hollis | August 31, 2007 at 09:30 PM