A Merchant Breach Rant For You To Empathize

This CUbit is an extension of a comment I shared on a CUInsight article today. You can view the full story (and my comment) here. Background: Wendy’s appears to have experienced a POS (Point of Sale) breach sometime in the past, oh, few years. The malware (bad software) has crept around their systems and locations under the radar, only mentioned briefly in a corporate report and supported by credit unions seeing increased debit card fraud from members who frequented the chain.

I don’t eat at Wendy’s, so my cards are not compromised (by this breach, at least). But why should that make a difference? Just because you enjoy an occasional Frosty doesn’t mean you should have to watch your account for fraud. And, in all honesty, when faced with limited options, I’ll have their baked potato. Will I pay with plastic? Of course. Will millions of others? Sure.

If you read my posts regularly, you’ll know this isn’t the first one on merchant breaches. Nor will it be the last. At least with how they’re treated today. The onus on security is akin to me paying someone to watch my car, having it stolen, then the watcher just looking at me while shrugging their shoulders. When was the last time you heard about a card breach affecting the issuer? That’s right, almost never. Because they care about security. In fact, they have regulations mandating their adherence to stringent policies. Whether you’re Bank of America, our regional community bank, or one of thousands of credit unions, you protect card information. And given how rarely an issue arises, I’d say you are all doing a great job.

(From this point, my original story comment is expanded upon, so if it looks familiar, that’s on purpose, and thank you for reading!)

My frustration isn’t with the credit unions. Not at all. It’s with the retailers. Wendy’s just happens to be the case in point today. Let me repeat what I’ve said before many times: We. Have. The. Technology. To. End. Breaches.

Between adopting EMV and contactless payment (Apple Pay, Android Pay, CU Wallet, etc.), we can have tokenized transactions for every purchase. This means your card number, unless physically lost/stolen, cannot be compromised. Even if the merchant’s system is crawling with malware. All the criminals get is a one-time use number (which is immediately identified as fraud when attempted again). The number you see on the piece of plastic never appears on their end.

Would new systems solve the problem? Mostly. But there is also an enormous number of dangerous practices still being performed. Know anything about PCI compliance? No way these actions would pass. Now you want examples, so here are two I’ve experienced in just the past few weeks. The first came while I was with a friend getting his car serviced. This wasn’t at a mom-and-pop shop; rather, he went to one of the largest dealerships in the southeast United States. What did they do upon payment? They photocopied his credit card, front and back, to store with his service paperwork.

Let me repeat: They took a picture of his credit card. Then they put it in a glass office with hundreds of others, in full view of staff and customers. “We lock that office”, they said. Color me comforted.

Another crazy action occurred just two days ago at a hotel in Los Angeles. Upon check-in, hotels like to keep your card on file for incidentals (or if you decide to rock-star-style destroy the room). That’s fine, and there’s a proper way to do it. This Comfort Inn (again, big company which knows better) took an imprint and put it with the regular paperwork, under no lock and key.

And we wonder why breaches are so common (imagine their digital security if that’s how they treat cards in person).

Since merchants (especially multi-nationals) have little responsibility in the breaches (it’s not like we’ve heard credit unions talk about this before…), they are slow to make any changes. If they had to bear 100% of the breach costs, do you think we’d still have major merchants doing such dumb things with your information?

As a technologist, it’s incredibly frustrating to see event after event of preventable breaches occur, while those who are completely not in the wrong have to bear the costs (the Big 3, community banks, and credit unions all included).

Plus, who likes having to reset all of your automatic payments and online shopping accounts?

Image credit: https://www.flickr.com/photos/111692634@N04/11406986014/

Yeah, Another Hack

This isn’t the first CUbit you’ve read discussing a hack. Wasn’t the first about cars?

Well, there’s another high-profile hack to discuss today. This time, cyber criminals hit Starwood Hotels across the country. Starwood is the parent company, but I’m sure you’ll recognize Sheraton, Westin, even the Dolphin hotel at Walt Disney World. If you’ve stayed at any of these properties in the past year, keep an eye on your credit/debit cards.

How did they do it? “Who cares?” you say, “the data is already stolen, and it’s always the same thing.” To some extent, you’re right. Obviously, people looking to take your money gained access to your data somewhere down the line. What I consider important is the point on the line where it happens. First, kudos to the entire banking industry, since we almost never hear about leaks stemming from their end. Your security processes mean the low-hanging fruit for criminals is somewhere else. That “somewhere else” is at the point of sale. Malware (read: software made to do mean things) was installed on POS systems, so every card swiped could potentially be saved for later use.

I have a few issues with this type of hack, which tends to be a more common approach. The primary being: It’s completely avoidable!

That’s right. There’s no reason for any card information to be stolen in this way, ever again. We have two advances to thank:

1. EMV chips. You know that gold square on your card? It houses a computer chip which creates a one-time use card number and does some other voodoo along the way to increase security. However, it’s not always used! That chip (and the security that comes with it) only runs when you insert your card in the bottom slot, not when it’s swiped. Personally, I’d never swipe with an EMV card if at all possible. When I was in Peru, we ate at a restaurant where the server came to our table with the card machine. He inserted our EMV cards into the slot, right there. No one walked away with the card. That was the norm. As EMV cards become ubiquitous, this should be demanded here, too.

2. Mobile or Tap to Pay. Systems like Apple Pay and Android Pay bypass the attack vector of this hack as well. Like EMV, they pass a one-time use number to the system, and hold your card number close to the vest. On iPhones and some Android phones, they also require a fingerprint, further ensuring the person paying is actually you. These mobile payment platforms protect your data from everyone, sometimes to the chagrin of the merchants (who want that data for marketing purposes). The tap-capable cards use the same tech (just without going through Apple or another company).
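The one-time-number idea in the two items above (and in the tokenization paragraph of the Wendy’s post earlier on this page), as an added example that is not from the original posts: a simplified Python model, not the EMV or Apple Pay specification, showing what a compromised terminal can record and why the issuer declines it a second time. The `Issuer` and `Wallet` classes, the HMAC-over-counter construction and the test card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, token, counter, amount_cents):
    # Per-transaction value: only the key holder can compute it for a given counter.
    data = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Issuer:
    """Keeps the real card number and key; the merchant terminal sees neither."""
    def __init__(self):
        self._vault = {}  # token -> card number, key, highest counter accepted
    def provision(self, card_number):
        token, key = "T" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = {"card": card_number, "key": key, "last": 0}
        return token, key
    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return "DECLINED: unknown token"
        expected = cryptogram(entry["key"], msg["token"], msg["counter"], msg["amount_cents"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: bad cryptogram"
        if msg["counter"] <= entry["last"]:
            return "DECLINED: replayed transaction"  # same one-time value seen twice
        entry["last"] = msg["counter"]
        return "APPROVED"

class Wallet:
    """Stands in for the chip or phone: holds the token and key, never sends the card number."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0
    def pay(self, amount_cents):
        self._counter += 1
        return {"token": self.token, "counter": self._counter, "amount_cents": amount_cents,
                "cryptogram": cryptogram(self._key, self.token, self._counter, amount_cents)}

def demo():
    card = "4111111111111111"  # constructed test number, not a real card
    issuer = Issuer()
    wallet = Wallet(*issuer.provision(card))
    seen_by_terminal = wallet.pay(599)  # everything a compromised POS could record
    first = issuer.authorize(seen_by_terminal)
    replay = issuer.authorize(dict(seen_by_terminal))
    altered = issuer.authorize({**seen_by_terminal, "counter": 2, "amount_cents": 99900})
    return first, replay, altered, card in repr(seen_by_terminal)

if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` confirms the card number is absent from the message the terminal handled, which is the property a magnetic-stripe swipe lacks.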

Bottom line: You’re going to see these hacks on a regular basis. Whether your information is part of the leaks is partially up to you. Are you using an EMV card, and doing so in the bottom slot, every time? Or did you add your cards to Apple Pay and “touch to pay” wherever you go?

No security is 100%, but by embracing the best tech we have (and mobile payment is awfully convenient, too), you can reduce the chances of needing to have your card replaced again and again.

Making Change With Your Change

Unless you were in cryogenic storage on your way to Pandora (the moon, not the music service), you’re likely aware of the Apple event held Tuesday (September 9).  Among the wonderful surprises they had for us was Apple Pay (properly written with the Apple logo in place of the word “Apple”…Mac users, that’s Option-Shift-K).

Tim Cook explained that their goal was to make the lowly leather wallet a thing of the past.  Apple Pay is their first step in that direction (though I would say the iPhone began the journey, carrying photos, cards, and more, but, stay on topic here, Joe).  Is it as revolutionary as implied?

Yes.

Apple is unique amongst technology companies.  They are rarely first to announce/release anything.  In fact, they are often last.  Music players?  Archos had decent-enough MP3 players long before the iPod.  Phones?  Palm, Microsoft, and RIM (Blackberry) made smartphones for years prior to the iPhone announcement.  Tablets?  You could buy a Windows tablet way back in the 90s.  Was it terrible?  Only if you wanted to use it like in Star Trek.

Waiting is a tough pill to swallow.  You’re watching potential market share pass you by, and shareholders see profits missed in every competitor’s sale.  But, if done strategically, it can make you great. More about waiting in the future.

Google has had a mobile payment system for a few years now, called Google Wallet.  It integrates with Android (and iOS) devices, and on certain phones, can support touch-to-pay at merchants using compatible terminals.  No credit cards to carry or swipe.

Sound familiar?

In principle, Pay is no different than efforts made before.  It imagines a future where we pay for things easily and securely by waving our phone (or wrist) in front of sensors or tapping a button on a website.  Money is transferred.  We get our coffee.  The universe is happy.

What makes their platform unique is scale, trust, and integration.  At launch, over 80% of cardholders will be supported by large banks and Navy Federal.  I’m certain the second line of launches is not far behind.  Where can you use the system?  Well, launching with over 200,000 places ready to go is nice.

Knowing every Whole Foods you enter will accept your phone to pay is reassuring.  Then there’s trust.  I won’t delve into what makes the system so secure, only the most visible: a fingerprint.  To pay, you “sign” by validating your fingerprint.  Can’t fake that one.  Finally, the concept is integrated into places both in the real world and online.

Sites/apps will have a “Buy with Apple Pay” button, eliminating the need to enter your name, address, card number, expiration date, or anything.  Again, verify with a finger, and you’re done.

Does Apple make money from it?  Sure.  Does it make our lives just a bit easier?  Definitely.  I realized yesterday that Apple obsesses over the things we consider minor annoyances. What bothers you is a critical flaw for them.

Frustrated you left the light on in the living room before leaving for a trip? Properly equipped, you can get a notice when your phone detects you’ve left the house, asking you if it should be turned off (or just turn it off automatically).  Did you leave the credit card you wanted to use for shopping at home?  That’s ok, you can just tap it in your phone (or watch).

Integration of our lives digitally is happening.  Claiming each improvement is only a small change with no revolutionary impact is being short-sighted.  Seldom do we realize we’re living a new chapter in the next generation’s history books.  This was another turn of the page (or screen, on the hovering-holo-e-book-reader).  If you’re not already preparing for this and what will evolve from it, you’re falling behind.

Image credit:  Peter Fertig from Pixabay.
