Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn


78% of All Websites Link Here

See what I did there? I made up a statistic. (Or did I?) Statistics have a funny way of saying everything but what they were intended to do.

Why mention it now? Because 10% of you already stopped reading.

That linked stat was pretty close to accurate. Yesterday, I saw an article heading making the credit union rounds. It said “87.9% Of U.S. Adults Do Not Use Mobile Banking”.

Wait, only one out of ten people use mobile banking? Then why the focus on the platform from every bank, credit union, and community bank? The number seemed off, and by a lot. A quick search located an article from Wikipedia citing a 2012 study of mobile banking usage worldwide. In it, the United States was said to be at 32% penetration. And that was 4 years ago, before Apple caved and gave you all giant-screened iPhones. You know, the distant past!

So we’ve determined the statistic is wrong. But flat-out incorrect, or just taken out of context? I mean, 64% of all statistics are contorted to get your point across. I dug deeper. The credit union publication’s article linked to another source, who linked to the original source of the statistic. Unfortunately, it was a statistic clearinghouse which requires payment for access to statistical data (irony, anyone?). I could not locate where that stat originated. However, this is my prediction:

A survey was conducted to determine American adults’ mobile banking habits. A first question set the stage by asking if they ever used mobile banking. For those who answered no, it may have asked one more question of why (convenience, features, security, etc.). This is where our questionable number originates. The majority of respondents felt that their banking needs were met without ever opening the mobile banking app. Which is valuable information on its own. But now we have context.

The 87.9% was a share of a much smaller group, those who don’t use mobile banking, not of the whole. Let me see if I can make this visual:

[Figure: Mobile Banking Usage Chart]

Does that make sense? The stats, taken out of context, told the wrong story. However, they still tell an important story, just a different one. Your members do use mobile banking, but is there enough value for them to bother over the convenience of already being at their work computer? Can they easily process bill payer on a Sunday evening? Send money to a friend after a friendly game of cards?

And that, my friends, is why you always check the source and context of any statistics. I’m told 58% of people don’t, so be part of the (made-up) minority!

Image credit: Me, after a 10-minute stint on Pages, and realizing my “87.9%” segment is nowhere near 87.9%. Hey, it got the point across, right?

Image credit (feature): Me, after realizing making up statistics is actually really hard and settling on making a college preference statement instead.

A Merchant Breach Rant For You To Empathize

This CUbit is an extension of a comment I shared on a CUInsight article today. You can view the full story (and my comment) here. Background: Wendy’s appears to have experienced a POS (Point of Sale) breach sometime in the past, oh, few years. The malware (bad software) has crept around their systems and locations under the radar, only mentioned briefly in a corporate report and supported by credit unions seeing increased debit card fraud from members who frequented the chain.

I don’t eat at Wendy’s, so my cards are not compromised (by this breach, at least). But why should that make a difference? Just because you enjoy an occasional Frosty doesn’t mean you should have to watch your account for fraud. And, in all honesty, when faced with limited options, I’ll have their baked potato. Will I pay with plastic? Of course. Will millions of others? Sure.

If you read my posts regularly, you’ll know this isn’t the first one on merchant breaches. Nor will it be the last. At least with how they’re treated today. The onus on security is akin to me paying someone to watch my car, having it stolen, then the watcher just looking at me while shrugging their shoulders. When was the last time you heard about a card breach affecting the issuer? That’s right, almost never. Because they care about security. In fact, they have regulations mandating their adherence to stringent policies. Whether you’re Bank of America, our regional community bank, or one of thousands of credit unions, you protect card information. And given how rarely an issue arises, I’d say you are all doing a great job.

(From this point, my original story comment is expanded upon, so if it looks familiar, that’s on purpose, and thank you for reading!)

My frustration isn’t with the credit unions. Not at all. It’s with the retailers. Wendy’s just happens to be the case in point today. Let me repeat what I’ve said before many times: We. Have. The. Technology. To. End. Breaches.

Between adopting EMV and contactless payment (Apple Pay, Android Pay, CU Wallet, etc.), we can have tokenized transactions at all purchases. This means your card number, unless physically lost/stolen, cannot be compromised. Even if the merchant’s system is crawling with malware. All the criminals get is a one-time use number (which is immediately identified as fraud when attempted again). The number you see on the piece of plastic never appears on their end.

Would new systems solve the problem? Mostly. But there is also an enormous number of dangerous practices still being performed. Know anything about PCI compliance? No way these actions would pass. Now you want examples, so here are two I’ve experienced in just the past few weeks. The first came while I was with a friend getting his car serviced. This wasn’t at a mom-and-pop shop; rather, he went to one of the largest dealerships in the southeast United States. What did they do upon payment? They photocopied his credit card, front and back, to store with his service paperwork.

Let me repeat: They took a picture of his credit card. Then they put it in a glass office with hundreds of others, in full view of staff and customers. “We lock that office”, they said. Color me comforted.

Another crazy action occurred just two days ago at a hotel in Los Angeles. Upon check-in, hotels like to keep your card on file for incidentals (or if you decide to rock-star-style destroy the room). That’s fine, and there’s a proper way to do it. This Comfort Inn (again, big company which knows better) took an imprint and put it with the regular paperwork, under no lock and key.

And we wonder why breaches are so common (imagine their security on digital if that’s how they treat in-person).

Since merchants (especially multi-nationals) have little responsibility in the breaches (it’s not like we’ve heard credit unions talk about this before…), they are slow to make any changes. If they had to bear 100% of the breach costs, do you think we’d still have major merchants doing such dumb things with your information?

As a technologist, it’s incredibly frustrating to see event after event of preventable breaches occur, while those completely not in the wrong have to bear the costs (the Big 3, community banks, and credit unions all included).

Plus, who likes having to reset all of your automatic payments and online shopping accounts?

Image credit: https://www.flickr.com/photos/111692634@N04/11406986014/

A Challenging Balance: Safety & Security

The debate between privacy, safety, and security has been ongoing for longer than I can guess. I wouldn’t be surprised if cave dwellers used secret passwords to enter adjoining caves or offer assistance in hunts. What were those codes worth to other tribes?

While we may have evolved in language skills and developed mind-boggling technology, the basic premise is unchanged. There is a perception that your privacy in some way compromises the security of the masses. If law enforcement cannot read your mail, then how will they stop the next terrorist attack? Obviously, the discussion merits far more than a short CUbit on this humble blogger’s site. I won’t argue that point. There is a place to strike balances between the privacy rights of individuals and the security responsibilities of your government. But this balance should never tip excessively in favor of the latter. I’d argue it must always lean towards the individual. Even if that person has committed heinous crimes?

There’s the rub. To collect evidence against this one person would put the security of a billion others (most of whom are not citizens of this country, and therefore not beholden to its laws) at risk. Is the balance needle moved?

This precise situation came to a head yesterday. Remember that time a person shot a bunch of innocent people in San Bernardino? Yeah, no love for them and deepest sympathies to the victims and their families. Well, the shooter owned an iPhone 5C and the FBI wants to collect information from it. Unfortunately for their investigation, the suspect used a passcode. As you may know from your own devices, you can only get it wrong 10 times and the device will erase itself. This feature is so good that the FBI cannot bypass it. So, they did what you’d expect…ask for a key. Since iOS 8 (we’re on iOS 9.2, or 9.3 on beta), Apple stopped keeping encryption keys. This means only the person with the passcode can access the phone’s data, not Apple. The FBI went to court against Apple on the matter. Early this week, a Federal judge ruled that Apple must provide a way for the FBI to access the phone.

They refused.

“So Apple sides with terrorists?” you may say. No, they side with their customers. You see, to modify one device would mean opening all of them up to this same intrusion. “But it can prevent another shooting or even a terrorist attack!” This is circular reasoning, as it presumes the result at the outset. I could just as easily say that it causes a terrorist attack since malicious actors used this “backdoor” to access a government official’s phone. In that case, the argument would be that we should encrypt and secure our devices better. Not to mention all the cases where a suspect’s information could now be accessed by authorities with impunity. All that encryption and security would then mean nothing. It would be akin to having a state of the art deadbolt on your door, but not adding hinges.

Is there a solution? Yes, but it’s not great, and it’s a bug. Companies regularly offer “bug bounties”, or cash rewards, to hackers finding security issues in their software. If the FBI wants this information so badly, offer an enormous bug bounty, say, $5 million, to crack the iPhone’s encryption. However, stipulate that payment only occurs if the flaw is not publicly disclosed and is submitted to the FBI and Apple simultaneously. That way, the FBI gets what they want (access to the suspect’s phone), Apple doesn’t compromise their values or the software (and gains an opportunity to fix a flaw, making it more secure for all), and none of us lose security for the sake of one investigation. Perfect? No. It’s possible no one will figure out how to bypass the passcode lock. Then what?

What’s your take? Can you think of a better way to satisfy all parties? Is there a way to truly balance privacy and security? The comments are open.

PS – This affects your credit union and members, too. Just swap “key to phone” with “key to member data”.


© 2017 Credit Union Geek
