You might remember that my mother has been visiting us since just before Christmas, and you might also remember that I’m from the US, so…that’s where she lives. Not only that, it’s where she banks and where she has her mobile phone service (unsurprisingly).
Given the almost daily deafening stampede of credit card details we see in the news, many banks have ratcheted up their security fraud thresholds considerably, and the two places I spend most of my time, South Africa and Brazil, are hot-spots on the global fraud source heat map.
I’m not going to name names here in terms of the banks, but there are two that I want to talk about. Both of said banks provide mobile apps for their customers for accessing their balances, making payments, finding branches and all that stuff. And both banks are “traditional” in that they don’t offer nearly the flexibility in managing their cards or accounts like some of the newer, online-only banks like Nubank or Azlo, so basically, if you have a problem, then your self-service options for fixing the problem are…somewhat limited.
I could also mention a third bank which says quite earnestly that “we’re here for you, wherever you go”…as long as you don’t need them outside of 7am-6pm, M-F US/Central time, but I’ll save those stories for another day.
So, as we all probably know, the traditional approach to fraud notifications employed by banks today are potentially one of the following:
- Sending you an email that asks you to validate the transaction
- Sending you an SMS that basically does the same, or
- Trying to call you.
Now, imagine if you happen to be traveling in a foreign country using a typical US phone. As you may or may not know, the US mobile phone system works dramatically differently than in most of the rest of the world because you pay to both make and receive calls and messages. And, as a result, adding on a short-term “international” package is still stupidly expensive.
If you have a modern version of iOS, you have the option of Wi-Fi calling, which will allow you to have access to your local number outside the US as if you were in the US. Given my world, I couldn’t live without this feature.
However, what you may or may not know is that you need to activate Wi-Fi calling while you’re physically in the US due to 911 emergency response regulations. So, if you have a relatively new phone, and decide to make a somewhat spontaneous trip under somewhat hectic circumstances, let’s just say that the odds of you remembering this little detail about something that you activate maybe once when you get a new device – if you see the value in activating it at all…
…are somewhere between piss-poor and unbelievable.
Exactly as it was in this case.
So, you arrive in your foreign destination with your interoperable money in the form of credit and debit cards, but you don’t have immediate, automatic – or sometimes even easy – access to ANY of the primary support channels required should you have any trouble.
No roaming service to receive calls.
No roaming service to receive SMS messages.
No roaming data service and only privacy-stealing, public Wi-Fi- access points to access your email and internet support services.
And you go to try and make a purchase with your interoperable money, and your attempt is blocked as fraudulent—despite the fact of pre-alerting them of your travel plans.
You’re effectively left to about as old-school of a collect (or reversed charge) phone call—assuming you can find a phone.
But even if you call them, which fortunately she could given my T-mobile super phone and fantastic global call and data roaming plan (no, I don’t get kickbacks, but I’d be hard-pressed to do the business I do the way I do it without that service)…
…they still want to send you an email or SMS to validate your identity—or, God forbid, call you back on the number you’ve previously registered.
It’s almost like the BBC skit about buying the bread rolls, “If the real world worked like online shopping,” skit that’s making the rounds this week on social media.
So, the bank’s “secure” because they haven’t lost any money…
…but the bank’s NOT “secure” in ensuring they have a happy, loyal and satisfied customer that won’t jerk every cent out of their accounts with you and take it somewhere else (unfortunately, probably as equally bad).
That’s lesson 1: making sure you find the right balance of value and security. Maybe this is explicitly a decision someone made, or maybe it isn’t. The fact is, it should be at least on the “yes, but only 0.0001% of our customers would be affected by that, and even if they left, we’d only lose $10M of $100,000,000 billion in revenue, so that’s ok” list.
Most of the time, it isn’t a conscious decision. It’s an unexpected systemic behavior.
Now, the difference between the 2 banks:
Bank 1: only will identify you with an SMS or a call back to the registered number which either a) doesn’t work because of no roaming, or b) is a fixed-line phone you can’t take with you.
Bank 2: uses the functionality of their existing, highly-likely-to-be-installed-by-the-customer mobile banking app to send “secure” validation codes to their customer.
I’m not going to get into the whole code sending scam stuff, because that’s not the point, and it’s a whole different problem.
Lesson 2 comes back to the issue of control that you seem me harping on about all the time. Far too often we end up nearly killing ourselves – either physically or mentally – trying to control things we really can’t because we don’t understand the nature of control. Almost every time we forget the limits of what we can control, we get in trouble.
So, if I already have a channel a customer installs, where do I have the most control? On that channel, or on one that I have no idea how, when or how often it’ll be connected—or how much it’ll cost the customer to have that connection?
Bank 2 said, “hey, let’s build that into the app,” and so, with a shared key to the guest Wi-Fi in the shop and while speaking with the agent on the super phone, the message was sent, received, confirmed, and – other than the time taken which shouldn’t have been required in the first place – the operation was completed smoothly.
Similar transaction with Bank 1: no solution other than to use card from Bank 2 and earn the ire of the customer.
If you don’t think there’s literally dozens of security architecture decisions in each one of those scenarios I’ve just been blathering on about, then I’m not sure if even joining the upcoming cohort of the flagship learning experience, Building Effective Security Architectures, would help you understand the layers of value to each of the security customers involved that would need to be considered when deciding what the most appropriate security solution should be.
Of course, it’s something we spend 2 weeks talking about during the course, and then we come back in the final 2 weeks to tie it all together in how to build architectures from top-down, bottom-up and, the rarely discussed, but in my experience the most frequent case, “middle-out” perspective. But even then, it might not be enough for the veil of mystery to be lifted.
Now, if you do understand and recognize these things already, but you’re not as quick to identify, understand or communicate them effectively to the rest of the team and your organization as a whole, then you too might just get something out of popping in for the duration of the cohort.
Only you can decide if it’s worth it to you or not.
When you do, here’s the link to join us if you’re ready:
Andrew S. Townley
Archistry Chief Executive