I’ve been in the security business for literally decades. I don’t look it, because I started when I was two. In the old days, as in the 80’s and even early 90’s, organizations would launch new systems, customer-facing and otherwise, and then after the fact figure out how to secure them. So these safety measures were always overlays, not intrinsic or natural. New interfaces often were launched without the gold star of utter security. Nowadays, vendors like to say that the product isn’t real until the documentation is published and the first demo is available. But it took years for the industry to also say, this thing isn’t real until we’ve mostly guaranteed it can’t be compromised.
At times, more generic approaches are needed to account for all possibilities, such as API gateways that can provide endpoints for any REST or other kinds of calls, or web server plug-ins that authenticate and provide SSO regardless of the target URL on the back end. But for specific use cases requiring very particular policies, I was forever working on projects to retrofit security, because of the lack of foresight on the part of developers and product managers. I like to think we’re well past that, but in fact we’re not always.
The theme of this year’s Money2020 in Las Vegas is “Creating the Future of Money.” Another tag line reads “Where the Future of Money is Invented.” It could be “What’s Money Going to Look Like Next Year?” Which is not a bad way to think about it, since people are already speculating about how spending and payments will take place after peer-to-peer, crypto, and whatever telepathic methods get stale. And “money” doesn’t just refer to the currency per se but also its other characteristics, such as how it interacts with the ecosystem. Crypto, for example, isn’t just a thing sitting in an account. It comes with an entire storage and delivery methodology.
Just as the first steps in solving a problem are: 1) admitting you have one and then 2) determining the approach, the first steps in securing money are 1) knowing the kinds of people you’re doing business with, and then 2) recognizing them when they show up with their palms out.
You could say that the poorly-named, strangely-intended Patriot Act put an official stamp on the process by insisting that you can’t execute financial transactions with people until you know who they are. It was originally designed to combat the funding of terrorism, but it’s been used waaaaay more against common racketeering, and to enforce that notion of identifying the parties to a financial relationship. Hopefully the banks, lenders, and credit issuers would all be verifying the identities of their customers regardless. This is hardly the future for money. Nobody wants to get ripped off by doing business with bad people.
The future of money means increasing its footprint. Reaching out to the unbanked or underbanked. Making financing available to young people who would like to establish themselves but get locked out for all the wrong reasons (such as that old catch: you can’t get credit unless you, well, have credit). Identity-proofing those with seemingly insufficient history or other profile attributes. More good people in the money pool, with fewer bad people beside them, makes for a more robust environment. The trust that comes with positive outcomes, and the more rapid acquisition of those positive outcomes with less friction, powers the engine of commerce.
Future money identification
Therefore the future of money truly means building that trust and streamlining the process of plugging in good actors and deflecting bad actors. You’ll feel way better hiking in the woods if you know everybody else you’re with knows how to build a fire and defend against mountain lions.
So what does that future really look like? The foundation is already there, to identify and certify consumers for loans and credit cards, but the execution still eludes many institutions, because of the costs, because of the complexity of building multiple layers, because of the uncertainty of one’s own defenses. There are financial institutions that tolerate more risk with the assumption that more good loans and accounts will make up for the ones who go sour. Yes, your uncle will come over and fix your wi-fi, but he’ll be bringing his unemployed kid who will drink all your beer. Life is a trade-off.
But does it have to be? Besides, if more crooks get away with fraud, they’ll only be encouraged to keep at it.
That retrofitted security I referred to earlier? It often meant employing what we called “defense in depth,” as in “I encrypt the data, I mask the data, I obfuscate the path to the data, I require multi-factor authentication and enhanced access to reach the data.” And that’s good stuff. But when you employ multiple layers to perform the same task, such as by using one gizmo to validate an applicant’s email, another to validate the phone, another to validate the address, and so on, ouch. What happens when one says “yea” and the other says “nay?” Are you checking more than one source, to ensure that you won’t reject an applicant because the data you’re checking is stale?
Are you leaving money on the table because those false positives incorrectly label good people as bad? Are you forcing good applicants to jump through the hoops of KBA and manual review, practically inviting them to bail on you, because your identity verification process is under-powered? Are you giving access to bad people because they provided somebody else’s legit profile data? In other words, are you losing potential revenue while feeding the fraud beast?
This is what we solve at Socure. We get those good people on as quickly and easily as possible, keeping any potential friction to an absolute minimum. And we do this by:
- Checking applicants against multiple data sources
- Employing deep machine learning to train our fraud models using crazy amounts of data, representing known outcomes across hundreds of millions of transactions, at a scale nobody else approaches
- Rolling those multiple point solutions for email, phone, address, hat size, etc. into one powerful, encapsulated model, and making sure they all point to a single individual instead of some scarecrow constructed from stolen bits of other people’s profiles
The future of money means more strong swimmers in the pool. We just have to help them ease into the water without having to cannonball. We’ll also weed out the sharks. Talk to us about how to help your organization see and secure the future of its own money.
If you’re at Money2020, we’re at Booth #4326. We’re easy to spot, since we’re all wearing orange. Like a bunch of happy little pumpkins. Halloween’s coming, after all.
Jeff Scheidel is a technologist with 34 years in software, including 26 years in security solution design. He is the author of numerous white papers on security and regulatory compliance, as well as a McGraw-Hill book on identity, access, database, and application protection. Jeff is an expert on compliance requirements across a number of industries, and has presented at a wide variety of security events.