What have we learned amid the breaches that have snared millions of individuals? Equifax, of course, is among only the latest of the headline-grabbers.
Put another way: What haven’t we learned?
If the definition of insanity is doing the same thing time and again and expecting different results, then perhaps the way we pay through, and interact with, online banking may have a hint of madness, or at least complacency.
In an interview with PYMNTS, InterComputer’s president and CEO, Scott Volmar, delved into the staggering numbers that lay out in stark terms the ravages of cybercrime.
Here’s a wakeup call of sorts: Volmar noted that in recent months, the U.K. banking authority – more commonly known as the Financial Conduct Authority (FCA) – has seen cybercrime balloon to theft on the order of £8 billion, with 89 hacked banks in the U.K.
Weak spots across the pond: Online banking, where the web is a portal (no pun intended) through which cybercriminals gain access and hurt clients. In the wake of the FCA assessments, Barclays shut down its online banking conduits for two weeks to deal with vulnerabilities and change log-in processes and other credentials, only allowing banking to take place during normal business hours.
Studies abound on the impact of payments fraud, said Volmar. Two of those studies stand in stark contrast to one another. The Federal Reserve issued a payments study in 2015 that did not tally fraud but only discussed it subjectively, perhaps because the data may have proven disheartening.
Conversely, JPMorgan Chase published a study last year that showed 74 percent of executives surveyed said their firms had experienced some type of cyber fraud. That 74 percent tally, said Volmar, “is unthinkable. It’s unlivable. What organization can or wants to sustain even 0.1 percent of fraud?”
Yet, he noted, banks build into their profit margins an allowance for payments fraud, functioning almost like a loan loss reserve. Within the JPMorgan data, in 2016, fraud by payment type found critical mass in checks at 75 percent of fraudulent activity in the U.S., primarily through B2B. Wire transfer was 46 percent of fraudulent activity.
And though the web may offer convenience, it offers not much in the way of security. “The point of all this is that we continue to use the web for something it was not designed to do. It was not designed to protect data or identities or even generate good identities. The insanity element is that we keep adding a security product here and a security product there, and the hackers overcome that as well,” Volmar said of online banking.
The CEO pointed out that most people may not understand the difference between the World Wide Web and the internet. The latter is the infrastructure backbone, and sitting on top of that are rules and protocols that form the World Wide Web. “The web is a wonderful way to share data, but a very weak way of protecting it.”
Volmar said that one solution is the private internet, where the web “cannot intermix with … computers’ private lines. Nor can email intermix with it.” And without all that interaction, the private internet would eliminate a large swath of cybercrime. Layers of protection can help authenticate users who should be allowed to transact.
In this case, when the private internet works in tandem with other methodologies, Volmar believes it can eliminate the physical space that exists between two people trying to conduct a transaction. “You have to know with 100 percent certainty that they are who they say they are and that they can do what they say they can do … and then commerce goes forward,” he explained, adding that “we need this secured digital foundation that people can rely on.” The (insecure) web connections that are linked throughout the credit card systems are vulnerable to credit card and debit card fraud.
When taken in isolation, biometrics isn’t the silver bullet either, said Volmar, suggesting that if a fingerprint scan goes into a database that is stored in the cloud, which then somehow gets hacked, the prints will be out there. Layering multiple security and fraud protocols that could include biometrics is the best way to effectively authenticate the consumer.
The use of the internet to form the private networks about which Volmar speaks is something he and his team have been working on for many years. PrivateLine uses a secure transmission protocol called InMail, offering digital certificates and real-time, reconciled clearing and settlement between financial firms via its Trusted Settlement offering. In essence, Volmar said, these networks are both private and permissioned, akin to the distributed ledger technologies being developed for deployment in financial services today.
As with other permissioned distributed ledger networks, scale is always a challenge. Security only works if both ends are using the network — and the world is a big place with lots of banks.
What’s the one thing that is in short supply as technology evolves? Time. One school of thought holds that evolution happens at a pace that was once reserved for revolution.
During the discussion, Volmar said that blockchain has evolved beyond its ties with bitcoin, and scale has come as a result: “Blockchain is no longer blockchain. That has been thrown out” in favor of what he called “blockchain-like” technology.
The key difference between the two is the absence of the need for mining to prove that transactions are authentic.
Volmar noted that Ripple had sought to use blockchain to do international payments, but has found problems with scale. The mining process and peer-to-peer (P2P) aspects of blockchain were eventually eliminated in favor of putting a distributed host in place, with web-based security.
The latest developments in the blockchain have illuminated the need businesses have to transact with one another in cyberspace. But beyond business-to-business (B2B) payments, in eCommerce and payments at large, the industry is chaotic and in flux. Volmar noted that less than 20 percent of potential eCommerce transactions are being conducted online.
In efforts to scale such digital activities, process matters, of course, as it does with any endeavor. InterComputer’s own adherence to “blockchain-like” principles can help scale come to fruition. If all banks mapped their customer account systems or altered their web delivery systems to run on ICN with PrivateLine, he told Webster, they would be connecting all consumer and organizational customers. Bank merchant customers could benefit from PrivateLine connections for money transfers from account-to-account (real-time) payments.
For mobile and credit cards, merchant banks and their merchant partners can examine where web interface vulnerabilities exist and replace those connections with PrivateLine connections to their own private networks. The B2B eCommerce puzzle is no longer a puzzle when trusted digital interoperability is visible to executive teams and boards. Other private networks will then emerge, he told Webster.
Secured messaging and transactions, Volmar posited, help point out the flaws of traditional banking, where “the free and open model winds up costing money — a lot of money — and reputations in the end.”