Archive for the ‘security’ Category

Move over Visa, Mastercard, American Express and PayPal, here comes a REVOLUTION!

Monday, September 24th, 2007

While many banks and credit unions are dumping their card portfolios, this news makes one think “wow, smart move.” A new payment platform company named RevolutionMoney announced (today) their plans to yank the rug out from under traditional card payment processors by circumventing the credit card networks that charge merchants an average of 1.9% on transactions.

This couldn’t have come at a better time, as I spent two frustrating hours last night searching merchant account programs looking for a better deal for my wife’s new business. I went to bed with no resolution and angry.

Revolution Money believes they can reduce traditional fees by 75%; a mere fraction of what card companies are charging today. This is sure to make every merchant jump with joy, including myself. But this isn’t just a one trick pony. By no means the first to take on PayPal, RevolutionExchange (one of two products launched today) allows consumers to transfer funds to anybody via the Internet, for FREE! Think free international wire transfers!

Now, I don’t know if that is part of the deal, but it sure makes one ponder the possibilities. Do you know how many billions of dollars are transferred out of this country by individuals, and the fees they incur? So if it’s free, why would RevolutionExchange bother? Well, that brings us to the second product announced today, and a bombshell in itself.

The RevolutionCard is a highly secure alternative to the mag-stripe cards in your wallet and will be accepted using existing point of sale equipment. The RevolutionCard is a PIN based credit card with no visible or physical information on it. The card, of course, carries an APR on balances. It’s pretty novel, but whether or not it will be accepted by the masses remains to be seen.

But if anyone can pull this off it’s the impressive team behind Revolution Money. It’s a who’s who of heavy hitters. Former AOL chairman Steve Case is the main man behind it. AOL Vice Chair emeritus Ted Leonsis will chair the company. Joining him will be former Treasury Secretary Lawrence Summers, former Mastercard CEO Russell Hogg, former Charles Schwab CEO David Pottruck, former Vice Chairman of JPMorgan David Golden, and former CEO of Fannie Mae, Franklin Raines. The company recently announced a $50 million Series B round from Citi, Morgan Stanley, Deutsche Bank and others.

As Case puts it, “we have built an innovative Web 2.0 company based on the latest technology to disrupt the decades-old system with the goal of offering the industry’s most accessible, easy-to-use and secure payment system that puts money back where it belongs, in consumers’ pockets.”

Where do I apply?

Opportunities in ID Thievery

Thursday, September 13th, 2007

Three weeks ago I started getting letters from Certegy explaining that someone was using my name, address, and driver’s license number on fraudulent checks in Houston, Texas. Since I had never been a victim of ID theft (at least that I am aware of), I called Certegy then hit the couch with my laptop in a search for facts.

Wow, what a confusing world! Let me preface this by saying, I’m in the information security field and understand the many forms of ID scams that exist. What I soon realized is that ID theft is not only a big business for the criminals, it has become a big business for legitimate companies. All the estimates we see about the losses incurred by ID theft should include the revenues of the companies offering services to prevent it: insurance, credit monitoring, incident assistance, education, hand holding, account locking, etc. It’s an industry, folks! …and a competitive one, at that.

I dove into the details on this one because many of the financial institutions I work with have considered contracting with one of these companies to offer assistance to their account holders. I wanted to know if these services are worth the money and whether or not this is something the financial institutions should be offering.

After studying the market, the crimes, and the methods of protection, prevention, and resolution, and as a recent victim, here is my take. ID theft, card fraud, check fraud, etc. are diverse and dynamic. I think these services can be helpful in some cases, especially those where the consumer knows nothing about this problem, has no desire to understand it, and has some extra cash lying around. That being said, consumers should understand that the services vary. There are good companies and suspect companies offering these services. So that you don’t end up with a false sense of “protection,” it is highly advisable in this case to understand what you are buying. As much as these service providers want you to believe that all you have to do is spend 10 minutes signing up and SHAZAM! You’re protected. This is not always the case.

There are differences in these services. There are differences in the costs. Some services I’ve seen offer next to nothing for $9.99 a month. To be honest, you’ll spend just as much time determining what a company’s services really are as you would learning how to do this on your own. For free! And folks, it’s very easy to do if you know what to do.

So, do I think a bank or credit union should offer ID theft prevention/response services? Absolutely! I would love to have been able to contact my bank for some assistance. In fact, that is a huge relationship development opportunity that institutions could take advantage of.

Should they contract with one of these service providers? Well, that depends on what the service really is. Third party service provider due diligence comes to mind here! To put it in perspective, there is a widely recognized provider named Lifelock, that is endorsed by many reputable companies and is funded by two top venture capitalists. Google them to open the can of worms they are now dealing with. Would you want your institution’s name behind this company?

I did find a couple of providers (which I’m not going to name) that offer relatively valuable services. But I think if an institution is going to promote one of these services for a fee, they should also offer up advice on how their account holders can do this stuff on their own. It is really not that hard.

Lastly, nope, I don’t plan to subscribe to one of these services right now.

All right Bank of America! “out of band” MFA is now available!

Monday, September 10th, 2007

Bank of America has just done a great, great thing with their multi factor authentication solution. In a nutshell, they are now allowing customers to optionally sign up for an “out of band” second authentication factor. Isn’t that great! We are completely serious … this is a great step. And since it is optional for users, it sidesteps the whole “oh, it’s too much trouble for users” issue. If users want the added security and are willing to deal with a little extra work, then bingo, they can now do that at Bank of America.

The new solution is called SafePass™. SafePass™ delivers a one time use code via a text message to a user’s mobile device (aka phone). The code can only be used once and is only valid for 10 minutes. This is very similar to the hardware style tokens such as those from RSA and others, where you press a little button on the device and get a one time code (typically good for 60 seconds or so).

If you recall the discussion in the previous post, the point was made that “typical MFA” solutions as deployed by banks and credit unions today do NOT really protect a user if there are trojans/viruses involved, and that the only real way to beat some of these eavesdropping viruses is via some form of out of band authentication.

Bank of America has really differentiated here, and we applaud them wholeheartedly for that!

Many institutions are busy having recursive meetings and discussions where they debate the merits of out of band authentication, then lament the added complexity, and they never break out of this circle. Ok everyone, BofA has done it, so it’s ok for you to do it now.

Or as Southwest would say, “Ding, you are now free to implement out of band authentication.” (Note, that was a play on “Ding, you are now free to move about the country.”)
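To make the SafePass-style lifecycle concrete (issue a code over a second channel, accept it once, reject replays and anything older than 10 minutes), here is an added example written for this post. It is not Bank of America’s code; the class name, the `send_sms` transport callable, the injectable clock and the 6-digit code length are all assumptions, and the SMS is captured in a list so it runs offline.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # the post states codes are valid for 10 minutes
CODE_DIGITS = 6             # assumption: the post does not state the code length


class OutOfBandOtpVerifier:
    """Issues single-use codes over a second channel and verifies them."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # hypothetical transport: send_sms(phone, text)
        self._clock = clock        # injectable so expiry can be tested offline
        self._pending = {}         # user_id -> (code, expires_at)

    def issue(self, user_id, phone):
        # secrets (not random) so the code is unpredictable to an observer
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = (code, self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your sign-in code is {code}")
        return code  # returned only so a demo can play the role of the phone

    def verify(self, user_id, submitted):
        # Single use: the code is consumed on the first attempt, right or wrong,
        # so an attacker cannot guess repeatedly against the same code.
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False  # stale code, user must request a fresh one
        return hmac.compare_digest(code, submitted)  # constant-time compare


def demo():
    """Constructed walk-through: fresh code accepted, replay and expiry rejected."""
    now = [1_000_000.0]  # fake clock so the 10-minute window can be advanced
    sent = []            # stands in for the carrier's SMS delivery
    v = OutOfBandOtpVerifier(lambda phone, text: sent.append((phone, text)),
                             clock=lambda: now[0])
    code = v.issue("alice", "+1-555-0100")  # constructed, non-routable number
    first = v.verify("alice", code)         # the user types the code in
    replay = v.verify("alice", code)        # same code submitted again
    code2 = v.issue("alice", "+1-555-0100")
    now[0] += CODE_TTL_SECONDS + 1          # wait just past the 10-minute window
    expired = v.verify("alice", code2)
    return {"first": first, "replay": replay, "expired": expired,
            "sms_count": len(sent)}
```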

Does “typical MFA” protect against viruses, trojans, worms?

Saturday, September 8th, 2007

My answer is no.

First, some definitions:

Typical MFA: This is what most banks and credit unions have done in response to the FFIEC mandate. Basically a combination of:

  • some kind of device ID (looking at signatures based on browser info and cookies)
  • some additional challenge questions
  • showing the user something they should recognize (like a picture or text)

Virus, Trojan, Worms: All of these different types of nasties have one main thing in common, the end result is nasty code running loose on your machine. The differences between viruses, trojans and worms have mostly to do with delivery, which is an interesting discussion but not particularly relevant to this topic.

So here is why my (actually the) answer is no. Basically, any form of authentication that does not include some out of band data (like a hardware token, an SMS message, or a phone call) is susceptible to nasty code on the end point machine, because the nasty code can always intercept, capture, or reverse engineer whatever security trick is used.

Examples:

  • some MFA solutions make you click your password in with an on screen keyboard (sometimes the keys even move around, oh ah)
    • set up a WebEx session, invite someone to join and then log in to your online banking while they are watching; guess what, they just watched you click away and have your information.
    • it’s pretty darn easy for a hacker to create a nasty that acts just like WebEx without you even knowing
  • some MFA solutions have challenge questions
    • same WebEx example, so the hacker gets to learn your questions and answers
    • also, the hacker can delete the cookie on your machine that tells the MFA solution not to challenge this user/machine combination; that way the real user ends up being challenged every time he logs in, and guess what, the hacker now knows ALL the questions and answers
  • some MFA solutions show you a picture and a text as a way to boost your confidence that you are at the real site
    • first off, most people don’t really get that, and if the hacker put up a page without the image and text, most users would never even notice
    • but let’s assume people do pay attention; with the WebEx example, the hacker can see your shiny little picture easily enough
    • more than that, the hacker can actually scrape the image directly out of the browser so he even has a copy of the original picture, which gives him the ammo for one hell of a spear phishing site
  • some MFA solutions use device signatures, and say things like “our device signature data is based on 58 different characteristics of the end users machine!”
    • this is all completely spoofable by a hacker; if he’s got code on your machine, he can discover all 58 of those factors and just do the same
  • some MFA solutions use geo location to locate the user who is logging in, and then not allow the login or throw up some additional challenges
    • geo location data based on IP address is not that accurate, and completely spoofable to boot
    • and we already discussed how challenge questions do not cut it

So has this MFA exercise been just a big farce? Not completely; at the end of the day, it did put up some additional road blocks for the hackers and bad guys. But it was no more than roadblocks: a determined hacker can still get you, especially when the scenario involves an infected machine.