Hacked Off?

Companies holding vast quantities of customer data must be quaking in their boots this summer. Company after company has fallen prey to hackers and data breaches over the last few weeks, with Carphone Warehouse the latest victim after the Ashley Madison affair, which has only just played out.

Last night, hackers claimed to have released around 10 gigabytes of personal data from the Ashley Madison site, including card information, onto the dark web. In the long term the Ashley Madison breach could affect up to 40 million people globally.

With over 2.4 million Carphone customers affected here in the UK and the privacy watchdog called in to investigate, you can just begin to imagine the damage limitation taking place at their headquarters. With up to 90,000 people possibly having had their card details compromised, it raises the question: what can companies do to protect themselves and their reputations against the threat of cyber-attack?

Companies just love data. Lots of it. From names to addresses to what you like doing at the weekend. This information can have value for the business, but if it's valuable for companies, it's also valuable for hackers. Individuals affected by the Carphone Warehouse attack have been warned to be alert to phishing, as the data could be sold on. Those who buy this type of data will likely want to extract additional information from individuals through phishing in order to reach higher-value assets such as bank accounts, and a phishing message that already quotes your real name, address and recent purchase is far more convincing than a generic one.

With 2.4 million people's data on the loose in this latest breach, only a small percentage need fall for such attacks for it to have been worth the hackers' time.

This calls into question the value of data, and of the services that sit on top of it under the well-coined phrase “big data”. How many companies are actually using all the data they hold on their customers, and would it be less risky for businesses to cut down the data they hold while still managing their customer accounts effectively?

With reports that the big data market will increase sixfold in size by 2019, it's hard to see how these two trends can live happily side by side.

On one hand we have a trend of increasing data breaches and cyber-attacks on data; on the other, increasing data monetisation.

So what is the solution? We're finding that cryptographically enabled personal digital identities will increasingly become the answer to this endemic data breach problem. They allow the individual to be more in control of their personal data, limiting what they share if they want to, whilst at the same time the organisation can be confident it is transacting with the correct customer. Data an organisation never collects is data it cannot leak.

There are many new services out there, including federated digital identities, personal data stores, attribute exchange and signal sharing. Work through the Open Identity Exchange, Digital Catapult, the GSMA, Kantara and other organisations is exploring how these new methods and standards can help solve the problems of online identity and online fraud, and reduce how much personal data is shared, thus reducing the risk of personal data being stolen.

Innovate Identity has worked on many projects in this area, one of which is around attribute exchange, and has found that users prefer these new methods.

They are quicker and easier for users to perform, and users only consent to the minimum amount of data being shared, putting users back in control of their data and significantly decreasing risk overall.

For systemic problems we need systemic solutions. We need to put users back in control of their personal data and create a more secure Internet for everybody.

Are Security and Customer Experience Mutually Exclusive?

As online transactions increase in volume, so do customer expectations of a seamless online experience. As a consumer, you don't want to jump through hoops to complete your transaction. But on the other side of the coin, as transactions increase, so does the risk of online fraud. The merchant or payment provider has to weigh that fraud risk and put security measures in place to prevent its business making losses.

How do vendors juggle the customer requirement for a fast and effective online transaction with the business requirement to prevent fraudulent attacks?

Customer experience and security are often considered to be at polar ends of the spectrum. Creating a smooth customer journey while also preventing 100% of fraud is difficult at the best of times. At SXSW 2014, Edward Snowden challenged startups to combine exceptional user experience with privacy from the inception of a product, stating: “The tools that exist to enable secure end-to-end encryption are not very polished. You have to choose between a service that is easy-to-use and reliable and polished, and a tool that is highly secure and impossible for the average person to use.”

According to the TRUSTe 2014 privacy report, 74% of internet users were more worried about online privacy than in 2013, and more than 9 in 10 people worry about their privacy online and on social networks. A Harris Interactive poll last summer found that 7 in 10 people will not download an app they do not trust. Most organisations give users notice of how they manage fraud and use consumers' data somewhere in their terms and conditions. Yet how many of us actually read those lengthy terms and conditions? There are also many recent examples of organisations simply not telling users how their information is or has been used, such as the recent Facebook experiment. All this does is erode trust, and the internet needs trust to operate and grow.

In 1980 the Organisation for Economic Co-operation and Development (OECD), an intergovernmental body, first published its Privacy Guidelines, built around eight basic principles. In 1980 there was no World Wide Web, no mobile phones, no social networks, no wearable tech and no ‘big data’. Those guidelines still underpin much of the privacy regulation we are expected to adhere to today, and their notice and consent requirements have fallen far behind today's technology.

The lack of modern guidance makes it difficult for companies, merchants and payment providers to navigate the right path between security and privacy, especially when they are trying to acquire more customers and create a seamless online experience. It is particularly difficult across borders: a privacy process deemed acceptable in the US may not be in Germany or the UK. Equally, it is difficult to know whether customers actually care, and the question seems to divide them, which is no good if you have a ubiquitous product you want to sell to everyone. Baskets are being abandoned because of excessive security friction or because customers are concerned about how their personal information will be used.

The good news is that more guidance is coming. In 2013 (updated March 2014) Microsoft and Oxford University's Oxford Internet Institute (OII) published a report with recommendations for revising the 1980 OECD Guidelines and rethinking how consent should be managed in the internet age.

The report notes that expecting customers to manage all the notice and consent duties of their digital lives in 2014 is unrealistic when the rules were developed in 1980. It paves the way for merchants to understand how they might manage user consent today with the technologies now available. That will help many companies, because knowing what customers like and do not like lets them create better-targeted and more compelling products; without it, they may find it harder to build a successful ongoing relationship with their customers.

So, do customer experience and security requirements need to be mutually exclusive?

The answer is no, but gone are the days when one or two customer on-boarding journeys would suffice. User journeys will need to become more sophisticated, taking advantage of new technologies that deliver security while collecting only the proportionate amount of customer data to do so. These more sophisticated journeys will dynamically re-route customers in real time based on risk: a low-risk returning customer sails through, while an anomalous attempt is stepped up to stronger verification. Merchants and payment providers will need to put their customers at the heart of product development and test how real customers move through the transaction journey. Too often the product is tested but the customer journey is created in a vacuum without real customer input.
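
As an added example (not the article's own code, nor any vendor's product), the Python below sketches one way to re-route a checkout attempt on risk in real time: a few signals plus a velocity count over recent attempts from the same device produce a score, and the score chooses a frictionless, step-up or manual-review route, each asking only for the data that route needs. The weights, thresholds, the ten-minute window and the sample attempts are all assumptions.

```python
"""Risk-based routing for a checkout journey.

Added illustration, not the article's own code. Each attempt is scored from
a few signals plus a velocity check over recent attempts from the same
device; the score selects one of three routes, each of which requests only
the data it needs. Weights, thresholds, window and sample data are assumed
or constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: int              # seconds since an arbitrary epoch
    device_id: str
    ip_country: str
    card_country: str
    amount: float
    known_device: bool   # device previously seen for this account
    email_age_days: int


VELOCITY_WINDOW = 600            # assumption: 10 minutes
VELOCITY_LIMIT = 3               # assumption: prior attempts before escalating
STEP_UP_AT, REVIEW_AT = 30, 70   # assumed score thresholds

# Proportionate data request per route: the low-risk route collects the least.
DATA_FOR_ROUTE = {
    "frictionless": ["email"],
    "step_up": ["email", "one_time_code_to_verified_phone"],
    "review": ["email", "one_time_code_to_verified_phone", "proof_of_address"],
}


def prior_attempts_in_window(history, attempt):
    """Count earlier attempts from the same device inside the velocity window."""
    return sum(1 for a in history[attempt.device_id]
               if 0 <= attempt.ts - a.ts <= VELOCITY_WINDOW)


def score(attempt, history):
    """Return (score, reasons); every point carries an explanation."""
    total, reasons = 0, []
    if not attempt.known_device:
        total += 20
        reasons.append("unrecognised device")
    if attempt.ip_country != attempt.card_country:
        total += 30
        reasons.append(f"IP country {attempt.ip_country} differs from card country {attempt.card_country}")
    if attempt.amount > 500:
        total += 20
        reasons.append("high value order")
    if attempt.email_age_days < 7:
        total += 15
        reasons.append("email address newer than a week")
    velocity = prior_attempts_in_window(history, attempt)
    if velocity >= VELOCITY_LIMIT:
        total += 40
        reasons.append(f"{velocity} prior attempts from this device within {VELOCITY_WINDOW}s")
    return total, reasons


def route(attempt, history):
    """Decide the route for one attempt, then record it for later velocity checks."""
    total, reasons = score(attempt, history)
    history[attempt.device_id].append(attempt)
    if total >= REVIEW_AT:
        chosen = "review"
    elif total >= STEP_UP_AT:
        chosen = "step_up"
    else:
        chosen = "frictionless"
    return {"route": chosen, "score": total,
            "data_requested": DATA_FOR_ROUTE[chosen], "reasons": reasons}


def route_all(attempts):
    """Replay a stream of attempts in time order and return one decision each."""
    history = defaultdict(list)
    return [route(a, history) for a in sorted(attempts, key=lambda a: a.ts)]


# Constructed sample stream: a returning customer, a mismatched-country
# attempt, and four rapid attempts from one unknown device.
SAMPLE = [
    Attempt(0, "dev-home", "GB", "GB", 40.0, True, 900),
    Attempt(10, "dev-cafe", "GB", "US", 40.0, False, 30),
    Attempt(100, "dev-9", "GB", "GB", 900.0, False, 1),
    Attempt(200, "dev-9", "GB", "GB", 900.0, False, 1),
    Attempt(300, "dev-9", "GB", "GB", 900.0, False, 1),
    Attempt(400, "dev-9", "GB", "GB", 900.0, False, 1),
]

if __name__ == "__main__":
    for attempt, decision in zip(sorted(SAMPLE, key=lambda a: a.ts), route_all(SAMPLE)):
        print(attempt.device_id, decision["route"], decision["score"], decision["reasons"])
```

Running the sample stream routes the returning customer on a known device straight through, steps up the attempt whose IP and card countries differ, and sends the fourth attempt from the same unknown device within ten minutes to review. Two things are worth keeping from even this simple version: every decision carries its reasons so it can be explained to a reviewer or a customer, and the data requested grows with risk rather than being demanded up front from everyone.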

In the future, organisations will need to better engage and educate their customers on the personal data they need to complete a transaction, how they use it and why. This transparency should lead to fewer abandoned baskets and more fulfilled orders. How companies embrace this customer empowerment will be key to the critical balance of security, privacy, user trust and the holy grail of customer experience.

The Internet of Things and Identity

The internet has facilitated the communication revolution. How we connect with our friends, families and work colleagues has changed forever. With revolution comes evolution, a movement well underway thanks to the Internet of Things.

It is reported that by 2020 there will be 27 billion or more devices connected through the internet. These devices won't just be connected; they will interact with each other daily.

What Could the IoT Look Like in the Future?

Well, imagine if you ran out of your favourite juice; it could be ordered directly from your fridge. Think of going to your local gym where the machines and equipment know your workout as soon as you arrive, changing automatically to suit your level of fitness or your current health status.

The possibilities of IoT are even creeping into my own home. My husband keeps on talking about attaching a Tile (a tracking device) to our cat so we know her exact whereabouts. I still haven’t quite worked out if I’m interested in knowing the cat’s exact location (she’s probably getting fed at multiple houses on the street) but what I can tell you is the look on the cat’s face tells me it’s not happening any time soon.

It’s cliché to say but the possibilities (for humans and pets) really are endless.

Is it Hype or Reality?

The Internet of Things is scaling high on the hype-meter right now. Everybody seems to be talking about it, writing about it or in some cases already trying to build and use it.

An enthusiastic example sits on a 5-acre plot in Virginia, USA: the SmartThings House. More than 200 household appliances and objects, from the kitchen coffee maker to the garage door to the kids' trampoline, are all connected to the SmartThings system. These items no longer work solo; they work with one another. The system can automatically text an adult if a child leaves home, or ‘tell’ the air-conditioning to start powering up when the homeowners are on their way home.

Another example (again from the US) comes from HeatSync Labs [http://bit.ly/1960M4p], a hackerspace that has wired things up so that sending bitcoin from your mobile device makes a tiny toy doll do a hula dance.

The point? I’m not sure, but it raises intriguing questions about who will adopt and use IoT devices. Will the IoT just become toys for the wealthy and the geeks? Or will they gain momentum as ubiquitous devices that they’re hyped up to be?

What Could This Mean for Identity?

So imagine we’re surrounded by tiny, intelligent devices that capture data about how we live and what we do. Arguably, this is something that we already experience but the Internet of Things takes it up a notch by giving objects the ability to interact with one another.

For example, a health-related device like a Fitbit or Jawbone could collect your health and fitness information and, if your fitness is improving, feed it to your insurance company so that you can lower your premiums.

On the one hand this is great. Using IoT-networked devices to give information about their identity could unlock products and services people previously couldn't access.

However, we have seen some companies exploring the possibility of monitoring employees through wearable technology and this could mean a loss in both choice and privacy.

Security Will Be a Continued Concern

What is likely is that as connected devices scale, so will viruses and hacking. Having not fixed that problem today, it is evident that it will still be with us in the future. The argument is not whether system vulnerabilities can be eliminated; rather, it is how these security concerns are addressed that will affect the uptake of these devices.

Is Identity the Key?

In my opinion there doesn’t need to be a loss of privacy in using IoT objects. However, there does need to be some delineation between the personal information held by the organisation (and therefore on the device) and the personal information that is core to an individual’s identity.

There are a few approaches to this problem, but for any of them to be effective the relationship between people and organisations has to change. Devices could connect to a private network rather than the internet; for those devices that are connected to the public internet, encryption would be used to protect personal data both in transit and at rest on the device.

As things like the IoT become more sophisticated, so too should our ability to control our own personal data, our identity and our privacy. Only when the person is central to the transaction and has full control of their identity data will the Internet of Things truly work.

How the Collaborative Economy Relies on Digital “Trust”

“Collaborative Consumption”, “The Sharing Economy” and “Peer-to-Peer” are relatively new terms; the premise on which they rest is not. Since trade began, we have always tried to cut out the middleman.

The internet as an enabler

The internet has been the “collaborative consumption” enabler, allowing peers to reach each other faster and on a larger scale. As a result, it has disrupted traditional trade models. We now have a peer-to-peer model for almost everything, from better-known brands such as Airbnb, Zipcar and TaskRabbit through to new entrants like Lending Works.

The earliest “collaborative” model we can probably all think of is eBay. Founded back in 1995, eBay changed the way that people bought and sold second hand goods both on and offline.

Fast forward almost 20 years to the present day and we can now cut out the middleman in hotel stays, transport, financial services, odd jobs, as well as being able to rent pretty much anything you want, directly from the owner.

Let’s not forget that perhaps the newest (and most controversial) collaborative or peer-to-peer models are emerging from the payments and banking industry where we are seeing disruption through crypto-currencies like Bitcoin.

Collaborative consumption valued at USD 3.5 billion

With Forbes valuing the market at USD 3.5 billion in 2013, most people are still trying to understand the enormous social, economic and environmental potential of collaborative consumption on a global scale.

It's certainly a concern for the traditional models. It was only last week that we saw taxi drivers in the UK take to the streets of London in protest at the launch of Uber in the UK. To be honest, I don't think the person organising the protests had heard the phrase “no PR is bad PR”, with Uber claiming (and enjoying) an 850% rise in app downloads from the previous Wednesday.

Being a Londoner myself and having taken too many expensive taxi rides, I think the Uber app is a welcome addition. Whether certain sectors like it or not collaborative consumption is transforming business and consumerism.

These newer models can leave a void

However, the taxi drivers did make one very valid point last week. Where there are essentially very few standards by which the market operates, how do the peers in the market trust each other? More often than not, market disruption happens before standards or regulation are in place. As we have seen with Bitcoin, this leaves a void, with people trying to work out how they can gain comfort and confidence in this new way of doing things.

In the example of a taxi ride app, how do I know the person picking me up is OK? How does he or she know I'm OK too? A traditional model would require the taxi driver to have a CRB (Criminal Records Bureau, now the Disclosure and Barring Service) check, which is both an identity check and a criminal history check.

For those companies already entering a regulated space, such as peer-to-peer lending within the financial services industry, the answer is a little easier because they can fall back on existing frameworks such as Know-Your-Customer checks and anti-money laundering.

Does this newly formed industry simply seek to take out insurance after the horse has bolted, once something bad has already happened? Every business is built on its reputation, and the challenge for the sharing economy will be how it manages this.

Disruptive methods of trust creation

I believe the key to unlocking this industry lies in trust creation. Traditional ways of creating trust have often been to complete some level of identity verification. The challenge is in the fact that these traditional methods are often not contextual to the transaction and therefore impair the user experience.

For example, how would you feel if, when going to use a taxi ride app, you were required to type in your passport or ID card details before you could take a ride anywhere? This kind of identity verification is usually expensive from a merchant perspective and intrusive from a consumer perspective. It tends to leave both sides exposed, as the consumer's personal data is left with everyone they transact with.

So for a disruptive economy we need disruptive methods of trust creation. New models of creating online trust are emerging such as reputation-based personal clouds, personal data stores and user-centric identity.

User uptake will benefit everyone, worldwide

The good news is that through global industry collaboration many of these new models of identity already have trust frameworks with standards, scheme rules and governance in which they operate and interoperate.

In the long run these standards and frameworks should bring down the cost of creating an online identity, enabling digital identity to become ubiquitous across the internet whilst simultaneously creating and elevating trust.

The user uptake of these new identity models will enable these collaborative businesses to protect their reputations and allow their commercial model to fly.

User-centric Identity

This month, I once again contributed an article to The Paypers’ Voice of the Industry where I covered user-centric data and its impact on customer transactions. You can read the original post here.

User-centric Identity

We are in a time when customer expectations of their online experience are becoming ever more sophisticated. In tandem, some of the negative aspects of online privacy are becoming better understood and questioned by those customers. These issues affect us not only as merchants but also as consumers, and they are shaping the design of consumer identity globally. With user experience, speed of transaction, user control, privacy and security all high on the consumer's agenda when transacting online, the key question is whether current online identity offerings can provide the kind of system today's customer expects.

Or do new user centric or consumer identity models hold the key to frictionless customer transactions?

Imagine if as a consumer you could….

Book a flight providing just the identity information needed and no more, pay, and do it all with just 3 simple clicks on your mobile.

or
Register a new business, register said business for tax and open a business bank account – without having to send paperwork off or visiting a physical branch.

or
Vote in an election from the comfort of your own living room, securely, and on your mobile.

So what is user centric or consumer identity?

The aim of user centric identity is, as the name suggests, a system that holds the customer at the centre of the design. The user is able to share previously verified information with the required organisation to allow the transaction to take place, without having to share more personal information than the transaction requires.

Let's use an example where the customer is required to be over 18. Rather than provide larger quantities of personal information, which also adds friction to the transaction, the user need only share a previously verified yes/no answer: yes, they are over the legal age, or no, they are not. Information such as full name, date of birth, address, ID card, passport or driving licence would not be necessary, since the user is already age-verified and would then be allowed to purchase the age-restricted goods or services.
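
As an added illustration of the over-18 example above and of the attribute exchange described earlier on this page, the Python below is not Innovate Identity's code nor that of any particular scheme: it shows an issuer that holds a fully verified record releasing only a signed yes/no claim (over_18, over_30) under a pairwise pseudonym, and a merchant verifying the signature, audience, nonce and validity window before trusting it. The HMAC key shared between issuer and merchant, the pseudonym salt, the sample record and the timestamp are all assumptions.

```python
"""Selective disclosure of a verified attribute.

An identity provider holds a fully verified record (name, date of birth,
address) and, on request from a merchant, releases only a signed
"over_<N>" claim under a pairwise pseudonym. The merchant checks the
signature, audience, nonce and expiry and never learns the date of birth.

Illustrative design only: the shared HMAC key, the salt, the record and
the timestamps are assumptions, not any standard's values.
"""
import base64
import hashlib
import hmac
import json
from datetime import date, datetime, timezone

# Constructed sample record held by the issuer. It never leaves the issuer.
VERIFIED_RECORD = {
    "user_id": "user-1234",
    "full_name": "Jane Example",
    "date_of_birth": "1990-05-17",
    "address": "1 Sample Street, London",
}

# Assumed secrets: one MAC key per merchant, one private salt for pseudonyms.
MERCHANT_KEY = b"assumed-shared-secret-issuer-to-shop.example"
PAIRWISE_SALT = b"assumed-issuer-private-salt"
CLOCK_SKEW = 60  # seconds of tolerance on "issued at"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_over(date_of_birth: str, years: int, today: date) -> bool:
    """True if the person is at least `years` old on `today`."""
    born = date.fromisoformat(date_of_birth)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return age >= years


def pairwise_subject(user_id: str, audience: str) -> str:
    """Stable identifier per (user, merchant) that differs between merchants,
    so two merchants cannot join their records on it."""
    material = PAIRWISE_SALT + user_id.encode() + b"|" + audience.encode()
    return hashlib.sha256(material).hexdigest()[:32]


def issue_assertion(record, audience, requested, nonce, key, now, ttl=300):
    """Issuer side: derive only the requested yes/no claims and MAC them."""
    today = datetime.fromtimestamp(now, timezone.utc).date()
    claims = {}
    for name in requested:
        # Only "over_<N>" predicates are releasable; the raw DOB never is.
        if name.startswith("over_") and name[5:].isdigit():
            claims[name] = is_over(record["date_of_birth"], int(name[5:]), today)
        else:
            raise ValueError(f"claim not releasable: {name}")
    payload = {
        "sub": pairwise_subject(record["user_id"], audience),
        "aud": audience,
        "nonce": nonce,        # chosen by the merchant; defeats replay
        "iat": now,
        "exp": now + ttl,
        "claims": claims,
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_assertion(token, audience, nonce, key, now):
    """Merchant side: check the MAC first, then audience, nonce and time window."""
    body, tag = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["aud"] != audience:
        raise ValueError("assertion issued for a different merchant")
    if payload["nonce"] != nonce:
        raise ValueError("nonce mismatch: replayed or unsolicited assertion")
    if not (payload["iat"] - CLOCK_SKEW <= now < payload["exp"]):
        raise ValueError("assertion outside its validity window")
    return payload


def accepts(token, audience, nonce, key, now) -> bool:
    """Boolean wrapper for callers that only need a verdict."""
    try:
        verify_assertion(token, audience, nonce, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = 1440000000  # assumed "now": 2015-08-19 UTC
    tok = issue_assertion(VERIFIED_RECORD, "shop.example", ["over_18", "over_30"],
                          "merchant-nonce-1", MERCHANT_KEY, t)
    print(verify_assertion(tok, "shop.example", "merchant-nonce-1", MERCHANT_KEY, t))
```

The merchant-supplied nonce is what stops a captured assertion being replayed, the audience check stops an assertion issued for one merchant being presented to another, and the pairwise subject stops two merchants joining their records on a common identifier. A production scheme would use an asymmetric signature so the merchant cannot mint assertions itself; a shared HMAC key is used here only to keep the example dependency-free.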

Some will object to this design because they fear a lack of consumer data from such transactions, since the merchant only has access to the information it needs to complete the transaction. But if merchants want more data for their own analytics, they simply need to request it from the user, or ask how much information the user is willing to share. Data collected with the user's explicit permission is easier and safer to hold than ever before. This design also protects the user's privacy whilst reducing the security burden on the merchant.

Enabling a digital society

The aim of a user centric digital society is to enable users to access public and private services securely and conveniently in a privacy-enhanced and secure way. But to achieve this we need to understand the differences between now and what could be.

One of the critical differences in a user centric digital society is enabled through the infrastructure. Instead of one single, all-encompassing central system or identity database, the design is based on an open, decentralised system that links together multiple identity and security service providers. All of these security service providers would have met a set of standards to ensure they can be trusted to deliver into the ecosystem. This allows the safe, convenient and flexible exchange of private, government and corporate data.

The global economy

A number of countries are already using new security standards and identity models and openly state the financial benefits for their economies. One example is Estonia, where Mobile-ID allows users to verify their identities using their mobile phone as a secure token. Many more countries are moving in this direction, including the US, UK and New Zealand amongst others. All are adopting slightly different approaches, but the context remains the same.

Whilst there is not yet a global interoperable infrastructure for electronic identity, there are a number of programs already looking at how each country’s standards would work to allow these digital identities to not only federate within a given country but into other countries too.

Future opportunity not threat

If user centric identity design becomes widespread then the cost and speed of verifying a customer should (in the long term) significantly reduce. It should also enable customers to feel more secure and encourage a channel shift from offline to online. These moves can only bode well for ecommerce in country and cross-border global commerce.

Social Data for Identity

Last month, I contributed an article to The Paypers' Voice of the Industry on social data for identity in the digital marketplace.

The point I really wanted to emphasise is that the only way to unlock digital market opportunities is to create trust. This changing online market moves with innovation, speed and the ability to reach across borders, all at a level we have not seen before. As a result, the use of social data to provide trust has become increasingly common.

2.7 Billion People Are Online
That's a lot of people, almost unfathomable. Many are coming from emerging economies like the BRICs and the newly coined MINT countries (Mexico, Indonesia, Nigeria and Turkey). With experts touting them as the next economic giants, the question is how we can embrace these new markets whilst also managing the risks.

The most dependable solution is to create trust. But here is where it gets tricky: how do companies create such trust? The major culprit preventing growth in the digital market is fraud. This is where social data comes in. So how can social data legitimately answer this problem and consequently create trust?

Traditional Identity Footprints are Limited

Currently, numerous companies use credit data or identity documents to verify identity. Whilst extremely valuable for identity, credit data is limited by geography and by an individual's circumstances: someone with no credit history has no footprint to check. That makes trust difficult too.

It also leaves organisations with gaps in their ability to manage risk and on-board new customers. To combat this problem, we have seen organisations move towards new sources of “big data”, such as social data, to validate identity attributes.

Particularly among companies operating internationally, many use social data as an alternative to traditional forms of identity footprint. Using social data has also helped such companies achieve marketplace liquidity. Early adopters of these new methods include Airbnb, eBay and PayPal.


The New World of Big Data

Social data statistics from across the globe certainly kick-start some interesting conversations about this new big data and its use. Did you know social networks in China account for 1/6 of their total online population? Similarly in Russia, the main social network covers over 100 million of the 118 million-strong population. In the UK, 90% of 16 to 24 year olds own social media accounts. The opportunity certainly awaits those who take it.

China’s social media by numbers. Image from ministryoftofu.com

Russia’s internet consumers. Image from digitaleastfactor.com

We have no time to lose

Companies like Trulioo, Trustev and Veridu are already taking advantage of the trust offered by social data. They distinguish real accounts from fake ones, use visual knowledge-based authentication, and verify other identity attributes contained within the social profile.

Looking to higher influencers, even the European Commission urges us to embrace the wave of globalisation in order to exploit the opportunities offered by the digital market, something it believes is yet to occur, or at least not to its full potential.

What can merchants do?

As merchants, our goal is to facilitate the increase of cross border eCommerce, increasing GDP by creating greater digital access for all.

According to the Single Market Act II (2012), the internet economy already accounted for 21% of GDP growth in some key economies. In the same year, the proportion of EU residents who made purchases over the internet from another Member State rose gradually to 24%, up 5% from 2008.

Forty percent of shoppers in the European Union now use the internet to buy goods and services. However, 35% of internet users are not buying online because they have concerns about payment and delivery. Using the new big data and social data can help to close this gap.

As consumer confidence grows in online shopping and regulation changes to enable trade, European cross-border transactions could account for at least 20% of all eCommerce within the next five years. If European cross-border commerce could increase to 20%, it is estimated it would contribute a 4% growth in GDP across the whole of Europe.

With regulators and researchers like the Open Identity Exchange mulling over how these new methods fit with more traditional ones, I believe that social data, although still in its infancy, together with other “big data” like it and future innovations in this area, has the potential to take us into a new world of identity services and trusted transactions.

Anyone for Identipedia?

A Google search for ‘anti-fraud systems’ throws up 589 of the most ‘relevant’ results. On the first page alone, links range from anti-virus software to national systems used for fraud to the reported number of losses by the National Fraud Authority (NFA).

Typing in ‘identity verification service’ gets a similar number of results, anything from two-factor authentication to device fingerprinting to credit referencing agencies.

Scary stuff…. and I don’t just mean the amount of fraud reported by the NFA.

What isn't helping is the seemingly endless and apparently interchangeable terminology: one person's ‘identity’ or ‘fraud’ isn't the same as another's. Maybe it's about time we created our very own dictionary. Identipedia?

As an industry, we are so focused on making things sound sexy that we have forgotten we are supposed to make it clear to customers how to make a purchasing decision.

From a merchant’s perspective, wading through the plethora of systems and trying to understand what is beyond the sales pitch can be difficult and confusing. In some cases this has dire consequences.

I recently saw a client who had not reviewed their systems for a number of years. Upon analysis they found that with the “silver bullet” system they had in place, 83% of fraud cases passed straight through their identity checks. But didn’t someone say that identity systems stopped fraud!?

So what do we know?

I’m a big advocate for keeping things simple. So whilst we’re all swimming in a sea of acronyms we should also never lose sight of the basics.

There is a balance to strike with all of these systems (whatever we decide to call them), and the loss versus optimisation curve is how businesses should measure the right approach for them: getting good customers over the line with a good customer experience whilst keeping fraud losses down. Optimising one side alone is easy; declining everything stops the fraud and the business with it.

Internalising the following ideas and tactics into your decision-making process will make it easier to choose the right identity system for you.

Define your requirements – An ex-military friend of mine uses the following saying: “Time spent in reconnaissance is seldom wasted”. Never a truer word has been spoken in relation to purchasing decisions for these types of technology.

Organisations should spend time clearly defining their business requirements, needs, and strategy before buying any technology. Systems can increase efficiency but only when used correctly and in the right process. Technology should only be considered once the customer journey and experience has been defined and business rules are created. Without this technology can work against you, making things less efficient, not more.

People and process – People and process are the underpinning of any system. You must ensure that the technology is not expected to replace good people and process. It's about augmentation, not replacement.

Bring fraud and marketing together – Traditionally, fraud and marketing teams do not make decisions together, so each department buys a different point solution. Instead the two teams can work together: the same logic that identifies and prevents bad customers informs decisions on how to identify the good ones.

Test – Never buy without completing benchmark testing that compares suppliers side by side. The type of fraud your organisation experiences, or your customer demographics, may be similar to another company's, but they will not be exactly the same. Spend time designing the test around the outcomes you want to prove, and run it on your own historical transactions whose outcomes are already known. Supplier test data should typically only be used for technical integration testing, not to assess whether the system prevents fraud or can be used for identity proofing.

Keep it simple – A well-implemented, simple system that can be tailored will deliver ten times the value of a poorly implemented, off-the-shelf system. It is possible that re-visiting and optimising an existing system can also deliver value and may not require additional integration work.

Change will happen – Flexibility is critical, since things will always change, and it tends to follow a pattern like this: fraud threats change, business needs change, regulatory needs change, customer behaviour changes, and technology changes.

So we need technology that is flexible and on-demand to deal with such change, provided by suppliers that adapt to the market. In addition to adaptive technology, we need systematic reviews whenever something changes, and some level of tailoring of people, process and technology to ensure continuous optimisation. That way, we get more of the good customers and fewer of the bad ones...
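
To make the Test and Keep it simple points concrete, here is an added example (not the article's own code, nor any supplier's) of the benchmark a merchant can run on its own labelled history: each supplier's accept/review/reject decisions are replayed over past orders whose true outcome is known, and scored on fraud pass-through (the 83% figure above is this metric), false declines, review rate and net value. The orders, the two suppliers' decisions and the economics (10% margin, 5 per manual review) are constructed assumptions.

```python
"""Side-by-side supplier benchmark on your own labelled outcomes.

Added illustration, not the article's own code. Each supplier's decisions
are replayed over historical orders whose true outcome is known, and scored
on both sides of the loss versus optimisation curve: fraud that passed
through, and good customers who were declined or delayed. Orders, decisions
and the economics (margin, review cost) are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: float
    is_fraud: bool   # confirmed after the fact (chargeback, investigation)


@dataclass(frozen=True)
class Economics:
    margin: float = 0.10      # assumption: profit as a fraction of order value
    review_cost: float = 5.0  # assumption: cost of one manual review


def evaluate(orders, decisions, econ):
    """decisions maps order_id -> 'accept' | 'review' | 'reject'.

    A reviewed order is assumed to be resolved correctly: fraud is stopped,
    genuine orders are cleared, and the review itself costs money.
    """
    fraud_total = fraud_passed = genuine_total = genuine_declined = reviews = 0
    net = 0.0
    for order in orders:
        decision = decisions[order.order_id]
        if decision == "review":
            reviews += 1
            net -= econ.review_cost
        if order.is_fraud:
            fraud_total += 1
            if decision == "accept":
                fraud_passed += 1
                net -= order.amount          # goods gone and a chargeback
        else:
            genuine_total += 1
            if decision == "reject":
                genuine_declined += 1        # margin forgone, customer lost
            else:
                net += order.amount * econ.margin  # accepted or cleared after review
    return {
        "fraud_pass_through": fraud_passed / fraud_total if fraud_total else 0.0,
        "false_decline": genuine_declined / genuine_total if genuine_total else 0.0,
        "review_rate": reviews / len(orders),
        "net_value": net,
    }


def rank_suppliers(orders, supplier_decisions, econ):
    """Return (name, metrics) pairs, best net value first."""
    results = {name: evaluate(orders, dec, econ) for name, dec in supplier_decisions.items()}
    return sorted(results.items(), key=lambda kv: kv[1]["net_value"], reverse=True)


# Constructed replay set: six genuine orders and four confirmed frauds.
ORDERS = [
    Order("o1", 50.0, False), Order("o2", 120.0, False), Order("o3", 400.0, False),
    Order("o4", 900.0, False), Order("o5", 60.0, False), Order("o6", 75.0, False),
    Order("o7", 300.0, True), Order("o8", 800.0, True), Order("o9", 150.0, True),
    Order("o10", 450.0, True),
]

# Constructed supplier output: A declines only high values; B uses richer signals.
SUPPLIERS = {
    "supplier_a": {o.order_id: ("reject" if o.amount > 700 else "accept") for o in ORDERS},
    "supplier_b": {"o1": "accept", "o2": "accept", "o3": "review", "o4": "accept",
                   "o5": "accept", "o6": "accept", "o7": "review", "o8": "reject",
                   "o9": "review", "o10": "reject"},
}

if __name__ == "__main__":
    for name, metrics in rank_suppliers(ORDERS, SUPPLIERS, Economics()):
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On this constructed data supplier A looks fine on a sales slide (it declines "high-risk" high-value orders) yet passes three of the four frauds and declines the best genuine customer, while supplier B stops every fraud at the cost of three reviews. Replace the constructed orders with a few months of your own outcomes and the decisions with each supplier's replayed output, and set the margin and review cost to your own figures; the ranking is only as good as those numbers.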

The Opportunity

As an industry, we are starting to recognise the issues merchants may have in understanding the market. Clarity is one such issue. Recent initiatives like the launch of the Open Identity Exchange's OiXnet aim to provide clarity for the identity market through an online registry.

And others are doing their bit too. The MRC continues to ensure that presentations at its events are driven by the merchant, giving real life practical examples rather than just a sales pitch.

Despite complications there is a huge opportunity for merchants in getting this right. Combining classic theories like Moore’s Law with trends such as big data, social and mobile means that the acceleration of innovation is beyond what we have ever experienced before.

The market has to move towards increased customer centricity, simply because unless customers get a good on-boarding experience they will go elsewhere. For merchants that can manage their risk effectively and create a great experience, these profitable customers are there on the table for the taking.