Wednesday, July 8, 2009

EV SSL Encryption Is Safe! "Yeah...Right!"

I posted many times that a web browser is not safe. "Especially" not safe for financial transactions. I've also posted that there was less of a risk that your cardholder data would be stolen if you "typed" your credit/debit card number in a box 2 years ago than there is today.  Tomorrow will see even more risk than today. 

That being the case, how well will we be prepared for what "tomorrow" brings?

I stand firm, and I stand tall in my belief that a web browser WAS NOT/IS NOT designed for eCommerce.  Therefore financial transactions MUST be done outside the browser space.


Much to my chagrin,  some industry "experts" callously (in my opinion) disagree and argue that it is in fact safe to type credit/debit card numbers into a box at a merchant website. (after all, we all need convenience, right?)

I've even read where they try and back it up with statements such as:
  "Oh, if you go to a site where it says "https://", the "s" stands for "secure" and that means the web page you are on is "definitely" safe."

Two words: "Yeah...Right...." (See "https = httBS")

Or I've heard these "experts" quoted as saying:
"Those "SSL certificates" are great, they definitely tell you that the web page you are visiting is protected by "secure socket layers" and that means for sure you are safe!"

Two Words: "Yeah...Right..." (See: "99% of SSL Secure Websites Are Not")

Then I've read where these "so-called experts" say:
"We need websites to move over to the "more secure" granddaddy of them all... EV SSL digital certificates! A website that implements Extended Validation SSL is even "safer than safe!" It's the "safest!""

Here's more on them "gushing" about the security of EV SSL...

Extended Validation (EV) SSL is considered by all to be more secure than SSL: "Calls for widespread EV SSL implementation are on the rise as SSL threats increase. Two years after its rollout, the "more secure" Extended Validation Secure Sockets Layer (EV SSL) digital certificate for authenticating Websites and securing Web sessions is used on more than 11,000 Websites worldwide."

"Calls for EV SSL adoption have intensified amid concerns of new man-in-the-middle (MITM) attacks targeting newly discovered weaknesses in SSL, namely the MD5 encryption algorithm hack that allows the creation of forged CA X.509 digital certificates, and the MITM attack demonstrated at Black Hat DC that basically makes users think they are visiting a secure Website when they are not."

Cool, EV SSL sounds great. So go ahead... if you see a website "protected" by EV SSL, then by all means, listen to the experts, because, after all...they know best. Their "analysis" should give you confidence to feel free to type your credit/debit card numbers into EV SSL protected websites. No worries!   
Wow, yeah, sounds great, that's the ticket! When will all the websites move to EV SSL, because EV SSL "really guarantees" a safe environment!   But before they do, I have just...

Two Words: (besides "Caveat Emptor")
"Yeah, Right!"  (see below)

Researchers to demonstrate new EV SSL man-in-the-middle hacks

Two security researchers' assault on Extended Validation (EV) SSL certificates will continue next month at the Black Hat Briefings. Alexander Sotirov and Mike Zusman, building on work presented in March at the CanSecWest 2009 security conference, are expected to demonstrate new attacks, including an offline hack that poisons a site protected by an EV certificate.

EV SSL certificates are supposed to offer an extra layer of protection for websites.

Sites protected with EV SSL encryption display the familiar green icon in the URL address bar. EV SSL certificates are more expensive than traditional SSL certificates (often by hundreds of dollars).

They also require substantial vetting of the buyer up front, including, in most instances, articles of incorporation, a verifiable physical location, a designated corporate agent who must be validated, and proof the organization is not prohibited by some sort of government embargo from doing business with a certificate authority, among other requirements.

While EV SSL certificates can guarantee to a degree that a website visitor has indeed landed on a legitimate website, they cannot guarantee the security of the elements on the site. Sotirov and Zusman have proved this conclusively.

Their research demonstrates that EV SSL-protected sites, once thought invulnerable to man-in-the-middle attacks, are indeed as susceptible to them as non-EV sites, largely because of a flaw in Web browsers' security models.

The flaws are universal, Sotirov said.

Editor's Note: Wait a minute, did they say "once thought invulnerable" followed by "susceptible" and then admitted there is a universal "flaw in Web Browser's security models?" 

Does that mean it's NOT okay to Enter/Type your credit/debit card numbers into a browser?  No matter what?  Even if they say it's safe?   Wow...who would have imagined? 
Next thing ya know, there will be a report that analyzes alternative payments and concludes it's safe to "mouse click" PIN numbers into a web browser. Yeah...Right!

Continue Reading the EV SSL Man in the Middle Attack Susceptibility Article


Analysts Say Google OS Threat to Microsoft

Analysts: Google has muscle for long-term battle with Microsoft Windows

Upcoming Chrome OS is latest weapon in Google's ongoing 'guerilla war' with Microsoft

Computerworld - As Google Inc. acknowledges that its engineers are working on an operating system for netbooks and PCs, analysts say it's the company in the best position to take on Microsoft Corp. and its vaunted Windows software.

In a blog item posted Tuesday night, Sundar Pichai, vice president of product management at Google, said the company is working to deliver the new Google Chrome OS in the second half of 2010. Noting that Google's engineers are "rethinking what operating systems should be," Pichai said the Chrome OS will be lightweight and open source.

It's a bold move for any company to tread in a market that has so long been stubbornly held in Microsoft's grip. Others have tried and failed to make a noticeable dent in Microsoft's worldwide share of the operating systems market. But Google, which would be considered the Goliath in most industry duels, has the financial muscle, the engineering might and the industry clout to actually put up a fight with an industry powerhouse like Microsoft, analysts said.

"I think they are fighting a guerilla war with Microsoft, with the goal of chipping away and gaining more market share over time. And this is well within their capabilities," said Dan Olds, principal analyst with The Gabriel Consulting Group. "It's also important to remember that Google doesn't need an OS to support its revenue stream. They have lots and lots of revenue from their advertising bread and butter. That means they have staying power and that's critically important in this market. If anyone is going to take on Microsoft successfully, Google has the resources, engineering, and time to do it."

Continue Reading at ComputerWorld Operating Systems

By the way, doesn't the Chrome Logo look like the Simon Game? I wonder if "Simon Says" so?

Apparently, I'm not alone as somebody put together the Chrome/Simon (they called it Chromon)

Here it is:

It Might Pay Again to Discover

Discover Financial Services Announces Pricing of Public Offering of Common Stock

  • Press Release
  • Source: Discover Financial Services
RIVERWOODS, Ill.--(BUSINESS WIRE)--Discover Financial Services (NYSE:DFS - News) today announced the pricing of a public offering of 54,054,055 shares of its common stock at a public offering price of $9.25 per share. The company has granted the underwriters a 30-day option to purchase up to an additional 8,108,108 shares to cover over-allotments, if any.

Discover will receive estimated net proceeds from the offering of approximately $480.3 million, or approximately $552.4 million if the underwriters choose to exercise the over-allotment option in full. The offering is expected to close on July 13, 2009. The net proceeds from the offering will be used for general corporate purposes, which may include capital contributions to the company’s subsidiary, Discover Bank, possible investments in the company’s businesses, or possible repurchase of fixed rate cumulative perpetual preferred stock issued by Discover to the U.S. Treasury under its Capital Purchase Program (subject to regulatory approval).

J.P. Morgan Securities Inc. is acting as the sole book-running manager for the common stock offering. A copy of the prospectus supplement and prospectus relating to these securities may be obtained, when available, by contacting J.P. Morgan Securities Inc., Attn: Prospectus Department, 4 Chase Metrotech Center, CS Level, Brooklyn, NY 11245 or by calling 1-718-242-8002

Meanwhile, here's "Barron's Take" on the offering:  It Will Pay Again to Discover


United Airlines on the Brink - Need Help from Processors

Cash squeeze may put United Airlines in a bind --
The global recession has caused airline ticket sales to plunge deeper than anyone -- carriers or analysts -- anticipated.

Rather than banking cash from peak-season flying this summer as they normally do, United and its peers are paying a king's ransom to borrow money to get them through the winter months, when demand for air travel usually chills.

But after leveraging everything from frequent-flier miles to spare jet engines, United is running low on assets that it can use as collateral for debt or sell to raise cash. That limits the Chicago carrier's options as it faces requirements by its credit card processors to keep unrestricted cash near the present level of $2.5 billion, analysts said.

The prospect of another lean winter for U.S. carriers could spur more consolidation, analysts said, with United and Houston-based Continental Airlines as the likeliest carriers to head back into merger negotiations.

Cash is tight across the airline industry, and Ft. Worth-based American Airlines and Tempe, Ariz.-based US Airways could also face liquidity crises if conditions deteriorate, analysts warned. American faces steep debt payments over the next year and pressure from a credit card processor. US Airways has little debt but thin cash reserves.

"The whole industry is looking at an erosion of liquidity and cash flow," said Bill Warlick, senior director and lead airline analyst with Fitch Ratings. "It's a very grim revenue picture."

The need for action is especially pressing for United. If its cash holdings decline, two major credit card processors, JPMorgan Chase & Co. and American Express, could require it to set aside hundreds of millions of dollars to safeguard advance bookings in case the company folds.

Under an agreement that took effect March 1, American Express requires United to pony up money on a sliding scale if its unrestricted cash falls below $2.4 billion. The lower United's cash, the greater the amount it must set aside. United may also pledge aircraft, real estate and other assets as collateral.

As of January 2010, Chase will require United to hold at least $2.5 billion, a provision that would have cost United $134 million had it been effective in May. If United's cash falls to $1 billion, Chase would require it to set aside half of its monthly credit card charges, according to a Securities and Exchange Commission filing.

While credit card firms pushed Frontier Airlines into bankruptcy last year, (See: Mayday! Mayday! Mayday! ) analysts think it very unlikely that they'd pursue similar drastic measures with United unless operations deteriorate to the point where the airline isn't viable.

Chase, in particular, has a deep partnership with United that gives it a vested interest in keeping the carrier aloft. Chase's Mileage Plus affinity card is one of its most popular credit cards, while the bank last year gave United $600 million for the advance purchase of frequent-flier miles. A Chase spokesman declined to comment.

"When you have big boys at the table like credit card companies, and a big airline like United, nobody is going to throw anybody into bankruptcy," King said. "They're going to find a way around it, unless there's no way around it."

Continue Reading at the Chicago Tribune


MoneyGram Signs Money Transfer Deal for ATM's with Saudi Bank

Forbes: MoneyGram International Inc. has signed a deal with National Commercial Bank, the largest bank in the Middle East, to offer a money transfer service at the bank's 1,400 ATM locations in Saudi Arabia. Financial terms were not disclosed.


UATP Announces VP Global Sales; Focus on Growing UATP Programs

UATP Announces Vice President, Global Sales; Focus on New Issuers and Growing UATP Programs | SYS-CON INDIA
WASHINGTON, July /PRNewswire/ -- Universal Air Travel Plan, Inc. (UATP) has a new Vice President, Global Sales, K. David Holmes III who has been promoted from Regional Commercial Director, The Americas, UATP, effective immediately. Holmes will focus on the recruitment of new airline Issuers and Merchants, growing existing UATP Issuer programs and expanding UATP's partner program with non-traditional forms of payment companies.

"Dave has extensive knowledge of travel payment as it interfaces with the airline industry and a successful sales record finding solutions for carriers," said Ralph Kaiser, president and CEO, UATP. "With over eight years at UATP, Dave is well positioned to continue his success as Vice President and grow UATP's global market share. His knowledge will continue to drive UATP into new channels and capitalize on expanding UATP's successful partner program, connecting airlines to non-traditional forms of payment."

UATP currently has eight payment partners including: Bill Me Later, HomeATM, Moneta, PayPal, Paysafecard, Stored Value Solutions, Acculynk and Ukash. For more information contact,

Contact K. David Holmes, III, Vice President, Global Sales at

About UATP

UATP accounts are accepted as a form of payment for corporate business travel by Amtrak, airlines and travel agencies worldwide. UATP accounts are issued by: Air New Zealand (ANZFF.PK), American Airlines (NYSE: AMR), Austrian Airlines (AUALF.PK), Continental Airlines (NYSE: CAL), Delta Air Lines (NYSE: DAL), Japan Airlines (JALSY.PK), Northwest Airlines, Qantas Airways, Ltd. (QUBSF.PK), United Airlines (Nasdaq: UAUA), and US Airways (NYSE: LCC). AirPlus International issues the UATP-based Company Account for: British Airways (LSE: BAY.L), Continental Airlines (NYSE: CAL), and Lufthansa German Airlines.


Unpredictable Gas Prices Push Shoppers Online

Chart of the Week: Unpredictable Gas Prices Push Shoppers Online

Consumers are comparing products online and doing more shopping at online retailers in an apparent concern about rising and unpredictable gasoline prices.

Internet marketing trend and research analysis firm eMarketer reported that some 14 percent of U.S. consumers were doing more shopping online and that 32 percent of U.S. consumers had done or would do more online price comparison as a result of fluctuating gas prices. The eMarketer analysis was based on a June 2009 survey that the National Retail Federation had commissioned to measure consumer attitudes ahead of the Fourth of July holiday.

Respondents to that survey generally planned to take fewer shopping trips (42.9 percent), shop sales more often (42.6 percent), and shop closer to home (40.4 percent) when they made purchases from traditional brick-and-mortar retailers.


CashStar Partners with Offers eGift Cards

CashStar Throws Its Gift Cards on the E-tail Table

It seemed like a logical leap: If you already provide shoppers with coupons online, what's to stop you from offering them an online source for e-gift cards? So the founders of online gift card company CashStar pooled resources with online shopping coupon mogul Coupons Inc. to create an outlet for merchants to offer more services than are available from plastic gift cards hanging on pegs in stores. Though CashStar's founders quickly were met with lots of encouragement, they had few takers in their efforts to sign up merchants to try out the e-gift card experience.

ID90 Technologies Partners with Moneta to Expand Payment Options

ID90T Partners with Moneta to Expand Payment Options – 50,000 Airline Employees May Choose Moneta for Online Travel Payments

ID90T, part of the ID90 Group, has partnered with Moneta Corporation to offer Moneta online payments to its fast-growing base of 50,000 airline employee users. Moneta, a growing alternative payment choice for online transactions, offers consumers and merchants a convenient, safe and affordable method for Internet ACH debit transactions directly from a consumer’s bank deposit account. ID90T provides online and Interline e-ticketing solutions for airline employee travel via its advanced web based Interline Fare Calculator® (IFC), the end-user interface to its Interline Ticketing Platform. ID90T facilitates immediate cost savings and unprecedented conveniences for airlines and their employees, while protecting and enhancing the travel privileges currently enjoyed by each airline employee.

“By partnering with Moneta, we realize significant savings on interchange while offering airline employees a safe, convenient way to pay for discounted travel,” said Tristan Schukraft, Managing Director of ID90T. “We are able to pass some of this cost savings along to airline employees as discounts for Moneta-based payments during the initial rollout period. During beta testing, we discovered that customers paying with Moneta had a higher average ticket spend, suggesting that this payment method was preferred over credit card transactions. We are very excited about the impact of the Moneta partnership to our bottom line.”

The ID90T partnership will rapidly expand Moneta’s existing user base of 70,000 enrolled members as the two companies pursue joint marketing programs to the 50,000 airline employees ID90T currently serves.

“The ID90T partnership demonstrates the opportunity for Moneta as a preferred alternative payment method for online retailers,” said Guido Sacchi, CEO of Moneta. “Travel providers and leading merchants like ID90T face many challenges in keeping costs low. We are committed to working with online retailers and travel providers to provide the lowest cost payment methods available.”

About Moneta Corporation

Moneta Corporation is a leading payments company offering secure, convenient methods for consumers to pay online merchants directly from their checking or money market accounts. Moneta partners with online merchants to accept and process payments, while providing financial institutions branding opportunities during the transaction process. Moneta’s rapidly growing partner network enables online retailers and travel providers to attract valuable customers with a preference for paying directly from their well-established bank accounts. Moneta is a privately-held company headquartered in Atlanta, Ga. For more information visit

About ID90T

ID90 TECHNOLOGIES, LLC (ID90T), provides innovative online and Interline e-ticketing and NIET solutions for airline employee travel via its advanced web based Interline Fare Calculator ® (IFC). ID90T facilitates immediate cost savings and unprecedented conveniences for airlines and their employees, helping airlines become compliant with IATA’s 100% e-ticketing mandate. Visit

Author Information

Carol Kleywegt
Moneta Corporation

Microsoft Death Blow Plot: Google Operating System

Google Plans to Launch Operating System for PCs

Google Inc. is preparing to launch an operating system for personal computers, a direct assault on the turf of software giant Microsoft Corp., which has long dominated the market for software that runs PC applications.

The Silicon Valley Internet giant announced the new move in a blog post late Tuesday night. It said the software, which will initially target low-end portable PCs called netbooks, would be based on its Chrome Web browser and available to consumers in the second-half of 2010.

The post--by Google's Sundar Pichai, vice president of product management, and Linus Upson, its engineering director -- said the ...

Continue Reading at Wall Street Journal
(subscription required) or here's a link to 1130 Related Articles

Here's one of the better ones from the Baltimore Sun:

And now, faithful readers, we receive news that Google is planning its own operating system, in a direct challenge to Microsoft and its Windows hegemony. The New York Times and tech-news site Ars Technica, broke the news on their respective websites. Inquiries from the press forced Google to disclose the news a day earlier, last night, on their official blog, which gives a light rundown on why they're doing what they're doing. In a nutshell, Google is looking to expand its Chrome web browser as an operating system for the cheap netbooks that have proliferated in the marketplace. Some initially believed we'd see a version of Android, Google's mobile computing platform, transmogrified into some type of operating system. But Google went with the Chrome platform instead. In the company's own words:

Speed, simplicity and security are the key aspects of Google Chrome OS. We're designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work.
So what does this all really mean? From a competitive standpoint, some folks, like the guys at TechCrunch, see it as Google dropping "a nuclear bomb" on Microsoft, which dominates the personal computer OS market.

Continue Reading at Baltimore Sun

US Bankcard Losses Increase 66.8% Y2Y

Standard and Poor says that losses on US bankcards reached a record 10% for the month and will continue to see losses that average between 10.5 and 12.5 over the next 12-18 months...

S&P said the losses among bankcard trusts in its U.S. Credit Card Quality Index reached a record 10 percent for the month, as unemployment continued to rise, making it difficult for consumers to pay down credit card debt. That was a 66.8 percent increase from May 2008. Bankcards generally carry the logos of MasterCard, Visa or American Express.

The year-over-year increase in May was slightly below the 70.9 percent jump in unemployment during the period. But the expansion of losses among the trusts over the past six months outpaced unemployment growth by 49.3 percent to 38.2 percent, S&P said.

Losses on U.S. retail cards, which include gas and department store cards, jumped to 12.2 percent, the highest point since S&P began tracking the statistic in January 2000.

S&P expects card losses to average between 10.5 and 12.5 percent for the next 12 to 18 months.


In eCommerce We (Don't) Trust - The Fickle Pickle

Oracle Report: Consumers Fickle About Ecommerce Security Controls

Nearly one-third of U.K.'s online shoppers don't trust online security measures, but most don't want additional controls if it affects ease and speed of transactions

Editor's Note: I don't blame them as I feel exactly the same way.  In fact, that's a major reason why HomeATM replicated the "brick and mortar" experience.  It's not slower, it's faster.  It's not frustrating, it's enamoring.  By swiping your card, "you are the power" behind the buying experience, whereas when you type, you don't know if you're "giving your power away" to fraudsters.

Let's look at this through the eyes of pure common sense:

First, wouldn't you agree that it is undeniably EASIER to "swipe" your card than "type" 14-16 digit card numbers, 8 digit expiration dates and 3 digit CVV numbers!  That doesn't sound "convenient."  And to those who say you've got all that stored on your PC, well, shame on you.  Can you say malware?

Second: It is undeniable that it's faster too.   One swipe vs. pick and peck and pick and peck and pick and peck and oops, gotta start over, must've dyslexiated one number somewhere.

Third: When it comes to familiarity, swiping their card is something that consumers do every day at brick and mortar locations, so in terms of making the user experience strong, convenient, with ease of use AND security, I would argue that at the end of the day, swiping will replace typing.   Whether it's Mag and PIN or Chip and PIN, it doesn't matter as HomeATM is EMV ready. 

Fourth:  Swiping is obviously more secure when the consumer's cardholder data is encrypted outside the browser space instead of "typed" into it. 

So what's the problem?  The naysayers cry, "Oh, you have to get the terminal into the hands of the consumers!"  So?  I never heard the argument to stay with paper and carbon because it would be too difficult to get Point of Sale Terminals out to all the retailers.  (Even though they cost about $2500 each)  So it is nonsensical to argue it is too much of a hassle to get them out to consumers...especially at $15.00 bucks each... 

  • Online consumers don't have much patience for security controls that slow or complicate their purchases -- even though they say they don't trust existing online security to keep them safe, according to a new report.

  • Two-thirds wanted more online security, but many still said that if this meant slower transaction processing, then they would find it frustrating.

  • Some 72 percent of consumers had experienced problems with online transactions, including slow processing speed or too many steps to go through.
  • This created a “dilemma” for online retailers, the report said, as they weighed up improving security against making user experience strong.  Editor's Note: Weighed up?  It's NOT "one or the other."  Hopefully I've made the point that it is possible to conduct a secure transaction and at the same time make the user experience strong.  There's NO dilemma here, I promise.

  • Most of those interviewed said they did not want two-factor security authentication outside the banking sector. Editor's Note: What?  Hold on, I was taking a sip of coffee when I read that and now it's coming out of my nose...
Okay...I'm back.  With all due respect to Oracle, I would humbly suggest they didn't ask the "online retailers" the "right" question...

Here's why:  Brick and mortar retailers have their customers "swipe" their card and "enter" their PIN each and every minute of each and every day.  That's "two-factor security authentication" folks.  What you have (your card) and what you know (your PIN) equals "two-factors". So why on earth would "most" of those interviewed say they did not want 2FA?     

Here's the question I'd like to ask online retailers:  "If you could offer your customers a truly secure way to pay, one with which they are already familiar, and, at the same time, create a card-present environment, which reduced your Interchange Fees by up to 100 basis points, Would you consider that a dilemma?"  Didn't think so.

Here's the Oracle Study:  But first an important quote:

"Low consumer confidence impacts revenue generation... but the inverse is also true: good security that increases confidence without creating further hassle, drives sales. Our research shows that smart retailers and their technology partners have an opportunity to build security into their value proposition, and in doing so, foster customer loyalty and increase revenue," said Marty Carroll, Director, Foviance.

“Consumer says no” – Oracle Study Suggests Current Security Technologies Impede Online Commerce
Significant opportunities for retailers with a more sophisticated security strategy to strengthen customer loyalty

Findings reveal a complex picture of consumer activity online with emotions and attitudes influencing behaviors

“Online Security: A Human Perspective”

  • Thames Valley Park, Reading, UK – July 06, 2009: Oracle Corporation UK Ltd today launched “Online Security: A Human Perspective” a report based on research by Foviance, the user experience consultancy
  • Foviance spoke to UK consumers, who regularly use the Internet about their experiences of online security and its impact on their behaviour. The study gathered quantitative data that was assessed in more detail through a diary study and focus groups. This approach offered both baseline statistics and a deeper understanding of consumer attitudes and behaviours
  • The quantitative survey covered 550 respondents and the diary study assessed the responses and habits of a sub-group of 24 people, asking them about their experiences of real-life online security situations. The focus groups brought this smaller panel together to qualify trends and extract greater detail about the initial findings
  • The research revealed three key areas of interest:

Current consumer attitudes to online security: mixed messages

  • Consumers appeared to have contradictory attitudes towards online security, with perceptions very much ‘press-led’ and fuelled by assumptions of the potential threats and expectations about their rights.
  • Consumers continued to list predictable threats, such as malware, spyware, identity theft and 30% said they do not trust central or local Government with their personal data.
  • Yet when questioned more closely respondents revealed a distinct contradiction between their attitudes and their understanding of the issues. For example, almost a third of survey respondents (30%) do not trust online security measures. When some members of the focus groups raised WiFi as a security threat, others agreed, but detailed questioning revealed a clear lack of understanding
  • Indeed the majority of survey respondents (70%) blamed themselves as the primary cause of their IT security problems, which suggests they accept their ‘culpability.’ That said, nearly a quarter (24.9%) blamed the website, brand or technology if they experienced login problems
  • The focus groups also revealed consumers showed no desire to understand the mechanics of IT security in more detail and had high expectations about their rights if affected by a security threat
  • However, consumers go on to suggest they would not respond favourably to stricter security. Despite two thirds (66%) stating they would be more confident online if websites imposed additional security measures, they were unlikely to accept these measures if it meant the transaction process increased in either time or complexity. In fact, 26% reported that such measures would drive them onto competitors’ sites.
  • This creates a dilemma for less recognised brands to reassure prospective customers and for larger brands that have been hit by a security issue. How does a company engender trust, which can lead to customer loyalty and potential revenue growth if consumers offer such mixed messages about current security technology?

Cracking the code: balancing security and convenience to avoid bad habits

  • Theanswer seems to be that both online retailers and other organisationswith an online presence need to demonstrate a greater understanding ofinstinctive human responses to security. Customers want reassurance,demonstrating this with their buying preference for trusted brands, butthey do not want it at the expense of convenience
  • Respondentsto the research and focus group participants cited a number offrustrations that have led to them abandon online transactions,including being perplexed by username and password selection rules,being forced to wait for an email password reminder and being flummoxedby password reminder questions
  • The survey also produced some worrying statistics:
- 72% of respondents have had at least one problem in the past three months alone
- The number one reason for discontinuing a transaction was the process taking too long (48%)
- 38.9% said that a purchase process with too many steps is a barrier to online shopping
- For survey participants that had abandoned a purchase in the last 12 months 16% did so because the transaction took them to another website, such as 3D Secure Way
  • Stricter security policies also lead to less secure consumer practices
- 25% of those questioned in the survey admitted to keeping written lists of their online usernames and passwords

- In one focus group a participant admitted to writing passwords on every account statement

  • The dangers to online vendors are obvious as consumers are quite prepared to complain to others about their frustrations. 8 examples were raised over the course of the focus groups with participants very quick to name the brand. 31% of people surveyed were likely to use a site less frequently if they encountered login problems.
  • This makes it extremely difficult for online retailers (and for that matter any organisation wishing to interact with its stakeholders via the Internet) to balance security needs against providing a fast and efficient service. For example, there was a point blank refusal to accept the extension of 2-factor security beyond the banking sector on the grounds that transactions which involved smaller sums should not require this technology.
  • The report offers some guidance with respondents and focus group participants suggesting that they look for ‘trust signals’ from an online brand, which could include:
  • 3rd party certification logos
  • Security and privacy policies
  • Customer reviews / ratings
  • Confirmation page / confirmation email
  • Terms & conditions

A security enabled online world: using security to tip the scales

  • The research provides clear insights beyond the usual assessment of consumer concerns about IT security to suggest that there are clear benefits for online vendors, whose security approach can help to tip the scales in their favour
  • For instance if consumers have to make a risk assessment of two online sites, weighing up the merits of a price-based one against those of a recognised brand, unsurprisingly attitudes to online security tend to drive the consumer to the latter. Furthermore focus group respondents suggested they would be willing to pay a premium for such products and services.
  • Hence the obvious calculation is that a good approach to security breeds trust, which in turn engenders loyalty that can help to drive revenues
  • Consequently Oracle recommends a number of steps that businesses can take to improve the customer experience and foster brand loyalty without compromising security:

Take the onus away from the customer and reassure them: customers are anxious about security and do want online transactions to be protected. As a result, companies should publish highly visible third-party security certification logos, so that customers immediately recognise that each click, transaction or purchase is secure. Businesses should also make their own security and privacy policies highly visible, with customer reviews and ratings on show for visitors to see. In addition, businesses should also confirm all purchases with a confirmation page, followed by a confirmation email

Build a better user experience by recognising there are shades of grey: Organisations need to appreciate that the one-size-fits-all approach for assessing the risk of fraudulent activity no longer works. Instead, businesses should assess the varying degrees of risk presented by particular transactions. If we consider that the most likely reason for abandoned transactions is because it is taking too long, then businesses should consider the level of threat versus disruption to the customer. For instance, a £5,000 online transaction calls for more security controls, such as two-factor authentication, than for a purchase of just £10.

Stop thinking in terms of a moat and castle – introduce a multi-layered approach: Organisations need to shift the onus of responsibility away from the consumer to encourage online sales. This can be achieved by taking a layered approach, with technology that drives confidence at each level of an online purchase. From the website to the back-end processes and where sensitive customer information is stored, companies can install a mechanism that manages customer information throughout its lifecycle, wherever it resides. Technology is now available that automates and simplifies the setting and management of IT security policies, which minimises users’ need to clear a confusing variety of security checks. By taking the concern away from consumers, organisations can take positive steps towards building a trusting, long-term relationship with customers. By analysing the origin and nature of incoming transactions, behavioural intelligence and profile information can be gathered to generate a risk score for each transaction, allowing continual assessment of threat levels and the ability to dynamically update policies and respond to new threats.

Supporting Quotes

“It’s time to stop viewing IT security as a castle and moat, companies need to take a more sophisticated approach and that requires a shift in mindset,” explains Des Powley, Director Security, Oracle UK and Ireland. “Done well security can be an enabler of online activity, whether that is retail eCommerce or engagement with public services. Organisations must remember that security is an emotive subject that understandably triggers very primitive instincts for consumers and citizens. It’s time to be more strategic, which includes using technologies such as adaptive authentication and single-sign-on all delivered seamlessly with the service.”

“Low consumer confidence impacts revenue generation, but the inverse is also true: good security that increases confidence without creating further hassle, driving sales. Our research shows that smart retailers and their technology partners have an opportunity to build security into their value proposition, and in doing so, foster customer loyalty and increase revenue,” said Marty Carroll, Director, Foviance.

About Oracle
Oracle (NASDAQ: ORCL) is the world’s largest business software company. For more information about Oracle, please visit our Web site at

About Foviance
Foviance is a leading customer experience consultancy with a focus on delivering measurable benefits that works globally with some of the world’s best known brands.

Founded in 2000 and with a heritage in website usability and data analytics, Foviance delivers consultancy to its clients about the effectiveness of their individual channels, such as mobile, web and call centre and how they combine in a cross-channel environment. For many clients, insight is provided not only in their home market, but also internationally through Foviance’s extensive alliance network.

Foviance engages with its customers wherever they are in their product lifecycle, and provides insight so they understand how to improve, create and deliver excellent customer experiences.

Foviance boasts 43 of the UK FTSE 100 companies among its client roster, including Barclays, BSkyB, and Sainsbury’s. In addition Foviance works with International brands such as Astra Zeneca, Dell and Nokia. For further information please visit:

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

# # #


Visa and Monitise in Strategic Alliance

Mobile money specialist Monitise has entered into a strategic global alliance with Visa International, a subsidiary of Visa Inc., the world's largest retail electronic payments network. The five-year agreement, worth $13 million in addition to ongoing license, service and development fees, combines Visa's reach, payments expertise and trusted brand with the Monitise Mobile Money platform and toolkit.

Monitise will be a strategic development partner for Visa's suite of mobile services, including payments, mobile money transfer, mobile transaction alerts and mobile marketing offers to support Visa's mobile strategy to extend the reach of its global network to the more than 4 billion mobile devices around the world.

“Visa is the world's most trusted, inclusive and innovative payments network,” says Monitise CEO, Alastair Lukies. “This alliance validates our unwavering commitment to building truly accessible, inclusive and reliable services over the past seven years. It is a landmark announcement in the mobile payment space and we are excited to collaborate with the world's foremost payments company to accelerate the convergence of payments services and mobile devices.”

Monitise creates mobile banking networks that enable customers of multiple banks and mobile operators to perform banking and payment transactions directly from their mobile handset.

The company has live services in the UK and the US, where it has delivered the MONILINK and Monitise networks in partnership with VocaLink and Metavante Corporation respectively, and is currently working with international partners to deliver similar safe, secure mobile banking and payment services in territories worldwide. Current key partners include VocaLink, Metavante, HSBC, Lloyds TSB, first direct, Alliance & Leicester, Royal Bank of Scotland, NatWest, Vodafone, Orange, O2,
