Sunday, December 27, 2009

A man on a plane

Following the latest news of the attempt to blow up a Delta flight, and the reintroduction of debates about terror and security worldwide, I want to share some random thoughts this incident brought about.

The weakest link

A reliable source is one that provides you data and information you can use with little to no validation; a source you can trust as part of the group of sources you use to evaluate the riskiness of a specific situation. Be it a credit report from Experian, a Whitepages entry from or a customer calling in to report, you need to know the possibility of your resource being compromised and the information you receive being mistaken or, much worse, maliciously injected by fraudsters. This is the basic malfunction that drives SQL injection attacks, if you don't sanitize DB entries you're most probably in for a big bad surprise. The weakest link – in this case, it seems to be Nigerian aviation security controls – has failed the whole chain. It may be improper screening, low budget security tools or just procedures not permeating through the system, but it let someone with malicious intent onboard and only luck failed him. The fact that Netherlands security just passed the stick on and let all passengers continue shows that the hand-over between security personnel in different airports might need some additional reinforcement, because terror is constantly looking for ways to inject itself in. There should be additional focus around determining the reliability of various airports as a reliable source of validated passengers and acting accordingly.

Lists don’t work

So his name was on a list. So what? Here’s what lists do: they make legitimate people’s lives harder (ever tried boarding a plane in domestic US with an Arab name or with a Middle Eastern passport? Enjoy the ride…) but much worse than that, they transform risk measures into binary checks (on the list? Stop. Not on the list? Carry on), a classic case of “searching under the streetlight”. So he WAS on the list but not under “really bad” but only under “naughty”? Come on. I have preached against black lists in the past (Hebrew only) and this is another case where, clearly, some old fashioned flight track analysis crossed with previous alerts could have made the trick. The data was there – it’s all a matter of interpretation.

Hindsight’s 20:20

I take off my shoes in remembrance of the shoe bomber; I don’t carry liquids in remembrance of the 2006 bomb-as-a-soft-drink plot; and I get sniffed by an automated sniffer every once in a while in a random US terminal. As far as I’m concerned, I should probably stop flying soon and leave air travel to terrorists and security, in an everlasting cat and mouse game. The most important thing about attacks that materialize (even if they fail) is learning from them. If all we get is another restriction, we are missing the point here. Every false positive and false negative (in any automated or manual decision making process) needs to serve as feedback to the system to improve on – in its ability to make better decisions, not in the restrictions it applies on the general population. Hopefully, the conclusions will not end up only bringing another top-dollar cutting-edge new machine to sniff people at airports, but will aid in making flying safer and easier for legitimate travelers while shutting it down for terror.

Monday, December 14, 2009

42% of users have a good reason to fear

Working in the risk management business, I often get these layman questions about ePayment security. They are close relatives of questions IT people are being asked about hardware purchasing; when people finally find that item they wanted to find or a bargain they can’t resist, they want to make sure they don’t get scammed. Who’s better for that than your friendly neighborhood risk management specialist? I’ve given my part to eCommerce, you should know, and if retailers felt a $3000 shift in their revenues this year – this one’s on me, guys. No need for commission this time.

Seriously, though – why are thousands and maybe hundred-thousands of interactions related to purchasing on the web really important? As I mentioned in my previous post about Square’s trust issue, good payment services instill trust (among other things); and for an industry based on users exposing themselves and their financials, trust – created, in my case, by getting a recommendation from an authority – is one of the main challenges for emerging companies.

Sunday, December 6, 2009

Payments start from Square one

In the 1998 movie “half baked”, the main characters sell weed to various buyers to get their friend out of jail. Not the most sophisticated movie, if I may say so, but decently funny. While they’re selling, you hear a voice over by the main character Thurgood Jenkins (Dave Chapelle) telling about the type of people you meet. One of them is the “enhancement smoker”, the one that thinks every deed is better done “on weed”. It boils down to quotes like:  
  • Enhancement Smoker: "Did you ever see Scent of a Woman?"
  • Scarface: "Yup."
  • Enhancement Smoker: "You ever seen Scent of a Woman... on weed? That's the way to see it. It's just wacked." (yeah, I know)
Let me tell you something: people in the valley are enhancement “smokers” too. Only they’re not using weed (or they might. I’m not judging). They’re hooked on the iPhone (and the “app economy”). Hey man, did you ever play console games? Ever did that… on the iPhone? Ever acquire a payment on from a credit card? Ever done that… on the iPhone? Seriously, guys, smart phones are cool, but international market adoption is still slower than one would imagine looking at the hype around the iPhone. Not that it won’t succeed – it will, but it will definitely take more time, and personally, if I had to bet on apps vs. mobile web, I would bet on the latter (late addition: see Giff Constable's post about the app store, especially the first few paragraphs). See my (future) mobile #3 post on technology and risk for more thoughts.

What Square is, and what it isn’t

Don’t get me wrong: the new Square gadget on the iPhone is cool. How cool? Way cool, not only because it’s a smart idea but also because they managed to pull it off in such short time. Kudos. It’s going to allow people who always planned to charge cards to start doing so – seemingly very comfortably and quickly; in developed countries, where credit card and smart phone penetration is high, Square has the potential to become a smashing hit. But among all the crazy positive coverage and superlatives it is getting, I’d like to keep a few things in proportion.

Friday, December 4, 2009

In defense of offers

Question: Who’s the bad guy in the house? (All together) OFFER WALLS! (Once again) OFFER WALLS! (Didn’t hear ya) OFFER WALLS!

Ok, ok, enough with the chanting. Bashing offers is so popular these days it’s almost a new sport. Can’t blame most of the commentators, it’s tempting, and the whole “scamville” charade just made it even more fun. And why not? Offers can be easily portrayed as devil’s spawn, the portal to mischievous premium billing without your consent, money laundering, call it what you may. It’s so easy to terrify non-technical people that you’re almost inclined to join; and if one can benefit a bit from it (no paid service to rid your computer of scam offers yet? Don’t worry, it’s just around the corner), then why not. So looks like we’re covered. Or are we?