
eBay cyber attack highlights value of card on/off tools

eBay is yet another giant consumer brand that has fallen victim to a cyber attack. Like many of us, I raced to change my password when I heard the news break early Wednesday morning. Of course the news media and many eBay users assumed the worst had happened and that personal and financial information had been breached. Fortunately, the attack was limited to a corporate network and only a small number of employee login credentials were breached. eBay’s PayPal business unit did not show evidence of user personal or financial information being exposed. Phew.

Given the frequency of these high profile breaches, it seems like only a matter of time before hackers are able to break into the networks of the most trusted consumer brands and financial institutions. Target experienced a massive breach late last year that many consumers are still dealing with today. High-end retailer Neiman Marcus experienced a breach as well. Larry Ponemon, chairman and founder of the Ponemon Institute, which specializes in data-security issues, said “It shows that even the best of Internet sites are vulnerable to cyber attacks … you can’t stop this tidal wave.”

Yikes! What are consumers to do?! Even the perceived most secure websites, businesses and financial institutions are vulnerable to cyber attack. I think the best form of protection is to empower consumers to control when, how and where their credit or debit card data is used. If consumers can limit the use of, “turn off” or block the use of a card, they are empowered to protect themselves from any resulting damages from these cyber attacks.

Ondot Systems provides one of the most compelling solutions to help consumers take control of their payment cards.  The Ondot solution lets consumers…

  • Turn a credit card on or off
  • Limit the use of a card to a specific retailer or spend category
  • Limit card use to an area near them or to a specific geographic region

The eBay cyber attack highlights the consumer value of the Ondot solution

Imagine that you were a victim of a data breach and that your credit card information may have been sold on the black market. Sadly, this is the case for millions of US consumers. The Ondot solution empowers you to prevent any fraudulent transactions should a fraudster purchase your data and attempt to buy things on or offline. For example, upon hearing about the breach you could easily turn off the card immediately, giving you extra time to determine if it’s necessary to cancel the card. Or, if you limit card use by geo proximity to you, use of the card will be denied to any cyber criminal across the world attempting to purchase items. You are empowered to protect yourself from fraudulent payments BEFORE they even happen. That’s cool.

Ondot Systems does not provide a direct-to-consumer solution. They are actively pursuing relationships with the major payment processors and financial institutions to white label the technology. I’m wondering though if this technology is relevant enough that consumers could actually ask their bank card providers for it … or be willing to switch to a card provider who has this technology deployed already. The Ondot solution could prove to be a strong differentiator that may attract many new customers to a bank’s credit card offering. With the increase in data breaches, I’m hoping my bank will provide this functionality soon. If not, I am open to learning more about who does offer this technology.

Ondot has the wind at its back now. However, this technology is not new and competitors have built similar solutions. From what I understand from my patent attorney friends, this technology is not particularly defensible for there are many ways to skin that technology cat.  Meow.  Ondot must build strategic partnerships with the largest payment processors first to grow market share…and do it quickly.  These processors will pave the way to deploying to small and mid tier banks.  Ondot’s big hurdle will be in how easily the solution is deployed at the bank.  As we know, these smaller banks get heartburn if a solution integration requires a big internal commitment.  However, it appears they have addressed this hurdle with seamless integration into the universally accepted payment standard and with deployment support. Once deployed, Ondot’s next challenge will be in how well they engage these banks in co-marketing the solution to the consumer.  Many mid and lower tier banks run lean on marketing so the key here will be how to take advantage of current marketing channels to drive adoption.  However, I have a feeling consumer word of mouth may be the most effective channel.

Ondot is a formidable competitor and is well positioned to be the market leader.  Now it’s about how well they execute.


Mobile platform security is key for mobile payments providers

I was at one of many Christmas parties and conversation topics, of course, covered “where will you be for Christmas” and “are you done with your shopping.”  Almost everyone was done with their shopping, but the big follow up question was “Well, did you end up shopping at Target?” There were a handful of people at this gathering that did shop at Target over the ill-fated shopping period.

The conversation very quickly involved everyone around the buffet table and included comments like, “I can’t believe hackers actually were able to break into a huge chain like Target” and “your credit card information is not safe anywhere!” Clearly EVERYONE at this party will be checking their credit card statements very closely in January!

However, one comment made really grabbed me. “If my credit card can be swiped by hackers at Target, I’m sure as hell not going to want to use my phone to pay for stuff.”  Obviously this exclamation sparked another round of fervent debate and discourse. A few well-known coffee and pastry shops in the area were called out in conversation as using new mobile payments technologies and were “flagged” as potential places to monitor for card fraud.

The implications of the Target data breach on the mobile payments vertical are HUGE.  There are serious challenges that must be addressed both on the consumer and business side of the equation for the many emerging mobile payments technology providers.

First of all, consumers have the perception that it’s no longer safe to use even debit or credit cards at physical retail stores.  According to one account of the Target breach, a security analyst at a major bank was made aware that cybercriminals were planning to sell online a new stock of stolen credit/debit cards.  The analyst bought the stolen card numbers of his/her bank customers using Bitcoin.  Presumably, these transactions led to the discovery that these card numbers were stolen from Target.

One could easily make the assumption that Target was not even aware of the breach until the bank analyst made these card number purchases from the cybercriminals. Yikes! This lack of awareness of the problem scares me deeply at the consumer level.  Would Square be able to quickly inform a merchant that consumers’ payment data has been swiped and is being sold by cybercriminals? Could Square inform users that their data was stolen?

Secondly, business and IT executives at Target and all major retailers are wondering how and why the Target payments system was hacked.  Obviously, there are fast and furious internal investigations within Target as their legal and technical teams prepare for a barrage of lawsuits coming their way from banks and consumers.  These Target executives will be pounding on the doors of their payment system providers and their 3rd party vendors as well.

The discovery phase of these lawsuits will get UGLY FAST.  Moving forward post breach, all physical and online retail payment platform providers will be evaluated with much greater scrutiny with a focus on platform security, ability to detect a data breach and processes to quickly inform users that data has been compromised.

Emerging payment providers such as Square, Dwolla and PayPal need to address these implications head-on to address consumer and business needs in a post Target data breach world.

Platform security is now a big focus.  Yes, each provider does have website messaging that talks to how secure their platform is.  However, security requirements and technology must be increased especially as the payments platforms are being sold into individual SMBs and at the enterprise level that use multiple mobile devices to process transactions.

Mobile payment providers can quickly equip themselves with cutting edge mobile platform security technology through strategic partnerships.  Industry leaders include MobileIron, Good Technology, or AirWatch.  For example, by partnering with MobileIron, Square can provide a layer of mobile platform security to their SMB customers who use the payment platform across multiple mobile devices (payment terminals).

Addressing the mobile platform security needs will help address consumer concerns as well that their payment data and money are safe at the payment platform level. Square, Dwolla and PayPal must educate consumers on WHY their payment data and money are safe.  Providers must clearly explain what happens if a Square account is hacked and the PIN number and cash balance are stolen.  Can these providers stand behind a guarantee that transactions are safe?  Can they back up consumers’ cash balances if the money is stolen?  These are all key concerns that must be addressed for consumers to feel safe in using mobile payments technology to pay for items at physical retail.

Personally, I keep a very low balance in my mobile PayPal account that is connected to a low balance bank account.  Why?  I still don’t trust that the receiving terminal is that secure and nefarious code could somehow steal my account numbers and distribute them across the world … all through an unsecured wireless connection at the SMB’s business location.  Maybe I’m just paranoid and uneducated.

