Earlier today I read an article about Monzo leaking PINs of their customers into operational logs. Bad. What’s worse – this is the second Monzo’s technical problem I came across within last 12 months.Continue reading Monzo and Challenger Banks’ Security
Ok, everyone seems to be writing about it so here’s my take so far. A professional code of malware extended in a pretty silly way that somehow got into computers of companies. And hackers collected well below $100,000.
The main reason we want to use cloud technologies is because they simplify cost management and allow us spend only as much as we need at any given time. The question is how secure it is and what risks are acceptable.
Banks simplify access to our bank accounts. They keep relaxing security while hoping to replicate the boiling frog story. The trouble is that no-one dies and someone will figure out – sooner rather than later.
I touch on a few things: using online banking to find valid card numbers, and date of birth, increasing chances for unauthorised access, lowering security of login credentials and changing role of debit cards.
Tokenisation is a hot topic as it makes card processing cheaper and more secure. The goal is to replace your card number with a random number that is hard to use for unauthorised transactions – and it removes the need to encrypt databases.
What we are primarily looking at now are mobile payments but we are designing solutions for e-commerce as well. Payment processing involves re-encryption of PINs (PIN-blocks) for card-present transactions.
We are now integrating encryption into a corporate infrastructure and it made me think about payments and PCI audits. PCI stands for Payment Card Industry. Anyone who got close enough to e-commerce, or card payments knows what a burden it is on running a business.
Sooo, I have spent some time this week thinking about architectures for “technical security systems”. I could say “cryptography” straight away, I guess. Thinking about protecting sensitive data that may be subject of independent audits.
The scope of PCI audits is given by storage and processing of credit card numbers and PINs (in case of Chip&PIN systems). Once you experience the pain, you definitely want to get “out of scope”. This is true for merchants just as banks.
We did a bit of research into what IT start-up companies need in terms of security. I did expect that secure authentication / logons would be at the top but I was surprised that OTP (one time passwords) were at the bottom.