NFChipknip

Long live innovation! Of the in some respects backward kind.
Yes, we did have the chipknip, a stored-value debit card system for small amounts (e.g., parking in Amsterdam, though that hardly counts as ‘small’). And yes, of course it was abolished because nobody wanted it. For one, because the stored value had to be loaded onto the card, at ever (sic) less available separate ATM-like holes in the wall. For a second, because losing the card meant losing the stored value.

For a third, because given this functionality, people much preferred to stick to cash money that was easier to get, much more widely usable (think C2C payments…), quite similar if not the same in risk, and obviously anonymous, vis-à-vis anonymity promised by, hold it, banks, of all the crooks one could imagine. If you don’t see the latter, consider whom Jesus threw out of the temple as the prime example of choice of all that was rotten in society back then already, and banks have ‘developed’ ever since.
This to the chagrin of banks that, as usual, packed their most devious of actions in the thinnest of transparent films of customer-servicing arguments and licked their, expensive is an understatement, wounds.

But now we have the triumphant return of the idea in the form of NFC payments off one’s debit card. Which comes with one improvement (not having to preload) but with all the other risks aggravated:
The ‘preload’ is, relatively, limitless, or up to one’s credit (sic) limit, compared to the user-controllable stored value of yesterday.
Skimming doesn’t even require the card to be physically put into a physical reader anymore. The still physical NFC reader devices are just as susceptible to plants of skimming devices as before. Maybe the customer can check the debitable amount, but the displayed amount can be spoofed easily, obviously [or you are foolishly considering yourself competent when not seeing that risk]. But passers-by can skim just as easily (and ‘approve’ without you noticing).

Yes, even with small-amount payments, every now and then one will be required to enter one’s PIN as verification of holdership. But that hinders, and was a measure easily implementable previously, so why not then already? And for larger amounts the PIN is always required, turning the action into a simple debit card payment as we (in the developed world, so maybe excluding North America) have grown accustomed to for decades already, except that now one need not enter the card into the chip reading slot anymore. Wow, the improvement! And all this while maintaining the latter debit card systems.

So, we have to trade security for convenience. While banks trade simplicity for … complexity. And savings, nowhere near. How to prevent some from considering banks to be full of i… ..?

Anyway…:
[The back side of subsequent developments may be pretty or not; Dunedin]

About maverisk

Maverisk Consultancy, IS Audit and Advisory services: Wikinomics meets governance and audit; otherwise, see my personal LinkedIn profile
This entry was posted in ERM, GRC, Information Risk Management, Information Security, Innovation (technologically driven), Privacy.
