Archive for May, 2013

Why Is This Data Breach Different?

Saturday, May 25th, 2013

What data breach? Are you talking about the one that happened at Heartland in 2009? Or, maybe the Fidelity one from 2011? Again, no?

Oh, you’re referring to the latest one that led to the arrests in New York of several people who fraudulently withdrew $45M from several ATMs.

By now, it should be obvious what’s different about the latest breach. If not, read on.

High-profile breaches in the past, like the ones that hit Heartland Payment Systems and Fidelity National Information Services, involved theft of payment card information. The current one has gone further and has actually resulted in the loss of money. It’s accordingly known as the “$45M ATM heist” rather than a data breach.

Like other past breaches into payment information, this one also began as breaking and entering into the databases of several payment processors – including ElectraCard Services and EnStage – who hold sensitive card information of banking customers. The first B&E into ElectraCard Services happened in December 2012 and the second one involving EnStage, in February 2013. At the time, there was little publicity about these breaches, at least nothing that caught my eye. The real media frenzy began only when the scamsters who used the stolen information to withdraw money from ATMs were apprehended in NYC two weeks ago. In other words, this is one of the rare cases of a high-profile data breach that is directly linked to financial losses.

Like an onion peel, details of the present incident are unraveling day by day. I hope we’ll eventually get answers to the following questions:

  • Where were the PIN and magstripe data stolen from? (According to its statement, it was not from ElectraCard Services)
  • Was the data stolen from in-house data centers of the payment processors? Or was it located on a “cloud” provided by some third-party cloud services companies? Although this might seem irrelevant for a common man, it’s necessary to get into these details so that security professionals can plug the right holes.
  • Between the time the security breaches reportedly happened in December 2012 / February 2013 and the ATM heists occurred earlier this month, did the banks involved – National Bank of Ras Al-Khaimah PSC and Bank of Muscat – reach out to all the affected cardholders and ask them to change their ATM PIN numbers?
  • How soon were the withdrawal frequencies and limits reset to their original – and correct – values?

I also hope this incident makes it amply clear to regulators that large scale frauds happen as a result of breaches into payment processors’ systems, and not when individual cardholders are shopping online and putting through one-off transactions. Keeping this in mind, they should revisit their present approach of trying to prevent fraud by insisting on cumbersome two-factor authentication for all values of online and mobile payment transactions. Such a procedure adds friction and causes heavy shopping cart abandonment (more on that here) while proving futile when payment information comes under an attack where it’s found in bulk. Instead, regulators should shift their focus to ensuring that payment card information is encrypted and stored absolutely safely. In this context, the CEO of Heartland Payment Systems set the tone by accepting that, when it comes to security levels to be maintained by payment processors, PCI certification is necessary but not sufficient.

Exercise Caution While Selecting Western Values For Emulation

Wednesday, May 22nd, 2013

When I began Talk of Many Things many years ago, “globalization amidst cultural differences” was one of the topics I was planning to cover on the blog. Somewhere along the line, it fell off my radar.

Now, thanks to my friend and fellow IITB alum Sanjiv Sood, Owner of Norquest Brands Pvt. Ltd., I’m back to this subject.

Sanjiv circulated this speech by Mr. N R Narayana Murthy, Chairman of the Board, Infosys Technologies Limited to the so-called Yahoo! MADhouse Group today. Speaking at Lal Bahadur Shastri Institute of Management, the doyen of Infosys expounded on the role of Western values in contemporary Indian society. Among other things, the speech covered apathy, civic sense, corruption, family values, private sacrifice and public good.

IMO, deep insights about local values can be gathered only by living in a certain country for a year or more. While travel broadens the perspective, it’s no match for time spent in the trenches in a foreign land. Ditto for reading books and magazines about international culture. Having lived for years in more than one Western country, I find it difficult to accept that all values uniformly attributed by Mr. Murthy to the “West” are true of all countries in that group. Some differences:

  1. You go past any street in downtown Frankfurt, Berlin or Munich and you’ll realize how much graffiti there is. Just that they get cleaned up quickly. While working on a customer engagement, I recently learned about the amount of investment made by local counties / boroughs in people, technology and infrastructure to just clean graffiti.
  2. The amount of litter in the London Tube network is unbelievable. It’s far worse than anything I’ve seen on any form of local transit or long distance transport in India. Of course, I’ll hand it over to the Brits for their mastery in spinning such things. Couple of reasons given by locals for this situation include (a) After the July 20xx bombings in London where the bombs were concealed in trash cans, all trash cans have been removed from public transport stations, trains and buses, so there’s no choice but to litter (b) “I don’t mean this to be a racist slur but most of the littering is done by Asians and East Europeans”.
  3. In USA, lobbying records would show the huge amount of money that’s spent by businesses to fund election campaigns of politicians in return for favorable public policies – just that it’s not called corruption.
  4. In UK, £50 Led Zep concert tickets will be sold on eBay for as high as £8K. I don’t know how much “private sacrifice” happened “for public good” in that.
  5. NHS National Program for IT, Biometric Passport – these are examples of public projects in the UK that are aborted – not just delayed – after literally blowing billions of GBP of taxpayer money. For all his / her troubles, some MP would suddenly find himself richer with deeply-discounted Accenture stock options or a £400K mansion in some quaint countryside “gifted” by some vendor and Accenture / some other vendor will escape a billion pound penalty. For all the apathy about Milan Subway for 40 years, I don’t think BMC spent one paisa on it.
  6. In Germany and many other parts of Europe, you give your car for servicing. You’ll be told to collect it back after 8 hours. You go back after 8 hours, your car will be ready for pickup. Yes, that’s punctuality. On the other hand, in India, you’ll be promised delivery in 4 hours, you go back in 4 hours, you’ll have to wait at least one more hour before you can collect your car. Agreed, that’s lack of punctuality. But, with a 5 hour total lead time for the job, that’s also faster service. I’m not bringing cost into the picture.
  7. I agree that USA is the bedrock of innovation. However, as NRN himself pointed out during a recent TiECon event held in Pune, such level of innovation is lacking even in UK and Europe, not just India and China. Maybe NRN was implicitly referring only to information technology but since he didn’t explicitly make that qualification, neither will I.
  8. Lastly, most of us know the glaring difference in paid vacation between USA and Europe. For the uninitiated, it’s as few as 8 days a year in the US and as many as 20 in Europe.

I could go on but the “West” is not as homogenous as it’s made out to be.

Therefore, we need to be very careful about which value to select from which Western country to emulate in India.

Stores Have Themselves To Blame For ‘Showrooming’

Friday, May 10th, 2013

In How Can Organized Retailers Respond To Showrooming?, I’d written about the new shopping trend in which consumers use a physical store as a showroom to touch and feel a product but ultimately buy it from an online competitor – often at a lower price.

Although showrooming hasn’t yet become mainstream, it’s bound to gain traction with rapid smartphone adoption and availability of comparison shopping mobile apps like RedLaser. Since it eats up their salesforce bandwidth without leading to sales, showrooming is not a friend of brick-and-mortar retail. In my previous post, I’d outlined a few strategies that retailers could adopt in order to counter showrooming. While these strategies are not hard to implement, I recently went through an experience that suggested that the solution to the showrooming problem could lie in something far more basic: Better inventory management.

A leading Indian retailer of gadgets, home appliances and white goods has a tagline to the effect that it helps customers buy.

This is a strong differentiator in a competitive environment that is full of companies – both online and brick-and-mortar – indulging in hard selling and sharp business practices. However, it’s a big problem if the company’s real accomplishment is “we help you buy … from our competitors”.

At least, that’s what happened with me on two different occasions. In the market for a smartphone, I visited the said retailer’s competitors, most of whom had neither working models nor salespersons who had any clue about what they were selling. Frustrated with all of them, I went to the “we help you buy” retailer. As expected, I was able to touch and feel actual products at its stores. Its salespersons were well informed and even helped me decide on a suitable model. I was also willing to pay the small premium charged by this retailer in return for the superior shopping experience it delivered. If you thought the story ended on that happy note, you’d be wrong.

On both occasions, the said retailer didn’t have stock of the model recommended by its own salespersons. A quick system check turned up zero stock of the smartphone at any of the company’s stores in my city. Forced to give up with this company, I went ahead and bought the model it had recommended from an online store. Although I’d no intention of engaging in showrooming, that’s what this retailer forced me to do, thanks to its poor inventory management. Maybe the retailer has a problem with its inventory management software. Maybe it thinks that we’re still living in a world where customers placed an order, paid a ‘token’ advance and waited for a week or two to receive the item. Whatever the reason, this retailer has been afflicted by it for a long time, considering that my two attempted purchases from it were spaced two years apart.

The Death Of Cash Is At Least 190 Years Away

Friday, May 3rd, 2013

According to a Barron’s article titled The End of Cash?, the use of cash as a percentage of retail spending in the USA declined from 36% in 2002 to 29% in 2012. Extrapolating these figures – by using the same negative CAGR that works out to around 19.5% per decade – we should see the end of cash usage by 2202, that is, 190 years from now. An Excel model used to arrive at these figures can be downloaded from my personal website here. Since it’s fashionable to proclaim the death of cash, in arriving at the Zero-Cash-Day, I’ve conveniently ignored the fact that cash contributes 40% to P2P payments (Source: Blog post titled The Less-Cash Society by Aite Group’s Ron Shevlin).

But will cash really be dead even two centuries from now? I strongly doubt it. Mainly because the movement between cash and noncash modes of payment is not as unidirectional as it is often made out to be. Just as electronic fund transfers and card payments have been replacing cash in some facets of life, cash has also been edging out electronic payments in some others. Counterintuitive as this might seem at first glance, a quick look at a few recent payment innovations will make my point clear.

A couple of years ago, we saw the launch of Kwedit in the USA. Now called PayNearMe, this alternative payment method permits people to shop online but pay with cash at brick-and-mortar stores. As I’d pointed out in Why Pay By Credit When You Don’t Have To Pay By Kwedit, a blog post I’d written at the time Kwedit was launched in 2010, the new method of payment was targeted at people who either couldn’t qualify for payment cards or didn’t want to use them for making online payments owing to security concerns.

Subsequently, growing incidents of identity theft and loss of financial data have prompted regulators to enforce greater security measures by way of 3D Security, One Time Password, Out of Band Authentication and so forth. While they’ve made online payments more secure, they’ve also made them more rare: The friction they’ve caused has virtually obliterated the mobile payment channel; the multi-website trips they entail before a payment can be completed have led to a greater number of failed online payments, which could be as high as one in 12 payments, as I’ve noted in my blog post titled Skating Away With Online Payments. Of late, the fear of an online payment getting lost somewhere in cyberspace is increasingly pushing me to opt for cash-on-delivery terms for eCommerce transactions despite having used card and bank transfer based electronic payments regularly for around 10 years now. So, at least in my case, ‘once an electronic payment user’ doesn’t mean ‘always an electronic payment user’.

Looks like I’m not alone.

A leading airline in India recently announced cash-on-delivery as a new way to pay for customers booking tickets on its website. This comes after years of supporting just the standard modes of electronic payments via bank transfers and debit / credit cards. Under COD, customers browse flights, check availability and book e-tickets online, same as before. However, now, the airline’s COD service provider – a Silicon Valley VC-funded startup – collects physical cash from the customer’s house. As soon as this happens, the airline emails the e-ticket to the customer, no differently than before. With this great example of omnichannel support, the airline mitigates the risk of customers moving away to costlier physical outlets to buy their tickets just because they’re no longer comfortable with making payments online. At the same time, the new payment method doesn’t erode the airline’s margin since cash collection charges are no greater than the Merchant Discount Fee / Merchant Service Charge applicable for card payments.

If cash can enter into a business like e-ticketing that has worked on the basis of 100% online ordering and fulfillment all this while, I’m even more convinced about my oft-expressed belief that the cash-versus-cashless pendulum could swing both ways. So, at least for now, tales of the death of cash are, like those of Mark Twain’s, greatly exaggerated.