UL has spent more than a century helping companies embrace innovation while keeping consumers safe and happy. And that’s a very useful skillset in financial services right now, says Kevin Emery, Director of Cybersecurity Enablement.
On the face of it, ensuring vacuum cleaners don’t spontaneously combust and battery-operated toys don’t go rogue has little to do with strong customer authentication or EMV (Europay, Mastercard and Visa)-supported transactions. But at UL, a company that issued its first safety certificate back in 1909 (for a vacuum cleaner, in fact), they’d politely disagree.
As the UL motto proclaims, it’s all about ‘making the world a safer place’ – and, given that 2019 was a record year for identity theft, with account takeovers, ‘smurfing’, and other nefarious frauds perpetrated against financial institutions, UL’s experience in testing and strengthening the safeguards around everything from national defence systems to solar panels and appliances is very pertinent.
Especially, says Kevin Emery, director of cybersecurity enablement, when it comes to the next era in transaction technology – voice-activated payments and the Internet of Things (IoT).
Who better to make sure your fridge doesn’t lay your account wide open to a cyberattacker while it’s placing the weekly grocery order? Or prevent Alexa from getting duped into thinking you’ve just told her to move funds between banks? Such services aren’t available… yet, but they are the holy grail of frictionless payments and, when they arrive, they have to be secure.
UL strives to instil trust in organisations and help them make smarter decisions by progressing innovation safety standards, sustainability and connected security. A decade ago, it turned those skills to the financial services sector.
“It’s all the same foundations: trust and security,” says Emery. “Our passion is safety and security. It’s not just about compliance, the tick in the box. It’s about ensuring that our customers’ risks are successfully mitigated.”
As the world becomes ever more connected, UL’s presence in so many industries looks set to stand it in good stead, particularly as smart homes and smart cities, the IoT and the automated processes driving what is known as Industry 4.0 become mainstream.
Enabling secure payments is key to the IoT business case but devices may have split loyalties (selfish vs altruistic) and multiple masters, so where is the liability for payments made in error, failure to make a payment and disputes between shared owners? Will the IoT create new frauds and how can a consumer with multiple devices, networks, providers, employers, bank accounts and an extended family, stay in control?
In a recent interview, Isabelle Noblanc, VP and general manager for identity management and security at UL, said traditional identity management and authentication models must be rethought and re-engineered, moving control from enterprise contexts into the hands of end users. “The minute a digital product starts interacting with others, digital credentials become paramount,” she said. With more than 21 billion connected IoT devices and sensors in operation globally – the equivalent of nearly three devices for everyone on earth – security concerns related to them are getting increased attention from regulators. New laws scheduled to come into effect in both California and Oregon in January 2020, for instance, require manufacturers to design connected devices with ‘reasonable security features’. UL’s global IoT Security Rating is the first effort to objectively assess the security of consumer IoT devices.
“Security should be an enabler,” says Emery. “Something that helps with the traction and use of a system, rather than detracting from it.”
Changing nature of threat
The risk landscape for payments is in a state of constant change, says Emery. He cites experience of the humble personal identification number, or PIN.
“The threat models that we’ve used for the last 30 years have dramatically changed in the last five years. The way we deal with PINs is now managed on a completely different level, depending on what they’re used for.”
Whereas card-present payments used to simply involve entering your card and then your PIN in order to complete a transaction, such a code can now be used in a range of different ways.
“It could be used for your online banking, for a mobile app or to generate a one-time passcode.
“There are many changes and impacts in different areas, from a security aspect, from an interoperability aspect and from a compliance aspect,” adds Emery.
But, at the end of the day, all customers want is simplicity in the control they have over their money, how they work with multiple accounts and how they can secure those accounts.
“It’s about implementing simple approaches to very complex systems,” says Emery. “To really help facilitate the customer interaction and address the fundamental customer need.
“I don’t think I’ve ever thought ‘oh, that’s a new way to pay for something’,” he says, citing ride-hailing app Uber as an example. The key aim of a customer hailing an Uber is to easily get from A to Z, not the thrill of trying out a new, invisible payment method, after all.
“From QR to open banking, all these new payment methods and frameworks provide the consumer with a tonne of choice, but they are also commoditising a previously bespoke area of the payments industry,” says Emery. “We’re going to see payment services fragment and we’re going to see them converge and that’s probably going to happen all at once in the sense that all this technology is causing a lot of confusion – where can I use it, where can’t I? At the end of the day, the customer only wants to be able to pay. So, let’s try to eliminate the technology for them.”
Telecoms has already achieved that, he says, highlighting the example of an iPhone user sending a message.
“If I send a message to someone with an iPhone, it goes over iMessage. If I send a message to an Android user, it will go as a text message. There’s no choice there in terms of how I send that message. My phone knows what I want to do, at a fundamental level. I want to send a message, and then it works out the best way to do it.”
And it should be exactly the same with payments, he argues.
“I really think that’s the approach we need from a payments perspective. The customer will use their app, their phone, however they’re paying for something. And between that device and whoever they’re transmitting the payment to, the device will work out what’s best.
“I think there’s going to be a lot of work and a lot of opportunity in looking at those pieces of the puzzle and working out where your risk is – if you change this piece, does it affect this piece? – and making sure all those pieces in the puzzle are certified. Once they know that – once they know it’s safe and secure – consumers will be happy as long as they can have access to it, use it in the different ways they want to, and move it around to different areas if they need to, in an instant manner.”
So, how close are we to realising an invisible world of payments?
“I think crossing that chasm is the difficult part – how it gets from being an idea, then a pilot, to something which is really, suddenly, in the blink of an eye, being used everywhere.
“IoT devices, but especially how you pay for things in the automotive space, is going to be really interesting and not just how you pay for things when you’re in your car, but how the payment process works when you’re topping up your electric Tesla – actually through the charging cable, for instance? How does that work? What does it look like? How do payments really converge at the heart of this connected world we’re in?”
It’s a long way from bagged vacuum cleaners, but if anyone can work out the answer to that question, it’s the security-by-design experts at UL.