The biggest news in payments security in the last month concerns allegations that point of sale terminals supplied by PAX Technology have been subverted to have the capability of launching cyberattacks. Details of the allegations can be found at Krebs and Bloomberg; in response, PAX Technology has published a rebuttal.
Victoria Saporta, BoE executive director for prudential supervision, has said recently that minimum resilience requirements should be imposed on the tech giants’ (and others’) hosting services before they may process and store banking data. We strongly support these comments. We have identified this issue as one of a number of new risks arising from modern financial systems architecture, in recent Structured Risk Analyses that we have carried out for financial and retail organisations in North America, Asia-Pac and EMEA.
Deep in the mists of time (that is to say, the early-1990s), I led the team from Consult Hyperion responsible for Mondex specification, design and development. For those not familiar with paleo-payments, it was one of a clutch of (contact) smart card based electronic cash systems, none of which survived beyond, let’s say, early adolescence. There were two main reasons for their demise, one technological and one business. The concept was ahead of the capabilities of the underlying technology. Transactions took about the same amount of time as cash plus change, which wasn’t a compelling reason for anyone to leave their wallet behind. The promoters of the schemes (retail banks and payment brands) did not target particular niches where there may have been a business case (I always thought car parking might work) but instead blanketed retail outlets in particular cities or small countries. So, mostly unused devices were put under the counter, and people forgot about the schemes after an initial blaze of publicity.
We’ve now had well over a year of sporadic lockdowns, of varying degrees of severity. I’m loath to tempt fate, but it does seem that, in the UK, we’re heading towards a low background level of Covid-19, during the summer months at least. It’s therefore an appropriate time to examine the changed methods of working, and whether, or to what extent, they should be incorporated into normal practice.
It’s that time of year again, when it’s traditional to take stock and look to the future. At Consult Hyperion, we do that through our ‘Live 5’ process, where we look at major trends in business, technology and consumer attitudes and project them onto our areas of business focus, with twists of our own. This is more than a marketing exercise. It informs our advisory services, but also sets our own strategy, for example by determining what technologies are investigated, and prototypes built, by our Hyperlab unit.
Predictions from 1909
This essay is about a work of science-fiction, of which many features have come to pass. I re-read it this week, as it seemed that even more might be, and not necessarily to our advantage, in the world of Covid-19, and I wanted to confirm or deny my memory. In any case, science-fiction is a great background for technology strategising, helping to get beyond limited thinking based on incrementalism.
I took my English Literature ‘O’ Level in 1974 and three works from the syllabus have stayed with me since: Macbeth, Lord of the Flies (which I had read a couple of years earlier) and one that no-one’s ever heard of: a science-fiction short story, The Machine Stops, by E.M. Forster. That’s right, E.M. Forster, better known for acute observation of middle-class Edwardian manners (A Passage to India, A Room with a View, Howards End…). Apparently, he wrote it to demonstrate how easy it was to generate science-fiction akin to H.G. Wells. Indeed, it bears a certain resemblance to The Time Machine, except for an inversion: in Forster’s dystopian far-future, the effete leisured class live underground, while the rough outlaws live on the surface.
Forster’s ‘civilised’ tribe live in a world of pure ideas, only loosely connected, if at all, with sensory perception. I think what I found shocking was the protagonist flying over the Himalayas, glancing out and immediately shutting the blind, with the dismissive thought “no ideas here”. Having shuttled back and forth between England, Australia and America for much of my life until then, at a time when few did, I was appalled. I used to strain to remain awake, whenever it was even half-light, in order to take in everything, and speculate (and later research) on the physical make-up of the land and the people it supported. In fact, I still do!
Air travel was by fleets of airships, so Forster backed the wrong aeronautical horse, so to speak. Although, he explicitly stated that civilisation had given up the dream of beating the sun in Westward travel, as we have, having attained it in a limited fashion with Concorde, for not quite three decades. For the same reason, partly: the availability of real-time electronic communication.
The civilised world is run by ‘the Machine’; a kind of internet, with mechanical appendages; imagine the Internet of Things is an established reality. FaceTime has been invented, and so has Zoom: people’s time is mostly spent in isolation in their identical cells, giving or receiving webinars, on abstruse but useless topics. Alexa will pick up on any expression of discomfort and diagnostic kit and treatments will be lowered from the ceiling, in the manner of oxygen masks in planes. People never travel to things, but things to people, as if by Amazon. “And of course she had studied the civilization that had immediately preceded her own — the civilization that had mistaken the functions of the system, and had used it for bringing people to things, instead of for bringing things to people. Those funny old days, when men went for change of air instead of changing the air in their rooms!”. Not all predictions were correct in 2020; Google was just a big book, which everyone had, principally as a manual for getting the machine to satisfy all reasonable wants.
The natural atmosphere was supposed to be not capable of supporting human life and a respirator was needed at all times, in the unusual event that anyone had—how shall we say—a reasonable excuse to leave the home. I re-read the story partly to determine why that was, imagining disease. Actually, the supposition was either false or greatly exaggerated; what was the case was that the atmosphere stimulated the senses in a way that overwhelmed those used, and possibly adapted, to the sterile air produced by the machine. Notwithstanding the lack of a pandemic, it was certainly the case that humans physically repelled each other and social distancing was the norm.
The denouement has an increasing level of seemingly random and, at first, minor breakdowns in the operation of the machine. In my mind, these were because the machine’s designers could not anticipate all changes in its external environment.
There is, however, a ‘mending apparatus’ which automatically patches the machine. But when that starts to malfunction… The moral is that society should not, by becoming completely dependent on its own creations, become detached from understanding the nuts and bolts of technology. That is something your favourite consultants will never do!
Back to the story. It is clear that the Chinese had taken over the world at some earlier time. Perhaps when, as now, they concerned themselves with acquiring and applying the whole gamut of technical skills.
The team put on an excellent webinar this Thursday (May 21st, 2020) in the Tomorrow’s Transactions series. The focus was on Trust over IP, although digital identity and privacy were covered in the round.
The panellists were Joni Brennan of the DIACC (Digital ID & Authentication Council of Canada—full disclosure: a valued customer), long-time collaborator Andy Tobin of Evernym and our own Steve Pannifer and Justin Gage. Each of the panellists is steeped in expertise on the subject, gained from hard-won experience.
Joni and Andy presented, respectively, the DIACC and ToIP layered architectural models (largely congruent) for implementing digital identification services. The panellists agreed that no service could work without fully defined technical, business and governance structures. Another key point was that the problems of identification and privacy merge into one another. People need to make themselves known, but are reserved about making available a slew of personal information to organisations with whom they may seek no persistent relationship or do not fully trust.
At one point, it was mentioned that practical progress has been slow, even though the basic problem (to put one aspect crudely, why do I need so many passwords?) of establishing trust over digital networks has been defined for 20 years at least. It could be argued that Consult Hyperion has earned its living by designing, developing and deploying point solutions to the problem. I began to wonder why a general solution has been slow to arise, and speculated (to myself) that it was because the end-user has been ill-served. In particular, the user sign-up and sign-in experiences are inconsistent and usually horrible.
Therefore, I posed the question “What is the panel’s vision for how people will gain access to personalised digital services in 2030?” The responses were interesting (after momentary intakes of breath!) but time was short and no conclusions were reached.
I slept on the problem and came up with some tentative ideas. Firstly, when we are transacting with an organisation (from getting past a registration barrier to download some info, through buying things, to filing tax returns), everything on our screens is about the organisation (much of it irrelevant for our purposes) and nothing is about us. Why can’t our platforms present a prominent avatar representing us, clickable to view and edit information we’ve recorded, and draggable onto register, sign-in or authorise fields in apps or browsers?
Now, there could be infinite variations of ‘me’ depending on how much personal information I want to give away; and the degree of assurance the organisation needs to conduct business with me (of course, it’s entirely possible there could be no overlap). I reckon I could get by with three variations, represented by three personas:
- A pseudonym (I get tired of typing email@example.com just to access a café’s wifi; there are some guilty parties registering for our webinars too!)
- Basic personal information (name, age, sex, address) for organisations I trust, with a need-to-know
- All of the above, maybe more, but (at least, partly) attested by some trusted third party.
Obsessives could be given the ability to define as many options, with as many nuances, as they like; but complexity should be easily ignorable to avoid clutter for the average user.
I think it’s the major operating system providers that need to make this happen: essentially, Apple, Android and Microsoft, preferably in a standard and portable way. For each we would set up an ordered list of our preferred authentication methods (PIN, facial recognition, etc) and organisations would declare what is acceptable to them. The system would work out what works for both of us. If the organisation wants anything extra, say some kind of challenge/response, that would be up to them. Hopefully, that would be rare.
The Apple Pay and Google Pay wallets go some way towards providing a solution. But sitting above the payment cards and boarding passes there needs to be the concept of persona. At the moment, Apple and Google may be too invested in promulgating their own single customer views to see the need to take this extra step.
I sensed frustration from the panellists that everything was solvable, certainly technically. Governance (e.g. who is liable for what when it all goes wrong?) was taken to be a sticking point. True, but I think we need to put the average user front and centre. Focus groups with mocked-up user experiences would be a good start; we’d be happy to help with that!
COVID-19: Consult Hyperion and you
The effects of the global pandemic, COVID-19, are touching every aspect of our lives, our communities, our businesses and the global economy. I hope that your own health, and that of your loved ones, will not be severely affected, and that your business life is able to continue unabated with some inevitable adjustments.
I personally wanted to reassure you that despite the challenges we are all facing, Consult Hyperion is fully accessible and taking proactive and expedient measures to protect our team and our clients.
It is not unusual for our team to work remotely, as client work often demands, but now both our UK and US teams have mobilised to full remote working in support of the Prime Minister’s guidance that the more people who are able to work from home, should. We have systems and policies in place to protect all information, project work and client deliverables. Our teams have embraced the use of digital tools for their internal communication and briefings, as well as for outbound thought leadership and to continue the narrative on the topics for which we are known as experts.
I take great pride in the team at Consult Hyperion. For over 30 years we have worked for organisations like yours. We have helped deliver products and services that have changed how consumers pay, travel and interact on a daily basis. I have no doubt that the team at Consult Hyperion will continue to deliver for you during this difficult time. Now more than ever, our vision holds true.
Neil McEvoy CEO and Co Founder
Hyperion Systems Ltd trading as Consult Hyperion: Tweed House, 12 The Mount, Guildford, Surrey GU2 4HN Registered in England at the above address, Company No: 1955749