Combating Online Payment Risks

Lack of Collaboration Hampers Fraud Fighting

Scott Dueweke

The financial services industry is not collaborating effectively to address online payment risks, says Scott Dueweke of Booz Allen Hamilton.

"There's a huge opportunity for collaboration, but it hasn't even started," Dueweke, a payments processing expert, says in an interview with Information Security Media Group [transcript below].

Organized crime, on the other hand, has developed an incredible array of relationships and tools to steal information online, Dueweke says.

The financial services industry is far behind its adversaries, and that won't change until organizations begin collaborating and cooperating, he says.

"You can help share the information to shore up your defenses," Dueweke says. "I think that's key."

During this interview, Dueweke discusses:

Before joining Booz Allen, where he oversees the consultancy's payments trends division, Dueweke was appointed to the U.S. Agency for International Development at the U.S. Department of State, where he helped pioneer the field of e-commerce. Dueweke also led marketing for IBM's Internet Payments group, and went on to develop peer-to-peer and non-traditional payment systems at a dot-com startup.

Security Challenges

TRACY KITTEN: What are some of the greatest security challenges facing online payments today?

SCOTT DUEWEKE: The answer is clearly identity, identity and identity. It's all about knowing your customers, partners, their customers, maybe even their customers' customers, and also about knowing your employees. Without a mastery of identity, losses because of fraud, attacks and resulting lack of confidence are going to constrain growth as companies move into this space.

KITTEN: Would you say that banks or e-commerce merchants are at greater risk?

DUEWEKE: Organized crime has developed an incredible array of relationships, tools and forums where they communicate, private marketplaces, where they go and sell what they have stolen, whether it's PII, credit card information or whatever; and these are enabling a global criminal enterprise. ... We've seen a lot of breaches, whether it's Global Payments, LexisNexis or Experian, who have been the target of these approaches. They immediately go and try to sell this information in these forums, and they're using alternative payment systems as the life-blood to fuel this economy. That's how they sell and receive value for their stolen information.

Account Takeover

KITTEN: What would you say is the greatest worry for banking institutions as well as some of these e-commerce merchants?

DUEWEKE: At the end of the day, the account is the customer and the customer is the account. ... So, I've got to say the account takeover should be the greatest concern. You can counter DDoS attacks through technical means, prevention and awareness. Being able to prevent account takeover, however, requires better identity management, especially user verification. Too many companies today are relying on outdated and weak identity verification techniques such as CAPTCHA. ...

Knowledge-based authentication in an age of social media sharing is a joke as well. There's so much information out there that you're going to be able to guess or learn about a person well enough that you're going to be able to beat those knowledge-based authentication access controls. In fact, it's believed to have been what played a key role in the Global Payments fiasco, where they have hundreds of thousands of credit card numbers stolen and sold in these underground marketplaces. Some point soon, multi-factor authentication and strong biometrics, probably facial recognition, will begin to close the advance that the criminals currently have, but we're behind the curve.

Payment Processor Concerns

KITTEN: What would you say about the security of payments processors?