8 things to stop doing immediately

We can always take online security a little for granted but some behaviours put us at more risk than others. This isn’t an exhaustive list so if you can think of more, please add them in the comments. Another one I wanted to add but couldn’t find a picture for is failing to verify a BSB/Account Number with someone you are transferring money to. You should always verify over two different mediums (e.g. SMS/email/phone) before transferring, especially if you are transferring a large amount of money. People have lost a lot of money by missing this simple step.

1. Giving away personally identifiable information about children’s whereabouts, likes/dislikes and birthdays.


2. Plastering family/bumper stickers all over your car. You might as well wear a “come rob me” sign.


3. Using Windows XP and/or Internet Explorer 6. No anti-virus/spyware protection.


4. Checking emails/banking accounts/social media accounts over “Free Public Wifi”. Ok so if this is a little hard to avoid, at the very least be aware of the risks, avoid doing banking over this channel and change your passwords frequently. Also, set different passwords for your accounts…


5. Logging in/entering your password details from email links. This can be a phishing attack to steal login credentials. Instead, always log in via the official website.


6. Going to the official site and entering login/password details without checking the URL/certificate details. Instead, look for a green bar.


7. Doing stupid things in public like Karen Bailey’s epic racist rant against Chinese people. You will be publicly disgraced and even arrested.

Do: Stand up to racists (non-violently). The guy in the background became a national hero after hitting back with “You’re scum”.


8. Posting stupid things online that you can never take back. Justine learnt the hard way, losing her job after this tweet. The tweet spread like wildfire and a campaign for her immediate dismissal had taken off during her return flight. By the time she landed, she had already lost her job.


Forget the hype, will Facebook Payments go bust?


Facebook Payments might perform really well and I may end up red in the face… Nevertheless, this is a personal opinion about some challenges that Facebook may need to overcome before they take over the world – again.

It’s not simple enough. The ability to send and receive payments relies on both parties having a personal credit card or Visa/MasterCard branded debit card. For those who do not have a credit card or cannot guarantee they will have sufficient funds in the bank to pay friends, this is awkward. To avoid awkwardness, they may simply never join, even when their financial situation improves.

You also need to be friends with the person you are paying. This may be a great way to grow your friend list but this is not for everyone. There are plenty of times when friends bring plus ones (or multiples) to events that someone organises and pays for e.g. hens nights, birthdays, group outings etc. It’s not always appropriate to add plus ones as Facebook friends…but is it more awkward to insist they send money the traditional way than to accept their friend request?

Cash still remains the simplest way to pay a friend back. They pay for something e.g. dinner/movie ticket/cinema and you pay them back or shout them the equivalent at your next outing/when you scramble enough cash. For friends based interstate or overseas, cash may not be an option but then with greater distance, people crave more security.

It’s not complicated enough. The idea of making a payment through a Social Network actually scares people. These are the folks who crave the security of logging into their bank system or using a bank issued card to access their money. The idea of trusting Facebook to make a payment is a bit scary. Even though Facebook claims they are PCI compliant and have a fraud department to review dodgy transactions, they just are not known for providing a secure enough platform to entrust them with your card details. The idea of Facebook being able to market products to you directly and give you an option to buy instantly may satisfy some but insult and scare away a lot of others.

It costs too much. For Facebook to do this, they will have to invest heavily in security to stay PCI compliant and may be liable to pay for any breaches. As they are not directly making money from this, will the costs outweigh the benefits?


Who pays for card fraud? The results may shock you


Where fraud is decreasing…

Card fraud has significantly declined in countries that have rolled out EMV chip technology. Chip technology performs dynamic authentication of Card and PIN values. This is more secure than performing static authentication of card data printed on magnetic stripes, as data can be skimmed, PIN entry recorded and counterfeit cards produced without card owners knowing. Countries (e.g. USA) that haven’t adopted the EMV chip standard and continue to use static cards and signature-based verification are waking up. In late 2014, Barack Obama signed an executive order to speed up the adoption of EMV technology via the BuySecure Initiative. By October 2015, it is expected that the US would have transitioned to Chip and PIN technology to reduce card fraud.
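An added example (not from the original post) modelling the difference described above: a recorded copy of static card data verifies again, while a chip-style cryptogram bound to a terminal challenge and a transaction counter does not. The Chip and Issuer classes and the card id are hypothetical, and HMAC-SHA256 stands in for the card's real cryptogram algorithm.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, amount, nonce, atc):
    # Assumption: HMAC-SHA256 stands in for the chip's real cryptogram algorithm.
    msg = f"{amount}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Chip:  # hypothetical chip: the key stays inside, only cryptograms leave
    def __init__(self, key):
        self._key, self.atc = key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # transaction counter advances on every use
        return self.atc, make_cryptogram(self._key, amount, nonce, self.atc)

class Issuer:  # hypothetical issuer host
    def __init__(self):
        self.static, self.keys, self.last_atc = {}, {}, {}

    def enrol(self, card_id):
        self.static[card_id] = secrets.token_hex(4)   # fixed, stripe-style value
        self.keys[card_id] = secrets.token_bytes(16)  # secret shared with the chip
        self.last_atc[card_id] = 0
        return self.static[card_id], Chip(self.keys[card_id])

    def verify_static(self, card_id, value):
        return hmac.compare_digest(self.static.get(card_id, ""), value)

    def verify_dynamic(self, card_id, amount, nonce, atc, cryptogram):
        key = self.keys.get(card_id)
        if key is None or atc <= self.last_atc[card_id]:
            return False  # unknown card, or counter value already used
        ok = hmac.compare_digest(make_cryptogram(key, amount, nonce, atc), cryptogram)
        if ok:
            self.last_atc[card_id] = atc
        return ok

def demo():
    issuer = Issuer()
    static_value, chip = issuer.enrol("CARD-0001")  # constructed card id
    # A recorded copy of the static value verifies exactly like the original.
    static_replay = issuer.verify_static("CARD-0001", static_value)
    nonce = secrets.token_bytes(4)                  # terminal's fresh challenge
    atc, cg = chip.sign(1250, nonce)
    genuine = issuer.verify_dynamic("CARD-0001", 1250, nonce, atc, cg)
    replayed = issuer.verify_dynamic("CARD-0001", 1250, nonce, atc, cg)
    fresh = issuer.verify_dynamic("CARD-0001", 1250, secrets.token_bytes(4), atc + 1, cg)
    return static_replay, genuine, replayed, fresh
```

`demo()` returns the four verification results in order: static replay, genuine chip transaction, the same cryptogram presented again, and the same cryptogram presented against a new terminal challenge.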

Where fraud is increasing…

In countries with EMV Chip and PIN technology deployed, fraud has declined at the point of sale, where the card needs to be present, but is increasing in transactions where the card is not present. Card not present transactions involve the use of card details printed on the card (account number, expiry date and CVV) to make a payment over the internet, mail or phone. These details may differ from the data stored on the magnetic stripe or chip, but can authenticate payments nevertheless. Card not present fraud actually has wider implications for businesses that process online transactions. While the cardholder’s bank (issuing bank) is liable to cover the costs of disputed payments where a card is present, businesses may be found liable where a card is not present and may not be able to retrieve any goods sent to the fraudster.

Combatting fraud…

3D Secure, an authentication protocol developed by Arcot Systems and rolled out to Visa (Verified by Visa), MasterCard (SecureCode) and American Express (SafeKey), is a way to reduce and combat card not present fraud. 3D Secure shifts the liability of fraud back onto issuing banks, making them responsible for authenticating the customer before making a purchase. Once the issuing bank has authenticated a customer, they send an authentication code to the card company (e.g. Visa) which is then verified and sent to the business’s bank (acquiring bank) for processing.

Despite its many advantages, 3D Secure is not perfect. There are extra steps involved for the customer and it is not always the best user experience (if implemented badly). 3D Secure can also become a target for phishers if customers are redirected to a phishing site instead of the issuing bank’s website for registration or authentication.
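The URL check that items 5 and 6 of the list in the first post and the 3D Secure phishing caveat above both call for, as an added example that is not part of the original post. OFFICIAL_HOSTS, check_login_url and the examplebank.test names are hypothetical, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical official hostnames; in practice take these from the bank's own material.
OFFICIAL_HOSTS = {"www.examplebank.test", "secure.examplebank.test"}

def check_login_url(url, official_hosts=OFFICIAL_HOSTS):
    """Return (ok, reason) for a URL about to receive a password or card details."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised host, possible lookalike"
    if port not in (None, 443):
        return False, "unexpected port"
    if host not in official_hosts:
        return False, "host is not an official one"
    return True, "ok"

# Constructed sample links, as they might appear in an email or a payment redirect.
SAMPLES = [
    "https://www.examplebank.test/login",
    "http://www.examplebank.test/login",
    "https://www.examplebank.test@login.example/verify",
    "https://www.examplebank.test.login.example/3ds",
    "https://www.examp1ebank.test/login",
    "https://www.xn--exmplebank-lookalike.test/login",
]

def review(samples=SAMPLES):
    return [(u, *check_login_url(u)) for u in samples]

if __name__ == "__main__":
    for url, ok, reason in review():
        print("ALLOW" if ok else "BLOCK", reason, url, sep="\t")
```

Only the first sample passes; each of the others fails a different check, which is why the hostname has to be compared exactly rather than searched for the bank's name.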





3 examples when Digital Payments failed. What can they learn from store cards?


1. BebaPay

BebaPay was Google’s attempt to introduce digital payments to Kenya. BebaPay was a prepaid card powered by Near Field Communication (NFC) technology. It was first introduced to the transport system with the view to extend to shops and small businesses. BebaPay also hoped to expand to other parts of Africa eventually. It was introduced to the transport system to solve the inefficiencies of the current cash-based system. Commuters were running out of change, losing their tickets and sometimes being overcharged. Drivers and conductors were unable to obtain meaningful data to assess where the popular routes were. BebaPay was trying to make payments simpler but ultimately found it hard to compete with the simplicity of cash. With cash, bus operators were paid in real-time and to the full cent. They also had more flexibility and privacy to do as they wish with the cash. For everyday consumers, BebaPay was less convenient than cash and therefore had no value-add. With the bus operators offside, commuters indifferent and no regulation/law to enforce the use of BebaPay, it died.


2. Square Wallet

Square was a digital wallet, invented by Jack Dorsey (inventor of Twitter). Square is a mobile application with a credit card reader attached to a plug-in from a headphone jack. Customers could swipe their credit card and set up a tab with their name and then head into one of the participating stores to pay by just saying their name. It was supposed to revolutionize payments by making transactions more human and easier. However, against the convenience of cash, cards and the benefits of store cards, Square did not add enough value to cause any real disruption. Even with Starbucks and Whole Foods Markets on-boarded, it failed to gain widespread adoption. The application was removed from Apple and Play stores.


3. Google Wallet

Similarly, Google Wallet failed to gain adoption for similar reasons. The NFC chip wasn’t integrated with many devices and the user experience wasn’t compelling enough to gain widespread adoption. It made payment simpler but not simpler than what was already available.

Digital payment ventures based only around the idea of simpler payments may wish to ask themselves the following questions. Am I really making it simpler? How well do I know my customers, both the merchants and users? Will I be adding an additional layer of complexity?

Vs Starbucks

Alternatively, store cards like the Starbucks store card have done very well. Starbucks store cards have had widespread adoption with millions of active users and billions of dollars being deposited into their cards annually. The differentiator is the loyalty program and free in-store deals, which provide customers with a true end-to-end customer and payment experience.