To the War-room!

I’m currently studying for an MSc in Project Management. This is making my head pop at times so I’ll blog the bits that don’t make it into my academic submissions from time to time.

It strikes me that in the various projects I’ve worked on, I’ve found myself struggling to move between projects at a moment’s notice, flipping my consciousness in the process. In my head I try to compartmentalise my project work to ensure I don’t get confused as a result of any “leakage”. Meanwhile, my desk gets messier.

What if we could reflect this set of mental compartments in the real world, in the office? By separating project activities from each other in the office, it might just make it easier to flip between projects. Robert Wysocki mentions the “War Room”, a room dedicated to the project. This room will probably just be a meeting room “commandeered” by the project team for their collaboration, and it requires little more than the usual office stationery and equipment during the course of the project.

The War Room should contain:

  • A whiteboard
  • A computer and projector
  • Ample water
  • Flipchart
  • Plenty of wall space and Blu-Tack

The room is the “meeting point” for the project team, both for formal meetings and for collaboration time, perhaps as a way to get away from the usual team and concentrate on the job in hand without distractions. The act of removing yourself from your usual position in the office immediately reduces distractions, and when you’re headed to the project War Room, it’s clear to your colleagues what you are working on.

It might be messy, with scrawling across the whiteboards, papers hanging from the wall, textbooks left open and memos littering the desks. It is, however, a workspace dedicated to a particular purpose. When individuals enter that room, they join the project either as a collaborative member, a manager or an observer. It’s a physical boundary between the humdrum taking-care-of-business work and transformative, collaborative work.

Of course, not every office is able to accommodate such luxuries. It might be due to physical constraints (not enough rooms/space) or political ones (“why should they get their own room?”). Unfortunately, the argument for designing offices around productivity has long since been lost and we’re doomed to cubicles spread across noisy, windowless offices, so making the case for a dedicated collaborative space is going to be difficult.

Then again, if the business can’t give you a dedicated project collaboration space, what value do they really have on the project?

Chip and PIN safety is just smoke and mirrors

I’m no expert on credit/debit card safety, but I’m concerned enough to share my thoughts and experience based on recent “hacking” stories in the news and the complacency of retailers when storing your card data.

Chip and PIN is not more secure

From 2004, banks have been pushing the Chip and PIN “safety in numbers” campaign to encourage customers (and particularly merchants) to shift to the new Chip and PIN technology. Previously, a payment was authenticated using a signature on a receipt (produced either by swiping the card through a magnetic card reader or by taking a physical imprint of the card details). This had a high rate of fraud due to the weaknesses of signature authentication and the ease with which cards could be cloned: the magnetic strip became a single point of failure.

On the surface, it appears more secure. France saw an 80% drop in fraud when switching to Chip and PIN. The two-factor authentication of Chip and PIN (what you have, what you know) has significantly reduced card cloning; the user doesn’t have to hand over their card while worrying about double swiping, and the PIN is the same as their ATM PIN, so usability was maintained. However, card fraud has increased in the years since: fraud attempts have been displaced rather than eliminated.

Even before considering the technical vulnerabilities, four immediate problems come to mind.

Firstly, if you don’t enter your PIN correctly, the merchant will invariably downgrade to a Chip and Signature transaction. To the consumer, this mirrors the older process of signing the receipt. The difference is that the merchant has specifically opted in to using the less secure protocol and assumes the risk of fraud. (Given the attention I’ve seen sales assistants pay to the validity of a signature, I wouldn’t put any confidence in this mechanism.)

Secondly, CCTV cameras are routinely aimed at the tills, for good reason. But these also capture what customers are entering on PIN pads. Of course, we’re encouraged to conceal our entry with our other hand, but we do live in a society, and this creates an implication of distrust of your fellow customer. If the card is stolen, or is cloned in some way by a compromised terminal, your authentication is compromised even though the card itself is fine.

Thirdly, what confidence do we have that the terminal has not been compromised? Consider the new means of robbing a bank: from an apartment a few blocks away. Santander and Barclays were both targeted with inexpensive IT kit, installed by supposed IT engineers, that gave direct access to banking systems. What’s to say the same technique hasn’t been employed against a retailer, with a sales assistant being duped into allowing “upgraded systems” from “head office” to be installed? A man-in-the-middle device can trick a card into believing signature authentication was used even when an invalid PIN was entered, leaving the incorrect-PIN count held in the card intact.

Finally, there is the competence of the merchant. Hotels and bars often hold cards “open” to allow future drinks and the like to be added to the account at the customer’s convenience. In theory, when the customer signs the receipt as the account is closed they would identify any anomalies (assuming they are not too drunk to notice). I’ve managed to pay for two expensive cocktails in a 5-star hotel without entering my PIN or signing, because this account system was incompetently applied.

In each of these cases the weakest link is the person, and it is most often the merchant at fault. Then there are the known exploits in Chip and PIN, such as man-in-the-middle attacks, so-called “yes-cards”, offline authentication, card cloning for use abroad, electronic authentication downgrade and good old robbery.
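An issuer-side consistency check, added here as an example and not part of the original post, for the downgrade and man-in-the-middle cases above: it parses the terminal's CVM Results (EMV tag 9F34, a real three-byte field) and compares the terminal's claim against the card's own account of whether a PIN was checked. The `card_pin_verified` flag and the sample authorisations are constructed; in practice the card's view sits in issuer-proprietary data whose layout varies by issuer.

```python
"""Issuer-side check: does the terminal's claim about cardholder verification
match the card's own account of it?  Added example, not from the post.
CVM Results (EMV tag 9F34: CVM code, condition code, result) is a real format;
`card_pin_verified` is a constructed stand-in for issuer-proprietary card data."""
from dataclasses import dataclass

# Low six bits of 9F34 byte 1 (bit 7 is the "apply next rule on failure" flag).
PIN_CVMS = {0x01, 0x02, 0x03, 0x04, 0x05}  # plaintext/enciphered PIN variants
CVM_SIGNATURE = 0x1E
CVM_NO_CVM_REQUIRED = 0x1F
RESULT_SUCCESSFUL = 0x02                   # 9F34 byte 3

@dataclass
class AuthRecord:
    txn_id: str
    cvm_results: bytes       # tag 9F34 exactly as the terminal sent it
    card_pin_verified: bool  # card's view (constructed stand-in for issuer data)

def parse_cvm_results(raw: bytes):
    """Return (cvm_code, condition_code, result) from a three-byte 9F34."""
    if len(raw) != 3:
        raise ValueError("9F34 must be exactly three bytes")
    return raw[0] & 0x3F, raw[1], raw[2]

def classify(rec: AuthRecord) -> str:
    code, _condition, result = parse_cvm_results(rec.cvm_results)
    if code in PIN_CVMS and result == RESULT_SUCCESSFUL:
        # The post's man-in-the-middle case: terminal reports a verified PIN but
        # the card never checked one.  Refer it, and do not book it as PIN-verified.
        return "PIN_OK" if rec.card_pin_verified else "CVM_MISMATCH"
    if code == CVM_SIGNATURE:
        return "SIGNATURE_FALLBACK"  # merchant chose the downgrade and carries the risk
    if code == CVM_NO_CVM_REQUIRED:
        return "NO_CVM"
    return "OTHER"

def suspicious(records) -> list:
    """Transaction ids where terminal and card disagree about PIN verification."""
    return [r.txn_id for r in records if classify(r) == "CVM_MISMATCH"]

# Constructed sample authorisations.
SAMPLE = [
    AuthRecord("t1", bytes.fromhex("410302"), True),   # PIN by card, card agrees
    AuthRecord("t2", bytes.fromhex("410302"), False),  # terminal says PIN OK, card says no PIN
    AuthRecord("t3", bytes.fromhex("1E0300"), False),  # signature fallback, result 'unknown'
    AuthRecord("t4", bytes.fromhex("1F0000"), False),  # no CVM required
]
```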

Cardholder not present is still not secure

Cardholder not present (CNP) describes transactions in which the merchant cannot verify the identity of the cardholder, typically when ordering online or over the phone.

There are various ways of “proving” the identity and validity of a card in this scenario.

Firstly, the Card Security Code (CSC) attempts to prove that the card is in the possession of the purchaser (note: not necessarily the cardholder) at the time of ordering. These are the three digits on the reverse of your card. The CSC is not encoded in either the chip or the magnetic strip, so a cloned card would not carry it, rendering the transaction invalid. This can authenticate the transaction (and by implication the validity of the card, if not the purchaser) but relies on the competence of the merchant to keep these values from being compromised. For instance, the PCI standard mandates that the CSC must not be stored in a database once the transaction has been authorised, precisely so that a compromise of the card database does not expose it. The recent case of StaySure, whose stored CSC data was hacked, shows that this is not guaranteed and that the customer has no way of knowing. (Ask yourself: if the CSC is needed for an electronic CNP transaction, how can Amazon ask for this code only once and continue to bill your account?)

This comes down to the reliability and trustworthiness of the web sites and the individuals running them. How does the company store your card data? Do they retain your data, and for how long? Are there opportunities for individuals within the company to access that data unencrypted? Are paper trails generated containing your card details? The web site is a sealed box; you have no view of how your financial data is managed inside it. Phone-based and mail-based orders may be written down or printed off and left in accessible piles on employees’ desks (which is why PCI mandates physical access controls around cardholder processing areas).
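As an added example (not the post's code), the scrub-before-store rule the paragraph describes, with an audit pass that detects both a retained security code and a full card number copied into a free-text field, the "written down" case mentioned above. Field names and records are constructed; the card numbers are industry test numbers.

```python
"""Scrub a card transaction before it is stored, then audit what was stored.
Added example, not from the post.  Field names (pan, csc, notes, ...) and the
records are constructed; the rule is PCI DSS's: the security code must not be
kept after authorisation, and a stored PAN shows at most first six, last four."""
import re

SENSITIVE_AUTH_FIELDS = {"csc", "cvv", "cvv2", "cvc", "track_data", "pin"}
# 13-19 digits, optionally separated by spaces or hyphens; Luhn filters noise.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitise_for_storage(txn: dict) -> dict:
    """The only form of the record that may be written after authorisation."""
    kept = {k: v for k, v in txn.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept

def audit_stored(records) -> list:
    """Flag stored records still holding a CSC-type field or a full PAN anywhere."""
    findings = []
    for rec in records:
        for key, value in rec.items():
            if key.lower() in SENSITIVE_AUTH_FIELDS:
                findings.append((rec["id"], f"sensitive authentication data in '{key}'"))
            elif isinstance(value, str):
                for m in PAN_PATTERN.finditer(value):
                    if luhn_valid(re.sub(r"\D", "", m.group())):
                        findings.append((rec["id"], f"unmasked PAN in '{key}'"))
    return findings

# Constructed records; 4111111111111111 and 5555555555554444 are test numbers.
CONSTRUCTED_TXN = {"id": "ord-1001", "pan": "4111 1111 1111 1111",
                   "expiry": "12/27", "csc": "123", "amount": "42.00"}
CONSTRUCTED_STORE = [
    sanitise_for_storage(CONSTRUCTED_TXN),                                # clean
    {"id": "ord-1002", "pan": "411111******1111", "cvv": "987"},          # CSC kept
    {"id": "ord-1003", "pan": "411111******1111", "notes": "phoned in: 5555 5555 5555 4444"},
]
```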

Secondly, Visa’s “3-D Secure” authentication mechanism, known under the brands “Verified by Visa” and “Mastercard SecureCode”, appears to authenticate the cardholder by asking more pertinent questions directly related to the cardholder’s bank account, but it gives the cardholder no real assurance that the challenge itself is genuine. The scheme requires a web commerce site to embed an IFRAME within its checkout process that acts as a “window” into the banking system, requesting extra verification data. However, the user has no reliable way of knowing that the site within the window is genuine: a malicious web site may embed a false authentication page, the user’s computer may be infected so that false authentication sites are served, or DNS poisoning may redirect a valid authentication site to malicious parties.

The Chip and PIN programme does provide benefits to the consumer, without a doubt, though these are largely usability benefits. Any argument for increased security is a smoke and mirrors marketing campaign by the card issuers. Fraud has increased, particularly in Cardholder Not Present scenarios (coupled with weak IT security on the part of web sites), and attacks have merely shifted to alternative weaknesses rather than being prevented. The big winners are the banks, because they are able to transfer the risk of a fraudulent transaction from themselves to the merchant or the customer. Stringent merchant contracts allow the bank to transfer liability for fraud to the merchant should the merchant choose to downgrade their authentication, or to the cardholder if it can be proved that fraud was attempted. Interestingly, if a PIN had been entered, the banks refused to accept liability until 2009 even if the customer denied having used the card.