Thought Leaders in Cyber Security: Andrew McLennan, President, North America of Inside Secure (Part 3)

Sramana Mitra: I have a follow-up question. If you look at the space of security in the context of payments, both mobile payments and desktop payments, who are the major security vendors and what are the differences in the key approaches? You have, of course,  just described your approaches. What are the key approaches in the industry and why is one better than the other?

Andre McLennan: There are three basic approaches and a variety of vendors across the space. You can use hardware to secure where you host Java code. All the processing is done in the hardware, and you’ve the most secure processing environment. But I think we’re all aware now that hardware is never 100% secure. It’s a great paradigm for payment, but the problem is it requires the maker of the payment application to understand what the hardware is. This is where you see the likes of Apple Pay come in, because they understand what their hardware is.  They can devise a payment experience knowing exactly what the hardware platform is. Of course, what that means is if the hardware is compromised, everyone loses. Every single person’s security is compromised.

As we go on to the next platform, you see the likes of Samsung Pay, which uses a trusted execution environment. It’s a hybrid of software and hardware. It’s a largely hardware-hosted processing. Eventually, it follows a very similar paradigm to the hardware security. It’s less secure. It’s easier to observe and have more lines of software. If you can observe the process, you can expose everyone’s secret keys. That’s a disaster.

On the software side, it’s a very similar paradigm. All security is done in software. Software is generally easier to observe because you won’t require special equipment. The trick in that environment is if you can make it impossible to observe or certainly so difficult to observe that it’s not economically viable for a hacker to extract the data. That’s the approach that we’ve taken. We have ended up in a situation where we are extremely resistant to attacks. It’s nearly impossible to observe anything that we process. On top of that, we also manage the security down to the individual user level. Even if I can expose the software security, all I get is one user’s detail. I don’t get everyone’s. I just get one person’s details. If I have to repeat that and grab another user’s detail, then I have to hack another user’s detail.

On top of that, there is the fraud detection built on the tokenization part. Once you clone the token, it’s very difficult because that token may have been encrypted to that particular user. It becomes very difficult for that token to enter a token stream. It becomes difficult for you to make a fraudulent payment in any sensible way. We have double protection, if you like. It’s easier to observe. The break, if it happens, is confined to a single person. It’s not confined to everyone in the ecosystem.

This segment is part 3 in the series : Thought Leaders in Cyber Security: Andrew McLennan, President, North America of Inside Secure
1 2 3 4 5 6