I’m sure that by now you are all familiar with the major data breach that occurred at British Airways earlier this month. It was a “Magecart” attack on the scripts running on the BA web site (the booking page at BA runs 30 scripts, and remember that many of these are minified scripts spanning thousands of lines of code). The breach was pretty serious: 380,000 customers were affected. In fact, it was so serious that “shares of British Airways’ parent company IAG fell around 4% as markets opened” the day after it was reported. The stolen data included customers’ names, e-mail addresses, billing addresses and payment card information (including CVVs) but not passport details.
Since I had booked a fair few flights during this period, which included arranging for family members to attend a funeral, I didn’t for one moment that my card details had been hijacked by cyber-criminals. I don’t really care though. If the Magecart miscreants do have my card details and use them to buy something, then it is Amex’s money that has been stolen, not mine. Thanks to a combination of consumer protection legislation and Amex terms and conditions, when the transaction shows up on my bill I’ll just call up and cancel it.
(Incidentally, the last couple of times I’ve attempted to charge things back to Amex, it was for transactions that were actually correct. Due to the ancient ISO 8583 protocol, transactions don’t carry enough information for consumers to recognise them. So when I see a charge of £35 to “BA.COM” with no explanation of what it’s for, I of course automatically click on it for more details only there are no more details, so I charge it back only to discover it was for a change to a family member’s flight that I’d completely forgotten about. But I digress.)
Now, to be honest, I’m pretty unsympathetic.
This sort of breach of card data may not be around for much longer though. Earlier in the year Deutsche Bank announced a pilot project with the International Air Transport Association (IATA), the trade association for the world’s airlines, to test a new payment model using account-to-account payments enabled by PSD2. I’m sure my BA app will sprout a new button to pay directly from my bank account (in return for double Avios or whatever) fairly soon and the very notion of storing payment card details to pay for travel will seen almost quaint. The reason that I say this so confidently is that I remember an interesting comment from last year’s Google I/O conference, referring to the opening up of the European payments marketplace under PSD2 in a discussion with Bank Innovation. Talking about Google wallet Daniel Döderlein, the CEO for payments systems provider Auka, said that the service is linked to a user’s credit card, but not for long (at least for European users) because “once Google’s able to go to direct to account they will cut out the cards companies and to some extent, the bank,”
This resonated with a story that I heard more than a year ago and mentioned to a few clients in seminars and workshops. A friend of mine was on a study tour of the US during which he visited a number of different technology companies as well as a number of different technology users in a group of related industries. He told me that the whole time he was in the US, the only people who had asked him about PSD2 came from Facebook and Google. Not from banks, not from retailers, not from payment processors and not from card issuers. From the internet giants. Giants who control platforms and devices that can tie together authentication and authorisation using modern cryptography that does not involve entering sensitive personal information into web forms and then posting it through the internet tubes.
Tired: Card Present and Card Not Present; Wired: Cardholder is Present and Cardholder Was Present.
Snippings 