tag:www.econsultancy.com,2008:/topics/security Latest Security content from Econsultancy 2016-04-14T11:01:52+01:00 tag:www.econsultancy.com,2008:BlogPost/67718 2016-04-14T11:01:52+01:00 2016-04-14T11:01:52+01:00 Key trends in online identity verification (so everybody knows you're a dog) Danny Bluestone <h3>Using our ‘real’ identities online</h3> <p>Online anonymity is waning. A user’s digital behaviour never used to be closely connected across the web, nor did it connect to their offline lives.</p> <p>Technically, there were also fewer plug-and-play solutions like <a href="https://econsultancy.com/blog/61911-the-pros-and-cons-of-a-facebook-login-on-ecommerce-sites/">Facebook Connect</a>, which can follow and connect users’ activities across the Internet. </p> <p>The desire for anonymity hasn’t completely disappeared. But, as the social web has grown, people have become happier to use their ‘real’ identities online. Some social networks are even throwing their influential power behind ‘authentic’ identities to make their platforms more credible and secure.</p> <p>For instance, Twitter issues verified account status to key individuals and brands who are highly sought after. This helps users differentiate and validate if specific accounts are credible. </p> <p>Furthermore, the boundaries between social and commercial websites are blurring. Some users submit real-name <a href="https://econsultancy.com/blog/67117-analysing-amazon-s-palliative-approach-to-fake-reviews/">reviews on Amazon</a> and other ecommerce sites like Etsy, where authenticity can increase sales by generating confidence from customers. 
</p> <p><em>"<a href="https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog">On the internet, nobody knows you're a dog</a>"</em></p> <p><img src="https://assets.econsultancy.com/images/0007/3930/dog.jpg" alt="dog" width="500"></p> <h3>The rise of identity verification services</h3> <p>So, identifying people online – and confirming that information against their ‘real’ selves – is becoming increasingly important. </p> <p>Verification is required by a surprising number of digital businesses: from purchasing products and applying for services, to social networking platforms, where users’ authenticity is built into the experience.</p> <p>It’s consequently no surprise that the technology behind identity verification services is constantly evolving, while balancing two critical, and often competing, factors: security and user experience.</p> <p>Last year alone ecommerce fraud <a title="rose by 19%" href="http://www.infosecurity-magazine.com/news/uk-online-banking-fraud-soars-64/" target="_blank">rose by 19%</a> and online banking losses soared by 64%, compared to 2015. High-profile <a href="https://www.marketingweek.com/2015/10/30/the-talktalk-hack-shows-why-every-brand-must-take-customer-data-seriously/">data breaches at TalkTalk</a> and Sony have made consumers more aware of the security threats.</p> <p>Yet users are still incredibly fickle. They will go elsewhere if the verification stage of a purchase or online account setup is too lengthy or rigid regarding which proofs of identification are acceptable. </p> <p><em>TalkTalk website</em></p> <p><img src="https://assets.econsultancy.com/images/0007/3932/Screen_Shot_2016-04-14_at_10.36.35.png" alt="talktalk" width="615"></p> <h3>Trends in verification solutions</h3> <p>Exposing more personal information about ourselves and revealing our true identities online opens up great opportunities and risks. 
Organisations must navigate (and mitigate) these for their users.</p> <p>Consequently, a number of solutions have emerged to validate who we are online.</p> <p><strong>Two-Step Verification</strong></p> <p>Creating a username and password to access specific websites is the most familiar online identity system. But, we’ve known it’s a broken process for years. </p> <p>It’s too difficult to create and manage unique, elaborate passwords for each online account we have. And even the idea that a ‘strong password’ can protect us is now a fantasy, with hackers regularly breaking into computer systems and releasing username and password data.</p> <p>Worse than this, plenty of us <a title="daisy-chain accounts" href="http://www.wired.com/2012/11/ff-mat-honan-password-hacker/all/" target="_blank">daisy-chain accounts</a> to our main email address; creating a single point of failure for hackers to exploit, gaining entry to countless more with ease. </p> <p>The most common solution is two-factor authentication: requesting knowledge (such as an alphanumerical ‘secret’) and possession (adding a physical level) for a user to verify themselves. Cash machines were the original implementation of this idea, requiring possession of a physical card and remembering a secret PIN. </p> <p>The trick is establishing a second, physical authenticator that is secure, but doesn’t inconvenience the user.</p> <p>For example, many companies have avoided the delay and cost of issuing unique physical tokens (such as a key fob, or card reader); instead, asking users to add a mobile contact number and enter unique codes sent via SMS. </p> <p><img src="https://assets.econsultancy.com/images/0007/3931/Screen_Shot_2016-04-14_at_10.27.47.png" alt="two step verification" width="615"></p> <p><strong>Biometric Verification</strong></p> <p>Biometric technology can streamline the second step in two-factor authentication. 
Fingerprint data is the clear favourite, as a particularly elegant solution for unlocking smartphones.</p> <p>Promoted by Apple and Samsung, it requires investment from device manufacturers to install the sensors and secure partners willing to use the channel for purchase, like PayPal. </p> <p>Concerns about storing such sensitive data have been addressed, with both companies storing an encrypted mathematical model instead of the fingerprint images. But as a <a title="Mashable hack" href="http://mashable.com/2013/09/25/video-hack-apple-touch-id/#KhNkh0x3zZqo" target="_blank">Mashable hack</a> revealed, people leave copies of their fingerprints everywhere – and a lifted copy can be used to unlock devices. </p> <p><img src="https://assets.econsultancy.com/images/resized/0007/3706/econsultancy-touchid3-blog-flyer.jpg" alt="" width="470" height="265"></p> <p><em>To set up Apple’s TouchID, users repeatedly tap the phone’s sensor so it can map a single fingerprint that will unlock the phone. </em></p> <p>Some businesses are even exploring more outlandish models. Amazon recently filed a patent application for <a title="payment by selfie" href="http://www.independent.co.uk/news/business/news/amazon-files-patent-to-offer-payment-with-a-selfie-a6931861.html" target="_blank">payment by selfie</a>.</p> <p>To prevent fraudsters using a photo to pose as someone else, the proposed system would involve its own two-step process. One photo would be taken to confirm identity. Users would be asked to subtly adjust their position, then a second photo would ensure their proximity to the device.</p> <p>MasterCard has already trialled facial recognition technology, ensuring users are actually there with a blink instead. 
83% of those tested believed it felt secure.</p> <p>The company has even proposed <a title="heartbeat recognition" href="http://www.theverge.com/2016/2/23/11098540/mastercard-facial-recognition-heartbeat-security" target="_blank">heartbeat recognition</a> as an alternative, integrating sensors that can read people’s electrocardiogram, or the unique electrical signal their heart produces.</p> <p> <img src="https://assets.econsultancy.com/images/resized/0007/3695/econsultancy-mastercard-blog-flyer.jpg" alt="" width="470" height="267"></p> <p><em><a title="MasterCard's selfie pay system" href="http://newsroom.mastercard.com/latin-america/photos/mastercard-identity-check-selfie-pay-en-mobile-world-congress/" target="_blank">MasterCard’s selfie pay system</a> was available to test at Mobile World Congress, Barcelona. </em></p> <h3>National service verification</h3> <p>Demand for access to government services online is rising – but verification is particularly critical for national schemes.</p> <p><a title="CitizenSafe" href="https://www.citizensafe.co.uk/" target="_blank">CitizenSafe</a>, one of <a href="https://econsultancy.com/blog/65774-gov-uk-the-government-s-website-is-better-than-yours/">GOV.UK</a>’s certified identity verification providers commissioned a <a title="YouGov survey" href="http://digitalmarketingmagazine.co.uk/digital-marketing-news/govuk-verify-partner-citizensafe-launches-consumer-awareness-campaign-with-cyber-duck/3239" target="_blank">YouGov survey</a> that found 61% of full-time workers (and 64% students) believed online identity verification was the most convenient option for them. </p> <p>Hailed by the UN for providing the world’s best e-Government content, <a title="Estonia's service provision" href="http://www.theatlantic.com/international/archive/2014/01/lessons-from-the-worlds-most-tech-savvy-government/283341/" target="_blank">Estonia’s service provision</a> rests on centralised unique personal identification codes, given at birth. 
Microchipped ID cards with this code enable users to sign things online and use a range of digital services from online banking to voting.</p> <p>But, such comprehensive nationalised schemes have faced concerns from privacy and civil liberties groups.</p> <p>Instead, countries like the UK and US are adopting a verification approach that checks who the user is against physical sources, such as passports, utility bills or a driver's licence. These sources aren’t centrally stored, so no department or individual knows everything about you.</p> <p>Transitioning from public beta to live next month, <a title="GOV.UK Verify" href="https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify" target="_blank">GOV.UK Verify</a> is the UK’s solution to accessing national services easily (yet securely) online. GOV.UK certified a variety of identity verification companies, like CitizenSafe, to verify users’ identities on the Verify portal. </p> <p><img src="https://assets.econsultancy.com/images/resized/0007/3704/govukverify2-blog-flyer.jpg" alt="" width="470" height="255"></p> <p><em><a title="GOV.UK Verify" href="https://identityassurance.blog.gov.uk/2016/04/06/new-certified-companies-now-connected-to-gov-uk-verify/" target="_blank">GOV.UK Verify</a> empowers you to choose from a range of certified companies to verify your identity. </em></p> <p>Users complete the online verification process just once to create an account they can use to quickly and easily access a multitude of government services, such as tax returns, benefits and allowances. 
</p> <p>Furthermore, two-factor authentication is used when users login to their online account, needing to enter a user ID and password as well as a code sent to a stored phone number.</p> <h3>New data storage solutions</h3> <p>Whatever identification solution is used, a critical question remains around how personal data is stored to safeguard it against hackers.</p> <p>Even if hackers can’t access your credit card details, obtaining your home address, date of birth, contact details and other personal data could give them enough to access, change or use a multitude of your online accounts, posing a serious risk.</p> <p>One of the recent solutions to overcome this issue is blockchain technology. Initially developed as a ledger for bitcoin transactions, blockchain is an incredibly secure distributed database where no single organisation (or individual) holds all information.</p> <p>Blocks of data are added sequentially, embedded using a ‘hash’ of the block just before it. CoinDesk explains how this acts as a <a title="digital version of a wax seal" href="http://www.coindesk.com/information/how-bitcoin-mining-works/" target="_blank">'digital version of a wax seal’</a>, confirming data is legitimate and hardening the chain against tampering and revision.</p> <h3>Summary</h3> <p>Connecting our digital services and activities with our ‘real’ offline identities has significant implications for our safety.</p> <p>Leveraging the myriad of new technologies and systems available, businesses have some choice and must balance the security of user data with providing a seamless service, or users will look elsewhere. </p> <p>Whatever approach you choose, communication with customers throughout their experience is the key. 
For instance, users may be reluctant to give you their mobile number during an <a href="https://econsultancy.com/blog/64385-how-to-attract-registrations-without-creating-a-barrier-to-checkout/">online sign-up</a> if you don’t explain that it’s for a two-step identity verification process that will protect their identities.</p> <p>Carefully considered communication, on the other hand, is likely to make users tolerate a slightly more elaborate on-boarding process in the interest of keeping their data safe.</p> tag:www.econsultancy.com,2008:BlogPost/67549 2016-02-23T00:04:00+00:00 2016-02-23T00:04:00+00:00 What are VPNs & why are they so important in Asia? Jeff Rajeck <ul> <li>Indonesia <a href="http://www.bbc.com/news/world-asia-35594617">recently banned 477 websites</a>, including Tumblr.</li> <li>China blocks Google, Facebook, Twitter, and many other Western sites using the 'Great Firewall of China'.</li> <li>And because of licensing issues, TV and movies which are widely available in North America and Europe are inaccessible in Asian countries. </li> </ul> <p><img src="https://assets.econsultancy.com/images/resized/0007/2096/great-firewall-blog-flyer.png" alt="" width="470" height="243"></p> <p>But, as with many things in Asia, where there is a will, there is a way around it.  And in this case, <strong>it's the virtual private network (VPN).</strong></p> <h3>What is a VPN?</h3> <p>A VPN is a way for people to connect to the internet which makes it look like their computer is somewhere other than the place it is.</p> <p>It was traditionally a way for employees to access their corporate network from home. 
The employee would log their home computer into a VPN and it would appear to other computers on the company network that it, too, was in the building.</p> <p>But recently it's become more popular with tech-savvy media hunters hungry for TV and movies which are not yet available in their home country.</p> <p>People all over Asia subscribe to VPN services and now enjoy Netflix like the Americans, BBC like the British, and live sports globally, wherever they are shown.</p> <p>And as more sites are being blocked by various Asian countries, it seems that web surfing and social media will also be a popular reason to sign up for a VPN service.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/2097/vpn-blog-flyer.png" alt="" width="470" height="307"></p> <h3>Are VPNs difficult to use?</h3> <p>For the uninitiated, using a VPN simply involves installing software on your computer, configuring your browser, or downloading an app.</p> <p>And once the VPN is set up, it's just a matter of paying a small subscription fee to the service and you are then, virtually, in the country of your choice.</p> <p>There are free options as well, though these are typically far less reliable.</p> <h3>How popular are VPNs?</h3> <p>It is difficult to say. Both providers and users have a vested interest in not letting anyone know what they are doing!</p> <p>GlobalWebIndex, a digital consumer research company, <a href="https://www.statista.com/chart/3719/share-of-internet-users-who-use-vpns/">published survey results in 2014</a> and found that usage widely varied from country to country.</p> <p>Western countries had low adoption of VPNs, with the US being typical at around 3%.</p> <p>In Asia, however, nearly one in five Chinese (19%) used a VPN and in Indonesia it was nearly one in four. 
There are also other reports which show much higher usage rates.</p> <p><img src="https://assets.econsultancy.com/images/0007/2098/VPNusers.PNG" alt="" width="455" height="474"></p> <p>And any search on 'VPNs in &lt;country&gt;' will reveal a lively discussion between local netizens on which VPN service offers the best rate for the fastest download speed and, almost inevitably, how well Netflix works on it.</p> <h3>What does this mean for brands?</h3> <p>It's quite clear that for publishers and media producers this means that country-based licensing agreements are being systematically breached by people all over the world.  </p> <p>Publishers need to either work on blocking VPN access to their content or find a way to deliver licensed content globally.  </p> <p>Netflix recently worked out an agreement with over 100 countries.</p> <p><strong>It's less clear, however, what it means for brands.  </strong></p> <p>For brands who are advertising on this 'leaky' media, VPNs are a mixed blessing. </p> <p>If the brand is international and offers its products fairly universally across the globe, then this is not necessarily a bad thing.  </p> <p>Its product is now being associated with media that is so valuable to people that they are willing to go to great lengths to consume it.</p> <p>But for brands that target their products regionally, having their ads viewed via a VPN can, at best, send mixed messages to consumers and, at worst, possibly make them feel ripped off in their home countries.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/2099/mcdonalds-dollar-menu-blog-flyer.jpg" alt="" width="470" height="460"></p> <h3>So what can brands do?</h3> <p>Start by just being aware that many people in Asian countries, and elsewhere, consume Western media like Westerners.  
</p> <p>Then, when buying media, brands can ask questions about the number of consumers who are likely to be coming in through a VPN and their country of origin.</p> <p>If the brand is global or works with a global agency, then counterparts in the Asian countries may know what TV shows or Western sites are popular, yet unavailable, in the country.  </p> <p>There could be an opportunity for a brand to tell its story in a unique way to its 'forbidden' fans.</p> <p>For the most part, though, brands are just going to have to get used to this sort of random, global distribution of media.  </p> <p>Information, as they say, wants to be free and any attempt to keep your messaging contained to a particular geography will almost certainly not work.</p> tag:www.econsultancy.com,2008:BlogPost/67546 2016-02-18T13:19:00+00:00 2016-02-18T13:19:00+00:00 California hospital cyber hack shows importance of digital risk management Jeanmarie Tenuto <p>While ransomware is most commonly used to attack home computers and extort money in exchange for a key code, the persistent vulnerability of healthcare and growing boldness of cybercriminals is making for an increasingly high-risk environment for today’s healthcare organizations. 
</p> <h3>Webinar</h3> <p>We'll discuss this issue in more detail, but first allow me to draw your attention to our webinar on <a href="http://www.eventbrite.com/e/reputation-risk-reputation-management-social-media-in-healthcare-tickets-20934646090">Reputation &amp; Risk: Corporate Reputation &amp; Social Media in Healthcare</a> which takes place from midday-3pm EST today (Thursday 18 February).</p> <p>We will discuss these and other topics including Branding &amp; Social Media, Employment Law, Digital Media and Freedom of Speech, and Cyber Security.</p> <p>Go <a href="http://www.healthcaretechnicalsolutions.com/reputation/">here</a> for information or go <a href="http://www.eventbrite.com/e/reputation-risk-reputation-management-social-media-in-healthcare-tickets-20934646090">here</a> to register.</p> <h3>The impact</h3> <p>Staff at Hollywood Presbyterian Medical Center in Los Angeles have been left filling out forms by hand and completely unable to perform some procedures, including CT scans.</p> <p>Their patients have also been left to retrieve and deliver their own medical information to providers and many are being transported to other facilities for treatment.</p> <p>Patient data, emails, medical charts, imaging documents, and more are completely unavailable until the systems come back online, <a href="http://www.bbc.co.uk/news/technology-35584081">according to BBC News</a>. </p> <p>Right now, callers to the hospital are greeted by a voicemail message that informs patients their medical records have not been accessed by hackers. 
</p> <p>The hospital has also assured the community that patient care will not be impacted (despite complaints from patients.)</p> <p>Officials have not yet commented on the ransom, but CEO Allen Stefanek has declared a state of “internal emergency.”</p> <p>You can be assured that <a href="http://www.yelp.com/biz/hollywood-presbyterian-medical-center-los-angeles?sort_by=date_desc">this hospital's reviews</a> will soon reflect not only their vulnerability to a cyber attack, but also how it’s been handled by staff and administration. </p> <p><img src="https://assets.econsultancy.com/images/0007/2081/Hollywood_hospital_2.png" alt="" width="981" height="537"></p> <h3>The Lesson</h3> <p>We’re looking at two issues here:</p> <ul> <li>The risk Hollywood Presbyterian was operating under before the attack.</li> <li>How it is handling the situation now.</li> </ul> <p>Not much has been revealed about the details of the attack. We don’t know for sure how it started, the hospital’s history with cyberattacks, or if it had emergency plans in place.</p> <p>We don’t know whether they had a PR plan (it honestly seems like they didn’t) or whether they had their employees trained to manually look up and enter codes on patient charts and bills. </p> <p>What we do know, is what’s going on now. We know that the hospital has been down for over a week. We know that it has made no mention of the attack on its <a href="https://www.facebook.com/Hollywood-Presbyterian-Medical-Center-34204164029/">Facebook</a> or <a href="https://twitter.com/hollywoodpres">Twitter</a> accounts.</p> <p><img src="https://assets.econsultancy.com/images/0007/2082/Hollywood_Hospital.png" alt="" width="920" height="444"></p> <p>It appears that local news outlets seem to be the source of most information around the incident. 
</p> <p>We can’t tell what’s going on from the outside, but it very much appears as if this was yet another healthcare organization that ignored the reality of the healthcare environment we live and work in. </p> <p>Cyber security related issues are tremendous concerns for the healthcare sector.  </p> <p>Breaches in healthcare data are more than just IT concerns or PR damage control cases. They undermine patient trust and harm the provider’s goodwill, and consequently, their bottom line. </p> <p>When asked why hackers would target hospitals, the most common answer was ‘they are easy targets.’</p> <p>Hospitals in general, but community hospitals mostly, are grossly underinvested in security and the hackers can get access to health information, insurance and financial information, which has a high resale value.</p> <p>Even as healthcare organizations ramp up their technology to manage risks, there’s only so much that sophisticated tools and systems can do.</p> <p>People remain the biggest friend and the biggest foe to patient data security. 
In today’s digital media environment it's everyone’s duty to act responsibly and protect healthcare data.</p> <p>[<strong>Editor's Note 02/18/16: </strong>The Hollywood Presbyterian Medical Center <a href="http://www.nbcnews.com/tech/security/hollywood-presbyterian-medical-center-pays-hackers-17k-ransom-n520536">ended up paying around $17,000 as a ransom</a> to the hackers.]</p> tag:www.econsultancy.com,2008:BlogPost/67081 2015-10-22T16:01:43+01:00 2015-10-22T16:01:43+01:00 SSL certificates will soon be free for all websites Patricio Robles <p>While achieving a high level of security is an involved process that requires time and effort, one of the basics is about to get a lot less expensive.</p> <p>That's because this week, the Internet Security Research Group (ISRG), a non-profit organization with backing from companies like Mozilla, Cisco and Automattic, <a href="https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html">announced</a> that its automated and open certificate authority (CA) has received cross-signatures from IdenTrust.</p> <p>What does that mean in non-techie terms? SSL certificates issued by <a href="https://letsencrypt.org/">Let's Encrypt</a> will be trusted by all major browsers.</p> <p>That's noteworthy news because Let's Encrypt offers SSL certificates at no cost. 
So starting in November, businesses will have a way of securing their websites using SSL without spending any money on a certificate, which can cost upwards of hundreds of dollars a year in some cases.</p> <h3>HTTPS everywhere</h3> <p>According to the ISRG: "Vital personal and business information is flowing over the Internet more frequently than ever, and it’s time to encrypt all of it.</p> <p>"That’s why we created Let’s Encrypt, and we’re excited to be one big step closer to bringing secure connections to every corner of the Web."</p> <p>The ISRG is not the only organization pushing to drive greater adoption of SSL.</p> <p>Last year, Google called for "HTTPS everywhere" at its Google I/O conference and even announced that it <a href="https://econsultancy.com/blog/65304-google-confirms-https-as-a-new-ranking-signal-what-are-the-implications/">added HTTPS as a ranking signal</a>...</p> <blockquote> <p>...over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal.</p> <p>For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS.</p> <p>But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web. 
</p> </blockquote> <p>Google's encouragement almost certainly helped convince some to use HTTPS, but there are a number of reasons many websites still don't employ it.</p> <p>For instance, many small businesses with limited access to technical know-how are less likely to understand how to acquire and install an SSL certificate.</p> <p>But cost is also a barrier, and with a free option that works with all major browsers, it's possible that we'll see hosting companies and makers of server management software integrate with Let's Encrypt to make certificate acquisition and installation practically painless.</p> <h3>Free SSL certificates won't always be the best option</h3> <p>While Let's Encrypt could very well be a game-changer in driving adoption of HTTPS – a small but important first step in promoting <a href="https://econsultancy.com/blog/5302-ten-common-sense-data-security-tips">data security</a> – companies will want to keep in mind that its free certificates won't always be the best option for all websites.</p> <p>Let's Encrypt certificates provide domain validation but there is no verification of the organization behind a domain.</p> <p>The most expensive SSL certificates frequently provide Extended Validation (EV), which involves verifying the organization behind a website.</p> <p>When these certificates are used, web browsers highlight the organization's name in a green address bar. 
</p> <p><img src="https://assets.econsultancy.com/images/0006/8199/ssl.png" alt="" width="434" height="44"></p> <p>For companies operating certain kinds of websites, such as those that involve ecommerce and financial transactions, this level of validation and browser highlighting of trust is often desirable.</p> <p>But for many websites, Let’s Encrypt's free certificates should be a fine option and their availability will leave companies with little excuse for not securing their websites using HTTPS.</p> tag:www.econsultancy.com,2008:BlogPost/65962 2015-01-13T14:00:00+00:00 2015-01-13T14:00:00+00:00 A negative SEO case study: how to spot an attack & fix it David Moth <p>It can be seen as a reaction to Google’s success in clamping down on dodgy linkbuilding – it’s now more difficult for spammers to game the system in their own favour so they have to attack the competition instead.</p> <p>One of the contributors to the search trends article was Nick Fettiplace, SEO director at <a href="http://www.jellyfish.co.uk/">Jellyfish</a>, an agency that was subject to a <a href="https://econsultancy.com/blog/65932-what-is-negative-seo-and-how-can-you-protect-your-website/">negative SEO</a> attack last year.</p> <p>They’ve been kind enough to share the data relating to the attack, which was presumably undertaken by one of its competitors.</p> <p>I should point out here that Jellyfish doesn't know who was behind it and isn’t trying to point the finger of blame at anyone in particular.</p> <p><img src="https://assets.econsultancy.com/images/0005/8081/blame.jpg" alt="" width="450" height="233"></p> <p>So, how did it go down?</p> <h3>Evidence of a negative SEO attack</h3> <p>This graph shows how Jellyfish’s search rankings were trending in 2014 in relation to several comparative SEO agencies.</p> <p>The decline towards the end of the timeline occurred when Google implemented <a href="https://econsultancy.com/blog/65621-penguin-3-0-what-s-it-all-about/">the Penguin 3.0 update</a> 
which sought to penalise low quality backlinks.</p> <p><a href="https://assets.econsultancy.com/images/0005/8078/Jellyfish_rankings.png"><img src="https://assets.econsultancy.com/images/0005/8078/Jellyfish_rankings.png" alt="" width="1009" height="413"></a></p> <p>The agency’s senior SEO manager, Jonathan Verrall, said that he typically checks for changes in the site’s link profile every week, so they were able to quickly diagnose the problem.</p> <p>Closer analysis of the company’s backlink profile shows that there was a sudden spike of links in October and then again in November.</p> <p><img src="https://assets.econsultancy.com/images/0005/8079/Screen_Shot_2015-01-12_at_16.03.11.png" alt="" width="880" height="183"></p> <p>Data pulled from Cognitive SEO shows that from the beginning of August through to October there was hardly any suspect link activity, but in October there was a sudden spike with more than 1,700 new links that were seen as unnatural or suspect.</p> <p>Obviously this kind of action is going to ring alarm bells with Google and is likely to lead to a ranking penalty.</p> <p><a href="https://assets.econsultancy.com/images/0005/8076/cognitive_SEO.png"><img src="https://assets.econsultancy.com/images/0005/8076/cognitive_SEO.png" alt="" width="1070" height="314"></a></p> <h3>Where were the links hosted?</h3> <p>Analysis of the suspect links showed that they had been posted as comments on thousands of websites.</p> <p>This is a tactic known as ‘comment spamming’, whereby the guilty party uses spamming software to quickly post thousands of links in the comments section on blogging sites.</p> <p>Econsultancy is often the target of these kinds of comment spamming campaigns, though our spam filter usually keeps them at bay.</p> <p>That said, before we upgraded our filter last year these comments would often slip through and in my early days at Econsultancy I was naïve enough to wonder why high profile agencies would resort to such flagrant and obviously 
spammy tactics.</p> <h3>What was the target?</h3> <p>Cognitive SEO’s backlink tool showed that the attack was primarily aimed at Jellyfish’s SEO training page.</p> <p><a href="https://assets.econsultancy.com/images/0005/8080/Screen_Shot_2015-01-12_at_16.05.27.png"><img src="https://assets.econsultancy.com/images/0005/8080/Screen_Shot_2015-01-12_at_16.05.27.png" alt="" width="1011" height="269"></a></p> <p>All the links used exact match anchor text for ‘SEO training’ which, coupled with the fact that the landing page had been optimised to within an inch of its life (quite legitimately, and as one would expect from an SEO agency), meant that Google rightly thought something was afoot.</p> <p>Consequently the agency was penalised and began to lose visibility in search rankings.</p> <h3>Backlink removal</h3> <p>Verrall used several different site and web crawling tools to make sure he had identified all the dodgy backlinks, then set about the long-winded process of asking sites to remove them.</p> <p>He said that the amount of effort involved with getting links removed depends on the type of website. Webmasters at link farms, such as link directories, article directories and blog networks, tend to ask for removal payments. </p> <p>But thankfully Verrall says that these types of sites are generally a thing of the past. 
However...</p> <blockquote> <p>...if you are looking to get links changed or removed from established websites who treasure their readership, they tend to be very accommodating and will change backlinks quite happily.</p> </blockquote> <p>We get link removal requests fairly regularly at Econsultancy and in general we ignore them as it’s often clear that the person making the request is the guilty party (I'm not suggesting that's the case with Jellyfish).</p> <p>Our old content director Chris Lake wrote an interesting article discussing <a href="https://econsultancy.com/blog/62564-three-reasons-why-publishers-hate-living-in-a-post-penguin-post-panda-world">the various link removal requests we receive</a> and explaining why they’re such a pain in the behind.</p> <p>It took Jellyfish three days to get through the first round of emails to webmasters, which were followed up with a second round of emails to those that didn’t respond.</p> <p>If any sites still failed to respond to the request or refused to remove the link then Jellyfish was forced to upload them to the Google Disavow tool.</p> <p>However, disavowing links can bring its own problems, as Google likes to see that you’ve made a conscious effort to remove the offending links.</p> <p>According to Verrall:</p> <blockquote> <p>It’s also good to keep a log of the removal progress within your disavow file by using the comment functionality.</p> <p>We typically keep track of the removal process in a cloud based spreadsheet which we reference within the disavow file just in case a member of the Web spam team manually reviews our efforts.</p> </blockquote> <h3>The road to recovery</h3> <p>All the dodgy links have now been removed or disavowed, but the recovery process isn’t a quick fix.</p> <p>Though the attack was swiftly identified and fixed, Verrall said he will need to wait until the next Penguin update to see if the site has fully recovered.</p> tag:www.econsultancy.com,2008:BlogPost/65876 
2014-12-09T13:35:00+00:00 2014-12-09T13:35:00+00:00 How the sharing economy will develop in 2015 David Moth <p>And I previously wrote a post looking at <a href="https://econsultancy.com/blog/65870-five-startups-disrupting-the-life-sciences-industry">five interesting startups that are impacting life sciences</a>.</p> <p>At Le Web today Jeremiah Owyang hosted a panel that discussed the extent to which the sharing economy is revolutionising established industries.</p> <p>Sharing startups have raised more than $8bn in funding, with most of it going to transportation companies.</p> <p><em><strong>Jeremiah Owyang's <a href="http://www.web-strategist.com/blog/">Collaborative Honeycomb</a> (click to enlarge)</strong></em></p> <p><a href="https://assets.econsultancy.com/images/0005/7301/jeremiah_s_diagram.jpg"><img src="https://assets.econsultancy.com/images/resized/0005/7301/jeremiah_s_diagram-blog-flyer.jpg" alt="" width="470" height="654"></a></p> <p>One of the beneficiaries of this investment is Lyft, which was represented on the panel by David Estrada.</p> <p>He was joined by Olivier Grémillon, the managing director of Airbnb in Europe and Africa, and Frédéric Mazzella, the founder and CEO of BlaBlaCar.</p> <p>Owyang began by giving his five predictions for the sharing economy in 2015:</p> <ol> <li>There will be new sharing startups in every business sector. Funding and execution will dictate the winners.</li> <li>Mature platforms will launch APIs resulting in more growth and analytics.</li> <li>There will be a global debate about user safety, privacy and sharing of data.</li> <li>Crowd demands startups share value with people, leading to more open source movements.</li> <li>Governments and corporations realise they have to get involved, so sharing goes mainstream.</li> </ol> <p>And here are some of the highlights from the panel session. 
For more on this topic read our posts on <a href="https://econsultancy.com/blog/65149-nine-user-experience-lessons-travel-sites-can-learn-from-airbnb">nine user experience lessons travel sites can learn from Airbnb</a> and <a href="https://econsultancy.com/blog/63186-the-sharing-economy-40-peer-to-peer-start-ups">40+ peer-to-peer startups in the sharing economy</a>.</p> <h3>What has caused the massive growth in the sharing economy?</h3> <p><strong>Frédéric Mazzella</strong></p> <p>The internet and smartphones have allowed us to share resources that are expensive to use, such as cars.</p> <p>The Ford Model T was created in 1908, a company like ours would probably have launched in 1909 if the technology was around.</p> <p><strong>Olivier Grémillon</strong></p> <p>The recession definitely played a role in the growth we’ve seen. It was a catalyst for new services to emerge.</p> <p>But the tech aspect is also true. Through a cellphone or laptop it’s very easy to book a house or villa wherever you want in the world. And it’s the same with other services.</p> <p>In our case it’s as easy to book an apartment in the street next door as it is on the other side of the world because all transactions are done in your own currency.</p> <p>It’s also the case that people want more sustainability, to build more connections with other people, and to generate revenue from the assets they already have.</p> <p><a href="https://assets.econsultancy.com/images/0005/7306/Screen_Shot_2014-12-09_at_12.34.10.png"><img src="https://assets.econsultancy.com/images/resized/0005/7306/screen_shot_2014-12-09_at_12.34.10-blog-flyer.png" alt="" width="470" height="260"></a></p> <h3>How do you balance a global strategy with catering to localised markets and cultures?</h3> <p><strong>Frédéric Mazzella</strong></p> <p>It’s a case of having two complementary strategies. 
You need a global strategy so your product is generic enough to be scalable, but you have to keep a part that is adaptable to local cultures and economies.</p> <p>We want to build a brand that can expand anywhere but there are certain blocks that can be tailored to local markets.</p> <p><strong>David Estrada</strong></p> <p>Our service is hyperlocal as different situations present themselves in each city.</p> <p>San Francisco is perfect for us as it’s only seven-square miles and densely populated. There are very few garages or parking spots, and people tend to be quite social and are often looking for extra work.</p> <p>In comparison a city like Houston is a very different market. Car ownership there is high, gas is cheap, and there are more parking spaces than they know what to do with.</p> <p>So it’s not as easy for us to establish a presence in that type of city.</p> <p>If we want to launch in Paris, for example, we need to do a lot of work to understand the market, make sure we have enough drivers to satisfy demand and take account of regulations.</p> <h3>Privacy and safety are key concerns with the sharing economy. How can we make sure the public are happy with how these startups operate?</h3> <p><strong>Olivier Grémillon</strong></p> <p>The amazing thing is how few problems actually occur. At Airbnb when we look at the number of cases where something happens (e.g. breakage or property damage) it’s really small.</p> <p>In fact we recently increased our claims liability to $1m, as it doesn’t cost much to offer this service because not much actually happens. </p> <p><a href="https://assets.econsultancy.com/images/0005/7307/Screen_Shot_2014-12-09_at_12.34.20.png"><img src="https://assets.econsultancy.com/images/resized/0005/7307/screen_shot_2014-12-09_at_12.34.20-blog-flyer.png" alt="" width="470" height="218"></a></p> <h3>What about the information that you have on people? 
How do you enable privacy?</h3> <p><strong>Frédéric Mazzella</strong></p> <p>Maybe you just don’t use the data at all. It’s used for analytics, but nothing else.</p> <p>I think the culture of the company is very important. Our pool of people roughly doubles every year, so if you want to keep the right culture you need to write it down.</p> <p>When we had 60 staff [BlaBlaCar now has around 200] we all gathered in a room and asked what values we have, what makes it so special to work here, and how do we make sure new people have the same spirit and culture.</p> <p>We came out with 10 values that we use to define ourselves.</p> <p><strong>David Estrada</strong></p> <p>Trust and safety have to be at the heart of your service. We’re offering platforms for people to come together.</p> <p>This is a very competitive marketplace with a low barrier to entry. You have to provide people with safety and privacy or they’ll go elsewhere.</p> <p>At Lyft we know the origin and destination of all rides, so we have to put tight controls on who can access that information and limit access to people who really need to see that data.</p> <h3>Do you have a message for government leaders on regulating the sharing economy?</h3> <p><strong>Frédéric Mazzella</strong></p> <p>From our perspective the first thing to remark is that people are sharing cars, they’re not making profit. </p> <p>Our users simply share the costs, so it’s just like they’re sharing the cost with friends and family members. 
They’re not offering a professional service.</p> <p><a href="https://assets.econsultancy.com/images/0005/7308/Screen_Shot_2014-12-09_at_12.34.34.png"><img src="https://assets.econsultancy.com/images/resized/0005/7308/screen_shot_2014-12-09_at_12.34.34-blog-flyer.png" alt="" width="470" height="292"></a></p> <p>The sharing economy is a new way of interacting with each other, for the next generation it will just be normal.</p> <p><strong>Olivier Grémillon</strong></p> <p>We’re so new there are no laws to regulate what we’re doing.</p> <p>It’s normal that there’s a reaction to a new phenomenon, but I think we’re past the point where governments think they have to try to regulate us.</p> <p>As long as you explain what you do, how it will remove some costs for the users, how more people can visit some wonderful cities, then it will be fine.</p> <p>In some cases it does need to be regulated as you need things to be fair and clear, and it’s normal that this creates some debate, but it’s a healthy debate.</p> <p><strong>David Estrada</strong></p> <p>Governments don’t have a framework for what we do. </p> <p>They have regulations for taxis that are aimed at trying to create a safe environment and they want to do the same for us.</p> <p>We need to change the mindset and show them that we can create the same level of trust and safety with no level of regulation from the government whatsoever.</p> <p>We already take on background checks and all of the costs. 
</p> <p>Let us take on the burden and let individuals deal with one another directly without the government always being the intermediary.</p> tag:www.econsultancy.com,2008:BlogPost/65367 2014-08-27T16:24:00+01:00 2014-08-27T16:24:00+01:00 Three’s a crowd: how first-party data builds customer relationships Rachel Serpa <h2>Multiple devices</h2> <p>In a time when consumers would sit down at their desks in front of their computers and dial-in to the internet, third-party cookies functioned to give marketers a fairly thorough picture of consumers’ web browsing habits.</p> <p>But consumers today don’t 'log online,' they live online. According to Mary Meeker’s 2014 Internet Trends report, on average, people in the US spend over seven hours each day looking at screens - that includes 103 minutes in front of computers, 151 minutes using smartphones and 43 minutes with tablets (Quartz).</p> <p>As if Google searches and browsing behaviors weren’t limiting enough, cookies only function across individual devices. Businesses still depending on third parties for customer insights are left with an increasingly fragmented view of their customers, making it impossible to build cohesive, end-to-end customer journeys. </p> <p><strong>Go from third</strong><strong> to first</strong><strong>:</strong> Stop relying on cookies and start capturing consumer identity via <a href="https://econsultancy.com/blog/11051-21-ways-online-retailers-can-improve-customer-retention-rates">site registration</a>.</p> <p>Giving visitors the option to login to your site or app gives your brand first-party, permission-based access to customer data, enabling you to <a href="https://econsultancy.com/blog/65027-repaving-the-customer-journey-preparing-for-the-future-of-multichannel">tie all on-site, cross-channel activities to a single user identity</a> and create cohesive customer journeys across devices. 
Establishing consumer identity also solves the growing issue of shared devices.</p> <h2>Data privacy</h2> <p>Yes, third-party cookies track consumer search and browsing behaviors across the web. But that’s not even the worst part. Many consumers don’t even know that they are being watched or that their data is being bought and sold.</p> <p>And those that do know have made it clear they don’t approve: 65% of consumers delete their cookies, and 39% have changed their browser settings to block them altogether (MediaPost).</p> <p>As more consumers catch-on about cookies, third parties are taking even more invasive approaches to get their hands on user data. Canvas Fingerprinting, which essentially attaches hidden number identifiers to user devices and is extremely difficult to disable, is just one example of emerging 3rd party practices.</p> <p><img style="float: right;" src="https://assets.econsultancy.com/images/resized/0005/2002/privacy_seal-blog-half.png" alt="" width="300" height="196"></p> <p><strong>Go from third</strong><strong> to first:</strong> Earn your customers’ trust by openly informing them of the data points you are looking to collect, as well as how this information will be used and that you will never sell it to third parties.</p> <p>Don’t ask for all desired data points the moment a consumer visits your site; adopt a progressive profiling approach that enables you to gather a greater depth and variety of information over time. Not only does this improve consumer relationships, but it also increases the accuracy of the data you collect.</p> <h2>Relevant experiences</h2> <p>Think about it: if someone were to try to characterize you based on your browsing history, what would you look like? Does searching for “Louis Vuitton” make you rich? Probably not. Does clicking on an ad featuring a cute baby make you a mother? Or even a woman, for that matter? Not necessarily.</p> <p>The truth is that most third party profiles have consumers all wrong. 
Particularly with the rise of mobile and shared devices, arbitrary ad clicks and search queries are hardly a reliable means of consumer identification. </p> <p>This then begs the question, how can you have a relationship with a customer if you don’t even know who she is? With a recent Responsys study revealing that 34% of consumers say they have “broken up” with a brand due to receiving poor, disruptive or irrelevant marketing messages, the answer is, you simply can’t.</p> <p><strong>Go from third</strong><strong> to first</strong><strong>:</strong> <a href="https://econsultancy.com/blog/64684-will-you-survive-the-logged-in-user-revolution#i.1lw8hl381fcneu">Prompting users to sign-in to your site or app</a> using an existing social media account makes consumer identity verification seamless, especially via mobile device, while giving your brand permission-based access to social data points including favorite brands, activities, relationship status and more.</p> <p><img style="vertical-align: middle;" src="https://assets.econsultancy.com/images/resized/0005/2003/journeys-blog-full.png" alt="" width="615" height="403"></p> <p>However, even identity-related data is difficult to manage without a single view of consumers across channels. Put a robust master database in place that can consolidate insights across your marketing channels to give you a complete, real-time picture of your customer base.</p> <p>Third party data and collection techniques are deeply embedded in many businesses today. Extracting these practices from your marketing efforts will take diligence, but it’s a necessary transformation for brands looking to establish 1:1 relationships with their customers. Three’s a crowd.</p> tag:www.econsultancy.com,2008:BlogPost/65304 2014-08-11T10:11:33+01:00 2014-08-11T10:11:33+01:00 Google confirms HTTPS as a new ranking signal: What are the implications? 
David Towers <p>The S in HTTPS stands for Secure, so this change essentially means that any websites using secure and encrypted connections across their domains will benefit from this ranking update.</p> <p>This formal announcement follows comments from Matt Cutts (Head of Web Spam at Google) at SMX West in March, where he said that he would like Google to make HTTPS a signal within the search rankings.</p> <p>Read on for more information about the implications of this change, and for further insight into other ranking factors download <a href="https://econsultancy.com/reports/seo-best-practice-guide">Econsultancy's Search Engine Optimization (SEO) Best Practice Guide</a>.</p> <h2><strong>Why has Google made this change?</strong></h2> <p>Google doesn’t control the web, but increasingly we are seeing Google use its influence to put pressure on websites to conform to what it considers best practice. Google coerces website owners by penalising websites which don’t use the standards it considers as best practice and Google has done this before with <a href="https://econsultancy.com/blog/63006-page-load-speed-14-valuable-tips-for-ecommerce-managers">site speed</a> and mobile design.</p> <p>In 2010, Google announced that site speed was a ranking signal and in 2013, Google confirmed that sites which are not mobile friendly would not rank well.</p> <p>As a result of Google penalising websites which were slow and not mobile-optimised, sites were forced to address these issues in order to avoid losing visibility within the search results.</p> <p>Since 2010, Google has been experimenting with encrypting search results and over the last 12 months it has made strides towards encrypting all its services. 
In September 2013, Google confirmed the rollout of encrypted search to all users and in April 2014 it expanded secure search to all clicks made on paid ads.</p> <p>Other search engine providers including Bing and Yahoo have also embraced the move to encrypting search results and consequently the vast majority of search queries made today are now encrypted.</p> <h2><strong>What are the implications?</strong></h2> <p>As a result of this change, <strong>we anticipate that secure and encrypted connections will become the norm for all websites</strong> in the future rather than being limited to, as it is currently, primarily ecommerce websites.</p> <p>Google has clarified that right now HTTPS is a very lightweight signal which will affect less than 1% of search queries globally, but this may change over time.</p> <p>Ultimately this is good news for users on the web as sites using HTTPS encrypt the data between the browser and the site, thereby protecting the security and privacy of what a user chooses to do on that site.</p> <h2>What could this look like in the future?</h2> <p>Since July 2014, Google has alerted mobile users when a site is likely not to be compatible with their device. 
Sites using incompatible technologies like Flash have lost significant click share as a result of this change.</p> <p>In the future, though likely not for many months, it’s possible that Google could alert users when the site does not use HTTPS.</p> <p><strong>Now: Google alerts users about Flash on mobile devices:</strong></p> <p> <img src="https://assets.econsultancy.com/images/0005/1357/google-example-flash-warning.jpg" alt="Google warning users website not mobile friendly" width="300" height="197"></p> <p><strong>Future: Google could alert users that a site may not be secure:</strong></p> <p><img src="https://assets.econsultancy.com/images/0005/1358/Google_alert_site_not_secure.jpg" alt="Google warning users website not secure with HTTPS" width="300" height="197"></p> <h2>What does this mean for businesses now?</h2> <p>All businesses with a website should consider using HTTPS for all the content on their websites as this will likely become the global standard and in addition, there will be a small marginal benefit within the Google search results from doing this in the short term.</p> <p>For businesses with websites already using HTTPS, they need to check whether this is being used across the whole domain or just on specific pages where sensitive data is transmitted. 
Google has been clear in this announcement that it wants websites to use HTTPS across all the content on the website, not just checkout or login pages.</p> <h2>How should HTTPS be set up?</h2> <p>The main items that will need to be addressed are the following:</p> <ul> <li>Appropriate choice of single-domain, multi-domain, or wildcard certificate.</li> <li>Use of a 2048-bit key certificate.</li> <li>Use of a web server that supports HTTP Strict Transport Security.</li> <li>Use of relative URLs for resources that reside on the same secure domain.</li> </ul> <h2>What do you think?</h2> <p>Do you agree that this move from Google will mean that secure and encrypted connections will become the norm for all websites in the future?</p> tag:www.econsultancy.com,2008:BlogPost/64498 2014-03-12T12:28:31+00:00 2014-03-12T12:28:31+00:00 How are finance brands helping customers to bank safely? Niklas Olsson <p>When it comes to keeping their customers’ money and personal data secure yet also easily accessible, banks have a number of key external stakeholders to consider who all, in different ways, put the pressure on.</p> <p>In order to keep up, banks constantly need to evolve their planning, tactics and deployment strategies, as well as establish structures that allow for responsive solutions.  
</p> <p><img style="vertical-align: middle;" src="http://www.maparesearch.com/images/uploads/MapaResearch-Security-Overview-March14.jpg" alt="Mapa slide of the bank and its relationship with the external stakeholders" width="615" height="461"></p> <p>The last 12 months have seen a major shift for many banks as <strong>the number of <a href="https://econsultancy.com/blog/63958-how-banks-can-improve-finance-management-tools-and-apps">mobile banking</a> logins now exceeds internet logins.</strong></p> <p>Furthermore, banks highlight that the overall internet banking usage is decreasing, yet due to frequent mobile banking activity the total number of digital banking interactions is on the rise.</p> <p>Considering this, it is no surprise to see that banks primarily invest in improving their mobile banking login experiences. Here are a few of the themes which we think are emerging as key trends. </p> <h2>Login options to suit customer preferences</h2> <p>We see that banks are continuing to add new login solutions which are designed to keep the fraudster out as well as meeting customer expectations for easier access to their accounts.  </p> <p>As part of this,<strong> the dominant approach seems to be optional levels of security</strong>. 
One bank recently updating its offering is first direct (UK).</p> <p>In the past customers have logged in using username, answering a memorable question and providing partial digits of an electronic password.</p> <p>Late last year, first direct announced to customers (see email below) that it is introducing a security token (as HSBC did back in 2011) to keep customers safe against fraud threats.</p> <p>Note that customers can choose between different options: </p> <ol> <li>Stick to the current solution meaning limited access.</li> <li>A regular Secure Key security token.</li> <li>A digital Secure Key accessed through the mobile banking app.</li> </ol> <p><img style="vertical-align: middle;" src="http://www.maparesearch.com/images/uploads/MapaResearch-FirstDirect-SecurityChoices-Mar14.png" alt="Email from First Direct informing customers of its security choices" width="562" height="1127"></p> <p>This is just one of many examples where customers are being given the opportunity to choose and banks can keep existing solutions as well as using new ones.  </p> <p>Continuing with this theme, I want to highlight another example [my]bank of TSB Bank (NZ) which, with a customer base of a mere 160,000, has pushed the limits of personalisation in a number of areas, one of which being security.</p> <p>The bank was launched in 2010 to attract Generation Y users. Customers can personalise the level of functionality available in the app based on their defined security preferences.</p> <p>After login, users can customise a number of security settings, such as password and PIN, device recognition and if they would like to use two factor authentication or not.</p> <p>Furthermore, customers use a slider bar to indicate their ease of access. 
The highest option allows users to launch the app in a ‘view only’ mode with a PIN required in order to make transactions.</p> <p>There are still questions as to what extent customers utilise or even appreciate these features but it does show flexibility and choice appearing on the bank’s agenda. </p> <p><img style="vertical-align: middle;" src="http://www.maparesearch.com/images/uploads/MapaResearch-Secuirty-PasswordStrength-Mar14.png" alt="[my]bank customisable security settings on their mobile app" width="400" height="588"></p> <h2>Mobile banking: providing easier access to basic features</h2> <p>Looking back 24 months, the majority of mobile banking apps required customers to login using the same credentials as for internet banking – resulting in lengthy processes and a disjointed user experience.</p> <p>Since then <strong>we have seen a clear trend towards banks introducing PIN code login solutions</strong> (often by linking the app to a specific device).  </p> <p>This has certainly sped up processes and we believe it is one of the key reasons why mobile banking usage has accelerated at such a pace. Highlighted below are three banks providing this solution, SNS Bank (NL), Discover (USA)  and NAB (AUS).</p> <p>Do note that with both Discover and NAB customers still have the options to use regular internet banking login details. 
</p> <p><img style="vertical-align: middle;" src="http://www.maparesearch.com/brochures/MapaResearch-Security-IntroOfPasscode-Mar14.jpg" alt="Mapa Security Report slide showing the introduction of a passcode login" width="615" height="461"></p> <h2>Lower payment limits and card related features</h2> <p>In terms of post-login experience,<strong> it is commonplace to require customers to go through a second level of authentication</strong> when carrying out certain tasks such as paying a new recipient or changing contact details.</p> <p>However, yet again we see that development is being driven by the promise of easy on-the-go mobile banking solutions. For example, in the Netherlands and Belgium we have noticed a number of banks allowing customers to set preferred daily or weekly payment limits as part of the app registration.</p> <p>By doing this, users can log in using a PIN and then carry out transactions without the need for further authentication or card reader. This is one user-centric example which will certainly add value through convenience.</p> <p>The general trend to allow customers to view their credit cards within mobile banking is on the rise. Furthermore, banks have understood that enabling users to block a card (debit or credit card) can be a win-win for both parties.</p> <p>This is effectively both a cost-saver to the bank and an added feature to customers as they can block the card in just a few taps. Below are four different banks providing solutions to suit all.</p> <h2>Educating customers: how to create content that customers will act upon</h2> <p>Transactions can today be carried out faster than ever, so hackers can quickly take advantage of compromised information or access to services. 
We see that more and more banks communicate with customers via text message or push notifications to confirm sensitive tasks and keep customers up-to-date on the latest developments.</p> <p>The latter certainly brings customers closer to their finances and enables them to quickly take action. </p> <p>In terms of educating customers, one approach is to provide security information via multiple channels, but how many customers actually read and take action from online safety procedures?</p> <p>USAA recently introduced its ’My Security Advisor’ tool where users have to answer a few questions about their online habits and then using information based on the USAA tools the customer is signed up for, an actionable plan will be created in order to keep them protected.</p> <p>Suggestions include:</p> <ul> <li>Switching to paperless statements.</li> <li>Setting up security and fraud alerts. </li> <li>Activating security software.</li> </ul> <p>From My Security Advisor, users get an indication of their current level of risk and results are saved so customers can revisit the tool at any time.</p> <p>We like this type of activity based approach and it can be an effective use of a forum to inform customers of new measures on an ongoing basis.</p> <p><img style="vertical-align: middle;" src="http://www.maparesearch.com/images/uploads/MapaResearch-Security-MySecurityAdvisor-Mar14.jpg" alt="Mapa Research slide on USAA communicating and educating customers around security" width="615" height="461"></p> <h2>The future: Biometric solutions?</h2> <p>One of the trends pinpointed in Ericsson’s recently released '10 hot consumer trends 2014' report is 'your body is the new password'.  A survey tied to this report showed that <strong>52% of smartphone users want to use their fingerprint instead of passwords</strong>.</p> <p>Furthermore 74% believe that biometric smartphones will hit the mainstream market in 2014.  </p> <p>Are we there yet in banking? Not quite. 
</p> <p>However, looking at recent developments, biometric solutions (primarily voice biometrics) are gaining ground and most importantly consumers are being exposed to them more and more, alluding to future success. </p> <p> Here are a couple of examples to illustrate what is happening in this arena: </p> <ul> <li> <strong>Barclays (UK) Wealth and Investment Management</strong> is using <a href="http://www.finextra.com/News/FullStory.aspx?newsitemid=24800" target="_blank">voice biometric technology to verify the identity of customers</a> as they converse with call centre agents over the telephone.</li> <ul> <li>Since its introduction, <strong>84% of Barclays' customers have enrolled in the system</strong>, with 95% of those customers successfully verified in successive calls. </li> <li>Customer feedback has improved since the technology was introduced five months ago, with 93% of customers rating the bank at 9 out of 10 for speed, ease of use and security.</li> </ul> <li> <strong>USAA</strong> have already implemented voice recognition within mobile banking (see below).</li> <li> <strong>Bridge Community Bank (USA)</strong> has <a href="http://www.finextra.com/News/FullStory.aspx?newsitemid=24470" target="_blank">introduced in-branch biometric security</a> </li> <ul> <li>Customers submit fingerprint and facial biometric data as well as their name, address, date and country of birth and gender. Tascet uses this data to generate a 16-digit 'financial security number' which is linked to the customer account. </li> <li>To identify themselves in a branch and carry out transactions, customers then provide their name and fingerprint.</li> </ul> </ul> <p><img style="vertical-align: middle;" src="http://www.maparesearch.com/images/uploads/MapaResearch-Security-VoiceBiometrics-Mar14.jpg" alt="Mapa slide with screenshots of USAA's voice biometrics" width="615" height="461"></p> <p>Looking outside banking, Apple has introduced a fingerprint sensor for iPhone 5.  
Furthermore, Apple CEO Tim Cook recently admitted that mobile payments was a business that 'intrigued' the company and that it influenced Apple's thinking when developing the TouchID fingerprint scanner.</p> <p>This will be an interesting space to watch for future developments. </p> <p>One of the key concerns with biometric solutions is how to safely collect and store biometric data in line with the rules already in place in different jurisdictions.</p> <p>Another would be the risky strategy of relying on only one technology to provide secure login, which could make it easy to exploit. </p> <h3>Concluding points:</h3> <ul> <li> <strong>Consumers take security as a 'given' when managing their day-to-day finances,</strong> whether on a mobile on-the-go or on a desktop or tablet at home. This is an ongoing challenge for banks and the initiatives outlined above show that the security space is constantly evolving.</li> <li> <strong>We predict more collaboration between banks and related financial institutions</strong> in order to stay abreast of developments and in turn counteract the continually agile hackers who communicate through online channels to exploit weaknesses in banks’ infrastructures and systems. </li> <li> <strong>The number of login options is increasing, providing customers with more freedom of choice</strong>, yet over time we believe the digital channels will merge and as a result, the number of solutions will decrease.</li> </ul> tag:www.econsultancy.com,2008:BlogPost/64460 2014-03-07T11:36:00+00:00 2014-03-07T11:36:00+00:00 The home of the future, today. How smart is that? David Skerrett <h2>Lounge </h2> <p>First up you get to your front door and enter the lounge. The <a title="August" href="http://www.august.com" target="_blank">August</a> Smart lock detects you and your wife via proximity to your smartphone, unlocking the doors, turning off the alarm and you both get a personalized verbal welcome through the connected sound system and smart TV. 
</p> <p>The lights come up automatically according to the time of day and your personal settings. Plus you can still use keys and operate the lock manually, so don’t worry if you run out of charge on your smartphone.</p> <p><iframe src="https://www.youtube.com/embed/EFlPncm4fnY?list=PL_Ir13HbgE0uNTWUxWMl_lirjArBLchA_&amp;wmode=transparent" width="560" height="315"></iframe></p> <p>With the smart lock you will have no more awkward conversations with exes or friends you fall out with. You can give and revoke access via their smartphones to open your house with a virtual key.</p> <p>Or you can just give them access on weekends or for one day when they are in town and you are at work.</p> <p>Equally you can assign access to your cleaners, but just on the days and times they should be in your home. The house owner gets an alert when someone opens your door. Goji, a competitor to August, even emails you a photo of everyone who comes to your door.</p> <p>This functionality is powered by AllJoyn: an open source project which is being expanded by the AllSeen Alliance (which comprises the likes of Qualcomm, LG and Panasonic). 
</p> <p>AllJoyn apps and products can communicate over Wi-Fi, power line or Ethernet, regardless of manufacturer or OS and without the need for Internet access.</p> <p><img src="https://assets.econsultancy.com/images/resized/0004/5366/alljoyn-banner-blog-full.jpg" alt="" width="615" height="240"></p> <p>Now you are home, it’s time for the battle of the air conditioning, with husband and wife arguing through their mobiles over setting the right temperature (I’m always hearing how women feel the cold more than men!).</p> <p>When the AC is set to cool the house down the <a title="LIFX" href="http://lifx.co/" target="_blank">LIFX</a> LED lights can be set to be blue, or red when set to heat the house up, so you can tell which way the temperature is going to be heading without looking at a screen.</p> <p><iframe src="https://www.youtube.com/embed/oQkdQlXOBGU?list=PL_Ir13HbgE0uNTWUxWMl_lirjArBLchA_&amp;wmode=transparent" width="560" height="315"></iframe></p> <p>Now the temperature is sorted, how about a glass of wine? The connected wine fridge can send push notification alerts if the door is not shut properly after you.</p> <p>Rather than the '<a href="https://econsultancy.com/blog/64211-the-internet-of-things-five-new-products-changing-the-market-now">Internet of Things</a>', we hear the phrase the 'Internet of Everything' used during our demo. </p> <h2>Bobby's Bedroom</h2> <p>And that seems pertinent as we see the connected Teddy bear. In Bobby's bedroom we see how, using a mobile app, all devices' clocks can be set in just a few seconds after a power outage.  </p> <p>It’s time for Bobby to wake up and his alarm goes off. 
The LED lights come on gently at first and then rise in intensity, there is a verbal alert, and the connected Teddy bear, called Teddy The Guardian, talks, encouraging Bobby to get up (hopefully not freaking him out as it did to most of the adults on the demo tour).</p> <p><img src="https://assets.econsultancy.com/images/0004/5367/Tedi.jpg" alt="" width="516" height="340"></p> <p>Later when it’s past Bobby’s bedtime he watches YouTube on a tablet he’s hidden from his parents. When he accesses it two things happen. </p> <p>Stream boost software kicks in with the WiFi so that everyone in the house streaming/downloading media has a good experience. </p> <p>It also triggers an alert to Bobby’s parents that Bobby is on YouTube late at night, which appears on the Smart TV they are watching along with their smartphones and Toq smart watch. So the parents can switch off the Wi-Fi just to that room.</p> <p>The Toq smart watch from Qualcomm is well worth a mention, as it’s pretty slick. The screen uses technology called Mirasol so the visibility under well-lit conditions is great, the battery life is impressive, and the watch has wireless charging.</p> <p><img src="https://assets.econsultancy.com/images/0004/5368/toq-watch-front.jpg" alt="" width="350" height="350">  </p> <h2>Media Room</h2> <p>Last up is the Media room. Of course you can stream music from your smartphone via wifi to your sound wall, wireless speakers and TV. You can also control all of this via smartwatch and choose which speakers you use, along with volume, etc.</p> <p>Finally the <a title="Birdi" href="http://getbirdi.com/" target="_blank">Birdi</a> smoke alarm is demo’d. An incident tells the smart lock to open, the LED lights turn red, and an audio message tells you that smoke is detected, followed by an alarm. Time to leave.</p> <p>But what a thought-provoking tour, with some great use cases. </p> <p><strong>The exciting thing is that this is just the tip of the iceberg. 
Soon interior decorators and home builders will need to become technologists.</strong></p>