Close the door, Richard!
I travel a lot. Not so much by plane these days as by car, SUV and even RV. And this is by choice — I simply have lost patience with the process involved in catching a plane.
Four to five hours of my time spent so that airport and homeland security can be satisfied. And me, a businessman consistently proving to be of little interest to all those charged with ensuring that we all arrive safely at our final destination.
These processes have driven away any pleasure there once was in travel. So now, if I can drive there in less than three days, I will drive and build a business agenda that ensures I fully leverage the time spent in a far-distant city. I value my security, certainly, but in America we have passed that point where the cure is worse than the disease.
In my last post I wrote of how, with respect to the ATM outages that hit London in the run-up to the Olympics (a circumstance that wasn't repeated during the games as best as I can tell), the bigger picture is that when any city experiences a flood of tourists there will be a need for cash. I also observed how, given the diversity of the visitors, there's little likelihood that everyone will be carrying the requisite debit and credit cards we normally expect tourists to carry.
That post was referenced in the LinkedIn discussion group, Fools for NonStop. It drew this comment from Neil Coleman, a software architect for the Australian company, Infrasoft: "Though not ATMs, but certainly related, beware the self-service fuel stations that only take VISA-branded debit cards in France. They don't take credit cards (VISA or MasterCard), they don't take cash, and no human attendants in 'coo-ee.' Lucky for me, an exceedingly helpful local Frenchwoman passing by let us use her debit card in exchange for cash!!"
The point Neil raised is one that bothers me a lot. Even in the world of ATMs, will the software that financial institutions deploy to clamp down on fraud end up driving away patrons? At a time when financial institutions like to attract other institutions' customers to their own ATMs and collect the appropriate fees, will the steps taken (rejecting cards other than those from a specific geographic location) end up costing us more than the cash we have at risk?
Security is a problem for financial institutions at all levels, particularly with the rapid uptick in popularity of solar-powered ATMs tapping into the cellular or mobile network, as we see so often today in emerging markets, and where traditional steps to anchor them within solid structures are problematic.
But assuming we have the ATM firmly nailed to the ground, how do we secure the connection? There are still many ATMs networked using IBM's SNA, either directly or tunnelled via routers supporting DLSw, a legacy from a time when IBM's network architecture was the de facto standard for all connectivity.
Again, even if we can't uproot the ATM, can we hijack the transaction? Are we really relying solely on the complexity of a legacy protocol to protect us, hoping against the odds that all associated with supporting SNA protocols in the past have eased gently into retirement? Is this a really big door we have left wide open?
Infrasoft, the company Coleman works for, developed the product uLinga (Australian aboriginal for "to fly") and it is meeting with early success replacing legacy SNA networks, ensuring that connections between SNA end points can run more securely over industry-standard IP networks (including end points that are IBM mainframes running CICS and IMS). Through Infrasoft's work with the German software company comForte, the flow of messages over TCP/IP is protected via stronger SSL protocols, and this is certainly a good place to start.
"With such a diverse mix of connectivity still in use, dial-in modems, SNA, TCP/IP without encryption, even X.25 and X.25 over TCP/IP (XOT), securing networks is still an ongoing pursuit for many financial institutions with large investments in legacy technology," comForte CTO, Thomas Burg, told me in a recent email exchange. "Before clamping down on just whose card will be accepted and limiting access to essentially just the local community, there's a lot more options out there to better ensure the network isn't an open door to everyone."
Growing up in a musical family — and with the name Richard — I would often hear a song from the late 1940s that I paid little attention to until recently. And the words?
Come on, open the door,
'Cause I'm standin' here scratchin' in my pants pocket,
And standin' here gropin' in my coat pocket,
And standin' here feelin' in my shirt pocket,
And I can't find the key.
Open the door, Richard!
Little did I know that we would all be doing the same someday, as we switched from keys to PINs. And yes, there will be those, laptop in hand, looking at the network, only too willing to open the door — with our PIN!
On the other hand, if this is all old news and everyone has relegated their legacy devices to the dustbin, then yes, drop me a line. Post a comment. But I would be surprised, as often these days my conversations with financial institutions include references to old networks still being supported as the result of an M&A action, or even when an authorization agency still mandates an SNA or X.25 link.
Before we implement cures worse than the disease, are we completely sure we have closed every open door that we know exists within our networks?