
Cloud security - it's the process stupid

Den Howlett, October 6, 2013
Is it only up to the banks to secure transactions, or should there be process steps inside applications and services? We look at the hospitality industry as one example where simple changes would remove stress and cost.

Phil Wainewright's analysis of cloud security where there are financial transactions at stake got me thinking. He argues:

Why try and tear down the walls when you can just steal the keys and walk right in? Most attacks today gain access by stealing or cracking passwords that allow the hacker to assume a trusted user’s identity.

I'm going to take a swerve on this down the travel route.

There are other ways in which loss can be incurred and much of it is down to process flaws. In some cases, the flaws are adding friction to processes that should be far simpler. Here's an example from the hospitality industry.

Travel trouble

It's not uncommon in the technology industry for vendors to pick up the costs of third party travel for a variety of events and meetings. There are many variations on the theme. Some will book flights and hotels on your behalf. Others will book flights but leave the traveler with hotel costs and other incidentals to settle and then reclaim. Still others try to be helpful by taking the load off the traveler but in the process introduce weaknesses that make credit card theft/fraud far more likely. In all cases, the processes are flawed, weak and time consuming.

Part of the problem lies inside the value chain. For example, some hotels have recently started asking for the card verification value (CVV, the three or four digit code printed on the card) as part of the booking process. The problem here is self evident. The CVV exists to show the card is in hand at the moment of a transaction, and PCI DSS forbids storing it after authorization. If that information is entered into the booking system by hand, or is not passed through a secure system that discards it once the authorization is done, then the risk of fraud remains. That's before we start thinking about straightforward error. How might this be resolved?

Just as Phil believes the banks will come to our rescue (I am somewhat skeptical given their past history of failing to agree on standards for ATMs and file types) I believe that you need agreement across a much broader set of players. Both the financial institutions and supply chain actors need to take an active part. In my example, that includes application developers, travel agents and hotel operators.

The financial institutions are already part way there. In addition to the CVV, Mastercard's SecureCode system (its implementation of the 3-D Secure protocol) authenticates the cardholder with a separate code at the time of an online transaction. That code is checked by the card issuer, not by the merchant, so the hotel never holds anything of lasting value to mishandle. The hotel systems are a long way behind.

Finding a solution

When booking online, hotels often ask for credit card information, ostensibly to secure the room when in reality they are looking to cover extras in cases where a central booking service has already secured the room and committed to the room charges. The problem here is that the user doesn't know the extent to which they are being asked to pre-authorize costs. The logic escapes me.

It would be far simpler to insert a process step that states the exact amount to be pre-authorized and what it covers. That way, the separation of cost responsibility is maintained while the individual knows the extent of their expected liability. In turn, using services like SecureCode ensures that everyone's security needs are satisfied.
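The process step proposed above, as an added example written for this page rather than code from the original post or from any hotel or booking system. It models a booking where the room charges are already committed by a central booking service, works out what the guest is actually liable for, produces the plain disclosure the post argues for, and then takes the card details once for the authorization and keeps only a processor token, so the CVV has nowhere to be stored. The booking fields, the amounts, the token format and the processor call are all assumptions for illustration.

```python
# Added example (not from the original post): an explicit pre-authorization
# disclosure step plus a stored card record that cannot carry the CVV.
# All field names, amounts and the "processor" are constructed for illustration.
import re
import secrets
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Booking:
    guest: str
    nights: int
    nightly_rate: Decimal
    room_paid_by_booker: bool          # True when a central booking service has
                                       # already committed to the room charges
    incidentals_hold_per_night: Decimal


def make_booking(guest, nights, nightly_rate, room_paid_by_booker, hold_per_night):
    """Build a Booking from form-style string amounts (Decimal avoids float error)."""
    return Booking(guest, int(nights), Decimal(nightly_rate),
                   bool(room_paid_by_booker), Decimal(hold_per_night))


def guest_liability(b: Booking) -> dict:
    """Split the pre-authorization so the guest sees only what they may owe."""
    room_total = b.nightly_rate * b.nights
    hold = b.incidentals_hold_per_night * b.nights
    return {
        "room_charges": room_total,
        "room_charges_payer": "booker" if b.room_paid_by_booker else "guest",
        "incidentals_hold": hold,
        "guest_preauth_amount": hold if b.room_paid_by_booker else room_total + hold,
    }


def preauth_disclosure(b: Booking) -> str:
    """The missing process step: a plain statement of what is being held and why."""
    s = guest_liability(b)
    who = "the booker" if s["room_charges_payer"] == "booker" else "you"
    return (f"Room charges of {s['room_charges']} are billed to {who}. "
            f"A hold of {s['incidentals_hold']} for incidentals will be placed on "
            f"your card. Total pre-authorized: {s['guest_preauth_amount']}.")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: catches keying errors in a card number, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """What the booking system keeps. There is deliberately no CVV field."""
    processor_token: str
    last4: str
    expiry: str


def authorize_and_tokenize(pan: str, expiry: str, cvv: str, amount: Decimal) -> StoredCard:
    """Use PAN and CVV once for the authorization, then keep only a token.

    Stands in for a payment processor call (assumed, not a real API). The token
    is random, not derived from the card data, so the record cannot be reversed.
    """
    if not re.fullmatch(r"\d{12,19}", pan) or not luhn_ok(pan):
        raise ValueError("invalid card number")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("invalid CVV")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("invalid expiry")
    if amount <= 0:
        raise ValueError("pre-authorization amount must be positive")
    # ... the processor would approve `amount` here; pan and cvv go no further ...
    return StoredCard(processor_token="tok_" + secrets.token_hex(8),
                      last4=pan[-4:], expiry=expiry)


def record_is_clean(card: StoredCard, pan: str) -> bool:
    """Check that neither the full PAN nor any CVV survives in what is stored."""
    return pan not in repr(card) and not hasattr(card, "cvv")


if __name__ == "__main__":
    # Constructed sample: three nights, room committed by the booker, 50/night hold.
    booking = make_booking("A. Traveller", 3, "180.00", True, "50.00")
    print(preauth_disclosure(booking))
    card = authorize_and_tokenize("4111111111111111", "12/29", "123",
                                  guest_liability(booking)["guest_preauth_amount"])
    print(card, record_is_clean(card, "4111111111111111"))
```

The disclosure is generated from the same split that drives the authorization amount, so the guest cannot be told one figure and held for another; and because `StoredCard` has no place to put a CVV, a later developer cannot quietly start persisting it.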

Make sense?

Featured image credit: © SP-PIC -
