Apple Pay Makes Mobile Payments Sexy; But Secure?


Is Apple Pay going to be secure?

Apple has us oohing and aahing about the iPhone 6, its big brother the 6+ and finally the Apple Watch. But the biggest announcement of all didn’t even have to do with gadgets. The most significant announcement was about a new service that will be built into those devices…

It is Apple Pay, Apple’s own version of a “mobile wallet” that will allow Apple users to pay for items with just a tap or wave of their device. That is, if those items happen to be in stores that have agreed to install the technology necessary to allow near-field communication (NFC – no, not the football conference, the short-range radio technology) to work. Of course, Apple has done the background work to ensure a lot of big names (MC, Visa, AMEX and retailers such as Target, Macy’s and McDonald’s to name a few) are already on board, which is a significant mark in their favor. And with the U.S. EMV liability shift looming (from October 2015, merchants without chip-capable terminals start absorbing the cost of counterfeit-card fraud), Apple may have just timed this perfectly.

I’ve always been a bit freaked about digital wallets because the Internet giants offering them (Google, Amazon) are the same companies that collect reams of personal data, from search behaviors to my product preferences, and I don’t want any one company having all of that.

Many companies have tried to get mobile payments off the ground in the past without much success. So why might Apple be different, and what does each difference mean for security?

  1. Apple is a master at integrating hardware and software. This doesn’t just mean that their payment system will be more user friendly than previous offerings (which it will), it also means that Apple controls the whole chain, from the NFC radio and the Secure Element chip that holds the payment credential to the Touch ID sensor and the software that ties them together, and so has far more control over the security and the privacy of each transaction. For example…
  2. The actual card number will not be stored on the iPhone itself, OR on Apple’s servers. The phone holds only a device-specific account number, kept in the Secure Element, a dedicated chip that the rest of the phone’s software cannot read. This is a significant divergence from previous offerings (Google Wallet) and is an extremely smart play on Apple’s part. Why? Because…
  3. Apple has basically chosen to stay out of the information collection business to focus on what they do best, which is produce innovative digital devices and the corresponding behind-the-scenes software that make their devices so practical and useful. Consequently, they will continue to be a more trusted brand than their direct competitors. Unlike Microsoft, Facebook, and Google, Apple doesn’t appear to want to become a data-mining company. Apple executives have stated that they have no desire to collect or share user data. This could change when Apple realizes the profit they are passing up for the sake of privacy, but in the meantime…
  4. The same companies that have always collected your purchasing data (Visa, MC, Amex and the retailers you buy from) will be responsible for the same sensitive cardholder information they’ve always had access to, and Apple will simply be passing the transaction through, using a device-specific account number plus a one-time, transaction-specific security code in place of your card number. A thief who pulls that number off the phone, or out of a breached merchant, gets something that cannot be turned back into your card or replayed for a new charge; only the card network’s token vault can map it to the real account.
  5. Finally, like it or not, Apple will make mobile payments sexy (did I just say that – I think maybe I’ve drunk too much of the Apple Kool-Aid). That sounds shallow, but their similar efforts (iTunes + iPods, iPhone + App Store) revolutionized the music and smartphone industries. Apple has a knack for getting consumers to warm up to ideas that have been tried before but never really took off (think music players, smart phones, and tablets), and that is exactly what previous mobile wallet attempts have lacked.
  6. Instead of a credit card that reveals all of its secrets on a magnetic stripe (no security there), Apple Pay will require a fingerprint scan through Touch ID (the fingerprint data never leaves the device) in order to make a charge. In other words, it rides on the same EMV chip standard that U.S. retailers are being pushed to adopt ahead of the October 2015 liability shift, with your fingerprint standing in for the PIN. Apple’s timing is impeccable – let’s just hope the technology is up to the task.

I’m not in any way saying that Apple doesn’t face huge challenges in terms of security, privacy and adoption of Apple Pay. Of course they do. I’m simply saying that they have the best shot yet at bringing together the hardware, software, industry connections and marketing chops to finally make mobile secure payments, well… pay.

John Sileo is an award-winning author and keynote speaker who specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes frequent media appearances on shows like 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.



5 Ways to Doom Your Next Cyber Security Summit (Cyber Security Speakers Like Ambien)

Have you ever snored through a cyber security speaker’s presentation, despite being caffeinated, sugared up and subjected to convention-strength air-conditioning? So imagine what it’s like for audience members who desperately need high-level background on data protection (so that their organization doesn’t become the next Target), but don’t have a technical bone in their body.

Many cyber-security awareness events are studded with brilliant techies full of amazingly useful ideas who have a minor problem communicating their genius. And if your audience members don’t listen, don’t understand, don’t care–then there is little hope of changing their risky data-security habits. Attendee boredom is a meeting planner’s nightmare, an IT department’s budget-buster and an organization’s fast track to data breach.

But your event doesn’t have to be this way. Avoid the 5 Ways and your team will become the silent hero of your next conference.

5 Ways to Doom Your Next Cyber Security Summit

  1. Sacrifice all entertainment at the altar of content. Because data security is a serious topic, meeting planners for cyber security events are often pressured to pack too much content into too little time, leaving attendees overwhelmed, undereducated and cranky. Solution: For your keynote and general sessions, hire cyber security speakers that deliver relevant content packaged in an entertaining and memorable style. That way, you are eating your cake and having it too. Conferences that balance relevant content with effective engagement get the most BANG! for their buck.
  2. Hire experts who talk AT your audience, not with them. Let’s face it, the traditional (talking head) keynote is dead. If your cyber security speakers and experts don’t interact with your audiences, they will lose them after the first 140 characters. Attention spans are short and attendees have Angry Birds to distract them, so you must entice them to listen on multiple levels. Solution: The best conference managers I’ve encountered make attendees part of the conversation by using tools like conference hash tags (#brilliant), social media follow-up discussions and by hiring interactive speakers that make the audience part of their presentation.
  3. Demoralize your attendees with techno-babble. Here is a secret: technical types like geek-speak because it makes them look smart and provides job security (who’s going to fire the guy that knows how to eliminate the Heartbleed Bug?). But that doesn’t work at conferences full of non-technical employees, managers and executives. In fact, it doesn’t even work with techies, because everyone is listening with a different level of ability. Solution: Look for experts able to express complex and technical ideas in simple ways that can be consumed and understood by ALL levels. For breakouts and deep dives, feel free to get as technical as the audience needs, but design your general sessions with everyone in mind.
  4. Save money by bringing in only “industry experts”. A common substitute word for “industry experts” is “vendors”. And the purpose of vendors is TO SELL PRODUCTS (to your audience). Vendors are a crucial component to the financial health of your event, but there is a better way to honor them. Solution: Have your vendors sponsor the keynote speakers that will make their product (and your conference) shine by association. Give their brand some exposure during the presentation so that your speaker doesn’t become a salesperson. Utilize vendors and “member experts” to fill in breakout sessions, panels and socializing events.
  5. Make it all about the organization. Conferences are often designed around getting employees to change their behavior “for the good of the company”. The problem is, we humans are somewhat selfish by nature and tend to ask what’s in it for us. It’s a neon red flag if your cyber security speakers teach in terms of policies and regulations, compliance and legal mumbo jumbo. Solution: Connect with your attendees by providing clear evidence on how they are affected personally by data protection. Once they “get it”, it’s easy to expand that security mindset into the workplace. Make security personal before you expect it to be applied professionally.

I have seen a number of cyber security speakers that rock the stage and end up making the meeting organizers the quiet heroes of the conference. Don’t settle for boring when you have an opportunity to make your event amazing.

If you are looking for a cyber security speaker who will not only keep your audience awake with entertaining content, but who has spoken at the Pentagon, appeared on Rachael Ray and recently taken up Stand Up Paddle-boarding, get in touch with John directly on 800.258.8076.

“I’ve never learned so much I was doing wrong and had so much fun doing it!”  

– Fortune 500 CEO on John Sileo’s Cyber Security Secrets for Non-Geeks keynote

Sileo Speaking at NAFCU Technology and Security Conference

Credit Union Members: A special thanks to NAFCU for having me back a second year to present at their Technology and Security Conference.  Join us in Vegas for some fun and really get into the nuts and bolts of cyber security.



Congress Fails to Limit NSA Surveillance Using Patriot Act Loophole


NSA Surveillance includes the collection of your phone and email records for the sake of detecting and disrupting terrorism. The practice has proven effective, but the scope of the data collected (every phone call and email available, even if you are innocent) has raised eyebrows.

Congress, in a rare show of bipartisan agreement, may be leaning toward limiting the amount of data the NSA can collect.

Rep. Justin Amash, R-Mich., backed by Rep. John Conyers, D-Mich., put forth an amendment that would restrict the NSA’s ability to collect data under the Patriot Act on people not connected to an ongoing investigation.  The action was initiated after Edward Snowden, a government contract worker, leaked highly classified data to the media, revealing that the NSA has secretly collected phone and email records on millions of Americans without their knowledge or consent.

The bipartisan support was counterbalanced by a bipartisan effort to defeat it, with both House Speaker John Boehner and House Democratic Leader Nancy Pelosi opposing it.  In the end, the amendment to a defense spending bill was narrowly defeated by a vote of 217-205.

Still, the close vote may be indicative of a changing viewpoint in Washington: that NSA Surveillance should have oversight.  As Rep. Jim Himes, D-Conn., an Intelligence Committee member stated, “I think as more and more people come to understand the breadth of the authorizations that the NSA and other intelligence agencies have, they start to get a little worried about the encroachment on their privacy, and that’s absolutely fair.”

Himes stressed that the NSA is not out of bounds with their actions. “They are acting pursuant to very clear authority under Section 215 of the Patriot Act,” Himes said.   (215 provides authority for the surveillance programs.) But, he said, “that law is too broadly worded and being interpreted a little broadly.”

When the Patriot Act was introduced, it came with sunset provisions: its most sweeping powers, Section 215 among them, were supposed to expire unless Congress renewed them as the threat diminished. In practice they have been renewed every time, and the NSA continues to exploit our short term memories by utilizing 215 to gather more information than the average American, heck, the average Congressperson, would be comfortable with. Once power is given, it’s exceptionally difficult to take it back. But Congress may be moving in the right direction.

Will Adams, Amash’s press secretary pointed out, “It was the first time that either house of Congress has gone on the record concerning NSA’s blanket surveillance since the NSA leaks started coming out.” He continued, “We got 205 votes despite the fact that we were up against the entire establishment in Washington…The civil liberties of Americans is not a partisan issue.”

Bill sponsor Conyers said in a statement to reporters, “This discussion is going to be examined continually … as long as we have this many members in the House of Representatives that are saying it’s ok to collect all the records you want just as long as you make sure you don’t let it go anywhere else. That is the beginning of the wrong direction in a democratic society.”

Despite the defeat, the debate has led to talk of cutting funding and denying the NSA the authority to continue its data collection. Talk in Washington, however, seems to be fairly cheap. Rep. James Sensenbrenner, R-Wis., cautioned the administration that if it “continues to turn a deaf ear to the American public’s outcry, Section 215 will not have the necessary support to be reauthorized in 2015.”  He further stated, “The proper balance between privacy and security has been lost.”

I’m not suggesting that the entire NSA program be scrapped, I’m simply asking for more transparency as to what is being gathered, and a certain assurance that private data is only being collected and retained on suspects actually under suspicion, not on every American citizen.

John Sileo is a cyber security keynote speaker and CEO of The Sileo Group, a privacy think tank that trains organizations to harness the power of their digital footprint. Sileo’s clients include the Pentagon, Visa, Homeland Security and businesses looking to protect the information that makes them profitable.