Archive for March 2011

Insecurity derailment


Last week, news emerged that RSA has suffered a serious security breach that has left many wondering whether the millions of SecurID tokens in use around the world are really that secure after all. I’d be very surprised if RSA didn’t suffer financially as a direct consequence of this breach but RSA as a business will survive.

Jack Dorsey’s new venture, Square, is hot at the moment. It’s a credit card reader and associated service that plugs into your iPhone or iPad and lets you take credit card payments. Square takes 2.75% and deposits the rest of the money into your bank account the following day. The device itself is free. All you need is a US address and a US bank account and you can start accepting payment by credit card.

Credit card fraud amounts to billions of dollars every year. Stolen credit card details sell for up to $50 but turning the stolen details into cash isn’t straightforward – fraudsters normally buy goods online which they then re-sell for cash. It would be much easier if you could simply set up a bank account under an assumed name (not that difficult in this age of identity theft), fill it with money debited from the stolen credit cards and then withdraw it the following day.

In theory, Square doesn’t allow this because the card has to be physically swiped through the device.

Except it doesn’t. Major Malfunction and Zac Franken have discovered that it’s possible to spoof the Square system into thinking that a card is present when, in fact, it’s not. This obviously opens up the risk that Square could become a vehicle for large-scale fraud and I can’t help wondering what the credit card companies would do if that were to happen.

Could Square fall victim to its own failure to build a secure platform?

Written by jackgavigan

March 23, 2011 at 11:16 pm

Posted in InfoSecurity

Open vs Proprietary platforms


A few weeks ago, Twitter suspended two of Ubermedia’s clients from accessing the Twitter API. I was busy at the time and didn’t pay much attention but Twitter’s recent announcement discouraging the development of new Twitter clients and a tweet from entrepreneur/VC Max Niederhofer (“What if the inventor of SMTP had told people to stop building email clients? Will Twitter go the way of Usenet?”) got me thinking about the whole affair again.

There’s an interesting dynamic happening here. In principle, there’s no barrier to building an open version of Twitter (or Facebook, for that matter). In fact, SMTP and Usenet are good examples of open, decentralised platforms for e-mail and discussion boards, respectively. There’s no reason you couldn’t have multiple micro-blogging sites, publishing RSS-style feeds that are aggregated on the client side. But Twitter don’t want that because, in that scenario, the network effects that currently drive everyone to Twitter would be neutralised. A lot of the eyeballs that Twitter wants to display adverts to would disappear, and Twitter would go the way of Compuserve. In fact, there are indications that Twitter is moving away from open standards like RSS.

So, Twitter needs to own its users’ eyeballs in order to generate revenue from them and justify its multi-billion dollar valuation. But what happens if users are accessing Twitter through a third-party app (like Ubermedia’s apps) that connects via Twitter’s API? Ownership of those users’ eyeballs is a little murkier. Arguably, Ubermedia has more control over them than Twitter. If Ubermedia were to add support for other micro-blogging platforms to their clients, Twitter could very rapidly lose its dominant position (and the attendant market valuation).

Twitter’s response was to stomp on Ubermedia by suspending its clients. They’d probably like to withdraw support for third-party clients altogether but there’d be a massive outcry and, potentially, the risk of legal action or some kind of FTC investigation, so they’ve settled for making it clear that new Twitter clients are unwelcome. More interestingly, they’ve also made changes to the T&Cs that are clearly designed to prevent developers from siphoning Twitter content into their own micro-blogging service, including a stipulation that third-party clients “must use the Twitter API as the sole source for features that are substantially similar to functionality offered by Twitter” and “may not use Twitter Content or other data collected from end users of your Client to create or maintain a separate status update or social network database or service.”

Exactly what this means for apps like TweetDeck, which includes support for Facebook, MySpace and LinkedIn status updates, remains to be seen. Coincidentally, Ubermedia is rumoured to have agreed to acquire TweetDeck (as if the plot weren’t thick enough already).

It’ll be interesting to see what happens next.

Written by jackgavigan

March 14, 2011 at 4:14 pm

Posted in Openness

Big Company vs Startup


It’s a common fallacy amongst startup folks that large companies are incapable of being innovative or nimble.

Two words: Utter crap.

During the first five years of my career, I worked for small- to medium-sized companies, ranging from a small software house/systems integrator with about forty staff to a three-man dot-com start-up. Then, in the summer of 2000, as the dot-com bubble was collapsing (and after we’d shut down the aforementioned dot-com startup), I took a three-month contract consulting on e-commerce projects at Deutsche Bank, a 130-year-old, multi-billion pound/dollar/euro bank that employed about 8,000 people in London alone, and over 100,000 people globally.

You’d imagine that this company would be a case study in Companies That Are Incapable Of Being Innovative Or Nimble but nothing could be further from the truth. At the time, Deutsche Bank had identified ecommerce as a key area for exploitation and it had a lot of very smart people working on a variety of projects that were aimed at giving it a head start on its competitors. What’s more, the company seemed to be very comfortable with the fact that not every project it invested in was going to be successful – an attitude that reminded me more of a venture capitalist than a massive financial services firm.

Individual business areas were allowed the scope and given the necessary support to explore new ideas, relatively free from bureaucratic constraint. Over time, I came to realise that, in the zero-sum game of the financial markets, companies like Deutsche Bank are fiercely competitive and that competitiveness leads them to react very quickly to opportunities (and, indeed, threats).

A firm’s ability to be innovative and to react rapidly to take advantage of market opportunities does not depend on its size. It depends on its leaders. More accurately, it depends on its leaders’ propensity for change and appetite for risk. (Note that when I talk about leaders in this context, I’m not referring to those at the top of the company, but those who run individual business areas.)

It’s no surprise that startups have a propensity to be innovative and nimble – it’s easy for a small, new company to change and pivot, and, after all, a startup wouldn’t have started up in the first place if its leadership lacked an appetite for change and risk. However, an appetite for risk is not the exclusive purview of those who found startups. An entrepreneurial approach can work just as well within a large company as it can for a small one, and many large companies seek to foster an entrepreneurial culture. At Morgan Stanley, I undertook a project to investigate what underpinned the entrepreneurial culture within the Commodities and Emerging Markets departments and whether the same approach could be replicated across the rest of the company.

I think that people in the startup scene sometimes get a bit snobbish and look down their noses at big, established companies (possibly in part because they lack the cool factor possessed by startups) and there are lots of stories about large companies that failed to react to newer, smaller competitors. However, there are also lots of large companies that have continued to thrive, although I suppose that “David Vanquishes Goliath” makes for a better headline than “Actually, Elephants Can Dance”.

Written by jackgavigan

March 9, 2011 at 11:13 pm