Time to decode the ‘Social’ in ‘Social Commerce’

“If I had to guess, Social Commerce is the next area to really blow up” – Mark Zuckerberg

‘Social Commerce’, or more simply ‘Social Payments’, is a relatively new concept that has come up in the last few years. In most cases it has resembled the early days of big data: easy to toss around, but without a clear picture behind it. I believe the vagueness is accentuated by the word ‘Social’ being part of the name. It leads a whole set of people to think that simply latching on to a social network, or appending a ‘pay’ option inside one, makes up the concept. Nothing could be further from the truth. The true meaning of the word ‘Social’ in ‘Social Commerce’ is the full context of your real-life use cases where any social activity is involved: a dinner with your friends, planning and sharing the cost of a gift, and so on.

In fact, if you ponder it, you will perceive that the real driver of this phenomenon has been something else entirely. It is the proliferation of the ‘sharing economy’ lifestyle that makes these social use cases so prominent and common for us. Your payment instances and touch points intersect across the whole matrix of these use cases. Traditionally, the process has been fragmented, with the social and fun experience never coming across in the payments you made with your friends. Until now!

The reasons are plentiful. Let’s start with why social commerce has not worked with the incumbents (your digital wallets):

  • The pain of uploading money first from your bank account (because, come on, you don’t keep large amounts of money in your mobile wallet)
  • The limits on sending money to another wallet (you can’t send more than Rs. 10k at one time as a normal user!)
  • The charges and time delays on withdrawing your wallet balance into your bank account (they are charging you for transferring your money back to yourself!)

I am sure you have realised that the arrival of our own stack, UPI (the Unified Payments Interface), is one of the key turning points (the ‘PayPal moment’) for the Indian ecosystem, especially in enabling ‘Social Payments’ to exist as an independent category in a big way. UPI has brought 10X the simplicity and 10X the speed, which is a core prerequisite for situations where you need to share money with your friends without any awkwardness. Now imagine adding all your social use cases on top of this beautiful and secure base of UPI. As you may have realised by now, this not only creates a completely new paradigm but also increases the value by an order of magnitude (because of the network effects).

Once the wheels start turning on any evolutionary path, it becomes almost impossible to stop them. The natural extension is that this category is bound to grow in India as well, both in numbers and in value, given that it has already reached tens of billions of dollars in the west (the US, with Venmo) and the east (China, with WeChat Pay). The key thing to remember is that any new economy requires a fresh approach and outlook, since the positioning is different from traditional P2P players, and hence the product delivery and experience also need to be different for the user. There have been numerous examples around the world of large social networks adding basic P2P payments functionality and hoping it would take off in a big way. It has not worked that well; Snapcash (P2P payments via Snapchat in the US) is one example.

This brings us full circle to the two golden philosophies that have stood the test of time again and again:

  1. Products that work on the premise of ‘this thing/activity can be done here too’ never make the cut. For example, ‘You can send money on PayPal too!’ is NOT what a Venmo user is thinking.
  2. Once a consumer associates a product with a certain repeat, high-frequency use case, it becomes nearly impossible to change their habit and perception of that product. For example, Messenger has traditionally been a place for sending messages, and that is what a user thinks of when recalling that app (not sending money).

This is where the formidable advantage of having a clean slate comes in –

  • Tailoring the product design around your real world habits when it comes to splitting, collecting, managing and tracking all your payments with your close contacts
  • Ensuring that the experience is insanely fun so that it takes away all the awkwardness that traditionally accompanies any monetary transaction with your friends
  • Ensuring that the product caters to all your use cases to such a minute detail that even you get surprised when it comes to the features!

Needless to say that I am more than excited about how the Indian market is evolving in the fin-tech domain (especially with the Indian government supporting it at an awesome level). Look forward to continued awesomeness and magic along the way.

Cheers, Rohit Taneja, Mypoolin

Internet of Hacks? Minimal prevention steps

Friday, 21 October 2016, has been billed as the first large-scale cybersecurity incident from the IoT world. The widely reported attacks involved infecting devices with malware to turn them into a network of controllable bots, which was then directed to attack websites. One of the principal targets was Dyn, the DNS provider for Twitter, Reddit, GitHub, PayPal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon and others. More than 10 million devices were alleged to be hacked, and almost all (96%) of them were IoT devices, according to Level 3 Threat Research Labs.


The devices conscripted into this botnet (cameras, DVRs, home routers and the like) are typically headless (no screen) but are full-fledged Linux computers. The more constrained class of IoT devices, built on microcontrollers rather than application-grade CPUs and running real-time micro OSes such as TinyOS, Contiki or mbed, was not the target this time, but there is no question that their turn will come. The source code of the Mirai malware used in the attack has since been released publicly, fuelling an arms race between attackers and defenders.

There are important public policy and regulatory aspects to the repeated vulnerability of the Internet, but here we offer some advice on the minimal steps needed to reduce basic exposure.

Network Operators (ISP, Cellular)

Network operators may end up being the spider at the centre of the web and play a central role in securing the IoT.

Cellular operators have traditionally not been very forthcoming on security, and have long grappled with vulnerabilities in Signalling System 7 (SS7), the protocol suite that lets operators talk to each other. SS7, the central nervous system of the worldwide mobile network, connects our phones and allows us to roam while using them. More people use SS7 than use the Internet. This 1975-vintage system is full of vulnerabilities: search for “SS7 hacks” to see how SS7 access has been used to intercept the SMS verification codes that services such as WhatsApp and Telegram rely on, and so hijack accounts. In IoT we are dealing not just with information and money but with life and death, and the operators need to up their game quickly and by quantum jumps.

In the cat-and-mouse game being played out in cyberspace, classical intrusion detection mechanisms are being bypassed. Attackers launch a few probes and, if they fail, move on to some other device and come back to this one a little later. Unless activity is correlated across large slices of time, this behaviour is difficult to detect: the per-host, per-hour thresholds that most rules use never trip. Attackers are simulating humans! The network operator, however, sees traffic across many customers and can detect sustained attempts by a single bot against multiple sites. Operators should be much more proactive in shutting such bots down and in blacklisting the networks they come from. Proactively protecting sensitive end-user installations in this way could be a valuable added service.
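The difference between a per-target rate rule and the cross-time, cross-target correlation the paragraph calls for, as an added example that is not part of the original post. The log format (one failed telnet/SSH login per line, as an operator's collector might export) and the sample records are constructed for this example; the thresholds are illustrative assumptions.

```python
"""Correlating low-and-slow credential probes across time and targets.

Added example, not from the original post. Input format is assumed:
'ISO-timestamp src_ip dst_ip dst_port', one failed login per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.7 hammers one target (classic brute force);
# 203.0.113.9 tries two logins, waits ~6 hours, rotates to another device;
# 198.51.100.4 makes two attempts and is never seen again.
SAMPLE_LOG = """\
2016-10-20T01:00:00 10.0.0.7 192.0.2.10 23
2016-10-20T01:00:05 10.0.0.7 192.0.2.10 23
2016-10-20T01:00:09 10.0.0.7 192.0.2.10 23
2016-10-20T01:00:12 10.0.0.7 192.0.2.10 23
2016-10-20T01:00:20 10.0.0.7 192.0.2.10 23
2016-10-20T01:00:25 10.0.0.7 192.0.2.10 23
2016-10-20T02:10:00 203.0.113.9 192.0.2.11 23
2016-10-20T02:10:03 203.0.113.9 192.0.2.11 23
2016-10-20T08:40:00 203.0.113.9 192.0.2.12 23
2016-10-20T08:40:02 203.0.113.9 192.0.2.12 23
2016-10-20T14:05:00 203.0.113.9 192.0.2.13 2323
2016-10-20T14:05:04 203.0.113.9 192.0.2.13 2323
2016-10-20T20:30:00 203.0.113.9 192.0.2.11 23
2016-10-20T20:30:03 203.0.113.9 192.0.2.11 23
2016-10-21T03:15:00 203.0.113.9 192.0.2.14 23
2016-10-21T03:15:02 203.0.113.9 192.0.2.14 23
2016-10-21T09:00:00 198.51.100.4 192.0.2.10 22
2016-10-21T09:00:01 198.51.100.4 192.0.2.10 22
"""


def parse(text):
    """Turn log lines into sorted (time, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events)


def classic_alerts(events, threshold=5, window=timedelta(hours=1)):
    """What a typical IDS rule does: N failures from one source against one
    target inside a short window. Misses anything slower than that."""
    by_pair = defaultdict(list)
    for t, src, dst, _ in events:
        by_pair[(src, dst)].append(t)
    flagged = set()
    for (src, _dst), times in by_pair.items():
        start = 0
        for end in range(len(times)):          # sliding window over this pair
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def slow_probe_alerts(events, window=timedelta(days=2),
                      min_targets=3, min_attempts=6):
    """Operator-side view: per source, count attempts and distinct targets
    over a long window. A bot that touches each device only twice but keeps
    rotating targets is visible here and invisible to classic_alerts()."""
    by_src = defaultdict(list)
    for t, src, dst, _ in events:
        by_src[src].append((t, dst))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for start in range(len(items)):
            end, targets = start, set()
            while end < len(items) and items[end][0] - items[start][0] <= window:
                targets.add(items[end][1])
                end += 1
            if len(targets) >= min_targets and end - start >= min_attempts:
                flagged[src] = {"targets": len(targets), "attempts": end - start,
                                "first": items[start][0], "last": items[end - 1][0]}
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("classic rule flags:", classic_alerts(evs))
    for src, info in slow_probe_alerts(evs).items():
        print(f"slow probe from {src}: {info['attempts']} attempts on "
              f"{info['targets']} devices between {info['first']} and {info['last']}")
```

On the sample, the classic rule flags only 10.0.0.7, while the long-window correlation flags 203.0.113.9 (10 attempts against 4 devices in 25 hours) and ignores the one-off from 198.51.100.4. The cost of the second detector is state: the operator has to keep per-source history for days rather than minutes, which is exactly why it belongs at the operator rather than on each device.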

Smart Home User

1. Change the default password on your home router. Ensure that the remote-management backdoors (‘trapdoors’) used by your service provider (ISP) and device manufacturer (router maker) are locked down and are not using default or easily guessed passwords. Since many routers (based on Linux variants) are already infected, consider a factory reset followed by an upgrade to a more secure firmware version. Note that Mirai lives only in memory, so a reboot or reset clears it, but an unchanged default password gets the device re-infected within minutes of reconnecting; change the credentials before putting the device back online.

2. Review which devices are directly reachable from the Internet, i.e. those that have a public IP address or a port forwarded to them. DLNA and UPnP are suspect: UPnP in particular lets any device on the LAN ask the router to open an inbound port for it without the user ever seeing a prompt. Disconnect where possible. Check with your supplier whether an on-premise hub can act as a gateway and hide all devices from the Internet; this is the recommended architecture. See the recommendations for device manufacturers below.

3. Arrange to shut down all incoming Internet connections. At a minimum, review and remove WAN-side access to telnet, SSH and the router’s own administration interface. This may need technical configuration on your router.
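A way to find out what step 2 and step 3 are warning about on your own router, as an added example that is not part of the original post: ask the router's UPnP Internet Gateway Device service for its port-mapping table and flag the entries that expose a login or admin port to the whole Internet. The SOAP call shown (`GetGenericPortMappingEntry` on the standard `WANIPConnection:1` service) is the real UPnP IGD interface; the control URL, the sample responses and the list of risky ports are assumptions constructed for this example.

```python
"""Audit the port mappings a home router has opened via UPnP IGD.

Added example, not from the original post. The router's control URL is
found in its UPnP description XML (reachable via SSDP discovery), which is
not automated here; CONTROL_URL below is a placeholder assumption.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
CONTROL_URL = "http://192.168.1.1:1900/ctl/IPConn"   # assumption: replace with yours

# Internal ports that hand an attacker a login prompt or admin UI (illustrative list).
RISKY_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet-alt", 80: "http-admin",
               443: "https-admin", 8080: "http-alt", 8443: "https-alt", 554: "rtsp"}


def soap_request(index):
    """Build the SOAP envelope and headers that ask for mapping number `index`."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    return headers, body


def parse_mapping(xml_text):
    """Extract the New* fields of a GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    fields = {el.tag: (el.text or "") for el in root.iter() if el.tag.startswith("New")}
    return {
        "remote_host": fields.get("NewRemoteHost", "") or "*",   # empty = any source
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_client": fields["NewInternalClient"],
        "internal_port": int(fields["NewInternalPort"]),
        "enabled": fields.get("NewEnabled") == "1",
        "description": fields.get("NewPortMappingDescription", ""),
    }


def audit(mappings):
    """Return (severity, mapping) pairs; CRITICAL when a risky internal port is
    reachable from any remote host, REVIEW for every other enabled mapping."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        risky = m["internal_port"] in RISKY_PORTS and m["remote_host"] == "*"
        findings.append(("CRITICAL" if risky else "REVIEW", m))
    return findings


def enumerate_live(control_url, limit=256):
    """Walk the router's table index by index. An out-of-range index is answered
    with HTTP 500 (UPnP error 713), which ends the loop. Needs LAN access."""
    mappings = []
    for index in range(limit):
        headers, body = soap_request(index)
        req = urllib.request.Request(control_url, data=body.encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_mapping(resp.read().decode()))
        except urllib.error.HTTPError:
            break
    return mappings


def _sample(ext, proto, client, iport, desc):
    """Constructed router response, shaped like a real IGD reply."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{iport}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>')


SAMPLE_RESPONSES = [_sample(23, "TCP", "192.168.1.20", 23, "IPCAM"),
                    _sample(49152, "UDP", "192.168.1.30", 49152, "game-console")]

if __name__ == "__main__":
    for severity, m in audit(parse_mapping(x) for x in SAMPLE_RESPONSES):
        print(f"{severity:8} {m['protocol']} {m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']} ({m['description']})")
```

Run against a live router by replacing the constructed responses with `enumerate_live(CONTROL_URL)`. Any CRITICAL line is a device that step 2 says should be behind a hub and step 3 says should not accept inbound connections at all; the fix is to delete the mapping and disable UPnP on the WAN side, not merely to change that one device's password.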

SmartFactory and SmartBuilding

4. Review recommendations 1-3 for the SmartHome. Do a root-and-branch review of all routers. Upgrade to, and use, trusted computing and a hardware root of trust when securing WiFi and Internet access points.

5. Review the logging capability of the IoT network. IoT devices use non-Internet protocols such as Bluetooth and the IEEE 802.15.4-based ZigBee, WirelessHART and ISA100.11a. For an in-depth look at IoT protocols, go here. Security information and event management (SIEM) tools are still rudimentary for these IoT networks. Consider open-source tools like Foren6 (a 6LoWPAN/802.15.4 sniffer and analyser) as a stop-gap, and work with your vendors to encourage the development of proper tools. This is a good space for new products. (Entrepreneurs, behind every crisis is an opportunity!)

6. Segment the IoT network from the general Internet-connected one, and place the segmented IoT part under more aggressive and conservative controls.

7. Ask your IoT providers about security. An architecture that hides IoT devices behind a segmented network and funnels all incoming connections through a managed choke-point is the minimal starting point. It is very difficult, and probably impossible, to secure every IoT device, so more effort should go into managing the network, and controls need to extend beyond firewall rules to the commands and API calls that cross the choke-point. Encrypted outbound traffic needs extra care: a firewall cannot see what a compromised device is sending out inside a TLS session, so restrict where devices may connect, not just what they say.

Device Manufacturers

8. Consider an architecture that provides security. See https://t.co/mLQPh81a1l for an intro to the IoT stack.

9. Most important is to hide IoT devices from the Internet behind an IoT gateway. Many start-ups, especially in the SmartHome space, build or roll out custom gateways. If you are connecting IoT devices through BLE to smartphones or newer routers, review and block incoming Internet connections.

10. Security has not been a major consumer concern. Our research indicates that fatigue is setting in: how should users configure devices, and how can they trust what works, when even Yahoo, LinkedIn, JP Morgan and others get hacked? For IoT, an incident movement is starting; see IamtheCavalry.org. Is there an opportunity for brand positioning and innovation? How do you sell a car on safety? Some random ideas:

Consider a sticker on each device that provides auto-configuration credentials in a QR code for the segmented (home) network. The user scans it with a smartphone and it configures the app, home router or IoT gateway. Treat the sticker as a secret: it should carry a per-device enrolment credential rather than a shared key, so that a photographed sticker compromises only that one device. Consider a configuration-less PKI such as Device Authority.

Consider treating super-user activity that changes the critical functioning of the device (such as switching over-the-air upgrades off) as privileged, and build in defences such as four-eyes approval (two operators have to approve) or two-factor authentication (an OTP).

Consider logging and forensics at the gateway, which sees every command and connection that the individual devices cannot record for themselves.
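The three ideas above, and item 7's point that controls must cover commands and API calls rather than only firewall rules, come together at the gateway choke-point. The following is an added example, not the authors' code or any product's: a minimal command broker that allows only policy-listed commands per device type, treats a short list of commands as privileged, requires either a second approver (four-eyes) or a valid TOTP for those, and writes an audit record for every decision. The device types, commands, argument ranges and operator secret are assumptions; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) and is checked below against the RFC's published test vector.

```python
"""Gateway-side command allow-list with four-eyes / OTP for privileged commands.

Added example, not from the original post. Device types, commands and
operators are assumptions made up for the demonstration.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 of the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(for_time) // step, digits)


# Per device type: allowed command -> validator for its arguments (assumed policy).
POLICY = {
    "thermostat": {
        "set_temp": lambda a: isinstance(a.get("celsius"), (int, float)) and 10 <= a["celsius"] <= 30,
        "ota_disable": lambda a: True,
    },
    "camera": {
        "pan": lambda a: isinstance(a.get("degrees"), (int, float)) and -90 <= a["degrees"] <= 90,
        "factory_reset": lambda a: True,
    },
}
# Commands that change how the device can be managed or recovered.
PRIVILEGED = {"ota_disable", "factory_reset"}


class Gateway:
    def __init__(self, devices, operator_secrets, now=time.time):
        self.devices = devices            # device_id -> device type
        self.secrets = operator_secrets   # operator -> TOTP secret (bytes)
        self.now = now                    # injectable clock, for testing
        self.audit = []                   # every decision, allowed or not

    def handle(self, req):
        decision, reason = self._decide(req)
        self.audit.append({"ts": self.now(), "device": req.get("device_id"),
                           "command": req.get("command"), "args": req.get("args", {}),
                           "operator": req.get("operator"),
                           "decision": decision, "reason": reason})
        return decision, reason

    def _decide(self, req):
        dtype = self.devices.get(req.get("device_id"))
        if dtype is None:
            return "DENY", "unknown device"
        cmd = req.get("command")
        allowed = POLICY.get(dtype, {})
        if cmd not in allowed:
            return "DENY", f"{cmd!r} is not a permitted command for {dtype}"
        if not allowed[cmd](req.get("args", {})):
            return "DENY", "argument outside policy range"
        if cmd in PRIVILEGED:
            ok, why = self._privileged_ok(req)
            return ("ALLOW" if ok else "DENY"), why
        return "ALLOW", "routine command"

    def _privileged_ok(self, req):
        # Four-eyes: the requester plus at least one distinct approver.
        approvers = set(req.get("approvals", ())) | {req.get("operator")}
        approvers.discard(None)
        if len(approvers) >= 2:
            return True, "four-eyes: " + ", ".join(sorted(approvers))
        # Otherwise a TOTP from the requesting operator, one step of skew allowed.
        secret, otp = self.secrets.get(req.get("operator")), req.get("otp")
        if secret and isinstance(otp, str):
            for skew in (-30, 0, 30):
                if hmac.compare_digest(otp, totp(secret, self.now() + skew)):
                    return True, "otp verified"
        return False, "privileged command needs a second approver or a valid OTP"


if __name__ == "__main__":
    gw = Gateway({"t1": "thermostat", "c1": "camera"}, {"alice": b"12345678901234567890"})
    gw.handle({"device_id": "t1", "command": "set_temp", "args": {"celsius": 22}, "operator": "alice"})
    gw.handle({"device_id": "t1", "command": "ota_disable", "operator": "alice"})
    gw.handle({"device_id": "t1", "command": "ota_disable", "operator": "alice", "approvals": ["bob"]})
    for entry in gw.audit:
        print(entry["decision"], entry["command"], "-", entry["reason"])
```

The point of routing everything through `handle()` is that the audit log is populated by the broker, not by the devices, so a compromised camera cannot erase the record of what was sent to it. Argument validation matters as much as the command name: "set_temp" is routine, but "set_temp 90" on a boiler is not.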

11. Security from design to deployment: consider what level of concern you need to address for your brand, and engage skilled consultants to audit and review the threats, the controls and the architecture you have adopted. Avoid the temptation to roll your own crypto algorithms or your own update and patch delivery mechanism; these are complex and non-trivial. Open-source middleware and IoT platforms are emerging (the Kaa project, IoTivity, PlatformIO and others); explore them. It may even be worthwhile to use a commercial platform.

Guest post by Arvind Tiwary & Vishwas Lakkundi.

Arvind Tiwary is chair of the TiE IoT Forum and a member of the Taskforce on IoT Security set up by CISO Platform and the IoT Forum.

Vishwas Lakkundi is an IoT specialist and consultant, and a member of the Taskforce on IoT Security set up by CISO Platform and the IoT Forum.

Views expressed here are personal.