Skip to main content

Cash, Credit Cards, Convenience and Security

I was recently asked by Microsoft to make a comment regarding the concept of 'User Convenience -v- Security' from a software perspective.  Security is often seen as restrictive or inhibitive, so is generally not the first thing many (non-technical) users think about or implement.  Also, from an SDLC perspective, security is often seen as an add-on and left to the QA and audit teams to implement before an application or piece of software is released into the wild.  Convenience in both counts, takes hold, reducing security to a post-incident action.

Convenience Wins Out

The same can be applied to many things.  Convenience versus safety is another angle.  How many of us don't bother with the seat belt on a roller coaster, flight or car journey if it's too tight and uncomfortable?  If it's restrictive we avoid it, even though in those examples, our lives could be at stake.  A broader view could look at the market for insurance.  The inconvenience component is the cost up front.  This could restrict us from spending our cash on something more instant and rewarding, instead of the potential for a payout in the future when things don't quite go to plan.

Convenience will always win, which requires safety and security mechanisms to be built implicitly, in order for them to be used.  This then brings up another discussion around control and 'nannying', which is off the topic I want to focus on here.

Convenience Of Credit Cards

I was recently in the US, and whilst I was dodging hurricanes, I used my credit card to make some incidental and not so incidental purchases.  Normally, even for small purchases under £10, I'd be asked for my PIN or signature in the UK.  More often than not it would be PIN.  This is deemed to be more secure as it requires something I have (the card) and something I know (the PIN), whereas the signature option requires only something I have (the card, as if I'm a good forger I can write out the signature again).  Many banks now, can allow for small purchases (under £10) to be executed without the need for PIN authentication.  This is promoting the convenience aspect again.  Customers are more likely to use the card as it's easier, making the banks busier and more profitable.

In the US, I used my card for two metro tickets ($28) and a car park ($4) in the same day.  Both machines were self-service, using the magnetic strip component of the card, as opposed to the internal chip.  Neither required any PIN authentication.  Neither gave the option for receipt interestingly either.  The option to remove the PIN is almost certainly for convenience.  Both were incredibly busy sites, with high volumes of customers.  Speed was paramount and the time saved by not entering a PIN would be welcomed by all involved.  The customer is happy as they are on their train quicker, and the point-of-sale machine, interfacing bank, issuing bank and the interconnecting switches, have considerable less payload to encrypt and decrypt.  Everyone's a winner?

More Secure Without a Pin?

Later that evening, I then used my card for buying two cinema tickets.  This was not a busy site and there was an attendant in presence.  The price was about $30 including some popcorn (of course).  Again my PIN was not asked for.  This got me thinking about the entire process.  For a small purchase the security aspect is wavered in favour of convenience.  If the card was in fact stolen, the amount lost would be small.  If the card was stolen, there is a window of opportunity that exists between the card going into the wrong hands and the owner realising, informing the issuer and the time it takes to cancel the card.  This could be hours or maybe a day.  In that time, a would be attacker is more likely to use the card for larger purchases, as the the risk-reward ratio would be higher.  Secondly, the attacker is unlikely to want to use the card in the presence of others, so would more likely attempt to use the card on line which requires neither the PIN or signature - but alas would still require something they potentially didn't know, which would be the victims address.

Can We Achieve (Convenience == Security) == True?

So using a card without some sort of secondary (something I know) authentication would potentially open up a vulnerability which could be exploited by a thief.  But can we get to a point where the convenience aspect can be kept in place (no PIN), but security at least not degraded (or better still even improved)?  The credit card example has arguable achieved this.  With the PIN turned off for small purchases, the convenience factor will outweigh the small risk of a thief trying their luck to buy a $4 Starbucks and even if they succeed, the loss is small and will actually trigger their illegal actions to the owner - once they check their statement.

Perhaps this is just an illusion and all that has occurred is a risk acceptance scenario, paid for by the speed of the PINless transaction.

The panacea is the ability to make security so built into a process, that it becomes natural or difficult to avoid implementing.  If that's a new process, there is no faster-easier-security-less approach to benchmark against.  The real difficulty occurs where the process or application already exists in its insecure convenient state.

Popular posts from this blog

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:

Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?

Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

Online-ification: The Role of Identity

The Wikipedia entry for Digital Transformation, "refers to the changes associated with the application of digital technology in all aspects of human society".  That is a pretty broad statement.

An increased digital presence however, is being felt across all lines of both public and private sector initiatives, reaching everything from being able to pay your car tax on line, through to being able to order a taxi based on your current location.  This increased focus on the 'online-ification' of services and content, drives a need for a loosely coupled and strong view of an individual or thing based digital identity.