Skip to main content

Cash, Credit Cards, Convenience and Security

I was recently asked by Microsoft to make a comment regarding the concept of 'User Convenience -v- Security' from a software perspective.  Security is often seen as restrictive or inhibitive, so is generally not the first thing many (non-technical) users think about or implement.  Also, from an SDLC perspective, security is often seen as an add-on and left to the QA and audit teams to implement before an application or piece of software is released into the wild.  Convenience in both counts, takes hold, reducing security to a post-incident action.

Convenience Wins Out

The same can be applied to many things.  Convenience versus safety is another angle.  How many of us don't bother with the seat belt on a roller coaster, flight or car journey if it's too tight and uncomfortable?  If it's restrictive we avoid it, even though in those examples, our lives could be at stake.  A broader view could look at the market for insurance.  The inconvenience component is the cost up front.  This could restrict us from spending our cash on something more instant and rewarding, instead of the potential for a payout in the future when things don't quite go to plan.

Convenience will always win, which requires safety and security mechanisms to be built implicitly, in order for them to be used.  This then brings up another discussion around control and 'nannying', which is off the topic I want to focus on here.

Convenience Of Credit Cards

I was recently in the US, and whilst I was dodging hurricanes, I used my credit card to make some incidental and not so incidental purchases.  Normally, even for small purchases under £10, I'd be asked for my PIN or signature in the UK.  More often than not it would be PIN.  This is deemed to be more secure as it requires something I have (the card) and something I know (the PIN), whereas the signature option requires only something I have (the card, as if I'm a good forger I can write out the signature again).  Many banks now, can allow for small purchases (under £10) to be executed without the need for PIN authentication.  This is promoting the convenience aspect again.  Customers are more likely to use the card as it's easier, making the banks busier and more profitable.

In the US, I used my card for two metro tickets ($28) and a car park ($4) in the same day.  Both machines were self-service, using the magnetic strip component of the card, as opposed to the internal chip.  Neither required any PIN authentication.  Neither gave the option for receipt interestingly either.  The option to remove the PIN is almost certainly for convenience.  Both were incredibly busy sites, with high volumes of customers.  Speed was paramount and the time saved by not entering a PIN would be welcomed by all involved.  The customer is happy as they are on their train quicker, and the point-of-sale machine, interfacing bank, issuing bank and the interconnecting switches, have considerable less payload to encrypt and decrypt.  Everyone's a winner?

More Secure Without a Pin?

Later that evening, I then used my card for buying two cinema tickets.  This was not a busy site and there was an attendant in presence.  The price was about $30 including some popcorn (of course).  Again my PIN was not asked for.  This got me thinking about the entire process.  For a small purchase the security aspect is wavered in favour of convenience.  If the card was in fact stolen, the amount lost would be small.  If the card was stolen, there is a window of opportunity that exists between the card going into the wrong hands and the owner realising, informing the issuer and the time it takes to cancel the card.  This could be hours or maybe a day.  In that time, a would be attacker is more likely to use the card for larger purchases, as the the risk-reward ratio would be higher.  Secondly, the attacker is unlikely to want to use the card in the presence of others, so would more likely attempt to use the card on line which requires neither the PIN or signature - but alas would still require something they potentially didn't know, which would be the victims address.

Can We Achieve (Convenience == Security) == True?

So using a card without some sort of secondary (something I know) authentication would potentially open up a vulnerability which could be exploited by a thief.  But can we get to a point where the convenience aspect can be kept in place (no PIN), but security at least not degraded (or better still even improved)?  The credit card example has arguable achieved this.  With the PIN turned off for small purchases, the convenience factor will outweigh the small risk of a thief trying their luck to buy a $4 Starbucks and even if they succeed, the loss is small and will actually trigger their illegal actions to the owner - once they check their statement.

Perhaps this is just an illusion and all that has occurred is a risk acceptance scenario, paid for by the speed of the PINless transaction.

The panacea is the ability to make security so built into a process, that it becomes natural or difficult to avoid implementing.  If that's a new process, there is no faster-easier-security-less approach to benchmark against.  The real difficulty occurs where the process or application already exists in its insecure convenient state.


Popular posts from this blog

The Role of Identity Management in the GDPR

Unless you have been living in a darkened room for a long time, you will know the countdown for the EU's General Data Protection Regulation is dramatically coming to a head.  May 2018 is when the regulation really takes hold, and organisations are fast in the act on putting plans, processes and personnel in place, in order to comply.

Whilst many organisations are looking at employing a Data Privacy Officer (DPO), reading through all the legalese and developing data analytics and tagging processes, many need to embrace and understand the requirements with how their consumer identity and access management platform can and should be used in this new regulatory setting.

My intention in this blog, isn't to list every single article and what they mean - there are plenty of other sites that can help with that.  I want to really highlight, some of the more identity related components of the GDPR and what needs to be done.

Personal Data On the the personal data front, more and more org…

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.