Oneupweb : How Not to Do Online Security
Is there anywhere that good intentions are more often associated with unintended consequences than the online realm?
When persons meet face-to-face, there are many cues we can use to establish trust and credibility. Online, not so many. Because of the potential for fraud and theft during online transactions, merchants and banks have tried a number of ways to enhance security and authentication.
Security is tough because a buyer focused on making an online purchase may not also plan to spend the time and thought required to ensure security. Much of the gain in reliance on e-commerce systems has come from training consumers in basic security practices, like choosing strong(er) passwords, distinguishing secured/unsecured browser connections and verifying the URL of the sites they visit. Technology succeeds when it makes those vital practices easy for the consumer.
An experience I had recently makes me wonder if these problems will ever be really solved. A new system called 3-D Secure made its way into my online experience, and it has been anything but good.
The bank that issues my credit card and an online merchant I periodically use adopted this system sometime last year and gave me a series of unwelcome surprises. As I was making a payment on the merchant’s site, I was directed to set up a new authorization of my credit card. Though the card brand and my bank were both identified, the address bar showed a site I had never heard of. In my experience, that is a sure sign of a phishing attempt. So instead of completing an online transaction in the usual couple of minutes, I was forced to spend the next hour calling my bank to find out what was happening. And I was burdened with registering a new security code on their reliably authenticated site, dealing with technical difficulties along the way and finally returning to the vendor to complete my order.
I complained then that I was presented with this new security “feature” unexpectedly and in a way contrary to good practices, but I went on to use it. Unaccountably, for the last several months, my merchant began to process my transactions WITHOUT using the new authentication method. I wondered what was the point, but went on happily making my payments.
Then, last week, the request to authenticate re-appeared. Since by now I had forgotten my secure code, I was again unable to use my credit card. Worse, when I went to my bank’s website to reset the account, I wound up on a broken third-party site—with no support, even through my bank, and no way to manage my “security” or make my payment. On the third day of trouble, I finally found a support specialist at my bank who could reset the account for me and allow me to complete the simple purchase.
At least a few fine folks have anticipated these kinds of problems. They write:
3DS fixes the economics, at least for merchants and banks: … banks get to shift liability in turn to customers. (In fact the ‘3D’ stands for three domains – the bank, the merchant and the payment network; the customer seems not to have been considered at design time.) …
But 3DS ignores the other lessons learnt from earlier systems. The result is that customers receive little benefit in security, while suffering a huge increase in their liability for fraud. They are also trained in unsafe behaviour online.
Now both my bank and the merchant involved are reputable companies, each serving millions of customers. Yet, they made a serious mistake in the implementation of their security technology—they didn’t sufficiently consider the needs of their customers. What I can do is report to them my perception of their decisions, and remind you, if you are implementing e-commerce, to be wary of promising new security techniques that might bring unintended consequences.
