Security is supposed to be inconvenient. Good security should make you take extra steps to prove your identity. For example, when I leave my home in the morning or go to bed for the night, I lock the door and the deadbolt behind me. A simple task that doesn’t require much effort to implement but is effective in keeping me and my family safe.
The opposite is not quite so true. When I come home, I can’t just walk in. I have to “authenticate” myself by providing the correct key to unlock both locks. It takes twice as long to prove who I am and get the door open. You can look at this as a form of multi-factor authentication. My point is, it is relatively easy to set up good multilayer security. But that same security meant to keep you safe takes more effort for you to get where you are going.
Good security = effective security
When security measures are too easy to use, their effectiveness is diminished. There are many examples of how convenience has made our data and money less secure. Credit card skimmers on gas pumps is one example. We gain convenience by paying at the pump. The only form of authentication is either your PIN or a ZIP code – neither of which is hard to figure out. So what happened? Thieves installed credit card skimmers on the gas pumps to grab your card information. With easy communication over Bluetooth, the thief doesn’t even have to exit their car to download the stolen data.
Online purchases are even less secure in general because currently there isn’t a good form of multi-factor authentication. If someone has your user name and cracks your poor password (Pet’s name? Really?) they now have access to all of your stored payment information. Simply change the shipping destination and that new 65-inch TV is theirs. To be fair, some sites, like Amazon, do provide a multi-factor log in system – but it is inconvenient (more on this in upcoming BLOG posts).
To help combat fraudulent online transactions, the UK has passed legislation that forces online retailers to implement a multi-step authentication process for online and mobile purchases. The EU’s Second Payment Services Directive (PSD2)’s Secure Customer Authentication (SCA) rules require online retailers to use two types of authentication methods. There is a growing concern that many would-be purchasers will not complete the transaction due to the new requirements, with up to 49% likely to abandon their purchases or not make a purchase in the future. (click here for the original Internet Retailing article.) The goal is not too slow down online shopping, but make it hard for someone other than you to complete the purchase.
The best way to make it hard for someone else is to use a second form of authentication that is unique to you. Facial recognition is one way, thumbprint is another, and my favorite is some form of directed challenge and response. Directed challenge and response can take many forms, from an email that you have to respond to, to an app on your mobile device that you have to acknowledge. Regardless of how it is done, the key concept here is the challenge is directed at you. It is something that only you can respond to.
Good security is inconvenient – it has to be or it is ineffective. One lock on the door is good, but a second lock is better. And if the second lock can only be opened by you, you’ve reached a new level of security.
For a tale of online woe, check out my previous Blog post “Don’t fall victim to online mayhem” about how someone tried to use my American Express account for their own gain. See, this can happen even to the most diligent of us!