Following the disclosure by a name brand retailer that their point-of-sale (POS) system had been breached, shoppers outside one of the retailers brick and mortar locations unanimously told a television reporter that cash was the safest way to pay in-person.
For all the advantages e-payments offer, the average consumer is still not convinced its safe or secure. Unfortunately, its hard to argue otherwise, given recent history.
The effort to launch CurrentC, an electronic payment system sponsored by a consortium of merchants led by Walmart, recently received a black eye when it was announced that email addresses of potential beta testers had been compromised. Further compounding the concern of would-be users, at least those who know a little something about IT and information security, was the consortiums stance that it was just email addresses that had been lost.
In an increasingly connected world, its possible to obtain just one piece of information here, and match that to other pieces of information collected elsewhere and soon, the information in hand is enough to compromise an account. Think for a moment, how many accounts do you have for which the email address is the username? Of those accounts, how many have credit cards associated with them? LinkedIn, Amazon Prime, and airline loyalty programs quickly come to mind.
There is a parallel between regarding an email address as just another piece of harmless information and U.S. Social Security numbers (SSNs). When conceived, a SSN was not intended to be an identifier. It was just another piece of information. If every citizen had one however, what a convenient way to use a unique number for an originally unintended purpose. SSNs started being used as an identification number. That turned out to be a bad idea as considerable personal information could be cross-referenced by using an SSN. Similarly, email addresses were just that, intended to be a mailing address, not an identifier. As long as everyone has one, however, theyve slipped into the username category.
The unintended consequence of using an email address as a username cannot be ignored. Anyone with access to your email potentially has half of a username and password combination.
For a payment system, every link in the payment chain must be evaluated from a security and risk perspective. What if we use email addresses as a username? Its not necessarily a bad practice, but email addresses are becoming personally identifiable information much the way SSNs evolved into an identifier. They should be protected as such.
As pointed out above, if many people have access to your email address, half of your user credential is routinely exposed. If an email address is the user ID, it makes sense that additional authentication factors for login should be standard.
In the CurrentC process, the end user must scan a QR code with their smartphone to trigger the e-payment. The smartphone is an effective proxy for a smart card or ATM card. The something you have in your possession in a classic, two-factor authentication schema.
This does raise the questions, how does the end user register that phone and app to the payment system? and what authentication was applied to the registration process? The most dangerous encounter in any remote or e-relationship is the first-time encounter.
If the registration process for an app tied to a payment account is not secure, and if the end user is not reliably authenticated to the phone tied to that userthe registration becomes the weakest link in the chain. This is one aspect of an e-payment vehicle that should not be left as the final consideration. A secure registration should be designed into the system.
A brick and mortar store implementing an alternative to credit cards has an advantage of requiring in-person proof of an applicants identity. Enroll in-person at the store and bring a credit card or a government issued photo ID.
An online enrollment presents a different set of challenges. An out-of-band, two-factor authentication process that calls or sends a message to a phone is a start. Behind the scenes, a service that offers reverse telephone look-up information should also be consulted. Binding the end user to the smartphone is critical as is ensuring the end user is the rightful user of any credit or debit account backing the e-payment account. This is particularly important given all the credit and debit card information that has been compromised over the last several years.
Studies have shown that an end user doesnt mind security and authentication steps as long as the steps are encountered throughout a smooth process. They dont like to clear nine hurdles just to begin a process. Thorough consideration of each risk from both the user and IT security perspectives and risk mitigation from the outset will result in a smoother experience at every link in the payment chain. The ultimate result is successful adoption as the end user chooses to leave their cash at home.
John Zurawski is a vice president at Authentify.