Security versus convenience - am I never satisfied?

One of the biggest aggravations involved in dealing with banks and credit card issuers is their security checking process when you contact their call centre. Questions, questions, so many questions. Sometimes, you have to supply this information even when they call you. My recent experience with Barclaycard suggests that they have gone some way towards making this less annoying, but it still raises questions of another sort.

I use my Barclaycard for work expenses. The last transaction I made was for a train ticket on Friday. Late Sunday evening I received a text from Barclaycard flagging up a series of transactions for £50 and £100, made a few minutes earlier. I was asked to reply either Y, confirming they were mine or N, if any of them weren’t. I replied N and immediately received another text, saying they would call me Monday morning.

On Monday morning, I contrived to miss the call, which was to my mobile, and instead picked up a voicemail, asking me to ring back on a 0800 number. This I did, and was greeted with an automated answer system message, personalised with my name, which then put me through to an agent in India. We talked through the transactions and the card was blocked. At no point was I asked any security questions.

Fair enough, except I called back from my landline to get the free call and Barclaycard does not have my landline number, to the best of my knowledge. This makes me think that they dynamically assign a range of 0800 numbers to fraud cases to identify the call. It certainly made my morning less stressful, not having to find my Barclaycard phone password.

I don’t have much information about the fraudulent transactions – I assume they were online rather than card-present using a magnetic stripe clone, but I didn’t manage to find out if the CVV was used. I’m not sure how the card was skimmed – I’ve never been to Home Depot and this particular card pretty much only gets used with a very limited range of retailers, mostly online. Perhaps there was a skimming device in the Scotrail ticket machine? Has Viking been compromised recently? Or the Scottish Crime Writing Festival (oh, the irony)? The choices otherwise are fairly limited.

However, the use of the text to initiate the fraud control process gave me pause. This strikes me as the sort of thing that may not always occur to men but if you steal my card in person, the chances are you will steal my phone too because they are both in my handbag. Then you only have to reply Y to the initial text (assuming I don’t lock my phone, which many people don’t), and carry on your merry way. Here, some form of authentication, possibly a biometric one, seems a good idea.

In other words, the old security versus convenience tension raises its head again. I greatly appreciated not having to go through the whole date of birth, password and first pet/school/car/favourite teacher nonsense on the phone (most of that is firmly filed under ‘trauma – forget’) but a bit of authentication earlier in the process wouldn’t have gone amiss. That said, I didn’t reply Y initially, so I don’t know what would have happened then.

Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 25 September, 2014, 13:24

A couple of years ago, I'd expressed fond hopes for my banks to introduce 2-way SMS for fraud alerts (http://www.finextra.com/blogs/fullblog.aspx?blogid=5801). While my banks haven't obliged, good to know that Barclaycard supports this feature. In a lighter vein, your longing for "a bit of authentication earlier in the process" is another example that reinforces the essence of the German proverb quoted at the end of my post:)

Talking about security versus convenience, after a lot of introspection and deliberation, I'm led to conclude that basic human nature precludes the emergence of a golden mean between the two. Users want convenience as long as the feature is used by the genuine user, but they want security to kick in if the feature falls into the wrong hands. Whereas the service provider has no way to know in advance if the feature is used by the legitimate user or not, and can reach this conclusion only after it has subjected the "user" to the feature - with its present level of security and convenience.

For a long time to come, I predict that we're going to have to accept security over convenience or vice versa. My guess is the choice made by the regulator will be driven as much by cultural factors as anything else.

In India, by enforcing 2FA measures like PIN and Mobile OTP for offline and online card transactions respectively, RBI has long hinted its leaning towards security. In ruling that UBER must use 2FA for card payments for taxi fare, the Indian regulator went on record saying, "security first, convenience next".

OTOH, nearly ten years have elapsed since FFIEC mandated 2FA for online payments in the USA. Still, I haven't come across a single US website that asks for VbV - some don’t even ask for CVV - for accepting card payments. It's clear that convenience comes ahead of security in the USA.