The Retailer Authentication Conundrum
Who are you? In public, people don’t know you from Adam, and when you do interact, how do you really know they are who they say they are? The world today is a global mix of communication and data flows; every corner of the planet is now reachable, and yet the world has yet to figure out how to definitively prove identity.
I am going to focus this post primarily on retail transactions, although the problem of identifying an individual is rampant all over this country. Tens of BILLIONS of dollars are lost every year to credit and debit card fraud. Yet the major card companies, MasterCard and Visa, are doing very little to force change. Perhaps insurance write-offs are far less expensive than leading the industry to solve this problem. However, it’s not entirely the card companies’ fault; the retailers themselves are mostly to blame for allowing fraudulent card use to happen in the first place. It bugs me to the extreme that when I go to Target or WalMart and use my debit or credit card, I am NEVER asked for my ID. They never even look at the card or compare the signature from the digital pad to the back of the card, and they never see that I have SEE ID written boldly on the back.
Here’s the message I get from Target and WalMart around this practice: they value me as a customer, but not my data or identity. I read my local city paper religiously, and almost weekly there is a case of someone who got their wallet or purse stolen and had a few hundred dollars charged at Target, WalMart, and gas stations in the hours after. If the retailers took an ounce of prevention, the thieves would be stopped in their tracks.
I got to thinking: if I were Visa and MasterCard, I would be pressuring the retailers to change, and if I were in the security departments of Target or WalMart, I would be forcing the card companies to change. So why haven’t they? Lack of effort tells me they don’t care about the individual’s identity theft problems, credit score recovery, loan application problems down the road, and so on.
Now that we are getting to mobile payments, where you swipe your phone to pay, and moving more and more away from physical paper and coin currency, there needs to be a massive and sweeping change in proving the payer is authorized. Making it too convenient for the customers makes it just as convenient for the social deviants. So let’s get drastic, yet simple, to eliminate this problem. What needs to happen is to take all this technological advancement that the retailers and companies are using to make us spend money more easily and put a two-factor process in place to use it.
Why not have a random PIN sent to you when you make a transaction? I am not talking about entering your ATM PIN at the register like they are rolling out today, which I think is the stupidest approach to this. Your ATM PIN should be between you and the bank, not shared with every retailer and the nosy people watching you enter it. Have an app that has your photo and displays the picture the retailer uses to complete the transaction. Then you need the phone and the card, along with the face to match them. If one or the other gets stolen or lost, they are worthless. This would eliminate credit card numbers being stolen and used at online retailers overnight. If you have the credit card numbers with the security code, so what? I have the phone that the text is sent to.
Worried about the speed of the inbound text? If Facebook and Google, which have 500+ million users, can get me a two-factor text with a random number in a few seconds, credit card companies and retailers can do it while I wait in line. Instead of checking Facebook or playing my Words With Friends round, I can use my technology to protect my identity and financial resources.
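The per-transaction random PIN proposed above, sketched as an added example (not code from this post or from any card network): a single-use code tied to one card, merchant and amount, with an expiry and a retry limit. The class name, the card token, the 120-second window and the three-attempt limit are assumptions, and delivery of the code to the phone is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3         # assumed retry limit before the code is discarded


class TransactionCodeIssuer:
    """Hypothetical issuer-side store of pending one-time transaction codes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # txn_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(txn_id, card_token, merchant_id, amount_cents, code):
        # Binding the code to the transaction details means a code issued
        # for one purchase cannot approve a different merchant or amount.
        msg = f"{txn_id}|{card_token}|{merchant_id}|{amount_cents}|{code}"
        return hashlib.sha256(msg.encode()).digest()

    def issue(self, card_token, merchant_id, amount_cents):
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"  # drawn from the OS CSPRNG
        digest = self._digest(txn_id, card_token, merchant_id, amount_cents, code)
        self._pending[txn_id] = [digest, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return txn_id, code  # the code is sent only to the cardholder's phone

    def verify(self, txn_id, card_token, merchant_id, amount_cents, code):
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                      # unknown, used, or locked out
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[txn_id]
            return False                      # expired
        candidate = self._digest(txn_id, card_token, merchant_id, amount_cents, code)
        if hmac.compare_digest(candidate, digest):
            del self._pending[txn_id]         # single use: a replay fails
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[txn_id]         # stop guessing at the register
        return False
```

With this shape, a stolen card number and security code are not enough on their own: the approval also needs the code that was sent to the phone for that exact purchase.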
It’s true that this will require a vast, centralized communication center that doesn’t exist in wide use today. It will require users to actually learn to use their powerful smartphones beyond phone calls and games. It will require that retailers push for it and enforce it. At the end of the day, any retailer can let anyone use a credit card with as little or as much authorization scrutiny as it likes. It really comes down to how long customers will tolerate the retailers doing nothing to protect their data as much as they spend to keep you coming back.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.