Cash, Credit Cards, Convenience and Security

I was recently asked by Microsoft to make a comment regarding the concept of 'User Convenience -v- Security' from a software perspective.  Security is often seen as restrictive or inhibitive, so is generally not the first thing many (non-technical) users think about or implement.  Also, from an SDLC perspective, security is often seen as an add-on and left to the QA and audit teams to implement before an application or piece of software is released into the wild.  Convenience in both counts, takes hold, reducing security to a post-incident action.

Convenience Wins Out

The same can be applied to many things.  Convenience versus safety is another angle.  How many of us don't bother with the seat belt on a roller coaster, flight or car journey if it's too tight and uncomfortable?  If it's restrictive we avoid it, even though in those examples, our lives could be at stake.  A broader view could look at the market for insurance.  The inconvenience component is the cost up front.  This could restrict us from spending our cash on something more instant and rewarding, instead of the potential for a payout in the future when things don't quite go to plan.

Convenience will always win, which requires safety and security mechanisms to be built implicitly, in order for them to be used.  This then brings up another discussion around control and 'nannying', which is off the topic I want to focus on here.

Convenience Of Credit Cards

I was recently in the US, and whilst I was dodging hurricanes, I used my credit card to make some incidental and not so incidental purchases.  Normally, even for small purchases under £10, I'd be asked for my PIN or signature in the UK.  More often than not it would be PIN.  This is deemed to be more secure as it requires something I have (the card) and something I know (the PIN), whereas the signature option requires only something I have (the card, as if I'm a good forger I can write out the signature again).  Many banks now, can allow for small purchases (under £10) to be executed without the need for PIN authentication.  This is promoting the convenience aspect again.  Customers are more likely to use the card as it's easier, making the banks busier and more profitable.

In the US, I used my card for two metro tickets ($28) and a car park ($4) in the same day.  Both machines were self-service, using the magnetic strip component of the card, as opposed to the internal chip.  Neither required any PIN authentication.  Neither gave the option for receipt interestingly either.  The option to remove the PIN is almost certainly for convenience.  Both were incredibly busy sites, with high volumes of customers.  Speed was paramount and the time saved by not entering a PIN would be welcomed by all involved.  The customer is happy as they are on their train quicker, and the point-of-sale machine, interfacing bank, issuing bank and the interconnecting switches, have considerable less payload to encrypt and decrypt.  Everyone's a winner?

More Secure Without a Pin?

Later that evening, I then used my card for buying two cinema tickets.  This was not a busy site and there was an attendant in presence.  The price was about $30 including some popcorn (of course).  Again my PIN was not asked for.  This got me thinking about the entire process.  For a small purchase the security aspect is wavered in favour of convenience.  If the card was in fact stolen, the amount lost would be small.  If the card was stolen, there is a window of opportunity that exists between the card going into the wrong hands and the owner realising, informing the issuer and the time it takes to cancel the card.  This could be hours or maybe a day.  In that time, a would be attacker is more likely to use the card for larger purchases, as the the risk-reward ratio would be higher.  Secondly, the attacker is unlikely to want to use the card in the presence of others, so would more likely attempt to use the card on line which requires neither the PIN or signature - but alas would still require something they potentially didn't know, which would be the victims address.

Can We Achieve (Convenience == Security) == True?

So using a card without some sort of secondary (something I know) authentication would potentially open up a vulnerability which could be exploited by a thief.  But can we get to a point where the convenience aspect can be kept in place (no PIN), but security at least not degraded (or better still even improved)?  The credit card example has arguable achieved this.  With the PIN turned off for small purchases, the convenience factor will outweigh the small risk of a thief trying their luck to buy a $4 Starbucks and even if they succeed, the loss is small and will actually trigger their illegal actions to the owner - once they check their statement.

Perhaps this is just an illusion and all that has occurred is a risk acceptance scenario, paid for by the speed of the PINless transaction.

The panacea is the ability to make security so built into a process, that it becomes natural or difficult to avoid implementing.  If that's a new process, there is no faster-easier-security-less approach to benchmark against.  The real difficulty occurs where the process or application already exists in its insecure convenient state.