Thursday, March 4, 2010

In Security vs. Security, Customer Loses

I just went through a real-life event that really rubbed salt in my security wounds.  It's not bad enough that meaningful security is hard to accomplish - but when we solutions step on each other... it makes matters even worse.

Let me explain...

I wanted to take my wife out some place fun for her birthday.  There was this comedy club in town her friends were always talking about, that we've never been - so I thought I would give it a shot.  Naturally I hit the website rather than going to the box office.  First off, the site design left something to be desired but I figured, hey - they had one of those "McAfee Secure" seals so everything must be good ... I mean, my buddy Trey Ford works there...  I checked out the site, bought some tickets online (using a one-time virtual credit card like this) and that's when things really started going south.

The Problem-
First off, the site has that look.  You know what I'm talking about.  Second, that "McAfee Secured" logo makes me wonder even more about how seriously they took security - or whether it's more likely they're just "checking the box"... But here lies the real problem... I paid with a virtual credit card.  Why is this a problem?  Because - I now have to show that card and an valid ID when I go pick up my tickets. ... So one security feature (virtual credit card numbers) is stepping on another (validating the credit card in person).  Now - this would be a seriously sticky situation - if people actually cared about security.  Why do I say that?  Well - when I called the box office to explain my situation I was told "Oh, don't worry, just give them you're name, no one really checks that (physical credit card)".  Well ... that sucks.

So here's my problem - we have 2 pretty good security measures in place, unfortunately they're stepping all over each other, and we sprinkle in a bit of carelessness and we have all the makings of a disaster.

Big Picture-
The bigger picture still, here and elsewhere, is that this is common.  Employees don't understand the value of things like checking physical credit cards against an ID in-person, and all the best planned security measures in the world won't do any good if no one cares.  The site demonstrates clearly, at least to me, that they are simply checking the security check-box- otherwise someone at some point would have noticed ...gee, this may be a problem!

Bummer.  Another place to avoid.


nickhacks said...

I'm assuming that in the club's case, the number of instances they've had where an attacker has tried to falsely pick up tickets that someone else purchased is rather low. This reduces the incentive they have to authenticate the person picking up the tickets.

If they did actually authenticate you via the card you purchased with, it would create more headaches and unhappy customers when someone didn't read the fine print, carelessly left their credit card sitting next to their keyboard at home, and now can't get their tickets.

They aren't arranging for you to pick up a briefcase full of diamonds, only comedy club tickets. In this case I think the level of (in)security is reasonable

Scott said...

This is a bit of a fundamental problem of web-based ordering and in-person pickup. Essentially the merchant should require two-factor auth - consider that there may be multiple John Smiths out there - so identification is not sufficient for authentication. Thus, only possession of the credit card used will validate the buyer.

In this case, use a real card (preferably a rarely-used one) and take the "risk" of fraud.

On a side note, purchasing at the box office isn't necessarily any more secure. At the Punch Line in Atlanta, the box office uses the same Internet web site to process ticket orders as you can use at home.. Better hope they're Secured By McAfee as well!