Mobile security perceptions don't approach reality. And that's a problem.

By Evan Schuman | Mon, 18 Nov 2019 07:44:00 -0800

In general, security vendors love consumer surveys where consumers say that they would never, ever, ever do business with a retailer or a bank with poor security practices. But consumers have historically been terrible predictors of their own behavior, and they also tend to tell retailers and banks what they want to hear, rather than the truth.

And the truth, based on the public financial filings of plenty of companies that have suffered public data breaches, is that consumers — partially thanks to zero liability programs from the payment card companies — tend to not change retailers or banks when such data breaches happen. Why? Quite a few reasons. First, zero liability sees to it that they don’t lose any money (it actually limits losses to $50, but almost no business enforces that, and they tend to simply eat all of the consumer losses). If consumers lost large amounts of money from breached retailers or banks, yes, they’d flee, but that doesn’t happen.

Then you have the reality that consumers often don’t read about these breaches and, even if they do, they tend to not care. If a store is offering a product or service that they want and the price is good, they are not going to abandon that retailer because of a data breach nine months ago that didn’t end up impacting the consumer. As for the consumer lying to a survey, that’s simply a case of sending the message they want to send. Those consumers want the retailers/banks to protect their money, so they’ll gleefully check off the box that says “I’ll abandon a retailer that doesn’t have great security” because, well, why not? It doesn’t obligate them to do anything.

I bring this up because of a pair of surveys that hit my desk this week. Identity vendor Ekata reported that “91 percent will not use a platform again if they are a victim of fraud.” Not true. Assuming the survey is accurate, it merely means that the overwhelming majority of consumers will say this when filling out a survey, not that they will indeed abandon that platform. That’s vendor wishful thinking.

Tip for any CISO/CSO or IT leaders who are being pitched by a security vendor that makes a claim that consumers will abandon retailers or banks (payment card processors and card brands are a different case): Ask the sales rep to name any publicly held retailer or bank that has been breached and then suffered a statistically significant number of customer departures. Then hit the SEC database, look up that business’s quarterly filings and see if it reported any breach-related losses. You won’t find any. It’s an argument that works in surveys but not in the real world.

Part of this is because of departure friction. The simple truth is that it’s a hassle to change banks — and the more services the consumer uses, the harder it is to leave — and a pain to switch retailers (because the customer most probably likes the merchandise and the pricing and convenience or else wouldn’t be a repeat, longtime customer). I make an exception for Visa and Mastercard because there is little to no friction switching from one to the other. And major processors lose money when breached because it’s other businesses — not consumers — that abandon them.

This brings us to the second item that crossed my desk. It was a survey from Iovation, a fraud detection vendor. That survey found that “close to two-thirds (64 percent) agree that they would switch financial institutions/credit card companies for ones that have more advanced security protocols in place, while 61 percent agree that they would switch to a company that makes security easier for them.”

“Makes security easier” is an interesting point that I’ll get back to in a moment. But there’s a big problem with consumers saying that “they would switch financial institutions/credit card companies for ones that have more advanced security protocols in place.” Specifically, the overwhelming majority of consumers have no clue what security protocols are in place with financial institutions or payment card companies. When was the last time you saw a consumer pen-testing a financial institution, gaining access to forensic reports for that company or conducting a sworn deposition with that institution’s CISO?

Banks, for very good reasons, keep as many details about their security programs secret for as long as they can. So how can consumers claim to switch businesses based on information that they can’t possibly access?

The bottom line is that they can’t. But — and here’s where Molly Hetz, an Iovation product marketing manager and the main author of the report, makes a useful observation — those consumers can make such a decision based on their perception of security. And that’s where things get tricky.

Consider: One of the best security and authentication approaches today is continuous authentication, where the system considers typing speed, typing pressure (for mobile devices), IP address, time of access, what files are being accessed, duration of session, typing accuracy (number of typos per minute), etc. — and compares all of it against a profile of a session that presumably was of the actual user associated with those credentials. The best part about continuous authentication is that it’s indeed continuous, meaning that it won’t theoretically be fooled by an attacker who does everything properly and within character for 10 minutes and then does the evil things that the attacker always planned to do.
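To make the mechanism concrete, here is an added example (my own illustration, not code from the column or from any vendor it mentions): a toy continuous-authentication scorer that compares each event in a session against a per-user baseline of the signals listed above and re-judges the session on a rolling window, so a session that is in character for the first several events and drifts afterwards is still caught. The profile, the events, the weights and the 0.5 threshold are all constructed assumptions.

```python
# Added example (not from the column): a toy continuous-authentication scorer.
# A constructed per-user baseline holds the signals the column lists (typing
# speed, typo rate, source IP, hour of access, files touched); every event is
# scored against it and the session is re-judged on a rolling window, so a
# session that is in character at first and drifts later is still caught.
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    wpm_mean: float            # typical typing speed, words per minute
    wpm_sd: float
    typos_mean: float          # typical typos per minute
    typos_sd: float
    usual_ips: frozenset
    usual_hours: range         # local hours the user normally works
    usual_files: frozenset

def score_event(p: Profile, ev: dict) -> float:
    """Risk in [0, 1] for one observation; 0.0 means fully in character."""
    def z(x, mean, sd):        # distance from baseline in standard deviations, capped at 3
        return min(abs(x - mean) / sd, 3.0)
    risk = z(ev["wpm"], p.wpm_mean, p.wpm_sd) / 3.0 * 0.25
    risk += z(ev["typos_per_min"], p.typos_mean, p.typos_sd) / 3.0 * 0.25
    risk += 0.2 if ev["ip"] not in p.usual_ips else 0.0
    risk += 0.1 if ev["hour"] not in p.usual_hours else 0.0
    risk += 0.2 if ev["file"] not in p.usual_files else 0.0
    return round(risk, 3)

def evaluate_session(p: Profile, events: list, threshold: float = 0.5, window: int = 3):
    """Re-score after every event; return (index of first flagged event or None, all scores)."""
    scores = []
    for i, ev in enumerate(events):
        scores.append(score_event(p, ev))
        recent = scores[-window:]
        if sum(recent) / len(recent) >= threshold:
            return i, scores          # a real system would step up auth or end the session here
    return None, scores

# Constructed sample data: a legitimate user, then a hijacked session that keeps
# the same IP and hour but types differently and opens a file the user never touches.
PROFILE = Profile(60, 10, 2, 1, frozenset({"10.0.0.5"}), range(8, 18),
                  frozenset({"report.docx", "budget.xlsx"}))
GOOD_EVENT = {"wpm": 62, "typos_per_min": 2, "ip": "10.0.0.5", "hour": 10, "file": "report.docx"}
HIJACK_EVENT = {"wpm": 90, "typos_per_min": 4, "ip": "10.0.0.5", "hour": 10, "file": "payroll_export.csv"}
SESSION = [GOOD_EVENT] * 5 + [HIJACK_EVENT] * 4

if __name__ == "__main__":
    flagged_at, scores = evaluate_session(PROFILE, SESSION)
    print("scores:", scores)                     # 0.017 for the first five, 0.617 afterwards
    print("first flagged event:", flagged_at)    # 7: two drifted events pass, the third trips the window
```

Note that the first two out-of-character events are not enough to trip the window on their own; it is the continued evaluation that catches the drift, which is the point the column makes about an attacker who behaves well at first.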

I’m a fan of continuous authentication. It works far better than passwords, PINs, biometrics (at least the popular biometrics such as facial, fingerprint and voice recognition, rather than my favorite, which is eye scan) and multifactor authentication (MFA, which is often susceptible to man-in-the-middle attacks, especially with a numeric code sent to a mobile device via a text).

One of the advantages of continuous authentication is that it is transparent to the user, meaning that it generates no friction and doesn’t delay or distract the user at all. But Hetz makes the legitimate argument that when a financial institution uses such a frictionless authentication mechanism, the user doesn’t see it. And when users don’t see a security approach, they might very well assume that there isn’t one. This is a classic security contradiction: Using a more secure approach might cause users to assume it’s a less secure approach because those users see friction — jumping through a lot of visible hoops, such as “click on all of the images that have a street sign” — as a sign that the financial institution is really trying to protect their money from bad guys.

Financial institutions “need to have some visible security, because if [users] don’t see anything that validates that security,” the users will assume it doesn’t exist, Hetz says.

But there are other points in the report that are not right without context. For example: “Importance is still placed on having low service fees (62 percent) and good customer service (55 percent), but it is clear that privacy and security needs must be addressed first.”

There are reasons why customers switch banks and reasons for them to stick around. The more bank services that are used (online bill paying, for example), the harder it is to switch banks. The customer thinks “Aargh! If I switch, I have to manually re-enter all of the details of all of the companies I pay. It took me months before I finally got that list complete.” Or consider some of the more sophisticated bots being used by financial institutions today. The more accounts a customer has with that financial institution (checking, savings, mortgage, retirement, credit card, debit card, shuttle accounts for ACH or Venmo or Zelle payments, etc.), the more helpful those bots can be. Again, it makes it more daunting for a customer to choose to move accounts.

Let’s look again at that survey answer. High service fees and bad customer service are absolutely reasons strong enough to outweigh the pain of leaving, but perceptions of privacy and security will be unlikely to make a change worthwhile. An exception (which isn’t really an exception) would be a customer whose bank account was actually emptied out through fraud, and whose bank took a very long time to replenish the account and was not responsive when asked for status updates. But that’s less a security issue than a customer service one. And, yes, bad customer service will absolutely force customers to leave.

Another example: “Close to two-thirds (64 percent) agree that they would switch financial institutions/credit card companies for ones that have more advanced security protocols in place, while 61 percent agree that they would switch to a company that makes security easier for them.” Yeah, not so much. Based on Hetz’s argument, a consumer can absolutely have a perception — which may or may not be valid — of weak security at a current financial institution. But how can consumers have a perception of security at a financial institution that they haven’t used yet? At best, they can see marketing claims from that other institution (I don’t think we even need to address how worthless those security claims are) and they could have heard word-of-mouth comments from other consumers, who may have an even less accurate perception of the security standing.

That conclusion requires a very generous — and self-serving — interpretation of the survey results.
