When Credit Card Security Goes Wrong
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
Security should protect and enable. Not deny and frustrate.
Cybersecurity leaders must institute processes and tools to understand what success looks like and to pursue the optimal mix of capabilities; otherwise disappointment can easily result. Failure of security can be more than just the exploitation of a system. Exorbitant security costs can crater operating budgets, and bad implementations can lead to terrible experiences that drive customers away. A poor security program can adversely impact financial stability and overall market share. Cybersecurity is a balance among three tradeoffs: risk, cost, and usability.
An Online Shopping Nightmare
Allow me to meander with a quick story. To the chagrin of my wife, I was purchasing more tech goodies late at night from one of my favorite online electronics stores when my credit card transaction was denied. I received a message stating incorrect card information. Being close to midnight, the likelihood that I had fat-fingered something was high. So, I carefully re-entered my card data and again: denied. Knowing there was nothing wrong with my account or credit standing, I surmised I had somehow struck a chord with my credit card company's fraud algorithms. Strangely, I was not notified via phone, text, or email as usually happens. Yes, travelling the world and buying all manner of stuff has made me quite familiar with credit card security verification procedures.
I log in to my account and can easily see it is flagged as "restricted". In response, I call the 24x7 number and am directed to the security department helpdesk, where they verify my identity with a number of basic questions.
This is Where it Gets Odd
Satisfied with my identity, they then tell me their system is down and I should call back in an hour.
What? It is well after midnight and they want me to call back in an hour because of their error?
There are a couple of issues here, but let me be clear, one of them is NOT the flagging of suspicious transactions. I am ALL FOR THAT. In fact, I greatly respect my provider for an above-average level of paranoia. I do appreciate it, although to date their algorithms have always given false positives in my case. Regardless, I am still fine with having to call to confirm I am in possession of my card and did purchase way too many computer parts late at night. It is the right balance to protect my accounts and credit reputation from fraud.
Protect and Enable
The first issue is about completing the cycle for customer engagement. Why have a fraud detection and prevention system which blocks transactions and requires customer interaction if the system needed to resolve the problem is 'down for an update'? Being a multi-billion-dollar company, I would expect some backup system or process that could help customers in good standing in an expedited way when the fraud algorithm misses the mark and impacts a legitimate customer. How can you run a business in a way that alienates and infuriates your good patrons? Security operations are important, but they should not be so stringent that the cost unnecessarily lands on your clients!
I had no desire to spend more of my time 'calling back' to resolve their issue, but I did want to file a complaint so senior management would be aware of such undesired impacts. I have often found that IT and security processes that are detrimental to customer satisfaction are obscured from the view of senior management. Executives are in the dark, unaware of problems because complaints never bubble up to them. So, I figured I would do the right thing.
I Should Have Just Gone to Bed
After politely asking to speak with a manager to file a complaint, I was put on hold for some time. Long enough apparently that the system miraculously came back online and my transaction was quickly unblocked. Although the issue was remedied, the customer-experience information still needed to get upstairs. Without proper feedback, poor processes tend to live on indefinitely. So, I persisted with my desire to file a complaint. This left me on hold again for quite some time. Then, without being transferred to anyone else, I was assured a complaint was filed on my behalf. I asked for a copy. No, they can’t do that. I asked for a complaint number. No, there is no number. I asked to speak to a manager. Please wait, again.
After more time, I talk to a nice gentleman who assures me everything is fine with my card and apologizes profusely for the issue. I explain the purpose of my complaint, namely to help inform management of the undesired effects of specific, avoidable situations which are a detriment to their customers' experience. Notes were taken, which he would email to the 'right' people, and I am told someone will call me in 3 to 5 days, which is reasonable.
It is now near 1am and I can't even remember what I ordered in the first place. I am left wondering how a massive financial transaction organization can lack an integrated ticketing system to track customer issues. Why are complaints or issues written up in free-form notes and emailed to people in other groups? Corrections cannot be made if customer feedback about security issues is not effectively reaching the right level of management.
Security Without Frustration
Being a security professional, I have tremendous patience and empathy when it comes to security checks, identity verification, and fraud prevention. But there are limits to what is reasonable, and they must be identified and respected. Otherwise, security loses trust and its value is undermined.
Security organizations fight an uphill battle every day. We start with a bad reputation for high costs and unbearable impacts on user experience. As professionals, we must work hard to institute controls in ways that are minimally invasive, cost efficient, and still effective at managing the risk of loss. Allowing avoidable burdens to fall on customers is not the right path.
People rely upon their credit cards. What if this scenario happened to someone stranded who needed to buy gas, pick up critical prescriptions, book an emergency plane ticket, or buy food for their crying infant? Imagine being told to wait an hour or more and call back, not because the whole system is down for everyone, but because a fraud system mistakenly singled you out and no backup capability is in place to resolve it. How frustrated would you be?
Applying scrutiny to transactions is great. It can protect customers who are being victimized, merchants, and the financial institution. Taking an aggressive action to temporarily hold a transaction is acceptable if the resources are in place to quickly resolve the issue for customers accidentally caught in the net. Otherwise, good customers are penalized and treated like the criminals you are trying to disrupt.
Although I have called out an experience with a large financial institution's credit card service, the problems are not unique to them. There are lessons here for all cybersecurity professionals. We owe it to our organizations to make security a competitive advantage by protecting both the business and its customers. Long-term success must be measured in how well we protect and enable a better organization. Security must be cognizant of the potential impacts on customer relations and design systems that secure assets while minimizing end-user frustration. This is how we make cybersecurity a valuable addition to digital services and organizations.
Interested in more? Follow me on your favorite social sites for insights and what is going on in cybersecurity: LinkedIn, Twitter (@Matt_Rosenquist), YouTube, InfoSecurity Strategy blog, Medium, and Steemit