I recently tried to send some money overseas through Western Union. I went to their website and put in all the requisite information, including my Credit Card information. At the end of the process, almost as an afterthought, I was presented with this dialog.
That’s right, folks… MasterCard wants to improve my security. This is a good thing. Visa have a similar feature – “Verified by Visa” – which I have been offered several times in the past and politely refused on every occasion. Unlike them, however, MasterCard would not take “no” for an answer – there was no way to decline this “feature” and still continue to execute the transaction.
Security is a good thing – I am all about security – but issuing me with yet another PIN that I have to remember is not security. Most people will probably write it down, and some will probably write it on the back of the card, which nullifies the security in the first place. On an infected computer, the PIN can be sniffed or keylogged, and be on the other side of the world before the customer has lifted their finger from the mouse button.
If MasterCard were really serious about security, they could have a person or a machine call or text the customer on their cellphone. This could be inconvenient, but I would rather have real security, even if it meant a little inconvenience. Or they could use a hardware key like the YubiKey. But that kind of solution costs money (about $5 per key, when purchased in thousand-up quantities), which makes it unacceptable to the banks.
Some of you may remember when Bank of America offered Credit Cards with the customer’s picture printed on the card. Now that was good security, at least for retail transactions – a quick glance was enough to see that the person was at least superficially similar to the picture. But they don’t make them like that any more. Why not? Because of two small problems: the first was that many cashiers simply did not look at the card, but that could be cured with training and penalties.
The main reason was that the pittance that it cost to put pictures on cards added up to many millions of dollars. Since neither the customer nor the bank was on the hook for fraudulent transactions, this was a cost that the bank was unwilling to bear. So rather than bear the cost of security, they scrapped it to save a dollar and a half per card… and offloaded the cost of the fraud on to the merchants. Problem solved.
And there, as Jack Sparrow might say, is the rub; the only security that is acceptable to the bank is cheap security. And yet another PIN for you to remember is cheap security indeed.
So what did I do? I closed the browser and, after verifying with Western Union that no transaction had occurred, I installed their app on my smartphone. Ten minutes later, the money was on its way, paid from the same card. Quickly, conveniently, and without the usual kerfuffle or flummery from MasterCard.
Cos that, dear reader, is how we roll…