
September 20, 2007

Web Security and Ease of Doing Business

The other day I was trying to send some money to someone using one of the money transfer companies. After going through a rigorous process and phone calls for half an hour, I gave up. Good news was that this company was taking extra precautions to secure their transactions through the Web, given that in this case actual money was involved. Bad news, however, was that it made the transaction so complicated that they lost my business.

Many companies that conduct online transactions with customers face the same predicament: how do you provide adequate security without making the transaction too difficult for the customer to complete?

There are certain practices that clearly make sense, such as strong passwords (e.g. a minimum of 8 alphanumeric characters), security questions, and even a secondary key. Where it starts getting sticky is when phone verifications are added, or when customers are asked for additional pieces of information that they don't like providing or that take too much time.

The worst part of some of these processes is that the two fundamental principles, "Let the Good Guys In" and "Keep the Bad Guys Out", end up reversed: the good guys have trouble getting in because of all the additional measures, and the bad guys still get in. How does that happen? Very simply, the bad guys come in by exploiting vulnerabilities in the Web applications that sit underneath the front end. Most of the applications we have seen are still vulnerable, and attackers know how to exploit them easily through the user interface itself, including forms and fields. None of the extra hoops at the login page matter if the code behind the form can be made to let anyone through.
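As an added illustration of that point (example code written for this page, not code from the original post or from Cenzic), the block below builds a tiny in-memory user table whose one customer has a password that satisfies the "8 or more alphanumeric characters" rule, then runs both that customer and an attacker through two login routines. The "before" version builds its SQL by string formatting, so text typed into the username field becomes part of the query and the password rule never gets a say; the "after" version uses a parameterized lookup and a constant-time hash comparison in code. The account, password, salt, and the SQL-injection payload are all constructed here for the demo; the post itself names no specific vulnerability class, so SQL injection is an assumed, representative instance of "exploiting the application through forms and fields".

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed sample account, not from the page. The password satisfies the
# "minimum 8 alphanumeric characters" rule the post recommends.
DEMO_USERNAME = "alice"
DEMO_PASSWORD = "Tr4nsf3r2007"
# Fixed application-wide salt so the demo is reproducible; a real deployment
# would use a random per-user salt, but that is orthogonal to the injection.
APP_SALT = b"demo-app-salt"


def meets_password_policy(password: str) -> bool:
    """At least 8 characters, containing both letters and digits."""
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 of the password, hex-encoded for storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), APP_SALT, 50_000).hex()


def build_db() -> sqlite3.Connection:
    """In-memory user table holding the one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        (DEMO_USERNAME, hash_password(DEMO_PASSWORD)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'Before': the credential check lives in SQL built by string formatting.

    Whatever is typed into the username field is spliced into the query, so a
    payload such as  ' OR 1=1 --  comments out the password clause entirely.
    """
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'After': parameterized lookup, then a constant-time comparison in code.

    The username is passed as data, never as SQL. The candidate hash is computed
    before the row check so unknown users and wrong passwords do similar work.
    """
    candidate = hash_password(password)
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], candidate)


def demo() -> dict:
    """Run the 'true' customer and an attacker through both versions."""
    conn = build_db()
    injection = "' OR 1=1 --"  # typed into the username field; password left empty
    return {
        "policy_ok": meets_password_policy(DEMO_PASSWORD),
        "customer_vulnerable": login_vulnerable(conn, DEMO_USERNAME, DEMO_PASSWORD),
        "customer_hardened": login_hardened(conn, DEMO_USERNAME, DEMO_PASSWORD),
        "attacker_vulnerable": login_vulnerable(conn, injection, ""),
        "attacker_hardened": login_hardened(conn, injection, ""),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The result is exactly the reversal the post describes: the legitimate customer gets in through both routines, but the attacker, with no password at all, gets in through the vulnerable one and is stopped only by the hardened one. The password policy cost the customer effort and cost the attacker nothing; the parameterized query cost the customer nothing and closed the door.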

As a best practice, organizations should apply the measures mentioned above so that "true" customers can get access without undue difficulty. At the same time, a much stronger emphasis needs to be placed on finding and fixing vulnerabilities in the application code itself. Make it more difficult for the hackers to come in, not the customers.

I would love to hear some of the best practices people are following that are working well. Please post your comments.

- Mandeep Khera, Cenzic Inc.
