You’re sitting at your computer when it occurs to you that you really need to buy more tube socks, so you click yourself on over to Tube-Socks-R-Us.com and fill your cart full of socks.
But wait, what’s this? You’re being asked for another sign of authentication before you can check out? Why, that means you have to get up! You need to go get your phone for that one-time PIN! And that darn phone is all the way over there! Well, just forget it, you say, and yet another abandoned cart gets added to the heaps of can’t-be-bothered purchase exhaustion that’s (reportedly) the stuff of online merchant nightmares.
Well, that’s the dystopian, dys-profitable e-commerce future envisioned by Stripe, at any rate. Stripe, maker of online payment technology, recently commissioned research from 451 Research. Based on input from 500 businesses and 1,000 consumers, 451 Research concluded that the EU’s online economy risks losing €57 billion (US $64.6 billion) when Strong Customer Authentication (SCA) goes into effect on 14 September 2019 and ushers what will potentially be forget-the-socks-inducing friction into the checkout process.
SCA is all about protecting consumers by clamping down on fraud. One of the new requirements of the second Payment Services Directive (PSD2) that was passed by the EU in November 2015, it involves introducing additional authentication into online checkout. That can be as simple as a one-time PIN code generated by, say, a text message, by a code generator with an authenticator app such as Sophos Authenticator, or it could be fingerprint confirmation on those devices that support it.
Here’s the definition of SCA from the current guidelines published by the European Banking Authority (EBA), the EU body tasked with supervising and regulating the banking sector:
Strong customer authentication is, for the purpose of these guidelines, a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: i) something only the user knows, e.g. static password, code, personal identification number; ii) something only the user possesses, e.g. token, smart card, mobile phone; iii) something the user is, e.g. biometric characteristic, such as a fingerprint. In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).
At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
Reducing the security of online payments is a laudable goal, the 451 Research report agreed, but yikes, we’re going to be looking at a lot of transactions declined by banks:
While these objectives are laudable, SCA brings with it deep consequences for the customer experience and a far-reaching impact on Europe’s online economy. Online businesses that fail to abide by these requirements to build additional authentication into their checkout flow will see a dramatic drop in approvals as banks become obligated to decline their transactions outright.
We heartily support SCA
This will come as no shocker: at Naked Security, we believe that anything that makes fraud harder is to be applauded.
“The best way to approach this whole issue is for us all to agree to ditch the word ‘frictionlessness’ from our cybersecurity jargon,” said our very own Paul Ducklin…
I’m not suggesting that we make online spending so hard that no one wants to do it, but if €57 billion of turnover really does pivot on keeping online payments stripped back to a single, effortless click, then we’re softening up a whole generation of young computer users to the idea that cybersecurity is ‘someone else’s problem’ to be solved entirely behind the scenes. We’d do better to embrace an online world where the motto ‘Stop. Think. Connect’ is the one we live by.
If you’d like to learn more about two-factor authentication (2FA), we’ve got you covered. Read on!
Learn more about two-factor authentication
(Audio player above not working? Download or listen on Soundcloud.)
Sivakumar
With the rise of scammers and identity theft is on the rise and many fall prey to this yearn in year out. Yet we have ignorance all around. That extra precaution is only going to safe you. So stop complaining and support the good intentions.
Simon McAllister
How different is it to a customer ‘reserving’ an item for pickup, where the customer never shows (and thus never pays)? Shops can build the cost of abandoned carts into their business model in the same way. And as 2FA catches on more (specifically to those that currently oppose it) this won’t be an issue for long. So it’s just ‘change’ that some aren’t comfortable with for now. Good on the EU for implementing it!
Paul Ducklin
The whole metaphor of ‘abandoned carts’ is a bogus one anyway – in a grocery shop or a real supermarket, for instance, abandoned carts are an actual thing, and a potentially costly and wasteful one if perishable goods can’t be returned to chillers or freezers in time. Nothing’s ‘abandoned’ about a product on a web page… probably not even ordered in yet :-)
Cassandra
Well some electrons are seriously inconvenienced!
But if a cart is abandoned is there a “loss”?
The purchaser will either
– come back later (no real “loss” to retail business)
– go elsewhere online (no real “loss” to retail business sector)
– go elsewhere offline (no real “loss” to retail business sector)
– decide they don’t really need the product
— either spend on something else (no real “loss” to retail business sector)
— save the money – indirectly funding something more productive?
Arguably the definition of GDP as a measure of a “good”, economic activity, is wrong
– The drug dealer selling illegal (imported) drugs contributes to GDP (+ve !) and to the balance of payments problem (-ve)
– the local craftsman making something (avoiding an import +ve) contributes less to GDP (-ve)!
Matt Parkes
I agree in principle this is heading in the right direction, however I work for an ecommerce company that outsources its payment processing to a third party, well 2 actually, this means we tokenise the transaction and maintain PCI compliance. One company has just completed the changes required for 3D Secure v2.0, one of our processors doesn’t appear to be too worried (this company is owned by Mastercard no less), now we cant adjust our API’s/pages to accommodate until we know what needs changing so this makes us very annoyed, we are happy to do the right thing but can’t without the specifics, who do we turn to when our card declined rates go up, will our processors pay compensation, i doubt it.
Mahhn
One thing their research may have over looked- while initially after the change people may abandon carts a few times, however – once they have used it once, it will become normal. I expect this will put a good dampener on a lot of stolen card data. Expect SIM swapping/hijacking to get more aggressive though.
Richard
I have no mobile coverage at home so would not be able to purchase anything online from home. SMS texts are not the only way to check. Codes to verified email addresses / credit card address checks or additional passwords all contribute to security without meaning you have to have a mobile phone with coverage with you on every purchase. This will at least cut my online purchasing in half, I tend to shop in the evening from home. I realise I am in the minority living out in the countryside with poor coverage, but I am not alone.
Paul Ducklin
I don’t know any contemporary website that offers 2FA *only* via SMS. You can usually choose from a range of 2FA options, including app-based (no mobile coverage required) or, in the UK, card-based (you need a tiny, handheld card reader provided by your bank, no mobile coverage required).
The notion that 2FA somehow depends on mobile network coverage is a red herring. In fact, the US government wants to get rid of SMS-based 2FA altogether in the public service because crooks can do ‘SIM swaps’ to take over your mobile number more easily than they can steal both your phone and the unlock PIN.
JHH
I personally dislike the 2FA, and not because it’s “change”. I’ve gone through change: started with a rotary phone, no TV, etc and now have computers, smart phones, etc. I’ve seen plenty of technological change (my husband and I are in the industry). I hate it because it’s simply a pain in the ass. Know what will stop fraud? BETTER SECURITY ON RECORDS BY STORES AND BANKS. When Banks, medical labs, giant store chains, all get hacked and records stolen… well… let’s face it, they want the customer responsible for the authentication so they don’t have to PAY MORE FOR BETTER RECORDS SECURITY.
Paul Ducklin
There’s absolutely no reason why you can’t have both – it’s IMO a bit hypocritical to shout at the banks and shops to put more effort into stopping data breaches if you resent spending a few extra seconds of your own a few times a week (seriously, the additional effort of 2FA is pretty minuscule!) to help the cause.
Vog Bedrog
The abstract cost of abandoned carts would be offset by the reduction in the concrete cost of chargebacks for fraudulent transactions (often after orders have been filled). This resistance is short-sighted and selfish, and hopefully futile.
anonymous coward
Online businesses, especially the big ones like Amazon, make a tremendous amount of money from fraudulent card transactions even with chargebacks. They know that many people won’t report that their cards were used fraudulently for weeks, meaning these businesses have had the chance to invest the profits of the fraud for weeks. When the chargeback occurs, the business writes off the loss (which is standard in retail, so it has no competitive disadvantage), while keeping the interest from what was invested. The larger the company, the greater its ability to profit from fraud, even with chargebacks.
Your statement assumes fraud hurts online businesses equally. It doesn’t. And for that reason, larger, more established businesses have no desire to interfere with the status quo. They will make money from all transactions, naughty or nice.
This is a competitive business issue, nothing more or less. It’s big business versus small upstarts. To describe it as a matter of selfishness belies a deep misunderstanding of business.
Cassandra
What are the privacy implications of having your phone number associated with all your online purchases?
You can keep online accounts easily associated with different email addresses, but doing the same with different phone numbers is not as easy.
I already have a “Twitter SIM” for proving I’m not a robot when the Twitter bot propositions me thinking it has found a soulmate!
I already have a “Google SIM” for the more intrusive google functions
How many more? “Amazon SIM”, “Visa SIM”, “MasterCard Sim” (It’s what one of my Credit Card Companies in effect want me to do!)
Will phone manufacturers introduce not just dual-sim but multi-sim phones?
anonymous coward
Having your phone number associated with accounts is a problem for password resets or second factor authentication, because your phone number can be stolen from you in a type of fraud called SIM Swapping. It’s easy for thieves to bribe, blackmail, or fool cellular store/kiosk employees into transferring your phone account to a phone in a thief’s possession.
Often it’s done in the evening, so by the time you notice that your phone has been disconnected from your carrier, it’s too late to get help. The thief then has all night to figure out which online services you use, by trial and error, sending password reset links and SMS verification codes to himself.