08/07/2012

Security is Customer Service

Back in February, we published an article called Tough Love – Why Shift4 Standards Are So High. It explained the security reasons behind some of Shift4’s policies and how they benefit and protect our merchant customers – even though they are seen by some as an inconvenience.

Despite the points made in that article, we’ve recently had a couple of merchant customers ask us why they can’t just add a couple of security questions to their account and gain access that way (rather than having to fax over photo ID or a request on company letterhead, etc.). The best answer we’ve seen to this question actually comes from Evan Schuman, the editor of StorefrontBacktalk.com.

In light of the Global Payments breach back in March, Evan published an article entitled Could Global Payments Breach Finally Kill KBA Questions? (the article is behind a paywall, so you’ll have to get a StorefrontBacktalk account if you want to see it in its entirety). But, we’ll give you the basic gist of what he said here.

The article is based on the comments of Gartner’s Avivah Litan, who suggested that the hackers in the Global case gained access to an administrative account “by answering the application’s knowledge-based authentication (KBA) questions correctly.”

For those unfamiliar with the term, KBA is security based on (relatively) personal knowledge – something only the account holder should know. In practice, they often ask things like “What was your first pet’s name?” or “On what street did you grow up?”

In the era of Facebook, when nearly every aspect of our lives could be shared online, you can see how dangerous this might be. Our dogs’ names or the street signs visible in our pictures are just not something most of us think to secure. One large organization used “What is your favorite flavor of ice cream?” to protect their super-user accounts. It didn’t take cyberthieves long to figure out that a lot of people like vanilla, and voila – suddenly these criminals had full administrative access.

As Evan put it, “If something is sensitive enough to need protection, it would seem sensitive enough to need good protection. Hence, should KBAs be used at all?” We think it depends on both how well it’s used and what it is used for. At Shift4, KBA authentication can be used by administrators to gain access to their accounts – but only after several questions are answered successfully. For additional security, we do not allow KBA access over the phone, because humans can fall victim to social engineering efforts or can adopt an “oh, that’s close enough” attitude. It’s nearly impossible to use a manipulative “social-engineering” sob story on a computer. Also, we do not now, nor will we ever, accept KBA questions to facilitate account changes or allow account access.
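To make the point about small answer spaces concrete (the vanilla example above) and to show why requiring several questions matters, here is an added risk model in Python. It is not part of the original post and not Shift4’s code; the answer frequencies below are constructed placeholders, not survey data, and the policy names are hypothetical labels for comparison.

```python
"""Risk model for knowledge-based authentication (KBA) questions.

Added illustration (not Shift4 code). Answer popularity tables are
constructed placeholders: the values are illustrative, not measured.
"""
from math import log2

# Constructed answer popularity for three common KBA questions. Each value
# is the (assumed) fraction of account holders who would give that answer;
# the remainder is a long tail of rarer answers we ignore for guessing.
ICE_CREAM = {"vanilla": 0.29, "chocolate": 0.17, "butter pecan": 0.06, "strawberry": 0.05}
FIRST_PET = {"max": 0.03, "buddy": 0.025, "bella": 0.02, "charlie": 0.015}
STREET = {"main": 0.02, "oak": 0.015, "park": 0.012, "maple": 0.01}


def success_probability(dist, attempts):
    """Probability that someone who tries answers in descending popularity
    order hits the account holder's answer within `attempts` tries."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])


def min_entropy_bits(dist):
    """Min-entropy of the answer: -log2 of the most popular answer's share.
    A 4-digit PIN has 13.3 bits; compare with the questions above."""
    return -log2(max(dist.values()))


def multi_question_success(dists, attempts_per_question, known_questions=0):
    """Probability that every question is passed, given an independent
    attempt budget per question. `known_questions` counts questions whose
    answers the person already knows (an acquaintance, a social-media
    profile); those are treated as certain to pass."""
    p = 1.0
    for i, dist in enumerate(dists):
        if i < known_questions:
            continue  # answer already known, no guessing needed
        p *= success_probability(dist, attempts_per_question)
    return p


def compare_policies():
    """Success probability of a guesser under several (hypothetical) KBA policies."""
    three = [FIRST_PET, STREET, ICE_CREAM]
    return {
        "one question, 1 attempt": success_probability(ICE_CREAM, 1),
        "one question, 5 attempts": success_probability(ICE_CREAM, 5),
        "three questions, 1 attempt each": multi_question_success(three, 1),
        # A childhood friend already knows the pet and the street:
        "three questions, two already known": multi_question_success(three, 1, known_questions=2),
    }


if __name__ == "__main__":
    for name, p in compare_policies().items():
        print(f"{name:40s} {p:.4%}")
    for label, dist in (("ice cream", ICE_CREAM), ("first pet", FIRST_PET)):
        print(f"min-entropy of {label}: {min_entropy_bits(dist):.2f} bits")
```

The numbers show the two halves of the argument: one popular-answer question with a handful of attempts is passed more often than not, while three questions with a single attempt each drive the guesser’s odds down by orders of magnitude. The last row shows the limit of that defense: when the answers are already known, extra questions add nothing, which is why the post does not rely on KBA alone for account changes.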

We are, frankly, shocked by how many organizations do accept these methods of authentication. We cringe when we call our banks and are asked only our address and the last four digits of our social security number (both easily accessible to a determined thief).

One of our employees recently shared a story of a long-time friend playing a prank on him. This friend hacked the employee’s Facebook account and reset his password and e-mail address because he was able to crack all of his KBA questions. “We grew up around the corner from each other, so of course he knew the street I grew up on. And he knew the name of my first pet because he was at the birthday party when I got the dog,” our employee said. “So, it took him no time at all to get in, change my password, and set my profile picture to a drawing of a pink teddy bear dancing on a rainbow.”

Fortunately, this case was more hilarious than malicious. But, it serves as a strong warning to all of us just how easy it is for KBA questions to be compromised.

We feel it is very important to keep your payment data secure. We will simply not allow dumbed-down security measures in the name of simplicity. Your security comes first. We know that sometimes we ask a lot of you in the name of security, but keeping your customers’ payment data out of danger and your company out of the headlines may be the most important service we provide.