March 6, 2019

Safe & simple: Can UX design protect us from hackers?

Andy Eva-Dale

Technical Director

124

Share on

Digitalisation has made some things in life simpler, but not security.

A joint-press release by MasterCard & Microsoft, who have recently launched a collaboration over online payments and identification, said:

“Currently, verifying your identity online… places a huge burden on individuals, who have to successfully remember hundreds of passwords for various identities and are increasingly being subjected to more complexity in proving their identity and managing their data.”

Beyond being inconvenient, this complexity is proving positively dangerous - and yet, neither brands nor consumers seem capable of tackling the problem. Today’s consumer has little patience for the faff of multi-device, multi-interface, multi-page verification processes, thumbing codes into cumbersome mobile keyboards and endless password resets. Businesses, meanwhile, are still figuring out how to profit from customer data, whilst the scale and costs of data hacks are escalating. The Marriot-Starwood breach this year was the second-largest in history, with 500m customers affected. The largest-ever attack – on all 3bn Yahoo accounts – ended up costing $47m in litigation expenses.

Easier said than done

Consumers are cybersecurity-conscious, but disinterested in managing the risks. PwC’s 2017 Protect.me survey found that “87% of consumers say they will take their business elsewhere if they don’t trust a company is handling their data responsibly”. And yet…

“Almost one in five people has faced an account hacking attempt but … only a third create new passwords for different online accounts and a worrying one-in-10 people use the same password for all their online accounts”

A lack of understanding seems to be an issue. Two Indiana University academics surveyed 500 American adults to understand why two-factor authentication – theoretically, a fairly effective security protocol – is not more popular. Most consumers, apparently, simply didn’t see the urgency. One of the researchers said of the participants, "We got a lot of, 'My password is great. My password is plenty long enough.” In an interview with The Economist, Adam Cooper, Lead Technical Architect at GOV.UK Verify confessed: “I am baffled most of the time” by most ID login processes.

This shows that if we are to work towards a more cyber-secure world, consumers are unlikely to be much help. Indeed, the same PwC study found that “72% of consumers believe businesses, not government, are best equipped to protect them.” This may be a misguided expectation; conducting a business online appears to depend on hoarding a mouth-watering jackpot of juicy data.

‘A key source of stolen card credentials remains persistent compromises of merchants who store card numbers along with customer details on their own systems as illustrated by hacks against Target, Equifax, Heartland and most recently Marriott.’

IT News

Failing to find a protocol simple enough for everyone will be costly. Marriot’s massive data breach earlier this year led to embarrassing levels of attention from the authorities. According to CNBC, “Attorney generals in Connecticut, Illinois, Massachusetts, New York and Pennsylvania said they would investigate the attack, as did the UK’s Information Commissioner’s Office”.

The NY Times reports Target’s heavily-publicised data breach in 2013 cost the retailer $202m. There is also a risk to profits. Whilst the vast majority of trade still takes place offline, digitally engaged consumers are more measurable, marketable and profitable. Mobile payment users spend twice as much online as illustrated by this Retail Dive report.

UX Proofed

UX improvements are one piece of the puzzle, making it easier for consumers to protect themselves. Indeed, simple security has become a selling point. Monzo Bank shouts about how easy it is to block/unblock a lost credit card.

Source: Monzo Bank

…and brands in finance and beyond are now working to introduce this same ethos into their digital UX. There’s a host of good examples. Most obviously, brands should reduce steps and alleviate the load on consumers. Biometrics, for instance, can now be used to log into online services provided by Bank of America, Capital One and Wells Fargo. Users of the Target app can also use a thumbprint to log in.

Similar gains can be made by simple UX planning. Lloyds bank, for instance, allows customers to bypass repetitive phone security questions by calling via the app. Where additional security protocols are required, they must be effortless. Two-factor authentication (2FA) is fairly quick and easy, and may even be triggered on demand. Barclays Bank customers who receive a customer service call can request a verification message via the app to confirm it’s not a scam. You might also consider making security more fun. Players of Fortnite, an online video game, can “unlock a skin” (I’m told this a good thing) by enabling 2FA on their accounts.

Source: imore

As important as these developments are, however, they cannot be the full solution, as UX improvements do not improve the way brands store and protect data. This brings the debate under the bigger umbrella question of how we – or how interested parties – manage our identities online.

Got ID?

“Any individual’s identity is contingent on the recognition of others… anything like a modern life is rendered all but impossible when that recognition is not forthcoming, or is suborned.”

- The Economist, December 2018

If you think about it, cash is exceptionally secure and simple: merchant and consumer confirm and verify the transaction on the spot, face-to-face. Short of violent crime, not much can go wrong. Digital payments present the challenge of how to compensate for this innate security. There are two possible approaches. One of them – currently commonplace - is to compensate for the lack of the person. This entails recording secure information (i.e., password-and-email combos), and/or by interacting with a device or card assumed to be in the customer’s possession.

The secure information is, however, a new layer of complexity, and a weak point which can be exploited by criminals focusing on card-not-present fraud…

“using stolen identification to open credit lines… creating new, digital-only identities by knitting together real and fictitious information.”

An Accenture study suggested that global annual losses of this kind of fraud may already run into the tens of billions. Dependency on ‘secure’ devices raises similar problems. The device may be stolen, and even biometrics can be hacked. Granted, brands could raise their defences. Monzo - again, leading the charge - used data analysis to help tackle a Ticketmaster breach this year. The challenger bank also operates a machine learning-powered fraud detection system.

But developments like this are really patches on a fundamentally flawed model, where a consumer brand is expected to police transactions and guard stored data. A second approach seems rather more futureproof. The thinking is that, rather than compensating for the physical person, you supplant them, relying on a verifiable digital identity instead.

Take the example of Estonia, hailed as a world leader in digital identification. ‘All residents have electronic ID cards, which are used in health care, electronic banking and shopping, to sign contracts and encrypt e-mail, as tram tickets, and much more besides—even to vote…

Estonia’s system uses suitably hefty encryption. Only a minimum of private data are kept on the ID card itself… Also issued are two PIN codes, one for authentication (proving who the holder is) and one for authorisation (signing documents or making payments). Asked to authenticate a user, the service concerned queries a central database to check that the card and relevant code match. It also asks for only the minimum information needed: to check a customer’s age, for example, it does not ask, “How old is this person?” but merely, “Is this person over 18?”’

Though rigorous and secure at a technological level, at customer level, it’s nothing more than PIN verification: an exceptionally simple protocol. The system is yet to have been hacked, and the success has not gone unnoticed. Banks, card issuers, technology companies and governments are now all proactively troubleshooting how to manage our digital identities online. Here is a podcast that talks about the issues of security, 2-step verification and SIM swapping.

More money more problems

Silicon Valley companies own the devices and operating systems on which digital transactions take place, as well as analogues of our identities in the forms of email accounts and social profiles.

This makes them useful partners. “Sign in with Google/Facebook” really is very simple. True enough, nine out ten companies which rely on a third-party identity supplier use either Google, Facebook, or both. But there are problems. For all their reach, neither Google nor Facebook is all-pervasive. Social channels phase in and out of fashion, and a majority of retail takes place offline. Nor is there a consumer appetite for putting that level of trust in big tech.

A survey of 133k consumers by consultancy Bain & Company put these companies at the bottom of the pile.

Source: Bain & Company

Equally, many governments may shy away from wading in. The UK’s first attempt to introduce national ID cards was a £4.5bn failure, partly because it conjured unsavoury connotations. And in countries much larger than Estonia, governmental ID requirements may hinder the relatively simple task of managing simple, secure transactions. Aadhaar, India’s foray into mandatory digital identity, has been plagued by problems, with people being refused basic services as wide-ranging as posting a letter to receiving healthcare.

Joining forces

Card issuers have seized on the natural bridge between payment and identity, and they seem to offer the greatest promise of salvation. In December 2018, Mastercard announced a strategic collaboration with Microsoft over an as-yet vague service “that would allow individuals to enter, control and share their identity data their way – on the devices they use every day”. VISA is also plugging away. 

Source: Mastercard

Card issuers have two reasons to feel confident of their success: engrained trust, and unparalleled reach. Ninety-six percent of the UK population has a debit card, and even market stallholders now often accept card payments. Tellingly, the majority of forays into payments to date by the FAANGs have linked back to a major card issuer. Technology companies, meanwhile, may manage matters such as the device, the interface, and necessary intelligent back-end tech required to create a secure, “universally-recognised digital identity”.

The importance of an agile technology partner cannot be underestimated. Exceptionally simple, minimalist user interfaces have been part and parcel of the success of Monzo and other challenger banks, whilst traditional-model banks languish with underwhelming digital customer service provisions and outdated UX. Card issuers and big tech firms must ensure they do not also fall victim to corporate inertia. Whilst they may not face equivalent competitive threats (payment processing is a tougher nut to crack than banking), consumer adoption is far from guaranteed.

‘Pindependent’

Consumers’ own inclination to defend themselves online may only weaken with time. Start-ups are sniffing around the payments and identity spaces. Yoti, for instance, seeks to become the “world’s trusted identity platform”’, storing customers’ government documents for purposes such as buying age-restricted products. Though only a piecemeal solution, advancements such as this will further raise customers’ demands for ease and simplicity. There is no panacea for meeting these demands. Reducing the burden on consumers’ time and attention is vital, and this can be achieved through UX improvements at every stage in the customer journey. Brands, equally, cannot realistically be expected to provide a robust defence against cybercrime. Intelligent technologies may support them, but as long as they need to store customer data in order to do business, they will remain irresistible targets to fraudsters. To connect the dots, a new security protocol must be established which alleviates the burden on both parties.

Source: London DSC

Something like the card PIN code holds promise. It’s very secure, very simple, and it already enjoys mass adoption; indeed, mobile payment apps already generally rely on a PIN login. The step towards it being used to authorise online transactions seems relatively small. The prize for tackling this goes beyond preventing crime. Mobile payments in-store are still only popular with 3-7% of western consumers, and only a quarter appear willing to try. If digital payments became viewed as being safe, or safer, than card transactions, this should also open up further marketing opportunities via the customer’s device: location based-targeting, beacons, push-notifications, personalised offers, etc.

That, in turn, should unlock a simpler, safer and more profitable future for all.

Words by

Andy Eva-Dale is a process-driven Technical Director with a passion for anything technical. He has over 15 years application development experience; working with organisations such as the London Stock Exchange, BAE Systems and WPP. During this time he has worked across full stacks on projects such as Grant Thornton, Aegon and East Midlands trains; scoping, designing, documenting and delivering award-winning, large enterprise standard products on a global scale. Andy has certifications in multiple technologies, has delivered talks on emerging technologies and is an active member of various communities

Contributing writer, Lucy Valentinova is a User Experience Consultant who is focused on delivering innovative websites and digital services that meet user, business, and development goals. UX design, strategy, user research and information architecture are central to her work and enable her to make informed decisions when it comes to proposing digital solutions.