Convenience vs. Security - Why convenience keeps winning

Monday, November 26, 2012

Rafal Los


Sometimes, as a colleague says, you hit 'a gray area where the risk analysis is inconclusive' ... and that quote from him got me thinking. It all started when I saw a sponsored tweet urging me to put my credit cards into the new Apple iOS 6 - "Add your credit cards to Passbook to monitor balances, transactions, fees and more" ... and my Spidey Sense went off the charts.

Let's all pile our credit card details into an unproven (or at the very least untested) virtual wallet on the latest Apple iOS release, which is brand new and already jailbroken. You're probably more than a little worried if you remember what happened when Google launched a 'virtual wallet' service. I'm sure Apple's implementation is much better, right?

The answer is a definite 'maybe' ... and that heavily depends on the implementation details between 3rd parties and Apple, which are buried in the API SDK ... and would in all likelihood come out when someone reverse engineers the Passbook container and figures out how outside apps use Passbook to store information.

While the jury is deliberating on the technical merits - and I'll see if I can do a thorough analysis - let's look at the situation right now. Right now you have to assume the thorough analysis is 'inconclusive' - so where does that put your comfort level? It will just come down to risk/reward.

Bottom line - are you willing to trade the convenience of having your credit card information stored in your mobile device (convenience) for the potential risk of compromise (risk)? In today's consumer credit climate you may be easily swayed to believe that the convenience far outweighs the inconvenience to your credit card(s), and I'd probably be right behind you. Here's how it breaks down for me:

  1. Credit cards are highly replaceable - It's important to remember that credit cards are simple to replace. A quick phone call to your credit card companies, or in some cases a single company if you have credit monitoring and they offer this service, and your cards are all expired and new ones are on their way to you. So there's the inconvenience of having to place the phone call and wait the 2-5 days it may take to get replacements, but generally this process is simple, straightforward, and easy.
  2. Issuing banks are accommodating to consumers - Does your credit card have a zero liability guarantee? If not, you need to dump that card and get one that has this... nearly all credit cards these days offer a zero liability guarantee. What that means for me with my credit cards, as one example, is that I'm not liable for fraud committed on my card, and the dispute resolution process is relatively straightforward even for higher-dollar frauds. If you're silly enough to use a debit card in a digital wallet and money is actually *removed* from your account, my bank guarantees me the amount taken is put back by next business day! What a fantastic consumer protection mechanism!
  3. Digital wallet is more convenient - I don't know about you, but carrying credit cards is annoying. That plastic in your wallet, combined with business cards, loyalty cards, driver's license and the gym card, makes for a chunky wallet ... I'd much rather put my wallet on a diet and keep just a few bucks cash and dump the credit cards for something all-digital. I already carry my mobile device everywhere, and am less likely to forget my wallet at home than my phone... convenience is a powerful thing. Being able to pay with a near-field communications option or some other form of digital payment is a ton more convenient than having to pull my credit cards out of my wallet ... and probably faster if done right!
  4. Likelihood of loss - My wallet isn't encrypted, and at least parts of my mobile device are. My wallet is subject to pickpockets, forgetting it, losing it, or having it stolen out of my gym bag ... again, I have my phone in my pocket or my hand a huge percentage more than my wallet. When I run, work out, and travel, my cell phone is in my hand ... my wallet is in my back pocket or in a locker somewhere...

So working this out, convenience wins in the consumer mind, easily. Even in the mind of someone who's security-minded (not necessarily those of us that are overly paranoid and don't have credit cards anyway), convenience may win out over a little added risk. This is especially true if the card issuers are willing to take on the risk in anticipation of higher revenue or profit. So while I investigate this interesting option we're still in that gray area... and although I'm not going to dump my financial information haphazardly into an unproven application on my mobile device - I may be willing to give it a try with a low-limit credit card.

Would you?

Cross-posted from Following the White Rabbit

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.