How We Fail To Protect Consumers Online

There's no doubt about it: Many of the online systems that collect payment and other sensitive information have been built with a fatal flaw that leaves consumers vulnerable to the consequences of security breaches. But what might be even worse is that we already have technologies that could provide an added layer of online security to protect consumers if only they were adopted industry-wide by retailers and credit card issuers.

When we talk about our fears around online security, it's often the high-profile data breaches, such as those at Target and Equifax, that seem to get most of the attention. We expect that retailers, credit card issuers, banks and even the government all have a role to play in order to protect our sensitive information -- and those groups unequivocally do have a role to play. But more can be done in the name of protection even after a breach in the era of big hacks, and consumers can take part in guarding themselves. The answer lies in an existing technology strategy: two-factor authentication.

But before we talk about the value of two-factor authentication, sometimes referred to as 2FA, we need to put this strategy into context. First, we all know anecdotally that more people than ever are going online to shop and conduct personal business. You’ve likely even done it yourself. Last year, a survey conducted by Pew Research Center revealed that roughly 8 in 10 Americans perform online transactions.

What Information Do Consumers Give Up When They Go Online?

At a minimum, that information is likely to include:

• Name

• Address

• Email

• Credit card number

Those are the most basic fields we’re asked to fill in for online forms. But even when you don't fill in a form with sensitive information, your personal data can be gathered by websites and from your browser through the use of cookies. The cached information is often stored to add convenience for the consumer, such as when cookies are used to help auto-populate fields and save you time during a signup or other transaction.

In short, your data will be collected and stored by organizations. That much is unavoidable. Because of that, we do have standards, such as those in place for health care providers, that regulate how information will be gathered and stored and who can access it. In some cases, merchants have the right to disclose and sell your information.

But shopping online saves neither time nor money if your data is stolen by hackers, mined and sold for profit on the black market of the dark web and then used by unscrupulous people to steal from both consumers and retailers. That’s where adoption of 2FA as a security measure comes in as a solution to the problem of insecure data.

How? In short, two-factor authentication is a second step taken to confirm a process. It can be used to finish an online purchase, gain access to an online account or complete any transaction by verifying your identity.

Three Types Of Two-Factor Authentication

Here are the most common types of two-factor authentication, which you may have already used in online transactions:

• Use of your smartphone to receive a digital code that can be used to complete a login or purchase.

• Confirmation through use of an email link that redirects back to the online page as a final step.

• A second verification using either email or phone or even a confirmation of a payment method, through a merchant payment system used to process a transaction.

All of those methods of 2FA are useful and help to provide a layer of protection, even when your personal data has been compromised. It’s a bit like installing a home security system. A hacker or thief may have access to your credit card number from a data breach, but it isn’t likely they have also stolen your smartphone to complete the second step of the verification and finish the theft.

What We Can Do To Improve Online Security

My business, OpenVPN, specializes in online security. Because of the work that I do, I recommend and strongly support adoption of two-factor authentication to protect both consumers and retailers. I have seen how using a second verification process when processing a transaction can reduce fraud in a dramatic way. What is necessary is only the willingness to put these protections in place. Banks and credit card issuers must lead the way in adoption, as was done when credit and debit cards were upgraded to include smart chip technology.

We have already set a precedent for such an adoption. There are banks voluntarily adopting this process after being burned by fraud. Retailers are also getting savvier about accepting payment methods with two-factor authentication already built in, such as Apple Pay and PayPal. According to research done by Boston Retail Partners (via Statista), Apple Pay was accepted by 36% of retailers at the end of 2016, with another 22% of retailers planning to adopt in 2017. PayPal ran a close second place, with an adoption rate of just over 30%.

In my experience, consumers also have a role to play in protecting themselves. Even before widespread adoption of 2FA takes place, savvy consumers can choose to use online payment systems (Apple Pay, PayPal, Amazon Pay) that include the second layer of security to protect themselves.

The risk isn’t going away. We don’t have to reinvent the wheel to protect ourselves. We just need to be savvy enough to adopt existing technologies designed to improve security.

Nineveh Madsen