Overzealous Security

Tis the season for overzealous security to kick in. Is there such a thing as too much security?

Rock --> consumer

There's been nearly as much hype about the (non)mythical "Cyber Monday" as there is surrounding "Black Friday" this year. While a lot of attention has been focused thus far on how slow (in terms of performance) some major online-shopping sites have been, there's been very little discussion about the impact of automated fraud detection systems on online transactions.

I don't know anyone that would argue that these systems are a Bad Thing. After all, no one wants their bank to ignore what might be considered fraudulent online activity and everyone I know that's gotten that call from their bank or credit card company has been grateful that these systems exist.

But - and there's always a but - is it possible for these systems to be too zealous?

Don and I shop online year round, but the volume increases in late November to early December. We've got many nieces and nephews and tech-savvy relatives for which we shop and hey, while Green Bay may be the technological mecca of the midwest there are some things you just can't run out and buy. If you want it, you have to get it online. Being seven months pregnant, I much prefer shopping online than fighting crowds and going out in what is starting to be sub-freezing temperatures so this "drawback" to living in BFE isn't nearly as restrictive as it sounds.

But a sudden uptake in online purchases can apparently trigger hypersensitive fraud detection systems, at least at my bank. And it's not just the number of varied retailers that triggers the "do not honor" flag but apparently the number of transactions. That was bad news for me, as a single shopping cart from amazon.com resulting in 13 individual charges - even though 8 of the items were directly from amazon.com itself and not partner sites. My bank immediately flagged my card and refused all further transactions. Eventually I got things straightened out with the bank, but not before I had to find another card and retry transactions at several other online shops.

But my level of persistence may not hold true for a large number of consumers, especially if it may be their first online shopping experience. If "Cyber Monday" sales were down, how much did "lost transactions due to hyper-vigilant fraud detection systems" contribute to that? We may never know, but I'm certain it did contribute. I can't believe I'm the only online shopper who has been - or will be - the victim of an overzealous fraud detection system.

Fraud detection is necessary, but it needs to take a lesson from other security implementations around the Internet. Fraud detection systems appear to implement the strictest form of security - it's either all allowed or all denied. No white listing, no black listing, nothing. It's all or nothing with them. Web application firewalls like BIG-IP Application Security Manager have moved past such simple security schemes, employing a combination of both positive and negative security models as well as myriad other features that allow the system to learn and adapt. Such products also provide configurable actions based on the level of comfort of the administrator or application. When encountering new behavior a WAF can often be configured to allow it, deny it, or request review. It's this kind of flexibility that's required to ensure the highest level of protection for consumers online while not interefering with their ability to enact transactions.

As threat grows, fraud detection systems also need to adapt. Shopping habits are going to change - probably seasonally - and any system that has such a huge impact on a consumer needs to be both vigilant and dynamic. Taking a cue from the WAF market, perhaps that fraud detection system should allow me to white list online retailers, or at least ask me first before shutting off my card. In the past the bank would call before it denied charges or blocked the card, now it just denies them and shuts off my card without a word, leaving me frustrated and retailers out a sale.

Security is a necessity, but when it begins to interfere with business - whether online or in the real world - there is a problem, and that problem needs to be addressed. The goal of fraud detection - and security in general - is to stop the "bad guys" from spending my money/stealing my identity/absconding with corporate data/etc.

Achieving that goal should not be accomplished by assuming I'm one of them.

Imbibing: Orange Juice