Wednesday, November 26, 2014

Would the good people at MasterCard please fuck off?

So let me tell you about my night.  I have a long drive coming up tomorrow, about seven hours.  I'm going to be stuck out in the boonies, in a part of the US where internet access is a line-of-sight issue and if you can get it, it's pretty bad quality.

So here's where my desire to have DRM-free media pays off.  I've just learned that 2000 AD has DRM-free digital comics available direct from their web site.  Awesome, and they have a couple (hell, a ton) of series I keep hearing about available to purchase digitally.  So I buy two books to copy to my tablet so I can read them out in the middle of no-internet-land.  Or, I try to buy them.

My bank card is a MasterCard, and 2000 AD's payment processor (Sage Pay I think?) participates in this ridiculous program MasterCard set up called SecureCode.  What is MasterCard Secure Code? Why it's a system that requires users to create yet another password for you to remember every time you want to use your card online!  Yes, isn't that great?

It firstly annoys me and secondly worries me that MasterCard, a company who holds a lot of my financial security in their hands, doesn't understand basic security.  From having this bank card I already have one password, my online banking password.  Then I have another password, with the site I'm purchasing from.  Don't forget the password I have to log into my computer in the first place.  How many passwords would MasterCard like me to have in order to buy something online?

Pro tip:  Forcing someone to create an unnecessary password isn't more secure, it's less secure.  It's one more thing I have to remember, it's something that most people will either write down or use the same password they use for every other service.  Either option is insecure.  In some ways it's less secure than not requiring a password, because now if MasterCard Secure Code is hacked, the poor slob who only has one password now has that one password in some hacker's hands.

I'm sure it makes MasterCard feel better, because it's essentially a CYA maneuver.  Cover Your Ass.  Unfortunately it's a shit implementation of a shit idea that doesn't help me one iota.

The first time I faced a Secure Code screen it allowed me to opt out.  I tried many times on many devices to opt out tonight, and it wouldn't give me the option again.  Googling "Secure Code opt out" results in many articles announcing Secure Code, assuring people that of course you'll be able to opt out. Ha!

Here's another pro tip, for free, MasterCard:  If you want more secure transactions, do one of two things:  1) Set up an authorization system where I can grant or revoke permission to a particular store or service to charge my card, kind of like Twitter and Google have in order to access my data.  2)  Get my cell number and text or email me every time my card is charged.

These aren't new ideas, they're in use by a lot of large companies.  I decided not to set up a Secure Code password, and I cancelled the transaction.  I might set it up in the future, but honestly I doubt I will.

For bonus reading, here's a little article I found (pdf) called "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication".

Also this, this, and this.

I have to say, I can't wait until MasterCard (and Visa, they have their own version I've yet to deal with) goes the way of the dinosaur, with its ridiculous processing fees and its security theater.  I mean come on MasterCard, when you have me wishing I could use Paypal instead you know you've done something horribly, terribly wrong.


PS-I eventually purchased the comics using an American Express Serve card, which I was planning on cancelling, but it looks like I might have to keep it loaded for just such an occasion in the future.
