Security processes that treat the very users we protect as unwanted burdens and alienate them in the process are a path to failure.

The next time you receive a phishing email, forward it to wherever your organization tells you to report phishing attempts. What response would you appreciate? Maybe a brief thank you or a follow-up about how you helped the security team more rapidly filter out an attack and protect other users.

Unfortunately, you’re not likely to receive that gratitude. Instead, you’ll probably receive a form letter exhorting you to be more diligent in spotting phishing attacks, with no information about the attack you might have forwarded. Often, you’ll get no information about your report at all.

This isn’t just an enterprise problem; consumer-targeted fraud around gift cards is growing, whether the attackers use phishing, vishing, or direct account takeovers. Unfortunately, retailers’ antifraud measures apply the same SUX principles as the phishing example described above—to the detriment of security.

The great gift card security UX experiment

Having occasionally spotted the small warning signs anywhere you can buy physical gift cards—warnings that look more like a cigarette health warning than an educational display—I recently decided to start buying gift cards to see what the user experience would be like (and, possibly, so my wife wouldn’t see exactly how much money I was dropping on games in the App Store).

I started buying electronic gift cards through Amazon. Their fraud detection system would delete some of the transactions, but, oddly, not all of them. When I bought physical supplies and added electronic gift cards, the gift cards would sometimes be silently canceled, but the physical items would show up on my doorstep the next day.
Despite buying solely through the app on my phone, my password was reset because “it might have been compromised.” After setting a new password, I tried again, and my account was locked. A help desk rep helpfully told me that this would keep happening if I persisted in buying e-gift cards through Amazon, and maybe I should stop. At no point was I asked anything about why I was buying these gift cards or whether I was directly a victim of fraud.

So, I set up an account and tried Walmart. An order for a desk and an e-gift card was put on hold … and then canceled. At least Walmart, unlike Amazon, treated the whole transaction as possibly fraudulent—and, to be fair to that fraud team, maybe I’d have had a different experience if I’d had a history with Walmart.

Next, I decided to try purchasing gift cards in person. I wandered into a CVS, bought some sundries, picked up two gift cards, and went over to the self-checkout lane. When I scanned the first gift card, I got two alert messages: One was a caution about not just throwing it into the bag where it might break; the other was a long-winded message that vaguely mentioned fraud. I scanned the second card, and the checkout machine stopped and told me to wait for assistance. For a moment, I was excited. Maybe the store manager would come over and see why I was buying gift cards!

Nope. Someone came by, reached in with their keycard, scanned it, pressed something, and walked away. Not a single word to me. Clearly, the ideal process someone wrote up somewhere at HQ, in which someone would make sure I wasn’t being scammed, had been dropped by the wayside. What’s going on here?

Better security UX, better security outcomes

Processes are hard to scale, especially where they interact with humans. Large organizations delegate online human interactions to junior staff, often in low-cost centers. Physical interactions become expensive overhead.
What feels like a small cost (“just” check in with the user) when designing a process is an overwhelming fatigue on the part of the staff who do that interaction. Every alert that maybe this is fraud tires them out, and, after too many false positives, efficiency wins over costly human engagement.

Of course, that human engagement is the real reason that security professionals have jobs. We’re supposed to help our users and make them safe. What we do instead is create more speed bumps that get in their way and annoy them. And only rarely do those speed bumps provide value. Users could play an important role in stopping fraud and improving security, but only with an end-to-end security user experience that treats them like first-class citizens.