The (Old) Business Case Against Security
Many Software as a Service (SaaS) companies still make a rather outdated business case against adopting basic security, whether that means deploying security technology or building it into their own software. To them, a tradeoff is inevitable: security is a slowdown, a barrier, a blockage, a limitation, which from a business perspective translates into lower usability and lower profits.
Brian Krebs’ article on TurboTax’s “Anti-Fraud Efforts” illustrates the effects of this sentiment. He reported the accounts of security professionals who formerly worked at Intuit, the company behind TurboTax, including a principal security engineer who filed an official whistleblower complaint with the U.S. Securities and Exchange Commission (SEC).
Despite developing fraud models that would cut down on stolen identity refund fraud (SIRF), the engineers claim the company would not adopt basic security policies, such as blocking the reuse of the same Social Security number (SSN) across more than a certain number of TurboTax accounts, and preventing a single account from filing more than a small number of tax returns.
Those seem like perfectly reasonable controls to build into software that directly handles money transfers and sensitive data like SSNs (not terribly different from other transactional services, like online banking), but the engineers claim they were told they “couldn’t do anything that would ‘hurt the numbers.’” They also claim they identified millions of accounts used only for fraud, but were forbidden from flagging or turning off those accounts.
On the business side, however, Intuit executives claim they have been at the forefront of asking the Internal Revenue Service (IRS) to propose industry standards, which they have yet to see. Intuit has since published a lengthy blog post responding to many of the allegations, which it also posted as a comment on KrebsOnSecurity.com, garnering some interesting responses, including from tax fraud victims.
To its credit, Intuit has since put some basic security in place, after a large spike in state tax return fraud was traced back to the company’s software and forced it to temporarily stop submitting state returns in order to investigate. One of those measures is multi-factor authentication (MFA), as the company stated:
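The two controls the engineers describe (cap how many accounts may share one SSN, and cap how many returns one account may file) are simple velocity checks. The following is an added illustration, not Intuit’s code and not what the whistleblowers built: it gates each filing before it is accepted, keeps SSNs only as keyed-hash tokens, and lists accounts that keep tripping the limits as candidates for review. The thresholds, the key, and the filings it replays are all constructed for the example.

```python
"""Velocity controls of the kind described above: SSN reuse across accounts and
returns per account. Added example with constructed data; not Intuit's code."""
import hashlib
import hmac
import re
from collections import defaultdict

# Illustrative limits (assumptions for this example, not Intuit policy).
MAX_ACCOUNTS_PER_SSN = 2      # one SSN can legitimately show up on a spouse's filing too
MAX_RETURNS_PER_ACCOUNT = 5   # a household, not a refund mill


def normalize_ssn(ssn: str) -> str:
    """Collapse '123-45-6789' and '123 45 6789' to one canonical 9-digit string."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError(f"malformed SSN: {ssn!r}")
    return digits


class VelocityChecker:
    """Decide accept/reject for each filing and advance counters only on accept.

    SSNs are held only as HMAC tokens. The 9-digit space is tiny, so this is
    pseudonymisation, not brute-force resistance: the key must stay secret and
    live somewhere other than the counter store.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._accounts_by_ssn = defaultdict(set)   # ssn token -> accounts that used it
        self._returns_by_account = defaultdict(int)
        self._history = defaultdict(list)          # account -> decisions, in order

    def _token(self, ssn: str) -> str:
        return hmac.new(self._key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()

    def submit(self, account: str, ssn: str) -> str:
        """Return 'accept' or 'reject:<reason>'. Rejected filings never count."""
        try:
            tok = self._token(ssn)
        except ValueError:
            decision = "reject:malformed-ssn"
        else:
            holders = self._accounts_by_ssn[tok]
            if account not in holders and len(holders) >= MAX_ACCOUNTS_PER_SSN:
                decision = "reject:ssn-reuse"
            elif self._returns_by_account[account] >= MAX_RETURNS_PER_ACCOUNT:
                decision = "reject:account-velocity"
            else:
                decision = "accept"
                holders.add(account)
                self._returns_by_account[account] += 1
        self._history[account].append(decision)
        return decision

    def flagged_accounts(self, min_rejections: int = 1):
        """Accounts with at least min_rejections rejected filings, for review or suspension."""
        return sorted(
            a for a, d in self._history.items()
            if sum(x != "accept" for x in d) >= min_rejections
        )


def demo():
    """Replay constructed filings (not real data) and return the decisions."""
    checker = VelocityChecker(key=b"example-key-rotate-me")
    filings = [
        ("alice", "123-45-6789"),   # taxpayer's own return
        ("bob", "123 45 6789"),     # second account on the same SSN: still within the cap
        ("mill-1", "123456789"),    # third account on that SSN: rejected
        ("mill-1", "987-65-4321"),  # fresh SSN, first return on this account: accepted
    ]
    # The same account then files for seven unrelated SSNs in a row.
    filings += [("mill-1", f"555-00-{i:04d}") for i in range(1, 8)]
    decisions = [(account, ssn, checker.submit(account, ssn)) for account, ssn in filings]
    return decisions, checker.flagged_accounts()


if __name__ == "__main__":
    for account, ssn, decision in demo()[0]:
        print(f"{account:8} {ssn:12} {decision}")
```

Running it, the shared SSN is accepted for two accounts and rejected for the third, and the mill account is accepted for its first five returns and rejected from the sixth onward, which puts it on the review list while the two legitimate accounts stay off it. A single rejection on an otherwise normal account is not proof of fraud; in practice this kind of signal feeds the fraud models the engineers mention rather than acting alone.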
The broad roll-out of multi-factor authentication to fight against the recent wave of identity theft breaches that have occurred from sources outside the tax system in the past year. Given the radically changed fraud environment, and advances in our understandings from two recent pilot programs of how to create the right type of MFA system for our customers, we have now implemented a new MFA system, allowing us to reject more criminals, while letting the legitimate taxpayers continue on with their filings.
This incident suggests that, when it comes to prioritizing, many other companies may find themselves in a similarly hard place, where compliance > security, and profits/cheapness > protecting customers from stolen identity fraud.
On one hand, limiting users and capabilities means lower adoption rates, meaning fewer customers, less revenue and less impressive numbers. Many companies seem to forgo basic security measures for the sake of usability and their bottom line.
One example may be Amazon.com and Amazon Prime: as of this writing, they don’t support two-factor authentication to protect customer account information. But Amazon does offer multi-factor authentication for access to Amazon Web Services (AWS) accounts, which may be a response to the compliance requirements and privacy concerns of those using its cloud services.
The risks have been made clear. The information supplement to the Payment Card Industry Data Security Standard (PCI DSS), the E-Commerce Guidelines (PDF), states that there are many common and known vulnerabilities in web applications, including e-commerce shopping carts.
One of those vulnerabilities is:
4.1.5 Weak Authentication and/or Session Credentials
Attackers often target vulnerable browser sessions, weak passwords, exposed protocols and services, and attempt to enumerate accounts, particularly administrative or service accounts with privileged access.
Unfortunately, the latest Payment Application Data Security Standard (PA-DSS) (PDF; see section 3.1.4) doesn’t require two-factor authentication to protect customer accounts against the very threats it recognizes. It is only required for remote access to the e-commerce merchant’s network.
It’s in the best interest of e-commerce vendors to let customers pass through their shopping cart and checkout process unhindered and as fast as possible, to increase the chances of closing a sale.
And to some businesses, that means eliminating anything that could get in the way, including a security solution that makes logging in difficult, frustrating users or causing them to abandon their shopping cart.
But newer security solutions are designed with usability in mind, letting you secure your customers and users without impeding them. Using one application to manage all of your logins cuts down on the different devices and software needed to carry out two-factor authentication. Learn more about Duo Mobile and our different Authentication Methods.
Instead of knowingly leaving applications open to identity fraud and credit card theft, a little more research should open SaaS providers up to security solutions that protect their users while letting them go about their business (tax returns, shopping, whatever) unencumbered.