More Payment Companies Make Security a Moving Target

In two recent overseas incidents, payment companies redefined "security" to suit a specific situation, rather than keeping it the constant that their customers expect.

Companies have long struggled with the best way to balance security and convenience. Sometimes, shoring up security means cutting off some customers who might feel so inconvenienced that they refuse to come back (eBay learned this lesson the hard way when it asked all customers to reset their passwords; the company's earnings suffered because it underestimated the number of customers this move cost them). In some cases, companies simply let their customers decide where to draw the line between security and convenience. USAA, for example, lets its mobile banking users decide how long the app stays logged on at the end of a session.

The more recent incidents, at Sage Pay in the U.K. and Tencent in China, are cases where the companies made a decision without customer input and without a clear communication to the end user of what was going on. When payments players get caught up in these moves, particularly without a clear message to merchants or consumers that the security target has moved, they may inadvertently open a window for cyberthieves.

The Sage Pay occurrence involved a system update during which the company deliberately ran a significantly weaker encryption cypher. The company defended the move, saying that it was done "in order to avoid leaving customers with older systems behind in the process of updating systems," according to a statement the company sent to The Register.

The company delved into more detail in a blog post: "To maintain our PCI status as well as continue to be a safe and secure choice for customers we have to migrate everyone to newer industry standards when flaws are found in old ones. Our first action was to block requests to our payment gateway from browsers.  When we did this we impacted a number of customers who were using end of life software and operating systems.  At this point, rather than roll back the block, we temporarily introduced a lower rated cipher and logic that meant only certain browsers and customers could actually transact with us using it.  Although it was advertised as available by external scanners, it was only usable if whitelisted by us. At no point were our customers at additional risk."

The security downgrade was first noticed by a U.K. consultant, who blogged that the security change—to a non-PCI-compliant 56bit export cipher—was fixed and then quietly put back. That consultant, Paul Moore, praised the company's security head for quickly responding to his concerns, but wrote: "The fact they've knowingly reverted back demonstrates that quite apart from being a 'top priority,' security doesn't appear to be particularly important to them."

The Sage issue appears to have been based on the best intentions, no matter how ill-advised the actions were (the company would not provide comment other than what it stated in its blog post). The Tencent incident is more reminiscent of how the U.S. mobile carriers responded to Google Wallet in its early days. In 2011, the U.S. carriers blocked Google Wallet, citing security reasons, but the move was widely perceived as a way to favor the carriers' own mobile wallet, which used similar security.

Just before the huge Spring Festival starts on Feb. 19, Tencent killed the support for Alipay from WeChat, TenCent's huge (more than 600 million users) social media mobile app and service. That move prohibits the use of Alipay, an affiliate of Alibaba, for person-to-person money transfers, a modern spin on the tradition of sending red envelopes of cash during the New Year holiday.

"Tencent said it canceled links to some third-party platforms to protect users from fake red envelopes and fraud," according to a report in the ECNS news site. But on the business side, WeChat's payment service has been losing market share battles against Alipay.

Tencent did not reply to a request to comment. Alibaba responded to an E-mail seeking comment, but did addressed the details.