Getting Better (Some of the Time)
One of the perks of living with a cybersecurity expert is that you benefit from the higher awareness of risk, or so I tell my wife. One of the drawbacks of living with a cybersecurity expert is that you have to listen to them whine about how unsafe every new technology is, or so my wife tells me.
But today, dear reader, I come to praise a new development, not to disdain it. I just did the following:
- Received an email making sure that I had received a new credit card
- Realized that I had not, which launched a rescue mission in my physical inbox
- Discovered the as-yet-unopened letter with the new card (the envelope looked like junk to me)
- Opened the letter to confirm that it contained a new card
- Saw a QR code which would let me activate this new card
  - Good news: these are convenient
  - Bad news: these are pretty damn insecure
  - Warning: don't scan QR codes unless you are highly sure of the source
- I read that the QR code would launch the credit card company's app on my phone
- Given that I trusted the source of the QR code, I scanned it
- The app was, indeed, launched
- The app required me to authenticate myself, as per usual. This was good.
- The app forced Multi-factor Authentication (MFA) via text message. This was good.
- The app had me touch the phone to the card, to prove that I had the physical card. Good.
- The app used MFA again; not sure why, but the more MFA the better I suppose
- The app securely communicated with the company to activate my card
Hurrah, say I: this was a great trade-off of convenience and security. My card was activated with a very low level of effort on my part and a high level of confidence on their part.
I love the fact that I can use the special relationship I already have with my phone to confirm my identity, but that the phone app means that I do not have to venture out onto the wild and wooly Internet to do so. I love the fact that my phone can "read" the card, confirming that I have the physical card and that I have authenticated myself to the phone. I love the fact that the text message confirms that this particular phone is MY particular phone.
Is this chain of trust perfect? No, it is not. Is it pretty darn good? Yes, it is. Is this method faster, easier and surer than just about any previous method? Yes, it is.
See? I don't complain about EVERY new thing that comes along. Once in a long time technology is deployed that is a better user experience and not a gaping security hole that haunts my dreams.
You can make equally good trade-offs in cybersecurity and Pythia Cyber can help. Contact us to learn more.