The ubiquitous social media “buy’ button and the journey of authentication

Earlier this year two of the world’s largest social media sites, Facebook and Twitter, announced the addition of “buy’ buttons to their offerings, giving users the option to add billing information to their personal profiles. With just one click, users can now purchase products advertised without being directed to another site for authentication. However, with the “buy’ button still very much in its infancy on social sites, will there be enough consumers willing to give up their card details for it to take off? And more interestingly, will it really make our lives easier?

Striking the balance between security and consumer convenience
Whilst a buy button might initially sound like a convenient tool for consumers bored of filling out lengthy payment forms online, it does blur the line between authentication and payment authorization. We’ve already seen the growth in the use of social media authentication credentials to access other sites – the increasingly familiar “Login with Facebook” button. It’s all very convenient, but is it safe?

Let’s be honest, most of us don’t use that many different passwords but we’re pretty good at using the stronger passwords for sites that need the highest security – online banking for example. Given that many people check their social media sites dozens or even hundreds of time a day the passwords we use for social media are likely to be the most often cached and most easy to enter passwords that we have. That may be fine if that’s all they are used for, but the trend is to use them for more – access to other, maybe more security sensitive sites and now, with the buy buttons, to actually authorize a payment.

That’s a worrying increase in scope and a reason why the role of the password is changing. There has been a steady shift in perception where the testing of a password is less a definitive authentication “event’ and more likely the start of an authentication process – a dynamic, multi-stage validation “journey’. Risk-based or adaptive authentication ratchets up as the user seeks to do more risky things, like make a payment. Websites already employ text message based one-time-passwords and challenge-response questions and will additionally start to use other ways of authenticating users, including behavioural analysis and geolocation. The question is how attackers will respond and how can users fix things when they go wrong.

There’s a good chance that hackers will go beyond just seeking facts about you (such as your mother’s maiden name), and instead look to learn and emulate your habits. It moves the concept of identity theft into identity emulation – that’s quite scary. From a user point of view there will be the need for consistency – avoiding doing things out of the ordinary that might trip up the all-knowing behaviour model in the sky – that feels rather ominous. If things do go wrong and user do fail the tests – how will they know which aspect of their behaviour was in error?

A friend or foe to consumers
The big question is whether this is really a good thing for consumers and the market as a whole. We’ve already seen fraud rates drop in physical stores with the roll-out of EMV and new initiatives such as Apple Pay should bring the same benefit to in-app purchases. But, all this just shifts the attention of hackers to the “last bastion of fraud’, online, and that will undoubtedly include buy buttons.

The challenge for social media sites in particular is that they rely on critical mass to a unique extent. In the physical world merchants compete for local shoppers and breaches like Target or Home Depot have a short term impact since shoppers have few choices to shop elsewhere. Online, people can easily take their business elsewhere once a reputation is damaged. What makes social media different again is that is tends to be a “winner takes all” market – for practical purposes there’s only one Facebook, Twitter, Instagram, Snap Chat etc. and so it’s not easy for an individual to switch. If these companies suffer a major breach that affects real money and not just account passwords, they could fall off their pedestals very quickly, and there are plenty of start-ups waiting in the wings to rapidly take their place.

It’s clear that social media sites are keen to get a slice of the payments pie – carving a percentage off each transaction they facilitate. The problem is that online transactions (called “card not present’) are already the least regulated and most prone to fraud with the merchants carrying the cost and risk. In the race to reduce friction, merchants might be willing to take on even more risk in order to get the sale and social media sites will be more than happy to help. For this reason 2015 may well be the year that retailers start to view the ease of cutting through security measures as a differentiator. And when things go wrong who will the consumer blame -the merchant or the social media site that brokered the deal?

It remains to be seen whether there is an appetite amongst consumers for buying via social media, or whether there is a backlash if these sites are seen as too commercialised. One thing is for sure, a major social media breach involving card data could be disastrous as this new market finds it feet. Key security tools such as encryption and tokenisation underpin the entire process and need to be done right if social media sites are to succeed.

Don't miss