The realization that most of the world doesn’t want the best security will help you advance in your security career.

One of the best things any computer security professional can do to further their career is to recognize that most people don’t really care that much about computer security. Few popular products sell because of security. Security absolutely doesn’t matter in most cases — until, of course, when it matters very much during a big hacking event. Most companies and their customers are very happy with the absolute least amount of security that has minimal impact on them. That’s just our computer security life. You must learn to operate within the confines of that social agreement.

Case in point: One of my most popular talks has been “The 12 Ways to Hack 2FA”. I’ve given the talk dozens of times. The key lessons are that multi-factor authentication (MFA) is good, but any MFA solution can be hacked. To that end, the current version of my talk now covers 18 ways to hack an MFA solution.

After every talk, at least one MFA vendor comes up to me to explain how their great solution fixes all those problems. Within a few minutes, I show them how five or seven of the attack types would easily work against their product. They usually go limping home.

Some vendors don’t give up. They come back to me with improved, five-factor (if there is such a thing) versions that do get rid of most of the attack channels. I’ve even come across a few that are really, really secure (but still not unhackable). They still walk away with a frown when I tell them that it’s unlikely that anyone will buy, much less use, their product. No customer is going to want to use an authentication solution that involves more than a few factors of authentication. Most want to do the very least to provide assurance to themselves with the least amount of “friction” for the customer.
Companies know that anything that gets in the way of a customer using their product as seamlessly as possible is making them hemorrhage customers in a very real way. Let me give you an example.

Credit card crime is on the increase and we don’t care

In the U.S., it was big news when all the U.S. credit cards were finally updated to “chip & PIN” (officially known as EMV cards), which we were all told would make our credit cards significantly harder to hack. They have for some types of credit card fraud.

Here’s the big kicker. Chip & PIN credit cards are meant to be used with both the chip and the PIN at the same time. At nearly every location you use them, all you are required to provide is the chip (and that’s only if the merchant isn’t telling you that you can’t use the chip at all). Without typing in your PIN, anyone can still use your credit card. If you drop the card or someone steals it, they can use it just like you use it. If it’s used anywhere but where your physical presence is needed, the chip doesn’t play a role at all.

Europe and other places where chip & PIN cards have been in use for over a decade longer than in the U.S. require you to use both at the same time. That’s real security and has led to a huge reduction in credit card crime. U.S. merchants were pretty sure all those pesky PINs would do is frustrate customers.

Less security an acceptable trade-off if it keeps customers happy

They are right. Customers who forget their PINs are going to get frustrated, and possibly move on to non-PIN-requiring credit card solutions. So, America’s credit card vendors decided to not require the PIN, accepting far less security as a trade-off for not pissing off customers.

It worked. Very few people are complaining. The surprising part is that, as expected, overall credit card fraud actually rose.
Fraud on in-store purchases, which require physical presence, dropped from $3.6 billion in 2015 to an estimated $1.8 billion in 2018, according to FT Partners Research, because chipped cards are harder to steal and replicate. Overall credit card fraud, which includes transactions where the card is not physically present, increased from $3.1 billion to $6.4 billion in the same time period.

I’m not saying that any of us are happy about credit card fraud. The vendors and merchants who have to eat the fraud costs certainly aren’t happy. The customer, even if all damage is immediately reversed, isn’t happy. Everyone wants to decrease fraud, but no one is absolutely hating the current way it is working. No one, besides a few computer security people, is even noticing the lack of the PIN to complain. The people who care the most about computer security are always going to be in the minority, no matter what else the headlines may occasionally say.

The real role of security

The world is full of security theater and failed security. Credit cards aren’t nearly as secure as most people think. The TSA doesn’t stop all guns and weapons from getting onto planes (although there hasn’t been a successful terrorist attack since they were in charge). Police don’t stop most crimes. Banks are still robbed. Computers are still hacked. Ransomware still holds people’s data hostage. Phishing still works.

The world will never have to be crime-free. It just has to be at an acceptable level, where we stop most of the crime and aren’t inconvenienced too much most of the time.

Computer security professionals need to understand their role in the larger world to become more valuable to their organization. Computer security is just one part of the puzzle. Businesses need to compete, survive and lower costs. They do need to put down computer crime and fraud, but not to such an extent that the protection outweighs the benefits.
The fine line is to recognize the “right” amount of security in the right places to significantly minimize potential losses due to crime, and do it in such a way that it does not handicap the business too significantly.

Computer security is important, but it isn’t considered alone. Otherwise, you could just make all computers standalone, without connection to a network or the internet, and get a very secure computer. Very few organizations, outside of the top-secret government and military types, would accept those conditions. The rest of us have to find the right balance of computer security and business objectives. The best computer security professionals know this and work hard to achieve the right balance.