The Ubiquitous Social Media 'Buy' Button and the Journey of Authentication

By Richard Moulds January 14, 2015

Last year, two of the world’s largest social media sites, Facebook and Twitter, announced the addition of ‘buy’ buttons to their offerings, giving users the option to add billing information to their personal profiles. With just one click, users can now purchase products advertised without being directed to another site for authentication. However, with the ‘buy’ button still very much in its infancy on social sites, will there be enough consumers willing to give up their card details for it to take off? And more interestingly, will it really make our lives easier?

Striking the balance between security and consumer convenience

While a buy button might initially sound like a convenient tool for consumers bored with filling out lengthy payment forms online, it blurs the line between authentication and payment authorization. We’ve already seen the growth in the use of social media credentials to access other sites – the increasingly familiar “Login with Facebook” button. It’s all very convenient, but is it safe?

Let’s be honest - most of us don’t use that many different passwords, but we’re pretty good at reserving the stronger ones for sites that need the highest security – online banking, for example. Given that many people check their social media sites dozens or even hundreds of times a day, the passwords we use for social media are likely to be the most often cached and easiest to enter passwords we have. That may be fine if that is all they are used for, but the trend is to use them for more – access to other, possibly more security-sensitive sites and now, with the buy buttons, to actually authorize a payment. That’s a worrying increase in scope and a reason why the role of the password is changing.

There has been a steady shift in perception: testing a password is less a definitive authentication ‘event’ and more the start of an authentication process – a dynamic, multi-stage validation ‘journey’. Risk-based or adaptive authentication ratchets up the checks as the user seeks to do riskier things, like make a payment. Websites already employ text-message-based one-time passwords and challenge-response questions, and will increasingly add other ways of authenticating users, including behavioural analysis and geolocation.

The question is how attackers will respond, and how users can fix things when they go wrong. There’s a good chance that hackers will go beyond seeking facts about you (such as your mother’s maiden name) and instead look to learn and emulate your habits. That moves the concept of identity theft towards identity emulation, and that’s quite scary. From a user point of view, there will be a need for consistency – avoiding doing things out of the ordinary that might trip up the all-knowing behaviour model in the sky – which feels rather ominous. And if things do go wrong and users fail the tests, how will they know which aspect of their behaviour was in error?

A friend or foe to consumers

The big question is whether this is really a good thing for consumers and the market as a whole.

We’ve already seen fraud rates drop in physical stores with the rollout of EMV chip cards, and newer initiatives such as Apple Pay should bring the same benefit to in-app purchases. All of this simply shifts the attention of hackers to the ‘last bastion of fraud’ – online – and that will undoubtedly include buy buttons. The challenge for social media sites in particular is that they rely on critical mass to a unique extent.

In the physical world, merchants compete for local shoppers, and breaches like those at Target or Home Depot have only a short-term impact because shoppers have few options to take their business elsewhere. Online, by contrast, people can easily take their business elsewhere once a reputation is damaged. What makes social media different again is that it tends to be a “winner takes all” market – for practical purposes there’s only one Facebook, Twitter, Instagram, Snapchat and so on – so it’s not easy for an individual to switch. What’s at risk is a mass migration. If these companies suffer a major breach that affects real money and not just account passwords, they could fall off their pedestals very quickly. And there are plenty of start-ups waiting in the wings to take their place.

It’s clear that social media sites are keen to get a slice of the payments pie, carving a percentage off each transaction they facilitate. The problem is that online transactions (also called card-not-present transactions) are already the least regulated and most fraud-prone, with the merchants carrying the cost and risk.

In the race to reduce friction, merchants might be willing to take on even more risk in order to get the sale, and social media sites will be more than happy to help. For this reason, 2015 may well be the year that retailers start to view the ease of cutting through security measures as a differentiator. And when things go wrong, who will the consumer blame – the merchant or the social media site that brokered the deal?

It remains to be seen whether there is an appetite among consumers for buying via social media, or whether there will be a backlash if these sites are seen as too commercialized. One thing is for sure: a major social media breach involving card data could be disastrous as this new market finds its feet. Key security tools such as encryption and tokenization underpin the entire process and need to be done right, and social media sites have perhaps the most to lose if they get them wrong.

Edited by Stefania Viscusi

Vice President Strategy, Thales e-Security
