The Ubiquitous Social Media 'Buy' Button and the Journey of Authentication

January 14, 2015
By: Richard Moulds

Last year, two of the world’s largest social media sites, Facebook and Twitter, announced the addition of ‘buy’ buttons to their offerings, giving users the option to add billing information to their personal profiles. With just one click, users can now purchase advertised products without being directed to another site for authentication. However, with the ‘buy’ button still very much in its infancy on social sites, will there be enough consumers willing to give up their card details for it to take off? And more interestingly, will it really make our lives easier?

Striking the balance between security and consumer convenience

While a buy button might initially sound like a convenient tool for consumers bored of filling out lengthy payment forms online, it does blur the line between authentication and payment authorization. We’ve already seen the growth in the use of social media authentication credentials to access other sites – the increasingly familiar “Login with Facebook” button. It’s all very convenient, but is it safe?

Let’s be honest - most of us don’t use that many different passwords, but we’re pretty good at using the stronger ones for sites that need the highest security – online banking, for example. Given that many people check their social media sites dozens or even hundreds of times a day, the passwords we use for social media are likely to be the most often cached and the easiest to enter passwords that we have. That may be fine if that is all they are used for, but the trend is to use them for more – access to other, perhaps more security-sensitive sites and now, with the buy buttons, to actually authorize a payment. That’s a worrying increase in scope and a reason why the role of the password is changing.

There has been a steady shift in perception where the testing of a password is less a definitive authentication ‘event’ and more likely the start of an authentication process – a dynamic, multi-stage validation ‘journey’. Risk-based or adaptive authentication ratchets up as the user seeks to do riskier things, like make a payment. Websites already employ text-message-based one-time passwords and challenge-response questions, and will additionally start to use other ways of authenticating users, including behavioural analysis and geolocation.

The question is how attackers will respond and how users can fix things when they go wrong. There’s a good chance that hackers will go beyond just seeking facts about you (such as your mother’s maiden name) and instead look to learn and emulate your habits. It moves the concept of identity theft into identity emulation, and that’s quite scary. From a user point of view, there will be a need for consistency – avoiding doing things out of the ordinary that might trip up the all-knowing behaviour model in the sky – and that feels rather ominous. If things do go wrong and users do fail the tests, how will they know which aspect of their behaviour was in error?
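The two paragraphs above describe a password check as the first step of a risk-based, step-up authentication journey, and then ask how a user would ever learn which aspect of their behaviour tripped the model. The following Python example, added here and not taken from the article or from any social media platform, sketches such a decision: a session that has only entered a password is asked to authorize actions of increasing risk, each contextual anomaly (location, device, time of day, amount) ratchets the required assurance level up by one, and the decision carries the list of triggered reasons so that a failed step-up is explainable rather than opaque. The factor names, action list, thresholds and sample session data are all constructed assumptions.

```python
"""Added example, not part of the original article: a minimal risk-based
(step-up) authentication decision for a session whose password was entered
once and is now being reused to authorize a payment. All names, thresholds
and sample data below are constructed for illustration."""
from dataclasses import dataclass, field

# Ordered factors: a session's assurance level is the count of distinct
# factors it has completed (1 = password only, 2 = one extra factor, ...).
FACTORS = ["password", "sms_otp", "challenge_question"]
MAX_LEVEL = len(FACTORS)

# Baseline assurance required per action before any risk signals are applied.
ACTION_BASELINE = {
    "view_feed": 1,
    "post": 1,
    "login_to_partner_site": 2,   # "Login with <social site>" on another site
    "purchase": 2,                # the buy button moves real money
}
HIGH_VALUE_PURCHASE = 100.0       # constructed threshold


@dataclass
class Session:
    home_country: str
    known_devices: set
    typical_hours: range                      # hours of day the user normally acts
    completed: set = field(default_factory=lambda: {"password"})

    @property
    def level(self) -> int:
        return len(self.completed & set(FACTORS))


@dataclass
class Request:
    action: str
    country: str
    device: str
    hour: int
    amount: float = 0.0


@dataclass
class Decision:
    allowed: bool
    current_level: int
    required_level: int
    reasons: list        # every signal that raised the bar, for an explainable outcome
    next_factors: list   # factors the user could still complete, in order


def assess(session: Session, req: Request) -> Decision:
    """Decide whether the session may perform req, and why or why not."""
    reasons = []
    baseline = ACTION_BASELINE.get(req.action, MAX_LEVEL)   # unknown action: strictest
    if baseline > 1:
        reasons.append(f"action '{req.action}' needs more than a password")
    # Each contextual anomaly ratchets the requirement up one level.
    if req.country != session.home_country:
        reasons.append(f"geolocation {req.country} differs from home {session.home_country}")
    if req.device not in session.known_devices:
        reasons.append(f"unrecognised device {req.device}")
    if req.hour not in session.typical_hours:
        reasons.append(f"activity at hour {req.hour} is outside the usual pattern")
    if req.action == "purchase" and req.amount > HIGH_VALUE_PURCHASE:
        reasons.append(f"amount {req.amount:.2f} exceeds {HIGH_VALUE_PURCHASE:.2f}")
    anomalies = len(reasons) - (1 if baseline > 1 else 0)
    required = min(MAX_LEVEL, baseline + anomalies)
    current = session.level
    pending = [f for f in FACTORS if f not in session.completed]
    return Decision(current >= required, current, required,
                    reasons, pending[: max(0, required - current)])


def complete_factor(session: Session, factor: str) -> Session:
    """Record a factor the site has already verified (OTP matched, answer correct)."""
    if factor not in FACTORS:
        raise ValueError(f"unknown factor {factor}")
    session.completed.add(factor)
    return session


if __name__ == "__main__":
    s = Session(home_country="GB", known_devices={"phone-1"}, typical_hours=range(7, 23))
    print(assess(s, Request("view_feed", "GB", "phone-1", 12)))
    print(assess(s, Request("purchase", "GB", "phone-1", 12, amount=20.0)))
    complete_factor(s, "sms_otp")
    print(assess(s, Request("purchase", "US", "laptop-9", 3, amount=250.0)))
```

The point of `Decision.reasons` and `Decision.next_factors` is the second paragraph's concern: a site that only reports "verification failed" leaves the user guessing which habit they broke, whereas returning the triggered signals lets support staff (and, in a suitably redacted form, the user) see whether it was the new device, the unusual hour or the amount that raised the bar.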

A friend or foe to consumers

The big question is whether this is really a good thing for consumers and the market as a whole.

We’ve already seen fraud rates drop in physical stores with the rollout of EMV, and newer initiatives such as Apple Pay should bring the same benefit to in-app purchases. All of this just shifts the attention of hackers to the ‘last bastion of fraud’ – online. That will undoubtedly include buy buttons. The challenge for social media sites in particular is that they rely on critical mass to a unique extent.

In the physical world, merchants compete for local shoppers, and breaches like Target or Home Depot have a short-term impact since shoppers have few options to shop elsewhere. Online, by contrast, people can easily take their business elsewhere once a reputation is damaged. What makes social media different again is that it tends to be a “winner takes all” market - for practical purposes, there’s only one Facebook, Twitter, Instagram, Snapchat etc., and so it’s not easy for an individual to switch. What’s at risk is a mass migration. If these companies suffer a major breach that affects real money and not just account passwords, they could fall off their pedestals very quickly. And there are plenty of start-ups waiting in the wings to rapidly take their place.

It’s clear that social media sites are keen to get a slice of the payments pie – carving a percentage off each transaction they facilitate. The problem is that online transactions (also called card-not-present transactions) are already the least regulated and most prone to fraud, with the merchants carrying the cost and risk.

In the race to reduce friction, merchants might be willing to take on even more risk in order to get the sale, and social media sites will be more than happy to help. For this reason, 2015 may well be the year that retailers start to view the ease of cutting through security measures as a differentiator. And when things go wrong, who will the consumer blame – the merchant or the social media site that brokered the deal?

It remains to be seen whether there is an appetite among consumers for buying via social media, or whether there will be a backlash if these sites are seen as too commercialized. One thing is for sure: a major social media breach involving card data could be disastrous as this new market finds its feet. Key security tools such as encryption and tokenization underpin the entire process and need to be done right, and social media has perhaps the most to lose if they get it wrong.

Edited by Stefania Viscusi