MasterCard’s Version of “Security” Scares Me
TL;DR. MasterCard has a PayPal competitor called MasterPass. This account that holds your credit card details only accepts alphanumeric passwords, making them much less secure. MasterPass also pretends every email address is a registered account, likely as a security measure, but it isn’t obvious that you need to use a separate process to register.
I had an interesting new checkout experience today using MasterCard’s competitor to V.me and PayPal, MasterPass. When I entered my email address as part of the checkout process the text “Hello Angela” greeted me back. Obviously not what I expected! Initially I suspected someone must have used my email address to create their wallet account. Confused and concerned I called MasterPass’ customer support number and after an incredibly long hold relayed my story to one of their agents. The agent was even more confused than I was and placed me on hold again.
After another 5 or so minutes of contemplating the nature of existence he returned to tell me that, “it was clearly an accident.” He opened a case for me and someone would get back to me in 2-3 business days. Not exactly a great response. “Wouldn’t this be an issue for the fraud department?” I asked. “I’ll take it under advisement,” was as much as he’d commit to before we hung up and I became even more bewildered.
Curiosity fully settling in, I tried with more email addresses. Some addresses didn’t even exist but all of them supposedly were in use and greeted me with a name and a security passphrase. It started to make sense. MasterCard only accepts an email at first and then prompts the user for their password when it retrieves their passphrase. If they gave an error if the email wasn’t registered, phishers could easily build a database of MasterPass users. By making every address look valid, the system wouldn’t leak information about who was and wasn’t a customer. MasterPass will greet you by the wrong name because it makes it look like every email address is registered.
Aside from being a really bad approach (the security measure is no less secure by telling everyone if their name doesn’t match they need to register), it also breaks the checkout flow since needing to leave to register is not immediately clear (check out a screenshot of their checkout sign-in form to see what I mean). Only a small “need to sign up for this wallet” link exists that doesn’t even make it clear if it’s a link the user needs to follow or a simple description of the form below.
So, aside from a terrible, terrible new user experience; I was still willing to try this new service out and started signing up. I, of course, used Lastpass to make a secure password for my new account.
This is where having a MasterPass account was no longer important to me. MasterCard directly prevents the user from having a secure password. Granted, financial companies tend to have really terrible security in exchange for having a lot of card-holder insurance so even though you’re not secure, they’ll reimburse you when things go wrong. That doesn’t excuse opening up your users to having their personal data stolen or credit ruined because you can’t figure out how to handle passwords properly. Oh, and it’s written “alphanumeric,” a note for whatever crazy person designed this (or forced a developer to make it this way).
I, for one, am not using MasterPass until they begin to take passwords more seriously and likely after the system is more mature in general. Right now it even appears to contain a call out to the developer or library that made it in the footer: “Powered by Dante’s PM3″. If you designed this system, mysterious Dante, you have much to be ashamed of.