I thought about it long time ago. In the GSR New Year Part, I talked about this idea with the audience here. Let me record this simple idea.
There are many system that archived safety, not by making it more safe, but by making it more vulnerable, and thus decrease the barrier of usage, and then as a result, increased the user base, and finally archived lower security incident percentage – a more secure system. Let me give you some examples.
Credit Card
The idea of credit card is crazy. Before the electronic and real-time processing, you can use credit card just by giving a number. At the very beginning, even the card itself is not required, and now when paying online, you don’t need the physical card – just the number.
This is a very vulnerable system. There are thousands of easy ways to hack this system. What if I just oversaw a number, and use it to purchase my goods? What if I gave the number but denied that the transaction? How vulnerable the system looks like.
However, that is the most widely accepted modern payment method. Why? Because by eliminating the need of back-and-forth check, and other steps, it makes it so easy for people to use. Then the user base grows so far – faster than the fraud, because of the simple fact that there are more good people than bad people. As long as the fraud is controlled under a certain rate, the system is becoming more and more secure.
Online Payment in China
The opposite case is the online payment in China. People emphasize on security, and made the system so secure that it is very hard to use. You need to go to the bank in person, sign the documents, and get a certificate (sometimes a USB based certificate). Then you go back and install it, and you need to install an ActiveX control (Sorry, Firefox!), and go through a long process to pay online. Sometimes, it even need mobile SMS confirmation…
Secure? It is more secure than credit card system, but the problem is, much less people are using them.
Percentage = Numerator / Denominator
Let’s define the security as the percentage of fraud of all transaction.
Hold on if you don’t agree on this definition. If the absolute number is more important than the percentage, that is another story.
So, there are two ways you can decrease the percentage – decrease the numerator or increase denominator.
I see huge opportunity to increase the denominator by making the system simpler (but less secure), but not too much upside for decrease the numerator. (If you have virus on computer, they get what ever you enter, both in the credit card case, or in the current China online payment system). You can actually makes the system more secure when vulnerability can get you much more denominator.
More Examples
There are examples of this everywhere. Many hotel or restaurant offers you to book just by phone, email, without credit card guarantee. That is vulnerable because guests can be no show. However, since this system makes it much easier to reserve than requiring advance payment, they get much more customers. Actually, they are paying a No-Show insurance for each guest (they will have to pay the lose related to the no show if it does happens). Again, if the rate is controlled right, this is secure.
Another fictional example is, windows are very easy to break. However, if all the windows do not have any protection against a rock, the chance for your window to be broken is actually extremely low.
You Control The Fraud to be Proportional to Users
The criteria for this to happen is, you must control the fraud, and limit the damage of any individual bad guy. In the window breaking example, if someone can only break handful of window per night, the whole system is secure because of the assumption that there are less than 0.1% of people who want to break other people’s window. However, if there is anyway for the 0.1% to press a button to break 100 windows at the same time, this insurance type of mathematics model does not work.
That explains why certain vulnerable system works, and others don’t. If the bank set a limit to the credit for each card (which they do), or for the hotel booking, limit people to reserve just one hotel room (they never allow someone call in and reserve all the rooms of that night without guarantee), that will be a simple, and secure system as a whole.