Building Safty by Increasing Vulnerablity

I thought about it long time ago. In the GSR New Year Part, I talked about this idea with the audience here. Let me record this simple idea.

There are many system that archived safety, not by making it more safe, but by making it more vulnerable, and thus decrease the barrier of usage, and then as a result, increased the user base, and finally archived lower security incident percentage – a more secure system. Let me give you some examples.

Credit Card

The idea of credit card is crazy. Before the electronic and real-time processing, you can use credit card just by giving a number. At the very beginning, even the card itself is not required, and now when paying online, you don’t need the physical card – just the number.

This is a very vulnerable system. There are thousands of easy ways to hack this system. What if I just oversaw a number, and use it to purchase my goods? What if I gave the number but denied that the transaction? How vulnerable the system looks like.

However, that is the most widely accepted modern payment method. Why? Because by eliminating the need of back-and-forth check, and other steps, it makes it so easy for people to use. Then the user base grows so far – faster than the fraud, because of the simple fact that there are more good people than bad people. As long as the fraud is controlled under a certain rate, the system is becoming more and more secure.

Online Payment in China

The opposite case is the online payment in China. People emphasize on security, and made the system so secure that it is very hard to use. You need to go to the bank in person, sign the documents, and get a certificate (sometimes a USB based certificate). Then you go back and install it, and you need to install an ActiveX control (Sorry, Firefox!), and go through a long process to pay online. Sometimes, it even need mobile SMS confirmation…

Secure? It is more secure than credit card system, but the problem is, much less people are using them.

Percentage = Numerator / Denominator

Let’s define the security as the percentage of fraud of all transaction.

Hold on if you don’t agree on this definition. If the absolute number is more important than the percentage, that is another story.

So, there are two ways you can decrease the percentage – decrease the numerator or increase denominator.

I see huge opportunity to increase the denominator by making the system simpler (but less secure), but not too much upside for decrease the numerator. (If you have virus on computer, they get what ever you enter, both in the credit card case, or in the current China online payment system). You can actually makes the system more secure when vulnerability can get you much more denominator.

More Examples

There are examples of this everywhere. Many hotel or restaurant offers you to book just by phone, email, without credit card guarantee. That is vulnerable because guests can be no show. However, since this system makes it much easier to reserve than requiring advance payment, they get much more customers. Actually, they are paying a No-Show insurance for each guest (they will have to pay the lose related to the no show if it does happens). Again, if the rate is controlled right, this is secure.

Another fictional example is, windows are very easy to break. However, if all the windows do not have any protection against a rock, the chance for your window to be broken is actually extremely low.

You Control The Fraud to be Proportional to Users

The criteria for this to happen is, you must control the fraud, and limit the damage of any individual bad guy. In the window breaking example, if someone can only break handful of window per night, the whole system is secure because of the assumption that there are less than 0.1% of people who want to break other people’s window. However, if there is anyway for the 0.1% to press a button to break 100 windows at the same time, this insurance type of mathematics model does not work.

That explains why certain vulnerable system works, and others don’t. If the bank set a limit to the credit for each card (which they do), or for the hotel booking, limit people to reserve just one hotel room (they never allow someone call in and reserve all the rooms of that night without guarantee), that will be a simple, and secure system as a whole.

3 thoughts on “Building Safty by Increasing Vulnerablity

  1. xge

    The root cause of difference between electronic payment in China and in the US is in law enforcement rather in technology or business model. In China, law enforcement against ATM/credit card/online theft is equal to none. There is little risk of committing those crimes. The risk of using credit card lies solely with each individual user, thus it has to be made secure for everyone to accept. But in the US, if somebody committed credit crimes, there is a pretty good chance that they will get caught and punished. Also, the risk of credit crimes lies largely with banks(as I know, the maximum the users need to pay for a stolen credit cared is $50.)

    In a community, if theft and robbery happen every day and the police just don’t care, then what you need to do is to make the doors and locks extra strong, even though it means a lot of inconveniences for you, the legitimate user.

  2. jsfan

    Hi jianshuo, about the payment, this is not the point!

    why chinese people more emphesise on the security while dealing with online payment? because of the authority losen the control and be less responsible to the people who lost money by online fraud. Then people have to protect themself! This complicated method leads to least responsibility of the bank when people losing money. That’s why.

Leave a Reply

Your email address will not be published. Required fields are marked *