Robinhood stored user passwords in plain text
“When it says PCI-DSS on the outside, customers don’t care whether the password is encrypted or stored in cleartext on the inside”*. That’s the case with more critical apps like mobile wallets as I’d highlighted in the case of PayTM in Why Do People Obsess Over Security And Then Make Payments Without A Password?. I’m sure customers are even less bothered about such details in the case of a less critical app like RobinHood.
*: Adapted from the mid 1990s ad by the then popular Compaq PC, which took a dig on the then popular “Intel Inside” campaign by proclaiming, “When it says Compaq on the outside, nobody cares what’s on the inside”, in an attempt to comfort customers about its use of CPUs inside its PCs from Intel’s competitor AMD.
—
Yes, critical is in the eye of the beholder, of course.
Let’s take the recent Capital One hack and how critical it was for one its beholders – er, cardholders.
QUOTE (per Fortune DataSheet dated 3 Aug 2019)
As a few friends and I were settling a dinner bill last night, I noticed a Capital One credit card peeking out amid a table-full of taco scraps and emptied margarita glasses.
“Uh, oh,” I remarked. “Who’s got the Capital One card? Are you pissed?”
The owner revealed himself, yet he was oblivious to the week’s news. I informed him: A hacker had gotten her hands on personal information for more than 100 million of the bank’s customers and credit card applicants. The suspect, a former Amazon Web Services employee, per court documents, stole people’s names and addresses, 140,000 Social Security numbers, 80,000 bank account numbers, and one million Canadian social insurance numbers (like Social Security numbers, but Canadian).
My friend had no idea.
ENDQUOTE
So much for critical to beholder.
—
When customers don’t notice public announcements of major breaches at their financial institutions, who the heck is going to bother about opaque and indirect costs?
Besides, anybody can claim there’s opaque cost in anything and, by definition, those claims can’t be contested by anybody else. By becoming overzealous about fraud prevention, merchants lose sales and I claim that that adds hidden costs to banks, which they will pass on to customers, so I recommend that banks should continue with the status quo of covering customers for fraud-related losses without putting too much friction in the way of making the transaction happen.
I haven’t seen any evidence that fraud as a percentage of transaction values has increased, but, for the sake of argument, even if it has, so what. It could be argued that that’s the cost of doing business in today’s digital world. End of the day, a bank can keep jumping up and down to prevent all the fraud it wants but that won’t keep its lights on. Mitigating Fraud Does Not Pay The Bills
—
In 2011, I wondered Do Retailers Want To Have Their Cake And Eat It Too?. Eight years later, I’m convinced they’re not only greedy but incompetent and crybabies.
Every second store I visit, there are stockouts, salespeople are busy with their smartphones, the one-odd salesperson who deigns to attend to customers has less product knowledge than customers, etc. Retailers seriously need to get their internal act together instead of constantly crying about the adverse impact of external factors like payment processing costs, ecommerce, etc.
In any case, who is forcing retailers to accept whatever payment mode with whatever level of fraud and chargeback? Retailers are free to offer whatever payment modes they want. Nobody stops them from even inventing their own payment method. Oh wait, that’s what they tried with MCX / CurrentC. They should ask themselves why that movie ended badly.
—
In the USA, there are more than 6000 banks and fewer than 100 retailers (if that). So neither banking nor retail industry is a monopoly. I don’t know what “monopolistic behavior” means but, whatever it does, if it can be exhibited by banking industry with 6000 competitors, then what’s stopping the retail industry, which has fewer than 100 players, from exhibiting it and ensuring that it makes enough money to cover fraud and chargeback costs, instead of forever crying about costs of doing business? IMHO, “monopolistic behavior of banking” is just one more bogeyman – apart from high payment processing costs – used by retail industry to bark up the wrong tree and avoid fixing internal problems hampering its revenues and profits.
—
Oh, arrogance. Yeah right. Terribly monopolistic. Retailers should sue banks for monopolistic behavior, then.
On a side note, “products/services that are nearly identical to each other” is the textbook definition of commodity, whose purveyors are destined to go on a race to the bottom with lower and lower prices. If that’s what banking is, retailers should rejoice.
—
That’s services mindset. Rigidity – and the perceived arrogance that comes with it – are best practices in product business. It happens even in highly competitive industries and has nothing to do with monopoly / oligopoly. Every Tom Dick & Harry who doesn’t get a discount will have a common sense view of facing a monopoly, which is rubbish. “Abuse of monopoly” is necessarily a legal construct.
I can elaborate but this discussion has veered way far off course from the original topic. I’ll be happy to continue it offline.