MasterCard’s Version of “Security” Scares Me

TL;DR. MasterCard has a PayPal competitor called MasterPass. This account, which holds your credit card details, only accepts alphanumeric passwords, which makes them much weaker. MasterPass also pretends every email address is a registered account, likely as a security measure, but it isn’t obvious that you need to use a separate process to register.

MasterPass promotional image.

I had an interesting new checkout experience today using MasterCard’s competitor to V.me and PayPal, MasterPass. When I entered my email address as part of the checkout process, the text “Hello Angela” greeted me back. Obviously not what I expected! Initially I suspected someone must have used my email address to create their wallet account. Confused and concerned, I called MasterPass’ customer support number and, after an incredibly long hold, relayed my story to one of their agents. The agent was even more confused than I was and placed me on hold again.

After another 5 or so minutes of contemplating the nature of existence, he returned to tell me that “it was clearly an accident.” He opened a case for me and said someone would get back to me in 2-3 business days. Not exactly a great response. “Wouldn’t this be an issue for the fraud department?” I asked. “I’ll take it under advisement,” was as much as he’d commit to before we hung up and I became even more bewildered.

Curiosity fully settling in, I tried with more email addresses. Some addresses didn’t even exist, but all of them were supposedly in use and greeted me with a name and a security passphrase. It started to make sense. MasterPass first asks only for an email, then shows the account’s passphrase and prompts the user for their password. If it returned an error whenever an email wasn’t registered, phishers could easily build a database of MasterPass users. By making every address look valid, the system doesn’t leak information about who is and isn’t a customer. MasterPass greets you by the wrong name because it makes every email address look registered.

Aside from being a really bad approach (the measure is no less effective if the form tells everyone that, when the name shown isn’t theirs, they need to register), it also breaks the checkout flow, since it is not immediately clear that you need to leave and register (check out a screenshot of their checkout sign-in form to see what I mean). Only a small “need to sign up for this wallet” link exists, and it isn’t even clear whether it’s a link the user needs to follow or a simple description of the form below.
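The two lookup behaviours discussed above, as an added example that is not code from the post or from MasterPass: the leaky variant reveals whether an email is registered, while the uniform variant returns the same fields for every address (a decoy name and passphrase derived from an HMAC, so the same unknown address always gets the same decoy) together with the registration hint the post argues for. The wallet store, decoy lists and server key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample wallet store for the example; no real account data.
WALLETS = {
    "angela@example.com": {"name": "Angela", "passphrase": "blue kettle"},
}
DECOY_NAMES = ["Alex", "Jordan", "Sam", "Taylor", "Morgan"]
DECOY_WORDS = ["red", "green", "amber", "harbor", "pine", "lantern", "river", "stone"]
REGISTER_HINT = "If this is not your name, this email has no wallet yet: sign up first."


def lookup_leaky(email):
    """Enumeration oracle: a different response tells registered from unknown emails."""
    wallet = WALLETS.get(email.strip().lower())
    if wallet is None:
        return {"status": "unknown_email"}
    return {"status": "ok", "greeting": f"Hello {wallet['name']}",
            "passphrase": wallet["passphrase"]}


def lookup_uniform(email, server_key):
    """Same fields for every email. Unknown emails get a stable decoy derived from
    an HMAC, and the hint tells a genuine new user what to do instead of
    leaving them confused."""
    key = email.strip().lower()
    # Derive the decoy unconditionally so the work done does not depend on membership.
    digest = hmac.new(server_key, key.encode(), hashlib.sha256).digest()
    decoy_name = DECOY_NAMES[digest[0] % len(DECOY_NAMES)]
    decoy_phrase = (f"{DECOY_WORDS[digest[1] % len(DECOY_WORDS)]} "
                    f"{DECOY_WORDS[digest[2] % len(DECOY_WORDS)]}")
    wallet = WALLETS.get(key, {"name": decoy_name, "passphrase": decoy_phrase})
    return {"status": "ok", "greeting": f"Hello {wallet['name']}",
            "passphrase": wallet["passphrase"], "hint": REGISTER_HINT}


def leaks_membership(lookup, *args):
    """True if a registered and an unknown email yield distinguishable responses."""
    known = lookup("angela@example.com", *args)
    unknown = lookup("nobody@example.com", *args)
    return set(known) != set(unknown) or known["status"] != unknown["status"]
```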

So, aside from a terrible, terrible new user experience, I was still willing to try this new service out and started signing up. I, of course, used Lastpass to generate a secure password for my new account.

Password can only contain alpha, numeric characters.
An example of how not to do passwords, courtesy of MasterCard.

This is where having a MasterPass account was no longer important to me. MasterCard directly prevents the user from having a secure password. Granted, financial companies tend to have really terrible security in exchange for a lot of card-holder insurance, so even though you’re not secure, they’ll reimburse you when things go wrong. That doesn’t excuse opening up your users to having their personal data stolen or credit ruined because you can’t figure out how to handle passwords properly. Oh, and it’s written “alphanumeric,” a note for whatever crazy person designed this (or forced a developer to make it this way).
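The password rule from the sign-up form beside a sane alternative, as an added example that is not code from the post or from MasterPass: the restrictive check rejects any generated password containing symbols, the corrected check enforces only length (and rejects control characters after Unicode normalization), and the entropy helper shows how much guessing work the alphanumeric restriction throws away for the same length. The sample password is constructed.

```python
import math
import re
import unicodedata

ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")


def masterpass_style_check(password):
    """Reproduces the form's rule: letters and digits only, so symbols are rejected."""
    return bool(ALNUM_ONLY.fullmatch(password))


def sane_check(password, min_len=12, max_len=128):
    """Accept any printable character; constrain only length.
    NFKC normalization keeps visually identical input hashing identically, and
    the upper bound keeps a slow password hash from being fed huge inputs."""
    normalized = unicodedata.normalize("NFKC", password)
    if not (min_len <= len(normalized) <= max_len):
        return False
    return all(ch.isprintable() for ch in normalized)  # rejects control characters


def entropy_bits(length, alphabet_size):
    """Bits of guessing work for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


# Constructed 16-character password manager output with symbols.
GENERATED = "q7$Lw!9x#Rb2@Vn%"

if __name__ == "__main__":
    print("alnum-only accepts generated:", masterpass_style_check(GENERATED))
    print("sane check accepts generated:", sane_check(GENERATED))
    print("16 chars, 62 symbols: %.1f bits" % entropy_bits(16, 62))
    print("16 chars, 95 printable ASCII: %.1f bits" % entropy_bits(16, 95))
```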

I, for one, am not using MasterPass until they begin to take passwords more seriously, and likely not until the system is more mature in general. Right now it even appears to contain a callout to the developer or library that made it in the footer: “Powered by Dante’s PM3”. If you designed this system, mysterious Dante, you have much to be ashamed of.

7 thoughts on “MasterCard’s Version of “Security” Scares Me”

  1. Dante is ashamed of nothing. We build things as requested (that’s why they pay us). Since you are looking for things to be ashamed of you might want to use your “vast” consulting wisdom to learn about google.

    http://bit.ly/15JMTUT

    1. If this is how passwords are treated, I can only imagine what wild things happen to customers’ credit card, address and name data security. (masterpass.com is pretty much down today due to deals tied to it)

    2. If the above anonymous reply is actually from somebody at Dante, it’s even worse than before. Not only does the smart-ass “let me Google that for you” link smack of poor quality ethics, but funnily enough, Google returns THIS blog post as the first hit, and the second and third hits are seemingly two different companies, either of which might be the culprit.

      Yup, Dante should be ashamed — a lot.

  2. The T&C also seem to be *less* protective than using the CC directly. IANAL and perhaps the T&C from the CC override, but it appears that to the greatest extent possible, MC is taking no responsibility. Seems like a lose/lose to me.

  3. If only I had read your blog before I signed up for MasterPass. I’m locked out of my account because it won’t recognize me. Customer support told me they’d get back to me three days later!! THREE EFFIN DAYS!! I feel like the whole thing is a scam and all my info is very unsafe. I’m curious as to what you did in the end? Did they fix anything? Can you close your account with them? Tell me please, I’m dying of anxiety here!

    1. I never actually made an account with them, and have never used them. I’ve not felt like I’ve missed out by not using their service.
