Sunday, December 12, 2010

Discover Account Security Review

With the recent news that the hacking group Anonymous will launch attacks against Visa, Mastercard, and PayPal, I have decided to do my security review on Discover. I currently have a Discover credit card and frequently use discover.com. Although we have learned that credit cards may not carry as big a risk as debit cards, any type of business that holds records of users' names, addresses, phone numbers, social security numbers, and bank account numbers is susceptible to attacks from hackers. Discover offers the option to control your account online. Users can manage their account, make payments, withdraw cash, and view their statements on the Discover website.

As an owner of a Discover credit card and a user of the online "Account Center", I have a few worries about the security that Discover uses. The CIA triad is extremely important for protecting Discover users. I think that it is absolutely imperative that users' account information, including name, birth date, address, username, and password, is kept confidential. In addition to the fear of identity theft, I believe it is a must that the card number, expiration date, and validation code stay private (available only to the user). Integrity is also important. Discover has to make sure that when a user makes a payment or changes their account in any way, the user's changes are not tampered with by a hacker. Additionally, it is important that the cardholder's username and password are never changed by hackers. Finally, availability may be the most important aspect. As a user, I expect that I will always be able to access my account over the internet as well as always be able to use my card.

If I were a hacker, I would view Discover as a source of a lot of information. First, user information is valuable today. Disclosing account holders' names and other personal information could be profitable if other businesses would pay for it. But the obvious goal of a hacker would be to disclose the card information and bank account information (common in users' Account Center because it is a common method of payment) in order to use the accounts for themselves. With a similar goal in mind, a hacker may try to alter users' information and change it to their own; this way they would have access to a card that could potentially have their own name attached to it. As we have learned in this course, hacking isn't always about personal gain: hackers could overload the Discover online site to deny access to users, simply to be a pain (or potentially as a distraction for another attack).

Although these threats arise when running a sensitive business, I believe that Discover has done a great job of implementing security measures to mitigate attacks. Users must have a username, a password, and the answer to a security question to access their account. Additionally, when a user logs in, the site prompts them with the question "Is this a Shared Computer?", a precaution against leaving your account open on a public computer. As soon as you get to your Account Center, you see that the website is secure. Clicking the lock icon in my browser, I learned that the connection is protected with 112-bit 3DES encryption and that the site carries a VeriSign Class 3 Extended Validation certificate.

A potential threat is in the "Cash Now" section of the website, because a hacker's goal would most likely be money. But this section requires another security measure: both the expiration date and the validation code on the credit card. Finally, the last security measure I noticed was the automatic logoff: after 5 minutes of inactivity, the website automatically logs the user out.
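As an added illustration, not code from this post or from Discover, here is how the two session controls described above (the 5-minute automatic logoff and the "shared computer" answer) can be implemented on the server side in Python. The cookie names, the 30-day remembered-username cookie for private computers, and the in-memory session table are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Idle timeout observed on the site: 5 minutes of inactivity ends the session.
IDLE_TIMEOUT_SECONDS = 300
# Assumption: how long a private (non-shared) computer may remember the username.
REMEMBER_USERNAME_SECONDS = 30 * 24 * 3600


@dataclass
class Session:
    token: str
    username: str
    shared_computer: bool
    last_activity: float  # unix timestamp of the last authenticated request


class SessionStore:
    """In-memory session table (assumption; a real deployment would use a shared store)."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, username: str, shared_computer: bool, now: float) -> str:
        # 256-bit random token from a CSPRNG, never derived from the username.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, username, shared_computer, now)
        return token

    def touch(self, token: str, now: float) -> Optional[Session]:
        """Validate a request. Returns the Session, or None if unknown or idle too long."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_activity > self.idle_timeout:
            # Automatic logoff: discard the session so the token cannot be reused.
            del self._sessions[token]
            return None
        session.last_activity = now
        return session

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def cookie_headers(self, token: str, username: str, shared_computer: bool) -> List[str]:
        """Set-Cookie headers for a fresh login.

        The session cookie never carries Max-Age/Expires, so the browser drops it
        when closed. Only a private computer additionally gets a persistent cookie
        that remembers the username (assumed cookie names).
        """
        headers = [f"Set-Cookie: SESSION={token}; Path=/; Secure; HttpOnly; SameSite=Strict"]
        if not shared_computer:
            headers.append(
                f"Set-Cookie: REMEMBERED_USER={username}; Path=/; Secure; HttpOnly; "
                f"SameSite=Strict; Max-Age={REMEMBER_USERNAME_SECONDS}"
            )
        return headers


def demo() -> Tuple[bool, bool]:
    """Constructed walk-through: activity after 200 s keeps the session; 301 s idle ends it."""
    store = SessionStore()
    token = store.create("alice", shared_computer=True, now=1000.0)
    alive_after_200s = store.touch(token, 1200.0) is not None
    alive_after_301s_idle = store.touch(token, 1501.0) is not None
    return alive_after_200s, alive_after_301s_idle


if __name__ == "__main__":
    print(demo())
```

The timeout is measured from the last request rather than from login, which is what "inactivity" means; an expired token is deleted on the spot so a later request with the same cookie cannot revive it.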

I think that the security is very good on the Discover online Account Center, but the only thing that worries me is that all of the access controls are "something you know". I would recommend adding another access control, either "something you are" or "something you have". I think that a card scanner (possibly in the future) on computers would allow users to log on to their account with two access controls. A different option would be to implement the fingerprint scanners that are already on some laptops. If Discover somehow required you to scan your index finger to log on, it would make it even more difficult for hackers to access your account.
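As an added example, not the post's own code and not something Discover offered, the following Python shows a "something you have" factor of a different kind than the card scanner or fingerprint reader suggested above: a software one-time-password token using the standard HOTP/TOTP construction (RFC 4226 and RFC 6238). The user record, the PBKDF2 password hashing, and the one-step clock-skew window are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
WINDOW = 1          # assumption: accept one time step of clock skew either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time // step), digits)


class User:
    """Constructed user record; the password is stored as a salted PBKDF2 hash (assumption)."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret  # provisioned into the user's token/app at enrolment
        self.last_counter = -1          # highest accepted time step, to refuse replayed codes

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, self._hash(password, self.salt))

    def match_totp(self, code: str, now: float) -> Optional[int]:
        """Return the time step the code matches (current step +/- WINDOW), or None.

        Steps at or below the last accepted one are never matched again, so a
        code captured over the shoulder cannot be replayed. Nothing is consumed
        here; the caller commits the step only when every factor has passed.
        """
        current = int(now // STEP_SECONDS)
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                return counter
        return None


def login(users: Dict[str, User], username: str, password: str, code: str, now: float) -> bool:
    """Two-factor login: 'something you know' (password) plus 'something you have' (token)."""
    user = users.get(username)
    if user is None:
        # Spend comparable time for unknown users so the response does not reveal them.
        User._hash(password, b"\x00" * 16)
        return False
    # Evaluate both factors before answering, so a failure does not say which one was wrong.
    password_ok = user.check_password(password)
    counter = user.match_totp(code, now)
    if password_ok and counter is not None:
        user.last_counter = counter  # consume the step only on a fully successful login
        return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret; a real secret is random per user.
    demo_secret = b"12345678901234567890"
    users = {"alice": User("alice", "correct horse", demo_secret)}
    print(login(users, "alice", "correct horse", totp(demo_secret, 59), 59))
```

The secret never leaves the server and the token, so a stolen password alone is not enough to log in; the window handles a phone clock that is a few seconds off, and the high-water mark on the counter means each code works at most once.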

1 comment:

  1. Everyone wishes to have a bright career, which cannot be achieved without being a skilled one... we offer PTLLS Course on reasonable payments...
