2014 trends: Social media ‘buy’ buttons – friend or foe?

The last year has witnessed the rise of the buy button. Social media sites and search engines have attempted to hold on to traffic and increase ad revenue by allowing consumers to buy products directly from ads.

But for social media sites especially, the security question has raised its ugly head.

In September, Twitter took tentative steps towards integrating an e-commerce function into its site, introducing a ‘buy’ button to tweets for a “small percentage of US users”, allowing them to buy goods directly from some promoted tweets.

The move marked the first time that Twitter has held payment data on behalf of its users.

Facebook also wants access to our financial data, and isn’t afraid to show it. The social media giant has been playing with the idea of peer-to-peer payments and an e-commerce button throughout 2014. In September the company partnered with payments start-up Stripe to power a buy button it had been testing since July.

Even Tumblr has made an e-commerce play this year, adding ‘action’ buttons to posts allowing bloggers to link them back to Etsy, Artsy, Kickstarter and Do Something pages.

The idea behind the Facebook and Twitter buy buttons, at least, is that customers will favour impulse buys, leading advertisers to pay more for the privilege of reaching social media users.

But there’s an obvious security and trust issue here, one that we are going to see tackled head on in 2015.

“Even if we accept that these types of web sites have sufficient security to protect stored credit cards, which might be a stretch given their track record in protecting passwords, there’s the bigger issue of authentication,” said Richard Moulds, vice-president of strategy at Thales e-Security.

Let’s be honest, people check social media sites very often – maybe hundreds of times a day.

“Passwords and credentials are nearly always cached, are frequently federated to other sites and are often as ‘skinny’ as users can get away with – who types in a complex 16-digit code to access their wall?” Moulds said. “Yet these same credentials might now enable a payment – that’s quite scary.”

Predicting the death of the password is a perennial favourite, but it is a death that will probably never happen. For Moulds, what seems more likely is that the password will become the start of what he calls the ‘authentication journey’.

“Risk based authentication or adaptive authentication ratchets up the process as the user seeks to do more risky things, like make a payment,” Moulds said. “Sites will use a host of other information to decide whether to allow users to go to the next level of trust.”

“Authentication will move from being an event to being a process – a dynamic, multi-stage activity,” he added.

Social media sites in particular have a wealth of behavioural data. They know how you browse, what your interests are and who you interact with. But this type of authentication could only add to the problem of ID theft, Moulds says.

“The risk is that this opens up a whole new world of ID theft where hackers don’t just try to steal your passwords, but try to mimic your lifestyle or shopping habits.”

Should we all start modifying our behaviour in order to give ourselves the best possible behavioural profile, trying to do things the same every day so as not to upset the analytics machine? Or will we worry about doing something out of the ordinary in fear of being mistaken for an attacker and having our accounts suspended?

“Time will tell if this approach can work at scale or whether, once again, convenience will trump security and the password’s lease on life will be extended yet further,” Moulds concluded.
