MasterCard MasterPass "Security Feature"

GHoosdumGHoosdum Icrontian
edited December 2013 in Lifestyle
I signed up for MasterPass recently because Newegg is running a promotion (10% off your purchase with the MASTERPASS promo code if you use MasterPass for that purchase).

Today I attempted to log into my account, entered my email address, and the MasterPass website told me, "Welcome back, Candyce!"

Obviously I'm not Candyce. I was mildly alarmed, suspecting someone else had hijacked my MasterPass account, until I realized that the email address I signed up with is not the one that I was using to try to log in, although both e-mail addresses are mine.

I looked at the MasterPass FAQ, and there was nothing listed in regard to other users associating their accounts with your e-mail address. I Googled several variations of "my email address is associated with someone else's MasterPass account" to see if the interwebs were aware of any kind of widespread fraud.

Finding nothing on either avenue, I called MasterPass customer support. After going back and forth with the representative telling me I was using the wrong e-mail address to log in, while I reiterated that I know that and am wondering how someone else was able to associate their MasterPass account with my other e-mail address, the representative finally told me: this is designed as a protective measure.

Say what?

Apparently the MasterPass designers included a "feature" whereby the entry of any e-mail address that isn't associated with an existing account will result in a fictitious name being returned by the system. This is supposedly designed to deter fraudulent activity, although I can't imagine an identity thief being deterred by anything.

What did happen is this: thinking that my e-mail address was being used by someone else for nefarious purposes alarmed me, and prompted me to investigate further. According to the CS rep, this isn't the first time they've received a call similar to mine, and they're apparently investigating ways to cause less customer alarm in cases like this. However, nowhere on the MasterPass FAQ or elsewhere is MasterCard letting their customers know about this issue.

So, if you should experience something similar to this, don't be alarmed, it's just an unannounced "security feature" helping protect you from fraudulent activity. That is, unless someone else really did associate another MasterPass account with your e-mail address.

Comments

  • ThraxThrax 🐌 Austin, TX Icrontian
    edited December 2013
    I read this several times and it still doesn't make any logical sense. WAT.
    oni_dels
  • fatcatfatcat Mizzou Icrontian
    this one time at band camp..
  • Thrax said:

    I read this several times and it still doesn't make any logical sense. WAT.

    Which doesn't make sense? The writeup, or the security feature?
  • BobbyDigiBobbyDigi ? R U #Hats ! TX Icrontian
    So what you are saying is we should log into their website with random email addresses to see what name it calls us?

    -Digi
    oni_dels
  • Exactly.
  • Makes at least a little bit of sense to me. If someone were trying to hijack a MasterPass account, by displaying false information on a non-existent account (instead of displaying something along the lines of "this account doesn't exist"), they're more likely to waste time trying to break into an account that doesn't exist as opposed to just seeing that the account doesn't exist and moving on to another email address. It definitely adds the potential for end user confusion, but it is a reasonable security measure to dissuade attackers.
  • ThraxThrax 🐌 Austin, TX Icrontian
    GHoosdum said:

    Thrax said:

    I read this several times and it still doesn't make any logical sense. WAT.

    Which doesn't make sense? The writeup, or the security feature?
    The security feature!
  • After re-reading my stream of consciousness up there, I realized that my detail of the feature may have also been unclear. ;)
  • CrazyJoeCrazyJoe Winter Springs, FL Icrontian
    Is Candyce's MasterPass password boner?
  • BetsyDBetsyD Cincinnati, OH Icrontian
    One of the financial institutes that I have an account with has a similarly confusing "security" feature, but is at least less annoying. If you try to sign in with an email that is unassociated with an account it will display a security picture and question that you never could have picked (not in the selection list). While equally annoying in the "wtf, why can't I login to my account" kind of way, it at least doesn't call me by a fictitious name :)
  • BetsyD said:

    One of the financial institutes that I have an account with has a similarly confusing "security" feature, but is at least less annoying. If you try to sign in with an email that is unassociated with an account it will display a security picture and question that you never could have picked (not in the selection list). While equally annoying in the "wtf, why can't I login to my account" kind of way, it at least doesn't call me by a fictitious name :)

    This is the better way of accomplishing what MasterCard is doing, since you select the photo (and usually set a phrase that is displayed as well) thus you would know that you put the wrong username in, but no one else would. I hate to say it, but these kinds of security measures do cut down on bruteforce attacks, since they have to expend extra time trying to figure out valid usernames in addition to trying to crack the passwords.
Sign In or Register to comment.