I should maybe start another thread, but my experience is related to this one, so although it might be down the list a little bit by now, I will add it. It's also just a bit of 'flame on' therapy.
Ever had your bank contact you asking to contact them, URGENTLY?
This happened to me yesterday. Via an automated computer voice message providing a phone number and a web site. So I ventured to the website. It was undoubtedly a section of my bank's web portal - not a secured https page, but asking for bank account and sort code information. It also popped up an 'invalid server Certificate' message, which when viewed was 6 months out of date and belonged not to the bank, but another company?
So I called the number provided instead. Also seemingly genuine bank call centre (albeit with a fire alarm test at the time). Immediately asking for my bank account, sort code, name etc. Not able to tell me what the nature of the call was about until I had done this (which I objected to and did not). When I provided my surname, they confirmed I was not the person they were trying to contact after all (my number is 14 years old, I've been with the bank 25 years). It transpired that they were a debt collection department of the bank (so I hope they genuinely did have it wrong!).
So I felt the need to try to at least report the dodgy/amateur website to the Bank Fraud department. Found the number and called. Same routine of grilling for my identity first, before listening to the point I had to make, and simply diverted me to the first number I had spoken to in order to get rid of me.
By now, this was becoming a challenge. I wanted to report the shoddy processes and contacted the Bank Customer Services. This time, after providing my account number, they challenged with individual digits from my password. They actually listened to the problem, agreed with me it didn't sound very sensible and went to look at it. Unfortunately, they then got cut off from me (lost 1-way communication!) but at least I think they got the point and went to check it.
I don't really have a point except to say that Banks seem to think the need to identify every caller is their right, and that it is of detriment to the caller experience. Anyone could set up such a spamming service and use it to phish personal details with very little chance of locating the fraudsters. Just ask a user for their PIN, and some will provide it, or at least 2 digits of it! They should take a little effort to demonstrate they are actually your bank, before grilling for ID.
flame off.
28 Jan 2009 13:37
Yes, but WHERE did the money go?
I am still trying to fathom that one. It's not just that the value of stocks has since plummeted (all our funds lost their value too as a result, and if you were an actual shareholder, then you are now looking at a loss), or that house prices have dropped 20%, but that the money that was supposedly slushing about the system and burning great holes in the banks' pockets, is simply not there any more.
Where did it go? Is it now all in gold and US stocks (hence the strength of the $) or under the mattresses of corporations? It's obviously not in the actual banks or we would not have bailed them out twice already. i.e. was it all paper money and not real at all - banks were lending to other banks lending to others, lending to you and I and taking commission and payment every step of the way. So over the past decade, I suggest that the actual 'money' has simply been paid out within the financial industry (bonuses etc) and spent.
Let's face it, if you were to look back in 100 years and consider what boom you could have invested in to make money, you might have considered the Telecoms sector over the past 20 years. But no. BT share price is less than when they floated in 1984. Many others are similarly suffering. The ONLY place that really boomed was the Financial Services sector... deregulation and computerisation of markets etc. Here is where money made money, and where half of that has just been siphoned away under the noses of the experts.
It'll take years and could cause more than a retail hardship along the way.
28 Jan 2009 13:13
This is a rant if ever there was one. I just hope the Optus competitor(s) are not worse, or else plug into a power outlet.
22 Jan 2009 22:30
It's said that we all have a book in us (maybe this is the introductory chapter for yours) and these days I think we probably all have an on-line business in our minds too! So this was extremely interesting, and an eye-opener.
I can imagine that even a very small number of duff orders can be pretty damaging and time consuming. Surely there are simple ways to just block all sessions from undesired territories, but maybe that's where the trojans come in, acting as proxies?
I assume you have the solution :)
20 Jan 2009 11:57
It happens all the time. Monopolies and market leaders resist change wherever that change is going to cut their margins or reduce their market share. They may 'play the game' and participate in regulator or consumer-body led initiatives (like GSMA MMT) but really they have little vested interest in changing the status quo just to offer a better, cheaper service to the customer. I think it takes a law or an edict from the regulators to push it through, and even then it will be challenged and delayed as long as possible - which is what is happening here. Even the best ideas can be sunk with enough FUD.
It's just how business is I guess.
19 Jan 2009 09:37
That's funny.
Presumably these machines are 'labelled' in big letters (20's go here, 10's go here etc [they don't do fivers any more ;)]). So no doubt the risk is passed on to the '3rd party' who made the loading goof. Either that, or the Bank simply claims on an insurance policy which you and I pay for in the first place.
We had this debate on the previous occasions this happened - but I am still curious if the bank reconciles the audit trail and rectifies the debit to those people's account retrospectively?
19 Jan 2009 09:29
Let's also not forget that most employees see their shiny laptop as 'theirs' and corporate IT and Security are 'those people that try to hinder you doing what you want'. So in addition to the hackers trying to circumvent corporate security, the employees themselves are more than helping.
Most will revert to a direct network connection, not the corporate VPN and HTTP Proxy. They will use all manner of utilities which are not Corporate and revel in beating the many restrictions.
And yet, they sit back in the belief that their laptop is 'secured by the company' and therefore safe. So you have a double problem - the employee both resists/detests the security and yet depends and relies on it at the same time.
I still wonder why the banks and account holder do not offer a simple alerting/notification service for transactions. I would not mind a little text message every time something over a set level occurs. But as usual, it's not in the service provider's interest to provide these good things, so they don't. You just become an acceptable level of risk, and accept it until it happens to you.
Good read though, but I was waiting for the killer punch where you explained how much damage the cyber-crooks could do with the info.
-j
03 Dec 2008 19:58
I enjoyed this thought. It reminded me that we are all slaves to capitalism. Capitalism replaces ideology or religion as the control system for the masses. In the absence of other beliefs, we believe in the reality of money and focus our energies in amassing what we need (to pay the leveraged debt, mostly).
This keeps (most of) us in line and civil. Until one day we realise the money isn't as real or safe as we thought, and then you get the civil unrest / anger. Would be similar if the oil stopped, but the crunch has made that less likely for the time being.
28 Nov 2008 11:36
Couldn't agree more. It all certainly shook up our trust in what we thought was solid. I have always resented the unfair standing that the public has in the matter of finance - it's always the little people that suffer when these events happen. It won't take much for people to go back to putting money aside under the mattress at this rate, because not only do they not trust the banks, but their investments there either return so little or attract taxes in any case. I mean, BT shares were worth less recently than in 1984 when they were floated - over 3 decades of telecoms at its height, and BT one of the biggest. Now as a small investor, it's quite possible that you had sat on BT shares all that time - it would have been better to stuff it in a pillow.
Anyway the real point I wanted to make was that I also don't believe the US Subprime Mortgage mess is at fault any more. It may have started the thinking and navel gazing, but I think they realised a lot more than that, and what had been built up was a pack of cards waiting to tumble. Lender to lenders who lent to more lenders, who lent to borrowers with little more than a 'trust me, I will make you money' business plan. The mortgages at least have some asset behind them. These other lendings don't seem to have, and the money has been frittered away as 'operating costs', salaries and bonuses, never to be seen again. Somewhere, back up the chain, that's our money and we are the ones that stand to lose it when these crashes happen. These business ventures come and go, but each of us is stuck holding the baby, so to speak. Banks just got greedy trying to 'keep up' with the relentless drive to keep doing deals.
14 Nov 2008 09:07
Tell me you didn't write this just for Finextra? It's worthy of at least a Chapter in a book ;)
So Identity is not perfect. Trust is all important. And we all have a right to our identity. But (there's always a but) the scenarios you paint are the minority and make identity sacrosanct, which it can't be. Every civilisation has relied on absolute identity ('I am Alexander, the Great', 'Napoleon III', 'the artist formerly known as ...' etc) and so you cannot change that paradigm overnight, or ever.
The Trusted 3rd Party model says that the 'man in the middle' knows person A, and knows person B, and makes the decision if what person A wants from B is authorised or not (or vice versa).
So let's start at Person B - who is a Service Provider (say a Bank), who manages an Account for Person A. Someone accesses the Bank system to view Person A's account. Person B needs to validate the access and so logs a Txn with the TTP... Person A needs to 'identify' themselves to the TTP (for that txn) and the TTP checks to see if there is a pointer or token for that person to perform that Txn. If so, confirms to Person B to allow it. Person B never knows who Person A was, except that they had authority to access Person A's account.
Ah, so Person A could be 'the taxman' or the FBI with the authority to access anyone's account. Or it could be a faker pretending they are the taxman. Or it could be an insider at the TTP? So all the same identity issues and needing to have 'transparency' in the audit trail come back again. Everyone has an identity, so why the big deal about showing it to those who need to know who you are (like the Policeman). The Mega-TTP won't work (too much like a New Order Government), and the Mini-TTP (where every Bank has a TTP) is just as much of a muddle as trusting the Bank to get it right. And who audits the TTP to make sure they are not syphoning off parts of transactions, or selling data about you, or blocking you for no good reason (e.g. Credit Scoring Agencies).
It does all come down to Trust and Identity. Does Person A trust Person B, and are they really Person A and B. End of. Is 2 factor authentication enough? Probably. It depends on the context. I never ask a Bank teller the other side of a bullet proof screen to prove he/she works at the bank - it's implied in that context (of me being at the bank). But if someone knocks at the door doing a police survey, I would.
Between non-related (and therefore low trust) parties, the Identification is weaker (like an ID card with a photo on it) and you make a judgement whether to trust it or not.
Between related and highly trusted parties (say customer-Bank) an authentication scheme is agreed and used. They are evolving. My bank uses a UserID, a PIN and a Password (basically a fancy one where they challenge for just a part of it). Eventually, some keylogging software will capture my whole password and send it off somewhere and my online account relationship will be compromised. But no money can be transferred because they don't have the 4th thing, which is my Bank OTP Generator for making any changes to the account or setting up new payments. I do this so infrequently with this account that it's always confusing to do it. I would much prefer to use my registered mobile and have the bank text me an OTP as part of my auth login... that way I would find out PDQ if someone logged in without stealing my physical phone as well. If I don't have my phone (the exception), then ask me a challenge.
Anyway, the point is that someone has to authenticate both sides, and not just me, so I know I am talking to the right Person B. At least it would be the 'business' of a TTP to be serious about Identity, so there has to be a market for outsourcing the Auth function to an Auth-Clearing house. I could use the same strong auth with the TTP to get access to a number of participating Service Providers.
So, long story short, I agree with the TTP concept, but think they are there to 'assure the Identity' not guard it. Let the Service Provider decide on level of access or service based on the assured Identity. And yes, use of a mobile is just another tool in the box that can be used.
If banks continue down the hyped road of NFC tags, the credit card could disappear from your wallet and appear inside your mobile - it still represents 'something you have'. The NFC ID will replace what used to be the WIM module idea (that MNOs again failed to use well).
This was supposed to be short, not another chapter.
13 Nov 2008 15:24
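A constructed model of the TTP flow the comment above describes (Person B logs the txn, Person A identifies to the TTP, the TTP checks for a token and confirms to B without revealing who A was), with the partial-password challenge and the OTP-for-changes rule from the same comment as the identification step. This is an added illustration, not code from the comment or from Finextra; the class and function names, the 'view'/'pay' transaction kinds and the sample account are assumptions.

```python
import hmac
import secrets

class TrustedThirdParty:
    """Hypothetical TTP: holds Person A's secret, knows which transactions
    A is authorised for, and records every decision in an audit trail."""

    def __init__(self):
        self._secrets = {}    # person -> password; never shared with Person B
        self._grants = set()  # (person, txn_kind, account) a person may perform
        self._open = {}       # txn_id -> (txn_kind, account) logged by Person B
        self.audit = []       # (txn_id, person, txn_kind, account, granted)

    def enrol(self, person, password, grants):
        self._secrets[person] = password
        self._grants.update((person, kind, acct) for kind, acct in grants)

    def log_txn(self, txn_kind, account):
        # Person B (the bank) logs the transaction and gets an opaque id back
        txn_id = secrets.token_hex(4)
        self._open[txn_id] = (txn_kind, account)
        return txn_id

    def challenge(self, person):
        # Partial-password challenge: two random positions, so one captured answer
        # does not expose the whole password; unknown person -> empty challenge
        n = len(self._secrets.get(person, ""))
        return sorted(secrets.SystemRandom().sample(range(n), 2)) if n >= 2 else []

    def identify(self, txn_id, person, positions, answer, otp_ok=False):
        kind, acct = self._open.pop(txn_id)
        secret = self._secrets.get(person, "")
        expected = "".join(secret[i] for i in positions)
        identified = bool(secret) and hmac.compare_digest(expected, answer)
        # a read needs identity + grant; a change also needs the OTP ('something you have')
        granted = identified and (person, kind, acct) in self._grants \
            and (kind == "view" or otp_ok)
        self.audit.append((txn_id, person, kind, acct, granted))
        return granted  # Person B only ever learns this, not who Person A was

def access(ttp, person, txn_kind, account, answer_fn, otp_ok=False):
    """One round trip: B logs the txn, A answers the TTP's challenge, TTP decides."""
    txn_id = ttp.log_txn(txn_kind, account)
    positions = ttp.challenge(person)
    return ttp.identify(txn_id, person, positions, answer_fn(positions), otp_ok)

if __name__ == "__main__":
    ttp = TrustedThirdParty()
    ttp.enrol("taxman", "s3cr3t-pw", [("view", "ACC-1")])  # constructed: view-only grant
    print(access(ttp, "taxman", "view", "ACC-1", lambda p: "".join("s3cr3t-pw"[i] for i in p)))
```

The audit list is the 'transparency' the comment asks for: every decision, including refused fakers and attempted changes without an OTP, is recorded against the opaque txn id.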