Has security gone too far?

No-one would suggest that we abandon security measures that are designed to frustrate fraud. But we all hate passwords, and we are all driven mad from time to time by security questions, photo IDs, queues at airports and now endless 'opt in' requests to enable holders of our data to use it. GDPR... OMG!

I am currently screaming at brick walls in a crazy loop that's preventing me from accessing my own money. It all started simply enough. I use a gold trading service called Bullionvault. To start trading, you deposit funds from your personal bank account, buy some gold (or other precious metals) which they store 'digitally' or physically for you, and then sell some or all of it while hopefully making a profit (fully taxed of course). Any money that you want to withdraw is then deposited in the same bank account that was used to open the account. All well and good... until you change your bank account.

Here is what I have to do before I can get hold of my own money:
  1. Fill out a form declaring I've changed banks, sign and upload it 
  2. Upload a copy of my new bank account statement (I now bank online, so get no paper statements) which shows:
    1. Name and logo of bank
    2. Account name
    3. Account number
    4. Bank's address
  3. Upload a statement from my old bank account (also online)
  4. Upload photo ID
  5. Upload proof of address, e.g. utility statement
  6. Upload a letter from the new bank confirming:
    1. My DOB
    2. Name and address
    3. Photo ID number
    4. New account details
  7. Upload my banker's business card
All of which I did (not without a great deal of teeth-gnashing and hair-tearing). But the reason they needed my bank representative's business card is because all of the above is not enough and they also need to hear his voice confirming all of the above (presuming that if I was determined enough to commit fraud, I couldn't make up a business card with a dummy number). And that is where my agonising tale of woe should have ended, but no. I'm now experiencing a whole new level of pain. My bank, NatWest Private (too Private it would appear), are refusing to talk to anyone other than me about my account. Because of SECURITY.

Net result - boxes ticked on both sides, customer enraged, money stuck.

This might be an extreme example of security gone mad, but there's a real issue here. When are security measures excessive? We can't go on increasing levels of security to prevent the latest and most devious fraud tactic. It's not just witless and vulnerable citizens being affected by this escalating arms race between goodies and baddies. It's the hassle for employees and increasingly complex and expensive process requirements imposed by legislation and consultancies alike who consequently slow down the wheels of commerce. Everyone is running around covering their own arses in a box-ticking frenzy of maximum compliance and risk reduction. And when it comes to banks, they face a double jeopardy of compensating defrauded clients together with fines from class actions where lawyers prey on weaknesses and complicity at high levels. This is a nil-sum gain. Everyone, except lawyers of course, suffers exponential levels of pain - all to prevent baddies from grabbing what's not theirs (and now including another form of theft - loss of privacy).

So what's the solution? How are we going to get off this merry-go-round of increasing pain for all parties - albeit strengthening the purpose and value of London in its age of uncertainty and Brexit woe? What other city in the world would you trust as much for security? What a shame a place can create a reputation based on everywhere else being dodgier.

There are two approaches the world can take to make life easier and safer - ideally linked. The first is security simplification using increasingly sophisticated technology. The ability to prove who you are without delay, error, relying on memory or complication. The invention of blockchain is one example where improved verification and auditability is already being achieved. Expect lots more use of it - and cunning baddies who find ways of exploiting it. Other types of verification tech will assist including DNA, fingerprint, facial, voice and iris recognition techniques, probably combined. And not only with online / mobile verification, but also for crime detection in the environment... and then we need to question whether our governments are good guys or bad. And if bad, what can we do about it when protesting or opposing it becomes a crime? It won't just be China and Russia who use technology to protect their power bases. Trump threatened a few days ago to close media sources who weren't prepared to stop publishing views of the world that didn't align with his own.

The other approach is to increase surveillance and penalties for bad guys... and thus reducing civil liberties to assist detection and prevention. You're not a baddie until you do something bad... or PLAN to do something bad. So whilst hoping they catch every baddie who is caught doing something bad, and then throw away the key (more money for solving crimes and prisons please), serious issues arise about invasions of privacy to detect changing definitions of potential delinquency.

On the radio this morning there was an interesting report about the British Health Service (NHS) refusing to share anonymised patient data for research on the grounds that it breached data protection regulations despite the potential for lives to be saved by improving research. Another example of compliance, box-ticking and arse-covering trumping plain old common sense. Someone needs to bring all of this back into perspective, and that will only happen when leadership calls foul to media (who love to sell outrage) and lawyers (whose job it is to ensure compliance without judgement about exemption).

Right now I want maximum investment by governments and business to reduce security pain whilst making life not worth living for those who believe they have the right to take what's not legitimately theirs. And I want common bloody sense to see the light of day when security has clearly become a ridiculous game of over-elaborate compliance to avoid lawyer enrichment. But longer term, our ability to do what we want, when we want, with whom we want is under attack. Some would argue for our own safety, others for the safety of the systems established to protect us. The common good, or personal freedom. Which will triumph?

