Skip to main content

Has security gone too far?

No-one would suggest that we abandon security measures that are designed to frustrate fraud. But we all hate passwords, and we are all driven mad from time to time by security questions, photo IDs, queues at airports and now endless 'opt in' requests to enable holders of our data to use it. GDPR... OMG!

I am currently screaming at brick walls in a crazy loop that's preventing me from accessing my own money. It all started simply enough. I use a gold trading service called Bullionvault. To start trading, you deposit funds from your personal bank account, buy some gold (or other precious metals) which they store 'digitally' or physically for you, and then sell some or all of it while hopefully making a profit (fully taxed of course). Any money that you want to withdraw is then deposited in the same bank account that was used to open the account. All well and good... until you change your bank account.

Here is what I have to do before I can get hold of my own money:
  1. Fill out a form declaring I've changed banks, sign and upload it 
  2. Upload a copy of my new bank account statement (I now bank online, so get no paper statements) which shows:
    1. Name and logo of bank
    2. Account name
    3. Account number
    4. Bank's address
  3. Upload a statement from my old bank account (also online)
  4. Upload photo ID
  5. Upload proof of address eg utility statement
  6. Upload a letter from the new bank confirming:
    1. My DOB
    2. Name and address
    3. Photo ID number
    4. New account details
  7. Upload my banker's business card
All of which I did (not without a great deal of teeth-gnashing and hair-tearing). But the reason they needed my bank representative's business card is because all of the above is not enough and they also need to hear his voice confirming all of the above (presuming that if I was determined enough to commit fraud, I couldn't make up a business card with a dummy number). And that is where my agonising tale of woe should have ended, but no. I'm now experiencing a whole new level of pain. My bank, Natwest Private (too Private it would appear), are refusing to talk to anyone other than me about my account. Because of SECURITY.

Net result - boxes ticked on both sides, customer enraged, money stuck.

This might be an extreme example of security gone mad, but there's a real issue here. When are security measures excessive? We can't go on increasing levels of security to prevent the latest and most devious fraud tactic. It's not just witless and vulnerable citizens being affected by this escalating arms race between goodies and baddies. It's the hassle for employees and increasingly complex and expensive process requirements imposed by legislation and consultancies alike who consequently slow down the wheels of commerce. Everyone is running around covering their own arses in a box-ticking frenzy of maximum compliance and risk reduction. And when it comes to banks, they face a double jeopardy of compensating de-frauded clients together with fines from class actions where lawyers prey on weaknesses and complicity at high levels. This is a nil-sum gain. Everyone, except lawyers of course, suffer exponential levels of pain - all to prevent baddies from grabbing what's not theirs (and now including another form of theft - loss of privacy).

So what's the solution? How are we going to get off this merry-go-round of increasing pain for all parties - albeit strengthening the purpose and value of London in its age of uncertainty and Brexit woe. What other city in the world would you trust as much for security? What a shame a place can create a reputation based on everywhere else being dodgier.

There are two approaches the world can take to make life easier and safer - ideally linked. The first is security simplification using increasingly sophisticated technology. The ability to prove who you are without delay, error, relying on memory or complication. The invention of blockchain is one example where improved verification and auditability is already being achieved. Expect lots more use of it - and cunning baddies who find ways of exploiting it. Other types of verification tech will assist including DNA, fingerprint, facial, voice and iris recognition techniques, probably combined. And not only with online / mobile verification, but also for crime detection in the environment... and then we need to question whether our governments are good guys or bad. And if bad, what can we do about it when protesting or opposing it becomes a crime? It won't just be China and Russia who use technology to protect their power bases. Trump threatened a few days ago to close media sources who weren't prepared to stop publish views of the world that didn't align with his own.

The other approach is to increase surveillance and penalties for bad guys... and thus reducing civil liberties to assist detection and prevention. You're not a baddie until you do something bad... or PLAN to do something bad. So whilst hoping they catch every baddie who is caught doing something bad, and then throw away the key (more money for solving crimes and prisons please), serious issues arise about invasions of privacy to detect changing definitions of potential delinquency.

On the radio this morning there was an interesting report about the British Health Service (NHS) refusing to share anonymised patient data for research on the grounds that it breached data protection regulations despite the potential for lives to be saved by improving research. Another example of compliance, box-ticking and arse-covering trumping plain old common sense. Someone needs to bring all of this back into perspective, and that will only happen when leadership calls foul to media (who love to sell outrage) and lawyers (whose job it is to ensure compliance without judgement about exemption).

Right now I want maximum investment by governments and business to reduce security pain whilst making life not worth living for those who believe they have the right to take what's not legitimately theirs. And I want common bloody sense to see the light of day when security has clearly become a ridiculous game of over-elaborate compliance to avoid lawyer enrichment. But longer term, our ability to do what we want, when we want, with whom we want is under attack. Some would argue for own safety, others for the safety of the systems established to protect us. The common good, or personal freedom. Which will triumph?


Popular posts from this blog

Phillips screws - yes I'm angry about them too

Don't get me wrong. They're a brilliant invention to assist automation and prevent screwdrivers from slipping off screw heads - damaging furniture, paintwork and fingers in the process. Interestingly they weren't invented by Mr Phillips at all, but by a John P Thompson who sold Mr P the idea after failing to commercialise it. Mr P, on the otherhand, quickly succeeded where Mr T had failed. Incredible isn't it. You don't just need a good idea, you need a great salesman and, more importantly, perfect timing to make a success out of something new. Actually, it would seem, he did two clever things (apart from buying the rights). He gave the invention to GM to trial. No-brainer #1. After it was adopted by the great GM, instead of trying to become their sole supplier of Phillips screws, he sold licenses to every other screw manufacturer in the world. A little of a lot is worth a great deal more than a lot of a little + vulnerability (watch out Apple!). My gromble is abo

Addictions. Porn, Drugs, Alcohol and Sex. Don't prevent it, make it safer.

In 1926 New York, during Prohibition, 1,200 people were poisoned by whiskey containing small quantities of wood alcohol (methanol). Around 400 died, the rest were blinded. The methanol they drank was in the moonshine they had bought illegally. In fact it had been added by law to industrial ethanol in order to make it undrinkable. Prohibition existed to protect everyone from the 'evils of the demon drink'. However, people still wanted to enjoy alcohol. So bootleggers bought cheap industrial alcohol and attempted to distill it to remove the impurities the state had added, but the process wasn't regulated. The state was inadvertently responsible for the suffering - although it was easy for them to blame the bootleggers and to justify escalating the war. This didn't stop the bootleggers. In fact it forced them to become more violent to protect their operations, and even less cautious about their production standards. Volumes of illicit alcohol, and therefore proportionat

The Secrets of Hacker Golf

Social media is awash with professional golfers selling video training courses to help you perfect your swing, gain 50 yards on your drive and cut your handicap. They might help a few desperate souls, but the rest of us hackers already know everything we need to complete a round of golf without worrying the handicap committee or appearing on a competition winner's list. What those pros don't realise is that for us hacking golfers who very occasionally hit shots that if you hadn't seen how they were hit, end up where the pros might have put them, we already know everything we need to know - and more. Unlike pros who know how to time the perfect swing in order to caress a ball 350 yards down the centre of a fairway, we hackers need to assemble a far wider set of skills and know-how to complete 18 holes, about which pros have no comprehension, need, or desire to learn. Here are some of them: Never select your shot until after you've hit it. A variation on this is to alway