No-one would suggest that we abandon security measures that are designed to frustrate fraud. But we all hate passwords, and we are all driven mad from time to time by security questions, photo IDs, queues at airports and now endless 'opt in' requests to enable holders of our data to use it. GDPR... OMG!
I am currently screaming at brick walls in a crazy loop that's preventing me from accessing my own money. It all started simply enough. I use a gold trading service called Bullionvault. To start trading, you deposit funds from your personal bank account, buy some gold (or other precious metals) which they store 'digitally' or physically for you, and then sell some or all of it while hopefully making a profit (fully taxed of course). Any money that you want to withdraw is then deposited in the same bank account that was used to open the account. All well and good... until you change your bank account.
Here is what I have to do before I can get hold of my own money:
- Fill out a form declaring I've changed banks, sign and upload it
- Upload a copy of my new bank account statement (I now bank online, so get no paper statements) which shows:
  - Name and logo of bank
  - Account name
  - Account number
  - Bank's address
- Upload a statement from my old bank account (also online)
- Upload photo ID
- Upload proof of address, e.g. utility statement
- Upload a letter from the new bank confirming:
  - My DOB
  - Name and address
  - Photo ID number
  - New account details
- Upload my banker's business card
Net result - boxes ticked on both sides, customer enraged, money stuck.
This might be an extreme example of security gone mad, but there's a real issue here. When are security measures excessive? We can't go on increasing levels of security to prevent the latest and most devious fraud tactic. It's not just witless and vulnerable citizens being affected by this escalating arms race between goodies and baddies. It's the hassle for employees and increasingly complex and expensive process requirements imposed by legislation and consultancies alike who consequently slow down the wheels of commerce. Everyone is running around covering their own arses in a box-ticking frenzy of maximum compliance and risk reduction. And when it comes to banks, they face a double jeopardy of compensating defrauded clients together with fines from class actions where lawyers prey on weaknesses and complicity at high levels. This is a nil-sum gain. Everyone, except lawyers of course, suffers exponential levels of pain - all to prevent baddies from grabbing what's not theirs (and now including another form of theft - loss of privacy).
So what's the solution? How are we going to get off this merry-go-round of increasing pain for all parties - albeit strengthening the purpose and value of London in its age of uncertainty and Brexit woe? What other city in the world would you trust as much for security? What a shame a place can create a reputation based on everywhere else being dodgier.
There are two approaches the world can take to make life easier and safer - ideally linked. The first is security simplification using increasingly sophisticated technology. The ability to prove who you are without delay, error, reliance on memory or complication. The invention of blockchain is one example where improved verification and auditability are already being achieved. Expect lots more use of it - and cunning baddies who find ways of exploiting it. Other types of verification tech will assist including DNA, fingerprint, facial, voice and iris recognition techniques, probably combined. And not only with online / mobile verification, but also for crime detection in the environment... and then we need to question whether our governments are good guys or bad. And if bad, what can we do about it when protesting or opposing it becomes a crime? It won't just be China and Russia who use technology to protect their power bases. Trump threatened a few days ago to close media sources who weren't prepared to stop publishing views of the world that didn't align with his own.
The other approach is to increase surveillance and penalties for bad guys... thus reducing civil liberties to assist detection and prevention. You're not a baddie until you do something bad... or PLAN to do something bad. So whilst hoping they catch every baddie who is caught doing something bad, and then throw away the key (more money for solving crimes and prisons please), serious issues arise about invasions of privacy to detect changing definitions of potential delinquency.
On the radio this morning there was an interesting report about the British Health Service (NHS) refusing to share anonymised patient data for research on the grounds that it breached data protection regulations despite the potential for lives to be saved by improving research. Another example of compliance, box-ticking and arse-covering trumping plain old common sense. Someone needs to bring all of this back into perspective, and that will only happen when leadership calls foul to media (who love to sell outrage) and lawyers (whose job it is to ensure compliance without judgement about exemption).
Right now I want maximum investment by governments and business to reduce security pain whilst making life not worth living for those who believe they have the right to take what's not legitimately theirs. And I want common bloody sense to see the light of day when security has clearly become a ridiculous game of over-elaborate compliance to avoid lawyer enrichment. But longer term, our ability to do what we want, when we want, with whom we want is under attack. Some would argue for our own safety, others for the safety of the systems established to protect us. The common good, or personal freedom. Which will triumph?