
Wading through the authentication quagmire


What do we do when efforts to preserve our privacy are more of an intrusion than the potential lack of privacy?

Take banks. We can all be the victims of identity theft and fraud. We need to be careful. So do banks. A generation ago, a few pieces of ID got a cheque cashed. No ID but handing over a bank book got a deposit made. In a branch across town or even across the country, a teller might call your home branch for verification. Computers made verification easier and quicker.

But in the arms race with the bad guys, banks added personal identification numbers (PINs), verbal passwords, questions about balances and “products” (mortgages, overdrafts, loans), schools, pets, mother’s first names, and government photo ID.

For a long time, two-factor authentication would work – government ID and a bank card with a PIN. A few questions might be asked with an unusual transaction or at a new branch.

When depositing, especially a small amount, I always wonder why a teller would care if a fraudster were depositing to my account. I say let them do it. If the cheque I’m presenting seems questionable, why not use the old policy of “holding funds” until it clears? Not to be too capricious, but some of my transactions are so pedestrian that they can wait a week or two until I return home. I can mail the cheque to my bank or use a bank machine. But once in the authentication lobster trap, it’s hard to get out.

I’ve recently experienced 16+ factor authentication that still depended on the kindness of strangers.

I travel with two credit cards to try to keep personal and business expenses separate.

On a recent trip, I tapped, slid, and inserted either one or both cards depending on the machine’s preference at gas stations, restaurants, clothing stores, and hotels. Many devices which seem to offer all three (tapping, sliding, inserting) really only offered one or two. Along the route, both cards were occasionally rejected.

After a few days it became obvious that one card was not functioning at all.

I called my bank to discover a new policy at the credit card company – “three strikes – you’re out.” Three attempted uses with the wrong PIN over several years, and the card is disabled. My banker told me I had to go into a branch to re-set the PIN.

I did. The smiling teller began staring at his computer.

On came authentications:

  1. Access card.
  2. PIN for access card.
  3. Driver’s license.
  4. Verbal password.

Then over came a more senior person, or perhaps the assistant to the teller. She wanted:

  5. Nexus card obtained via fingerprinting, retinal scans, and such.
  6. Recent credit card use.

I said I couldn’t be sure what had been posted.

She only wanted items which had been posted.

I recited the motel and breakfast at McDonald’s that morning.

She stared at her computer screen, and the teller stared at her.

My motel and breakfast choices did not seem to satisfy her, but I could only guess by reading body language. She was communicating more with the computer screen than with me. I suggested that she might be looking at the wrong screen.

Finally, she noted she was asking for the most recent use of the failed credit card, not the other card. I wish she had asked.

I explained again that I’d been on the road for 10 days and used whichever card worked wherever it worked. When one failed, I used the other. Some machines processed a tap, and others wouldn’t process anything. I did not keep a diary of uses and failed uses.

  7. I recalled a hotel from early in the trip when the disabled card seemed to work and a McDonald’s breakfast and clothing store purchase.

There was still no feedback from the person who said she was the manager.

  8. I began reciting every big purchase on the disabled card from the past two months.

This produced more staring at the computer. I found the lack of reaction very odd because when I log on to web banking, I can see several months of credit card activity. I then began offering the answers to the questions I’m usually asked at a branch if I’m depositing or withdrawing:

  9. Line of Credit and balance
  10. Business Account and balance
  11. Balances of other accounts
  12. Whether I have a mortgage and how much if so.
  13. Overdrafts
  14. Joint accounts
  15. Loans or other “products.”

The manager interrupted with the usual unhelpful and challenging phrase, “I’m trying to help you.” Not knowing whether there were dozens or hundreds more authentications, I suggested that she decide whether she’d allow me to re-set my PIN and, if not, just say “No,” and I’d leave. This prompted more staring at the computer with the first teller staring at her. The conversation also prompted the security guard to check his phone while standing behind me. He may have been helping to authenticate my authentications.

The manager protested that I would not let either of them speak when, in fact, the teller was not trying to speak, and the manager was repeatedly interrupting me. Her interruptions included that if I’d gone to a hotel and used my card and they let me into a room, then I should assume my card worked. I resisted cranking up a lecture about tautology as a rhetorical device, so I just indicated this was an infantile interjection. I also noted that her interruptions were more egregious because I’m the customer, even if not equal to mine.

In the end, the manager did me a big favour by allowing me to reprogramme my PIN by:

  16. Using my existing PIN on the blocked card.

Let’s consider quantitative risk analysis (QRA) in which I’m trained. Yes, someone could have picked up my wallet with my card and somehow seen various authenticating pieces of information – mother’s original name, birth dates, first school, first pet, and so on. However, the total of 16, with perhaps three combinations each, would equal two to the power of the variables. Even two to the 16th power is tens of thousands of possibilities. The likelihood of fraud is very low.

How about old-fashioned customer service? What if credit card companies called (yes, a human voice call) to tell me of a new security measure for my benefit? No humans who can speak at the company? How about a letter – “To serve you better, we’ve instigated …” Perhaps they can’t keyboard or can’t afford letterhead or a printer at the credit card company. Fine.

How about programming machines to report something more than “declined”? Or how about reverse authentication – text me to tell me the problem?

How about the banker looking the customer in the eye and saying, “Shame you’re having this problem on a long business trip. I can help. I’m at the mercy of the computer program but let me go through the steps with you – probably about a dozen. Is that OK?”

I bet international banks and credit card companies can’t have any influence over software creators in California. Yet the bank manager’s access to my full file, history of credit card use, and so on, just like she has access to my verbal password and such, might give her lots of options to verify that I am me.

I’ll leave retinal scans, fingerprints, palm prints, facial recognition, and voice recognition for another column and another debate. Let’s just say that, in this quagmire, there are more than a dozen options to break the logjam.

Oh … I arrived home to find that the bank had called my home number. No message was left, so I won’t count that as the 17th authentication factor. Then, about two weeks later, I think the bank manager or someone had the last laugh. I was sent a new credit card and informed to activate it since the existing one, which was only a month or so old, would be disabled. Let’s call that the 17th authentication factor.

Then my insurance company threatened to cancel my insurance because the credit card had expired, and several other service providers threatened to cancel the service provided.

I’m thinking I might have better luck without authentication and taking my chances with fraudsters.

Allan Bonner was the first North American to be awarded an MSc in Risk, Crisis, and Disaster Management. He trained in England and has worked in the field on five continents for 35 years. His latest book is Emergency! – a monograph with 13 other authors on the many crises that occurred during the pandemic.


© Troy Media