Thursday, July 30, 2015

Banks: Protecting Yourself From the Invisible - Ignorance is Bliss But Only For the Moment

Knowledge is power – Francis Bacon

Knowledge is power only if man knows what facts not to bother with. - Robert Staughton Lynd

Knowledge is power. Information is power. The secreting or hoarding of knowledge or information may be an act of tyranny camouflaged as humility. - Robin Morgan

[Important updates are at the bottom of this blog post]

Some years ago, I attempted to use my US-bank issued credit card in NYC and was surprised to discover that it had been disabled.  Calling the bank, I discovered that copies of the card had been used in Germany, the US and Brazil within a two-hour span the previous day.  In the argument that ensued on the phone, where the call center person insisted that I must have been in Germany the previous day and just didn’t remember it, I reminded them that it was physically impossible to have gotten to three countries that far apart in two hours and she finally agreed and told me a new card would arrive in two days.  I didn’t understand the argument anyway since it was their suspicion of fraudulent use that had caused the card to be killed in the first place.
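The "three countries in two hours" reasoning above is exactly the check a card issuer's fraud engine runs, usually called an impossible-travel or velocity rule. The following is an added example, not code from the original post or from any bank: it takes a list of card-present transactions with merchant coordinates (constructed sample data), computes the great-circle distance between consecutive uses of the same card, and flags any pair whose implied speed exceeds a plausible maximum. The 1000 km/h threshold and the `CardTxn` record layout are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Hypothetical threshold: faster than any commercial flight, with slack for clock skew.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class CardTxn:
    card: str          # tokenised card reference, never the PAN
    when: datetime     # authorisation time (UTC)
    place: str         # merchant city, for the analyst reading the alert
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier, later, km, kmh) for consecutive uses of one card
    whose implied travel speed exceeds max_kmh."""
    by_card = {}
    for t in sorted(txns, key=lambda t: (t.card, t.when)):
        by_card.setdefault(t.card, []).append(t)

    alerts = []
    for seq in by_card.values():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.when - a.when).total_seconds() / 3600
            if hours == 0:
                # Same timestamp in two different places is impossible outright.
                if km > 1.0:
                    alerts.append((a, b, km, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((a, b, km, kmh))
    return alerts


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: card-A mirrors the Germany / US / Brazil pattern from the post,
# card-B is an ordinary New York -> Boston day trip.
SAMPLE_TXNS = [
    CardTxn("card-A", _ts("2015-07-20T10:00"), "Frankfurt DE", 50.11, 8.68),
    CardTxn("card-A", _ts("2015-07-20T10:40"), "New York US", 40.71, -74.01),
    CardTxn("card-A", _ts("2015-07-20T11:50"), "Sao Paulo BR", -23.55, -46.63),
    CardTxn("card-B", _ts("2015-07-20T09:00"), "New York US", 40.71, -74.01),
    CardTxn("card-B", _ts("2015-07-20T13:00"), "Boston US", 42.36, -71.06),
]

if __name__ == "__main__":
    for a, b, km, kmh in impossible_travel(SAMPLE_TXNS):
        print(f"{a.card}: {a.place} -> {b.place} is {km:.0f} km, "
              f"implied {kmh:.0f} km/h, exceeds {MAX_PLAUSIBLE_KMH:.0f} km/h")
```

The rule fires on both legs of card-A's sequence and stays silent on card-B. In a real issuer pipeline the same check would run on authorisation, not at end of day, so that the second transaction can be declined instead of merely alerted on.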

The next day I received a call from the bank telling me that when the new card arrived I was to destroy it because it had already been compromised and that a third card would be sent.

I naturally assumed it must have gotten lost in the mail (thereby creating an opportunity for compromise) and so you can imagine my surprise when the now-dead replacement card arrived the next day with the envelope security seal still in place.  The card had not been intercepted and so it was obvious that it had been compromised at point of origin.  When I called the bank to understand what was going on (part of my profession is in the area of technology security architecture on Wall St), I was told it was an internal matter and that the details were none of my business.

A few years later, I had a considerable sum of money drained out of an account of a US bank, had it replaced and then had the same cycle of events repeated a short time later.  When I asked the bank what was happening, I was told it was none of my business.  However, when I informed them that I was calling the police, they relented and explained what was happening.  It was sweet, simple and frightening.

Here’s how it works.  A person presents the teller with a group of bogus payroll checks written out to a bunch of people.  The checks are knowingly drawn against a valid account in the bank that is known to be empty.  The teller, who is in on the scam, processes all the checks and pays out cash to the person.  When the bank reconciles the checks at night, they realize that all the checks are NSF and they reach into each person’s account to take the money back (since they assume they have already paid THAT person cash earlier in the day and are therefore taking the bank’s money back and leaving it to that person to deal with the NSF check that they allegedly cashed but in reality have no knowledge of).
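The weak link in the scheme above is the night-time reconciliation: it assumes every payee account holder really stood at the counter, so it debits them blindly. As an added example, not code from the post or from any bank's systems, here is a reconciliation routine that refuses to auto-debit when the evidence does not support it. It groups the day's bounced cheques by teller and drawer account, treats several distinct payees bounced against one empty account by one teller as a cluster to be investigated, and holds those chargebacks (plus any where no payee identification was logged) instead of applying them. The record layout, the `payee_id_verified` field and the cluster threshold of three are assumptions for illustration; the sample cash-outs are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical threshold: distinct payees bounced against one drawer account
# by one teller in a single day before the batch is treated as a cluster.
CLUSTER_MIN_PAYEES = 3


@dataclass(frozen=True)
class CashOut:
    check_id: str
    drawer_acct: str          # account the cheque is drawn on
    payee_acct: str           # customer account the bank would debit if it bounces
    teller: str
    amount: float
    payee_id_verified: bool   # hypothetical: teller logged a photo-ID match for the payee


def reconcile_nsf(cashouts, nsf_check_ids):
    """Nightly NSF reconciliation.

    Returns (chargebacks, held, cases):
      chargebacks - bounced cheques safe to debit from the payee account
      held        - bounced cheques whose debit is suspended pending review
      cases       - one investigation record per suspicious teller/drawer cluster
    """
    bounced = [c for c in cashouts if c.check_id in nsf_check_ids]

    clusters = defaultdict(list)
    for c in bounced:
        clusters[(c.teller, c.drawer_acct)].append(c)

    suspicious = {
        key for key, items in clusters.items()
        if len({i.payee_acct for i in items}) >= CLUSTER_MIN_PAYEES
    }

    chargebacks, held = [], []
    for c in bounced:
        # A teller who is in on the scheme can tick the ID box, so the cluster
        # rule applies regardless of what was logged at the counter.
        if (c.teller, c.drawer_acct) in suspicious or not c.payee_id_verified:
            held.append(c)
        else:
            chargebacks.append(c)

    cases = []
    for teller, drawer in sorted(suspicious):
        items = clusters[(teller, drawer)]
        cases.append({
            "teller": teller,
            "drawer_acct": drawer,
            "checks": sorted(i.check_id for i in items),
            "payees": sorted({i.payee_acct for i in items}),
            "total": round(sum(i.amount for i in items), 2),
        })
    return chargebacks, held, cases


# Constructed sample day. Teller T7 cashes four payroll cheques drawn on the
# empty account D-9001 for four different payees; all four bounce overnight.
SAMPLE_CASHOUTS = [
    CashOut("C-101", "D-9001", "P-1", "T7", 820.00, True),
    CashOut("C-102", "D-9001", "P-2", "T7", 910.50, True),
    CashOut("C-103", "D-9001", "P-3", "T7", 775.25, True),
    CashOut("C-104", "D-9001", "P-4", "T7", 1000.00, True),
    CashOut("C-105", "D-7700", "P-5", "T7", 150.00, True),   # clears normally
    CashOut("C-200", "D-5500", "P-9", "T2", 300.00, True),   # genuine bounce, ID logged
    CashOut("C-300", "D-6600", "P-10", "T3", 450.00, False), # bounce, no ID logged
]
SAMPLE_NSF = {"C-101", "C-102", "C-103", "C-104", "C-200", "C-300"}

if __name__ == "__main__":
    cb, held, cases = reconcile_nsf(SAMPLE_CASHOUTS, SAMPLE_NSF)
    print("debit now:", [c.check_id for c in cb])
    print("held:     ", [c.check_id for c in held])
    for case in cases:
        print("case:", case)
```

Only C-200 is debited; the four T7 cheques and the unverified C-300 are held, and one case record names the teller, the drawer account and the affected payees so the branch can review surveillance before any customer is charged.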

The bank wouldn’t explain this until I brought the police in and secured bank surveillance video.  Until that moment, what was happening was none of my business according to the bank, even though it took a couple of weeks of hassle, paperwork and affidavits every time to prove that I hadn’t taken the cash and wasn’t trying to defraud the bank.  During the first incident, one of the bank support people even suggested “Maybe your wife is taking the money and not telling you.  How strong is your marriage?”

I and a number of other people in that bank were guilty until proven innocent every time one of these incidents occurred.

In the investigation, the bank manager admitted that this happens a lot but “It’s ok, the customer always gets their money back”.  This may be so from their perspective but in addition to the inconvenience, someone is paying for the reimbursement of my money since the bank doesn’t eat the loss.  Despite CDIC, FDIC and other insurance vehicles, the responsibility for paying for it eventually trickles back to the customer.

Meanwhile, in Alberta …

A few days ago, I received two calls from my bank in Alberta.  I ignored the calls initially because the caller ID said “Alaska”, so I assumed it was a scam call or a wrong number.  When I finally played the voicemail, it said that I needed to get to a branch immediately.  It sounded like a scam so I called the bank and they confirmed that “yes, it is imperative that you get to your branch immediately”.  When I asked “why?”, I was told politely that it was none of my business.

I went to the branch which was filled with people getting their cards replaced so I knew this wasn’t a one-off incident affecting just me.  When I asked the teller what was going on, she told me that she wasn’t allowed to tell me and that all cards (debit or credit) I had with the bank should be replaced immediately.

I asked if the cards were being skimmed (since such information would help me avoid certain vendors or locations), if my online account had been compromised (requiring me to change my login credentials), if the bank had been compromised by an outside entity or if an internal miscreant had gotten up to no good.

I was politely told it was none of my business but as a precaution, I should change my PIN daily.  “Daily?”, I asked, “What is going on that you are recommending this?”

“I can’t tell you”, she replied.

Since I had been out of province the previous week, I asked the teller “How could I have gotten to a branch last week when this bank has none where I was?  What would happen then?  Can you kill my cards and get new ones to me where I was?”

Her answer was “No – we can’t do that.  We would try to figure something out.”

How comforting.

I asked on Twitter what the issue was and was told very politely that “We take security seriously and for this reason, we can’t tell you”.  My email to customer support politely asking for details went unanswered.

The bottom line from the bank:

“Be vigilant against a threat that we won’t tell you about.  It doesn’t matter – you always get your money back so why do you care?”

It reminds me of all the times Homeland Security would tell us to be very careful in a certain part of Manhattan.  When we would ask “What are we looking for?” we’d be told “we can’t tell you, but let us know when you see something unusual or abnormal”.  It’s NYC – what do you define as “normal”?

It also reminds me of the time when a bank that I was consulting for was allowing its consultants to host a porn site on the same servers as our customer-facing websites.  I reminded senior officials that not only was this neither legal, ethical nor moral, but a compromise of the porn site (since porn sites are favorite targets for attacks) would reveal a smorgasbord of client information from the bank.  The bank indicated that “what customers don’t know won’t hurt them”.  They finally took the porn site down when the threat of a public leak became apparent.

So security wasn’t the issue – public relations was.

The Bottom Line

Security in our society, whether it be our physical safety, the safety of our bank accounts or anything else, begins when we are informed and when the institutions we work with are transparent, forthcoming and honest.  We can’t make intelligent choices if we don’t know what threatens us.

The suggestion that revealing some “secret” to the public would enable the criminal or tell the criminal that “you are onto him / her” doesn’t hold water.

Here’s a newsflash – the criminals already know how to do whatever they want.  In fact, they are likely thinking about compromises that we haven’t even thought of yet, so they are actually ahead of the people and organizations that they are targeting.  They also know that the likelihood of getting caught these days is slim, making what they are doing very lucrative and risk-free from their perspective.  For every high-profile case proudly trumpeted by law enforcement as “solved”, many more are not solved until the damage done is significant, or are never solved at all.

Groups like Anonymous and groups backed by other governments hack into government agencies like CSIS, the NSA and other groups at will.  It’s time to be honest with people that total security doesn’t exist.  Even things like air gaps within technology architecture have been compromised.

The reality is that revealing cracks in security is very bad for business and for consumer / public confidence.  The first institution that can openly demonstrate that they are secure will be able to garner quite a bit of business from their competitors.

Well … maybe.  The reality is that security of anything is impossible.  We accept freedom and flexibility and in exchange, we trade away privacy and security.  Since this is our reality, society would be more secure if we worked together, instead of the organizations who are charged with protecting us and our “stuff” forgetting who works for whom.

As for my bank, all of my cards are chipped and yet banks insist that chipped cards have not and cannot be compromised.

Uh huh.

Here’s another newsflash – the chip technology was compromised before the banks finished rolling it out. Not only does the chip not protect you from anything, but technology exists to allow people to lift your card info from your pocket, wallet or purse without them ever seeing your cards (read Flaw in New “Secure” Credit Cards Would Allow Hackers Steal $1M Per Card).

When we can have an honest, transparent conversation, maybe then we can start working together towards a better society, each of us protecting ourselves and the other as a result of this dialog.

Until then, we will dance around security and privacy until something really bad happens.

And then we will all act surprised, angry, indignant, outraged or anything else.

But we will only have ourselves to blame, having accepted “none of your business” as a perfectly valid response to “What is happening?”, “Why did it happen?” or “What are you doing to prevent it or mitigate my risk or exposure?”

What do you think of that?

With all of the enhanced technology, processes, methodologies and frameworks in the IT industry, you would think that we would be safer now than ever before but the reality is that we are less secure today than we were 20 years ago.

I’d tell you more but it’s none of your business. :)

In service and servanthood,

Harry

Addendum – A Response – July 30, 2015

In all transparency, the financial institution in question sent me a note after this blog post was published:

Thank you so much for reaching out to us, I truly value the time you put in to send us this note.

We’ve identified that there may be a compromise in an area that you’ve used your debit card. For this instance we’ve reached out to many clients to be proactive and have their cards replaced with a new PIN.

I apologize for the lack of information around this because we’ve also recognized that the areas and stores affected are victims as well. This is a precautionary measure as we want to protect our direct clients as much as we can.

Hope this sheds some more light.

I appreciate the note but have a few observations regarding it which I sent back to the bank:

  1. It would be useful if the tellers, people on the phone and on social media could have explained this – it would have avoided some confusion.
  2. It still doesn’t explain why I need to continue to change my PIN daily even though I have a new card.  It is as if they are anticipating that I will have new transactions in compromised areas.
  3. I was told that all debit AND credit cards need to be replaced.  This references debit cards only.
  4. Pursuant to the previous point, they don’t tell me where the issue is.  I understand protecting “other victims” including businesses and areas but if we are destined to conduct other transactions in known compromised areas, I and other customers will merely recreate our problems since we don’t have enough info to avoid problem areas.
  5. The teller did admit that a specific range of card numbers was affected.  A specific range of card numbers is not the same as a random selection of customers and so the information is not consistent and potentially suspect until clarified.
  6. The person on the phone said that if I didn’t receive notification of compromise for other cards, then I shouldn’t change them.  The person at the bank said I must change them regardless.  Erring on the side of safety is important but clarity and consistency in messaging is equally important and less confusing, especially when no other details are being offered.

Knowledge is only power when sufficient knowledge is provided AND it is applied.

One of the key ways of acquiring knowledge is through asking questions that matter.  We tend to focus on asking questions about the unimportant while not asking them about the things that matter (or we accept an answer that we know is insufficient but we don’t want to press the point).

Accountability, transparency and knowledge are created and shared when the right questions are asked and appropriate answers are demanded.

Do you ask questions or do you not care?

Does it matter?

Are you sure?

How do you know?

Addendum 2 – Insider Update – July 31, 2015

In speaking to my sources in banking and law enforcement, they have indicated that a sweeping federal investigation encompassing at least 5 Canadian banks is in progress.  I was given the names of the banks but cannot reveal them here due to the nature of the investigation.

It is because the federal investigation is in progress that the institution noted here cannot reveal the areas / vendors involved, etc.  Sadly, because of this constraint, the problem has a slight risk of spreading to new victims while the investigation is going on (or ensnaring original victims).  There is some concern also about whether the losses will be covered under CDIC or not but that is a subject for someone else to debate.

That being said, secrecy around such investigations while they are in progress makes perfect sense and is often essential for the successful conclusion of the investigation.

What makes better sense for this institution in this case is to just tell the truth.  By doing so, they don’t reveal any secrets, they don’t endanger or compromise the investigation and they can assure customers using facts that the right people are looking at the issue effectively and appropriately.

Transparency works a lot better than avoidance and when done effectively, intelligently and strategically, provides the information necessary to maintain the strength of a business / customer relationship.

It just requires a little effort and resonates better than “none of your business”, especially when it’s your money, security, privacy, etc. :)
