Protect your data

Compulsory ID cards are instruments of evil. They will not protect you from crime and will not make you safer, unless they end up produced out of bomb proof kevlar and big enough to wear. They serve no purpose for any member of the public but will cost you money. The only conceivable reason why the government is so keen to force the British public into paying for them is to allow the intelligence and security agencies unparalleled access to personal data and activity.

This is actually the only bones to the “make you safer” argument, in that by allowing the Police / Security services access to your ID card data (which would, one assumes, include all the locations where your ID has been checked and what purposes it was checked for) it will increase their ability to find criminals and terrorists. If you have read any of my previous posts you will be well aware that I think this is very, very, wrong. But this is an argument for another day. Today’s ironic turn of events is that even if MI5 have all your data and are watching your every move it won’t help – because al-Qaida are actually working for MI5 in the first place.

From today’s Guardian:

A senior Tory MP today called for an investigation into whether MI5 mistakenly recruited al-Qaida sympathisers.

Patrick Mercer, the chairman of the counter-terrorism subcommittee, said six Muslim recruits had been thrown out of the service because of serious concerns over their pasts.

The MP said he was writing to the home secretary, Alan Johnson, to call for an investigation into the matter.

Two of the six men allegedly attended al-Qaida training camps in Pakistan while the others had unexplained gaps of up to three months in their CVs.

The irony here is really not lost on me and points to two issues.

First off, and possibly most importantly, no matter how much vetting takes place BADPEOPLE™ will get into the police or government. This has been the case since the dawn of secrecy. By their very nature spies are people who are able to infiltrate the highest levels of an organisation by appearing trustworthy. Equally, as the police and intelligence/security services well know, agents are people who are currently trusted by an organisation but are vulnerable to being exploited by hostile groups. This is done all the time against “enemies” (criminal or political), and it is even done in the “civilian” business world. I am sure this is stating the obvious but it is important background.

Knowing this, do you think that having all your identity data in one central location is a good idea? For ID cards to work, huge swathes of people need to be able to access the database – which causes errors. The data has to be entered and maintained, which causes errors. These are accidental problems which would be bad enough. Criminals and terrorists have the funding and will to deliberately corrupt the data. The concept of an ID card moves the burden of proof from the government to the “innocent until proven otherwise” citizen. Do you have the resources and will power of an organised crime gang or terrorist group?

If a criminal can compromise one aspect of your ID data that is a BADTHING©™® but you can take steps to rectify it, knowing that it shouldn’t lead to a cascade of ID failures. Stealing your National Insurance number, for example, shouldn’t lead to them getting access to your bank account details or your driver’s licence. Crucially, should a criminal use your NI Number – and nothing else – in the process of a crime (odd but possible) then it is unlikely that you would be the suspect. However, with a central ID card that is not the case.

Now back to MI5 and the other police and security agencies. Given the number of people involved, and recent large scale recruitment campaigns, it is unfathomable that some bad eggs haven’t slipped through the net. In the case of MI5 the pay is so pitiful by London terms that it is equally certain that there are some members of the organisation who would be open to financial corruption – not to mention the ones who could be co-opted in a million different ways. Do you trust them with all your data? Do you trust them to treat you fairly at all times?

Secondly: what sort of crazy world is it where “unexplained gaps of up to three months” in your CV mean you are a terrorist? I hope they never see my CV, otherwise it’s Gitmo for me. Or is it just 3+ month gaps in the CV of people of middle-eastern descent? What is happening?

I’d say the world had gone mad but it seems an understatement. What really worries me is an old saying that keeps going round my head about when everyone else in the world seems mad it’s probably you…

Banks continue to control us

Untouched by their reckless behaviour (and blatant lack of any real knowledge of the mystical “market forces”) the true leaders of the Western World continue to flex their muscles and show that the interests of ordinary people are, on the whole, irrelevant. They remain blind to the contradiction in demanding huge public subsidies, then refusing any form of public control. They continue to assert, in the face of obvious evidence to the contrary, that “they know best” over the current financial crisis. They ignore the problem of begging money with one hand, and paying out huge bonuses to their own staff with the other. They know they are so important that whatever they do we, the public, will continue to bow to their demands. It beggars belief how most banks haven’t been declared International Terrorist Organisations – they demand money and threaten global meltdown if we don’t comply, they have a non-democratic influence in governmental policy and are happy to crush small businesses; the only thing missing is they aren’t (on the whole) Islamic.

Anyway, enough of that rant. You could easily be excused for thinking that giving a bank your money (often paying for the privilege) would mean it stayed your money and the bank just looked after it (although they would use it to make more money for themselves). You would be excused for thinking that you should be able to get access to your money. You would, however, be wrong.

Not content with charging customers £1.75 for cash withdrawals (except those customers well off enough to be able to get to the increasingly rare free cash machines [ATM], if they can find a working one), the banks are now unveiling measures to make it harder for you to use your cash/credit card. All in the name of security though… so that makes it ok…

A few years ago we heard how Chip and PIN was being brought in to prevent card fraud. Gone were the days in which your signature was enough to prove who you were, now all it took was a 4 digit PIN. This seemed like madness, and in fact creates the current situation where my wife can use my card without anyone noticing she is not a Mr, but the banks were adamant it would prevent fraud. They added to this the demand for every Cardholder Not Present (CNP) transaction to use the 3 digit verification number (CVV) on the back of the card (ironically where the pointless signature strip lives). It was claimed that this would reduce CNP fraud and the two measures would reduce fraud to such an extent that their costs would be negligible.

Except, it never worked out like that.

People buy things over the internet, and give out their CVV with alarming ease – every time you do an online transaction you are asked for it – so after a while it becomes impossible to use this as verification. You would like to think the people you are carrying out an online purchase from are PCI-DSS accredited, but do you check? Do you read through their audits to make sure your holy grail of card number and CVV are safe? Do you assume the credit card companies are doing that? The padlock icon is just to tell you that the data link between you and the shop is secure, it says nothing about the long term storage of your data. I have even seen companies that email out a receipt with the card number in full and the CVV code used – all in a plain text email… Far from secure.
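The plain-text receipt failure described above can be caught before the mail leaves the merchant. The following is an added example, not part of the original post: a check that finds Luhn-valid card numbers and labelled CVV values in an outgoing receipt body, masks the card number to its last four digits and removes the CVV. The sample receipt, the function names and the label patterns are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped with spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3-4 digit value that follows a security-code label (assumed label spellings).
CVV_RE = re.compile(
    r"\b(cvv2?|cvc2?|cv2|security code)"
    r"(\s*(?:code|number|used)?\s*[:=#]?\s*)(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_receipt(body: str):
    """Mask full card numbers and strip CVV values from a receipt body.

    Returns (scrubbed_body, findings) where findings lists what was found,
    in order, as "pan" or "cvv". An empty list means nothing was flagged.
    """
    findings = []

    def mask_pan(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # order or phone numbers are left alone
        findings.append("pan")
        return "*" * (len(digits) - 4) + digits[-4:]

    def drop_cvv(match):
        findings.append("cvv")
        return match.group(1) + match.group(2) + "[removed]"

    body = PAN_RE.sub(mask_pan, body)
    body = CVV_RE.sub(drop_cvv, body)
    return body, findings


# Constructed sample: 4111 1111 1111 1111 is a well-known test card number,
# and the order number is deliberately not Luhn-valid.
SAMPLE_RECEIPT = (
    "Thank you for your order no. 1234567890123.\n"
    "Card number: 4111 1111 1111 1111\n"
    "CVV used: 123\n"
    "Total charged: 300.00 GBP\n"
)

if __name__ == "__main__":
    cleaned, found = scrub_receipt(SAMPLE_RECEIPT)
    print(found)
    print(cleaned)
```

A mail gateway or the receipt template's own tests can refuse to send any message for which the findings list is not empty.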

Anyway, it seems that despite these new measures the banks are still suffering almost as much fraud as before (which begs the question…) and have now unveiled new measures. Basically they will look at your transactions and if the bank thinks you are doing something unusual they will block your card. It’s crucial to note here that this happens if the bank thinks you are doing something odd. They will monitor your activity and then make a decision as to whether your behaviour falls within their idea of what is normal. The BBC report on this is interesting:

A leading bank is introducing new technology that will mean every credit card transaction is scrutinised for fraud.
HSBC is introducing the programme, which will affect 10 million card accounts and millions of transactions.

Hmm. You have to wonder what other data the HSBC will be able to mine from this, but we will leave the big brother rant for another day.

The banking industry has warned that more legitimate transactions will be queried or cancelled as a result.

So, what they are basically saying is that because the banks are losing money, ordinary people will be inconvenienced even more than normal. Imagine the scene, you are on holiday in a foreign country (several time zones away), you go for a meal and pay with your card. Only to have your card rejected. What do you do? The banks don’t care. You have to do the running to get everything sorted and can’t even claim back any costs incurred from the bank’s mistake. Outrageous. The standard banking advice is to tell your bank when you are going on holiday but this is crap. It rarely works. From the same BBC page:

When Sally Wiber went on holiday to Borneo, she followed industry advice and told her bank where she was going.
But her credit and debit cards were blocked when she tried to use them on her first day.
“I spent much of the first day trying to deal with my bank and getting internet access, and then had a rather frustrating phone call trying to make sure that I could use my cards for the rest of my holiday,” she said.

Wonderful eh? I can support this from personal experience. My employment has me travelling around Europe a lot. My bank know this. I have told them about my travel and they know my job. However, in France last year, despite my bank being told in writing about my travel, my card was blocked on the second day. I used it on the first day to withdraw cash and make purchases, but on the second day it was decided my activity was unusual. Apparently, as I was on a family holiday, I had been committing the heinous crime of buying presents… I had told the bank I was going on a family holiday. The first day’s purchases (to a greater value) were fine, but the second day triggered something. The biggest problem I faced here was being stuck, in France, with no phone and no bank account and no money. How do you resolve that?

Does the banking industry care? Again from the BBC:

But Mark Bowerman of the card issuers’ trade body APACS said it was something consumers would have to accept.

That is a “no” then. He continues:

“If we as customers expect banks to do something about this we have to expect that from time to time we’ll be in a shop and the transaction will be queried or card declined. These systems are designed to stop cards being used fraudulently, so if that’s the price we have to pay I think people should be prepared to pay that price,” he said.

Crikey, doesn’t that sound like the war on terror? It actually reads that because the banks want to put a stop to card fraud people have to pay the price. I love the glib way he says that from time to time we’ll have a transaction declined. Like it doesn’t mean anything. Like it doesn’t mean embarrassment and possible legal problems for you when it happens. Try paying for a meal, having your card declined and then explaining that’s just the price you have to pay. Please let me know how far it gets you.

The BBC continues:

Spending large amounts of money or using your card frequently can trigger the alarm at the user’s bank, and with so much fraud taking place abroad, the same goes for using a card outside the UK.

So, basically, using your card can trigger alarms. This happened to me a few weeks ago when I was buying a new suit. I used a credit card that gives me loyalty points, and as I pay it off in full each month I was well within my credit. I spent a while buying an expensive new suit in the January sales, with a shop assistant fawning over me. When it came to pay, I handed my card over (knowing I had a credit limit more than £2000 over the cost of the suit and coat) only for it to be rejected. Shame is an understatement. Queue of people behind me and a shop assistant now convinced I am a petty thief. All because I tried to spend £300 in one transaction, rather than lots of £50 transactions.

There is a solution, and one which may shoot the credit card companies in the foot, but one I am heading towards more and more. Give up with the card. Credit cards are different, as they enable you to spend money you don’t have, but you can live without your bank card. This is the travel advice from ABTA on the BBC, to try and get round the problem of having your card blocked at random:

Take a range of payment methods. Take cash for immediate expenses, take two cards, preferably from different banks and take travellers’ cheques as well for extra security if it goes disastrously wrong.

Why go to all this trouble? The only reason you would take the cards is to spend your money abroad. If you take cards with cash and traveller’s cheques as “backup” you are mad. The card is a back up for the other two, but now you can’t trust it. If you have a backup you can’t rely on, it is worthless, so don’t take the cards. Go abroad with a bit of cash and traveller’s cheques. You don’t need anything else.

Equally, given the disastrous savings rates, you could probably live your day to day life cash only. Wouldn’t that be weird?

Just to show how effective the banks’ previous anti-fraud measures have been:

Card fraud is rising – up 14% in the first half of 2008 – and fraud abroad now accounts for 40% of all card crime.

Not very effective then. What is the future for these new checks? Will they learn enough to allow people to go on holiday? Will they work?

What we have seen with chip and pin – it was successful for 18 months, two years – the fraudsters have worked a way round it, so we are now looking at more sophisticated means.

So then, in 18 months we will be encumbered with a system causing us problems, making sure we can’t rely on our cards (defeating the purpose of them) and it won’t be stopping fraud.

Wonderful.

In the kingdom of the blind

(This is my attempt to play one-eyed man in the kingdom of the blind. And rant. About money.)

The BBC’s Have Your Say invited people to comment on whether they are “worried” about the collapse of sterling to approximately the level of the Euro.

Most people – including me – understand absolutely nothing about international exchange rates beyond whether it will cost more to go on holiday. So, you could predict that most commenters would be complaining about not being able to spend as much in their fortnight in Spain. With the odd exporter or hotelier seeing it as good for their business. Fair enough.

Harder to understand are those commenters who see the collapse in the value of the pound as the fault of the UK Labour government (which they also persist in seeing as being committed to socialism, in the face of the evidence of years of NewLabour devotion to the demands of big business.)

Ignore the fact that even Bush’s government has gone further towards nationalisation than has the UK government, making at least some demands in return for the injection of billions into the banking system. Our government can’t even make the generously-supported banks respond to the interest rate cuts that were made just so that they’d pass them on and lend money.

Can people really not see that the near collapse of the western economies is:
(a) the result of the workings of capitalism, pure and simple. Capitalist economies must have boom and bust. It’s inherent in the system. How did we delude ourselves that a few years of relative prosperity in the system somehow meant the end of history?
(b) global. We’ve been going through decades of globalisation. No one government can shape the global economy. If any one country can have a real impact, it would have to be the US. The UK is just a bit player.

Free movement of capital, freedom of currency markets, and so on. All that Chicago School economic bullshit that convinced global governments that allowing the rich to keep on getting immeasurably richer was necessarily good for everyone.

My inherent cynicism about the economic system was shown to be actually childishly naive by the Madoff story. The BBC finally gave it a billing today, under the headline “Banks hit worldwide by US fraud” (showing that the UK is just as bad as the US when it comes to ignoring any news that doesn’t involve its own nationals. It’s news, now, only because British banks have been seen to have been ripped off as well.)

Some of the world’s biggest banks have revealed they are victims of an alleged fraud which has lost $50bn (£33bn).

$50 billion. A fair proportion of the amounts that taxpayers have stumped up to prop up the banking system. That’s a good few dollars for every person on planet earth, including the millions who never see a yankee dollar’s worth of cash from one week to the next.

The head of the Nasdaq. LOL seems inadequate, but I’m saying it anyway. That’s the head of the Nasdaq. Whole economies rose and fell on the whims of the Nasdaq.

US prosecutors say Mr Madoff, a former head of the Nasdaq stock market, masterminded a fraud of massive proportions through his hedge fund and investment advisory business.
Mr Madoff is alleged to have used money from new investors to pay off existing investors in the fund. (from the BBC)

Isn’t that called a “long-firm” con, in the criminal world?

Who would imagine that national Serious Fraud Offices and Securities and Exchange regulators and the heads of international banks wouldn’t spot one of the oldest scams in the Book of Old Scams? They really should have read more crime novels and “true-life” gangster confessions. Because reading balance sheets doesn’t seem to have been their strongest suit.

I love this casual aside in the BBC report. (That’s “love” in the sense of “grudgingly admire the bare-faced cheek while being incredibly grateful that I’m too poor and profligate to have any money to invest”)

Among the potential losers is Spain’s largest bank, Santander, which owns the UK High Street banks Abbey, Alliance & Leicester and Bradford & Bingley.
The bank had a direct exposure of 17m euros ($23m; £15m), but clients of its Optimal fund management unit have another 2.3bn euros invested in the firm run by Bernard Madoff.

So the bank lost 17 million euros to the scam. Small change by the standards of current losses. On the other hand, the customers who trusted the bank’s investment nous lost 2.3 billion euros. (2.3 billion euros: savings, pension funds, jobs, services, yada yada yada.)

Inside or outside the casino, it looks as if “the bank never loses.” Well, not its own money, anyway.

Bank Security?

Here in the UK things such as ID-theft and bank fraud are “big news.” It feels like almost every day there is a news item about the government or large organisations losing personal data or a scare about how many people are out there stealing our online banking details. While I have a professional interest in people worrying about information security (and will provide a wonderful consultancy service for a discount if you quote WhyDontYou Blog) I have to say there is more than a small dose of hype and overkill in this.

That said, there is a risk and it is only sensible that people are aware of the potential risks and given the correct advice to mitigate against them.

The important bit is the “correct advice.”

In the UK at least, the Banks are largely responsible for making good any fraudulent use of an account unless they can prove it was the account owner’s fault. This is a good thing and while the banks will suffer a bit because of some stupid people, the majority of “innocent” victims are protected.

Obviously the banks don’t like this. They could take measures to improve their banking security or they could take measures that give a superficial improvement but, on the whole, only shift the burden onto the account holder. Not too long ago, in the UK, if you wanted to buy something with a card you had to sign to prove who you were. The shop owner compared this with the signature on the card and verified your ID – if they were in doubt, they could seek additional documentation. Despite what people think, signatures are hard to forge. This method also forced the shop keeper to physically check the card and read the details.

Despite this, there was still some residual fraudulent activity so the banks changed the process to “Chip and PIN” where you now enter your card into a reader and type in a 4 digit PIN. Wonderful. This is a reasonably secure system but it has a few pitfalls. The most basic is that often the shop staff have no contact with the card during the transaction. This means they don’t carry out the basic authentication check of seeing if the person before them is the owner of the card. My wife regularly uses my credit card to shop, because nowhere we go checks that the person in front of them is Mr **** ****** despite it saying that on the front of the card in big letters. This is less important because the 4 digit PIN becomes the safeguard, but basically, it makes it easier to pass off a cloned / fraudulently created card – 4 numbers are reasonably easy to find out or, if the card is “created” then they are irrelevant. As far as security goes, this is (largely) marking time. But it does the important task of moving the burden away from the bank.

The latest brainwave the banks have come up with actually annoys me.

Barclays Bank has decided to implement “PINsentry” when you log into their online banking or try to make online payments. Wonderful idea. Well, maybe.

In a nutshell, they have sent everyone a card reader that you use when you log in. To do online banking, you enter your password (etc) as normal, then you have to enter your card into the reader, get an authorisation code and enter that. All well and good – in fact this is a wide scale implementation of a time-worn authorisation system. Previously the entry system was username+password, then a “secret” code. Now the secret code has been replaced by this token generation system.

The problem is that it undermines one of the reasons you do online banking. For me, I like to use online banking from various locations – I often use it from work and if I am travelling. If I were a Barclays’ customer I would now be forced to carry this bloody stupid PINsentry device around with me. Should my bag be stolen, the thief would have my card and the PINsentry, defeating any security improvement it gives.

From the bank’s point of view, however, it is a good idea. It shifts the burden of blame in the event of a fraudulent transaction. Now you have to prove your PINsentry was compromised, not them having to prove their systems were not compromised.

This is not a good change. It doesn’t really make your transactions any more secure. It just makes you more to blame if something goes wrong. (Even, I suspect, if the bank has sold your details on eBay…)

The Telegraph’s view on Conrad Black

More from the blog’s new department of sweet irony.

The Daily Telegraph reports of the trial of Black (uncannily similar to the Guardian’s, even down to a timeline) describe his wife, Barbara Amiel as “the virulently right-wing journalist.”

No, really. It’s not a typo, for once. The Daily Telegraph did indeed call someone virulently rightwing. The mind boggles at quite how extreme you would have to be for the Telegraph to use this description.

The paper also reported that the Conservative Party had decided that Lord Black couldn’t count as a Tory in the House of Lords any more. 😀

Sweet ironing

Conrad Black, former owner of the Daily Telegraph has actually been found guilty of fraud. Well, of 3 fraud counts and one obstruction of justice.

Black, 62, was cleared of racketeering and tax evasion but could face 35 years in jail when sentenced on 30 November.

Well, you can’t win them all…..