Delivering Complexity at the Expense of Security

The DeliveryDemon is frequently flabbergasted by the sheer stupidity demonstrated by so many financial institutions when it comes to security. They obstinately pretend that imposing complexity on account access equates to security, in the face of all evidence to the contrary. At the same time they refuse to acknowledge that their own processes are often staggeringly insecure.

Some time ago after a trip abroad, the DeliveryDemon had a phone message claiming her credit card had been compromised, and asking her to ring the issuer on an unidentifiable number. It clearly sounded like a scam which needed to be reported to the issuer. So the DeliveryDemon phoned the switchboard and asked to be put through to the person who had left the message. She was unsurprised when the switchboard had never heard of this person, and asked to be put through to the security and fraud department – where she found herself talking to the person who had left the suspect message.

So how many security mistakes was that?

• Leaving a message about a card compromise on a landline answering machine without knowing who might pick it up
• Asking the cardholder to ring a number which could belong to any scammer
• Creating a situation designed to justify a request for secure information, using a process riddled with fundamental security flaws
• Preventing a customer from carrying out basic security checks by using a name not recognised by the switchboard.

But the biggest mistake of all was the fact that some time afterwards the DeliveryDemon had to deal with the identical flawed process. Needless to say, the DeliveryDemon had complained to the card issuer on the first occasion, yet the organisatioj had taken no notice of the complaint and had continued knowingly to operate processes which were fundamentally insecure.

This type of stupidity is remarkably common in the financial services sector, and a couple of very similar examples are described in an earlier post .

https://deliverydemon.wordpress.com/2012/04/02/delivering-poor-banking-security/

The other side of this refusal to operate secure processes is a determined effort to create barriers to prevent a customer from accessing their own funds. This goes hand in hand with lengthy and inequitable Ts and Cs which attempt to absolve banks from any responsibility whatsoever. The DeliveryDemon recently encountered this while opening a very basic bank account. This ‘simple’ account required no less than EIGHT authentication factors, including providing answers to some remarkably stupid questions.

• A memorable number? Seriously? Numbers are not intrinsically memorable. Those which are memorable usually relate to public domain information, which is hardly secure.
• Details of various third parties? Public domain again. It is also questionable in data protection terms whether a bank should be asking for information about third parties who have nothing to do with the account.
• Favourite TV programs, newspapers, historical person, sleb, town? Get a life! This sort of preference is transient and likely to be forgotten months or years down the line when it is eventually needed in order to deal with some call centre drone who is not empowered to think beyond the mindless detail on the screen in front of them.

This sort of pseudo security is not just stupid in its own right, it is creating a situation where complexity makes life difficult for the customer, while being used as an excuse for financial institutions to try to avoid their own responsibilities.

Put these so-called security processes in the context of today’s digital native. Basic security advice is not to use the same details in multiple places, since compromise of one account can lead to compromise elsewhere. Typically, an account asks for 4 pieces of information, even when no financial transactions are involved. Try counting them up. Even without an intricate lifestyle the following range of accounts is pretty commonplace.

• Mortgage
• Mortgage-related insurance
• Life insurance
• Health insurance
• Current account
• Savings account
• Debit card
• Credit card
• ISA
• Pension
• E-mail account
• Work e-mail account
• Mobile account
• Landline / broadband account
• Car insurance
• Car radio code
• Electricity account
• Gas account
• Water account
• Council tax account
• Supermarket account
• Amazon account
• i-Tunes account
• Comparison site accounts – up to half a dozen
• Social media accounts – another half a dozen
• Technology support arrangements – say 3
• Travel accounts for commuters – another couple
• Online information sources such as newspapers, news sites and the like – say 3.

All of these want a login ID and a password, plus several additional pieces of information for ‘security’ should you be unable to log in. Security guidance suggest that unique information should be used for each situation, and that the information should not be written down in a recognisable format, even when months or years may elapse between accesses to the account.

Put this into the context of the real world. Current security guidance expects the individual to memorise in excess of 172 unique pieces of information, and to relate each piece of information to one of 43 or more situations. Current practice is for Ts and Cs to forbid keeping written records of passwords in any useful format. This is complete nonsense, not security.

So what’s the answer? There are organisations which can be used to store multiple passwords, but these then become a single point of failure should the access password be compromised or the organisation’s own security be breached. It’s not clear whether this sort of password storage is acceptable under access Ts and Cs either.  Even if banks start to give some form of approval to these organisations, it could be withdrawn, leaving the customer with the option of dealing with multiple password holders or changing to a new one. If a security breach underlies the reason for change, that would mean working through every single account to change access details. In some circumstances that may mean the delay of going through the account provider to replace codes which they do not allow the customer to change.

The current security situation is clearly unsatisfactory, ineffective,  and unfair to the customer. The DeliveryDemon thinks it is time that organisations which are responsible for security got together with both security and usability experts to come up with a solution which is designed to protect the customer’s interests, not a solution based on allowing financial institutions to avoid responsibility.

The Avatar is NOT the User

A lot of effort goes into the user interface of laptops these days – but there appears to be a big disconnect in the thinking.

The effort goes into screen layout and display and reaction to the use of input devices – all the electronic stuff. What a pity the same effort isn’t going into design of the physical machine. After all, the user is a person interfacing with a physical device, not a dematerialised avatar.

These thoughts came as the DeliveryDemon alternated between two laptops – a five year old, small footprint, lightweight laptop and a rather more modern larger laptop which doubles as an office desktop.

The right side of the small machine is taken up by the CD reader, flush with the side of the machine and operated by a button above the keyboard. At the back of the left side is a USB slot, well out of the mouse space of a left handed user. Towards the front of the left side is another USB slot with a rather tacky plastic cover. While not a problem for right handed users, a device in this slot would tend to impinge on a left handed user’s mouse area. Apart from this, the physical interface is quite well designed, taking into account the limited physical size of the machine.

With the larger and more modern machine, it’s a very different story. Despite the extra space available, little if any thought has gone into the physical aspects of the user interface. The USB ports are to the front of the right hand side, and USB cable connections create a mouse no-go zone for about 5 inches to the side of the machine. Given the size of the machine, that makes the keyboard / mouse area about 24 inches wide, with a 6 inch dead area between keyboard and mouse.

Worse still, USB cable connections make the DVD drive inaccessible, as the cables foul the opening area, unless the user either trails the cables across the front of the machine, or reorganises every workspace to take account of the deficiencies of the laptop design.

Most of the population, like the DeliveryDemon, are right handed, which begs the question of why the much less frequently used access points are concentrated on the left side of the machine while the right side is a messy clutter.

Vaio sells itself on smooth design concepts. The DeliveryDemon thinks it’s about time they put just a bit more effort into delivery of a well-designed physical interface.

You don’t have to be paranoid……

The DeliveryDemon was looking at security settings on the laptop recently after the moderate paranoia setting started blocking WordPress cookies. To check what was happening she used the ‘prompt’ setting, requiring manual approval of cookies. Cue a very tired hand, and the site concerned was a perfectly respectable one! A big disconnect appears to have grown between website development practice and security practice. It appears that we are offered two choice

•  blind reliance on automated cookie approval / rejection
• total unusability.

This little experiment has the DeliveryDemon asking a LOT of questions:

• What are these cookies doing?
• How much of my storage / processing power are they hogging?
• What’s going on when a ‘respectable’ website (not WordPress) wants to install 20 or more cookies per screen?
• Why don’t website designers realise that a cookie plague makes the most honourable of organisations look dubious?
• Whatever happened to respecting the right of the user to choose an appropriate security setting?

The DeliveryDemon appreciates that there’s a balance to be struck when it comes to website stats and marketing requirements. But if the designers come up with something better than forcing the user to change security settings for all sites to fit the requirements of one particular site, there’s something wrong.

If the medium paranoia setting stops a website from working, then someone has delivered a very poor level of security.

Delivering Spurious Accuracy, Demanding Constant Attention

The DeliveryDemon did a double-take. The hospital receptionist had actually offered a follow-up appointment time of 8.48 a.m. Not 8.45, not 8.50, 8.48 precisely!

Great efforts were made to get the patient to hospital for the prescribed minute. As the seconds clicked by, the DeliveryDemon gazed at the white blocks on the bilious yellow screen, idly wondering whether the developers were aware that the inability to distinguish between yellow and white is a common form of colour blindness. The clock ticked over to 8.48…… Nothing happened! At 8.55 the appointment pinged up for its allotted 3 seconds then disappeared into the ether, never to re-appear.

There is a huge disconnect between the design of this system and practical reality. The underlying driver may well be a target of fitting 5 x 12 minute appointments into the hour, but that 12 minutes is an average. Pinning appointments to an exact minute means that overruns delay subsequent appointment, but nothing is gained if an appointment finishes early – an approach which increases the likelihood of targets being missed. It also invites mockery.

The mechanism for summoning patients is equally poorly conceived. It relies on the assumption that patients gaze non-stop at the single screen, waiting for their numbers to flash up for those 3 short seconds. In reality, pillars obscure the screen from some seats, and passers-by may obscure it from any position. The area, lacking sound absorption, is noisy, so any audio cue is lost. A patient with poor eyesight may need to move closer to the high-mounted screen to read it, and age or infirmity would make those 3 seconds of visibility completely inadequate. And of course real patients are chatting, reading newpapers, watching the world go by, as the clock edges beyond the allotted minutes of their appointments. That sickly yellow screen is by no means the cynosure of all eyes.

Part of the DeliveryDemon wanted to laugh at the absence of basic common sense in the design. The reason she is not still in giggling thrall to those ridiculous flaws is the context. This was an NHS hospital. Huge sums of taxpayers’ hard-earned money went into the creation of the system. The appalling design is unlikely to result in patient fatality, but the blatant absence of commonsense in a patient-facing system must call into question the quality of other systems which are life-critical.