Tag Archives: ATM

A Call for Diminished Reality

(a copy of my weekly syndicated column. Podcast from the BBC here.)

By Jeremy Wagstaff

I was walking the infant the other day, when I saw a vision of my future.  A mother and father, out with their son and dog.  The mother sat on a park bench, dog sitting obediently at her feet as she flicked absent-mindedly at her iPhone.

In the playground, the boy wove his way through a tunnel, across some ropes, down a slide–the father nearby, lost in his own iPhone. Occasionally he would waken from his 3G trance and, without looking up, point the phone at his son as if scanning him for radiation.  The resulting photo probably went straight to his Facebook page.  Ah, happy families, connected by place but detached by devices.

It’s a familiar lament.  Our devices distract so much we can’t ignore them.  We ignore our kith and kin but obey their beeps, walk into traffic or drive into pedestrians to heed their call.  And the solutions are usually less than imaginative, or practical: holidays where you check them in at the gate, where you put them in a glove compartment, or (shock), leave them at home entirely.

I have tried all these and they don’t work.  Which is why I fear I will be that family. Perhaps I already am; desperate to catch my infant’s first steps, words, or symphony, I think it more important that my cellphone camera is there, somehow, than I am. This is silly.  But I think I have found the answer in something called augmented reality.

Augmented reality is where our devices use their camera and positioning capability to add layers of information to what is in front of us: little pointers appear on the screen detailing where the nearest ATM is, or Chinese restaurant, or how far away and in what direction the nearest Twitter user is. The reality is the scene in front of us viewed through our camera, the augmented bit are these layers of extra information.

This is not new, but it’s becoming more popular.  And it’s kind of fun.  It is related to another technology that adds a layer onto what we see—so-called heads-up displays, that project information onto the windscreen of our airplane, or car, or goggles, that help us identify a target, a runway, an obstacle in the road.

Interesting, but I think they’ve got it all backwards.  Our problem is not that we need more information overlain on the world, we need to have the world overlain on the screens that command us.  We spend so little time interacting with the world now that we need technology to help us reintroduce the real world back into our lives.

I don’t think handing over our devices to well-intentioned guards at hotel gates is going to do it.  I think we need to find a way to fit the real world into our device.

Which is why, two years ago, I got very excited about an application for the iPhone called Email n Walk.  This was a simple application that overlays a simple email interface on top of whatever is in front of you.  The iPhone’s camera sees that for you, but instead of putting lots of pins about ATMs, Chinese restaurants and twitter users on the image, it puts the bare bones of whatever email you’re typing.  You can type away as you’re walking, while also seeing where you’re going.

Brilliant.  And of course, as with all brilliant things, it got lots of media attention and promptly disappeared.  The app is still there on Apple’s software shop, but the company’s home page makes no mention of it.  I tried to reach the developers but have yet to hear back.

They’re careful not to claim too much for the software. We can’t take any responsibility for your stupidity, so please don’t go walking into traffic, off of cliffs, or into the middle of gunfights while emailing, they say.  But it’s an excellent solution to our problem of not being able to drag our eyes from our screens, even to watch our son clambering over a climbing frame.

It’s not augmented reality, which purports to enrich our lives by adding information to it.  It’s a recognition that our reality is already pretty hemmed in, squeezed into a 7 by 5 cm frame, and so tries to bring a touch of the real world to that zone.  I believe that this kind of innovation should be built into every device, allowing us to at least get a glimmer of the real world.

Indeed, there are signs that we’re closer to this than we might expect. Samsung last month unveiled what may be the world’s first transparent laptop display, meaning you can see through it when it’s turned on, and when it’s turned off. I don’t pretend that it’s a good solution to the growing impoverishment of our lives, which is why I have no hesitation to call this inversion of augmented reality ‘diminished reality.’

And now, if you’ll excuse me, my daughter is making funny faces at me through the screen so I better grab a photo of it for my Facebook page.

My War On ATM Spam and Other Annoyances

By Jeremy Wagstaff

(This is a copy of my weekly syndicated column)

You really don’t need to thank me, but I think you should know that for the past 10 years I’ve been fighting a lonely battle on your behalf. I’ve been taking on mighty corporations to rid the world of spam.

Not the spam you’re familiar with. Email spam is still around, it’s just not in your inbox, for the most part. Filters do a great job of keeping it out.

I’m talking about more serious things, like eye spam, cabin spam, hand spam,  counter spam and now, my most recent campaign, ATM spam.

Now there’s a possibility you might not have heard of these terms. Mainly because I made most of them up. But you’ll surely have experienced their nefarious effects.

Eye spam is when something is put in front of your face and you can’t escape from it. Like ads for other movies on DVDs or in cinemas that you can’t skip. Cabin spam is when flight attendants wake you from your post-prandial or takeoff slumber to remind you that you’re flying their airline, they hope you have a pleasant flight and there’s lots of duty free rubbish you wouldn’t otherwise consider buying wending its way down the aisle right now.

Then there’s hand-spam: handouts on sidewalks that you have to swerve into oncoming pedestrian traffic to avoid. Counter spam is when you buy something and the assistant tries to sell you something else as well. “Would you like a limited edition pickled Easter Bunny with radioactive ears with that?”

My rearguard action against this is to say “if it’s free. If it’s not, then you have given me pause for thought. Is my purchase really necessary, if you feel it necessary to offer me more? Is it a good deal for me? No, I think I’ll cancel the whole transaction, so you and your bosses may consider the time you’re costing me by trying to offload stuff on me I didn’t expressly ask for.” And then I walk out of the shop, shoeless, shirtless, or hungry, depending on what I was trying to buy, but with that warm feeling that comes from feeling that I stuck it to the man. Or one of his minions, anyway.

And now, ATM spam. In recent months I’ve noticed my bank will fire a message at me when I’m conducting my automated cash machine business offering some sort of credit card, or car, or complex derivative, I’m not sure what. I’ve noticed that this happens after I’ve ordered my cash, but that the cash won’t start churning inside the machine until I’ve responded to this spam message.

Only when I hit the “no” button does the machine start doing its thing. This drives me nuts because once I’ve entered the details of my ATM transaction I am usually reaching for my wallet ready to catch the notes before they fly around the vestibule or that suspicious looking granny at the next machine makes a grab for them. So to look back at the machine and see this dumb spam message sitting there and no cash irks me no end.

My short-term solution to this is to look deep into the CCTV lens and utter obscenities, but I have of late realized this may not improve my creditworthiness. Neither has it stopped the spam messages.

So I took it to the next person up the chain, a bank staff member standing nearby called Keith. “Not only is this deeply irritating,” I told him, “but it’s a security risk.” He nodded sagely. I suspect my reputation may have preceded me. I won a small victory against this particular bank a few years back when I confided in them that the message that appeared on the screen after customers log out of their Internet banking service—“You’ve logged out but you haven’t logged off”, accompanied by a picture of some palm trees and an ad for some holiday service—may confuse and alarm users rather than help them. Eventually the bank agreed to pull the ad.

So I was hoping a discreet word with Keith would do the trick. Is there no way, I said, for users to opt out of these messages? And I told him about my security fears, pointing discreetly to the elderly lady who was now wielding her Zimmer frame menacingly at the door. Keith, whose title, it turns out, is First Impression Officer, said he’d look into it.

So I’m hopeful I will have won another small battle on behalf of us consumers. Yes I know I may sound somewhat eccentric, but that’s what they want us to think. My rule of thumb is this: If you want to take up my time trying to sell me something because you know I can’t escape, then you should pay for it—the product or my time, take your pick.

Now, while I’ve got your attention, can I interest you in some of those Easter bunny things? They’re actually very good.

Power to the Consumer. (Is That All?)

Akasaka, 2008

Jan Chipchase, roving Nokia researcher, as ever inspires and provokes with this piece on the psychology of the coffee cup:

This Akasaka coffee shop includes a row of accessible power sockets (running along the edge of the window) primarily to support laptop use – though over the course of an hour a number of people charged their phones (yes people here sometimes carry petite phone chargers). Recharging mobile devices in coffee shops is nothing new – but to what extent does the explicit nature of the infrastructure lead to new behaviours? Like? Well, maybe plugging in a printer? Or setting up a server. Or, or…

Jan points to the issues raised by offering power to consumers:

In some ways customers that don’t use the power socket are subsidising those that do – after all they pay the same for a cup of coffee. Or do power using power-users spend more money either on more items or on items that will last longer? What if the electricity socket was a stand-alone working micro market? As you plug into the socket your device authenticates itself to the system, negotiates how much power (or fuel-cell fuel) it needs and charges away. As with the explicit presence of the socket to what extent does the explicit presence of a micro-market for power extend existing behaviours? And given the relaxed ambiance that this coffee shop is trying to create is it desirable to create a market in this context?

It fascinates me that the average high street these days is as likely to have as many coffee shops as it is other kinds of outlets. And that people work, live, play, cry and get divorced in them. Why do we need the hustle and bustle of others to be productive?

But for me the biggest mystery is why these outlets don’t bother to try to sell something more than just coffee, crappy CDs and bad finger food to these customers. Selling power to them might be a cheap shot, but let’s face it, you’re not really selling them coffee. You’re selling them a place to work. A noise, an ambience. You’re selling them the chance to feel cool. To show off their Air. To furtively check out members of a sexually appealing gender. To have physical proximity. To engage with engaging staff. A chance to get away from the office/family/silence.

That’s what they’re buying. But what about what they’d like to buy, that they just haven’t considered yet? A chance to meet the people around them? A way to build an informal network with other users? To be able to print from their computers? To arrange pick up by FedEx? An ATM machine?

To me, Starbucks is never really about the coffee. Well, it is for the people who go in there, queue and then take it with them (and then, I think for a lot of them it’s about delaying arrival in the office, or having something in their hands as a sort of weapon to take on the day; if it’s halfway through the day it’s a chance to get out of the office on an errand that is acceptable.) But for the people who stay in Starbucks, they’re buying something else. And who knows what else they might buy if you try to sell it to them?

Jan Chipchase – Future Perfect: Behaviours Reflected

Hi, I’m Sheila from Phishers ‘R’ Us

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up (the number is a private number so doesn’t show up on my screen, but that doesn’t seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it’s not hard to fake a callerID.)

The woman on the phone tells me there’s been a problem with my last phonebanking transaction. Before she can tell me more, she asks me to key in my six-digit phonebanking ID. I’m just about to do so, eager to sort out the problem, when I realize that I’ve not confirmed that she is who she says she is. So I ask her:

“Sorry, but I need to confirm who you are first.”

“Yes, I am Sheila and I work for the phonebanking division.”

“Yes, but how do I know you’re Sheila from the phonebanking division, and not Sheila from Phishers ‘R’ Us?”

Clearly Sheila hasn’t faced this kind of situation before.

“Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it.”

“Well, it may do, or else it would tell me you’d already succeeded in hacking into my account and were now just toying with me.”

A pause.

“Yes, but the PIN number goes straight into the computer,” says Sheila, a bit nonplussed now.

I try to explain that a) I’m not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social engineering fraudster because she called me first and b) that technology makes it eminently possible that someone could capture my six digit PIN if I key into my phone. (A simple decoder attached to the phone will grab the DTMF signals (the beeps when you press a key) and figure out what digits they represent. I didn’t tell this to Sheila because she was already beginning to sense I was a ‘difficult customer.’)

In the end I tell Sheila I’m going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

“One last thing, Mr. Wagstaff. I don’t know if you’ve been told but we’re running a promotion at the moment that for every customer you’re able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store.”

A bank with its priorities right, it seems.

What amazes me about this is that banks don’t seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day pretending they’re from the bank informing them they’ve lost their card, and asking them to approve cancellation of the card by keying in their PIN number.  Voila. If Sheila was Sheila the Scammer, someone would be at least half way into my account by now.

I wish banks would be smarter about this. I wish in particular the banks I use would be smarter about this. Scammers are clever, particularly about social engineering — the art of lulling people into a sense of false security. We ordinary people want to please, and we want to help solve a problem, especially if it’s connected to us, so we’re easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I’m always trying to pass on: Don’t give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where’s your badge? Valet? How do I know you’re not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it’s someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It’s your money, not theirs.

Goertzel, Rugby and the Sweet-talking Scam

The South China Morning Post reports (I’ve got the hard copy here; everything there is behind a subscription wall, so no full link I’m afraid) of a clever scam where the bad guys steal just enough stuff — cards + identity — from a victim to be able to social engineer their way into trust, but not enough for the mark to realise there’s anything missing before the sting. This takes some doing.

This is how it works: The fraudsters swipe a wallet or handbag from under chairs and tables at a weekend sporting event in Hong Kong. They remove the bank ATM card and a business card of the owner and replace everything else. They then research the individual (presumably online, though they may have access to other information, I guess, from associates on the inside at a bank?).

They then wait a day and then call up the mark, identifying themselves as from the victim’s bank, asking some personal details and then asking if they’ve lost their ATM card. This may be the first time the mark has realised the card is lost. Along with a professional and comforting tone, and any personal details that the fraudster has been able to unearth online, this would further lure the victim into a false sense of security.

It’s then the fraudster would say he will cancel the cards and provide a temporary password once the account holder has typed their PIN into the phone. I like this bit; it would be easier and tempting, as in other scams (like this one in the UK) to try to persuade the victim to just give out their PIN verbally. But asking them to enter it into the keypad of their phone adds to the ‘illusion of formal procedure’ that social engineering relies so heavily on. The fraudster, of course, is easily able to attach a device to their phone to capture the tones of the PIN and decode it. They could even just record the tones and play them back against a set of tones. (Each digit has a different tone, according to something called dual tone multifrequency, or DTMF. Tones can be decoded using the Goertzel algorithm, via software like this.)
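The DTMF remark above (and the similar one in the “Sheila” post), as an added example that is not from the original posts or the software they link to: a Goertzel tone detector run over constructed audio, which is the same detection a bank’s own phone system performs on keyed-in digits. It shows that keypad digits are ordinary in-band audio, readable by whoever is on the other end of the call; the sample rate, block size, thresholds and function names are assumptions chosen for the example.

```python
import math

SAMPLE_RATE = 8000                      # Hz; assumed telephony sample rate
ROW_FREQS = (697, 770, 852, 941)        # standard DTMF low-group tones
COL_FREQS = (1209, 1336, 1477, 1633)    # standard DTMF high-group tones
KEYPAD = ("123A", "456B", "789C", "*0#D")


def synth_dtmf(digits, tone_ms=80, gap_ms=80, lead_ms=0, amplitude=0.4):
    """Constructed test audio: each key is one row sine plus one column sine."""
    samples = [0.0] * (SAMPLE_RATE * lead_ms // 1000)
    tone_n = SAMPLE_RATE * tone_ms // 1000
    gap_n = SAMPLE_RATE * gap_ms // 1000
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        w1 = 2 * math.pi * ROW_FREQS[row] / SAMPLE_RATE
        w2 = 2 * math.pi * COL_FREQS[col] / SAMPLE_RATE
        samples.extend(amplitude * (math.sin(w1 * n) + math.sin(w2 * n))
                       for n in range(tone_n))
        samples.extend([0.0] * gap_n)
    return samples


def goertzel_power(block, freq):
    """Squared magnitude of one frequency in a block, without a full FFT."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(block, min_ratio=0.15, min_mean_square=1e-4):
    """Return the key sounding in this block, or None.

    A clean dual tone puts about a quarter of (N * block energy) into each
    of its two Goertzel bins, so both the strongest row and the strongest
    column must clear min_ratio of that figure. Silence, single tones and
    blocks that only clip the edge of a tone are rejected.
    """
    n = len(block)
    energy = sum(x * x for x in block)
    if n == 0 or energy / n < min_mean_square:
        return None
    rows = [goertzel_power(block, f) for f in ROW_FREQS]
    cols = [goertzel_power(block, f) for f in COL_FREQS]
    r = max(range(4), key=lambda i: rows[i])
    c = max(range(4), key=lambda i: cols[i])
    floor = min_ratio * n * energy
    if rows[r] < floor or cols[c] < floor:
        return None
    return KEYPAD[r][c]


def decode_dtmf(samples, block_ms=20):
    """Decode a key sequence from audio samples.

    A key is emitted once it is seen in two consecutive blocks; a block
    with no key must follow before the same key can be emitted again, so
    repeated digits are counted correctly.
    """
    block_n = SAMPLE_RATE * block_ms // 1000
    digits, last, run, emitted = [], None, 0, False
    for start in range(0, len(samples) - block_n + 1, block_n):
        key = detect_key(samples[start:start + block_n])
        if key is not None and key == last:
            run += 1
        else:
            last, run, emitted = key, 1, False
        if key is not None and run >= 2 and not emitted:
            digits.append(key)
            emitted = True
    return "".join(digits)


if __name__ == "__main__":
    # Constructed six-digit sequence, offset so tones do not align to blocks.
    audio = synth_dtmf("402917", lead_ms=37)
    print(decode_dtmf(audio))
```
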

Once the PIN is handed over, the account is emptied. In the case cited in the SCMP, some HK$47,000 was removed within 82 minutes of the fraudster obtaining the PIN.

So, the obvious and slightly less obvious go without saying:

  • Never give your PIN to anyone, even a smooth-talking fella calling himself “Peter from HSBC.”
  • Regularly check your purse to see whether all your cards are there. If not, cancel them immediately.
  • Don’t put your name cards, or other revealing personal details, in the same place as your credit cards.
  • Don’t ever accept a call from your bank without taking down the person’s name and number and a telephone number you can verify independently (on statements or online.) Then call the bank back. Banks don’t like to do this, because it might mean you call them up when they don’t want to, but tough.
  • Give your bank hell every time they call you up and start asking you questions like “you have a credit card with us, is that right, sir? Would you like to up the limit on that card?” This is just asking for trouble, since calls like that are one small step away from a social engineering attack: “Please just give me the card details and some personal information and we’ll increase that limit right away, sir”. If not that, it at least sows the idea in the customer’s mind that their bank phones them, and that somehow that’s OK.
  • Be aware that Google et al can, when combined, provide a pretty clear picture of who you are, even if you’re not a blogger or other form of online exhibitionist. So don’t be lulled by someone calling who seems to know enough about you to be able to pretend to be someone official.

Anyone at the Rugby Sevens this weekend, take note.

Elitism’s Big Security Hole

You would expect that if you choose an elite, premium product or service that it was more secure than its lesser, bog standard one. But after an incident today I’m not so sure.

I happen to have a fancy premium account at my bank. I didn’t really want it, and object to such things on champagne socialist grounds, but it happened that way. So I arrive in town, and am looking for an ATM. I espy the logo of my bank on the airport concourse and head that way. Three members of staff stand around the branch entrance, doing that half-welcoming, half-bouncer thing that staff do. I asked if there was an ATM inside, and they said yes, but instead of letting me in, pointed me back across the vast concourse to the railway terminus. “None in here?” I asked, surprised. By then I was fishing inside my wallet for my ATM card and they caught a glimpse of its fancy charcoal greyness. Their attitude changed in a flash to one of abject obeisance. “This way, kind sire,” they said (or something like that) and ushered me inside the darkened interior, round a couple of corners to my very own ATM machine, before withdrawing to a discreet but accessible distance. Butlers passed bearing flutes of champagne; customers carrying men’s purses perused glossy brochures with names like “Managing Your Family’s Wealth So You Can Have Trouble-free Weekends in Your Phuket Condo With An Office Secretary” or something.

Offputting, but I was happy to get my hands on some cash. Until I realised I had forgotten my PIN. No problem, one of the staff said, and led me around more corners to a bank of eager customer advisor executives, or something, all with perfect teeth and wide smiles. They happily gave me cash and balances, none of it requiring any proof of identity on my part. I got to suck a sweet while they did. The three bouncers led me outside as if I was the King of Siam collecting tribute.

I was happy with all the deference and genuflecting, but it made me realise that premium service isn’t really about premium service; it means paying through the nose not to be troubled by impertinent little serfs asking me for proof of identity when I want to move millions of dollars around/see my jewelry collection in a bank vault/pass through immigration. It’s actually about dismantling security, not about enhancing it.

It’s a simple equation: Companies charge more fees to these kinds of people, providing what looks like a Rolls Royce service. People love getting star treatment, assuming that fake veneer and snow-white smiles equate quality. Of course all it really means is that the basic service — in this case the ATM machine — has been moved off to a remote corner for the unwashed who refuse to pay for the premium service. But more importantly, the actual quality that should be a feature of the improved service is severely compromised, if not entirely absent, since the implicit agreement is that customers won’t be asked for proof of identity. That may seem like an advantage to the customer, but if someone had stolen my wallet they would have been able to empty my account without breaking a sweat. They might even have been offered a shoulder massage while the staff counted the money.

There must be a name for this skewed security thinking. And it must apply to all sorts of services.

Me? I’m downgrading my account and rejoining the plebs. It’s safer there: They won’t let me in the branch without flashing my ID card.

Cash With a Human Face

Here’s a useful innovation for foiling scammers stealing money from ATMs with their heads covered to avoid identification: a system which “can distinguish between someone whose face is covered or uncovered, and only grant access to those who bare their faces.”

No face, no dosh

According to Taiwan’s Central News Agency (no story URL available; first paragraph here), the system was developed by a research team headed by Lin Chin-teng, dean of the College of Computer Science, National Chiao Tung University in Hsinchu, “and can deny ATM access to users who have their faces covered”:

The system’s developers said they hoped the device would assist law enforcers in stopping a common crime involving ATMs: thieves disguise their face with motorcycle helmets or masks, even while their images are being captured by ATM surveillance cameras.

Terror And The Hole In Our Mindset

It’s amazing how hard it is to let go of a security mindset when you’ve been living in a place where bombs are (of late) a fact of life. In Hong Kong these things don’t seem to matter so much, so when I was standing at the ATM machine in a subway station today it was only me who was mildly freaked out by a sizeable cardboard box unattended nearby.

By the time I had got to the head of the line it was a good five minutes, still no sign of anyone claiming it, or even caring about it. So I called the security guys over an intercom in the wall, and, to their credit, they sent someone down. But I don’t think they get many calls like this. The security guy, friendly but not in the prime of life, was just about to lift it up — and I about to stop him — when he had second thoughts and walkie-talkied for back-up first. I didn’t want to make him nervous by hanging around to see how he finished his job, but I’m not convinced they called in the sniffer dogs.

Some places are more aware of this kind of thing than others. Australians seem to be, so do Europeans and Americans. Japan, too, I guess. And most of Southeast Asia. But Hong Kong doesn’t seem to consider itself a target, which I suppose will remain true until something happens.

Shoulder Surfing. The Old New Phishing

Stealing passwords in the old days used to involve shoulder surfing — cruising past the mark while s/he’s tapping in her/his password into the computer/ATM/cookie dispenser.

But I had a scare today that made me realise that this is still a pretty easy way to get information. Newly landed in Hong Kong, I breezed over to a cash machine. ‘Internet bank with us!’ it said, or something similar, on the welcome screen. ‘It’s safe!’

Well, maybe, but anybody who was shoulder surfing me would have had a head start on my accounts. For a good 15 seconds, possibly longer, my account numbers were fully visible on the screen, as the ATM was processing my transaction. The message was: The following accounts can be accessed using this card, and then it listed them, nice and bold with double space, just in case the shoulder surfer has poor eyesight. How safe is that?

Maybe I’ve been hanging out with social engineers like Anthony Zboralski and Dave McKay too much (more of that anon). But these guys make me realise, if I didn’t already, that a) information is really, really easy to get using social trickery, and b) the institutions we entrust with our information don’t seem to get it that this is the case. Pfft. I’m changing bank in the morning, just as soon as I’ve changed my PIN.