My War On ATM Spam and Other Annoyances

By Jeremy Wagstaff

(This is a copy of my weekly syndicated column)

You really don’t need to thank me, but I think you should know that for the past 10 years I’ve been fighting a lonely battle on your behalf. I’ve been taking on mighty corporations to rid the world of spam.

Not the spam you’re familiar with. Email spam is still around; it’s just not in your inbox, for the most part. Filters do a great job of keeping it out.

I’m talking about more serious things, like eye spam, cabin spam, hand spam, counter spam and now, my most recent campaign, ATM spam.

Now there’s a possibility you might not have heard of these terms. Mainly because I made most of them up. But you’ll surely have experienced their nefarious effects.

Eye spam is when something is put in front of your face and you can’t escape from it. Like ads for other movies on DVDs or in cinemas that you can’t skip. Cabin spam is when flight attendants wake you from your post-prandial or takeoff slumber to remind you that you’re flying their airline, they hope you have a pleasant flight and there’s lots of duty free rubbish you wouldn’t otherwise consider buying wending its way down the aisle right now.

Then there’s hand-spam: handouts on sidewalks that you have to swerve into oncoming pedestrian traffic to avoid. Counter spam is when you buy something and the assistant tries to sell you something else as well. “Would you like a limited edition pickled Easter Bunny with radioactive ears with that?”

My rearguard action against this is to say “Only if it’s free. If it’s not, then you have given me pause for thought. Is my purchase really necessary, if you feel it necessary to offer me more? Is it a good deal for me? No, I think I’ll cancel the whole transaction, so you and your bosses may consider the time you’re costing me by trying to offload stuff on me I didn’t expressly ask for.” And then I walk out of the shop, shoeless, shirtless, or hungry, depending on what I was trying to buy, but with that warm feeling that comes from feeling that I stuck it to the man. Or one of his minions, anyway.

And now, ATM spam. In recent months I’ve noticed my bank will fire a message at me when I’m conducting my automated cash machine business offering some sort of credit card, or car, or complex derivative, I’m not sure what. I’ve noticed that this happens after I’ve ordered my cash, but that the cash won’t start churning inside the machine until I’ve responded to this spam message.

Only when I hit the “no” button does the machine start doing its thing. This drives me nuts because once I’ve entered the details of my ATM transaction I am usually reaching for my wallet ready to catch the notes before they fly around the vestibule or that suspicious looking granny at the next machine makes a grab for them. So to look back at the machine and see this dumb spam message sitting there and no cash irks me no end.

My short-term solution to this is to look deep into the CCTV lens and utter obscenities, but I have of late realized this may not improve my creditworthiness. Neither has it stopped the spam messages.

So I took it to the next person up the chain, a bank staff member standing nearby called Keith. “Not only is this deeply irritating,” I told him, “but it’s a security risk.” He nodded sagely. I suspect my reputation may have preceded me. I won a small victory against this particular bank a few years back when I confided in them that the message that appeared on the screen after customers log out of their Internet banking service—“You’ve logged out but you haven’t logged off”, accompanied by a picture of some palm trees and an ad for some holiday service—may confuse and alarm users rather than help them. Eventually the bank agreed to pull the ad.

So I was hoping a discreet word with Keith would do the trick. Is there no way, I said, for users to opt out of these messages? And I told him about my security fears, pointing discreetly to the elderly lady who was now wielding her Zimmer frame menacingly at the door. Keith, whose title, it turns out, is First Impression Officer, said he’d look into it.

So I’m hopeful I will have won another small battle on behalf of us consumers. Yes I know I may sound somewhat eccentric, but that’s what they want us to think. My rule of thumb is this: If you want to take up my time trying to sell me something because you know I can’t escape, then you should pay for it—the product or my time, take your pick.

Now, while I’ve got your attention, can I interest you in some of those Easter bunny things? They’re actually very good.

Social Engineering, Part XIV


Further to my earlier piece about the scamming potential of Web 2.0, here are a couple more examples of why social engineering is a bigger problem than it might appear.

First off, governments and organisations are not as careful with your information as you might expect them to be. There are plenty of examples of CD-ROMs and laptops going missing, but often even that doesn’t need to happen. Some governments openly publish such information on the Internet. Indonesia’s ministry of education, for example, has published the names, addresses, ages, dates of birth, schools and education numbers of 36 million Indonesian students in easily downloadable XLS format.

Who might use such information? The mind boggles at the possibilities. But one hint might be found in this Straits Times article from neighboring Singapore, which reports a growing wave of faux kidnappings: Gangs phone someone with enough information about their loved one—child, spouse, or whatever—to convince them they’ve been kidnapped and the mark must pay the ransom immediately. In the past six months employees at one bank alone have foiled 14 such attempts—merely by alerting the victims trying to withdraw large amounts of money that they’re being conned.

In the first half of this year, according to the newspaper, 21 people have been scammed out of S$322,000 ($216,000) in this way. Such scams rely on having access to just the kind of information contained in the ministry of education’s database: Knowing kids’ names, their class, their home address, their school chums—all would be invaluable in doing a scam like this. Or any other number of scams.

The point is that we need to think beyond the narrow confines of single channels of data. Scammers don’t: They use a combination of techniques to build up enough information about their mark to be able to either impersonate them or convince them of something. In the above case, it’s that they have kidnapped a relative. In this (still ongoing) Hong Kong-based scam, it’s that they are their bank.

I’m not suggesting Web 2.0 is going to breed a different kind of scam, it’s just going to breed a new kind of opportunity. Social engineering relies on gathering just the sort of data that social networking and presence tools base themselves on.

Social Networks Aren’t Social

Social networks are not really social—they’re informational. While they may appear to be social, and perhaps we flock to them and participate in them because we feel a need to socially connect, the real currency is information. Whereas we might go to a bar, a cocktail party or a dinner and spend 90% of our time talking about things that are not important to us, just to maintain and keep alive that social ‘space’, and 10% exchanging really usable and useful information, online the percentages are probably inverted.

Looking at my Facebook inbox, the last 10 exchanges have been about arranging to meet a professional acquaintance who is about to move to Indonesia, chatting with a casual acquaintance about why they’re quitting their job, getting information from a professional acquaintance about her deleted blog, a request to appear on a radio show from a close friend, offering advice to a professional acquaintance about furthering their career, requesting help from a professional acquaintance about interviewing her boss, and then a handful of inconsequential exchanges with friends and semi-friends. These exchanges are data-rich, in the words of Edward Tufte, whereas the average real-world conversation is much less so.

(I’m not talking about enjoyability here, and this is not to say that social interaction isn’t important. They’re of course more fun—it’s really hard to get drunk with someone on Facebook—and in many ways the data that comes out is more useful, because it comes after vital ‘social greasing’—wine, song, ambience, comfort, shared intimacies—that lubricate the lips. I’m just talking ratios.)

This all sprang to mind reading some great notes that Ethan Zuckerman is taking at Picnic08, in which he quotes from a panel discussion that includes Linda Stone, Jyri Engeström, Matt Jones, Addy Feuerstein and Philip Rosedale. Jones, the founder (should that be foundr?) of Dopplr, reckons we should let go of the idea of friendship in many social tools and just focus on the exchange of information:

He quotes Merlin Mann, who describes the new feature on FriendFeed which allows you to pretend to follow a friend so you won’t create an awkward social situation, “This is a major breakthrough in the make-believe friendship space.” There are many rich ways we can build social relationships online, but we’d do better to focus on the information we already exchange, the “wear we leave on social objects”, rather than forcing make-believe friendship.

I reckon he’s right on the money there. Many of us try to create a distinction between Facebook friends and LinkedIn friends, but it’s getting harder and harder. I keep Facebook only for those people I’ve met, but increasingly, as my tight network of friends new and old thins out the people I’m adding are loose acquaintances.

The relationship we have is based on trust—after all, we knew each other, once—but the usefulness trumps the warm fuzziness. We hope to make use of our renewed acquaintance, and, perhaps, we’re not so shy about exploiting it.

This was what I thought would happen on LinkedIn. My policy there was to add pretty much anyone who wasn’t trying to sell me life insurance, a house or a bank. But at least for me it hasn’t really worked. Being LinkedIn buddies doesn’t really seem to be enough to create a connection through which business can flow. (This despite, theoretically, everyone wanting to know a journalist if only so they can pimp their product.)

The bottom line? I don’t think make-believe friendship works, and I think social networks will fail if they focus on that. It’s not about finding new friends. It’s about facilitating the exchange of information through existing ones: sharing websites, job offers, invitations, photos, whatever will help or entertain your friends and acquaintances.

Of course, friendships are strengthened through these exchanges, but it’s not the ‘friending’ that is doing it, it’s the information.

My heart’s in Accra » Picnic08 – The future of social networks

PS Just spotted this from David Weinberger: “But sites like Facebook aren’t about information. They’re about self, others, and the connections among them.” Sounds like we’re not in agreement, but I’d say we are: information, in his case, means the personal data one puts up on these sites. I’m talking about the information that is exchanged on these sites: the trading that takes place, the process. The difference is between the photos a hairdresser puts in his window display and what actually goes on inside the barber’s.

Books. The New Google Juice?


Increasingly I find that if I enter a search on Google for something that I need explaining to me, the first result is a book. Of course, the book is in Google’s Book Search, but chances are the result is a page that has been scanned and is available without having to buy the book. What I’m not clear about are the implications of this.

(The example that prompted this came from me finding myself watching a UK quiz show from 2001 on the BBC’s Entertainment Channel, which I noticed is free this month on our local cable network. As a long-term expat I find these programs compelling viewing, because they offer a window on a culture I’ve lost access to huge chunks of. So when they ask about something old, I’m good, but if it’s a reference to EastEnders since 1987, I’m stumped. Hence the search for what ‘bank’ means on The Weakest Link.)

So back to the implications. Well, Google may be gaming the system. But it looks like a legit result to me.

I don’t really understand how this works—I always thought links to a page affected its prominence in the rankings, but I’m not complaining. I found what I was looking for. But what does this mean for books? For publishing? Do authors and publishers try to SEO their books? Or will it eat into sales? Is it worth book-ising a website so that it scores higher on Google? Is it worth putting ads into books so when they appear in the scanned form on Google Book Search, readers see the ads? Just some thoughts.

Banks Cross Borders, But Their Service Doesn’t

Banks always talk about being global, and thinking local, and all that tosh. And it is tosh. Really.

My bank just called me, for example, to congratulate me for linking my bank accounts in different parts of the world so I can see them from one website. Great idea, weird it hasn’t been possible until now. But I couldn’t help smiling to myself at its limits. The conversation went like this:

“Mr Wagstaff Jeremy Rupert John (they seem to call me this, I guess it sounds better), do you have any questions or feedback for us on our service?”

“Well, I found I couldn’t remember one of the passwords for one account in country X. Can you help with that?”

“Er, no, that is handled by our other office in that country. I work here.”

“Oh.” Pause.

“Any other feedback or questions?”

“Yes. I’d like to complain that I can’t ask about resetting my password in my account in another country even though it’s the same bank.”

“OK, thanks for that. Any other feedback or questions?”

“No, that’s it.”

“OK, thank you for using our service.”

“No, thank you.”

Gee, banks are old fashioned. Why haven’t they disappeared already? Still, they give me free coffee every time I drop by, so I shouldn’t complain.


Hi, I’m Sheila from Phishers ‘R’ Us

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up. (The number is a private number so doesn’t show up on my screen, but that doesn’t seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it’s not hard to fake a caller ID.)

The woman on the phone tells me there’s been a problem with my last phonebanking transaction. Before she can tell me more, she says, I need to key in my six-digit phonebanking ID. I’m just about to do so, eager to sort out the problem, when I realize that I’ve not confirmed that she is who she says she is. So I ask her:

“Sorry, but I need to confirm who you are first.”

“Yes, I am Sheila and I work for the phonebanking division.”

“Yes, but how do I know you’re Sheila from the phonebanking division, and not Sheila from Phishers ‘R’ Us?”

Clearly Sheila hasn’t faced this kind of situation before.

“Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it.”

“Well, it may do, or else it would tell me you’d already succeeded in hacking into my account and were now just toying with me.”

A pause.

“Yes, but the PIN number goes straight into the computer,” says Sheila, a bit nonplussed now.

I try to explain that a) I’m not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social engineering fraudster, because she called me first, and b) that technology makes it eminently possible for someone to capture my six-digit PIN if I key it into my phone. (A simple decoder attached to the phone will grab the DTMF signals, the beeps when you press a key, and figure out what digits they represent. I didn’t tell this to Sheila because she was already beginning to sense I was a ‘difficult customer.’)

In the end I tell Sheila I’m going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

“One last thing, Mr. Wagstaff. I don’t know if you’ve been told but we’re running a promotion at the moment that for every customer you’re able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store.”

A bank with its priorities right, it seems.

What amazes me about this is that banks don’t seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day from people pretending to be from the bank, informing them they’d lost their card and asking them to approve cancellation of the card by keying in their PIN. Voila. If Sheila were Sheila the Scammer, someone would be at least halfway into my account by now.

I wish banks would be smarter about this. I wish in particular the banks I use would be smarter about this. Scammers are clever, particularly at social engineering, the art of lulling people into a false sense of security. We ordinary people want to please, and we want to help solve a problem, especially if it’s connected to us, so we’re easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I’m always trying to pass on: Don’t give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where’s your badge? Valet? How do I know you’re not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it’s someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It’s your money, not theirs.

Thaksin Needs Your Help


For those of you who thought the former Thai prime minister Thaksin Shinawatra was living it up in Europe buying soccer teams, you’re wrong. He’s having serious financial problems and needs your help, according to this email I just received in his name:

Good day.

This may appear a bit surprising to you but very sensitive; as a matter of urgency, I am desperately looking for a foreign partner whom I can trust to handle some investment or fund movement under is control for security reasons. I am Mr. Thaksin Shinawatra, Former Thailand Prime Minister, I went on exile for some months over allege assassination of me and my family, and was charge for corruption and purchasing of Government lands. They also confiscate (froze) my 21 bank accounts, wealth and money I deposited with a bank firm in Thailand,

See the web link for more details:
http://www.voanews.com/burmese/2007-06-16-voa4.cfm

I have pleaded to be allowed to live freely, and with dignity, but Mr. Surayud has urge my assassination when returned to my own land for abusing the rule of law, been the current Prime Minister in power I have known objection than to remain on exile. While in exile, I have decided to move the fund I deposited with a security firm here in Europe for a reliable business purpose and also gain access to fully support the less privilege which the government of my country is against. I am calling your attention for partnerships deals towards assisting me invest this fund under your custody for security purpose till the accusation levy against me is cleared off.

All further communication of this transaction would be referred to my lawyer in your next mail to scrutinize the legitimacy of my partner (you), and also assign to you the legal protocol and modalities of this transaction.

Yours Sincerely,
Mr. Thaksin Shinawatra
thakshinw@tiscali.co.uk

Please see what you can do. Of course, there’s an off-chance this could be one of those scams, but I’ve read it carefully and checked the VOA link, and it rings true to me. Really.
