Tag Archives: Banker

The New Normal: Constant Flux

(This is a copy of my Loose Wire Service column, produced for newspapers and other print publications. Hence the lack of links.)

I was reading a blog by a World Banker the other day—now there’s a phrase I wouldn’t have thought I’d use a few years ago—about our old favorite in this column: Twitter.

Now don’t get me wrong. It’s good that the World Bank is blogging, and talking about Twitter. And one shouldn’t judge the thinking of the Bank from the words of this World Bank employee—who is not part of the banking part of the Bank.

But it does reflect, I suspect, a lingering and dangerous misconception about what Twitter—indeed, social media—is among institutional thinkers.

The writer, Filipino Antonio Lambino, writes:

The point is this: norms will continue to shift around a bit (or a lot) but will eventually take hold.  The same medium or application is likely to be used differently by different people in different contexts – and rules of engagement will emerge for these various uses.  Until things settle down, however, some of us are bound to remain a little conflicted and uncomfortable.  And through this transition period, by using what we like and rejecting what we don’t, we become direct participants in the norm-setting process.

Well, up to a point, Lord Copper. The truth is that there is no norm. Or the norm is that there is no norm. We’re now in a state of constant flux. Antonio can become a direct participant in the norm-setting process, but he will be disappointed if he’s looking for some norm-setting moment. The reality is there is none.

The fact that he’s using a blog—and tweeting his post on his Twitter feed—should give him a clue. Blogs were the first assault on the citadel of there being any ‘norm’. They were initially a reaction against the idea that you needed to know HTML, the formatting and design language of the web, in order to create stuff on the web.

The argument went: Why should we have to know that kind of thing to be able to share our thoughts online? We don’t have to know how to make a notebook to write things down. We don’t have to know how to make a camera to take photos. Why should we have to know the inner workings of the web in order to use it to create stuff?

So blogs were born. But they quickly evolved. There was no norm. Blog is short for web-log since it was assumed that blogs would be online journals. But they’re not. When was the last time you read a blog about what someone was up to? Blogs are a medium for ideas and reporting.

Then along came things like Flickr, YouTube, Wikipedia, MySpace, Facebook, Friendster et al.

All have had to adapt to their users. YouTube was ‘broadcast yourself’ but now is more about rebroadcasting what other people, or TV stations, have already broadcast.

Facebook was supposed to be for college kids to connect to each other. Wikipedia was originally supposed to be content produced by academic specialists. It only took off when they let anyone contribute. Now it’s evolving again, as users wrestle with each other over what constitutes a Wikipedia-worthy entry.

And this process of evolution is also evolving. Twitter started out as an SMS message-sharing system. Users took it in different directions and the founders were smart enough to follow. As you know, most of the features that make Twitter what it is—hashtags, mentions, retweeting—were devised by users themselves.

Twitter is just one example: look at FriendFeed, Google Buzz etc. as examples of flux, where users figure out how they want to use a service and its creators hold their breath.

The point, as Antonio would say, is this: Norms were norms because they were set by a limited group of people. Those with power—either financial or political. Newspapers have all sorts of norms, from the headline size to the fact that sports are usually at the back. Norms get established because the creators are limited in number and control the means of creation.

That’s no longer the case. Now the people who create things on the web have to genuflect before their customers, because the customers determine the success of a product. The customer is the user is the creator. The customer sets the norm. The creator of a medium in this new world is not the creator of the content that makes it a success. The two have been separated.

Hence, a norm today may not be there tomorrow. It used to be the ‘norm’ that if someone followed you on Twitter, you politely followed back. That’s no longer the case (spammers put paid to that, but it also became unwieldy). It used to be the norm that you posted links to your own content on Twitter; now you do it sparingly unless you’re a Twitter god.

So, to Antonio and others who are waiting for things to settle: they won’t. Already Twitter is becoming something else, and probably has a life span of five more years at most. Other services will come and take its place. It’s a fast-moving universe.

I’m glad the World Bank is making space for Antonio and like-minded souls to ponder the significance of these new networks. My advice: jump in and experiment, and enjoy the ride. Just don’t expect it to come to a final destination. Especially one called Norm.

Hi, I’m Sheila from Phishers ‘R’ Us

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up (the number is a private number so doesn’t show up on my screen, but that doesn’t seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it’s not hard to fake a callerID.)

The woman on the phone tells me there’s been a problem with my last phonebanking transaction. Before she can tell me more, she says, she needs me to key in my six-digit phonebanking ID. I’m just about to do so, eager to sort out the problem, when I realize that I’ve not confirmed that she is who she says she is. So I ask her:

“Sorry, but I need to confirm who you are first.”

“Yes, I am Sheila and I work for the phonebanking division.”

“Yes, but how do I know you’re Sheila from the phonebanking division, and not Sheila from Phishers ‘R’ Us?”

Clearly Sheila hasn’t faced this kind of situation before.

“Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it.”

“Well, it may do, or else it would tell me you’d already succeeded in hacking into my account and were now just toying with me.”

A pause.

“Yes, but the PIN number goes straight into the computer,” says Sheila, a bit nonplussed now.

I try to explain that a) I’m not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social-engineering fraudster, because she called me first, and b) that technology makes it eminently possible for someone to capture my six-digit PIN if I key it into my phone. A simple decoder attached to the phone line will grab the DTMF signals (the beeps when you press a key) and figure out which digits they represent. I didn’t tell this to Sheila because she was already beginning to sense I was a ‘difficult customer.’

In the end I tell Sheila I’m going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

“One last thing, Mr. Wagstaff. I don’t know if you’ve been told but we’re running a promotion at the moment that for every customer you’re able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store.”

A bank with its priorities right, it seems.

What amazes me about this is that banks don’t seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day from people pretending to be from the bank, informing them they’d lost their card and asking them to approve cancellation of the card by keying in their PIN. Voilà. If Sheila were Sheila the Scammer, someone would be at least halfway into my account by now.

I wish banks would be smarter about this. I wish in particular that the banks I use would be smarter about this. Scammers are clever, particularly at social engineering — the art of lulling people into a false sense of security. We ordinary people want to please, and we want to help solve a problem, especially if it’s connected to us, so we’re easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I’m always trying to pass on: Don’t give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where’s your badge? Valet? How do I know you’re not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it’s someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It’s your money, not theirs.

Dogbert Goes Phishing

It’s not on his homepage yet, but check out Friday’s Dilbert strip: it’s about phishing and does more than a thousand bank warning notices could do to show how it works and why folk are dumb to be taken in by it.

An email lands on The Pointy Haired One’s screen: “Dear Customer, This is your bank. We forgot your social security number and password. Why don’t you send them to us and we can protect your money. Sincerely, I.B. Banker.”

‘Looks legit,’ the Pointy Haired One thinks to himself.

(It’s up now: here’s the link.)

Snake Oil? Public Service? KMGI Responds

Yesterday I wrote about the odd press release from the Internet Security Foundation and the apparent conflict of interest between a foundation pointing out flaws in software (in this case, Windows) while at the same time promoting its own related software.

Today I received a response from the founder of the company that registered the site, Alex Konanykhin of KMGI. Konanykhin may be familiar to some readers as the Russian entrepreneur and former banker who fled his homeland and has since faced a long legal battle in the U.S. over extradition on embezzlement charges. Konanykhin subsequently set up KMGI to sell web advertising services and software. Earlier this year the National Republican Congressional Committee chose him as their New York Businessman of the Year.

Konanykhin, in response to my posting and a request for comment, says he erred in not making clear KMGI’s relationship with the foundation:

After reading your reaction to our news release in your blog posting, I realized that it was a mistake to limit our Internet Security Foundation site to the discussion of the password vulnerability and not include a page on what compelled me to establish the Foundation.

He says the foundation was motivated entirely by his realisation that users did not understand that their passwords in Windows remained vulnerable even when concealed by asterisks:

We researched this issue further and found that 86% of Internet users believed that the passwords hidden behind the asterisks are securely protected. As we opined in our press release, this false perception may result in criminals and terrorists unlawfully obtaining passwords of unsuspecting Internet users, gaining access to bank records, and other private information such as bank accounts. So, I urged Microsoft to fix this security hole (even though it would kill our revenues from sales of SeePassword), but Microsoft refused to do it.

I was surprised by Microsoft’s position which leaves hundreds of millions of Windows users at risk of identity theft. So, I felt compelled to fight on – and founded the Internet Security Foundation. I allocated a significant portion of our proceeds from sales of SeePassword to informing computer users about the grave but largely unknown risk they are facing. The press release you received was the first step of this campaign which, I hope, will minimize the risks to the Internet users.

After reading Konanykhin’s response to my earlier posting, I’m persuaded that he did not intend to mislead the public or conceal his company’s relationship to the foundation. I think this is more a case of someone inexperienced in the importance of ensuring all interests are plainly visible to the public. That said, I think Konanykhin needs to move quickly to implement his promise to add a page of explanation to the ISF homepage, something that has yet to happen at the time of writing.

In matters of Internet security and privacy, there are enough snake-oil salesmen, piles of skewed or self-serving ‘research’ and bad guys masquerading as good guys for users to be understandably suspicious about the motives of anyone raising alarm bells while simultaneously offering solutions.

Phishing Takes Its Toll

Is phishing beginning to take its toll on banks?

It’s been my belief for some time that this is, or would be, the case. Banks have seen the Internet as a cash cow and have been over-eager to milk it without realising that it’s not just a way to grab more customers and slice overheads. The Internet is a world unto itself, with its own rules, its own technologies — and its own scams. Banks and the Internet make sense, but not if banks think that an online department can be set up in a few weeks and staffed by a few sysops.

That’s why phishing is such an important wake-up call. It’s the first seriously clever scam that online banking has faced, and banks — and other institutions — have done a very poor job in responding to it. Sure, they’re beginning to now, but not before anything between $500 million and $5 billion has been lost to phishers. Whatever the figure, some folk made some serious money out of phishing, which means that Internet-based financial crime is going to be the main attraction for every criminal with half a brain from here to Archangel.

Which is where a new survey, reported by this month’s American Banker magazine (subscription only), comes in.

The article says that “nearly 30% of respondents to the 2004 American Banker/Gallup Consumer Survey said they think a bank has violated their financial privacy. That is the highest level since the question was first asked in 2001 and “a statistic you want to pay attention to,” said John J. Byrne, director of the American Bankers Association’s Center for Regulatory Compliance”. The article goes on to say: “A possible explanation for the increased perception among consumers that banks have violated their privacy may be the rising incidence of sophisticated identity-theft operations such as “phishing,” say experts.”

Of course, banks are going to say it’s not their fault: “Peter Cassidy, secretary general of the group, said that it is common for victims of phishing attacks to blame their financial institution for the loss of their personal information, despite the fact that the company had no involvement in the scam.” Of course banks are involved, in the sense that they did not heed the problem when it first appeared more than a year ago, but let’s not dwell on that. The bigger problem, the magazine says, is maintaining customer trust. “Dollar-for-dollar, the loss of customers’ trust that a bank is a safe place to put their money is a potentially bigger deal than all of the money people have lost to phishing attacks so far,” Mr. Cassidy said.

The article swings between privacy in the sense of releasing information to third parties for marketing purposes, and privacy in the sense of “why did you let someone steal all my money from my account?” To me the problem is pretty much the same. Any institution that plays fast and loose with your data is going to score low with the customer, whether that means letting third parties email you trying to sell you stuff, or banks that see their online services as just another way to flog more services. Two banks I deal with try this. One fills its logout page with rubbish that confuses a user looking for certainty that they’ve logged out (admittedly better than a few months ago, when the page carried a message along the lines of ‘you’ve logged out but you haven’t logged off’, a picture of a palm tree and an offer of travel insurance). The other forces me to sit through an ad for special-interest deposit accounts while I call their helpline on an IDD call. “Is my bank spending time protecting my assets or trying to sell me more snake oil?” would be a reasonable question to ask in the face of this marketing onslaught.

I think banks are going to lose customers if they can’t figure out ways to make online banking more secure. And it’s not just about educating users, although that’s part of it. It’s really listening hard to people who know about some of the scams — and vulnerabilities that lead to scams — out there, and then trying to pre-empt them. In the end it’s about making a technology that is as bulletproof as you can make it.

Closing The Door After The Phish Has Bolted

MasterCard, one of several banks discovered to have flaws on their websites that would have allowed a phisher to capture passwords, says it has fixed the problem.

American Banker Online reported (subscription required) last week that MasterCard International “has confirmed finding and fixing a flaw on its web site’s ‘Find A Card’ tool that could have facilitated a phishing scam”. The flaw had been discovered by British programmer Sam Greenhalgh and published on his web site on June 28. Greenhalgh lists in a sidebar those web sites that have been fixed or the flawed code removed. It’s not yet over: He says that PayPal and several sub-domains of Microsoft.com “remain susceptible”.

Besides the failure of some web sites to tackle the problem, a few other things worry me.

  • Why did it take MasterCard three weeks to remove the flawed code? American Banker reports that the tool was removed on July 20. As Greenhalgh writes, it’s probably a case of closing the door after the horse has bolted. (American Banker quotes MasterCard as saying that “It does not believe that any scams were attempted”.)
  • Why is no mention made of the flaw or the fix in MasterCard’s own ‘newsroom’? There are two releases trumpeting MasterCard’s own ‘fight on phishers’ but nothing of its own vulnerabilities.
  • How many more vulnerabilities are out there? Did Greenhalgh’s discovery trigger a serious audit of all code on such websites, or did they just plug the holes he had found?

Anyway, plaudits should be offered to Greenhalgh (so far I’ve not seen any from the banking fraternity, but I could be wrong) for his work and others encouraged to hunt for more leaks. Such folk are not troublemakers looking for nits to pick. They perform a very useful service. Phishing has shown that all this is no longer just theory, if it ever was. Every one of these vulnerabilities will be found and exploited if the good guys don’t get there first.

More On Korgo

More on the phishing worm I mentioned in a previous post.

Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.

He points out that while this is the first automatic worm (in other words, one that spreads without using email or other such methods) to do this kind of bank-website keylogging, it’s not the first virus to do so. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, was also believed to be behind Webber and Banker, two other bank-related viruses.

Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?