Phase One
It was Bruce Schneier (I think) who coined the phrase “security theatre”, to cover instances when people go through a meaningless routine to convince you there’s some security going on here, when in fact there isn’t. It’s a popular theme, and it’s grown into a concept that’s widely referred to as a bad thing. But you have to see it face to face to appreciate what it really means.
A few years ago, I got a letter from my bank regarding my business account. To protect their identity, let’s call them “High Street Retail Bank” – HSR.
Pete – we’re worried that you might be a Colombian drug baron, laundering money through your business account. I take a look out of my window, count the number of Lambos parked outside, and think, yeah, fair point.
The letter used all the standard mechanisms that scammers rely on, in particular scarcity – pressure to act quickly. If you don’t do what we say by the stated date, we’ll close your business account. Nice. Together with social proof – other people are doing this, working with us to prevent financial crime. You should too. And just to round things off, authority – we have the power of the law behind us, matey boy.
They wanted me to upload a bunch of documents to prove who I was. The same information I provided when I opened the account. Apparently they hadn’t lost it, they just needed to see it again. Riiiiggghhht. Things like scans of my passport, proof of address, company accounts, company registration details, a letter from my accountant, evidence of ownership, details of other shareholders including proof of address, that sort of thing. Also how much money had been moved into and out of my account in the year. Er…. you’re my bank… shouldn’t you know that? Apparently (genuine quote), they had noticed that money was being moved into my account and then moved out again. Sure. That would be invoices paid and then moved into the savings account. Also with HSR.
I was about to do all this (obviously) when I thought no, hang on – this is all the information that anyone would need to pretend to be me online. Safety first! More than happy to do what the bank wants, it’s not like I’m a customer or anything, but let’s just carry out a quick check. What does the certificate look like on the web site they want me to go to? Er… no proof of ownership. Also the URL doesn’t correspond to the one I use when I do my online banking. So I take a look at their online security advice: “No bank will ever threaten to close your account if you don’t do what they say”. Also advice on not caving in, if you feel that you’re being pressured to act quickly. Hmmm… what to do? Call the helpline, obviously. Their advice? Don’t touch it with a bargepole. Obviously a scam. Phew. With the wordless nods of agreement that only two security people can exchange, I feel vindicated.
Phase Two
Then the emails started. All sent at the weekend, and/or around eight in the evening. All threatening to close my account, and pressuring me to log in right now and upload the documents. All (mostly due to their threatening nature and mentions of money), flagged up at about 8.5 out of 10 by SpamAssassin. I think – up yours! I wasn’t born yesterday!
Then the texts. Also sent at times when the banks are closed.
I start to get pee’d off. So much so, that I take the letter into my local branch, and say “You might want to provide a copy of this to your security team”. The person I speak to says “Good spot, obviously a scam”, then takes another look. He goes off for a minute, makes a call or two, then comes back saying that actually it’s genuine. When I regain consciousness, I ask – surely the bank should be abiding by their own security advice? “Can’t disagree Mr Fagan, but there we are”. I go home, sadder (if that’s possible) and maybe a little bit wiser.
I fill in all the fields, upload all the documents, and then, if truth be told, wait for a call to say that my account has been emptied, or that I’ve just taken out a mortgage on a property in Guatemala. Instead, I get a letter from the bank telling me that I haven’t provided all the information, and if I don’t do so at once, they’ll blah blah blah. I email back with a screenshot showing their own software confirming that all the documents have, in fact, been uploaded. Their response? Well, we don’t have them. Er… so where are they? No idea. Where do missing documents go? Some sort of ethereal ‘pending tray’, maybe? Anyway, upload them again, or we’ll close your account. No, seriously, where are all these documents that anyone could use to pretend to be me? Mostly silence on that one. Although they do start phoning me up.
Pete?
Yep.
HSR bank here.
All righty.
Before we go any further, I have to take you through security.
Do you [redacted]. I have no idea who you are.
If we don’t go through security, then we can’t continue the conversation…
Er, you phoned me? But, if that’s your position, ok, thanks for calling.
They call back.
Aggressive, entitled, threatening.
I think – wow, this really is a high street bank.
Ok, security, there you go. Happy? So now, let me take you through security.
What?
Can you tell me the values of the last three transactions on my account?
Ooooh, no. Data protection!
What? You’ve just established that I’m the account holder.
GDPR?
GDP my arse. That has nothing to do with it. I’m asking you to prove who you are.
You can see our number on your phone.
The number that your own web site says shouldn’t be trusted, because it can be spoofed?
We’re not spoofing it – it’s really us!
Honestly, that last bit is verbatim.
The Response
Most people who know me will confirm that I’m a reasonable, patient, tolerant kind of guy. So I call the HSR complaints department. Who are brilliant, by the way. Really good. After a short time, I get a letter saying yeah – security and compliance team, what can you do? Fifty quid make things better? I reply that we’re probably past the fifty quid stage, but can you just get them off my back? They say they’ll try.
A week later, I get another letter from the bank, threatening all sorts of stuff. So I go to the Financial Services Ombudsman. In all honesty, I figure they have bigger issues to deal with, but they look at all the evidence and go yeah, open and shut case. They are, honestly, just brilliant. A short time later, they contact me to say that they’ve delivered their decision, and I can expect a letter from the bank.
I do indeed receive one, saying – security and compliance, what can you do? Fifty quid?
No thanks.
You have to take it.
Why?
It’s been allocated to you.
Well, unallocate it to me and reallocate it to a charity.
Oooh no, can’t do that.
I think I can guess. Security?
Yep.
What do I have to do to get you to go away?
Sorry about all the inconvenience Mr Fagan. If we could just….
Mate – you, and the horse you rode in on.
The conversation ended with a hint of frost, I’m afraid to say.
A week later I get an email saying that due to the coronavirus, they’re suspending this program to avoid giving people an infection. Yep, you read that right. A largely online activity has been suspended to avoid spreading a physical virus.
Bottom Line
What conclusions were drawn? Mostly that the public practice of security is, to quote my much-missed Mum, all fur coat and no knickers. Follow this magic ritual, and you will have security. Except you don’t. What you have is the illusion of security. The veneer is ‘taking you through security’ – ‘your security is very important to us’ – ‘security is in our DNA’. But underneath that, it’s lost files, nonsensical procedures, and inconsistent behaviour. No actual security. And if I may just introduce a note of commerciality, a truly dreadful customer experience.
It would be easy to blame the people that I interacted with, but I imagine they were following the instructions given to them by the security team. Who, incidentally, despite having been given two warnings, one by an internal agency, and a second from an industry ombudsman, continued to follow the same line, one based on their inalienable right to meet their own targets and in so doing, to ignore their own advice.
All they had to do was recognise that a mistake had been made, apologise, and work with me to fix it. But the security team, obviously, don’t do customer relationships – that’s someone else’s job. Consequently there was no concept of what their actions might look like from outside, to the point of encouraging in account holders the very behaviours they should have been discouraging.
All in all, it seems to me that the process of security has become detached from the business, and I don’t think we’ll have anything near actual security, unless and until that connection has been re-established. Because once you enable a separation between what security is presented as, and what is actually going on, you also enable a disconnect between what the security team are saying they’re doing, and what they are actually achieving.
In case you were wondering, others I’ve spoken to have reported similar experiences. And don’t even get me started on the time I asked for a copy of my medical records…
First published 9th May 2024