Last January, I received an email purporting to come from my bank. It looked legitimate: it had a clean logo, in the right colours, but it contained a predictable spelling mistake, and did not originate from a valid bank email address. Yet I was concerned how the sender had obtained the fact that I was a customer of the bank, and gained possession of my email address. Had there been a serious security breach? Having occasionally received spoof emails from other institutions, which I forwarded to the address they gave for reporting such, and subsequently received grateful acknowledgments, I did the same with this one. I looked up the address to which such suspected spoofs should be sent (abuse@ . . .), and waited for a response.
And waited. And waited. I lingered a couple of days, and then sent another message to that address, inquiring whether the mailbox was being monitored, and requesting a reply. There was still no response, or even an acknowledgment. That was depressing, and utterly unsatisfactory. I thus went to the website again, trying to find a manager responsible for email fraud. The website was singularly unhelpful: it did not allow any chatroom discussion of security topics, and I entered a hopeless loop of going back to being invited to send further emails to the given ‘abuse’ email address. The bank provided no lists of executives to contact, no bank head office address to write to, only a couple of telephone numbers, neither of which looked suitable for my problem.
I tried one of the numbers, and after going through security checks, I spoke to someone (in Ohio or Iowa, I believe). She could not help me, but agreed to forward me to someone who could. I was thus transferred to a number in Atlanta, where I again introduced myself and my problem, and went through security checks. That person also decided that he was not in the office that could help me, but knew which section was responsible, and transferred me to another number.
I waited about twenty minutes before someone accepted my call. I again described my problem, and went through the same security checks. I was then told that that office was responsible for ATM security, but not for possible spoofing breaches. When I described my frustration to her, she said that she did not know what the policy was, but it was maybe unrealistic of me to expect any response from the Abuse department. I replied that these days it was very easy to set up an automated email reply system that would at least confirm that a customer’s message had been received, and indicate what kind of action was being taken, and added that it seemed to me that the Bank did not look as if it took reports of spoofing attacks, and possible security breaches, very seriously. She assured me that that was not so, and agreed to track down the Abuse Department. I was then left hanging on the telephone for another five minutes.
When she returned, she gave me the name and address of a ‘Resolutions Services and Support’ office, but no telephone number, no name of an executive responsible, and could not explain why that was not so. When I asked her what I should do next if I sent a letter to that office, and received no reply, she encouraged me to write ‘Response Required’, to ensure that I did receive a reply. This I did. But I was not hopeful.
Fifteen years ago, when the Web started to become a useful communications mechanism, corporate websites were full of data about organisation, functions, executives, addresses, telephone numbers, etc. Nowadays, it seems that their prime purpose is to provide a blatant marketing presence, and to make it extremely difficult for the inquiring customer (or prospective customer) to identify a department or person he or she might wish to contact. In addition, we have the blitz of customised advertisements: I cannot bring up the BBC website to check the cricket scores, or surf to a news site to ascertain Kim Kardashian’s views on this year’s Man Booker Prize nominations, without waiting for half a minute while dopey high-resolution advertisements for car dealerships half an hour away, that I am never going to visit, are loaded. Somebody, somewhere, is paying for all this, and will one day work out that it is all a waste.
After composing a letter, and sending it to the address given, I had one last try at finding a real person’s telephone number. Eventually I found one, in the Public Relations department. I called it, and left a message describing my problem (it was a Saturday), thinking I had done all I could. And then, out of the blue, a couple of hours later, I received a very polite telephone call from a Bank employee, who said that he was the Executive in charge of Security. His friend in the PR department had picked up my message, and alerted him to it.
As we discussed my problem, Mr. Watkins (not his real name) apologised, but said that, owing to the vast amount of spear-phishing emails that the Bank received these days, it had decided not to acknowledge any messages received from its customers, as it only encouraged more traffic that could overwhelm the system, and he started to brief me on the security challenges that any bank of its size has to counter in 2017. I responded that that might be so, but in that case why did the Bank simply not include some text to indicate that it inspected every genuine message that came through to its hotline, but that it would probably not respond individually to every item? Would that not provide for a better management of customer expectations?
At this stage, Mr. Watkins started to give me another little lesson about technology, at which point I decided to explain my credentials. While I am no longer au fait with all the issues to do with website maintenance and data security, I was one of the two executives who launched the Gartner Group’s Security product back in 1999. When I described my background, Mr. Watkins became even more amenable, and we moved on to a new plane. He seemed very proud of the fact that the Bank spends millions and millions of dollars each year on security. He essentially agreed with my recommendations, gave me his telephone number, and encouraged me to stay in touch while he investigated the problem.
Over the next few weeks, Mr Watkins was jauntily positive. There had been meetings, attended by database administrators, web designers, lawyers, security experts, public relations people – even manicurists, for all I know. It was important that everyone had buy-in to this significant portal of the bank’s business, and every detail had to be examined. And then, early in March, he proudly told me that the new functions had been implemented.
But they hadn’t. There are two entries to the bank system – a public one, and a subsequent secure sign-on that leads to a private area where customers can maintain their accounts. The Bank had attempted to fix the public ‘help’ area, where they had incorporated the text I suggested (although they made an egregious spelling mistake in doing so, spelling ‘fraudulently’ as ‘frauduleny’), but they had not touched the private zone. When I pointed this out to Mr Watkins, he was incredulous, and eventually I had to send him screenshots to prove that those spaces existed. I gently pointed out to him that it was as if the Bank’s executives had never tried to log on to their system as retail customers. He was suitably chastened, and promised to get back to me. More meetings with lawyers and psychotherapists, no doubt.
Nothing happened for a while. I continued to perform my on-line banking, and regularly checked the ‘Help’ section of the secure banking site to see whether it had been fixed. On March 20, Mr Watkins wrote to me as follows: “I’m writing as a brief status update to let you know that the changes you’ve identified below are scheduled to be implemented within the next 2 – 3 weeks. In addition, I’ve had our team perform a comprehensive review of all of our web pages to ensure as much consistency as possible. I will update you again once the necessary changes are complete.”
I waited again. No update from Mr Watkins, so six weeks later, on May 2, I emailed him again, pointing out that the unqualified advice still sat there, unimproved, in the private area, but did confirm that the rubric in what was called the Security Center was now clean and (reasonably) correct. (It had new spelling problems: ‘out’ for ‘our’, but no matter . . .) I gave him the URL of the offending area. Because of some personal issues, he had to hand my message over to his personal assistant to work on. He was under the impression he had already informed me about the changes the Bank had made.
I had to start again with Christine (not her real name). After she sent me an email informing me that the changes had been made, and how I should report suspicious emails, I had to explain to her that there was a discrepancy between the two zones, and I informed her of the fresh spelling problem. “Thank you for the feedback,” she replied. “We are currently working with our teams to review and will keep you posted.” More teams, more confusion. Less chance of a correct fix. I remembered Charles Wang of Computer Associates, who said once that, when a programming project started to drag, he would take a person off the team, so that it would run faster.
Another few weeks passed by. On May 25, I emailed Christine, and copied in Mr. Watkins, asking where things stood, only to receive the following reply from Mr Watkins. “I’ve tasked the multiple teams involved in producing and delivering these web pages to pull together a broad effort to reconcile all content. These teams are currently researching what this will involve and we plan to meet back with them to discuss their assessments during the week of June 12. Please rest assured that there are no idle hands involved in this work but given the significant size and complexity of this effort, I’m focused on a) updating any current pages while b) ensuring the proper controls are in place to ensure ongoing alignment and consistency.”
Well, ‘resting’ I probably was, but ‘assured’ did not exactly describe my composure. I waited again. And then, on June 21, I learned from Christine that a new executive had been brought in to ‘address the issue going forward’ (as opposed to ‘going backward’, I suppose). I was invited to join a conference call, so that my concerns could be addressed. I declined, however. I did not need a conference call, and I instead carefully pointed out again that, while the problem had been fixed in the Privacy and Security Center, the text had not been incorporated in the private area, for which I provided the link again. All that Christine did was to provide me with instructions on how I should use the Bank’s web-page to report problems (as if it were not supposed to be self-explanatory by now).
I took one final stab at explaining the problem, pointing out how badly designed the whole website was, with its circular paths and inconsistent terminology, and I provided an explicit analysis of the problems with the Bank’s customer interface. I expressed my amazement that Bank officers could not identify the anomalies in the system, and fix them. I copied the message to Mr. Watkins.
On July 1, a new communicant appeared – probably not the executive brought in by Mr Watkins, as he introduced himself as being ‘on the team that oversees the on-line banking platform’. Arthur (again, not his real name) kindly provided me with a long explanation of all the changes that the Bank was introducing, including not just my recommendations, but many other improvements, as well. I thanked him, and promised to keep my eye open.
Well, it is now July 25, as I write, and the same old text appears under ‘Report Fraud’ in the private banking section, with no indication that messages will not be acknowledged. A simple change that I could have implemented on my own website in under five minutes (literally) still baffles the combined expertise of the Bank after seven months. Is this a record? Banks complain that they are stifled by regulation, but if they cannot even manage changes of this magnitude off their own bat, what hope is there for them? Is this story not an example of corporate incompetence and internal bureaucracy gone mad?
* * * * * *
The second incident concerns a recruitment at my old Oxford college, Christ Church (an institution, I hasten to add, for the benefit of my American readers, that is not actually the equivalent of Oral Roberts University, despite its name). The Hilary Term issue of the college magazine proudly announced that Christ Church was welcoming Sir Tim Berners-Lee as a Research Student and member of the Governing Body, with a mission to ‘grow Computer Science at Christ Church’. For those readers who might not know about Sir Tim’s remarkable achievements, I point you to https://en.wikipedia.org/wiki/Tim_Berners-Lee. He is known as the ‘inventor’ of the World Wide Web, and director of the World Wide Web Consortium, and took his degree at Queen’s College, Oxford. As a retired information technologist, I admire and applaud his achievements.
Yet some things that Sir Tim wrote in this promotional piece in Christ Church Matters puzzled and disturbed me. He characterised ‘several connected initiatives’ in which he has been involved for some time as Open Data, Open Standards, and Human Rights on the Web. As an expert in data management for some decades (I was a data and database administrator in the 1970s, have experienced several generations of data-base management systems, was the lead analyst and product director for Strategic Data Management at the Gartner Group for a decade, and successfully forecast how the market would evolve), I believe I understand fairly well the issues regarding data security and data sharing. I found Sir Tim’s pronouncements about Open Data naïve and erroneous, and his thoughts on the role of Open Standards confusing, and maybe misplaced. But what really provoked me was what he wrote about Human Rights on the Web. “We have a duty to ensure that the Web serves humanity, and all of humanity”, he wrote, adding, somewhat rhetorically, about the concerns of the Foundation: “Is it [the Web] open, non-discriminatory, private and available to all, including minorities and women? Is it a propagating medium for truth and understanding, or more so for untruth and discord? Can these parameters be changed?”
Now I regard such questions as reasonably interesting, although I’m not sure what ‘minorities’ he was referring to (philatelists? Zoroastrians?), or why ‘women’ should come at the end of his list of concerns. But how could computer science be sensitive to such transitory social labels, or the gender of its users? Quite simply, what he proposes is either outside the realm of computer science, or lacking any toehold in what computer science has already generated about issues of data management (for instance, in the works of Sir Tim’s outstanding forebear, Edgar Codd, another Oxford man, an alumnus of Exeter College, and also a winner of the Turing Award). I found his pronouncements about serving humanity simply arrogant and pompous. Accordingly, early last March, I wrote a letter to the editor of Christ Church Matters, and to the Dean (whom I met last year, as my blog reported), which ran as follows:
“Am I the only reader of Christ Church Matters to be somewhat surprised, even alarmed, at the expressed rationale behind the new computer science initiative? The achievements of Sir Tim Berners-Lee are spectacular, and I have no doubt his intentions are honourable, but do the goals that he espouses not tread on the space of social advocacy, even corporate mission, rather than scientific investigation?
For example, the notions of ‘web-based data’, ‘Open Data’ and that ‘we [= who?] have a duty to ensure that the Web serves humanity, and all of humanity’ are certainly controversial. Data are not exclusively managed by web applications, but frequently shared. Indeed, it is a principle of good database design (a topic frequently overlooked in university computer science courses) that data be implemented for potential shared use, irrespective of delivery vehicle. There is thus no such entity as ‘Web-based data’. Professor Wooldridge’s statement that ‘when Governments generate data, there is huge potential value if that data is made freely available and open for all to use’ provokes enormous questions of privacy and security. To assume (as does Sir Tim) that ‘we’ can be confident enough to know how ‘all of humanity can be served’ has a dangerously utopian ring to it. Etc., etc.
The point is that technology is neutral: it can be used for good, or for ill, effect, and people will even disagree what those two outcomes mean. How is ‘all of humanity’ served when Islamic fanaticists can exploit web-based encrypted information-sharing applications to exchange plans for terror? Who benefits when private medical data is presumably made available for ‘all to use’? When is data private and when open? It is all very well for Sir Tim to assert that his main motivation is ‘the personal empowerment of people and groups’ (is that phrase not both tautological and self-contradictory?), but that is a belief derived from his own sense of mission, not from a perspective of scientific inquiry.
Maybe these matters have already been discussed, and have been resolved. If so, I think it would be desirable to have them explained publicly. I believe those helping to fund such initiatives should be made aware that the boundary between science and evangelism appears to have shifted considerably.”
My letter was kindly acknowledged by the Dean, with a promise of follow-up, but I have heard nothing more. I suspect that I am seen as a minor irritant, getting in the way of some serious boosting of the college reputation, or maybe hindering access to vital government funding. But the question remains. There are researchers into computer science, and there are commercial enterprises. They frequently enjoy a symbiotic relationship, but there comes a time when enterprises have to take risks and make decisions that go beyond what consortia and standards-groups can achieve. Ironically, Sir Tim’s statements about benefitting humanity sound uncannily like those of Mark Zuckerberg, the CEO of Facebook, who also has evangelical designs on improving the world. But the rest of us should be very wary of anybody who claims that omniscience to know how ‘humanity’ is best served, and who appears to be unaware of the Law of Unintended Consequences. And computer scientists should not start dabbling in evangelism.
* * * * * *
Regular readers of this website will recall my reference to The Trinity Six, by Charles Cumming, in my March blog. Since then, I have read his first Thomas Kell novel, A Foreign Country, and this month, the follow-up A Colder War (published in 2014), both of which I recommend. (Although I do not understand why we need to know every time Thomas Kell lights up a cigarette, or that he throws the butt of one into the Bosporus.) But my point here is to describe how unmistakably set in time these thrillers are – not so much by the political climate, although Iranian nuclear secrets and rebellious Turkish journalists give one a sense of that – but more by the use of technology. For the narrative is densely imbued with BlackBerries, iPhones, Facebook, TripAdvisor, SIM cards, SMS and O2 services – but not the dark Web, Snapchat or Twitter (or even Sir Tim’s Open Data initiative). Will it make the book soon seem dreadfully outdated, or will it be praised for its verisimilitude?
The pivot of the plot is indeed one such technological matter. (Spoiler Alert.) In what appeared to me as a very obvious mistake by the hero, an unencrypted text message leads to the eventual betrayal. And one other passage caught my eye – for a different reason. Cumming writes, about a surveillance operation at Harrod’s: “While most of the members of the team were using earpieces and concealed microphones, Amos had been given an antediluvian Nokia of the sort favored by grandparents and lonely widowers. Kell had banked on the phone giving plausible cover.”
I recognized that scene. Three or four years ago, I went into a branch of my bank to pay in a cheque (it may have been a check). The cheerful spirit behind the counter asked me whether I knew that I could pay in checks via my cell-phone (or mobile, as it would be known in the UK). Without saying a word, I then solemnly produced my venerated Motorola C155, manufactured ca. 2005, reliable, rugged, and not very handsome, and showed it to the woman. She then let out an enormous giggle, as if to draw the attention of her co-workers to this antediluvian instrument. As can be seen, it looks more like the shoebox phone from Get Smart (the 1960 TV series, not the 2008 movie).
But it did its job – just made and received phone calls. My carrier forced me to replace it a couple of years ago, but my fingers are too stubby for the keypad on the new thin model, and I never use my phone to access the Web. Enough woes in that. I miss my C155 – ‘as favored by grandparents’.
* * * * * *
Another saga started. In May, I had received a letter from History Today, inviting me to renew my subscription on-line. “Renewing your subscription couldn’t be easier”, it boasted. I thus logged on to its website, but was frustrated in my attempts. I sent an email to the publisher, listing my failures. I explained that the system did not recognise that I was in the USA, did not allow me to enter my subscription reference, and quoted a sterling fee rather than the $99 mentioned in the letter. And when I signed on to my account, it gave me no option to renew, just to upgrade to access to the archive. I received a prompt reply, which merely stated that the website had been going through some maintenance, but that once this were completed, I should be able to renew my subscription on-line.
I held off for a while, and then received another letter in the mail, which again proclaimed that ‘renewing your subscription couldn’t be easier’. It offered a price of $79, which I interpreted as a special offer, maybe making amends for the earlier technical problems. I thus logged on afresh, and made the renewal, but did notice that the confirmation came through with a charge against my US dollar credit card for £99. An obvious mistake, no doubt to be cleared up simply. I sent an email pointing out the error. After a couple of days, I had received no response apart from an email confirming my renewal, and encouraging me to contact the sender (the third name in as many messages) if I had any problems. I thus sent off another email, pointing out the discrepancy between the amount specified in the invitation letter, and somewhat impatiently requested a credit to be made against my credit card.
Yet another name replied, with the following message: “Thank you for your recent email.
I can confirm the reason they are different amounts and different currency is because it has been converted from USD to Pounds. So it will always show what we have received as payment here in England rather than the amount you paid in Dollars. If there is anything else that I can help you with please don’t hesitate to contact me.”
So, as the month wound down, I sent another message, pointing out that a fee of $79 would convert to £61, not £99. I am awaiting their reply. It is possible, I suppose, that they mistakenly took the exchange rate as 1.31 pounds to the dollar, rather than vice versa, although the letter lists the optimal online archive upgrade as a more accurate £30/$45. We shall see. If e-business speeds are predictable, I shall probably be able to provide an update to this transaction in January 2018.
The next episode of Sonia’s Radio will appear at the end of August. This month’s new Commonplace entries appear here.