Posted by: David Schneier
Regulatory Compliance, Security
I never post on consecutive days; oftentimes I struggle to post on consecutive weeks when the ideas just aren’t flowing. But after the day I’ve just had I have nowhere to go with what’s swirling around in my head and so to my soapbox I run.
Without bogging the story down in needless details (a specialty of mine) I was attempting to link my personal checking account to an investment fund I maintain. Seems simple enough; I’ve done it before and as recently as last month with a different investment firm. All that was required the last time around was to complete an online application via SSL after authenticating to the financial services firm’s website with my user-id and password. Within twenty-four hours I was able to execute purchases and redemptions freely and was a happy customer.
Not so today.
Today I was told that I needed to download an application in PDF format, complete it, mail it in and wait for the request to be processed. Without thinking it through I asked the customer service representative (CSR) why was it that I could conduct the same activities with their competition (actually several of their competitors) online but not with them. He replied that online wasn’t as secure as the manual process and it was for my own safety. That was the way wrong answer to give someone who earns a living the way I do. And so I hammered this poor, unsuspecting fellow with a barrage of questions about how can his company ensure the safety of my hard-copy form as it leaves my hands, enters into the US Postal system, is touched by several more hands before it lands in their mail-room, is touched by even a few more hands before winding up as a request in a computer system somewhere anyway? And what about the original document? Is it scanned and destroyed? If not, is it stored in hard-copy somewhere? If so, where would that be and is the location properly secured? And who has access to that location? And how often are the related controls tested?
He didn’t know the answers to any of my questions.
Indirectly what he did illustrate was that I would be forced to accept an unnecessary delay in the processing of my request due to the simple fact that his management has not kept current with technology. Because really, in the end, that’s what this is all about. Rather than embrace the (not so) new capabilities offered via online commerce they’ve instead continued using a poorly constructed blend of old and new capabilities to mask that fact. And instructing their CSRs to use the stock answer of “online processing is fraught with risk” as a way to justify their decisions is wrong. The risks presented via online processing aren’t any worse than offline processing, they’re just different; a fact I can and have proven before. I have yet to manage engagements that included dumpster diving which failed to yield enough useful information to make the lingering stench worthwhile.
And to compound my frustration the PDF files were not even formatted so that they could be completed digitally and printed off prior to signing them. Honestly, it would cost them a few hundred dollars to purchase the appropriate Adobe product and save everyone a bunch of time. I asked him about that and he didn’t have an answer for me, stock or otherwise.
When I repeated the conversation later on to my wife she instantly created a new rule that prevents me from dealing with these things going forward so as to protect decent, honest people trying to make a living from self-righteous bullies such as myself.
Oh, and one more thing to share. Later on when we were at the bank getting our hard-copy forms authorized via the medallion authentication process (something new to me altogether) I was able to view the monitor as the bank CSR worked with another client. They had account information displayed, credit information (I could figure out it was about a loan request) and had I my cell phone available, I could have easily been recording everything on the screen. How hard would it be to angle the screen away from the reception area or use a privacy filter to block spying eyes like mine? Sensing my frustration with this total lack of basic security my wife instantly created another new rule which now prevents me from offering unsolicited free professional advice and so I didn’t when it was our turn to sit with the same CSR.
Fortunately I have my blog so that I may vent. And so, thanks for indulging me.