Wednesday, January 03, 2007

A f**ked internet bank

One of the "dark secrets" of e-commerce is about labor practices. It employs a lot of free labor -- us, that is. Instead of going to a bricks and mortar shop ($$$ for the shopkeeper), and asking the salesperson (salary $$$ for the shopkeeper) for a look at some, say, Clarks shoes, we find a website selling shoes and find the brand ourselves and figure out the size and color and fill in the order and payment details and make the transaction. A better example is books, which I have bought lots of on amazon.com and amazon.co.uk. You do all the work yourself, assisted sometimes by a robot that knows one's preferences.
Most of the work we do online at all hours (I have ordered from amazon at 1 am) is very simple, which is why, for convenience's sake, we are so easily tricked into working as sales assistants, order takers and bank clerks in the middle of the night (often leaving a "tip" of personal information so that we can be approached by marketers more precisely and effectively).
Having said that, I had the most unpleasant experience with the Baltic Trust Bank, a bank thrust upon me by my new employer (for years I have been with Hansabanka and intend to stay) for the purpose of transferring salaries. I duly opened an account and got an envelope for my internet bank, hoping, as soon as possible, to set up an automatic forwarding of my salary to Hansabanka.
There were no clear instructions for using the internet bank. I guessed that one used one's bank card PIN code to access the ibank. Wrong. Fortunately, I stopped doing trial and error with this before automatically locking down the account. I had to call the bank to find out that my password was, in fact, a code printed on a code card (one of these things where, as double authentication, you enter "code 26" or something after your password clears). I was then offered to change my password. Each time, I had to re-enter the original gibberish of numbers and letters, because, it seems, the system insisted I use both one capital letter and one of a defined set of symbols *%( etc and a number, of at least eight characters altogether. For some reason, the system did not recognize symbols entered from the ordinary QWERTY keyboard, but finally responded to a symbol from the numerical keypad on my desktop iMac (will it work from a MacBook laptop? We shall see...). So after some ten infuriating and frustrating attempts, cursing the lame-ass BTB every time, I seem to have gotten it right.
I can understand the need for security, but it goes a little far to make the customer do a lot of repetitive and frustrating work. At the same time, BTB gives potential hackers an interesting formula: at least eight characters, one capital letter, one numeral and one of a limited number of symbols. Let us assume that most people will choose passwords that at least make some phonetic if not actual sense, rather than utter gibberish like &gbBzjq9, but rather fucKbtb*7 (that is not my password, btw, but I did think of this wording at one point), is it not a tractable problem to break the password? I'm not a programmer or mathematician, but it seems doable. Now BTB and other banks will say that the combination of the password plus the hundreds of thousands or more code card combos TOGETHER are impossible to crack short of using your 2070 model zillion multiverse quantum laptop. And they are probably right. But in that case, why make changing the password such an onerous chore?
Recently, BTB was acquired by GE Money. Maybe it is time to make the iBank service less of a frustrating task?

2 comments:

Anonymous said...

Juris, IT-wise, BTB is one of the most sucking banks in Latvia. I wonder why your employer (Leta?) sticks with this bank :)

Anonymous said...

Take it easy, I would say it is a part of competition. Banks are free to choose their own solutions and IT experts. And it means that there will be a lot of different solutions. We as users will have to cope with that. Same in the telecom business, where there are different tariff plans, or if you have changed your mobile handset brand, then it will take a while to figure out how to call or send SMS. Having said that, I am actually against competition, as it makes my life difficult.