Tuesday, May 16, 2017

It's spring time...

It's been a while since I've had to roll up my sleeves and get ready to fight with one of my banks, but after the annual "Don't have a computer call me" rule slipped again over the past few weeks, I found myself this week getting tooled up for the concomitant unpleasantness that occurs as the warm weather returns.  

Traditionally, springtime is an unpleasant affair for me.  Money gets tight for me, and usually someone within the bank with an unbendingly stiff view of their rules (and this is never their problem but always the doing of someone else) then tries to push me into a corner of fines and penalties, whilst lecturing me about that bank's terms and conditions (which are never what I originally agreed to, but what they’ve introduced in the subsequent years through arbitrary changes that you have no choice over), and this never usually ends well for either party, so things usually escalate and get heated and ultimately we end up in an early summer showdown. 

I don't normally handle being talked down to by anyone very well, or being treated just like a number, especially from banks given how connected banks are to my personal history in the first place. In the early 2000’s (during my 20s) I used to sit back and take it on the chin, but these days now I’m in my 40s I fight back when things get unjust - and I nearly always do it on a "You do x, I'll do the same" method unless I get especially riled up.   

And so it is that I’m now sitting here again with a few 800lb gorillas in front of me, where the bank can be shown to have broken its obligations too (effectively I'd be holding a mirror up to the bigger pot calling the smaller kettle black), to make the bank consider coming up with some cool-headed alternatives.  

For a number of years now when a bank customer service rep thinks that because they're a bank and I'm just one customer, I'll only bring a knife to a gun fight, they're usually surprised when I turn up with a proverbial platoon of backup.  However, a subsequent effect of how I need to plan for defending myself against a bank, is because I have to pick the smallest items first and save the larger items for later gambits (so I always have something bigger on hand to escalate up to), as the years have gone by and the smaller items are used up, these 800lb gorillas became 900lb then 1000lb and so on.  

Long gone are the minor issues that affect one or two people.  Last year we were up to phishing, mobile security failures and the types of issues that might affect a small percentage of maybe a million or two customers (so you might have an effective compromise of say a few hundred to a few thousand people).  This year, the smallest 800lb gorillas are sized like mosasaurs (basically a bus-sized angry lizard) that makes the old stuff look like child's play. 

The nature of one of the smaller issues I pulled out this time is what I want to cover today, though I'm not going to specify which vendor to which bank is the problematic one.  That information would go straight to the regulator (for obvious reasons) if I'm forced into a suitable corner.

All the banks leapt head-first into analytics a few years back now, especially on web and mobile.  It’s not uncommon for a bank app or banking website to have three, four or more analytics and marketing systems going simultaneously. Each time a bank pulls in another third party, that’s another avenue where potential problems can start.  (I covered some of this last summer - article here - http://coulls.blogspot.ca/2016/06/online-banking-and-hosts-file.html)

This time, we’re up to the scale of problem where everyone is wrapped up in the problem.  It’s no longer confined to just mobile users, or just Android users.  As usual, the public is often convinced this is all perfectly safe, and many people don't give it a second thought as a result. However, most of these systems can identify you across platforms (when you jump from mobile to desktop browser) and can identify you outside of the banking environment.  This is commonly called "tracking", and it's what people might get upset about if there's anything they will get upset about.  This is also why despite having built various portions of mobile banking apps, including in Canada, I also refuse to use mobile banking apps myself, and always opt to use online banking if I have to use something. 

What everyone forgets is a) you can screw about with this tracking once you know it's weaknesses (the implications of this are huge) and b) the third parties handling this information are not always as safe as even the banks think.

What all this equates to for a bank is if they try to come after me and really try to apply the thumbscrews then I simply drop a compliancy deflection on a regulators desk. 



That's an expensive proposition for a bank.  

The bank still ultimately gets its money from me as soon as I have it spare, but it's put itself through an unnecessary metric tonne of bad karma and been shown to hypocritical in the process.  This can come with an underlying cost that can run into thousands of times more expense than opening up a proper dialog would have cost.