Stupid Online Security Tricks: Stop them. Now.

I hate paper. I hate paper bills, paper drafts, paper notes, paper anything. I hated writing until I learned wordprocessing (on an Osborne using WordStar).

I love the net.

And I, um, kinda like having security.

I am not a security activist. Nor am I a privacy activist. I really could give a rat’s ass if the FBI, Jerry Falwell, Martha Stewart or all of my neighbors and every telemarketer in the world can get a list of every website I’ve ever visited, every porn subscription I’ve ever made, and every Ebay purchase I’ve ever regretted. Why? Because In Real Life you can see where my shopping bags are from, or what porn palace I’m emerging from, or what newspaper I subscribe to. I have enough of a brain to recognize that in exchange for the enormous convenience of using credit cards, the credit card company will have a list of every purchase I’ve made. And I’m OK with that, just as I would’ve been OK for Altman’s to have a list of everything I bought on account, had I been around (a) in the days Altman’s existed and (b) they had charge accounts.

Security and privacy are nice, but neither outweighs convenience. Otherwise I’d cut my credit cards up and use cash. So, goddamnit, make your security easy for me. I don’t care how goddamn complicated that makes it for you. In particular:

Do not issue me a pin number and expect me to remember it. In each case, I create my own pin number thankyouverymuchgoodbye. I don’t care if that means you get a little less security, because I may use the same security code on every account and that makes it easy for someone to steal/guess what I use. That’s my choice. Deal.

Do not expect me to divine how your company keeps my address in your records. Remember, I’m using the net because I fucking hate paper. That means that statements go from my hands into the trash as soon as I’ve made a payment. I don’t sit around hanging on to them. Which means I have no idea which of the 35 possible variations on my address you might be using. If you do insist on something that retarded, your system had better goddam recognize every variation. If I live at the corner of 5th Avenue and 18th Street I better be able to fucking enter any possible permutation of 1/One, W/West, 18/18th/Eighteenth, and St/Street, and get my information. (After I spent half-an-hour on the website and the phone, a long-suffering Continental Airlines employee explained to me that they couldn’t add my corporate Amex card to my list of payment methods because I didn’t enter precisely the billing address, down to the presence or absence of commas. RETARDS. It’s a corporate card, I don’t get the fucking statement in the first place.)

Oh, that means more data entry hours. Boo fucking hoo.

Grrr.

My personal favorite is the everchanging number of permutations of further information they can request when I order something with my credit.

CC#? Expiration date? CIN#? Phone number on record for bank? Mother’s maiden name? First name of bank’s CEO? How many bricks in the bank’s southernmost wall? What type of donuts that Madge, the bank’s undersecretary for public affairs prefers to have on Tuesdays? Total number of sperm in left testicle of bank owner’s 2nd cousin’s elder brother’s pet mongoose? AAAARRRGGGGHHHHH!!!

Well Oxy, that’s fine as long as you accept not being reimbursed for any money you lose, have stolen, etc. The reason all that rigamarole exists is because morons use the same password for everything, get their money stolen, and then expect the bank or CC company to cover their loss.

And as for the corporate card thing, get over it. You aren’t paying the bill, you aren’t responsible for any loss or theft, so therefore you don’t get a say in how the system works. If that means you have trouble with an online system boo fucking hoo.

As to the former, yes, I am perfectly willing to take that risk. Ideally, we won’t be using passwords for that much longer anyway - it’s an inherently insecure system precisely because it requires too much of human memory to be effective. One way or t’other we’ll have biometrics, and that will be Good.

As to the latter, you’re right in the small point - who gets to bitch - but you’re missing the larger point of bad design. (Which is really what the rant is about. I hate bad design - anything that doesn’t adequately anticipate how people will actually use it.) I’m actually not at all certain it would be that difficult for systems to recognize common variants of addresses, such as I’ve named. And more to the point, requiring someone to enter the billing address doesn’t really provide that much security, when most businesses are listed in the yellow pages. It’s window dressing: rather like having little old ladies submit to shoe-searches in airports. Completely irrelevant to the effort, but it kindasorta resembles a security measure and it’s inconvenient, therefore it must work.

My two sore points about security (aside from assigning me a password that I’ll never remember):

  • one place that not only wouldn’t recognize multiple variants of my address, but wouldn’t accept the actual address. I live on a numbered street. The sign has numerals. The system wouldn’t accept the address, and after waiting on the phone for a live person, I was told that their system would not accept numerals for the street - it had to be spelled out in words.
  • companies that will only ship to the billing address, and then use UPS. All I need is the tracking number to change the delivery address, so what purpose does that serve?

It might not provide much security if it’s the billing address for a corporate card for a business with only a couple of addresses. But it provides a bit more security for at least some consumers (you might get my credit card and know where I live, but that won’t help you if I get the bill at my office, my mother’s house or a post office box) and some corporate accounts (my corporate card has the name of my employer, and someone might be able to figure out my office address from the phone book, but they won’t be able to get the billing address in a city 3 hours away from a phone book in my area).