s2e11: Bob Rife Is Real; Digital Secure Confusion 

by danhon

0.0 Sitrep

Wednesday, July 29, 2015 and it is hot in Portland again. Cut it out, Portland.

1.0 Bob Rife Is Real

So in Snow Crash (spoilers, but at this point, *really*), L. Bob Rife is a sort of fictional Ted-Turner-slash-Bill-Gates (ie: regular 20th century broadcast communications magnate who commands the media through which the majority of people pay attention to, with a bit of owning all the comms infrastructure – fiber and a bit of proto-information superhighway thrown in) or, I suppose, if we’re updating, a sort of Rupert-Murdoch-slash-Mark-Zuckerberg-slash-Elon-Musk-slash-Yuri-Milner (ie: another rich tech billionaire who controls a global medium that commands the attention of billions as well as making an infrastructure play). Rife does a whole bunch of things, the least of which is buy up a bunch of radio telescopes:

A half-hour episode of a science news program, this one on the controversial new subject of infoastronomy, the search for radio signals coming from other solar systems. L. Bob Rife has taken a personal interest in the subject; as various national governments auction off their possessions, he has purchased a string of radio observatories and hooked them together, using his fabled fiber-optic net, to turn them into a single giant antenna as big as the whole earth. He is scanning the skies twenty-four hours a day, looking for radio waves that mean something—radio waves carrying information from other civilizations.

Neal Stephenson (2003-08-26). Snow Crash (Bantam Spectra Book) (p. 116). Random House, Inc.. Kindle Edition.[0, 1]

It turns out (spoilers, again) that Rife finds what he’s looking for – a metavirus, and then The Rest Of The Book Happens. The only reason why I’m bringing this up is to do a really long and tedious setup for the punchline to a) the re-emerging piece of news on io9 that China is building a humongous radio telescope[2] and that b) Yuri Milner, a very rich Russian[3], has put USD $100m[4] into the Breakthrough Listen[5]

In my head, of course, the idea of a country doing a giant public science project these days, especially one to do with radio astronomy just goes straight to the amusing concept of the international effort in Contact[6] to build the Machine. In other words: WHAT DOES CHINA KNOW?

[0] Snow Crash, Neal Stephenson – Amazon

[1] Snow Crash – Wikipedia

[2] China is Building an Absolutely Massive Radio Telescope – io9

[3] Yuri Milner – Wikipedia

[4] Stephen Hawking and Yuri Milner Announce $100M Initiative to Seek ET – Scientific American

[5] Breakthrough Listen – Wikipedia

[6] Contact (1997 American film) – Wikipedia (yes, the movie, not the book)

 

2.0 Digital Secure Confusion

 

So HSBC, an international bank with a UK “retail banking operation” (ie: a bank with branches and offices and a website that regular people use to pay their rent and utilities and buy food with) has embarked on a massive upgrade of its users security. It’s doing that through something called a Digital Secure Key, and my aleph-from-Global-Frequency-like (I wish) monitoring of the world’s social media (when I’m distracted or procrastinating or both, I guess) brought the whole thing to my attention through a tweet from Guy Moorhouse:

.@hsbc_uk’s flow to move people to the new ‘Digital Secure Key’ is an absolute user experience car crash.[0]

HSBC’s Secure Digital Key is, in their words, well, it’s not entirely clear. This is how they describe it, for what it’s worth:

We’re making life easier thanks to our new Digital Secure Key

At HSBC we recognise how important Online Banking is to you, so we’re giving you more options to log on securely.

If you’re new to Online Banking, you’ll be able to choose between using a Digital Secure Key on a compatible device or a physical Secure Key.

If you’re already using the physical Secure Key you’ll be able to switch to the Digital Secure Key. We’ll contact you to let you know when you can switch.[1]

Okay, so let’s just take a look at that copy first. If you’re going to say that you’re going to “make life easier”, then you’d better actually *make life easier* and have something that works and gets the basics right. We’ll see (unsurprisingly) later on that the basics have not been gotten right at all, which is only distressing for those of us who have at least some idea of what those basics might be and then look at the calendar and realise it’s 2015 and oh god what hope do we have as a species. Even more bluntly, it’s incredibly stupid and a bit of an own-goal to say that you’re going to make life easier and then make life harder.

Secondly, let’s just all sit down, take a minute and agree that “Digital Secure Key” is a stupid name for a stupid thing because there are actually two things – a Digital Secure Key or a physical Secure Key. The D in Digital gets to be capital but the p in physical doesn’t, and the Digital Secure Key *is* digital (but then so is the Secure Key because… it’s got digits and has transistors and a tiny little computer in it and looks a bit like a calculator) and anyway, HSBC can’t even figure out if it’s sometimes calling the whole thing Secure Key or Digital Secure Key. The Digital Secure Key does, in software, in the HSBC mobile banking app, exactly what the physical (no big P) Secure Key does. They both provide, er, keys.

Thirdly: “we recognise how important Online Banking is to you” just sounds weird because regular people don’t talk that way, but the kicker is “so we’re giving you more options to log on securely” – because what’s actually happening is the entire logon process has been changed and using Secure Key is a requirement, not an option. The *option* that people are getting is whether they can use a Digital Secure Key or a physical Secure Key. So, you know: don’t lie. You’re giving me an option for a thing that I have to do. People can spot lies. And then they don’t trust you. Really, “don’t lie” should be one of the basics to get right, and apparently this type of stuff is still rocket science. We’re also into the third sentence of four and the phrase “Digital Secure Key” has been used twice and we still have no idea what a Digital Secure Key is.

Lastly, if you’re using a physical Secure Key, you’ll be able to switch to a Digital Secure Key! Yay!

What it *looks* like, from the outside, and being a non-resident Brit now, is that HSBC is rolling out two-factor authentication (pick two out of something you know, something you have, and something that is you[2]) like the kind a whole bunch of other online services use where the user supplies both a password as well as a generated code that is unique to them and that frequently changes, as well as using this as an opportunity to get its users to set two security questions as well as a “memorable question and answer”. You know, the kind that are like: “Warning: the name of your first crush must contain two capital letters, a number and three special characters”.

It sounds like the way that HSBC has actually *implemented* Digital Secure Key is causing lots of trouble for people. Otherwise you wouldn’t get Facebook groups[3] (admittedly with not that many people in them) angry about having to use their new “online security key”[4].

A bit further down that page, we’ve got three tabs: “Digital Secure Key”, “Physical Secure Key” and “Two factor authentication”. The Digital Secure Key tabs lead with a heading of “Why choose the Digital Secure Key” and “Why choose the Physical Secure Key” because, as we’ve already established, we’re reveling in delight at the new options HSBC has brought us to help log on more securely that will make our lives easier. These tabs look like the’ve designed from the point of view of a choice – the user gets to choose which one they want to use, so the goal of the copy page and copy is to help them choose which Secure Key they want to use to log on more securely and make their lives easier.

But that choice is a false one: this is a forced migration. A choice that you have to make isn’t a choice you get to make. You can’t choose to not participate, so agency and control has already been removed from the user. They might not be in the frame of mind that’s excited about the new choices available to them. They might want to know, for example, just what the hell is happening in the first place.

The “Two Factor Authentication” tab – the last tab – is the one that tries to explain why all of this is happening. Amusingly, the tab is titled “What is two factor authentication?” and completely fails to answer the question “What is two factor authentication?”, other than saying that:

a) “the Secure Key is used as part of the two-factor authentication process”;

b) “[the Secure Key] offers a higher level of security”;

c) “Secure Key gives you greater peace of mind because you have this extra layer of security”;

d) “A unique code will be generated and displayed on your Secure Key, this should only be seen by you”

Look. It’s 11:06pm and I only have so much more time tonight before I’m supposed to go to sleep because I’m still supposed to be taking things easy after my meninges went viral.  But to cut a long story short, I’ve still got links to:

– the Secure Key Troubleshooting Guide[5], which says that if you’re having a problem with the Digital Secure Key, then just give HSBC a ring or if you have a physical Secure Key than haha, I’m sorry, because you’re using a piece of consumer electronics that includes error messages like PIN FAIL 1, PIN FAIL 2, bATT 2, bATT 1, and “button”.

– the Report a Problem[6] page of the HSBC Security Center which doesn’t anticipate you reporting a problem with getting through this new security process, but instead only talks about what you should do if you get a) a suspicious email; b) you don’t recognise a payment or c) your card is missing or stolen. Any other problems, like HSBC’s new security process being difficult to navigate are, as the saying goes, the user’s own.

And the fact that there’s a FAQ, because when there’s an FAQ it means someone has literally just given up and decided to not bother doing the job well or right. The FAQ, right at the bottom of the page that looks like it actually answers some questions that users might have as opposed to all the useless marketing copy at the top of the page. Amusingly, the first question is “Why is the Bank making me use a Secure Key”, to which the answer can only be “because They want to give You more Choices to Make Life Easier for You”

Anyway. There are sixty six frequently asked questions! SIXTY SIX! How bad must something be for people to have SIXTY SIX actual frequently asked questions! Maybe some of them aren’t even frequently asked! Maybe some of those questions were just things HSBC thought you wanted to know, but couldn’t figure out a way of telling you other than a convoluted question/answer dance! Who knows!

Some of the questions are valid, but only because the rest of the information on the page was so badly designed! For example, “Can I use my tablet as my Digital Secure Key” is not answered with the single word “Yes”, but instead with the phrase “Digital Secure Key is available on iPhone and Android Devices running up to date software and versions of the HSBC Mobile Banking App.” Which doesn’t answer the question! Well done, not answering frequently asked questions HSBC! Here’s another one: “Can I use my Windows Phone® as my Digital Secure Key?” to which the answer is not “No,” but instead, you guessed it, “Digital Secure Key is available on iPhone and Android Digital devices running up to date software and versions of the HSBC Mobile Banking app.”

Now, given that we’ve established that Digital Secure Key is available on iPhone and Android Digital devices running up to date software and versions of the HSBC Mobile Banking app you might be interested in asking “Which devices can I use the HSBC Mobile Banking app on?” to which the answer is *not* “iPhone and Android Digital devices running up to date software and versions of the HSBC Mobile Banking app”. No! The answer is actually “HSBC Mobile Banking supports iOS and Android devices. Apple iOS v6.0 and above. Android 2.3 and up.” So, you know. Not actually up to date software on iPhone or Android Digital devices. And remember when we asked if we could use our tablet as a Digital Secure Key? Later on, the answer to “Will the app notify me when I receive a new message,” one of the answers is “For iPad® – When you log on to Mobile Banking, a number will appear next to secure messages icon at the top of the screen.”

In conclusion, and with the little respect that is due, almost a certain minimally viable amount of respect, like a tiny tiny planck-length amount of respect, HSBC don’t know what the fuck they’re doing and don’t appear to give a shit.

(That said, it might seem like I’m singling HSBC out and making an example of them but I’m pretty sure that I could do the same exercise with most banks and find that they’re all just as shit.)

One last aside: it turns out that Which? (the UK version of Consumer Reports) did a review of UK online banking security! Which was a surprise because a) I didn’t think people actually did that and b) huh, the results are also available online for free[7]. Personally I love the idea of more accessible security reports being made available to people in a format that makes sense, if only because then everyone will understand the abject horror that is online security these days.

[0] Guy Moorhouse on Twitter: “.@hsbc_uk’s flow to move people to the new ‘Digital Secure Key’ is an absolute user experience car crash.”

[1] Secure Key: two-factor authentication | HSBC UK

[2] Two-factor authentication – Wikipedia

[3] Scrap the HSBC Secure Key – Facebook

[4] Facebook campaign by angry HSBC customers over new online security key – Yahoo Finance UK

[5] Secure Key Troubleshooting Guide | HSBC UK

[6] Report a problem: contact details | HSBC UK

[7] Online banking security rated – Which? Money

I have a big long list of things gestating slowly in my notes file, not least of which a) an article in Campaign about ad spend going up in the UK (GBP 4.7 billion, enough to buy about 10 Instagrams or 2.6 Slacks) and b) an article in Marketing Week asking if brands should focus on “digital tech” rather than digital advertising. Spoilers: the subhead of the Marketing Week article says “results show that brands should be focusing on the benefits of investing in digital technology rather than simply pushing money into digital advertising,” and ends with a threat from McDonalds’ UK and Northern Europe CMO that “If we can find ways of using the technology that people carry with them to help enhance their McDonald’s experience then that’s exactly what we’ll do,” almost like a sort of Liam Neeson who’s going to fuck up your business and make services simpler, clearer and faster. So probably, some of that tomorrow, I reckon.

Best,

Dan