They’ve an even worse card security procedure, which they continue to use despite my repeated complaints.

AIB

Picture the scene, if you will.  Something fishy is going on on your credit card (normally it’s small value internet transactions).  The transactions are flagged up to the credit card fraud department, and they call you.

The Withheld Number

They call you from a withheld number.  You answer the phone, and the caller claims to be AIB Credit Card services, and asks you to prove to them that you’re actually the card holder!

At this stage on one call (and I get many from them – often over the same repeated transaction…another fail) I pointed out that as I was in posession of a “known good” phone number (i.e. the one that was attached to the credit card), and they were in posession of nothing more than a claim to be AIB, I was the one who should be asking the verification questions.  They didn’t like that.

Anyway, if you’re not as security aware as I am, you give them your credit card number, expiry date and full billing address (having already confirmed your name at the start of the conversation), and they then proceed to query some transactions.

How to scam an AIB customer

All the would be scammer needs to do to get an AIB customer’s credit card details is dial #31#<target’s phone number>.  The call will come up on the target’s phone as “Number Witheld” or “Anonymous” or similar.

90% of customers will then give the credit card number, expiry date, billing address and probably even the CVV2 number from the back of the card without question.

If the person refuses to give the details, the scammer can even refer them to the phone number on the back of the card, where AIB’s real credit card services will confirm that yes, that is how the calls come.  But no, there’ s no flags on their account at the moment – it must have all been cleared up.

What AIB should be doing

The correct way to handle this, in so far as there is one, is to call from a verifiable number (i.e. the one that appears on the back of the card), and ask people to call back to the number that appears on the back of the card (not “call 01 654….”, but “call us on the number on the back of your credit card”), or even better, a well known freephone telephone banking number (along the lines of the 1890 242424 number).

Bruce Schneier would have a heart attack if he heard this was coming from the two largest banks in the country.  Although, given what those two banks have been up to, it’s shouldn’t be too much of a surprise…

Abstract

Low processing fluency fosters the impression that a stimulus is unfamiliar, which in turn results in perceptions of higher risk, independent of whether the risk is desirable or undesirable. In Studies 1 and 2, ostensible food additives were rated as more harmful when their names were difficult to pronounce than when their names were easy to pronounce; mediation analyses indicated that this effect was mediated by the perceived novelty of the substance. In Study 3, amusement-park rides were rated as more likely to make one sick (an undesirable risk) and also as more exciting and adventurous (a desirable risk) when their names were difficult to pronounce than when their names were easy to pronounce.

Full report available from the US NCBI Medical Library.

Hat tip to Bruce.

This is a great opportunity for the Labour Party to reinvent itself for a new century.  I’m still getting through the main points of the report (to reiterate, even as a staff member, I hadn’t seen any of the report until now).

The headlines & summary are here on the Labour website, and I’ll blog a bit more on it over the next six weeks up to Conference.

Hat tip to Bruce, originally from News.com.au.

But what’s the real situation?

In reality, the murder rate in 2008 is significantlydown on 2007.  In 2007 there were, as best as I can tell, 78 murders recorded by the Gardaí.  In 2008 to date (and it’s now past halfway through December), there have been just 46 murders.  Allowing for the year’s trend to continue for the rest of December (let’s hope it doesn’t, of course), that will still result in a 40% decrease in murders year-on-year.  So why the hysteria?

Creative Commons (by freefotouk)

The media have a lot to do with it (update: it was amusing to listen to Tom Brady of the Irish Independent on Morning Ireland on Thursday talking at length during an interview about the Howth murder about how overbearing media coverage of murders was actually responsible for the perception – what’s your job again, Tom?).  The massive amounts of print and radio coverage (TV has less time) of murders and other violent crime puts the actual statistics in the shade.

People hear about crime and particularly violent crime far more often, and in far more gruesome detail, than they do about more ‘normal’ threats, such as car crashes.  Car crashes have become ‘old news’, so to speak.

Older people, in particular, and other vulnerable members of society are being led to believe that every group of young people is a threat.  They’re told over and over again that they’re under threat, so they believe it.

We’re all guilty of misanalysing risk.  When it comes to the safety of children, in particular, people vastly over estimate the risks involved in various threats.  How many child abductions have there been in Ireland in the past ten years where the abductor and abductee were unrelated?  One – and it’s arguable whether there was actually an abduction in that case.  And yet parents won’t let their children play outside their homes.  Certainly won’t let them wander alone out of sight of the house, and many won’t even allow their children walk to school.  Bruce Schneier has written about this, and there was a good piece on the BBC website about it too.

To drill down to just one key fact – in 1970, the average British girl was allowed to roam 840m from her home unsupervised.  By 1997, that was down to 280m.  Today, it’s likely to be as far as the doorstep.  Risk has actually decreased in that time, but people’s perception is that the risk has increased dramatically.

Yes, one crime is too many.  But we have less crime today than we have had in decades.  Let’s get some perspective, people.  And I’m looking at you, journalists, to lead the charge.

This was written on Tuesday, and updated on Thursday – so apologies if 20 people were murdered on Friday morning before it was published and all my stats are wrong.  I somehow doubt it, though.

1. It takes 15 minutes to get from the runway to the terminal building.  That’s not including the time required to get the gantries in place, etc – just taxiing time.
2. Security is both shite and a pointless hassle.  Queues are very long, and they’re long for a reason.  I was coming off a flight from the US, and put into a queue specially reserved for people transiting to the UK & Ireland.  Low security risk, right?  Apparently not.  Not only did laptops have to come out of bags, so did cameras, MP3 players, laptop power supplies, spare batteries, mice, network cables, USB cables and anything else even vaguely electronic.  How come every other airport in the world can scan a bag with those things in it, but CDG can’t?  I understand laptops coming out of bags, but the rest is just a waste of time.  Not only that, but their policy on shoes is random.  The guy in front of me had the same type of shoes on as I did – he had to take his shoes off, but I didn’t.  Worse again: I didn’t bother taking my MP3 player, cables, spare battery, mouse, etc, out of my bag.  The guy manning the X-Ray machine didn’t even blink when the bag went through.  Bruce Schneier would have a heart attack.
3. Food options are poor.  There’s nowhere serving “real” food (i.e. substantial meals), just sandwiches and salads.  There’s a Fusion Wok in a food court, but they….get this…serve the food cold and expect you to heat it up in the microwave yourself!  It’s served on cardboard trays, not plates.  They give you plastic cutlery, despite the fact that I was given a metal knife & fork in economy class on the Air France flight I just arrived in on.  The prices are even more exorbitant than Dublin AIrport.
4. The hub and spoke arrangement makes it a real pain to move between gates and areas when transferring.  The distance between gates is really, really far and routes are hugely indirect.  A real pain and a waste of your time.

These are all the reasons I try to use Schiphol when I have to transit.  It’s a far superior airport.

Update:

One good thing – Orange France give you an hour’s free WiFi at CDG.  That’s the only good thing going for the place.

DC Metro Security Sign

The text reads:

Hey, is that your bag?

If you see someone leave something on a bus, in a train or station, kindly ask them “is that your bag?”.

If they don’t take it or if you see an abandoned package, please contact a Metro employee or police officer immediately.

No need to shoot someone for leaving their bag behind.  99% of the time, it’ll be a real left-behind-bag.  Treating it like that is good security.

Some of the best bits:

During one secondary inspection, at O’Hare International Airport in Chicago, I was wearing under my shirt a spectacular, only-in-America device called a “Beerbelly,” a neoprene sling that holds a polyurethane bladder and drinking tube. The Beerbelly, designed originally to sneak alcohol—up to 80 ounces—into football games, can quite obviously be used to sneak up to 80 ounces of liquid through airport security. (The company that manufactures the Beerbelly also makes something called a “Winerack,” a bra that holds up to 25 ounces of booze and is recommended, according to the company’s Web site, for PTA meetings.) My Beerbelly, which fit comfortably over my beer belly, contained two cans’ worth of Bud Light at the time of the inspection. It went undetected. The eight-ounce bottle of water in my carry-on bag, however, was seized by the federal government.

Of course, terry-rists don’t drink beer, so they would never use a beerbelly device.

Schnei­er took from his bag a 12-ounce container labeled “saline solution.”

“It’s allowed,” he said. Medical supplies, such as saline solution for contact-lens cleaning, don’t fall under the TSA’s three-ounce rule.

“What’s allowed?” I asked. “Saline solution, or bottles labeled saline solution?”

“Bottles labeled saline solution. They won’t check what’s in it, trust me.”

They did not check. As we gathered our belongings, Schnei­er held up the bottle and said to the nearest security officer, “This is okay, right?” “Yep,” the officer said. “Just have to put it in the tray.”

“Maybe if you lit it on fire, he’d pay attention,” I said, risking arrest for making a joke at airport security. (Later, Schnei­er would carry two bottles labeled saline solution—24 ounces in total—through security. An officer asked him why he needed two bottles. “Two eyes,” he said. He was allowed to keep the bottles.)

The article reaches the same conclusion that most investigations of airport security do.  If you’re a really stupid terrorist, you’ll be caught.  If you’re an even vaguely intelligent terrorist, you can do what you want.  If you’re a Joe the Plumber/Paddy the Plasterer trying to get on a plane, you’ll get inconvenienced for very little gain.

Update:

Kip Hawley, head of the TSA, responded to Schneier, and Schneier responded back.  Amazingly, he actually praises an element of Dublin Airport security (down at the end of the post).  Imagine – the Department of Transport doing something right!  Don’t worry, though.  As Iarnród Éireann always tell us, “normal service will be resumed as soon as possible”.

That’s welcome, and long overdue.  Bruce Schneier wrote about it back in 2006.  California has for some time had a mandatory disclosure law, and it’s forced companies to take notice of the cost of losing data – especially in terms of their reputation:

Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place.

Think of it as public shaming. Companies will spend money to avoid the PR costs of this shaming, and security will improve. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.

So, let’s hope Dermot Ahern is serious about this.  We’ve got far stronger data protection laws than the US in most areas – they need to be extended to mandatory disclosure.  This is exactly what I was trying to get done when I first wrote those Parliamentary Questions in January, so it’s good to see it come to some level of fruition.

Update:

Digital Rights Ireland have more on this.

Today, a new series of PQs shows that they’re heading for 45 devices lost this year alone.  That’s almost one a week.  That’s bad.

What’s worse, though, is that, despite the repeated losses of personal information all year, neither the Department of Communications, Energy & Natural Resources nor the Department of Education & Science have introduced any whole disk encryption solutions.

Ruairi Quinn:

Ruairi Quinn TD (with Pat Rabbitte TD)

It beggars belief that the Department of Communications, tasked with developing our country’s IT infrastructure, has absolutely no policy on securing IT devices.

I wouldn’t even allow my personal laptop go out and about without Truecrypt encryption.  Why are two Government departments so closely associated with technology allowing my data to be left on buses and stolen from cars without any protection?  Especially when there’s little or no cost (Truecrypt is free).

What are Ministers Eamon Ryan and Batt O’Keeffe up to that they’ve missed the news all year?

By the way, if you think you can spot my fingerprints all over this, yes I did write the original PQs and this week’s followup PQs.  I wrote the Januar press release, but not this month’s one.

Update:

Mulley has a list of the actual responses.