Random musings on whatever subject strikes my fancy, published every other day.

Category: Geeky Stuff Page 1 of 55

My Banks’ Websites Suck

The following is an amalgamation based on my reluctant observation of several banks’ websites.

1) The bank website is slow. When it loads it takes so long that parts of it time out… waiting for other parts. When I perform an action I am always left to wonder if it took effect. What feels like minutes later, I see that it did. I have learned to take my hand off the mouse, sit back and wait. If I can sing the Jeopardy! song four times before it settles down, there might be a problem. And of course, controls on the screen move a hundred pixels or so, a fraction of a second after I click them. This results in my having clicked something else.

2) The bank website is buggy. When I sign off, it goes back to a login screen. It’s a trap! This login screen will not work. If you log in on this screen, you’ll get inscrutable error messages that quickly disappear, and then a new login screen. The second login screen works, but leaves behind a nagging suspicion that the first login screen has stolen your credentials.

The secret turns out to be, to click on the bank’s logo on the top left, and get a fresh login screen. That one will behave properly.

3) The bank website is arbitrary. Here’s a richly detailed example: Six months or so after changing the email address I use to have Chase Bank communicate with me, I started getting this after logging in:

A UI is like a joke. If you have to explain it, it sucks.

The redacted text is my email address. On this screen, it is selectable text but cannot be edited. The two radio buttons and the blue bar show as clickable when I mouse-over, but I am afraid to click them. Nothing else on this screen is clickable. Not that there’s much else on this screen.

The URL of this screen ends with:

intercept?name=BAD_EMAIL_ADDRESS#/intercept/addOrUpdateEmailAddress/update

If I modify the URL by removing all that crap, the website obediently reverts to its normal behavior by showing me my accounts dashboard. Solid.

This all started two weeks ago, and it seems pretty plain that Chase is having opinions about my email address. Note that this is an email address I changed to back in September of last year. I have dozens of emails from Chase using this email address.

The email address has a + sign in it to allow a Chase-unique suffix, so I can be aware if they sell my email address to spammers. I suspect, though nobody at Chase will confirm, this is why they are having a fit of pique. They don’t want me to know that they were the ones who sold my email. Unlike many people, I have another recourse from this: since I have my own domain, I can create as many unique email addresses as I want. Perhaps they will find “ChaseBankSucks@mydomain.tld” less of an issue?

Since composing the above, two interesting things have happened. One, following a looooonnng call I had with their web support line this morning, Chase sent me an email telling me that I had changed my email address. I had not. But Occam’s Razor tells me, they did. The thing is, it’s still the same email I have had all this time. So they changed it to… itself? And the second interesting thing is, the last time I logged in, the black intercept screen has not reappeared. If they actually fixed something, they have decided not to communicate that fact.

4) The bank website treats me like an idiot. Because they think I haven’t the capacity to examine more than a single item of information at once, when I want to make a payment, I must click thru five screens.
The first: Verify that the payment account I am using is the same one I have been using for six years. Next Screen!
The second: Choose an amount to pay. Next Screen!
The third: Choose the date to make the payment. Next Screen!
The fourth: Now I must review all the stuff I chose on the first three screens and then, finally, actually make the payment. Next Screen! (oh, did you think we were done? You funny!)
The fifth: Review it all again, after I have committed to it on the fourth screen. Can we escape next-screen hell now? Oh, we can? kthxbai!

5) The bank website won’t use proper two-factor authentication.
Authy and YubiKey, why do I have these? Apparently to protect my Twitter account. Because when it comes to banks, they are just not in the conversation. But sometimes in banking, news of the world can leak in a little. It’s kind of muffled and distorted but they get scraps and go with them.

So banks got the idea they should have two-factor authentication. Then they misheard the part where we were saying (out here in reality) that email and SMS were so shitty for this purpose but hey, maybe better than nothing. All they heard was “…email… …SMS…” Accordingly, I have a bank that can only email my auth code. I have one that can only text-message.

I have one that can do both, and does so every single time I log in. The “Remember this device” checkbox is a placebo, because the next time I log in from the same device, it’s the same thing again. Hey: it used to do this multiple times per session – at least they’ve fixed that for now.

One still asks “security questions.” Yeah, you forgot there were even worse things than 2FA via SMS.

Then there’s the one that can only text but if I want to sign in “with the mobile app” that’s somehow cool.

I don’t know why the bank website has to be so crap. I would hope it’s programmed to be extremely resistant to hacks, but I did not think that required a bottom-of-the-barrel UX.

Ranking

Ranking the Jeopardy! guest hosts, so far.

After Alex Trebek died in November, it was announced that a decision about the new host would be deferred until after a number of guest hosts got live tryouts. We’re almost halfway through this surprisingly excruciating ordeal, so here are my interim rankings.

#7. “Dr.” Mehmet Oz

I really can’t think of enough bad things to say about this choice. First of all, his track record of peddling quackery sullies the good name of Jeopardy!. And if that’s not enough, he’s just plain bad at this. His timing is off, his jokes aren’t funny, he talks too much. He pleads too much to get the job. He should never get the job.

#6. Aaron Rodgers

As a Jeopardy! host, Aaron Rodgers is a very good quarterback. He was workmanlike enough but there was no spark. None of the love of knowledge that most of the other candidates drip.

#5. Katie Couric

Too chipper. Too chirpy. “Katie Couric hosting Jeopardy!” sounds like something that would bring on uncontrollable giggles if we were sitting around smoking weed, and someone said it.

#4. Bill Whitaker

Technically, there are no big issues with Bill Whitaker. He does everything he’s supposed to. But his pace is a bit off. It reminds me of responses from a computer program whose CPU is a little too slow for the task set to it. And there’s one more thing about him: he makes a lot of references to the amount of money won in previous shows by the champ. It rubs me the wrong way.

#3. Ken Jennings

Seemed really nervous to start with. Never totally got over it. His voice is too thin to carry the gravitas of hosting Jeopardy!. Also he’d be lost forever as a player, which is a shame, because he’s fun to watch as a player. But maybe that ship already sailed when he took the Consulting Producer role after convincingly winning the GOAT trophy in January of 2020. Or as we like to call it, about four thousand years ago.

#2. Anderson Cooper

Anderson Cooper was very good. He showed a love of the game, and he handled his tasks very well. I really don’t have a fault to find with him as host. If my #1 choice doesn’t get the gig, I hope it’s Anderson Cooper. So far. We’re not quite halfway done with this.

#1. Mike Richards

He is the current executive producer, so would he want the job of host? Is it a demotion? Anyhow, he’s far and away the best at this – but it’s natural. He has experience hosting other game shows. We miss Divided. Richards shows the best balance of seriousness and approachability, and has plenty of gravitas without being stodgy. If he wants it, he would be the best of the ones we’ve seen so far.

This is a work-in-progress. There are nine more guest hosts to go, and they will be doing one- and two-week stints for the rest of the 2020-21 season. Beginning with Buzzy Cohen, a Tournament of Champions winner, who will be hosting the Tournament of Champions as of this coming Monday. Then, Mayim Bialik, Savannah Guthrie, Dr. Sanjay Gupta (a NON-quack), George Stephanopoulos, Robin Roberts, Internet fave LeVar Burton, David Faber, and Joe Buck. I’ll redo the rankings at the end.

Trade-Offs

Risk is handled in one of three fundamental ways:

  • Mitigated: You reduce risk by enacting some countermeasure. Network attack risk is reduced when you install a good firewall. Malware risk is reduced when you roll out anti-virus software. Shoplifting loss risk is reduced when you install cameras and hire guards in your store.
  • Transferred: The risk is reduced by paying someone else to assume it. To put it simply: you buy insurance.
  • Accepted: You realize risk cannot be zeroed out even if you spend more money than you might lose to the threats. So you find your “sweet spot” and realize, some risk still remains. We call this, residual risk.

In information security, everything is trade-offs. Usually, the trade is resources for risk reduction. Finding the sweet spot is not even the hard part. The hard part is getting management to understand why the sweet spot is found where residual risk is still annoyingly non-zero.
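A worked version of the sweet-spot argument, added here as an example and not part of the original post. The dollar figures, control names and reduction percentages are constructed, and it assumes each countermeasure removes a fixed fraction of whatever expected loss remains; only mitigation is modeled, not transfer.

```python
from itertools import combinations

# Constructed figures for illustration only (assumptions, not real data).
BASELINE_LOSS = 500_000  # expected annual loss with no countermeasures
CONTROLS = {  # name: (annual cost, fraction of remaining loss removed)
    "firewall": (20_000, 0.50),
    "anti-virus": (15_000, 0.30),
    "24x7 monitoring": (120_000, 0.40),
    "air-gapped network": (400_000, 0.60),
}


def evaluate(selected):
    """Return (spend, residual expected loss) for a set of controls."""
    spend = sum(CONTROLS[name][0] for name in selected)
    residual = BASELINE_LOSS
    for name in selected:
        residual *= 1 - CONTROLS[name][1]
    return spend, round(residual)


def sweet_spot():
    """Try every subset of controls and minimise spend + residual loss."""
    best = None
    names = sorted(CONTROLS)
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            spend, residual = evaluate(combo)
            total = spend + residual
            if best is None or total < best[0]:
                best = (total, combo, spend, residual)
    return best


if __name__ == "__main__":
    total, combo, spend, residual = sweet_spot()
    print(f"sweet spot: {combo} spend={spend} residual={residual} total={total}")
    # Buying everything still leaves residual risk, at a higher total cost
    # than doing nothing at all.
    all_spend, all_residual = evaluate(tuple(CONTROLS))
    print(f"everything: spend={all_spend} residual={all_residual} "
          f"total={all_spend + all_residual} (baseline {BASELINE_LOSS})")
```

With these numbers the cheapest overall position keeps a six-figure residual risk, and buying every control still does not reach zero.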

There are other trade-offs. Every time we transact with a company, we risk some of our private information in exchange for some benefit that company offers us. We risk the disclosure of a credit card number, to gain the benefit of a new FitBit. We risk the privacy of our home address, to gain the benefit of having delivery of that FitBit to our door. We risk the privacy of our health information by putting that FitBit on our wrist, and syncing it to an app in our phone. This gains us the benefit of the aid that the FitBit provides to our exercise program.

Personally, I consider a FitBit too risky for privacy to be worth the benefits it can provide. Maybe someday FitBit will show me that the benefits can outweigh those risks.

See what the big deal is

But the ultimate case where I wonder how people are making these risk/benefit decisions comes with things like Alexa, Google Assistant, Siri, and (shudder) Facebook Portal. We’ve already seen cases where voice recordings from people’s homes have been grossly mishandled. What about the cases where they are handled “properly?” Where the “proper” handling of this data is to build a profile of you so detailed, your spouse would be surprised to learn some of it?

Maybe I’m the most digital Luddite around. But I will have none of that in my vicinity. When I am in its presence, unwillingly, I may do something like this:

Maybe that will tip someone’s risk-acceptance decision the right way. That’s me, always looking for a way to reduce that residual risk.

Ah, Facebook

Signal is at it again*. I’m really starting to love Moxie Marlinspike.

This is an ad that Signal bought on Instagram (owned by Facebook). In lieu of using the rich bouquet of data that Facebook presents to advertisers about the user, they just passed it along to the user.

The point was not lost on Facebook, who have banned Signal’s ads from the platform. It’s all pretty delicious.

Meanwhile: this.

Oh, yeah. One piece of advice. Get off Facebook.

_______________________________________

Earlier Signal fun here.

Teacher’s Day – May 4

That’s right… in addition to Star Wars Day, it’s Teacher’s Day — in the midst of Teacher Appreciation Week. Indulge me for a moment, in one of my old-man stories.

If you dig deep on my LinkedIn profile, you will notice something funny: for most of my college career, I was a Chemistry major.

I got sidetracked by Biochem, which was really fascinating to me, but at the end of my junior year, my advisor said I was gonna be behind the 8-ball if I didn’t have Physical Chemistry (the dreaded “P-Chem”, as it’s known to chem majors) before starting my senior year.  So I signed up for it in summer school.

I went and started the course but the math required was a little… ok… a lot beyond my ability.  About the only thing I was any good at in that class was the labs, and the main thing I was good at in the labs was, writing the software to interpret and present the results.

My prof, Dr S, called me to his lab to discuss how badly things were going overall.  When I got there, what I saw were useless hunks of lab equipment in complete disarray.  Broken or simply outmoded, they had been left there by other chemists who no longer wanted them.  Dr. S didn’t care.  What was important to him was the boxes and boxes and stacks of boxes of 80-col punch cards.  On those many tens of thousands of cards were FORTRAN programs and data modelling the behavior of boron hydrides.

See, Dr. S is a physical chemist. A theoretical physical chemist.  He would work on a model, run it, and publish his predictions for the behavior of those molecules.  Then, experimental physical chemists would run tests to see how good Dr S’ predictions were.  They’d publish their results, Dr. S would have a think about what he could improve in his models, he’d tweak them and go around the cycle again.  Two or three times a year.  That was his work.  Actual lab equipment was not a thing he cared about.

Dr. S had called me to his lab because he’d noticed my one shining ability among the wreckage of my summer of P-Chem.  He suggested that I might be happier in the long run pursuing what we simply called, “Computers.”

I thank him, to this day.
