Toy Crime Story

, , , , , , , | Right | September 9, 2020

I’m shopping for toys for our child in a famous London toy store. My husband is a few shops away doing something else. He is finished and I am nearly, as well. Instead of shopping baskets, the store supplies big, red, very visible, and branded bags to carry your purchases around. My husband calls me to try and find me.

Because the store is full of people, he goes into “husband panic mode,” saying he’ll never find me. In order to help him, I go to the entrance. Trying to locate him, I step out of the store with my big bag of stuff I have not paid for. I am literally standing still, not even an arm’s length from security, scanning people to find my husband.

Suddenly, I am grasped by a man who I realize is security. He thinks I tried to steal and is very upset about it. I find that pretty funny, considering my choice of standing right next to him with a big bag proclaiming the store name. Very quickly, a young man who is some sort of a manager arrives at the scene and also gives me a stern talking to.

I understand their initial interest in me but am really amused that they never stopped to consider the exact circumstances after they initially stopped me, so I ask them, “Do you really think this is what stealing looks like? Me standing stock still next to a security guy with a big, bulging bag provided and branded by your store?”

I had a pretty hard time convincing them that YES, I WOULD ACTUALLY buy all that stuff now, as if the register wasn’t three feet away, and as if they couldn’t quite easily check that I was going to buy it all. I honestly think people in security should have enough experience to know an honest mistake when they see it.

1 Thumbs

Gosh, We’ve Never Felt Safer

, , , , | Working | August 13, 2020

Our local bank announced a new security policy of “two-factor authentication”: you would enter your phone number, and it would send a text message to that number with a one-time code to log into your account. After several weeks of constantly entering my phone number and wondering why it didn’t just use the one associated with my account, a realization came to me.

During lunch, I entered the number for my work cell on a work computer, both of which the bank had no knowledge of previously. Sure enough, the bank sent a one-time code to the completely new phone and authenticated a completely new computer. It made absolutely no check that the phone number was valid.

Anyone could answer any phone number there and instantly have full access to anyone’s account.

I called the bank and told them how their supposedly two-factor authentication is actually zero-factor authentication, but they insisted it was working as designed. I finally moved my money to a different bank.

I recently learned that someone had hacked a whole bunch of accounts at the old bank, which they found odd, because they had recently moved to two-factor authentication in the month before, which was “more secure than a password.”

1 Thumbs

Don’t They Know What Security Is For?

, , , | Right | August 6, 2020

I work airport security, and as a rule, everyone must be screened to go from the public area to the secure area. While I am out maintaining the exit to make sure no one walks in, an older woman with her adult family approaches me.

Passenger: “Excuse me? How do we get to the other side without going through security?”

Me: “Um. You can’t.”

Passenger: “What do you mean, we can’t? We don’t want to go through security; we just want to get to the other side.”

Me: “Right. You can’t. Everyone has to go through security to get on the other end of it.”

Passenger: *Huffing away* “Well, that’s just ridiculous!”

1 Thumbs

An Alarming Lack Of Security

, , , , , , | Legal | July 22, 2020

I’ve shared this story in the comments of a few different NAR stories, so it may be familiar to some long-time readers.

About ten years ago, my hometown had a bit of a burglary problem. Several homes in the area are summer homes for rich people; they are not occupied year-round. Naturally, this made it easy for the burglar to avoid getting caught; they just broke into homes that they knew were empty. They also only stole routine items such as TVs, video game consoles, and power tools — stuff that was easy to sell in secondhand markets without drawing any significant attention.

Several of the rich homeowners had installed alarm systems through a local security/alarm company, but the company had not taken action in any of the burglaries, and law enforcement had never been sent to investigate an alarm. Naturally, the homeowners simply assumed that the alarm systems were faulty, but the company finally admitted that while each burglary had triggered the alarm, the automatic verification calls to the home had always come back as a false alarm report.

Law enforcement officers finally listened to the recordings of a few such calls to figure out what was going on. In each call, the company agent naturally went through an identity verification script to make sure they were talking to the actual homeowner. The only problem was that, instead of having the homeowner state the answers to the security questions, the company only required the homeowner to verify the information on file.

For example, instead of asking, “Who am I speaking with?”, the company would ask, “Is this [Homeowner]?” Instead of asking, “What is the address of this property?”, the company asked, “Is this the property at [address]?”

All the burglar had to do was answer yes to every question and the company recorded it as a false alarm.

Law enforcement seized the recordings of every such call and were able to use voice matching to prove that every burglary had been committed by the same man. When that man was finally caught trying to sell one of the stolen items online, he was arrested, tried, and convicted for every burglary. He spent a few years in state prison.

In the end, very few of the homeowners ever received compensation after being burgled. The alarm company declared bankruptcy and dissolved immediately after their negligent behavior was exposed, which somehow allowed them to avoid lawsuits from the homeowners. A few of the many stolen items were recovered from pawn shops and online markets, but most of the items were generic enough that they were never found again. And because the burglar didn’t have much going for him in terms of financial assets, any civil lawsuits filed against him would have earned such a small settlement that very few of the homeowners went ahead with such lawsuits.

1 Thumbs

Thank Goodness Stupidity Isn’t Contagious

, , , , , | Working | July 1, 2020

I admit that several-years-ago me was short-sighted and partially to blame here. I often have to fix her mistakes.

At the beginning of the current health crisis, I got a new phone. I transferred over all of my information and everything seemed fine. I had forgotten that one of my credit card apps required my fingerprint to sign in, and therefore, on my next sign-in on my new phone, I needed my card number and password.

This particular bank has a different policy than other banks I’ve used in Canada. I ONLY have their credit card, but to log into my account I need an “Access Card” which is a completely different number from my credit card. It’s probably “more secure” or something.

When I originally got the card, they never gave me a physical access card, just the number. In my infinite wisdom, I didn’t write down the number anywhere but in the app login. After this, it was encrypted, and not recorded anywhere else, of course, including my own brain or secure files, so it was promptly lost to the aether.

I am considered high-risk for the current health crisis due to my asthma, but I live alone and have to go out to get groceries and things, so I try to limit that as much as possible and wear a mask when I do have to go out. Luckily, I do get to work from home.

I decided to call the helpline and see if I can get my access card number as there is no other way for me to access my account and track my spending — no usernames, no “forgot access card” link, nothing. Again, security, I get it and appreciate it for the most part.

Representative: “Thank you for calling [Major Canadian Bank]. My name is [Representative]. How can I help you?”

Me: “Hi. I recently changed my phone and need my access card number so that I can log into the app again.”

Representative: “I can definitely do that for you. Can I have your access card number?”

Me: *Pause* “I don’t have it. That’s why I’m calling: so I can get my card number. Is there another way I can verify my account?”

Representative: *Sounding confused* “Oh, sure.” *Asks me verification questions* “Okay, so I can reset your password and you’ll just have to make a new one when you log in.”

Me: “What? No, I don’t need a password reset. I need my access card number, essentially the login ID.”

Representative: “Oh. Let me see what I can do for you.”

The rep puts me on hold without asking. Two minutes later:

Representative: “There’s a bit of a wait for me to get assistance, so I just want to check and see if you wouldn’t rather just go into the bank.”

Me: “Well, I’m considered high-risk right now and a lot of branches are closed, so I would rather get this dealt with over the phone if I can. I don’t mind waiting.”

Rep: “Okay.”

The rep puts me back on hold without asking again. Ten minutes later:

Representative: “Okay, so we can cancel your credit card and send you a new one to the address we have on file in five to ten business days. I just need to verify that your address is—”

Me: *Interrupting* “Wait, wait, wait. Why are you trying to cancel my card? Sending me a new one won’t help me with logging in. I need my access card number.”

Representative: “Oh. Well, we don’t give those out over the phone.”

Me: *Gritting my teeth* “Okay, well, is there a way you can mail it to me securely? I don’t mind waiting.”

For reference, the Canada Revenue Agency will sometimes send secure account verification PINs to your house when you sign up for their online services; it CAN be done here in Canada.

Representative: “No, we don’t do that, either.”

I’m getting increasingly frustrated and trying not to snap.

Me: “So, you’ll send me a new credit card, which could be fraudulently activated, but not my access card which is only ever used to log into the app?” *Sighs* “Can you tell me my other options?”

Representative: “You need to go into a bank.”

Me: “There’s no way for me to get my card number over the phone?”

Representative: “No, it’s policy to not give it out over the phone.”

I’m desperately trying to remain polite as I’ve done call service work and it can be h***.

Me: “I understand that it’s not your fault, but that is the dumbest thing I’ve heard of in the current situation. I will not be cancelling my card today. I will go into the bank to get this fixed. Thank you.” *Hangs up*

I do think about asking for a supervisor, but only after the fact as I am so incredibly frustrated that this rep couldn’t tell me initially that she couldn’t do the thing I told her I wanted. After I hang up I just don’t want to have to deal with them anymore.

I do try to log into my old phone, as it still connects to the Wi-Fi and I figure I could make do with that until it is safer for me to go to new locations, but I think the rep went ahead and actually reset the password or did something because it no longer allows me to log in at all.

The story does not end there. I do go into the bank. I wear my N95 mask — I had one for working with natural dye products from before the health crisis. I stand in the (blessedly short) line. They are letting three people in at a time, so I wait my turn. The woman at the door asks why I’m there, I tell her I’m there to get my access card number, and she looks at me in confusion. Maybe she couldn’t understand me from behind the mask.

The rest of this takes place inside the bank.

Teller: “How can I help?”

Me: “I need my access card number so I can log into the app on my new phone.”

Teller: “Did you get a physical card or a virtual one when you signed up for the credit card?”

Me: “For the access card? No, they just gave me the number.”

Teller: “A virtual one, then. Okay, card and PIN, please.”

The teller gestures to the PIN pad. I enter my card and my PIN. The teller goes off and returns with a piece of paper.

Teller: “Here’s your card number—” *shows me* “—and just keep that paper in a safe place for the future.”

Me: “Great, thanks.” 

I took the paper and left so I wouldn’t hold up the bank line, but I made sure the number worked in the app before I drove away.

Time in the bank: probably a minute after I got inside. I didn’t remove my mask, which covers more than half my face — I would’ve been willing to briefly if they needed it for identification purposes. They didn’t ask for ID.

Yeah, super-secure access card number there. I’m considering cancelling that card, since it’s my only tie to the bank, but I don’t generally have problems with them, my card has some good benefits, and I have to sort out some financial things before I want another credit check on my credit report.

1 Thumbs