Friday, November 28, 2014

The computer says no - algorithmic auto-dialer credit card security?

An acquaintance was telling me they had their credit card refused recently when attempting to purchase a couple of items online.

Minutes later the phone rang. Luckily they were at home to receive the call. It was an automated dialer claiming to be from the bank that had issued the credit card. The automated voice asked if they were the holder of the credit card.

They were the joint holder of the card but the auto-dialer was asking if they specifically were the other card holder...

If yes press 1, if no press... you get the picture.

No was pressed, call ended, card continued to be blocked.

Later in the evening the auto-dialer tried again. This time the other joint cardholder happened to be the one at home and answered the phone.

Are you Jo Soap? If yes press 1, if no...

Jo pressed 1.

On it went with verification questions:

  • Here are three years; we'd like you to pick the one you were born in
  • Enter the day and month of your birth
  • Confirm whether the following transactions or attempted transactions were at your instigation

There followed, in quick succession, details of 4 transactions using the credit card in the previous couple of weeks which they were asked to verify or disown. My acquaintance's partner verified and got an automated message to say the card would now be unblocked and could be used again.

Now I don't know about you but I have very little recollection of my precise credit card transactions of the past couple of weeks. There have been some fuel purchases but I couldn't tell you exactly how much - somewhere in the £50 to £60 ballpark. Anything online? When did I get that obscure maths book via Amazon? What about the trip to the dentist? Months ago surely? Christmas presents - not organised enough for that? Don't recall exactly?

At no point did Jo speak to a real person. The machine made the decision. What would have happened had s/he not been able or prepared to verify the listed items, who knows, other than having the block on the card continue and the need to get into telephone tag hell with the credit card company, through one or other of their "help"-lines.

Can credit card or security folks familiar with current practices tell me if this is for real?

What happens, particularly at this busy time of the year, if someone under pressure on the phone cannot instantly remember or confirm the precise details of recent purchasing or attempted purchasing transactions?

What happens if the card is jointly held by two card holders and the person automatically dialed is not the card holder whose transactions are being doubted?

What happens if unbeknownst to one partner, another is arranging a surprise purchase?

What happens if one partner is overseas and has their card blocked and the one home alone is not allowed to verify and can't reasonably be expected to instantly verify attempted transactions?

What happens if the person automatically dialed doesn't recollect the full details of recent credit card transactions sufficiently confidently to verify the list the auto-dialer requires an instant response to?

Well in all these circumstances the card will inevitably be blocked and the card holder gets to experience pariah-hood, inconvenience, stress and embarrassment.

All because an algorithm didn't like the look of that transaction they were innocently attempting to expedite and treated them like a criminal.

Incidentally on the other end of the scale, what happens if in the thick of the pressure of this, er, security check, the card holder confirms/verifies a purchase on which there was an overcharging error by the retailer?

I'd guess the credit card company would highlight the cardholder's mistake in refusing responsibility if the error was later noticed...

So, Dear Mr credit card company,

If you'd like to do a security check that's fine. But running it via autonomous algorithms and auto-dialers absolutely does not cut it.

Signals and algorithmic intelligence are all very fine and dandy, really useful indeed if appropriately deployed when it comes to security. However, when it comes to people there is no match for caring human intelligence.

Thursday, November 27, 2014

UK government seek to ban extremist speech in educational institutions

One of the little commented upon sections of the UK government's latest tough-on-terrorism proposed law, the Counter-Terrorism and Security Bill (HC Bill 127), is Section 21, General duty on specified authorities. This reads (or part thereof at least):

21 General duty on specified authorities

(1) A specified authority must, in the exercise of its functions, have due regard to the need to prevent people from being drawn into terrorism.

(2) A specified authority is a person or body that is listed in Schedule 3.

(3) In the case of a specified authority listed in Schedule 3 in terms that refer to a particular capacity that it has, the reference in subsection (1) to the authority’s functions is to its functions when acting in that capacity.

The "specified authorities" as detailed in Schedule 3 of the Bill include educational institutions:

"Education, child care etc

The governing body of an institution within the higher education sector within the meaning of section 91(5) of the Further and Higher Education Act 1992.

A person with whom arrangements have been made for the provision of education under section 19 of the Education Act 1996 or section 100 of the Education and Inspections Act 2006 (cases of illness, exclusion etc).

The proprietor of—
(a) a school that has been approved under section 342 of the Education Act 1996,
(b) a maintained school within the meaning given by section 20(7) of the School Standards and Framework Act 1998,
(c) a maintained nursery school within the meaning given by section 22(9) of that Act,
(d) an independent school registered under section 158 of the Education Act 2002,
(e) an independent educational institution registered under section 95(1) of the Education and Skills Act 2008, or
(f) an alternative provision Academy within the meaning given by section 1C of that Act.

A person who is specified or nominated in a direction made in relation to the exercise of a local authority’s functions given by the Secretary of State under section 497A of the Education Act 1996 (including that section as applied by section 50 of the Children Act 2004 or section 15 of the Childcare Act 2006).

A person entered on a register kept by Her Majesty’s Chief Inspector of Education, Children’s Services and Skills under Part 2 of the Care Standards Act 2000.

The governing body of a qualifying institution within the meaning given by section 11 of the Higher Education Act 2004.

The provider of education or training—
(a) to which Chapter 3 of Part 8 of the Education and Inspections Act 2006 applies, and
(b) in respect of which funding is provided by, or under arrangements made by, the Secretary of State or the Chief Executive of Skills Funding.

A person registered under Chapter 2, 2A, 3 or 3A of Part 3 of the Childcare Act 2006 or under section 20 of the Children and Families (Wales) Measure 2010 (nawm 1).

A body corporate with which a local authority has entered into arrangements under Part 1 of the Children and Young Persons Act 2008.

The governing body of an educational establishment maintained by a local authority in Wales.

The governing body or proprietor of an institution (not otherwise listed) at which more than 250 students, excluding students undertaking distance learning courses, are undertaking courses in preparation for examinations related to qualifications regulated by the Office of Qualifications and Examinations Regulation or the Welsh Assembly Government."

So all these bodies associated with education in some form "must, in the exercise of its functions, have due regard to the need to prevent people from being drawn into terrorism." Can anyone tell me what that actually means?

The good folk at the Guardian seem to think it will require universities, for example, to ban extremist speakers. The Bill doesn't actually say that, but I guess it might be interpreted as such.

Additionally the Bill, if enacted in its current form, would provide the Secretary of State with Henry VIII powers to amend Schedule 3, i.e. unilaterally decide if any other institutions should fall within the scope of the obligation to "have due regard to the need to prevent people from being drawn into terrorism."

Under section 21(4), however, parliamentarians are excused the duty to "have due regard to the need to prevent people from being drawn into terrorism."

21 General duty on specified authorities

[...]

(4) Subsection (1) does not apply to the exercise of—
(a) a judicial function;
(b) a function exercised on behalf of, or on the instructions of, a person exercising a judicial function;
(c) a function in connection with proceedings in the House of Commons or the House of Lords;
(d) a function in connection with proceedings in the Scottish Parliament;
(e) a function in connection with proceedings in the National Assembly for Wales.

No obligation, then, to stop introducing extremist, overreaching draconian police-state legal infrastructures, causing untold grief and havoc to us and future generations. Specks and planks in eyes come to mind, as does the notion that what we need is not another Counter-Terrorism and Security Bill (HC Bill 127) but, given the incumbent Home Secretary, a Counter Theresa-ism And Security Bill.