A balance between security, convenience . . . and legacy

round trip question
Written By David Knott

We talk about the Stone Age, the Bronze Age and the Iron Age, and sometimes the Digital or Information Age. Perhaps one day we will talk about the Paper Age: the time when the world was run on systems and processes and information, but those systems and processes were manual, and the information was stored on paper.

Back in the Paper age, the way you proved your identity to your bank, whether to make a deposit, withdrawal or payment, was by signing a piece of paper: a paying in slip, a cheque or a letter. Today, that seems like an incredibly primitive and insecure method of authentication. Cheque books can be stolen, signatures can be easily forged, and anyone can write a letter. And, of course, banks were subject to fraud during the Paper age, to the extent that there are many slang terms for writing bad cheques: paper hanging, cheque kiting, bouncing cheques, hot cheques and so on. But many of these forms of fraud were exploiting the same feature that gave the banking system some measure of protection: it was slow. Cheques were physically transported to central sorting facilities where they were checked, reconciled and cleared. Letters could be queried. Signatures could be manually checked.

By contrast, today’s banking system (in many, but not all, countries) is fast. The first time we send money to a new payee on our mobile banking app, we may feel slightly nervous: did we get the account number right? Was the sort code correct? But then the money turns up immediately and we relax. We have become used to electronic payments being instantaneous, and have forgotten about payments that used to take days (‘the cheque’s in the post,’ ‘the payment hasn’t cleared yet’). Surely that means that the way banks understand your identity must have moved far beyond the old practice of checking your signature on a piece of paper.

Well . . . sort of. Most banks have invested in new authentication, identity management and fraud detection systems at the ‘front end’: the parts of the system that face customers and staff. If your bank’s mobile app is the modern equivalent of a branch, your bank effectively checks your identity whenever you walk into that virtual branch - and again when you try to make a transaction. But many of the ‘back end’ systems were written in the Paper Age: when we wrote cheques and you could only do banking when branches were open. These back end systems are often split according to different products (current accounts, savings accounts, mortgages and so on), and each may have a slightly different understanding of your identity - a different fragment of you. That’s one of the reasons why the fast, convenient world of online and mobile banking sometimes crashes to a halt: the computers at the back end are trying to do the job of tying your identity together across multiple different systems.

That convenient experience may also crash to a halt for other reasons. I expect that most of us have had the experience of a card being declined because of suspected fraud, or have received an alarming recorded message asking us to contact our bank. Unfortunately, there are many people who are highly motivated to take control of your digital identity. The most obvious motive is to steal your money by emptying your bank account. But there are other motives too: they might want to borrow money on false pretences, or use your identity to launder the proceeds of crime. I find the experience of getting a transaction declined as frustrating as anyone else - but I try to remind myself that, however frustrating the experience, my bank is doing the job of protecting me against attackers who get more dangerous every day.

Despite many important advances, I don’t think that the technology industry, or companies which use technology, have found the perfect solution for identity yet: a solution which is secure, convenient and resistant to attack. We still have a lot of work to do.

The Round Trip Question: Journey Map

This series of articles is driven by a conviction that computing is increasingly important to our lives, but many people don’t understand how computing works, and that those of us working  in the industry therefore have a duty to explain. It attempts to answer The Round Trip Question: what happens when you press ‘send’ on the mobile banking app on your phone?

I’m using this section at the bottom to capture the list of questions which arise as I write each article. If I go wrong, or if you have other questions, please tell me in the comments.

To-do:

Who are all these humans who write code? How do they work?

Why do action heroes ‘break into the computer room to hack the mainframe’? How realistic is that?

What’s a mainframe?

What’s a computer room?

[From Bradley Safer] Who else can see my data? What are they allowed to do with it?

[From Prakash Sethuraman] What is data? Why is it important to protect it?

There will be plenty more questions. For now, though, here’s the very rough picture of what we have covered so far:

David Knott
Previous

Shrinking space and time with dots and dashes
Next

A question of identity