Nigel's Eyes

20230628 A few notes on my "Nazification" article.

I've had several questions about the piece and surprisingly little criticism. Indeed, I have received many compliments. But some people asked some questions and so I'm happy to answer them here.

The original article is here: https://www.financialcrimeriskandcompliance.com/elan/web/20230626_nazif…

"Did you use the term "Nazification" just to shock?"

Oh, how I enjoy the chance to, almost subliminally, teach!

That's a complex question because it suggests that the correct answer is "yes" or "no."

But it's two questions:

1. Did I use the term to shock?
2. Was that the only reason I used it?

So, 1. Yes, of course.

But "shock" can mean two different things: to shock into silence or to shock out of complacency. My intention was the second.

2. No, shock is one aspect but the real purpose is to make people break their stride, so to speak. A headline is like one of those infuriating people who stand outside restaurants, bars and massage parlours, or who stop you in the street to try to interest you in a survey or something. They interrupt you as you walk, even if you are deep in conversation. A headline has to do the same and in a world of sensationalist headlines, there's basically an arms race. So, to get the thousands of people who stopped by on the day it was published to do that, it had to grab attention.

But there's a third and perhaps more important reason why I used it. In the article, I mentioned but did not concentrate on the fact that we are seeing something horribly like the Nazi ideal that there is one type of person superior to all others and that those others have no value except as slaves or as subjects of some other form of abuse. The attitudes to those who are different led to the killing of millions in Europe and even greater numbers across South East Asia by the Japanese, who had their own laboratory in Harbin to experiment on those who did not fit the ideal.

I'm not suggesting that the drive to unwarranted technology is anything like so awful but there is a distant parallel. The aged, the infirm, those with stiff fingers and poor eyesight are all excluded by mobile phone apps. A webpage can be enlarged while still displaying the relevant information.

When an app is zoomed, the amount of information that is visible in the tiny screen is reduced. So the elderly have to scroll up, down and from side to side to read a page and then have to find a box, or a button, to complete a task. On a full size screen, that's all visible at a glance. This is a difficult challenge for many and it should not be.

Those who are short- or long-sighted have to remove their glasses and hold the phone at a precise distance. If the phone is being used, via an app, to grant authorisation to access a desktop app, then the phone and the screen have different focal lengths. Glasses on, glasses off, glasses on, glasses off. And all the while hold the phone and, perhaps, some written notes of, for example, the account number. The designers of "User Interfaces" of many kinds - even autogates at borders - have failed to take account of this problem.

Many people have shaky hands. Fiddling about with the keyboard on a phone is many times more difficult than using a full sized keyboard on a desk or table. Have the designers ever taken their apps to an old people's home and asked residents to perform simple tests? It seems to me that it is impossible that they have done so.

Fingerprint authentication is, on some phones, reliable. Facial recognition is amazingly unreliable. I'll use myself as an example. Two apps, one of which is a financial app and one of which is a "superapp" that I don't use as a wallet, required facial recognition. Both of them refused to recognise that I had a face. Literally. The message was to the effect that no face was present, even though I could see myself on the screen. Then again, I've had exactly the same problem at borders when trying to enrol in frequent visitor schemes and for several years the UK's border control system refused me access due to facial recognition failures so perhaps I really don't have a face.

But I'm pretty sure I do have a face and that the tech is rubbish.

How can the industry expect an elderly or infirm person to hold a phone and follow instructions? The truth is that the industry is concentrating on the iPhone generation and ignoring the hundreds of millions of people around the world who don't fit into the ideal that is imposed. That's what tyrannical regimes do.

It is absolutely baffling that several countries have made it a legal requirement for websites to be "accessible" but no thought has been given to that in relation to apps.

It's the same thing: people who are different have no place in that world.

I haven't mentioned here, because I've talked about it often elsewhere, the fact that around the world, even in developed countries, many people don't have a phone, and if they do they don't have credit, or if they do they don't have a signal. In an industry which is pushed towards "inclusion" the method of achieving that is fundamentally exclusionary.

So in answer to the unanswered question, do I regret aligning the current state of the financial sector with the Nazis? No, it was, on several levels, exactly the right thing to do.

"You talked about security for online banking and credit cards. Are there areas you didn't talk about?"

Gosh, yes. Many. Let me start this answer with a premise. While financial services businesses are pushing the burden of security onto customers, and as I said in the article, that's a flawed course of action, the problem that has to be faced is to define the company's own security perimeter. If, as is claimed, the move to apps and away from independent two-factor authentication for web users is compulsory, then it moves and fragments that perimeter.

That's a challenge that has been met before, first with credit cards but also in online banking before the internet.

Oh, I know, only the old folks reading this will know that online banking long predated the internet as we know it today. In fact, online banking was available in the UK in the early 1980s using a dial-up terminal and teletext and in France, albeit in very rudimentary form, via Minitel.

One of the earliest notable online attacks on a bank was when Russians used nominees to open accounts in mainstream US banks and operated them from Russia via dial-in modem.

Remote access to bank accounts has always been problematic. I was involved in a case where a dual-key system was required to make certain transactions. A busy CFO gave his key to an accounts clerk who held the second key and who made a series of fraudulent transactions.

Telephone banking has improved its security checks: once, standing in a busy exhibition hall, I wanted to buy an early tablet computer with a keyboard and touchscreen (think of the newish folding Microsoft thing but this was in about 2002) and I had to do a security check on my card. One of the security questions was "what is your company's postcode?" I said "I can't remember. Hang on, I'll look it up on the internet" and the chap on the other end of the line said he'd wait. Now it's gone the other way: I failed an identity check for one of our corporate accounts and couldn't use my company card for more than six months until I went to the UK and threw a hissy fit at a person who really didn't deserve it. But sometimes you just have to make a fuss when you've spent hour after hour after hour on international phone calls and never managed to get to a functioning human and when you walk into a branch, you are told that there are no business account staff in branches but there's a bank of telephones and you can sit and waste time in exactly the same way as you have been doing but at least the call will be free.

I absolutely hate telephone banking. I don't have a record of what was said and I don't trust the people on the other end to get things right. And, sorry to say, I know enough about the industry to not trust someone in a call centre who is paid a few hundred USD a month but can earn thousands by passing account information, including the answers to security questions, to criminal syndicates.

"So people are the weak link?"

People are always the weak link. It might be me, it might be someone working at the bank or it might be someone working on the development of an app. At some point, there will be failures and all too often the systems are not designed to deal with failure.

I have another example: last week, I used a debit card and my bank in the UK uses various forms of two-factor authentication. One is to telephone me but there is rarely any signal in my flat. I can opt for SMS so I do. As usual, my phone wasn't where I was so I went to look for it and I opened the thread to which the bank sends its One Time Passwords. There was a message. I carefully entered the code three times and then the system kicked me out. Then five minutes later a message arrived. It turned out that the number I had used was from a message that was two weeks old, from the previous time I had used that card. It's absolutely not the bank's fault but here's a thing. Another bank using SMS says that I must use the code within three minutes. Sometimes it takes three or even four goes to get a message delivered promptly enough for it not to time out. Sometimes all those three or four messages arrive together. Again, it's not the bank's fault that the messages are delayed. It's just that the tech isn't designed to take account of unusual events and the bank's own systems - including human systems - don't do it either.
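The failures in that story (a code taken from an old message, several codes arriving in a bunch, a lockout with no explanation) all come down to how the server side keeps track of the codes it has sent. The following is an added example, not code from the original article or from any bank, showing one way that bookkeeping can be done so that the user is told why a code was rejected. It assumes a three-minute validity window and a three-attempt limit (constructed parameters; the three minutes is taken from the story above), and one outstanding code per user, so that each newly sent code supersedes the earlier one and the earlier one is remembered only to explain a "stale" entry.

```python
"""Server-side lifecycle for SMS one-time passwords.

Added example, not from the original article. Assumptions (constructed for
this example): a three-minute validity window, three wrong guesses before the
outstanding code is revoked, and exactly one outstanding code per user, so a
newly sent code supersedes the earlier one.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 180   # three-minute window, as in the second bank's rule
MAX_ATTEMPTS = 3        # wrong guesses tolerated before the code is revoked
RECENT_KEPT = 5         # retired codes remembered per user, for diagnostics only

# Text the user should see for each outcome, so a timeout or a code from an
# older message is explained rather than silently rejected.
USER_MESSAGES = {
    "ok": "Code accepted.",
    "wrong": "That code is not correct.",
    "stale": "That code came from an earlier message; use the most recent one.",
    "expired": "That code has timed out; request a new one.",
    "locked": "Too many attempts; the code has been cancelled. Request a new one.",
    "none": "No code is outstanding; request a new one.",
}


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies one outstanding code per user."""

    def __init__(self, now=time.time, code_source=None):
        self._now = now                        # injectable clock, for testing
        self._code_source = code_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self._active: dict[str, IssuedCode] = {}
        self._recent: dict[str, list[str]] = {}   # retired codes, never valid again

    def _retire(self, user: str) -> None:
        """Move the outstanding code into the retired list."""
        retired = self._active.pop(user)
        history = self._recent.setdefault(user, [])
        history.append(retired.code)
        del history[:-RECENT_KEPT]             # keep only the last few

    def issue(self, user: str) -> str:
        """Generate a fresh code; any earlier outstanding code stops working."""
        if user in self._active:
            self._retire(user)
        code = self._code_source()
        self._active[user] = IssuedCode(code, self._now())
        return code   # handed to the SMS gateway in a real system

    def verify(self, user: str, submitted: str) -> str:
        """Return one of the USER_MESSAGES keys describing the outcome."""
        active = self._active.get(user)
        if active is None:
            return "stale" if submitted in self._recent.get(user, []) else "none"
        if self._now() - active.issued_at > OTP_TTL_SECONDS:
            self._retire(user)
            return "expired"
        if hmac.compare_digest(active.code.encode(), submitted.encode()):
            del self._active[user]             # consumed by one successful use
            return "ok"
        active.attempts += 1
        if active.attempts >= MAX_ATTEMPTS:
            self._retire(user)
            return "locked"
        return "stale" if submitted in self._recent.get(user, []) else "wrong"


if __name__ == "__main__":
    # Walk-through with constructed codes and a fake clock.
    clock = [1_000_000.0]
    codes = iter(["111111", "222222", "333333"])
    svc = OtpService(now=lambda: clock[0], code_source=lambda: next(codes))
    first = svc.issue("customer")
    clock[0] += 14 * 24 * 3600      # two weeks pass, as in the story above
    svc.issue("customer")           # a new message; the first code is now retired
    print(USER_MESSAGES[svc.verify("customer", first)])
```

The point of the retired list is only the "stale" message: a superseded code is never accepted again, but the user who typed a number from a two-week-old message is told so instead of being counted down to a lockout without explanation.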

But while SMS isn't perfect, there is one group of people for whom it is by far the better option: those who travel. SMS reaches places that data does not reach, especially for those who are cautious about roaming data. So, back to people being the weak link: if the only way of getting that OTP is through an app, it's a pretty fair bet that most people will simply log on to their internet banking via the app from any random coffee shop, bar, etc. that has free wifi.

Oh, I know, there will be shouts of "use a VPN" but the fact is that you don't know who is monitoring traffic passing through a Virtual Private Network. It's not the all-encompassing secure system you think it is unless you are certain that the people operating it aren't criminals. I came across a case of a well-known VPN that did not maintain the secrecy and security it promised. Guess what happened? Someone hacked their credit card database which stored the information needed for renewals. Well, "came across it" is a bit misleading. My card details were in the database that was hacked.

There's another wrinkle. Sometimes banks have an adverse reaction when a customer logs in through a VPN. There are many reasons for this but the most common is that customers choose VPNs in a country which the bank considers to be an elevated risk. So, when you try to access an American bank through a VPN in Thailand, the bank might shut you out, lock down your system and do nothing while you struggle frantically to find a number to call and to work out how to do it now that you can't use your card to buy credit to make a call that might cost USD2.50 a minute. Then of course, it might have had the same reaction if you'd connected using the wifi in a not-exactly-girly bar in Sukhumvit.

And if that's not enough, think about how your electronic wallet would be treated, especially when it's designed to operate internationally.

Sometimes companies just lie about what they hold. A major South East Asian online marketplace says that no card information is attached to an account and stored. Yet at checkout stored cards are listed and the user is invited to select one, despite notices served under data protection legislation requiring their removal. This particular marketplace, like Amazon in the UK, charges cards without two-factor authentication.

"So nothing is secure?"

Things are secure until they aren't. Or at least that's the hope. But there are other concerns. One is that the development of apps has coincided with a dramatic change in attitudes to work. With a combination of gig working and rapid turnover of full-time jobs, there is remarkably little continuity of personnel during the development cycle of apps.

The marketing men don't care: they are building new features and pushing both risk and compliance and IT security to get them to market as fast as possible. Get it out and fix it later is the mantra of those who have chosen to be "Agile."

But the short-term nature of the workforce - some begin applying for their next job as soon as they start a job - means that there is no consistent overview of the actual coding. True, it is possible to use automated tools to identify things that shouldn't be there but the use of such tools is far from universal. The risk of data leaks, back doors and vulnerabilities is far greater than anyone wants to admit.

These are all issues that central banks should be taking account of but they have been sold a dream of a cashless, frictionless, all-inclusive financial sector.

That dream is likely to become a nightmare for the simple reason that every tech becomes insecure at some point - and three or four years into this crazy experiment, we are already seeing breaches.

To continue as if nothing is happening, or will happen, isn't just madness. It's utterly irresponsible.

Add in the large numbers who are excluded by the technology and it really does beggar belief.