Robert John Morton
The Internet Website Hosting
Internet Insecurity
Spam Email
Digital Exclusion
Security Warnings
Modern Websites
Semantic Indexing
Router Problems
About ISPs
Introduction
W@y Internet
NET,
Oi,
Blink
Claro,
TIM,
GVT
Conclusion
Internet security is becoming increasingly complicated. While it provides an extremely secure environment that is ever more difficult for hackers to penetrate, it has, by so doing, left me, as a user, extremely vulnerable in that I can easily be permanently denied access to my data and money.
The use of passwords, one-time access codes and multi-factor authentication has given service providers a bullet-proof means of meeting their obligations to keep users' personal data safe from access by hackers and other data thieves. But it has thereby left me — and others like me — in the very vulnerable position of becoming irreversibly locked out of my own service accounts, and hence, denied access to my own data. Below, I discuss some of the pit-falls, self-tips and solutions.
I never use Two-Factor Authentication [2FA] under any circumstances. I think it is extremely insecure for the following reason. If my phone battery dies and I don't have my charger with me, I won't be able to receive a 2FA verification code. As a result, I will become instantly locked out of my email, webspace, cloud storage and whatever other services I have on the Internet.
In the above case, the lockout is only temporary. However, if my phone fails or is stolen, the lockout will most likely be permanent. Certainly, in Brazil, where I live, having my phone stolen in the street at gun-point is currently very likely and is becoming ever more so.
Furthermore, if an Internet cloud or email service sends a 2FA code to my stolen phone, and the robbers can find the passwords to my services, they have ready access to all my stored files and emails. They can then pose as me via my email account. I may have stored my passwords in a file on my phone or the robbers may have coerced me, at gun point, into revealing them. Or they may have been able to 'phish' my passwords beforehand in a completely separate operation.
If I have 2FA active, and I lose my phone, my only way back in to my cloud or email accounts is by answering questions posed to me by the service's robotic AI, which, as I shall relate in detail later, can be impossible to answer to the AI's satisfaction because the scope of the AI's 'knowledge' is doubtless limited and its limits are unknown to me.
I could buy a new phone and ask for the number to be transferred. However, to do this, I would need to install — or at least, surrender — the SIMM from my old phone, which I no longer have.
What I must never do is use back-to-back alternative email addresses. For example, I have a Yahoo email and a Proton email. My Proton email address acts as the alternative email address for my Yahoo email. My Yahoo email address acts as the alternative email address for my Proton email. My tendency is to use only one of them, leaving the other as the alternative in the event of the first service deciding to ask for verification of my identity. I mostly use my Yahoo email because I can use it with my Thunderbird desktop email client, whereas I can only use my Proton account by logging in longhand via a browser.
In this situation, the following scenario could easily occur. I log into my Yahoo account but the service decides to make a periodic check. It asks me to enter a validation code, which it has sent to my Proton email. I haven't used my Proton account for some time so the account has been locked down so that, in order to gain access, I must enter a validation code, which it has sent to my alternative email address, which, of course, is my Yahoo account. So I can't get into either.
The above scenario hasn't happened to me yet with my Yahoo and Proton accounts. However, I recently had to access my wife's year-end tax statement from her former employer. For this, I had to enter the employer's official web site and log in with my wife's user name and password. This I did. But then the site required me to enter a 2FA code, which it had sent to my email address. I accessed my email. But that too required me to enter a 2FA code that it had sent to another email address. So I had to access the second 2FA code from there.
Luckily — and luck is the correct word here — the second email did not, on this particular occasion, require me to enter a 2FA code, which it would have sent to the first email address. So, luckily, I was able to download the year-end tax information. If the second email account had required a 2FA code from me as well, then grid lock would have occurred. I would have been locked out from being able to obtain the tax information. I would have been forced to make a journey to my wife's previous employer, prove to their satisfaction I was who I said I was, and ask for a printout, all of which would be quite an undertaking at my age. They don't send this information by post any more.
Notwithstanding, it did happen with my Hotmail and 20m accounts. These two accounts are now eternal information puss-balls cut off from the outside universe, accumulating messages that I can never access.
The only way that the notion of the alternative email address can work reasonably is if the alternative email address I supply is that of another person. But I must remember that it is that other person that will be receiving my verification codes. So my security bubble is now much bigger and is consequently more open.
Besides, during a verification, I will need to contact this friend [assuming he is instantly available at the time] and ask him to check his email for my security code and send it to me. This I will have to complete before my opportunity to enter the security code times out, which is usually not very long.
I signed into another Microsoft Hotmail account, just now as I write, to get the only intimation of the monthly bill from my ISP. I signed in from the same machine from the same location in exactly the same way that I always do. It wouldn't let me in, saying that it had detected suspicious activity and that it had sent a security code to my alternative email address, which I should enter into the web page's entry field in order to get access. I don't see how it could possibly have found anything suspicious about my sign-in. Fortunately, my alternative email account let me in and I got the code. Otherwise, I would have been permanently locked out. I can never manage to satisfy Microsoft's AI that I am who I say I am.
I have all but abandoned that Microsoft account because it did gridlock me once. To resolve the gridlock I had to used the only option left open to me of receiving a 2FA via cellphone. Although I no longer have the vision or dexterity to use a cellphone, I managed to get the 2FA code the last time I used the account. However, with my lack of vision and dexterity, plus the fact that, where I live, the current rate of cellphone theft [usually at gun point] is 1680 per hour, it's all very risky.
NOTE: this figure is derived from population poll surveys and includes the majority unreported thefts. Officially reported cellphone thefts are only 107 per hour. Most don't file an official report [boletim de ocorrência].
So what do I do if my cellphone is stolen? 2FA also relies completely on the guaranteed continuity of the cellphone service, which I have discovered to my great inconvenience cannot be relied upon. Not what I would call secure!!!
Because of what seems to me as its constrictive one-sided focus, Internet security from the point of view of the user is nowadays a game of clowns. I feel increasingly vulnerable to becoming permanently locked out without warning or a practical recourse. As a long-time Internet user, my experience advises me never to trust any account I may have for an Internet service to remain accessible to me.
Though I won't go into it here, doing the Boolean probabilities, it is easy to calculate that any two-stage logical lock is far more likely to gridlock than not, even if you have an infinite number of alternative email addresses. However, it would seem that what would be the good sense of engineers is overridden by the desires of bureaucrats to go in wide-eyed and legless with their embrace of new technology, without a care for the ramifications.
There are purported solutions to 2FA gridlock but they add ever-increasing complication and incomprehensibility to the process. From my experience, I cannot see email as being any longer the reliable means of communicating that it once was — and increasingly so.
Before the days of smothering Internet security, I could send and receive emails and access on-line storage from anywhere in the world without any problem at all. This was extremely useful. I could upload vast amounts of data in one country and simply download it at my foreign destination. If I emigrate or move temporarily to another country, I upload my latest changes to my cloud storage, hard-erase all my local data, sell my computers and catch my flight. Then, upon arrival at my new destination, I buy a new computer and download all my intellectual property from the cloud. And I'm all ready to continue.
But not any more. The moment I access a service from another device, or the same device at a vastly different location, in jumps the security robot saying that it has detected "suspicious activity" on my account. So it asks me to enter the verification code, which it has sent to my alternative email address. Of course, when I access my alternative email, it too has detected access from a different device or the same device from a different location and asks me to enter the verification code, which it has sent to my first email address. Or I have to find some unknown external means of contacting the friend whose email I use as my alternative email address to get the verification code. So I can't download my data. It is permanently trapped on an inaccessible cloud.
I try another way to access my data on my cloud while at a foreign location. This asks me to enter my email address and password, then go through an IQ test to prove I am not a robot program. Usually, this involves selecting certain pictures out of a group of pictures that contains a named item. Often, the name of the object to be selected is some colloquialism that is known only to Americans within the context of their day-to-day urban lives. And I don't know what they mean. So in order to gain access to my data, I must embark on a quest of familiarisation with Americanisms. Additionally, the resolution of the pictures is often so bad that I cannot even discern what objects are in the pictures. So, I'm still locked out.
If I had 2FA, I would have to take my phone abroad with me, even though it would not work as a phone in a foreign country at the other side of the world. Unless, of course, I pay out for international roaming just to receive one SMS, which may or may not work in a particular locality. And again, what happens if my phone is lost or stolen during my trip?
Becoming locked out of my email or cloud accounts is systemically akin to a ransomware attack. However, instead of demanding a payment for the release of my emails or data, the attackers require me to prove, by the means they specify, to their own satisfaction, that I am whom I say I am. This can be a long and arduous process over which I have little or no control and can even, as in the case of my Hotmail and 20m.com email accounts, remain permanently unresolvable. From my point of view as the user, this is the very antithesis of security.
Certainly for me, the prospect of a hacker getting at my data or messages is practically insignificant compared with the spectre of becoming locked out from access to my own intellectual property, which has taken me a lifetime to build and perfect.
Besides, protecting my data from hackers is simple. I only ever store my data in a cloud [external Internet storage service] in the form of strongly encrypted 'pgp' files. I encrypt my data on an 'air-gapped' computer, so that unencrypted data is never present on any computer that is connected to the Internet. Easy. This is my standard procedure.
If a hacker succeeds in accessing my files on a cloud, he can never know what's in them. Of course, he may be able to make a ransom attack by further encrypting them with his own key. I would then be unable to decrypt my own files to retrieve my own open data. That's why I always need several backups. But it is impossible for the hacker ever to see or use what my files contain.
In this context, I remember a comment made by the CEO of one of the first cloud services. He said that it would be madness for anybody to store data on a cloud storage service that the user himself hadn't strongly encrypted beforehand. Any encryption done by the cloud service itself, on the user's behalf, can easily be compromised by such as a disgruntled or bribed employee of the cloud service or its third party maintainers, or through a government-imposed back-door or judicial order. So, strictly from the user's point of view, encryption effected by the cloud service itself is full of potential security leaks. It is not private.
Thus, the only sure way to protect my privacy is to encrypt my own data myself, as I have described.
Consequently, what I need from a cloud service is as follows. I need to be able to freely download my files from anywhere in the world without restriction. That means without the need to enter a password or any form of security check. That is the only way I can be sure of not getting locked out and losing access to my own data if I move from one country to another either temporarily or permanently.
Notwithstanding, I do need a means of preventing a hacker from uploading files to my cloud account. This is because a hacker could upload a bogus 'pgp' file with the same name as one of my legitimate files and thereby cause me to lose my original data in that file.
The solution here is to note the file hash of each file before I store it on the cloud. Then, if I later download a file, I generate its hash and compare the hash with the hash I took just before I uploaded it. If the two hashes are the same, all is well. If not, then I will know that a bogus version of that file has been uploaded by a hacker. I therefore discard that file and download another copy of it from an alternative cloud store.
The absence of assurance that I will not get locked out in this way is the whole reason why I have not progressed to a paid account with either Mega or Dropbox.
The danger — or rather, gross inconvenience — with encrypting your own data beforehand is that Draconian regimes are, or are planning, the rapid and relentless erosion of the individual's right to privacy, through legislation that renders such closed end-to-end encryption illegal within their jurisdictions. A prime example is the UK's "Online Safety Act of 26 September 2023". As I understand it, the clauses that ban end-to-end encryption are included within the Act but the government 'assures' everybody that these clauses will not be enforced. What?
Since this Act, I, for one, don't consider the United Kingdom to be any longer part of the free and open Internet. Having vast amounts of intellectual property in writing, computer code, diagrams and animations; I do not trust anybody — least of all, a government — with a back door into my encryption, to somehow respect my private property and to 'gentlemanly' refrain from passing it on to its chosen private interests, where it is to its or their advantage. Haven't we already seen this happen?
But apart from this, I consider that I have the same right to privacy on the Internet that nature has provided me by limiting the range of discernibility of human speech to that of a group of up to about 8 people in physical proximity. And also for the same reason that my bathroom walls do not comprise floor-to-ceiling windows and that there is no camera connected to the security services network allowing voyeuring young agents to spy on me while I'm on the toilet.
The prohibition of end-to-end encryption is purportedly done to combat terrorism and paedophilia. Thus, to stop a few terrorists and paedophiles from exchanging data privately over the Internet, certain governments prohibit everybody from doing so. Their strategy is as sophisticated as American carpet bombing. "Never mind the collateral genocide, just so long as we get the few bad guys!"
If they really wanted to stop terrorism and paedophilia, they would ask themselves, with perfect honesty, why these malaises exist within their society. Then, surgically remove the causes by making the self-sacrifices necessary to right the wrongs of the past and create a benign social order that is universally inclusive. Messing with personal privacy on the Internet will never remotely achieve this.
Combating terrorism and paedophilia is the despicable excuse to — with deviously-engineered public approval — legitimise a degree of totalitarian public surveillance, which is way beyond what even George Orwell could possibly have imagined. It is the final choke pull of the noose, around the neck of personal privacy, as the means of at last attaining totally watertight social control, which has been the unswerving quest of the faceless elite since the dawn of antiquity.
In order to give my data its best shot at survival and privacy, I do the following.
I always originate, and work with, my intellectual property and sensitive information on an 'air-gapped' computer. That is, a computer that is not connected to the Internet and preferably does not have Wi-Fi or Blue Tooth functionality or an RJ45 Ethernet socket. My encrypting/decrypting software [such as pgp or gpg] together with my public and private keys are installed only on this computer.
My house or office could get burgled or catch fire and be destroyed. Local copies of my data would then be lost. I therefore backup my data on a cloud storage service because it is off-site [a long way from my home or office] and is a super-reliable storage medium.
When I need to back up anything on a cloud, I first encrypt it then transfer the encrypted file via a memory stick or portable hard drive to my on-line computer. Then I upload the encrypted content to my cloud account. Of course, I could not safely do this if I were in a country, like the UK, where it is illegal.
I suspect that there is a far greater danger than one would expect of pgp keys becoming lost, erased or otherwise destroyed and of passwords becoming forgotten or lost. This is why I also make unencrypted copies of my work on external hard drives and memory sticks for storage locally and also with trusted friends at various secure remote locations. This way, if I lose my encryption keys, my data can still be recovered from somewhere. The important thing is that I myself have direct access to my backed up data without having to go through any security procedure.
Consequently, whenever I go to another country, I take several copies of my data with me on my laptop, portable hard drive and memory sticks.
I live in Brazil. In 2005, I opened an account with a local branch of an international bank into which I placed capital that I transferred from the UK. In 2007, I was able to open a spur account in the UK with the same bank. I needed this UK spur account in order to be able to receive my small British pension.
I had full access to and control of my spur account in the UK via Internet Banking. To gain access to my account, I must enter a 6-digit security code into a small Physical Secure Key device, which looks like a very small calculator, supplied by the bank. This device then generates a different one-time security code that I must enter into a field on the bank's website in order to gain access to my account. This provides an excellent level of security.
Over the 12 years I have had the account, I never had any problem with this method of security; except that, since 2018, a change to the bank's security procedure now prevents me from investing my UK money in bank bonds and other kinds of interest-gaining product. For this, I would now have to visit a branch in person.
During this 12 years, I have had two or three of these Physical Secure Key devices. It seems that their internal batteries last me 4 to 5 years. Each time, registering and activating the new Physical Secure Key was simple and straight-forward. I successfully followed the clear on-screen procedure on the bank's website.
In 2016, the international bank closed its branches in Brazil and transferred
my accounts to a Brazilian bank. Consequently, my only means of access to my UK spur account into which my pension was paid was via Internet Banking. I had no physical access to any branch of that bank.
Notwithstanding, I now get the distinct impression that the bank wants to cease using these Physical Secure Key devices and force customers to use instead a security system built into the bank's smartphone app. The bank had always sent me a new Physical Secure Key device well before the previous one's battery expired. However, it stopped doing this and, on 06 October 2023, I found myself unable to log on to my Internet banking because the battery of my Physical Secure Key device had become exhausted and so, without warning, the device stopped working. Its numeric display remained blank. I thus became locked out of my bank account.
Like many [or perhaps even most] people my age, my eyesight and physical dexterity are no longer adequate for me to be able to use such a ridiculously small device as a smartphone for banking purposes, for the following reasons.
I can no longer read clearly and effortlessly the inevitably microscopic print on such a small screen.
I can no longer enter account numbers and monetary amounts with adequate precision and confidence via an on-screen touch-only 'keyboard', whose keys are less than a quarter the size of my fingertips. I cannot avoid activating at least two keys at once or in quick succession.
Because its small size imposes a much lower 'per-page' content limit, the number of logical steps involved in conducting a transaction is inevitably greater on a smartphone than with a full-sized computer presentation.
I would therefore be in fear of falling victim to the circumstances in which so many people have found themselves, who have inadvertently despatched large amounts of money from their bank accounts to 'who knows where?'. News reports of these tragedies are rife. There was one just today, as I write, of a man who transferred R$680,000 into an unknown account. It was intended to pay for his new house.
A strong fit man in his early 40s once concurred with me. Although he uses a smartphone every day, including for his work, he said that he too found using a smartphone difficult and much more fatiguing than a computer or reading documents printed on standard A4-size paper. And it seems that at least one person about half his age objects to being passively railroaded into having to use a smartphone.
So why, I wonder, doesn't government and commerce now standardise on A7-size paper for printing everything — reports, legal documents, bank statements, books, maps — using 4-point type? It would save such a lot of paper and printing ink. And it provides a generous 10 by 7 cm printable area just like a smartphone screen. No need to hump a briefcase around. It would all fit in your inside jacket pocket or handbag.
Notwithstanding, I require the Physical Secure Key device so I can access my bank account via my full size computer.
All I needed to do was contact the bank, but I couldn't. At least, not easily. I currently live in a different country from where my account is located and my phone won't let me make trans-oceanic calls. In 2016, the bank closed all its branches within my country of residence. As far as I am aware, my nearest branch must now be about 8,000 km distant. I tried to download the bank's app into my phone. But, after the download, a message was displayed saying that the bank's app could not be installed because it was incompatible with my phone.
Whether this incompatibility be due to my geographic location, a problem with my phone's Android operating system, or for another reason, I don't know.
I expected the bank to at least have an email address through which I could make contact without having to log on to my Internet banking. But I could not find one. I had to write a letter to the bank and despatch it by DHL, which I did on 06 November 2023. The DHL tracking service indicated that it was delivered to the bank on 09 November. The bank replied by email on 14 November, saying that a new Physical Secure Key device was on its way to me.
The reason I had delayed a whole month from when I first discovered that I could no longer log on to my Internet banking account to when I actually despatched the letter via DHL to the bank was primarily due to a pressing family health issue, which demanded my time and presence.
A letter from the bank arrived on 06 December. It contained an activation code for my new Physical Secure Key device. This code had already expired on 28 November. I did not receive the new Physical Secure Key device until 22 December 2023. That is 43 days since the bank received my letter advising it that I was locked out of my current account.
On 23 December 2023, I embarked on the task of trying to activate the new Physical Secure Key device and thereby regain access to my current account. Having spent the whole morning fiddling about on the bank's website I was ultimately unsuccessful in activating the Physical Secure Key device. I was still locked out of my account. The letter from the bank that conveyed the expired activation code instructed me as follows:
To activate your secure key, please visit [web address]. On the log-on page, enter your user name and follow the instructions.
If the activation code expires, you'll need a new one. To do this choose either SMS or post and select 'Send activation code'.
I entered the bank's website as instructed and clicked the 'Log on' button. The 'log on' page was displayed. It asked me to enter my username, which I did. I clicked the 'Continue' button. Then, distracting me from the task in hand, it displayed an overlay, inviting me to change over to a smartphone app, which, as I have mentioned, I can't use anyway. Nevertheless, I had to divert into reading this 'invitation' to make sure it didn't contain some instructions buried within it that may be relevant to my task in hand. I dismissed the invitation.
The following page wished me good afternoon and then asked me to enter my security code. This, of course, I could not do because I did not yet have an active Physical Secure Key device. The page had a link to tell me how to generate a security code, so I clicked on it. The resulting overlaid display simply told me what I already knew and assumed that I already had an active Physical Secure Key device. Apart from another invitation to switch to using a secure key on a smartphone banking app, there were no other options displayed on the page. I here again sensed the distinct pressure to force me off the secure key + computer option on to the smartphone app, which I can't use because of my age.
So, at this stage, I had drawn a blank. I could not proceed further. So I returned to the bank's home page. There, I had to trawl all through the flashy advertising relating to, what were to me, concerning the task in hand, irrelevant financial products, in order to try to find some clue as to how I should proceed. Eventually, towards the end of the page, I found the rhetorical question:
"How do I set up and activate a Physical Secure Key?"
to which the answer was given:
"To set up or activate a Physical Secure Key (PSK), go to our Digital Banking Help Tool, select 'How do I activate my new Secure Key', choose the option you need and follow the steps. Alternatively, select 'Log on' above and enter your username, you should see directions on what to do next."
NOTE: some days later, the bank's homepage was changed to display only a link called "Secure Key", which transferred to another page, which included the above content. But the functionality was the same.
The 'alternative' option above doesn't work. When I log on and enter my username, no option is presented as a route for activating a new Physical Secure Key. At least, search as I might, I couldn't find one.
I clicked on the link. A new page was displayed containing selectable options, one of which was "How do I activate my new Secure Key[?]". I selected this and pressed the 'Continue' button. On the next page I selected "Physical Secure Key (PSK)" and clicked 'Continue' on this page. On the next page I was asked if I had another Physical Secure Key. I answered "No" because the one I have is now dead: it doesn't work. I clicked 'Continue'. Then it told me to continue if I already had a new secure key. I clicked 'Continue'.
I am instructed to enter my username and then select 'Continue'. Problem: there is no active field in which to enter anything. There is only a small 'jpeg' image of what is, presumably, an active entry form. Using rather a strong magnifying glass, I was able to see that the image of the entry field was asking me to enter my username. Of course, I couldn't do this because the 'jpeg' image wasn't interactive.
Notwithstanding, I had already encountered this display during my first foray after pressing the 'Log on' button on the bank's home page. Consequently, I surmised that I should just continue and try to remember the whole procedure for when I re-entered the real 'Log on' screen afterwards. So I just pressed 'Continue'.
A new page appeared displaying a 'jpeg' which wished me "Good morning" and then showed an entry field, above which was displayed "Please enter your password". Earlier, when I followed the real 'Log on' sequence, the second page did not ask for my password: it asked for my security code. This, I would have to generate using an already-activated Physical Secure Key, which obviously I did not have. Since I could enter nothing here anyway, I pressed 'Continue' again.
The next page to be displayed contained a 'jpeg' entitled "Secure Key activation" and what looked like an entry field with the words "Please activate your Secure Key now." There was a red button labelled 'Activate now' and also a link "Don't have your Security Key". Obviously I could not enter or activate anything, so I pressed 'Continue'.
On the next page was printed "Enter the serial number from the back of your Secure Key". The wording on the 'jpeg' image on this page was below the resolution of my 4K 25-inch screen, so I don't know what it said, even with the aid of my powerful magnifying glass. I presume that the ghostly entry field was for typing in the Security Key's serial number. I pressed 'Continue'.
The new page said "Follow the on-screen steps to create your Security Key PIN. This 'jpeg' illustration was just a blur. So I pressed 'Continue'.
I finally got to a page that said "Request a new activation code, or select 'Already received'. Then enter it in the 'Activation code' box. If you choose to receive the code by post, you'll need to wait until it arrives before you can continue." Of course, in my case, requesting a new code by post is pointless since the code will undoubtedly have expired before it arrives. The 'jpeg' illustration of the supposedly active entry form was a total indecipherable blur, except that there appeared to be a text field into which one was presumably supposed to enter one's activation code. So I clicked 'Continue'.
The next page tells me to "Generate a security code on your new Secure Key Then: Enter the code. Select 'Activate now'". Again followed by an indecipherable illustration. I clicked 'Continue'.
The next page told me "Your Secure Key has now been activated". How?
I returned to the bank's home page and attempted an exhaustive search among the impervious mess of flashy ads and instruction links and found nothing. I tried the so-called 'virtual assistant'. This, as always, was useless. I really don't know why they put it there. It was merely a stepped menu that reiterated the links on the bank's home page. Thus, on Day 50 of being barred from access to my own bank account, I am no closer to a solution. I emailed the person who had replied to my original DHL letter... Now I must wait.
Some days later, a new link "Digital reset" appeared further up the bank's home page. However, this simply took me directly to the Digital Banking Help Tool instead of indirectly via the Secure Key help page.
I tried again to log on to my Internet Banking account on 27 December 2023. This time the sequence of information requests was different. As before, it asked me for my username, which I presumed was still the IB number that I had been given when I opened the account. I entered this and pressed 'Continue'. This time, however, I was presented with a new form requesting my date of birth, which I entered.
Below the date of birth field, I was asked for my [one-time] security code, which, as I do not have a working Physical Secure Key, I have no means to generate. And there was nowhere presented on my browser screen any other option whatsoever for me to proceed with logging on or activating my Physical Secure Key.
The only thing I could finally think to try was to enter the security PIN of my old defunct Physical Secure Key. What else could I do other than close my browser there and then? So I entered the security PIN and clicked 'Continue'. This took me to a display that intimated that the bank couldn't verify who I was, so it had locked my account there and then "for safety!". Why? I was already well and truly locked out. So now the bank has made my money totally safe from me.
Sat 30 December 2023: I almost always use the Mozilla Firefox web browser. Even now, this is still the de facto standard against which browser functionality must be tested. At the time of writing, WebKit-based browsers still have albeit diminishing issues. Notwithstanding, I decided to attempt to use the bank's website with the open-source Chromium browser on Linux XU22.04 and the Microsoft Edge browser, the Google Chrome browser and again Firefox on Microsoft Windows 10. These tests were to eliminate the possibility that the dysfunction on the bank's website be due to the new use of proprietary code extensions, such as Microsoft extensions, which, of course, one should never do on a public-facing web service.
By chance, I had a copy of Microsoft Windows 10 on a laptop. I booted up into MS Windows 10. So difficult to use after having been used to Linux for almost a couple of decades. I accessed the bank's website using the Microsoft Edge browser. I went to the Digital Banking Help Tool page and clicked the button for "How do I Activate my Secure Key?" The button click didn't register. It appears that Microsoft Edge couldn't sense that the button had been clicked. I tried several times, even exiting and re-entering the page. Thus, with Microsoft Edge, I could proceed no further. I then tried Firefox running on Microsoft Windows 10. The result was exactly the same as with Firefox on Linux. Microsoft Windows 10 refused to download Google Chrome, at least, it was sufficiently obstructive to put me off.
I then re-booted my laptop into Linux and tried all the experiments I had conducted on my main computer [which only runs Linux anyway]. However, here I decided to install Google Chrome and re-conducted all my experiments with the bank's website using first Firefox and then Google Chrome. The results were the same as with Firefox and Chromium on my main computer.
My findings in trying to follow the procedure for activating my new Physical Secure Key are summarised in the following table.
| LINUX XU20.04 | Firefox and Chromium | 'radio' button selectors work but all active data entry forms are mere 'jpeg' images. |
|---|---|---|
| LINUX on laptop | Firefox and Google Chrome | 'radio' button selectors work but all active data entry forms are mere 'jpeg' images. |
| Microsoft Windows 10 | Microsoft Edge | 'radio' button selectors didn't work, so couldn't even access the data entry forms. |
| Microsoft Windows 10 | Firefox | 'radio' button selectors work but all active data entry forms are mere 'jpeg' images. |
I began to suspect that the bank had placed a geographic restriction on the IP address of the user, thereby limiting the functionality of its website to people outside a predetermined geographic region. So on Sunday, 31 December 2023, I asked somebody in the UK to access the bank's website and go through the same procedure as I had done to see if the entry forms that were displayed to me as mere 'jpeg' images were indeed live entry forms when accessed from within the UK.
The person in the UK verified to me that the procedure for activating a Physical Secure Key presented him also with only 'jpeg' images in place of active entry forms. He thought that perhaps, in order to activate one's new Physical Secure Key, it was first necessary to log on, using one's old Physical Secure Key, in order to see the live forms. However, since the battery in my old Physical Secure Key is exhausted, obviously I cannot do this.
Notwithstanding, the first two steps of the activation procedure, were it live, seemed to me to constitute a log-on sequence, using one's username and password [in place of a one-time secure code generated by a Physical Secure Key]. I have my password, but obviously I have no way to enter it into a mere 'jpeg' image of the entry form.
From what I can gather, the Physical Secure Key [PSK] is supposed to give warning messages if it malfunctions or the battery is running low. At this stage, I assume that I am supposed to order a replacement PSK. But my PSK would still create a one-time security code. This must be why I cannot get past the log on stage without entering a secure code generated by a functioning PSK.
However, the bank seems to me to have overlooked the possibility of a customer's PSK working perfectly, without displaying any error message, for one log on; then the very next time it is used, its numeric display simply remains blank, as in my case here.
On Friday 19 January 2024 at 10:50 I received a telephone call from a woman, who worked for the bank, to try to resolve my problem with logging on to my Internet banking account. The telephone call lasted 35 minutes and at the standard British Telecom rate of £1.01·8 per minute must have cost the bank £35.63. The woman first verified my identity by asking me to state my postal address, my date of birth and the serial number of the PSK device I had received.
She then asked me to go to the bank's website. There, I briefly scrolled the home page. It looked very different and was far shorter than it had been only two days before. She asked me to click the 'Log on' button at the top right of the page, which I did. A page containing a text box appeared. It requested that I type-in my username, which I did. I then clicked the 'Continue' button.
The next page told me that my account was locked and that I would have to phone the bank. However, since the woman from the bank was already on the phone to me I told her the situation. I could do nothing more. She asked me to hold. I listened to jingle music for ages while she consulted the bank's technicians. Then she told me they had fixed that problem and that I should return to the bank's home page and log on again.
On the first log-on page, I entered my username as before. This time, however, the second page presented me with a text box in which it asked that I enter my password. This was new. All the previous times I had tried to log on this way, no password entry box appeared: only a request for a one-time security code. I entered my password.
The system would not accept my password, which I had accurately marked and copied from the secured text file where I keep all my bank data. The password was exactly as it had always been. However there was an error message saying that a password must contain at least one upper case letter and a numeric character. I added a capital letter and a number to my existing password in my file and then clicked the link for the case of my having forgotten my password. I entered my augmented password, which the system then accepted.
An overlay display appeared. This consumed a lot of space showing me how to set up a Digital Secure Key on a smartphone. It was different from the presentation I had seen on the site two days earlier. Quite a long way down this overlay display was an option to activate a Physical Secure Key. It gave me the distinct impression that the bank was trying its best to sideline the Physical Secure Key option, without actually failing to provide it.
This was not there when I had accessed the 'log on' procedure in the past. Nor was it in the sequence presented in the Digital Banking Help Tool as provided at that time.
On selecting the physical Secure Key option, an entry field was presented asking me to type-in the serial number on the back of my PSK device. This I managed to do, once I realised that the field would not accept the dash characters within the PSK's serial number as printed on the device itself.
I was then asked to devise an up to 8-digit PIN [Personal Identification Number], which I did. I recorded the PIN in my secure text file. I was then asked to press the green button on the PSK device and enter my PIN into the PSK itself. Then I was asked to press the yellow button on the PSK and enter the PIN again. These I did.
Next, the on-site instructions told me that if I did not already have a non-expired activation code, I should request one by SMS or post, for which radio-style selection buttons were provided on-screen.
Then suddenly, the content disappeared from my screen, being replaced by a page telling me that my Internet banking session had timed out. I was thus unable to complete the PSK activation process. Time-outs exasperate me, making me rush what I'm doing, thereby increasing my likelihood of error. Working against a timer is always very stressful for me.
I couldn't log on again to return to the procedure because part of the activation process had already been done by the technicians earlier for my account. So the woman on the telephone said she would ring off and contact the technicians to resolve the problem and email me with the outcome later. She emailed me at 12:23 [almost an hour later] asking me to try to log on to my Internet banking account. At 13:00, I managed to log on to my Internet banking account and informed her of the success by reply email.
After having been locked out of my bank account for 105 days, I'm finally back in.
The restoration of access to my Internet banking account was successful. Notwithstanding, it obviously involved a lot of abnormal behind-the-scenes intervention by technicians at the bank. I certainly could not by any means have done this myself, despite the fact that I was a programmer all my working life, and indeed still write programs. The customer's task in using Internet banking should not be so prohibitively difficult. There is no technical need for it to be so convoluted and complicated.
Notwithstanding, some things about this episode appear very strange to me. At first, the bank's web site changed appearance here and there. Then all of a sudden, a couple of days ago, it all changed significantly. Was the bank all this time doing a complete live revamp of its web site without saying anything and just leaving customers to suffer the consequences? From what I have seen and experienced, it certainly seems so to me. And it well illustrates the systemic lunacy of Agile Development: the practice of updating a system or re-designing a website bit by bit while it is running live.
After over 12 years of trouble-free use of the bank's website for my Internet banking activities, the following occurred.
| DAY 00 | Fri 06 Oct 2023 | Couldn't log on to Internet banking: Physical Secure Key dud. Found no way to contact bank. My phone won't allow trans-oceanic calls and I couldn't find any way of contacting the bank by email or WhatsApp. |
|---|---|---|
| DAY 27 | Thu 02 Nov 2023 | Decided that the only option was a letter via DHL. Wrote, printed, signed letter to the bank. |
| DAY 31 | Mon 06 Nov 2023 | Went to the DHL despatch centre to send the letter to the bank R$150.48 taxis R$72.90. |
| DAY 34 | Thu 09 Nov 2023 | DHL letter delivered to the bank at 09h45 GMT [Waybill 73 7859 2270] |
| DAY 39 | Tue 14 Nov 2023 | Reply by email from the bank saying Physical Secure Key should arrive in 5 to 10 days. It took 38 days. |
| DAY 61 | Wed 06 Dec 2023 | Received letter from the bank with the Physical Secure Key's activation code, which had already expired on 28 November [8 days before]. |
| DAY 77 | Fri 22 Dec 2023 | Received a postal pack containing the Physical Secure Key device. |
| DAY 78 | Sat 23 Dec 2023 | Tried in vain to regain access to my bank account. Sent an email about the continued problem to the address from which I received the bank's reply email. |
| DAY 82 | Wed 27 Dec 2023 | After trying desperately to activate my new Physical Secure Key each day since 23 December, I made one final attempt and ended up with the bank actively locking me out of my account. |
| DAY 85 | Sat 30 Dec 2023 | Accessed the bank's website using different browsers and operating systems to see if new proprietary coding extensions were causing the problem. This appeared not to be the case. |
| DAY 86 | Sun 31 Dec 2023 | A person in the UK verified that he also saw only 'jpeg' images of the entry forms of the activation procedure. So problem isn't geographic IP lockout. |
| DAY 100 | Sun 14 Jan 2024 | No reply to my email of 23 December 2023. Verified that bank's PSK activation was still not working, so emailed the bank again referencing this article. |
| DAY 103 | Wed 17 Jan 2024 | Drafted a letter to the UK Financial Ombudsman Service ready to send by DHL on Monday 22 January. |
| DAY 105 | Fri 19 Jan 2024 | 10:50 received phone call from a functionary of the bank and resolved the problem. But it all seemed a bit of a dodgy process involving technicians. I still wouldn't be able to repeat the process myself. |
I did not need to send my letter to the UK Financial Ombudsman Service, for now.
On 03 February 2023, only 15 days after I had regained access to my bank account after 105 days locked out, I actually managed to conduct a transaction. But what a rigmarole! I was hoping to visit my son and his wife and their children, one of which I had never met because she was born just before the Covid pandemic struck. They live in Canada. I therefore had to obtain a Canadian Electronic Travel Authorization [eTA] for my passport. This all went comparatively smoothly on the Canadian government website until the very end at which I had to pay C$7.00 fee.
I entered my debit card details. Then I was taken to a page that asked for my email address and phone number. It had to be a cell phone [mobile] number. Then I was told to enter a numeric sequence that had been sent by SMS to my phone.
This in itself is problematic. Fortunately, I was at home in Brazil. Otherwise I would not have been able to receive an SMS. However, naturally, my phone was switched off. This is to avoid having my concentration interrupted all day long by commercial nuisance calls [mainly from large corporations] interminably pestering me to buy their useless products and service plans.
So I had to go get my phone, switch it on and wait for a seeming age for it to boot up. All this was, of course, adding to the delay, which was obviously exhausting the limited time I was allowed for entering the code before the bank timed me out. Fortunately, I made it. I managed to receive the SMS and get the numeric code typed into the web page's code field in time. But what a stressful experience!
Having obtained my eTA, the next thing to do was to book my flight from Brazil to Canada. My son was in a better position to select an appropriate flight for me because he had an account with Air Canada. He found a suitable flight and so, on 24 February 2024, he booked my flight on the understanding that I would reimburse him for the cost, to which I naturally agreed. So, later that same day, I entered my Internet Banking account and attempted to transfer the money to him.
Note: this is only my 2nd attempted transaction since I regained access to my account on 19 January 2024 [31 days ago] after having been locked out of my account for 105 days.
While in the middle of this convoluted process [which, as well as filling in the details of my son's account and the amount to be transferred, involved selecting various options to say that I was not being told by somebody else to do what I was doing and that I was well aware of all the types of fraud and scams that could possibly be taking place] I was eventually timed out and asked if I wanted to continue. I answered 'Yes' to continue. This happened twice. Finally, the bank's web site terminated my session and I was booted out. I got a message banner saying that, for some reason unknown, the transaction had not been completed and the payment had not been made.
What struck me as rather strange here is that before the revamp of the bank's website, all the account details of my daughter and two sons had been on my payees list for donkeys' years. Why had they disappeared? I also noticed that the entry field for the payee name had an enforced limit of 18 characters whereas my son's full name has 28 characters. I don't know if this would result in an 'invalid' identification. The SMS [see below] truncated his name to 18 characters.
Greatly frustrated, I logged into my Internet Banking account again. Feeling pushed by knowing I was working against a timer, I made an error while entering the security code. I got a message saying that the bank had not been able to identify me. I tried for a second time. I entered my PIN again into my PSK device and immediately wrote down the secure code on my pad before it disappeared. I then entered it into the secure code field on the bank's website. This time, it let me in. I had to go through the whole process all over again of entering my son's account details and the amount to send to him. Having to work quickly, I was very worried about mistyping his name, sort code, account number or the amount to transfer. I rapidly selected what I had selected before on the overlays about scams and security and finally clicked the 'Confirm' button. It all seemed to have gone well and the following message was displayed at the top of the Confirmation document.
Your instruction has been sent and will be credited to the payee's account immediately, subject to our standard checks. This cannot be recalled. [emphasis mine]
I printed out the confirmation document as a 'pdf' file and placed it in my banking folder for this bank. Then I thought "Thank goodness that's done. Now I can relax." I messaged my son, saying that the payment had been made and that please would he check its arrival in his account. He checked several times and after 3 hours we began to suspect that something had gone awry.
As I have said, I don't leave my phone switched on in order to avoid the constant torrent of commercial nuisance calls and SMS messages. All — and that means ALL — the SMS messages I receive are unsolicited commercial rubbish which I delete at the end of each day. That is, unless I am previously advised to expect a code or something important at a particular time by SMS. I cannot imagine that anybody nowadays would expect SMS messages to be of any importance because the abuse of their use by commercial pests has nowadays rendered SMS a modum ingratum for serious communication. Hence, perfectly reasonably, I think, I did not become aware until much later that the bank had sent me the following SMS.
AAAA Payment Fraud Alert. Possible unauthorized payment: Reference: 99999999. Amount:, 9,999.00 Date 23/02/2024 to Beneficiary: .Aaaaaa Aaaaaa Aaaa Please call our Payment Fraud team on 55555555555 (intl +445555555555). Please respond by 8pm UK Time today or your payment will NOT be made. Please do not reply by SMS. [specifics masked]
I finally saw the message less than a minute before its stated expiry time, which meant that it was futile for me to attempt to do anything about it. Does this mean that I am expected to make a £30 to £50 transoceanic phone call for every transaction I make from now on? Sorry, but being on a measly British pension of only £92.49 a week, this is clearly impractical.
Furthermore, I cannot think why the simple transaction of reimbursing my son for the flight he bought for me should be seen as a 'Payment Fraud'. I accessed my Internet Banking account using a PSK [Physical Secure Key] device, which is unique to me and which only I have and which I keep in a locked filing cabinet in my home study room. Perhaps the bank could explain to me how a fraudster could get into my account. Of course, he could dive in at system level and patch the appropriate HTML or JavaScript file, but I think that is diminishingly unlikely.
I emailed the bank's complaints team again, this time about my failed attempts at making the transfer to my son's account. I await their reply...
I had intended to buy my flight myself, but then a red flag appeared in my mind about the real and present problems that could present themselves if I tried to use my Visa debit card to buy an air ticket. I remember years ago when I actually had to hack the 'Verified by Visa' system in order to buy a flight to go to my daughter's wedding. I thought that they would probably have closed the loop hole I found by now, so I thought better of it. That is why I accepted my son's offer to buy my flight and then reimburse him. Think of the problem if I had tried to buy the ticket directly using this bank.
The next day [Monday 26 February 2024], I logged on to my Internet banking account again. I had had a eureka moment during the night. I thought that perhaps, in the field where the website asked for my son's full name, I should put the name of his account as specified on his bank card. So, I tried this. Unlike with the previous attempts, I got a message saying the name didn't match. So, yes, I needed to enter his full name. This I did and it was accepted. I continued with the procedure exactly as with all my previous attempts. But when I clicked the final 'Confirm' button, I saw a message saying that there was an [unspecified] error and the transaction was yet again refused.
Beginning with the second attempt the day before, I did not type in the required infill for the fields on the bank's web page. I had prepared all the information in a text file beforehand, which I thoroughly checked. Then, each time I attempted the transaction, I copied and pasted the content for each field, in turn, into the appropriate web page field. This was to make absolutely sure I could not make any typing errors.
I decided to make one final attempt. I logged off the bank's web site, relaxed and had a coffee, then logged on again. I went through exactly the same procedure with exactly the same data as always. And this time, it seemed, the transaction was successful. I checked my current account display and indeed it had been debited with the payment to my son.
But I was sceptical. The day before, I had managed to get to the point where the transfer had been confirmed and the confirmation document printed before I received the subsequent SMS message saying the transfer had not taken place because of suspected fraud. I therefore asked my son to confirm that he had received the money into his account. He confirmed that he had but said that the transaction had yesterday's date, which seemed strange. Does this mean that yesterday's transaction finally went through and that I have paid him twice? We'll have to see, although my current account seems to have been debited only once.
The following day, my son confirmed that he had received the money that I had transferred to him. So hopefully, that is the end of the matter. I sent a second email saying that the transfer had finally taken place but that the whole process left me feeling very insecure about my access to my money.
On 28 February 2024, I received a reply email from the bank's complaints team. It was singularly unhelpful. It was blindingly obvious that the replier had not read my email fully or mindfully. It told me that if I had any other questions I should telephone the bank's help line. OK, so this old age pensioner [who simply cannot afford to live in the UK] has to make a £30 to £50 transoceanic phone call because the bank is too lazy to send a proper explanatory email.
My intuition is that they are still messing with the system in an ongoing 'agile development' project. The problem for me, with this new paranoid level of security, is that the on-site bureaucratic procedure for performing a transaction is now vastly more complex than the transaction itself. As one whose work has always been to minimise the logical footprint of a task, all this subjects me to increasing confusion.
The foregoing has raised further concerns. My plan was to use my Visa debit card while in Canada for my incidental expenses there. But what about SMS checks? My Brazilian cell phone will not work in Canada on the Canadian telephone network. I will be able to use it for WhatsApp and Signal if I am connected to a local Wi-Fi. However, the bank uses SMS, which only goes via the telephone network and not via the Internet. So how can I enter codes sent by SMS to verify transactions?
Obviously I can't. Not that is unless I set up an international roaming account, which I cannot afford and cannot do on my pre-pay phone. So no debit card: I'll have to take cash. Perhaps that is a much safer thing to do nowadays. You never know when the bank will block a card and leave you destitute in a foreign land, as I found out in 2019 by bitter experience with a different bank. Perhaps the bank is unconcerned about this because it is not a situation that can occur in the local high-profit sector of their day-to-day market.
However, as I understand it, SMS validation codes are still only required for purchases via the Worldwide web. I don't think they are [yet] needed for purchases via a Point-of-Sale credit/debit card machine. Notwithstanding, the bank may require some kind of verification if its Artificial Imbecile detects some kind of 'irregularity' with the purchase, like it being made in Canada instead of the UK. I wonder if informing the bank about my trip to Canada via their secure messaging service will work. It may or may not, depending on whether their AI reads — and understands — my message.
About a year before, I had received by post a new debit card. However, I never received the usual separate letter revealing to me its PIN. Upon investigating, I found that the only way I could obtain my debit card PIN was via the bank's smartphone app, which of course I can't use. There seemed to be no other way of obtaining the PIN. There was no provision on the bank's Internet Banking web site for obtaining the PIN for my new debit card. So, no PIN. This naturally left me feeling extremely insecure.
Consequently, as I had had no reply to my secure messages to the bank, I felt unable to trust the bank debit card while travelling alone from Belo Horizonte-MG Brazil and Quebec City, Canada. I therefore refrained from buying anything during my two stops in São Paulo and Toronto. However, while in Quebec City, in the company of my son and daughter, I decided to try my debit card. If it didn't work then one of them would pay our restaurant bill. To my great surprise, my debit card worked! Obviously, the PIN for the old debit card had been transferred to the new card. But how was I supposed to know this? Notwithstanding, I still wouldn't trust it not to lock up if I were travelling alone.
Another great concern I have is as follows. I am getting old such that I now wish to distribute the little money I have saved to my three children. However, if I transfer any money from Brazil to my bank in the UK, it will, in effect be being transferred into a Black Hole, out of which I may not be able to retrieve it.
If I cannot make transfers because they are regarded as fraudulent activity by the bank, then, in effect, my money has simply been confiscated. If I can't pay it to anybody, the money isn't really mine. Bank security has reached a level of paranoia that renders bank accounts impervious to the very customers to whom the money each contains rightly belongs.
A hacker in São Paulo officially registered a smartphone with my bank to enable him to freely conduct financial transactions within my bank account using the bank's smartphone app[lication program]. It gave him complete freedom to transfer money and pay for purchases with my money.
At 11h15 on Friday 30 August 2024 I received a telephone call from the bank's security department [Protocolo 202401040610]. The caller asked if I had registered a smartphone with a São Paulo number ending in 8610, manufactured by LG, in order to be able to use their Internet banking app on that phone.
I live in Belo Horizonte, which is over 580 km from São Paulo. The few occasions I have visited São Paulo have been merely to transfer between domestic and international flights at the international airport on the way to or from Europe or North America.
I told the caller that I had never registered any smartphone for the conduction of financial transactions via the bank's Internet banking app and that I did not recognise the São Paulo phone number ending in 8610. The caller said he would remove the bogus transactions from my account but that I would need to de-register the said phone using the bank's Internet banking app. I told the caller that I was unable to do the latter.
As I have already said in this essay, I am 82 years old. I cannot see the minuscule print on a smartphone screen with adequate clarity for conducting financial transactions. And I certainly do not have the dexterity to type in account numbers and monetary amounts, with sufficient reliability, on a touchpad whose keys are less than a quarter the size of my fingertips.
A few years before, this bank's browser-based banking app would no longer function on my computer because the bank would not allow its app to work without the bank's own mandatory 'security' module. This tried to disable and take over the operating system's own security system, which, quite rightly, it would not permit. Besides, my research showed that the security module used by this bank has serious security issues.
For this reason, in order to be able to view the transaction trail of my bank account, I installed the banks smartphone app on my smartphone but I didn't register it for conducting actual transactions. It could only be used for viewing my transaction trail [extract] and bank statements.
I was able to log in to my account via the smartphone app using the original username and password I had set up years before for the browser-based service. Then, sometime after Wed 21 Jun 2023 my username and password would no longer grant me access. I was remiss in that I didn't note the precise date this actually occurred.
My first thought was the bank [as is its want] was probably conducting some form of 'agile development' of its system and had changed the log-in functionality such that it no longer worked on my smartphone's current version of hardware or operating system. Or something of that ilk. Since I was now locked out of the bank's smartphone app, I decided to uninstall it, which I did.
This is the reason I had to tell the caller from the bank's security department that I could not log in to my smartphone app to de-register the bogus phone. I couldn't have logged in anyway, even if I had left the app installed, because my password would no longer grant me access. The caller then said he would have to try to find another way to de-register the bogus phone. The call dropped and I never heard anything further.
I had noticed that the log-in field seemed to be expecting a password of one less character than my password. It started to check the password before I had entered the final character. It only occurred to me after the phone call from the bank's security at 11h15 on Friday 30 August 2024 that this could be because my password had been changed by a hacker.
If this be the case, the hacker would have had access to my bank account to freely conduct transfers and make payments since Wed 21 Jun 2023. That's well over a year!
This leads to another problem created by the digital exclusion of the old, infirm, deficient and inept. Over the past two or three years, banks have all but ceased to provide paper statements and extracts sent by post. The only way to be able to see what is going on in my bank account is either via the bank's Internet banking website or via the bank's smartphone app.
There is still a branch of this bank just over a kilometre from my home. I have no choice but to walk there and back. At the age of 82, I am thankful that I still have the health and energy to do this. But for how much longer I will be able to do this, I don't know. At the bank, I can use an ATM to get a statement printed on an electrostatic tally roll. But this is not a permanent record. The print fades after only a few months, eventually becoming illegible. It wouldn't be acceptable for providing evidence of what had taken place on my account. Also, characters are often missing off the rightward edge of the tally roll. These are usually monetary amounts and code numbers, which are vital to the context.
From what I am seeing, I have a distinct sense that the banks, including this one, are evermore down-playing their web-based Internet banking services. Functionality is disappearing bit by bit, slowly but surely remaining available exclusively via the banks' smartphone apps.
Of course, it was always possible in the past to print a statement from a bank's website. However, when this option disappears, the only way to obtain a statement will be via a smartphone. Since I have been a programmer for over 60 years, it took me very little time to work out how to do this, although the various possible procedures are what I would call overly complicated and quite messy. I can't imagine old people in general or the infirm, deficient or inept being able to do this.
Since the bank's browser-based application wouldn't run on my computer and since I had been locked out of the bank's Internet banking app on my smartphone and had therefore subsequently uninstalled it, I couldn't get my bank statements this way anyhow. The only option was to get the fading tally roll printouts from an ATM at the physical bank, which was a 2 km round trip walk. The only way to get a hard copy of my bank statements is to cut and paste the tally roll printouts physically, with glue, onto blank pieces of A4 paper and scan them into my computer as an image file. I can then print this if or when the need arises. But what a rigmarole!!
The upshot has been that I don't get to do this other than for the year-end statements. Thus, in practice, I am for the most part totally blind to what is taking place in my bank account most of the time.
Consequently, I have no way of knowing for how long the hacker has been conducting bogus transactions on my account since the time the password to my smartphone app was changed on or after Friday 21 June 2023. All I have been able to check is that there were no bogus transactions on my account for August 2024, which the bank has obviously removed. But how far back do they go? I don't know.
From this occurrence, I take away the two following conclusions:
Internet based banking is extremely unsafe: at leased for the user. The bank will nullify any bogus transactions its security department suspects and verifies with me. However, I myself can't flag possible bogus transactions on my account without any practicable way of having sight of them.
Considering this occurrence from a technical standpoint, I cannot see how it could be other than an inside job. In other words, the invasion of my account was conducted either by a bank employee, an outsourced worker or subcontractor, or by an external criminal who was supplied with sensitive data by such an insider.
Modern encryption is impregnable. I've heard modern strong encryption techniques described as so secure that it would take all the computing power in the world five times the age of the universe to crack it. Notwithstanding, sensitive information is completely open and vulnerable before it passes into, and after it passes out of an encrypted communication channel. It's at such places that employees, outsourced workers or subcontractors of malicious intent are able to intercept it.
Using the Internet for banking and commerce [which is contrary to the Internet's original design intent] is a veritable minefield of insecurity. But people can't see it — or don't want to.
It seems to me that banking — indeed society in general — has become overly and dangerously dependent on the guaranteed continuous functioning of the Internet. Since November 2015, my Internet connection has been down 17 times. The longest continuous outage was over 50 days during October to December 2021. All interruptions in service were always for reasons totally beyond my control.
In my view, the vulnerability of users of Internet banking has been further exacerbated by a Beeching-style rash of branch closures spurred by the increasing ubiquitousness of Internet banking. So, although my situation may be considered to be far from the norm for banking customers, I would expect that in today's global socio-economy, there must be thousands of people in an equivalent situation. Besides, it naturally leaves the old and other mobility-challenged people with no reasonably practical means of buying, selling or paying taxes other than via the Internet. This is particularly so if, like me, they can't use a smartphone.
In my experience, Internet service is unreliable. Interruptions can occur at any time, without warning, leaving me unable to access my bank account, rendering me physically unable to meet legally obligatory payments of debts and taxes, for which it is I who am held responsible. But furthermore, on top of this, I can be prevented from accessing my money by an over-zealous bank security system that locks me out from access to my own money. The current lockout has, so far, spanned more than 100 days. This too, renders me physically unable to meet legally obligatory payments of debts and taxes, for which it is I who am held responsible.
During such interruptions and lockouts, I am unable to see what is happening on my account, including the presence of any suspicious transactions, nor can I receive any communications from the bank because I have no access to read messages sent to me via its site's secure messaging service.
The upshot of getting locked out of my bank account for all this time has made me feel very vulnerable. It feels to me as if my money has been [hopefully only temporarily] confiscated. Since I am unable to spend it, the money isn't really mine for the duration. Being unable to access it could result in my being unable to meet civil obligations and even become the object of criminal proceedings. In some cases it could precipitate a real and present danger to my life and survival.
As with my email and cloud accounts, becoming locked out of my bank account is systemically akin to a ransomware attack. However, instead of demanding a payment for reinstating access to my money, the attackers require me to prove, to their satisfaction, that I am whom I say I am. This can be a long and convoluted process [105 days in my case here] over which I have little or no control. Again, from my point of view as the user, having my money confiscated this way is the very antithesis of security.
Twenty years ago, my parents were 8 years older than I am now. They had no problems with banks. They paid all their bills and withdrew cash by cheque, which they had no trouble writing out. They cashed cheques at their local branch which was still represented in their local village. My father died around this time. My mother lived a further 8 years. Smartphones did not exist at the time. However, she could not even use a computer because her motor skills were not sufficient to guide a mouse pointer onto a hyperlink or entry field. She could still type, albeit very slowly, on the keyboard. However, right up until her death, she could still write cheques.
For my parents — and indeed for me throughout my entire working life — Internet banking did not exist. In those days, the banking and financial system was functional and its use was self-evident. But it seems to me that, since that time, to maximise their profits, banks have reduced their costs by the wholesale adoption of information technology and use of the Internet. But this has not saved work; at least, not for the customer. It has not made the process of banking simpler but far more complex. The banks have simply used technology to externalise, onto the shoulders of the customer, substantial tasks that were formerly done by banking staff.
The result is that the customer's task is now far more difficult and complex. And for many old people, it will be impossible to do alone. Thus, if I become forced, surreptitiously, by my bank to abandon computer-based Internet banking and access my bank account solely via a smartphone, I, for one, will be forced to engage an implicitly trusted younger person to whom I must grant power of attorney to conduct my day to day banking on my behalf. This would obviously be cumbersome, time-consuming and far to expensive for me to bear.
An obvious example of this increased complexity and dysfunctionality is security. The bank staff knew my parents personally. They knew who they were and where they lived. Security was not a problem. It was automatic and unimposing. Attendance was calm and occupied the time required, without pressure.
By contrast, with information technology and the Internet, I have to go each time through a complex stress-ridden procedure of looking up and entering a username, generating a security code by looking up and entering a security PIN into a Physical Secure Key device, then entering the security code it displays into a field on the bank's web page. And, all this does, is to gain me access to my bank account for a predetermined limited time.
Note that I do have to look up my username and security PIN. What banks don't seem to realise when they tell customers to memorise and never write down usernames and passwords is that theirs is not the only username and password a customer has to "remember". With all my Internet activities, I have two A4 pages full of usernames and passwords.
Throughout the ensuing session, I am stressed by my awareness that I have to work quickly because my on-line session is on a timer. This makes me nervous and consequently far more prone to making a mistake. Being old, I am slower than the average customer for which the time I am allowed was decided. So, finished or not, I can be cut off before I have finished what I need to do. I have to go all through the same rigmarole of logging on again.
For me, and, as I suspect, for many my age, banking via an app on a smartphone is a non-starter. Even on a full-sized computer I find the Internet-based customer/bank communication interface problematic. I would go so far as to call it dysfunctional.
The intermixing of flashy advertisements for financial products, with instructions and procedures for conducting transactions, is a recipe for fractured concentration, which can precipitate mistakes.
I think the accelerating rate of branch closures cannot do other than leave Internet banking the only way for an increasingly ageing population to access its accounts, which it must do, in order to comply with and fulfil its financial obligations.
The one enormous lesson this sorry episode has taught me, as old as I now am, is that, just as I should never put all my eggs in one basket,
I MUST NEVER PLACE ALL MY MONEY IN JUST ONE BANK.
I can never know when I am going to get locked out — long haul.
In my view, the banking industry has promoted an over-reliance on the Internet. I think, therefore, that it's time for society to apply some serious lateral thinking to the task of devising a more universally workable alternative to banking and remove the provision of the basic needs of human life such as food, clothing and shelter from the financial system all together.
As I understand it, the Internet, as originally conceived, was for the purpose of the free and open exchange of information and knowledge among all who had access to it. Originally, each participant had a unique and permanent IP address and all computers — both routers and end-points — ran continuously: 24 hours per day; 7 days per week.
The original Internet services were Electronic Mail [email] and the Worldwide Web, followed later by Internet Relay Chat. All universal software was open source, so any programmer could know exactly what it was or was not doing. Each end-point computer had its own email post office and web server that ran all the time.
For the Worldwide Web there existed search engines. These were programs running in some of the computers connected to the Internet. These trawled all participants' web servers, noting the author's submitted keywords for each document they encountered. A participant could post a search query by email to a search engine and promptly receive a list of relevant documents in a reply email. The participant could then examine the relevant documents in a web browser. In other words: he pulled in the information he wanted.
All the functionality a participant could want was there. He could find information on whatever subject he wanted. He could find and contact — and even chat with — whichever other participant he wanted. There was no reason or motive for pestering people. Although, if one really wanted to, one could find out exactly who each participant was, the participant could largely expose his identity only to the extent he wished at any given time. And all was well. Security was never an issue.
No one would have believed in the last years of the twentieth century that the Internet was being watched keenly and closely by intellects devious and cool and unsympathetic, who regarded our domain with envious eyes, and slowly and surely drew their plans against us. And early in the twenty-first century came the great disillusionment. — Adapted from the opening paragraph of War of The Worlds.
Our Martians here are, of course, the invasive surveillance of governments and the covert racketeering of commerce. And hard on their heels, commercial email pests, social media hits, identity thieves, phishers, false websites, ransomware attackers and purveyors of fake news. And the poison on which all of them feed? Money.
The first broad commercial incursion into the Internet was the provision of Internet access services to Joe Public by what are termed Internet Service Providers [ISPs]. Notwithstanding, this was not really full access in the sense for which the Internet was originated. Through ISPs, Joe Public was provided with only passive access to the Internet.
This meant that he could send and receive email point-to-point. But he could not run a web server to give himself a public voice or universal visibility. He could listen but he could not speak. That is, unless he paid another commercial interest called a Web Hosting Service.
This was because he had no fixed IP [Internet Protocol] address at which outsiders could always find him. His ISP provided him only with what is termed a dynamic IP address. This was an IP address that was allocated to him by the ISP for what is called a lease term, which could be a few minutes or hours at a time. His IP address could change at any time. Thus, on the Internet, Joe Public was, strictly by design, of no fixed abode.
For many years, an ISP I had in Brazil either forgot or couldn't be bothered to enable the dynamic leasing function on its routers. Consequently, I had by default what was effectively a fixed IP address. Notwithstanding, I still could not run my own web server. This is because ISPs shut the standard listening ports necessary for Joe Public to run his web server and other servers on his computer. So again, on the Internet, Joe Public may listen but he may not speak.
Nevertheless, Joe Public could make himself visible by hiring a Web Hosting service. He paid so much per month or year for a commercial organisation to host his web site on its server, which also naturally hosted the web sites of lots of other people. He could place keywords in his published documents, which Internet search engines would pick up and index so that anybody else on the Internet [specifically the Worldwide Web] could search for and find according to the document's content type or subject matter.
But not for long. The unbridled motive to attract potential customers to their web sites drove commerce to put what are called false attractors in their keywords lists. False attractors are keywords that people most frequently enter into a search term that bear no relation to what a person is searching for. Thereby, the site owner drives lots of traffic to its site in the hope that, seeing what it has to sell, will impulsively decide to buy it.
I remember about 20 years ago that I searched for the term "ellipsoidal basket". I was investigating the idea of using basket woven cord structures for reinforcing light concrete. The search results led me to a Russian child pornography site and an American second-hand car lot.
The search engines tried to combat this by ignoring the keywords specified by the document author and trying to analyse the text of each document. This led to the dubious search results we still get today. Indexing experts have known since the days of Cruden's Concordance of the Bible [around 1740] that keywords that most likely come to a searcher's mind are unlikely to appear in the actual text of a relevant document. Unless, of course, the document is a short simple business promotion document or advertisement.
A commercial site naturally always strives to come as near to the beginning of a search results list as possible. This is in order to improve the likelihood of the searcher selecting a site for viewing in his browser. False attractors are one clandestine means to do this. Another way that was used for a time was for site owners to pay a search engine operator to rank his site higher than other equally-relevant [or even more relevant] sites in a search results list.
But there are yet other ways that distort the true relevance ranking of a web site in a search results list which are perpetrated by the search engine itself. One is to increase the ranking of a web site according to how many other important web sites link to it through in-text hyperlinks. This is a distortion because it has nothing to do with the subject matter or quality of the site's content, which is the exclusive reason the searcher is searching for it.
The latest means of distorting the relevance ranking of web sites, which is currently enforced by search engines, is penalising sites that are not what they call phone-friendly. Because the majority of searches nowadays [so they say] are from people with smartphones, web site owners are apparently supposed to design their page content to fit on the screen of a smartphone — be it plain text, photographs, illustrations, paintings, complex diagrams, flow models, maps, wiring diagrams, mathematical simulations, transceiver controllers, signal analysis displays. So, why not replace everything in the Tate and Louvre with A7-size prints? No comment.
Thus, though a web site owner should naturally be able to assume that his web site is on a level playing field within cyberspace, in fact it is not. Like a small business in the so-called Free Market, it is a little boat in a tempestuous ocean of pirate battleships, rife with danger and insecurity. So there is an enormous tendency for mainstream and commercial sites only to appear towards the top of search results lists.
I think that, on the Worldwide Web, anybody should be free to have his uncensored say, with a degree of anonymity of his own choosing, and with a degree of visibility for what he has to say determined by himself, as expressed through the keywords under which he chooses each of his documents to be indexed.
If, having expressed an opinion that could seem too radical for the mainstream of society, he reveals too much about his background and identity, malignant forces within society could present a real and present threat to him. This would constitute a censorship of free speech and hence the suppression of free thought and intellectual progress. In my opinion, this should not be allowed to happen.
In this scenario, the task of a search engine is to harvest keywords from documents on the Worldwide Web and place each document accordingly within its worldwide index ready for any searcher to search for documents on his subject of interest, as expressed by the search term he entered into the search engine. And nothing else. It is not the job of a search engine to manipulate or censor search results.
Nonetheless, it appears to me that a search engine today is not merely a search engine: it is a search and censoring engine tasked with providing search results that its proprietors [or those who ultimately influence and control them] deem that the searcher ought to receive.
Furthermore, to get more favourably listed, the website owner must register with a search engine, thereby losing control of his anonymity. A search engine does not need to know the identity of a website owner in order to index his website. So why is registration rewarded? Somebody must want to keep tabs on website owners who publish content that is not liked or approved of by that somebody. Why else?
Further still, by prioritising websites that are phone-friendly — i.e. they can be displayed adequately on the screen of a smartphone — search/censoring engines inductively force website owners to restrict the size, depth, quality, clarity, diversity and readability of their content. If a website be more intellectual than commercial, this necessarily pushes content to become ever more trivial.
Nevertheless, a determined searcher could still find valuable less approved content by taking the time to look ever further down his results list or by using academic or other non-commercial search engines. The powers-that-be had to plug this leak. Their solution was to divert the attention of Joe Public from the open Worldwide Web by inductively capturing his attention by publicity to corral him within the orbits of a handful of vast social media sites. So now, instead of having his own web site, Joe Public simply has an 'account' on a gigantic social media site.
But on social media the graphic format of Joe Public's cyber-presence is extremely restricted compared to that of a proper web site. It is suited only for publicising or exchanging trivia. I remember when, out of curiosity, I ventured onto a social media site and into some guy's blog, which read:
"Woke up this morning.
Had a quick slash.
Steak and eggs for brecky.
Plonked a brownie.
And off I went."
Certainly no deep intellectual discourses about life, the universe and everything. A prime example of how the push onto social media sites has gagged Joe Public's potential for discussing anything meaningful over the Worldwide Web.
He may still be able to mount a website. But nobody's looking. The majority of significant web content is thereby passively excluded from public view. Thereby, potential insurrection against the status quo through in-depth open discussion is dissipated because everyone's just swapping stupid quips through the narrow semantic bandwidth of social media.
And to be able to participate in this pointless silliness, Joe Public has to register with the social media site by giving personal information — name, photograph, email address, phone number — from which his whole personal profile can be built and cross-referenced. But more importantly, it gives the social media site [or whoever influences and controls it] the elements from which to build a network map of those with whom he communicates and associates. An intricate model of the anatomy of human society worldwide. And that spells total power.
A free account on a social media site isn't given out of philanthropy. There's no such thing as a free lunch. It looks to me like a clandestine social engineering project to control and exploit human society, which opens up incisive details of the life and activities of private individuals, not only to commerce [for the purpose of targeted advertising] but also to governments — home and foreign — [under the pretext of combating terrorism and paedophilia] and to all kinds of cyber-criminals. On social media, one is naked in a bathroom with glass walls on the stage of the world's biggest theatre with a full audience.
However, the real source of danger in all this is that Joe Public, beguiled by his daily intravenous drip of mainstream propaganda from the public media, is entirely complacent about it all. "Does it matter?", he rhetorically retorts, categorising any who show concern as 'conspiracy theorists', which mainstream media has successfully made a derogatory term. Notwithstanding, though a conspiracy theory may be, at any given time, as yet unproven, it can, nonetheless, be true and accurate.
An example of how criminals exploit social media and the Worldwide Web is through the bogus web site. They message people by email, WhatsApp or other social media saying there is some irregularity on the person's bank account. They tell the recipient to click on a web link, which leads to a bogus web site that looks exactly like that of the person's bank. The site asks the recipient to enter their personal bank access details and other personal information. The criminals thereby gain access to the recipient's bank account. And he is robbed.
An example where I was almost caught was when I subscribed to a new internet service provider. During the period in which I had ordered the service and its being installed, I received a bogus message via WhatsApp, with an exact replica of the provider's logo, which asked for my bank details 'just for reference'. The senders of the message knew intimate details of my new service purchase. It cannot possibly have been other than an inside job. This was followed by messages from a swarm of fly-boy businesses offering to provide all kinds of services such as insuring my modem against lightening strikes, which is, of course the entire responsibility of the service provider.
There is no end to the torrent of hits made through social media on innocent people who have suffered consequent ruination by false vendors. The news commentaries are full of them every day. Things are not OK. All is not well. Joe Public's head is in the lion's mouth.
His complacency indicates to me that Joe Public accepts everything the way it is. This could be because he has actually been conditioned by the media to believe that everything is great and the way it should be. But I think that it is because he has lost hope. He feels overwhelmed by the world order and the powers-that-be. He knows not, and he is too ignorant and lazy to find out, how to do other than just accept things the way they are. But if his insecurity and exploitation are ever going to be conquered, he must re-kindle hope and fight for change.
Hope has two beautiful daughters: Indignation and Courage. Indignation teaches us not to accept things as they are. Courage empowers us to change them. — paraphrase of words generally attributed to Saint Augustine
But into what should they be changed? How should they be changed? How can we change them?
The process of free and open distribution of information and knowledge is fundamentally incompatible with government and commerce. The two can't coexist on the same network. They must be implemented on separate networks. This does not necessarily mean separate physical infrastructure. It means simply that they must use separate mutually incompatible Internet protocols. I suggest the original Internet open protocol be kept for the free and open distribution of knowledge and information and a new inherently secure protocol be specifically designed for use by government and commerce.
The logical infrastructure of the present-day Internet is a mess. It comprises mega-server installations juxtaposed with individual end-point PCs and smartphones, where only the mega-servers of ISPs, email servers, cloud services and web hosts have open listening ports. This is the way it can be on the government and commercial Internet. But certainly not on the Internet of knowledge and information.
On the latter, all end-points must be treated the same, as alluded to in the Brazilian Internet Bill of Rights [LEI Nº 12.965, DE 23 DE ABRIL DE 2014], which states:
Art. 9º The agency responsible for the transmission, switching or routing has the duty to treat all data packets equally, without distinction by content, origin and destination, service, terminal or application.
...
§3. Subject to the provisions of this article, the content of data packets may not be blocked, monitored, filtered or analysed in Internet connections, either paid or free of charge, or in transmission, switching and routing.
Thus, on the intellectual Internet at least, everybody can both talk and listen and thereby be able to operate their own email post office, web servers and whatever other programs that need to listen for signals from other Internet subscribers. All can see and hear; all can be seen and heard if they wish to be.
Ideally, for seamless operation, the global Internet infrastructure should be in the hands of a non-commercial non-political international custodian. One-per-household permanently active end-point units should be of a standard design that is as user-maintainable as possible down to component level, with replacement parts readily obtainable.
With 8·1 billion people in the world at an average of 4·9 people per household, there would need to be 1·7 billion Internet end-point units, which is less than half the 4,294,967,296 available within IPV4 address space. So with government and commerce on a separate protocol, there is plenty of address space for both without resorting to the confusion of running IPV6 alongside. The world population is predicted not to pass double its present amount, so there should always be sufficient. Each household could then have of the order of 32,000 computers connected to its Internet end-point unit, which again, is well sufficient.
With each household having a permanent static IP address, participant identification is robust, rendering personal interactions and transactions inherently secure. The infrastructure of the intellectual Internet could be implemented solely on the household end-point units as a fine-grid WiFi-style network in which each householder had a public duty to maintain and sustain the operation of his end-point unit node. True keyword search engines could then be implemented in distributed form.
The intellectual Internet operates in pull fashion like the old Internet. On it, commercial soliciting push modality is prohibited. That is reserved for the government and commercial Internet. Anybody caught so doing is banished from the intellectual Internet. However, any suspected infractor must have his fair trial. No lynch mobs.