Antepenultimate
For many reasons, I've never wanted to use my mobile phone for banking. For one thing, I have a desktop machine with three 24-inch monitors and a full-size functioning keyboard; why do I want to poke at a small screen with one finger?
Even if I did, the corollary is that mobile phones suck for typing passwords. For banking, you typically want the longest and most random password you can generate. For mobile phone use, you want something short, easy to remember and type. There is no obvious way to resolve this conflict, particularly in UK banking, where you're typically asked to type in three characters chosen from your password. It is amazingly easy to make mistakes counting when you're asked to type in letter 18 of a 25-character random string. (Although: I do admire the literacy optimism one UK bank displays when it asks for the "antepenultimate" character in your password. It's hard to imagine an American bank using this term.)
Beyond that, mobile phones scare me for sensitive applications in general; they seem far too vulnerable to hacking, built-in vulnerabilities, SIM swapping, and, in the course of wandering the streets of London, loss, breakage, or theft. So mine is not apped up for social media, ecommerce, or anything financial. I accept that two-factor authentication is a huge step forward in terms of security, but does it have to be on my phone? In this, I am, of course, vastly out of step with the bulk of the population, who are saying instead: "Can't it be on my phone?" What I want, however, is a 2FA device I can turn off and stash out of harm's way in a drawer at home. That approach would also mean not having to give my phone number to an entity that might, like Facebook has in the past, coopt it into their marketing plans.
So, it is with great unhappiness that I discover that the combination of the incoming Payment Services Directive 2 and the long-standing effort to get rid of cheques are combining to force me to install a mobile banking app.
PSD2 possibly will may perhaps not have been the antepenultimate gift from the EU28. At Wired, Laurie Clark explains the result of the directive's implementation, which is that ecommerce sites, as well as banks, must implement two-factor authentication (2FA) by September 14. Under this new regime, transactions above £30 (about $36.50, but shrinking by the Brexit-approaching day) will require customers to prove at least two of the traditional three security factors: something they have (a gadget such as a smart phone, a specific browser on a specific machine, or a secure key), something they know (passwords and the answers to secondary questions), and something they are (biometrics, facial recognition). As Clark says, retailers are not going to love this, because anything that adds friction costs them sales and customers.
My guess is that these new requirements will benefit larger retailers and centralized services at the expense of smaller ones. Paypal, Amazon, and eBay already have plenty of knowledge about their customers to exploit to be confident of the customer's identity. Requiring 2FA will similarly privilege existing relationships over new ones.
So far, retail sites don't seem to be discussing their plans. UK banking sites, however, began adopting 2FA some years ago, mostly in the form of secure keys that they issued and replaced as needed - credit card-sized electronic one-time pads. Those sites now are simply dropping the option of logging on with limited functionality without the key. These keys have their problems - especially non-inclusive design with small, fiddly keys and hard-to-read LCD screens - but I liked the option.
Ideally, this would be a market defined by standards, so people could choose among different options, such as the Yubikey. Where the banks all want to go, though, is to individual mobile phone apps that they can also use for marketing and upselling. Because of the broader context outlined above, I do not want this.
One bank I use is not interested in my broader context, only its own. It has ruled: must download app. My first thought was to load the app onto my backup, second-to-last phone, figuring that its unpatched vulnerabilities would be mitigated by its being turned off, stuck in a drawer, and used for nothing else. Not an option: its version of Android is two decimal places too old. No app for *you*!
At Bentham's Gaze, Steven Murdoch highlights a recent Which? study that found that those who can't afford, can't use, or don't want smartphones or who live with patchy network coverage will be shut out of financial services.
Murdoch, an expert on cryptography and banking security, argues that by relying on mobile apps banks are outsourcing their security to customers and telephone networks, which he predicts will fail to protect against criminals who infiltrate the phone companies and other threats. An additional crucial anti-consumer aspect is the refusal of phone manufacturers to support ongoing upgrades, forcing obsolescence on a captive audience, as we've complained before. This can only get worse as smartphones are less frequently replaced while being pressed into use for increasingly sensitive functions.
In the meantime, this move has had so little press that many people are being caught by surprise. There may be trouble ahead...
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.