STEVE CASSIDY
It’s nothing personal, Steve reassures himself, as a worrying series of events makes him consider adopting a false identity.
This month has been the oddest in my life. Not just for the deluge of fake GDPR opt-in/opt-out spam emails, but because in the midst of all that contralogical, unnecessary and fabricated flapping about protection of personal data, I think I was the subject of a traceable case of misused, AI-filtered personal data-trawling.
But I’ll come back to that later. First: let’s talk GDPR. Its heavy fines are partially meant to tackle firms that have allowed information about their customers to leak. Most people have a foggy understanding of what’s done with their data after a breach or “loss” (copying, to IT insiders like us): it’s taken by the shadowy, archetypal hacker, who then… does things with it, sometimes culminating in emptying your bank account or ordering four tonnes of coal delivered to your house.
As GDPR bites, companies are revising their systems, in ways that have nothing at all to do with the direct impact of stolen data. As I found out, when I tried to book a hire car for a press trip using some air miles.
On completing the booking via the prominent UK airline website, I received an instant email response. Booking was cancelled, it said, due to a payment problem. Now, I have a posh bank, and it’s on constant alert after an incident of fraud a few years back so large it hit the mainstream news, of which some of my relatives were victims. We all get called, very quickly indeed, if there’s a transaction problem. I looked expectantly at my phone. And waited. Overnight, in the end.
After two days and an accumulated four hours on hold listening to my bank’s plinky-plonky guitar theme tune music, and some evidently determined and intense investigation by my bank’s fraud team – who hadn’t rejected any such transaction – we concluded that the hire car transaction had been stopped because one of the mega-corporations involved (the airline or the car rental company) were now checking credit cards against lists of those stolen from other retailers in data breaches. Mine was apparently on such a list, even though it hadn’t been used for any dubious transactions.
To say that my bank was annoyed with the combined idiocy of the airline and the car hire firm would be an understatement of massive proportions. Most people on business trips book cars at the last minute, and if this transaction-rejection thing kicks off, the only valid response for the bank is to kill off that card and issue a new one. A procedure that can take over a week. Well inside the time horizon for a business trip to be messed up by the delivery delay.
I put this to the assembled technocrat horde, at breakfast in San Jose. Lots of them talked about using smartphone apps that apply all sorts of restrictions to your credit card, like not working in other countries or only being usable to buy fuel. But none of those apps can combat a reasonless transaction refusal by a vendor, and national restrictions no longer make sense. When I buy internet access on the Harwich to Hook ferry, Stena Line processes the transaction in Norway. I don’t want to make a call to my British bank to authorise it.
Worse still, my bank spent some of the two-day research interval worrying about whether telling me the cause of the problem counted as a GDPR violation! This was because the refusal was based on a service outside GDPR’s legislative reach, which is a collected database of credit card details and identifying information clawed back from the dark web. Isn’t that supposed to be exactly what GDPR protects us against?
There is no approved, centralised, charitably run open-access site on the normal internet that can tell you authoritatively which data breach included you. Sure, there’s Have I Been Pwned – but that’s focused on email addresses, not credit card data. Searching the dark web for signs that you’re a victim of this mechanism is akin to the search for weapons of mass destruction in Iraq. You can’t guarantee that you missed something, and there’s no handy way to view the data: in a lot of cases, you’re expected to pay with Bitcoin for access and maybe – possibly – be sent a download in due course. There’s no Consumer Association for the dark web to handle non-delivery complaints.
My only response is to adopt a completely different card, ideally with a fake identity that has no searchable link back to my real-world persona. Of course, to do this, I’d then need accompanying ID in the same fake name, because a lot of places now want to see photo ID before they’ll even present the card to the machine. From the initial fraud case a few years ago, my family already know our data is out there – and that the banks won’t extend us the protective measures they use with mega-celebrities.
We’re constantly told that FinTech is disruptive and transformative, and can handle the problem of credit card theft, duplication, and so on. So far, all my incidents have been based on transactions that don’t pass through the modern IT estate in any way – the French boat-hire firm whose embezzling staff waited until my holiday started to use the card number on its manual booking form for purchases in Francophone countries only, to take one example.
The current truth seems to be that almost every business concerned with consumer purchasing is desperate, beyond endurance, to show any kind of protective measure. Not to the consumer, but to their shareholders. Solutions that use cloud systems, AI searches and shady business relationships with apparent reason to stay in the shadows, without any form of communication with the customers whose good character and credit rating they blithely traduce, are being taken up in the absence of any more sophisticated solution. This is, as the younger technocrats like to say, genuinely disruptive – just not in the way they think.
The last time I had unwilling participation in online fraud, when some 1990s raver decided to steal money from the Cassidy clan, he ended up in jail. This incident became a signal trial in the history of online fraud and an investigation that broke all the preceding laissez-faire rules about computerised identity theft. Judging by my bank’s reaction to my latest encounter with the long tail of internet fraud, I have some hope that this new idiocy will come under much pressure, although I rather suspect no-one will be locked up as a result. Apart from me, that is, when some hotel booking in a country with non-English-speaking policemen suddenly goes sour at the whim of a plonker with a list of credit card numbers.
Family values
For someone with zero reputation as an expert in the ins and outs of online personal data, I’ve been getting an awful lot of questions about this topic. I’ve lost count of the number of times that someone believes they’ve caught out Facebook with some immense global datawashing conspiracy, and ignores my explanation that a distributed transaction-processing system will look exactly like what they’re seeing and griping about. Battling through their conspiracy theories to explain how the tech actually performs is such a thankless task that I rarely make the effort these days.
In the first incident, both the battle and the final revelation were worth the effort. One of my nieces has inherited the argument gene that’s been so apparent in me from the day I could talk: put us in a room (or worse still, online) and it will develop into a full-scale shouting session. Nevertheless, I wanted to bring her into the little-used Facebook Family Group feature. So, because she’s fiercely independent, I searched by her name and sent her a private message. We briefly agreed to friend up, so I could put her in the group, and then we defriended again, so she could guarantee her mates that no wrinkly old uncles were snooping.
Initially, this seemed to work well. She could participate in the family group, chatter about births, deaths and funerals, and do her social thing with her peers. Except that a few weeks later, I wanted to follow up on some of her initial security questions, so I searched for her name again. I found a group chat she’d participated in – and much to my utter incredulity, I could join and read that group chat, without inhibition from Facebook.
It turns out that group chats