Wednesday, May 14, 2025

Security Theater for Fraud Protection

Many of us experience processes where there's an appearance of 'something' being done, when in reality we're just experiencing 'theater'. Security theater, where we experience some 'safety procedure' that actually, when you think about it, isn't really making things safer. A close friend of security theater is shifting liability. They'll often go hand in hand - some 'security' process actually is just shifting liability from the company to you. We experience this with things like license agreements and terms of use (you read those, right?), or with hitting OK on the car navigation agreeing that it won't be used by the driver when driving. If something happens, well now, there's evidence you accepted or clicked, so it couldn't possibly be our fault, could it?

Fraud in banking is increasing, with significant upticks since 2023. There are many reasons for this, but an obvious cause is the increase in the possible ways that we can be fooled - from text messages, app notifications, unsolicited phone calls, the modern world is a wonder. So it's reasonable to think that banks would be reacting by providing better ways to protect us from fraud, no? Sadly this is not the case, with the banks falling cleanly into the "let's ensure we can reduce our liability" camp.

Let's step through an example (note, I won't name the bank, as the patterns are shared among many banks). I had occasion to do a wire transfer (domestically to another US bank). Given all the details (ABA routing number, account number, address etc), I decided on the following process.

  1. Send a small wire transfer through to verify fund receipt.
  2. Go to a bank branch in person and execute the wire transfer using the same details as in (1).

I reasoned that if the first is successful then the second (bigger) transfer would go through without problem as all identification / verification would occur in branch, and they'd re-use the same transfer details on my account, so all should be fine.

Step 1 goes flawlessly. Step 2 is less smooth than I would like, as despite having done the smaller transfer, the bank staff had to re-enter all the details again, requiring me to re-check the ABA routing and account number etc. Poor, but OK.

As I'm leaving the branch, the very helpful bank member is embarrassed to explain that I may receive a call from fraud prevention to follow up before this is sent. "Even though I'm physically here and you've verified everything?" "Even so."

So, 20 minutes later I receive a call from "Scam Possible". I let it go to voicemail and review a message from fraud prevention, and please could I give them a call back. I call the number on the back of my bank card, and then have to spend 15 minutes stepping through verification and a fixed set of questions around the purpose of the transfer, was I coerced, do I know the recipient, have I transferred money to them before, have I received money from them, until finally, do I acknowledge and accept the risk in making the transfer.

Then 30 minutes later I get another call from "Scam Possible", which is a repeat of the first. When I call up and ask why I'm having to repeat myself, there's no explanation.

So let's just break this down.

  1. The bank is calling me from a number that someone has identified as "scam". More bluntly, the fraud department is trying to educate its clients that it's a good idea to pick up calls and hand over PII.
  2. The bank had information about the recipient (in this case the receiver was me) and whether I'd transferred or received money before, but ignored it.
  3. There's nothing in the questions that the bank is asking that protects me. In theory I could be being held at gunpoint and be forced to answer the questions the way I did.
  4. The bank is incompetent in its record keeping and has to go through the process twice.

I would argue that even if we sigh and accept that they want to shift liability, prompting within their banking app would be a much more secure (tied to biometrics) method. If we actually want to protect me, then having some mechanism for indicating 'held at gunpoint, don't transfer' that looks like I'm OKing the transfer would potentially be a better method.

It's clear though that the bank just wants to use security theater to shift liability, and doesn't care if it makes my life less safe when doing it.

Monday, January 20, 2025

Apple Cored

Beyond time at university, I've used Apple devices for much of the last 25 years. Use as a personal computer started when I worked at Microsoft, mainly as an easy defense against the "Oh, you work at Microsoft? I have a problem with <X>, can you help?" (a corollary to "You're from England, do you know <Y>?"). Far easier to say "So sorry, I use a Mac so I can't help you".

There was always a trade-off using a Mac. Apple's promise of giving the best experience by controlling both the hardware and the software sounded good, but the reality was Apple did a good job of optimizing for 'most people'. An Apple machine 'just worked'. Apple users rarely expected to have to type weird incantations or wield tools like Windows RegEdit to get their machines to work. Pretty much the machine worked and you could do what you needed to do, without worrying about the computer part. The trade-off came in the cost and the performance - you typically paid more for Apple's engineering, and weren't getting the highest performance components. For years, for example, as Apple navigated the shift to Intel CPUs, high performance CPUs would come out that could be built into a Windows PC, whilst delays and premium pricing awaited the Apple faithful.

Then came the iPhone and other Apple devices, and I'd still argue Apple was operating by the same playbook. It wasn't that the same technology wasn't available elsewhere. It's just that Apple packaged it up and made it work so you could just use it seamlessly. I've used Android devices (part of working for Google) on and off, but iPhones have been a reasonable constant, with upgrades every 2-3 years.

With Steve's passing, Tim's supply chain management expertise became even more apparent. From the delayed migration to USB-C (really, the iPhone 14 Pro was Lightning?), through to TouchID->FaceID migration (Android devices have both, but no, that's not the Apple way) and the slow rollout of better camera lenses, everything is at Apple's pace, managing the bottom line.

There's unfortunately some rot in this world, and the iPhone 16 debut is the bifurcation point for me. Let's lay out a few things.

Firstly, with the launch of the Apple Watch and tying the watch to the phone (and the iCloud account), Apple gained a lot of stickiness. But unfortunately Apple just seemed to be less focused on quality. Health data (into which the Apple Watch pours its sensor info) can get very large (over 7Gb for me currently, without any abnormal use), which means transitioning a watch over to a new phone can be fickle. It was not great with the 15, but I had two weeks of failure to try and migrate to the 16 Pro. Just wouldn't migrate across. There are other bugs with the Apple Watch (I have a badge on day 2751 of 2750 towards a goal, for example), but getting the smooth migration to the 16 Pro wasn't working.

It's about now I should introduce the next flank of Apple's decline, and that's the troubleshooting experience. Search the forums, attend any genius bar, and the starting point will be "Have you backed up your device? Because what we're going to do is do a factory reset and restore." - the software version of "Turn it off and turn it on again". I'm sympathetic to a point - definitely a valuable tool in the fix-it arsenal, but it's become the starting point (and often ending point) of troubleshooting. Here's the problem though - from a computer science perspective, what that process says is "We have something inconsistent in our software state that we're not going to try and debug. It could be a memory leak, or a data corruption error, or something more insidious in terms of how system, applications and data are interoperating. And we're not going to try and figure out why and make sure it doesn't happen again."

The reset and restore is going to lose any of those diagnostics, and just start again - meaning there's no explanation for the issue, or whether it might occur again. Users will often leave the Genius bar with their device working again (after waiting a while for the reset/restore purchase), without a thought to whether the issue will happen again. Try that approach with cars, or healthcare equipment, and I think you'd want a different answer.

So now you start doing more research and you find that other alternatives are quite attractive really. A Garmin watch which has days or even weeks of battery life for the same sensor data. An Android phone with better cameras, biometrics (face and fingerprint both) at less than half the cost. So you conduct an experiment, and the final defense against switching - the applications - crumbles away. The Android application versions of what you use are essentially the same, except that two of them don't crash the same way the iOS versions do.

So it feels like Apple's push into generative AI and rushing out iOS 18 and then point releases to get generative AI features in place, to consume more resources, is at the expense of platform quality. It's sad to see that Apple devices don't "just work" anymore.