UK Banking, Fineco is not enough

You may remember that the last time I blogged about UK banking I had just dismissed Barclays in favour of Fineco, the Italian investment bank, a branch of UniCredit. This seemed a good move, both because people in my circles, at least in Italy, spoke very highly of Fineco, and because the sign-up flow was so good that it sounded like a good idea.

I found out almost right away that something was not quite perfect for the UK market, in particular because there was (and is) no way to set up a standing order, which is the standard way to pay your rent in the UK (and Ireland, for what it’s worth). But it seemed a minor thing to worry about, given the rest of the bank’s features (the ability to spend up to £10k in a single transaction by requesting an explicit lift of the card limits with SMS authentication, to name one).

Unfortunately, a couple of months later I know for sure that it is not possible to use Fineco as a primary account in the UK at all. There are two problems: the first is very much a problem for anyone, the second a problem for my situation. I’ll start with the first one: direct debit support.

The direct debit system, for those not used to it in Europe, is one where you give a “debtor” (usually a utility service, such as your ISP or power company) your account details (Sort Code and Account Number in the case of the UK), and they will tell the bank to give them money at a certain time of the month. And it is the way Jeremy Clarkson lost £200, ten years ago. There is a nearly identical system in the rest of the EU, called SEPA Direct Debit (with SDD Core, which deals with B2C, business-to-consumer, debits, being the more commonly known variant).

After I opened the Fineco account, I checked on Payments UK’s Sort Code Checker which features were enabled for it (30-02-48), and then, as well as at the time of writing, it said «Bacs Direct Debits can be set up on this sort code.» So I had no qualms about closing my Barclays account and moving all the money into the newly created account. All of my utilities were more than happy to switch, except for ThamesWater, which refused to let me set up the debit online. Turns out they were the only ones with a clue.

Indeed, when in January the first debit was supposed to land, instead of seeing the debit on the statement, I saw a BACS credit of the same amount. I contacted my ISP (Hyperoptic, with their awesome customer support) to verify whether something had failed on their side, but they didn’t see anything amiss. When even Netflix showed up the same way, and both transactions were followed by an “entry reversal” of the same amount, I knew something was off with the bank and contacted them, originally to no avail.

Indeed, a few more debits showed up the same way, so I waited for the other shoe to drop, which it did at the end of January, when Fineco sent me an email (or actually a ticket, it even has a ticket number!) telling me that they had processed the debits as a one-off, but that I should cancel them because they won’t do this again. This was professional of them, particularly as this way it does not hit my credit score at all, but it is still a major pain in the neck.

My first hope was to be able to just use Revolut to pay the direct debits, since they are all relatively low amounts, which fit my usual auto top-up strategy. When you look at the Revolut information page with your account details for GBP, the text says explicitly «Use this personal UK current account to get salary and to pay bills», which gave me hope, and indeed Payments UK’s checker also confirmed that it supposedly accepts Bacs Direct Debit. But when I checked with the in-app chat support, I was told that no, Revolut does not support direct debits, which makes that phrase extremely misleading. At least TransferWise explicitly denies supporting Direct Debit in the sort code checker; kudos to them.

The next problem with Fineco is not actually their fault, but is still due to them not having the “full features” of a UK high street bank. I got contacted by Dexters, the real estate company that among other things manages my apartment and collects my rent. While they told me the money arrived all good when I moved to Fineco (I asked them explicitly), they sent me a scary and threatening email (after failing to reach me on the phone, as I would have been charged excessively high roaming charges to answer an unknown number)… because £12 were missing from my payment. The email exchange wasn’t particularly productive (I sent them a photo of the payment confirmation; they told me «[they] received a large sum of money[sic] however it is £12.00 that is outstanding on the account.»). So I called them on Monday, and they managed to confirm that it was actually £6 missing in December, and another £6 missing in January.

Throwing this around with colleagues, and then discussing it with a more reasonable person from Dexters on the phone, we figured out that Barclays (as the bank used by Dexters to receive the rent) is charging them £6 to receive these transfers because they are “international” — despite the fact that they are indeed local, it appears Barclays applies that fee to any transfer received over the SWIFT network rather than through the Faster Payments system used by most other UK banks. I didn’t want to keep arguing with Dexters over the fact that it’s their bank charging them the fee, so I paid the extra £12, and decided to switch the rent payment over to the new account as well. I really dislike Barclays.

I’ll post later this month on the following attempts with other bank accounts. For now I decided that I’ll keep getting my salary into Fineco, and keep a running balance on the “high street” account for the direct debits, and the rent. Right now for my only GBP credit card (American Express) I still pay the balance off Fineco via debit card payment anyway, because the credit limit they gave me is quite limited for my usual spending, particularly now that I can actually charge that card when booking flights on BA without having to spend extra money in fees.

Barclays and the single factor authentication

In my previous post on the topic I barely touched on one of the important reasons why I did not like Barclays at all. The reason for that was that I still had money in my account with them, and I wanted to make sure that was taken care of before lamenting further on the state of their security. As I have now managed to close my account, I can go on and discuss this further, even though I have already touched upon the major points.

Barclays’ online banking system relies heavily on what I would define as “single factor authentication”.

Usually, authentication factors are defined as things you have or things you know. In the case of Barclays, the only thing they effectively rely upon is “access to the debit card”. Okay, technically you could say that by itself it’s a two-factor system, as it requires access to the debit card and to its PIN. And since the EMV-CAP protocol they use for this factor executes directly on the chip card, it is not susceptible to the usual PIN-stripping attacks that most card fraud with chip-and-PIN cards relies on.

But this does not count for much when the PIN of the card they issued me was 7766 — and lamenting that is why I waited to close the account and give them back the card. It seems like there’s a pattern of banks issuing “easy to remember” 4-digit PINs: XYYX, XXYY, etc. One of my previous (again, cancelled) cards had a PIN terribly easy to remember for a computerist, though not for the average person: 0016.

Side note: I have read someone suggesting to badly scribble a wrong PIN on the back of a card as theft prevention. Though I like that idea, I’m afraid the banks won’t like it anyway. Also, it would take some work to make the scribble ambiguous enough to be misread as different digits, so that a thief burns through the three attempts needed to block the card.

You access the Barclays online banking account through the Identify method provided by CAP, which means you put the card into the reader, provide the PIN, and get an 8-digit identifier that can be used to log in on the website. Since I’m no expert on how CAP works internally, I will only venture a guess that this is similar to a counter-based OTP, as the card has no access to a real-time clock, and no challenge is provided for this operation.

This account access sounds secure, but it’s really not any more secure than a username and password, at least when it comes to dealing with phishing. You may think that producing a façade that shows the full Barclays login and proxies the responses in real time is a lot of work, but phishing tools are known for being flexible, and they don’t really need to reproduce the whole website, just the parts they care about getting data from. The rest can easily be proxied as-is without any further change.

So what can an attacker do once they have fooled someone into logging in to the bank? Well, not much, as most of the actions require further CAP confirmation: wires, new standing orders, and so on. They can, though, get a lot of information about the victim, including enough proof of address or identity to really mess with their life. It also makes it possible to cancel things like standing orders to pay for rent, which would be quite messy to deal with for most people — although most phishing is not done for the purpose of messing with people, but to get their money.

As I said, for sending money you need access to the CAP codes. That includes having access not only to the device itself, but also to the card and the PIN. To execute those transactions, Barclays asks you to sign a transaction by providing the CAP device with the account number and the amount to wire. This is good, and it’s pretty hard to tamper with, hopefully (I make no guarantee on the implementation of CAP), so even if you’re acting through a proxy-phishing site, your wires are probably safe.

I say probably because, the way the challenge-response is implemented, only the 8-digit account number is used during the signature, not the sort code. If the phishers are attacking a victim they have studied for long enough, which may be the case when attacking businesses, they could know which account the victim pays manually every month, and set up an account with the same number at a different bank (different sort code). The signature would be valid for both.
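To make concrete what the signed challenge does and does not bind, here is an added example in Python, written for this post; it is a toy model, not the real EMV-CAP algorithm and not anything from Barclays. An HMAC over a constructed card key stands in for the card’s own cryptogram, and a challenge built from account number and amount only (the behaviour described above) is compared with one that also binds the sort code. The check a defender wants is that a response signed for one payee never verifies for a different payee; the second challenge format passes that check and the first does not.

```python
"""Toy model of CAP-style transaction signing (added example, not the real
EMV-CAP algorithm). The card computes a response over the challenge the
user keys in; the bank recomputes the response for the payee it was
actually asked to pay. What matters is which payee fields the challenge
binds."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-card secret; a real card derives its cryptogram from
# EMV keys that never leave the chip.
CARD_KEY = b"constructed-card-key-for-illustration-only"


@dataclass(frozen=True)
class Payee:
    sort_code: str        # 6 digits, identifies the receiving bank/branch
    account_number: str   # 8 digits, identifies the account at that branch


def sign_challenge(challenge: str, counter: int, key: bytes = CARD_KEY) -> str:
    """Return an 8-digit response over (transaction counter || challenge)."""
    msg = f"{counter}:{challenge}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def challenge_account_only(payee: Payee, amount_pence: int) -> str:
    """Challenge as the post describes it: account number and amount only."""
    return f"{payee.account_number}{amount_pence:010d}"


def challenge_full(payee: Payee, amount_pence: int) -> str:
    """Hardened challenge: the sort code is bound as well."""
    return f"{payee.sort_code}{payee.account_number}{amount_pence:010d}"


def bank_verifies(challenge_fn, paid: Payee, amount_pence: int,
                  counter: int, response: str) -> bool:
    """Bank-side check: recompute the response for the payee in the request."""
    expected = sign_challenge(challenge_fn(paid, amount_pence), counter)
    return hmac.compare_digest(expected, response)


def response_reusable_for_other_payee(challenge_fn) -> bool:
    """True if a response the customer signed for `intended` also verifies
    when the request names `substitute`: same account number, different
    sort code (constructed values)."""
    intended = Payee(sort_code="200000", account_number="12345678")
    substitute = Payee(sort_code="400000", account_number="12345678")
    amount, counter = 125000, 42   # £1,250.00, 42nd signature on this card
    # The customer signs the challenge for the payee they meant to pay...
    response = sign_challenge(challenge_fn(intended, amount), counter)
    # ...and the bank receives a request naming the substituted payee.
    return bank_verifies(challenge_fn, substitute, amount, counter, response)


if __name__ == "__main__":
    print("account-only challenge reusable:",
          response_reusable_for_other_payee(challenge_account_only))
    print("full challenge reusable:        ",
          response_reusable_for_other_payee(challenge_full))
```

Binding the amount is what stops a proxy from changing how much is sent; the gap is that any payee field left out of the challenge is also left out of the signature. The design rule this illustrates is that everything which selects the destination has to be keyed in by the user and covered by the response, which is also why an opaque challenge token (as discussed below for Ulster Bank) is a step backwards even if it binds more data.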

To be fair to Barclays, implementing CAP fully, the way they did here, is actually more secure than what Ulster Bank (and I assume the rest of RBS Group) does, with an opaque “challenge” token. While this may encode more information, the fact that it’s opaque means there is no way for the user to know whether what they are signing is indeed what they meant to.

Now, these mitigations are actually good. They require continuous access to the card on request, and that makes it very hard for phishing to just keep using the site in the background after the user has logged in. But they still rely on effectively a single factor. If someone gets hold of the card and the PIN (and we know at least some people will write the real one on the back of the card), then it’s game over. It’s like the locks on my flat’s door: two independent locks… except they use the same key. Sure, it’s a waste of time to pick both, so it increases the chances that a neighbour would walk in on wannabe burglars trying to open the apartment door. But there’s a single key: I can’t use two separate keychains to make sure a thief would only grab one of the two, and if anyone gets it from me, well, it’s game over.

Of course Barclays knows that this is not enough, so they include a risk engine. If something in a transaction doesn’t fit their profile of your activity, it’s considered risky and they require additional verification. This verification happens to be in the form of text messages. I will not suggest that the problem with these is GSM-layer attacks, as those are still not (yet) in the hands of the type of criminals aiming at personal bank accounts, but there is at the very least the risk that a thief gets hold of my bag with both my card and my phone, so the only “factors” that are still in my head, rather than tied to the physical objects, are the (provided) PIN of the card and the PIN of the phone.

This profile fitting is actually the main reason why I got frustrated with Barclays: since I had just opened the account, most transactions were “exceptional”, and that is extremely annoying. This was compounded by the fact that my phone provider didn’t even let me receive SMS at the office, due to lack of coverage (now fixed), and the fact that, at least for wires, the Barclays UI does not warn you to check your phone!

There is also the problem with the way Barclays handles these “exceptional transactions”: debit card transactions are out-and-out rejected. The Verified by Visa screen tells you to check your phone, but the phone will only ask you whether it was your transaction or not, and after you confirm it is, it’ll ask you to “retry in a couple of minutes” — retrying too quickly will lead to the transaction being blocked by the processor directly, with a temporary card lock. The wire transfer confirmation will unblock the execution of the wire, which is good, but it can also push the wire past the cut-off time for non-“Faster Payments” wires.

Update (2017-12-30): since I did not make this very clear, I have added a note about this at the bottom of my new post, about the fact that confirming these transactions only requires spoofing the sender, since the content and destination of the text message to send are known (it only has to say “Y”, and it’s always to the same service number). So this validation should not really count as second-factor authentication against a skilled attacker.

These are all the reasons for which I abandoned Barclays as fast as I could. Some of those are actually decent mitigation strategies, but the fact that they do not really increase security, while increasing inconvenience, makes me doubt the validity of their concerns and threat models.

UK Banking, Attempt 2: Fineco Bank

So after a fairly negative experience with Barclays I quickly started looking for alternatives. Two acquaintances who don’t know each other both suggested I look into Fineco, which is an Italian bank also operating in the United Kingdom. As you can tell from their website, their focus is on trading and traders, but it turns out they also make a fairly decent bank in and of themselves.

Indeed, opening the account with Fineco was fairly straightforward: a few online forms, uploading documents to their identity verification system (very similar to what Revolut does, except using an Italian company that I already knew and was a customer of), and then sending £1 from a bank account already open in your name. I also found the forms technically well designed, particularly the fact that all the “I agree to” checkboxes automatically trigger JavaScript downloads of PDFs with the terms agreed to, whether you clicked to read the agreement or not — I guess it’s a «No excuse, you have a copy of this» protection on their side, but it also made it very easy to archive all the needed information together with everything else I keep.

I should note here that Fineco’s target audience looks to be explicitly Italian expats in the UK. It is common for most services to “special case” their local country as the first entry in the country drop-down, and then add the rest in alphabetical order. In the case of Fineco, the drop-down started with United Kingdom and Italy in all the options.

One of the good things about this bank being focused so much on trading is that the account is by default a multicurrency one, similar to the TransferWise Borderless Account. Indeed, in addition to the primary Sterling account, Fineco sets you up right away with accounts in Euro, Swiss Francs, and US Dollars, all connected to the same login. And in addition to this, they offer you the choice between a Sterling debit card, a Euro credit card, or both (for a reasonable fee of £10/yr). The two cards are connected to their respective currency accounts (no card is available for Francs or Dollars), and neither has foreign transaction fees. While Revolut mostly took care of my foreign transaction fees, it’s always good to have a local debit card with much higher availability, particularly as ATM access for Revolut has a relatively low monthly limit.

One of the interesting details of these currency accounts is that they all have Italian IBAN and BIC (with a separate SWIFT routing number, of its parent group UniCredit). For the main Sterling account, UK-style Sort Code and Account Number are available, which make it a proper local account.

This is actually very useful for me: for the past four years I have been keeping my old Italian account open, despite it costing me a fair bit of money just in service, because I have been paying the utilities for my mother’s house. And despite SEPA Direct Debit having been introduced over two years ago, the utilities I contacted failed to let me debit a foreign (Irish) account. Since I left Ireland, and the UK is not a Euro country, I was afraid I would have to keep my Italian account open even longer, but this actually solved the problem: for Italian utilities, the account is a perfectly valid Italian account, as for the most part they don’t even validate the billing address.

An aside: Vodafone Italy and Wind 3 Italy are still attached to my Tesco credit card, which Tesco Bank assures me I can keep using as long as I direct debit it from a Euro account anywhere. They even changed my mailing address to my new apartment in London. Those two companies insist that they only ever accept Italian credit cards, but they accepted my Irish credit card just fine before; in the case of Vodafone, they have an explicit whitelist of BINs (for whatever reason), while Wind couldn’t grasp the concept that the card is Irish at all. Oh well.

Speaking of direct debits and odd combinations, while I should by now have managed to switch all the utilities, including the council tax, to direct debit on this new account, I had some trouble with the setup at Thameswater, the water provider in my area. If I tried setting up the direct debit online, it would report Fineco’s sort code (30-02-48) as invalid. The Sort Code Checker provided by the trade association says it’s valid and that it works for everything besides cheque and credit clearing (which is not needed). I ended up having to call them and ask them to override the warning, but they have not sent me confirmation that they managed. This appears to be a common “feature” of Thameswater — oh, and by the way, their paper form to request the direct debit was a 404 on their website. Sigh.

The UI of the bank (and of their app) is much more information-dense than any other bank I’ve ever used. It’s not a surprise when you consider that their target audience is investors and traders. It does work well for me, but I can see how this would not be the most pleasing interface for most home users. The only feature I have been unable to find yet in the interface is how to set up standing orders – I contacted them this weekend and will see what they say – so for the moment I just set up a few months’ worth of rent as scheduled payments, which work just fine for now.

The Android app supports fingerprint authentication (unlike Barclays’) and does not come with its own NFC payment system. Unfortunately the debit cards also appear not to be enabled for Android Pay, which is a bit of a shame. They also don’t use the app to send notifications, but they do send free SMS for new offline1 transactions happening on the debit card, which is great.

All in all, I may have found the bank I was looking for. It’s not a “cuddly” bank, but it appears to have what I need and it appears to work for my needs. With a bit of luck it will mean that by Q1 I’ll be done with all the other bank accounts in both Ireland and Italy, and finally it’ll be simpler to keep an eye on how much money I have and how much of it is spent around the place (although GnuCash does help a bit there). I’ll keep you all posted if this changes.


  1. Confusingly enough, a transaction happening over the Internet is an “offline” transaction. Online/offline refers to the chip in chip-and-PIN cards. If the chip is connected to a terminal that is in turn connected to the bank, that’s an online transaction. Otherwise it’s offline. If you read or type the number manually, it’s also offline.

UK Banking, Attempt 1: Barclays

You may remember that back in August, I tried opening a NatWest account while not yet living in the UK, and hit the stone wall of an impossible declaration being required by the NatWest employees. I gave up on setting up a remote account, and waited to open one once I got into the country. Since the Northern Irish account seemed to be good for all I needed to do (spoiler: it wasn’t), I decided to wait for the Barclays representative to show up on my official starting date, and set up a “Premier” account with them.

The procedure, that sounded very “special” beforehand, turned out to just be a “Here is how you fill in the forms on the website”. Then, instead of sending you to a local branch to get your documents copied and stamped (something that appears to be very common in the British Isles), they had three people doing the stamping on a pre-made copy of the passport. Not particularly special, but at least practical, right?

Except they also said it would take a few days for the card, but over a week to have access to the online banking, as they needed to “send me more stuff”. The forms were filled in on Monday, set up by Tuesday, and the card arrived on Wednesday, with the PIN following on Thursday. At that point I guessed that what else they told me to wait for was a simple EMV CAP device (I did not realise that the Wikipedia page had a Barclays device as an example until I looked to link it over here), and decided not to wait, instead signing up for the online banking using my Ulster Bank CAP device, which worked perfectly fine.

On the Friday I also tried installing the Barclays app on my phone. As you have probably all noticed by now, looking for a new app on the Play Store is risky, particularly when banking is involved, so I wanted to get a link to it from their website. Turns out that the Barclays website includes a link to the Apple App Store page for their app, but not to the Google Play one: the Play Store badge image is not clickable. Instead, the option they give you is to provide your phone number, and they will send you a link to the app as a text message. When I tried doing so, I got an error message suggesting I check my connection.

The reason for the error became apparent with developer tools open: the request to send the SMS goes to a separate app running on a different hostname. And that host had a different certificate from the main website, which at that point had been expired for at least four days! Indeed, since then, the certificate has been replaced with a new one, an EV certificate signed by Entrust rather than Symantec as they had before. I do find it slightly disconcerting that, as a bank, they have no monitoring of the validity of the certificates for all of their websites. But let’s move on.
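The monitoring gap is easy to close. Here is an added example in Python, written for this post (it is not Barclays’ tooling): it sweeps every hostname a site depends on, including any secondary API host like the one that sends the SMS, and classifies each certificate as ok, expiring within an assumed 14-day threshold, expired, invalid, or unreachable. The hostnames are placeholders; only fetch_not_after() opens a connection, so the classification logic can be exercised offline with constructed certificate dates.

```python
"""Added example: a small certificate-expiry monitor covering every hostname
a site depends on, including secondary API hosts. Hostnames are
placeholders; only fetch_not_after() touches the network."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # assumed alerting threshold, not a value from any bank


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the server certificate's notAfter field, e.g. 'Jan  5 09:34:43 2018 GMT'.
    A verifying context is used on purpose: an expired or otherwise invalid
    certificate makes the handshake itself fail with SSLCertVerificationError,
    which check_hosts() records as a finding rather than a transient error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> tuple:
    """Classify one certificate by its notAfter field relative to `now`."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days_left = (expiry - now).days          # negative once expired
    if expiry <= now:
        return ("expired", days_left)
    if days_left < warn_days:
        return ("expiring", days_left)
    return ("ok", days_left)


def check_hosts(hosts, now: datetime, fetcher=fetch_not_after,
                warn_days: int = WARN_DAYS) -> dict:
    """Run the check over every host; never let one failure stop the sweep."""
    report = {}
    for host in hosts:
        try:
            not_after = fetcher(host)
        except ssl.SSLCertVerificationError as exc:
            report[host] = ("invalid", str(exc))      # expired/untrusted: a finding
            continue
        except OSError as exc:                        # DNS, timeout, refused, other TLS errors
            report[host] = ("unreachable", str(exc))
            continue
        report[host] = classify(not_after, now, warn_days)
    return report


# --- constructed sample data so the logic can be exercised offline ---------
SAMPLE_NOW = datetime(2017, 11, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "www.bank.example": "Jun  1 12:00:00 2018 GMT",   # healthy
    "sms.bank.example": "Nov 20 12:00:00 2017 GMT",   # expired four days ago
    "app.bank.example": "Dec  1 12:00:00 2017 GMT",   # expires in a week
}


def sample_fetcher(host: str) -> str:
    """Stand-in for fetch_not_after() that serves the constructed dates."""
    if host not in SAMPLE_CERTS:
        raise OSError(f"name resolution failed for {host}")
    return SAMPLE_CERTS[host]


if __name__ == "__main__":
    hosts = list(SAMPLE_CERTS) + ["old.bank.example"]
    for host, result in check_hosts(hosts, SAMPLE_NOW, fetcher=sample_fetcher).items():
        print(f"{host:20} {result[0]:11} {result[1]}")
```

Run against live hosts by passing the real hostnames and the default fetcher; the point of the inventory is that it must list every hostname the front end calls, not only the one on the address bar, which is exactly the case the post describes.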

The online banking relies heavily on “PINSentry” (that is, CAP), but doing so makes it fairly easy to set up most things, from standing orders to transfers and changes of address. Changing my address to my new apartment was quite straightforward, and it all seemed good. The mobile app on the other hand was less useful at first. The main problem is that the app will refuse to do much for the first ten days, because they “set it up” for you. I assume this is a security feature to prevent someone who gets access to your account from having the app execute the transactions instead of the website. Unfortunately it also means that the app is useless if your phone dies and you need to get a new one.

Speaking of the mobile app, Barclays supports Apple Pay, but they don’t support Android Pay, probably because they don’t have to. On Android, you can have a replacement app provide NFC payment support, and so they decided to use their banking app for the payments as well. Unfortunately the one time I tried using it, it kept throwing errors, and asked me to log in, with a network connection. I don’t think I’ll use this again and will rather look for a bank that supports Android Pay in the future.

Up to here everything sounds peachy, right? The card arrived, it worked, although I only used it a handful of times, to buy stuff at IKEA and to buy plane tickets where Revolut would push an extra £5 due to it running on the credit card circuit1, rather than the debit card one.

Then the time came for me to buy a new computer, because of the one “lost” by the movers. Since Black Friday was around the corner, and with it my trip to Italy, I decided to wait for that and see if anything at all would come discounted. And indeed Crucial (Micron) had a discount on their SSDs, which is what I ended up ordering. Unfortunately, my first try to order ended up facing a Verified by Visa screen that, instead of trying to get more authentication factors from me, just went on to tell me the transaction had failed, and to check my phone for messages.

Indeed, my phone received two text messages: one telling me that a text message would be sent to confirm a transaction, and one asking me whether the transaction was intentional or not. After confirming it was me doing the transaction, I was told to try the transaction again in a few minutes. Which I did, but even though this went through the Verified by Visa screen, PayPal refused the payment altogether. Trying to order directly through Crucial without using PayPal managed to get my order through… except it was cancelled half an hour later because Crucial could not confirm the details of the card.

At this point I tried topping up my Revolut account with the same card, and… it didn’t go well either. I tried calling them then, and they could only tell me that the problem was not theirs, and that they couldn’t even see the requests from Revolut, and they didn’t stop any other transactions, giving the fault to the vendor. The vendor of course blamed the bank, and so I got stuck in between.

Upon suggestion from Revolut on Twitter, I tried topping up by UK bank transfer. At first I got some silly “security questions” about the transfer (“Are you making this transfer to buy some goods? Is someone on the phone instructing you to make this payment?” and so on), but when it supposedly completed, I couldn’t see it in the list of transactions, and trying again would lead to a “technical problem” message. Calling the bank again was even more frustrating because the call dropped once, and as usual the IVR asked me three times for my date of birth and never managed to recognise it. It wasn’t until I left the office, angry and disappointed, that the SMS arrived asking me to confirm whether it was really me requesting the transfer…

The end result looked like Barclays had put a stricter risk engine in place for Black Friday, which had been causing my payments to not go through, particularly not from the office. Trying later in the evening from my apartment (which has a much clearer UK-based geolocation) allowed the orders to go through. You could say that this is for my own protection, but I do find this particularly bothersome for one reason in particular: they have an app!

They could have just as easily sent a push notification to my phone to confirm or refuse the transaction, instead of requiring me to be able to receive text messages (which is not a given, as coverage is not perfect particularly in a city like London), in addition to me knowing my access code, having my bank card with me, and knowing its PIN.

At the end of the day I decided that Barclays is not the bank for me, and applied to open an account with Fineco which is Italian and appears to have Italian expats in the UK as their target market. Will keep you posted about it.


  1. But I found out just the other day that the new virtual cards from Revolut are actually VISA Electron, rather than MasterCard. This makes a difference for many airlines, as VISA Electron cards are often considered debit cards, due to the “Electronic Use Only” limitation. I got myself a second virtual card for that and will see how that goes next time I book a flight.

Opening a bank account in the UK

As I foretold in the post where I announced my move, here is the first of the rants with the problems of moving to the UK.

The banking system of the UK, which is already a complicated pain in most countries, appears to be even more complicated. One of the problems is that almost all debit and credit cards have a nearly 3% foreign transaction fee. For those wondering what foreign transaction fees are, they are fees levied on payments executed using a currency different from the “native” currency of the card/account. The term “foreign” is often a misnomer in Europe, since within the Eurozone transactions may be “foreign” but there is no fee connected, since it’s a single market. Of course this does not apply to UK accounts, as the Sterling is only used in the one country.

This makes it worse than the equivalent 1.75% foreign transaction fee of my Tesco Credit Card, since that would not apply for any expenses incurred in most of the European continent. So I really need to find a good alternative to that.

Of course, there already is Revolut, which I spoke of before. This provides a bank account equivalent and a prepaid MasterCard that has no foreign transaction fees. Unfortunately this has a couple of limitations. The first is that this is a prepaid card, rather than a credit card. And this matters.

In particular, hotels and car rentals (though I don’t have a license, which means I don’t use the latter) generally require you to use a credit card, because they pre-authorize a higher amount of money than you’re meant to pay at the end. If you were to do that with Revolut, you’d end up with more money locked in for a number of days until the complete charge happens. Since at least in one case I had several hundred euro locked in a pre-authorization on a credit card for two weeks, it’s not the kind of experience I would like to repeat out of habit. Most hotels would allow you to provide a different credit card for deposit and payment, which would mean I could use a normal credit card at check-in time, and then just settle the account with Revolut, but you can imagine that this is not really very handy, particularly at busy hotels during conferences, or if I’m checking out in a hurry because I’m late for my flight.

So I started looking for various options of 0% foreign transaction fee cards, and I identified two cards in particular that fit my requirements, one from Barclays and one from NatWest. Both are premium cards that cost extra money, or require you to have a more expensive bank account, but a quick calculation shows me that I will probably make up the difference in price reasonably easily. And between the two, I focused on the NatWest, because it is part of the same group (RBS) as my current Irish bank, and I was hoping that they would make signing up for it easier.

I couldn’t have been more wrong. Even though I’m a customer of Private Banking at Ulster Bank (ROI), they couldn’t help me set up a UK account at all. It took them one full month to find the name of a colleague of theirs I could contact in London, who then pointed me at the Global Employees service that was supposed to help me. A month after that, I still have no bank account in London, because the process requires my employer to provide a document stating not only my transfer salary, but in no uncertain terms that the transfer will happen, and how much time I’m meant to spend in the UK.

This is clearly impossible. First of all, since my employer does not own me, I can always change my mind, and leave the company before my transfer finalizes, so they will never declare that there is no chance I would do that (despite the fact that I don’t want to do that and I want the transfer to go through). Secondly, nobody can tell how much time I’ll be spending in the UK. It may be that I’ll live there for the rest of my life, or it may be that I will leave before the two years from Article 50 terminate, because they would make my life impossible, or the crashed economy would make it infeasible for me to keep living in the country.

Both declarations are not really possible to provide, and the fact that the assigned contact has been contacting my HR department multiple times, even though they told her at least twice that I’m the only one who can request that information, has in the end ticked me off enough that I might try once to escalate this to a supervisor, but otherwise will just stop considering NatWest a feasible banking option, because the last thing I want to do is deal with drones.

Europe and USA: my personal market comparison

While I have already announced I’m moving to London, I don’t want to give the idea that I don’t trust Europe. One of my acquaintances, a eurosceptic, thought it was apt to congratulate me for dropping out of Europe when I announced my move, but that couldn’t be further from my intention. As I have said repeatedly now, my decision is all to be found in my lack of a social circle in Dublin, and the feelings of loneliness that really need to be taken care of.

Indeed, I’m more than a Europeist, I’m a Globalist, in so far as I don’t see any reason why we should have borders, or limitations on travel. So my hope is not just for Europe to become a bigger, more common block. Having run a business for a number of years in Italy, where business rules are overly complicated, and the tax system assumes that you’re a cheater by default, and fines you if you don’t invoice enough, I would have seriously loved the option to have a “European business” rather than an “Italian business”, since a good chunk of my customers were based outside of Italy anyway.

This concept of “European business”, unfortunately, does not exist. Even VAT handling in Europe is not unified, and even though we should have at least a common VAT ID registration, back when I set up my business it required an explicit registration at the Finance Ministry to be able to make use of the ID outside of Italy. At the time, at least, I think Spain also opted out of registering their VAT IDs on the European system by default. Indeed that was the reason why Amazon used to run separate processes for most European business customers, and for Italian and Spanish customers.

Speaking of Amazon, those of you reading me from outside Europe may be surprised to know that there is no such thing as “Amazon Europe” (heck, we don’t even have Amazon Ireland!), at least as a consumer website. Each country has its own Amazon website, with similar, but not identical listings, prices and “rules of engagement” (what can be shipped where and for which prices). For the customers this has quite a few detrimental effects: the prices may be lower on the store of a country they would not usually look at, or they may have to weigh the options based on price, shipping restrictions and shipping costs.

Since, as I said, there is no Amazon Ireland, living in Dublin also is an interesting exercise with Amazon: you may want to order things from Amazon UK, either because of language reasons, or simply because it requires a power plug and Ireland has the same British plug as the UK. And most of the shipping costs are lower, either by themselves, or because there are re-mailers from Northern Ireland to Dublin, if you are okay with waiting an extra day. But at the same time, you’re forced to pay in GBP rather than Euro (well, okay not forced, but at least strongly advised to — Amazon currency conversion has a significantly worse exchange rate than any of my cards, especially Revolut) and some of the sellers will actually refuse to send to Ireland, for no specific reason. Sometimes, you can actually buy the same device from Amazon Germany, which will then ship from a UK-based storehouse anyway, despite the item not being available to send to Ireland from Amazon UK. And sometimes Amazon Italy may be a good 15% cheaper (on a multiple-hundreds euro item) than Amazon UK.

So why does Amazon not run a global European website? Or why doesn’t a European-native alternative appear? It looks to me like the European Union and its various bodies and people keep hoping to find European-native alternatives to the big American names all the time, at least on paper, probably in the hope of not being tied to the destiny of America, whatever comes down in the future, particularly given how things have gone with the current politics on all sides. But in all their words, there does not appear to be any option of opening up opportunities for creating cross-Europe collaboration on corporations.

The current situation of the countries that make up Europe and the States that make up the USA, is that you are just not allowed to do certain types, or levels, of business in all the countries without registering and operating as a company in that country. That is the case for instance for phone operators, which get licenses per country, and so each operates independent units. This becomes sometimes ludicrous because you then have Vodafone providing services in about half of Europe, but with such independent units that their level of competence, for instance on security and privacy, is extremely variable. In particular it looks like Vodafone Italy still has not learnt how to set up HTTPS correctly: despite logging you in over a TLS-encrypted connection, it does not set the Secure flag on the session cookie, so a downgrade to plain HTTP is enough to steal authentication cookies. In 2017.
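To make that last point concrete, here is a small checker written for this edit (not code from Vodafone, from any bank, or from the original post) that parses Set-Cookie headers and reports the attributes a session cookie needs. The two headers are constructed samples; the cookie name and value are made up.

```python
"""Audit Set-Cookie headers for the attributes that protect a session cookie.

Added example. The sample headers below are constructed for illustration and
are not captured from any real operator.
"""

# Constructed samples: one cookie set the way the text describes (no Secure
# flag, so a downgrade to plain HTTP exposes it), one set correctly.
SAMPLE_HEADERS = {
    "weak": "session=9f8e7d6c; Path=/; Expires=Wed, 21 Oct 2017 07:28:00 GMT",
    "hardened": "session=9f8e7d6c; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header):
    """Return a list of findings; an empty list means the cookie is set safely."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie on http:// requests,
        # so an attacker who forces a plaintext request to the site reads it.
        findings.append(f"{name}: no Secure flag, sent over plain HTTP on downgrade")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: no SameSite=Lax/Strict, sent on cross-site requests")
    return findings


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_session_cookie(header) or "ok")
```

The check is deliberately limited to the three attributes that matter for a login cookie; Path and Expires are parsed but not judged, since they do not change who can read the cookie.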

If you remember, when I complained about the half-baked roaming directive results, I suggested that one of my favourite options would be to have a “European number”: just give me a special “country code” that can be replaced by any one member’s code, and the phone number is still valid, and appears local. This is important because, despite the roaming directive allowing me to keep my regular Irish (for now) SIM card on my phone while travelling to either the UK or Finland, it prevents me from getting a local phone number. And since signing up for some local services, including sometimes free WiFi hotspots from various cafes and establishments, relies on being able to receive a local SMS, it is sometimes more of a hindrance than a favour.

Both Revolut and Transferwise, as well as other similar “FinTech” companies, have started providing users with what they call “borderless” accounts: Euro, Sterling and Dollar accounts all in one system. Unfortunately this is only half of the battle. Revolut’s option of using a single balance that serves all the currencies on a single card is particularly welcome. But this only works to a point, because these accounts are “special”: in particular the Revolut Euro account is provided with a Lithuanian IBAN, but a UK BIC code, which makes a few systems that still expect both throw up. And this is not even going into how SEPA Direct Debit just does not work: my Italian services can only debit an Italian bank, my Irish services can only charge an Irish bank, and my one French service can only charge a French bank. Using credit cards via VISA has actually a better success rate for me, even though at least Vodafone Italy can only charge a specific one of my credit cards, rather than any of them. Oh yeah, and let’s not forget the fact that you just can’t get your salary paid into a non-Irish bank account in Ireland.

Banks in Europe end up operating as country-wide silos, to the point that even Ulster Bank Republic of Ireland cannot (at least, can no longer) provide me with an Ulster Bank Northern Ireland bank account — or to be precise, cannot act on my already-existing foreigner bank account that is open in Northern Ireland. And because of all these things happening, the moment I will actually move to London I’ll have to figure out how to get a proper account there. I’m having trouble right now opening an account there already not because I don’t have the local tax ID but because they need proof of employment from a UK company, while I’m still employed by the Irish company. Of the same multinational. Oh my.

You could say that banks and telcos are special cases. They are partial monopolies and there are good reasons why they should be administered on a country-by-country basis. But the reality is that in the United States, these things are mostly solved: plenty of telco stuff is still pretty much local, but that’s because of network access and antitrust requirements, as well as, to a point, the need to build and service local infrastructure (a solution to this is effectively splitting the operation of the telco from the provider of physical infrastructure, but that comes with its own problems). But at the very least, banking in the US is not something that people have to deal with when changing State, or having to work with companies of other states.

These silos are also visible to consumers in other forms, that may not be quite obvious. TV, movie and similar rights are also a problem the same way. Netflix for instance will only show a subset of the programming they have access to depending on the country you’re currently located in. This is because, except for the content they produce themselves, they have to acquire rights from different companies holding them in different countries, because different TV networks would already have secured rights and not want to let them broadcast in their place.

I brought up this part last, despite being probably the one most consumers know or even care about, because it shows the other problem that companies trying to build up support for Europe, or even to be started as Europe-native companies, have to deal with. TV networks are significantly more fragmented than in the USA. There is no HBO, despite Sky being present in a number of different countries. There is nothing akin to CNN. There are a number of 24-hours news channels that are reachable over more-or-less freeview means, but the truth is that if you want to watch TV in Europe, you need a local company to provide you with it. And the reason is not one that is easy to solve: different countries just speak different languages, sometimes more than once.

It’s not just a matter of providing a second channel in a different language: content needs to be translated, sometimes adapted. This is very clear in video games, where some countries (cough Germany cough) require cutting content explicitly, to avoid upsetting something or someone. Indeed, video games releases for many platforms, in the past at least including PC, but luckily it appears not the case nowadays, end up distributing games only in a subset of European languages at a time. Which is why I loathed playing Skyrim on the PlayStation 3, as the disk only includes Italian, French and German, but no English, which would be my default option (okay, nowadays I would probably play it in French to freshen up my understanding of it).

For American start-ups (but this is true also for open source projects, and authors of media such as books, TV series or movies) internationalization and localization are problems that can be easily shelved for the “after we’re famous” pile. First make the fame, or the money, then export and care about other languages. In Europe that cannot possibly be the case. Even for English, which in the computer world is still, for now, the lingua franca (pun intended), I wouldn’t expect there would be a majority of users happy to use non-localized software, particularly when you consider as part of that localization the differences in date handling. I mean, I started using “English (UK)” rather than the default American for my Google account years ago because I wanted a sane date format in Gmail!

All of this makes the fragmented European market harder for most projects, companies, and even ideas to move as fast as the American or (I presume, but have not enough detail about it) the Chinese market, in which a much wider audience can be gained without spending so much effort to deal with cross-border bureaucracy and cross-culture porting. But let me be clear, I do not think that the solution is to normalize Europe onto a single language. We can’t even do that for countries, and I don’t think it would be fair to anyone to even consider this. What we need is to remove as many other roadblocks as it’s feasible to remove, and then try to come up with an easier way to fund translation and localization processes, or an easier way to access rights at a Union level rather than on a country-by-country basis.

Unfortunately, I do not expect that this is going to happen in my lifetime. I still wish we’ll end up with a United Federation of Planets, at the end of the day, though.

Musings on bank security: part 1, authentication for account access

A couple of months ago I promised a post on bank security. The topic is not an easy one to write about, as I would not say I have the chops to talk about it. After all I have never worked at a bank, and unlike Andrea I have not spent years researching into payment processing security.

I am, though, confident enough to write about some of the user side security implementations (and blunders) of banks, for the simple fact that I have had more interaction, than the average person, with multiple banks in different countries. I can thus compare notes about these different banks and countries, so I can point out what is good and what is mental in their implementations, as I see it.

If you are looking for more in-depth security analysis, such as Point-of-Sale security or Chip-and-PIN analysis, I would suggest you look up talks of people like Andrea Barisani, linked earlier, or Krebs on Security, who should probably write an ATM skimmer guide, companion to Spam Nation. Both of them spent real time digging into the inner workings of banks, which I haven’t done.

In my discussion of security features, I’ll be accepting as valid the research on security questions, published earlier this year by Google. Not only do I find the results pretty consistent with my personal experience (even though this could be counted as confirmation bias), but once again I accept the results and information coming from people who have had more time, and more data, to think about the problem.

The objective of this blog is to discuss which security features are in use by banks to protect customers, and whether these features work towards or against that goal, but before I dig into the nitty gritty details, I think it’s important to define what these security features are meant to protect in the first place. It might sound obvious, but talking about this with different people showed it not to be the case.

The obvious part is that you don’t want a random attacker to gain access to your bank account and transfer your money to their account. This is the very minimal protection you expect from your bank. You also don’t want people to know how much money you have, or where you spend it — leaving aside the favourite talking points of privacy advocates on the matter, knowing this kind of information is a treasure trove for blackmail.

There are many more pieces of information that should stay private, and often are not. Most people (but of course, not everybody) know to keep the number of their credit/debit card safe. What is not that obvious is that your IBAN (and BIC) should be kept secret, too; for my readers in the United States, these vaguely correspond to account numbers and ABA routing numbers. People are used to seeing IBANs for various companies and utilities displayed on websites or invoices, explicitly so you can make payments to them, but that does not mean personal accounts should be advertised the same way. Jeremy Clarkson fell for it, too: he assumed that having someone’s IBAN, Sort Code (which is actually already part of a UK IBAN, but let’s move on) and registered address would at most let people send money to him.

What he found out is that, in addition to sending money to him, someone could set up a direct debit against his account. In this case, the “prankster” decided to set up a £500 direct debit, if my memory does not betray me, towards Diabetes UK. And he probably didn’t even notice that until he went to check his statement. On the other hand, if you think of doing the same to a person on a regular income, you can easily cause them trouble. This is a kind of attack I like to call Denial-of-Cash: it is a similar attack to a Denial-of-Service — it does not gain the attacker anything directly, but it’s a common tactic to set up blackmailing, or just to cause (big) inconvenience to a target. Protecting against Denial-of-Cash is in my opinion just as important as protecting against blatant theft.

As I’ll show later, most banks have proper protection in place against theft, but Denial-of-Cash is a different story. Usually there is tight security against transferring money to a new account, but transfers to a known account require minimal or no security. An attacker may not be able to take the money from the victim, but they may still be able to remove economic means from the victim, at least for a while. I say this because I’d expect most of the frequent payees would allow you to get your money back at some point, even if they are utility companies rather than family members.

You could think that nobody would have time to waste on this kind of attack, since it still requires going after access to a bank account. But then I would point out that the Internet is full of people spending time, and money, to achieve what is at best nuisance and at worst terror: (D)DoS, SWATing and doxxing. Given how much time people have to spend going after public figures they don’t like, this kind of attack is far from unlikely.

Now, before I start talking about the actual security features, I should provide the list of banks I’m going to talk about. These are going to be split across four different countries: Italy, USA, Ireland and (in a very small way) UK — these being the countries I spent considerable amount of time living in, or having contact with.

My longest-serving bank is my Italian one, as I’ve been a customer of UniCredit Banca for well over ten years; you may know this bank from some of their branches in other European countries, including many in the former Eastern bloc. I doubt it shares infrastructure or security features between these branches though.

In Ireland, where I currently live, I have tried three different banks: AIB, KBC Ireland – a Belgian bank, although I’m not sure if it shares anything with their main branch – and Ulster Bank. The latter is part of RBS Group, and so is my only UK bank – Ulster Bank, Northern Ireland – and I know for sure they do share lots, if not all, the systems between them.

To complete the picture, in the United States I have and use a Chase account. I also used to have the City National Bank account, a smaller Californian bank, from when I lived in Los Angeles, but I have no idea what their systems look like at all now, so I’d rather not talk about them.

In addition to the banks themselves, I can provide some comparison with other financial services: Charles Schwab (a stock broker), Transferwise (a service that allows you to transfer money across currencies at acceptable rates and fees) and PayPal. I should probably count Tesco Ireland as well, since they are my credit card provider, but I’ll just add a note later about that.

Also, before I continue, I would point out that this is already making me uneasy. My paranoia would push me to hide where my money actually is. I will continue, though, under the assumption that anything that happens would be proving my point, and I hope I have enough redundancies, so that a Denial-of-Cash attack would not really be feasible. I will also point out that my birthdate is not strictly a secret, also my mother’s maiden name is not very well known and that’s going to stay that way — it is obvious to the people who know me in person from Italy, but other than that there is no online connection between me and my mother. This should appear obviously relevant pretty soon.

Let’s start with accessing the websites of the banks. All six banks have an online banking system: this is actually a requirement for me, especially as I’m traveling for a good part of the year, and for most of them I don’t even live in the country the bank is in. With the exception of Chase, the other banks provided me a numeric-only user ID.

For both KBC and Ulster Bank, the user ID was formed by my birthdate followed by four allegedly random digits; but in the particular case of Ulster Bank, you can lie on your date of birth at registration time, as I found out by making a mistake.

Chase is the only bank that let me choose my own username; they insisted on an alphanumeric one, so it’s not my usual one either. Transferwise and PayPal, as they are essentially “born on the Internet”, use email addresses as identifiers, which I like, since it’s one fewer parameter to commit to memory, but is obviously not secret. Charles Schwab generates usernames based on names.

The situation with passwords is more interesting. The Internet companies are the ones that act the most natural by allowing a single password, with all kind of characters and a fairly high length limit. Chase is the second most sane by allowing me to select my password, although it is case-insensitive – and I’m not sure if they use a hashing that normalizes the case, do a case normalization on the client side, or if they store passwords unencrypted, I hope for one of the first two.

Ulster Bank comes third by allowing me to choose both my password (long, alphanumeric, case sensitive) and a numeric-only PIN, but then they mess it up by doing something crazy. Then it’s followed by Charles Schwab (8-characters alphanumeric password), UniCredit (8-digits numeric-only PIN) and AIB (5-digits numeric-only PIN, and the same craziness as Ulster Bank). KBC is not in the list by not having a password and doing something slightly more insane, which I’ll get to later.

What Ulster Bank and AIB both do, which I find crazy, is asking you to provide them with only parts of your password and/or PIN. For example, they may ask you the 1st, the 6th and the 13th characters of the password — in the case of Ulster Bank they ask three out of four digits of your PIN, and three out of at most 20 characters of your password, together, to log into their Anytime Banking website.

This is not a completely mindless choice: it finds its reasoning in dealing with phishing attacks — if you know your bank will never ask you for the full password, the attacker can only hope to get parts of it, and it’s then unlikely they’ll be able to enter your online banking, as they’d have to be asked exactly those characters they just phished out of you.

Unfortunately this improves security only in theory. In practice it makes it worse. The first problem is that lots of people will not consider “my bank will never ask me the full password” as an absolute truth, and because of that, phishers can still just ask for the full password and be done with it. The second problem is that it requires people to come up with passwords that are not only memorable (and those are bad passwords), but also easy to count into, for example by joining together very short words, or other similar mnemonic tricks. The third problem, which honestly bothers me the most, is that this stops me from using a password manager like LastPass to auto-fill the password for me. See also this Wired article that was published while this blog post was still in draft.

As for the phishing this technique is supposed to prevent, I’m sceptical. The base idea is that a phishing attempt would only easily get three characters from the password by phishing the form, and thus it would require an incredible luck for them to be asked exactly those three characters. I can find multiple ways to invalidate this precondition, take for example the 5-digits PIN of AIB, the phishers only have to tell the user that they were mistaken in one of the digits and then ask for new challenge, asking the two missing ones.
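To put numbers on that argument, here is a simulation I wrote for this edit (not the author’s code, nor anything from AIB, Ulster Bank or any other bank) of the partial-password scheme as the post describes it: a secret of n characters, a challenge that asks for k of its positions, and a phisher who shows the victim repeated fake challenges (the “you mistyped one digit, try again” trick) to collect more positions. It generalises from the 3-of-5 AIB PIN and the 3-of-4 PIN plus 3-of-20 password pair at Ulster Bank to any n and k. The assumption that each challenge picks k distinct positions uniformly at random is mine, not stated by either bank.

```python
"""Model a partial-password challenge and the repeated-phishing attack on it.

Added example. The bank asks for k of the n secret characters per login; the
attacker shows the victim fake challenges until enough positions are known.
Assumption: every challenge picks k distinct positions uniformly at random.
"""
from fractions import Fraction
from math import comb
import random


def challenge(n, k, rng=None):
    """One challenge: k distinct 0-based positions out of n (e.g. '1st, 6th, 13th')."""
    rng = rng or random.Random()
    return frozenset(rng.sample(range(n), k))


def phish_positions(n, k, rounds, rng=None):
    """Positions learnt by a phisher who replays 'you mistyped, try again' `rounds` times."""
    rng = rng or random.Random()
    known = set()
    for _ in range(rounds):
        known |= challenge(n, k, rng)
    return known


def login_success_probability(n, k, known_count):
    """Exact chance that the bank's next real challenge asks only positions the
    attacker already knows: C(known, k) / C(n, k).  Zero if fewer than k known."""
    return Fraction(comb(known_count, k), comb(n, k))


def rounds_until_full_secret(n, k, rng=None):
    """How many fake challenges the attacker needs before every position is known."""
    rng = rng or random.Random()
    known, rounds = set(), 0
    while len(known) < n:
        known |= challenge(n, k, rng)
        rounds += 1
    return rounds


def mean_rounds_until_full_secret(n, k, trials=5000, seed=1):
    """Monte Carlo estimate of the expected number of fake challenges."""
    rng = random.Random(seed)
    return sum(rounds_until_full_secret(n, k, rng) for _ in range(trials)) / trials


def two_secret_success(known_pin, known_pw, pin_len=4, pw_len=20, k=3):
    """Ulster Bank style login: a PIN challenge and a password challenge must
    both be covered, so the probabilities multiply."""
    return (login_success_probability(pin_len, k, known_pin)
            * login_success_probability(pw_len, k, known_pw))


if __name__ == "__main__":
    # One phished challenge reveals 3 positions; what does that buy the attacker?
    print("AIB 3-of-5 PIN, 1 phish :", login_success_probability(5, 3, 3))
    print("Ulster 3-of-4 + 3-of-20 :", two_secret_success(3, 3))
    # ...and how many 'try again' prompts until the whole secret is known?
    print("AIB, mean rounds to full PIN:", mean_rounds_until_full_secret(5, 3))
    print("Ulster, mean rounds to full password:", mean_rounds_until_full_secret(20, 3))
```

The 1/10 figure for the 5-digit PIN after a single phished challenge is the “incredible luck” case the scheme relies on; the simulation shows that the luck is not needed, because a phishing page that simply asks three or four times collects the whole PIN on average within about three prompts.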

But even more importantly, there are more sophisticated phishing attempts — say that you are going through a malevolent VPN or proxy, the attacker can implement a pass-through to your bank and still let you access all its functions — I’ve seen the proof of concept for similar sites, and heard colleagues in IT security talking about similar phishing attempts. In this case the attacker only needs to make sure to not close your session when you’re done, and just before the session gets interrupted by your bank, take control of it. Most people wouldn’t notice the added latency, and not everybody figures out something is wrong if the full name of the bank is missing on the location bar.

These requirements thus do nearly nothing to stop cybercriminals, but they weaken both the password quality and the password management, the worst of both worlds. My suggestion, based on both experience and the research brought by other groups and experts, is to allow people to set their passwords, at least alphanumeric ones (allowing symbols is good, requiring them not so much), and stop using PINs. Phishing will happen anyway; make it harder for criminals to gain access to accounts by guessing numeric 6- or 8-digit passwords, which most likely end up as dates, either the date of birth of the owner, or of friends and family, or simply important dates in their life.

When I started this discussion I explicitly left KBC alone; the reason for this is that they don’t use passwords, and instead rely on their mobile application for authentication — and this is going to be the next topic of discussion for all the banks. To login on the KBC online banking from your computer you need first to have the mobile app configured, and log into that one. Then you can use their one-time PIN generator to use for login, together with the user ID that the bank gave you.

It may sound at first like a good idea, but it requires you not to lose access to your mobile phone, if you want to access your bank for any reason. The easy case is if your phone crashes, or breaks, and you have to reset/replace it, in which case you just need to get another SMS on the registered phone to set up a new copy of the application (but it does not help if you’re traveling and the phone number is not actually available.) Worse, if you get your phone stolen, you now will have to first wait for a new SIM to take control of the phone number before you can gain access to your bank account.

At this point I think it makes sense to point out that there are two “schools” in dealing with mobile banking applications: AIB, Ulster Bank, and Chase allow you to install many copies of the app on different devices, so you can always have one at hand set up to access your account. On the other hand, KBC and UniCredit only allow you to set up the application on one device, and if you need to install it on a different one you have to deauthorize the one already installed.

The best, in my opinion, mobile app is the one from Chase: you simply install it and then login with the same credentials as the online banking website. It’ll ask you the password every time, but it does work fine with LastPass, and you can switch accounts as needed, which I find great.

All the other banks require setting up the application for one account only. I hope this is because they generate client-side secure credentials, but I’m too scared to actually try to figure out what the apps are doing. Nonetheless, it means that to set up the application you need access to the registered phone number. Luckily, none of them require reading the SMS out of the device store, which means you can use them on phone-like devices that can’t receive SMS, or even on a device that is not configured for the given phone number.

This becomes important when you have bank accounts spanning different countries (four in my case, but only three need a local phone number); to solve this problem, I ended up buying a Nokia 130 featurephone which is dual-SIM, and allows me access to my 3 UK and Wind Italy phone numbers — if I had kept my number on 3 Italy I would have had a three-of-a-kind! This by the way works out fine unless I’m physically in the UK, as then the 3 UK can’t connect, as the phone is not 3G.

If the user is tied to the device, for most banks, what password you use with it is quite different. As I said, Chase lets you login with the same credentials as the online banking, which makes it the most sane solution. AIB also follows the same setting as the website, and it allows you to login with the same three out of five digits of the PIN. UniCredit, while forcing you to register your account number with the application at setup time, also uses the same PIN you use on the website (with no support for LastPass filling the form, but at least allowing you to paste the password copied from it).

Ulster Bank and KBC instead ignore your online banking password (or, precisely, in the case of KBC there is none to begin with), and instead ask you quite explicitly for a PIN (digits only) that is tied to the device itself. I would hope that this is actually used to encrypt the client side certificate, but I’m not sure if I want to verify my hopes.

The problem with mobile PINs is, once again, that it’s one more separate piece of authentication to remember. And with the exception of Chase and UniCredit, as I pointed out, none of them allow you to use LastPass to store the involved PIN. The end result is that people either re-use another set of numbers, like their birthdate, or someone else’s, or even re-use the PIN of the device if there is one at all; and since figuring out the PIN based on the oily pattern on the screen is far from impossible, you have just given up access to your bank account details.

Let me make something clear here: if you think that the people around you are all your friends, then you’re mistaken. I would love to live in the world you’re thinking of but I don’t. There are bastards around you just as much as there are great people, and the people you list as “friends” on Facebook are often not. Not only my birthday is not a secret, nor should my sister’s or my mother’s or whatever else. Facebook makes it easy to declare important dates for you — if something is an important date never use it as your PIN! I guess I could write a post about the dangers of 8-digits PINs.

I think this is going to be already quite the post, so I’ll follow up with the rest of my musings on bank security in a separate post.

LastPass got hacked, I’m still okay with it

So LastPass was compromised and so they report. I’m sure there are plenty of smug geeks out there, happy about users being compromised. I thought that this is the right time to remind people why I’m a LastPass user and will stay a LastPass user even after this.

The first part is a matter of trust in the technology. If I did not trust LastPass enough to not have easy access to the decrypted content, I wouldn’t be using it to begin with. Since I do not trust the LastPass operators, even in the case the encrypted vault was compromised (and they say it wasn’t), I wouldn’t be worrying too much.

On the other hand I followed the obvious course of changing not only the master password, but also the important passwords, just to be paranoid. This is actually one good side of LastPass: changing the passwords that are really important is very easy as they instrument the browser, so Facebook, Twitter, Amazon, PayPal, … are one click away from a new, strong password.

Once again, the main reason why I suggest tools such as LastPass (and I like LastPass, but that’s just preference) is that they are easy to use, and easy to use means people will use them. Making tools that are perfectly secure in theory but very hard to use just means people will not use them, full stop. A client-side certificate is much more secure than a password, but at the same time procuring one and using it properly is non-trivial so in my experience only a handful of services use that — I know of a couple of banks in Italy, and of course StartSSL and similar providers.

The problem with offline services is that, for the most part, they don’t allow good access from phones, for instance. So you end up choosing, for things you use often from the phone, memorable passwords. But memorable passwords are usually fairly easy to crack, unless you use known methods and long passwords — although at least it’s not the case, like I read on Arse^H recently, that since we know the md5 hash for “mom”, any password with that string anywhere is weakened.

Let’s take an example away from the password vaults. In Ireland (and I assume the UK, simply because the local systems are essentially the same in many aspects), banks have this bollocks idea that it is more secure to ask for some of the characters of a password rather than the full password. I think this is a remnant of old bank teller protocols, as I remember reading about that in The Art of Deception (good read, by the way.)

While in theory picking a random part of the password means a phishing attempt would never get the full password, and thus won’t be able to access the bank’s website unless they are very lucky and get exactly the same three indexes over and over, it is a frustrating experience.

My first bank, AIB, used a five-digit PIN, and then asked for three digits out of it when I logged in, which is not really too difficult to memorize. On the other hand, on their mobile app they decided that the right way to enter the numbers is by using drop-down boxes (sigh.) My current bank, Ulster Bank/RBS, uses a four-digit PIN, plus a variable length password, which I generated through LastPass as 20 characters, before realizing how bad that is, because it means I now get asked three random digits out of the four… and three random characters out of the 20.

Let that sink in a moment: they’ll ask me for the second, fifth and sixteenth character of a twenty-character randomly generated password. So no auto-fill, no copy-paste, no password manager assisted login. Of course most people here would just not bother and go with a simple password they can remember. Probably made of multiple words of the same length (four letters? five?) so that it becomes easy to count which one is the first character of the fourth word (sixteenth character of the password.) Is it any more secure?
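The partial-password scheme described in the last few paragraphs, as an added example that is not code from the original post or from any of the banks mentioned: a small Python model of the server picking positions, the client answering, the server verifying, and the numbers behind the “very lucky, same three indexes again” remark. The secret used in the demo is a constructed string, not a real credential; the function names are my own.

```python
import hmac
import secrets
from math import comb


def issue_challenge(secret_len: int, k: int) -> tuple[int, ...]:
    """Server side: choose k distinct 1-based positions of the stored secret.

    Positions are drawn with a CSPRNG so an observer cannot predict which
    indexes the next login will ask for.
    """
    if not 0 < k <= secret_len:
        raise ValueError("k must be between 1 and the secret length")
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, secret_len + 1), k)))


def answer_challenge(secret: str, positions: tuple[int, ...]) -> str:
    """Client side: the characters at the requested positions, in order."""
    return "".join(secret[p - 1] for p in positions)


def verify(stored_secret: str, positions: tuple[int, ...], answer: str) -> bool:
    """Server side check, in constant time.

    The cost of the scheme shows up here: the server must keep the full
    secret in a recoverable form (plaintext in this demo), because it has
    to compare arbitrary individual characters, so a one-way hash of the
    whole password cannot be used.
    """
    expected = answer_challenge(stored_secret, positions)
    return hmac.compare_digest(expected.encode("utf-8"), answer.encode("utf-8"))


def distinct_challenges(secret_len: int, k: int) -> int:
    """Number of different index sets the server can ask for."""
    return comb(secret_len, k)


def replay_success_probability(secret_len: int, k: int) -> float:
    """Chance that one previously observed answer is exactly what the next
    login asks for, i.e. the server happens to draw the same positions.

    This is what limits the damage of a single phished login: the captured
    characters only work again if the same index set comes up.
    """
    return 1 / comb(secret_len, k)


def scheme_summary() -> dict[str, tuple[int, float]]:
    """The three set-ups from the post: (distinct challenges, replay probability)."""
    return {
        "3 of a 5-digit PIN": (distinct_challenges(5, 3), replay_success_probability(5, 3)),
        "3 of a 4-digit PIN": (distinct_challenges(4, 3), replay_success_probability(4, 3)),
        "3 of a 20-character password": (
            distinct_challenges(20, 3),
            replay_success_probability(20, 3),
        ),
    }


if __name__ == "__main__":
    # Constructed demo secret (not a real credential): 20 distinct characters,
    # so it is obvious which positions were requested.
    demo_secret = "abcdefghijklmnopqrst"
    positions = issue_challenge(len(demo_secret), 3)
    answer = answer_challenge(demo_secret, positions)
    print("challenge:", positions, "answer:", answer,
          "ok:", verify(demo_secret, positions, answer))
    for name, (n, p) in scheme_summary().items():
        print(f"{name}: {n} possible challenges, one captured answer works 1 in {n} ({p:.2%})")
```

The numbers make the trade-off concrete: three out of a four-digit PIN gives only four possible challenges, so a single observed login answers the next one a quarter of the time, while three out of twenty characters gives 1140. That protection is what the bank buys by making the 20-character password unusable with a password manager, and by having to store the password in recoverable form.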

I think I’ll write a separate blog post about banks apps and website security mis-practices because it’s going to be a long topic and one I want to write down properly so I can forward it to my bank contacts, even though it won’t help with anything.

Once again, my opinion is that any time you make security a complicated feature, you’re actually worsening the practical security, even if your ideas are supposed to improve the theoretical one. And that includes insisting on the perfect solution for password storage.

My approach to paranoia: electronic bills

One thing that I’ve been told about my previous post is that I sounded paranoid. I may be, but in my book I’m not as paranoid as the kind of people who fear the NSA.

We have plenty of content out there (I would venture a guess that most of it is on reddit, but don’t take my word for it) where paranoids describe all kinds of shenanigans they go through to avoid “The Man”. I thought I may as well put out there what I do in my “paranoia”, and I’ll start with my first tenet: email is safer than snail mail.

We all know the Snowden revelations made people fret to find new email protocols and all that kind of stuff. But my point of view is that if someone wants to steal my mail (for whatever reason), they only have to force the very simple lock of my mailbox, or use some tool to take the envelopes out through the same opening that is used to put content in.

This might not be so obvious to my American readers, as I found out recently that the way USPS’s monopoly on mail delivery is enforced is by not letting anybody but the postman put stuff in your mailbox. Although I’m pretty sure that you can find black market keys for it. In Europe at least, mailboxes are not restricted to the postmen, and anybody can put envelopes in. In Italy in particular, TNT (the Dutch company) for a while ran a delivery service for mail, rather than packages. My bank, my mobile phone provider and I (to send mail to customers) all used it because of the higher reliability.

So in this vein, I favour any kind of electronic communication over a paper trail. This is not difficult in most countries right now; in particular in Italy it started more than five years ago with my landline and ADSL provider: not only did they allow me to receive their bills by email rather than snail mail, but they waived a €1.5/bill fee for delivery. Incidentally, this only worked if you had direct debit enabled, which I did because the bills kept arriving late, after the due date had passed, and we kept paying fines for that. As of today, the only bill that still arrives in the snail mail to my mother in Italy is the gas bill, and that’s only because we don’t use a city gas feed. This is especially handy as I’m the one paying said bills, and I’m no longer in Italy.

In Ireland, things are mostly okay, but not perfect: both my previous and current electricity and gas providers allow electronic bills, but the new one only allowed me to opt in after I received the first two bills. Banks are strange — my first bank in Ireland was fully electronic, with the exception of inbound wires (which were pretty common for me due to Autotools Mythbuster and expense reimbursement for work travel); my current bank sends me the quarterly statements by mail, even though I have access to them on their website, but they do seem to have some problem with consistency and reliability. My Tesco VISA unfortunately does mail me the monthly statement by post, as they don’t have an online banking site for Irish customers (they do for British ones, but let’s not go there.) My American bank is totally paperless (which is very good for me, as I need to have my US mail forwarded), to the point that when I received rebate checks, I only needed my mobile phone to deposit them.

But there is a much more important piece of paper that I kept receiving after I moved to Dublin: my payslip. It’s probably not obvious to everybody, but this is my first “proper” employment. Before I had contracts, and freelanced, and had my own “company”, so I would send and receive invoices, but I never received a payslip before joining the company I work for now. And for a few long months I would receive the paper copy of it in my mailbox at the end of the month. I don’t think there is much that is more private than your salary, so this was bothering me for a while — luckily we have now moved to an external online provider, so no more paper trail for this.

The question becomes how to handle the paper that you do receive. I already wrote a long time ago about my dream of a paperless office, and I have bought a professional EPSON scanner, as having your own company generates a huge amount of paper. While I don’t use it with the same workflow as I had before, I still scan all the paper I receive in the mail, and then destroy it fully.

In Italy I had a shredder: I would shred any paper at all, whether it contained personal information or not; my point is that even if someone was dumpster diving into my personal shredded paper, they would end up finding the most recent promotional spam from TeamViewer or MediaMarkt. There are nasty problems with having a shredder: it’s extremely noisy, it creates tons of dust, and you have to clean it manually which takes a lot of time. You have no idea how bad my home office was after I finished running the whole set of historical documents of the family!

Here I got lucky: instead of dealing with a home shredder, my office uses a shredding company’s services, so I just need to bring the papers with me and throw them in the dedicated bins. This makes it much simpler to deal with the trickling paper trail of mail (and boarding passes, and so on…).

I have multiple copies of all the scanned PDF documents: Google Drive, Dropbox and an encrypted USB flash stick, to keep them safe. So unless the interested attacker gets access to my personal accounts, there is no way to access that information.

Debit and credit cards in the USA

Photo credit: Sean MacEntee (“Credit Cards”)

I know it’s a long time ago now, maybe a year or two, but I still remember clearly that after one of the many card data breaches in the US – maybe Target’s – I ended up exchanging comments with some Americans on the difference between debit cards and credit cards. Turns out that for people who never had to face that choice before, it’s not obvious why anybody would pay with a debit card at a store such as Target, rather than a credit one. So it might be worth writing it here, given that I talked about credit cards before. But be warned that this is pretty much limited to the United States, so if you’re not interested, feel free to skip.

So first of all, what’s the ruckus about credit versus debit? The main difference between the two, from a user’s point of view, is the protection: in the case of fraudulent transactions on a credit card, most issuers will revert the charge and block the card without costing money to the consumer — who’s going to eat that loss depends on a number of different factors including, as of recently, whether the bank issued an EMV card, and whether the point-of-sale used the chip to execute the transaction. On the other hand, fraudulent charges on a debit card are usually a loss for the cardholder.

So generally speaking, if you have a choice, you should pay with a credit card. Which is generally not what vendors want, as they would prefer you pay with a debit card (it costs them less in fees). As much as I feel for the vendors – I had my own company, remember? – the inherent risk of breaches and the amount of PoS malware makes it sadly a consumer protection choice.

But the relative ease of getting debit and credit cards is also a factor. Getting a debit card is trivial: you walk into a branch, ask them to open a new account, give them enough information about yourself, and they will mail you a debit card. They won’t look into your financial data – including your credit score – because they are not giving you credit, they are just giving you a means to access the funds you deposited at their bank.

This, among other things, means that you can get a card number in the US without being a resident: if you’re a non-resident in the US, but you have a permanent address of some kind, such as an office or a friend’s, you can just enter a branch and open an account with a US bank. They’ll need your documents (passport, and another credit/debit card with your name, or another non-photo ID), and a proof of address in your country of residence, but otherwise it’s usually a quite pleasant experience.

To provide more information on the topic: since you’re not a resident and you’re not working illegally in the US, you’re not receiving a fixed paycheck on your US account, which means that most fee-waiving programs that count on you receiving a given direct credit per month won’t apply to you. Instead you should look into fee-waiving by the deposited amount — Bank of the West has a minimum deposit of $1000, which is the lowest I have seen, but when I asked them they tried to send me from Sunnyvale to San Francisco to open an account; the Chase next door was happy to have me as a client, even though their minimum deposit is $1500.

If you plan on transferring money often between the two accounts, you probably want to use a service like Transferwise, which converts currencies and transfers funds between USD, EUR, GBP and other currencies at a much cheaper rate than most banks, and definitely much cheaper than the banks that I have.

But things get complicated if you want a credit card, even more so if you want a rewards credit card, such as Amazon’s, or any airline or hotel chain’s — which generally wouldn’t be very useful to foreigners, as most countries with the exception of Ireland have some card that you can get, American Express being the worst case.

To get the most common credit cards in the US you need to be in the credit system somehow; you probably want to have some credit history and a rating too. If you’re resident in the US, they will look you up through the Social Security Number (SSN), but it’s more complicated for non-residents (unless they were at some point residents, of course).

In either case, the simplest form of credit card you can request is a secured credit card — which is essentially a glorified debit card: you pay the bank an amount, and they then make that amount available to you as a credit line. The main difference between this and a debit card is that it does have the protections of a credit card. It also allows you to build up a credit score, which is why it’s usually the choice of card for immigrants and young people who don’t have a history at all. They generally don’t come with any kind of rewards system.

Immigrants here include techies, by the way. Even when working for big companies in the Silicon Valley, the lack of a credit history means you have to build it up from scratch. I know some of my American acquaintances were surprised that it’s not as easy as showing your employment information to get credit.

Not all banks provide secured credit cards though. In particular when I asked Chase just the other day, they told me to try with the nearby US Bank or Wells Fargo – both walking distance – and I seem to recall that Bank of America does it as well. The idea is that you’ll use a secured card for at least a year to build up positive history, and then get a proper, better credit card after that. And that’s why you need an SSN to correlate them.

What I said up to now would imply that you have no option to get a credit card if you, like me, are just a visitor who happens to be in the States every few months. That is not strictly true: the requirement for the SSN is a requirement for an identifier that can be reported across multiple banks and with the IRS; there is another identifier you can use for that, and it’s the ITIN. This non-resident identification number has some requirements attached, and it’s not exactly trivial to get — I unfortunately have no experience of getting one to retell yet. It is usually assigned by filing a US tax return, which is not something you want (or need) to do if you’re a foreigner. Especially because it usually requires a good reason, such as having an ebook published and having Amazon withhold 30% of the royalties for US taxes, when a treaty exists between the US and your country of residence.

I do indeed plan to look into how to declare my royalties properly next year to Ireland, and file a US tax return to get the (cents) back — if nothing else to request an ITIN, and with it a rewards credit card. After all, a lot of the money I spend ends up being spent in the US, so why not?

Well, to be honest there are a bunch of reasons why not. You risk getting audited by either or both of your country of residence and the USA — and for the USA there is no way to escape the IRS, or they wouldn’t consider only two things certain. You have paperwork to file, again for both countries, which might be unwieldy or complex (I have yet to look at the paperwork to file with the Irish authorities; they are usually straightforward). And you end up on the currency market; right now between EUR and USD it’s pretty stable and doable, but if you don’t keep an eye out it’s easy to screw it up and end up wasting money just on the exchange. So it’s still an investment in time.

Myself, I still think it’s likely it’s going to be a good idea to try to get an ITIN and a proper credit card, since I come to the States every few months between conferences and work travel. But I won’t make any suggestions to anybody else. Your money, your choice.