26 Aug. 2007

Too Many Numbers!


"Do not keep the card's secret number (PIN) on your person, in your wallet, or anywhere else."


"Please memorize the enclosed secret number and then destroy this slip, so that others cannot get hold of this information."




These are very everyday exhortations, one from an article about debit and credit cards in the consumer section of the newspaper, and one from the instructions which came with a new credit card I just got.


But both quotes are also examples of how what we think of as progress in electronic commerce has created unreasonable demands on consumers -- in Iceland and all over the world.



Just one more PIN

Fifteen or twenty years ago, most people had just one or two bank cards. The Internet had not begun to influence everyday life.  When your bank asked you to commit a four-digit number to memory in order to get access to your account by phone or at a bank machine, it was not that hard to do.


When your pension fund, or your Internet provider, or the automobile club, or the newspaper you subscribed to asked you to remember a four-digit number for them too, that was fine. It just meant remembering one more number. One more number didn't seem like so much of an extra burden.


But by now, if you are like me, you have probably amassed dozens of such numbers. And here's the catch: you are theoretically supposed to remember each of these numbers and avoid writing them down.


These numbers often come in pairs. There is a personal identifier or user name, which might be your account number, e-mail address, or (in Iceland) your kennitala, and which usually doesn't have to be kept secret. Then there is an "authenticator," which might be called your password, personal code, or PIN number, and which is normally supposed to be kept secret.



Too much to memorize

I now have far more usernames and passwords than I could possibly memorize. I have had to start keeping them, as scholars of usability would put it, "in the world" instead of "in my head."


For me, this means that I have put all my personal identifiers and authenticators into a computer file that I print out from time to time and keep with me in a folder I carry in my backpack. I try, as much as possible, to list the authenticators in a sort of code, which I do still need to memorize, so that if the piece of paper were found, no one would be able to decipher my passwords without knowing the code.  Unfortunately, I can't apply my code to all my authenticators and sometimes I have to list them raw.


I just took a look at my cheat sheet, and here's a partial list of the numbers I have on it: My passport number and expiration date. My Icelandic kennitala and my American Social Security number. The usernames and passwords to my several e-mail accounts. The administrative passwords for my computers. Several online forum userids and passwords. The passwords for managing my web site and domain name. The PIN number for my Icelandic library card. My account information for various web-based businesses and services (such as telephone subscriptions, Amazon, Skype, Ebay, Deutsche Bahn, Íslendingabók). Alumni website IDs and passwords for my high school and university. My Icelandic online tax return password. Account numbers and IDs and passwords for six bank accounts plus two credit cards plus PayPal plus the two Icelandic pension funds that I have contributed to. A number of work-related passwords for computers and computer systems. All the account information for the building association I am the head of. Eleven frequent flyer account numbers plus IDs and passwords. Three building security system codes.


If, as I suspect, I am not alone in having lost my ability to cope with all my numbers, this means that it is almost impossible in practice for the public to comply with the terms of customer agreements which require that authentication numbers be kept secret. That also means that any terms or conditions with statements such as “consumers are responsible for any transactions where correct PIN numbers are entered” are effectively absolving institutions of their responsibilities to use consumers' memory power sparingly. As a conscientious consumer, I would like to be able to refuse to agree to such terms, but as long as I act alone, I would only be hurting myself by doing so.



The consumer burden

Code overload is a so-called "tragedy of the commons," in which the way that banks and other institutions try to overuse their customers' memories is like the way that jointly held pastureland tends to be overgrazed by the farmers who have access to it. Anyone who asks you to commit a number to memory is, in effect, free-riding on your brain. The elderly, whose memories are worse than average, surely come off worst in this game.


Some people try to simplify their lives by reusing the same authenticator over and over. Unfortunately, each institution sets constraints on the form of its computer system's authenticators, and these constraints are not standardized. If you try to use the same ten-character password everywhere, this may backfire if you encounter a system that allows a maximum length of eight characters (as Lífeyrissjóður starfsmanna ríkisins does). If your favorite password contains two numerals, this is no help on a system that requires that passwords contain at least three. Some institutions, such as Landsbanki, make things even harder by requiring customers to change their passwords every few months. (I always change mine right back to what it was before.)


Reusing the same PIN number is also a particularly problematic strategy in Iceland. A peculiarity of authenticator use in Iceland is that bank customers are often asked to state their PIN numbers to bank employees as part of the process of proving their identity. Although bank employees are bound by an oath of confidentiality, it seems unlikely to me that there won't be a bad apple in the lot sooner or later. (In other countries, customers in comparable circumstances type their numbers on a keypad that the bank employee can't see.)


And a word about the new auðkennislyklar. They surely increase bank security for Icelandic customers, but they are also burdensome in the pocket, clumsy to operate, reduce the convenience of online banking, and cause problems for couples with joint accounts. I thought it was a bit odd to introduce auðkennislyklar and yet to leave unsolved the problem of having to disclose PINs to bank employees. And the coordinated introduction of auðkennislyklar by all Icelandic banks amounted to a kind of collusion, which left no room for consumers to decide themselves what kind of security assurances they themselves would like.


The Internet has definitely changed my life for the better, and probably yours too. But isn't it time for all of us to give up the fiction that customers can commit all their access codes to memory?


Ian Watson (www.ianwatson.org),

member of the Icelandic Consumer Spokesman's Advisory Council.


The next column will discuss the fundamental rule that consumers must consent to what they pay for, so that silence is not the same as consent.



Articles from the Consumer Spokesman's website may be republished provided that the source, author and date are cited.

