Short takes: running apps from unidentified developers on a Mac; Dropbox stuck importing photos on a Mac; and virtual card numbers in Apple Wallet

A collection of snippets that don’t make a full blog post on their own…

Mac apps that won’t open because the developer is unidentified

Every now and again, I’ll download an app on my Mac that gets flagged as unsigned (“can’t be opened because it is from an unidentified developer”). It turns out that, if you hold down the Control key at the same time as clicking its icon, you can open it.

Dropbox (Mac) stuck importing photos

I use Dropbox to upload my photos from my phone (it names them nicely for me by date!) and then copy them across to OneDrive (where I have more storage). A few months ago, I had a problem where I couldn’t upload my photos to Dropbox. I’d plug my phone into a Mac, and the import would never finish. It showed a camera icon and said it was importing photos but didn’t show any progress, as though the Dropbox app had hung. Looking around on the ‘net this is a common issue – but there’s no sign of Dropbox fixing it…

In the end, my workaround was to upload the images directly from my iPhone, which seemed to clear the bottleneck, whatever it was…

Virtual card numbers in an Apple Wallet

Those who use their mobile phone for contactless payments (Apple Pay, etc.) may not be aware that each registered card has a virtual card number – the 16-digit card number used is not the same number as the physical card. That’s why (for example), if you touch in to pay for travel in London using contactless on a card but finish the journey with contactless on your phone, Transport for London won’t realise that the two transactions are linked.

I’m not sure how to find the full card number for the device, but you can find the last 4 digits of the virtual card number by pressing the “information” icon in the lower right of Apple Wallet. That will give a whole host of information, as well as transaction history.

Device Account Number in Apple Wallet on iOS

Consumer banking security: two (or three) tales of farce

I’ve written before about the nonsensical nature of UK banking websites, with security theatre that’s supposed to make us feel that a sequence of restrictive usernames, passwords, passcodes and memorable words (all passwords of one form or another) linked with publicly available information (date and place of birth, etc.) is somehow keeping us safe.

Unfortunately, that farce looks set to continue for some time to come…

Second factor authentication

Recently, my bank (First Direct) went a step further in an attempt to introduce a second factor to its logon process (i.e. something I have, in addition to something I know).

“Bravo”, I thought, “at last, similar security measures for consumer banking, to those that are used on the back-end by employees”… except I was wrong. At least, I hope I was.

First Direct gave me three options:

  1. Send me a device to generate a secure key.
  2. Use an app to generate a digital secure code.
  3. Continue using the old methods for Internet Banking logon, with reduced functionality.

On the basis that any device sent to me is unlikely to be where I am when I need it, I elected for the app option and, after upgrading the First Direct app on my phone, I went through a registration process. I don’t recall the details of the process but the end result is that I now have a “Digital Secure Key password” (oh goody, another password!) in the mobile banking app, that can be used to generate a code to log on to the full website via my browser.

And how complex is this “Digital Secure Key”? Just 6-9 alphanumeric characters – no better than a very simple password – and as that’s now the only level of security between a mobile phone thief and my bank account (aside from a PIN on the phone), the app on my phone is actually less secure than it was previously with the username/memorable data combination!

Still, at least there is some kind of second factor for website access…

Never write down your PIN (except when the bank does that for you…)

We all know that we shouldn’t write down the PIN for our cards, yes?

Ever.

It’s in the terms and conditions for your account – and if the bank suspects you have compromised security in this way they are unlikely to be able to help if there is fraud.

I have a Hilton HHonors Visa card, provided by Barclaycard and, a few weeks ago, they sent me a new card as part of the rollout for Visa payWave (contactless) functionality. The card had a sticker attached, telling me to use it from 23 June – and in the meantime I could use my old card. Separately, they sent a new PIN (quite why my new card couldn’t use my old PIN is beyond me) and, as soon as I received it, I went to an ATM to change the PIN to one I would remember. Except I couldn’t – because the card wouldn’t work until 23 June! I even tried using a Barclays ATM.

In the end, I had to keep the card and the PIN in my house for a few weeks until they were both valid.  Doesn’t seem very secure to me… and I wonder who would be liable if the card and the letter had both been stolen in the meantime?

And don’t get me started about 3-D secure

Verified by Visa. Mastercard SecureCode. Just another password to remember – and as far as I can tell just a way for the banks to pass fraud risk on to merchants!

More retail banking security theatre

Yesterday, I bought a new suit. Nothing remarkable there but I paid on my Lloyds TSB Duo Avios credit card. A card that I will shortly be cutting into little pieces because it’s useless to me if the bank declines transactions on an apparently random basis…

You see, I also wanted an extra pair of trousers and they were out of stock. The very helpful guy at John Lewis went through the online order process, I supplied my credit card details and all was good. Then we went to the till and paid for the suit jacket and first pair of trousers.

The £250 transaction for the suit went through OK but a short while later I was called by John Lewis to say that the £80 order for the trousers placed a few minutes earlier had been declined. That seemed strange – especially as it was placed before the larger transaction (I’d expect the large one to be declined if there was some sort of anti-fraud flag triggered by a small purchase and then a large one) so we tried again. No joy. Declined by the bank. So I supplied some different card details and all was OK.

I was annoyed. I use multiple credit cards for good reasons but at least I had been able to use a different card even if that does mean that my personal and business transactions are mixed up. Fast forward to this morning and I was incensed.

Sunday morning, 10am: enjoying a rare lie-in whilst the kids are away; the phone rings – it might be my in-laws and it might be important, so I answer.

“This is an automated anti-fraud call from Lloyds TSB…” (or similar). I’m angry now, but I comply with the whole process as I think I might be charged twice for my trousers. This process involved:

  • Confirming that I was (imagine robotic voice) “Mr Mark Wilson”. 1. Yes, that’s me.
  • Confirming my year of birth. Not exactly a secret, especially not to anyone who might answer my home phone.
  • Confirming my day and month of birth. Again, public information, and known to all in my household.
  • Listening to some details of some possibly fraudulent transactions: two declined for £80 and one approved for £250; both flagged as Internet purchases at John Lewis, a “grocery or supermarket” retailer. Not much help there as John Lewis is a department store (Waitrose is their supermarket brand) and clearly store transactions are incorrectly flagged as Internet purchases – which means the information is unreliable at best and confusing if it had been a different retailer with whom I was less familiar.
  • Confirming I had made those transactions. Tempting to say no but that would be fraudulent. I said 1 for yes, anyone in the house who answered my phone could have answered anything…
  • Supplying my mobile phone number for future anti-fraud calls (I probably didn’t supply it in the first place because I was concerned they would use it for marketing…). Well, at least my mobile is more immediate, and more secure than the home phone (only I use it).

Pure security theatre.

I can understand the banks wanting to reduce fraud – it costs them millions. But my account has a significantly larger credit limit than transactions I attempted in John Lewis yesterday and they could go a lot higher before declining transactions and inconveniencing me as a customer. I can see some patterns that might have flagged the anti-fraud systems but not the sense in declining the first and third transactions yet accepting the second (larger) one. It’s possible that John Lewis stored my card details and applied them after a short delay but, even so, I’d think it’s pretty common for people to make in-store transactions and place orders through the retailer’s online channel at or around the same time (in scenarios like the one I described).

I’ll make the most of the interest-free period until my next bill, pay in full (as always) and then I’ll be closing my account with Lloyds TSB. “Security” that stops me using my cards when I want to, and disturbs my privacy at home (with an automated call using publicly-available information!) is “security” I can do without…