Being the CEO of a small Danish company that works internationally, I cannot avoid being abroad while some bank transactions are due.
Recently, while taking part in a workshop at one of our pilot municipalities in the EU, I had to make a payment using our bank’s internet access. This is a fairly common thing to do, and I have done it several times before while traveling, as I do at home. This time, however, the bank had apparently introduced an extra cybersecurity measure, namely geoblocking of locations outside Denmark.
The introduction of this cybersecurity measure was not consistent: sometimes I could log in and see the account contents, but never access the list of transactions or pay anything, and sometimes I could not log in at all. The error messages were very inconsistent as well. Somehow this had not been tested at all, it seemed.
At the same time, the user interface of the website had recently been redesigned and changed significantly, and as there were no warnings or error messages, I thought at first that it was just a problem with the first version of the website, but as the trouble persisted I decided to do a little more to get in.
Guessing that it was just geoblocking, i.e. hindering direct access from outside a given range of internet locations, I started a so-called virtual private network (VPN) with an endpoint in Denmark and – poof, the issues were gone, and I could do all the tasks I needed. Overcoming geoblocking is very easy if you know how.
The problem with geoblocking is that system administrators can prove that they have done something that works – although they also know how ineffective it is – and managers, who often do not, can add it to their list of bonus-creating KPIs, while it only creates frustrated customers.
Maybe this is keeping some script kiddies out of the banking system, but the bad guys who know what they are doing are still getting through, and the trouble I unexpectedly got seemed to show that the bank did not know what they were doing, at the same time giving their customers a very bad user experience – one that I shall not forget when comparing the bank against others.
For someone working with cybersecurity, this is an intriguing issue, and it did raise my awareness of their threats – albeit badly handled – but for users with less cybersecurity focus, it works the opposite way, seemingly showing that the bank has less control over the system and making them lose confidence in the banking system as such.
It is a good lesson to remember when trying to help resolve cybersecurity threats in the real world, as we do in CS-Aware.