January 2008


Bank Paranoia

One of the great features of the Internet Age is online banking—only it’s getting more complicated and less convenient than ever, especially with my bank here in Germany.

And it’s doubly complicated, all at once.

First my bank decided that my credit card had been hacked and, without warning, decided it could not be used for internet transactions or for cash withdrawals. I don’t know if this is legitimate, but I fear that my somewhat bizarre combination of transactions has led them to decide it has been hacked. I didn’t use it in México or The Netherlands, but I did use it at Amazon.com, Kohl’s, King Soopers, and T-Online Hotspot Service in Germany all within a week. I was rejected when I tried to contribute $10 to WBEZ in Chicago—supporting This American Life and its podcast.

Hopefully they won’t reject my dentist’s bill in Denver since trying to pay that would be a nifty trick—I don’t keep that much money in my bank account in the states and moving money is a pain.

The second thing that has happened is that they have new TINs and they are more annoying, and consequently less secure, than ever before.

When I first opened my account at the local Weimar bank, I was mailed a list of some 60 or so Transaction Identification Numbers. Each time I would make a transfer using my online account I would enter the next one in the column, wait for authorization, and then cross out the number to remind myself that I’d used it. It was mildly annoying and I kept a short list of five or six TINs in a secure part of the Internet so that when I was away from my desk, say in Lisbon, Denver, or Timbuktu, I could reference the next number on the list and make my transaction without having to carry around the complete list of TINs.

Now I am fucked.

In the mail I’ve received a list of 180 TINs, each one numbered, and according to the instruction sheet, which is mildly complicated, for each transaction I undertake, I will be given a number of a TIN number, for which I must then refer to my list of 180 TINs in order to determine what the correct secret magic TIN number is, which I then enter in the magic box.

This is really awful news. It means that I am doomed to either carrying around my list of 180 TINs (oooh, if that gets stolen, the only thing standing between me and my bank account getting raped is the actual PIN number I use to log into my account); not carrying around any TINs at all (“Oh, I owe you money? Sorry, but I cannot transfer money until I am back in Weimar in a month.”), or finding some way of scanning and encrypting my list of 180 TINs (What was the password I attached to the TIN PDF file? I forget now…).

I wonder if there really have been that many security problems with my bank that they’ve elected to impose upon me not just a PIN/Password for accessing my account online (plus one of those freaky swirled number things to prove I’m human), but also a list of 180 TINs that will, in theory, protect me from having my account hacked.

All I know is that I am going to feel a whole lot less secure having to carry around a list of TIN numbers with me. The Bank Account number is on my ATM card—so all it takes is guessing the PIN number and the thief will be in.

7 comments to Bank Paranoia

  • “Now I am fucked.”

    A co-worker of mine glowed that his numbered TINs fell by the wayside when his bank offered him TINs by SMS.

    Sounded interesting to me; I too am wary of carrying the entire TIN list around in any form (paper, electronic, etc.).

    “The Bank Account number is on my ATM card—so all it takes is guessing the PIN number and the thief will be in.”

    Part of the problem is banks’ insistence on user-entered codes being simple. A string of characters, determined by me or my bank, that I enter into an automated teller or internet site usually has a max length of 4-6 characters and a limited character set. People will observe your keystrokes or catch a glimpse of the PIN taped to the back of the card (yes, there are people who really do that).

    If, however, to move money around from your account, you were required to enter a password of the caliber of


    …I bet all those TINs and iTINs and things would be unnecessary. It’s really hard to observe me entering that into a keyboard.

    How do I generate passwords like that and remember them for future use? Well, I read a lot. I often generate my passwords based on books I’m reading. The example above isn’t (and now won’t ever be) a password I’ll use (but you are welcome to it if you like). It’s based on A Heartbreaking Work of Staggering Genius by Dave Eggers. Throw in a little substitution and punctuation and lots of book titles and authors make great passwords.

    The ones I really need to remember on the fly stick in my mind because I use them a lot. The ones that I create one-time and rarely use get written into a little hard-bound notebook I keep on my desk smaller than a 3×5 card in area. In true German style, it’s got graph-paper ruling in it, which I find helpful for passwords involving spaces.

    But alas, teh intarwebs and banking systems are supposed to be usable for people who can only remember the month and year of their birth, or the date of their wedding, or something equally easy to enter (and sneakily observe, or carelessly make conspicuous) at the drive-up ATM.

    I think it would be cool to use a Speedpass for things like ATM and internet banking. I loved buying gas that way. I even recall using my Speedpass at a McDonald’s along an interstate in one of those states starting with ‘I’ once. Neat stuff. Now why can’t that be introduced as a token to be presented in tandem with simple digit-based PINs (which you’d be required to update once a month or more frequently) for everyday use?

  • I see German efficiency has struck again.

  • The upside, though, is that aside from a few high-profile capers involving fake ATMs installed over real ones to steal overnight customers’ PIN numbers, bank customers here are really safe. Phishing doesn’t work here thanks to the PIN and TAN (now TIN, I guess) cross-referencing system. Look into that SMS system. I know hypovereinsbank offers it.

    OH and btw – transferring funds a hassle? Not these days. I use xetrade – once you’ve registered your account in the states and the one in europe you want to transact between, it’s simple.

  • @cliff1976: I have too many PIN numbers: My US Credit Card, My US ATM Card, My US Bank Log-In, My German Credit Card, My German ATM (EC) Card, and My German Bank Log-In. Of these six, I can safely say I never bothered to memorize the PIN number for my German Credit Card. Two of the remaining five PINs are identical (by choice), one is stuck in my head despite the fact I never use it, and the other two I use semi-regularly. As for passwords, I have a set of four that I use depending upon the system constraints. One of the four is used only on Bahn.de because it had such strange requirements. The other three all rotate and occasionally are switched; about once a year I phase out the oldest one and introduce a new one into the mix. It’s still annoying and messy. (BTW, German words on US systems work well and English words on German systems work well.)

    Tomorrow I will find out if my account was really compromised or if it was my pattern of transactions.

    @cq: It’s unbelievably complicated.

    @ian: Actually they are TANs, specifically in the case of my new TANs, they are actually “iTANs” — I switched it to TIN in order to make it more understandable in English. Tomorrow when I am at the bank I will ask about SMS TANs.

  • Lee

    Recently I used my USA Visa debit for flowers on line over there. A few hours later I tried to use it here in Hamburg in the ATM machine. Rejected the first attempt…and the second …. (thinking I had the wrong PIN) I tried the third time …. and the card was gobbled up by the machine. THEN found out the computer for THAT card could NOT understand how it could be used in North America and then Europe four hours later. Well, duh! I was leaving for the States in four days without a VISA debit card FOR the States. A bit of a mess. Glad it is watchful … but!

  • @Lee: That is my worst nightmare–and why I actually try not to use my card too soon before or after crossing the ocean. I think that is what happened to me with my credit card though…

    I need to tell them I travel a lot, and this upcoming year includes some new destinations for me…

  • disenchanted

    All I can say is “UGH!”