IB usability, repeated authentications, "internal review"

I've just requested a withdrawal from IB (Interactive Brokers).  The process in total required around five authentications, depending on how you count.

There seems to be a basic problem around authentication.  Customers on the whole are poor at managing credentials.  Businesses, meanwhile, try to mitigate this, by making authentication more complicated, unreliable, time-consuming, depend on more external factors, and so on.  It would be better to have a clear mechanism and clear division of responsibility.  After every major incident, a business case is probably made to add another "step" to the process.  But degrading the chance of legit authentication, or increasing its cost, is wrong.  If every authentication involved infinite steps and always failed, there would be no incorrect authentications, and there would be no authentications at all.

For IB just now, I had to enter my username and password to start.  Annoyingly, my browser tries to fill this in, and gets it wrong.  I'm not sure whether to blame IB or the browser.  It's because of a different using the same name.  So before I can even paste my password, I have to do extra work to clear the field.

Next comes the "two factor", and some typical business "security engineering".  In my case, the second factor (not really, it's still something I know not something I have) is a list of numbers against three-character alphanumeric strings.  This originally arrived in card format.  For example, 55 might be "o2n", up to 224 which might be "ypp".  Their "security engineering" is that instead of just telling you what to look up with text, they do it with distorted captcha-style pictures of text.  Jesus fucking wept, this is the level of retardation we have to live with, every day.  Having "solved the captcha" and looked up the strings, I entered the values in the field.  One little time-saver is that you are allowed to concatenate them without spaces.

I found the page for withdrawals, and I had to add a new bank account.  This required reauthentication.  As a matter of policy, this is extremely stupid.  If you can't trust that the logged-in user is indeed the right person, you might as well give up on the whole thing.  It also required me to type my name into a text box just so, with the right title and capitalisation of the title and everything, to "sign" my request to add the bank account.  Having entered the password, I was then asked to reperform the card lookup captcha ritual.  Only after doing both these steps of the reauthentication did the web site tell me I had typed my name wrong in the "signing" field.  It didn't exactly match what they required, character for character.  Having corrected this, it was naturally time for.. reauthentication!  By mistake, I went with the browser's suggestion in the password field, which, as described earlier, is wrong.  Luckily this didn't chuck me out of the whole session, but I was allowed to retry the inner reauthentication.  This time I got it right.

Now to request the actual withdrawal.  This needed an amount and a reauthentication.  Again.  Both parts.  I deleted the browser suggestion from the field, copied and pasted my password, and went on to the captcha card stage.  I got it right!

The prize for completing this ordeal, tho, is not the queueing of the withdrawal for execution.  Instead, I am told:

Your SEPA withdrawal [..] exceeds your account's normal limits and is pending an internal review.

All that faff, and a fuzzy "might happen" kind of conclusion.  This is the world we live in.  None of the shitfrastructure works properly, it is all getting increasingly tedious to use, fuzzy, and unreliable, and it is all getting worse.



