
PW - Picking a fight with the banks

BSides Las Vegas, 35:29, published 2024-09
About this talk
PasswordsCon, Tue, Aug 6, 13:30 - 14:15 CDT. Who's who, and who did what? Norwegian and Scandinavian banks are very digital. Online banking is an activity people do several times a day. Digital banks are good, but just how good are they? What are some of the limitations when users face fraud, inequality or financial abuse? People: Cecilie Wian

[Music] People in the back, if you can hear me via the microphone, please nod. There's nodding, thank you very much. I'll be brief when it comes to me. This is the slide that I hate the most, but I grew up online; my teenage years were spent on a computer on the internet. So when I was going to university I decided, well, I don't want to study what I already know, so I'm going to study something else, and I studied something else. People keep asking me about this: what's your education? My education has nothing to do with it. I studied psychology, that's my bachelor's degree, educational psychology for those who are really into

details, and I have a master's in what's called philosophy of technology. I decided to study what I don't know. I did however take the introduction course to programming, one and two, and that got me a job. That's not what I do; I don't program. My field of specialty is what's called abusability. When I look at your system I'm interested to know what can go wrong with this system, how can I mess up people's lives with this system. And because I am actually a nice person, I want to figure this out not to hurt people, but because I want to change it so we don't hurt people with the technology that we make.

If I'm going to give you some advice when it comes to having a hobby: if you're going to fight, pick a fight you can win. I was stupid; I've been picking a fight with a bank. Don't go after banks, that's a very bad idea. It's a bad idea because banks have money. They have money, they have lawyers, they have legislation, they have laws, they have all kinds of resources you don't. So if you want to go and start trouble with them, be prepared for them to push back. Yeah, it's a very uphill battle so far. I'm going to explain to you why it's an uphill battle, but I'm also going to tell you what the problem is, and I'm

also going to show you what is going on and why maybe the ball is rolling. So, in every system that we make there will be design flaws. Some are small, some are big, some are proper security issues; not every issue is serious. So when I spend my free time looking into other people's systems, I call it bug hunting without the bounty. There's nobody in Norway that pays you money for anything; it's 100% on a volunteer basis. But I do this because I care about humans and I care about humans' lives, and I absolutely adore people in general. There are individuals that I really loathe, but people and humans, I like them.

I like you. So I spend my time thinking about what's the worst that can happen, how can this system hurt you. It's a bit of a sad state of mind to be in, so I don't recommend it for everybody. I spend a lot of time thinking about domestic violence, abuse, child abuse, grief, death, sickness, poverty and all the other awful things that can hit someone. My main question whenever I look into a thing is: what would the worst person in the world do with this tech? And I hope you take a note, a mental note at least, of this, because this is my one guiding question that I think summarizes what abusability is. And when I talk to tech

students I will tell them: think about this. And if your boss is not impressed about what the worst person in the world would do, you can show them a picture of me and say, but what can she find in our system? We should fix that before she finds it. So you can do that; I give you permission to use my picture as a threat, that's okay. I did a project a while back, a very cute little project, together with P and another awesome human called Yun, or John, which he keeps introducing himself as, Yun in Norwegian. We did a project where we were trying to figure

out what kind of old stuff is lying around and still operative, and one of the old things that is still lying around when it comes to banking is paper forms. I know, I know. By the way, how many of you are from the US? Could you put your hand up, or living here? Perhaps easier: how many of you are not living in the US? Awesome. The US banking system is slightly further down the timeline than a lot of the other countries, so you may still have paper forms that are being paid attention to, but in Norway we have paper forms that are still valid. You can fill them out

and send them in to the bank, but nobody's really paying attention to this. So what happened, to summarize it very fast: I got access to his account and his money, and that was fun. Thank you for the money, P, that paid my coffee. But in addition to getting access to his money, I discovered I got access to a lot of other things as well. So I started poking around and seeing what I can do when I have access to someone's account. I think somebody dropped their

glasses. Anyways, I found a lot of small issues; small issues are everywhere. But I also found some big issues. My problem as an external volunteer, let's not say hacker in this context, but as an external person, is that I have absolutely no leverage when it comes to banking in Norway. I don't get to set the order of the day; I don't get to change their priorities at all. So all the big issues that I found, I made a note of, I took a screenshot of, and I check up on the issues once in a while: did they fix it? But there's very little I can do, because to change anything I need to

get somebody's attention, and it's difficult because banks don't care about you. They don't pay attention to anything that doesn't cost them

money. I can of course go to the media, and I have done that in the past when I thought it was ethically sound and a good idea. Going to the media is not a straightforward thing to do, because journalists may not understand what you're talking about, and then they won't make anything out of it. That happens all the time. They were like, will the bank stop working? No, they won't. Then why should we write about it? In addition, they absolutely love the whole story "hacker found security issues", but when I talk about my type of issues, abusability type of issues, they will call the bank and say, hey, do you have a

statement, because this hacker person or this security person says that you have security issues? And they will say: that's behind login, it's not a problem, they're overdoing it, it's a feature. And then there's no story. So I just had to hang on to my knowledge until the time was right, and the time was right a few months ago, because one of the directors of personal banking in Norway got interviewed on the biggest news channel that we have, and she talked about her campaign about making women invest their money not in savings accounts but in stocks and funds, which is a good project. But she was blaming women for

not having a good overall insight into their personal economy, and she was being, I think, pretty unfair. So I did this really old school thing called a reader post, where you write and you send it in to a newspaper, and I chose to send it in to the biggest financial newspaper in Norway, and they said yes, thank you, and they made a huge page out of it. This is the paper newspaper, but it did also come online. And it was great, because they started to listen, and the biggest news agency, who did the interview the day before, called me and said, do you want to be on TV and radio in a debate with that

director? And I said, of course I want to, which is terrifying, because she has a team of people that will back her up and give her PR advice, and I had to complete my workday and then maybe brush my hair before I got on TV. That was horrible, but I did, and the debate went well for me, I think. And things started happening: it triggered a lot of other reader posts and social media, and other financial institutions started to have opinions, and people started calling me. Well, the ball is starting to roll, and it's great. Maybe we can have better banking for private individuals. And of course I'm doing this

talk, and I'm doing one at Crypto Privacy Village together with P, and I'm also going to, we'll call it a political convention; it's a weird thing, a bunch of politicians and lobbyists and journalists are meeting up, perhaps it should be a meetup, it's called aruk. And somebody invited the new director of banking in that bank to have a debate with me again. Great, they're starting to, well, I wouldn't say listen, but at least they're not ignoring me anymore, and fighting me is better than ignoring me. When they're fighting me they're starting to pay attention. And also a national security conference in Norway invited us to talk, and it's great. We're getting

somewhere. But let me talk about the issues. Because securing a bank: banks have a lot of security systems, like whole heaps of measures in place. There's a saying, I guess, I'll translate it into English and I'm pretty sure you have it here as well: as secure as in the bank. Does it make sense? Yeah, there's nodding, thank you. We have that in Norwegian as well. Banks are supposed to be super secure. And by the way, I love this picture, because as a lot of you know, you don't have to open all those locks, you only need to open the one. But before you spend time opening the one, check if the door is

already open. Anyways, the security measures that the bank has are not your security measures. A lot of the time there is an overlap between your interest and their interest, because you don't want to get robbed and they don't want to be the bank that got robbed. But this talk is about when it's no longer an overlap of interests, about security measures that are not there but you

need. Oh yeah, you should go ahead and take pictures, I don't mind. Because you can get robbed even though the bank doesn't get

robbed. Basic banking, if you're a single person or living in the 1970s, would be like this: you have a key to an account, I call it a vault for this occasion. But most of us live in a household with other adults; not everybody, but a lot of us. If you live in a household with other adults, they may be your romantic partner, your children or your parents or relatives of some kind. And in Norway at least, most families are two-income families. It may be different where you're from; I know you Americans have many more single-income families than we have. But it doesn't really matter, because you are sharing your finances

even if you say that you have a split economy, because you will probably only have one bottle of ketchup, you will have one utility bill, one internet bill and so on. You don't have two; it doesn't make sense to have two power bills to your house. So you are sharing even if you don't intend to share. So when you've been living with the same person for a while, you build trust with them and you start realizing, well, we are sharing, so instead of having this hassle every week or month or whatever, let's share an account. It makes more sense. Oh, by the way, equality: I know people disagree about equality, and I don't think it matters what you

think of equality, because I think you can agree with me that shared access to shared assets is fair, and also that it should be possible to secure your assets if you want to. When I say asset, if you're the one who's making money, that will mean money, but if you're the one who's living as an adult in a household with other adults and not making money, you will probably be contributing in other ways, so your asset is the money being made to the household. That is money that matters to you; you should take measures so that you secure that you're not homeless or starving, right? And if you want to do that, access

control to a bank is not enough. This is sharing a bank account; we call it power of aternity, sorry, attorney. I keep calling it eternity, but it's not for eternity, it's attorney. It's a fun little trick sharing a bank account like this, because in essence there are two locks, but you only need to open one of them to get access to the

money. What you get access to: you intend to share your money, probably for paying bills, food bills or utility bills, but what also happens is that the other person or the other persons you're sharing with get access to your history. And that's fun, because you may be having a new relationship; do they need to know what you've been up to the latest 10 years? Maybe not. And of course the money. And depending on your local laws, by giving them access to one of your accounts, that is a declaration that you have shared finances, even though you don't intend to have it. What you don't get access to with power of attorney is

the bills. They're still coming to that one person in that one person's name, and of course that is very impractical. In the US you've got something called a joint account instead. Joint accounts are not available in every country; I have not seen them in Germany and Denmark and Norway and a few others, I've only seen them here. I would love feedback on that: if you have the joint account as a concept in your country, let me know, and also I would like the name of the bank. Joint accounts are nice because when you're setting up a joint account you're setting up a new account, so there's no history; they don't need to know what you've been spending your

money on. And you're making sort of like a third legal person: when you're paying your bills it's no longer you or the other person, but whatever that account is registered as that is paying the bills, and they can receive bills as well. It's neat, makes sense. But again, depending on your local laws, you're declaring that you have joint finances, and this matters when life gets harder. Anyways, joint accounts and a power of attorney open up for you to be robbed, and if that happens you can complain, if you want, to the bank or your mother or whoever, but they would just tell you: well, you gave them access to your money,

you gave them legal access to your money, of course you were going to get robbed. It's your problem, you trusted the wrong person. And I think that's really unfair. This is a feature, by the way; trusting the wrong person is the feature in the banks. Because even if you trust the right person, life happens. You may have a change in priorities; that may not always mean a divorce, but a lot of the time people fall in love and fall out of love, or feel different about priorities in life. Grief: when you lose someone, your mental state is impacted by it. Accidents happen that can leave the other person, that was the right person, no

longer choosing the right things, or the things that are in both your interests. And I will be very direct when it comes to illnesses, because it's very common that people have either diabetes, cancer, dementia, anxiety, addictions, depression and a whole lot of other things that will affect their mental capacity to make good financial decisions. So even if you chose the right person, the love of your life, this can unfortunately still happen to you, and they can also be scammed. So we need more measures in place in banking that take care of your interest, not just the bank's

interest. To add insult to injury, banks have this: they have account types that have all the measures that you want, that have double signing or triple signing if you want, that have transaction limits, daily limits, monthly limits, weekly limits and so on. They have alarms, they have notifications, so you can have them either on email or on your phone or wherever, even in your banking app, and they have logging, logs of who logged on and did what. But you don't get access to it as a private person; you only get access to it if you are a business. You don't have to be a big business, you can be a really small business, you can earn less than

your household and you still get access to this if you're a business. And I think that is unfair, and I want this for private personal banking. Yeah, if you have a bank that does any of this for personal accounts, I would love to know, because in order to, well, win, or at least make the fight harder for the bank where I'm at, I would like a good role model, or a little peer pressure to put them under so that they give me this. Because I know, technically speaking, this is quite possible; it's just a matter of priorities. So yeah, that was it. I was super fast this time. Do you have any

questions? Yes, I can, I can

make... Thank you. One of the things that I find in our country that is a banking issue, and no offense to any parents here, but when you want to initiate banking, I remember one of my friends, she was 17, she had to have her parents sign for it. Now that person, I think she's in her 50s; to this day she can't get her mom removed. So of course her mom is asking her, you know, what did you spend that $100 on? And you know, it's kind of annoying to her, not me, but her. And that's something that, you know, she's banked with this company or this

banking system for over 40 years, but she can't get her mom removed. Yeah, so I think that's an issue. And vice versa, if you have a person who is a child and you open an account with them for 17 years and they still have that banking account, and that person is not very stable in their finances, overdrafts, you know, all manner of issues, then that parent is still signed to that account. Yeah. I'm guessing you're in the US? Yes, yes. You have a credit system here that is different than other countries. First of all, when you grow up, or if your life changes a lot, start over when it

comes to banking, in the sense that you get another bank, because that's how you sanitize access. Trying to tell the bank that they should do something different: they don't listen, I'm sorry, they don't listen. Start over, be a good consumer, threaten them, go to another bank and say, you know what, give me a good offer. You may not always be in the position where you are the best customer, but they don't know that yet, so try, be bold. Yeah.

Yes, the last comment question was actually kind of tied to my thoughts around the credit scoring system here. So in that case, if she starts fresh, right, her credit tanks, because it's based off age of accounts too here, for different FICO levels, because FICO sucks. I hate FICO. Yeah, if you want to talk to me about FICO, I plan to have a rage campaign against it, but it's another story. But as far as credit scoring, and, say, I'm sorry, Norway, right? Yeah. So how does account age and stuff like that impact accounts in Norway? And I don't know what the credit

system looks like there, but I assume it's better. Very different, but I can talk a little bit about it, because in Norway we have, well, first of all we have a credit system where you have a credit score, but it's only available for businesses usually, and they have to have a solid good reason for checking your credit. We also have a registry for all your debt; we didn't used to have that, but now we have that. It is so that you cannot take up a lot of credit everywhere and be deeply in debt, because it's unfair to put you in that position, and it's also very

unfair to put your loved ones and people you're sharing your economy with in that position. So we have that. Both in Norway and in every other country I've talked to people from, as a romantic partner I cannot do a credit check of my love interest. I'm not sure if you should be able to, but it's an interesting thought to follow through or think about, because when you're starting a relationship you're entering it with trust, and that trust may not be, what do we call it, valid or reasonable, warranted, thank you. So yeah. On the other hand, it's very important for personal freedom to be able to take up credit without your

current romantic partner or parents knowing about it, because you might need that money to get away from domestic violence; financial violence is a huge part of it. So it's not an easy thing to change things, but I will support you if you want to riot for a better solution. Yeah. And also, when you're changing bank you can do it slowly, like ghosting them; you don't have to do it on day one, just ghost them slowly. Hi. So I guess for your last slide, what I'm trying to take away from it is, you know, a lot of fexs now have that for personal accounts, even where I work does the same. I

guess what are you trying to gain out of that? Because for your last example, a lot of that would show that someone's trying to set money aside if they're trying to escape a situation. Like, where do you want that line? So, the line is a whole debate, because it depends on your local laws and it depends on other context, like your income and how that is, and so on. But one important part of this is that if both need everyday money, like cash, like pocket money and so on, you can have your own account; that's not a big deal. But for savings, it's kind of

absurd that my spouse can take all our savings and run away with them, or drink them up, or buy that bloody motorcycle, without me knowing and approving. So if both have to sign for things, don't do that for all your money, that will be insanely impractical, but do it for the huge amounts. And yes, then you end up in a debate where you probably will have to divide assets, called a divorce or a splitting of assets, if you cannot agree. But if you cannot agree, you're not agreeing, but at least one person is not robbing the other one and leaving them without any money.

Yeah. Oh, and by the way, this happens so many times. Hi Cecilie, great presentation, thank you, you're super, very nice. I just happen to live in Norway and we had the chance to meet before. I was just wondering, during your presentation it came to my mind if you have any insight related to abusability applied to the BankID system. Would you have any thought to share? And of course, if you could just spend like 30 seconds explaining to people what BankID is, which in my opinion is pretty robust. Yeah, so BankID is the, well, I was the CISO for BankID for 3 years, that was my previous job.

BankID in Norway is the system that all Norwegians are using to identify not only to banks but to every single government service you can think of, and insurance companies, and more. BankID has 95% market share in Norway at least, so it's the solution being used, and it's a digital ID solution that comes in two levels: high and, should I say, medium security. And you use that. As an example, when we did our little attack that we are also going to talk about at the Crypto Privacy Village at DEF CON on Friday, I wanted Cecilie to obtain legal

access to my account, but we didn't want to do anything illegal, so I asked: would you like access to my account and my money? And she happily accepted. We filled out a paper form, one single sheet of paper, with my information and her information and two witnesses that were absolutely clueless as to what they were signing for. We sent the paper form to the bank and suddenly she got access. And an additional bonus: after the access had been set up, I didn't receive any message from my bank that they had given her access, and she didn't receive any information either from them, like a text message, email or anything, that she

had access to my account. And after I gave her access, I suddenly realized I have 10 years of payment history on that account as well, and she can see everything: all the money I have ever received and all the money I have spent, for anything. That was like, okay, well, so you're a good trusted friend, but Facebook would love that info. Yeah, so she's going to auction that off later on today, I guess, my personal information. Yeah, but yeah, that's the BankID system. And from there it's interesting to see that you still need alternatives like paper forms for people that are not digital, people that cannot use BankID for many different reasons,

like you having a legal guardian, being sick. We still have, you know, one challenge to us is, as an example, we are taking in quite a few Ukrainian refugees, and they are not immediately allowed to have BankID, because we don't have any credit history, we don't know who they are, it's difficult to verify that identity. So we don't give them immediate access to using BankID, as an example, and then we have paper forms. Yeah, there's a lot of good reason to have paper forms, for now anyway. The EU is doing a very interesting project where if you have a passport and you have an established ID, you also get a digital ID. Bank

ID has been doing that for 95% of the population in Norway for a while, but the last five is still a significant amount of people, so there needs to be something done for them. And for now they're living on their parents' accounts or other relatives or romantic partners and so on and so on, and it's a mess; it's not a good mess. And I accept that paper forms have a function, but nobody's paying attention to them, so that's a problem. But most of all, there is no way that I can give anyone a little bit of access to my money. It's either nothing at all or everything, and that is too

binary. Yeah. Do you know, raise your hand, do you know anyone, any business or any corporation or a government organization that actually verifies written signatures on a piece of paper? Well, that's fun. One, two, three, okay. Yeah, we haven't seen anyone in Norway for several years. That was one of the fun parts of that project: I was signing this paper and, well, if they were checking my signatures against when I was five, it didn't make sense at all, because we have digital banking, so much digital banking. So yeah. And when I was going to fill out the

paper form, I looked around my entire apartment; I didn't have a single pen. I haven't used a pen for many years; I'm all digital. So I had to go out and buy a pen to fill out a paper form, just trying to do social engineering against the bank. We don't do that anymore. Yeah. The future: two things. You can find me on socials and everything; LinkedIn is probably the easiest way to get in contact with me if you want to. I would love to drink coffee and have conversations with you. But also I'm hoping the banks will start giving me at least a way of making two signatures

happen, because it's possible. And also I'm hoping, with modern banking, that maybe my next bank is not a Norwegian one but a German one, who possibly may have, maybe, these control measures in place. I don't know. But I think banks are in deep water; it's a global market now. Yeah. Thank you, Cecilie.