Mar 29 2009

PayPal crime vs. False Authority Syndrome

Speaking with an air of authority doesn't actually make you an authority
No Gravatar

Vmyths reader Sean P. Reiser published a great anecdote about False Authority Syndrome. He describes an incident that could have played out on an episode of “Friends.” At a restaurant gathering, a woman (let’s call her “Phoebe”) ends up berating a man (let’s call him “Sean”) with a healthy dose of fear, uncertainty, and doubt:

“The person on my right said, ‘your bank is right you should change your account, it’s the only way to be safe.’ I replied, ‘I’m not sure, [but] I’m pretty sure that paypal obfuscates the bank account and credit card information in their interface.’ She looked at me and then said, ‘it’s not that, you don’t know what was attached to the transaction so they could track it back. They could track the transaction through the banking system based the the size of the transaction.’ I sort of nodded because I knew where this was going…”

Sean’s column describes a situation I run into all the time. It’s not enough for Phoebe to win the debate — Sean must lose.

“I sort of nodded because I knew where this was going…”

Imagine you’re sitting in the restaurant with Sean & Phoebe. You know he’s got two decades of IT experience. One of your buddies turns to him, perhaps knowing he’ll empathize & advise with a level head. Suddenly Phoebe berates Sean for not adding a pinch of hysteria to spice up his meal. You look on as Sean graciously lets Phoebe win the debate.

Don’t ask yourself “who’s the IT expert at this table?” You need to ask “who’s more competent at this table?”

Is it Phoebe for saying “jump overboard because we don’t know the danger”? Or is it Sean for saying “I can’t rattle enough facts off the top of my head to know if you should jump overboard”?

If you’re sitting in a restaurant and Phoebe blurts out “you need to close your checking account immediately,” do you honestly think the victim’s local bank will be open at that late hour to do all the necessary paperwork? “Good grief, I hate to eat & run but time is of the essence! I’ve got to call my bank’s 24hr cybercrime hotline and get them to haul a notary public out of bed so I can scribble my signature on a half-dozen forms to close my checking account before Snidely Whiplash delivers my death blow. Does anyone have a ballpoint pen I can borrow? I need to press hard on each form because I’ll be making three copies. Now where did I put my second form of identification?”

There’s some­thing about com­pu­ter crime that turns first-world societies into super­sti­tious cave­men — and False Authority Syn­drome per­pet­u­ates it.

If the bank already told you “we’ll reverse the fraudulent transactions on your account,” then a few more hours won’t make any difference. You’ve got time enough to do some research on PayPal fraud. So just relax and enjoy your dinner.

(Waitaminit. “Enjoy your dinner”? How can you pay for your meal after Snidely Whiplash forged your digital signature and transferred your life savings to a Swiss account and pilfered the deed to your home & property and declared himself the sole beneficiary on your life insurance policy? Ah, but I digress…)

Listen to me, folks. I once unexpectedly closed a checking account when my wife passed away. It absolutely positively sucks to do it. First you write a check out of the old checkbook to open the new account. Then you file paperwork with your employer to auto-deposit your wages to the new account. Your employer invariably disclaims “it may not take effect this coming payday” and you end up worrying your paycheck might evaporate into thin air. Then you balance the old checkbook 93 times in a row because you fear something will bounce if you’re off by a single penny. Then you wait for the new checks to arrive. Someone’s got to pay for the cost of printing those checks and the bank will debit it from your new checkbook, assuming of course you left enough in the account to cover it. Later, your safe deposit box goes into arrears because your bank forgot to make you do the paperwork to assess the fees from your new checking account. Then your bank asks you for more time off work so you can sign the papers to accept 31¢ of interest that accrued before you closed out the old checkbook…

Come, now. Who would willingly put themselves through this rigmarole based on the advice of a friend sitting in a restaurant who breathlessly insists “better safe than sorry”?

Sadly, too many people will put themselves through this kind of rigmarole. They don’t care enough to collect the facts before they overreact.

There’s something about computer crime that turns first-world societies into superstitious cavemen — and False Authority Syndrome perpetuates it. Quoting myself on the most effective way to combat this problem:

“I want you to question a person’s expertise if he or she claims to speak with authority… This way we can prevent all the ‘blind leading the blind’ techno-babble. And we can reduce the number of people who believe all the myths out there.”

Ah, but questioning a person’s expertise is often easier said than done. Sean can’t exactly tell a waiter “the chef put too much FUD in my friend’s meal.” (He’s not filming an episode of “Friends” if you catch my drift.) It would increase tension in the group if he called out Phoebe’s expertise right there in the restaurant.

I’ve come to realize you can’t always question someone’s expertise at the most opportune time. For example, I’d warn you to never call out your CIO while he’s on stage talking about “his” new email security policy. Take it from me: you’ll make a powerful enemy if you raise your hand and say “sir, your firewall ‘workaround’ would be labeled as an incorrect answer on both the CISSP test and the CompTIA Security+ test…” Ah, but again I digress.

(Pardon me while I scrape the wince off my face. Seriously: whenever I need a dose of Prepara­tion H, I just think back to my cute little CIO altercation and zap! my butt cheeks seal up like a space station airlock. Hmmm, too much info?)

So, yes: I think Sean did the right thing when he deferred to Phoebe. Great job, dude.

Personally, I would’ve jumped up out of my chair and shouted “good grief, where do you bank and who’s got a ballpoint pen?!? We need to take you right now to the nearest branch office so you can close your checking account before Snidely Whiplash strikes a death blow!” But hey, that’s just me…

  • By Sean ReiserNo Gravatar, 30 March 2009 @ 2:47 pm

    It’s Sean, the author of the source material. Thanks for picking this up, and validating my opinions. It isn’t often I see my name on one of my favorite security blogs.

    I considered trying to go toe to toe with her to refute her “they can attach something to the transaction” thing for a second but I had 2 things against me:

    1) I wasn’t sure that Paypal didn’t leak account numbers in their interface, so I wasn’t absolutely certain that closing the account wasn’t the best course of action.

    2) I was only dealing with facts, she, OTOH, could also invoke the plots of CSI and 24 episodes to “make her case”. Quite frankly Jack Bauer’s adventures are more compelling then my “facts”.

    In a refereed match I would’ve been fine, fiction without sources would’ve been called out of bounds. In a no holds barred street fight I knew I was never going to convince her. The innocent bystanders were more interested in the score of the hockey game on the TV then this little debate. Long ago I learned to stop fighting this type of battle. And that wasn’t the mission…

    I knew I could call my friend after the dinner, when I could’ve done 10 mins of research and speak from a position of strength. At the end of the day her real question was “am I at risk?”, even if it isn’t the question she asked. I wanted to say “yes” or “no” and here’s why. Have her understand the issue and not succumb to the hysteria.

Other Links to this Post