I woke up yesterday to find that a string of mysterious credit card payments had wiped out my checking account.
I spent the next few hours as a prisoner of the phone tree, being interrogated on the transactions that I wanted answers about. No, I did not have a Banana Republic credit card. I didn't have a Capital One credit card either. And I had no idea who Michael was, or what he was doing with all my money.
The woman on the other end of the phone flagged transaction after transaction. For each one, she read me a long, pre-written paragraph of instructions and disclaimers—verbatim, even if she had repeated the same words just before. "Okay, so," I said, when she was finally done. "It looks like this person is paying off credit cards through the web. What… am I supposed to do about that? What information do they have that lets them do it?"
"It looks like they have your routing number and account number," she told me. "You should close this account and get a new one."
I thanked her and hung up. Then my head exploded.
I cannot count the number of times I've freely given out my routing and account numbers—in emails, in webforms, in paperwork. This is because it's necessary for other people to know my routing number and account number in order for them to send me money. But apparently, with that same information, they can also snatch money straight from my account. What kind of insane system is this?
There's two-factor authentication, there's one-factor authentication, and then there's this, which I think I can call zero-factor authentication.
Like any journalist who reports on security and privacy, I am an exceedingly paranoid person. This is not the same thing as careful or secure. I know just enough about computers to be dreadfully afraid, but I'm not knowledgeable or disciplined enough to actually take care of myself. I live day-to-day in a permanent miasma of fear, calculating my risk every time I download an app, connect to a new wifi network, or visit a site with an out-of-date HTTPS config.
Then I just go ahead and do it. I take the sticker off my webcam so I can video conference with editors, and then forget to put the sticker back on for days. I turn on OTR and then neglect to double-check fingerprints. At night I run through these personal failings in my head, self-flagellating while envisioning the worst-case scenarios. In my head, a ticker moves closer towards my own personal information-armageddon.
I live in a world where the NSA secretly compromises encryption standards, where the FBI remotely hacks computers in the Tor network, where hackers hold the contents of your hard drive for ransom. And meanwhile, my bank is treating my routing and account numbers like "Open Sesame"—magic words that work whether you're trying to get into the cave, or get out of the cave.
We are shambling through a broken world, relying on the fact that most people aren't scammers and thieves. There is literally nothing I can do about this random person who has my routing and account number, other than close my account down. This morning I got hit with another charge—to the same Banana Republic credit card that got flagged as fraudulent yesterday. How is this for real?
After shutting down my account, I will get to embark on the delightful task of updating my information with a bunch of companies that have direct deposit (hello, VICE Media!) set up with me. Once again, the magic words get dispersed far and wide—irrevocable credentials without any form of authentication.
Tonight, I'm not going to lie in bed and recount all my security failings. I am simply going to nestle under the covers and seethe. This is why I fucking hate security, computers, and the entire goddamned banking system. These things clearly only exist to torment me.