2009-12-29

But this is me, really!

I had an errand to do at my Swedish bank today. I always dread these, because there is usually some problem involved with my lack of a proper Swedish personnr, personal identification number. Swedish programmers use it as a primary key for everything, so those who don't have them (like tourists) run into lots of problems.

We have had a bank account here in Sweden for the past 13 years. One has to pay one's bills somehow! This bank was nice enough to open an account for us years ago when we were standing there with our pockets full of cash that we had brought for the down payment on our house and we wanted to put it into a bank account. Without a personnr two banks refused us before we were able to bank it, but that is a long, old, other story.

Our bank uses Internet banking, so I can pay bills online using a PIN generator. The PIN generator is a piece of security theater - it always generates the same number for the challenge number put in. The login numbers are always chosen from a small group of numbers, and once you are in and have set up some bank transfers, the number for signing the transfers is just the sum of the amounts in SEK. If I pay a bill for 250 SEK I always have to use 0002 5000 as the challenge. Duh. It would be trivial to set up a trojan to always fill up the amount to transfer to a specific sum for which I already know the code.
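A sketch of why a challenge built only from the total fails to tie the signing code to a payee, next to a challenge that covers payee, amount and a fresh server nonce. This is an added example, not the bank's or the device's algorithm: the HMAC stand-in for the token, the key, the account labels and the nonce-bound variant are all assumptions.

```python
import hashlib
import hmac
from decimal import Decimal

DEVICE_KEY = b"constructed-demo-key"  # constructed; the real token secret is unknown


def amount_challenge(amounts_sek):
    """Challenge as the post describes it: total in SEK, written as 8 digits of ore."""
    ore = int(sum(Decimal(a) for a in amounts_sek) * 100)
    return f"{ore:08d}"


def token_response(key, challenge, digits=6):
    """Stand-in for the token: a pure function of key and challenge (HMAC assumed)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"


def bound_challenge(payments, nonce):
    """Hardened variant: the challenge covers every payee and amount plus a nonce."""
    body = "|".join(f"{acct}:{Decimal(amt):.2f}" for acct, amt in sorted(payments))
    digest = hashlib.sha256(f"{nonce}|{body}".encode()).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def demo():
    # Constructed payments: same 250 SEK total, different payee.
    intended = [("ACCT-INTENDED", "250.00")]
    altered = [("ACCT-ALTERED", "250.00")]
    code_a = token_response(DEVICE_KEY, amount_challenge([a for _, a in intended]))
    code_b = token_response(DEVICE_KEY, amount_challenge([a for _, a in altered]))
    return {
        # Amount-only: one code is valid for any transfer set with this total, forever.
        "amount_only_same_code": code_a == code_b,
        # Bound: changing the payee or the session nonce changes the challenge.
        "bound_differs_by_payee":
            bound_challenge(intended, "n1") != bound_challenge(altered, "n1"),
        "bound_differs_by_nonce":
            bound_challenge(intended, "n1") != bound_challenge(intended, "n2"),
    }


if __name__ == "__main__":
    print(amount_challenge(["250.00"]), demo())
```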

The little box that generates the PIN was getting old - cover cracked, keys don't respond, display fading. I wanted a new one. Should be simple, shouldn't it?

No. We are in Sweden. They have to make sure that it is me. The young man at the desk gets his boss. She knows me. She's had to deal with every bank problem I have had in the past few years. We move off to another counter.

- May I have your ID?

Sure. I hand over my German identity card. She frowns as she scans it. Look, lady, you've done this before. We don't have a personnr in Germany in general use. Yet.

- If you need my personnr, here it is.

I scribble it on a scrap of paper. She lights up, types it in, frowns. Hmm. It is not in the database. Of course not. The Swedish government only has active personnr in their database. I am marked as having moved to a foreign country, so I am inactive.

- I need more identification, she says.

Let's see. I have my credit card, issued from this institution. I have the old PIN generator that has a number on it. I have the bank book that I got when we opened the account. It is in my husband's name, because at that time he was the only German citizen, I was an American.

It dawns on me. I was an American when I got the PIN generator. Now I am German. So I am no longer the me they have in their database. Identity is quite a hard problem, it seems, not just for teenagers!

She gets out paper forms. We make photocopies of my ID card. No fingerprints, though. She frowns at her computer screen again. I make small talk, about me being a professor from Germany and all. She asks in what field. I say computer science. She jokingly offers for me to come around and help her make this thing behave. I would love to!

She finally finds another form, prints it out, I sign that I am me (!), and we carry on. She first "destroys" the old one by pressing in the magic code "88888888". I wonder what would happen if I purchased something for 888 888,88 SEK? That would have invalidated my generator.

The new PIN generator is a one-time pad generator. It has to be initialized with the bank page when I log in. There is a button that has three different functions. There is an instruction booklet to accompany it.

I just tried it - it actually works, although it is not intuitive. It writes "APPLI" at you. That means "application". And you choose 1 to log in with the one-time code, 2 if you need an answer code. I wonder what 3, 4 and 5 do .... The instruction booklet is very good about telling you to choose a good PIN. 1234, 4321, and 7777 are bad. And the last 4 digits of your personnr are also not a good idea. I wonder how many Swedes do that? I would guess more than 10% use these 4 digits as their PINs. But this is just conjecture, no way to know unless one asks them.
