I discovered a card skimmer on a cash machine on Sunday morning.

bank card skimmer

It looked mostly convincing on the outside, and I might well not have realised that anything was amiss if not for the fact that

  1. I frequently use that ATM and recognised that it was different,
  2. there is a pair of identical machines, and its neighbour hadn’t been altered, and
  3. a whirring noise seemed to be coming from the slot.

I probably wouldn’t have been able to hear the whirring at a busy time of day, but it’s quiet at half past nine on a Sunday morning. On closer inspection, there were a couple of other peculiarities: peering into the slot, I could see a small ribbon cable hanging down; around the edge of the retrofitted bezel, the fascia had been gouged.

Put together, there were enough clues for a naturally suspicious person in broad daylight, but I doubt that many of the Saturday night punters would have been so observant.

I phoned the operator of the ATM, RBS. That turned out to be a wholly unsatisfactory experience: the phone number listed on the screen took me through to a generic customer service line, on which I had to cut in on their script to explain that I wasn’t a customer. There’s no kind of identifying number on the cash machine, so they asked me for the postcode, which, of course, I didn’t know either. I was eventually able to communicate the location, but an unambiguous code would really have helped.

RBS said that they would send someone to look, but I didn’t perceive much urgency on their side, so I opened a second front.

As the cash machine is attached to a supermarket, and some of the staff were turning up for their shifts, I went to the staff entrance to tell them about it, and suggested that maybe they could put a sign on it until RBS turned up to check. I showed the machine to a member of the security staff, who agreed that it looked different from its twin, but said that he’d used the machine the other day, and that it had looked like that then!

I left for my appointment feeling rather disappointed at the lack of response. In retrospect, I think I’d have been better off calling the police non-emergency number.

Walking past the same ATM today, however, I saw that it was out of order. A hopeful sign! The skimmer still looks to be in place, though whether that’s waiting for the operators to return and incriminate themselves or whether no one really cares, I can’t say.

I find it very disturbing. Although there were signs that something was amiss in this instance, a more competent criminal would have been able to avoid gouging the ATM fascia, and might have chosen a solitary machine—or fitted a duplicate dummy bezel to its neighbour—in order to make the alteration less distinctive. The kind of microelectronics that you’d need to read and store card numbers can be made very small, and there seems to be no technical reason why a retrofitted bezel couldn’t be completely convincing.

Card skimmers are difficult to spot, and it seems to be hard to get people to take them seriously. I have some suggestions for mitigation, though:

  • ATM operators should provide dedicated phone lines, with unique identifying numbers on the screen, so that it’s easy to report a specific device.
  • ATM operators should remotely disable machines that are reported to have been tampered with.
  • ATM manufacturers should eliminate device fascia fussiness. There are so many protruberances and bits of plastic that additional ones don’t stand out, and no one knows what the real thing is meant to look like. It would be a lot harder to glue a bezel or camera on if, for example, the entire fascia were a single piece of steel with a card-sized slot cut into it.

This problem doesn’t seem likely to go away. I’m going to stick to using machines inside bank branches as far as possible.

Read the update!

Constitutions and passports

Northern Ireland is a great place to have been born, at least back when I was. You get to have two nationalities. (And, unlike UK citizens born elsewhere, you’re eligible for the US Diversity green card lottery.) I mean, sure, nationality based on the place in which you happened to be born is kind of arbitrary, but what else do you think nationality is?

Anyway, you get the right to choose two nationalities, which gives you the right to one passport. That’s right: I said one. No one has the right to a British passport.

In Ireland, it’s a constitutional right:

You also have a broader right to travel and to obtain a passport for the purpose of travelling.

Meanwhile, in the UK:

There is no entitlement to a passport and no statutory right to have access to a passport.

Say what?

The British passport is issued in accordance with the Royal Prerogative, which is laid before Parliament from time to time.

The fact that all political power in this nation is vested in a kindly old great-grandmother whom everyone respects is not just a theoretical concern.

How do I know all this? Well, earlier in the year, for some reason that no doubt made sense to me at the time, I decided to renew my British passport, which had expired several years earlier. One of the oddities of the British passport renewal process is the demand that you list and send in all passports (including foreign ones) when renewing. This does take away some of the convenience of having multiple passports, when you have to send them all away and can’t travel at all, and is one of the reasons why I hadn’t bothered to renew it before.

The situation with the Irish passport is very different: if your current passport is valid for less than six months, you can just send a photocopy, meaning that you can still travel. You can see which one is more convenient and more attuned to the needs of citizens, and oh, look, it’s the country with an actual constitution.

In order to avoid having to be without any passport at all for an unspecified duration, I elected to pay the handsome fee for the one-day UK passport renewal service. This costs 77% more, but in exchange you turn up in person, hand over the documents at a desk, go away, and come back six hours later to pick up your freshly printed passport. If you can afford it, it’s worth it; as a dual national, it rankles.

I chatted with the chap at the desk, and observed that I was only paying extra for this process so that I wouldn’t have to be without any passport at all. He glanced at my Irish passport, handed it back, and told me:

There’s no actual basis in law for requiring foreign passports, and we don’t have any way to tell if you have another passport.

I felt like a bit of a mug. Why didn’t I just send away the form neglecting to mention my other passport, wait a few weeks, and save the extra £55.50?

So I submitted a Freedom of Information request to Her Majesty’s Passport Office.

You can interpret their response as you like, but note that they didn’t do anything more than look at my Irish passport, so the biometric excuse seems unconvincing.

I don’t wonder why the opportunity to remake the state afresh appeals to so many in Scotland.


Scottish flags flying in London, September 2014

I was in Aberdeen at the weekend, but I think I saw more Scottish saltires flying from flagpoles in a fifteen-minute walk through Westminster this evening than I did all weekend.

Every government building in London is flying the Scottish flag now, it seems, as part of a desperate last-ditch attempt to head off the increasingly real possibility of Scottish independence. I think they might have left it a bit late to start taking things seriously.

I’ve been telling people for the past year that I think Scottish independence will happen. I may still be wrong, but I’m looking a lot less wrong now! If I were a gambler, I’d have put money on it back when it was 7/1. (But I’m not, and betting shops scare me a bit.)

I’m not sure how I feel about that. Scotland will still be there, of course, a short flight or a longer (and much dearer) train journey away. It’s always been a different country, but after independence I’d be visiting as a foreign national rather than a citizen. Without Scotland, this would no longer be the United Kingdom of Great Britain and Northern Ireland. Would we even be British any more? Geographically, yes, obviously, but perhaps not politically.

But it’s not my choice, and those are all bad reasons to deny a group the right to self-determination. I envy Scotland the chance to escape from the staid, unchangeable it’ll-never-work-here of British politics. It’s a risk, full of unknowns, and there’s no guarantee of what will actually emerge at the end of the process, but I can see why you’d would want to try. I think I’d feel the same.

And if independence happens, it’s going to change things down here too. Quite a lot, I think.

Encrypted application configuration

If you want to automate a process that requires a lot of sensitive information—passwords, a PIN, the second, πth and eleventy-first letters of your so-called ‘memorable word’, and so on—then you probably don’t want to type all of them in separately every time. On the other hand, you probably also don’t want them to be stored in plain text on your computer, even if you’re using full-disk encryption.

It’s easy to encrypt the configuration securely so that you only need one password when running the program. I’ll show you how to do it in Ruby using AES256 encryption and JSON as the configuration file format as an example. All you need is GnuPG installed and available in your path, and to have generated a keypair. (This is optional: see the end for how to use symmetric encryption instead of a keypair.)

To generate the configuration file, run (using the email address corresponding to your key):

$ gpg --encrypt --cipher-algo aes256 \
--recipient --output config.json.gpg -

and type (or more likely paste) your JSON configuration and press Ctrl-D.

In your application, you can read the configuration using:

config = JSON.parse(%x{ gpg --decrypt config.json.gpg })

You’ll be prompted to enter your secret key’s password. Depending on your environment, this may be a GUI dialog box or a shell prompt. If you’re using an agent, your system may remember this password for a time.

Handling the failure case is left to the reader, but that should be enough to get started.

If you don’t want to deal with a keypair, you can generate the configuration file using symmetric encryption instead:

$ gpg --symmetric --cipher-algo aes256 \
--output config.json.gpg

Decryption is the same regardless of the encryption method.

Scottish banknotes

Million-pound banknotes exist, as do hundred-million-pound ones. They’re used to back the notes issued by commercial banks in Scotland and Northern Ireland.

This is explained by the Committee of Scottish Bankers, a trade body three of whose four members are the Scottish note-issuing banks:

In accordance with the terms of the 2009 Act and the associated Banknote Regulations and Rules, issuing banks require to fully back their notes at all times with ring-fenced assets held partly in Bank of England notes and UK coin and partly in deposits held at the Bank of England. This, of course, means that holders of banknotes issued by the Scottish banks receive the same level of protection as that provided to holders of Bank of England notes.

So, given that all banknotes issued by Scottish and Northern Irish banks have to be backed by Bank of England notes and deposits, what’s in it for issuers? Why do they bear the costs of printing, distribution, and disposal?

This question had puzzled me for a long time, until I found what seemed to be an explanation in a Scotsman editorial:

However, Scottish bankers being clever types, they spotted that the value of their note issue was calculated on its value at the close of business on a Saturday. So they figured if they put the necessary deposits into the BoE on a Friday and took them out on Monday, the letter, if not the spirit of the law, would be complied with. Why do this? Because when their money is in the BoE, no interest can be earned on it, but for the other four days it can be deposited in an interest-bearing account, thus earning money for the note-issuing bank.

But what does the law say? First, the original Bank Notes (Scotland) Act 1845:

VI […] it shall not be lawful for any Banker in Scotland to have in Circulation, upon the Average of a Period of Four Weeks, to be ascertained as herein after mentioned, a greater Amount of Notes than an Amount composed of the Sum certified by the Commissioners of Stamps and Taxes as aforesaid and the monthly average Amount of Gold and Silver Coin held by such Banker at the head Office or principal Place of Issue of such Banker during the same Period of Four Weeks, to be ascertained in manner herein-after mentioned.

Or, stripped of some of its floridity: the limit of the value of banknotes that may be issued by a Scottish bank is the average of its holdings over a four-week period. The next clause elaborates:

VII […] every Banker who […] shall issue Bank Notes in Scotland shall, on some One Day in every Week […] transmit to the said Commissioners a just and true Account of the Amount of Bank Notes of such Banker in Circulation at the Close of the Business on the next preceding Saturday, […] and also an Account of the total Amount of Gold and Silver Coin held by such Banker […] at the Close of Business on each Day of the Week ending on the same Saturday, and also an Account of the total Amount of Gold and Silver Coin in Scotland held by such Banker at the Close of Business on that Day; and on completing the first Period of Four Weeks, and so on completing each successive Period of Four Weeks, every such Banker shall annex to such Account the average Amount of Bank Notes of such Banker in Circulation during the said Four Weeks […].

So: once a week, Scottish note-issuing banks must report:

1. the value of banknotes in circulation on the preceding Saturday;
2. the value of their holdings at the close of each weekday;
3. the value of their holdings at the close of that day; and
4. the average value of banknotes in circulation over a four-week period.

This all seems a bit sketchy to me, especially as it’s written in that impenetrable dialect of English used only by people drafting laws, but if you interpret the averages of notes and coin to be based on (1) and (3) respectively, and ‘that day’ to mean Saturday, then I think it works.

Or at least, did work: the Banking Act 2009, introduced after the financial crisis of 2007-8, probably in response to the fact that several of the UK’s note-issuing banks had been bailed out by the taxpayer, repeals most of the 1845 Act. To ensure that private banknotes would continue to have worth regardless of the business practices of their issuing banks, the Act requires banks to back their notes with cash or Band of England notes or deposits.

What keeps Scottish and Northern Irish banknotes being printed is an agreement between the Treasury, the Bank of England, and the note-issuing banks:

Under the deal revealed last night, the banks will have to deposit 100 per cent of the value of their notes seven days a week, but they will get interest on 40 per cent of that.

As far as I can see, this agreement is not enshrined in law, and is therefore subject to the continued agreement of the parties involved.

Finally, if you’re thinking that printing your own notes and getting interest sounds like a good deal, I have bad news: the 2009 Act only allows banks that were already issuing banknotes to continue to do so.

Adding to the default Rake task

You have a Rails app with a Rakefile. When you type rake, it runs all the tests (or specs if you prefer). You want it to do something else as well: let’s say you want to run RuboCop on your codebase.

Don’t do this:

task default: [:spec, :rubocop]

Do this instead:

task(:default).prerequisites << task(:rubocop)

Update or just this: as Avdi points out, it’s the same.

task default: :rubocop

With the first pattern, you need to collect together all the tasks in one place, and it’s easy to accidentally redefine the prerequisites so that something that you thought was running isn’t any longer.

With the second pattern, however, you can configure each additional task in a self-contained file in lib/tasks/[name].rake, and they won’t step on each other.

Keep Ruby Weird

My talk proposal for Keep Ruby Weird was accepted, so I’ll be in Austin, Texas at the end of October, speaking about (human language) writing systems.

Obviously, I’ll be spending all my time between now and then practising—I mean practicing—a Texan accent so that I can make myself understood.

First they came for our vacuum cleaners …

The evil, domineering, nanny-state EU wants to BAN powerful vacuum cleaners! Cue shock, horror, xenophobic outrage etc.

From next month, vacuum cleaners with motors that draw more than 1.6 kW will no longer be made or sold.

I was so appalled by this imposition on my liberties that I was driven to go and check the power consumption of my own very effective and rather industrial vacuum cleaner. It takes 600 W, or 1.2 kW on high-power boost mode. It works just fine.

Unless you’re running a dog kennel, I’m not sure this is going to be much of an issue. And if your vacuum draws enough power to heat a room, perhaps it really is indecently inefficient and not very well designed.

A proposal for renaming Greenland pier

Greenland pier is confusingly named, but I think there’s a reasonable alternative with historical provenance.

I’m working in Whitehall at the moment, and my current commute is: walk to the end of the road to Greenland pier; take a boat to Embankment; walk through a couple of parks to the office. It’s very pleasant, and I say that as someone who despises all commuting.

At this time of year, there are a lot of tourists on the boats in the evenings, and many of the ones going east are travelling to Greenwich. Every day, several of them confuse it with Greenland, two stops earlier. They’re spelt similarly, and, if you’re not a local, they’re often pronounced similarly, too.

In what I assume is an attempt to make things easier, Thames Clippers (who operate both the boats and the pier) have written ‘Surrey Quays’ in big letters across the pier, but that only makes things more confusing, because now there are two names. It’s inaccurate, too, because Surrey Quays Overground station is still fifteen or twenty minutes’ walk away.

From some time before 1723 until it was destroyed in the Second World War, a pub called the Dog and Duck stood on the spot now occupied by Greenland pier. (You can see it on the 1896 layer of Southwark Council’s maps of the area.) The pub also gave its name to the adjacent Dog and Duck stairs, which still stand next to the pier today.

I propose that the pier should be renamed. Greenland is too confusing; Surrey Quays is too misleading. There is, however, a unique, distinctive, unambiguous, historical name for the exact location, and that’s why it should be renamed Dog and Duck pier.


As if keeping modern mobile phones charged wasn’t hard enough already, it’s about to get a whole lot more annoying.

For ‘security’, passengers flying to the US will now be required to demonstrate that their electrical devices turn on, and gadgets with flat batteries won’t be allowed on the plane. This is, apparently, so that al-Qaeda can’t replace the batteries with something even more explosive than lithium-ion cells.

However, I see a problem:

1. Modern electronic devices use lithium-ion cells.
2. Lithium-ion cells have a standard voltage, which is determined by their chemistry.
3. Higher voltages (multiples of the cell voltage) are obtained by connecting multiple cells in series.
4. The difference between a large lithium ion cell and a small one is that the bigger one lasts longer. (You also have to worry about the maximum discharge rate, but my back-of-the-envelope calculations suggest that’s not a problem.)

In other words, it seems quite possible to strip out most of a laptop battery, replace it with a solid block of C4, and fit enough small cells in the space that’s left to power it on long enough to get through security.

Now, I don’t know where to get a block of C4, and I’m certainly not interested in blowing up any aircraft, least of all one I’m flying on! However, I do know where to buy small lithium-ion cells, and if I can order them from China via eBay, terrorists can probably manage it too.