Wednesday, April 19, 2017

Financial Cyber Security: #2 The "Safer Than Your Neighbour" Theory

Okay, I know a lot of cyber security experts don't really believe that this is a real thing, but I believe that it is.

Example 1

When I was in the Netherlands (the land of bicycles), I was always told that the safest place to park my bicycle is NOT a well-lit, highly trafficked place.

It is in fact to park it in between bicycles with smaller locks and thinner chains.

If a bicycle theft is going to steal a bunch of bicycles, he is going to go for the easiest ones. The marginal ones. He has a physical real-world limitations of just how many bicycles he can steal and how much time he has to steal them.

So this theory works by not analyzing only what security measure you have taken, but by looking at others and strategically making yourself excluded from being targetted by being comparatively a harder target.

The idea of this can be very easily summed up in this age old story that I am sure you have heard before:


Sometimes different animals are used in the story, like a lion or tiger, but the point is still the same.

For me to be safe, I only need to be a harder target than the rest.

Cyber security experts don't really believe this because a hacker doesn't really have real-life constraints. If he wants YOUR "bicycle", he can send his machines (or network of machines) to run multiple attack vectors to try and get your bicycle. In that sense, it is true that just having slightly better security than the next does not keep you safe.

However, this theory still does work in a general sense.

Example 2

Say for example, if a whole bunch of encrypted credentials were leaked, hackers could work on breaking these encryptions.

Was your encryption done with a 56-bit key? It takes 6 minutes to crack
64-bit key? 8 minutes.

Damn.

But wait, what if I was using a 256-bit key? How long would that take then? The world's fastest supercompuer would have to run for 9 years straight to break that encryption. I would put that as pretty safe and I'm pretty darn certain that after 10 minutes they are just gonna skip yours and continue onto the rest.

Example 3

If you saw a bunch of handphones lying neatly in a row, and I told you that your mission was to access the handphone and search for private information, which of these would you choose to target?

Handphone 1: Fingerprint scanner
Handphone 2: Iris scanner
Handphone 3: Alphanumeric password
Handphone 4: 8 digit PIN
Handphone 5: 6 digit PIN
Handphone 6: 4 digit PIN
Handphone 7: Pattern
Handphone 8: No password

I'm sure that you would go straight for #8, and then choose either #7 or #6 and then just get stuck. You wouldn't even bother to attempt to try any of the rest.

Conclusion

Unless you are a high-profile person or are being specifically targetted to be attacked, understanding and utilizing this "safer than your neighbour" theory can help you stay relatively secure. Using this theory does require you to understand what is the "norm" that people do and to try and keep yourself at least one, if not, several steps ahead of them.

This theory works based on deterrence. If no one decides to attack you (because they have decided to attack other relatively easier targets), you don't even have to worry if your defenses can hold.

Of course, this is not a complete solution by itself. It just helps knowing how attacks select their targets and how to avoid painting yourself as an easy target.

QUIZ TIME! Practical example:

An identity theft is looking at a list of emails to find a good target for his attacks. There are 4 men named John Tan. Who would the identity theft think about attacking first? Who would be last?

1) JohnTan95@yahoo.com
2) John_Tan_Ah_Huat1995@hotmail.com
3) johntanah@gmail.com
4) jtah@protonmail.com

Winner gets... practical understanding of how this theory works!

Saturday, April 15, 2017

Don't Fall For This Insurance Agent "Trick"

Don't mind the title, just trying to use the click-bait sort of titles to pull in the views, because this is a trick that most, if not all, of the slimy agents out there will use.

The TL;DR is at the bottom, so jump there if you don't want to see my amazing story telling skills.

----------------------------------------------------------------------------------------------------------

I am just minding my own business walking around when I am suddenly approached by this cute girl.

Quite tall, slim build, nice tan and quite cute. Why got cute girl come talk to me? I spot the lanyard "ABCXYZ Insurance".

Chey. Insurance agent. No wonder. The more cute they are, the more careful you must be, I remind myself.

I insist that I am a damn hard sell and there is a very low chance that she can sell me anything. She persists. Just listen only, no need to commit. I shrug.

Her opener is not bad. She ambiguously described this product until it sounded damn good. She asks for 2 minutes of my time. I was actually early for my next appointment, so okay what the heck. Let's see what sort of "product" this is. See guys, I suffer and tahan insurance agents so that you all don't have to waste your time. (It TOTALLY has nothing to do with her being cute)

Okay, I sit down at the table. Aiyo why all the other tables empty? Why only got me? I'm the only stupid fella that kena tricked into the lion's den?

Suddenly the agent appears from my left. Eh wait, she looks different?! More mature looking (but still young), shorter hair and even more tan, but I can easily tell that she is also still the kind that must be careful. Senior insurance agents got more experience "dok" people. This one must be careful. I cannot let my guard down.

What happened to the agent that talked to me? Don't tell me that this is a bait and switch... not that I really mind since this agent also seems quite pleasant, if you know what I mean... plus since I'm just killing time...

Then the original agent popped up from my right. Walao, what is this? Double team? 2 insurance agents vs 1 GMGH? Unfair matchup! Nevermind, GMGH is strong, GMGH will listen. I have defeated insurance agents before, I can do it again if I have to!

Anyway, from here on I will refer to them as Senior and Junior.

Junior introduces me to Senior. Both have English names. Should be easy to remember.

Senior quizes me on bank deposit rate. 0.05%, nailed it.
Senior quizes me on my bank interest rate. 1.85%, nailed it. (OCBC 360)
Senior says OCBC 360 interest is only up to $60,000. I correct her that it is $70,000.
Senior then talks about the product features and the different product options.
I have already forgotten both their names, dammit.

Junior just sits beside me and keeps nodding her head. I worried it might fall off.
Senior says that "with bank interest rates so low and inflation rate being 2.6%..."

GMGH almost triggered.
GMGH clears throat and Senior stops talking. "Erm, inflation rate is NOT 2.6%?"

Senior looks confused. Junior jumps in for the save. "Yes, inflation rate is 2.6%!"

GMGH GETS *TRIGGERED*


GMGH looks at them blankly. Then replies firmly, "Er. No. Inflation rate is definitely NOT 2.6%."

This goes on back and forth for a bit. I can tell it is going nowhere.

"Inflation rate is not 2.6%. It is 0.7%. You guys are both wrong. Inflation has been negative for the longest time. Inflation at 2.6% is an impossible number. Where do you get your 2.6% number from?"

Both are a bit stunned. Junior volunteers to fact check. Senior continues to explain to me the product. She is doing a pretty bad job.

In case anyone was curious, it was a regular savings endowment plan, participating plan, no guaranteed returns, only capital guaranteed. Just more complicated than usual with its withdrawal features.

Senior confirms all these facts. Senior continues to explain how I can make withdrawals from my plan if I need to... go on a holiday with my girlfriend. Geez. That was the example she used! I'm not sure what kind of financial lifestyle she is advocating... but it is definitely not the prudent lifestyle. I can see how dumb millennials would fall for that though. Anyway, the number which she kept using over and over again might as well be pulled out from her butt since it isn't guaranteed

Junior finally reports back. It must have been tough to type "Singapore Inflation Rate" into Google. Apparently we are both correct.

"Both correct?", I choke, half in disbelief, half in confusion.

Historical inflation rate is 2.6%. Latest yoy inflation rate is 0.7%.

Oh. So we are both correct? LOL. Is she freaking kidding me? Deep down inside, unless they are both super goondu and don't really understand what inflation is, I think that they both know that only one of us was right.

(Hint: It was me)

They change topic. What is my profession? How come I know so much about inflation rates and financial products?

Part of me is secretly happy that they find me a challenge. Part of me is also sad knowing how many people would not be able to defend themselves from such an attack. Let alone an attack by 2 cute female agents. Jialat. This floor underneath where I'm sitting at must have a lot of spilled blood from all the previous guys that sat here before me and kena "dok" by them.

Anyway, they tried their best but they could not succeed. I could tell they were a bit disappointed. They did just spend waste 15 minutes trying to sell me an endowment plan.

Damn. 15 minutes already? Basket, I thought only 2 minutes! Kena scammed already, haha.

I thanked them for their time and I showed myself out while they both just sat in their seats trying to figure out what just happened. They literally just sat there and stared at each other.


I'll tell you what just happened.


I wonder if they honestly did not know the current inflation rate, or if they were just acting like they did not know. Oh well, we will never know.

I check my watch. Just on time for my appointment. It's going to be a good day.

---------------------------------------------------------------------------------------------------------

TL;DR - Insurance agent gave FALSE information that the inflation rate in Singapore is 2.6%. That figure is actually the average inflation rate since independence. The actual inflation rate (CPI-All Items) is 0.7%. Historical average inflation rate is NOT an useful figure to decide if you should buy an endowment plan. The historical average is being presented as if it is the current situation.

Why is this a problem? By giving such a big (and false) number, especially when compared to the current low bank rates / fixed deposit rates that most of us are familiar with, it scares and shocks people to quickly take action because the difference seems so huge. However, they would be taking action based on false information.

Is this ethical? I think not. But then again I think close to no one gives a shit.

Are they "wrong"? Oops, they forgot to say "average". You're the one signing the piece of paper to sign away thousands of dollars every year. Whether it is a good policy or a stupid policy, it is up to you to decide since it can potentially become YOUR policy. You better understand what you get yourself into, or you're going to end up literally paying for your mistake.

Source: Average Inflation Rate in Singapore since 1962 tracked by Trading Economics
Source: Feb 2017 y-o-y Inflation Rate published by MAS
Fun fact: The CPI-All Items was negative for almost the 2 years.

I prefer using the CPI-All Items because.... it tracks all items? Be my guest to use MAS Core Inflation if that suits you.

Recommended reading to level up:
Should I "support" my insurance agent friends?
Should I buy an Investment Savings Plan?
If something is 10% insurance and 90% investment, why do people call it Insurance?

Friday, April 14, 2017

Financial Cyber Security: #1 The Security-Convenience Continuum

Okay, there is one thing is we need to understand when we get down to looking at Financial Cyber Security, or anything that requires security at all. And that is the good ol' Security-Convenience Continuum. It's very, very complicated, so let me draw a diagram for you:


So on one end you have Safety.
On the other end you have Convenience.

Basically, this is a gave-and-take relationship. If you want more convenience, you get less security. If you want more security you get less convenience.

Let's take a bicycle for an example.

#0: The most convenient way to access your bicycle is to keep it on the ground floor, with no locks.
Pump up security, cut back on convenience #1: Add locks to your bicycle located on the ground floor
Pump up security, cut back on convenience #2: Keep your bicycle on your floor corridor
Pump up security, cut back on convenience #3: Keep your bicycle outside your house, with CCTV
Pump up security, cut back on convenience #4: Keep your bicycle inside your house
Pump up security, cut back on convenience #5: Dismantle bicycle and hide the parts separately

Is #0 the most convenient way to ride your bicycle? Of course!
Is #5 the most secure way to prevent your bicycle from theft? Seems like it.

But of course you can see that #0 is ridiculous because your bicycle has no security, while #5 is also ridiculous because it is so inconvenient, you would probably never ride your bicycle.

Other examples? How about your usernames and passwords? The most convenient combination is your email as your username and just recycling Password123, but of course, how secure is that? Not very, I must say.

Hmmm, what else is convenient? Just hopping onto a free internet computer terminal and logging into your emails, ibanking, etc. No need to log in and fumble around through your phone with that tiny screen, and no need to worry about any data charges too, right?

Personally, I believe that when it comes to Financial Cyber Security, it is better to be more on the secure side as compared to the convenient side. With every step up and down the convenience ladder, you should also be aware what sort of security you lose and gain. Honestly, it is more art than science to decide on a sweet spot for you and it largely depends on personal usage, experience and tolerance for inconvenience.

Sometimes by moving along the continuum, you get a massive increase in convenience with an insignificant drop in security. You might want to consider to make this change.

Sometimes you also get a huge drop in security with an almost indifference user experience for convenience. You might not want to make this change.

However, no matter what, I believe that it is important to have a personal minimum threshold when it comes to security.


I like to think as a huge plot of land being your kingdom (all the personal information about you), while there are information about you that is scattered across the land. You can relocate the information if you want. People is access and invaders, attackers are well... invaders and attackers.

First, I need to identify what information about me is lying around. Is it freely accessible by anybody? What are the controls I have to make sure that this information is not abused? Can I protect and prevent free access to these information?

For me, all my information that I want to secure should have a castle built on it at the very minimum. A castle allows me to have the infrastructure to control and monitor people that move in and out of my castle (accessibility), but also ensures that my "information" within the castle is not being freely accessed by anybody.

Each castle (containing information) can have enhanced defences, such being built in the heart of your kingdom, being clustered together for group defence (but also group vulnerability), having part of your army patrol between castles, hiding the castle in a forest or in the mountains, having walls which are higher or thicker than usual, re-inforced gates, wall archers, boiling pots of tar, dummy castles, secret escapes, etc...

How you decide to "defend" your castle and your kingdom is really up to you.

But of course, with more defences (security), you also eat up a lot of resources (convenience) which could be better used to do other more productive things.

Sure, you can have a secret, hidden, impenetrable castle, but how would people access it? It's the same as dismantling your bicycle and hiding the parts separately. Safe and secure, no doubt. But useless in terms of access and convenience.

Anyway, that's just a little bit of rambling. Maybe my analogy might be a little bit confusing and a bit stupid, but bear with me because I just thought of it on the spot to make it a bit more visual for people who have difficulty visualling without examples.

Tuesday, April 11, 2017

Shield Plan with NCD?!

Props to D&S for highlighting this news. I found the ST article about it and read more.

In a nutshell, Prudential is gonna roll out a different pricing structure for their Private Hospital tier Shield plan rider. It's a mouthful, but that's what it is.

If you are healthy, 10% NCD on the rider.
If you sick af, 200% premium increase.

Lolz.

Personally, I like the idea of implementing some sort of pricing element as a way to counter moral hazard, but the pricing seems absolutely retarded.

Get a slighttttttttt discount if you are healthy. Get screwed if you're not.

I don't know, doesn't sound too good to me imo.

I personally would rather see all the insurers to have a co-pay option like Prudential or NTUC.

(Link to super long post about co-pay vs no-pay Shield riders)

Actually my dream would be to have a stripped down no-frills rider like AXA Basic Care, but with a co-pay flavour.

Anyway, I'm in the midst of finalizing and wrapping my switch from NTUC to AXA. Hopefully I can post an insurance update soon!

Monday, April 3, 2017

Nostramoney 2017


It's been a while since I've done one of these. I got Trump right though, 7 months before elections. Maybe it's luck, but I did make a bet with a friend and pocketed some nice money because of the insane odds.

US equities head lower within the next 2 quarters (at least a ~10% drop in the indices)
Short term rates hit a ceiling
Long term rates continues to stay low
Oil bounces around $40-60
USD has peaked and will slide for the next few YEARS
Gold starts surging

Locally, unemployment starts heading higher
STI falls back under 3000
Property begins to finally correct

Contrary to popular belief, risk-off will be triggered not by a political risk or act of terrorism, but simply due to extreme valuations.

Hehe, anyway these are just play-play predictions. Actually, more like my personal wishlist. Oh well, we shall see how things pan out. I'm just a small fry waiting for the right opportunity to capitalize on what happens when the big boys starts to move things around.