I’d made an appointment with the hairdresser – but still had to wait for an hour. It was one of those days.
The customer before me – an old lady – asked the business owner for bank account details to transfer her payment.
“Do you have PayID?” the hairdresser asked. She didn’t.
“It’s okay! I can log in to my bank using my laptop,” she announced.
She opened her suitcase (literally one you’d use for travelling, complete with multi-directional wheels) and produced a large notebook.
The unwieldy laptop was handed to me – more accurately shoved in my face with haircut in progress; my hands unenthusiastic receivers.
On the screen was the woman’s logged-in banking account.
“Are you sure your details are correct?” she asked the hairdresser.
Scrolling across the screen I saw that she’d entered the account details into the BPAY option. I selected the Bank Transfer option for her, and entered in the details provided by the hairdresser.
This also resulted in an error. Double and triple checked. Same error. The old lady looked at me and motioned for me to “fix it”.
I was considerably uncomfortable being shown her finances, and even more so touching her laptop and entering transfer details on her behalf.
“Sorry, you’re going to need to speak to your bank’s support hotline. I can’t help you,” I said firmly. “I can’t troubleshoot a system I have no admin access to,” I offered as explanation.
She accepted my advice to call the support hotline later, and before she left she mentioned the other locations she would visit during the day – including the bank. I suggested completing the bank transfer the old-fashioned way: with the assistance of a teller.
Someone’s logged-in bank account screen is a very private view into their life. It’s difficult to put into words the level of discomfort I felt.
It was also a strangely familiar sight – with all the scam-baiting videos I’d watched on YouTube. Being – effectively – handed control of someone’s finances as a complete stranger is a scammer’s endgame.
Sure, I could have tried other browsers, cleared cache and cookies, installed a different browser, or helped her set up BPAY or a phone app.
She was a sweet old lady – very talkative and energetic (to wheel a suitcase around!). But far, far too trusting.
In the hands of a bad actor, a few seconds could be all that’s needed – inspecting/dev tools to quickly edit balance amounts, F5 to refresh.
Instigate panic and anxiety, open the victim’s psyche to a social engineering attack.
It’s possible to rationalise the risk of this situation repeating itself as qualitatively low, but this bizarre story serves as a reminder that it’s imperative to educate our aging population about the risks associated with technology and how to manage them.