Overzealous Security Strikes Again!
Richard Rost 
          
6 months ago
It all started with hope, excitement, and goosebumps...

The Citibank pre-sale for Rush tickets. I was ready. Logged in early. Queue position 134. Perfect. The gods of prog rock were smiling. I had my eye on the front row, meet-and-greet package. A once-in-a-lifetime chance to get a photo with Geddy Lee and Alex Lifeson. Pricey, yes, but you can't put a dollar value on lifelong fandom. Clicked checkout. Declined.

What?!

Plenty of credit, no fraud, no reason. Just a cold, heartless decline. Tried again. Declined again. I logged on to my Citibank account. No warnings. No notices. Nothing. I even made an extra payment on that card just in case that was it. No help. And then, like an ambulance showing up long after the patient has flatlined, Citibank texts me five minutes later: "Was this you?" Yes, it was me, damn it! I replied faster than Neil Peart's 16th-note fill. "Great," they said, "try your purchase again." But by then, Ticketmaster (or as the ancient tongues call it, TicketBastard) had already released my seats. Gone. Evaporated into the scalperverse. And now there's 51,972 people in the queue in front of me. FML!

I filed complaints with both Citibank and Ticketmaster, because this wasn't just a minor inconvenience. This was corporate incompetence wrapped in the self-righteous banner of "fraud prevention." It's like getting mugged by a security guard who apologizes and says it's for your own safety. Citibank delayed, Ticketmaster punished me for it, and both ended up helping the very bots they claim to fight. I told Citi: "Your system's delay directly caused me to lose a once-in-a-lifetime experience." I told Ticketmaster: "Your release window is too short. Give people a grace period to fix a payment issue." Will either listen? Probably not. But Ticketmaster will still get paid because some scalper bot farm halfway around the world has grabbed the tickets.

This isn't the first time I've complained about overzealous security. I've written about it before (see footnotes). The irony is that the more you try to "protect" customers, the more you end up punishing them. There's a fine line between security and stupidity, and we've long since crossed it. These companies act like every login attempt is a potential act of cyberterrorism. It's a concert ticket, not a nuclear launch code. Nobody's stealing state secrets to hear Tom Sawyer.

Citibank should have responded much quicker with that "is this you?" text. It was over 5 minutes before I received it. I know for a fact that American Express gets those texts to me within seconds in similar situations. When I went to the UK a few months ago, it happened a few times. Ticketmaster should have given me at least 5 to 10 minutes to complete my order. I realize they can't hold the tickets indefinitely, but 90 seconds? Come on. You'd think a company that charges $200 in service fees could afford a 5-minute timeout buffer.

And it's not just banks and ticket sites. You can't even log in to social media without a "just to make sure" verification text. Want to check your account? Better have your phone, your backup code, your mother's maiden name, and your childhood pet's blood type ready. Every login now feels like I'm trying to defuse a bomb. Cut the red wire, confirm your identity, prove you're human, identify all the motorcycles, spin three times... At this point, if someone did hack me, I'd probably hand them the password just to see if they could get through faster.

Now, here's where it gets relevant for my students and fellow developers: this is exactly what NOT to do when designing software. Don't make your systems so secure that they're unusable. If you build an Access database, ask yourself what's actually at risk. If someone breaks into a customer's account on my site, the worst they can do is watch video lessons and maybe request your next Learning Connection lesson. I don't store credit cards or sensitive data online. I can reverse a charge if need be. So no, you don't need two-factor authentication for every click. Right-size your security to the risk.

This lesson goes beyond security and coding.

In business, overprotection kills opportunity. Companies that require ten meetings, three signatures, and a blood oath before approving a new idea usually get left behind by competitors who just try things. Risk management is good - risk paralysis is fatal. Somewhere out there, a committee is still meeting about whether to schedule the next meeting. The same goes for customer experience. If your website has 14 login steps and a CAPTCHA that looks like a Rorschach test, people will just go to your competitor. Security that drives customers away isn't security - it's sabotage. I've had clients before where I spent hours with a manager going over specs for their new database system or network. After putting in all that time, he needed to "run it up the chain" and deal with superiors who didn't know squat, were worried about upsetting the status quo, and themselves had to get everything signed off on in triplicate. I got to the point where I started refusing to meet with anyone but the decision-maker.

Overprotection in relationships looks like jealousy disguised as care. The partner who checks your phone, wants constant updates, or insists on knowing where you are every minute tells themselves it's love, but it's really control. Healthy relationships require vulnerability and a little risk. If you lock someone down so tightly they can't breathe, they'll eventually find a way to escape. Usually through the back door, right after you've installed the GPS tracker. Trust is like a muscle - it only strengthens when you give it some freedom to move.

Speaking of muscles, overprotection shows up as fear of injury or obsession with perfection. The guy who never lifts heavy because he's afraid of pulling something never gets stronger. The woman who doesn't lift heavy because she doesn't want to get "too bulky" is doing herself a disservice. Trust me, you need to lift a lot and eat a ton of protein to "get jacked." The person who eats so "clean" they never enjoy food eventually burns out. You can't bubble-wrap your body and expect it to grow. Muscles, like minds, adapt to stress. Progress requires calculated risk - enough strain to challenge you, not so much that you break. Though at my age, sometimes just tying my shoes qualifies as progressive overload.

In politics, overprotection turns into overreach. Leaders claim they're "keeping citizens safe," but too often it means watching, censoring, or restricting them. We trade privacy for the illusion of security. It's the political version of Citibank's fraud alert - protecting you from something that might happen by making sure you can't do anything at all. Real freedom includes a little risk. A society afraid of everything eventually stops moving forward. Part of the risk of having a democratic society is that you have to balance security with freedom.

In religion, overprotection becomes dogma. When people are told not to question, not to think, and not to read anything outside their sacred book, that's not faith - that's fear disguised as faith. It's like installing so many spiritual firewalls that no new ideas can get through. If your beliefs can't survive honest inquiry, they're not strong - they're brittle. Real enlightenment requires curiosity, not quarantine.

So yeah, Citibank and Ticketmaster, thanks for the life lesson. You taught me that trying too hard to prevent loss is the fastest way to cause it. In your noble quest to save me from imaginary hackers, you managed to block the one person actually authorized to spend the money. Well done. You didn't stop fraud - you stopped fandom. You protected my account so effectively that even I couldn't use it.

You built Fort Knox around a credit card purchase, then handed the keys to a chatbot. Citibank's algorithm decided to guard me from myself, and Ticketmaster's system decided that 90 seconds of inactivity meant I had vanished into the ether. Bravo! Your digital gatekeepers worked perfectly. Take a bow, Skynet. You've officially protected me from joy. The bad guys were stopped, and so was I. At this point, your security is like a knight guarding the castle long after it's already burning down - loyal, vigilant, and completely missing the point.

But hey, you did give me something priceless: a perfect case study in how not to design a system. Every day I tell my students to build software that serves people, not policies. To think through the human side of design. You reminded me what happens when you forget that. A good system protects users without treating them like suspects. Yours failed that test spectacularly.

Captain Kirk once destroyed a computer named Landru because it "protected" its people by taking away their freedom. Maybe Citibank and Ticketmaster could learn something from that. Safety without freedom isn't protection - it's paralysis.

So thanks, Citibank and Ticketmaster. You may have cost me front-row Rush tickets, but you gave me something else: a masterclass in corporate face-planting, or as I like to call it, a front-row seat to your own incompetence. And for that, I'll take a slow clap from the back row - where apparently I belong in the great hierarchy of "customers we care about, but not too much."

LLAP
RR

Other Articles:
- 2FA is Dumb!
- Dead Phone, Again!
- Modern Authentication is a Mess

P.S. I did finally manage to score seats to a different show. So I'm happy about that at least. It's not the front-row meet-and-greet that I was aiming for, but I suppose the meek shall inherit the 2nd row.


Richard Rost OP  @Reply  
          
6 months ago


My second attempt at getting tickets. Are you kidding me?

Richard Rost OP  @Reply  
          
6 months ago


Checked StubHub this morning. These scalpers are out of their damn minds...

Kevin Robertson  @Reply  
          
6 months ago
I am assuming you DIDN'T buy the $46,540 tickets.
Sami Shamma  @Reply  
             
6 months ago
lol
Richard Rost OP  @Reply  
          
6 months ago
Kevin I'd need to take a 2nd mortgage out on my house to afford that - or sign up 1,552 new Platinum Members right now. LOL.
Kevin Yip  @Reply  
     
6 months ago
A purchase can be "flagged" as suspicious for whatever reason -- amount, location, merchant, your account history, "pattern" of charges, etc.  It's rare (for me anyway), but I should say it is pretty mundane.  Hoping for these companies to lower their security is probably futile. They will most likely raise it instead, as many people lose their entire savings due to security breaches, while your missing a concert, as upsetting as it is to you, is still just an inconvenience by comparison.
Richard Rost OP  @Reply  
          
6 months ago
Kevin I get what you're saying, and I'd agree if we were talking about something like wiring $40,000 to an account in Bangladesh or even making a large debit card transaction where real money leaves your account and might be hard to recover if it turns out to be fraud. But this was a credit card transaction for essentially a digital product that doesn't even physically exist until the day of the concert. If it had been fraudulent, the credit card company could simply reverse the charge and Ticketmaster could cancel the ticket. Nobody loses a dime.

That's why I said in the article that the key is to manage the amount of security based on the actual risk. This was an extremely time-sensitive purchase - I had about 90 seconds to complete checkout before losing the seats. When the potential downside is essentially zero, but the upside is a once-in-a-lifetime experience, cranking up the security to eleven just doesn't make sense.

I'm not saying throw security out the window. I'm saying right-size it. This wasn't my life savings or a wire transfer to a foreign bank. It was a digital concert ticket, and the amount of friction they introduced to "protect" me ended up causing the very loss they were supposedly preventing.
Kevin Yip  @Reply  
     
6 months ago
Richard   There is no "right-sizing" this.  Even if a $1 fraudulent charge is made on your account, you will still be warned about it.  Criminals don't necessarily withdraw large sums of money.  If you're okay with them stealing $1, $5, $10 from you every now and then, be my guest.  I've had banks warn me about $10-20 charges that did turn out to be fraudulent.  And I've had legitimate purchases flagged as suspicious as well.  As I said, it depends on your buying "patterns," history, and probably a lot more analytics.  Maybe this time you got burned, but when you have an actual fraudulent charge made and caught, even if it's just a penny, you'll be grateful they do their job.
Richard Rost OP  @Reply  
          
6 months ago
Kevin I completely understand where you're coming from, and I think we'll just have to agree to disagree on this one.

I've actually had my card used fraudulently before, and because I always use credit cards for online purchases, I'm at zero risk financially. Worst case, the bank cancels the card, sends me a new one, and I update a few autopays. Mildly annoying, but that's it. I never use debit cards or anything tied directly to my bank account for exactly that reason.

This particular purchase, though, was incredibly important to me and time-sensitive. Because of their overzealous fraud screening, I lost an opportunity I can't get back. Of course I'm grateful when security systems stop real fraud - especially when it involves an actual loss of money - but in this case, there was no potential loss to anyone. The system was guarding against an imaginary threat and, in doing so, caused real harm.
Matt Hall  @Reply  
          
6 months ago
What Citibank is actually selling to you is convenience.  You are right that they have face-planted on this.  You nailed the fact that they were never at risk either.  What you described would require nothing more than for Citibank or the card company to negotiate this kind of arrangement with TicketMaster, since their product is highly first-come first-serve.

I am a huge proponent of voting with my feet.  I just leave, GoDaddy style.  I have yet to find a company whose services couldn't be replaced with a company that is doing a better job.

Large corporations like Citibank aren't evil.  They are just dumb.  They don't recognize a problem until it shows up in their profit margins.  Customers leaving does just that.

As for Ticketmaster, when they find their tickets on scalping sites, it would be easy enough to issue a refund to the purchasing credit card, based on row and seat, and return the tickets to the pool.  Maybe they could do like airlines and issue the ticket to the named recipient at the time of purchase.  If they REALLY wanted to make a dent in the scalping, they wouldn't tell the scalpers about returning the seats to the sales pool and only honor the valid tickets at the venue.  The scalper customer base would shrivel instantly, once news broke out about losing money dealing with them.

I am sorry to hear about your front row tickets.
Michael Olgren  @Reply  
      
6 months ago
Matt I'd love to vote with my feet. Problem is, there are too many situations where you're up against a virtual monopoly. Cable? One provider or else go with a satellite dish. Not really a choice. Airlines? Maybe two companies fly direct, and they're both bad because they know they can be. Almost like they had an agreement... Congressperson? I live in Massachusetts, where I can choose a Democrat or an automatic loser. Thanks to gerrymandering, most people have a similar single realistic choice.
Richard Rost OP  @Reply  
          
6 months ago
Matt yeah, the problem was this was a Citibank pre-sale event, so unless you had a Citibank card, which fortunately I have the Citibank American Airlines card - which I really only use for tickets when I fly on American Airlines for the extra perks and miles. Just like I've got a Delta American Express card for when I fly Delta. But I don't think that they would notice or care if I cancelled my card with them. I figured my only best chance of getting any kind of consideration out of them would be to write a strongly worded complaint to customer service, if that even ever gets read.

Michael our system of politics gives people the illusion of choice.

Copyright 2026 by Computer Learning Zone, Amicron, and Richard Rost. All Rights Reserved.