Things By Simon

Show Me The Money

I was offered a three month gig in Macau. I accepted it partly for the experience, partly for the stories, but mostly because I needed the money.

During employee orientation, the company set us up with accounts at the Bank of China. We would be paid monthly into these accounts in Macanese Patacas, then could transfer the money at will into our US accounts. Given that dealings with China are always a little hairy, I’d already asked around the underground magic network for people who had already done the gig. All reported that it had been fine. Checks had cleared, payments had been made, and everyone had transferred their money out without problems. I relaxed. This was my first mistake.

An employee liaison walked us through the account setup process at the Bank of China branch in the Casino itself. Forms were signed, passports were shown, and everything went smoothly. I set up a netbanking account and password, checked that I could sign in (since this would eventually be the medium via which I would transfer my money out to the USA), and all seemed good.

Since payday was monthly, my last payment would enter my account a couple of weeks after I left Macau. That was fine; the accounts remained our property for as long as there was money in them. We could transfer the funds any time via netbanking. Since each foreign transfer incurs a fee on top the exchange rate, I figured I would just wait until all the paychecks had cleared and then transfer the entire three months’ wages at once, thus saving on fees for multiple transfers. This was my second mistake.

Before transferring a large sum between two bank accounts, it pays to first do a smaller test transfer. The additional transfer fee is more than worth the peace of mind to check that you have all the routing numbers and so on correct in the tangled mess that can be international banking. I fully intended to do that before I left Macau, but in the chaos of packing and preparation for departure, I never got around to it. That was my third and by far worst mistake.


Online Security

Two weeks later, back in sunny California, basking in the joys of democracy, I finally sat down to do my bank transfer. I went to the Bank of China website, and logged in. Or attempted to.

I couldn’t log in. Ok, no big deal. Maybe I forgot the password. Maybe the login name itself was wrong. All modern websites have a relatively simple password reset system, right? Right?

I followed the links on the site. The only information on login/password reset said to call the technical support phone number in Macau. I did so. I navigated through the nightmarish automatic phone menu, and finally reached the right extension. It was closed. The time zone difference had taken us out of Macau business hours. It took me several days to get the right time zone slot – I had a lot going on in LA at the time – and when I finally did… it was a bank holiday in Macau. I then had to fly to cruise ship gig the next day, which left me in international waters for a week and hence unable to make phone calls.

This cycle repeated a couple of times, until after several weeks I finally managed to get through. I explained to the tech support guy that I couldn’t log in to online banking. He confirmed – in semi-broken English – that I would need to reset my password, and that to do so I should come in to the bank in person with my passport as proof of identity. I explained that I was 8,000 miles away, and hence coming in was going to be difficult. He said I should come in when I’m back in Macau. I explained that that wasn’t going to happen for a while, if ever, and I would like to access my money before then. He then became confused and put me on hold. After apparently researching the Bank of China protocol for this inconceivable situation, he explained that the process for a remote password reset was for them to email me a form that I should print, sign, scan, email back, and then they would mail me a new password. Not email. Mail. In the post. From Macau to Los Angeles.

I guess they take security seriously.

They emailed me the form. I printed it, signed it, scanned it, and emailed it back to them. They replied saying that my signature didn’t match the one they had on file. I suddenly had a horrible flashback. Way back when opening the account, there had been a moment where the teller asked me to re-sign a form because it didn’t exactly match one I’d previously signed. I had looked at the first signature, noticed that oh yes, it did have a slightly wider loop on one letter. I re-signed accordingly, and didn’t think any more of it. Like most people, my signature varies a bit between individual writings. Nobody in the western world really pays that much attention. It turns out that the Chinese banking system, steeped in a cultural history of imperial seals, name stamps, and very precise calligraphy, feels differently.

I filled out a second form, signed it with more care and attention, scanned it, emailed it, and received another reply saying that it still didn’t match. I tried to think back to four months ago when I’d opened the account. I had absolutely no memory of how I’d signed the form. Was it my hasty scribbly signature that I do when in a rush? Or my more careful measured one that’s a bit more legible? Or, more likely, some indefinable hybrid that I had almost no chance of exactly recreating?

I tried a third form, with the same response. I started to try and think of other ways to access my money. I had an ATM/debit card, but soon learned that Chinese ATMs work on a completely different network than the normal Switch/Maestro system that most countries use. No good. I then had an idea. A quick Google search revealed that Bank of China has a Los Angeles branch. After multiple false starts with their equally nightmarish phone system, I finally made it through to a teller, who helpfully explained that Bank of China *Macau*, while owned by the same parent company, runs on a completely separate system of accounts and databases to Bank of China proper, and that there was nothing they could do to help me.

I started looking up prices for plane tickets to Macau.


Alternative Approaches

Over the next few months, which didn’t have any wide enough time windows for a theoretical Macau fight, I tried a few other things. I called Bank of China Macau again, trying to find another possible path to my funds, but ran into standard mindless Mainland Chinese bureaucracy. I tried calling my contact at the House of Magic, who was helpful and sympathetic, but unable to do anything to influence Chinese banking regulations. I tried my debit card in various brands of ATM, hoping maybe I’d find one that would work (and gradually withdraw the entire 3 months’ salary in innumerable multiples of the daily limit), but no dice. I tried every imaginable permutation of logins and passwords on netbanking, but by now my account had been locked out for suspected hacking.

Meanwhile, things were getting tight financially. Working on the assumption I’d be leaving Macau with three months of income saved up, I had budgeted accordingly for the rest of the year. I had committed to several show development projects that wouldn’t earn anything short term, but could potentially pay off hugely in the future. But as the months passed and the money stayed locked in the Bank of China’s vaults, I had to dip further and further into my savings to stay alive. By mid year I was starting to worry about being able to pay rent.

Then an opportunity arose.

A magician friend called me, asking if I could join him on a short notice 12-day creative consulting project in Beijing. Decent day rate, travel and accommodation provided, and as a secret side project it would get me to the right part of the world to finally take care of this increasingly Kafkaesque quest for my money. I took the gig.

We arrived in Beijing. I was now just a (relatively) short domestic flight from Macau. Before booking it though, I thought I’d at least try a Beijing Bank of China branch. Maybe being in the right country would help. I’d be there in person with my passport, able to prove my identity, and have them verify that to their very close sister division in Macau. After two hours in a bank branch on the phone to Bank of China Macau via a Bank of China Beijing employee in a mix of her very limited English and my even more limited Mandarin (while my project team waited for me to come back from this now suspiciously long lunch break), she finally spoke the words I’d been dreaming of.

“Yes, they can… do… password reset for you.”

My heart soared. At last. I wouldn’t have to fly to Macau. My much needed cash pile was in reach. It had all been worth it.

“Yes… they will… email you a form to sign, then you send it back.”

She looked so happy to have been of help to this hapless foreigner. I couldn’t bring myself to tell her how far I’d already gone down the “sign this form” road. I thanked her, left, and went back to the fly-to-Macau plan.

Beijing and Macau are about five hours apart by plane. With the work schedule we had in Beijing, there was exactly one free day that I could use. There was no room to extend the trip (due to a gig back in LA), so that one day was my only window. I looked at flights. If I left on the earliest morning flight and came back on the latest evening one, I would have… three hours in Macau. Three hours to get to the bank, deal with whatever insanity awaited there, get my money, get back to the airport, and get back to Beijing.

It was… theoretically possible. But it would also, it turned out, cost nearly as much money to get those flights as it would for an entire round trip from LA. If this were a movie, I would absolutely have taken the gamble, failed barely to make it back in time (thus giving even more weight to subsequent scenes), but after several minutes of very deep breathing, I decided that gambling on a three hour time window was just not worth it. I’d have to come back again, with enough time to make sure it got sorted properly.


Brute Force

Then, a couple of nights later, after several drinks, I said “fuck it,” grabbed a sheet of paper, and signed my name about thirty times in as many slightly different variations as possible. I scanned a copy of the password reset form in to Photoshop, scanned in the page of signatures, and generated a huge number of identical-except-for-the-signature-field forms.

I spend the next several days sending them to Bank of China IT support. The moment they replied that the signature didn’t match, I immediately sent the next form, and planned to continue doing so indefinitely. I hoped that either A) one of them might actually match, or B) the IT support team would be so worn down by the bombardment that they’d eventually see the ridiculousness of the situation and let me in.

Miraculously, (A) happened first. I was about to finally be mailed a new password. To avoid said password getting lost en route to Los Angeles via the moderately janky Macau postal system, I gave them the address of a close and fully trustworthy friend in Hong Kong.

(Side note: when you think of someone as “trustworthy”, there are really two separate components to that. There are plenty of people whose integrity I trust, but wouldn’t necessarily trust their effectiveness to get a weird but critical job done right. The reverse can be true as well: people I trust to get something done, while knowing full well they’re only doing it because their interests happen to align with mine, and they wouldn’t hesitate to screw me over if that weren’t the case. This friend in Hong Kong is one of the tiny handful of people I know who rates maximum on both trust scales. It’s good to know people like that.)


Final Boss

After a few days, said friend messaged me to say the letter had arrived. I told him to wait. We were about to send incredibly valuable banking information over the internet, and I wanted to leave the narrowest possible window for anything to be intercepted, hacked, phished, or otherwise screwed up. I sat down, Bank of China login page at the ready, and asked him to send me (via the securest encrypted messenger app we could find) photos of the letter.

First page: “Thank you for being a Bank of China customer. Here is your new temporary user ID and password. Once you’ve logged in, please change it to a new one immediately.”

At last, after all this time! I typed in the ID and password and hit Enter.

“Error: incorrect login.”

I retyped the ID and password, double checking that I’d matched the random string of letters and numbers correctly.

“Error: incorrect login.”

I then noticed that there was a photo of a second page of the letter.

“In order to activate this temporary password, please first sign the enclosed approval form, and send it back to us in the enclosed addressed envelope.”

I stared at the screen for a very long time. I looked over at my page of thirty or so signatures, and thought about the eight months it had taken to get to this far. Eight months of stress, frustration, and financial anxiety, banging my head against the walls of an irrational and implacable bureaucracy, only to stumble again at what had looked like the final hurdle.

I went back to my chat window and typed “How do you feel about signature forgery?”

Even if it had been me doing the signing, I would have carefully copied my own signature from the the form that they finally accepted (luckily I had kept track, and had a digital copy of the sacred matching signature close to hand). We discussed printing the signature digitally on to the form to make sure it matched flawlessly, but the paper was too flimsy to risk running through a printer. We discussed using a light bed to trace it precisely, but though flimsy the paper also had a security pattern on the back that let almost no light through.

In the end, my friend practiced a few times, did it freehand, and nailed it exactly. Trustworthy, in all the ways. A few days later I received an email from the bank, saying that my password was now active for use. It worked. I logged in, and did the small test transfer that I should have done way back before leaving Macau. It cleared after a couple of business days, and I logged back in to do the final transfer.

A few days after that, and slightly more than eight months after finishing the gig, I finally had the money.


TL;DR

In summary, I navigated probably the most arduous password reset in the history of IT security. If you ever go banking in China, please learn from my mistakes. Make your transfers early, and practice the hell out of your signature.




Leave a Reply