Shop online safely

I’ve heard of and personally encountered a number of e-commerce websites like the one described in this NYTimes article. The proprietor of DecorMyEyes.com promises the cheapest designer eyewear on the net, intentionally delivers something other than what customers order (a cheaper or counterfeit model, for example), and then stalls, threatens, cajoles, and harasses people who try to get their money back. He makes money when customers give up trying to get a refund, allowing him to pocket the difference between the amount he charged their credit cards and the value of the goods he shipped.

I believe that the majority of e-commerce websites deliver what they say they will, but you need to know how to avoid the few that won’t. Interestingly, the huckster who runs the site described in the NYTimes article provides the answer:

Selling on the Internet, Mr. Borker says, attracts a new horde of potential customers every day. For the most part, they don’t know anything about DecorMyEyes, and the ones who bother to research the company — well, he doesn’t want their money. If you’re the type of person who reads consumer reviews, Mr. Borker would rather you shop elsewhere.

Mr. Borker doesn’t want cautious, conscientious customers because those customers reduce his hourly wage. Why bother selling to these people when there are plenty of shoppers who will give up trying to get their money back without much fuss? That is why, amazingly, the owner of this scam website isn’t troubled by the bad publicity that makes it easy to protect yourself.

Before clicking “Buy”

Just as changing your password to something marginally more complex than the typical internet user’s password makes you an undesirable target, doing a bit of research on the net makes you vastly less likely to fall victim to an e-commerce scam.

When I say “a bit”, I really mean it. It takes two seconds to type “decormyeyes fraud” into Google’s search engine. Every search result I got when I did that clued me in to the fact that this website is bad news:

Google search for term: decormyeyes fraud

A Better Business Bureau search piles on the evidence:

Better Business Bureau page for decormyeyes

So that’s it. The next time you are thinking of buying from an online retailer, just do a quick Google search like “companyname fraud” or “companyname scam” and then check out the Better Business Bureau rating. Most people spend a good amount of time researching their internet purchases — allocating just a couple of seconds to protecting yourself from fraud should not be too much of a burden.

Can you spot a card skimmer?

I can’t. Not always, anyway. Take a look at all the clever ways scammers skim ATM cards and PINs.

If you’ve seen one of those semi-translucent, green card slots with an image of a padlock on it, you know that banks are aware of the problem and are doing something to prevent it. Still, it seems like banks and other ATM owners could be doing more to let their customers know, at each ATM, how to avoid getting suckered by a skimmer. A picture of an unsullied model on the side of every ATM would be a big help. That way, you could compare the real-life model you’re looking at with the image, and hopefully you would notice any material discrepancies. I suppose evil-doers could simply replace the image with their own, but at least their jobs would be made more difficult for having to take that step. And it would provide ATM users with one more chance to notice a sloppy installation of an add-on to the machine.

Another option is a bit more high-tech, and would involve the ATM flashing a number on the screen that should match a number being displayed on the lip of the ATM card slot. This could be hacked, of course, but it would require gaining access to the ATM’s guts. Anything that increases the cost to would-be thieves in time and technical know-how is a good thing.

Anyhow, in the event that banks and other ATM owners do not put in a lot more effort than they currently do to stop this problem, what should you, the average ATM user, do?

Tips for avoiding ATM skimmers

I wish I could give some really solid advice here, but there are no foolproof methods. Here are the things I do to avoid card skimmers:

  1. Try to use ATMs inside banks, where it’s less likely that someone will install a skimming device.
  2. Quickly look at the parts of the ATM. If you see cheap-looking components that seem like they could come off with a slight tug, beware.
  3. Cover the keypad with your non-typing hand as you punch in your PIN. Scammers need the information on the magnetic stripe of your card and your PIN to gain access to your bank account. If you deprive them of your PIN, they’ve only got half of the information they need. Watch out for fake keypads placed over the real keypad, though, since this can allow scammers to get your PIN no matter how well you cover up when you key it in.


How good is free anti-virus?

Have you ever heard that free anti-virus programs skimp on their virus definitions so you aren’t as protected as you would be if you were using the paid version? It seems somewhat plausible as an incentive to get the free users to become paid users, right?

I’ve heard that claim from friends, but I’ve always been a bit skeptical. I haven’t seen any published reviews of free anti-virus programs that mention this sort of issue, nor have I seen any anti-virus company highlight advanced threat detection rates as a feature of their paid products that isn’t available in their free products. And if they want people to pay to upgrade to more advanced detection, they would have to actually tell their customers that there is a difference in that realm, wouldn’t they?

Anyway, I thought of that claim when I read this portion of an interview with AVG’s CEO:

The basic detection rates in our free product and our paid product are exactly the same. We’re not giving you less protection. We’re just giving you less functionality. The paid products have antispam and firewall and a few other bits. But the core features–the Web protection, the cloud protection, the virus protection–is all the same between free and paid.

I have no way of knowing for sure if that’s true for all free anti-virus providers, but I’ve used and been very happy with a number of free anti-virus programs including AVG, Avast, and, recently, Malwarebytes. Each of these, incidentally, is currently in the top five of CNET’s most popular downloads list, which is an excellent source of suggestions for high-quality software.


Ads that stalk you


The NY Times has an interesting article about targeted advertisements that follow people around the web:

Julie Matlin was tempted by a pair of shoes on Zappos.com. Then the shoes started showing up in ads on other sites she visited.

Then the shoes started to follow her everywhere she went online. An ad for those very shoes showed up on the blog TechCrunch. It popped up again on several other blogs and on Twitpic. It was as if Zappos had unleashed a persistent salesman who wouldn’t take no for an answer.

That sounds creepy. Nobody wants to feel watched while surfing the web — it’s just too much like having your mind read. Perhaps that’s not too worrying when you’re shopping for shoes, but what about when you’re looking for information about that skin rash that won’t go away?

It used to be easy to prevent the problem described by the woman in the Times story, but now there are sneakier ways to track users across websites. Now you need something like this Firefox add-on to thoroughly purge your browser of tracking technologies.

But does anyone really care?

There’s nothing easier than drumming up a bit of indignation for a news story. But does anyone really care about being tracked this way? Sure, all else equal, most of us would pick more privacy rather than less. But the real question is whether anyone is willing to pay for that privacy.

The metaphor of a persistent salesman who won’t take “no” for an answer is an illuminating one. Just as some stores try to attract customers by telling them about their easy-going, non-commission-based salespeople, some websites could differentiate themselves from the competition by telling internet users that they won’t install invasive tracking technologies.

We may yet see something like that, but I have my doubts. People like privacy, but they like getting great content and services cheaply, too. Websites that earn extra money by intruding on their customers’ privacy are likely going to outcompete websites that don’t if web user preferences lean more toward getting stuff cheaply than maintaining privacy. There is no easier place for experimentation with business practices than the web, so the dearth of websites that compete on the margin of privacy suggests that there probably isn’t much demand for it.

Government regulation of privacy

Right now, there is a debate at the Economist about whether governments should more heavily regulate online privacy issues. This blog has always been in favour of things that help people protect their privacy, but I have also stressed the importance of considering the costs of doing so. To my ear, government intervention to enhance privacy protections online sounds like forcing internet users to accept a different bundle of cheap content, quality services, and privacy than they currently want.

A quote from the primary proponent of regulation in the Economist debate highlights this:

…it is hard to imagine that the typical internet user can really do much to safeguard their privacy when companies purposefully make it so difficult.

Let’s imagine an (admittedly weird) alternate world where the current Economist debate is about the problem that all brick and mortar stores must be entered via doors that measure a mere 3 feet in height. One of the proponents of government regulation for bigger doors says:

…it is hard to imagine that the typical shopper can really do much to improve their shopping experience when companies purposefully make it so difficult to fit in the entrance.

It’s laughable because we know how easy it would be for stores to install larger doors and capture the customers who are dissatisfied with the doggy door experience. When you realize that privacy is something that can be and is bought and sold today just like any other commodity, you have to admit that a lack of concern on the part of businesses when it comes to privacy issues may just mean there is limited demand for it from most consumers’ point of view. And, in fact, it is possible that the current equilibrium is Pareto optimal.


BlackBerry security and VPNs

On Tuesday last week, The Economist keenly observed that:

Whenever you read about a dispute between a web-based service and a country, you need to ask yourself only one question: where is the server located?

BlackBerry servers are located in Canada, and data is encrypted when it is sent from one phone to another. That’s a problem for countries that want to intercept and monitor information sent across BlackBerry networks. From The Economist article:

Countries have two basic technical methods of controlling the flow of information over the internet. First, they claim legal jurisdiction over information stored on servers within their own borders. Second, they can read or block traffic moving through the choke-points where internet cables cross the border.

Neither of those options is available to countries wanting to spy on BlackBerry users, which is why Research In Motion, the makers of the BlackBerry, have been getting flak from the governments of India, Lebanon, Saudi Arabia and now the UAE:

The UAE’s Telecommunications Regulatory Authority said it would suspend BlackBerry Messenger, email and Web browsing services beginning on October 11th if RIM does not provide a solution for local messaging control.

Fortunately, Research In Motion told its customers not to worry:

The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM, or any wireless network operator, ever possess a copy of the key.

Unfortunately, Research In Motion quickly made a deal with the government of Saudi Arabia that undoes those fine intentions:

The agreement, which would involve placing a BlackBerry server inside Saudi Arabia, would allow the government to monitor users’ messages and allay official fears the service could be used for criminal purposes.

A similar deal with the UAE is likely to follow.

Staying secure when eavesdropping is a risk: VPNs

This brings up a general point about safe internet use in any setting where third parties — including governments, your ISP, or the guy next to you in the coffee shop sharing that WiFi hotspot — may be able to peek at your communications. A commenter on The Economist’s article wisely noted that:

…one can go to any hotel in Dubai, hop on its wifi with your laptop and use your own VPN (or company VPN in my case), effectively blocking them from seeing your communications.

Although it may be illegal to do so depending on your location, and I’m in favour of following the laws in the country you’re in, using a VPN may be a good idea in some scenarios.

The best explanation of VPNs I’ve read is from HowStuffWorks.com, which suggests the analogy of the internet as an ocean and most internet traffic as being like a ferry from one island to another. When you’re on a ferry, everyone can see who you are and what you are doing. It’s public.

A VPN, on the other hand, is like a submarine that allows you to travel underwater from island to island. Some savvy observers of the ocean (your ISP, for example) may know that you are in a submarine, but they won’t know your ultimate destination or what’s inside of the submarine (i.e., the information you are transferring from your computer to the destination computer).

To use a VPN, you simply need to install VPN software on your computer (some suggestions are provided below), connect to the internet, start the VPN software, then proceed to browse the net.

Drawbacks of VPNs

As with any security solution, VPNs have some drawbacks:

  1. You have to trust the VPN provider more than you trust your current connection. There’s no way around this if you’re using a commercial VPN (highly technical users can set up their own VPN servers to get around this problem, but the process is too difficult for most of us). The best assurance any VPN company can give you is something like this:
    What needs to be understood, is that our livelihood depends on keeping you safe and honoring your privacy. If we ever compromised that, unwillingly or with bad intent, I would imagine word would get out pretty fast. I can say that here at WiTopia, we take it very very seriously.

  2. They slow your browsing/VOIPing/messaging. Because of the encryption/decryption process and because your internet communications are first routed to your VPN’s servers before being routed to the ultimate destination, you’ll probably notice some lag.

A few VPN companies

I can’t promise that these companies will keep your information secure. There is no such thing as perfect security. If it’s important to you, you need to do the background research and decide for yourself if using a VPN is safer than the alternative. That said, here are two companies that were discussed by CNET and one that a friend recommended to me:

  1. WiTopia
  2. HotSpotVPN
  3. proXPN, which is free and has a Facebook page where the company often answers user questions

Added 10 Aug 2010: U.S. authorities are already able to tap BlackBerry messages. And Bruce Schneier noted a few days ago that:

The UAE can’t eavesdrop on BlackBerry traffic because it is encrypted between RIM’s servers and the phones. That makes sense, but conventional e-mail services are no different. Gmail, for example, is encrypted between Google’s servers and the users’ computers. So are most other webmail services. Is the mobile nature of BlackBerrys really that different? Is it really not a problem that any smart phone can access webmail through an encrypted SSL tunnel?
