Category Archives: Websites

Why eBay does not care about security

The Past

I have been on eBay since 1997.

For the past ten years, I have been using two-factor authentication to protect my eBay, Paypal and other accounts.

It started with the Paypal Security Key, also affectionately known as the “Paypal Football” because of its shape.

Introduced in 2007, the football is a $5 hardware device that displays a quasi-random six-digit number when the button is pressed. The code changes every thirty seconds and makes it impossible to get into your Paypal account without the “Football”, which lived on my Key-ring and went everywhere with me. When eBay bought Paypal, the football could be used to protect access to my eBay account as well.

Four years went by. The battery in the football ran down, and the device fell to pieces when I tried to replace it. Alarmingly, eBay no longer offered the “Football”, offering instead a credit-card device that fulfilled the same function at the somewhat higher price of $30. Getting the feeling that eBay was trying to turn a profit out of (in)security, I looked elsewhere… and found the Yubikey VIP.

I had been using a Yubikey in the past to protect, among other things, my Gmail account (the epic hack of the famous Wired journalist Mat Honan could have been thwarted, by his own admission, had he done the same). Now the good folks at Yubico were offering a Yubikey that also doubled as a Verisign VIP key (the technology that PayPal used in the football). I purchased one and have used it ever since. I am still using it to this day.

The Present

I got the following email from them yesterday.

Let me be clear: This is a really, really bad idea for a whole bunch of reasons. Let me enumerate a few:

  1. Texting is insecure. SMS is not encrypted, and SMS messages can be readily intercepted with the right equipment. Using SMS as a one-off mechanism to sign up for something is not too bad, but sending out a text every time you want to log in is a really bad idea.
  2. Not everybody has a texting plan. I am on Verizon’s ancient (not offered since 2012) un-capped, un-throttled, un-limited data plan. Verizon charges extra for text messages, so I have disabled text messaging.
  3. My phone is not always available. I may be able to take a call. I may be in a meeting. I may be in a basement or out of coverage. I may be overseas.
  4. I purposefully purchased serious security, and now eBay are replacing it with something that is less secure.

In an age where websites are becoming more and more secure, this is a retrograde step. So why did eBay do this astoundingly bone-headed thing?

  1. Money. It is my understanding that eBay have to pay Verisign to use this system, while a text message/voice system would be far cheaper.
  2. Support: Security, it is said, is the enemy of convenience. The previous system had some potential shortcomings that allowed users to easily revert to less secure options (“secret questions”, etc) if they didn’t have their hardware token with them. A properly-designed secure system would make it impossible to turn off two-factor authentication without extended vetting… which means hiring Customer Service people to establish the identity of the customer. Given the choice between “good” security and “CHEAP” security, it is hardly surprising that eBay went with the “less-good-but-dirt-cheap” option.

So what *should* eBay be doing?

  • If it ain’t broke… offer the $5 footballs again, or admit that you don’t know or care about security.
  • Use a known and trusted out-of-band key-generation system: If you don’t want to pay Verisign, use the Google Authenticator system, which runs in software, and is already trusted with Google, WordPress, DropBox and others who apparently care about security more than you do.
  • Roll your own like Blizzard and others. The technology is tried and trusted. Just do it.

But what if… what if the user cannot, for one reason or another, use the second factor? In addition, it should be possible to let users print out a set of recovery codes to use when the second factor is unavailable. Talk to Google about this; they obviously know something you don’t.

Microsoft breaks Hotmail. Again.

As they are wont to do from time to time, Microsoft made a change to its Hotmail web email service today. As part of their never-ending quest to make all of their products look like all of their other products, they completely overhauled the UI. Again.

This would not be an issue if not for the fact that this change also broke all Android apps that access Hotmail, including Microsoft’s own Hotmail App.

This is hardly surprising; the app has been deprecated for over a year. In 2013 they released a version that claimed to have “minor bug fixes” but broke the application entirely, replacing it with one button exhorting the user to “upgrade”. Only the upgrade was a completely different application — the Outlook app — which starts its life by staging a blatant and brazen attempt to scarf all of your contact data.

This “upgrade” is different. More than just cosmetic, it replaces the web UI — yet again — with something that looks awful, and is slow and prone to barfing (throwing random errors) at every opportunity. It also puts the final nail in the coffin of the long-deprecated-but-still-functional Hotmail App, along with every other application that checks your email.

Smart move, Microsoft.

Going to the Dark Side?

Yesterday I did something I swore I would never do.

I got a FaceBook account.

I have written before of my vehement disdain for FaceBook, and of why I would never get one. And yet, here I am with a FaceBook page.

Sort of.

No, you can’t be my “friend”

No, I will not “like” your product, service or company. Not unless you offer me money, anyway.

No, I have no intention of raising FaceBook’s market capitalization by investing my life in this website.


You see, this particular FaceBook account was set up to play an online game, and for no other purpose. It has next to no information on me. E-mail address, Date of Birth, that’s about it. The rest is fake – including my name. No information is available to anyone who is not a “friend”, and they are all players. And when I am done playing the game, I will deactivate the account.

So… have I gone over to the dark side?

You decide.

Security done right

Just got a message from LivingSocial.


The bad news is that somebody apparently hacked into their server and got their hands on names, e-mail addresses and passwords.

The good news is that the passwords were salted and hashed.

I’m not worried.

And even if I was, the password they stole is quasi-random and never used anywhere else.

Nicely done, chaps!
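Why “salted and hashed” changes the picture, as an added illustration written for this post (not LivingSocial’s code or anything from their notice): the unsalted scheme beside a salted, slow-hashed one, checked against a precomputed lookup of common passwords. The three accounts and the lookup table are constructed sample data; the quasi-random password stands in for the post’s “never used anywhere else” password.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the breach): two accounts reuse the same
# weak password, one uses a quasi-random password unique to this site.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "Qw7#pL9v$2mN"}
# Constructed stand-in for a precomputed "common passwords" lookup table.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p
               for p in ["password", "123456", "correct horse", "letmein"]}


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """The hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256),
    stored as a self-describing string so the parameters travel with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def exposure_after_breach(stored: dict) -> dict:
    """What a stolen table gives away to someone holding only a precomputed lookup:
    the accounts whose password is read straight off the stored value."""
    return {user: PRECOMPUTED[h] for user, h in stored.items() if h in PRECOMPUTED}


def duplicate_hash_groups(stored: dict) -> int:
    """Count stored values shared by more than one user; unsalted hashes leak
    password reuse this way, salted ones do not."""
    counts = {}
    for h in stored.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for n in counts.values() if n > 1)
```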

The Large Print Giveth…

Got this in my inbox:


One day I was feeling peckish and decided that Pizza would be nice. So I clicked on the big friendly-looking “Order Now” button. On selecting my local Pizza Hut Emporium, I got this interesting little pop-up:


…the small print taketh away.

Would I like to check out their current offers? Er… no.

No.

HELL NO!

Way to go Pizza Hut! You just drove me straight into the arms of the competition. Papa John’s, here I come…

How (not) to sell stuff on Craigslist

I recently got an iPad for her Ladyship (no, it was not a trade). I purchased it from a seller on Craigslist. After more than a week of sorting and searching through listings, I finally found the deal I was looking for.

This was so irksome because so many ads on Craigslist – particularly for high-demand items like iPads – are scams, meant to entice you into responding to an e-mail, thereby harvesting your e-mail address for spamming, phishing and other nefarious purposes. So for those of you who are trying to sell an item, I make a few suggestions.

  • Put in the important details, like what the item is (including make and model number), where in town you are and why are you selling it.
  • Link to the manufacturer’s product page – don’t just cut-and-paste it.
  • If you are selling a laptop, don’t call it a “labtop”, a “laptob”, or, God forbid, a “labtob”. You will be lumped in with the “I’m-too-stupid-to-spell” crowd, and worse, our searches will miss your ad.
  • Include a picture. I have seen so many ads from people who have a $400 iPad to sell… but apparently don’t have access to a camera or camera-phone. That screams “SCAMMER” or “IDIOT”.
  • Don’t use stock pictures. I have seen dozens of iPad ads, all with the same pictures — all shot down in minutes by enthusiastic flaggers like me.
  • If you are selling a big-ticket item, put in a phone number. Most of us initially reply by e-mail anyway, but if I am about to buy an expensive item, a lack of a phone number looks like the seller does not want to be found. It just smells wrong.
  • Don’t say “I don’t accept e-mails”. This is as annoying as those corporate emails that end with “this message was sent from an unmonitored mailbox”. You just posted the ad on the Web, for Heaven’s sake – use it!
  • Don’t advertise your business, pawnshop, computer repair store, flea market or eBay auction on CL. There are a thousand hustlers like you, all trying to freeload off Craigslist – and no, you are not the exception. Pay for a proper ad on eBay.
  • Don’t put up a whole bunch of ads at once. One a day is fine. Any more and you will get flagged.
  • Don’t put up “Wanted” or “Begging” posts in a “For Sale” area – there is an “Items Wanted” area for that.
  • And finally, take the ad down when the item is sold. Unless you want to be bothered by folks weeks or months later…

Dead Man Walking

I’ve been a fan of TiVo for a looong time…

More than ten years ago, I first found out about the product when it was featured on Oprah. Three years later I picked up a Series 2 TiVo at CompUSA for $150… with a $150 mail-in rebate.

Over the years I have paid tribute to TiVo here, here and here. I have also paid money to them to the tune of $13 per month – over $1200 in total – for the TiVo service over the years. A good product, a worthwhile service. It was money well spent. The TiVo has served me well.

Recently, when my 27″ Tube TV died, I replaced it with a 42″ LCD… and suddenly, Standard Definition was no longer good enough. So I started looking for a replacement TiVo that could handle high-definition TV.

A few months ago, I helped a friend to order and install a TiVo Premiere XL. As a result, I was familiar with the current state of the art. Last week, I got hold of a TiVo Premiere. I also picked up a CableCard from my Cable TV provider.

And that was when the trouble started. You see, TiVo chose last weekend to take their site down for maintenance, so it was not possible to connect the new box. I went onto chat and asked about this; all I got was lots of “I’m Sorry”. When I asked if this apology had “teeth” – like a month’s free service for the inconvenience – the answer was the lamentably predictable “Sorry-but-no” that I have come to associate with too many Customer Service departments.

When Monday rolled around, I went to TiVo’s website to get the new TiVo set up. It was not possible to simply transfer the account from one TiVo to the other – that would be too easy; according to this page, you cannot simply transfer service from an S2 to an S4 (Premiere). There’s no reason for this; you just can’t. Activating the “new” device was easy enough, but I could not deactivate the old one online, and you cannot do it via a Customer Service “Chat” feature – you have to call Customer Support for that. The trouble is that they are not answering the phone; I have called three times, with hold times ranging from 20 minutes to an hour before I gave up in disgust. How convenient.

It takes years to build a great reputation — and only one bone-headed decision to ruin it. I don’t know what is wrong with TiVo. Maybe they have a new CEO who is trying to wring profits out of the company without pursuing excellence. Maybe they are trying to save a few dollars by skimping on Customer Service. Maybe they have just given up and are milking this old brown cow for as long as they can before it falls over and dies.

If anyone at TiVo is reading this, I beg you to consider the following:

  • Invest in world-class customer service. Netflix has done it, why can’t you? “Sorry-but-no” just does not cut it.
  • Empower your CS Department: It doesn’t have to cost much – giving reps the authority to give out a free month of service to customers who have experienced inconvenience is a cheap, easy win: for only a few dollars of lost profits you get a whole lot of goodwill, and can turn a critic into a fan.
  • Build Decent Hardware: In a world where you can buy Wi-Fi enabled refrigerators, for you to expect customers to cough up an extra $90 for a proprietary Wi-Fi add-on is insanity. And putting gigabit Ethernet ports on your equipment costs only a few dollars but massively upgrades the top speed.
  • Match your product warranties to the contract length. Asking customers to sign up for a one-year contract while offering only 90 days of warranty coverage is a joke.
  • If you are going to take your system down for a whole weekend for maintenance, you had better have new features on the site when it comes back up.
  • The true measure of a company’s openness is how easy they make it to leave. Google, with their “Data Liberation” feature, shows how this should be done. Your website makes it easy to sign up, but incredibly difficult to leave.
  • Try to remember that you have competition: Ten years ago, TiVo was the only game in town. Now there are alternatives: Roku, Slingbox and other DVR solutions abound.
  • ANSWER THE DAMN PHONE! Before someone else does….

TiVo, I believe in your product, your service and your business model. But you badly need to get your act together, or you will be ground into dust by the competition.

Is eBay… eVil?

I just got an e-mail from our friends at eBay that I felt was worthy of mention. It is a change to their terms of service. Normally these things are just small changes or adjustments, but this one had two things that raised my eyebrows:

The User Agreement contains an Agreement to Arbitrate, which will, with limited exception, require you and eBay to submit claims to binding and final arbitration, unless you opt-out of the Agreement to Arbitrate by November 9, 2012. Unless you opt-out: (1) you will only be permitted to pursue claims against eBay on an individual basis, not as part of any class or representative action or proceeding and (2) you will only be permitted to seek relief (including monetary, injunctive, and declaratory relief) on an individual basis.

Hmmm… looks like a fairly transparent attempt by eBay to avoid class-action lawsuits. While I am no fan of class-action lawsuits where the lawyer gets $10M and I get a voucher for $0.89 off my next purchase, I don’t like anything that takes away my right to join one. I also have a big problem with compulsory-arbitration clauses. Not only are they unconstitutional (Amendment 7: “In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise re-examined in any Court of the United States, than according to the rules of the common law.”), but there is something of a conflict of interest; if the arbitrator is being paid by eBay I question their ability to come to a fair and unbiased decision.

You don’t need to take any further action to accept the updated eBay User Agreement. If you choose not to accept the new terms, visit this help page for further direction.

And the link points to… TERMINATE YOUR ACCOUNT! That’s not “further direction”, that’s “Grasshoppa, time for you to leave…”. You can opt out of the agreement to arbitrate without opting out of the updated user agreement, but they don’t exactly make it easy. Rather than giving you an “Opt-out-of-it-now” link, you are required to opt out in writing by a specific date. They don’t exactly make that information easy to find, either – so in the interest of public information, here it is.

Sincerely,

Braden Dong, Senior Counsel
Marcus Morissette, Privacy Counsel

Ah. Written by the lawyers – why am I not surprised? Something smells funny here, and the whole thing seems very very sneaky.

Of course, this is all academic to me; earlier this year I decided to stop selling things on eBay, since they seem to have become the buyers’ friend and the sellers’ enemy.

But it seems that every time they change their terms they become a little more… evil.

The 5 REAL Worst Customer Service Mistakes

I recently stumbled across an article entitled “The 5 Worst Customer Service Mistakes”, written by no less of a luminary than the CEO of a company. While it admirably addresses the top-level view, it struck me as “ivory-tower” thinking, and does nothing for a typical customer like me.

Sadly, the author does not invite comments, which is alarming in itself. So in the interest of completeness and respectful rebuttal, here is my “sea-level” version of “The 5 Worst Customer Service Mistakes”.

  1. Trying to keep your customers away from real people: When I hear “Our options have changed”, I interpret that as meaning “someone got through to a real person and we changed the system to block that path”. Solution: pay someone to answer the phone. The customer will be pleasantly surprised.
  2. Outsourcing customer support: Outsourced customer support does not care about your business. If they are paid by the number of calls they field, they will do anything to get the customer off the phone as fast as possible. We can tell if they are juggling calls, and that does not impress us. And yes, we can tell if English is not their first language, and that impresses us even less. (Hello Dell!)
  3. Not answering the question: How many times have you e-mailed customer support and got a boilerplate reply that does not answer the question? (EBAY/PAYPAL ARE YOU LISTENING? Evidently not…)
  4. Disempowered CSRs: “I’m sorry, I’m sorry, I’m sorry” does not cut it. Sorry does not solve my problem. They need to be able to fix the problem. And often they either cannot or will not. There is more to Customer Service than telling the customer: “Sorry, but NO”.
  5. Biased Surveys: Most post-support surveys dwell on whether the CSR was polite and respectful, not whether they were competent. “Are you satisfied, and if not why not?” is the only question that matters. Offering the option for a callback would be a win here.

Floral Tribute

I tried to order some flowers online a few days ago. We tried several different sites, from the big boys (proflowers.com, FTD.com) to a couple of smaller players. It was an interesting experience.

Many of the websites were quite badly designed; some had a habit of forgetting all the details that you had just typed in if you went back to change anything. But those were relatively minor gripes.

What really annoyed me, however, was the way that all of them sneakily hid the delivery and handling fees until late in the process. One successfully hid a $15 delivery fee until the very last screen before placing the order, presumably in the hope that the customer would not be paying attention and would blindly click “submit order”. NEXT!

Perhaps the scariest example was FTD. They used this graphic on their page, which looks like they are offering “free shipping or no service fees”.

On further investigation they wanted you to take out an “FTD Gold” Membership at $30 a year. The fact that this is one of those “auto-renew subscription” deals is a red flag for me. Nothing illegal here, but very, very sneaky. NEXT!

Proflowers added TWO delivery fees, a “care and handling” fee and tax, turning a $30 order into $52. NEXT!

And so it went on… here is my advice if you are purchasing flowers online:

  • Don’t bother creating an account – you may not be completing the order. Once you know you can trust them, go ahead and create one if you want.
  • Never assume anything: As we have seen from FTD, they will use phrasing to suggest that something is free when it isn’t.
  • Watch for the upsell: Sometimes they have a choice of three sizes, and “accidentally” select a larger size than the one you selected.
  • Triple-check before submitting the order – just in case a charge (or two… or three!) somehow sneaked into the order.
  • Don’t reward bad behavior: You may be tempted to just pay the charges and get it over with. Don’t do it. Once they know the order and the delivery address, they have enough information to tell you the delivery charge. If they try to surprise you with a “Gotcha!”, give them a “Gotcha!” of your own – take your business elsewhere.
  • And finally… Check your e-mail: Sometimes one of these outfits will notice that you left without ordering and will offer to waive the shipping fee. This is what happened to us, and they got the business.

The winner was fromyouflowers. The flowers arrived on time and they were lovely. They have my recommendation and I will be using their services again.