Hey Dell, your vending machine is broken


For the past 48 hours, I have been trying to give Dell Computer my money but it has been a very frustrating experience.  The story should read: I pick out my computer online, I pay for it with my credit card, they ship the computer to me and the transaction is complete.  It went nothing like this, and in this blog post I want to show how online fraud and cybercrime have affected the honest consumer just trying to do business.  It’s obvious no one is counting these costs because I have never experienced something so broken.  As criminals become cleverer in their ways, both vendors and consumers need to also evolve, and this obviously was not the case with Dell over the past few days.

Day 1: I do my research and end up selecting a Dell computer, configure it just the way I want it, enter all my information and click purchase.  Within minutes I get a confirmation of the purchase and an estimated delivery of the unit.  The next action should be tracking the package and getting my merchandise.

Day 2: I’m at a coffee shop first thing in the morning and I open my email to find a message from Dell saying the order is being ‘held’.  1) While it is my first email, the subject says it is the 2nd notify.  WTF?  And 2) the reason is that there are ‘difficulties processing payment for your order’, which we will later find out was a complete lie after speaking to my bank, who had already authorized the purchase.

So the instructions say to contact Dell at a 1-800 number, so I do.  A person who I will call A.L. answers, gets my order # and asks me to verify 4 or 5 different things about myself and the order.  I answer all the questions correctly and then she says: “What I need you to do is to send me an email from your business account please.”   If you are paying attention so far, you will know that they already sent me an email which I validated with my call into A.L.  So I tell her I am using my business address, it is the one I entered in the order, it is the one I used to get the number to call her.  She says (don’t laugh), no, that is your gmail account, I need you to send me an email from your business.  2xWTF?  I kinda lose it at this point and explain again that I use my gmail account for my business and she finally says ok ok ok, just reply with a statement that this is my order and that I confirm that the order is valid.  I make her stay on the phone with me while she confirms that she received it.  I ask if there is anything else and she says no, the order is no longer on hold.

Get ready to punch yourself in the face.  Approximately 5 hours later that same day I get an email explaining THAT THE ORDER WAS CANCELED!  The explanation being that they could NOT GET IN TOUCH WITH ME to “ensure the security of the transaction”.  Really?  Oh, wait, it gets even worse.

I call Dell again, give them my order number and explain to the agent that earlier in the day, I played 20 questions with a person who said the order was off hold status and that I just now received an email saying “ORDER CANCELED”.  She says “Oh, that is because your credit card company did not fund the transaction and cancelled the order”.  I ask “Are you sure, because my other purchases went through”.  She says “There is nothing Dell can do at this point because you will need to work this out with your bank”.  I thank her and say that I will get to the bottom of this.

Ring ring ring…I get on the line with an agent at my bank and ask her about this transaction.  She confirms the amount and says “Sir, this transaction was authorized a few days ago” (the initial online purchase).  I ask her for the authorization number and she gives it to me.  I ask if she would be ok speaking with the merchant because they just flat out lied to me.  She said no problem and was there to help.  (love my bank)

Ring ring ring…hopefully final call to Dell.  I get to an agent and explain the entire history of the transaction, and highlight the fact that I may want to speak to a manager because the last agent I spoke with lied to my face saying that the credit card company cancelled the transaction and I needed to start the entire buying process over again with another credit card.  They put me on hold….waiting…waiting…they come back on the line and say they will create a new order, and ship it next day for free.

You would think at this point, I would be done but it has been 12 hours from my last call with Dell and still no confirmation.  I will update the comments as this story unfolds.

So here is the deal: throughout this entire transaction, being the security person I am, I can name half a dozen places where little to no authentication was performed.  In fact, the first email that came to me from Dell could have been a spear-phishing message, putting me in the position of divulging all my personal information to a bad guy.  What a mess.  You can really see the scar tissue that online fraud has caused Dell, and unless they change their processes, more valid customers will experience what I went through.  I’m just trying to buy something from them.

I.T. phone home


One of my predictions for 2013, made back in 2012, was the smartphone playing a larger role in security.  While the phone itself will need to be secure, it is always with a person, second only to maybe car keys and wallet, and even those items could one day be integrated into your smartphone.

Do you know of anything else with a processor, memory, and connectivity that is as personal to one’s daily life?  I don’t.  I imagine that in 2013 we will see more tech on our bodies with smart watches, smart glasses (I want my Google glasses), chips in shoes, maybe something in a hat or belt.  In a few years, I’ll need 10 to 20 IP addresses just for my wearable network.  This brings a new context to link-local.  I like the term on-body.  Today my on-body network consists of my smartphone and my heart rate monitor, but I am ready for more please.

Today on a tech podcast, I heard that someone in Taiwan had leaked rumors of a fingerprint reader on the new iPhones.  It is about time.  The smartphone is in such a great position to deliver multi-factor authentication that is both convenient and can be made secure.  Let’s look at a few factors:

  • Something you know.  This is the classic password problem that we have been struggling with for years.  Make the password strong and it is too hard to remember; make it easy to remember and it is weak.  Only when coupled with other factors can we overcome these shortcomings.
  • Something you are.  A fingerprint reader is such a no-brainer.  Retina scanners might be hard but not impossible, and I have already seen facial recognition work pretty well.  You can imagine that when more precise body system monitoring comes into play, markers like heart rate patterns, blinking patterns, all those things that a sensor can monitor, could generate a unique signature for your identity that can be used for this factor and also have the added benefit of delivering health-related telemetry.
  • Something you have.  The phone itself is unique, so it can count for this factor.  Others include soft cryptographic tokens; all of this is based on the feasibility of remaining unique in some manner.
  • Somewhere you are: location-based information.  Given that all phones now have some form of GPS, you could even have a policy that would geo-fence an area requiring lower or higher forms of security.

Many Internet services are already using SMS and other out-of-band communication channels to deliver two-factor authentication based on a challenge-response one-time password scheme.  Bravo, and let’s not stop there.  I can’t tell you how much harder they have made it for the bad guys.  If you are using a service on the Internet that does not offer some form of two-factor authentication, demand it from them.  Apple, Dropbox, Google all have done their part and more need to follow.
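As an added illustration (my own sketch, not code from this post or from any of the services named), here is what the “somewhere you are” policy and the out-of-band one-time code look like on the server side: inside a trusted geo-fence, password plus phone code is enough; outside it, a biometric factor is demanded too, and the code itself is random, short-lived, single-use and attempt-limited.  The fence coordinates, factor names and user names are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
import time

TRUSTED_FENCE = (30.2672, -97.7431, 2.0)  # constructed: (lat, lon, radius_km) of a hypothetical trusted area

def inside_fence(lat, lon, fence=TRUSTED_FENCE):
    """Haversine great-circle check: is the login location within the fence radius?"""
    flat, flon, radius_km = fence
    dphi, dlmb = math.radians(lat - flat), math.radians(lon - flon)
    a = math.sin(dphi / 2) ** 2 + math.cos(math.radians(flat)) * math.cos(math.radians(lat)) * math.sin(dlmb / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a)) <= radius_km

def required_factors(lat, lon):
    """Geo-fence policy: inside, password + phone OTP suffice; outside, also demand a biometric."""
    base = {"know", "have"}
    return base if inside_fence(lat, lon) else base | {"are"}

class OtpChallenge:
    """Out-of-band one-time code: random, short-lived, single-use, attempt-limited."""
    def __init__(self, ttl_s=120, max_attempts=3, now=time.time):
        self.ttl_s, self.max_attempts, self.now = ttl_s, max_attempts, now
        self.pending = {}  # user -> [sha256(code), expiry, attempts_left]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, 6 digits
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[user] = [digest, self.now() + self.ttl_s, self.max_attempts]
        return code  # delivered to the phone over SMS/push in real life, never to the browser

    def verify(self, user, code):
        entry = self.pending.get(user)
        if entry is None or self.now() > entry[1]:  # unknown or expired challenge
            self.pending.pop(user, None)
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry[0])
        if ok or entry[2] <= 0:  # burn the code after success or too many guesses
            del self.pending[user]
        return ok

def authenticate(presented, lat, lon, otp, user, code):
    """Step-up check: 'presented' holds factors verified elsewhere; 'have' is proven by the OTP reply."""
    proven = set(presented)
    if otp.verify(user, code):
        proven.add("have")
    return required_factors(lat, lon) <= proven
```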

Yes there will be successes and failures but again I remind you that never before has there been so much capability, so connected, and so personal.

Crime Report as Marketing


In 2012, I moved to a new area in Austin and within the first week, several home security companies showed up at my door soliciting their products.  At first I thought it was because I was new to the area, but then I found out that they monitor these crime reporting websites and solicit their services in areas that have certain crime sprees.  This makes perfect sense, right?  It’s not like they are performing criminal acts; they are just marketing to people who don’t want to be the next victim.  Let’s take a closer look.

Take a look at these:

http://spotcrime.com/

http://www.krimelabb.com/_basic/view/v_welcome.php  (local to Austin but very cool)

https://www.crimereports.com/

Type in your zip code and you can get a report sent to your phone every day, all kinds of stuff to be worried about.

Now let’s think about this from the perspective of marketing your goods, and let’s use the spotcrime.com classification of crime categories.

Obviously, if I were running a home security firm, I would want to monitor the Burglary category, but one can imagine other services like security guard services or even people who sell pepper spray monitoring some of these other categories.

My goal in this post was to show you that there are information sets being published out there from public records that drive services to your door.  How is this different from your actions on Facebook or Gmail that drive services to your screen? In all cases, your location, your online identity, so much of your metadata will be used to drive products and services to you that one can imagine a threshold or breaking point for the consumer.  Have you hit yours yet?

And so it begins…


mic check 1,2,1,2, is this thing on?

Yup, that’s right, this is my blog and I’m about to make some noise.  With enough coffee, anything is possible.

Gaming, Fitness, Information Technology, if it is in our daily life, I’m certain I can find a security angle on the topic.

I’ll try and keep it short and interesting.  It would be nice if you folks would comment, retweet, all that stuff.  I’m currently unemployed so the next few weeks will be the uncut funk as G. Clinton would say.

So much to post, so little time.

twitter: @tkeanini