The Spy Who Loved Me (be tracked and earn points!)


Almost every task you perform is online and almost every online service you subscribe to is tracking your behavior in detail.  And, the reality is that this is happening offline as well.  How many loyalty cards are you carrying around to get points?  Guess what all those businesses are doing with the data they gather from your loyalty cards? That’s right, they are tracking your every move.

Everyone is freaking out about the NSA tracking US citizens, but their local grocery store, Amazon, and their favorite search engines are likely to have a longer history of “spying” on their behavior.  Beyond these obvious data collection mechanisms, bike computers, fitness monitors, and mobile phones are all publishing location data to systems that are not very well protected.

As a consumer of online and offline services, do you have a choice about being tracked?  Not really.  I dare you to try and be proactively anonymous.  The effort alone, not to mention the discounts you will forfeit, will be significant.  On average, you save about 10% to 20% in loyalty programs and that can really add up. If you really want to be anonymous, you’ll need to pay in cash and that’s not very convenient. You’ll also need to enter all your personal accounting data manually and as Sweet Brown would say: “ain’t nobody got time for that!” Of course, cash will also limit your vendor selection.  Anonymity, or even its close approximation, will take practice and skill that you just don’t have, and the people tracking you are banking on this fact.

Parents, employers, governments and online vendors all want to “spy” on you so they can “make” you a better son or daughter, student, employee, citizen, or customer.  No matter which role you fall into during a specific transaction, the “spying” is supposed to be for your benefit.

My point is that if you accept the fact that spying or tracking is a given, then instead of complaining about it you can get proactive. This makes it possible to make conscious decisions about who is allowed to “spy” on you. I think consumers should approach this decision by evaluating these criteria:

1) Make sure you are the one getting a tangible benefit. This doesn’t have to be a discount, it could be priority access to information or better status. Whatever it is, it should be meaningful to you – don’t give your data away for nothing.

2) Demand that the data being collected on you is protected in some way.  Some people tracking you are absolutely careless about how they store and protect the data and this is not going to change until consumers collectively demand a change.

One other issue that hasn’t been addressed by most vendors tracking your behavior is ‘identity noise’ or ‘profile pollution’, caused when multiple people use a single login. Most systems assume a one-to-one relationship between users and logins, or are based on the incorrect assumption that you only shop for yourself. When you start allowing others to make purchases using your login, or buy things for your children or friends with very different tastes, stupid recommendations start to appear, rendering recommendation engines annoying instead of helpful.

Netflix recently came to terms with the fact that multiple people were using the same Netflix account and instead of fighting it, they introduced the concept of multiple profiles associated with the same login/password.   Now a single account can have up to 5 profiles, so your kid’s unicorn or pony cartoons and your wife’s romance flicks don’t pollute your quality sci-fi recommendations.  Good job Netflix!

Believe it or not, it’s possible (and maybe even likely) for us to become even more traceable. Just wait until Tiles are available and used by the masses.  All I have to say about this is that the people behind Tiles better have badass security people working on the design and implementation or it has the potential to make really bad things happen.  Tiles could get very creepy very fast; for example, they could be hidden in gifts so subsequently something in your proximity can be tracked.  Give a gift that keeps on spying – ugly but extremely possible.

Are you paranoid yet?  I’m not sure you will ever be sufficiently paranoid because so many of these monitoring acts are being sold with major benefits. Deep discounts, rewards, recommendations that you would not have found on your own: all of these things are the positive side of vendors “spying” on or tracking your actions.  Marketing and business intelligence systems require more precision about customer behavior, so businesses have become very effective at reminding you that every action they are taking is “for your own good”.

This battle is being won or lost in the hearts and minds of consumers, not in the bits and bytes of the data vendors are collecting. And all hope for privacy isn’t completely lost. Eventually, it will all work itself out, but the issues are more social than technical.  Just remember this: you are a person of interest to someone and that someone will want to track you.  This has been true since the day you were born.

Happy Change Your Password Day

Actually, Feb-1 is the official date, but if you have not changed your password since Feb-1, it’s time to do it.  You know it sucks, but until everything is two-factor, we have to deal with this silly password hygiene.

I love how Intel is promoting this.  Keeping it top of mind is a good thing because again, no one wants to do it until it is too late.

Here is the deal: you are now asked to manage more than 40 accounts online, every one of them wanting you to have a login/password, and every one of them presenting the bad guys an account to compromise.

Do yourself a favor and tool up.

If you have not employed a password management tool, find one you like and start using it.  If you don’t like it, try a different one but trust me, you want to be using a tool to manage all these accounts.

Also, I found this tool recently and I like it a lot.  Wolfram makes an app I keep on my iPhone that helps me generate ridiculously strong passwords that are simple to remember.

But in the end, you really want to make sure you are pushing your services (your bank, credit union, all the important online accounts) to two-factor authentication.  If you think it is a pain in the ass, it is less pain than the compromise of your accounts and the cleanup that follows.


Hey Dell, your vending machine is broken


For the past 48 hours, I have been trying to give Dell Computer my money, but it has been a very frustrating experience.  The story should read: I pick out my computer online, I pay for it with my credit card, they ship the computer to me and the transaction is complete.  It went nothing like this, and in this blog post I want to show how online fraud and cybercrime have affected the honest consumer just trying to do business.  It’s obvious no one is counting these costs, because I have never experienced something so broken.  As criminals become more clever in their ways, both vendors and consumers need to also evolve, and this obviously was not the case with Dell over the past few days.

Day 1: I do my research and end up selecting a Dell computer, configure it just the way I want it, enter all my information and click purchase.  Within minutes I get a confirmation of the purchase and an estimated delivery of the unit.  The next action should be tracking the package and getting my merchandise.

Day 2: I’m at a coffee shop first thing in the morning and I open my email to find a message from Dell saying the order is being ‘held’.  1) While it is my first email, the subject says it is the 2nd notification.  WTF? And 2) the reason is that there are ‘difficulties processing payment for your order’, which, as we will later find out, was a complete lie after speaking to my bank, which had already authorized the purchase.

So the instructions say to contact Dell at a 1-800 number, so I do.  A person, whom I will call A.L., answers, gets my order # and asks me to verify 4 or 5 different things about myself and the order.  I answer all the questions correctly and then she says: “What I need you to do is to send me an email from your business account please.”   If you are paying attention so far, you will know that they already sent me an email, which I validated with my call into A.L. So I tell her I am using my business address, it is the one I entered in the order, it is the one I used to get the number to call her.  She says (don’t laugh), no, that is your gmail account, I need you to send me an email from your business.  2xWTF?  I kinda lose it at this point and explain again that I use my gmail account for my business, and she finally says ok ok ok, just reply with a statement that this is my order and that I confirm that the order is valid.  I make her stay on the phone with me while she confirms that she received it.  I ask if there is anything else and she says no, the order is no longer on hold.

Get ready to punch yourself in the face.  Approximately 5 hours later that same day I get an email explaining THAT THE ORDER WAS CANCELED!  The explanation being that they could NOT GET IN TOUCH WITH ME to “ensure the security of the transaction”.  Really?  Oh, wait, it gets even worse.

I call Dell again, give them my order number and explain to the agent that earlier in the day, I played 20 questions with a person who said the order was off hold status, and then just now received an email saying “ORDER CANCELED”.  She says “Oh, that is because your credit card company did not fund the transaction and cancelled the order”.  I asked, “Are you sure, because my other purchases went through?”  She says, “There is nothing Dell can do at this point because you will need to work this out with your bank.”   I thank her and say that I will get to the bottom of this.

Ring ring ring…I get on the line with an agent at my bank and ask her about this transaction.  She confirms the amount and says, “Sir, this transaction was authorized a few days ago” (the initial online purchase).  I ask her for the authorization number and she gives it to me.  I ask if she would be ok speaking with the merchant because they just flat out lied to me.  She said no problem and was there to help.  (love my bank)

Ring ring ring…hopefully final call to Dell.  I get to an agent and explain the entire history of the transaction, and highlight the fact that I may want to speak to a manager because the last agent I spoke with lied to my face saying that the credit card company cancelled the transaction and I needed to start the entire buying process over again with another credit card.  They put me on hold….waiting…waiting…they come back on the line and say they will create a new order, and ship it next day for free.

You would think at this point, I would be done but it has been 12 hours from my last call with Dell and still no confirmation.  I will update the comments as this story unfolds.

So here is the deal: throughout this entire transaction, being the security person I am, I can name half a dozen places where little to no authentication was performed.  In fact, the first email that came to me from Dell could have been a spear-phishing attempt, putting me in the position of divulging all my personal information to a bad guy.  What a mess.  You can really see the scar tissue that online fraud has caused Dell, and unless they change their processes, more valid customers will experience what I went through.  I’m just trying to buy something from them.

And so it begins…


mic check 1,2,1,2, is this thing on?

yup, that’s right, this is my blog and I’m about to make some noise.  With enough coffee, anything is possible.

Gaming, fitness, information technology: if it is in our daily life, I’m certain I can find a security angle on the topic.

I’ll try and keep it short and interesting.  It would be nice if you folks would comment, retweet, all that stuff.  I’m currently unemployed so the next few weeks will be the uncut funk as G. Clinton would say.

So much to post, so little time.

twitter: @tkeanini