Credit Card Protections and Privacy Eroded Yet Again in the USA

When we got married, we ordered our invitations over the Internet from a company that seemed fairly reputable.  Apparently, however, their ordering process was screwed up because we didn’t get the invitations until 6 weeks prior to the wedding.  No big deal to some, perhaps, except that almost nobody was going to be local to the wedding location, and many people were going to have to book airline reservations.  I asked the credit card company to stop payment to the vendor because of the late delivery.

Yesterday’s Wall Street Journal reports on a new service that vendors can use to spot consumers who stop payment through their credit cards.  Sometimes consumers will stop payment when they have received products in time, and used them.  This is particularly common this time of year, when lots of vendors sell lots of crap about which they know nothing.  The consumer gets pissed off because they’ve just bought a no-good product, and the vendor gets pissed off, because they have to spend time fighting the consumer instead of selling.

The new service blocks consumers’ credit cards due to this so-called friendly fraud.  In most cases, the consumer will likely have no idea why their card is being turned down, and will simply pay with cash (a vendor who accepts a different card from such a consumer would be stupid).

Is this the way things should be?  Vendors are reporting credit card information to third parties without the consent of the consumer, and then that third party turns around and makes a profit on that information.  The consumer is the loser for having availed himself or herself of his or her rights under the credit card agreement.  What’s more, what is to stop a bad vendor from reporting a good customer?  Who will have the last laugh?

Now some will say that a good customer can always fight, and the article does say that these new services often offer avenues of appeal.  And I bet it will work not quite as well as credit agencies handle it.  At least in those circumstances, there are laws.

Unwitting Mules and Computers

When I first traveled through Switzerland some 16 years ago, I went to France for the day, leaving from Geneva.  On entering France, the guards saw a long, curly haired, American in a rental car, and they assumed I would be carrying drugs, so they took apart the car.  I didn’t mind it until it occurred to me that perhaps the last guy who rented might have left something behind.  Fortunately, none of that happened.

Last year, I attended one of my favorite conferences, the Workshop on the Economics of Information Security (WEIS08).  I met there a number of good folk from the law enforcement community, and some talked about some of their successful investigations into crime on the computer.  In one case, the investigators found megabytes of illicit material on someone’s hard drive.  An astute and bright man from Microsoft by the name of Stuart Schechter pointedly asked how the investigators knew that the owner of the PC had stored the illicit material.  The implication here would be that bad guys could be using the computer without the knowledge of its owner.  The detective answered that such evidence is only one component used to charge and/or convict someone.

Now comes a case reported by AP in neighboring Massachusetts where this scenario has been brought to the fore.  Michael Fiola, an employee of the state government, was fired, arrested, and shunned because some criminal broke into his computer.

What are the lessons to be learned?  There is this common notion by many that end users aren’t generally the victims of the people who break into their computers.  Not so in this case.  There is also a belief that faith in government prosecutors alone will get an innocent person out of trouble.  Not so in this case.  They did eventually drop the charges, but only at the cost of his entire savings, large amounts of stress, etc.

This is not the only such case in which this has happened.  So, do you know what’s on your computer?  Are you sure?

What is a Cruel and Unusual Punishment for Youths?

[Corrected information, thanks to Ken Durazzo.]

The punishment should fit the crime.

This is the general basis for the Eighth Amendment, and it’s one that has been largely ignored in the United States.  Now the New York Times reports on a case that the Supreme Court has decided to hear, regarding people convicted as youths who are serving life sentences.  As the Times mentions, all 100 such people in the world live in the United States, and of those, 77 are in Florida.  One case involves Terrance Graham who committed armed burglary at the age of 16.  In another instance, a child was sent to prison for life for rape at the age of 13.  That’s a terrible offense, but is it worth a life term?

It is often the case that the pendulum starts swinging the other way, when absurd cases such as Graham’s come to the fore.  Here now is an opportunity for the Supreme Court to challenge the state on whether the punishment suits the crime.  Explain to me the circumstances under which a child should go to jail for life for robbery.  I can’t fathom such a situation.  I hope the Supreme Court won’t either, in which case, we may see some very interesting new doctrine on the subject in the next year.

Paypal follow-up

Some people wonder whether the situation with PayPal is that bad.  Well, at least the phishing part is.  Today’s mail included this little gem from points unknown pretending to be PayPal:

Attention! Your PayPal account has been limited!

[…]

[Link to a phishing site]

This is the Last reminder to log in to PayPal as soon as possible. Once you log in, you will be provided with steps to restore your account access.

[…]

How did I know this was a forgery?  Let’s take a look at the email headers:

Return-Path: <paypal@service.com>
Received: from mail.realinterface.com (mail.cecreal.com [66.101.212.157])
	by upstairs.ofcourseimright.com with ESMTP id n9GAJ9h3022332
	for <lear@ofcourseimright.com>; Fri, 16 Oct 2009 12:19:31 +0200
Received: from dynamic.casa1-15-233-12-196.wanamaroc.com ([196.12.233.14]) by
         mail.realinterface.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Fri, 16 Oct 2009 06:32:45 -0400
From: "PayPal Services" <paypal@service.com>
To: "lear" <lear@ofcourseimright.com>
Subject: Your PayPal account has been Limited
Date: Fri, 16 Oct 2009 10:18:53 +0000
Organization: PayPal
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"
Message-ID: <RI1BvDvIMYk5XYA4IyF00002a42@mail.realinterface.com>
X-OriginalArrivalTime: 16 Oct 2009 10:32:45.0859 (UTC) FILETIME=[00099730:01CA4E4C]

The first thing we note is the From: line.  While this line can be easily forged, in this case, the miscreant forged not PayPal’s domain but service.com’s.  Well, that’s not PayPal.  This one was easy to establish as a fraud.  But had we any doubts we would need look no further than the previous two lines (the last Received: header).  If we look at the address 196.12.233.14, which is claimed to be dynamic.casa1-15-233-12-196.wanamaroc.com, we note that the name it has begins with “dynamic”.  That name, and the numbers that follow in it, indicate that this is probably someone’s house or office PC, and not PayPal’s email server.  Note I’ve highlighted the “To” line, with the address lear@ofcourseimright.com.  But that is not the address I’ve given PayPal.

What’s more, I happen to have an actual paypal.com set of headers to compare against.  Here is what it looks like:

Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
	by upstairs.ofcourseimright.com (8.14.3/8.14.3/Debian-6) with ESMTP id n9E8KIwI026171
	for <xxx@ofcourseimright.com>; Wed, 14 Oct 2009 10:20:39 +0200
Authentication-Results: upstairs.ofcourseimright.com; dkim=pass
	(1024-bit key; insecure key) header.i=service@paypal.ch;
	dkim-adsp=none (insecure policy)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=paypal.ch; i=service@paypal.ch; q=dns/txt; s=dkim;
  t=1255508439; x=1287044439;
  h=from:sender:reply-to:subject:date:message-id:to:cc:
   mime-version:content-transfer-encoding:content-id:
   content-description:resent-date:resent-from:resent-sender:
   resent-to:resent-cc:resent-message-id:in-reply-to:
   references:list-id:list-help:list-unsubscribe:
   list-subscribe:list-post:list-owner:list-archive;
  z=From:=20"service@paypal.ch"=20<service@paypal.ch>
   |Subject:=20Receipt=20for=20Your=20Payment=20to=XXX
   |Date:=20Wed,=2014=20Oct=202009=2001:20:17=20-0700|
   |Message-Id:=20<1255508417.22290@paypal.co
   m>|To:=20Eliot=20Lear=20<paypal@ofcourseimright.com>
   |MIME-Version:=201.0;
  bh=q82fwVBPBq26WHflKsNcdbCIf3Vcc5wRznZ9tfI8+8k=;
  b=OPyR7evc/VcnTZyDZSlYCh9oLm+vmKt8qsocqMrAr7y/kg3P5+DhO3mB
   UDbhkCvqu+owm45X1te+PxoREXR9aMEuuD20ltP2B5f5JWf/MjICk6zc6
   gYv6pY6ZRFKclXFGvtViJwv0LsW8N7uaoiZCAh5mxrjfuJaF+SmNyX23c
   I=;
Received: (qmail 22290 invoked by uid 99); 14 Oct 2009 08:20:17 -0000
Date: Wed, 14 Oct 2009 01:20:17 -0700
Message-Id: <1255508417.22290@paypal.com>
Subject: Receipt for Your Payment to XXXX
X-MaxCode-Template: email-receipt-xclick-payment
To: Eliot Lear <xxx@ofcourseimright.com>
From: "service@paypal.ch" <service@paypal.ch>
X-Email-Type-Id: PP120
X-XPT-XSL-Name: email_pimp/CH/en_US/xclick/ReceiptXClickPayment.xsl
Content-Type: multipart/alternative;
  boundary=--NextPart_048F8BC8A2197DE2036A
MIME-Version: 1.0

A few things to note: first, my own mailer adds an Authentication-Results header, and in this case you see dkim=pass.  It’s done that by looking at the DKIM-Signature header to determine if PayPal really did send the email.  This is a strong authoritative check.  Knowing that PayPal does this makes me feel comfortable discarding just about any email from paypal.com that lacks this header.  Also, this email was addressed to the correct address (I’m not actually showing the address that I use).  Not every site uses DKIM and that’s a pity.  One has to know in advance when to expect dkim=pass and one has to look at the headers to check.

Just by comparing email headers we can see that this is a poor forgery.  And yet it takes time and effort for people to determine just that.  And this is the risk that we consumers face.  If one decides that any email one wasn’t expecting from PayPal is in fact a forgery, then should someone break into one’s account, one may not notice that there is a problem.

Summarizing, here are the things that I’ve done to limit the chances of something bad happening:

  1. I use a single email address for PayPal that forgers are unlikely to know about.
  2. I look for the Authentication-Results header.
  3. Even if I think this is an authentic email, I will not click on links, but instead go to PayPal.com.

But it’s not all that easy for me.  It certainly isn’t easy for those who haven’t been paying attention to all of this stuff as part of their job.
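
The three checks from the list above, written out as an added example (this is not code from the original post).  It accepts a message only when the From: domain is an expected one, the To: address is the dedicated one, and an Authentication-Results header written by the receiving mailer itself records dkim=pass for the From: domain.  The set of expected domains, the function names and the two sample messages (abbreviated from the headers shown above) are assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed samples: abbreviated copies of the two header sets shown above.
FORGED = (
    'From: "PayPal Services" <paypal@service.com>\n'
    'To: "lear" <lear@ofcourseimright.com>\n'
    "Subject: Your PayPal account has been Limited\n\nbody\n")
GENUINE = (
    "Authentication-Results: upstairs.ofcourseimright.com; dkim=pass\n"
    "\t(1024-bit key; insecure key) header.i=service@paypal.ch;\n"
    "\tdkim-adsp=none (insecure policy)\n"
    "To: Eliot Lear <xxx@ofcourseimright.com>\n"
    'From: "service@paypal.ch" <service@paypal.ch>\n'
    "Subject: Receipt for Your Payment to XXXX\n\nbody\n")

def domain_of(addr):
    # Domain part of an address or of a header.i= / header.d= value.
    return addr.rpartition("@")[2].strip().lower()

def trusted_dkim_pass(msg, my_mta, from_domain):
    # True only if our own mailer recorded dkim=pass for the From: domain.
    # Assumption: my_mta strips inbound Authentication-Results headers that
    # carry its own name, so a sender cannot plant one (RFC 8601).
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", " ", value)  # drop (comments)
        head, *results = [part.split() for part in value.split(";")]
        if not head or head[0].lower() != my_mta:
            continue  # header written by some other host: ignore it
        for tokens in results:
            if tokens and tokens[0].lower() == "dkim=pass":
                signers = [t.split("=", 1)[1] for t in tokens[1:]
                           if t.lower().startswith(("header.i=", "header.d="))]
                if any(domain_of(s) == from_domain for s in signers):
                    return True
    return False

def check_message(raw, my_mta, expected_domains, dedicated_addr):
    # Returns the names of the checks that failed; [] means all passed.
    msg = email.message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    findings = []
    if from_domain not in expected_domains:
        findings.append("unexpected-from-domain")
    if parseaddr(msg.get("To", ""))[1].lower() != dedicated_addr:
        findings.append("not-my-dedicated-address")
    if not trusted_dkim_pass(msg, my_mta, from_domain):
        findings.append("no-trusted-dkim-pass")
    return findings
```

Called with the mailer name upstairs.ofcourseimright.com, the domains paypal.com and paypal.ch, and the placeholder address xxx@ofcourseimright.com, the genuine sample returns an empty list and the forged one fails all three checks.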

The Saudis would like some handouts, please.

Here’s a rich idea reported by the New York Times: Pay oil producers for not producing oil.  That’s right.  Saudi Arabia wants “rich nations” to pay oil producers to help wean themselves from their dependency on oil.  That is, oil exports.  It’s just like paying farmers not to plant, right?  Wrong. In this case, oil producers still sell what the market demands, it’s just that since the market will be demanding less, OPEC and the like will get less.  According to the article, the Saudis have in the past gummed up the works on climate change protocols because of other nations’ refusal to accede to this sort of extortion.

Do the Saudis have a real problem?  Yes.  They and other large oil producers like Libya lack a sufficiently diversified economy, such that when oil prices dip, everyone suffers.  This is known as Dutch Disease, and oil exporters are right to be worried about it.  Dutch Disease happens because the demand for oil alone drives up national currencies, making all other industries in that country uncompetitive by price.

So here are a few questions:

  1. Can oil producers wean themselves off of oil without economic assistance?  After all, they’re taking in all of this money.  Can’t they use some of it to develop other industries?  It seems Dubai has been somewhat successful at this.
  2. Would economic assistance actually help?  If consuming countries gave them more money to compensate for losses of oil revenue, would producers just become dependent on the subsidy?
  3. Isn’t there a broader picture here surrounding the West’s relationship to the Middle East?  Doesn’t good will count for anything?  And don’t we need some of that good will in that part of the world?

Dutch Disease requires complex solutions.  Simply providing a subsidy won’t do the job.  In fact, providing a subsidy could in fact prop up the national currency and compound problems.

And then there’s the fact that most of us feel as though we’ve been held over a barrel by some of the countries in question, and would like to have done with entanglements in the Middle East.  Oil or no, however, the people in those countries are not going away.  They and we need an equitable way to live together in the future.