Friday, August 28, 2015

Bank Of America: Major Grief

All I wanted was a paper bank statement so I could use it to establish Oregon residency. I need something official looking with my address on it and a postmark so that I can get things like a driver's licence here.

So, I went to their web site and there was an option to request a paper statement even though my account is set to paperless. I ordered the statement and waited. And waited. Finally I called their customer service.

Calling customer service was fun. First, it asked me to enter my ATM PIN number, which I did. The system happily informed me that the PIN number didn't match the phone number on file. What? I had to look up my full account number on their web site and key it in to the phone system just to proceed.

So, when I finally got to talk to a person, he asked me my first and last name, full address, date of birth and last 4 digits of my social security number. This is almost as much information as I opened the account with.

We started with me asking what was the problem calling into the phone system. We went over my phone number on their system and he said it looked right, but it was the telephone access PIN I needed to key in, not my ATM PIN, which the system specifically asked me for.

To set up a telephone PIN, he gave me a temporary PIN, and asked me to call the system, key in my full social security number plus the number 1, and then enter the temporary PIN, at which point it will supposedly let me create a real PIN. Seriously? The CSR didn't believe me that the phone system specifically asked me for the ATM PIN number for the card ending in XXXX. But this can of worms wasn't even why I was calling, so I moved on.

I next asked the CSR if he could see what happened to the paper statement that I requested and which never arrived. He told me that it looked like they had sent it to my North Holly Street address in Anaheim. Which is great, but I haven't lived there in almost 20 years, and I didn't give them that address.

So, after discovering that they were using my 20 year old address that I never gave them, not even 20 years ago, and informing me that the problem was corrected, we started to order the paper statement. He supposedly verified everything and after a waiting period of 5 business days, their system will send me a paper statement for my most recent account period.

What a nightmare. I only chose "BofS" because they are the closest branch to where I moved, and two of my siblings bank there. I love my hillbilly Banner Bank but they don't have many branches near where I live, so I wanted something closer.

Thursday, August 13, 2015

Windows 10: The War On Privacy

Companies like Microsoft, Apple and Google should be the champions of our privacy. But these companies throw us under the bus just like every other company.

Windows 10 ups the ante by taking out options where you can tell it not to phone home, and even worse, phones home sometimes even where there are options to tell it not to. The folks over at Ars Technica have a great story about this issue.

It gets even more insidious. Reading the comments, it appears that Windows will selectively ignore the HOSTS file, which has been around as long as Windows has been around. This HOSTS file lets you map Internet addresses to other addresses.

Using the HOSTS file, you could for example make your computer stop connecting to "" by mapping it to the IP address of, making all application and browser requests for that address simply fall into the void.

This mechanism of Windows has rarely been used, and today you'll mostly see it in adware blocking type apps and other situations where you don't want an application in Windows phoning home.

Now, the real story here to me is that Microsoft is now selectively bypassing HOSTS in the cases where you add Microsoft's own servers to the list in order to stop Windows 10 from phoning home without your permission.

Below you can see the stock file that comes with Windows. It was a great feature for many years and still can be, as long as you don't add an address for which Microsoft bypasses HOSTS, and right now that list of exceptions is unknown.

HOSTS is typically located at c:\windows\system32\drivers\etc

Now that HOSTS can't be trusted, the only way to stop Windows 10 from phoning home is to use a dedicated firewall on your network, whether it be features built into your router or a dedicated machine. If you have the right router, you can flash it to DD-WRT open source firmware and turn it into a $1000 router.
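One way to check whether HOSTS entries are actually being honored, as an added example that is not part of the original post: parse the HOSTS file, then look for blocked names that still reached a routable address in the network firewall's logs. The hostnames, addresses and the three-column log format are constructed placeholders and assumptions.

```python
import ipaddress

# Constructed sample HOSTS content; the hostnames are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     telemetry.example.com   # sinkholed
0.0.0.0     stats.example.net ads.example.net
192.0.2.10  intranet.example.org
"""

# Constructed log in an assumed format: "<timestamp> <name> <destination-ip>",
# e.g. a router's DNS and firewall logs joined for one client machine.
SAMPLE_LOG = """\
2015-08-13T10:00:01 telemetry.example.com 198.51.100.7
2015-08-13T10:00:05 www.example.com 203.0.113.5
2015-08-13T10:00:09 ADS.example.net 0.0.0.0
2015-08-13T10:00:12 stats.example.net 198.51.100.9
"""

def is_sink(ip):
    # 0.0.0.0 and loopback are the usual "fall into the void" targets.
    return ip.is_unspecified or ip.is_loopback

def parse_hosts(text):
    """Return {hostname: ip} for every mapping in HOSTS-format text."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: skip line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)  # this example keeps the first mapping seen
    return mapping

def sinkholed(mapping):
    """Names the HOSTS file blocks (localhost itself is not a block entry)."""
    return {n for n, ip in mapping.items() if is_sink(ip) and n != "localhost"}

def find_bypasses(hosts_text, log_text):
    """Log entries where a blocked name still reached a routable address."""
    blocked = sinkholed(parse_hosts(hosts_text))
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, name, dest = parts
        try:
            dest_ip = ipaddress.ip_address(dest)
        except ValueError:
            continue
        if name.lower() in blocked and not is_sink(dest_ip):
            hits.append((ts, name.lower(), dest))
    return hits
```

Any hit returned by `find_bypasses` is a name that HOSTS should have blocked but that the machine contacted anyway, which is the case for a blocking rule on the firewall itself.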

In the war on privacy, pretty much everyone is your enemy, and the battlefield is sitting on your desk. And in the war on privacy, you are a combatant whether you wish to be or not.

Saturday, August 1, 2015

No, I Don't Want A Target Credit Card

I've been saying this for a while now: Most big businesses at some point have just dropped all pretense of caring about their customers in the name of short term profit.

Today I was in Target just grabbing a couple of quick items. The two people in front of me didn't have much either, but it took 20 minutes to checkout because all of us had to sit through a very clumsy presentation on the glory that is the Target credit card, with its 5% cash back. But wait, there's more! Somehow this magical credit card can be used just like a debit card. Yep, it does everything.

The woman in front of me was obviously uncomfortable and trying to be polite, though she was cornered by the pushy cashier. He was putting her on the spot, to where she would need to be gruff to escape the situation, but she didn't want to do that, so she half played along until she found her moment to flee and said "ok I'll think about it, thanks" and practically ran out of the store.

When I got to the front, I was asked if I was prepared to save 5% today. I informed the cashier that I was prepared to save zero percent and that my savings of zero percent was intentional, and by design. The cashier happily treated me like I was on drugs. "Zero percent, huh? Why wouldn't you want to save 5% on all your purchases at Target? There's no reason not to."

I leaned in a little, looked him in the eyes and said "because I really don't want a Target credit card." Defeated, he said "well, let me know if you change your mind" and a quick, sarcastic "yeah, I'll do that" ended the exchange.

The real answer of course is that I don't think much of Target, or any company that would put more effort into sales of its credit cards than actual customer service. I don't blame the poor guy who was taking his corporate mandate and running with it. A brother's got to eat. No, this was Target clearly putting him in the same position he was trying to put me in.

Huge, publicly traded companies must continue to grow for no real reason other than they are expected to grow. Even if they have to resort to being obnoxious, and even if that level of dickery will harm their profits in the long term.

It was nice in the old days where stores at least pretended to care about their customers. You could chit chat with the store employees and it was almost like everyone was an actual human being. Nowadays, every transaction at every store is a high pressure sales pitch, once only reserved for used car lots.

There's a few exceptions of course, and some stores have varying levels of class, like the low key "savings cards" you'll find at stores like Safeway or Fred Meyers. No pressure, but you'll just overpay on about half your items.

Wednesday, July 22, 2015

AT&T Spam

Most companies have just dropped all pretense of pretending to respect their customers. The goal of most companies these days is to grab your attention and get you to buy something before your attention is lost. I'm pretty sure they think you and I are too stupid to remember something like a company trying to trick you into buying their products or clicking on their links. Besides, everyone else is doing it. What phone company, bank, insurance company, etc. treats anyone like a valued customer these days? They treat you like you are a rag to wring out is how they treat you.

And AT&T didn't care if you hated them when they were the only phone company in the country before they were broken up for being a monopoly, and they don't care if you hate them now. So, it's not surprising that they would try to trick their wireless customers, especially the under-privileged prepaid customers.

I got this email with a subject saying "Prepaid: Action Required" and I thought "WTF, I better read it in case they suddenly think I didn't pay my bill," since they play so many shenanigans with their prepaid non-customers.

The email says:

Because you're a valued customer, we'd like to keep you up to date with announcements and service updates throughout the year. To make sure you're receiving these notifications, we're writing to confirm we have your current email address.

This is so full of wrong. First, they don't even treat me like a customer in the first place. Prepaid is totally different from their main wireless operations--you even pay your bill at a different web site. I don't think I'm technically even an AT&T customer--I think it's "go" something. Second, they know my phone number and already use text messages to give me notifications (and spam).

Just today I got this super awesome notification in the form of a text message, so I know they have no problem reaching me.

Great news! They caved into marketing pressure from their competitors and decided not to screw me out of data I paid for. 

And third, what part of their email required action? 

What I think happened is that they put "prepaid: action required" to scare me, a lowly under-privileged prepaid phone user, into looking at an email that was only confirming they have the right email so they can start sending me email spam in addition to text spam. By the way, I did send "Stop" as a reply to the above text, so we'll see if they honor it.

Tuesday, July 14, 2015

Experian: The Spammer's Friend

Many of you will know Experian as one of the three credit scoring bureaus. This mega-corporation compiles vast amounts of data on every human being it can, all without their permission, and sells this info along with a "score" to show that human's financial worthiness.

But Experian also runs one of the largest email marketing firms, Cheetahmail, which they bought more than 10 years ago!

Here's a quote from their press release:
The acquisition is designed to help Experian, Costa Mesa, CA, bolster its direct marketing services, particularly in aiding clients in sending more highly targeted e-mails to their opt-in subscriber lists. Terms of the deal were not disclosed.
Sweet! Who doesn't love highly targeted emails? Notice above that they said "opt-in" as part of the press release wording.

They have a Corporate Privacy Policy which states that clients are not to send unsolicited spam:
Corporate email client anti-spam policy: Clients of Experian CheetahMail have agreed to not send unsolicited commercial email through our systems. Any client who violates this agreement is subject to privacy review, services termination and potential legal action.
So far, so good, except that I have been receiving spam from one of their clients as detailed in this blog post. I recently sent them an email asking them to look into their spamming client, but it was returned 3 days later as "Undelivered Mail Returned To Sender".

Their email provider, Cheetahmail, does provide a way to report abuse, and I sent them this email.

But now the abuse email bounces back as undeliverable! It's not hard to find others leveling criticism at their operation.

Notice their bounce mail indicates that I should contact the postmaster, but also notice there's no contact info provided. That is my next project: to find someone to report the problem with the abuse mechanism so I can stop being spammed by one of their clients. The "details.txt" attachment from the bounced mail also looked a little wonky. "delivery temporarily suspended" sounds fishy to me. I wonder if I tried again...

I will update this article if/when I get their attention. So far, running a Google query on "Cheetahmail Postmaster Address", I found a couple of people saying that Cheetahmail ignores reports to the abuse or postmaster addresses. I'm surprised anyone even knows their postmaster address.

UPDATE 7/20/2015: They contacted me a few days ago and told me that they had me taken off their spammy client's mailing list. Nice. It only took thousands of keystrokes to make that happen. One of my readers commented in the other post that they had the same problem with emails to their abuse department bouncing. Oops.

It just seems really fishy that one of the world's largest email service providers can't properly configure their account that receives notices of abuse about their clients, while their spammy clients seem to work fine. It's one thing if a hair salon doesn't seem very savvy with email, but this is an email service provider.

It's almost like some of these companies are saying "Oops, we did what was financially in our best interest, even though it was ethically questionable. Oops, we did it again. Oops, we did it again. Oops, our stock price went up." It just seems fishy.

Sunday, July 5, 2015

Spammers

A couple years ago I did a couple small orders with and I've regretted it ever since. The orders actually shipped and were fine, but I've been constantly email spammed by them since that time, and their emails have been getting progressively more obnoxious. Unsubscribing from their email has no effect.

Not only does unsubscribing from their email offers have no effect, this is one of the few companies I've found that does not appear to have a single contact point that I can find. They get horrible reviews, and I'm not the only one accusing them of being spammers.

Notice below that the email from miniinthebox doesn't even have a return address to their domain.

It has the word 'trust' in the subject line, better open it soon!

On the site, it lists Mini In The Box's reasoning for not having any email address to contact the company:

- Few customers have wanted it
- They simply don't use email for support
- They don't feel email is secure

...and yet they have no problem filling my inbox with email I don't want and have no way of turning off or contacting them to turn off. Smells a little funny to me. I've seen these Chinese super-stores have some pretty nonsensical behavior, but I haven't seen one stoop this low or lay it on so thick.

This is not a good company by any stretch of the imagination and I highly recommend avoiding them like you would an infectious disease.

Notice below that when you unsubscribe, it's not even the same domain, and you can see the second hint of trouble by the wording it gives you. Like "You've unsubscribed but don't worry, you'll still enjoy our spam."

Wait, what?

From this point on I'm going to definitely pay attention and document all the spam they send me, and will try to come back to this article.

Below is the domain registration information for Notice that they have enabled privacy protection to obscure the public information about their web site. Who a web site belongs to has always been public record, until the registrars decided they could milk the shit out of their customers and sell them privacy. Mini in the box is a Chinese company that's definitely not located in Florida with any phone numbers that ring anywhere in America.

A shady company that's done everything they can to make themselves hard to contact, say it ain't so!

UPDATE 7/12/2015

Here they are again in my inbox. I'm not going to try to unsubscribe anymore. That ship has sailed. They appear to have a legitimate email provider and I have sent an email to their abuse department to see what they might think of their client's spammy habits.

UPDATE 7/20/2015: After the email request to Cheetahmail's abuse department bounced and I blogged about it, they contacted me and told me that they took my name off the Miniinthebox mailing list.

Wednesday, June 24, 2015

Your ISP Could Be Using Javascript Injection Attacks Against You

You are sitting at your computer surfing the web like the time waster you are. You click on a web site link and the web site comes up. But another tab opens asking you to take a short survey. Even novice computer users are skeptical these days with all the hacks, attacks and phishing attacks.

But you are not on a shady site. You just got a popup from a legitimate site asking you to take a survey from your local Internet provider. Maybe you close the popup and ignore it. But an hour later, the same popup appears on a different web site.

Are all those companies in cahoots, or is your computer infected? What's going on?

What's happening is that your Internet provider is using hacking techniques on you in order to put that survey tab in front of your eyeballs. When you go to load a web page, your provider gives you the web page you asked for, but injects its own code into that web page, masquerading as part of the page.

Now, your browser doesn't think there's any security issue because that injected code is pretending to be part of the page you asked for. The browser has no way of knowing what should be the legitimate content of that legitimate site you are trying to browse.

You trust your Internet provider to give you the content of web sites you visit. That's the whole point of their service. But your trust is misplaced for several reasons, and one of these reasons is these man-in-the-middle style attacks where they trick the browser into accepting code that's not part of the site you are browsing.

Does it sound like hacking to you? It sounds like hacking to me. I'm not a lawyer but I was under the impression that these types of attacks are exactly what the Computer Fraud and Abuse Act was created for, if only for high-value computers. Again, I'm no lawyer, but since the ISP is injecting these surveys into everyone's traffic, doesn't that mean any bank or government employee who sees this survey is a victim of a man-in-the-middle hacking attack under the CFAA?

Other than the recent backbone shown by the FCC commissioner with net neutrality, when it comes to technology, the law for the most part does not apply to large corporations. It's usually the Aaron Swartz's of the world that technology law applies to.

They threatened Aaron Swartz with 30 years for making copies of public domain documents before he took his own life. What jail time do you think anyone at Comcast will do for using black hat hacking techniques against you in order to show you surveys?

And everything in this post so far ignores the security implications of not being able to verify the authenticity of this on-the-fly injected javascript code. How do I know the difference between this opportunity to tell my provider how much they suck and a black hat attack, trying to steal my identity?