User Interface Peeve: Giving the User No Options to Skip an Unwanted Step
Thursday
Jun 21, 2007
Here’s one UI peeve of mine. It’s when a web application—or any software for that matter—asks you for something, and gives you no option otherwise.
Take for instance tagged.com. After signing in with your desired username, password and other details, it will then ask you for your web mail credentials (in my case Gmail) so it can send invites to everyone on your list (read: spam everyone!).

One correction. Initially, one would think that the point of submitting your webmail credentials is for Tagged to check whether any of your contacts is already in their database. It’s in the wording, after all:
Enter your password and we’ll search your address book for friends on Tagged.
However, it appears that my first hunch is correct. The point of this is for you to allow Tagged to spam EVERYONE on your contact list. See here.
What bugs me is that they don’t give users the option to NOT have their mail contacts harvested. The first thing that popped into my mind was that this could be a phishing site. Had I not known better, I would have just keyed in my Gmail password. I wonder how many users have been fooled into doing just that.
Tagged should have given me the option of skipping this step, much like other social networks. I would rather just invite friends after I’ve tested the waters and determined whether the service is worth sending email invites/solicitations to people.
Thank God I’m Not A Registered Voter
Friday
Mar 16, 2007
Some people do the stupidest things with information entrusted to them. Take this case for example. PTB contributor Arnold Gamboa discovered that a certain website purporting to belong to the Commission on Elections NCR (National Capital Region) has published the entire list of registrants for the region.
I think COMELEC made a terrible — make that stupid — mistake by publishing the personal information of thousands of NCR’s registered voters. Comelecncr.com — NOT .gov, take note (is this even sanctioned by the government?) — is a partnership between a COMELEC official named Dir. Ferdinand Rafanan and San Miguel Corporation (yes, what does a multi-million peso company have to do with Philippine elections?). Dir. Rafanan said the goal is transparency. Ok, sounds like a noble intention. But the big question is, does publishing someone’s name, registration number and home address over the internet, where billions of people can access it, violate the right to privacy?
If I were a stalker (which I sometimes am), this makes for good resource material. I’d better save the entire list on my hard drive, for future reference! Now more dangerously—if I had a grudge against someone but didn’t know where he lived, I could check out the list. Or if I’m a politico and I want to send out campaign materials via snail mail (a.k.a. SPAM) to people, I could use this info. Or what if I run a business? I no longer have to buy address lists. I just check out the registrants list and I now have people’s full names, birth dates and home addresses.
Oh, and their web design sucks. Frames? Tables? Animated GIFs? Marquee text? Oh my God. It looks like the site was made with MS FrontPage. Wait. It is!
Time to Patch WordPress
Friday
Jan 5, 2007
Happy new year, everyone! The turn of the year is quite busy for me. Lots of celebrations attended (family gatherings) and lots of work done (and still to be done).
Here’s something to do for the new year. If you use WordPress to run your blogs, you’d better do some fixes, as an XSS vulnerability has recently been discovered. The vulnerability entails insertion of code into WordPress core files by passing some arguments in the URL.
You can check out my post at the Blog Herald to learn what’s actually involved, and how to fix it.
Vulnerability in Xoom’s Password Retrieval Procedure?
Monday
Oct 23, 2006
After reading my post about online payment systems not being as easy to implement as we think, Marhgil earlier emailed me about how he discovered Xoom accounts are potentially vulnerable to cracking. He details in his blog how a user’s password can easily be changed if a malicious hacker (or “cracker” in this case) correctly figures out three things: the user’s email address, bank account number and ZIP code.
Not really easy, but can be done
I tried it out myself, and it was shockingly simple. Of course, you would need to correctly input the email address that a person uses for Xoom, and since people usually give out their email and IM addresses on their blogs or email/forum signatures, it won’t be too difficult to guess. Xoom makes it even easier by helping you out: the system even tells you when you’ve guessed incorrectly!
Bank account numbers aren’t as easily guessed, however. But with a bit of social engineering or stalking, you can easily figure out a person’s bank account details. For instance, some ATMs print receipts with the full bank account included. Or perhaps you can call or email a potential victim posing as a bank employee (don’t get any ideas here).
ZIP codes might not be readily available, but you can check out any zoning references (available online), and if you know where a person lives, you can easily guess his ZIP code.
The point here is that the combination of an email address and bank account number is difficult to guess correctly. But it’s not impossible to do so. And to the determined thief, any effort exerted would be worth it, if only to get into the e-wallet of an individual.
Level of risk
You have to consider the level of risk and the vulnerability here. What exactly does access to another person’s Xoom account entail? Xoom doesn’t serve as an e-wallet like PayPal does (you cannot load it up with funds, like PayPal). However, if you have already registered a credit or debit card on your profile, then the cracker can use your Xoom account to transfer funds to his own account (by using the Send Money feature) or pay for merchandise online.
How to mitigate this risk / A simple change of procedure
Marhgil suggests you change your ZIP code to a different value to make it difficult for a potential attacker to reach the change password screen. This is only a stop-gap measure, though. Xoom should make its password retrieval procedure more secure by either sending the retrieval link to the user via email or requiring another form of verification, such as via SMS.
The fact that Xoom directly allows you to change your password once the correct details are keyed in adds to the risk. Perhaps if Xoom emailed the user a link to a password-reset form, the system would be more secure. It’s easy enough to acquire an email address, but it’s not as easy to get into a user’s inbox.
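To make the suggested fix concrete, here is an added example (my own illustration, not Xoom’s or Marhgil’s code) of the reset flow the post recommends: the form never changes the password directly, it emails a random, single-use, time-limited token, only a hash of the token is stored server-side, and the form gives the same reply whether or not the address is registered, so it no longer tells a guesser when they got the email wrong. The account/store classes, the example.invalid link and the 15-minute lifetime are all assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed values for this illustration only.
TOKEN_TTL_SECONDS = 15 * 60
NEUTRAL_MESSAGE = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 so a leaked user table does not expose passwords directly."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class Account:  # hypothetical account record
    email: str
    password_hash: str


@dataclass
class ResetStore:
    """Maps SHA-256(token) -> (email, expiry). Only the hash is kept, so a read
    of this table does not hand out usable reset links."""
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(accounts: Dict[str, Account], store: ResetStore, email: str,
                  outbox: List[Tuple[str, str]], now: Optional[float] = None) -> str:
    """Step 1: the user types an email address. Nothing about the account is
    revealed; if it exists, a link goes to that inbox and nowhere else."""
    now = time.time() if now is None else now
    if email in accounts:
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        store.pending[_token_key(token)] = (email, now + TOKEN_TTL_SECONDS)
        outbox.append((email, f"https://example.invalid/reset?token={token}"))
    # Identical reply either way: the form must not confirm which addresses
    # are registered (the "you guessed wrong" hint described above).
    return NEUTRAL_MESSAGE


def complete_reset(accounts: Dict[str, Account], store: ResetStore, token: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: the link from the inbox is presented. The token is consumed on
    first use and refused after its lifetime."""
    now = time.time() if now is None else now
    entry = store.pending.pop(_token_key(token), None)  # single use
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    accounts[email].password_hash = hash_password(new_password)
    return True


def demo() -> dict:
    """Walk through the flow with a constructed account and a fake outbox."""
    accounts = {"alice@example.invalid": Account("alice@example.invalid", hash_password("old-pass"))}
    store: ResetStore = ResetStore()
    outbox: List[Tuple[str, str]] = []
    t0 = 1_000_000.0
    unknown_msg = request_reset(accounts, store, "nobody@example.invalid", outbox, now=t0)
    known_msg = request_reset(accounts, store, "alice@example.invalid", outbox, now=t0)
    token = outbox[0][1].split("token=", 1)[1]  # what the real user reads from the email
    return {
        "same_message": unknown_msg == known_msg,
        "mails_sent": len(outbox),
        "wrong_token": complete_reset(accounts, store, "not-the-token", "x", now=t0),
        "right_token": complete_reset(accounts, store, token, "new-pass", now=t0 + 60),
        "replay": complete_reset(accounts, store, token, "again", now=t0 + 61),
        "new_password_works": verify_password("new-pass", accounts["alice@example.invalid"].password_hash),
    }


if __name__ == "__main__":
    print(demo())
```

The same shape works for the SMS variant the post mentions: the token goes out over a channel the account owner already controls, and the web form itself never becomes the place where knowing a few personal details is enough to take over the account.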
Around the blogosphere
As of this posting, here’s what other people think about this issue:
Electronic Payments in the Philippines – It May Not Be As Simple As We Think
Wednesday
Oct 18, 2006
One of the benefits of blogging for advocacy is the attention one gets from the movers and shakers. My being part of the PayPal for the Philippines campaign has caught the attention of execs in the electronic payments industry, as well as business owners who are into e-commerce (either planning to start selling online, or already have ongoing e-commerce setups). In fact, whenever I attend EBs and blogger get-togethers I’m usually referred to as the PayPal guy. It’s good to be identified with something.
I had dinner—and a few beers—with the top honchos of YES Payments last night to discuss the possibility of their offering P2P e-payment facilities in the country. This is my second meeting with them, so far, and it was great that we were able to exchange ideas freely. I related the needs of the freelance/problogger/developer community in the country, and they told us about the issues that e-payment providers continually face in the line of their doing business.
It’s All About Risk!
The foremost concerns of any business doing e-payments are security and fraud. When money is involved, there is always the chance of one party defrauding another party, or one party defrauding the system itself. So there is always risk. And the issue is determining which party bears the risk, for the system to work. In some cases, it’s the seller that bears the risk. In some, it’s the operator of the e-payment facility.
Fraud can be perpetrated a number of ways.
- Buyer uses stolen card/card details. Card owner disputes. Chargeback is paid (paid back by seller). If the seller has already sent the goods, it’s his loss.
- Seller does not send the goods or goes under. Card owner disputes. Chargeback is paid by the facility. It’s the facility’s loss.
- Buyer uses legitimate card to pay for transaction. Seller sends the goods. Buyer receives the goods, but claims otherwise. Buyer files a dispute. Seller pays chargeback thru the facility. It’s the seller’s loss.
There are even more ways—don’t get any ideas from me! The point is that there are loopholes that can be exploited. So the system has to consider the trust factor.
For the most part, dealing with the risk is a big headache to the e-payment facility because of regulatory requirements. I never realized that the banking system asks so much of these companies—there are big guarantees, there are limitations, and there are requirements for compliance with several laws, both local and international. And even the card companies like Mastercard and Visa require a lot, such as security of transactions, regular auditing and subscription costs—something in the range of $15,000 per year (or is it monthly?), which, while affordable to big companies, can be a steep amount for small players.
Social Engineering
On top of these risks, there is one difficulty faced by e-payment businesses particularly in countries like the Philippines without a strong judicial system. Fraud is not so difficult to detect. YES cites cases where fraudulent transactions were flagged, but allowed to push through so the perpetrators can be caught in the act. The problem is once the criminals were caught, the inefficient and corrupt judicial system was not capable of warranting adequate punishment.
Hence, perpetrators can expect to be let go with just a slap on the wrist. I can also imagine cases where either the judges or the police personnel could be bribed.
We come back to the issue of risk. E-payment facilities may not be so keen on setting up shop here because they know the risk of fraud is high. Even worse, the risk of fraud not being properly addressed by the law is an even bigger threat. Fraud can be minimized if the legal system is good enough to be a deterrent to people planning to commit crime. But if one knows the system can be gamed, then people will lie, cheat and steal their way to a fast buck.
A Problem of Circularity
So which came first? The chicken or the egg? (Sorry for using a cliché—it sucks, I know.)
I earlier made a bold claim that having good e-payment facilities here in the country—particularly PayPal—would be beneficial to the Philippine economy. However, it turns out that most players (probably PayPal included) would only be open to servicing the country if they can mitigate or minimize the risks of fraud.
Perhaps for large players like PayPal it’s a bit easier. For small players, it could be a challenge.
Facilities for SMEs and Individuals
YES is considering opening a facility for P2P transactions for the purpose of business and commerce. While they don’t have such a system in place right now, they do have YES Payments for SMEs and YES Pinoy for remittance. None of these services can be used by individuals like myself for receiving payments for goods or services rendered, though. YES Payments works for businesses (well, this does not preclude individuals or groups of individuals from registering as a business). YES Pinoy, meanwhile, works for P2P transactions between people with existing relationships—you have to prove you’re related to the person sending money, whether he/she is a family member, relative or friend.
I had been mentioning existing services that could do P2P, like Xoom, which fellow problogger Abe has been recommending, and which I’ve also been using. YES is positioning itself as a strong player in the country because of its presence and support. They actually do have an office here, and they do accept support calls. I think that’s an advantage. I actually tried calling Xoom support once thru their 1-800 number, but since they’re based in California, their office hours are quite off when calling from the Philippines.
What’s Next
If—and once—YES gets their planned P2P service up and running anytime soon, would there be people willing to be part of a test group? Just tell me, so we can make the necessary arrangements.
As for PayPal for the Philippines, it’s a continuing advocacy. PayPal may have already set up here, but it’s still very limited. We can only use the service to pay or send money online, and not receive (not even to load up the account). We’re still pushing for full functionality. If you have not yet signed up, please do so. We would also appreciate any support (such as linking to us and/or displaying our banners).