Online banking security

Banks still don’t get security for their online sites. A long time ago, I signed up for online banking with BANK_X (I’m not giving out any information that would help phishers here) and noticed some worrisome signs, including a sudden increase in directed phishing spam, so I cancelled the service. About a decade later I figured they might have improved things, so I tried again. It’s a little better, but there’s still at least one significant problem.

After getting my account initially working, I had to activate the bill payment feature separately. This involved a delay, and I got an email from “Bill Pay” this morning saying it had been activated. It’s a lucky thing the email from Mr. Pay didn’t get marked as spam.

I logged into my account in the usual way, from the bank’s website (never blindly click on email links!) and found that the page didn’t look the same as usual. Only my checking account was showing; and then I noticed I was in a different domain from the one that normally services my online banking. I was logged out in the middle of navigating it, and I went back to the BANK_X site and logged in again. This time things looked normal. This had me worried, so I sent an in-site message stating my concern. The response said that I should be seeing the image I had selected when setting up the account on each page, and if I wasn’t seeing it, there might be a security problem.

I discovered that by clicking on the bill payment tab I got taken to the same odd-looking page on a different domain as before, and confirmed my recollection that I wasn’t seeing the image in question. This was sounding seriously worrisome, so I called the bank. The person I talked with told me that behavior sounded wrong and asked me to try again from another computer. I booted up my laptop, found the same behavior there, and called back. The person who answered this time got the information from the one I’d talked to at first, and this time I was talking with someone who understood the system better. She said that bill payment is in fact handled by a different service, and that I won’t see the selected image there. I pointed out that this was contrary to to the instructions on the BANK_X website; she agreed with me and suggested I send in feedback, which I’ll be doing shortly.

Most customers are oblivious to all suspicious behavior on a bank’s website and will just forge blindly ahead, which is why phishers are able to scam people so easily.

I have serious doubts about using this bill payment service, even after my most pressing fears were assuaged.

Update: A representative of BANK_X replied to my feedback and said that once you’ve logged in and see the security image once, nothing can possibly go wrong, so you don’t need to see the security image again and you shouldn’t worry if you find yourself on a different domain. Idiots.

Advertisements
Posted in General. Tags: , , , . Comments Off on Online banking security

Mozilla’s political intolerance

Mozilla CEO Brendan Eich has been pressured into stepping down. His offense: a political contribution which he made years before he took that post. Mozilla’s Executive Chairwoman has announced this in terms which are either vicious mockery or plain gibbering, I can’t decide which.

Mozilla believes both in equality and freedom of speech. Equality is necessary for meaningful speech. And you need free speech to fight for equality. Figuring out how to stand for both at the same time can be hard.

Our organizational culture reflects diversity and inclusiveness. We welcome contributions from everyone regardless of age, culture, ethnicity, gender, gender-identity, language, race, sexual orientation, geographical location and religious views. Mozilla supports equality for all.

We have employees with a wide diversity of views. Our culture of openness extends to encouraging staff and community to share their beliefs and opinions in public. This is meant to distinguish Mozilla from most organizations and hold us to a higher standard. But this time we failed to listen, to engage, and to be guided by our community.

While painful, the events of the last week show exactly why we need the web. So all of us can engage freely in the tough conversations we need to make the world better.

If Mozilla values freedom of speech and contributions from everyone are welcome, that should be an argument for not sacking someone whose views are different. At Mozilla, though, these terms apparently have the opposite meaning from their actual one. “Diversity of views” means that if your views are different, you’ll be tossed out the door. A “culture of openness” means that you had better conform. “We need the web” so your boss can find out what you think and send you packing if it’s disapproved.

Progressivism has grown steadily more intolerant in the past decade or two. The abandonment of the word “liberal” is fitting. For years now it’s been common to hear blanket denunciations of anyone who registers or votes Republican. I’ve been writing here about the recent appearance of speech codes in science fiction convention policies, and their growth out of speech codes at educational institutions. Recently there was a case of outright political violence at the University of California at Santa Barbara, and I was able to find only one article critical of it that didn’t come from a libertarian or conservative viewpoint.

If businesses with a left-leaning culture start imposing political standards, the right is entirely able to do the same. A couple of years ago there was a vicious campaign in Cranston, Rhode Island, against a high school student who brought a lawsuit against a religious display in a public high school Florists were afraid to deliver flowers to her. An article on Slate calls for an all-out witch hunt against thousands of people who have made Proposition 8 donations, and the author says they shouldn’t have jobs at all.

It’s still mostly true that employers don’t care what your political views are, at least as long as you don’t take them to work. This may be changing, and it would be to everyone’s detriment. In a job market like that, I don’t know who’d hire me, since my views are far outside the standard left-right spectrum. A lot of creative people hold unusual views which others might find offensive. I think Richard Stallman’s politics are crazy, but that doesn’t stop me from recognizing the work he’s done. If people had to hide their political views to get jobs, this would be a sadder, even more easily manipulated country.

This post composed with iCab. I can’t easily give up Firefox, but I can at least avoid it for the present.

Posted in General. Tags: , , . Comments Off on Mozilla’s political intolerance

Mac disconnection

I ordered a Lenovo F360 disk drive from MacConnection. Note that carefully: from MacConnection. For a Macintosh. With a MacConnection logo showing on the page, and nothing to say it won’t work with a Mac. After a few weeks of being out of stock, it arrived, and I plugged it in. All it will do is beep at intervals; it shows no sign of appearing on my computer. A look at the manual reveals that it only works with Windows.
Lenovo Nothing I do gets the computer to recognize it. A search on the drive name with “OS X” or “Mac” turns up nothing relevant.

I don’t think I’ll buy any more alleged Mac stuff from MacConnection.

Update: They apologized and authorized a full refund with no restocking fee. I’d still rather deal with a business that checks the products it offers more carefully.

Posted in General. Tags: , . Comments Off on Mac disconnection

The risk of Comcast’s home hotspot feature

This week I got a letter from Comcast informing me of a new feature:

Your XFINITY® Wireless Gateway broadcasts an additional “xfinitywifi” network signal for use with XFINITY WiFi. This creates an extension of the XFINITY WiFi network right in your home that any XFINITY Internet subscriber can use to sign in and connect.

In other words, Comcast is turning its customers’ cable modems into WiFi hotspots that other customers can use. They provide assurances that “we anticipate minimal impact to the in-home WiFi network.” In my case, that’s probably true. I live in a condominium, and any other Comcast customers in Wi-Fi range presumably have their own equipment. Still, there is a risk. The police are sometimes dumb when investigating criminal activity that’s been connected to an IP address and assume that the holder of the address is responsible for anything that goes through. I wouldn’t want my house raided and my computer impounded if someone accessed child porn through my equipment.

For reasons I don’t understand, unless it’s just to make it difficult, you can’t opt out online; you have to call 855-845-6834. I did that, and the process was reasonably straightforward. One thing I didn’t like was that I was asked to give the last four digits of my Social Security Number (or my “social,” as people like to call it when they want you to feel comfortable about giving it to them). I wasn’t asked for my Comcast account number. There’s really no excuse for asking for a Social Security Number for anything that doesn’t involve a financial transaction or official government business. Give the last four digits, and the search space is reduced to 100,000 possibilities.

As a related issue, I might have occasion to use Comcast’s Xfinity hotspots, and I wonder how I’m supposed to tell a real one from a spoof. Anyone can call their hotspot “xfinitywifi” and set it up to ask for a Comcast username and password. It’s inevitable that some crooks will try it.

Posted in General. Tags: , , , . Comments Off on The risk of Comcast’s home hotspot feature

I learned about them from the NSA

If it weren’t for the NSA, I might never have learned about Liberty Maniacs. An article on Salon reports that the NSA issued a takedown notice to Zazzle against a Liberty Maniacs shirt which mocks the agency. It’s no longer available on Zazzle, but Liberty Maniacs has lots of amusing merchandise on Cafe Press. I’ve just ordered a couple of shirts, including the NSA one.
T-shirt image with mock NSA logo and 'The only part of the government that actually listens'
Don’t expect deep or fully consistent philosophy there. It’s simply a shop where, if you value liberty and free thought, you may find some clothes, stickers, and posters you like. I can’t say anything yet about the quality of the service or products, but I hope both will be good. Order while you still can.

Thanks for making them known to a wider audience, NSA.

Posted in General. Tags: , , , , . Comments Off on I learned about them from the NSA

How not to get screwed by Harvard Pilgrim

Here’s the tl;dr version: If you need to terminate health insurance which you’re buying yourself, first stop any payment, then talk to the insurance company. You’re in a much better position if they don’t already have your money.

Here’s the story: In late July I started a new job. Its benefits include health insurance through Harvard Pilgrim. Before this I’d had been paying for my own insurance in a COBRA arrangement from my earlier employer, Harvard University, also with Harvard Pilgrim. Crosby Benefit Systems administers it.

My new insurance card was slow in coming, and I didn’t feel safe cancelling my old insurance until I had the new card in hand. That was a mistake. By the time I had it, the August payment had been deducted from my checking account. Crosby told me, after I provided the needed information, that my insurance would be cancelled. What they didn’t tell me was that it wouldn’t be cancelled till the end of the month; I only found that out when I got a letter over a week later. This means that for five weeks, I’m paying two premiums to the same insurance company for the same coverage. Harvard Pilgrim has hundreds of dollars from me that pay for nothing.

I contacted Crosby. They told me they couldn’t do anything about it because those are the terms that Harvard puts on its insurance. I contacted Harvard Pilgrim. They told me that the money is collected by Harvard, not them (they just happen to get it from Harvard), so they can’t (read: don’t have to) do anything either. There may be someone at Harvard I can talk to, but I doubt it will do any good.

What I should have done was to stop the payments from my bank account as soon as I knew I had new insurance. Then I could cancel the old policy and have the leverage of still having the money. What’s the worst Harvard Pilgrim could do to me? Cancel the policy I was trying to cancel?

Payment plans where the money is deducted from your bank account are a dangerous thing in general. They have the advantage that you don’t risk missing a payment as long as you keep your balance up, but you’re giving away the key to your cash box. You don’t have much recourse once they have the money.

As Arlo Guthrie said, you may know someone who’s in a similar situation, or you may be in a similar situation, now or in the future. Pass this advice along as you see fit. With Obamacare forcing people to deal with insurance companies and taking away the option of high-deductible, low-premium insurance, we can only expect health insurance companies to get more arrogant. (Massachusetts already has forced insurance thanks to Romneycare, so Harvard Pilgrim is ahead of the curve.) Assume they will try to screw you and do whatever you can to prevent it.

Posted in General. Tags: , , , . Comments Off on How not to get screwed by Harvard Pilgrim

Shortage in the midst of plenty

Employers can’t fill technical jobs for lack of people with the necessary skills, yet skilled professionals often can’t find work. How can both of these happen at once? A big reason may be that employers put out long lists of specific skills as job requirements, and they can’t find anyone who has years of experience with Java EE, C#, SQL, XML, and JavaScript. Or rather, it’s that they take those lists seriously. Job listings have had bloated requirements as long as I can remember, but I get the impression that companies now actually expect to find someone who meets them.

Why? Probably it’s because selecting candidates has increasingly become the province of HR departments. The people who work there may be good at what they do, but they don’t have domain-specific knowledge, so the only thing they can do is take the requirements literally.

There’s a company I won’t name that had a job listing in March for which I’m very highly qualified and which I think I would have loved. I applied and got a form response on April Fools’ Day. Several different attempts to follow up, including a letter to the head of engineering, produced no further results. The position is still posted on the company’s website!

So why has this happened? The most obvious reason is that the Internet lets applicants spam out their resumés. Employers get huge numbers of applications for any opening they publicize, and managers can’t plow through them all. HR people have to do it, and all they can really go by is checklists. But resumés that have every possible buzzword are usually phony, so the people who top the checklist screening aren’t qualified either (unless you go by yesterday’s Dilbert).

There may be other reasons for this approach. Companies don’t want to be sued for discrimination, and using a mechanical procedure can help to shield them. It wouldn’t surprise me if checklist reviewers are most careful about people who appear to be in groups that are in the best position to sue. If so, those who are ostensibly protected by anti-discrimination laws are hurt the most.

Job listings include very specific skills such as programming languages and frameworks, but the most important skills in software engineering are transferable to any body of code. These include sound design practices; good use of paradigms such as OOP, reusability, and testing; ability to explain and document; and factoring code intelligently. In addition, attitudes such as dedication and enthusiasm are important. No checklist lets anyone judge these qualifications.

The businesses that can win in this situation are the ones that look beyond buzzwords to find the people who will do the best job. There’s risk in doing it, but risk-takers usually beat cautious people. The applicants who can win are the ones who can find the businesses smart enough to do that.

Posted in General. Tags: , . Comments Off on Shortage in the midst of plenty

FairPoint Energy’s false-front operation

I’ve been digging up some information on FairPoint Energy. This article provides some interesting information, starting with the instruction “NOT FOR DISTRIBUTION IN THE UNITED STATES OR OVER UNITED STATES WIRE SERVICES.” At first I figured broadcastermagazine.com put this restriction on all their material for some lawyer-related reason, but browsing through their news, I can’t find it on anything else. We’re not supposed to know this in New Hampshire, I guess.

The article tells us what FairPoint Energy is in business terms:

FairPoint Energy, LLC is a subsidiary of the Crius Energy, LLC, a competitive energy provider that is unaffiliated with FairPoint Communications or its subsidiaries. FairPoint Energy is a local provider of affordable, retail energy that offers 100% green energy options to customers in Maine and New Hampshire. FairPoint Energy was created through a strategic relationship between Crius Energy, LLC and FairPoint Communications and uses the FairPoint Energy name under a license agreement with FairPoint Communications, Inc. FairPoint EnergySM is a service mark of FairPoint Communications, registration pending.

This agrees with the fine print on FairPoint’s own website. It’s operating under the name of New Hampshire’s local telephone monopoly, having gotten permission to. To me, since I’ve had to deal with FairPoint Communications’ unreliable ADSL, the name was a negative point, but I suppose the familiarity of the name gives Crius’s operation an unearned advantage in many people’s minds. In an earlier letter, That same web page gives 866-984-2001 as its phone number, even though that number belongs to FairPoint Communications. When I called to get my account cancelled, it was clear I was initially dealing with people who had nothing to do with FairPoint Energy, though they eventually got me to the right place.

I wonder if that was part of the marketing agreement, and what FairPoint Communications employees think of having to answer calls by people upset with a company they don’t work for.

Posted in General. Tags: , , . Comments Off on FairPoint Energy’s false-front operation

FairPoint Energy overbills customers it illegitimately acquires

I’ve posted a couple of times about the practices of FairPoint Energy, which snagged me as an unwilling customer without my consent. Today I received a notice that it also overbilled me. The notice doesn’t say for how much.

There is no acknowledgement that I have instructed Fairpoint to terminate my service, and my last electric bill still shows them as collecting it. Since Fairpoint was never legally entitled to bill me, anything it charged me is really overbilling. But this just helps to show that FairPoint is a complete sleaze.

Update: On its homepage, FairPoint Energy says that it is “is unaffiliated with FairPoint Communications or its subsidiaries,” though it has a “marketing relationship” with FairPoint Communications. So why did they give me the phone number of FairPoint Communications in their previous communication?

Further thought: I don’t know the details of how these alternative power companies work in New Hampshire, but it smells like the kind of false deregulation that bombed in California years ago. Evidently they get to use PSNH as a billing agency, allowing dubious startups to get into the business without having to engage in normal business communications with their “customers.”

Update, June 7: I’ve re-titled this post to make it clearer that it’s about FairPoint Energy and not FairPoint Communications.

Click the “Fairpoint” tag under this post for earlier posts on the subject.

Posted in General. Tags: , , . Comments Off on FairPoint Energy overbills customers it illegitimately acquires

More dubious stuff from FairPoint Energy

In my posts of February 20, 23 and 25, I wrote of my problems with getting switched to FairPoint energy without my consent. I thought I’d had it all straightened out and was rid of them, when today I got a letter starting, “Thank you for choosing us as your energy supplier. We are proud to provide you with an electricity plan that offers significant benefits…”

The letter gave the number 866-984-2001 to call if I had any questions. That number gave me four options, none of which were really right. I picked the one about having trouble, which got me repair service. They switched me to another number, where I had to talk to an idiot who asked if I wanted to add FairPoint service when I just said I wanted to get rid of it. The third person I talked to was helpful, though, and processed cancellation of my account. However, there should have been no account to cancel.

The act of involuntarily switching people to another service provider is called “slamming,” and it looks from here as if that’s what FairPoint is doing. If not, it’s serious incompetence. The last person I talked to sounded as if she’d been getting a lot of these calls.

I think it’s time for me to contact the Public Utilities Commission. I just hope this doesn’t result in my power or Internet service (where I’m stuck with FairPoint) suddenly being termina