2011-12-30

Visa payment processing case study: network flaws

On July 20, 2011, I went to purchase the new MacBook Air in Delaware, the home of tax-free shopping. My Visa card was declined and I called to confirm the purchase. After returning home, I investigated the matter and found that my account had been put on hold due to suspicious activity. (They could have called me first, but the problems with calling cardholders to confirm purchases are already well documented.)

Someone used my card for a $1 purchase at McDonald's (probably small fries), then a $400 purchase at Target and then another $400 purchase at a different Target, all in Virginia. At the same time I was buying lunch at Chick-fil-A and buying a MacBook in Delaware. Naturally this triggered an alert, because why would anyone who has access to a Chick-fil-A also eat at a McDonald's during the same meal period?

I called Target security at the store and asked them to find a purchase under my name that day: none found. Then I asked them to look up any purchase for $417.36 on that day. Within seconds they had two camera angles of the purchase, on register #27 at 1:17:10pm. (They start counting registers at #20; they don't actually have 27 registers.) The security person would not send me the video, due to problems in the past with videos being uploaded to YouTube, but she would let me see them if I filed a police report.

The security person confirmed that this was a swipe purchase, so obviously someone had copied my Visa card. But then the next obvious question: if there were no search results for my name, what name WAS on the card that made this purchase? The answer: there was no name; this transaction was posted as a gift card with no name. Visa later confirmed this. So the security flaw is this:
When processing payments on the Visa network, the information on the card about the authorized signer and the card type can be read and trusted by the merchant, but this information is never sent to or verified with Visa.
In other words, the design of Visa's network allows the following exploits, assuming the attacker can produce their own cards:
  • Copy a real credit card as a gift card and make purchases without needing ID
  • Copy a real credit card and change the authorized signer to make purchases using a different ID
Naturally, this could be fixed by verifying ALL of the card's details against a central database at the time of purchase, rather than only the fields that are verified today.
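To make the flaw concrete, here is an added example (not code from the original post, and a deliberately simplified model rather than Visa's actual message formats). It parses a constructed ISO 7813 Track 1 string of the kind a swipe terminal reads, then simulates authorization two ways: as the post describes it, where the issuer only sees the account number and expiry, and with the proposed fix, where a digest of the cardholder name and of the card type the terminal assigned travels with the request and is checked against the issuer's record. The issuer records, the PAN (a standard test number), the card_type field and the digest scheme are all assumptions made for the example.

```python
import hashlib
import re

# Simplified model of an ISO 7813 Track 1 record as a swipe terminal reads it:
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# The trailing LRC byte is left off. Both track strings below are constructed;
# the PAN is a well-known test number, not a real account.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<service>\d{3})(?P<disc>[^?]*)\?$"
)

GENUINE_CARD = "%B4111111111111111^DOE/JOHN^1412101000000000000?"
# A clone carrying the same account number and expiry but no cardholder name,
# which is what the post describes being posted as a "gift card".
CLONED_CARD = "%B4111111111111111^GIFT CARD^1412101000000000000?"

# Issuer-side record for the account (hypothetical).
ISSUER_RECORDS = {
    "4111111111111111": {"exp": "1412", "name": "DOE/JOHN", "card_type": "credit"},
}


def parse_track1(track):
    """Split a Track 1 string into its fields; raises ValueError on bad input."""
    m = TRACK1_RE.match(track)
    if not m:
        raise ValueError("not a Track 1 record")
    return m.groupdict()


def merchant_request_as_is(card, card_type, amount):
    """What the post says reaches the issuer today: account number, expiry and
    amount. The name on the stripe and the type the terminal assigned
    (card_type) are read by the merchant but never leave it."""
    return {"pan": card["pan"], "exp": card["exp"], "amount": amount}


def issuer_authorize_as_is(req):
    """Issuer check limited to what the request carries."""
    rec = ISSUER_RECORDS.get(req["pan"])
    return rec is not None and rec["exp"] == req["exp"]


def holder_digest(name, card_type):
    """Digest of the fields the issuer should also check, so the merchant
    need not transmit the raw name (assumed scheme)."""
    return hashlib.sha256(f"{name}|{card_type}".encode()).hexdigest()


def merchant_request_verified(card, card_type, amount):
    """Proposed fix: the request also carries a digest of the name read off
    the stripe and of the card type the terminal classified."""
    req = merchant_request_as_is(card, card_type, amount)
    req["holder"] = holder_digest(card["name"], card_type)
    return req


def issuer_authorize_verified(req):
    """Issuer check that also compares name and card type against its record."""
    rec = ISSUER_RECORDS.get(req["pan"])
    if rec is None or rec["exp"] != req["exp"]:
        return False
    return req["holder"] == holder_digest(rec["name"], rec["card_type"])


def run_scenarios():
    """Return {card: (approved as-is, approved with verification)} for the
    genuine card and the clone."""
    genuine = parse_track1(GENUINE_CARD)
    clone = parse_track1(CLONED_CARD)
    return {
        "genuine": (
            issuer_authorize_as_is(merchant_request_as_is(genuine, "credit", 1899.00)),
            issuer_authorize_verified(merchant_request_verified(genuine, "credit", 1899.00)),
        ),
        "clone": (
            issuer_authorize_as_is(merchant_request_as_is(clone, "gift", 417.36)),
            issuer_authorize_verified(merchant_request_verified(clone, "gift", 417.36)),
        ),
    }


if __name__ == "__main__":
    for card, (as_is, verified) in run_scenarios().items():
        print(f"{card}: as-is approved={as_is}, with verification approved={verified}")
```

The clone is approved under the as-is model because the only fields the issuer compares are identical on both cards; it is refused under the verified model because the name field was altered, which is the same reason a card re-encoded with a different signer's name (the second exploit above) would be refused.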

2011-12-01

iCloud interface case study: How to only show reminders

Stop using Google Tasks, switch to Apple Reminders

The result is clear: Apple releases a new product with one sexy new feature and a better interface, but it's not compatible with any Google products, and Google is left in the dust. Next year Google will copy all the innovation and Apple won't improve anything.

Google Tasks:
  • Can input tasks, due dates, reminders
  • Switching task lists requires two clicks (Google Calendar & iPhone web page)
  • Can view tasks online at https://mail.google.com/tasks/canvas (looks better than Apple)
  • Viewable on iPhone through a slow website
  • Integrates with Gmail and Google Calendar
  • Printing looks bad: one page per list (can print from the link above)
  • Will copy all of Apple's features and improve, someday

Apple Reminders:
  • Can input tasks, due dates, reminders, and location-based reminders
  • Can view all task lists at once (iCal) or swipe to switch lists (iPhone)
  • Can view tasks online at https://www.icloud.com/#calendar (interface sucks)
  • Viewable on iPhone with a fast app
  • Integrates with iCal
  • Printing also looks bad, but you can print all lists at once using iCal
  • Won't ever improve their product and will never sync with Google

===========================

You can view the reminders online at iCloud.com, but it bothers you with a full-size calendar in the middle of the screen. To fix that, use this bookmarklet:


Basically, save that as a bookmark, open iCloud to your calendar and then run that bookmark.


2010-12-04

iPhone/Exchange/Gmail how to delete messages instead of archiving

When I was a kid, "delete" meant you were going to get rid of something... as in it would be gone after that. Google changes this definition. If you configured Gmail on your iPhone using Exchange with push support, the delete paradigm breaks down and instead your messages are "archived".

The solution is to create a new label called "gmailcantdelete". On your iPhone, move your messages there and then when you are on a real computer, clear out that folder all at once. Use that exact name, so Google employees can track how many users are upset about this workaround.

The official Google complaint thread: http://www.google.com/support/forum/p/Google+Mobile/thread?tid=0388614a7d4ba43d&hl=en&fid=0388614a7d4ba43d00047456d9a99bf0&hltp=2
The SuperUser thread: http://superuser.com/questions/196773/gmail-in-iphone-how-to-delete-on-swipe

2010-11-16

Giving away all your customer details because of a checksum

Philadelphia Parking Authority is one of the worst ("best?") at taxing everyday people in Philadelphia. With revenue of $192 million in 2007 and their expansion into $11 million of annual red-light camera revenue, they are collecting on average $212 per local driver per year (1, 2). How can you process that many tickets? Through a convenient online ticket payment website at http://philapark.org.

By entering only a ticket number into this website, you can collect the offender's license plate number, the date and location of the infraction and a description of the offense. However, the tickets follow a predictable sequence, and since tickets are uploaded immediately to the website, you can enumerate all tickets to build a list of every license plate with a parking violation, where it was cited, and what for. Practically, since so many cars get tickets, you could even use this system to track vehicles.



Here is a list of valid ticket numbers:
550491336 550491344 550491351 550491369 550491377 550491385 550491393 550491401 550491419 550491427 550491435 550491443 550491450 550491468 550491476 550491484 550491492 550491500 550491518 550491526 550491534 550491542 550491559 550491567

The last digit is a check digit, and it is the standard Luhn (mod 10) check: from the left, the digits get weights 1,2,1,2,1,2,1,2,1, each doubled digit is reduced to a single digit (so 14 counts as 5), and the total must end in 0. Every ticket number listed above passes this check, so the check digit can be computed for any candidate number rather than guessed.

A recent ticket is 554682872, so you can start enumerating from there.
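An added example, not code from the PPA site or the original post, that implements the check digit and reproduces the enumeration described above. All 24 ticket numbers listed and 554682872 pass the standard Luhn (mod 10) check, so the check digit buys the site nothing against enumeration: a script can step through the sequence one valid number at a time, with no wasted lookups.

```python
# Check-digit verifier and ticket enumerator for the 9-digit Philadelphia
# Parking Authority ticket numbers quoted in the post. Added example: the
# algorithm is standard Luhn (mod 10), which every listed number satisfies.

# The valid ticket numbers listed in the post.
VALID_TICKETS = """550491336 550491344 550491351 550491369 550491377 550491385
550491393 550491401 550491419 550491427 550491435 550491443 550491450
550491468 550491476 550491484 550491492 550491500 550491518 550491526
550491534 550491542 550491559 550491567""".split()


def luhn_sum(number):
    """Luhn weighted sum: from the right, weights 1,2,1,2,... with doubled
    digits reduced to a single digit (10 -> 1, 12 -> 3, ...)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def check_digit(body):
    """Check digit that makes `body` (the first eight digits) a valid ticket."""
    return (10 - luhn_sum(body + "0") % 10) % 10


def is_valid_ticket(ticket):
    """True when `ticket` is nine digits whose Luhn sum ends in 0."""
    return len(ticket) == 9 and ticket.isdigit() and luhn_sum(ticket) % 10 == 0


def next_tickets(start, count):
    """The next `count` valid ticket numbers at or after `start`, in issue
    order: exactly the sequence an enumeration of the lookup form walks."""
    body = int(start[:8])
    out = []
    while len(out) < count:
        candidate = f"{body:08d}"
        candidate += str(check_digit(candidate))
        if int(candidate) >= int(start):
            out.append(candidate)
        body += 1
    return out


if __name__ == "__main__":
    print("all listed tickets valid:", all(is_valid_ticket(t) for t in VALID_TICKETS))
    # Start enumerating from the recent ticket the post mentions.
    for t in next_tickets("554682872", 5):
        print(t)
```

Because each body maps to exactly one valid number, the enumerator never hits an invalid ticket; a site that wants to stop this has to key the lookup on something the attacker does not have (the plate) or rate-limit it, since the number format itself offers no protection.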

The solution

Of course, the way to fix this is either not to give away so much information on a public web interface, or to require the user to type in the license plate as well as the ticket number, so that a ticket number alone returns nothing.

2010-10-18

How to export your Gmail account (or any other email account) to a ZIP file

You can save all your emails to a single ZIP file using Mac, Windows, or Linux (30 minutes of setup at most).

Instructions for Mac & Windows:
  • Install VirtualBox
  • Install Linux
  • Continue as below

On Linux:
  • Run KDE
  • Open Konqueror and navigate to imaps://example@gmail.com, substituting your username
  • Open a connection to a network share running on your main operating system
  • Copy the messages over (2 hours for my 10,000 messages, 2 GB)
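The same export can be done without a VM or Konqueror. The following is an added example, not the original post's method: it pulls every message over IMAPS with Python's standard library and stores each one as an .eml file inside one ZIP. fetch_messages() talks to a real server and is not exercised offline; the host name, the Gmail "[Gmail]/All Mail" folder name and whatever credentials your IMAP provider accepts are assumptions you supply. The three messages in constructed_messages() are made up for the offline demonstration.

```python
import email
import imaplib
import os
import tempfile
import zipfile
from email.message import EmailMessage


def fetch_messages(host, user, password, mailbox="[Gmail]/All Mail"):
    """Yield (uid, raw RFC 822 bytes) for every message in `mailbox` over IMAPS.
    Opens the folder read-only so nothing is flagged or expunged."""
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.login(user, password)
        status, _ = conn.select(f'"{mailbox}"', readonly=True)
        if status != "OK":
            raise RuntimeError(f"cannot select {mailbox}")
        status, data = conn.uid("SEARCH", None, "ALL")
        if status != "OK":
            raise RuntimeError("SEARCH failed")
        for uid in data[0].split():
            status, parts = conn.uid("FETCH", uid, "(RFC822)")
            if status != "OK" or not parts or not isinstance(parts[0], tuple):
                raise RuntimeError(f"FETCH failed for uid {uid!r}")
            yield uid.decode(), parts[0][1]
    finally:
        conn.logout()


def write_zip(messages, zip_path):
    """Store each (uid, raw) message as <uid>.eml inside one ZIP; returns the count."""
    count = 0
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for uid, raw in messages:
            zf.writestr(f"{uid}.eml", raw)
            count += 1
    return count


def subjects_in_zip(zip_path):
    """Read the archive back and return its Subject headers, sorted."""
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(email.message_from_bytes(zf.read(n))["Subject"] for n in zf.namelist())


def constructed_messages():
    """Three constructed messages standing in for an IMAP fetch (not real mail)."""
    out = []
    for uid, subject in (("101", "Receipt"), ("102", "Weekly review"), ("103", "Re: Receipt")):
        msg = EmailMessage()
        msg["From"] = "example@gmail.com"
        msg["To"] = "example@gmail.com"
        msg["Subject"] = subject
        msg.set_content(f"Body of message {uid}\n")
        out.append((uid, msg.as_bytes()))
    return out


def demo_export(zip_path=None):
    """Export the constructed messages to a ZIP and return (count, subjects)."""
    if zip_path is None:
        zip_path = os.path.join(tempfile.mkdtemp(), "mail.zip")
    count = write_zip(constructed_messages(), zip_path)
    return count, subjects_in_zip(zip_path)


if __name__ == "__main__":
    # For a real account, swap the constructed messages for the server fetch:
    # write_zip(fetch_messages("imap.gmail.com", "example@gmail.com", password), "mail.zip")
    print(demo_export())
```

Reading the ZIP back and listing the subjects is the check that the archive is usable; the .eml files open in any mail client, which is the format Konqueror produces as well.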

2010-09-29

Comcast internet FAQ communication case study

The Comcast High-Speed Internet website lists top customer questions as:
But actually, the most frequent customer questions are:
  • Why does my internet keep going down? 
  • Why is my internet so slow? 
  • Why does Comcast have a monopoly in my market? 
  • What does "keep me signed in" mean?

2010-09-20

Google Tasks API case study

This post is an update of http://privacylog.blogspot.com/2010/07/api-for-google-tasks.html

Update 2011-05-12: the official API is now at http://code.google.com/apis/tasks/index.html, thanks to Josh for the ping.

There is no official API for Google Tasks at this time. But below is full read-only access to all your tasks across all your lists. I am including a simple script that sends this to you via email (this mail WILL go to your spam folder). I have this running at home to automatically print out a copy of all task lists periodically.
#!/bin/bash
# Log in with ClientLogin, fetch the mobile Tasks page for every list, and
# mail the result. The script holds your Google password in plaintext, so
# keep the file readable only by you.

cd /tmp
rm -f message; touch message

# ClientLogin answers with SID=, LSID= and Auth= lines.
curl https://www.google.com/accounts/ClientLogin \
-d Email=YOURUSERNAME@gmail.com \
-d Passwd=YOURPASSWORD \
-d source=privacylog \
-d service=goanna_mobile > token

# Turn the "Auth=..." line into "auth=..." for the Authorization header.
AUTH=$(sed -n '/Au/s/A/a/p' token)
HEADER="Authorization: GoogleLogin $AUTH"
URL="https://mail.google.com/tasks/m"
curl --header "$HEADER" "$URL" > main

# List ids look like "<digits>:<digits>:0"; collect each one once.
for list in $(grep -o '"[0-9:]\{20,25\}:0"' main | tr -d '"' | sort -u)
do
curl --header "$HEADER" "$URL?listid=$list" > list
echo >> message
# The list title is the selected option in the list chooser.
title=$(sed -n 's|.*selected="selected">\([^<]\+\).*|\1|gp' list | head -n1)
echo "### $title ###" >> message
# Extract the task text from each row of the list page (the HTML tag this
# pattern keyed on was stripped from the post; check it against a saved list file).
sed -n 's|\([^<]\{1,\}\).*|[ ]  \1|p' list >> message
# This one below indents sub tasks but only works on Linux
# sed -n -e 's/.* .*//p' -e 's|\([^<]\+\).*|\1|p' list | sed -n -e '/./!{N;s/\n/  /}' -e '/./p' | sed 's/^/[ ]  /' >> message
done

mail -s "Weekly review" YOURUSERNAME@gmail.com < message

rm token main list message
Notes for Mac: use * instead of \+,