We interrupt this 2010 predictions column to predict trouble ahead, first for mobile banking apps, second for ISPs who stupidly piss off my readers, and finally for buyers like me of Dell Vostro A90 netbooks. I further predict we’ll return with more prediction columns within hours.
First the mobile app problem. My friend Stephen Schaubach just noticed something about mobile banking apps that is very scary. He wrote about it tonight on Slashdot, but since he’s my friend (Stephen introduced me to my wife — I think that qualifies him as a friend, don’t you?) I feel okay about the duplication. As for that introduction many years ago, Stephen was just showing her off, not realizing that I would see in her great potential as the mother of difficult children.
“While checking out Google’s Android app store I searched for a banking app to use with my bank,” wrote Stephen. “I was surprised to see three mobile apps listed and none of them released from the bank itself. I cannot say what any of these apps are doing behind the scenes for sure but the mobile app could certainly swipe your credentials and connect you to the bank at the same time a lot more convincingly than any phishing site could. Is this the beginning of mobile app phishing? It’s hard to believe nobody at the app store end is checking to see if the app has been legitimately released/signed from the actual bank it’s representing. It makes me wonder what other apps are out there mining people’s personal data, phishing, etc. and what can be done about this potential risk to safeguard the general public? Has anyone else run into similar situations? Anti-phishing software like Nokia’s Free Anti-Phishing app or mobile Safari’s similar feature wouldn’t protect the mobile user from an application doing something via code behind the scenes. Perhaps only a code walk-through or a legit digital certificate would remedy this situation. Any thoughts?”
I think this is potentially a huge problem that snuck up under our noses. And there’s more of it than just at banks. On my iPhone, for example, I have apps for Netflix and Red Box video rentals, neither of which was produced by those companies and both now know my account numbers and passwords.
Yes, there are outfits like Mint.com that ask for all our account numbers and passwords, but Mint at least has a lot on the line as now a part of Intuit. With many mobile app developers being one-man outfits, it’s easy for a bad guy to get away with murder by offering a service that appears to be a heck of a deal but is really being used for identity theft.
I just wrote a paragraph here explaining how I would go about running such a scam then realized that was just encouraging crime. Needless to say there are a number of common user habits that can be leveraged quite easily to obtain the most private user information. And what can be done probably is being done right now.
Remember that while your bank may cover financial losses that are their fault, your signing up for a bogus third-party mobile banking app counts as your fault and the bank probably owes you nothing.
Second complaint: Time-Warner Cable doesn’t seem to care about helping its customers fight crime. Here’s the story from reader Andy Barr back in my old stomping grounds of Holmes County, Ohio:
“My parents’ house was robbed and their computer stolen. I had installed www.logmein.com on the computer so when it showed up on the internet 18 hours later I was able to get the IP address and give it to the police, which in turn asked Time-Warner cable, the ISP for that IP address, for an address for the thief. Time-Warner has a web page specifically about how to get this information.
“It seems straightforward. However the police are computer illiterate. They had no idea what an IP address was but I explained it to them. The police submitted a request and then 10 days later Time Warner came back saying they don’t have a computer with that IP address. It seems the person who submitted the paperwork listed the wrong IP address.
“So they resubmitted again, waited two more weeks and this time Time-Warner said they needed a time and date when the computer was on the internet with the given IP address. I had told the police about the above web page but in spite of this they evidently did not put the time or date on the subpoena.”
This is Bob again. We’ll get back to Andy’s story in a moment but my experience with cable modems and cable ISPs is that while their IP addresses are technically dynamic — that is subject to change at every login — in practice they hardly ever are changed. Most cable Internet users have exactly the same IP address for years. Just to be sure I ran this information past another friend who was one of the architects of Time-Warner’s Roadrunner system and he confirmed that IP addresses are essentially permanent. So this particular dodge from Time-Warner is nonsense.
Back to Andy: “They resubmitted again and waited another three weeks. This time Time-Warner came back saying they now need a search warrant. The police submit a search warrant and now three months since the IP address was given to the police they still have no information from the cable company.
“After a few weeks of waiting, I used logmein’s pro version to connect to the computer and downloaded all my parents’ documents and pictures. I found a picture of the likely thief in front of the computer. I also have the person’s name and Myspace page, though the police don’t seem interested in tracking down the person using that information.”
I feel Andy’s pain, don’t you? Time-Warner Cable appears not to want to be bothered. In fact they are probably annoyed at the persistence and technical capability of Andy. If anyone from Time-Warner Cable is reading this or if you are a Time-Warner Cable customer who doesn’t want to have a similar experience, now would be a great time to speak up.
Third complaint: My son Fallon’s Vostro A90 netbook, which I wrote about right after Christmas, was finally repaired successfully by Dell but now the Vostro thinks it is an Inspiron 10V.
It took Dell a few days to notice my column about Fallon’s A90 that wouldn’t charge and my many attempts to get it fixed. I eventually got a call from a very nice guy in Dell PR who became my official contact, whatever that means. It sure didn’t mean better customer service. I got a call from Dell support saying that they had received the Vostro for a second motherboard replacement and I’d be getting an update from them just as soon as they heard from the repair depot, probably within minutes or hours. Five days later, still having heard nothing more from Dell support, the little A90 reappeared on my doorstep.
This time the netbook appears to have been repaired successfully. I can tell work was done because the SSD this time was reinstalled with the proper two screws instead of just one screw last time. I could tell work was done because the case, which hadn’t been scratched before, now had lots of little scratches on it. Or maybe the scratches came because Dell didn’t use the padded foam envelope they’d asked me to use to ship the system to them. It was there, crumpled in the bottom of the box, but they didn’t bother to use it. Not using it meant the A90 was too small for the foam padding and knocked around inside the shipping box. But I knew most obviously that work had been done when I booted the A90 and it told me as the BIOS loaded that it was now an Inspiron 10V.
Maybe this is no big deal. Maybe I should be glad that my $200 netbook now has the motherboard of a $350 netbook. But frankly I found it annoying. The last time I got a shuffle like this was when a Chevy 350 engine appeared inside my new 1976 Oldsmobile. GM paid customers millions to cover that executive decision.
Fallon also had a couple apps (this is Linux remember) that he’d compiled specifically for the Vostro and its A04 BIOS. Well the Inspiron BIOS is A05 and the apps no longer work right, so I guess Fallon will be recompiling again, which at age three is a non-trivial event.
This is just slipshod support. Maybe they’ve already discontinued the A90 and are out of motherboards. I don’t care. Dell is supposedly committed to supporting my machine and they didn’t do it. Worse still, when I reported this back to my “official contact,” he quoted Customer Support as saying that they had sent me an e-mail that I never got.
If they are lying to him and lying to me, then they are lying to you, too. Worse still, if they’ll play this fast and loose with a tech blogger with 300,000 readers, then Dell simply doesn’t give a damn about any of us.
I’ll be waiting for your call, Michael.