Sunday, 10 January 2016

Dear Argos...

Dear Argos, If I am checking for something on your site it is because I want to pick it up in the next thirty minutes or next day at 08:30 when your store opens. If you tell me it is not in stock, but I can order and collect it, I will just go straight to Amazon. Don’t tell me to order it for home delivery for only £3.95. Again, I can use Amazon to get the product cheaper and they will deliver it to me free. If I am looking at your site it is because you have stores with stock that I can walk in and purchase right now, a convenience Amazon simply can’t match. So how about you put some of that stock in the stores? Because when every store in a ten mile radius doesn’t stock any of the nine product variants I am looking for, but all can order it in within 24 hours, that rather means you have it in a hub, not one of the stores where people can buy it. That doesn’t make you look very competent. And because Boots actually have it in their shop, even at £10 more expensive, that 24 hours has just cost you the sale. Because if someone is looking at a Bricks and Mortar store, it is because time matters. Regards, Me


This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Dear Argos... - http://rablogs.co.uk/tirial/2016/01/10/dear-argos/ was published on January 10, 2016 at 9:05 pm.

Wednesday, 23 December 2015

Joys of Christmas

Not going to be a good Christmas really.

Last year we had a breakout site that was doing really well. This year we have a mess that is dying on its arse, pardon language.

In 2015 we put together a roadmap of things to be done. All the work on it for me and in my area has been done.

Unfortunately there are parts that require the intervention of a third party, our database handler, who has done precisely one piece of work, after I threatened to sue.

When asked to do their part, they instead asked:

– why can’t I also do the databases instead of them? (You know, as well as all front end work, feeds, set up, membership, provide all the content, etc.) Because I’m flat out doing my work for the year and building work-arounds to get round the work they haven’t done.
– why do they have to do anything? Let’s see: agreed roadmap, costs and more.
– does this really need to be done? Yes, that’s what was discussed and signed off.
– and he’s worked really hard for two weeks, so why am I still an unhappy customer?

Well…
  • The roadmap and agreed work covered twelve months
  • The site’s traffic has halved,
  • It has lost 600,000 Alexa ranks,
  • Ad revenue has collapsed and it is no longer supporting itself
  • We’re losing subscribers over persistent bugs and promised features that have not arrived
  • And I’ve been on two hours sleep a night for the last four weeks trying to fix it all.
And then at the weekend I learned he was claiming to have completed work that he hadn’t. I ended up in his office forcing him to actually look at the code, at which point he did the “Oh no, you’re right, it doesn’t work” and added a note to a pad. No apology, no indication he would actually do it.

Unhappy? I want this guy’s head and a competent coder!

And he now wants to take on video production for us. Somehow I don’t think so…

And I will be logged in on Christmas Day to try and fix the mess from home. Did I mention I won’t get paid for this? I suspect there may be a damning post after Christmas naming and shaming the company.


Joys of Christmas - http://rablogs.co.uk/tirial/2015/12/23/joys-of-christmas/ was published on December 23, 2015 at 9:47 am.

Tuesday, 20 October 2015

Search Engine issues

So, Google has now added a new feature.

Originally in the dim and distant past, Google was a search engine.  Then it started collecting details from users’ searches and serving ads. It could charge more based on these details. So it bought other sites, like youtube, and then tried to make users put everything under one sign-in, which creates ad profiles which can be sold for even more money.

And in the last few days the inevitable happened. If you don’t have a google account and don’t give them permission to track you, good luck using their search engine.

Over the last few days I’ve been through this a few too many times.

Let me summarise it:

  • Click next
  • Get told that it will take your data, so click Other options
  • Click edit settings under search customisation and turn search off
  • Click edit settings under ad preferences and get a 302 error.
  • Click edit settings under youtube and turn off.
  • Click edit settings under Privacy and get asked to download Google’s code. No, no, no.
  • Click back.
  • Get told that you still have to agree to let it track you to get to the search screen.
The really good thing, of course, is that after turning all this off I went to youtube. You know google claims that its default settings are child safe, and if you see porn it’s your fault? Nope. With history on I see tech demos and science vids. With history off I get lots of half-naked women. Unless they’re bio-roids with spec info, I’m really not interested.

But what can you do?

Oh yeah, you can
  • Use duckduckgo.com to get a google search without giving google your data.
  • Use altavista
  • Use yahoo.com
Because seriously, given the poor quality of google’s recent search results (before this screen came up I was averaging one report a day under their feedback of just how inaccurate their results were, and then having to go to duckduckgo anyway), I don’t see any reason to pay them for poor performance.


Search Engine issues - http://rablogs.co.uk/tirial/2015/10/20/search-engine-issues/ was published on October 20, 2015 at 9:46 am.

Thursday, 10 September 2015

Disabling Contactless Cards

Contactless card security – or the lack of it – is back in the media. There are three main items that the card firms say make these cards secure. Sadly I would disagree with each.

1) Short Range.
Which? said that while industry standards specify a maximum magnetic-field strength for card readers of 5cm, some may be able to read cards at greater distances. Their test rig read it from 45 cm. (http://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which)

"It may be possible for a small percentage of cards to be read 15 to 20cm from the reader," he said. "Even if this was to occur in 0.1% of cases, with more than 300m transactions taking place last year, many consumers could be affected."

So the only limit on how far a card can be read from is whether the person building the reader wants to stay within the guidelines. People planning to break the law by stealing credit cards will, of course, follow guidelines rigidly.

So your safety with a contactless card depends entirely on the honesty of the person who plans to steal it.

2) That the amounts are so small no one would be interested.
I’m going to use an actual live case that I observed here, regarding an online site and its payment. Squidoo was an article site that paid monthly for articles with the most traffic. As its monthly payment increased, so did the amount of click-fraud etc.

When the payment for a top article on squidoo was $10, fraud was very low.
When the payment was $30, coders built and sold tools just to get the payment, and sold them for $50 (e.g. SquidooBlaster).
When the payment reached $50, it was hard to get that payment without fraud.

Likewise, when the payment for a contactless card was £10 no one bothered. Now it’s £20, and they want to make it £30. At what point does it become worth the outlay for a cheap phone and wide range receiver – less than £100?

With Squidoo there was a cap – only the top 10,000 lenses got that type of royalty. With credit cards, they could get that many in an hour walking around a city street or station.

3) That after a certain number of transactions, you have to use your PIN.
Not only do they still get the funds for the first transaction, but this is where long term cons get nasty.
Once they’ve got your data, they can make a number of transactions and then get locked out.
If they’ve made small transactions, say transport or whatever else, they simply have to stop using your card, wait for you to use it and unlock it, and then they can harvest £20 off it again the next day.
£20 every day for a month is around £600 per card. The equipment for Which? cost under £200. Think the fraud is worth it yet?

And since thieves often store the cash by buying gift-vouchers, which are hard to trace, it provides an ongoing benefit.

The final safeguard: Insurance
If all of these safeguards fail and your card is used without your consent, the banks state they will refund you. There are a lot of issues here.
From the user’s point of view, they refund from the point where the user tells them there’s an issue. Unlike a physical card where you notice you’ve lost it, with contactless you could lose quite a bit before you get a statement or indication that something is wrong. 

However from a societal point of view there’s another issue. In the TJX case one woman lost $45,000. She reported it. The card firm refunded her. The firm then either claimed insurance, or reclaimed it from the retailer, who then claimed on their insurance.

The thieves still had the original $45,000. They still benefited, so there was no reason for them not to continue to steal credit cards, which in fact they did. If insurance means the theft can be seen as stealing from banks and insurance, not retailers and little people, it might even encourage it – you might have noticed the number of online groups spelling ‘bankers’ with a ‘w’.

And then more recently, the possibility of a whole new field of fraud was opened up.

While RFID Journal says that the contactless chip does not contain the entire data for the card (http://www.rfidjournal.com/blogs/rfid-journal/entry?7870), InfoSecurity Journal states that it does, and that they have accessed it through a legacy profile (https://www.infosecurity-magazine.com/magazine-features/how-secure-are-contactless-payments/).

Now if this is true, it re-opens a whole field of card cloning. The security issue is simple – the RFID contactless chip contains the same details as the magstripe. This is enough for someone who scans the details to clone the card for signature use with a generated magstripe. Put a faulty chip on the cloned card and most card readers revert to the magstripe. Then the person who created the cloned card just has to swipe and sign the slip – like they signed the cloned card fifteen minutes before… It might not match the real owner’s signature, but that won’t be revealed until the slip reaches the bank in a few days.

So, no, the more I look into it, the less happy I am about the security on contactless cards. Many of the more complex technical security solutions seem to assume that a fraudster will never acquire a physical card from that bank to reverse-engineer it (because, you know, thieves never have or steal real physical cards…).

Then Visa asked to be able to track cardholders’ movements and transaction locations by their phones “for security” (https://nakedsecurity.sophos.com/2015/02/18/visa-asks-to-track-your-smartphone-to-help-sniff-out-credit-card-fraud/). And that data about where you are at what times of day every day couldn’t be abused at all, could it?

So when the bank refused to replace mine with a non-contactless card, I have just field-tested disabling my card’s contactless. My solution works. 

I’ll post it here in a few days.

Disabling Contactless Cards - http://rablogs.co.uk/tirial/2015/09/10/disabling-contactless-cards/ was published on September 10, 2015 at 9:47 am.

Thursday, 3 September 2015

EUVAT - a last thought

I’m not going to define EUVAT again (daft legislation that even the EU admit was not thought out and is killing small business, but may not fix for 2 years), but I wanted to throw out a last thought before the EUVAT Symposium in September.

The problem with the proposed solution of adding a turnover threshold to EUVAT is that VAT thresholds vary from country to country. A threshold was already rejected when it was originally proposed, so it won’t go through this time.

So why not link EUVAT to company behaviour, so that only companies acting against the European Digital Single Market get hit? Small firms sell online by PayPal button or similar low-cost one-click option. They offer the same thing to all countries and rarely even know where the customer is based. Large firms like Amazon select by country, offer different or restricted services in each country, and block users from accessing their content outside that country.

So why not link EU VAT directly to this? If a company geo-selects within Europe on services, they pay EUVAT rates – i.e. they have to pay VAT at the point of supply: the customer’s location, since they are obviously already collecting enough data to know this. However, if a company is using a single-click payment option and not changing their offering by country, all sales are counted as domestic and VAT is paid at the rate of the company’s home location. Since few (virtually no) larger firms use PayPal or single-click payment processors that aren’t linked to an account with details and customer location, this would effectively remove small businesses from EUVAT. The benefits:
  • This removes small businesses from EU VAT, saving time and hassle without needing a threshold.
  • It encourages larger firms to provide identical cross-border content, promoting the DSM, and penalises those that don’t.
  • It makes it harder for multi-nationals to dodge VAT.
  • It makes it unnecessary to have a turnover threshold.
The disadvantage is proving that the offering is identical, but that should be easily done just by visiting the website from multiple countries’ IP addresses. If prices (not including shipping) change and products vary significantly, that’s EUVAT liability. Yes, this may be borderline for larger bookshops etc. or DVD and game sellers due to the issues of licences and overseas rights. However, since it is not illegal to sell a printed book or DVD created in one region to another, just to mass-produce or mass-retail them in a third party country without rights, most should be unaffected. Larger sites that might escape it are Flattr and Patreon, but then both are a way of moving funds directly to small creators, and they don’t care where the donors or creators are based. It’s better than people being threatened with extradition over 5p, and grannies selling knitting patterns having to pay VAT.


EUVAT - a last thought - http://rablogs.co.uk/tirial/2015/09/03/euvat-a-last-thought/ was published on September 3, 2015 at 8:53 am.