PayPal send out emails about policy updates. Here is one of them:
There are a few strange things going on.
1) I’m not in Singapore but get sent their Singapore address.
2) They link to their site when they could have just said “go to PayPal’s website”. Getting people into the habit of clicking on links in an email that ask them to log in, especially ones with weird extensions, is exactly the behaviour phishing relies on, so it doesn’t seem like a good idea.
3) If you’re going to include a link, at least link to the changes. Why do I have to log in and go to notifications to see them?
4) On the same note, why aren’t the changes just included in the email to begin with?
Here’s one of the changes listed in notifications:
It is the whole PayPal User Agreement. What has changed? Who knows.
To their credit, a more recent January change just has the part of the policy that has changed.
Update 28 September 2012: This post was written before I started working for a bank (who I love dearly), and at least some views expressed in this post have changed since then (e.g. case-insensitive passwords (and ASB isn’t the only bank that does this) are irrelevant when users are locked out after three incorrect login attempts–Facebook does something similar to this, accepting the actual password, the password with the first letter capitalized (to account for automatic capitalization on mobile devices), and the password with the case of letters reversed (to account for the caps lock key being on), and that a charge for a bank cheque is not so unreasonable in the context of a lot of bank cheques being for a large amount). Also some bank policies have changed since this post was published (e.g. ASB no longer charges $2 for automatic payments added/amended online–progress!) There is, however, no way of getting around ASB’s $0.20 fee for a Netcode over-$500-transfer-authorization if you don’t have a token–it is charged even if you call the 0800 number and ask them to release the payment. Except for a note regarding the previous sentence, this post hasn’t been edited from the original form.
And useful (see: next day bank transfers).
I’m with ASB and they are great, however no one is perfect. Here are some things that I hate about banks in New Zealand. Many of these problems are shared by the entire industry.
Or the fact that ASB keeps trying to convert me to one even though I’m not allowed one.
Here’s mailer number one, received the week of my 17th birthday:
And mailer two, from today:
Irrelevant: check. Impersonal: check. You know how to make a guy feel special ASB. (Case in point: I’m not 18 so they couldn’t give me my own credit card even if they really really wanted to).
This is upsetting because I have a feeling tertiary accounts have fewer fees than youth accounts. At least, it isn’t emphasized that service fees apply to tertiary accounts like it is for youth accounts on ASB’s fee exemption page. Service fees apply for everyone, see comment from ASB below.
Stupid bank fees
ASB isn’t the only bank that charges stupid fees, but here are some examples of theirs:
$2 to set up or amend an automatic payment or add a person you might want to transfer money to again (like the power company, or mum). Online. On the internet. Changing an entry in a database. By yourself.
20 cents for each time you use Netcode, ASB’s text verification service, which you can choose to happen on login. Google, which isn’t even in New Zealand, doesn’t charge for this (see below). You probably get charged 20 cents again by your mobile service provider for receiving the text. Some sort of verification is required for some transactions that take you over a $500 daily transfer limit, or if you’re sending money overseas. Alternatively, you can ring their call center to get transactions verified for free11@!! I wonder if the time of the person you speak to on the phone is worth less than 20 cents? See update at top of post–20 cents is charged even if you call the 0800 number.
Alternatively you can pay $12 a year for a physical Netcode token, which you’d need if you are regularly out of cellphone reception and probably if you travel overseas. RaboDirect provides these for free. BNZ provides the NetGuard card for free.
5 cents for each email alert. For the virtual stamp. Or the person who licks it. Or something.
20 cents for text alerts and text banking. I think they charge you when they receive a text banking message from you. Plus you probably get charged to send texts to them by your service provider. In contrast, Westpac provides a certain number of text alerts free per month as long as you log in to online banking that month.
$5 for bank cheques. Plus because you probably have an “electronic” account, and if you’re not a youth/student, a fee of $3 because that’s a manual transaction.
Password policies
“Please note, your password must be eight characters long, and contain at least two letters (a-z) and at least two numbers (0-9). For example, redbus73 and 8cube224 are valid passwords.”
This is ASB’s. I assume other banks are as ridiculous. Would you like a nine character password? YOU CAN’T. MUST BE EIGHT.
Microsoft’s (now defunct) password checker says both of their examples are weak. ASB lets you use both of their examples as real passwords, because security.
@MothershipNZ and @FromAQuasar point out that ASB passwords aren’t case sensitive and also that some symbols aren’t allowed.
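The policy quoted above and the Facebook-style variant handling described in the update at the top of the post both come down to a few lines of code, so here is an added example (not ASB’s or Facebook’s code). Part 1 reproduces the ASB rule (exactly eight characters, at least two letters, at least two digits, case ignored; the page only says “some” symbols are disallowed, so this demo assumes none are allowed) and counts how many distinct passwords survive once case is folded. Part 2 shows the alternative: store a case-sensitive hash and, at login, try the typed password plus the two typo variants, so the stored hash keeps the full case entropy while the user experience matches a case-insensitive check. The PBKDF2 round count is an assumption for the demo.

```python
"""Password policy and case handling: added example, not ASB's or Facebook's code."""
import hashlib
import hmac
import math
import os

LETTERS = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune for production


def asb_policy_ok(password: str) -> bool:
    """The quoted rule. Case is folded because ASB compares case-insensitively."""
    pw = password.lower()
    if len(pw) != 8 or any(c not in LETTERS + DIGITS for c in pw):
        return False  # wrong length, or a symbol (assumed disallowed)
    letters = sum(c in LETTERS for c in pw)
    digits = sum(c in DIGITS for c in pw)
    return letters >= 2 and digits >= 2


def policy_keyspace() -> int:
    """Distinct case-folded passwords the rule allows: 8-character strings over
    [a-z0-9] with 2..6 letters and the remaining positions digits."""
    return sum(math.comb(8, k) * 26**k * 10 ** (8 - k) for k in range(2, 7))


def policy_bits() -> float:
    """log2 of the keyspace: just under 41 bits, versus 36**8 (41.4 bits) with
    no rule at all and 62**8 (47.6 bits) if case were significant."""
    return math.log2(policy_keyspace())


# Part 2: case-sensitive storage, typo-tolerant verification.

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(password: str) -> tuple[bytes, bytes]:
    """Hash exactly what the user typed, case and all."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def candidate_originals(typed: str):
    """What the user may have *meant*, given what was typed: the string itself,
    the un-auto-capitalised form (phone keyboards upper-case the first letter),
    and the caps-lock-inverted form (swapcase is its own inverse)."""
    yield typed
    if typed[:1].isupper():
        yield typed[0].lower() + typed[1:]
    yield typed.swapcase()


def verify(typed: str, salt: bytes, stored: bytes) -> bool:
    """Accept if any candidate hashes to the stored value: at most three PBKDF2
    calls, and the stored hash is never weakened by lower-casing."""
    return any(
        hmac.compare_digest(hash_password(candidate, salt), stored)
        for candidate in dict.fromkeys(candidate_originals(typed))
    )


if __name__ == "__main__":
    print(f"policy keyspace: {policy_keyspace():,} (~{policy_bits():.1f} bits)")
    salt, stored = register("redbus73")
    for attempt in ("redbus73", "Redbus73", "REDBUS73", "rEDBUS73"):
        print(attempt, verify(attempt, salt, stored))
```

The point of Part 2 is that tolerance is applied at verification time, to the candidate the user typed, rather than at storage time by folding case before hashing; an attacker who steals the hash table still faces the full case-sensitive keyspace, and the extra cost is bounded at three hash computations per login.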
Stupid marketing policies
Here’s an entry form I picked up from BNZ’s tent at The Show:
Note the classy clause at the bottom: “By providing your details, you consent to use contacting you about our products, services and promotions, from time to time (including via text message without an unsubscribe facility).”
Once you’re in, they have you.
I guess if you rang them they’d remove you from their text messaging scheme, but really, why not let people unsubscribe via text using common keywords like stop, or unsubscribe?
Visa Debit cards
And their annual fees. $10 a year for having the card. National Bank got half of the memo and isn’t charging the annual fee if you have their Freedom account. But you have to be earning $30k+ a year and pumping it into that account. Anyway, I like the image they’re using in their ads for it (see top image).
Sure, debit cards are great if you are under 18 or don’t trust yourself with a credit card. But really, if you can, you should just get a credit card.
Banks (looking at you Westpac and BNZ) seem to love converting people to these debit cards, even if the person already has a credit card with the bank. I don’t understand. Family members have received Visa Debit cards in the mail from Westpac, even though they have a credit card with Westpac. If you already have a Visa or credit card, why would you want a Visa Debit?
It’s a bit of a have, because people naturally think this is their replacement EFTPOS card and start using it, probably not realizing that once they start using it they’re going to be charged an annual fee. If they’re lucky, maybe the fee will be waived for a year or two!
When you go into BNZ to request an EFTPOS card, the tellers like to order you in a Visa Debit card instead*, because, you know, they know best.
*May have happened just once.
Lack of security
That’s Google’s 2-step verification programme.
There’s a number of ways to use it. I have the Google Authenticator application on a couple of devices (it works without needing an internet connection), I can get a code sent to me by text (for free!!@@) if the application isn’t working, I can use the backup codes if I have to, and I can tell Google that it doesn’t need to ask me for a verification code on the computer I’m using for another 30 days if I trust it.
It works, it’s good, it’s free. And it’s not even protecting my money.
Side note: security has to actually be built-in by design and be compulsory for it to be useful. Kerry Thompson points out that security conscious people probably have limited use for 2-factor authentication systems, because they already take precautions. The people who aren’t security conscious are also the people who don’t think they need 2-factor authentication, they think they’ll be covered by the bank, or won’t use it because of the cost (hi ASB’s 20 cent per text charge).
See also: Google doesn’t have an eight character password policy and Google gives a detailed account of recent account activity (ASB shows the last time I logged in, but I rarely look at it, and out of context it’s kind of useless).
How about encouraging people to set up an automatic payment to a savings account every pay period and sign up for Kiwisaver?
Also, you would think an application that consists of one button would be easy to set up, but Westpac’s Impulse Saver requires you to apply to use it, and makes you wait for a callback from a customer service person.
Phone banking on mobiles
Westpac and BNZ seem to be the only two banks who try to ban calls from mobile phones to their phone banking numbers. It’s trivial to get around this with Westpac, just call their main 0800 number and press one to get to phone banking. On BNZ it seems like that works too, at least after their call center hours.
Visa and MasterCard undermining credit card PINs
Visa and MasterCard aren’t banks, but whatever.
McDonald’s, in association with Visa and MasterCard, has a policy of not requiring a PIN or signature for credit card transactions under $35.
How they can guarantee security I’m not sure, because they have just removed the only cardholder verification a card transaction had: the PIN or signature. I’m also not sure why Visa and MasterCard don’t make this opt-in or opt-out for the cardholder.
Zero liability can’t apply if you don’t realize there’s a fraudulent charge on your statement, so good luck everyone.
Next day bank transfers
Or please stop relying on a cron job for transfers.
10 years after one-off payments were introduced, they still take up to the next business day to go through to accounts at other banks. I realize this might require some consultation with the People In Charge Of The Money, but can we please get rid of this? Thanks. Also, could we please do transfers on non-business days to accounts at other banks and get rid of the 10pm cut off for not-my-bank transfers?
Update: Last rep I spoke to talked over me and implied I just wanted free stuff. First time I’ve lost my cool in a customer service call. But, if all else fails, send an email and a text message to the CEO: “Thanks. I have received the email and I will get it dealt with ASAP.”
Update 2: “I will arrange for a 50Gb datablock to be added to your account, and for your broadband access plan charges for November and December to be credited.” Took a couple of days, but a positive response to a negative situation.
Our internet is currently slowed to dial-up.
We are on a 40GB plan with Slingshot which will change to a new plan next billing cycle.
We get free off-peak data usage.
We used to be on plan with a lower GB limit.
Because of that old plan, we regularly bought data blocks, which roll over from month to month.
The last time we bought a data block was in February – 20GB.
This month is the first time we have used up 100% of our data since January.
‘My Account’ shows that no datablocks were used up this month (0.00GB allowance)
Bro, you know I can’t use your ghost data
This means that some time between February and this month the data block disappeared from the account. It wasn’t used up this month when we used 100% of available data. And it shouldn’t have been completely used up any other month because the last time we used 100% of available data was before the data block was purchased.
I suspect it disappeared when we changed plans at the start of this month.
Slingshot called us about changing to a new plan. They spoke to the account holder first, then spoke to me. I ended up changing the plan, but this wasn’t noted under the account.
Not the account holder
I called them about this and they refused to speak to me about it at all because I’m not the account holder, even though I didn’t want them to share any information with me – I have it all up in ‘My Account’ anyway, and I’m calling from the phone number associated with the account (I know, I know, caller ID can be forged@#$!!11 but again, I wasn’t asking for personal information).
After I told them I’d just pretend to be the account holder because they were being ridiculous, and proceeded to do so they “terminated” the call and said they’d call the account holder on their cellphone. In an act of hilarity, it ends up that my cellphone number is the one listed on the account. That call was terminated too.
The account holder gets home, talks to them and adds me to the account. He gets lectured by the rep that the reason I wasn’t able to talk to them about it was to protect the account holder’s personal information, even though I wasn’t asking for any personal information (and would’ve been able to tell them the account holders name, address and DOB anyway).
WE HAVE TABLES TO PROVE IT
After lots of holding I’m told that they are definitely right and that we have gone well over our data usage (even though that overage would’ve happened on speedy dial-up). I suspect that they can only see what I can see in the history part of billing – the total amount of data used per month: plan + data blocks + free off-peak + zero rated, because past data usage isn’t split up into categories.
Just because it says we used x amount of GB more than our plan doesn’t mean that we actually went over the plan’s allowance, because of free off peak. That’s also supported by a lack of 100% data usage used emails.
The rep said they could email me what they are seeing showing the significant overage. I say great. He says that it will take two days and mentioned printing. I state the ridiculousness of this and ask to speak to whoever he talked to. I get put on hold and he quickly comes back saying they can actually send it within 30 minutes – 6pm.
The spreadsheet
At 7pm I get an email from tier 2 customer support. Attached is a spreadsheet of our hour by hour data usage over this billing period. Interesting to look at, but not helpful to the situation. The issue isn’t with us using up all of our plan data this billing period, which I’m not debating and I can clearly see from ‘My Account’. What I am debating is that we shouldn’t have been slowed to dial-up because there should have been a data block on the account.
A group of researchers have published a very interesting paper: Click Trajectories: End-to-End Analysis of the Spam Value Chain (pdf). Using three months of spam data and by purchasing over 100 products advertised by spam emails, the researchers followed the life of a spam email and investigated where the money from purchases actually goes. They found that the people behind 95% of spam-advertised pharmaceutical, replica and software products are using just a handful of banks for their merchant services. Anti-spam efforts focus on the delivery aspect of spam, but there is potential for the quantity of spam to be significantly reduced if the banks the spammers are using are targeted.
Purchasing from spam emails
The researchers collected spam-advertised URLs along with data about the hosting infrastructure and DNS of the spammed websites. They grouped the sites by content structure, category of goods, and affiliate program and/or storefront brand. The study focused on the most popular goods advertised in spam: pharmaceuticals, replicas and software. Pornography and gambling weren’t covered, for “institutional and procedural reasons”.
Purchases were made from each major affiliate program or store “brand”, and the researchers tried to order the same types of products from each site to gain insight into the similarities and differences between the product suppliers being used. A specialty issuer of prepaid Visa cards teamed up with them, letting them use a different card for each purchase and obtain the authorization and settlement records for each transaction. For legal reasons pharmaceutical purchases were limited to non-prescription goods like herbal and over-the-counter products, and software purchases were limited to products the researchers already held a license for.
120 purchases were made; 76 were authorized and 56 actually settled. Half of the failed orders came from a single affiliate program, which the researchers attribute to the large order volume raising fraud concerns.
The honest spammers
A finding I found interesting from the paper is that the likelihood is quite high that you’re not going to be ripped off when ordering through spam emails.
Out of the 56 “successful” orders, 49 of the products were delivered and received. Only seven of the products weren’t delivered. Out of those seven: four sites either sent packages or said they’d send packages after the mailbox lease had ended, one said that the money had been refunded (however the refund hadn’t been processed three months later). Only two “lost” orders received no follow-up email.
The researchers suggest two reasons sites actually fulfil orders: repeat business from satisfied customers, and the fact that chargebacks from customers who never received their goods would jeopardise the site’s relationship with its payment provider.
Update: One of the researchers, Stefan Savage, confirmed to me that none of the Visa cards used on the spammed sites were subsequently used fraudulently. It also looks like the pharmaceutical products were legitimate. He says “we only ordered a small subset of goods so any results aren’t representative. However, we did some limited mass spec testing of a few pills against reference samples and the active ingredient was found to be the same and in a similar proportion — note we only tested for the active ingredient and didn’t look at things like binders, contaminants, etc.” Software was pirated, but malware free.
Research done by F-Secure supports this: almost all of their goods ordered from spam emails were delivered, none of the credit cards they used for orders were “stolen” and email addresses used to order the goods didn’t receive an increase in spam.
New Zealand’s fulfillment role
By volume, most herbal products shipped from the United States, but China and New Zealand were also in the mix.
A Christchurch based company turned up in results—Etech Media Ltd. Ironically, this: is the email address listed in their whois record.
Perhaps unsurprisingly, the company in question and its owner aren’t new to the spam game. Sole shareholder and director, Shane Atkinson was fined $100,000 in 2009 for sending spam under the name ‘Herbal King’. His occupation listed in the 2005 electoral roll was “pro spammer”. The Herald “understands” that Etech Media’s office was one of the addresses searched in spam raids in 2007. In 2003, Shane admitted to sending up to 100 million spam messages a day, that spamming allowed him to have a nice car and house and said he “had no qualms about it”. “In a later interview, Atkinson said he had given up spamming.”
Perhaps not entirely?
I’ve emailed Etech Media to see if they’d like to comment.
The spam bottleneck
The researchers tried to identify bottlenecks in the spam value chain—stages where few alternative options are available and ideally where switching costs for spammers are high. Which intervention would have the most impact?
For the 76 authorized transactions, there were only 13 banks acting as “acquirers”. Herbal and replica purchases generally cleared through St. Kitts & Nevis Anguilla National Bank. Most pharmaceuticals through Azerigazbank in Azerbaijan and DnB Nord (Pirma) in Latvia. And most software purchases through Latvia Savings in Latvia and B&N in Russia.
The researchers say that the banking/payment component of the spam value chain is the most critical. Payment infrastructure has “far fewer alternatives and far higher switching cost”.
Only three banks provided payment services for over 95% of the spam-advertised goods in the study:
There are only two main payment networks in Western countries—Visa and MasterCard.
The replacement cost of a bank is high in setup fees, time and overhead. Acquiring a merchant account requires a lot of coordination and time. Banks used by the major affiliate programs were either still the same four months later or had changed to another one in the set identified above (only one new bank appeared four months later—Bank Standard in Azerbaijan).
Perhaps a solution is for banks that issue credit cards in Western countries to refuse to settle card-not-present transactions where the acquiring bank is one known to service spammed goods and the Merchant Category Code matches those goods. All software purchases in the study were coded as Computer Software Stores and 85% of all pharmacy purchases were coded as Drug Stores and Pharmacies. There were some exceptions, however “generally speaking, category coding is correct”. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods.” A similar policy has already been implemented by MasterCard and Visa, which do not allow US-based customers to transact with online casinos.
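To make the proposed intervention concrete, here is an added example (not from the paper and not any issuer’s real rules) of the issuer-side check run over a batch of constructed authorization requests: decline only when the transaction is card-not-present, the acquirer is one of those the study found clearing spam-advertised goods, and the MCC is one of the two categories the study saw those goods coded under. The transaction record layout, the acquirer names used as identifiers and the sample traffic are all constructed for the demo (a real authorization message carries a numeric acquiring-institution ID rather than a name); the MCC numbers are the standard codes for the two category names the page gives. The last two sample records show the rule’s two deliberate gaps: a miscoded merchant and a card-present transaction both pass.

```python
"""Issuer-side acquirer/MCC rule: added example, not the paper's code or any bank's rules."""
from dataclasses import dataclass

# Standard MCCs for the two category names given on the page.
MCC_COMPUTER_SOFTWARE_STORES = 5734
MCC_DRUG_STORES_AND_PHARMACIES = 5912
HIGH_RISK_MCCS = {MCC_COMPUTER_SOFTWARE_STORES, MCC_DRUG_STORES_AND_PHARMACIES}

# Acquirers the study found behind the authorized spam purchases, plus the one
# that appeared in the four-month follow-up. Names stand in for institution IDs.
SPAM_ACQUIRERS = {
    "St. Kitts & Nevis Anguilla National Bank",
    "Azerigazbank",
    "DnB Nord (Pirma)",
    "Latvia Savings",
    "B&N",
    "Bank Standard",
}


@dataclass(frozen=True)
class Authorization:
    merchant: str        # constructed merchant label
    acquirer: str        # acquiring bank (name used as identifier for the demo)
    mcc: int             # Merchant Category Code as coded by the acquirer
    card_present: bool
    amount: float


def decide(auth: Authorization, denylisted: frozenset = frozenset(SPAM_ACQUIRERS)) -> str:
    """'decline' only when all three conditions of the proposal hold.
    Anything else is approved, including the known gap: a spam merchant whose
    acquirer miscoded it under a benign MCC is not caught by this rule."""
    if auth.card_present:
        return "approve"  # proposal is scoped to card-not-present transactions
    if auth.acquirer not in denylisted:
        return "approve"  # ordinary acquirer, regardless of MCC
    if auth.mcc not in HIGH_RISK_MCCS:
        return "approve"  # denylisted acquirer but benign MCC: miscoding gap
    return "decline"


def screen(batch) -> dict:
    """Run a batch of authorizations; return merchants grouped by decision."""
    out = {"approve": [], "decline": []}
    for auth in batch:
        out[decide(auth)].append(auth.merchant)
    return out


# Constructed sample traffic. The first two mirror the pattern in the study;
# the remaining three are the cases the rule must leave alone.
SAMPLE = [
    Authorization("spam-pharmacy.example", "Azerigazbank", 5912, False, 49.95),
    Authorization("oem-soft.example", "Latvia Savings", 5734, False, 89.00),
    Authorization("local-chemist.example", "Example Bank NZ", 5912, False, 22.50),   # ordinary acquirer
    Authorization("spam-pharmacy.example", "Azerigazbank", 5399, False, 49.95),     # miscoded as general merchandise
    Authorization("airport-chemist.example", "Azerigazbank", 5912, True, 12.00),    # card present
]

if __name__ == "__main__":
    for decision, merchants in screen(SAMPLE).items():
        print(decision, merchants)
```

The two gaps are the ones the paper itself notes: the rule only bites while acquirers code merchants honestly (which the Visa fines encourage) and while spammers cannot cheaply move to an acquirer not yet on the list (which the high switching cost discourages).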
The paper concludes: “the payment tier is by far the most concentrated and valuable asset in the spam ecosystem, and one for which there may be a truly effective intervention through public policy action in Western countries.” However spam is probably profitable for banks and payment processors too, so they might be hesitant to do anything about it.
How much spam do you receive at the moment and how much makes it to your inbox? Do you know anyone who has bought something through a spam email?