Oct 11, 2009

Shopping online

Lost two hours of my life today when I tried and failed to shop for a new digital camera online.

I found a reasonably priced camera at warehouseexpress.com to replace my fairly new but broken Panasonic Lumix DMC-TZ7. The display of the TZ7 broke, and I found out that it's not covered by the warranty and that replacing the display would cost nearly as much as a new camera. So it made sense to cover the damage with home insurance and buy a new camera.

Unfortunately, I found out that Warehouseexpress, paying with Visa using Verified by Visa, and authenticating VbV with the Finnish banks' authentication standard, Tupas, don't work nicely together.

The problem was that when I tried to actually pay for the camera, the Tupas authentication information was only partially visible. In particular, the OK button was not there to use.

I tried with three different browsers: Chrome (my primary browser), Firefox (backup browser, since Chrome doesn't support all features and plugins) and IE (last resort for badly designed websites). None worked.

Finally I did some guessing about when I could safely press Enter, and the payment went through (I think). Unfortunately the online shop's display was still messed up and I didn't get to the final stage with the order number and receipt. So I don't know if I managed to order my camera or if I actually ordered it several times. I'm waiting for confirmation from both Warehouseexpress and the bank's customer service.

This was a bad example of how three separately designed functions don't work together. Warehouseexpress designed the online shop and wants to enable credit card payment. Visa has designed VbV and allows integration of separately designed Tupas authentication.

I don't know what really went wrong, but my guess is the following. Tupas authentication is done by redirecting the web browser to the bank's website, which returns information about success/failure and user identification. I guess that Warehouseexpress didn't want to show the customer the website change and tried instead to embed the Tupas authentication using some tricks (frames or similar). The problem was that Warehouseexpress didn't know how Tupas works. VbV supports several authentication methods and Tupas is just one of them. Warehouseexpress should have allowed the authentication to happen in a separate window instead of trying to fool the customer into thinking that authentication is part of the website's own functionality.

I haven't used VbV + Tupas for a long time, since I have used the Finnish electronic identity card (smart card) for authentication to my online bank, and the VbV + Tupas combination was not supported with the eID card. However, the Finnish eID card is going down the drain and it's not supported by online banks anymore. Therefore I had to downgrade authentication back to paper slips and OTP/TAN.

I also noticed that because Tupas uses the social security number for user identity, the online shop will get my SSN too! In this case Warehouseexpress got both my credit card data and my SSN, which is unnecessary and stupid. I also wonder why I need to give not only the credit card number, but also the expiry date and security code. It should be enough for the online shop to get the CC number, use VbV and get the bank's verification without the SSN. But what do I know?
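The two points above (the redirect-based flow that should run as a top-level page rather than inside a frame, and the shop ending up with more identity data than it needs) can be shown with a small toy model. This is an added example, not code from the blog or from any bank or merchant: the field names, the MAC scheme, the shared secret and the `id` parameter are assumptions for illustration and are not the real Tupas message format. The merchant side builds a plain redirect, then on return verifies the signature and a per-attempt nonce (so a stale or replayed return cannot complete a second order), and keeps only the yes/no verdict while discarding the identity the bank echoed back.

```python
# Added example (not from the blog post): toy model of a redirect-based bank
# authentication round trip. Parameter names, the MAC construction and the
# shared secret are assumptions for illustration, not the Tupas specification.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret between merchant and bank (not a real key).
SHARED_SECRET = b"example-shared-secret-not-real"


def _mac(params: dict) -> str:
    """MAC over the sorted, '&'-joined parameters (assumed scheme)."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def merchant_start_auth(bank_url: str, return_url: str) -> tuple:
    """Merchant side: mint a per-attempt nonce, remember it, and build the
    top-level redirect to the bank. Handing the browser this URL (instead of
    loading it inside a frame) is the point: the bank's page is shown as itself."""
    nonce = secrets.token_urlsafe(16)
    redirect = bank_url + "?" + urlencode({"return": return_url, "nonce": nonce})
    return nonce, redirect


def bank_return_url(return_url: str, nonce: str, success: bool, identity: str) -> str:
    """Bank side: after the user authenticates, redirect back with a signed
    result. The bank echoes an identity value (the post says Tupas sends the
    SSN); that is exactly the field the merchant should not retain."""
    params = {"result": "OK" if success else "FAIL", "nonce": nonce, "id": identity}
    params["mac"] = _mac(params)
    return return_url + "?" + urlencode(params)


def merchant_handle_return(url: str, expected_nonce: str) -> dict:
    """Merchant side: check the MAC, then the nonce, then keep only the verdict."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    mac = q.pop("mac", "")
    if not hmac.compare_digest(mac, _mac(q)):
        return {"authenticated": False, "reason": "bad mac"}
    if q.get("nonce") != expected_nonce:
        # A return that does not match the attempt we started is a replay or
        # a stale tab; refusing it also stops one payment becoming several.
        return {"authenticated": False, "reason": "nonce mismatch"}
    # Data minimisation: the verdict is all the shop needs. The identity the
    # bank sent is dropped here rather than stored next to the card data.
    return {"authenticated": q.get("result") == "OK"}


if __name__ == "__main__":
    nonce, redirect = merchant_start_auth("https://bank.example/auth",
                                          "https://shop.example/return")
    back = bank_return_url("https://shop.example/return", nonce, True, "constructed-id")
    print(merchant_handle_return(back, nonce))   # {'authenticated': True}
```

The merchant never sees a user interface from the bank inside its own page; it only sees a signed return parameter set, which is why framing the bank's page buys the shop nothing except the breakage described above.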


Aug 15, 2009

Maltego

Played with Maltego. It's a powerful tool for digging out information from the net. Especially interesting is its ability to find connections between objects. Below are a couple of example graphs created when I searched tweets for the phrases "H1N1", "swineflu" and "sikainfluenssa" (swine flu in Finnish). The tool shows, for example, which word is mentioned most, who's sending the most tweets, what URLs are mentioned and how these are connected. It would be possible to go further and create a graph showing who's following whom on Twitter.

A nice example of how all your personal information on the net can be dug out, correlated and analyzed. Because of my security background, I can't help thinking how useful this tool would be for planning targeted attacks.

It's not enough to Google yourself anymore; you have to Maltego yourself too :-)

Jul 6, 2009

More Twitter

Maybe I was too quick to close my Twitter feed. I think that tweets want to live free, so I opened my account again. I'll see for a while how much Twitter spam (in the form of sleazy followers) I'll start to get. I haven't really found any useful tweets yet. Twitter seems to work mostly for fun, marketing and self-promotion. I guess I have to dive in head first, start following a couple of known security experts and see how it goes from there.

Checked out OpenID. I have known about the idea and existence of OpenID for a long time, but now I gave it a try. Nice idea, but unfortunately many sites I use didn't support it.

Jun 29, 2009

Twitter

I've played with Twitter a bit, just to get a feel for it. I had a Twitter gadget on my homepage for a while, but had to remove it. Twitter has options to either allow anyone to follow your posts or to require approval. The gadget required allowing anyone to follow you. However, that option also attracted suspicious followers (read: porn tweets). I really don't want to show up on any porn tweet timeline, so I had to change Twitter to "closed mode" and approve each follower separately. This shouldn't be a huge task, since I don't expect to get too many followers :-)

Having all these social networking sites connecting to each other creates a huge security problem. In order to get all the benefits, you need to give out your username & password to all the connecting sites. Do you really trust the site owners to keep your credentials secure? Even if they promise to do that, do they know how to? An easy-to-use universal ID with a strong authentication protocol will be needed some time in the future. Meanwhile I need to take a closer look at OpenID.

Jun 9, 2009

Geek & Poke about homepages

I was already worried about using the term "homepage" when I changed to blog mode. It took just two weeks for Geek & Poke to make fun of old-timers who still blog or, God forbid (note, I didn't use OMG), have homepages.

Great cartoon, by the way. I especially enjoy its trashing of SOA and Cloud Computing.


May 21, 2009

Blog is a new homepage

I've had my web homepage since '95. I've given it some facelifts over the years, but haven't had the energy to do all the HTML coding required to keep it hip & hop. So I finally gave up and took the easy way out by creating this blog to be my "homepage". Why bother coding, when integrating ready-made components is enough?

I probably won't blog a lot. Instead I'll use this page as a portal to my business profile, pics, book recommendations, etc. Let's see how this works out.