Sanspoint.

Essays on Technology and Culture

The Great PayPal Email Hack That Wasn’t

This past Saturday, as I headed into town for a concert, I stopped to check my email and found two messages from PayPal UK, saying someone had set up an account, and added a mailing address, with my gMail address. Well, almost my gMail address. Instead of the gmail.com domain, they’d used googlemail.com as the domain. I assumed it to be some kind of phishing scam, logged into my PayPal, changed the password and removed my gMail address from the account for safety. Then, to be sure, I forwarded the emails to PayPal’s spoof checking address. Content I’d done the right thing, I hopped the subway and was soon having my eardrums split open by the Buzzcocks.

Still a bit concerned, the next day I initiated a password reset of the account with the googlemail.com email. I got the password reset email with a verification code. Upon providing the code, I was asked to send a message to a strange phone number. Weird. When I logged into my PayPal, everything looked kosher. No new addresses, no new emails, no new phone numbers. My account was untouched, as far as I could tell. Later in the day, I got an email saying the new account was “ready to shop” and that’s when I called PayPal.

It took some explaining. This wasn’t just “my account has been compromised.” This was someone creating a brand new account with an alias of my email address. Known to me, but unbeknownst to PayPal, is that gmail.com and googlemail.com are aliases of each other. If you have gMail, and send a message to yourusername@googlemail.com, it will show up in your gmail.com inbox. Since my gmail.com address was on my account as a secondary email, if PayPal knew the two domains were equivalent, the stranger should have gotten an error. What really confused me was that they were able to log in, add an address, phone number, and credit card to their account. Which led me, and the first manager I spoke with at PayPal, to conclude my gMail had been hacked.

This seemed impossible. I have a huge, complicated 1Password-generated Google account password. I use two-factor authentication. Google showed no unusual login activity, or anything of that nature. Even if someone had access to my Google account, I can think of a million more interesting, useful, and subtle ways to use it than to set up a new PayPal account. In any case, I changed my Google password, re-set up two-factor authentication, and revoked all third-party access to my account. That was Sunday night, and I went to bed paranoid and angry.

Monday, while at work, I figured I’d try again. Knowing they had a phone number on the account, I hoped I could reach someone who could try to contact the ersatz account holder. I called PayPal and began trying to get help via angry messages on Twitter. Multi-tasking, as best I could, I spoke with a manager on PayPal’s fraud team and someone on the AskPayPal Twitter account, trying to explain the situation and see what could be done. Both agreed to contact the person in the UK, and it looked like the AskPayPal person got to them first. I got one final email, saying the account was deleted, and that was it.

Turns out, it was a fat-fingered email address after all, and the account wasn’t actually activated and verified. I gave myself a full security audit for nothing, it seems.

Part of my anger and paranoia was that this came hot on the heels of the iCloud security nightmare. The other was the incredulity of the people I spoke to at PayPal, and the lunacy that they were unaware that gmail.com and googlemail.com were aliases, and had been for the better part of a decade. At least, now that it’s sorted out, I’ve added my gMail account back to my PayPal account with both domains, just to make sure this can’t happen again. I covered my bases, and did everything right. Someone else dropped the ball on account and data verification, leaving me to wonder if I’d left a hole somewhere in my defenses.

When a user’s sense of security can be violated by someone else mistyping their email address, it’s the fault of the company whose security the user has put their trust into. Sure, it’s also a limitation of email, as a technology, but a known limitation that should be worked around. Why was this person able to even interact with PayPal, adding their personal data, without verifying their email first? Because of that lapse, I had access to the personal data of a stranger: their name, their mailing address, the last four digits and brand of their credit card. Information I neither need nor want. In this paranoid age, companies—ones that handle our finances, especially—must be on top of the dangers. What happened to me, and to my mysterious UK stranger, is unacceptable.
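An added example, my own code rather than anything PayPal runs, of the two checks this post argues for: fold the gmail.com/googlemail.com alias so a new signup collides with an address already attached to an account (primary or secondary), and refuse to collect mailing address, phone or card data until the address is verified. The AccountStore class, its method names and the sample addresses are made up for illustration.

```python
# Domains that deliver to the same mailbox. The gmail/googlemail pair is
# the one from the post; other providers could be added if known.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_email(addr: str) -> str:
    """Key used for duplicate detection. Domain is folded (case-insensitive
    and alias-mapped). The local part is lowercased too: for this purpose
    over-folding is the safe direction, since a false collision just makes
    a user pick another address, while a missed one is the post's failure."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    domain = domain.lower()
    return f"{local.lower()}@{DOMAIN_ALIASES.get(domain, domain)}"


class AccountStore:
    """Toy registry (hypothetical). Every primary and secondary address is
    indexed by its canonical form, so a signup cannot reuse a mailbox that
    is already attached to someone else's account under another spelling."""

    def __init__(self):
        self._index = {}  # canonical email -> account record

    def register(self, primary: str, secondaries=()) -> dict:
        keys = [canonical_email(a) for a in (primary, *secondaries)]
        if any(k in self._index for k in keys):
            raise ValueError("address already attached to an account")
        rec = {"emails": keys, "verified": False, "profile": {}}
        for k in keys:
            self._index[k] = rec
        return rec

    def verify(self, addr: str) -> None:
        # Called only once the user has proven control of the mailbox,
        # e.g. by following a link that was sent to it.
        self._index[canonical_email(addr)]["verified"] = True

    def add_profile_data(self, addr: str, **fields) -> dict:
        """Mailing address, phone, card details and the like are refused
        until the address is verified, so a typo cannot attach a stranger's
        data to a mailbox they do not control."""
        rec = self._index[canonical_email(addr)]
        if not rec["verified"]:
            raise PermissionError("verify the email address first")
        rec["profile"].update(fields)
        return rec["profile"]
```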

An Even More Personal Computer

The piece that so many other smart watches have failed thus far is the personal aspect of such a device. It’s not just that they have failed to understand fashion or even interface design. It’s not just that they thought it being a computer on your wrist was enough. They failed to understand that such a device has to be even more of a personal computer than what has existed before. It has to have a more personal purpose and meaning to the wearer.

Patrick Rhone – “An Even More Personal Computer”

Patrick’s thoughts on the Apple Watch are interesting, too. The human element of the Apple Watch is something that sets it above the competition. I don’t know if the 1.0 is quite to where it would need to be to get mass adoption, but it’s further along than any other.

Apple Watch and the Wearable Use Case

If you’re a regular reader, my skeptical stance on wearable computing should be no surprise. Of course, those pieces were on Google Glass, of which the glow is now far, far off. Now, the excitement is in the “smartwatch” space. It’s the new hotness, and I write this on the day Apple announced their entry into the game.

Like all good Apple fanboys, I watched the announcement of the new iPhones, and new Apple Watch, and was impressed. The Apple Watch looks to be a neat piece of kit, and combines a lot of technologies in an exciting way. It also looks pretty cool, though I was hoping for a round face. Problem is, the Apple Watch is just doing the same stuff most other products are doing in the smartwatch space. It’s doing them in a flashier, more integrated, and Apple-like way, but the main features are the same as most other smartwatches. It’s a second screen for your iPhone. It’s a fitness tracker. It’s an NFC device for Apple Pay. It can run apps. Great. That’s going to be enough for some people.

How many people, though? Even ignoring the $349 starting price.

A few days ago, on September 4th, I attended a panel on wearables, run by local tech group Digital Dumbo. Despite my skeptical stance on wearables, I figured it would be worth my time to attend, even if my worst fears came true and the whole thing was just a bunch of tech douchebags singing the praises of Google Glass. I was pleasantly surprised to find the discussion, which included Robert Genovese of Kenneth Cole, Dick Talens of Fitocracy and Pavlok (more on that later), and Gareth Price of digital agency Ready Set Rocket, was plenty questioning and skeptical.

Criticisms ranged from the problem that current wearables are just “slapping smartphone technology on someone’s wrist” to the evolving social norms around wearables. The meat of the panel, however, came around use cases for wearables. They came up short. Dick Talens was critical of fitness wearables as a behavior changer, and as a co-founder of Fitocracy, he has some insight into this. Data alone does not change behavior, unless you’re the sort of auto-didactic nerd who eats up Quantified Self stuff. It’s interesting that Talens’ current endeavor, Pavlok, is a wearable that’s about changing habits… through electric shocks (and social pressure).

There are two questions that need to be answered with wearables. The first is what it means when we wear something, which was raised by Robert Genovese early in the panel. The second is what value it adds to someone’s life. When you look at the current state of wearables—including the Apple Watch—the answer to both questions is a little fuzzy. Consider Apple’s “Digital Touch” feature, which uses the Watch’s “Taptic Engine” to communicate by sending touches, or by feeling someone’s heartbeat. It’s the sort of touchy-feely—no pun intended—thing that you’d expect from Apple. In other words, Apple’s answer to the meaning of wearables is the human element, the smartwatch as an interpersonal device. It makes for a neat demo, but I don’t know how much it would be used in the real world. Maybe you have to try it to get it. As an answer to what wearables mean, it might be a success. As an answer to the value add of wearables over phones, I’m still skeptical.

It’s the value-add that we’re still going to be figuring out over the next few years. If I were a betting man, I’d be putting my money down on Apple to figure out the right value add, at least if you’re in their ecosystem, before anyone else. Back in June, I speculated on an “Adjacent Possible iWatch” that added smarts to the traditional watch form factor, in the vein of the Withings Activité. My theory was that it would execute supremely well on a small set of functions, possibly incorporating them into the body of an analog watch.

I was wrong. The Apple Watch is very much a full computer, with apps and an interface, and the whole shebang. The “Digital Crown” UI is interesting in the light of this thought from June:

[Apple] combine a lot of pre-existing technologies with a knack for aesthetics and UI that other companies miss, and they often do so in ways that seem painfully obvious in hindsight.

I wonder if the variety of built-in functions and app ecosystem are Apple hedging its bets on what will be the value add of a wearable. Much like how there are a million watches to fit everyone’s aesthetics and needs, a more general purpose device does give the owner the ability to make it theirs and use the features that suit their lives. Dismissive as I was of the “Digital Touch” feature earlier, if I had the money, I’d buy an iPhone and Apple Watch for my girlfriend so we could feel each other’s heartbeat. Haptic feedback for walking directions would be wonderful too, as would some of the fitness features. I’d probably never bother with the photos and messaging stuff, though.

A few years from now, when the prices drop, the battery life improves, and the feature set grows, we will certainly be having a different discussion. Well, I hope we will, at least. I look at the pre-Apple Watch smartwatches and see devices that are trying to overreach in what they can do from a hardware, software, usability, and utility perspective alike. The Apple Watch, much like the original iPhone, is underreaching. It’s leaving headroom that will be filled in upcoming years with hardware and software updates. The best we can hope from Android Wear and other smartwatches is catching up to their potential. Apple’s likely to get to where they want to be first, if history is any judge. And, maybe, when they get there, I’ll put my Casio F–91W out to pasture and send someone my heartbeat.

Is There Really a War On Privacy?

More and more, I’m of the mind that “Internet” problems are just old problems happening in a new way. They can be larger in scale and scope, or occur in a way that confuses people not up on the world of technology, but they’re fundamentally the same old problems. The battle over privacy is one of these problems that has bubbled up in the public consciousness over and over again.

After all, domestic spying is nothing new, and arguably reached a peak in the US (before the current one) during the height of the Cold War. As long as there have been ways to track what consumers are watching and buying, companies have been doing it. Even before Internet tracking was a thing, I came home from school at age 14 to find Gillette had mailed me a razor. I’m sure Fotomat employees would develop copies of any vaguely pornographic pictures that customers dropped off for development. None of this is new.

What’s new is that we know more about it. The same technology that lets corporations and governments get all the data they want on us, also lets us share what we’ve learned—and do it without the news media as a go-between. The question is if people care. If you live in the bubble of technology, there are two main opposing voices: the “embrace surveillance” view of Kevin Kelly and his ilk, and the lock yourself down view of privacy advocates. Though, truth be told, there’s also a spectrum of middle positions in the tech world.

But for ordinary people? Many of them aren’t even in the discussion. They don’t care what Facebook does with their data, if they get tracked by Google, or if the NSA is peeking through their phone records. Privacy for them is a matter among their social groups. If a nude pic gets sent to the wrong person, maybe to an ex-lover, that’s cause for alarm. When it comes to the systematic privacy violations they’re subjected to, I doubt many of them care.

And that’s just the way that Facebook and the NSA alike would like to keep it.

Sometimes There Isn’t An Easier Way

“There has to be a better way.”

It’s the sentence that’s inspired countless inventors, entrepreneurs, and shysters alike. The lifehack is, in its ideal form, a better way to do something that’s a pain in our lives. Better in what way? Maybe it’s faster, more reliable, more consistent, cheaper, or just plain easier than the alternative.

It’s the sort of thing that, in an era when efficiency and productivity are valued over all other things, people will latch onto. So we find those better ways, force them into our lives. We iterate our workflows, automate repetitive tasks on our devices, and buy books that promise us ways to turbocharge our professional and personal lives. We do more, and we do it faster—maybe not always better, but at least faster. And so we have more time to do… what, exactly?

Often, it seems like we’re just freeing up time to do more of what we’ve been trying to do better. Get your work done in half the time? Do twice as much work. Found a better exercise routine? Do it at lunch, and get back to your desk for more work. Or do it twice. Or both. If “efficiency” is the hammer, you’ll never run out of things that look like nails.

But not everything can be lifehacked, refactored, streamlined, and automated into efficiency. It’s a lesson I’m seeing as I try to get in better shape. No matter what promises your training regimen makes or how “efficient” it is, from the Seven Minute Workout to Couch-to-5K, you can’t make your body improve faster. At least not without dumping more time into it, and that’s exactly the sort of thing we’re trying to avoid, right?

You can take a crash course in a new skill, or join a programming boot camp. The syntax for some programming languages you can learn in an afternoon. Sure it’s fast, but it’s an easy way to get stuck as an advanced beginner, unaware of what you don’t know, overconfident in what you do.

Some things in life are going to take time. The process is doomed by its nature to be inefficient, slow, tedious, and frustrating. That’s the whole point. When you rush through it to get to the goal, overlooking the things you’re doing wrong from either ignorance or carelessness, you sell your endeavor short. Efficiency isn’t the end-all and be-all of our lives. Slow it down.