It's summer time and the living is easy. Or so it would seem. You see, by
tradition, my wife and kids are visiting her parents in Europe. While some
guys are openly envious of my temporary bachelor status, I generally like to
stay in touch with my family as much as possible.
Years ago, when calling Europe was an expensive activity reserved for
aristocrats, my wife and I relied heavily on postal (snail) mail and we
limited our conversations to just a few minutes on weekends. Then MCI and
Sprint entered the long-distance market and prices began to drop. Fax
machines added another tool to our arsenal. And then the Internet gave us
e-mail and text chat. With overseas calling prices at historic lows I can
now afford to call my family during the weekend, and we can talk as long as
we want. But I wanted it all, that is, the ability to call them from
anywhere at any time! Of course, I could always call from work, but our
company has some silly rule regarding no lengthy overseas personal calls. So
this summer I finally decided to give inexpensive calling cards a chance.
Thanks to Internet telephony and the Telecommunications Act there are a bevy
of calling card companies to choose from, each offering competitive
per-minute prices.
Here's where things begin to get complicated. With so many choices, how
does one choose? First, I screened them based on price. Since calling from
U.S. to Germany was my only criterion, that made the selection simple. At
least that's what I thought until I read the small print. Some had
connection charges, others had no toll-free numbers to start the call, and
some had other restrictions. Then I began to wonder exactly who was
operating these calling card companies. Were they backed by trusted
companies, or were they scams being operated out of some Third World
backroom? The Web certainly makes it difficult to distinguish the legitimate
deals from the scams. Being impatient and somewhat curious, I decided to
throw caution to the wind and pick one that seemed to be trustworthy. I
charged up my newly created account with $15 from my credit card and gave
the service a try. It worked. A recording alerted me of my account balance
and the number of remaining minutes. The quality was decent. I was happily
surprised, and I patted myself on the back for selecting such a good
company. To be sure, I checked my account online and everything also seemed
in order.
Unfortunately, my confidence was short-lived. The next day none of my
calls were going through. I spent my entire lunch hour engaged in the futile
exercise of dialing and re-dialing. Sometimes I just got dead silence. Other
times a U.S. ring tone, which no one picked up. And yet other times the call
got crossed into other conversations being carried on in different
languages. But worst of all, I started to notice that my remaining minutes
were dwindling fast. Apparently, their system was charging my account on
every attempt regardless of the connection success. Concerned, I jumped on
their Web site in the hopes of finding a customer support number.
After scouring the site for a few wasted minutes it was apparent that
there was no such number to be found. Now I was beginning to get angry --
not only at them for not having a customer support number, but also at
myself for not having realized this before signing up with the company. At
least they had a customer support form on their Web site. So I typed up a
letter explaining the situation and clicked on the "Send" button:
DATABASE ERROR! The feeling swept over me then: I'd been had, and there was
nothing I could do about it. It was time for me to lick my wounds and slink
away with my tail between my legs.
But then it hit me -- "I am a database programmer and I can dig into
this issue. Maybe I can figure out what's going on with the form."
Using a simple known security hole, I had the page's server-side source code
on my screen in seconds. Database table names, connection parameters,
passwords, and other information were right there in front of me. With a bit
of effort I could now circumvent their system and list their entire
database, credit card numbers and all. Of course, having been a target of
a... umm... "circumvention" in the past, I knew not to cross the line. But
this was a clear case of a
company implementing no security steps to safeguard vital customer data --
including my own! This was proof that no patches had been installed, no
maintenance was being done, and perhaps no audits were active. My best guess
is that the company hired a consultant to design and program the Web pages
and never went back to them again, leaving their servers open.
So I found out what was causing the database error, and I successfully
sent them the e-mail. Surprisingly, I received an e-mail back stating that
they will reimburse my account for the unused minutes. As of my last
statement it seems that they have indeed credited my account. While I am not
considering my experience with this company a disaster (and I still use
their service), I have come to believe that some sort of a uniform law
requiring a minimum amount of customer service and privacy protection should
be required from these small phone companies. Some may view such laws as a
retardant to industry growth but I wonder how much this industry can grow if
customer service is not elevated to an acceptable level. I have yet to alert
this company of their security flaw.
In the meantime, I keep checking my credit card transaction statements
expecting the first unauthorized charge any day now.
Robert Vahid Hashemian
provides us with a healthy dose of reality every other month in his Reality
Check column. Robert is vice president of Web Development and Director for TMCnet.com
-- your online resource for CTI, Internet telephony, and call center
solutions.