It's summer time and the living is easy. Or so it would seem. You see, by tradition, my wife and kids are visiting her parents in Europe. While some guys are openly envious of my temporary bachelor status, I generally like to stay in touch with my family as much as possible.
Years ago, when calling Europe was an expensive activity reserved for aristocrats, my wife and I relied heavily on postal (snail) mail and we limited our conversations to just a few minutes on weekends. Then MCI and Sprint entered the long-distance market and prices began to drop. Fax machines added another tool to our arsenal. And then the Internet gave us e-mail and text chat. With overseas calling prices at historic lows I can now afford to call my family during the weekend, and we can talk as long as we want. But I wanted it all, that is, the ability to call them from anywhere at any time! Of course, I could always call from work, but our company has some silly rule regarding no lengthy overseas personal calls. So this summer I finally decided to give inexpensive calling cards a chance. Thanks to Internet telephony and the Telecommunications Act there is a bevy of calling card companies to choose from, each offering competitive per-minute prices.
Here's where things begin to get complicated. With so many choices, how does one choose? First, I screened them based on price. Since calling from the U.S. to Germany was my only criterion, that made the selection simple. At least that's what I thought until I read the small print. Some had connection charges, others had no toll-free numbers to start the call, and some had other restrictions. Then I began to wonder exactly who was operating these calling card companies. Were they backed by trusted companies, or were they scams being operated out of some Third World backroom? The Web certainly makes it difficult to distinguish the legitimate deals from the scams. Being impatient and somewhat curious, I decided to throw caution to the wind and pick one that seemed to be trustworthy. I charged up my newly created account with $15 from my credit card and gave the service a try. It worked. A recording alerted me to my account balance and the number of remaining minutes. The quality was decent. I was happily surprised, and I patted myself on the back for selecting such a good company. To be sure, I checked my account online and everything also seemed in order.
Unfortunately, my confidence was short-lived. The next day none of my calls were going through. I spent my entire lunch hour engaged in the futile exercise of dialing and re-dialing. Sometimes I just got dead silence. Other times a U.S. ring tone, which no one picked up. And yet other times the call got crossed into other conversations being carried on in different languages. But worst of all, I started to notice that my remaining minutes were dwindling fast. Apparently, their system was charging my account on every attempt regardless of the connection success. Concerned, I jumped on their Web site in the hopes of finding a customer support number.
After scouring the site for a few wasted minutes it was apparent that there was no such number to be found. Now I was beginning to get angry -- not only at them for not having a customer support number, but also at myself for not having realized this before signing up with the company. At least they had a customer support form on their Web site. So I typed up a letter explaining the situation and clicked on the "Send" button: DATABASE ERROR! The feeling swept over me then: I'd been had, and there was nothing I could do about it. It was time for me to lick my wounds and slink away with my tail between my legs.
But then it hit me -- "I am a database programmer and I can dig into this issue. Maybe I can figure out what's going on with the form." Using a simple known security hole, I had the page's server-side source code on my screen in seconds. Database table names, connection parameters, passwords, and other information were right there in front of me. With a bit of effort I could now circumvent their system and list their entire database, credit card numbers and all. Of course, having been a target of a... umm... "circumvention" in the past, I knew not to cross the line. But this was a clear case of a company implementing no security steps to safeguard vital customer data -- including my own! This was proof that no patches had been installed, no maintenance was being done, and perhaps no audits were active. My best guess is that the company hired a consultant to design and program the Web pages and never went back to them again, leaving their servers open.
So I found out what was causing the database error, and I successfully sent them the e-mail. Surprisingly, I received an e-mail back stating that they would reimburse my account for the unused minutes. As of my last statement it seems that they have indeed credited my account. While I am not considering my experience with this company a disaster (and I still use their service), I have come to believe that some sort of uniform law requiring a minimum amount of customer service and privacy protection should be imposed on these small phone companies. Some may view such laws as a retardant to industry growth, but I wonder how much this industry can grow if customer service is not elevated to an acceptable level. I have yet to alert this company of their security flaw.
In the meantime, I keep checking my credit card transaction statements expecting the first unauthorized charge any day now.
Robert Vahid Hashemian provides us with a healthy dose of reality every other month in his Reality Check column. Robert is vice president of Web Development and Director for TMCnet.com -- your online resource for CTI, Internet telephony, and call center solutions.
Published in the October 2001 issue.