×

TMCnet
ITEXPO begins in:   New Coverage :  Asterisk  |  Fax Software  |  SIP Phones  |  Small Cells
 

Reality Check
October 2001

Robert Vahid Hashemian Call At Your Own Risk

BY ROBERT VAHID HASHEMIAN


It's summer time and the living is easy. Or so it would seem. You see, by tradition, my wife and kids are visiting her parents in Europe. While some guys are openly envious of my temporary bachelor status, I generally like to stay in touch with my family as much as possible.

Years ago, when calling Europe was an expensive activity reserved for aristocrats, my wife and I relied heavily on postal (snail) mail and we limited our conversations to just a few minutes on weekends. Then MCI and Sprint entered the long-distance market and prices began to drop. Fax machines added another tool to our arsenal. And then the Internet gave us e-mail and text chat. With overseas calling prices at historic lows I can now afford to call my family during the weekend, and we can talk as long as we want. But I wanted it all, that is, the ability to call them from anywhere at any time! Of course, I could always call from work, but our company has some silly rule regarding no lengthy overseas personal calls. So this summer I finally decided to give inexpensive calling cards a chance. Thanks to Internet telephony and the Telecommunications Act there are a bevy of calling card companies to choose from, each offering competitive per-minute prices.

Here's where things begin to get complicated. With so many choices, how does one choose? First, I screened them based on price. Since calling from U.S. to Germany was my only criteria, that made the selection simple. At least that's what I thought until I read the small print. Some had connection charges, others had no toll-free numbers to start the call, and some had other restrictions. Then I began to wonder exactly who was operating these calling card companies. Were they backed by trusted companies, or were they scams being operated out of some Third World backroom? The Web certainly makes it difficult to distinguish the legitimate deals from the scams. Being impatient and somewhat curious, I decided to throw caution to the wind and pick one that seemed to be trustworthy. I charged up my newly created account with $15 from my credit card and gave the service a try. It worked. A recording alerted me of my account balance and the number of remaining minutes. The quality was decent. I was happily surprised, and I patted myself on the back for selecting such a good company. To be sure, I checked my account online and everything also seemed in order.

Unfortunately, my confidence was short-lived. The next day none of my calls were going through. I spent my entire lunch hour engaged in the futile exercise of dialing and re-dialing. Sometimes I just got dead silence. Other times a U.S. ring tone, which no one picked up. And yet other times the call got crossed into other conversations being carried on in different languages. But worst of all, I started to notice that my remaining minutes were dwindling fast. Apparently, their system was charging my account on every attempt regardless of the connection success. Concerned, I jumped on their Web site in the hopes of finding a customer support number.

After scouring the site for a few wasted minutes it was apparent that there was no such number to be found. Now I was beginning to get angry -- not only at them for not having a customer support number, but also at myself for not having realized this before signing up with the company. At least they had a customer support form on their Web site. So I typed up a letter explaining the situation and clicked on the "Send" button: DATABASE ERROR! The feeling swept over me then: I'd been had, and there was nothing I could do about it. It was time for me to lick my wounds and slink away with my tail between my legs.

But then it hit me -- "I am a database programmer and I can dig into this issue. Maybe I can figure out what's going on with the form." Using a simple known security hole, I had the page's server-side source code on my screen in seconds. Database table names, connection parameters, passwords, and other information were right there in front of me. With a bit of effort I could now circumvent their system and list their entire database, credit card numbers and all. Of course, having been a target of a... umm... "circumvention" in the past, I knew not to cross the line. But this was a clear case of a company implementing no security steps to safeguard vital customer data -- including my own! This was proof that no patches had been installed, no maintenance was being done, and perhaps no audits were active. My best guess is that the company hired a consultant to design and program the Web pages and never went back to them again, leaving their servers open.

So I found out what was causing the database error, and I successfully sent them the e-mail. Surprisingly, I received an e-mail back stating that they will reimburse my account for the unused minutes. As of my last statement it seems that they have indeed credited my account. While I am not considering my experience with this company a disaster (and I still use their service), I have come to believe that some sort of a uniform law requiring a minimum amount of customer service and privacy protection should be required from these small phone companies. Some may view such laws as a retardant to industry growth but I wonder how much this industry can grow if customer service is not elevated to an acceptable level. I have yet to alert this company of their security flaw.

In the meantime, I keep checking my credit card transaction statements expecting the first unauthorized charge any day now.

Robert Vahid Hashemian provides us with a healthy dose of reality every other month in his Reality Check column. Robert is vice president of Web Development and Director for TMCnet.com -- your online resource for CTI, Internet telephony, and call center solutions. 

[ Return To The October 2001 Table Of Contents ]



Today @ TMC
Upcoming Events
ITEXPO West 2012
October 2- 5, 2012
The Austin Convention Center
Austin, Texas
MSPWorld
The World's Premier Managed Services and Cloud Computing Event
Click for Dates and Locations
Mobility Tech Conference & Expo
October 3- 5, 2012
The Austin Convention Center
Austin, Texas
Cloud Communications Summit
October 3- 5, 2012
The Austin Convention Center
Austin, Texas