Silicon Shecky

Infosec Practitioner

Connect

Oh Verizon, You are screwing up

By Leave a Comment

Extra charges for single online pay, 4G outages, the FTC starting to look at their business practices. Verizon, what have you done?

I was going to give a review of the Motorola Droid Razor today, but decided to push that off. See the Razor is available only through Verizon, and I noticed yet the start of another outage of 4G services this morning. Verizon has said these outages are growing pains, and were the 4G network brand new, I would accept that, but it is not. Verizon has had their 4G network up for just over a year, and should know how to handle growth. They were the ones who didn’t have the issues AT&T had with the explosion of smartphones. Of course that was CDMA vs. GSM. Now its LTE vs. LTE, and AT&T might have the advantage.

See both are using the LTE network, which requires the use of a SIM card. AT&T, whose network is still known for poor quality, and lots of drops, at least has a head start in dealing with the issues of a network that requires the SIM cards. I wish I had proof, but it seems that the SIM cards, or at least networks that require them, are not as stable here in the States as a network like CDMA which has no SIM card. (At the time of writing this, the 4G network just came back up after being inaccessible for an hour). It would be interesting to hear from someone on the differences between the two networks and why the ones that need SIM cards seem to be more unreliable.

Now this is on the heels of the FTC announcing it was probing Verizon over the $2 convenience fee it was going to charge and then pulled back on. Verizon’s statement is that even paying online has its costs. And they are right, there is equipment and software costs, maintenance on the systems, and hardening the equipment against hackers and other forms of data breaches. Still the costs are the same, whether for an automated system or if people pay individually. That is, unless they have to use 2 separate systems, or the company that is processing the payments is charging them an extra fee. Either way, there are other options to reduce the cost. If you think about it from a security standpoint though, the single payment, which I use, is a safer bet, not just from people knowing they have the money in their account, but from a security breach standpoint.

Just think about it. If you sign up for Automated payments, Verizon and the third party who processes the payments, both have your bank account or credit card information saved on servers. These servers are supposed to be PCI compliant. Even if they are, PCI compliance is a joke. Think of the banks (all of which have to follow at least PCI compliance) or stores (Which have to be PCI compliant) or anything that does online transactions, and how many breaches we hear of. Now think about how many breaches we don’t hear of, at least not immediately. Now look at single payment options, where you can choose not to save the payment info on their servers. Yes there are still problems that can arise from man in the middle attacks, spoofed SSL certificates, etc.. but once you make that payment, the info is not supposed to be stored anywhere. That means if Verizon, or their third party payment processor, has a security breach, your payment information should not be compromised. In reality it might just me being paranoid, but from a logic standpoint it does seem safer.

Now, Verizon did withdraw the $2 fee idea pretty quick, but expect to see it show back up again and again. The bigger thing Verizon has to worry about right now is the amount of bad press they are receiving. They need to remember that pissing one customer off means that customer is going to tell their friends and family, and eventually it can and will take a toll on business.

Androids Biggest Weakness

By Leave a Comment

I have an Android phone, and I enjoy it. I don’t care for the iPhone. That being said, Apple has one huge advantage over Android.

The Android Smartphones are popular. The work well (for the most part), and are reliable (again for the most part). The open development community for apps has produced some great free applications, that you would have to pay for on iOS. There is a drawback to Android though, and it is something that by all rights should be more of a strength.

When you look into the world and history of Operating Systems, you see a bloody trail over security. Which OS is more secure, which one addresses security problems the fastest, etc. The Open Source community has always claimed that because more people can look at the code, patches can come out faster, and in the Desktop arena this definitely seems to be true. In the world of Smart Phones though, this “advantage” is lost.

The problem is not directly Android or Google, or the Open Source community. The problem is in Manufacturers, and even more so on the carriers. There is a process for patches and updates. Google writes an update, tests, sends to the manufacturer who tests, approves and then sends to the carrier. Android is so customizable, and on so many different manufacturer’s phones that this process has to happen for each model, each customized OS, and each carrier.

Now we are getting into a situation with this long protracted system of updates. Holes being found in the systems are there for months, possibly years before a patch gets pushed out. In this age of phone upgrades every 18 months, of more mobile applications for smart phones, more people banking and shopping off smart phones, and the upcoming Near Field Communications, updates for security need to happen a lot faster. The risk of more and more identity theft is growing, and the slowness of the pipeline is maddening.

Now add on that every manufacturer has been customizing the Android OS to try and differentiate itself from the others. How many more security issues can this raise. How many of the mods are creating security holes (we won’t go into other issues these mods cause)?

Yes, Apple has to go through the same sort of pipeline, but Apple has only piece of hardware (with different chips for GSM or CDMA) and just the carriers to deal with. Its a much shorter pipeline, and Apple can cut a carrier off from future iPhone releases if it wants to. Android needs to come up with something similar soon, especially with all the malware that has been coming out for the platform already.