My mind is blown. Reflecting on a lifetime of getting declined filling web forms in with a wrong CC number, billing address, expiration or CCV, I...don’t think I’ve ever misspelled my name.
Fun fact (from 2012): some credit cards had more than one CCV. You could find out by simply trying all 1000 combinations on some web shops. Back then, I did security consulting and we knew a shop or two where it was possible to enumerate the CCVs without submitting an order and without being blocked.
Not sure if this is still valid nowadays, but it blew my mind as well.
As a Swede, with both my CC and direct debit I'm transferred to the Swedish "Bank ID" service to do MFA with my phone using a 6+ digit code before any online purchase goes through. Kinda privacy invasive, but it's also impossible to steal money from me without these things: my card, my cvv, my phone, my phone unlock code, my bank ID code.
Absolute quantifiers shouldn't be used in the context of cybersecurity. Yes, it's more difficult and would most likely require a SIM swap. But there are some gullible people who willfully gave their one-time code to attackers identifying as their bank after some initial groundwork had been done (calling them previously from a number identifying as their bank and warning of a fraud, the victim verifying the number is correct, the attacker calling again and redirecting them to a form requiring a validation with the code).
> impossible to steal money from me without these things
First of all, "stripe" pushes information to the BankID app asking for confirmation, there's no code to input to the site, the verification happens on my phone where I'm asked if I wanna authenticate X or Y to happen (logging in, or transferring money)
But yes, they actually saw an attack vector where people could be fake challenged at the same time they're logging in themselves if someone knows they're about to log in.
This was solved by putting a QR code on the Bank website (and others that have implemented this so far) to be scanned by the BankID app. So now to steal money you would have to pwn the HTTPS between the bank and "me" or pwn my browser, or pwn my entire machine.
Also if you get 2 BankID challenges at the same time they cancel both of them.
Anyways, point is that without my phone and my own personal code being entered after a challenge where I see who's challenging me it's impossible to get money out of my account. It's designed to be REALLY hard to be tricked into authenticating someone else.
This system doesn't care about SIM swaps because it doesn't use the carrier network for anything other than encrypted communications with the BankID service.
I don't think there's a more secure system deployed on this wide of a scale anywhere and I'm quite happy with it. It's a PITA if you lose your phone though since there's no fallback method other than getting a new smartphone.
Nitpicking on words seems a bit below the standard of discussion I want to have though, and it seems like you thought it was just SMS verification. We're not cavemen across the pond, we're people just like you.
A nice benefit of this system is that when I call my bank I'll input my social security number in the system and it'll challenge me with a BankID challenge meaning the bank person knows they're talking to me. It's useful for a lot of things and at the same time VERY privacy invasive. Also doesn't work without a connection on your phone, but we're quite connected here so it's usually fine.
CC purchases in person are not authenticated with this system, we rely on the NFC thingy or chip. Magstripe isn't used anywhere here anymore. The bank covers all fraudulent NFC charges without PIN entry (which is why they're limited to $40).
If you're curious for more information about BankID they have a site: https://www.bankid.com/en/ I think it's owned as a collab between "all" Swedish banks.
We also have electronic mail via a system called "Kivra" that the government will send mail through to me so that I don't have to rely on someone not dropping my mail. Also privacy invasive of course, but quite convenient.
> If you're curious for more information about BankID they have a site: https://www.bankid.com/en/ I think it's owned as a collab between "all" Swedish banks.
I'm not sure if it's the same technology as in Norwegian banks:
It turns out they are not the same thing[0], they just share the same name. The one you use in Sweden is different from the one in Norway that was cracked already in 2008 (and fixed somehow since then). I'm sure the one in Sweden will show its weaknesses sooner or later, all these systems do.
Actually, it looks like some scammers have already exploited it using a variant of the method I've already described above[1].
Since then banks (at least my bank) have changed so that the bank presents a QR code which I scan with the BankID app, meaning there's no "prewriting my social security number for a challenge".
Also, even if I authenticate someone to my bank account they're unable to transfer money out of my own accounts without me approving a transaction, where the BankID app will show me the amount and the destination for the money.
So this issue is mostly solved as we move towards the QR code thing and people stop giving their money away. It's impossible to fix layer 8, if someone "willfully" gives their money away it's their fault when the UX is as good at preventing this as it actually is.
Someone could be tricked into giving their money away in person or by other means, look at Theranos, Nikola (I would argue anything Elon Musk touches too) and the likes. They're also scammers. I didn't invest in Theranos or Nikola because I called bullshit directly, same same but different.
My colleague tried to get me in on "Onecoin", he walked away with a loss and I didn't because I called the bluff straight away.
What I'm trying to say is, the system isn't insecure at all. There are many failsafes people have to ignore to get scammed.
This was a really frustrating experience moving into a new townhouse as the first-ever occupant. It took nearly three years for the city's property records to be correct and propagate everywhere. We couldn't even pay our property taxes at first, and the US Postal Service would not process my move request, insisting my address did not exist, in spite of me being physically in the house.
Many do validate the address or at least postal code, however, although American Express doesn’t appear to in my experience. I assume it also depends on the issuer for Visa/Mastercard considering many have their own two-factor verification portal.
Note - AMEX does verify cardholder name. In my original comment I am referring only to VISA/MC. They do not verify cardholder name. They do, however, verify other things related to address, etc.
Even for Visa/Mastercard, this seems to depend on the issuer to some extent. Issuing banks often handle two-factor fraud portals (Verified by Visa, etc.) differently, and these portals are increasingly common especially in much of Europe and other regions. As you noted, American Express typically seems to depend on the name but not the address.
When I requested this back in August, it took 5 days to get the results.
You get a long list of links that each triggers a download. It's a bit annoying to bulk download by clicking each link one by one, so I made a Browserflow flow that clicks all the links and downloads everything automatically: https://browserflow.app/shared/61e979ed-47f4-4c94-b5a5-3ade0...
I know I'm not supposed to comment when it doesn't add to the conversation, buuuut, your reply made me literally laugh out loud. Thank you for this! I often forget being ~40 means I'm no longer ~20 and that there are people who are actually ~20 out on the internet...
Hey while we're here in this closet shhhh posting non-additive replies... I have a website that's still up from 1996. Older than so many Kids These Days. :P
It was requesting my personal information from Amazon that made me decide to dump all my Alexa smart devices.
We had bought one for my in-laws and the Echo had picked up entire conversations between them even though the wake word had not been said. They were categorised under "Not intended for Alexa". My father in-law is at the end of his life, and I really hated the fact that deeply private and incredibly poignant conversations would probably be listened to by a human somewhere to better calibrate the device.
Wow, that's bad. It seems obvious that something like Alexa would transmit some amount of data not intended for it and that would be listened to by someone for training purposes. And probably enough data that someone remotely privacy conscious would not voluntarily install some 24/7 listening device into their inner sanctum.
But what on earth would possess Alexa to record entire conversations without either piping up ("sorry, I did not understand this request") or figuring out after a few seconds that this was probably a false alarm and turning itself off? How would this be remotely excusable?
How long was the longest recording not really intended for Alexa?
I've switched off all voice-activated devices in my home.
I'm not sure how long the longest recording was...I'll go back over the data to have a look, but the one that really broke my heart was about 20 seconds during which my mother in-law was upset because my father in-law was not waking up.
I'm sorry that you went through this. I think even a really short recording (under 20s), of a distraught, close person at some critical junction would feel very unsettling to me especially with the knowledge that it shouldn't really exist, I shouldn't be able to listen to it, and it probably was listened to by some complete strangers as well as part of some routine megacorp work.
"We’ve received and are processing your request to access your personal data.
We will provide your information to you as soon as we can.
Usually, this should not take more than a *month*.
In exceptional cases, for example if a request is more complex or if we are processing a high volume of requests, it might take longer, but if so we will notify you that there will be a delay."
I built a system just like this at another company whose products or services you likely use often or everyday.
This pessimistic view assumes the worst about people like me who build these kinds of systems, as if we’re evil or corrupt or somehow doing this to take something from you.
In reality, data is stored in disparate systems, under the custodianship of different organizations. Once you can find everything and account for it, you need to query every single system - many systems which aren’t built for this kind of “on demand” workload. Then you need to parse the data, turn it into some kind of useful values, especially if the internal representation contains flags, enums, or other magic or pseudo values that wouldn’t be meaningful to anyone but the logic or programmer who wrote it. Systems go down. Things break. Pipelines get clogged. It’s one thing to build a god system that can decrypt, read, and perform ETL on every application, table, db, or whatever storage used anywhere in your entire company. It’s exponentially harder to solve this problem when it’s all legacy integrations with shit that’s duct taped together and will easily tip over.
Now you have to do this at scale - except these systems have millions of lines of code and can’t just be rewritten into a solution that can handle hundreds or thousands or even tens of thousands of queries per second… not without a Herculean effort not even accounting for all the tribal knowledge that’s been lost on how the system is expected to work.
If 30 days is too long for you, essentially you’re wanting these companies to spend potentially hundreds of millions of dollars to rearchitect a significant chunk of their systems that were built prior to all these privacy laws coming online.
Honestly, the legal landscape changes often. Some of the law is open to interpretation. My own experience working in this area requires working closely with a team of lawyers. Honestly, even the Staff Engineers in my larger org getting paid $700k a year would have preferred any other project but this.
I imagine there's also some manual steps going on.
Making sure it's not an account compromise (also just waiting to give the actual owner a chance to notice), checking with compliance, manually getting all the data that's not been automated yet, getting data out of cold storage, checking over the final data set, etc. Many of which would be sequential.
Stories like this are what keep me using strong passwords (in Keepass) instead of MFA. I'd love to hear more details as I'm finding more and more services push the MFA aspect, and I don't use a smartphone. Thanks.
Most password managers can also store TOTP tokens. A few services support registering redundant Yubikeys. Failing that, they usually give you a recovery code with which you can restore access to an account you're locked out of.
> We’ve received and are processing your request to access your personal data.
We will provide your information to you as soon as we can. Usually, this should not take more than a month. In exceptional cases, for example if a request is more complex or if we are processing a high volume of requests, it might take longer, but if so we will notify you that there will be a delay.
I wonder what the formats are.
Also, is there a team of poor souls navigating internal bureaucracy to manually fulfill these requests? Is it a black hole?
A nice policy would be to decree "Every [property] in Amazon must provide an internally registered [endpoint] that speaks [protocol] serving requests consistent with [schema]. Request volume will be limited to at most [limit]." Require it for new stuff, and add it to the backlog for existing stuff.
Ah, but it wouldn't increase revenue, and everything is existing stuff. Still, I like the idea.
I requested my Amazon data a year ago or so and it was a few different Excel files. One file for orders, one for digital orders, one for returns, etc. They included everything back to my first order in ‘99. Took a few days to process, but certainly less than a week.
I think there are two sides to a service like that: on the one hand it provides more transparency to the individual customer (good), on the other hand, any external or internal malicious actor now has a very convenient tool to gain access to lot of very personal information about a single individual (bad). It was probably not even possible without a tool like that, not even for jeff bezos.
I clicked on the link in the confirmation email and just got a big "Sorry, we couldn't find that page" with a picture of a dog and the caption "dogs of Amazon".
I feel like this.
https://www.youtube.com/watch?v=RfiQYRn7fBg
Yes, but "having a human in the system" isn't answering the original question: what does Amazon benefit from introducing excess cost into this equation? Surely there should be nothing clandestine in your own usage data, search queries etc.
> Yes, but "having a human in the system" isn't answering the original question
It does. There is a human manually running queries to copy your data into an Excel spreadsheet (or equivalent) then passing that onto the next part in the chain. This is done quite a few times and stalls the process.
> what does Amazon benefit from introducing excess cost into this equation?
It's cheaper to have the already existing employees do this. They haven't hired a new team to do this.
> Surely there should be nothing clandestine in your own usage data, search queries etc.
I suspect there's more than your own personal data mixed into these systems. Your personal data is mixed in with Amazon's company confidential data so they need to separate these out before sending you only what's required by law.
Thanks. I still find it surprising a company of Amazon's stature wouldn't have figured out how to fully automate something relatively trivial like this.
> What benefit does Amazon get out of delaying giving out this information?
The same as the German police gets: the opportunity of checking if they actually are allowed to store the data they have on you.
There are next to no audits on the big data warehouses... not of cops, not of corporations, not of enterprises that are a mixture between cops and corporations (cough Palantir), which means they will scoop up all data they can get their hands on, and keep it as they like (Europol is currently under fire for that one [1]). And only when people actually inquire on the data that the cops, Amazon or whatever else have on them, then they look if they are actually allowed to keep the data - if not, it gets quietly deleted. But as it's only a tiny fraction of the population that exercises their GDPR rights, the big data warehouses get away with keeping 99.999% of stuff they should not legally be allowed to keep.
As for Amazon: they, for example, still have my orders from 2011 on their system, despite the legal mandate to keep these around being only for ten years [2].
There should be a legal requirement for all corporations and government agencies to send out a "data dump" to every citizen every year. People have absolutely no idea what troves of data exist about them.
I don't see anything interesting to choose from in the likes of Amazon knows me better than I know myself — Basically it's just a dump of your profile setup.
Please notice, at all companies (I don't know about AWS) that I have worked for each GDPR request eats up a few man-days of work internally.
Some companies getting hit a lot by GDPR have likely automated it, but even a big company (that I know of) with 100k+ private customers (that all have the right) only receives a few requests a quarter, usually by angry customers..
This AWS thingy might not be GDPR, but it might have the same impact on internal resources..
Just because it is free and your right, please consider if you want to be a resource hog..
Yes, and? What about all of the data that is kept not owing to legal/regulatory requirements? That's the key issue here, not some trite truism about regulatory record-keeping requirements.
All data they process are required by law, but they have to collate a dozen systems manually and the legal department has to go through everything and block out data the customer is not allowed to see (also by law)...
Not all companies are evil and the GDPR has really made a significant change all the places I know of.
> Just because it is free and your right, please consider if you want to be a resource hog..
Oh poor Amazon and Bezos... They must be struggling on the resources. Please think twice about exercising your legal right, as it might affect the profit margins of a monopolistic megacorp.
That argument proves too much [0]. If you accept that reasoning, it's impossible to truly tax or fine Jeff Bezos, he's only going to make his customers pay more, so we should give him a 0% tax rate, shouldn't we?
(I actually sort of like the occasionally-suggested idea of abolishing all taxations on legal entity and collecting taxations only on individual profits, i.e. don't tax Amazon Inc., only tax its shareholders' dividends and capital gains. But that would be a radical restructuring of the economy and very far from what we're talking about.)
Please don’t feel guilty asking what information a company like Amazon knows about you. They have the engineering, human and computing resources to make this as scalable as it needs to be. If anything you’ll be creating more jobs for people who need it. I say this as a stock holder and someone who believes this information should be available.
[edit: very small amount of stock but relevant I suppose]
Seriously??? Amazon has huge AI's making strategic business decisions based on agglomerating all this data, sifting it, grouping it, heat mapping it, chewing it up and processing it a 1000 which ways. All AUTOMATED. And you are suggesting accessing the raw data for a single person and zipping it up and sending it in one email might cost them business days?
I would encourage people to do so for the exact reason. Personal data should be managed in a way that such requests can be processed. It is OK if it hurts a bit. It is the idea of the GDPR that companies establish scalable processes that allow things like requests, migration and deletion. The only thing you need to do is to verify that to the best of your knowledge it is complete. What should not happen is that companies process those requests partially to save time.
Do you also check your grocery stores preparedness for fire for the same reason? Or your local banks preparedness for robbery? Hopefully not.
In business all decisions are made based on a risk tradeoff. Like people it never has enough money to do everything it wants.
Not all companies are started 12 months ago and hence cannot (by definition) do this right "from the beginning".
Also some businesses have a requirement (bound by law) and a wish (bound by corporate secrets) of not disclosing too much information. That cannot be easily automated.
Also, all the costs of that just goes to the other customers, so thank you.
Btw. I am not pro facebook(meta)/amazon/spamhosts/ai-driven web3.0 sell-your-customers-data... etc.. I talk about regular, honest businesses that two decades ago had no web presence but have it now and for some reason or another need to handle your data..
If all data can't be handed over to the users, why are they relying on fallible humans to do the filtering? They should be itching to automate it, and have had half a decade to accomplish it by now.
Note that "bound by corporate secrets" is not a legit reason to not hand over your data. There are legit reasons for not handing data over, but just the interests of the company are not it. It sounds like you've been working with bad actors who are not only refusing to invest in regulatory compliance, but are wilfully using bad processes to mask their non-compliance. Why are you making excuses for them?
"That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software."
Btw. I am not a lawyer, but I have worked with this stuff for half a decade..
This specific customer spends around two days of worktime (including legal) on every request.
They are unfortunately for them bound by a lot of regulation (and governmental oversight) that normal companies are not and they take the GDPR extremely seriously.
My relationship with my neighbourhood grocer is vastly different from the one I have with Jeffrey Preston Bezos and the unfathomably wealthy AMZN shareholders.
I would never burden a small family-owned shop by ordering five things that I may or may not need for the weekend, then leaving four of them un-picked up to get a free refund when it rains. It would be a dick move.
But to Amazon (or Ikea, or Mediamarkt, or what have you), I will gladly do that without batting an eye. They're an unfeeling legal entity that thrives by exploiting every letter and loophole of the rules. It is absolutely fair to treat them the same way in return.
If this is true, knowing this makes it your moral imperative to do so. It will exert some pressure on them to streamline the process, or pressure them to store less data as it becomes a liability instead of an asset.
"Many and sharp the numerous ills
Inwoven with our frame;
More pointed still, we make ourselves
Regret, remorse and shame;
And man, whose heaven-erected face
The smiles of love adorn,
Man's inhumanity to man,
Makes countless thousands mourn."
Amazon has a pseudonym with a dedicated Twilio number that delivers to a private postal box.
I burn the pseudonym every few years. Which reminds me ...
This is simple because VISA/MC do not validate cardholder name. Everyone thinks they do and most merchants believe that they do but ... they do not.
You can use your card with "Mickey Mouse" and it will work just fine.