
Saturday, April 02, 2011

Quis custodiet ipsos custodes?

Defensoría del Consumidor is the institution that protects consumer rights in commercial transactions. One can file a complaint by telephone or through an online form. The latter requires prior registration. It's free! However, it is neither easy nor secure.

As you can see, the online form is composed of several sections. Each one is reachable at any time while filling in the form. Some validations are enforced when trying to navigate away from certain pages.

While it's pretty obvious that an ASP.NET session is being handled (hint: a Sesame Street character craves these ;-) ), the design of this navigation is flawed: parameters are passed in the clear through plain HTML. I actually typed "meinpassword" as my chosen password in two password-type text fields.

As a user, this poses a risk if you're on a public computer or network. Your password travels over the network via HTTP (no "S" here, sorry), and it is saved in the browser's history. The user is never warned of this risk. So, who could prevent identity theft? Is there a public institution that audits these services?
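The check I would run against a registration page like the one described above, as an added example that is not part of the original post: parse the page's forms and flag any password field that is submitted with GET (so it lands in the URL, server logs and browser history) or to a non-HTTPS action (so it crosses the network in clear text). The sample markup and host are constructed, not the real site.

```python
# Added example, not code from the original post: audit HTML forms for password
# fields submitted with GET or over plain HTTP, the flaw described above.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAuditor(HTMLParser):
    """Collects each <form> with its method, resolved action and password inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": urljoin(self.page_url, a.get("action") or ""),
                             "passwords": []}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["passwords"].append(a.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def audit_forms(html, page_url):
    """Return one finding per risk; an empty list means no password exposure found."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for f in parser.forms:
        if not f["passwords"]:
            continue
        scheme = urlsplit(f["action"]).scheme
        if f["method"] == "get":   # value lands in the URL, server logs and history
            findings.append(f"GET submits password field(s) {f['passwords']} to {f['action']}")
        if scheme != "https":      # value crosses the network in clear text
            findings.append(f"{scheme} (no TLS) carries password field(s) {f['passwords']}")
    return findings

# Constructed sample (hypothetical host) mirroring the registration form described.
SAMPLE_HTML = """<form method="get" action="/registro.aspx">
<input type="text" name="usuario"><input type="password" name="clave">
<input type="password" name="clave2"></form>
<form method="post" action="https://example.invalid/login"><input type="password" name="pwd"></form>"""
```

Running `audit_forms(SAMPLE_HTML, "http://example.invalid/registro.aspx")` reports two findings for the first form and none for the second, which posts over HTTPS.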

We need protection from the protectors.

Wednesday, February 04, 2009

Data Leakage from Voting Sites

OK, so I finally got some minutes to publish this "finding".

Some of you may know that on January 18th, 2009, El Salvador held elections for mayors in all districts and for parliament representatives. Aside from other questionable aspects of the operation (personal IDs not being exhaustively checked for falsification, among others), one thing caught my attention: how easy it was to "steal" citizen information from the boards near the voting booths, where one was supposed to look up one's ID and photo.

I actually took some pictures of some boards with my cell phone. I was expecting to be asked to hand them over, but this was not the case. I just walked away. Here are a couple of photos (the phone camera is only 2.0 MP and has no image stabilization, so there was no need to defocus or alter them to make the data illegible).

Government entities that handle this kind of information should be more cautious with it. Information security does not necessarily refer to IT controls and countermeasures; it really means information governance, treating information as the valuable asset it is. Extortion and identity theft are common in some cities in the country, so it makes perfect sense to protect pictures and IDs.

Sunday, June 29, 2008

Service Level Agreements for the Final User

We recently hired broadband Internet service from Turbonett. Like most companies here, they hand out a contract that is more liability-oriented, and they impose a term of a year or more, with excessive penalties for the customer who terminates the contract before the specified period. There is a huge flaw in the whole business, nevertheless: there are no service level agreements (SLAs).

SLAs for an ISP would include guaranteed uptime, penalties for downtime exceeding the guaranteed limits, technical support levels such as response and resolution times, information privacy, penalties for service misuse, etc. It is common sense to include even a contract invalidation clause in such a document. As with most companies here in El Salvador, this is not the case.

The Turbonett ADSL broadband Internet service contract includes a statement implying that the contract could be terminated if "low quality" has been observed in service delivery. This would be fine if it weren't so general. In the end (according to the sales representative who handed us the contract), the company would analyze any complaint the customer has regarding the service and, if it so desired, would terminate the contract. With such a poor definition of "quality", it makes no sense that the service provider's liabilities are left to its own sole discretion. Service could be poor, but the company would simply not want to concede to the customer and damage its position in the market.

We had been with one of the competitors for more than seven years. They didn't specify any SLAs either, and I bet we could have forced termination of the one-year contracts based solely on the quality of the service delivered. In the first year, we experienced lots of downtime and bandwidth problems.

Mobile and telecommunications companies alike don't usually offer SLAs to non-corporate customers for any of their services (fixed phone lines, mobile phone lines, VoIP, hosting, etc.). We really need a change from such imposing, one-sided contracts, where the customer's hands are tied and there are no options after signing. We are simply tired of such bad treatment.

Tuesday, May 06, 2008

Transaction Brokerage and Security

Due to some work on E-Commerce for my master's degree, it has come to my attention that there is no credit card transaction service in Central America as easy to use, architecturally complex and well designed as Google Checkout.

For those of you who don't know the service and/or don't want to browse the technical pages and cookbook: Google Checkout provides payment processing and seamless integration with shopping cart and fulfillment systems. This is done by implementing Web services that interact with Google's. There are great advantages to this, one being that the merchant never needs to handle cardholder information, so they needn't worry (too much) about security and compliance.

There is one similar service offered in the region: Ez Pagos Centro América (as in E-Z Payments Central America). Internally they might use Web services, but externally they expose a PHP interface that receives variables from customers (subscribed merchants), and they process the credit card payments on their own website. Considering the technology used, integrating existing back-office systems with their service should be harder.

On the security side, nonetheless, Ez Pagos doesn't say much on their website. An online demo of an E-Commerce site using their system has been defaced for a while.

There are still challenges to overcome in the region, most importantly in the way business plans are developed. As in any planning process, if you overlook (or simply forget) small details, they can become big issues after deployment, not only in IT but also in marketing, customer service, etc. Hopefully we will see more transaction brokerage offerings in the future.

As a region, we need to focus on obtaining the right technical personnel, whether outsourced or internal to the organization. Schools, colleges and the private sector should recognize the need for more specialized certification, as in information security, E-Commerce and E-Business in general.