Mobile Computing Bill Shock: $685? Are you kidding me?
This post is slightly off topic, but it does have some connection to my blog topic of trust, and is something I wanted to speak out about.
I recently had the shock of logging into my mobile provider’s website (T-Mobile) to review and pay my most recent statement, and realized that my current bill which is normally in the $100 range had exploded to $685. This after I had recently changed plans and was expecting my bill to be even smaller than it had been recently.
So I got to looking at the details and realized that the majority of the excess amount resulted from a single charge for “roaming data services”. It was at this point that I remembered that I had made a business trip to Winnipeg during that statement period.
I called my provider to inquire about this charge, and learned that I had been charged a premium rate for data services used while roaming, that the unlimited rates for data and SMS included in my service plan do not cover roaming charges, that I should have known this, and they could have helped me avoid these charges if I had called them prior to international travel. Despite various degrees of complaining, railing, and pleading on my part, they are not going to reduce the charge, and I will have to pay it. They did offer to set up a payment plan for the excess charge to be paid over several billing periods (gee, thanks).
Here’s what’s going on
Mobile providers need to engage in capacity planning. Like any service provider they need to be able to operate their networks with some logical relationship between revenue and cost that results in a profitable business. I have no problem with this.
So for mobile operators this means that providing services for roaming subscribers of other mobile operators is a big unknown in their cost model. They know how many subscribers they have on their own network and they have lots of usage data that they can use for capacity planning, in order to arrive at a logical revenue model that drives what they then charge their subscribers. It’s difficult to know how much roaming usage they need to plan for. The solution is to charge a high wholesale rate to a roaming user’s home operator when they provide services to roaming subscribers. The home operator in turn marks up that wholesale rate to arrive at a retail rate charged to their subscriber. Which in my case noted above, resulted in a rate in excess of $10 per Megabyte.
The problem is, it appears to me, that this system has become exploitative and predatory in practice. Instead of being a cost/revenue projection problem, it has clearly now turned into a huge revenue stream for mobile operators.
In my mind there are three key elements that make this an egregiously exploitative and predatory business model: first, the wholesale rates being charged are far in excess of the foreign operator’s actual costs; second, the markup being earned by the home operator is excessive; and third, these rates are being paid without any notification to the subscriber at the time of consumption. Is there any other situation where an individual consumer makes a purchasing decision in the range of hundreds to thousands of dollars without knowing he is making that decision? Not many that I know of.
So the European Union has figured out that this is a problematic practice that needs to be addressed. The European Regulators Group has passed regulation, which goes into effect in early 2010, providing limits on wholesale roaming rates, and requiring notification to subscribers when they first initiate a connection subject to a roaming rate. Glad to see this, and hoping to see North American regulation follow suit.
Meanwhile, I’ve determined how to set my phone to avoid roaming for data services. For anybody interested, on a G1 it is as follows:
Settings -> Wireless Controls -> Mobile Networks -> Data roaming (connect to data services when roaming)
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
Some of My Favorite Quotations About Trust
- Let every eye negotiate for itself and trust no agent. – William Shakespeare
- No way of thinking or doing, however ancient, can be trusted without proof. – Henry David Thoreau
- Trust not yourself, but your defects to know. Make use of every friend and every foe. – Alexander Pope
- Watch a cat when it enters a room for the first time. It searches and smells about, it is not quiet for a moment, it trusts nothing until it has examined and made acquaintance with everything. – Jean-Jacques Rousseau
- You must trust and believe in people or life becomes impossible. – Anton Chekhov
- Every kind of peaceful cooperation among men is primarily based on mutual trust and only secondarily on institutions such as courts of justice and police. – Albert Einstein
- Se non è vero, è ben trovato (Translation: “If it’s not true, it’s a good story.”) – Italian Proverb
- R2-D2, you know better than to trust a strange computer! – C-3PO, in The Empire Strikes Back
- Trust? You want me to trust you? Do me a favor, Ed, don’t use big words you don’t understand. – Erin Brockovich
:: :: :: :: :: :: :: :: :: :: ::
What Responsibility Does an Account Holder Have In Avoiding Identity Theft?
As reported on Wired.com, an Illinois district court has allowed a couple to to sue their bank on the novel grounds that it may have failed to sufficiently secure their account.
Trust and Untrust
This case is rife with issues of trust and untrust
Frankly, although I sympathize with the plaintiff, I think this is a winnable case for the defendant.
At some point in the past, the bank implemented technology that would allow their customer to access her account information and provide account-related instructions to the bank via a publicly-accessible electronic method (i.e. a website).
When the bank made that technology available to their customers, they understood the importance of user authentication. In other words, they understood that they needed a reliable way to ensure that customer accounts could only be accessed by the legitimate account holder. They chose what was at the time an accepted industry-standard method: unique account passwords.
Based on the language quoted from their online user agreement, the bank also understood that the the need for user authentication presented them with a moral hazard problem.
Once the customer has chosen a password known only to her, she has a responsibility to protect that password from other persons. If the customer faced no potential financial harm resulting from her own negligence in protecting that password from exposure, there would be at least a tendency to behave less diligently with respect to protection of the password, thereby exposing the bank to greater potential losses.
This is a classic case of moral hazard.
The bank addressed their moral hazard problem through the provision of their online user agreement quoted in the article, stating to the customer that it would “have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice.”
If that provision is lawful in the jurisdiction(s) under which the contract was executed, then the bank should win this case. Although they might be well-advised to settle, to avoid the chilling effect on their relationship with all of their customers.
What Is This Case Really About?
I would argue that none of the participants in this process (including, and perhaps especially the judge, based on her comments) really understand the fundamentals of the disagreement.
There is an argument about the efficacy and sufficiency of the authentication method, and whether the bank ought to have migrated all of their customers to a stronger method. But there is also an argument about the responsibilities of each of the parties as participants in the security system.
It should be noted that, while a multi-factor authentication method is obviously significantly less susceptible to impersonation, this does not change the fact that both parties still have responsibilities as participants in the security system.
With multi-factor authentication, the bank still has the same moral hazard problem, they likely have a similar contract provision (which now says “PIN and token” instead of “password”), and the account holder still has a responsibility to protect those authentication factors from unauthorized access.
What happens when the same case is brought against a bank where the fraudulent impersonation occurs because an attacker has acquired both the PIN and the physical token? Who will be at fault then? The account holder whose own inadequate security measures led to that, or the bank who is accepting those authentication factors?
What responsibility does the account holder have in avoiding identity theft?
Another important question the judge is not asking: Whose security failed? And how can the court know whose security failed? Should the court order a forensic assessment of the banks systems and the account holder’s systems (i.e. their home PC) to determine how the attacker obtained the password?
If the impersonation occured because the account holder wasn’t diligent in protecting her password, how does this automatically equate to a failure on the bank’s part?
Who trusted who here? Which systems did the bank trust? Which systems did the customer trust? And which systems turned out to be untrustworthy?
:: :: :: :: :: :: :: :: :: :: ::
Have You Ever Lugged Three Laptops Through An Airport?
I have.
In fact, I have lugged three laptops through four airports in three days.
It wasn’t fun.
And if I had my preference, I would never do it again.
But what does this have to do with untrusted systems? Bear with me for a few more paragraphs…
How many personal computers does one person need?
Most of the people I know (and granted this tends to be a pretty geeky crowd) maintain and use no less than two laptop computers.
They own one, which they use for their own personal pursuits. And they have one that’s been assigned to them by their employer, which they use for the work they do for that employer.
And sometimes people (like me) may have a work-related need for yet another separate laptop (or even more), which when combined with work requiring travel can lead to airport adventures like mine mentioned above. (I know – it’s a silly state of affairs.)
I have recently made it my goal to reduce this to one single personal computing device (not including smart phone, which is a matter for another post). I want to own and operate (and secure) my own mobile personal computer, one single physical device to serve all of my networked computing needs.
And then when some other entity (such as my employer or a client) needs me to use a computer that is configured and managed to their specifications by their IT personnel, that computer will simply run in a virtual machine on my own computer.
For a guy who has been caring for three (sometimes four) laptops…this would be Nirvana.
I was beginning to feel that I was the only person in the world who wanted such a thing, until I read Stephen Shankland’s article Get ready for virtualization to affect you, too, yesterday on CNET, in which I’ve had my first encounter with the term “employee-owned IT”. Apparently I”m not alone.
Can your employer trust your computer?
As a person whose life revolves around computing, I love this idea, and I want it in the worst way. However, as an Information Security professional, I’m also painfully aware that there are significant obstacles to be overcome.
For most organizations, and especially those that are conscientious about information security, employee-owned hardware definitely falls into the classification of untrusted system.
So what do you think?
If you’ve ever had to juggle multiple laptops, does the idea of running your employers “blessed image” in a virtual machine on your own personal laptop appeal to you? Have you ever asked for this and been turned down?
How much in the way of “requirements” would you be willing to put up with? What if your employer wants to periodically or even automatically “audit” your security configuration?
If you’re responsible for information security in an organization, does this notion have any legs at all?
Is there a way to establish trust in an employee-owned laptop as a vm platform on which to run your organizations secured systems? What would it take?
If you’ve already gone down this path, how did you get there?
:: :: :: :: :: :: :: :: :: :: ::
What will produce better Information Security? More trust? Or more untrust?
Who am I?
All I’m offering is the truth…nothing more. I’m Arthur Badger, and in my day job I help Fortune 500 companies wrestle with information security and compliance. Welcome to un-trusted.net.
Here I will think out loud about, and attempt to illuminate, the topics of trust and untrust in inter-connected computing systems. I’ve become convinced that the current approach to establishing trust is at best poorly thought out and poorly scalable, reliant on a variety of assumptions needing to be challenged, and very likely unsustainable.
I hope to find common ground with both sides of the security versus compliance debate, and provoke new ways of thinking about the problems.
By the way, I make no claims to any great or profound wisdom on these topics. Only a body of experience that has put me personally and professionally in the cross-hairs of these problems, a burning desire to participate in a more rational and reasoned process around these issues, and a willingness to share my ideas.
Welcome to my soapbox. Hope you enjoy it.
Who are you?
Since you’re here, you are likely someone with at least a passing interest in or association with the fields of Information Security, Information Assurance, Privacy, Compliance, or just Information Technology in general; or you are a fellow professional in one of these fields. Like me, you may also be frustrated with the status quo. In any case, there will be something here for you.
Certainly some of my musings will be written with other Information Security Professionals and technologists in mind. But increasingly, virtually everyone is technical to some extent and impacted by the problem of trust in computing systems. So, even if you are not involved in the business of Information Security, but find yourself impacted by it, I intend to have useful, practical, hopefully interesting, sometimes entertaining information for you as well.
Expect to see at least one major post per week, building on the theme outlined below, based on current events, trends, etc. I hope to be provocative and compelling, so please comment , and please subscribe to my RSS feed. You can also follow me on Twitter. (wow, groundbreaking, huh?). If you want to contact me personally, I can be reached at the name arthurstuff at the domain gmail dot com.
I’ll be attempting to make sense of the following questions:
The Basics
Trusted, trustworthy, and secure are related things; but they’re not the same thing.
- What does it mean for a system to be trustworthy or untrustworthy?
- What does it mean for a system to be trusted or untrusted?
- What does it mean for a system to be secure or insecure?
- How are the terms untrusted, untrustworthy, and insecure related?
- In this context, what is a “system”?
Down The Rabbit Hole
Albert Einstein (one of my heroes) changed the world’s way of looking at the universe by being willing to turn problems upside down and consider unorthodox solutions. This is where things might get a little weird (you’ve been warned).
- Do we regularly derive value from untrusted systems? Is this a valid thing to do?
- Do we regularly trust systems that are not trustworthy? Is this a valid thing to do?
- Is there value in the concept of subjective trust?
- Trusted or untrusted…by whom? Trustworthy or untrustworthy…to whom?
- What are the differences between subjective trust and objective trust? Do these distinctions matter?
- What does it mean to establish trust? What is involved in this process?
- Does this mean establishing that a system is trusted? Trustworthy? Secure?
- How do subjective trust and objective trust affect the results of trust establishment processes?
- What produces better Information Security: More trust? Or more untrust?
Getting To The Point
In an increasingly inter-connected and technology-dependent world it seems as though the ability to innovate is increasingly at odds with the ability to trust. The ongoing debate about “security in the cloud” is one example of this, and there are others. What are we going to do about this?
- What is the relationship between the concept of trust and the concept of risk?
- Do the terms untrusted, untrustworthy, and insecure all have the same effect in the context of the evaluation of risk?
- What is the concept of third-party risk?
- How do the terms untrusted, untrustworthy, and insecure affect our understanding of third-party risk?
- How do the terms untrusted, untrustworthy, and insecure relate to the concepts of policy… and compliance? (You had to know that’s where I was going, right?)
Let’s see just how deep the rabbit hole goes.
What?…Don’t you trust me?
:: :: :: :: :: :: :: :: :: :: ::
Latest Comments