posts from @Janet tagged #bugs to regret

cathoderaydude
@cathoderaydude

today i get a text on my phone from a local number (not an SMS quick number) i've never seen before in my life, saying my car payment is overdue. that's true, i did forget to pay it.

so i go to my browser and click the link I've been using to pay my loan for a year. naturally, it's not on the lender's website, because they're a podunk bank in the middle of WA state whose IT staff is probably the owner's son, so PCI compliance is out of the question. they use some godforsaken SaaS that took me a week to even get signed up for, because it is not their system.

i'll be making up the names of these vendors due to Privacy, but let's say the link I've been using since i bought the car is "paynow-bankname.loanpayment.com." it's a completely barebones site that feels very much like it's supposed to have a lot more Content, but since i'm not actually a member of the bank, huge swaths of the page have been deleted to only leave the loan payment options

which, in this case, are missing. there's just no button to pay my loan. it's always been there before, but it's gone now. i can see my payment history and payment methods, but there's no way to pay.

i go back to the SMS, because it said "for payment options click this link." maybe if you're almost-overdue they turn off the normal web payment link for some reason?

so i tap that, and it opens a browser to... "bankname.paybytext.com", a domain i've never seen before. it then asks me to input my date of birth and create a PIN.

if your proverbial grandmother came to you and said "i think this one's a phish," you'd high five her. great job! she followed your instructions to the letter: it's an SMS with very little information, sent from a number she doesn't recognize, linking to an unknown domain which her bank never previously told her about. there is no clearer indication of a phishing attempt. except this isn't one.

i went to the bank's website and found no mention of the old service, but there is a link to paybytext.com now. i cautiously followed the new-account flow with a different PIN than the old site, just in case, and was deposited into a new, legit-looking payment interface... which is totally unaware of all my payment methods or history. which, again, is a pretty strong suggestion that i've been phished, but hey, the bank says they're legit!

i click the button to add a payment method, and i get taken to ANOTHER domain i've never seen before, "paynow.com." and i realize that the old URL had "paynow-bankname" as the subdomain, meaning that

A) this whole thing is a twisted spiderweb of dozens of SaaS providers who don't talk to each other, don't even know each other exist, and aren't authorized to communicate on behalf of the bank. all the information is one-way

B) the reason all this happened is because, since the last time i paid, the bank finally got out of their contract with the last SaaS vendor (who they realized had fucked them weeks after they signed the contract, but they had to wait for it to expire) and signed up with a new one, but they had no power to make the old vendor put any kind of message on their site stating that it's been shut off, nor can they (or should they) compel them to get rid of any of my account data, so now there's this zombie account

C) the only possible way i could have known about this is if i opened the paper statements the bank keeps sending me even though i told them not to. i throw them straight in the trash as soon as i get them, and probably tossed some fucking "welcome to our Great new Website which solves no problem you were aware of (but switching to it sure did get us out of a shitty contract)" notice. they wouldn't have emailed me this because the bank does not know my email. i'm nothing more than an SSN and a street address to them. only the fucking SaaS sludge vendor knew my email.

this shit has to stop. fix it. i don't care how, just fix it. it's not my fucking problem to care about how hard it is. it will not be fixed until there's legislation that says "no business may conduct online commerce or communication of any kind through more than one domain name, optionally with any number of subdomains."

once that law exists - in the US at a federal level, and in the EU - the problem will, from my perspective, magically go away. yeah, thousands of people will have to be hired and put through daily stress year-round to keep whatever horseshit solution working - i can't overstate this: it's not my fucking problem, I don't fucking care, fix it.


Janet
@Janet

being a fan of tad williams' books otherland, i like how this looks like it would pan out kinda like in that story, sure, sans the evil plot pls, but u know, not some megacorpo owning the means of communications, but a naturally evolved sociesphere on top of the many old ones, many in parallel.