Tag Archives: hacking

Seeing red over autorenewals

This is going to be a very angry post, so be warned.

Some time ago I posted about being caught out by an autorenewal from a pet supply site [online]. Well, it seems that the latest money making scam is to make a lot of online purchases ‘subscriptions’. Then, those subscriptions are set to autorenew…BY DEFAULT. You are forced to opt-in whether you want to or not, and the information is often hidden way down in the fine-fine-fine print.

The reason I’m frothing at the mouth today is because I’ve been stung, again.

Until November, 2021, I was using BitDefender Antivirus. I thought I’d bought a standalone product the same as I’d done for many years. I thought I’d paid for a one year licence, and that if I wanted updates after that, I would have to buy the product again after it expired.

Nope. Apparently BitDefender is now a subscription ‘service’ that’s set to renew automatically. To renew manually, you have to consciously opt-out.

Despite being a literate computer/internet user, I had no idea I’d ‘agreed’ to an autorenewal, and I had absolutely no idea the product I’d bought was being administered by a company called 2Checkout. In fact, I switched to Kaspersky Anti Virus about a month before the BitDefender licence was due to expire… -hollow laughter-

When I demanded a refund I was offered sweeteners I did not want. I’m still waiting for a full refund.

Then today I thought I’d do a post on how renewals should be done. I thought I’d take some screenshots of how Kaspersky does it. Imagine my horror when I discovered that Kaspersky is now doing exactly the same thing. But at least it’s being more upfront about it….

The link circled in red above says ‘Subscription 321 days remaining’. Clicking on the link took me to:

Ah hah! Manage subscription. Just what I wanted…

Or not. Hmm… what the heck does ‘Initialize your credentials’ mean?

I tried using the id and password I had for kaspersky.com but it didn’t work. What followed was a LOT of frustration as I tried to work out how to cancel my autorenewal. In the end I found this:

When I clicked on the blue ‘How to disable license auto-renewal for Kaspersky solutions for home’ I was taken to this screen:

What the? Where did I buy it? Why, I bought it from Kaspersky…didn’t I?

The following is a close-up:

Dear god…had I kept the confirmation email??? Panic!

I did find the confirmation email, and this is what the ‘bottom’ looks like:

To get to the bottom, I had to scroll quite a long way down, way past the point you see when you open an email normally. Apparently, a company called Nexway handled my purchase. News to me:

Excuse me? Method of payment??? What the bloody fuck? How can buying something online with a credit card constitute an acceptance of autorenewal????? But, of course, it’s all there in black and white at the bottom of a very long email where NO ONE ever looks….

By this stage I have to tell you that I was getting very anxious, but at least there was a ‘hassle free cancellation’ link to use…

<<cue screaming and rending of hair>>

The ‘hassle free’ link took me to a page that seemed to require a login…but the only login I had did not work. That left me searching for technical support from Kaspersky… This is what I wrote in the online contact form that took forever to find:

I still have almost a year to go before my Kaspersky Anti Virus autorenews, and I may choose to stay with Kaspersky, but I will not be forced into doing so.

More importantly, I will not allow my credit card details to remain with a company I know nothing about [Nexway]. Those credit card details are an open door to my bank account, and I have no idea whether Nexway will be the next global company to be hacked. Fear of hacking is one reason I’m so very careful with direct debits.

Oh? You didn’t realise that autorenewals were direct debits? They are, but direct debits require a formal acceptance. Funny how a name can change things…

And just for the record, I am very familiar with the subscription model and the concept of autorenewal:

  • I have a domain name with Godaddy, and I choose to autorenew every year. Despite that, Godaddy sends me an email notification well ahead of time. It does not send the notification and take my money on the same day, the way the company out-sourced by BitDefender did. Yup, 2Checkout, another company I know nothing about has my credit card details.
  • Elder Scrolls Online has a subscription option that I use once or twice a year. It autorenews as well, but cancelling the subscription is so easy you could do it in your sleep:

After clicking ‘Manage Membership’ I get:

And that’s it. Easy. Maybe it has to be easy because by and large, gamers are very computer savvy. If Elder Scrolls Online tried to make it hard for gamers to cancel their subscriptions, they’d lose gamers by the thousands. Plus gamers are a very vocal lot.

Getting back to anti virus autorenewals, I have no idea yet how Kaspersky handles notifications when a subscription is getting close to autorenewal. I hope they do it better than BitDefender, but given how much time I’ve already wasted trying to opt-OUT of this bloody autorenewal, I’m not feeling very sanguine.

Autorenewals can be very convenient. They can also be a very expensive trap. As for this new thing of making customers accept autorenewal by default – without any formal acceptance! – and then forcing them to jump through hoops to opt-out, that is just a fraud.

Let me repeat that. Autorenewal by default, often without the customer being aware of it should not be legal. Why companies are allowed to get away with it I do not know.

Why is no one complaining?

Why are consumer rights groups not jumping up and down like me?

We have always lived in a buyer beware world, but when the corporates keep changing the goal posts to hoodwink us out of our money, that skirts right on the edge of the criminal. If you have subscriptions, check them now, otherwise you could find yourself out of pocket.

Whatever you do, do not chalk any losses up to experience. We are Davids in a world full of Goliaths. Get angry. Fight back, if not for yourself, then do it for all those people who are more vulnerable than you…the elderly, young kids, teens who never read the small print…

The abuse we ignore is the abuse we condone.

Meeks


Wifi hack

Just in case you haven’t heard/seen the news on the internet, a basic exploit has been discovered in the Wifi architecture, and that exploit has been hacked. That means potentially everything that uses wifi to communicate is vulnerable.

And that includes:

  • computers via their router
  • smartphones
  • tablets
  • Amazon’s Alexa [I think]
  • and even cars

Apparently Windows based computers should already be updated against this exploit, although how Microsoft managed to find out so quickly is a worry. However, that is only the computer operating system itself. The router also handles things like internet banking and I have no idea how secure that is now.

Android and Linux are both vulnerable. I believe Apple is too.

As most people these days have wifi routers [the box with the flickering lights that sits between your computer and the internet], I would strongly recommend checking with your ISP* about when you can expect a security update for the router. ISPs are your service providers – e.g. Telstra, Optus etc. Until you get one, I would keep internet transactions dealing with money to an absolute minimum.

Actually, you might consider going around with wads of cash for a while. No seriously.

Oh, and don’t use the free wifi in your local shopping centre because such locales are plenty big enough to make them worthwhile for hacking.**

If any of my techie friends has info to share I’d really appreciate it.

cheers

Meeks

* When you sign up with an ISP, they usually provide you with a router [for a fee] so the ISP should provide info. on updating the router.

** Although this hack is universal, it is constrained by the hacker’s need to be physically within reach of the wifi he/she wants to hack. So home wifi is not that ‘worthwhile’, but a large shopping centre probably would be.

 


Phishing in 2014

Don’t worry, I haven’t taken up creative spelling!

‘Phishing’ describes a process whereby hackers ‘fish’ for information by sending bogus emails to unsuspecting netizens. These emails purport to come from legitimate companies, and are designed to scare netizens into divulging their Account IDs, and passwords.

Rather than trying to describe the process in detail, I have an example to show you. I received the email below just today. The nasty bits have been taken out.

From : Blizzard Entertainment <tvestt@gmail.com>

[The email reply-to is the first big giveaway. Blizzard Entertainment is a legitimate gaming company, and produced the highly successful MMO – World of Warcraft. BUT! All official Blizzard emails use email addresses linked to their website, NOT gmail!]

Greetings

An investigation of your World of Warcraft account has found strong evidence

that the account in question is being sold or traded.

[I did have a World of Warcraft account – about five years ago. Oddly, I didn’t start receiving these emails until a year or so after I stopped playing.]

As you may not be aware of,

[Awkward grammar and sentence construction can often be a dead giveaway as well]

this conflicts with Blizzard’s EULA under section 4 Paragraph B which can

be found here:

WoW -> Legal -> End User License Agreement

and Section 8 of the Terms of Use found here:

WoW -> Legal -> Terms of Use

[The email references genuine, Blizzard Entertainment web pages, but does not actually link to them]

The investigation will be continued by Blizzard administration to determine the

action to be taken against your account. If your account is found violating the

EULA and Terms of Use, your account can, and will be suspended/closed/or

terminated.

[This is the big stick designed to scare players into quickly clicking on the link provided]

In order to keep this from occurring, you should immediately verify that you are

the original owner of the account.

To verify your identity please visit the following webpage:

[To verify your identity, you will be asked to enter your Account ID and password. The minute you do that, the hackers will have all your account information and will be able to enter World of Warcraft as you. The consequences can range from annoying to devastating.]

xxxx//www.baltte.com/xxxxxxxxxxxxx

[Look carefully at the web site name. ‘baltte’ is NOT a typo. URLs with typos do not work. Blizzard does have an account with ‘battle’ in the address, but this is definitely not it.]

Only Account Administration will be able to assist with account retrieval

issues. Thank you for your time and attention to this matter, and your

continued interest in World of Warcraft.

Sincerely,

Account Administration

Blizzard Entertainment

***

The above example is actually a rather amateurish job, with fairly obvious clues to its origins – if you know what to look for, and don’t panic. The problem is, most normal netizens don’t know what to look for, and phishing is not restricted to online games.

In the past couple of years, I’ve received more than one phishing email – supposedly from my bank – with the right logos and graphics etc, and no easy giveaways. In fact, the only thing these highly professional phishing emails had in common with the example above was that they required me to follow a link and SIGN IN.

Now, if you don’t use internet banking, this warning probably doesn’t apply to you. However if you do use internet banking, then please understand that once you follow one of these bogus links, and sign in to your banking account, your money will be gone in minutes. That is how serious phishing can be.

So, two very important facts to learn and remember :

1. If you get an email from your bank telling you there is a problem, and asking you to login to your account via a link in the email – DON’T DO IT!

2. Always login to your account via the normal, legitimate web address. Having to type in the URL may not be as convenient as clicking on a link, but it is far, far safer. If there is a genuine problem with your account, it will show up once you are safely logged in to your account. 99.99999% of the time, however, there won’t be a problem, and the email you received will have been bogus.

The internet is a wonderful place, but even the best anti-virus software cannot protect you from hackers if you aren’t aware of the danger, and don’t exercise some common sense.

Play safe, bank safe!

cheers

Meeks
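The two giveaways walked through in the post above (a brand name in the sender field paired with an unrelated mail domain, and a link whose domain is a near-miss of the real one) can be checked mechanically. The following is an added example, not part of the original post: the allow-list of trusted domains, the function names, and the scheme and path of the sample link are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: allow-list of domains each brand really uses, kept by the defender.
TRUSTED = {"blizzard entertainment": {"blizzard.com", "battle.net"}}

# Constructed from the email quoted in the post; scheme and path are placeholders.
SAMPLE_FROM = "Blizzard Entertainment <tvestt@gmail.com>"
SAMPLE_LINK = "http://www.baltte.com/placeholder"

def osa_distance(a, b):
    """Edit distance that also counts a swap of two adjacent letters as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_sender(from_header):
    """Flag a known brand in the display name paired with a domain it does not use."""
    name, addr = parseaddr(from_header)
    domain = registrable(addr.rpartition("@")[2])
    allowed = TRUSTED.get(name.strip().lower())
    if allowed is not None and domain not in allowed:
        return f"display name '{name}' but sent from {domain}"
    return None

def check_link(url):
    """Flag a link whose domain is not trusted but sits within two edits of one that is."""
    domain = registrable(urlsplit(url).hostname or "")
    every_trusted = set().union(*TRUSTED.values())
    if domain in every_trusted:
        return None
    for trusted in sorted(every_trusted):
        if osa_distance(domain.split(".")[0], trusted.split(".")[0]) <= 2:
            return f"{domain} imitates {trusted}"
    return None

if __name__ == "__main__":
    for finding in (check_sender(SAMPLE_FROM), check_link(SAMPLE_LINK)):
        print("SUSPICIOUS:" if finding else "ok", finding or "")
```

A distance threshold of two is a heuristic and will occasionally flag an unrelated short domain, so findings like these are best used to warn the reader rather than to block mail outright.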

