By Chris Cardinal on December 17th, 2012
UPDATE, 12/18/2012: Amazon emailed me this morning to tell me they’ve terminated my account and let me know that I may have been phished. I was also told by the other woman I reference in this post that her account had been terminated as well. My Amazon Web Services account is in limbo, so I’ll be posting more about this shortly.
UPDATE #2, 12/18/2012 PM: It appears that the termination email was inaccurate. The account was only “frozen” and has since been restored to me, thankfully. (And moved to a different email address.) I’m following up with the other Amazon user to see if she’s had a similar outcome.
Someone has devised a relatively simple way of defrauding Amazon.com and they require very little hard information to pull it off. While this story is still developing, I’m writing this up in an effort to make Amazon aware of the problem and hopefully help them tighten their call center and live chat security.
You may recall that Amazon was implicated as the weak link in the Mat Honan iCloud hack, wherein a gadgets blogger had his entire online identity nuked from orbit because Amazon gave up the secondary identifying information necessary to issue a password reset over at Apple. (The last four of your credit card, incidentally.) I’m sad to say that Amazon has clearly not improved their authentication protocols in any meaningful way, but this time it’s hurting them directly.
I woke up this morning to find four tightly spaced emails from Amazon apologizing for the premature termination of our live chat session. They all differed slightly but were along the lines of “I couldn’t gather enough information to take action.” At first, I figured this was a bizarre phishing scheme, but the post-chat emails were true to Amazon’s normal format and linked to valid Amazon post-chat survey links. I did notice that the emails were being sent to my name with a dot bisecting the first and last name. Gmail is “dot-blind”: you can literally email [email protected] and it will arrive in the [email protected] account with no issues. But Amazon is NOT dot-blind: [email protected] is a distinct Amazon account from htmlist[email protected], even though the underlying email account is the same. (Because many providers are NOT dot-blind, this is actually normal practice.)
This was of particular interest to me as I have never given out my email address with a dot in it. Ever. More on that soon.
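The dot-blindness mismatch described above is easy to check for on the defending side: a retailer can canonicalize addresses before treating two sign-ups as different customers. The following is an added example (not code from this post or from Amazon) that collapses Gmail addresses to their canonical mailbox and flags existing accounts that map to the same inbox. It goes slightly beyond the post by also stripping Gmail “+tag” suffixes, which Gmail likewise ignores; the sample account list is constructed for the example.

```python
"""Canonicalize email addresses so dot-variant Gmail sign-ups are detected."""

# Gmail (and its older googlemail.com alias) ignores dots and "+tag" suffixes
# in the local part. Most other providers do not, so we only normalize these.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample of a customer database: two Gmail spellings of one
# mailbox, two example.com spellings that really are distinct, and a control.
SAMPLE_ACCOUNTS = [
    "jane.doe@gmail.com",
    "janedoe@gmail.com",
    "jane.doe@example.com",
    "janedoe@example.com",
    "bob@gmail.com",
]


def canonical_email(address: str) -> str:
    """Return the mailbox an address actually delivers to, lower-cased.

    For Gmail domains, dots are removed and anything after '+' is dropped;
    for every other domain the local part is left untouched.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_lookalike_accounts(accounts):
    """Group accounts whose addresses collapse to the same mailbox.

    Returns {canonical_address: [original spellings...]} for every mailbox
    that owns more than one account; these deserve review before a support
    agent treats them as unrelated customers.
    """
    groups = {}
    for email in accounts:
        groups.setdefault(canonical_email(email), []).append(email)
    return {canon: spellings for canon, spellings in groups.items() if len(spellings) > 1}


if __name__ == "__main__":
    for canon, spellings in find_lookalike_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{canon}: {', '.join(spellings)}")
```

Run it as-is to see the one collision in the constructed list; wiring `canonical_email` into an account-lookup path means a support agent searching either spelling lands on the same customer record.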
Finally, the last email indicated that “I did check on your account and found that no orders are present on this account. However if you’ll be able to provide us the order numbers, we’ll be able to proceed from there.” Someone is sniffing out order numbers.
Something wicked this way comes
Two hours later I received yet another post-chat email from Amazon Customer Service. Here it is:
Posted in: Rants
By Chris Cardinal on August 16th, 2012
Mobile credit card payment provider Square announced a big shake-up today: instead of paying a per-swipe charge for taking credit cards (of 2.75%), you can now opt to pay $275 per month and pay literally nothing per swipe. This is pretty big news, but just how big is it?
First off, Square limits the total transaction volume in a given year to $250,000. It also limits you to $400 per transaction. That puts it out of reach for a software company like ours, which is sometimes asked whether we take credit cards. (The answer: yes, if you want to pay another 3.1%.)
It also should put it immediately out of reach for anyone processing under $120,000 in volume in a given year: that’s the cut-off point for the new scheme to still bring you value. If you’re processing under $120,000 in a given year, you’re better off paying their standard 2.75% swipe fee, which is still offered with no additional per-transaction charge.
Let’s examine how the rates play out at different volumes:
| Volume/year | Rate | Processing Cost Difference | % Cost Difference (of sales) |
|---|---|---|---|
Put simply: If you’re earning over $120,000 a year on Square (with sub-$400 transactions), it’s a no-brainer to switch. If you’re not sure and you’re merely on the cusp, it might make sense to hold off. Once you hit the $250,000 limit, new transactions revert back to the 2.75% pricing, which is still quite competitive, and when you consider that you’ve paid 1.43% for your first $250,000 of volume, it’s still a great deal. One more benefit: Consistency. You’ll now know exactly what your credit card/merchant expenses will be every single month, and that every penny you’re charging is going straight into your bank account.
Most rates with traditional payment providers begin around 2.2%-2.9%, but it’s very difficult to grasp what your total costs are: for one, different cards are charged at different rates, and you don’t necessarily know the real damage until you receive your statement. The volume necessary for significant discounts is usually some point well above $250,000, and I still think you’d be hard-pressed to find someone able to offer anything close to 1.43% for that volume.
Posted in: Tech News
By Chris Cardinal on June 25th, 2012
By Chris Cardinal on February 16th, 2012
Synapse Studios was called upon by Dan Spindle with Fox 10 News to discuss the “app economy” around the Phoenix and Tempe, Arizona area. As one of the few custom software and application development firms left in the Phoenix metropolitan area, we had a great time explaining our perception of the explosion in people’s desire to create applications, and our current hiring needs:
Posted in: Cool Stuff
By Chris Cardinal on January 19th, 2012
Whilst in the throes of exploring my favorite airfare booking site (Hipmunk), I noticed their live chat tool looked a little… different. It was bouncy, fun, and unassuming. Turns out, they use Olark: by far the most impressive live chat tool I’ve ever had the pleasure of dealing with.
The fun doesn’t end there: Olark allows you to actually redirect a user to a different URL, including external addresses, all while maintaining persistent chat. This is absolutely fantastic, as you can literally direct a user to the page they need while still helping them out. Olark reports what page they’re currently looking at, and their new co-browsing feature allows you to literally see what your users see, scroll the page for them, and circle certain elements.
This level of interaction is fantastic: it can help clinch a waffling pre-sale customer who has a small question but isn’t able to find an answer and doesn’t want to go through the trouble of filling out a contact form. Or it can assist with the on-boarding process: new users are the most likely to encounter experience-ruining burrs, problems, small barriers to entry that can be resolved with a simple chat.
The ability to transfer conversations, native Jabber/XMPP support (so I can use Trillian to manage my chats), and a robust API round out the core features of a very compelling product. Olark is free for up to 20 conversations a month and one operator, but the clients we’ve signed up on Olark needed the Gold plan, since it’s the lowest plan that supports SSL.
Check out Olark for pre-sale potential customer engagement, and post-sale onboarding/getting started assistance. Reducing friction for new and potential users is the surest way to build a loyal following or make a sale.
Tagged with: olark
By Chris Cardinal on July 13th, 2011
When writing and testing code, it’s really tempting to put in junk data or in-jokes or other fun bits. As a development company, we’ve banned that outright, even in development environments, because we’ve discovered that somehow, some way, our little joke will end up live, released to clients or their customers, or even worse, appear in big bold letters in the middle of a demo. Nothing quite matches the sheer terror and stomach-pit feeling of having “stupid mcassface” show up during a demo.
Clearly, Off and Away’s devs/founders have a sense of humor, and since this is source code and not customer-facing, this isn’t really a big deal. It’s not even vulgar. But it’s amusing to stumble across these sorts of gems, as long as they’re not in the middle of a demo. For more fun, search swear words on Google’s Code Search. You’ll find some exasperated comments, angry rants, and outright bitterness, to be sure. (Hell, even Microsoft’s done it.)
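A ban on junk data only holds if something enforces it before code leaves a developer’s machine. As an added example (not code from this post or from Synapse Studios), here is a small scanner suited to a pre-commit or CI step: it searches source text for a denylist of placeholder and joke tokens and reports file, line and match. The denylist and the sample source it scans are constructed for the example; a real team would maintain its own list.

```python
"""Flag placeholder text and in-jokes in source before it reaches a demo or a client."""
import re
import sys
from pathlib import Path

# Constructed denylist. Matching is a plain case-insensitive substring search,
# so a short token such as "asdf" also catches "asdfasdf"; keep tokens specific
# enough that ordinary identifiers do not trip them.
BANNED_TOKENS = ["lorem ipsum", "asdf", "foo bar", "mcassface", "TODO remove"]
BANNED_RE = re.compile("|".join(re.escape(t) for t in BANNED_TOKENS), re.IGNORECASE)

# File types worth scanning; anything else (images, lockfiles) is skipped.
SOURCE_SUFFIXES = (".py", ".js", ".html", ".sql", ".php", ".css")

# Constructed sample of a file a developer might commit: two leftovers that
# should never ship, surrounded by ordinary code.
SAMPLE_SOURCE = """\
users = load_users()
placeholder = "Lorem ipsum dolor sit amet"  # leftover fixture text
greeting = "Welcome back"
label = "stupid mcassface"  # the joke that ends up in the demo
"""


def scan_text(text: str, name: str = "<string>"):
    """Return (name, line_number, matched_token) for every offending line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = BANNED_RE.search(line)
        if match:
            hits.append((name, lineno, match.group(0)))
    return hits


def scan_tree(root: str, suffixes=SOURCE_SUFFIXES):
    """Walk a directory and scan every file whose suffix is in `suffixes`."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits


def main(argv):
    # With a directory argument, scan it; otherwise scan the built-in sample.
    hits = scan_tree(argv[1]) if len(argv) > 1 else scan_text(SAMPLE_SOURCE, "sample.py")
    for name, lineno, token in hits:
        print(f"{name}:{lineno}: banned token {token!r}")
    # Non-zero exit blocks the commit or fails the build when anything matched.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at a checkout (`python scan_junk.py path/to/repo`) from a pre-commit hook; the non-zero exit is what actually stops the “stupid mcassface” string from reaching a build.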
Posted in: Development
By Chris Cardinal on July 4th, 2011
Google’s Plus release represents their first legitimate effort at a coherent social experience. Right out of the gate, they’ve got a few things incredibly right: amazing notifications unified throughout all Google products, good integration with Picasa and Android, Circles, Hangouts, data portability, and a feeling like this might be around for some time.
Now they need to focus on what’s necessary to make this a second nature, everyday product for people, like Facebook is now for most people.
If anyone can get scale right, it should be Google. Admittedly, scaling instantly into the millions is a challenge for even the largest companies, and there’s surely a method to their madness here, but they need to be doing whatever they can to get this thing open to as many people as possible. They’re framing the current experience as a “Field Test”, but it’s difficult to test a social networking product if you can’t get your friends onto it. Early adopters are the type of user who will shift their more reluctant friends to a new system. They’re kneecapping their momentum with their limited invitations.
Figure Out Sparks
By far, the most confusing element of Plus is Sparks. It’s an interesting hodgepodge auto-aggregator of news and blog posts on individual topics (or “eccentric hobbies” as their video goes), but it’s presented in a bit of a sloppy way. Since it’s curated automatically, it’s not terribly great at it, which is a bit disappointing as well. Fortunately, Sparks is a nice-to-have within the Plus experience. Perhaps some integration with Reader would help make Sparks shine.
Make Huddles Amazing (Read: Copy Beluga)
I’ve got basically every single friend I speak with regularly on Beluga now. We use it to plan events, see what’s happening for the evening, and coordinate shared rides and the like. It’s a great tool. We also have fun with it. We share photos and links and such. And we can access it from our desktop if necessary. Huddles don’t currently let you access them from the Plus site itself, only from the mobile app. Since Plus isn’t available in the iPhone App Store yet, I can’t try to convert my friends to Huddles yet. And since Huddles don’t let us share photos or set Huddle photos, I don’t know if I’d want to yet. Location sharing is really useful too, and here Google has a definite leg up: it already shares location on posts… why not on huddle updates? Moreover, why not tie directly in to Latitude? Let me navigate right to a real-time-updating friend if I’m picking them up from someone, right from within our Huddle!
Import Profile Pics from… Somewhere!
Most of my connections/friends on Plus are faceless. Make adding a profile picture a required first step. It’s important to associate faces with names, but moreover, it’s WAY less usable to see a bunch of placeholder graphics throughout the product. Import from Gravatar, or, if you won’t violate TOS (heh), from Facebook directly. Either way, make it required, or constantly nag until it gets done.
Release a Stream Notifier or API
If you want us to engage, we need to know things are happening. Right now, it appears the only way to see new posts is to load up the Plus site or app and look at the Streams. Facebook and Twitter have apps or APIs that allow us to get pinged with updates as they happen. You’ll lose momentum and people will stop coming back to Plus if we can’t see what’s happening without having to call up the site manually every time.
Let Me Cross-Post Content Easily
Since Plus isn’t going to overtake Facebook, Twitter, or LinkedIn overnight, let me cross-post to those places with the click of a button. Better yet, blow everyone away and make it as easy as choosing a “Circle”. Add the Facebook “Circle” and the post auto-cross-posts there. Add the Twitter “Circle” and the shortened form is available for preview before it ends up there. By keeping up the walled garden, Google may be intentionally discouraging this sort of behavior, but this is what will trigger buy-in immediately and ease the transition. Social networks aren’t necessarily a zero-sum game, but two is likely very close to the limit for most.
What’s Next for Plus
Plus is off to a great start. Better than Buzz or Google Wave could ever hope for. It’s exciting, clean, original, and well-executed, with a lot of great features available right out of the gate, and some really innovative concepts. With a bit of polish and a bit more hand-holding, I think Google can convince people to begin using Plus as part of their daily interaction. But the elements needed to keep us checking in and coming back every day aren’t quite there yet. The notifications are a great start, but they only tell part of the story, keeping me informed only after I’ve already engaged. I need a reminder to check in on Plus and see that my friends are using it, and that’s sorely lacking right now.
Google also needs to integrate single-sign-on/Google Authentication with Plus, the way Facebook Connect can be used to allow people to log in or register on a site. It’s not necessary to have a complete app platform available right out of the gate, but Facebook is definitely on to something with Facebook Connect and it’s an important element for any social networking site to drive engagement.
Hopefully we’ll see swift continued development on Plus. It’s a great product out of the gate, but building the product isn’t the hard part in social networking: that’s left to getting users to buy in and keep coming back for more. Plus solves a lot of the qualms people have with Facebook on the privacy, data portability, account deletion, and sharing side of things, and that’s amazing. But it’s not an instant win, and they’ve got a long way to go. Making Huddles indispensable (and consider integrating them with group gTalk) would help, but I’m hoping they’ve got some other unique features up their sleeves to introduce into the Plus fold. I’m disappointed that the Slide-inside-Google-developed Pool Party and Prizes products weren’t built with Plus in mind. It might be time for the left hand to clue the right hand into what’s going on, and to get everyone on the same page.
Posted in: Cool Stuff
By Chris Cardinal on March 10th, 2011
HTMList primarily focuses on the technical side of the web development work we do here at Synapse Studios. We’re mixing things up a bit with the announcement of the launch of Nestablish.com, a comprehensive loan officer workflow management system, built as a startup for a few loan officers who wanted to make life easier for their fellow loan officers.
Loan officers frequently have to generate and sign pre-qualification forms and other specialty forms (such as Arizona’s Loan Status Update form) for each and every offer a real estate agent makes on a house. This can often come at inconvenient times, such as nights and weekends, when loan officers are typically off-the-clock. Nestablish allows loan officers to configure a maximum value for the pre-qualification documentation. The real estate agent is then granted the ability to generate the forms at the value they require, automatically limited to the maximum allowed by the loan officer.
This project presented a few interesting challenges for us, including working with the Fannie Mae 3.2 file specification to allow for the easy import of loan information into the system, and some complex PDF generation. Since each loan flows through a complex process with a lot of steps and required documents, we built Nestablish to allow the loan officer, real estate agent, and home buyer alike to track the progress of the loan approval and see exactly where they are in the process. This ensures faster closings with less back-and-forth during the typically stressful home buying process.
We’re incredibly proud of our team here at Synapse who helped make Nestablish a reality, including Jeremy Lindblom, Andrew Reida, and Bob Eagan. We’ll be working with the fantastic team at Nestablish to deliver a whole new suite of features to the site very soon, but loan officers can get started today by registering for a free 60-day trial. (Nestablish is free for real estate agents and home buyers, and only $29.95 for loan officers after the free trial.)
Posted in: Announcements
By Chris Cardinal on January 25th, 2011
As a web development firm, we frequently have to manage passwords and other credentials for multiple clients and their projects. This includes everything from SFTP and SSH information, database passwords, DNS managers, domain registrars, and everything else under the sun. We’ve moved to a policy of good password practice across the board at the urging of common sense and of one of our former developers, Alan Hogan. (Our previous system was not sharable, and fraught with other shortcomings.)
We needed a password system that was secure but which would allow us to share client passwords across our team, while ensuring limited access within the organization, and unique, complex passwords every single time. We ended up making use of the wonderful KeePass tool, synced through Dropbox.
KeePass is a wonderful password manager (though not as much for Mac or Linux users, for reasons I’ll get to) in general. And it has some pretty great features, some unique to KeePass, others relatively standard fare: