2018-02-20

Vodacom's complex data tariffs and R58,29 per gig


Vodacom is rather "good" at hiding its favourable tariffs. For years I have been using the very expensive data bundles on the website (between R100 and R150 per gig), but by chance I saw this week that one can get much cheaper tariffs through the USSD channel *111#. For R1399 once-off it is 2 gig per month for 12 months, i.e. R58,29 per gig, which is not bad, although still much more expensive than on the networks with more limited coverage such as Telkom and Cell C.



 

Above are the menus of the USSD channel and below are the options on the website. Unless I am searching very badly, Vodacom apparently has no uniform way at all of publishing its product range through the different channels. The 7-day and 14-day options are also not available through the website, but the day option (funnily enough!) is.


The question arises for me whether SA consumers (under our ridiculous variety of legal arrangements) do not perhaps have a claim to receive complete information about the options (especially on an electronic channel) that are available to them. We all know that the salespeople in the small electronics shops or the car dealer (or estate agent) decide very nicely and expertly which options and prices to make available to any given customer, but at least they do not do it in writing...

2018-02-13

MTN's password policy is bad – even for the top network in Iran, Syria and Afghanistan

South Africa's MTN Group "has licences from some very unattractive governments, to which it pays taxes, provides wire-tapping, collects metadata and censors content" (to quote my friend Ewan Sutherland in his paper on the group). Not only that, it operates under a very unattractive shade of yellow and it is also allowing deductions of R15 per day from a relative's mobile account and not making it possible to cancel the "service". The telephone number that MTN provides (in the text message shown) for the scam factory "does not exist" when you try to dial it, incidentally.

Now, the next desperate step was to attempt to register on their website. The first part was relatively easy, but it transpires that to view account details it is necessary to log onto something called "MTN Acive", for which you are supposed to use the same username and password as for the original site. This failed dismally (it turns out) since the password which I registered does not comply with the password policy for the second site, although it was checked and did comply for the first. We are now locked out on the second site because we "entered the incorrect password" three times.

Needless to say, the incoming South African president has close links to MTN, about which more can be read at the M&G: Ramaphosa and MTN's offshore stash.

2018-02-01

Companies and Intellectual Property Commission website leaks sensitive information

The website of the CIPC (South Africa's Companies and Intellectual Property Commission) is one of those where I routinely have to reset my password. While going through the usual motions today, it occurred to me that the process allows personal data of registered users to leak out. Registered users can of course create new companies and change the details of (their) existing ones.

In order to get a password reset, you have to enter your CIPC username. The system then sends a web address to your e-mail and a one-time PIN (OTP) to your mobile phone number. Somewhat surprisingly, both the e-mail address and the mobile phone number are displayed on the screen after you have entered your username, divulging the private contact details of users to anyone who knows the username.

Why is this a serious problem? Well, usernames can be easily constructed from the surnames and initials of registered users. For example, the usernames consist of a small number of letters and I was easily able to find quite a few by trial and error. Subsequently, I retrieved cellphone numbers and e-mail addresses (none of which I stored, of course) as in the accompanying image. Someone really determined to hijack a company by changing the identities of directors might start with this and continue to then obtain access to the e-mail and cellphone number of a user responsible for the details of a company they are targeting.
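The reset flow described above, sketched next to a hardened variant, as an added example that is not the CIPC's code. The user table, function names, response texts and rate-limit values are all assumptions made for illustration.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed sample record: the username, address and number are invented.
USERS = {"SMITHJ": {"email": "j.smith@example.org", "mobile": "+27820000001"}}
OUTBOX = []  # stand-in for the e-mail and SMS gateways
GENERIC = "If that username is registered, reset instructions have been sent."
WINDOW_SECONDS, MAX_REQUESTS = 3600, 5  # assumed limits, per client
_recent = defaultdict(deque)  # client id -> timestamps of recent requests


def _dispatch(user):
    """Send the reset link and the OTP out of band only."""
    OUTBOX.append(("email", user["email"], secrets.token_urlsafe(32)))
    OUTBOX.append(("sms", user["mobile"], f"{secrets.randbelow(10**6):06d}"))


def reset_leaky(username):
    """Behaviour the post describes: contact details echoed to the requester."""
    user = USERS.get(username.upper())
    if user is None:
        return {"status": 404, "body": "Unknown username"}  # assumed reply
    _dispatch(user)
    return {"status": 200,
            "body": f"Link sent to {user['email']}, OTP sent to {user['mobile']}"}


def reset_hardened(username, client_id, now=None):
    """Identical reply for every username, plus a per-client request limit."""
    now = time.monotonic() if now is None else now
    hits = _recent[client_id]
    while hits and now - hits[0] > WINDOW_SECONDS:
        hits.popleft()  # forget requests that fell out of the window
    if len(hits) >= MAX_REQUESTS:
        return {"status": 429, "body": "Too many reset requests, try again later."}
    hits.append(now)
    user = USERS.get(username.upper())
    if user is not None:
        _dispatch(user)  # the user learns where it went from their own inbox
    return {"status": 200, "body": GENERIC}


if __name__ == "__main__":
    print(reset_leaky("smithj"))
    print(reset_hardened("smithj", "198.51.100.7"))
    print(reset_hardened("nosuchuser", "198.51.100.7"))
```

In a real deployment the dispatch would also be queued in the background so that response time does not distinguish registered from unregistered usernames.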

My knowledge of the relevant legislation is relatively limited but I can well imagine that the CIPC does not comply with applicable South African legislation on the protection of personal information. If a key organ of state struggles to comply with the edicts of parliament, how could the courts possibly expect ordinary citizens and companies to do so? As usual with vague legislation and sporadic enforcement (and with sharks and other predators) it is simply bad luck if you are caught, basically.