federalcto.com The Blog of a Federal CTO


Meant to mention

I put up a post on 2-factor authentication here: http://www.idmwizard.com/2011/10/31/quest-on-2-factor-and-3-factor-authentication/ that can be considered an addendum to the last post I had here.

Going forward, this blog is going to be more about my travel and observations in my job as Quest's Federal CTO, and the IDM Wizard site will be for the more technical, identity-focused activity. With any luck, that site may have a new contributor as well, which is why I'm looking to revive it.


Gogo does away with 30 day pass, so going from GoGo is a no go

As a pretty regular traveler, I find the need to use GoGo from time to time. Pretty decent service, and if I had a bunch of flights in 1 month, or several long haul (east to west coast) flights, I would buy a 30 day pass. However, they took that away, and now only allow me to do their regular monthly plan, with a recurring charge. So if I forget to cancel the service in 30 days, they charge me for another 30 days. Lovely. And how do I cancel? Apparently, removing my stored credit card is a way to do it, but not outlined on their site. The only way I could find to do it was to select 'Live Help' which opened an FAQ. Now, I hate dealing with people when something can be automated, so for a brief moment, I thought they had what I wanted. But, alas, I still had to waste time in a chat session, as the only option provided was:

How do I cancel my Gogo Unlimited or Gogo Traveler Flight Pass?

If you would like to cancel your Gogo Unlimited or Gogo Traveler recurring subscription, simply click the Chat With Us link to speak to a Customer Care representative.

Here is the chat session:

Graeme: Welcome to Gogo. My name is Graeme.
Graeme: Hi, Dmitry!
Dmitry Kagansky: hi
Dmitry Kagansky: please cancel the monthly charge
Graeme: I do see that you've removed your stored payment card from this account, so your subscription will expire automatically. You won't need to do anything else.
Dmitry Kagansky: you could point that out in your FAQ
Dmitry Kagansky: this is a real nuisance
Dmitry Kagansky: so in order to do a '30 day pass' as I had in the past, i'll need to add and then remove my credit card
Dmitry Kagansky: or chat with one of you guys every time
Graeme: Yes, you need to contact us to cancel your subscription.
Dmitry Kagansky: that's just lovely
Graeme: What other questions can I answer for you?
Dmitry Kagansky: no others
Dmitry Kagansky: thank you
Graeme: Thank you for choosing Gogo. Fly classy.
Graeme has disconnected.

Good times; thanks for wasting more of mine, Gogo. Way to make things easier. I'll definitely have second thoughts on that hour long flight as to whether I want to put in my credit card number, and have to remember to cancel it within 30 days.


NFL Game Pass – not very good at keeping commitments, or giving any info out

As you probably expected, no one contacted me from the NFL this week. Despite my last post, where the anonymous person said I would be contacted by a supervisor, nothing showed up in any mailbox. And I was even checking my spam folder diligently. However, last night, they did manage to send me a reminder that my account is set to auto-renew, and will be charged again! What is wrong with these people?

So I tried to call, but after 20 minutes of waiting, decided to go down the chat route again. And here is the result of that session:

You are now chatting with NFL Game Pass

NFL Game Pass: Hello, how may I help you?
Dmitry Kagansky: I have 2 problems. The first is that I got an email that reads: "Your NFL Game Pass - Season subscription is currently set to auto-renew on 8/3/11 for the 2011 NFL Season." I specifically asked for a cancellation last week in a chat session. Also, a manager was due to contact me by this past Tuesday about my second problem. You can find the details here: http://www.federalcto.com/2011/07/nfl-game-pass-charging-credit-cards-they-have-no-right-to-charge/ .
NFL Game Pass: What is the user name for your account?
Dmitry Kagansky: xxxxxxxxxx
NFL Game Pass: Your account has already been taken off of automatic renewals and is not set to renew for this season.
Dmitry Kagansky: ok - then 2 questions
Dmitry Kagansky: 1. why did i get this email yesterday?
Dmitry Kagansky: 2. when will a manager contact me, as you committed to last week?
NFL Game Pass: The email was sent out to all previously subscribed GamePass users.
NFL Game Pass: In regards to your second question, I would be more than happy to forward your contact info along to a manager for follow up support.
Dmitry Kagansky: that's fine - but you committed to have a manager contact me last week
Dmitry Kagansky: you, or one of your colleagues
Dmitry Kagansky: did you have a look at the link I sent you?
NFL Game Pass: Well sir, it was not me. What I am able to do is what I have stated, and I would be glad to do that for you.
Dmitry Kagansky: The short story is that you charged me in august with a card that had been expired in may. You were never authorized to make that charge.
Dmitry Kagansky: terrific - when will the manager contact me
NFL Game Pass: Yes sir, I read the chat history that you supplied.
Dmitry Kagansky: please do not say 48 hours as you did last time
NFL Game Pass: The normal response time is within 48 hours.
Dmitry Kagansky: and please give me a contact name, or a reference of some sort
Dmitry Kagansky: who will contact me?
Dmitry Kagansky: you realize this chat session will go up on that site, yes?
Dmitry Kagansky: feel free to call me, as well, at 770-xxx-xxxx
Dmitry Kagansky: i got tired of waiting on hold when I tried to call
Dmitry Kagansky: but I'll warn you that the call will be recorded
NFL Game Pass: No need to warn us of that sir, we record all calls as well.
Dmitry Kagansky: i'm happy that you do, but I'll record it on my end for publication
NFL Game Pass: Again, I have passed your information along to my supervisor, and you can expect to be contacted back within 48 hours.
Dmitry Kagansky: how will I be contacted?
Dmitry Kagansky: and by whom?
NFL Game Pass: The first contact is typically via email.
Dmitry Kagansky: fantastic
Dmitry Kagansky: now, i didn't get contacted last time
Dmitry Kagansky: so how do I know I won't be having this same chat again next week?
NFL Game Pass: All I can offer you is my word as an employee of Neulion that I will perform the requested tasks as promised.
Dmitry Kagansky: terrific, mr anonymous employee of a company other than the nfl
Dmitry Kagansky: or ms anonymous employee
Dmitry Kagansky: i look forward to the email
Dmitry Kagansky: cheers
NFL Game Pass: Thank you sir, and you have a wonderful day.
Dmitry Kagansky: Were you going to leave the conversation, or is there any more to add here? I'm busy prepping the current blog post now.
Dmitry Kagansky: I just want a nice, clean "your chat has completed" message for the blog, and it's been about 5 minutes since you wished me a wonderful day


Well, I didn't have any more time for the silliness, so I closed the window at this point. It'll be interesting to see whether I get contacted within 48 hours. Something tells me that I'll have yet more chats posted up. And I did find an interesting iPhone app, as well, by www.recordacall.com . Unfortunately, I didn't have the patience to sit on hold past the 20 minutes, or this whole thing would have been an audio post.


NFL Game Pass – Charging credit cards they have no right to charge

When I lived in the UK, I subscribed to the UK Game Pass plan. It's actually a neat option for ex-pats, however, it's not available in the US. About an hour ago, I got an email from Game Pass saying that my account was "auto-renewing." Given that I'm quite diligent in making sure I don't auto-renew anything, I was a bit surprised to see this email, and figured it was a mistake, as the last season I would have subscribed to was 2008, and I was pretty certain I read the fine print. In fact, I remember having to renew the 2008 season, even though I'd subscribed the previous year.

So, I decided to use the chat feature, and figure out what was going on. Here is the complete chat thread:

You are now chatting with NFL Audio Pass

NFL Audio Pass: Hello, how may we help you?
Dmitry Kagansky: I just got an email that read "Your NFL Game Pass - Season subscription is currently set to auto-renew for the 2011 NFL Season at $239.99 USD." I haven't been in the UK for the last 2 seasons, and should not be set to 'auto-renew.' I cannot use Game Pass in the US, or I'd gladly subscribe.
NFL Audio Pass: can we have your user name
Dmitry Kagansky: Please cancel this subscription.
NFL Audio Pass: can we have your user name please
Dmitry Kagansky: xxxxxxxx
Dmitry Kagansky: or yyyyyyyy
NFL Audio Pass: one moment
Dmitry Kagansky: not sure which i used - the email address is xxxxxxxx@gmail.com
NFL Audio Pass: The auto renewal feature has been removed. There will be no further billing for Game Pass on your account
Dmitry Kagansky: Have I been billed for Game Pass the last 2 seasons?
NFL Audio Pass: Our records show your account was charged on 8/10/09 and 8/02/10
Dmitry Kagansky: You have got to be kidding me - I never asked for the auto renewal option
Dmitry Kagansky: there's no way I could have used the service in the US
Dmitry Kagansky: and I moved back in sept of 2009
NFL Audio Pass: The renewal feature is explained at the time of purchase
Dmitry Kagansky: Plus, the credit card you guys used was expired
Dmitry Kagansky: you should not have charged it
Dmitry Kagansky: and i would not have given you a new one
NFL Audio Pass: We are unable to refund a transaction after 7 days of the charge
Dmitry Kagansky: right, but you charged an expired credit card - that's certainly against your contract with Visa
NFL Audio Pass: The card on file was active at the time
NFL Audio Pass: it expired on 5/2010
Dmitry Kagansky: right
Dmitry Kagansky: so how did you charge me on 8/2/2010?
NFL Audio Pass: Unfortunately I do not have that information
Dmitry Kagansky: exactly
Dmitry Kagansky: so you need to issue a refund for the 8/2/2010 charge
Dmitry Kagansky: as it was unauthorized
NFL Audio Pass: We can escalate this to our manager, so he can look into it further
Dmitry Kagansky: last i checked, may came before august
Dmitry Kagansky: please do
Dmitry Kagansky: what is his/her name and contact information?
NFL Audio Pass: Can we have an email to contact you at
Dmitry Kagansky: you have it
Dmitry Kagansky: xxxxxxxx@gmail.com
Dmitry Kagansky: what is your contact information?
Dmitry Kagansky: and the reference or case number?
NFL Audio Pass: Thank you. He will be in contact with you within 48hrs
Dmitry Kagansky: what is the reference or case number, please
NFL Audio Pass: one moment please
NFL Audio Pass: We have no reference number to give. The information will be escalated, and the manager will be in contact with you. He will then provide his contact information. We apologize for any inconvenience this may have caused.
NFL Audio Pass: Your account will be noted also
NFL Audio Pass: Thank you for contacting NFL support

NFL Audio Pass has left the chat conversation

That is the entire and actual conversation, with just my username and email address redacted. There were some rather long pauses by "NFL Audio Pass" in all of this, as well. But this chat system is awful. No time stamps, no references as to who I "spoke" to, and certainly no feeling that this will get resolved. We'll see what happens in 48 hours, but I'm not holding my breath.


The battle for online taxes – the devil is in the details

Let me start by saying that I work for Quest, and we have no formal partnerships with Amazon, nor do we compete in any way that I can tell. Personally, I happen to be a satisfied (retail) customer of Amazon, but have done very little with their IT/Online services, beyond putting a bunch of MP3s in their CloudDrive.

The purpose of this post is to get everyone thinking about the complexity of online tax collection. Everyone sees it as a black and white issue, and it's not. It's not just the retailers "protecting their customers" and it's not just a single state or county that is having a revenue shortfall that needs this money. There are a lot of nuances that people do not consider when making their arguments in either direction. Personally, I'm on the fence as to whether online businesses ought to collect local taxes but I think my experience can help shed some additional light on the topic, as a whole.
I had a colleague on the State & Local Government side send me an article about how Amazon needs to just "man up" and help the states. The full title and link for the article is:
Why Amazon is winning online retail and should fold on this silly sales tax fight

One of the last paragraphs of the article states:

"Rather than fighting it out on a state-by-state basis, and yanking on the incomes of their affiliates while they’re doing it, Amazon needs to man-up and do what’s right."

And my response to the whole article was, "It's an interesting, if light, article." I went on to say that the author, whilst championing the States' case for collecting online taxes, completely overlooked the real problem with doing this. The problem is not just the fact that consumers wouldn't like the 5-10% hike in prices. The problem is that it would drive up prices considerably, and take any competitive edge Amazon has away. David Gewirtz overlooks a key financial factor that is a huge obstacle for anyone collecting taxes for online sales. And that is the cost of manning and maintaining a "Sales and Use Tax" department. What's that, you say? Why would you need a "department?" Can't all this be automated?

Well, not quite. For a retailer of Amazon's size, you're talking about getting dozens of tax analysts and clerks to handle this because there are thousands of jurisdictions. And because you're talking about thousands of jurisdictions, with millions of different rules, codes and policies, often open to interpretation, you need humans. You would need to add more labor, (and supporting systems) to deliver the same products and services. I know, as I was one of these humans at one point.

In a previous life, I worked for a company called Tax Partners as a Data Development Manager. Tax Partners has since been bought by Thomson, and it's impossible to find a nice, clean link on their site for what Tax Partners did, but what they did was manage outsourced Sales & Use Tax filings. These would often be for companies that deal with consumers in retail, telecomm, automotive, travel and other sectors. These were Fortune 1000 companies, that had a presence in hundreds and thousands of locations. And my job was to manage the development team that would write systems to take the client's tax data, and normalize it to fit into our system, which was then used by our internal tax analysts.

Now, here's where the details come in, and I'll use a single client as an example. Imagine you're a telecommunications company, and you provide cell phone service nationwide. You have to collect a ton of taxes, and all those taxes are a liability. You have to pass them onto the respective jurisdictions, so you really don't want to hang onto this money. The short term interest sounds interesting (pun intended) but it's not nearly enough to justify having to deal with this money. So while you get this money, it is only a burden to you, and you really don't want anything to do with it. I can tell you that one large, US telecomm was paying $80-95 million per month in taxes. However, that money would have to get divided among 5,000-9,000 different tax returns! Just try to wrap your head around those numbers on a monthly basis for 1 customer.

In some cases, the returns would only total as little as $5 or $10, but they were required to submit them. And everything had to be accounted for, with the money divided properly among the various jurisdictions in a state, even though you collect a lump sum from your customers. Oh . . . and those returns . . . often, they were a specific form, written by some policy maker, that said the form, in that exact format, must be submitted on the 10th of the month after business was closed. And perhaps even in blue ink! Now spread that out over more than 9,000 jurisdictions. And if you don't file, you not only get hit with interest, but a potential penalty. And that penalty may be $500 for a $10 return.

So, while each jurisdiction wants its money, they're not exactly the easiest group to work with. It's one thing when you're a business with a physical presence in a location, and know what's going on in that location, but when you sell to people in places you've never heard of, it's rather hard to keep up with the rules and regulations that jurisdiction puts out. There's a cost to that, and it's not as easy as a company in the UK, that simply adds the same amount of VAT to everything. My colleague added:

"The states believe there is a river of tax money flowing by and they aren’t dipping into the stream.  They’re very thirsty right now."

They may be thirsty, but they're not very accommodating. Would that every jurisdiction used a common form, accepted electronic feeds and transfers, and provided their rate information in an easy to use manner, it might be feasible. But the way things stand now, the cost (to a business) for collecting online taxes is very high, and there's one more thing. I mentioned before that if you get the taxes wrong, you could be facing a penalty. That penalty is often arbitrary, set by a judge in that very jurisdiction. Which means the odds are stacked against you, even if you make a good faith effort to help the states, as Mr Gewirtz suggests that Amazon do. At best, you can "meet expectations" at a considerable cost to you. At worst, you could get it wrong, and get hit with enough fines and penalties to put you under, all while trying to "help the states."

I do agree that the states and other jurisdictions need help, and that there is a revenue stream they could tap into. But it's not by applying 20th century rules and methods to a 21st century problem. I have my own ideas on what can help, but this post is long enough as it is. Thanks for taking the time to read it.


Best Buy Security Breach waiting to happen

Seems like there's one breach after another these days, and organizations are leaking data. You would think that a retailer would want to minimize this sort of thing to keep up relations. Apparently, not Best Buy.

I bought a $35 game on BestBuy.com only to find out I already purchased this earlier. So I took the online purchase, that only arrived at my door 2-3 days ago, back to the local Best Buy (the Mall of Georgia one). I handed over the game (unpackaged) and the packing slip when the gal behind the return counter asked for my driver's license. I showed it to her, thinking she just wants to verify me, but she starts typing in the license number.

"Wait, what are you doing? You don't need my driver's license number," I say as I hide my license before she finished. "Sorry, but this is required. Would you like to speak to a manager?" is her reply. "Yes, please," I say.

Christie Bee, the manager, waddles over and just says "I cannot process a return without a license." And there's no way to return something without some ID. I offer up the American Express it was bought on, but that is not good enough. I've got other things to do, and don't have time to argue with Christie about the silliness of all this, and that it violates their agreement with American Express, so I leave in a huff.

About 10 minutes ago, I came home, filed a dispute with AmEx, and told them the store is unwilling to take the return. It looks like American Express is doing the right thing, and I have no doubt they'll resolve this for me.

But the bigger question is . . . Why would Best Buy take on this risk? I understand the whole fraud issue, which is why they're doing this. But the minute they get hacked, every person's driver's license, along with street address and other info, is going to get taken. I have a Rewards Zone account, as well as the credit card it was purchased on. And this is a $35 item from a long-time customer.

So to Best Buy, I pose these questions to you: Why on earth would you ask me to give up my identity to you like this? Do you really expect me to trust you with this information? And why would you want to store this information in the first place? Surely you can think of a better way to handle fraud without taking something so sensitive.

Until this changes, Best Buy won't be getting any more of my purchases.

Copyright (C) 2010-2011 Dmitry Kagansky – All opinions expressed are those of the respective author and do not reflect the views of any affiliate, partner, employer or associate.