Spam now leverages social networks

I've been getting spam lately purporting to be from a former co-worker. Apparently they harvested her MSN Messenger list – it impersonates her hotmail account and sends to my work account.

This was probably due to a virus which hijacked MSN messenger, it's a notoriously problematic service: between the service outages, trojans and viruses, its usefulness is debatable. But even as Microsoft gets its security act together a decade too late, the attack is inevitably shifting someplace else.

With social networking sites asking for email passwords to "import connections", people respond quickly. After all, they say it's safe, and you can always change your password later (but you don't). As it has been pointed out, as an industry we've trained people to type passwords, and that's what they do – whether it's a good idea or not, and that's why phishing is so successful. But once they have your contact list they can keep that forever, and it's a wonderful tool for a spammer.

Facebook and Twitter are unlikely to misuse this data too egregiously, they are connected to real money and companies with reputations to protect. But Pownce, which is going out of business – what about their data? And tacky little utilities like Twitterank which spam your stream, you'd better believe they're warehousing your connections. And your private messages. And everything else. You can put these things together and draw meaningful conclusions about the people involved.

Science fiction has been talking about spambots impersonating your family and friends for years, but now it's happening for real, and expect to see a whole hell of a lot more of it. Expect to start seeing requests from friends and family, asking for money through new and unfamiliar websites (or even familiar websites that have been compromised). Expect increasingly strange and subtle requests: you may not even know what they're really trying to get you to do, or why. In short, this is going to get deeply weird, really fast.

Tropicana: How not to run a loyalty campaign

Tropicana has a long-running loyalty campaign for their orange juice: you get 10 Aéroplan miles for each bottle of sugar-water you buy. They print a little code at the top of each carton, and you go to their website and enter the code to get your points. Sounds great, right?

The problem is that Tropicana can't seem to print the codes legibly. Every single time you try to enter a code, there's some problem or other: either the code is completely illegible, or the code isn't recognized, or a cosmic ray strikes their server, but whatever it is, you don't get your points. Furthermore, if you're trying gamely to puzzle out the code, the system locks you out, figuring you're trying to guess the code randomly. Check out these beauties:

Although I don't like to ascribe to malice what is more easily explained by negligence and sheer incompetence, this has been going on for years. I can't help but suspect at this point Tropicana's behaviour is willfully fraudulent: they print the offer on the carton to influence buyer behaviour, but they make it too irritating, difficult and time consuming to actually get the points. They could easily prove me wrong by fixing this problem, but something tells me they won't.

Not your PayPal

Sometimes the best service can be ruined by greed. I find it particularly insulting how PayPal continually defaults to direct debit from chequing instead of paying through my credit card. I've been burned by this, trying to make a purchase quickly and realizing after the fact that I've just hit my bank account instead of my credit card. I have repeatedly set my primary method of payment to credit card, yet PayPal continually and consistently ignores this preference and requires me to override chequing at every purchase. This practice is misleading and dishonest, and illustrates the lack of respect that PayPal has for its customers.

When you set it back to credit card, PayPal tries to convince you not to, stopping you in your tracks:

Paying with your bank account offers the highest level of PayPal protection and security, plus these advantages:

• No Fees -- Payments made using your bank account don't accrue interest fees
• Instant Payment -- Bank account payments are processed instantly
• Convenience -- Paying with your bank account means that your payments always go through -- instantly.
  Note: Sellers with Personal accounts cannot receive credit card payments. Any PayPal user can receive bank account payments.
• Safety -- Your bank account information is kept safe through the highest grade commercially available encryption and is extensively covered against unauthorized use

Do you still want to make this payment with a credit card?

Fear, uncertainty, and doubt. PayPal tries to muddy the waters here, raising the spectre that the recipient might not be able to get the money. Um, if they have a personal account you can't even send them money with a credit card, so there's no danger of them not being able to receive their money. They also try to give the impression that using a credit card might delay the payment, when actually they use the credit card to guarantee the slow bank account transfer. They even flash the terrorsafety card, implying that the terroristsmafia will get hold of your credit card number, when in fact the merchant has no idea which method you're using. (If the merchant were able to find out, they'd probably avoid PayPal like the plague.)

See, this is how PayPal makes money. They withhold 2-3% from what they pay the merchant for the transaction whether it comes from your credit card, your bank account, or your PayPal balance. So of course they want to take it from your bank account – ACH fees are much cheaper than credit card settlement fees. But don't worry about poor little PayPal. They also make money from foreign exchangefees, transaction fees, and float.

If PayPal provided some incentive to use direct debit over credit card (like, maybe, a discount) that would be another story, but instead PayPal presents bogus benefits of direct debit that just don't make sense. Because they cannot legitimately convince someone to forgo thirty extra days to pay to have the money sucked immediately out of their bank account, instead they engage in this sort of chicanery.

Believe it or not, I use PayPal quite a bit because it is convenient. As annoying and opaque and arbitrary as they can be, they almost always beat the banks for immediacy and limited hassle. For example, they make foreign exchange relatively cheap and easy – heck, they make it simple as hell. But the little touches sometimes colour the whole experience, and I think PayPal suffers from contagion from its prematurely sclerotic and abusive corporate parent.