Sunday, December 10, 2023

TymeBank online “security” sucks

“If you are happy with your security, then so are the bad guys”
A few days ago a friend sent me a WhatsApp voice message warning about the dangers of “tap to pay” cards. I had a look on my TymeBank app but it provides no information, so I contacted them on Twitter. Big mistake. Someone saw my post and told me that they have a “very helpful” WhatsApp number: 081-591-8538. Turns out it was fake, but I didn't know that at the time. Now the crooks are using 064-022-6823, 062-858-2151, 064-121-8862, 083-539-9981 and 076-847-4973
Fairly convincing: helpful options, no spelling mistakes. But here's the kicker: once you choose your option, you have to provide your ID number and the last 4 digits of your card number. That's all they need to login to your account and steal your money. They left R0.87 behind. How kind. Plus they changed my login password and my login PIN.
  • My first problem is this: all the OTP are carefully crafted to fit into less than 160 characters (SMS length), but provide little or no meaningful information:
    TymeBank. Never share this One Time PIN with anyone. Use OTP 9411 to change your Login PIN or Internet Banking password. For help 0860999119. 09Dec 22:14
    Had I known that my ID number and the last 4 digits of my card number were all that is required to log in to my account and reset the login password, I obviously would have been more careful.
  • My second problem is that neither the SMS messages nor the banking app on my phone bothered to tell me that the login PIN had been changed. They sent me an email. Except I don't receive emails on my phone, and I wasn't in the office on a Saturday evening. They may as well send it by registered letter for all the good it did.
  • My third problem is that in order to send money to someone's phone, no OTP is required at all. Nothing. I have checked the OTP messages sent to my phone and there is absolutely nothing referring to sending money to anyone. But the app conveniently told me that the money had been sent, after it was sent. Too late of course, but still. And once it has been sent, the money voucher cannot be cancelled or reversed.
  • My fourth problem was when I realised I had been defrauded. I called 0860999119 and reported the fraud. The first lady who answered the call was basically clueless, and didn't ask for my email address or home address, just my ID number. That only happened later when I checked that 0860999119 was in fact a genuine number for TymeBank. On the second call I was asked for my details, and told that I would receive an SMS with the fraud reference number GFD-126181. I'm still waiting for that SMS from the first call, or the second call.
  • Another problem: TymeBank claims to be concerned about my security, but my account cannot be protected by secure second factor like a Google Authenticator code. It's simply not an option. Nor is there any option to limit the size of a tap-to-pay transaction. SMS is not secure. Everyone in the financial sector knows that. But they choose to use it anyway. Insecure by design.
Naturally, I will have to wait until Monday for anything to happen. And it will take a week or so for them to think up a weasel excuse for not refunding me the money. In the meantime, my Christmas is ruined.
No one can explain why the SMS messages don't tell you what the code is for. Nor can they explain why there isn't a security check when you send money, or why the fraud case number hasn't arrived by SMS. Maybe that only happens when someone actually looks at the case, by which time it is too late to reverse the transaction, naturally. Their system is designed for fraud to take place.


Update Sunday 10 December: TymeBank doesn't appear to monitor their own Twitter feed for scammers like this:

Update Monday 11 December 2pm: I got a call from the fraud department (010-241-1363), who can't explain why the message with the fraud case number was not sent, but can assure me that I received and read all their OTP messages. They don't have a facility to disable tap-to-pay, but I do: it's called a microwave. Pop it in for 1 second and the tap-to-pay (and the chip-and-pin) will never work again. “I'm sorry about that we do apologise sir” is a phrase they use often and repeatedly, along with “I hear you”, but until they change the way their systems work, it means nothing and they “heard” nothing. Apparently it's easier to refund R769 than to improve the security of the business. It's not the employee's money they are wasting.
They are an internet business that doesn't have any branches, but they don't operate on internet time, only government time. That leaves plenty of time for the crooks to do their dirty business. They have 4 cell phone numbers from this blog, and they have probably seen these numbers before, but they have not found out from FICA/RICA who owns those numbers, or made any arrests. And they don't seem interested in finding out either.
The lady who called asked me to remove this article. Apparently I will still get a refund if I refuse. We will see. The refund will most likely happen within the next 5 working days. I'm not holding my breath.
Update Tuesday 12 December: TymeBank Twitter account hadn't blocked @Hajra32021956, until I suggested it, even though they are supposed to monitor the activity on their own Twitter feed. Hopeless. And they seem to think that if I block @Hajra32021956 the criminal activity will somehow stop. Clueless.
They block their critics warning of their problems, but allowed the scammers to operate for weeks with impunity. Clueless.

Further update 12 December: I received the following email:
From: Fraud Operations Mailbox <FraudOperations@TymeDigital.com>
Sent: Monday, December 11, 2023 3:34 PM
To: Donn Edwards
Subject: Liability letter for GFD- 126181

Good day

Thank you for contacting TYMEBANK.

Your Fraud Dispute with Case number GFD- 126181 has been finalized.

Kindly find attached outcome letter

Regards

Fraud Operations

Phone +27 (0)87 286 8833
Email fraudoperations@tymedigital.com
4th Floor, 30 Jellicoe Avenue, Rosebank 2196

www.tymebank.co.za

TymeBank is an Authorised Financial Services Provider (FSP49140).
Tyme Bank Limited Reg no: 2015/231510/06
To which I replied:
From: Donn Edwards
Sent: Tuesday, December 12, 2023 6:54 PM
To: 'Fraud Operations Mailbox' <FraudOperations@TymeDigital.com>
Subject: RE: Liability letter for GFD- 126181

Dear “Fraud Operations”

At what point is this process do you acknowledge that I was not informed in a timeous manner that my login PIN and password were changed, in the same way that I get a notification when the balance changes?

Please can you supply me with the police case number, or do I need to open one myself?

How many times do you get LEGITIMATE withdrawals where:
1. The login PIN was changed;
2. The login PASSWORD was changed; and
3. All the money in the account was sent to a mobile number not used before on the account,
All within a short period of time, such as 30 minutes?

If not, why does your system not throw up a fraud alert when this happens?

When do you plan to obtain the FICA/RICA details of the following phone numbers used by these fraudsters impersonating the bank?
081-591-8538
064-022-6823
062-858-2151
064-298-8774
081-043-4791

I await your prompt reply, and will be visiting your offices tomorrow.

Best wishes
Donn Edwards

I'm still trying to figure out how to sign the outcome letter which is a read-only PDF format document. I don't think these muppets throught it through, do you? As it turned out, I was unable to visit their offices to deliver the signed letter. But I have scanned it and sent the scanned image containing my signatures.

Update: 14 December 2023: I just received the following email message
In the meantime I have replaced my TymeBank debit card with a Pick 'n Pay Smart Shopper card.
Update: 16 December 2023: According to the outcome letter they sent, my account has been blocked. Perhaps that would explain why they have not refunded the stolen money yet. I'm not holding my breath.
Update Monday 18 December: The refund finally arrived. I have transferred it to my FNB account.

Monday, October 23, 2023

522 113 hours without electricity!

Trying to get work done at the Wimpy in Cresta

The joys of living in ANC-run Joburg! Extended outrages in between load shedding. Last year in September we had a 66 hour power outrage. During CIDC2023 in September, I had to use a studio flat with solar power (normally R7,500 per month rental) to attend the conference because we were having load shedding several times a day. Fortunately for me, the flat was empty and the owners generously allowed me to use it for free, including the Wi-Fi. Wonderful neighbours.
As I write this, we have just finished an ordeal of 113 hours without power, despite there being no national load shedding at all! The power went off unexpectedly on Wednesday 18 September, around 14h50. I logged a ticket (reference no CPWEB4032200) along with the rest of the suburb, and we waited for news. A cable had shorted out and caught fire at the Windsor substation, so naturally City Power had to wait for Eskom. And that's where the lying, cover-ups, PR speak and obfuscation began. At 01h30 on Thursday  City Power closed the ticket. Very sneaky.
By the time I woke up in the morning (Thursday) it was too late to "escalate" the ticket, so I got a new reference number: CPWEB4032870. I spent several hours (and R150) at Bootleggers in Cresta, using their WiFi and recharging my phone and laptop. It turned out that they didn't have any decaf coffee, so I had to settle for some lemon iced tea and a delicious chocolate brownie. I could catch up on emails and get some work done until 6pm.
On Friday I decided to try the Wild Falcon Spur at Heathway (R300), in the hopes they would have decaf coffee. No such luck with the coffee, but the service was good, and the rooibos tea and hamburger was fine. My waiter had the politeness to leave me alone, and few interruptions.
The power came back at 2pm, and so I went back home to carry on catching up with work. All was fine until 20h10 when the power went off again! This time Eskom and City Power were determined to ruin our entire weekend. CPWEB4033907.
On Saturday I went to the gym for a shower and some sanity. Another neighbour offered anyone in the suburb the chance to use their solar power, so I made use of the opportunity for a few hours while my phone recharged and I could use my laptop. Excuses and various (inaccurate and misleading) ETR promises were made and broken by City Power, who naturally tried to shift the blame to Eskom. We listened to the Rugby World Cup semifinals by candlelight on the radio. Another win for the Bokke by a single point, and SA is in to the finals against the All Blacks.
On Sunday I decided to try to take the day off, and went to the gym again, to get rid of my frustration as much as getting some exercise. Eskom were still busy cutting trees (you can't make this stuff up) and then all of a sudden we were given a 17h00 ETR that came and went, and still no power. By this stage four City of Joburg Wards were being affected by the outrage(s). Later we heard that Eskom had restored power to Windsor substattion, just in time for City Power to switch on the Cresta substation and cause another trip. Then City Power needed to wait until Monday for a testing team to come and see what the problem was at Cresta.
On Monday City Power closed my ticket with "Repairs Completed" at 05h16, and I managed to "escalate" it at 07h19 when I woke up. After sleeping in late and making breakfast on a gas cooker, I decided to try out the decaf coffee at the Cresta Wimpy.
Finally! A decent decaf cappuccino, power, and Wi-Fi (but a bit slow). I could hardly believe my luck when I heard that the power had been restored at 1pm. Let's see how long it lasts.
In the meantime, I have learnt a few things about Eskom: they hadn't done maintenance on an "oil cable" for over a year. The contractors they used dug through a live cable in the dark because they didn't bring any lights with them. A real professional outfit! They only inspect their overhead power lines for trees that cause shorting when a short actually happens, and on the weekend, so they have to pay extra for the trees to be cut back. Eskom has no guards for their urban substations, and they usually take 8 hours to show up when called by City Power.
Things I have learnt about City Power: their infrastructure is crumbling at such a rate that they deal with an average of 4000 tickets per day. They do little or no maintenance, and if they can "back feed" a substation or area instead of fixing it, they will do that. They lurch from one fiasco to the next, and never return to do proper repairs. Likewise, they don't have enough cable testing teams, even though most of their problems involve faulty cables. In our suburb they don't lock the substations, so we provide locks for them. In the neighbouring suburb, they insist on using their own padlocks, but they don't always lock them. Go figure. They don't seem to have any lights for working at night, other than the torch on their cell phones.
The ANC has succeeded in damaging and sabotaging more infrastructure since 1994 than they managed in the decades of "armed struggle" before 1994. They are a disgrace and a national embarassment.
Both City Power and Eskom are "run" by ANC "cadre deployees", who are usually lazy, corrupt and clueless. Most ANC municipalities are bankrupt and dysfunctional, as are all State Owned Enterprises, of which Eskom, Transnet, PRASA and the SABC are prime examples.
The Joburg municipality is being systematically run into the ground by the ANC politicians and municipal employees for the last 3 decades, so none of this should come as a surprise, but still it is shocking to have experience it hitting you in the face for 5 days in a row. So I have decided to delay my rates payments by 5 days every month, in a quiet gesture of reciprocity.

Update Tuesday 24 October: Beeld newspaper published this article:

Update Monday 13 November: Yet another City Power blackout. Started at 13:10 on Monday. Still no power on Tuesday, so I enjoyed the Wi-Fi and coffee at Bootleggers in Cresta from 09:30 to 17:00. It finally came back after 30 hours, at 19:30.

Unplanned outrages in Aldara Park for 2023

excluding load shedding:

1. 12 Jan CPWEB3678171 1 hour
2. 13 Jan CPWEB3682778 7 hours
3. 23 Jan CPWEB3694706 3 hours
4. 27-28 Jan CPWEB3698875 12 hours

5. 04 Feb CPWEB3707256 11 hours
6. 12 Feb CPWEB3718828 2 hours

7. 03 Mar CPWEB3788482 2 hours

8. 05 Apr CPWEB3783338 1 hour
9. 08 Apr CPWEB3785526 2 hours
10. 26 Apr CP2989110 9 hours
11. 28 Apr CPWEB3810728 7 hours

12. 02 May CPWEB3813314 5 hours

13. 22 Jul CP3032305 8 hours

14. 01-02 Sep CPWEB3982795 9 hours
15. 03-04 Sep CPWEB3984580 12 hours
16. 11-12 Sep CPWEB3997968 26 hours
17. 29 Sep CPWEB4018162 13 hours

18. 18-23 Oct CPWEB4032200 CPWEB4032870 CPWEB4033907 113 hours (6 days)
6 Nov: City Power "successfully" takes over load shedding switching duties from Eskom.
19. 09 Nov CPWEB4057606 6 hours
20. 13-14 Nov CPWEB4057606 30 hours
21. 22 Nov CPWEB4076387 8 hours
23 Nov: City Power modifies "successful" load shedding schedule after massive outcry from residents.
22. 23 Nov CPWEB4078336 1 hour
23. 26 Nov CPWEB4081778 8 hours

24. 6-14 Dec CPWEB4097231 204 hours.
25. 18-19 Dec CPWEB4110976 22 hours.

Total 522 hours (21 days, 18 hours). Outrages on 44 days. That's an average of nearly 12 hours per outrage. So my 5 day delay in paying my rates has escalated to a month.

Editor's note: I have deliberately misspelt outage as outrage to make a point. Not that anyone at City Power or the City of Joburg will get it.
Update Friday 24 November: Eskom has declared Stage 6 load shedding for the weekend and City Power can't switch everyone on or off on time because they don't have enough qualified staff to flick the switches without electrocuting themselves. So last night (CPWEB4078336 - cancelled) we came on 50 minutes late, and on Tuesday (CPWEB4075389 - cancelled) it was 25 minutes late off, and 50 minutes late back on.
Update Sunday 26 November: The power "tripped" at 14h50 but since "load shedding" was supposed to be from 14h00 to 16h30 we only reported it at 16h45. It came back on after 8 hours at 22h40.
Update Wednesday 6 December: Power went off at 7am on Wednesday. CPWEB4097231, CPWEB4097063, CPWEB4095858, CPWEB4095833, CPWEB4095843, CPWEB4097214, CP3099926, CPWEB4100022, CPWEB4095809, CPWEB4101046. Power still not back after 8 days, and no sign of anything being done anytime soon.
On Thursday the "test team" disconnected one of the phases, and then left the substation unlocked. We haven't seen them since.
On Saturday afternoon there was some brief excitement when this truck arrived and then left a few minutes later.
On Saturday evening the "test team" arrived, and determined exactly the same as the Thursday test team: the cable is faulty.
They left the cable in this condition: one phase running hot to supply some of the houses, The rest are still without power, and the generator for Carvers Restaurant is still running after being shut down when the restaurant closed on Sunday at 5pm. Finally at 7pm power was temporarily restored to all but one home: CPWEB4101046 and the restaurant CP3191075. Now we wait for a new cable, and pray the faulty one doesn't burn out with too much power on the yellow phase.
On Tuesday a team arrived to start digging. A resident wrote: "They have no work permit. No excavation permit. No lock out permits. No diagram of how the wires are in the ground. ... Not sure what would happen if they hit a live wire." At some point the cable tripped, so Cheyne Road is without power again.
On Wednesday they struck a Vumatel cable, so the restaurant now has no power and no fibre connection. I noticed that they seem to have damaged one of the cables:
It's difficult to tell if the damage was done this time or when the cables were dug up in April 2020. I have sent the following email update to City Power:
From: Donn Edwards
Sent: Wednesday, December 13, 2023 11:19 AM
To: 'Tshililo Nefale'
Cc: 'Sipho Gamede' <sgamede@citypower.co.za>; 'Charles Tlouane' <ctlouane@citypower.co.za>; 'Tshifularo Mashava' <tsmashava@citypower.co.za>; 'Nikki van Dyk' ; 'Beverley Jacobs' ; 'Nthabiseng Moloi' <NthabisengMol@joburg.org.za>; 'Jacob Gaongallwe Mashilwane' <jmashilwane@citypower.co.za>; 'Isaac Mangena' <imangena@citypower.co.za>;
Subject: 7 days without power
Importance: High

Hi all
Ignoring these emails will not make them go away. Now we have people digging outside the substation (and disconnecting the fibre link to 45 Cheyne Road) but no one is willing to explain what is going on or providing an ETR.

Then there is this mess:
CP3099926
CP3191075 45 Cheyne Road
CPWEB4094835 46 Cheyne Cancelled/Closed/Completed
CPWEB4094843 44 Cheyne Canceled
CPWEB4095809 49 Cheyne
CPWEB4095821 46 Cheyne Cancelled/Closed/Completed
CPWEB4095833 44 Cheyne Canceled
CPWEB4095843
CPWEB4095858
CPWEB4097063 46 Cheyne Cancelled/Closed/Completed
CPWEB4097214 47 Cheyne
CPWEB4097231 44 Cheyne Job "Completed"
CPWEB4100022 46 Cheyne Cancelled/Closed/Completed
CPWEB4101046 40 Cheyne Road "Completed"
CPWEB4101064 44 Cheyne Job "Completed"
CPWEB4102459 46 Cheyne Cancelled/Closed/Completed
CPWEB4103655 44 Cheyne Closed
CPWEB4105636 44 Cheyne Allocated
CPWEB4105763 46 Cheyne

Some houses in Doring Close and Cheyne Road have been restored for a while, but a switch has tripped somewhere, and 40 and 45 Cheyne Road have been without power for 172 hours and counting.

Please can we have some feedback?
Thanks in advance
Donn Edwards
(City Power customer and ratepayer)
Update 14 December 2023: It turns out that two people did not ignore my emails. Tshilio Nefale (General Manager) and Beverley Jacobs (Ward 98 Councillor) showed up at the substation and started asking difficult questions. Suddenly things started getting fixed. What's more, Tshililo actually listened to her customers, particularly the ladies at 40 Cheyne Road, who have been having power cable issues for years. She got the testing team to show up for the third time, and diagnose the problems properly. By 7pm on Thursday everyone was reconnected, even if it was a "temporary" fix for some of the houses.

Saturday, October 14, 2023

Clarion Fixer (Part 1): Using the App

One of my pet peeves with Clarion is that the applications it generates by default look like they were written for Windows 95, and not for current versions of Windows. In modern versions of Windows, Microsoft has "fixed" the old look by making all the buttons and controls flat, but Clarion insists on using the "Microsoft Sans Serif" font that was introduced in 1997.
It looks old, especially since I have already used and discarded Verdana and Tahoma, for much the same reason. I never liked Arial (1982): it shipped with Windows 3.1 and has been severely over-used. "MS Sans Serif" is a bitmap font from a 1992 version of Windows. I want my programs to look like they were written recently, not 30 years ago.
My first attempt at fixing the fonts in my application didn't work. I was trying to fix things in the wrong place. But I later discovered that I could use a file utility called Search and Replace to fix the Clarion styles and templates. So when I create the app, I don't have to waste time fixing up fonts all over the place. This got me thinking: can't I automate this? Whenever I install new or updated accessories for Clarion, I don't want to have to fix up the fonts yet again.
Introducing clFixer, which is freeware. It's not signed, and some anti-virus engines on VirusTotal think it's a trojan, but I think they are getting false positives. Naturally, it is written with Clarion 11.1, and uses the CapeSoft StringTheory 3 ($97) and WinEvent 5 ($169) accessories. If you have those, you can download and modify the code here. The .rar file doesn't contain any exe or dll files. The zip file contains those. If not, you can read the code in the module files. Extract the zip file into a suitable folder to try it out. The code is also available on GitHub.
The first thing you need to do is make a copy of your Clarion folder, so you can see what changes have been made, and how they work. I have copied mine to "d:\Clarion11.1pe".

Exploring clFixer

Run the clFixer app, and from the main menu choose "Data"  -> "Application Settings".
Click on the ellipse to the right of the "Root Folder" field:
Select the backup folder and click "OK". Note there is a list of "Exclude Files". Some changes, such as the "Courier New" change, will cause trouble in the PDF related files, so you can decide whether a particular action must avoid modifying these files. Click "OK".
From the "Data" menu, select "Replacement Actions". This is a list of actions to be performed on the files. All of these replacement actions are performed on files in the "Root Folder" and subfolders, matching the file name extensions
*.inc;*.clw;*.txa;*.dctx;*.def;*.equ;*.tpl;*.tft;*.tpw;*.red;
If you add an action to modify "readme.txt" it will not be modified because "*.txt" is not one of the file name extensions listed.

General Actions

Here is the first and one of the most generic actions. It applies to all files, except a small number on the "Exclude Files" list.
This is even more general because it applies to the excluded files as well as any other file that still mentions "MS Sans Serif".

Specific Actions

This action is specific to one file, and fixes up a form where the font names wrapped around over 2 lines.
This action is specific to the TFT extension only. It fixes a general replacement from "Arial" to "Segoe UI" intended for forms, and changes the font to "Calibri" for a setting to do with reports. If you use a wild card like this in the file name, be sure to omit the ";" after the wild card, and use only one file name. The software isn't expecting multiple file names in this field.

Line-Based actions

Sometimes a search and replace across an entire file is not what we had in mind, and can cause havoc. Here is an example. The term "#SHEET,HScroll" appears in multiple places, so I only want to change this specific one. Note that I have included the first part of the next line as well, to prevent the same replacement happening again if the file is scanned more than once.
Here is another example of a line-based replacement. You may wish to disable it altogether because your IDE font settings will specify the font anyway if you have them set as follows:

Running the Changes

From the "Data" menu, select "Main Dashboard" to view all the settings. Then click on "Process the Files" to read the file structure and make the changes. Most of the work is now being done by StringTheory and the process is pretty fast. When done, there is a file canned "clFixer.txt" in the root folder, which is automatically opened for you. This lists all the files affected by changes.

Checking the Changes

It's important to check the changes, especially if you have added in new ones. before clFixer saves a changed file it checks to see if a "before" file exists. This is a file with the ".bf" added to the end. It's the original file that was renamed, and will still have the original date on it.
Here is a file comparison using the ExamDiff Pro utility, but there are others you may prefer. The original file is at the bottom, and the new file is at the top. It's important to do this because you don't want to screw up your actual working environment and have to reinstall things.
Once you apply the changes to your working environment, remember that none of your existing apps' forms and reports will have changed. Only new forms, reports and apps, and template-generated items will be affected by these changes.
Why not just pay CapeSoft $97 for their AnyFont product? My main objection is that this product allows the user to make bad font choices, and select something horrible like "Comic Sans". Horrors! Also, fonts have different widths and spacing, and I don't want text in Verdana to be truncated because someone is trying to fit it into the space intended for Arial Narrow. Legibility is more important than style.
In the next part, we will take a look at some of the programming techniques (good and bad) used in this application.

Update 20 October 2023: Following feedback and further insignts from Geoff Robinson and ClarionHub, the download is updated to version 0.2