Irresponsible And Grasping

I have to hand it to the Data Scientists: after a quarter century the Internet is finally serving me ads for products and services that I end up buying.

But that is only tangential to this post which is actually about protecting your credentials and encouraging responsible behavior.

Phishing remains a potent vector for initiating exploitation workflows and the first line of defense is Internet user education and hygiene.  Worrisomely we see powerful actors encouraging sloppy security practices in this realm for the sake of workflow expediency and intelligence gathering.

Consider a model that has become common within the FaceBook iPhone app that starts with an inline ad that includes a “Shop Now” button.

Clicking that button launches not the default web browser but rather an In-App Browser.

As I prepare to check out I am steered toward PayPal as an option.

And then I am asked to put my PayPal login credentials into this sub-window.

Let’s stop and reflect on that…  I am inside the FaceBook app, nested in which is an in-app browser that says I have a secure connection to a third party merchant, and I’m supposed to feel good about entering the password to a third party financial account.  We are in a world where Phishing Countermeasures 101 is “Don’t Click Links In Emails” and we have a consumer facing Big Tech company with a billion users of widely varying sophistication training people to enter sensitive credentials into unverifiable places.


My workaround: Leave the FaceBook app and go directly to the merchant’s web site.  And if I am going to use PayPal then I will log into it via a discrete tab in my for-realz browser so that I know the connection is secure and my PayPal credentials are only going to PayPal.

This had been bugging me for a while but now let’s get to the even more egregious example that goaded me into writing this morning when I attempted to link a bank account to Expensify.

Alright, let me plug in my bank routing and account numbers…


Er…  Log into my bank account?


Plaid…  Um, ok…


Whoah.  Fuck.  You.  NO!  I have no idea what is happening to my bank password in this workflow.  And even if I did I don’t want anybody but me to have it!


Wow.  As I back out from their credential harvester app I discover that the more responsible workflow is available as an Easter egg!


Yay!  I can get reimbursed without doing something that feels excessively dirty.


But, again, what are we training Internet users to do by subjecting them to workflows like this?

Or, to ask another question: Why are we desensitizing Internet users to engaging in highly risky security practices?

Two answers: to retain attention and to harvest intelligence

In the case of the FaceBook app it all comes down to keeping you in-app and clicking.  Having you divert to an external browser risks disruption to your social media flow state which affects FaceBook’s bottom line.

In the case of Expensify and Plaid it appears even more nefarious.  A perusal of Plaid’s privacy policy makes it seem like they have bigger designs on your account credentials than just  performing systems integration.

It starts off sounding warm and fuzzy…


But breezing past the marketing and getting down to brass tacks it reads a lot more scarily…


Gross!  All I wanted to do was configure Expensify to push payments to my bank and Plaid is trying to get in the middle and hoover up EVERYTHING.

On a personal level this feels manipulative and violating.  On a societal level this feels like an externalization of costs, a form of cyber pollution in which certain commercial entities are acting in narrow self-interest in a fashion that harms the overall security of the Internet and its users.

Do not fall prey to this manner of thing.  Practice defensive surfing to keep your credentials safe.

Leave a Reply