In search of better browser privacy options

A new browser privacy study by Professor Doug Leith, chair of the Computer Science department at Trinity College, is worth reading carefully. Leith instruments the Mac versions of six popular browsers (Chrome, Firefox, Safari, Edge, Yandex and Brave) to see what happens when they “phone home.” All six make non-obvious connections to various backend servers, with Brave connecting the least and Edge and Yandex (a Russian-language browser) the most. How they connect and what information they transmit is worth understanding, particularly if you are paranoid about your privacy and want to know the details.

If you aren’t familiar with Brave, it is built on the same Chromium engine that Google uses for its browser, but it does have a more logical grouping of privacy settings that can be found under a “Shields” tab as you can see in this screenshot. It also comes with several extensions for an Ethereum wallet and support for Chromecast and Tor. This is why Brave is marketed as a privacy-enhanced browser.

Brave scored the best in Leith’s tests. It didn’t track originating IP addresses and didn’t share any details of its browsing history. The others tagged data with identifiers that could be linked to an end user’s computer, and they shared browsing history with backend servers. Edge and Yandex also used identifiers that persisted across a fresh browser installation on the same computer. That isn’t nice, because this correlated data could be used to link different apps running on that computer and build an overall user profile.

One problem is the search bar autocomplete function. This is a big time saver for users, but it is also a big privacy invasion, depending on what data is transmitted back to the vendor’s own servers: to offer suggestions, the browser has to send what you are typing before you ever press Enter. Safari generated 32 requests to search servers, and these requests persist across browser restarts. Leith proposed adding an option to both Chrome and Firefox to disable this autocomplete function upon startup for those who have privacy concerns. He also proposed to Apple that Safari’s default start page be reconfigured and that an option be added to avoid unnecessary network connections. He has not heard back from any of the vendors on his suggestions.

So if you are a privacy-concerned user, what are your options? First, you should probably audit your browser extensions and get rid of ones that you don’t use or that have security issues, as Brian Krebs wrote recently. Second, if you feel like switching browsers, you could experiment with Brave or Authentic8’s Silo browser or Dooble. I reviewed two of them many years ago; here is a more updated review on some other alternative browsers done by the folks at ProtonMail.

If you want to stick with your current browser, you could depend on your laptop vendor’s privacy additions, such as what HP provides. However, those periodically crash and don’t deliver the best experience. I am not picking on HP, it is just what I currently use, and perhaps other vendors have more reliable privacy add-ons. You could also run a VPN all the time to protect your IP address, but a VPN only hides where you are connecting from; it does nothing about the identifiers and browsing history the browser itself sends to its backend. And if you are using a mobile device, there is Jumbo, which helps you assemble a better privacy profile. What Jumbo illustrates, though, is that privacy shouldn’t be this hard. You shouldn’t have to track down numerous menus scattered across your desktop or mobile device.

Sadly, we still have a lot of room to improve our browser privacy.

So you wanna buy a used IP address block?

For the past 27 years, I have owned a class C block (what we would now call a /24) of IPv4 addresses. I don’t recall what prompted me back then to apply to Jon Postel for my block: I didn’t really have any way to run a network online, and back then the Internet was just catching on. Postel was in the unique position of personally attending to the care and growth of the Internet.

Earlier this year I got a call from the editor of the Internet Protocol Journal asking me to write about the used address marketplace, and I remembered that I still owned this block. Not only would he pay me to write the article, but I could make some quick cash by selling my block.

It was a good block, perhaps a perfect block: in all the time that I owned it, I had never set up any computers using any of the 256 IP addresses associated with it. In used car terms, it was in mint condition. Virgin cyberspace territory. So began my journey into the used marketplace, which started just before the new year.

If you want to know more about the historical context about how addresses were assigned back in those early days and how they are done today, you’ll have to wait for my article to come out. If you don’t understand the difference between IPv4 and IPv6, you probably just want to skip this column. But for those of you that want to know more, let me give you a couple of pointers, just in case you want to do this yourself or for your company. Beware that it isn’t easy or quick money by any means. It will take a lot of work and a lot of your time.

First you will want to acquaint yourself with getting your ownership documents in order. In my case, I was fortunate that I had old corporate tax returns that documented that I owned the business that was on the ownership records since the 1990s. It also helped that I was the same person that was communicating with the regional Internet registry ARIN that was responsible for the block now. Then I had to transfer the ownership to my current corporation (yes, you have to be a business and fortunately for me I have had my own sub-S corps to handle this) before I could then sell the block to any potential buyer or renter. This was a very cumbersome process, and I get why: ARIN wants to ensure that I am not some address scammer, and that they are selling legitimate goods. But during the entire process my existing point of contact on my block, someone who wasn’t ever part of my business yet listed on my record from the 1990s, was never contacted about his legitimacy. I found that curious.

That brings up my next point, which is whether to rent or to sell a block outright. It isn’t like deciding whether to buy or lease a car. In that marketplace, there are some generally accepted guidelines as to which way to go. But in the used IP address marketplace, you are pretty much on your own. If you are a buyer, how long do you need the new block – days, months, or forever? Can you migrate your legacy equipment to use IPv6 addresses eventually (in which case you probably won’t need the used v4 addresses very long), or do you have legacy equipment that has to remain running on IPv4 for the foreseeable future?

If you want to dispose of a block that you own, do you want to make some cash for this year’s balance sheet, or are you looking for a steady income stream for the future? What makes this complicated is trying to have a discussion with your CFO how this will work, and I doubt that many CFOs understand the various subtleties about IP address assignments. So be prepared for a lot of education here.

Part of the choice of whether to rent or buy should be based on the size of the block involved. Some brokers specialize in larger blocks, some won’t sell or lease anything less than a /24 for example. “If you are selling a large block (say a /16 or larger) you would need to use a broker who can be an effective intermediary with the larger buyers,” said Geoff Huston, who has written extensively on the used IP address marketplace.

Why use a broker? When you think about this, it makes sense. I mean, I have bought and sold many houses — all of which were done with real estate brokers. You want someone that both buyer and seller can trust, that can referee and resolve issues, and (eventually) close the deal. Having this mediator can also help in the escrow of funds while the transfer is completed — like a title company. Also the broker can work with the regional registry staff and help prepare all the supporting ownership documentation. They do charge a commission, which can vary from several hundred to several thousand dollars, depending on the size of the block and other circumstances. One big difference between IP address and real estate brokers is that you don’t know what the fees are before you select the broker – which prevents you from shopping based on price.

So now I had to find an address broker. ARIN has this list of brokers who have registered with them. They show 29 different brokers, along with contact names and phone numbers and the date that the broker registered with ARIN. Note this is not their recommendation for the reputation of any of these businesses. There is no vetting of whether they are still in business, or whether they are conducting themselves in any honorable fashion. As the old saying goes, on the Internet, no one knows if you could become a dog.

Vetting a broker could easily be the subject of another column (and indeed, I take some effort in my upcoming article for IPJ to go into these details). The problem is that there are no rules, no overall supervision and no general agreement on what constitutes block quality or condition. IPv4MarketGroup has a list of questions to ask a potential broker, including if they will only represent one side of the transaction (most handle both buyer and seller) and if they have appropriate legal and insurance coverage. I found that a useful starting point.

I picked Hilco’s IPv4.Global brokerage to sell my block. They came recommended and I liked that they listed all their auctions right from their home page, so you could spot pricing trends easily. For example, last month other /24 blocks were selling for $20-24 per IP address. Rental prices varied from 20 cents to US$1.20 per month per address, which means at best a two-year payback when rentals are compared to sales and at worst a ten-year payback. I decided to sell my block at $23 per address: I wanted the cash and didn’t like the idea of being a landlord of my block any more than I liked being a physical landlord of an apartment that I once owned. It took several weeks to sell my block and about ten weeks overall from when I first began the process to when I finally got the funds wired to my bank account from the sale.

If all that seems like a lot of work to you, then perhaps you just want to steer clear of the used marketplace for now. But if you like the challenge of doing the research, you could be a hero at your company for taking this task on.

Taxing cryptocurrency transactions

For the past several years, I have prepared my taxes using the H&R Block software. This year I noticed something different, a series of questions about any cryptocurrency holdings and transactions. Ruh-oh, I thought to myself, those crypto-chickens have come home to roost. The IRS wants its tribute.

Actually, the IRS has had rulings on cryptocurrencies for several years, but last fall wrote some new guidelines that have clarified some things and made others more confusing. One of the pitches I recently got from a PR person started off with this line: “The IRS is cracking down on properly reporting taxable crypto transactions, even going as far as issuing tens of thousands of audits.” It was time to get some advice, so I asked my accountant, who does my business tax filings, what was up.

She told me that “Tens of thousands of audits is probably an exaggeration – as they don’t have the manpower. What is probably more likely is that they have sent out many letters to taxpayers” asking for clarification. But not full-blown audits. The Next Web reported last summer that taxpayers got these letters and some were told they owed thousands of dollars in back taxes.

The form that the IRS requires is called a 1099-K, which is what my tax software was trying to figure out whether I needed to file. “The IRS has used 1099-K information in audits – although they had at one time said they wouldn’t. I haven’t seen a crypto audit based on a 1099-K. The important thing is – if you have cryptocurrency, do keep track of it. Do report to the IRS your sales if you’re using it as an investment. And do report your income from it if you’re using it for business. If you have crypto transactions showing up on a 1099-K just make sure you can document what the transaction is.” Some of the coin exchanges now automatically generate an annual 1099-K form, like your mutual fund or IRA operator.

But the problem that isn’t yet solved by the IRS is what happens when your coin account forks because the developers have a food fight and split into two separate coins. This creates what the IRS calls a taxable event, and “That means that anyone who forks a blockchain can, without warning or notice, create new tax obligations for every holder of coins on the old chain,” says one coin news site. The taxpayer holding the coin hasn’t done anything to acquire this new asset. That isn’t great, but I think it is somewhat analogous to holding shares in a pre-IPO company. When such a company goes public, those shares are now worth something, and that is a taxable event that is outside the control of the taxpayer. Many of you know exactly this situation, and had to sell off your shares to pay the feds during that particular year.

So make sure if you have significant holdings in crypto, you track it when you bought it — or when you got it as payment for services rendered — and when you traded it in for hard currency.

“People don’t seem to realize that Bitcoin was designed as an immutable evidence trail. It is anything but an anonymous system,” says Craig Wright in his blog post here. “If we want to be treated like adults, we need to start acting in such a way and understand that we live in a world of rules.” I agree.

Red Cross blog: Volunteer serves Red Cross at home and abroad through his high-tech skillset

Over the years, David Sewell has worked for many different Red Cross departments, including as a shelter worker and a damage assessment worker. With this history, it is no surprise that he has done about 40 different deployments all across the country. He now has two positions with the Red Cross, where he is both the Disaster Services Technology Chief and a member of the international Information Technology and Telecommunications disaster response roster. As part of these assignments, he manages between 40 and 60 volunteers across the western part of the U.S. and puts in roughly three hours per day on Red Cross activities.

You can read my profile of his activities for various Red Cross chapters here.

Yep, I got cancer

Last week I got my biopsy results back and yep, I got prostate cancer. I know — “the good cancer” or “the one cancer to get” or “very slow moving and curable cancer.” 

But it still is cancer. Or CANCER, which is how I and many of us think about it. It is larger than life itself. Here is a brief introduction to my journey. I was going to say that it all began last May, when I got my PSA results that “something was wrong.” Actually, that timeline isn’t completely true. I should go back further in time, when I wasn’t able to control my urine one night. I will spare you the details for now. I was so ashamed of myself. What is happening to me? Did I have too much to drink? Was I losing control over my bladder? Was I becoming an “old man?”

Well, yes to all above. But it turns out that my prostate is ginormous. I didn’t know that at the time, at least not until last May, when I got my PSA and got checked physically. I will spare you those details here. But that just meant more tests, starting with more PSAs.
These were high but not consistently higher and certainly not as high as I have seen elsewhere in conversations with friends and associates. That meant another blood test called 4K, which also confirmed that I had a higher-than-normal result. Next stop on the diagnostic train: an MRI. That happened in January. The scan didn’t find any cancerous lesions, which meant that if I had cancer it was going to be hard to find. That meant my next step was a biopsy. My doctor took ten samples, four came back with cancer. It turns out that I have a little bit of it, I can wait a few months to figure out what I need to do, but I definitely need to do something. That officially began the “end of denial” period for me.

Denial is a great management tool: I see this all the time in the IT world where managers deny that they will be a hacking target, or that their aging Windows 7 infrastructure will be the digital equivalent of a welcome mat and punching bag. But when it comes to cancer, you have to make the move at some point from denial to action. Writing this blog officially marks my transition.

Why am I telling you this? When I wrote a few years ago about my first hearing aid, I got a lot of feedback and encouragement about sharing my story. So it seems like here we go again, into the medical/industrial complex.
I have come to realize that my newly minted membership into Cancer Fight Club means that I have to operate with different rules than regular Fight Club. If you haven’t seen the movie you probably still know the first (and second) rule of Fight Club is not to tell anyone about the club’s existence. Well, Cancer Fight Club turns this (and some of the other rules) on their head: tell everyone you know you have cancer. Don’t keep it to yourself. So here we are.
I have already written a bunch of posts on a CaringBridge journal and you are welcome to send me a request for access, or to share your own cancer journey here (in public) or via a private email if you’d like. And thanks for your support.

FIR B2B podcast episode #134: Fred Bateman on the evolving role of PR in a fragmented media world

Fred Bateman has been around the tech world as long as Paul Gillin and I have: At the dawn of the PC era he worked for various PR firms and then founded the Bateman Group, which grew to 90 staffers doing tech-focused PR and content marketing. Fred recently announced that he will sell his majority ownership to his three co-owners, who have re-branded the company as Mission North. He plans to partner with nonprofits to teach disenfranchised groups of people the business, writing and communications skills required for a successful career in tech-focused PR.

Paul and I spoke with Fred about how far the PR profession has come since the dawn of the Internet era, how PR and content marketing people need to work hand-in-hand and how branded news sites such as Adobe’s CMO.com have created new avenues of influence for marketing organizations. Fred also reflects on the skills that distinguish the best PR pros he’s worked with from all the others and the complex role of influencers in today’s media landscape. You can listen to our 20-minute discussion here:

Becoming a digital vagabond? Here are ways to be secure

A friend of mine is nearing retirement and thinking about spending some extended time living and working abroad. He has a few years to plan how to manage this transition, and asked for my advice. Here are a few recommendations on gear, process, and managing his security. In the past year I have been to London, Prague and Israel, so I have some ideas. I also asked some long-time fellow vagabonds to help provide some guidance based on their own experiences.

Your phone. At the heart of your communications is going to be your smartphone. My recommendation is to have at least one country-based SIM card when you travel, which is what I do when I am abroad. The issue is that some countries can recognize others’ cards, and some can’t. If you have a European cell plan, you can easily roam around the entire continent. For those of us from the States, we can use the GiffGaff SIM — it works really well there and it is very inexpensive. Another recommendation is to limit your use of voice minutes, and get the biggest data plan that you can afford for the period of time that you will be traveling. If you are going to be someplace for a month or longer, you should consider buying the SIM when you arrive, as you often can get the best deals at a local drugstore or supermarket.

The next issue is whether to get an Android or an Apple phone. I am biased towards Apple. Do you need to buy the latest and greatest iPhone model? No, and lately the American cellular carriers are offering all sorts of discounted (and sometimes free) phones if you agree to a two-year contract on an older iPhone, such as the iPhone 8. One issue with using different SIMs on an iPhone is that it can mess up iMessage and deregister your American phone number from your iCloud account. A way to avoid this is to start originating your iMessages from your iCloud account instead of from your phone number.

If you are an Android fan, I would stick with Samsung, because they have updated their phones’ security software. Avoid other Androids, because they are so easily compromised: all it takes is downloading a phony app, or clicking on a phished email. You might say that you will pay careful attention and not download anything, but it is just human nature.

What about getting a dual SIM phone such as the iPhone XR or Samsung Galaxy S10? I don’t think this feature is worth it, especially as these tend to be the more pricey phones. They also don’t really have two physical SIM sockets, so you will have to make use of a virtual or eSIM, which adds another layer of complexity and compatibility. Many non-US carriers offer free inbound calling from US numbers anyway.

Your American cell provider. Reading articles about SIM attacks such as this one on c|net, I think the best US carrier for secure international use is T-Mobile. It also has a very flexible travel plan. This doesn’t mean that it works everywhere, and you should map your planned route with its coverage area, otherwise you will run up a nasty roaming bill in those unsupported places.

You should definitely add a PIN to your online cellular account; this is the account-level passcode carriers check before porting a number or swapping a SIM, which is what the SIM attacks above exploit. Depending on how long you will be out of the USA, you might be able to get by without having any American cellular account. Given that there are so many data-based voice apps (WhatsApp, Skype, Viber, Facetime), you probably can limit your actual voice calls anyway. For example, WhatsApp seems to be the app of choice that many AirBnB owners use to get in touch with you, and in Israel it is really the main communications tool among locals.

Google Fi also has some interesting plans, especially for international travel, and has expanded their geographic coverage. If they offer service in the countries that you intend to be in, then give them consideration. They also might work better on Android models. One of my friends uses this and finds it very handy: “I can touch down in 170 countries and immediately have data access plus have coverage for when I’m in the States. I cannot stress enough how important it’s been to have data when I land somewhere for both safety and convenience. When I’m able to respond to messages at touchdown and get an Uber from the airport without needing to hope there’s Wifi it’s been a genuine lifesaver.” That reminds me when I was in London for a few days and just had Wifi coverage: I had to run back and forth between the terminal and the car park and almost missed my ride because the garage had no coverage. 

One other recommendation for navigation is the mobile app Maps.me. You can easily prepare digital maps and download them to your phone in situations where you don’t have decent data coverage. One downside is that the maps are in their native language.

Your American banking provider. If you take a look at the twofactorauth site, you can see that Capital One, HSBC and USAA all support phone authentication apps. There may be others — my friend pointed out that his local credit union also now supports the Google Authenticator app. Now I know that changing banking providers is painful, but if you are planning this in advance you might as well start now and choose one of them that supports one of the auth apps. An app-based code is tied to a secret on your phone rather than to your phone number, so it keeps working with a foreign SIM and can’t be intercepted by a SIM swap the way a texted code can. Also, if you haven’t gotten a Yubikey or a Google Titan key, you might want to purchase one of these as well.

While supporting the local credit union has some appeal, you want a bank that has a larger footprint, and is able to make deposits and withdrawals from overseas ATMs with minimum fees. If you are going to be sticking around in one place for several months, you might want to open up a local account, and then consult the twofactorauth website to see if there is a bank that offers additional authentication support. 

Speaking of other accounts, I have been experimenting with the mobile app Revolut. It makes it easy and inexpensive to move money around the world. You can use the app to find low-fee ATMs and hold funds in multiple currencies.

What other accounts do you have that handle money transactions? Amazon, for example, is an obvious one. But you might have set up accounts for bitcoins that you have forgotten about, or other online merchants that you do business with. You should use this time to flag them and if they don’t have an authentication app option, delete them. I had set up a Yahoo.com email account back in the early days, and had about 100 contacts on this account. When Yahoo got breached, that account was compromised. I had forgotten about this account and its contents. It didn’t help matters that Yahoo made it difficult to completely delete it too. 

Harden all of your passwords. If you don’t use a password manager, now is the time to get on board with one of them and start changing your passwords to something more complex, and of course unique. Watch yourself and take note when you create a new online account and let the password manager take over – rather than typing in one of your old standbys. I use Lastpass, but there are others that are just as good. Should you be concerned about storing your entire password collection in the cloud? Yes, but the better password managers also use authentication apps to secure your master password, so make sure you use this option. BTW, you should not store your passwords in any of your browsers. This is because if you cross an international border, you might have to unlock your phone at the checkpoint. This also means that you should sign out of all your email and other sensitive accounts when you reach a customs barrier, especially when entering and leaving the USA.

What online accounts use your present cell phone number as part of your identity? This is a lot harder to figure out, even with your password manager. Facebook and Twitter are the biggest issues here. I don’t think you can easily change your cell attached to your account, but if you can you should set up Google Voice as a phone number for use just in authentications. It will forward both voice and texts to your “regular” cellular number too. One issue: you can’t use both Google Voice and Google Fi on the same account. 

Laptop physical security. I got a “disposable” – meaning cheap – laptop so I don’t have to worry about it being stolen when I travel. But when you are living somewhere else, you might have to rethink this. How can you travel with your data without worrying that something will happen to your laptop if it is all on your computer? I have heard that thieves in Silicon Valley are going around with Bluetooth scanners looking for laptops in cars. It is only a matter of time before this catches on elsewhere. This means you might want to consider either a laptop with a removable hard drive, or else keep everything in the cloud with a Chromebook.  

How about a VPN? I use ProtonVPN, made by the same folks that do ProtonMail. The basic free version is fine. One issue, though: when transiting some airports and staying at some hotels, you have to turn it off in order to connect to the venue’s WiFi hotspot web portals. The nice thing about this VPN is that you can use it on both your phone and laptop. The paid versions have fancier features, such as being able to pick which country your traffic appears to originate from.

Thanks to Paul, Bryan and Joel for their help with this article. Feel free to share your own digital nomadic experiences in the comments here. And good luck with your travels!

RSA Blog: The Tried and True Past Cybersecurity Practices Still Relevant Today

Too often we focus on the new and latest infosec darling. But many times, the tried and true is still relevant.

I was thinking about this when a friend recently sent me a copy of , which was published in 2003. Schneier has been around the infosec community for decades: he has written more than a dozen books and has his own blog that publishes interesting links to security-related events, strategies and failures.

His 2003 book contains a surprisingly cogent and relevant series of suggestions that still resonate today. I spent some time re-reading it, and want to share with you what we can learn from the past and how many infosec tropes are still valid after more than 15 years.

At the core of Schneier’s book is a five-point assessment tool used to analyze and evaluate any security initiative – from bank robbers to international terrorism to protecting digital data. You need to answer these five questions:

  1. What assets are you trying to protect?
  2. What are the risks to those assets?
  3. How well will the proposed security solution mitigate these risks?
  4. What other problems will this solution create?
  5. What are the costs and trade-offs imposed?

You’ll notice that this set of questions bears a remarkable resemblance to the IDEA framework that RSA CTO Dr. Zulfikar Ramzan presented during a keynote he gave several years ago. IDEA stands for creating innovative, distinctive end-to-end systems with successful assumptions. Well, actually Ramzan had a lot more to say about his IDEA but you get the point: you have to zoom back a bit, get some perspective, and see how your security initiative fits into your existing infrastructure and whether or not it will help or hurt the overall integrity and security.

Part of the problem is as Schneier says that “security is a binary system, either it works or it doesn’t. But it doesn’t necessarily fail in its entirety or all at once.” Solving these hard failures is at the core of designing a better security solution.

We often hear that the biggest weakness of any security system is the user. But Schneier makes a related point: “More important than any security claims are the credentials of the people making those claims. No single person can comprehensively evaluate the effectiveness of a security countermeasure.” We tend to forget about this when proposing some new security tech, and it is worth the reminder because often these new measures are too complex. Schneier tells us “No security countermeasure is perfect, unlimited in its capabilities and completely impervious to attack. Security has to be an ongoing process.” That means you need to periodically audit and re-evaluate your solutions to ensure that they are as effective as you originally proposed.

This brings up another human-related issue. “Knowledge, experience and familiarity all matter. When a security event occurs, it is important that those who have to respond to the attack know what they have to do because they’ve done it again and again, not because they read it in a manual five years ago.” This highlights the importance of training, and disaster and penetration planning exercises. Today we call this resiliency and apply strategies broadly across the enterprise, as well as specifically to cybersecurity practices. Managing these trusted relationships, as I wrote about in an earlier RSA blog, can be difficult.

Often, we tend to forget what happens when security systems fail. As Schneier says early on: “Good security systems are designed in anticipation of possible failure.” He uses the example of road signs that have special break-away poles in case someone hits the sign, or where modern cars have crumple zones that will absorb impacts upon collision and protect passengers. He also presents the counterexample of the German Enigma coding machine: it was thought to be unbreakable, “so the Germans never believed the British were reading their encrypted messages.” We all know how that worked out.

The ideal security solution needs to have elements of prevention, detection and response. These three systems need to work together because they complement each other. “An ounce of prevention may be worth a pound of cure, but only if you are absolutely sure beforehand where that ounce of prevention should be applied.”

One of the things he points out is that “forensics and recovery are almost always in opposition. After a crime, you can either clean up the mess and get back to normal, or you can preserve the crime scene for collecting the evidence. You can’t do both.” This is a problem for computer attacks because system admins can destroy the evidence of the attack in their rush to bring everything back online. It is even more true today, as more of our systems are online and Internet-accessible.

Finally, he mentions that “secrets are hard to keep and hard to generate, transfer and destroy safely.” He gives the example of the king who builds a secret escape tunnel from his castle: there will always be someone who knows about the tunnel’s existence. If you are a CEO and not a king, you can’t rely on killing everyone who knows the secret to solve your security problems. RSA often talks about ways to manage digital risk, such as this report that came out last September. One thing is clear: there is no time like the present to think about how you protect your corporate secrets and what happens when the personnel involved in that protection leave your company.

Steer clear of Plaid for your small business accounting

If you are looking for a small business accounting software service, don’t consider WaveApps, Sage or the site And.co. All of them use the banking connector Plaid.com and have a major shortcoming. Let me explain my journey.

When I first began my freelancing business in 1992 (can it be?), I used the best accounting program at that time: QuickBooks for DOS. It was simple, it was easy to set up, and it did the job. I stayed with QB when I went to Windows and then to Mac, upgrading every few years, either when my accountant told me that they couldn’t use my aging software or when Intuit told me that I had to upgrade.

I use my accounting software for three things:

  • To keep track of my expenses and payments, entering information once or twice a month to stay on top of things.
  • To produce invoices and to accept credit card payments from my clients.
  • To produce reports once a year for my accountant to produce my business tax filings.

Those aren’t a lot of requirements, to be sure. Naturally, over time some of them have changed: when I first began, my accountant directly read my QB file. Now she just wants a few year-end statements, which almost every accounting tool can produce. Also, enabling credit card payments isn’t the big deal it once was: there are so many other solutions that don’t have to originate from the accounting software itself (such as Square, for example).

One thing that hasn’t changed is my goal: to spend as little time as possible using the software, because that means I have more time to spend actually writing and doing the work that I get paid to do.

But installing software on my desktop is so last century. Eventually, Intuit stopped making physical software and every QB version is now in the cloud. Their solutions start at $25/month, discounted for the first few months. Actually, that isn’t completely accurate: they also have a “self-employed” version for $15/month, but it has so few features that you can’t really use it effectively – such as producing those year-end reports that I need for my accountant.

Several years ago, I found Waveapps. It was free, it had just enough features to make it useful for me (see above) and did I mention it was free? I started using it and was generally happy. One of the nice features was how it connected to my corporate checking account at Bank of America and imported all my transactions, which made it easier to prepare my books and track my payments.

A few weeks ago, Wave decided to “upgrade” its banking connector to Plaid. And that broke my BofA connection. The problem is that I have set up my banking login to use SMS text multi-factor authentication (MFA). I wish BofA offered something better, but that is what they have — they call it “extra security” — and so I use it. Plaid doesn’t support my bank account’s “extra security” MFA setting.

This begins The 2020 Accounting Software Evaluation Project. It deserves the capital letters because it meant that I had to start looking around, reading software reviews, signing up for the software service providers, and checking them out. I very quickly found that Sage and And.co (I do hate their domain name) also use Plaid as a banking connector, so I wasn’t getting very far by switching to them. Meanwhile, here we are into February and I still haven’t decided on what to do with my accounting software.

I took time to email the PR person at Plaid, who initially told me that the BofA MFA issue was a bug and they were working on a fix. That was a lie, or perhaps a misunderstanding. Eventually, this is what I got from them: “Plaid supports the standard MFA for Bank of America and most of the other 11,000 institutions on the Plaid network, but we do not currently support BofA’s perpetual MFA setting.” This is also not true. BofA only offers a single MFA method: sending SMS texts to your phone. I wish they offered a smartphone authenticator app, but they don’t.

So my dilemma is this: should I eschew security for convenience? I can turn off the MFA, get my accounting data imported, and then turn it back on. I could try to switch accounting providers to something else — I haven’t tried all of the small business providers, but I have a feeling that Plaid has them as customers too. I could find another bank that has better security and perhaps works with Plaid, but that would mean changing a lot of my bill-paying data too.

No good choices, to be sure. I guess I will just stick with Wave for the time being, but I am not happy about it. Secure users shouldn’t use plaid.com.