webmages

April 27, 2005

steaming mad at vonage

Filed under: Uncategorized — Mark Andrachek @ 8:33 pm

Website usability is extremely important when it doubles as your billing system!

As you may or may not be aware, I get local phone service through Vonage. Vonage is a Voice-over-IP (VoIP) telephone service, meaning my phone’s information comes over my broadband internet connection instead of my phone line. I’ve used their service for well over a year now, and have been generally happy — until now.

A coworker was looking to change phone service, and I told her about Vonage. So she signed up using my referral which would give me a $49 credit. She got the box, got frustrated with trying to set it up, and sent it back (she could have asked me, I’d have come over and helped her out, but that’s her choice). In the meantime though Vonage had applied the credit.

It’s the end of the month, and I go to check my bill on the website (the only way to check your bill). I go to current month, and it says my bill is 30 something. It’s the last bill of the month I have, so I make sure I have that amount and about $20 bucks extra for gas. All set, right? Not quite.

I check my email this morning, and they charged me almost $74.19!!! I quickly check my account - oh no - overdraft fee, $35! I check my vonage account, and yes, the invoice as displayed on my current bill was only $33.86, but I notice under billing history that the referral credit was being cancelled. An extra $49.98 added to my bill.

An astute reader will notice that those numbers don’t add up to $74.19. $33.86 plus $49.98 is $83.84. That’s a $9.65 difference from $74.19. I can only guess that the $49.98 was actually “1 month service up to $49.98”. My bill usually runs between $30-$40 per month depending on how much Bonnie talks to her sister in Australia. So the credit was more likely for an actual $40.33, although that’s not reflected *anywhere* in the billing history, not in the invoices, nothing.

This whole thing doesn’t make sense. I understand that I need to pay for that month of service, but why isn’t that charge shown on my current bill? The current bill has “Current Balance:” on it. And if that charge is not part of my “Current Balance:”, where does it come from? And if it’s not part of my current bill, why then was it put through as a single transaction as part of my current bill?

So I call Vonage. They don’t understand, I guess they think I want to weasel out of the credit being charged back. What I really want to know is why my current bill didn’t actually show my current balance, and what they’re going to do about the $35 I’m out. I’m told I’d have to look at the “Dashboard” page, or the billing history to see the actual amount I owe, and they process all charges together at the end of the month.

That’s a major usability issue - doesn’t it somewhat, kinda, sorta, make sense that your charges and amount owed would show up on -*gasp*- your bill!?!?

She says there’s nothing she can do about it - I say there is, forward this up to the necessary parties. She says she’s done that, but I want to be sure, so I ask to talk to a manager. So I explain the situation to the manager. There’s nothing they’re willing to do for my inconvenience.

He agrees it’s a problem, but says there’s nothing they can do about it, that’s the way the billing software is. So, being a developer myself, I ask who’s providing their billing software then, because I want to give them a piece of my mind. He says it’s proprietary, in-house software. Ok, so either he lied to me about being able to effect changes, or they built it and then fired all their developers. Ah, no. They have staff who are responsible for the billing system. They have a “suggestion box”, and he’ll add it, but they have a really big punch list of new features and enhancements. This isn’t a feature or an enhancement - this is a bugfix, and a pretty serious one.

Maybe they should hire Jakob Nielsen or someone to do a complete usability review of their site, billing system included (myself, that would work too).

So, in the end, I have to eat the $35, and there are no assurances that this problem will be addressed. When I signed up for Vonage initially they were pretty much the only game in town, but now there is a bevy of VoIP competitors (AT&T, Packet8, Lingo, BroadVoice etc.). I kind of wish Sprint (they provide my DSL and the required landline for it) would step up to the plate.

Anyway, switching providers is going to cost $50-100 depending on setup fees and the Vonage termination fee, and VoIP providers are not bound by the phone number portability regulations (you can transfer your phone number to Vonage, but not from Vonage), so it might be a little while before I switch. Lingo is looking like a really good alternative for me - they have an International plan for $34.95/month that includes unlimited calls to regular landlines in Asian countries, including Australia and New Zealand.

[Update, 4/29]: Looks like my bank didn’t charge me $35. They charged me $120! So now I’m even madder at Vonage, and my bank too! I was considering BroadVoice, but they don’t support my area code. And I’ve heard some horror stories about Lingo, but they are a Virginia company. There is one other one, 1TouchTone (a Nuvio reseller), that supports both 804 and 434 (locals in Burkville even - I think they support more area codes and rate centers than even Packet8!) but their prices are even higher than Vonage, and I can’t seem to find any reviews. It would be really nice to have a VoIP company that supports “bring your own device” and the 804 and 434 area codes.

April 20, 2005

wordpress authimage captcha tips

Filed under: Uncategorized — Mark Andrachek @ 10:17 pm

You may have noticed the image that appears on the comments form containing a code that you must enter (in addition to being registered) for your comment to be successfully saved. This is called a “captcha”, and it’s a method of blocking automated spamming. Some captchas are better than others, and this one, AuthImage, is pretty good. However, the default setup leaves a bit to be desired.

First, the default directory structure, being in the wp-content/plugins directory, is inherently insecure — it allows for the downloading of the dictionary used to generate the words, as well as the fonts and backgrounds used by default. The location for your fonts, word list, and backgrounds is defined in veriword.ini. None of these files need to be web accessible, but they must be readable by the webserver user. In my case I created an authimage directory alongside my htdocs directory and moved this content there. That brings up the veriword.ini itself. If you specify the full path to veriword.ini in class.veriword.php ($config = new ConfigReader("veriword.ini");), you should be able to move it out of the document root as well.

Second, even once you’ve done all this you’re still vulnerable, because you’re still using the default settings for everything. The default word list is now known by the spammers who will attempt to use it to brute force. I’m not going to tell you where to get one (don’t want to popularize the one I’m using), but there are word lists available all over the net for many different languages. Grab one and set randomword_dict to that. Likewise, to make things even more difficult for any attempts at getting around it, replace the default backgrounds and fonts (any .ttf will do) - adding lots of additional fonts, which will be called at random, can help a bunch. Also, experiment with different wordart_angle settings.

Last but not least, I noticed a small problem with the way it pulls random words. You get to set randomword_length, but this limits the words pulled from the dictionary to only that length. If you set it to 4, you’ll only get four letter words. That’s not quite random enough for me (it makes brute force dictionary attacks easier). I added two variables, randomword_min and randomword_max, to my veriword.ini. This requires a few modifications to the class.veriword.php file. Find this line, which should be towards the beginning:

$this->randomword['length'] = $config->getConfig('randomword_length');

and add this code below it:

$this->randomword['length_min'] = $config->getConfig('randomword_min');
$this->randomword['length_max'] = $config->getConfig('randomword_max');
// When both bounds are set in veriword.ini, pick a word length at random
// within them; otherwise keep the fixed randomword_length read above.
if ($this->randomword['length_min'] && $this->randomword['length_max']) {
    $this->randomword['length'] = rand($this->randomword['length_min'], $this->randomword['length_max']);
}
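As an added illustration (not AuthImage's own code), the PHP below wraps both hardening steps in small helpers: a check that an asset path named in veriword.ini really resolves outside the document root, and a word picker that honours a min/max length range. The function names and the sample word list are assumptions, not part of the plugin.

```php
<?php
// Added example, not AuthImage's own code. Hypothetical helpers for the two
// hardening steps above; the word list below is constructed, not a real
// randomword_dict file.

// True when $path resolves to somewhere outside $docRoot (normally
// $_SERVER['DOCUMENT_ROOT']). Use it to confirm that the word list, fonts
// and backgrounds referenced in veriword.ini cannot be fetched over the web.
function outsideDocRoot($path, $docRoot) {
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;                        // unresolvable: treat as unsafe
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($real . DIRECTORY_SEPARATOR, $root) !== 0;
}

// Returns one word whose length lies in [$min, $max], chosen uniformly from
// all qualifying words (picking a length first and then a word of that
// length would over-represent rare lengths). Returns null if none qualify,
// so the caller can fall back to the fixed randomword_length.
function randomWordInRange(array $words, $min, $max) {
    $candidates = array();
    foreach ($words as $w) {
        $w = trim($w);
        $len = strlen($w);
        if ($len >= $min && $len <= $max) {
            $candidates[] = $w;
        }
    }
    if (!$candidates) {
        return null;
    }
    return $candidates[mt_rand(0, count($candidates) - 1)];
}

// Constructed sample word list, shaped like what file() returns for a
// one-word-per-line randomword_dict.
$words = array("owl", "maple", "harbor", "lantern", "quartz", "zebra");
$word = randomWordInRange($words, 5, 7);     // one of maple/harbor/lantern/quartz/zebra
echo $word === null ? "no word in range\n" : "captcha word: $word\n";

// This script sits inside its own directory, so the check reports false;
// in a deployment, pass the paths from veriword.ini and $_SERVER['DOCUMENT_ROOT'].
var_dump(outsideDocRoot(__FILE__, __DIR__));
```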

Oh, one more thing. This isn’t security related, but it does fall into the tips category. You want users to be able to navigate normally, so you’ll need to make a simple change to image.veriword.php to keep browsers and proxy servers from caching the dynamically created image. Just add this code before $vword->outputImage();:

// Tell browsers and intermediate proxies never to reuse a previously
// generated captcha image.
header("Expires: 0");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");

Hopefully, if you choose to use this plugin, these instructions will help you terminate spam comments. Good Luck!
