How Google Wallet Failed Me...

First, let me start off by stating that I am, and have been, a dedicated Google user for many years.  I migrated away from my Apple world because it was just too.... cloudy.  My primary email is now Gmail instead of .me, or .mac. or .whatever and all my mac mail gets autoforwarded to my gmail account.

I still use iOS on my first-gen iPad but Apple's pricing strategies combined with my decision to migrate my accounts to Google several years ago pushed me towards the Google Nexus as a tablet upgrade.  I've since dumped my iPhone because of AT&T's outrageous pricing for international users in favor of my Android-based Galaxy phone.

In addition to mail, I also use Google for storing my contacts and my calendar.  I use Google Drive more for personal than business use, and I think Google Keep is brilliant.

Google+ -- not so crazy about.  I try to like it, but there's something about it that just keeps missing the mark of being an app that I _need_ to use.

Because I am so heavily invested in the Googlesphere, I had a wallet account because, you know, the Google Play Store.  I had, at one time, intentions of moving most of my (non-DRM - thanks again, Apple) music out to the Google Cloud and using the Play Store for my new media purchases.

My first exposure to the Google Play store was when I purchased my HTC-One Android phone - and I was forced to sign-up for something called Google Wallet should I desire the ability to make purchases from the Google Play store.  I kind of viewed it as the Google version of PayPal so, what the hell.  In registering my account, I was slightly put off by Google's registration requirements.  They wanted a photo of a government ID and proof of residency.  I supplied both, got my account "verified" within a couple days, and spent the next several months making purchases from the Play store, leaving iTunes behind for good.

When the Nexus-7 arrived, I eagerly jumped into the queue on its first day of release to purchase.  And had nothing but trouble, mainly because of problems with Google Wallet.    The purchase was accepted, and then declined (not by my credit card company, but by Wallet - who was "unable to resolve details about your purchase request") and it took several weeks of customer-support calls, re-registering cards with Wallet, more verification, before I was finally able to get my Nexus-7, more than a month after it first launched.

Then late last year, my credit-card expired and Google Wallet crapped all over itself.

(Keep in mind, that this was all pre-Prism -- I knew Google harvested data about my account, and I was OK with it for the most part.  I use DDG for my search engine, and try to review my privacy settings monthly.)

Anyway, I get email from Google telling me that they had suspended my account because my credit-card was no longer active and, to re-enable my account, not only did I need to update my c/c information, I also had to (re)provide all the verification paperwork.

Grumble.

Ok, I did that, and got my Wallet account back.

Then, in February of this year, I received another suspension notice about my Wallet account -- an email from Google stating that it appeared my account had been compromised.  The email went on to state that Google takes the security and privacy of my account very seriously (except, apparently when the NSA is involved), and that for "security purposes", they've suspended my wallet account.  They also told me that "it is very difficult to determine the exact nature of your account compromise".

Seriously?  I mean, you're fucking Google, for god sake!  Is there anything, at all, on the internet that you don't already know about?

So, I clicky-clicky the links to un-suspend my Wallet account and I get taken back to the same old crap where I am required to prove, again, that I am me by (re)sending them pictures and documents.  The same documents I had just sent them a few months previously.

I wondered why, resending them copies of the same crap I'd sent them before would "magically" prove to them that I was still me.  After all, nothing had changed...

And then I started getting pissed.

I figured out what had "compromised" my account - it was use of a VPN on my various computers while I was logged-in to my Google account.  I VPN frequently because I live in Mexico and some US-based websites are just amazing assholes when it comes to dealing with international customers, so I VPN into the U.S. to avoid the inconvenience.

(BTW:  http://google.com/ncr  --- good to know:  ncr = no country redirect so that, no matter where you are, your session will be treated as a US session.)

When I would VPN out, I'd suddenly get all sorts of Google mail hysteria about my account. ZOMG!!!  Your account may have been compromised!  You had the brazen temerity of logging in from some place we've never seen you log-in from before!!!   And then I thought - this is disturbing on an entirely different level... no, wait, a couple of different levels...

First, Google is actively monitoring my login locations.  If my HTTP_REFERRER IP-address changes, they record this as a location change.  If the location change, apparently, is sudden or drastic or new, Google spins up the hysteria machine and starts spewing emails.

It's like they've never heard of cookies.  Which, if you know anything about SEO, Google, and traces, is highly unlikely.

I mean, how hard is it to put a session cookie when I log-in that uniquely identifies me as me?  If I change computers, or even VM on the same computer, then the cookie is no longer available and the combination of a new IP plus the lack of an identifier-cookie would give you a flag that I was changing my location/system.  Legit, right?

But even if I VPN out, (I can't believe they've never heard of VPN...), the identifying cookie is still available in my session because they've not changed their domain -- I've changed mine.  I am still me - I'm just accessing your domain from a different location as far as you're concerned.  But I'm still doing it from the same browser session.

Why the hysteria?

Second,  I've noticed Google pushing their two-step authentication process.  Quite a bit.  I don't use two-step authentication because I have a very secure password.  And I don't live in the U.S. so I don't have a phone for Google to push the challenge codes to.  And, apparently, that I don't use two-step authentication pisses off Google and they've decided to penalize me for it.

As a matter of fact, they refer to two-step authentication in their email notifying me of the suspension of my Wallet account.

I would probably use it, except that, last time I checked, it was limited to cell phones and, presumably, only cell phones in the U.S.  Which is confusing to me because when I did go to the play store, Google has a list of all of my Android devices.  My Nexus-7, for example, is connected to the internet via my wireless (it doesn't have cellular) and I am able to push apps down from my browser-app page to my Nexus.  Why can't you push the challenges to any/all registered devices you've detected?  Why am I required to use only my cell-phone for authentication?

The other reason I don't elect to use two-step authentication is this excerpt taken from Google's Support page regarding verification:

After you turn on 2-step verification, non-browser applications and devices that use your Google Account (such as the Gmail app on your phone or Outlook), will be unable to connect to your account. However, in a few steps, you can generate a special password called application-specific password to allow this application to connect to your account -- and don't worry, you'll only have to do this once for each device or application.

Lol...wait...wut?

So having removed any compelling reason to use two-step authentication, I opted out - no thank-you.

Was my Wallet account closed because I declined to use two-step?  Perhaps it was this, and a combination of my VPN activities?  Even though "Google specialists performed a thorough investigation", I am still in the dark as to how my account was "compromised", and how thorough the "investigation" was.  I am also still in the dark as to why the investigation was even initiated, and why I was not immediately informed of the suspected compromise.

Don't know -- subsequent emails to Google Wallet Support were pretty vague and unwilling to compromise.  In the end, and actually I was really shitty to them in email, I told them to keep their account - I will happily spend my money on Amazon.  (I spend a shit-ton of money on Amazon.)

But you know what really pisses me off?

The fact that Google Wallet is the only option for making purchases on the Google Play store.

Forget for a minute that my credit-card company takes very good care of the security of my card.  Last month, one of my cards was suspended because my bank got a call from Visa telling them that one of their merchants had been compromised and my card number was on-file with that merchant.  I had a replacement card in a couple days - no harm - no foul.  Google, in comparison, completely failed to proactively notify me when they "suspected" my account had been compromised, or when they launched their "thorough investigation".  I have no idea how long this purported investigation took -- I only learned of the "apparent" problem when they decided to suspend my Wallet account.

And where the hell does Google get off demanding this type of information from me?  A government-issued photo ID?  Proof of verification of my billing address?

I thought Microsoft had the largest market-share of hubris.

Can you imagine the cluster-fuck of e-commerce if you were required to provide this information for every single purchase you made with every single web-vendor?

All I want to do, Google, is spend money on your Play Store.  Why is this so difficult?  If my credit-card company trusts me with my card, then you should by proxy.  Period.

And why can I not make purchases off the store using a credit-card, or a PayPal account?  Why am I forced to use your Google Wallet?  Do you just not like money?

Hubris.  That's why.

If you take a few seconds to search "google wallet fail", you'll be entertained with articles far more clever than this one.   Just last month, Business Insider posted a scathing article about Google Wallet and its failure to launch.  One statistic, posted in a follow-up article to the BusinessWeek piece I saw, showed that while 40% of the people surveyed were aware of the existence of Wallet, only 8% were using it.  PayPal is seriously kicking Google's ass despite the millions of dollars Google has spent on Wallet.

Then, with the recent revelations around our "privacy" of electronic information, the government, PRISM, and large corporations like Google, I really have to challenge their policies and requirements pertaining to documentation necessary just to buy something from their store.

In the last six months without access to the Play Store, I've continued to buy books, movies, apps, magazines for all my mobile devices.

You can, indeed, live - even thrive - in the Googlesphere sans Wallet.

Copy of Google Wallet email suspending my account:

On 02/01/2013 12:35 PM, wallet-support@google.com wrote:

Hello, 

Our specialists recently performed a thorough investigation of your account ID: {snip}. It appeared that your Google Account was compromised. Google takes the security and confidentiality of your personal information very seriously. 

For security purposes, we have suspended your Google Wallet account to prevent any further charges. 

We strongly recommend that you update your Google Account password, security question, and secondary email in order to secure your account. If you are unable to access your Google Account, you should visit https://www.google.com/support/accounts/bin/request.py?ara=1&contact_type=ara&ctx=ara to initiate the process of restoring your Google Account. 

Additionally, we'd like to assure you that the security and confidentiality of your personal information, including your credit card number if any, is our highest priority. Your information is securely stored on our servers, and won't be shared with anyone except under the very limited circumstances described in our Privacy Policy at http://wallet.google.com/files/buyerprivacy.html 

We do understand your concerns regarding your account's security. It is difficult to determine the exact nature of your account compromise. For more information on safeguarding yourself online, please visit http://mail.google.com/support/bin/static.py?hl=en&page=checklist.cs&tab=29488

You may also use Google's 2 step verification for increased security of your Google account. Please visit http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284 for more information. 

Please feel free to contact us if you have any additional questions.

Sincerely,

The Google Wallet Team  

Why am I receiving an email from Google Wallet? Google Checkout is now part of Google Wallet. Checkout users can now manage their accounts at http://wallet.google.com/manage. To find out more about this transition, visit http://www.google.com/support/wallet/bin/answer.py?answer=1691527