Categories
News Feed

What the Marriott Breach Says About Security

Your personal data is already stolen. Here’s what you need to be doing:

via Krebs on Security

 

Categories
News Feed

How Criminals Steal $37 Billion a Year

It is increasingly difficult to trust someone calling from a number you don’t recognize. Not only are scammers calling from numbers that seem to be in your area, but they are also impersonating family members in distress.

The dirty little secret about elder exploitation is that almost 60 percent of cases involve a perpetrator who is a family member, according to a 2014 study by Lachs and others, an especially fraught situation where victims are often unwilling, or unable, to seek justice. Such manipulation sometimes involves force or the threat of force.

via Bloomberg

This trick has been around for a while, but there are new defenses available to guard against the scam.

On Feb. 5, the Financial Industry Regulatory Authority, an industry body, put into effect “the first uniform, national standards to protect senior investors.” It now requires members to try to obtain a trusted contact’s information so they can discuss account activity. It also permits firms to place temporary holds on disbursements if exploitation is suspected.

Bloomberg

Interesting idea: two-person authentication for account transactions. It still may be easy to beat the system, though.

Loewy, who left her job as a prosecutor in 2014 to join EverSafe, a startup that makes software to monitor suspicious account activity, is underwhelmed by the industry projects.

“They may say they’re focused on it, but they aren’t really doing much more than training employees,” she says. “Exploiters know what they’re doing. They take amounts under $10,000 that they know won’t get picked up by fraud and risk folks at banks. And they steal across institutions over time.”

Bloomberg

And remember, if you get a text from a short-code number with 5 or 6 digits, you can verify the identity of the sender with the Short Code Directory.

Categories
News Feed

Nobody is immune to ads

In his post Nobody is immune to ads, Georges Abi-Heila explores the psychology of how humans react to the barrage of brands and ads we see every day.

There’s no scientific consensus on the number of ads we’re exposed to daily, as estimates vary from a few hundreds to thousands. Why is it so hard to get a reasonable figure? Because it depends on a variety of factors that greatly affect the final result (sorted by level of importance):

What is considered an ad?
Including brand labels and logos can increase the final result 10x.
Think about every time you pass by a brand name in a supermarket, the label on everything you wear, the condiments in your fridge, the cars on the highway…
Where does the subject live?
The denser your living environment, the more ads you’re exposed to as companies fiercely compete for your attention (and, ultimately, your wallet). Visual pollution is one of the drawbacks of living in a big city…
What is the subject’s job?
During work hours, a hotel receptionist sees a lot fewer ads than a truck driver, who is less exposed than a social media manager.

Want to see an interesting example? Have an iPhone? Ignore for a moment all the brands you see in the icons on your home screen; this one is more subtle. What does it say in the top left corner?

https://cdn.vox-cdn.com/thumbor/prj_rjURjKC1ZVVlVmhOuMUrbso=/0x0:2040x1360/1720x0/filters:focal(0x0:2040x1360):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/9276345/jbareham_170916_2000_0088.jpg
The Verge iPhone 8 Review

So every time you pick up your phone you are served an ad for your cell carrier. Why does it exist? Do you frequently forget you are on the AT&T network?

It is worth noting that the notched iPhones no longer show the carrier name, so this redditor has the right idea.

https://cdn.vox-cdn.com/thumbor/PZtyF3VgyktMRvvz5AciV-borm8=/0x0:2040x1360/1920x0/filters:focal(0x0:2040x1360):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/9597629/jbareham_171101_2099_A_0104.jpg
The Verge iPhone X Review

Is it a big change? No. But one less ad in the thousands you see in a day.

As a bonus, check out the streets of Sao Paulo. The city has a law that prohibits outdoor advertising. The story is covered in a post by 99% Invisible.

Categories
News Feed

21 Lessons for the 21st Century

Yuval Noah Harari on the Talks at Google podcast (and in video form)

He’s marketing his new book extremely well and a New York Times interview on the subject garnered attention:

It made him sad, he told me, to see people build things that destroy their own societies, but he works every day to maintain an academic distance and remind himself that humans are just animals. “Part of it is really coming from seeing humans as apes, that this is how they behave,” he said, adding, “They’re chimpanzees. They’re sapiens. This is what they do.”

. . .

“It’s just a rule of thumb in history that if you are so much coddled by the elites it must mean that you don’t want to frighten them,” Mr. Harari said. “They can absorb you. You can become the intellectual entertainment.”

. . .

He told the audience that free will is an illusion, and that human rights are just a story we tell ourselves. Political parties, he said, might not make sense anymore. He went on to argue that the liberal world order has relied on fictions like “the customer is always right” and “follow your heart,” and that these ideas no longer work in the age of artificial intelligence, when hearts can be manipulated at scale.

Not the most heartening view of the future.

21 Lessons is also recommended by Bill Gates as one of 5 books he loved in 2018 (to further corroborate Harari’s points).

The trick for putting an end to our anxieties, he suggests, is not to stop worrying. It’s to know which things to worry about, and how much to worry about them. As he writes in his introduction: “What are today’s greatest challenges and most important changes? What should we pay attention to? What should we teach our kids?”

Or maybe we should be a bit more like Newt Scamander:

My philosophy is that worrying means you suffer twice.

Categories
News Feed

Rent-seeking

The Exponent podcast is back! And there’s a lot of news regarding pressure to change existing App Store pricing models.

it seems incredibly worrisome to me anytime any company predicates its growth story on rent-seeking: it’s not that the growth isn’t real, but rather that the pursuit is corrosive on whatever it was that made the company great in the first place. That is a particularly large concern for Apple: the company has always succeeded by being the best; how does the company maintain that edge when its executives are more concerned with harvesting profits from other companies’ innovations?

via Stratechery and Exponent

Plus, after shipping Fortnite outside of the Google Play Store, Epic Games is moving in on Steam with a new game store and taking a smaller cut of sales.

Developers receive 88% of revenue. There are no tiers or thresholds. Epic takes 12%. And if you’re using Unreal Engine, Epic will cover the 5% engine royalty for sales on the Epic Games store, out of Epic’s 12%.

via Unreal Engine Blog

Categories
News Feed

The case for slowing everything down a bit

Ezra Klein on increased digital friction:

I believe that one reason podcasts have exploded is that they carry so much friction: They’re long and messy, they often take weeks or months to produce, they’re hard to clip and share and skim — and as a result, they’re calmer, more human, more judicious, less crazy-making.

Klein and Jaron Lanier discuss just that, in a podcast.

Writing . . . is full of friction. It’s hard and slow, and the words on the page fall short of the music and clarity I imagined they’d have. But it is, in the end, rewarding. It’s where I have at least a chance to create something worth creating. The work is worth it.

via Vox

Categories
Random Technology Thoughts

Is this a legit Fortnite V-Buck site? Probably not.

Fortnite has caused quite the security kerfuffle. Between releasing the Android app outside the Google Play Store, and an insane desire for V-Bucks, scams are running rampant.

Wired put out this article yesterday entitled Fortnite scams are even worse than you thought, and it made me sad that people are being tricked (that’s for tomorrow 🎃).

I made a simple browser extension as a helpful reminder of legitimate V-Buck sites. It will give you a green thumbs up on real V-Bucks websites, and a red thumbs down for sites where you can’t safely purchase V-Bucks. Check it out on GitHub.

If all else fails, to stay safe, remember: ONLY BUY V-BUCKS IN THE GAME.

Installation

Download the extension files by clicking “Clone or download > Download Zip” on Github
Follow steps 1, 2, and 3 here to install the extension
(Yes, enabling developer mode to sideload extensions is a similar security hole to what Epic is doing with Fortnite on Android. I’ll look into publishing the extension officially.)

Test out the extension!

V-Bucks for PlayStation:
https://store.playstation.com/en-us/product/UP1477-CUSA07022_00-MTX01K0000000000


V-Bucks for Xbox:
https://www.microsoft.com/en-us/p/fortnite-1-000-v-bucks/c0f5ht9nv86p


V-Bucks for PC/Switch/iOS/Android are only available in game, but here’s a link to Epic Games explaining that:
https://www.epicgames.com/fortnite


Don’t buy V-Bucks on eBay:
https://www.ebay.com/sch/i.html?_nkw=v+bucks

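The core of a “legit V-Bucks site?” indicator is a hostname allowlist, and the security-relevant detail is how the match is done: it must be exact-or-subdomain on the parsed hostname, never a substring test, or a lookalike such as store.playstation.com.evil.example would light up green. The following is an added example written for this post, not the extension’s own code; the allowlist is constructed from the test links above and the function names are mine.

```javascript
// Added example: hostname allowlist matching for a "legit V-Bucks site?" indicator.
// Not the extension's own code; the list below is constructed from the URLs on this
// page and the function names are my own.

// Constructed allowlist: hostname plus the path prefix a legitimate store page lives under.
const LEGIT_VBUCKS_SOURCES = [
  { host: "store.playstation.com", pathPrefix: "/" },
  { host: "www.microsoft.com", pathPrefix: "/" },
  { host: "www.epicgames.com", pathPrefix: "/fortnite" },
];

// True only if `host` is exactly `allowed` or a subdomain of it.
// A substring test such as host.includes(allowed) would wrongly accept
// "store.playstation.com.evil.example", the classic lookalike trick.
function hostMatches(host, allowed) {
  return host === allowed || host.endsWith("." + allowed);
}

// Classify a page URL: "legit" -> green thumbs up, "unsafe" -> red thumbs down.
// Anything that cannot be positively matched is treated as unsafe (fail closed).
function classifyVbucksUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // URL is global in browsers and in Node
  } catch (e) {
    return { verdict: "unsafe", reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "unsafe", reason: "not served over https" };
  }
  const host = url.hostname.toLowerCase();
  for (const src of LEGIT_VBUCKS_SOURCES) {
    if (hostMatches(host, src.host) && url.pathname.startsWith(src.pathPrefix)) {
      return { verdict: "legit", reason: "matches allowlisted host " + src.host };
    }
  }
  return { verdict: "unsafe", reason: "host not on the allowlist" };
}

// Run the page's own test links plus a constructed lookalike.
const SAMPLE_URLS = [
  "https://store.playstation.com/en-us/product/UP1477-CUSA07022_00-MTX01K0000000000",
  "https://www.microsoft.com/en-us/p/fortnite-1-000-v-bucks/c0f5ht9nv86p",
  "https://www.epicgames.com/fortnite",
  "https://www.ebay.com/sch/i.html?_nkw=v+bucks",
  "https://store.playstation.com.evil.example/en-us/product/vbucks", // constructed lookalike
];
for (const u of SAMPLE_URLS) {
  const { verdict, reason } = classifyVbucksUrl(u);
  console.log(verdict.padEnd(6), reason.padEnd(45), u);
}
```

Inside a content script the call would be classifyVbucksUrl(location.href), with the verdict driving which icon is shown. Failing closed matters here: a site that is not positively on the list gets the red thumbs down, which matches the post’s “only buy V-Bucks in the game” advice.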

Video demo

It’s all about the gifs.

Other Fortnite Links and Security Tips

Here’s how to get Fortnite on Android:
https://www.epicgames.com/fortnite/en-US/mobile/android/get-started

How to protect your Epic account:
https://www.epicgames.com/fortnite/en-US/news/protecting-your-epic-account

Epic on V-Buck Scams:
https://epicgames.helpshift.com/a/fortnite/?s=epic-accounts&f=account-security-bulletin&p=all

And a reminder from Wired:

 

I’ll wrap up by saying I don’t endorse actually purchasing these things, but for those of you who do buy, stay safe out there!

Categories
Articles Thoughts

Ninja and Kylie Jenner, Who Owns the Future

In his book, Who Owns the Future, Jaron Lanier discusses the idea of real-time income and wealth generation. He presents the topics through the lens of sharing songs in the music industry, but the principle applies to today’s sharing economy.

Categories
News Feed Technology

Sunday Reading: Thoughts on The Tech Industry’s War on Kids

Reflecting on The Tech Industry’s War on Kids: How psychology is being used as a weapon against children

Richard Freed is a child psychologist who focuses on helping families work through “extreme overuse of phones, video games, and social media.”

Preteen and teen girls refuse to get off their phones, even though it’s remarkably clear that the devices are making them miserable. I also see far too many boys whose gaming obsessions lead them to forgo interest in school, extracurricular activities, and anything else productive. Some of these boys, as they reach their later teens, use their large bodies to terrorize parents who attempt to set gaming limits. A common thread running through many of these cases is parent guilt, as so many are certain they did something to put their kids on a destructive path.

Kids might be struggling with technology, but adults would probably act like children too if they had to go a day without it. Maybe we should all take a digital detox.

Captology

BJ Fogg directs the Stanford Persuasive Technology Lab. There is a ton of research behind the design practices used by today’s most popular apps, websites, and games, and we can still use this newfound power for good. Whether used for good or bad, though, the techniques are still shaping human behavior without consent.

Fogg’s website also has lately undergone a substantial makeover, as he now seems to go out of his way to suggest his work has benevolent aims, commenting, “I teach good people how behavior works so they can create products & services that benefit everyday people around the world.” Likewise, the Stanford Persuasive Technology Lab website optimistically claims, “Persuasive technologies can bring about positive changes in many domains, including health, business, safety, and education. We also believe that new advances in technology can help promote world peace in 30 years.”

Why don’t we make it easy for kids and adults to spend their time doing the things society deems productive? Part of the challenge is exposing kids to new opportunities and experiences to help them understand their real world potential, even at their age.

While persuasion techniques work well on adults, they are particularly effective at influencing the still-maturing child and teen brain. “Video games, better than anything else in our culture, deliver rewards to people, especially teenage boys,” says Fogg. “Teenage boys are wired to seek competency. To master our world and get better at stuff. Video games, in dishing out rewards, can convey to people that their competency is growing, you can get better at something second by second.” And it’s persuasive design that’s helped convince this generation of boys they are gaining “competency” by spending countless hours on game sites, when the sad reality is they are locked away in their rooms gaming, ignoring school, and not developing the real-world competencies that colleges and employers demand.

Motivation/inspiration, Ability/capability, Trigger/feedback

According to B.J. Fogg, the “Fogg Behavior Model” is a well-tested method to change behavior and, in its simplified form, involves three primary factors: motivation, ability, and triggers. Describing how his formula is effective at getting people to use a social network, the psychologist says in an academic paper that a key motivator is users’ desire for “social acceptance,” although he says an even more powerful motivator is the desire “to avoid being socially rejected.” Regarding ability, Fogg suggests that digital products should be made so that users don’t have to “think hard.” Hence, social networks are designed for ease of use. Finally, Fogg says that potential users need to be triggered to use a site. This is accomplished by a myriad of digital tricks, including the sending of incessant notifications urging users to view friends’ pictures, telling them they are missing out while not on the social network, or suggesting that they check — yet again — to see if anyone liked their post or photo.

It seems we should be able to reframe the three motivation, ability, and triggers behavioral factors into a more productive framing of inspiration, capability, and reinforcement. For example, a kid who enjoys watching YouTube creators may be inspired to make a channel of their own. YouTube, influencers, or another service, can help kids build their movie making capabilities. Feedback on work can help reinforce learning and growth. In the end, kids are still spending time where they want to, but the behavioral model focuses on a healthy balance of creation and consumption leading to development in modern day, “real world capabilities”.

Mostly terrifying

the startup Dopamine Labs boasts about its use of persuasive techniques to increase profits: “Connect your app to our Persuasive AI [Artificial Intelligence] and lift your engagement and revenue up to 30% by giving your users our perfect bursts of dopamine,” and “A burst of Dopamine doesn’t just feel good: it’s proven to re-wire user behavior and habits.”

Ramsay Brown, the founder of Dopamine Labs, says in a KQED Science article, “We have now developed a rigorous technology of the human mind, and that is both exciting and terrifying. We have the ability to twiddle some knobs in a machine learning dashboard we build, and around the world hundreds of thousands of people are going to quietly change their behavior in ways that, unbeknownst to them, feel second-nature but are really by design.”

Facebook Messenger Kids

How has the consumer tech industry responded to these calls for change? By going even lower. Facebook recently launched Messenger Kids, a social media app that will reach kids as young as five years old. Suggestive that harmful persuasive design is now honing in on very young children is the declaration of Messenger Kids Art Director, Shiu Pei Luu, “We want to help foster communication [on Facebook] and make that the most exciting thing you want to be doing.”

Facebook’s narrow-minded vision of childhood is reflective of how out of touch the social network and other consumer tech companies are with the needs of an increasingly troubled generation. The most “exciting thing” for young children should be spending time with family, playing outside, engaging in creative play, and other vital developmental experiences — not being drawn into the social media vortex on phones or tablets. Moreover, Facebook Messenger Kids is giving an early start to the wired life on social media that we know poses risks of depression and suicide-related behavior for older children.

In response to the release of Facebook’s Messenger Kids, the Campaign for a Commercial-Free Childhood (CCFC) sent Facebook a letter signed by numerous health advocates calling on the company to pull the plug on the app. Facebook has yet to respond to the letter and instead continues to aggressively market Messenger Kids for young children.

Conscious workflows vs impulsive habits

President John F. Kennedy’s prescient guidance: He said that technology “has no conscience of its own. Whether it will become a force for good or ill depends on man.”

From Cal Newport:

Workflows are arguably more important than your high-level habits when it comes to impacting how effectively you produce valuable things (my preferred definition of “productivity”), but they’re a topic that’s often ignored.

Indeed, for most people, the workflows that drive their professional life are processes that haphazardly arose without much intention or consideration.

This fall, in other words, consider spending some serious time evaluating your workflows before turning your attention to the habits that help you deal with the obligations these flows generate.

Technology gives us the tools to do more. It’s up to us to decide how we leverage our new powers.

The best analogy I’ve ever heard is Scientific American, I think it was, did a study in the early 70s on the efficiency of locomotion, and what they did was for all different species of things in the planet, birds and cats and dogs and fish and goats and stuff, they measured how much energy does it take for a goat to get from here to there. Kilocalories per kilometer or something, I don’t know what they measured. And they ranked them, they published the list, and the Condor won. The Condor took the least amount of energy to get from here to there. Man didn’t do so well, came in with a rather unimpressive showing about a third of the way down the list.

But fortunately someone at Scientific American was insightful enough to test a man with a bicycle, and man with a bicycle won. Twice as good as the Condor, all the way off the list. And what it showed was that man is a toolmaker, has the ability to make a tool to amplify an inherent ability that he has. And that’s exactly what we’re doing here.

Additional reading

BJ Fogg commented on the article and provided a list of his works to raise awareness about the ethics of persuasive tech.

A recent Atlantic article, “Have Smartphones Destroyed a Generation?,” by Dr. Jean Twenge

Stratechery article on Tech’s Two Philosophies: Some problems are best solved by human ingenuity; others by collective action

Categories
Thoughts

Short Codes (aka Messages & Two Factor Authentication from Random Five to Six Digit Numbers)

There are some cool new security features in the latest versions of iOS and Android to help you keep your accounts secure. Android’s updated Messages app and iMessage in iOS 12 both bring simplified one-time passcodes and two factor authentication (2FA) management.

iMessage – iOS 12

iMessage Security code AutoFill
Security code AutoFill. SMS one-time passcodes will appear automatically as AutoFill suggestions, so you never have to worry about memorizing them or typing them again.

 

Android Messages

Copy one-time passwords with one tap
Now, when you receive a message with a one-time password or code from a secure site—such as your bank—you can save time by copying that password directly from the message with a tap.

 

With both Apple and Google updating their messaging apps to ease use of text message (SMS) based two factor authentication, I’ve been thinking about why copying a verification code is the feature we need to bring more people to use 2FA. While cutting down steps required to use 2FA will make for a more streamlined experience, there seems to be an opportunity elsewhere to improve general usability of SMS based 2FA.

I understand there has been plenty of discussion regarding the security risks of these features, but putting aside the entire 2FA ecosystem and the shortcomings of SMS based 2FA, let’s look at a quirk of how people experience 2FA on their phones.

An example

Android Messages two factor authentication shortcut

Take the Capital One notification from this article discussing the “copy 2FA code” feature in Android Messages. The message from number 227898 says “From Capital One” and provides a code: 939966. There are two things we need to figure out here. One, that this is in fact the message from Capital One, and two, that this message contains the 2FA one-time passcode we need to complete the log-on process.

First off, while the message says it’s from Capital One, we know from our phishing lessons that we shouldn’t let the content of a message influence our trust decisions. The timing of this message, arriving just as we attempt to log in to a bank account, makes it seem legitimately from Capital One, but how can we be sure? What is that 227898 number? Can we look it up like a phone number to verify it is registered to Capital One?

The second bit of confusion is recognizing that the 2FA verification code is 939966, not the big bold 227898 number at the top of the message. Usually the distinction between sender and message is clear with a regular 10-digit phone number or a message from someone in your contact list, but when you are sent a six-digit code from a six-digit number you need to do more mental processing to choose the right number. Google has partially resolved the issue by giving an explicit action to copy the 2FA code, but it feels a little strange not being able to see the actual code in the message.

An aside

Slightly off topic, but while researching YubiKeys (after listening to Scott Hanselman’s podcast with Sarah Squire), I came across Two Factor Auth, which maintains a list of sites that support, well, two factor auth. Exploring the various services, I noticed very few banks support USB hardware tokens. Wells Fargo seemed the only big bank with support. Clicking through the WF link from the Two Factor Auth chart, I ended up on the Advanced Access page trying to figure out how WF does U2F. It turns out they use RSA SecurID (not USB U2F), which was uninteresting, but the footnote caught my attention:

We always send our text messages from 93557. Incoming calls with an Advanced Access code will come from 1-800-956-4442. We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

via Wells Fargo Advanced Access

Is this really the case? Every Wells Fargo communication and two factor authentication message comes from 93557? What’s the significance of 93557? And does every company always use the same number?

If so, this is a fantastic piece of advice buried in a random support page:

We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

Why doesn’t every company and service mention this?

An investigation

To figure that out, I first needed to learn what that 5 digit non-phone number is really called. Naturally, I went online and searched “what is the number for two factor sms?”

This article from The Verge was at the top: Facebook admits SMS notifications sent using two-factor number was caused by bug

Not what I was looking for, but at least a clue.

Facebook uses the automated number 362-65, or “FBOOK,” as its two-factor authentication number

So these numbers have some T9 significance (remember landlines and flip phones?).

I figured that if facebook’s number is known, maybe there are some resources that include more of these numbers, so I quickly searched 362-65 and got 297. 😑

After getting rid of the minus sign, there was this Facebook Support link with people confused after receiving a random text seemingly from Facebook with a link to “fb.com”, a non-“facebook.com” website (here’s another example).

They are right to be concerned.

A little more searching, and boom: short codes

Short Codes

Is this a name people knew about? It’s the first time I came across the phrase “short code” even though I have been using the things for some time now.

It turns out there is an official US Short Code registrar run by CTIA and iconectiv:

Short Code Registry

Short Codes offer marketers unique opportunities to engage their audiences via text messaging. Short Codes are five- or six-digit codes that may be personalized to spell out a company, organization or a related word. Many organizations may choose to use Short Codes to send premium messages, which may charge subscribers additional fees for informative or promotional services such as coupons or news updates.

The Short Code Registry maintains a single database of available, reserved and registered short codes. CTIA administers the Common Short Code program, and iconectiv became the official U.S. Short Code Registry service provider in January, 2016.

For more information, please see the Short Code Registry’s Best Practices and the Short Code Monitoring Handbook.

The iconectiv site routes to https://usshortcodes.com/ where you can learn all about registering, case studies, and best practices. But I still want to know how to verify the sender of that 2FA message.

This is where US Short Code Directory comes in.

The U.S. Short Code Directory and the team at Tatango has assumed responsibility for the indexing of these unique phone numbers, creating the industry’s only public address book.

via https://usshortcodedirectory.com/about/

What do you know, the first code in the directory: Facebook, 32665. But wait, that’s not what’s listed in the Verge article… That’s 32665 vs 36265. Not sure what the deal is there, but may be a typo by The Verge (3-F, 2-B, 6-O, 6-O, 5-K in T9).

Just for a sanity check, does the Wells Fargo short code match their Advanced Access list? Yep! And so does the Capital One code.

Cool! We figured out a way to verify the sender of SMS based 2FA! Remember though, this does not only apply to 2FA, but also other SMS based communication from the company.

Short Codes in the Wild

Check out this recent Wells Fargo ad on YouTube.

Wells Fargo account alert text message from YouTube ad

At the 17 second mark the narrator mentions “alerting you to certain card activity we find suspicious”. How do they do this? By SMS of course. And what number is the alert from? 93733!? NOOOOO! That’s not 93557. WF was so close. Missed an opportunity to tie everything back to that random support page. The ad has a caveat “Screen images simulated”, so ¯\_(ツ)_/¯. For what it’s worth, the phone number to call is in fact for WF Customer Service.

Questions, Concerns & Opportunities

This feels like the tip of the short code iceberg and I still have a lot of questions. How long do short codes last? Do companies change numbers? Can short code be reused? Can I trust that the next time I receive a message from a short code number that it is from the same company as last time? Can messaging apps label the code like caller id?

I don’t have all the answers, but there are definitely more things to be done to help fight the next generation of phishing. As more companies continue to recommend 2FA and send updates over SMS, we need tools in place to ensure we can trust the messages we receive.

Wells Fargo’s advice to add their numbers to your address book is good, as long as the short code (and normal telephone) numbers do not change over time. While it may be uncommon, it is possible for companies to switch numbers, and (possibly more common) previously used numbers can become available for a different company to re-register. In the former case, people will see an unknown number seemingly masquerading as a service they do use, which should be cause for suspicion (although benign). In the latter, people will assume trust in content from a number they recognize (creating a phishing opportunity). While instances of these issues may be unsubstantiated (there’s very little info on how short code numbers change hands, and the “Best Practices” are all about marketing), this is a reason to have service-driven trust management keeping track of ownership and identity.

There is an opportunity for services like US Short Code Directory and Tatango to provide access to their index of short codes, so companies like Apple and Google can continue to improve their messaging services. If the Short Code Directory had a public API to query and verify short codes, messaging apps could implement a new style of caller ID (essentially a DNS for SMS, but not this) to let you know the message from 227898 that says it’s “From Capital One” is legitimately from Capital One.
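To make the “caller ID for short codes” idea concrete, here is an added example of what a messaging app could do with such a lookup. It is not code from this post, from Tatango or the US Short Code Directory, or from any registry; the directory is constructed from the codes listed on this page, the messages are constructed to mirror the Capital One screenshot and the Wells Fargo ad discussed above, and the function names are mine. The point it demonstrates is that the body’s “From Capital One” claim is never trusted on its own; it is only compared against who the sending short code is actually registered to, and the sender’s number is excluded when picking out the one-time code.

```javascript
// Added example: a toy "caller ID for short codes" check, the kind of lookup the
// paragraph above imagines a messaging app doing. Not code from the page, from
// Tatango/US Short Code Directory, or from any registry; the directory, sample
// messages and function names are constructed for illustration.

// Constructed directory: short code -> registered owner, seeded from the codes
// listed on this page. A real client would query the directory/registry instead.
const SHORT_CODE_DIRECTORY = {
  "227898": "Capital One",
  "93557": "Wells Fargo",
  "32665": "Facebook",
  "40404": "Twitter",
};

// US short codes are five or six digits; anything else is an ordinary number.
function isShortCode(sender) {
  return /^\d{5,6}$/.test(sender);
}

// Pull the one-time passcode out of the body: a standalone 4-8 digit run that is
// not the sender's own number (the 227898-vs-939966 confusion described above).
function extractOtp(body, sender) {
  const candidates = body.match(/\b\d{4,8}\b/g) || [];
  return candidates.find((c) => c !== sender) || null;
}

// Which directory owner, if any, the body claims to be from ("From Capital One").
function claimedBrand(body) {
  const lower = body.toLowerCase();
  for (const owner of new Set(Object.values(SHORT_CODE_DIRECTORY))) {
    if (lower.includes(owner.toLowerCase())) return owner;
  }
  return null;
}

// Verdict for one inbound SMS. The body's claim is never trusted on its own; it is
// only compared against who the short code is actually registered to.
function verifySms(sender, body) {
  const otp = extractOtp(body, sender);
  if (!isShortCode(sender)) {
    return { status: "not-short-code", owner: null, otp, note: "long-code sender; directory does not apply" };
  }
  const owner = SHORT_CODE_DIRECTORY[sender] || null;
  const brand = claimedBrand(body);
  if (!owner) {
    return { status: "unknown-sender", owner, otp, note: `short code ${sender} is not in the directory` };
  }
  if (brand && brand !== owner) {
    return { status: "mismatch", owner, otp, note: `body claims ${brand} but ${sender} is registered to ${owner}` };
  }
  return { status: "verified", owner, otp, note: `${sender} is registered to ${owner}` };
}

// Constructed sample messages modelled on the screenshot and the ad discussed above.
const SAMPLE_MESSAGES = [
  { sender: "227898", body: "From Capital One: your verification code is 939966" },
  { sender: "93557", body: "From Capital One: your verification code is 939966" }, // brand/owner mismatch
  { sender: "93733", body: "Wells Fargo alert: we found suspicious card activity" }, // not in directory
  { sender: "+18005551234", body: "Your code is 1234" }, // constructed long-code sender
];
for (const m of SAMPLE_MESSAGES) {
  const r = verifySms(m.sender, m.body);
  console.log(`${m.sender.padEnd(13)} ${r.status.padEnd(15)} otp=${r.otp}  ${r.note}`);
}
```

The “unknown-sender” result is exactly what the 93733 alert in the Wells Fargo ad would produce against a directory that only knows 93557, and a “mismatch” is the case a lookalike message would hit. What this toy does not cover is the re-registration problem raised above: a directory entry is only as good as its freshness, so a real client would also want to know when the registration was last confirmed.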

At the end of the day, it should be easier to stay safe online, even if improving short codes is just an obscure part of the solution. Now to see if I can get Wells Fargo and The Verge to fix their typos.

Popular Company Short Codes

Disclaimer, I have not received messages from all of these numbers, so I cannot verify their legitimacy nor comprehensiveness. Given the issues noted above, these numbers may change or companies may start using additional numbers for SMS communication (Google already has at least 5. They may consolidate or add another).

Facebook: 32665 and 3266

Twitter: 40404

Google: 22000, 23333 and others

Apple: 272273 and others

Microsoft: 365365, 51789 and others

Amazon: 262966, 58988 and others

Capital One: 227898 and others

Chase: 28107, 24273 and others

Wells Fargo: 93557 and others

Bank of America: 73981 and others

American Express: 25684 and others

Intuit: 75341 and others

Discover: 347268 and others

PayPal: 729725777539

Venmo: 86753

AT&T: 88170, 883773 and others

Verizon: 27589 and others

T-Mobile: 37981

FedEx: 37473 and others

USPS: 28777 and others

Walmart: 40303 and others

Twilio: 22395 and others

Uber: 82722289203

Additional Reading

Categories
Thoughts

Economics of driving the Tesla Model 3

Long exposure photo of car lights on a highway at night

So I test drove a Model 3, and I have some thoughts.

Backstory

I feel like everyone has a story about when they got interested in Tesla. For me it was summer of 2012 just before the official release of the Model S. I was at Coit Tower in San Francisco and on the way back to the parking lot when I noticed a black Model S. I don’t remember how I’d heard about Tesla, but when I saw the car that day I remember doing a double take after realizing it was a Model S. Seeing it was so unexpected, but the thing was the coolest gadget: an all electric car with a giant touch screen. From that moment on, I wanted one. The only problem, the price tag was prohibitively expensive. (I settled for buying a few shares of stock in the company, yet not enough to afford a car now)

So six years later, the Model 3 is rolling out to the general public with the allure of a $35,000 Tesla. Still all electric with a giant touch screen, plus crazy features like Autopilot that no one would have imagined possible back in 2012.

Before the test drive, I had never been in a Tesla on the road, let alone driven one. I was purposely avoiding the car, knowing I would want one even more after I went for a test drive. But, TL;DR, surprisingly that wasn’t the case. I’ve spent so many years thinking about the economics of owning a Tesla while listening to others talk about what the cars are like to drive and own. When I got to actually drive the Model 3, I already had my expectations and mind set on not buying one. I tend to be pretty frugal, and try to be rational about buying things that I really need instead of overspending on cool things that are just for fun (looking at you, DJI Mavic…), so I knew going in that the car would be a blast, but an unnecessary purchase for me at this time. Maybe a few years down the road, when my current car starts to show its age and EV costs have been subsidized further by increased production, I’ll finally be ready to get a Tesla. For now, driving a Model 3 was just a fun thing to do on one hazy Sunday morning.

Test Drive Experience

I signed up to test drive the $55,000 model with the long range battery and dual motor. I specifically did not want to try the upgraded Performance model because it was out of my price range (even more so than the mid-tier model), and I didn’t want my first impression to be with the highest end model. The test drive started out with a warning that someone had backed the mid-tier model into a wall, so we’d be driving the high end Performance model. (Um, how does that happen? Aren’t all the cameras and sensors supposed to be able to prevent such a thing from happening? My question went unanswered and we hopped into the car.)

I immediately realized there would be a steep learning curve to understanding the controls. The first thing I usually do when setting out to drive a new car is adjust the mirrors (as I try to be a good driver), but there is no dial on the driver door panel. It turns out you have to tap the “car” button in the bottom left of the screen to bring up the controls menu, but without the sales associate to point me to the menu, this would have been a complicated task of searching through menu options.

Settings & controls

I could see myself sitting in the car for 30 minutes to an hour just figuring out what it can do and customizing it all to my liking. A Tesla feels like a gadget and tries to bring the simplicity of a smartphone design to a car. It works to an extent, and definitely would take time to get used to. When I found myself wondering if there was a setting to adjust the rearview mirror, or if I could just reach up and do it manually, I knew I was a bit overwhelmed by all the changes to the controls. Luckily, the controls for seat position adjustment are still on the side of the seat, so some of your muscle memory may still transfer over. It’s just hard to tell when that’s the case.

Steering

As I drove the 3 out of the parking lot, the first thing I noticed was how heavy the car felt and the weight of the steering. The car feels strong, big, and solid. Turning the wheel takes effort, but not an absurd amount, just enough to give you a firm sense of control. I wonder now if this is another setting Tesla programs into the car. Could there be a “light” steering mode that reduces the tension in the wheel? I don’t know why they would do such a thing, but it seems possible.

Turn signals are confusing.

Because the controls are reduced to a wheel, two stalks, and a screen, many of the controls act differently than in a normal car. The turn signal, for example, always returns to the center, which is confusing because in all the cars I’ve ever driven, a turn signal in the center position means it’s off. Pushing to the up or down position will signal right or left. I learned there is a short and a long press on the turn signal stalk, but I didn’t figure out exactly how it worked. All I know is that as long as you ignore the fact that the stalk always returns to the middle position, you can signal for starting and completing turns by pushing up or down the same way you would in any other car. The 3 is even smart enough to recognize when you’ve completed a turn, but in some cases when I put the signal on too early, the car decided to turn the signal off before I even made it to the turn.

Blast off

In the Model 3, 0 to 40 goes by in a flash, and you don’t realize how fast you’re going because it happened so quickly. Just to reiterate, I was trying the Performance upgrade, so the pick-up probably won’t be as powerful on lower models, but the immediate feedback and roller coaster feel should be transferable. There was a car ahead as I merged onto the highway, so instead of rocketing by at the last minute and leaving that car in a cloud of dust, I decided to play it safe and drive like a normal person.

Enhanced Autopilot, lane keeping, and distance control

The vision system gives the Model 3 a super cruise control mode. In addition to maintaining speed, the car will help you stay in your lane if you start to drift, and keep the same distance from the car in front of you whether that car speeds up or slams on its brakes. Tesla notes, “Enhanced Autopilot includes additional driver assistance features. Every driver is responsible for remaining alert and active when using Autopilot, and must be prepared to take action at any time.”

Full Self-Driving Capability with hands nearby and automatic lane changing

This was just nutty. Pull down twice on the right stalk to engage full self-driving mode, and you can take your hands off the wheel as the car drives itself. The same lane keeping and distance controls apply to the full self-driving mode as they do with Autopilot, but now they are the sole means of maneuvering the car down the freeway. I (eerily) quickly grew accustomed to the car driving me as we stayed in the same lane, but the craziest part is changing lanes. Simply pull down or push up the left stalk to let the car know you want to move left or right. The car determines the lane is clear and moves on over. It’s wild. We’re not quite at the point of removing the steering wheel, but this still feels like the future. Again, Tesla includes a disclaimer, “This functionality is dependent upon extensive software validation and regulatory approval. It is not possible to know exactly when it will be available, as this is highly dependent on local regulatory approval, which may vary widely by jurisdiction.”

Other Tesla and EV specific things

Hold mode keeps the car in place when you push the brake all the way in at a stop. Creep had to be programmed in because EVs do not inch forward the way a gas engine does while idling. Unlike a cell phone or laptop, which has charge limiters built into the battery management, you have to set the max charge for a Tesla yourself (~90% for city driving, and 100% for long road trips). Avoiding a full charge helps keep the battery in good condition for longer.

Features & Pricing

The whole point of the test drive is to make a decision about buying the car, right? So what configuration do you want to get? Most of us bought into the allure of a $35,000 Tesla when the Model 3 was announced two years ago, but we still aren’t quite there yet.

Base configuration Model 3 available in 5 to 8 months

This is all brilliant marketing by Tesla to lure you in with the $35,000 option, anchoring your first impression of the car to a lower price, while only selling configurations that can cost upwards of double the base price for the next 5 to 8 months (as of late August 2018).

So the $35,000 (or $27,500 when considering the $7,500 credit) you were expecting to pay immediately goes up by $14,000 for the Long Range model with rear wheel drive. Want Long Range and Dual Motor? That’s another $5,000, or $19,000 over the price of the base model. You could buy one Model 3 or three cars for $54,000, and that doesn’t even include the “cool” Tesla features like the Autopilot or Full Self-Driving add-ons (an additional $8,000). At the high end, the Performance model can cost up to $80,500. How is that affordable?

A formative view for my understanding of the value of the Model 3 came from Mr. Money Mustache. He thinks about buying a Model 3 while considering cost-per-use in relation to the base $35,000 model and upgrade options.

“I’m thinking of springing for the $9000 long-range battery in my upcoming Tesla Model 3 order” – this one strikes straight at my own heart, because I crave a long range Model 3 myself. But even for a serious roadtripper, this works out to $125 per hour of charging time that you manage to avoid. Aren’t you willing to take a few minutes occasionally to walk around and admire your beautiful car if you get paid $125 per hour after tax for it? If you are, standard range will do.

Calculations:

Tesla Battery Upgrade: The only time you use the longer range is on roadtrips over 230 miles. If you do a 600-mile trip once every month, you have to make two extra 30-minute charging stops per month. Figure the $9000 battery costs you about $1500 in extra capital cost and depreciation per year, or $125 per month. However, if you are a Tesla fan like me and you want the company to make more profit to continue their mission, you may still opt for the extra options since you have nothing better to do with that money anyway.

All wheel drive car: if the car costs $5000 more up-front plus an extra $200 per year in fuel and maintenance, you could estimate it as about $500 per year more expensive to own. Then, how many times do you truly get stuck in a front-wheel drive car with really good dedicated snow tires on winter rims? (because snow tires always come before buying AWD!)

via MMM The Twenty Dollar Swim

If you are trying to decide whether to buy now or wait, a commenter brings up a valid point: “Getting the larger battery gets you the full $7500 tax credit, getting the smaller battery likely doesn’t.” This is because Tesla’s US federal tax credit will begin phasing out at the end of 2018. The full $7,500 will only apply to vehicles delivered (not ordered) before December 31, 2018. Afterwards the credit will decrease by half and expire at the end of 2019.

Let’s consider how this pricing scheme came to be because it all seems a bit out of proportion.

Upgrade Perception

Before we get into Model 3 pricing, first think about what you get by upgrading from public transit to a car (of any kind), then move to what you get for the base line Model 3 and above.

Owning a car is a luxury allowing you to move around on your own time and optimize the routes you drive. You don’t have to adhere to bus schedules, try to find rides with people, or spend time going out of your way. A car takes a psychological load off your mind that gives you the freedom to engross yourself in your work without ever worrying about rushing to make a bus that leaves in the next 5 minutes. In many places a car is not a necessity, but it can be a quality of life improvement.

On the other hand, not owning a car has its upsides. For one, there are significant cost savings when you factor in paying for the car, insurance, gas, tolls, parking, and maintenance. It’s not unreasonable for owning a car to cost upwards of $10,000 a year (with a rough estimate of $400 a month for the loan, $250 for parking and tolls, $150 for insurance, and $150 for gas). Plus, you can get a lot done on the bus/train/taxi when you aren’t the one who must be engaged behind the wheel.

Ok, so for any car you decide to go with (or not), you’ll have to weigh these pros and cons. Driving a Tesla does not magically change the dynamics of owning a car any more than driving a Subaru does (yet; we’ll have to wait for advancements in Autopilot and changes to regulations). If owning a car is a luxury, owning a Tesla is an opulence.

Let’s say you’ve decided against the advice of the Millionaire Next Door and are in the market for a new car under $50,000. What would persuade you to upgrade from a $35,000 Model 3 to a more premium package?

The Model 3 is a curious case of behavioral economics. It is more common for car brands to price multiple models across a $35,000 to $80,500 price range, with visibly distinct prestige attached to owning a higher end car. Just look at the BMW line-up: they (logically) use a numbering scheme that increases with perceived prestige. For the Model 3, the body looks the same for all price configurations of the car; the only distinguishing factor is the tires (and a little badge on the back). Is it any wonder the upgraded wheels cost an arm and a leg? It’s how you show you got the nicer car. Tesla is not the only company to do this. Apple is a constant offender, tweaking iPhone design to make newer models easily recognizable, and adding a big red dot to their latest and greatest watch.

This makes business sense. For a company to make the most from its high end customers in order to subsidize lower end products is nothing new either. Apple also does this with the iPhone and Mac in regard to spec upgrades. The build quality, apps, OS, customer support, and general Apple ecosystem are all the same no matter which type of iPhone or Mac you decide to purchase.

The majority of Apple’s margins come from upgrades that cost them tens of dollars and that they sell to you for hundreds (or thousands).

There’s nothing inherently wrong with this. It’s how Apple continues growing even with a trillion dollar valuation.

when you raise prices and a segment of your customer base will only buy the best, you can achieve higher average selling prices — over $100 higher year-over-year ($796 versus $694) — which means higher revenue.

Charging its best customers more for iPhones wasn’t the only reason Apple’s revenue was higher, though: remember that Apple is making more off of every customer over time via Services. And there is one more piece: Apple is selling its best customers more and more devices.

Apple’s Middle Age via Stratechery

And Tesla is doing the same thing. The baseline $35,000 Model 3 gets you the same build quality, software upgrades, Autopilot hardware, customer service, brand prestige, and roller coaster acceleration. Higher margin cars will subsidize the more affordable models at larger scale; Tesla even called this out as its master plan ten years ago:

  1. Build sports car
  2. Use that money to build an affordable car
  3. Use that money to build an even more affordable car
  4. While doing above, also provide zero emission electric power generation options

Tesla’s Master Plan

However, making business sense does not absolve companies of the psychological manipulation they employ with these pricing strategies. By singling out the one feature you get for a disproportionately large amount of money over the cost of the base product, companies frame upgrades to make you forget about all you get when you initially decide to opt for their product without the extra bells and whistles. Just look at the similarities across the iPad lineup. If Apple only pointed out the commonalities, people would question upgrading, so Apple makes the differentiators big, bold, and right at the top.

Whether you just have money to spend and only settle for the top of the line, or have been saving for years and can wait a few months longer, consider the return on investment when spec’ing out a Model 3 (and anything else you buy). Maybe you ski every day and need all wheel drive, or live so far away from a charging station that the larger battery is a must, but if that’s not the case for you, is the baseline good enough? After all, you’re still getting a Tesla.

So buy now or wait?

This totally depends on your budget. For me, I’ve had my current car for three years, and plan to keep it for at least 10. If you need a new car right now and are looking at a Tesla, maybe this helps you think more rationally about the purchase. A used Chevy Volt is a decent alternative that checks many of the same boxes as a Tesla.

And if you’re set on a Tesla, just consider whether driving down the highway knowing you’re safe with your hands off the wheel is worth $8,000. It is fun to be an early adopter, but why not let others subsidize your cost a bit? Are you going to buy one of these?