Where Angels Fear
Aug 19, 2021

All’s Well That Ends Well — A Warning

I’ve been on the lookout for a good quality VST delay plugin for a while now, but the ones that come with Cubase are perfectly good for core delay effects and, with a bit of tweaking, can be pressed into service in a number of ways other than their immediate use (the multitap delay can be used for pretty much any core delay purpose by selecting the number of repeats and when/where/how they occur ¹ and I like it a lot myself ² ) — and tweaking the sound beyond their capabilities can be achieved by putting other FX plugins in the chain and/or even duplicating the channel as many times as necessary before applying FX to each independently (there’s no actual need for a delay to act as more than a signal repeater, it’s just a matter of convenience).

So … much as I’ve felt that it would be nice to have more variety in a manner similar to the number of reverbs I have available thanks to Convology XT,

3000 presets are more than enough for anyone!

… there have been (and still are) other things I’ve had my eye on as something to get before I go to the expense of purchasing a nice-to-have-but-not-actually-essential delay plugin.

However … I saw an offer that looked too good to be true: $29,99 USD for a bundle of VST plugins that normally cost $520 — a 94% reduction!

It was on a reasonably respectable site, not some dodgy dealer, but one that I wouldn’t normally think of going to when I were interested in music production matters, so … whilst I wasn’t sceptical as such … on the grounds that only one of the plugins held any direct value for me, I wasn’t necessarily inclined to purchase anything from it, even if it meant a 79% reduction on that particular plugin (which still isn’t to be sneezed at).

I made a friend aware of the offer, nevertheless — whilst I might have certain reservations myself, that doesn’t mean I don’t owe it to them to give them first refusal, as it were.

To my surprise, they leapt on it and purchased it ³.

Apparently, the process wasn’t unproblematic, however, and their attempt to do so was rejected twice for no good reason, before they were finally able to complete it.

With 25 hours left to go before the offer was rescinded, my friend informed me that the particular plugin that had interested me (Objeq Delay) was well worth the normal retail price, never mind at a 98% reduction, and was likely to be their go-to delay from now on. When put solely through the delay, sound is coloured a bit, but not immoderately and, although lacking sophistication, the delay and modulation sections are perfectly adequate for core purposes … and they liked the extra features a lot.

And, you gotta admit, it has some nice extra features … which was, in no small way, the reason my interest in it was piqued in the first place:

So … as I trust their ears, kit (particularly their studio monitors), knowledge, experience and, therefore, judgement … I decided, what the hell, with only 24 hours left before the deal ran out, I’d take the plunge. Thirty dollars (US) wouldn’t break the bank and I’d get ten other (mini-ROMpler) plugins as well (not essential, but it never hurts to have extra sounds at your disposal).

And this is where we get to what this particular post is really all about.

I made my first online purchase in 1995.

To put that in perspective, that was over a quarter century ago!

In that time, things have come a long way with regards to fraud detection and prevention and have even advanced beyond the annoying period when, after submitting their details, customers were redirected to a second authorisation process by their bank … which was annoying. These days, the processes in place (not least ‘Know Your Customer’ analysis) mean that … whilst not infallible … most times out of a hundred, we just enter our details, press the [Submit]/[Buy]/whatever button and, so long as we have the funds in our account, are presented with a ‘Thankyou for your money’ notification, an invoice by email and either a download link or a link to a tracking page on the site of the delivery service, if the goods are physical.

In all that time, I have repeatedly advised people that they should never just click on links in emails without first investigating where and what they lead to, never supply their financial details without performing the same thorough investigation first, never send photos/scans of their passport/driver’s licence/credit card/debit card/whatever … to act with extreme paranoia at all times, when it comes to supplying information about themselves or their lives.

So, when, after making my purchase, I could find no way to download my software bundle, I was not impressed.

After some annoying trial and error plus detective work, I created an account at the site and logged in.

I was even less impressed to find that there was not simply no way to download it but that there was a problem with it:

“We are currently acquiring your license for this product. Please check back soon.”

Yeah, that’s not good … I gave them the money, so where’s my f**king software!?

(You should hear me enquire about my money/goods/services in person some time — apparently, I’m quite menacing⁶).

After a couple of hours, I checked again, only to find no update. So, I emailed the vendor enquiring what the holdup was.

In the meantime, after further detective work (it was far from obvious), I discovered that the site account was pointless anyway, because I needed an account with the transaction processor in order to download it.

*sigh*

I created another account, with the transaction processor.

Only to discover that that account was only for the purpose of dealing with the financial side of things and would not be able to supply me with a link to the download(s).

Yet more detective work revealed that creating an account with the software OEM led to a list of purchases that I could download.

Only I still couldn’t download them!

Meanwhile, I got a reply from the vendor …

“Your order is currently on hold queue which is the reason why you haven’t received your license key yet because we were recently notified by our payment processor that the charge made for this order may not have been authorized by the cardholder.

In order to keep your account in good standing, kindly reply to this email indicating that you did indeed intend to make this.

Please note, in order to securely send the requested information, you will be asked to block out any identifying information which could be used for malicious purposes.

We ask that you include the following in your reply:

• A picture of your bank statement showing the charge (please block out other transactions and information). — only if the charge is already showing on your account. — OR-
• A picture of the credit card(s) used showing your name as the cardholder. We only need to see the last 4 digits of the card. For your security, please block out the rest of the numbers.”

Say what now!?

Erm … no.

I’m not doing that.

No way, nohow, nowhere, nowhen am I scanning/photographing a bank statement or bank/credit card and sending it (via email, of all things) to anyone.

That’s how I end up with my bank account drained because the scammers I sent it to in the first place can simply supply it on demand when they are told they need to do so in order to prove they are the cardholder.

Besides which, it doesn’t prove I am the cardholder, only that I am in possession of the card — which I could have stolen in the first place.

This was all very unusual.

I have never had this problem before, nor have I ever been requested to send a photo of my bank statement or my card by any vendor based in any country.

I would have to speak to my bank about this, it’s very suspicious — exactly the kind of thing we are constantly advised to be suspicious of in fact, because it’s the kind of thing scammers say in order to obtain scans/photos of our bank cards, so that they can use them under the same circumstances.

I reply to that effect and, in return, receive the missive that

We’ve reached out to you because our payment processor suspected that this order may not have been authorized by the cardholder. Just to clarify, we are not doing it for our own security but for our customers.

One of the reasons that triggered this, is because your billing address and IP address is not a match.

We were only asking you information that we are already aware of, like the last four digits of your card. We are asking these questions for verification purposes only, if the user provided information that didn’t match what’s in our system, it could mean that it’s a fraudulent transaction.

Sorry, but what?

No, really … what!?

One of the reasons is that my billing address and IP address do not match?

Why even would they? That’s not how IP address assignment even works. There never has been (nor will there ever be) any way for them, or any other party acting as an intermediary or associate, to connect my IP address to my billing address for the purpose of taking a payment from my bank account. Nor would (or will) there ever be any need for anyone to do so in the first place.

Moreover, even if there were any way for that association to be made, it could never (and will never) be possible to do so by enquiring of my bank what my IP address is — my bank has no way of knowing that information and couldn’t supply it.

Furthermore, for all they know, I could’ve been away from home, making the purchase then (before the offer ran out), with the intention of downloading the software upon my return … or to my (or my client’s/employer’s) studio, if that were in a different location — where I purchase something is not relevant to whether my bank authorises the transaction!

It is 2021 — for a long time now, it has been completely normal to make online purchases from a mobile device whilst on the move, never mind whilst signing in from an IP address not connected to a person’s home address or billing address. My IP address is as relevant to whether or not my bank authorises the transaction as is my chest measurement when I order a T-shirt from Amazon (who have no way of determining whether the item of clothing is for myself or a gift for someone else, only whether my bank authorised the transaction based upon the details supplied at the time of purchase).

That is not how TCP/IP works, nor is it how fraud prevention works either.

As said, in the quarter century I have been buying things online, never have I been asked to supply the details for which they were asking in order to make a purchase — even with the more stringent and exacting requirements in place these days, I submit my details, they are processed, the transaction is completed and that’s the end of the matter unless there is some reason why my bank declines to fulfill it, not because some third or fourth party makes some nonsense claim that it cannot match two entirely unrelated (and entirely unrelatable) pieces of information, one of which is entirely irrelevant to the transaction in question anyway.

Not only that, but a subsequent communication from them (after I pointed the above out to them), that

our payment processor requires for you to verify the information being asked in order for your purchase to be approved and your future purchases to not have any issues.

We were only asking information that we are already aware of, like the last four digits of your card. We are asking these questions for verification purposes only, if the user provided information that didn’t match what’s in our system, it could mean that it’s a fraudulent transaction. We do this for your own protection.

… cut no ice with me either: I didn’t have an account, with either them or their payment processor, prior to the initial transaction attempt — so, they had no details in their systems with which to compare the ones I supplied.

Finally, my suspicions were aroused by

  1. their first communication with me being labelled ‘URGENT!’
    What could be urgent about it as far as they are concerned?
    Either my bank/their payment processor clears the transaction or it/they doesn’t. I’m the one who might be troubled because there’s a time limit on the offer, not them.
  2. other emails I started receiving, notifying me that “You left it in your cart, and now it’s selling out!”
    No, actually, I didn’t leave it in my cart, they did — as far as I’m concerned, the initial notification “We are currently acquiring your license for this product” is an indication that, so long as my bank doesn’t outright decline the transaction and refuse to take any further action (which it won’t) then, although it might take a few days, ultimately I’ll be legally entitled to my software bundle at the offer price, because they have notified me of their recognition that the initial purchase took place within the valid offer period, even if there was a delay before it was finally completed.

When people start putting you under pressure to ‘hurry before it’s too late’ … that’s often a sign that they’re trying to get you to part with the money without giving the matter as much attention as you should — meaning it’s often either a scam of some sort or else there’s some ‘small print’ that would discourage you from doing so, if you took the time to digest its meaning first.

In the end, it was all resolved without the need to supply them with any copies of anything, but that’s not the point.

If it had been a scam then it would have been a particularly invidious one.

It’s all too easy to think that, because we have already supplied the information, it’s perfectly safe to supply it a second time when requested by the same party to whom we initially supplied it — it’s only the same thing after all, right?

But the person making the request was an individual, not the secure, automated algorithm to which my data were initially supplied — their motives for requesting it could be nefarious (e.g. to enable them to supply a copy of my card when requested to do so themselves).

In the last ten years, the number of data breaches by internal employees has risen from 25% to 33% of the total number of breaches worldwide. Of course some, if not the majority, will have been down to incompetence/simple accident … but that still leaves a percentage of them being down to criminal activity by people officially employed by the entity that promises to keep your details secure. Just because the person reaching out to you works for the organisation with which you are engaging, that doesn’t mean that they aren’t engaged in criminal activity.

Additionally, it’s all too easy to lose sight of the fact that many (if not most) businesses don’t supply customer/technical services themselves but outsource them — we think we’re dealing with a second party when, in reality, we’re dealing with a third (or even fourth) party somewhere else.

And it’s even easier to lose sight of all that and become complacent when feeling pressured into supplying information, or performing some action, when subject to a time limit: you don’t have time to examine everything closely and notice the imperfectly disguised signs of structural problems, or reflect upon some of the answers to your questions … if you don’t make the deposit on the apartment/house now, someone else (with whom the realtor claims to have made a viewing appointment immediately after you leave) might, and you might not get it — hurry up, decide, decide … you don’t have time to go away and think about things, you have to say ‘yes’ now or it might be gone, say yes now!

I don’t like being put under pressure like that … and it always arouses my suspicions.

On top of that, even if it weren’t a scam … just poor procedures set in place by people clueless about the issues surrounding them … there’s the fundamental problem of sending scans/photos of documents via email.

Seriously … no — just no.

Email was invented during a simpler, more innocent era. It is fundamentally unsecure and, by its very nature, can never really be made secure: even when encrypted, the second someone opens your missive, the plain text (plus attachments) are available for anyone to save, screenshot or forward to any number of other parties … or even cached on a server maintained by their service provider — if it’s Google, you can be sure that anything unencrypted that you send will be scanned as soon as the server receives it … and even if encrypted, if the user relies upon webmail rather than a local email client, as soon as they log into their email account (so, don’t communicate anything confidential by email with anyone using Gmail or Outlook365, is my advice).

Once that attachment has been opened, a copy of it is cached somewhere (possibly in multiple locations) and just waiting for an accident or nefarious activity to make it available to people to whom you would never voluntarily supply it in a million years.

No matter how legitimate the request for it, do not scan/photograph your bank card, passport/ID card, birth certificate, medical details, bank statement … anything … and email it to anyone, for any reason, ever! If they can’t supply a secure means to supply them with that information, they aren’t people to whom you should entrust it in the first place — even if only because they are ignorant and, therefore, incompetent, rather than criminally inclined.

As said, all’s well that ends well and, in the end, the problem was resolved without the need for me to send them any copies of anything … so, there doesn’t appear to have been any cause for concern about criminality only incompetence.

But, if I hadn’t stepped back and thought about things … noting that their remarks made no sense not merely from a technical perspective (there’s no way for anyone other than my ISP to link my IP address with my bank account, nor is there any need to) but from a practical one (they can’t compare the supplied data with anything in their systems, if it’s the first time the data have ever been supplied) … then, under pressure to resolve the issue and save $490 USD ‘before it’s too late’, I might (especially if I weren’t as technically knowledgeable and experienced as I am) have foolishly supplied them with what they were asking for and fallen prey to a scam designed to obtain a scanned/photographed copy of my bank card in order to make use of it for nefarious purposes at a later date.

TL;DR

No matter how legitimate the request for it might appear … or might even actually be … do not scan/photograph your bank card, passport/ID card, birth certificate, medical details, bank statement … anything … and email it to anyone, for any reason, ever!

There are no legitimate reasons for anyone to request that you do so … not even if it’s down to ignorance and incompetence, rather than any criminal motivation, on their part.

And, if you can’t avoid supplying the thing requested altogether … e.g. it’s the government demanding it from you or it is otherwise legally mandated for some reason … then insist upon a secure method by which to do so.

[ADDENDUM]

The delay is pretty sweet … and the ROMplers have some eminently usable sounds in them as well. Although the particular offer is now over, whilst I wouldn’t necessarily advise anyone to try to build the specific bundle for themself by purchasing all the elements individually, many of them are on offer from the OEM directly at 50% off right now — and I’d even consider paying full price for Objeq Delay at some future date, if I hadn’t now already got it⁷.


¹ Yes, it’d be overkill but, if the processing overhead of the multitap won’t present an issue, you can eliminate the need for the simple stereo and mono delay plugins altogether and rely upon it for pretty much all your needs.

² It’s not something you’d want to apply very often, but the Down South Slapping Chords preset is a particular favourite starting point for when I want to add an extra sense of the ethereal/melancholy — there’s a real sense of ‘landscape’ about it (you can see the empty marshland/swampland in your mind’s eye).

³ When I’ve mentioned my desire for a bit more choice re delays in the Past, they’ve not been dismissive but, like me, have remarked that, sure, it’s a nice-to-have but not essential and there are other things they’d be inclined to spend money on before that — so I was expecting them to observe that, yeah, the price reduction on the bundle was astounding but they had no need for anything in it, not immediately purchase it themself!

⁴ Besides which, that’s an inevitability anyway — either the hardware will do it, if it’s an outboard unit, or the algorithmic choices will have an impact when they overlap the source’s sound and/or other interpolated copies of the delayed sound.

⁵ A lot of people spend more than that on cigarettes alone in a single week!

⁶ In a “Well you tell your brother that, if he ain’t there with my money when I get there, I’ll break both your f**king legs” kinda way 😉

⁷ It really is very flexible and, when automated, the extra features (LFO, filter, object and even the mixer) make it capable of creating an ever evolving sound.
