
January 07 2011

ePayments Week: McAfee worries about mobile security

Here's what caught my attention in the payment space this week:

Android, iOS, and geolocation services all on McAfee's endangered list

Urban legend has it that when Willie Sutton was asked why he robbed banks he replied, "That's where the money is." No surprise then that as mobile commerce grows, so does its lure to black-hats. McAfee Labs released its 2011 Threats Predictions, which cites mobile operating systems (Android and iOS) as well as abuses tied to location services like Facebook Places, Gowalla, and Foursquare. The fast growth of smart phones is likely to make 2011 "a turning point" in threats to mobile devices, McAfee's report says, adding that the loose integration of these devices with business systems makes this threat particularly worrisome. The report also expressed concern about the rise of URL shorteners which, because they hide the code about to be launched, represent a "huge opportunity for abuse."

Stirring the Hotpot in Portland

Google takes another step toward deployment of near-field communications (NFC) transactions with its current Hotpot promotion in Portland, Ore. Hotpot, Google's local-recommendation service, is designed to integrate with Google Places and make it easier for folks to post reviews and see what others think about local businesses. Google says it's working with hundreds of vendors in the Portland area to whip up interest in the program. While we expect that Android phones will soon be capable of using NFC technology to handle payment transactions with a tap or wave of the phone, the Hotpot trial uses an NFC chip embedded in stickers that merchants can place in their windows to show they're fans of Google Places. Anyone with a newer Android phone (like the Nexus S) can tap the sticker to learn more and get reviews of the business.

How will Facebook spend it?

While the business press analyzed the financial implications of Goldman Sachs' $450 million investment in Facebook this week (including some scrutiny over which investors were offered in and why), the rest of us wondered how Zuckerberg and company would spend that money, along with the $50 million it raked in from Russia's largest Internet company, Digital Sky Technologies. VC Circle, which focuses on investment news from an Indian perspective, wondered if, in addition to beefing up its international footprint (hiring in more countries, improving its local language capabilities), Facebook might invest its new funds to improve its mobile platform. VC Circle noted that roughly one third of Facebook's 600 million members access the site from mobile devices at least part of the time and that Facebook could do more to allow them to tailor their interface to suit whatever device they prefer to use. That optimization is likely to become more important as Facebook pushes its Places program and any commercial tie-ins (like discounts or coupons) that may accompany it.

Got payment news?

Suggestions are always welcome, so please send tips or news here.

If you're interested in learning more about the payment development space, check out PayPal X DevZone, a collaboration between O'Reilly and PayPal.

October 25 2010

What to consider before shortening links

Chances are, you're reading this article after clicking on a shortened link. And if, like many modern infovores, your online reading is driven by your social network rather than your feed reader, most of the pages you've visited today were mediated by a shortened link.

Link shorteners have become ubiquitous over the last few years, and they're an increasingly important part of the social fabric of the web. But is that a good thing?

Below I explore some of the issues to be aware of, both as a user of link shortening services and a consumer of shortened links.

A brief history of link shorteners

Link shorteners have been around for a number of years. Wikipedia notes that the first link shortening service,, launched in 2002. Back then the primary need for shortened links was avoiding line-wrapping issues, which could break long links in some email readers. In the years since, the web development community has recognized the utility of simple, readable URLs that are free of implementation cruft. URLs tend to be tidier than they once were. But the need for even shorter URLs has been driven by constrained user interfaces, either because of hardware issues or artificial constraints imposed by particular services. It's no fun entering long URLs on a mobile device, and who wants to waste tweet space on URL characters?

The sharp rise in the number of shortening services -- there are more than 180 services in this list -- has been accompanied by a race to the bottom: who can generate the shortest URLs by creative use of domain name registration and by compressing URLs into as few characters as possible?

But while brevity might bring users to a service, it doesn't necessarily bring revenue. Value-added mediation features, such as access to click-through statistics on individual URLs, have given services another dimension.'s live usage statistics, and its previously close relationship with Twitter, has made it beloved by many. The statistics and other services offer combine web analytics with your social media influence. They answer the question: How much traffic did you drive today?

Issues with URL shorteners

The issues surrounding URL shorteners all follow from the shorteners acting as an intermediary for destination websites.


As more web users find new content via shortened links, certain shorteners may emerge as considerable referral generators for some sites. If a service goes down, traffic could be temporarily blocked.

We don't often think of the web as a long-term medium, but we should. There's very little truly ephemeral content on the web anymore. The 301Works project from the Internet Archive is intended to address the issue of URL shortening services going permanently offline, providing an escrow service for link shorteners with the hope of preserving the integrity of more of the web. And, as recently illustrated by the take-down of, there are more than just financial reasons why a site might go offline. Legal and ethical issues can arise, requiring developers to consider more than just what makes a short or cool-sounding domain name.

Some sites now offer their own domain-specific URL shorteners (e.g.,, that don't suffer from the same issues. These are more likely to offer the same resilience and stability as the sites themselves. As a user, you're better off turning to these services where available.


It's hard to tell what's at the end of a shortened link. From a user-interface point of view this can be frustrating. How many times have you followed a link in a tweet to find that it's actually something you've already read? But that lack of visibility can be more than just frustrating; it's also a possible vector for a phishing attack.

Not everyone pays attention to the URLs they're visiting, and an unwary user can easily be taken advantage of through a seemingly innocuous shortened link. They're a great way to hide a phishing site, exploit scripting vulnerabilities, or just avoid spam blocking. (Eric Hellman has created a nice list of "evil uses for URL shorteners.")

If a URL shortener is hacked, as happened with, then once innocuous links can suddenly become spam vectors.

Some services do apply a spam filter to shortened links, while others offer a preview mode or tools to increase visibility of the destination site. However, in the latter case, the user of the link usually has to take some additional action before following a link, making these less than ideal.

Again, domain-specific URL shorteners are likely to be more secure, if not more transparent, than third-party services.
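
The visibility problem described above can be checked mechanically by expanding a short link one hop at a time before anyone opens it. The sketch below is an added example, not code from the original article; the hosts, the `SAMPLE_REDIRECTS` table and the `expand` helper are constructed for illustration, and the table stands in for HEAD requests made with redirect-following disabled.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: maps a URL to the Location header a HEAD request
# would return (None means a non-redirect response). All hosts are made up.
SAMPLE_REDIRECTS = {
    "http://sho.rt.example/a1": "http://trk.example/r?id=9",
    "http://trk.example/r?id=9": "/landing",  # relative Location header
    "http://trk.example/landing": "https://news.example/story",
    "https://news.example/story": None,
    "http://sho.rt.example/loop": "http://sho.rt.example/loop2",
    "http://sho.rt.example/loop2": "http://sho.rt.example/loop",
    "https://sho.rt.example/dg": "http://plain.example/login",
    "http://plain.example/login": None,
}

def sample_lookup(url):
    """Stand-in for a HEAD request with redirects disabled (assumption)."""
    return SAMPLE_REDIRECTS.get(url)

def expand(url, lookup=sample_lookup, max_hops=5):
    """Walk a redirect chain hop by hop without fetching any page body."""
    chain, warnings, seen = [url], [], {url}
    while True:
        location = lookup(chain[-1])
        if location is None:          # reached a non-redirect response
            break
        nxt = urljoin(chain[-1], location)  # resolve relative redirects
        if nxt in seen:
            warnings.append("redirect loop")
            break
        if len(chain) > max_hops:     # chain already holds max_hops hops
            warnings.append("too many hops")
            break
        prev, cur = urlsplit(chain[-1]), urlsplit(nxt)
        if cur.scheme not in ("http", "https"):
            warnings.append("non-web scheme: " + cur.scheme)
            break
        if prev.scheme == "https" and cur.scheme == "http":
            warnings.append("https downgraded to http")
        chain.append(nxt)
        seen.add(nxt)
    hosts = [urlsplit(u).hostname for u in chain]
    if len(set(hosts)) > 2:           # more than shortener plus destination
        warnings.append("passes through intermediate hosts")
    return {"chain": chain, "final": chain[-1], "hosts": hosts, "warnings": warnings}
```

A mail gateway or chat client can show `final` next to the short link and hold back anything that returns warnings, which removes the extra click that preview modes require of the reader.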


URL shorteners inevitably add overhead, requiring additional DNS lookups and HTTP requests. Domain-specific shorteners suffer in this regard just as much as third-party systems. Waiting for an additional web request can be particularly irritating on patchy mobile connections. For many users it won't be clear where performance issues lie: Is it the link shortener or the target service that's slow?

The role URL shorteners play in routing increasingly large chunks of Internet traffic makes their performance significant. It also makes them a highly visible target for denial of service attacks.

(Note: Here's an interesting dashboard that provides some insight into up-time and performance for a selection of shortening services.)


An often overlooked issue with URL shorteners is that they have the ability to track the links you're following across the web. Several services hand out tracking cookies as links are followed. It's this facility that underpins the shorteners' ability to offer usage statistics, although none yet offer the ability to track individual users. But, if you're the type of person who is concerned about how your Internet usage is being recorded, then this is yet another avenue to consider.

Summing up

In all likelihood, URL shorteners are here to stay. As users and developers of web services we ought to understand when they are and aren't useful, and what alternatives are available. Domain-specific shortening services avoid many of the issues identified here, but they don't offer the same cross-site analytics that are the unique selling point of third-party services.

Disclosure: O'Reilly uses Pro for its shortened domain, O'Reilly AlphaTech Ventures (OATV) is also an investor in


September 13 2010

Why Twitter's is a game changer

Twitter has been open with its data from the start, and widely available APIs have created a huge variety of applications and fast adoption. But by making their platform so open, Twitter has fewer options for monetization.

The one thing they can do that nobody else can -- because they're the message bus -- is to rewrite tweets in transit. That includes hashtags and URLs. Twitter could turn #coffee into #starbucks. They could replace a big URL with a short one. And that gives them tremendous power.

Twitter recently announced a new feature that makes this a reality. The URL shortener -- similar to those from,, and tinyURL -- might seem like a relatively small addition to the company's offering. But it's a massive power shift in the world of analytics because now Twitter can measure engagement wherever it happens, across any browser or app. And unlike other URL shorteners, Twitter can force everyone to use their service simply because they control the platform. Your URLs can be shortened (and their engagement tracked by Twitter) whether you like it or not.

Web marketers obsess over the "funnel" -- the steps from first contact to purchase. They try to optimize it constantly, tweaking an offer or moving an image. They want to know everything about a buyer or a visitor.

While every click of a visit to these marketers' sites is analyzed with web analytics, it's much harder to know what people are doing elsewhere on the web. Modern marketers crave insight into two aspects of online consumers' behavior.

  1. They want insight into the "long funnel" -- what happened before someone got to their site that turned a stranger into a visitor.
  2. They want to measure engagement -- more than just knowing how many people a message might have reached, they want to know how many acted on it, regardless of where that link took them.

Web analytics is a huge industry, but the tools marketers rely on to understand visitors are breaking.

Cookies, long the basis for tracking users, need web browsers to store them. In a world where we share URLs via email and social networks, those cookies get lost along the way, and with them the ability to track viral spread of a message. Invasive practices like toolbars and cross-site tracking cookies that try to tie users across websites have triggered huge consumer backlash (that hasn't stopped them from becoming common). Despite adoption, cross-site tracking cookies' days are numbered. This is one of the reasons companies like Tynt are finding other ways of following the spread of messages.

If you're a nosy marketer, it gets worse. We're moving from a browser-centric to an app-centric world. Every time you access the Internet through a particular app -- Facebook, Gowalla, Yelp, Foursquare, and so on -- you're surfing from within a walled garden. If you click on a link, all the marketer sees is a new visit. The referring URL is lost, and with it, the context of your visit.

This is why short URLs are so important. URLs survive the share. Because the interested reader is forced to go to the URL shortener to map the short URL to the real one, whoever owns the shortener sees the engagement between the audience and the content, no matter where it happens. That's why URLs are the new cookies.

Web analytics, marketing and points of control will be discussed at Web 2.0 Expo NY. Radar readers can save 20% on registration with the code "radar."

According to a Twitter email, will "wrap links in Tweets with a new, simplified link." There's good reason to believe this will become the dominant URL shortener. Here's why:

  • Twitter is adding malware detection to the links it shortens.
  • links will include a custom display that shows more of the destination before you click on the link.
  • The company has Twitter clients on most mobile devices, where it can make the default shortener if it wants.
  • The extremely short URL saves precious characters.

Back in late 2008, Twitter was looking for ways to monetize its platform. With, Twitter has found a product marketers will embrace if they want to understand how the world interacts with the messages they put out there.

By now, it's clear that Twitter is not just a site. It's a protocol for asymmetric follow. It's a message bus for human attention. It's able to force every Twitter user to let it know when an interaction happens, simply by changing URLs.

This is the real value of the company -- not just knowing what people are talking about, but knowing which things prompt an action, wherever that happens.

