How to prevent Buy Now, Pay Later frauds

Buy Now, Pay Later (BNPL) can be considered the modern incarnation of the old installment plans that some brick-and-mortar stores used to give their customers. BNPL is often available on major e-commerce websites. Upon checkout, customers just have to select the BNPL option and their repayment schedule. There is usually no upfront payment required. Customers just need to start paying 1 or 2 months later, with monthly installment payments. The installments are often interest-free which makes them highly attractive to cash-strapped buyers.

Juicy target for fraudsters

Since BNPL is usually targeted at those who are less affluent, credit checks might not be as stringent as they are for normal credit card purchases. This exposes merchants to a higher risk of being defrauded. Stolen identities and credit cards can be used to make purchases, which will end up as chargebacks against the merchants.

What can merchants do to protect their online stores?

At the very least, merchants should incorporate SMS verification as part of their e-KYC process for BNPL customers. When fraudsters have to present their mobile phone numbers for identity verification, they will be more reluctant to press their luck. After all, how many different mobile phone numbers can they get to perform their fraudulent activities? Not many, right?

That said, you cannot always assume they won’t have access to many phone numbers. This is especially true if you’re dealing with a professional fraudster or huge national criminal syndicate. For this reason, screening your customer’s details via a fraud prevention service is key to protect your business revenue.

The solution I use myself in my own billing systems is called FraudLabs Pro. The great news is that they even have a FREE micro plan, which is suitable for small shops or startups that only need to do <500 fraud checks per month.

How FraudLabs Pro can help prevent BNPL frauds?

First of all, FraudLabs Pro has multiple blacklists to check against user and credit card data. These are powered by the FraudLabs Pro Global Merchant Network. Merchants around the world using FraudLabs Pro help to protect each other from fraud by reporting whenever they encounter a fraudulent transaction. All of these contributions are then utilized in real-time to protect others on the network.

FraudLabs Pro can see when fraudsters make multiple purchases by tracking their email address, IP address, etc. Fraud patterns can be observed and merchants have the option to customize fraud rules to flag orders for manual review or reject straightaway. This eases the workload on the merchants to check for frauds.

How hackers can see your SMS texts and bypass 2FA security

source: https://theconversation.com/
Authors: Syed Wajid Ali Shah, Jongkil Jay Jeong, Robin Doss

It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system.

It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks.

But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.

So what’s the problem with SMS?

Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks.

For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider they themselves are the victim, and then requesting the victim’s phone number be switched to a device of their choice.

SMS-based one-time codes are also shown to be compromised through readily available tools such as Modlishka by leveraging a technique called reverse proxy. This facilitates communication between the victim and a service being impersonated.

So in the case of Modlishka, it will intercept communication between a genuine service and a victim and will track and record the victim’s interactions with the service (including any login credentials they may use).

In addition to these existing vulnerabilities, our team have found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your Android device.

Due to syncing services, if a hacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone. Shutterstock

If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone.

The attack on Android

Our experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronise user’s notifications across different devices.

Specifically, attackers can leverage a compromised email/password combination connected to a Google account to nefariously install a readily-available message mirroring app on a victim’s smartphone via Google Play.

This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure.

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.

For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA.

Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.

The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim’s smartphone.

What’s the alternative?

To remain protected online, you should check whether your initial line of defence is secure. First check your password to see if it’s compromised. There are a number of security programs that will do this for you, such as Bitdefender, which includes digital identity protection. You should also check Have I Been Pwned, which will tell you if your email address or phone number has been part of a known breach.

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use apps that provide one-time codes, such as Microsoft Authenticator or Authy. The option to store these codes also exists in many popular password managers. In this case the code is generated within the Authenticator app on your device itself, rather than being sent to you.

However, this approach can also be compromised by hackers using some sophisticated malware. The best solution would be to use dedicated hardware devices such as YubiKey.

The YubiKey, first developed in 2008, is an authentication device designed to support one-time password and 2FA protocols without having to rely on SMS-based 2FA. Shutterstock

These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable 2FA across different services.

Such physical devices need to be plugged into or brought into close proximity of a login device as a part of 2FA, therefore mitigating the risks associated with visible one-time codes, such as codes sent by SMS.

It must be stressed an underlying condition to any 2FA alternative is the user themselves must have some level of active participation and responsibility.

At the same time, further work must be carried out by service providers, developers and researchers to develop more accessible and secure authentication methods.

Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple methods of authentication are simultaneously deployed and combined as needed.

If you need help with security, 2FA, password managers etc, get in touch.

Protect Yourself from Pegasus – the Most Advanced Mobile Spyware in the World

There can be a fine line between malware and dubious applications, but NSO’s spyware Pegasus is so far past that line that you can’t even see it anymore.

We often hear of strains of malware distributed in third-party app stores, and sometimes they even make it past the gates and we find them coming from official sources. What separates Pegasus from the rest is that it’s likely the most advanced spyware ever identified in the wild. The reason is simple: it exploits zero-day vulnerabilities in popular applications such as WhatsApp, iMessage and FaceTime to infect smartphones.

The NSO Group has been around for half a decade and specializes in selling government-grade spyware to a select pool of customers such as governments and law enforcement agencies. They’ve always asserted that law agencies and other institutions use their software for legitimate reasons. However, it’s challenging to find corroborating evidence since such agencies won’t admit to buying or using spyware.

It turns out that people can protect their iOS and Android devices from Pegasus if they only take one extra step.

Imagine a world without privacy

Spyware is a category of malware that grants third parties access to private information, including photos, files, messages and call records from apps that are supposedly safe from such interference. The applications targeted by Pegasus are some of the most secure communication apps in existence: WhatsApp, Facebook, Twitter, Skype and Gmail.

Operators wielding this spyware would also be able to take screenshots, exfiltrate photos and directly access the phone’s camera and microphone. Since our smartphones are constantly at attention, attackers would have a 24/7 window into a target’s life.

The process of compromising a device begins with the exploitation of the software to circumvent the built-in safety features. Once the device has been “rooted” or “jailbroken”, an application can have unrestricted access to stored data and other apps running on the phone. However, the compromised mobile phone remains open to all types of attacks even after the government-sanctioned data collection program has finished.

Fortunately, there is still hope for people who use security solutions and take the precautions they need to guard their digital lives.

No one is safe from attack, but everyone can be protected

It is possible to protect our digital life by taking several common-sense measures that dramatically limit the success rate of a potential Pegasus attack:

  • Install applications from legitimate sources only. Avoid installing apps sent as links over messaging platforms, as they may be compromised.
  • Always install OS updates and security patches as soon as they become available. If you are planning to leave the country for a vacation or business trip, make sure that your device is fully patched before you leave your home. Most mobile phones don’t download bulky updates via 4G, particularly when roaming on a foreign network.
  • Set a PIN- or pattern-based lock screen to prevent unauthorized physical access to your device.
  • Regularly check which apps have device administrator privileges on your device and revisit your security choices if needed.

It’s easy to think we’re all set if we have all these boxes checked. But attackers have been known to deploy zero-day vulnerabilities, which means they’ve managed to compromise fully patched and up-to-date devices.

This is also why you need a security solution to automate security decisions, such as Bitdefender Mobile Security app on iOS or Bitdefender Mobile Security for Android, which first identified the Pegasus spyware back in 2017 and, over the years, has constantly improved detection to keep up with this ever-improving spyware framework.

While mobile platforms give the impression of heightened security, Pegasus is a stark reminder that, as long as your device connects to the internet, it will never be safe as-is. The need for security solutions is now more evident than ever.

Solving common Mac Issues

Guest post by Justas Markus

What Are Some Mac Issues You Might Encounter?

When compared to other computers, MacBooks are quite reliable as far as their performance goes. It should not come as a surprise either, given how expensive Macs are.

Nevertheless, after a while, you are bound to run into some issues. MacBooks are like other computers in the sense that they do not last forever. 

Thankfully, quite a few issues are manageable and should not require too much time. Let’s take a look at what you can expect to deal with on an older MacBook. And remember that knowing in advance will give you an advantage because you will know how to counter these performance problems.

Overheating

Overheating should not be that much of an issue if you use the MacBook in a ventilated room. However, the issue usually lies in dust accumulation.

The filth that accumulates over time inside the MacBook will not disappear by itself. You will need to remove it. If you lack the experience, you will be reluctant to take the laptop apart to clean it thoroughly. 

Paying a professional you can hire online or at a local computer service store will cost money, but at least you will not have to worry about potentially damaging the hardware.

If the issue persists despite cleaning the dust inside, spend time tinkering with the internal fans. Knowing how to increase and how to decrease Mac fan speed would give you some leeway on managing the computer’s temperature.

Lastly, if the internal fans do not cut it, invest in a cooling pad. This accessory is relatively cheap, but it provides fresh air to the MacBook’s hardware and keeps it cool.

Poor Wi-Fi Signal

Getting in touch with your ISP should be the first thing you want to do when there are problems with the Wi-Fi signal. If the internet provider confirms that things are okay from their end, you will have to seek solutions elsewhere.

Start by reconnecting to the network. Restarting the computer might also be one of the possible solutions.

You might have some third-party peripherals at your house that are interfering with the Wi-Fi signal. A microwave oven or a wireless printer are examples of such peripherals that jam the signal.

In case you still cannot fix the problem, you might have to switch to an ethernet cable rather than a wireless connection. An ethernet cable would limit the laptop’s portability, but it provides a better internet connection.

Flickering Screen

A flickering Mac screen can get on your nerves quite fast. You might find that resetting the MacBook is enough to solve the problem, but such a solution is usually temporary. 

More often than not, the flickers appear due to the incompatibility between the operating system and the graphics processing unit. If you noticed that the flickering started after you updated macOS, you would need to switch back to an older version and wait for a hotfix from Apple to take care of the problem. If more users report the same issue, it usually does not take too long for macOS developers to release a new update.

Storage Problems

MacBooks are not the best when it comes to the total available space on the drive. If you run out of free space, you will notice that the overall performance slows down.

There are a few things to consider when dealing with storage problems on the MacBook. Try the following:

  • Delete old applications, localization files, temporary system storage junk, and other unnecessary files
  • Transfer some data to iCloud or an external HDD
  • Use streaming services instead of hoarding large media files on the MacBook’s drive

FPS Drops in Video Games

Dropping frames in video games is quite annoying when you want to enjoy your hobby. Macs do not come with the best hardware in the first place, so it is quite difficult to find many games that you can run on this platform. Nevertheless, some indie games should still perform optimally. 

If FPS drops are too much of an issue, tinker with in-game settings. If lowering the graphics does not help, check the Activity Monitor and quit redundant background processes to free up more resources.

Finally, make sure the system is malware-free. Even minor viruses can snowball and cause performance problems, including FPS drops in video games. 

Slow Internet Browser

A slow internet browser is not necessarily related to the MacBook. Some people go overboard with extensions and install more than their internet browser can handle. 

Too many active browser tabs are known to cause issues as well, especially if you use a resource-heavy application like Google Chrome.

Finally, get in the habit of regularly clearing browser caches. You should remove the cache at least once every couple of months.

Why fraudsters create fake accounts?

Fraudsters are everywhere on the Internet. If you run a website that allows users to create an account in order to access goods or services then you will definitely encounter your fair share of them. For the purpose of this article, we’ll cover 2 types of such fraudsters.

Plus, the amount of online fraud has dramatically increased over the last couple of years due to the worldwide pandemic, which, according to the latest print on demand eCommerce stats, is due to the online business market growing like crazy.

Credit card fraudsters

This is the type of fraudster that you’ll see frequently if you run an online business. They will create multiple fake accounts with various email addresses, often using free or disposable email providers. For them, it’s a form of anonymization to cover their malicious activities. As far as the online merchant is concerned, they are different people because the email address is different.

After creating multiple fake accounts, the fraudster will then attempt to purchase multiple items at the website using stolen credit cards. With different accounts and varying email addresses, it’s often hard to manually trace the culprit. In the end, the online merchant will suffer severe financial losses from chargebacks by the legitimate card owners.
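A sketch of the kind of automated linking that makes these accounts traceable, covering both the email/IP tracking described in the BNPL post above and the multi-account pattern described here. This is an added example, not FraudLabs Pro's algorithm or API: the signups, the disposable-domain list, the field names and the review/reject thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample list; a real deployment would use a maintained feed.
DISPOSABLE_DOMAINS = {"mailinator.com", "disposable.example"}

# Constructed signups: documentation IP ranges, made-up card fingerprints.
SIGNUPS = [
    {"id": "A1", "email": "j.smith+shop1@gmail.com", "ip": "203.0.113.7", "card_fp": "fp_aaa"},
    {"id": "A2", "email": "jsmith+shop2@gmail.com", "ip": "198.51.100.20", "card_fp": "fp_bbb"},
    {"id": "A3", "email": "temp123@mailinator.com", "ip": "198.51.100.20", "card_fp": "fp_ccc"},
    {"id": "A4", "email": "other@disposable.example", "ip": "192.0.2.55", "card_fp": "fp_ccc"},
    {"id": "A5", "email": "alice@example.org", "ip": "192.0.2.10", "card_fp": "fp_ddd"},
    {"id": "A6", "email": "bob@example.net", "ip": "192.0.2.11", "card_fp": "fp_eee"},
    {"id": "A7", "email": "x9@mailinator.com", "ip": "192.0.2.77", "card_fp": "fp_fff"},
]


def normalize_email(email: str) -> str:
    """Collapse cosmetic variants that deliver to the same mailbox."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]  # heuristic: drop "+tag" sub-addressing
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")  # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_disposable(email: str) -> bool:
    return normalize_email(email).rpartition("@")[2] in DISPOSABLE_DOMAINS


def link_accounts(signups):
    """Union-find: accounts sharing any attribute end up in one cluster."""
    parent = {s["id"]: s["id"] for s in signups}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for s in signups:
        keys = (
            ("email", normalize_email(s["email"])),
            ("ip", s["ip"]),  # caveat: shared NAT or mobile carriers link strangers
            ("card", s["card_fp"]),
        )
        for key in keys:
            if key in first_seen:
                parent[find(s["id"])] = find(first_seen[key])
            else:
                first_seen[key] = s["id"]

    clusters = defaultdict(set)
    for s in signups:
        clusters[find(s["id"])].add(s["id"])
    return list(clusters.values())


def screen(signups, review_at=2, reject_at=4):
    """Return {account id: 'accept' | 'review' | 'reject'} (illustrative rules)."""
    size = {}
    for cluster in link_accounts(signups):
        for account_id in cluster:
            size[account_id] = len(cluster)
    decisions = {}
    for s in signups:
        if size[s["id"]] >= reject_at:
            decisions[s["id"]] = "reject"
        elif size[s["id"]] >= review_at or is_disposable(s["email"]):
            decisions[s["id"]] = "review"
        else:
            decisions[s["id"]] = "accept"
    return decisions


if __name__ == "__main__":
    for account_id, decision in screen(SIGNUPS).items():
        print(account_id, decision)
```

No single attribute ties A1 to A4, but the chain of shared mailbox, IP address and card fingerprint puts all four in one cluster.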

Spamming fraudsters

Now, these guys are everywhere in forums, blogs, review sites, etc. They are often paid shills that are given the task of promoting some dodgy websites or giving fake reviews to boost the status of a questionable product. They just keep spamming everywhere that they can post their website links as well as any review sites.

Similar to the credit card fraudsters, they hide behind the identities of multiple email accounts. Without an automated screening tool, it would be next to impossible to identify all such accounts. Using mass spamming bots, they can severely compromise the integrity of review sites as well as degrade the usage experience of the normal web users.

How to limit the fake account issue?

In the case of the credit card fraudsters, online merchants can use FraudLabs Pro, which offers both plugins and APIs to screen out fraudulent credit card transactions. The highly sophisticated algorithm in FraudLabs Pro, coupled with blacklists powered by feedback from other merchants, makes it a highly effective screening tool to block the transaction.

Since both types of fraudsters rely on fake accounts to perform their nefarious deeds, the use of the FraudLabs Pro SMS Verification is another tool to prevent the fraudsters from signing up with multiple accounts. By requiring a mobile phone number to receive the One-Time-Passcode (OTP) for verification, it is a lot harder for bad actors to successfully sign up for multiple accounts.

In the case of blocking the scammers and spammers on your website, there are plenty of tools available to fight the spammers, and the right one very much depends on what your website is built with. One of the most popular solutions is Cleantalk, which can be installed on any website, and blocks spam silently in the background. No annoying captcha or math problems for users to solve.

For added security against other kinds of threats/issues, I recommend Sucuri, which is a web application firewall/proxy service that sits in front of your website and filters all requests for malicious activity and blocks them before they ever reach your website.

For customers using WordPress, it is also critical to have a security plugin to monitor your WordPress installation and protect against malware. A popular passive solution is Malcare, which will detect and automatically remove malware, which is great for sites which are not being professionally managed. At the very least it is recommended to have the free versions of the Wordfence or Sucuri plugins.

Conclusion

Deploying at least basic security/protection doesn’t need to cost you an arm and a leg, in fact in many cases it is actually FREE. The FraudLabs Pro protection is an easy and fast way to limit the potential damage that fraudsters can do to your website and your reputation. Their Micro plan is completely free, so there is no reason not to give it a try.

FYI I do use all the above services myself for both myself and many of my clients.

As usual, if you need any help with your security or anything mentioned here, feel free to get in touch.

How does GDPR apply in the UK after Brexit

I have had a few clients ask me about this recently, so thought it was time for a new post on this thorny topic.

The Brexit transition period ended on 31 December 2020, so UK organisations that process personal data must now comply with the following:

  • The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) if they process only domestic personal data.
  • The DPA 2018 and UK GDPR, and the EU GDPR if they process domestic personal data and offer goods and services to, or monitor the behaviour of, EU residents.

UK DPA (Data Protection Act) 2018 overview

As revised by the DPPEC Regulations, the UK DPA 2018’s main provisions are as follows.

  • Part 2, Chapter 2 supplements the UK GDPR and should be read alongside the Regulation by every UK organisation that processes personal data.
  • Part 2, Chapter 3 sets out exemptions for manual unstructured processing and for national security and defence purposes.
  • Part 3 sets out the regime for processing personal data for law enforcement purposes.
  • Part 4 sets out the regime for processing personal data by the UK’s intelligence services.

(Part 1 contains preliminary information, Part 5 deals with the powers of the Information Commissioner, Part 6 covers enforcement and Part 7 provides supplementary information.)

Identifying which data processing regime applies to the processing you carry out is essential.

Data protection law after 31 December 2020: does the GDPR apply in the UK after Brexit?

No, the EU GDPR does not apply in the UK after the end of the Brexit transition period on 31 December 2020.

However the UK’s DPA 2018 has already enacted the EU GDPR’s requirements into UK law, and with effect from 1 January 2021, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended the DPA 2018 and merged it with the requirements of the EU GDPR to form a new, UK specific data protection regime that works in a UK context after Brexit as part of the DPA 2018.

This new regime is known as ‘the UK GDPR’.

UK organisations need to amend their GDPR documentation to align it with the requirements of the UK GDPR. In particular, Article 30 records, privacy notices, DPIAs (data protection impact assessments), DSARs (data subject access requests) and documentation covering international data flows must all reflect the UK’s independent jurisdiction and the specific scope and wording of the UK GDPR.

Any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will also have to comply with the EU GDPR, and will reflect this in its process documentation.

Do you still process EU residents’ personal data?

If you are a UK organisation now bound by UK GDPR, you will also be bound by the EU GDPR. In addition, you may now need to:

  • Appoint an EU representative;
  • Identify a lead supervisory authority in the EU;
  • Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
  • Update your policies, procedures and other documentation in light of these changes.

The EU GDPR’s requirements as originally implemented by Parts 3 and 4 of the DPA 2018 continue to apply – but no longer within the EU’s jurisdiction – for law enforcement and intelligence purposes.

  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision-making and profiling.

There are still six data processing principles and six lawful bases for lawful processing, and data controllers and processors are still obliged to ensure the security of the personal data they process.

However, there are some areas of divergence.

Important differences between the DPA 2018/UK GDPR and the EU GDPR

Child consent age

  • EU GDPR: A child can consent to data processing at age 16.
  • DPA 2018/UK GDPR: A child can consent at age 13.

Definition of personal data

  • EU GDPR: Personal data can include IP addresses, Internet cookies and DNA.
  • DPA 2018/UK GDPR: More limited definition.

Processing of criminal data

  • EU GDPR: Processors of criminal data must have official authority to do so.
  • DPA 2018/UK GDPR: Processors of criminal data do not require official authority.

Automated decision making/processing

  • EU GDPR: Data subjects have rights to refuse automated decision making or profiling.
  • DPA 2018/UK GDPR: Permits automated profiling subject to legitimate grounds for doing so.

Data subject rights

  • EU GDPR: Protects data subjects to personal data processing.
  • DPA 2018/UK GDPR: Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.

Privacy vs Freedom of Expression

  • DPA 2018/UK GDPR: An exemption exists in relation to the processing of personal data if it is in the public interest.

Representatives

  • EU GDPR: Many non-EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
  • DPA 2018/UK GDPR: Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.

Administrative fines

  • EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
  • DPA 2018/UK GDPR: The maximum fine for non-compliance is £17.5 million.

Google to start enforcing two-step verification enrollment

Google will soon start pushing more Gmail users and Google Account holders to enable two-step verification — the extra layer of security that can protect people when their credentials have been phished or exposed through a data breach. 

May 6 is “World Password Day” which is largely about making people less reliant on them for securing online accounts. 

Google’s contribution this year is to nudge more people into enabling two-step verification, otherwise known as two-factor authentication. 

Today, Google prompts its two billion Gmail users to enroll in two-step verification (2SV) but soon it will be automatically enrolling users. 

“Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup),” Mark Risher, director of product management in Google’s Identity and User Security group, notes in a blogpost. 

“You may not realize it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious,” he says.  

That second factor, be it a security key or a smartphone, means that someone in possession of your username and password — in most cases — can’t log into your account unless they have physical access to your device. 

Google has refined its processes over the years to make 2SV less of an obstacle, but it can still be fiddly if you change a mobile phone number. Today, after signing in with a username and password, users who have enrolled in 2SV get a code via SMS, voice call or the Google app. 

The other option is a security key like Google’s Titan key. Google has also built its security keys into Android phones and last year delivered the same capability for iPhones via its Smart Lock app for iOS.

“Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone,” notes Risher. 

Passwords, unfortunately, are still rife some 17 years after Microsoft co-founder Bill Gates predicted they would one day disappear. Since then the world has only seen a proliferation of new username and password combinations, but two-factor authentication is more widely adopted and supported in online consumer services and in the enterprise.

Multi-factor authentication does work. According to Microsoft, 99.9% of the compromised accounts it tracks every month did not use multi-factor authentication. 

Microsoft has also been doing its bit in tackling outdated password policies that lead to people choosing bad passwords. 

Two years ago it changed a Windows 10 security baseline that until then recommended enterprise users change their password every few months. “Periodic password expiration is an ancient and obsolete mitigation of very low value,” Microsoft declared at the time.

Google’s other key password assistant is the built-in password manager in Chrome. Apple offers the same feature in its Safari browser. 

Risher also points to an experimental feature in Chrome called “password import” recently spotted by the Verge. It lets users import passwords from a CSV file.  

source: zdnet

Understanding GDPR Data Controller in 5 easy steps

Understanding GDPR Data Controller

By now most of us have heard of the General Data Protection Regulation (GDPR). But in case you’ve been carefully avoiding the news since 2017, it’s a law put in place by the EU which strengthens the protection of citizens’ data.

GDPR has brought with it some very stringent penalties for non-compliance. And if your business isn’t yet compliant, you could be at risk of an astronomical fine, as well as lasting brand damage.

The UK’s Information Commissioner’s Office (ICO) collected the second-highest total value of fines for data protection violations last year, with businesses paying up €43,901,000 (roughly £39.7 million) for breaching GDPR.

ITPRO

However, putting GDPR into practice raises some really big questions. Who is liable in the event of a breach? What is a GDPR data controller?  And who is the GDPR data processor? Let’s take a look at each in turn.

1) What is GDPR?

Before we understand the role of a GDPR data controller, we need to tackle what GDPR is. To put it in simple terms, GDPR forbids the misuse of EU citizens’ data. And it applies whether your company is based in the EU or not.

2) Who is the GDPR Data Controller?

The ‘GDPR data controller’ is the organisation that decides how and why customers’ personal data is processed. In other words, it’s usually your business. You collect and control the data but, crucially, you don’t necessarily have to hold or process it. However, even if you don’t process it yourself, you’re still responsible for how it is used, stored and deleted.

3) What are the GDPR Data Controller’s responsibilities?

Under GDPR, data controllers are obliged to:

  • Protect personal data against compromise or loss by implementing strict technical and organisational measures to secure data
  • Have a legal agreement with your processors to ensure they only act on your instructions and comply with GDPR

4) Who is the GDPR Data Processor?

A data processor, on the other hand, is the company or person who processes personal data on behalf of the controller. To give a few examples, it could be your data storage provider, payroll company, accountant or marketing agency.

5) What are the GDPR Data Processor’s responsibilities?

Under GDPR, data processors have a lot more responsibilities, including:

  • Appointing a Data Protection Officer if their business processes sensitive or ‘big’ data
  • Responsibility for implementing significant security measures
  • Maintaining a record of all data processing operations under their responsibility
  • Informing the data controller(s) immediately of any leaked data
  • Becoming a joint controller for any data processing they carry out beyond the scope of the controller’s instructions

In Summary

GDPR has changed the way we process and control data.  And understanding your role as a data controller, processor or both is crucial – both to avoid legal hot water and protect your customers.

Are you looking to get GDPR-compliant and improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

If you are interested in easy Cyber Essentials and GDPR certification

Great Ideas to Boost Macbook Performance

Guest post by Justas Markus

Do not expect a Macbook to perform the same way that it does the first time you start it. A time will come when you start to notice that it takes longer for applications to launch or that the loading screen after each restart is also not as fast as it should be. 

Does this mean that you need to purchase a new computer? That is an option, but there are ways you can boost Macbook performance without getting another Macbook. If you want to find out how, read on.

Idea #1 – Add New Hardware

You will need to spend money on new hardware, but it is still a much cheaper option than buying another Macbook. Moreover, you can find plenty of great deals for used parts that would still be an upgrade. Not to mention sales during holidays. So even those with a budget can significantly improve their Macbook’s performance.

The most popular additions are RAM and SSDs. The latter can be found in the most recent Macbook models already, but if you own an older Mac, then replacing your hard drive with a solid-state drive will make a difference. As for extra RAM, the more memory your Mac has, the better it will perform.

Idea #2 – Free up Drive Space

Do not end up with just a few gigabytes of storage on your drive. If you do, then using a Macbook will become quite difficult.

Available space on a hard drive or a solid-state drive can run out quickly if you are not careful. Be smarter about managing your data. Get in the habit of getting rid of system junk regularly. Remove applications you no longer need. Transfer data to clouds and external storage devices. The bottom line is that the more free storage you have, the better your Macbook will perform.

Idea #3 – Get Rid of Visual Effects

You would be better off forgetting about visual effects. Some of the examples include animations for the Dock, a backlit keyboard, and visuals for Music. 

These visual effects are a hindrance to the overall Mac performance and offer nothing in return, other than consuming system resources. 

Idea #4 – Scan for Malware

Check the Mac for malware and viruses. It may be that you accidentally stumbled upon a cybersecurity threat, and it infected one of your system files. Scan the system with reliable antivirus and eliminate potentially infected files. 

If you want to improve the computer’s security, enable the firewall and browse the internet via a virtual private network in addition to antivirus.

Idea #5 – Clean Filth Inside the Macbook

You should remove dust and dirt that accumulates inside the Macbook. Do so regularly, because it can lead to issues worse than the computer’s performance. You risk damaging internal hardware that will be expensive to replace.

A high temperature and loud fan noises are two indications that there is too much filth inside the Mac. Some will suggest you purchase a cooling pad. While the accessory is a nice addition, it will still not solve the root of the problem.

If you are afraid of taking the Macbook apart yourself to clean the dust and dirt inside, then take it to a service store and let professionals handle the work.

Idea #6 – Manage Applications

Keep close tabs on the applications running in the background. Activity Monitor will tell you which processes are consuming the most resources. You can sort applications by CPU and memory usage to see which of them should be removed or replaced.

For instance, there are many internet browsers. If your current web browser requires a lot of memory, then you may want to consider looking for an alternative. And transferring bookmarks and browsing history to another browser should not be a problem.

Idea #7 – Declutter Desktop

Do not clutter your Macbook’s desktop. Each icon is rendered every time you switch to another tab from the desktop and vice-versa. 

It might be more convenient to have your most important files available there on the desktop, but is it worth sacrificing the computer’s performance for that convenience?

You should keep your files in folders. And if you find it hard to locate the files, be smarter with naming and use Spotlight for searching.

Idea #8 – Install Updates

Make sure that your system is up to date. The most recent version of the OS provides more than just new features. Updates bring stability and performance improvements, as well as security patches. It may be that the OS has some holes and is prone to cybersecurity threats, but a hotfix usually solves the problem.

Speaking of the operating system, you may find that the best way to boost the performance is none other than reinstalling the OS. But before you commit, create a data backup because files get wiped after reinstalling the OS.

Perfex CRM vs WHMCS

When it comes to billing systems, most people in my line of business have heard of WHMCS. It is the de facto billing and automation system for most hosting providers but it is also very popular with many other types of business as well, such as ISPs, website design agencies or anyone selling IT services etc.

Even though WHMCS is intended for hosting providers and is more of a provisioning and automation system, it still manages to beat other dedicated billing platforms due to its flexibility and configurability and is also very cheap, starting at only $15 per month.

I have been using WHMCS for at least the last 15 years or so through my former companies and during that time I have tried various other WHMCS alternatives, such as box billing, blesta and others. I have also used many other general billing systems such as freshbooks, quickbooks, zoho and many others.

Another area where I have always been on the lookout for the best solution is a CRM / project manager. I have tried so many different solutions over the years, I have lost count, these include Trello, Bitrix24, Hubspot, Asana and many more.

Some of them were good, some of them were awful. The free or affordable solutions always had some missing features or functionality and/or I did not find them very intuitive. The rest were just too bloated and expensive for my meagre requirements.

One of my favourite project/task management apps I have used was Paymo, which I used when it was still in beta and is a great app and it has improved a lot since then. So if you need task/time tracking and task billing then I'd give Paymo a look.

Then in 2019, quite by chance, I came across this hidden gem on CodeCanyon called Perfex CRM.

Perfex is one of those rare finds that seems almost too good to be true for the price. Not only does it have a ton of features and functionality that would normally need multiple different apps to achieve, but amazingly it costs only $59. That’s it, there are no recurring costs unless you need ongoing support and who can’t afford $59?

The list of features available for this small price is quite staggering. And depending on your specific requirements, this may actually cover all the bases and even be a viable alternative to WHMCS as a billing system, as long as you do not require the provisioning/automation features of WHMCS.

I found very little information online RE Perfex and certainly no useful comparison between it and other solutions, so I decided to write one myself.

Below I have listed the core features of both systems for comparison. I am only listing the ones I feel are most relevant, but if there is something important I have missed, feel free to let me know in the comments.

NOTE: I am aware that WHMCS and Perfex are 2 very different apps meant for different purposes. So to clarify, the purpose of this article is primarily to compare them as a billing system.
But I will be mentioning the other features and functionality for completeness in case it is useful to anyone who is looking for those features.

FEATURE | PERFEX | WHMCS
Client Management | Yes | Yes
Project Management | Yes | with paid addon
Task Management | Yes | with paid addon
SUPPORT/TICKET SYSTEM | Yes | Yes
– WYSIWYG editor | Yes | No
– Set ticket reminders | Yes | No
– Assign ticket to specific contact | Yes | No
– Add billable tasks to tickets | Yes | No
BILLING SYSTEM | Yes | Yes
– Invoices | Yes | Yes
– Recurring Invoices | Yes | Yes
– Subscriptions | Yes | Yes
– Bill for tasks/billable time on tickets | Yes | No
– Quotes | Yes | Yes
– Estimates | Yes | No
– Credit Notes | Yes | No
PAYMENT PROCESSING | Yes | Yes
– Automatic payments | No | Yes
– Credit/Debit Cards | Yes | Yes
– Paypal | Yes | Yes
– Direct Debit | No | Yes
Expenses Tracker | Yes | No
Contracts | Yes | No
Proposals | Yes | No
Leads | Yes | No
Shopping Cart / Online Store | No | Yes
Automation / Provisioning System | No | Yes
REST API for external integration | No | Yes
3rd party modules / Addons | Yes | Yes
Domain Name Registration/Renewal | No | Yes
Resell third party services (Security, backup, hosting, email etc) | No | Yes

If you need help installing and setting up Perfex CRM or WHMCS, get in touch.
I also provide Managed Perfex CRM hosting

I used Perfex for about a year for all my freelance/web design work and overall I have been very happy with it (for the price). But eventually I did get to the point where I really wanted the automatic provisioning, domain name renewals and other automation features of WHMCS.

So I once again bit the bullet and switched all my recurring billing over to WHMCS. I do however still use Perfex for my project management, one-off invoices, leads, contracts etc since it is also a CRM, which WHMCS is not.

NOTE: all the WHMCS screenshots below are using the Lara WHMCS admin theme.

Billing

PERFEX

WHMCS

Billing is the primary focus of this comparison article, since that is the one trait that both Perfex and WHMCS share in common.

Perfex is the better option for one-time/ad hoc billing, because you can create a customer (without their interaction) and send them an invoice, which they can just pay by clicking a link, no login required. Whereas with WHMCS, your client needs to register, create an account and set a password, then they need to log in to make a payment, which is a whole fiasco they don’t need just to make a one-time payment.

WHMCS is better for recurring billing, mainly due to the fact that it charges customers automatically with no manual interaction from the client. As soon as they have made their first card payment, a token is stored, which allows all future payments to be taken automatically. Plus WHMCS supports direct debit payments via GoCardless, which is great if you do not want to worry about cards being declined or expiring.

Every single product and service you setup in WHMCS can be set as recurring or one-time payment with optional setup fees. If you need to bill a client for something non-standard for which you do not have a pre-defined product/service for it, then you would setup a “billable item” which is essentially the same as a recurring invoice.

With Perfex, customers must pay all invoices manually, even recurring invoices, which means constant chasing of those clients who do not pay on time or ignore emails telling them a payment is due. This may not be a problem for you, but chasing clients for payment isn’t something I like doing 🙂

Perfex does support Stripe subscriptions, which will allow you to take payments automatically. But this feels like a rather clunky solution, as it has to be setup via stripe, where you create your products/plans. Then you create a subscription via Perfex, which will allow you choose from your stripe plans. So you can only bill clients a set amount as per the subscription. If the monthly amount changes, you must setup a new subscription.

If subscriptions could be created automatically via Perfex, then that would at least be an improvement, but it is a strange decision on the part of the developer to do it this way, especially when Stripe supports tokens as standard, which allows for automatic payments like WHMCS.

Currently the only other way to setup automatic billing is via a payment gateway, such as via direct debit with GoCardless and then manually mark the invoices as paid in Perfex once payment was received. You are able to turn off invoice reminders in the case that you have setup a direct debit, so it won’t harass your client if you forget to apply the payment.

Perfex allows you to set a reminder on any invoice, so you can send yourself an email telling you to chase it up. While this is useful, it does seem a bit counterproductive that this has to be done manually. I would prefer that these reminders were enabled by default or at least prompted during the invoice creation, otherwise chances are that you won’t remember to set a reminder.

Both apps allow you to set automatic reminders to send to the customer. In the case of WHMCS it will only send 3 and that’s it. In the case of Perfex, it will continue sending reminders until the customer pays, which is much better IMO.

Both apps allow you to apply manual payments with a transaction ID if you have processed an offline payment, such as through paypal or BACS for example.

I find Perfex far more intuitive in the way it displays the invoices and all the information relating to that invoice. When you select an invoice, you have tabs for “Payments, tasks, activity logs, reminders, notes, email tracking, views tracking”.

The views and emails tracking is unique to Perfex as WHMCS does not have this, and it is very useful, as this shows you when the emails were sent and if they were opened and whether your client has viewed the invoice and when and from what IP. So if your client tells you “I didn’t get the emails” then you will know if they are telling porky pies.

From this page you also have the ability to:- Send an overdue notice, create a credit note, attach a file, copy invoice, pause overdue reminders.

WHMCS allows you to send any of your pre-defined invoice related email templates, which is a bit more flexible, although it doesn’t apply so much to Perfex due to the lack of automatic billing.

WHMCS also allows you to re-attempt a payment capture from any of the client’s saved credit/debit cards, so you can retry a card that had failed or if they have multiple cards stored and one failed, you can try another one.

Selling Products & Services

Perfex CRM does not have any kind of shopping cart or online store functionality at all, there is also a complete lack of product configuration in general. All you can do is create an item (i.e. something you sell) and give it a description and price, that’s it, so it is only really good for selling very simple products and services.

I have however noticed a storefront module has recently appeared on codecanyon which provides this functionality. Although I have not tested it, so cannot comment on how useful it is.

WHMCS by comparison has the ability to create products with setup fees, monthly, annually, bi-annually etc pricing, addons and configurable options for every product, which makes it very flexible, plus the ability to upgrade and downgrade products, create product bundles and resell pre-defined products from the WHMCS market connect.

That said, WHMCS is still not an online store, more just a basic ordering/provisioning system as it was primarily designed for hosting providers. You cannot add product images or detailed descriptions, SKU’s or anything of that nature for example. What most people do is to have the products/service pages on their main website and just have the order button link through to WHMCS.

If you need an actual online store then I can recommend taking a look at Ecwid, which is a nice and simple eCommerce system that can be easily integrated into WordPress. This is what I have been using for all my simple one-time purchase services. Note that Ecwid does not support subscriptions.

Automation & Provisioning

Since Perfex is not a provisioning system it has zero features in this dept.

WHMCS has automatic ordering and provisioning for domain names, hosting, email, SSL, servers, wix, sitelock, spam experts and more. You can also find a ton more provisioning modules in the market place.

As great 80’s rock band Cinderella once said, you don’t know what you’ve got till it’s gone. So had I never used WHMCS, I would have been more happy with Perfex, and for any small agency or freelancer, it is a perfectly adequate solution.

But once you get to a certain size, doing things manually becomes a PITA and is more prone to human error, which is where automation really becomes a necessity.

If you are selling services like hosting, domain names, SSL or any of the built in products/services then WHMCS is a no brainer. For anything else, you can always get a custom provisioning module created.

If you deal with more than a few dozen of these types of products/services then WHMCS is probably the preferable solution as Perfex does not have any kind of provisioning or automation in that respect, unless you are prepared to pay to get such custom modules created.

There is however an increasing number of custom Perfex modules available on CodeCanyon which add additional functionality and integrations. So it may just be a matter of time until someone turns Perfex into a provisioning system.

If you don’t sell services like this and do not require this kind of automation and provisioning, then Perfex will likely suit you just fine.

Support Tickets

Both WHMCS and Perfex are fairly equal when it comes to how support tickets work and functionality is almost identical, both are very basic on this front.

Basic features are: create depts, create ticket, assign tickets to depts, assign ticket to staff member, assign to client account and product it is related to, change ticket status, add ticket notes, view related tickets.

Perfex does have a few advantages though. It allows you to set a reminder on a ticket, so that you don’t forget to follow up in case the customer does not respond. You can also create a task on a ticket or convert the ticket to a task and then record billable time against those tasks, which can then be invoiced. This obviously makes it a lot easier to bill customers for time spent doing support.

WHMCS does have the ability to add a billing entry to a ticket, and then invoice it immediately or add it to the client’s next invoice, but this is very basic, not especially useful and also easy to miss or forget to do. I was using WHMCS for a very long time before I noticed this option and then never remembered to use it.

One other big improvement Perfex has is that it will display HTML in tickets and also has a WYSIWYG editor, allowing you to insert HTML and even images into ticket replies. This is something WHMCS sorely lacks, despite users requesting it for many years.

Perfex also allows you to use aliases without any additional configuration. So all email that comes into your ticket mailbox will be imported, regardless of what address it was sent to.

So if you wanted info@ support@ and help@ to all come into the same dept, you just alias/forward all those addresses to same inbox, that’s it.

With WHMCS you have to setup a separate dept for every single email address, otherwise the emails will be rejected. This is very annoying when you have multiple domain aliases (e.g. .com, .co.uk, .uk) that you wish to pipe email into the ticket system for.

On the downside, Perfex does not allow you to pipe emails to different depts using aliases. You are required to have a separate imap inbox for every dept, whereas WHMCS does support this.

A few WHMCS only features are:- the ability to watch a ticket. This is useful if a ticket is not assigned to you, but you want to receive/monitor all activity on that ticket. It also has a ticket log which you can view to see all staff and user activity.

Project Manager

I have used quite a few project manager / task management apps over the years and I have to say that for the price, Perfex is very good and it does most of what I need.

All the basic/typical functionality you need to manage projects and tasks is there: tasks, gantt charts, notes, milestones, timesheets. From within the project you can view associated contracts, invoices, proposals, estimates, expenses, credit notes and subscriptions.

I suggest trying out the demo.

Some particular items of note are:-

A task does not require a project, you can create a stand-alone task or it can be related to anything else in the system: a project, client, task, proposal, invoice, estimate, contract or lead. This is very neat and of course rather useful.

Perfex does have a TODO list, which is great for keeping track of really basic task lists, but because tasks can be open and not assigned to anything or anyone, this means you can also use the task manager for internal/personal stuff too, meaning you can make use of the time tracking, lists, notes etc.

Tasks can also be set as repeatable using days/months/weeks and years and you can also set an hourly rate on a per task basis. Both of which are features I have found lacking in many other PM systems I have used.

So not only do I use Perfex for my client work, I also use it to keep track of tasks at home as well. You know, all those little jobs that you have been putting off for years, which your wife reminds you about every few months 🙂

One annoying/lacking feature is the reminders. These can be set on just about everything, not just tasks, but they only remind once. Reminders really need to be recurring, in case you miss/forget the first one.

WHMCS does have an official project management addon to add this functionality, but since it is an addon, I won’t be covering it here. I have not tried it and it does seem a bit too basic to me.

Discussions

This is a weird feature of Perfex and I am not entirely sure how useful it is.

As the name suggests, it allows you to create discussions on a project. It works rather like a forum, in that replies are nested, and it has a basic WYSIWYG editor and allows you to attach files.

Annoyingly it does not allow you to reply to discussions via email, you must login to respond. This has a tendency to result in clients not bothering to reply, probably because they couldn’t do so when they read the notification email and had to wait until they were in front of a computer and then forgot.

Since tickets can be linked to projects, I have tried to use tickets instead, but the issue with this is that tickets are not always visible unless the client has replied and not visible at all once they have been closed.

It does seem a little confusing having both tickets and discussions available on a project.

SALES

Quotes/Estimates

An estimate in Perfex is the same as a quote in WHMCS. It is basically the same functionality as generating an invoice, except no payment is due since it is just a quote for how much something will cost. If the client accepts it, then you convert it to an invoice.

You have the ability to add additional notes to the client, plus WHMCS has the advantage that you can create a quote for a new client and enter the client details at the same time. But Perfex only allows you to select an existing client, so you would need to create the client first.

Perfex allows you to attach files to a quote, WHMCS does not allow this. Perfex also has a pipeline view, which is basically a kanban layout.

Proposals + Contracts

Only Perfex has this feature.

A proposal can be related to either a lead or a customer. It is basically an estimate plus a contract. As with an estimate or an invoice the proposal can have multiple line items.

The contract can only be assigned to a customer and can only have a total contract value, no line items.

Both can have tasks assigned to them but only proposal can have reminders. Both can have attachments but bizarrely they both handle attachments in a different way which is just confusing.

A contract has a start date and an end date whereas a proposal has a creation date and an open-until date, after which I assume the client cannot accept it.

The client can leave notes on the proposal or the contract, i.e. to ask for changes or haggle the price etc. Once they are happy they can then accept the proposal or contract, which you can then convert to an estimate or an invoice.

When accepting a proposal or contract, the client must provide an electronic signature.

Honestly I am not really sure what the point is in having both as they both seem to serve the same purpose.

Leads

Only Perfex has this feature.

A proposal holds the potential client details, a last contact date, you specify the status of the lead (new, contacted qualified, working proposal sent, customer), you set the source of the lead (Facebook, Google etc.) and can assign it to a staff member.

You can add your leads manually or import them from a CSV file, making sure your CSV is in the required format first.

A lead can also have tasks and proposals assigned to it as well as notes and reminders (to follow up). If you are successful with your lead then you can convert it to a customer.

There is also an activity log if you want to see what actions have been taken with this lead, either by yourself or whomever it is assigned to.

Customisation

Perfex has theme customisation built right in, making it real easy to change all the colours on both the front end and backend. It even has an area for you to add custom CSS if you want to do further customisation.

WHMCS sadly does not have any such customisation options, so you would have to manually add your own customisations to the custom_css file to achieve the same, which does require you to know some CSS. Also very annoyingly, WHMCS will overwrite that custom_css file with an empty file, every time you update WHMCS. Nobody knows why and many have told WHMCS devs to stop doing this.

Perfex also makes it easy to customise the view files, simply by copying the original file and naming it my_filename.php, and this file will then be used instead of the original.

I have used this method myself to add a link to my terms and conditions at the end of all invoices by default, rather than having to add it manually to every invoice.

WHMCS on the other hand requires you to create a whole new theme. This is a better solution if you are doing a lot of customisation, but not if you just want to do some minor changes.

In either case, you do need to remember to check if any of the files you have customised have been changed after installing updates, and then re-apply your customisations to the new versions of those files.

Summary

I hope you have found this Perfex CRM vs WHMCS comparison useful in making a decision as to which product to use or it has helped you discover the hidden gem that is Perfex CRM for the first time, as an alternative CRM and billing system that doesn’t cost an arm and a leg.

Even though I have switched my own billing to WHMCS, I am still a big fan of Perfex and it has a lot of potential to be a killer product.

The one thing holding Perfex back is that it is built, maintained and supported by a single developer, so if anything happens to that guy, that is the end for Perfex CRM. Whereas WHMCS is a proper company with a team of developers and support staff.

This does however put WHMCS to shame that a single developer has managed to achieve so much when the WHMCS devs have regularly taken up to 10 years to add highly requested features and functionality and have a habit of breaking important functionality with every release, even when that functionality has not changed or been updated.

Obviously both products are going to receive updates after I have published this article, meaning that it will eventually become out of date as new features get added.

So if you notice any mistakes or outdated info, let me know in the comments.

If you need help installing and setting up Perfex CRM or WHMCS, get in touch.
I also provide Managed Perfex CRM hosting