Forgot your password?

Comment: Re:This isn't why they had a security breach (Score 1) 210

by hawaiian717 (#46884387) Attached to: Target Moves To Chip and Pin Cards To Boost Security

I assume you're thinking of the eInk display as a way to protect web based transactions?

Rather than coming up with another scheme, I feel like a better solution would be a way to do EMV payments over the web using a regular smart card reader. Smart card readers don't seem uncommon in business oriented laptops already, and Dell and HP have smart card reader keyboards that they could just make the standard keyboard they ship with desktop PCs. It's possible to read EMV cards using regular USB card readers; the folks on FlyerTalk do it to read the CVM list off their card (that's how people figure out if a card is C&S or C&P priority and whether it supports offline PIN).

Comment: Re:Chip and Signature, not Chip and PIN (Score 1) 210

by hawaiian717 (#46883025) Attached to: Target Moves To Chip and Pin Cards To Boost Security

True about most US cards being C&S, not C&P. Or being both, but with C&S as higher priority and not supporting offline PIN (which is where the real trouble comes). From what I'm hearing, Visa is the one that's really pushing C&S in the US; MasterCard is pushing C&P. And since the new EMV Target cards will be MasterCards, there's reason to hope that they'll be C&P.

For the record, Walmart has also apparently been advocating C&P. They're also ahead of Target in rolling out EMV support, about 25% of Walmart US stores are actively accepting EMV payments.

Comment: Re:This isn't why they had a security breach (Score 1) 210

by hawaiian717 (#46882987) Attached to: Target Moves To Chip and Pin Cards To Boost Security

And this is where the October 2015 liability shift comes in:

If fraud occurs on an EMV card and the merchant hadn't upgraded to EMV and was relying on swiping the magnetic strip to process the transaction, the merchant has liability.

If fraud occurs on a non-EMV card and the merchant had upgraded to EMV, then the bank issuing the card has liability.

The result is banks are incentivized to upgrade to EMV cards so they can try to shift fraud liability to the merchant who hasn't upgraded to EMV terminals, and the merchant is incentivized to upgrade to EMV terminals to avoid the liability shifting to them.

Presumably fraud liability for EMV cards processed at EMV terminals remains where it is today (banks), and possibly everyone wonders "how did that happen?"

Meanwhile, fraud moves to card not present (read: over the Internet/phone) transactions.

Comment: Re:Security (Score 1) 455

by hawaiian717 (#46605937) Attached to: Wal-Mart Sues Visa For $5 Billion For Rigging Card Swipe Fees

Visa Debit is 2FA if you press the "debit" button on the point of sale terminal, since you need to have the card (something you have) and enter the PIN (something you know).

On the credit card side of things, EMV can make 2FA common and has in many places, with Chip and PIN cards. But many banks are going with Chip and Signature, which to me is worthless as a form of authentication. There are other parts to how EMV works that still makes it superior to mag stripe even with Signature.

Comment: Re:I am torn! (Score 2) 455

by hawaiian717 (#46605845) Attached to: Wal-Mart Sues Visa For $5 Billion For Rigging Card Swipe Fees

EMV cards are available in the US today. American Express offers EMV versions of virtually all their cards today, you just have to call customer service and ask for one and they'll send one out. Many major banks including Bank of America, Citibank, Chase, US Bank, City National, USAA and Barclaycard as well as some credit unions have started issuing EMV cards as well. CaptialOne is a notable exception as a major credit card issuer that does not yet issue EMV cards in the US (though I've heard they do in Canada).

The caveat is that most of these cards are Chip and Signature, while much of Europe is using Chip and PIN. It's all about how the card issuers and merchants set their priority though; retail outlets should accept Chip and Signature though there have been reports of merchants not wanting to (and some people have problems with mag stripe cards too). The biggest problem for travelers tends to be unattended kiosks, which are set for PIN only. Sometimes the cash advance PIN will work with a Signature-only card, this depends on whether the kiosk has an online network connection to authentication the PIN with the bank rather than with the card itself. Visa is pushing these setups to accept no authentication ("No CVM" in EVM lingo) as a fallback for Signature-only cards.

What will drive the move to EMV in the US is a liability shift for fraudulent transaction that is set to occur on October 1, 2015. Fraud liability for a magnetic stripe transaction on an EMV capable terminal (meaning the merchant has upgraded but the card issuer has not) will rest with the bank that issued the card. But fraud liability at a non-EMV capable terminal (meaning the merchant has not upgraded) rests with the merchant. This combination will incentivize merchants to upgrade to EMV (since liability will be shifted to them if they don't), while banks will want to get EMV cards in peoples' wallets so that fraud liability will be shifted away from them at merchants who don't upgrade.

Comment: Re:OR... (Score 1) 448

by hawaiian717 (#46103161) Attached to: Developer Loses Single-Letter Twitter Handle Through Extortion

I do find it odd that someone would actually break the law (at the very minimum, identity theft and extortion) in such a contrived chain of events... Just to gain control of something they won't even realistically get to use (can you imagine trying to use @N for the next few months through the massive volume of hate-tweets it will get?)

I don't, because it's happened before. I haven't reread the article to see if this states it, but I recall hearing that the reason the hacker did all this to Mat Honan was because he decided he wanted his @mat twitter handle.

Comment: Re:Ban Removed Due to New Revenue From Micro-Cells (Score 1) 183

by hawaiian717 (#45497105) Attached to: FCC To Consider Cellphone Use On Planes

The Gogo network may be cellular, but their network is designed to hit a target flying 500 miles per hour at 39,000 feet. Plus, the base station on the aircraft concentrates the traffic, which means there's one air-to-ground link per plane, rather than per handset as would be the case of someone using an unauthorized cell phone inflight today.

It's also not true that all the existing inflight data links are cellular. Southwest uses Row 44, which provides a satellite based solution. JetBlue is planning to launch, if it hasn't already, a satellite-based system with ViaSat.

There are other, older, slower options for inflight data access that are satellite based, but we're talking about dialup speeds here.

Comment: Re:Sounds ready for abuse (Score 2) 240

by hawaiian717 (#45146251) Attached to: Square Debuts New Email Payment System

Virtually everyone has secure communication to their email provider these days.

And virtually nobody has secure communication between email providers. So there's a good chance that at some point along the line, your email is being transmitted across the Internet in the clear. Secure IMAP/POP/SMTP is good for protecting your authentication credentials (password), but if you want to protect the contents of your email, you need an end-to-end solution like PGP or S/MIME.

3500 Calories = 1 Food Pound