Forgot your password?

Comment: Re:Chip and PIN (Score 1) 132

by hawaiian717 (#47821529) Attached to: Banks Report Credit Card Breach At Home Depot

A PIN is not required to use a debit card today. The vast majority of them support running the transaction either through the debit networks, where you use a PIN, or through the credit networks (Visa or MasterCard) where, today anyway, you sign. So the thieves can still steal the card number off a debit card and use it just like a credit card. The only difference is that your checking account is the money that gets tied up in limbo until it's sorted out, instead of the the bank's money (in the form possibly of your credit limit).

Comment: Re:article summary is wrong (Score 1) 51

by hawaiian717 (#47750897) Attached to: Aussie Airlines To Allow Uninterrupted Mobile Use During Flights

This is why I simply cannot understand United's new policy of buying aircraft with NO entertainment system at all, not even one where you can just plug a headphone in so you can hear the announcements.

United and other airlines are seeing the trend of more and more people bringing their own devices and using those, thus they can save several hundred pounds of weight by removing the inflight entertainment systems. US Airways did this a few years ago. Southwest never had a built-in system.

But your point about the built-in systems' ability to be automatically paused when the pilots and flight attendants make an announcement is an interesting one; something I hadn't thought about before.

Comment: Re:Digital stamping (Score 1) 144

by hawaiian717 (#47672897) Attached to: Telegram Not Dead STOP Alive, Evolving In Japan STOP

I don't know much about how PGP works, but with S/MIME, you attach the certificate containing the public key to the e-mail, as well as the encrypted ("signed") hash of your email.

The next question is how do you know the certificate is genuine? Well, that's why you pay VeriSign, DigiCert, or whatever your favorite Certificate Authority (the same people who create certificates for web servers) is, to sign your public key and issue you a certificate.

Your statement that PKI is hard is absolutely correct.

Comment: Re:This isn't why they had a security breach (Score 1) 210

by hawaiian717 (#46884387) Attached to: Target Moves To Chip and Pin Cards To Boost Security

I assume you're thinking of the eInk display as a way to protect web based transactions?

Rather than coming up with another scheme, I feel like a better solution would be a way to do EMV payments over the web using a regular smart card reader. Smart card readers don't seem uncommon in business oriented laptops already, and Dell and HP have smart card reader keyboards that they could just make the standard keyboard they ship with desktop PCs. It's possible to read EMV cards using regular USB card readers; the folks on FlyerTalk do it to read the CVM list off their card (that's how people figure out if a card is C&S or C&P priority and whether it supports offline PIN).

Comment: Re:Chip and Signature, not Chip and PIN (Score 1) 210

by hawaiian717 (#46883025) Attached to: Target Moves To Chip and Pin Cards To Boost Security

True about most US cards being C&S, not C&P. Or being both, but with C&S as higher priority and not supporting offline PIN (which is where the real trouble comes). From what I'm hearing, Visa is the one that's really pushing C&S in the US; MasterCard is pushing C&P. And since the new EMV Target cards will be MasterCards, there's reason to hope that they'll be C&P.

For the record, Walmart has also apparently been advocating C&P. They're also ahead of Target in rolling out EMV support, about 25% of Walmart US stores are actively accepting EMV payments.

Comment: Re:This isn't why they had a security breach (Score 1) 210

by hawaiian717 (#46882987) Attached to: Target Moves To Chip and Pin Cards To Boost Security

And this is where the October 2015 liability shift comes in:

If fraud occurs on an EMV card and the merchant hadn't upgraded to EMV and was relying on swiping the magnetic strip to process the transaction, the merchant has liability.

If fraud occurs on a non-EMV card and the merchant had upgraded to EMV, then the bank issuing the card has liability.

The result is banks are incentivized to upgrade to EMV cards so they can try to shift fraud liability to the merchant who hasn't upgraded to EMV terminals, and the merchant is incentivized to upgrade to EMV terminals to avoid the liability shifting to them.

Presumably fraud liability for EMV cards processed at EMV terminals remains where it is today (banks), and possibly everyone wonders "how did that happen?"

Meanwhile, fraud moves to card not present (read: over the Internet/phone) transactions.

Comment: Re:Security (Score 1) 455

by hawaiian717 (#46605937) Attached to: Wal-Mart Sues Visa For $5 Billion For Rigging Card Swipe Fees

Visa Debit is 2FA if you press the "debit" button on the point of sale terminal, since you need to have the card (something you have) and enter the PIN (something you know).

On the credit card side of things, EMV can make 2FA common and has in many places, with Chip and PIN cards. But many banks are going with Chip and Signature, which to me is worthless as a form of authentication. There are other parts to how EMV works that still makes it superior to mag stripe even with Signature.

Comment: Re:I am torn! (Score 2) 455

by hawaiian717 (#46605845) Attached to: Wal-Mart Sues Visa For $5 Billion For Rigging Card Swipe Fees

EMV cards are available in the US today. American Express offers EMV versions of virtually all their cards today, you just have to call customer service and ask for one and they'll send one out. Many major banks including Bank of America, Citibank, Chase, US Bank, City National, USAA and Barclaycard as well as some credit unions have started issuing EMV cards as well. CaptialOne is a notable exception as a major credit card issuer that does not yet issue EMV cards in the US (though I've heard they do in Canada).

The caveat is that most of these cards are Chip and Signature, while much of Europe is using Chip and PIN. It's all about how the card issuers and merchants set their priority though; retail outlets should accept Chip and Signature though there have been reports of merchants not wanting to (and some people have problems with mag stripe cards too). The biggest problem for travelers tends to be unattended kiosks, which are set for PIN only. Sometimes the cash advance PIN will work with a Signature-only card, this depends on whether the kiosk has an online network connection to authentication the PIN with the bank rather than with the card itself. Visa is pushing these setups to accept no authentication ("No CVM" in EVM lingo) as a fallback for Signature-only cards.

What will drive the move to EMV in the US is a liability shift for fraudulent transaction that is set to occur on October 1, 2015. Fraud liability for a magnetic stripe transaction on an EMV capable terminal (meaning the merchant has upgraded but the card issuer has not) will rest with the bank that issued the card. But fraud liability at a non-EMV capable terminal (meaning the merchant has not upgraded) rests with the merchant. This combination will incentivize merchants to upgrade to EMV (since liability will be shifted to them if they don't), while banks will want to get EMV cards in peoples' wallets so that fraud liability will be shifted away from them at merchants who don't upgrade.

Comment: Re:OR... (Score 1) 448

by hawaiian717 (#46103161) Attached to: Developer Loses Single-Letter Twitter Handle Through Extortion

I do find it odd that someone would actually break the law (at the very minimum, identity theft and extortion) in such a contrived chain of events... Just to gain control of something they won't even realistically get to use (can you imagine trying to use @N for the next few months through the massive volume of hate-tweets it will get?)

I don't, because it's happened before. I haven't reread the article to see if this states it, but I recall hearing that the reason the hacker did all this to Mat Honan was because he decided he wanted his @mat twitter handle.

Comment: Re:Ban Removed Due to New Revenue From Micro-Cells (Score 1) 183

by hawaiian717 (#45497105) Attached to: FCC To Consider Cellphone Use On Planes

The Gogo network may be cellular, but their network is designed to hit a target flying 500 miles per hour at 39,000 feet. Plus, the base station on the aircraft concentrates the traffic, which means there's one air-to-ground link per plane, rather than per handset as would be the case of someone using an unauthorized cell phone inflight today.

It's also not true that all the existing inflight data links are cellular. Southwest uses Row 44, which provides a satellite based solution. JetBlue is planning to launch, if it hasn't already, a satellite-based system with ViaSat.

There are other, older, slower options for inflight data access that are satellite based, but we're talking about dialup speeds here.

COBOL is for morons. -- E.W. Dijkstra