If they do this by issuing real IPv6 addresses, with CGNAT to IPv4, I actually don't have a problem with it. but using it in full IPv4 mode just makes the existing situation worse.

I don't disagree with that at all. I wish I knew what BT's plans were in this instance, but at some point CGNAT will need to be rolled out. I guess you could argue that IPv6 is less of a priority because if IPv4 addresses run out, people are screwed and ISP's need to have a solution in place - right now, IPv6 is not that solution because it only gets you on to the (rather small and limited) IPv6 internet.

CGNAT will be necessary for as long as there's still people out there only on IPv4. I don't disagree with what you're saying - as IP(v4)'s become scarce, they'll be worth more and ISPs will probably try to charge for them until people get the idea and move to IPv6.

There's more to it than NAT vs IPv6. The reality is we'll need both in the future. Say BT switched on IPv6 tomorrow and everyone in the UK got an IPv6 address - brilliant. But that's only half of the problem, they still need access to the IPv4 internet because all those servers the world over aren't IPv6 accessible yet.

Wrong. It's a free opt-out, just ring them up and they'll give you a dynamic IP again.

To be honest, I don't actually disagree with you on this one. But then what are these "android viruses" if not trojans themselves?

Yeah, gaping security holes like email attachments with names similar to "bigtits.exe" and "funny.exe".

Not all viruses exploit security weaknesses, some are just malicious programs that idiot users run.

If you're security conscious enough to put this fancy bit of JSON on your site, then most likely you're smart enough to not store your user's passwords in plaintext. In fact, I'd like to think you're clever enough to salt the hash of the passwords that you're storing as well.

Why am I pointing this out? Because password re-use is an issue when a password gets compromised. Passwords get compromised when they're not encrypted or hashed. So to "fix" the problem like this is all well and dandy, but it only works if every site does it and if every site hashed the bloody passwords in the first place, they wouldn't get compromised as often.

How does using a strong password prevent password re-use?

No it isn't. Well, it is to a degree but it uses the same underlying technology - the "tap to pay" (What we call "contactless") is an antenna attached to the same chip. The transaction flow is a little different but it uses all of the same methods and technology as a chip transaction.

Yes, read the article carefully...

The cryptographic flaw – the result of mistakes by both banks and card manufacturers in implementing the EMV* protocol

The vulnerable cards have not been properly designed for a start. What's more, this doesn't affect all cards (even if the unpredictable number is guessable) due to different authorisation methods.

Yes, this is a vulnerability in older cards that had a somewhat predictable "unpredictable number". However, it still doesn't allow you to clone a card in a meaningful way and later cards (I can't give you a timeframe as it depends entirely on your issuer, your country, etc.) aren't susceptible to such things, even when the unpredictable number is, er, predictable, due to a thing called CDA.

Just because the transaction is contactless does not mean that you don't still have to occasionally enter a PIN to approve of the transaction. As for the latter, there are floor and ceiling limits to both contact and contactless transactions - $1 you'd get away with, but $100 would require a much more involved process due to the terminal going online and such.

Still, you're right, the terminal could display an incorrect amount however there's literally nothing you can do against this other than watch your receipts - however this is no different than magstripe today. The chip card is still secure and this kind of fraud would be extremely easy to trace straight back to the merchant. You still wouldn't be liable.

By all means, show me a paper or something that shows how it's possible. The technology isn't new, it dates back to the 80's and is similar to the SIM technology used in mobile phones - show me a device capable of cloning any technology even remotely similar to that, then.

That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).

Yes, but the point that perhaps I'm not making clear enough is that any vulnerability is due to the OLD systems, the magstripe stuff that should have been replaced years ago. The issue lies with the legacy system, not the new system.