The Almighty Buck

Beaming Money 175

Wes writes "If you've ever dreamed of having a system like they use on Star Trek, where credits are instantly passed back and forth, this is it. PayPal, from Confinity will let you do that. Just sign up, load the software onto your Palm or WinCE device and go. If the other person doesn't have the software, you can IR-beam it to them, same as transferring money. Never fear if you don't have a handheld. An e-mail address will do just fine, but no money beaming. Sounds like a new payment type for eBay. "
This discussion has been archived. No new comments can be posted.

  • Geez, it's going to be simply an encrypted text/data. There should be no need for any executables, meaning there should be no viruses. But, as was previously said, we need to find out what encryption and protection system they are using first. Anyone know anything about this company's history? Any complaints?
  • Having not read the site at all I won't comment too deeply, but it occurred to me that some sort of double-check system might solve the problems you mentioned above.

    Meaning, both my PDA and the other party's PDA would record the specifics of the transaction including the amount of transfer and who the money was transferred from and to. Money wouldn't change hands until both ends had been synched to the server.

    This may not be the way they're doing it and would certainly eliminate some of the convenience, but it would keep money from electro-magically appearing out of the ether.
  • Notice the electronics trend the past few years? Everything's i-this, e-that, etcetera, but as wonderful as these things are, nothing is really safe anyways, so would we be seriously ready to make this everyday for some (nevermind all) people?

    And I'm not necessarily meaning that someone is going to walk around with that massive IR panel hooked into a palm with an IR sniffer (idea!), but there's much larger worries lurking overhead.

    No, not the little green men from Mars (that's a different story). Remember back 30 years or so when we detonated a nuke in space to see the effects? No damage, except an EMP shockwave that ruined a good deal of all electronics in the pacific (Hawaii too I believe, I can't remember much, anyone want to follow up on these old projects?).

    The military, and in some rare instances, even law enforcement use EMP to neutralize sensitive areas, in a package smaller than a Pringles tube. It shorts out most electronics and wiring without too much of a problem.

    Now obviously this technology can be applied well (like EMP car horns! they'll never go that slow in the left lane again!), yet there can be malicious uses. Yet, when I think about it, there're malicious uses for cardboard so we're never really safe.

    Just another thing to think about before we all even consider jumping on another bandwagon.


    --me
    ----------------------------------
    Anyone else remember VisiOn?
  • #include <stdio.h>
    int answer;
    main()
    {
        printf("gimme yer money");
        scanf("%d", &answer);
        if(answer == 1)
            beamthem();
        else
            takeitbyforce();
    }

  • And I bet Peter Thiel was sweating a little... would have been fun if something had screwed up with that little transfer!

    Effective gesture, though. They wouldn't have put $3 mil on the line without a well tested system!
  • If no one uses it because they're all waiting for other people to show that the system is reliable, then no one will prove that the system is reliable, and all the people waiting around will still be awaiting the proof.... :)


    Who am I?
    Why am here?
    Where is the chocolate?
  • On July 23, Confinity made history by receiving its first-round financing from Nokia Ventures using Palm Pilots and Confinity's PayPal software to do the funds transfer. At Silicon Valley's Bucks Restaurant, where many a venture capital deal goes down, Nokia executives will 'beam' the company's $3 million investment to Confinity CEO Peter Thiel's PalmPilot.

    http://www.buckswoodside.com/stories/storyReader$218 [buckswoodside.com]
  • There were several services like this in the early days of the Internet... and they worked, too! Jack Rickard had an open invitation to let people pay for their Boardwatch Subscriptions using one of the email-money-transfer services.

    I can't find the column on their online version; must have been pre-1995 (back when there actually was BOARD in boardwatch, instead of this "internet" stuff... :P )

    -Chris
  • Hmm... it is, indeed, interesting that this happened just after DigiCash went belly up (according to another poster) -- as DigiCash held most of the patents involved in digital cash algorithms.

    I wonder if these folks managed to get them for a song...

    As for folks wondering how this is done, there are some excellent examples of digital money protocols in Applied Cryptography, a must-read for anyone who finds this interesting.
  • Actually, there have been several cybercash schemes around the UK for a while now - Mondex in Swindon which seems to be humming along nicely and Visa Cash in Leeds (my home town), which seems to be gaining in popularity quite rapidly... you should see parking meters as the 'foot in the door' for the technology which can then move up the food chain, as the Leeds project has done.

    james
  • umm can you please point me to a url where you found this info? I don't see it anywhere, but if true that is definitely good news!
  • There are things to be said about cash... but:

    I can't be traced: oh, yeah? Where can you spend a lot of cash and not be traced!

    refunds are easy: Where are refunds easy? I always seem to have to show a receipt, show ID, and fill out/sign a form.

    and I know if someone's trying to use my money: After they've robbed you, you might know if they're using your money, but you won't know who or where!

    Cash and checks are increasingly uncommon in Europe, especially checks. Smart cards may face a hostile environment here in the USA, but Visa and MasterCard at least provide some protections against unauthorized use that might occur. Cash will only be protected by a safe, a gun, the police, or moral behaviour. I say, bring on some smart, technologically intelligent alternatives!
  • Well they specifically state in their privacy policy that they ask for demographic information, but that they don't give it out (cept probably base statistic as in how many people on their system fit certain demographics). They simply use it for indirect marketing. Meaning an advertiser says "Hey, I hear you have a lot of college students signed up, give them all this advertisement." PayPal says "Yea we got 2 million of em, that'll cost you 50,000"
  • hmm, that could be a problem. but the technology exists to make everything else about the product secure; it shouldn't be impossible to figure out a solution to the hardware issues. besides, if you lost your 'wallet' most likely none of the transactions would be completed unless both parties sync'd them up. who wants a cashless society anyway - how would you buy dope? an excellent book to read on the subject is "Web Security and Commerce" at www.ora.com [oreilly.com]
  • A somewhat accepted explanation for this is that while the federation does not pay its officers per-se, there is money available to them for use with races that do use a monetary system. Thus, if they wanted to spend money in Quark's bar, they would requisition latinum from the Fed's.
  • What happens when you break your Palm Pilot or 'accidentally' do a hard reset? Just like losing your wallet?

    James
  • It's been quite a year for Star Trek advances. We've had

    The cloaking device

    The transporter (old news I know)

    The medical tricorder

    The warp drive

    Pon farr (okay, getting laid for the first time in seven years probably doesn't count)

    Nearly all references are bogus; none of them (except the warp drive) are analogous to their Trek counterparts. Course, they're still cool.

    About the credit transfer: the town of Ennis in Ireland tried giving everyone smart cards, and they only used 'em for parking meters. 'A good idea whose time has not yet come' was the official response.

  • it sounds like you could buy dope with this system, it enables transfer of funds directly from one pad to another, so there's no way to know *why* the cash was transferred.

    *and* there's no cash limit (unlike smart cards with their $500 max) the VC used this system to give this start up $3 million dollars....


    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • I wonder how they plan on making $$ on this system.... The signup is free, the software's free, the transactions are free... what does that leave them?

    We're all worried about Micros~1 & AOL taking over the world; who's watching the credit card people?

    --Mid
  • I think most smart cards have a certain limit of cash, although some places the cards for gasoline and phones have been "recharged"
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • So, I get an e-mail attachment that I'm supposed to trust and open. Sounds like a great opportunity to do a lot of damage, with a virus. "Click here to get your $500.00!" :(
  • I want a credit card with a $3 million limit! I'd create a fake identity, beam myself a bunch of cash, disappear to some tropical island and "pleasure code" for the rest of my life.
  • my guess is it would be hard to do just about anything anonymous when you need to be physically within 5 feet of each other...
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • When do I get my Credstick? Like in ShadowRun?

    Kagenin, who not only plays too many RPGs, but dreams of a Cashless Society
  • So we could have petty thieves who, instead of cutting purse straps, simply intercept a wide angle IR beam with their own device.. or even MORE simply, stickyfinger the device.. *be it palm, ce, whatever* and beam all the cash in the guy's bank account into his own bank account

    So let's see... lose the $3 in your wallet and spend a week waiting for all your credit cards to get replaced... or be drained of every penny you have?

    I think digital money is a good thing.. but this is a slightly more sketchy idea.

  • All the data is also stored on the server, and both need to be synched before you can get it (I believe, although I'm not sure that would be necessary)

    it's like a check. you can *write* a check for however much you want, but it isn't going to do you a lot of good.........
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • Some people have no sense of humor...
    However.. note he got modded up to..

    People might (like he did) take the joke out of context and think this is actually likely...

    It's funny and a cool joke but not realistic..
    I still have images of a crook fiddling with a knife and a palm..

    "In today's news a would-be mugger went to the hospital when he accidentally stabbed himself during a mugging attempt when he couldn't get the palm working"

    It might be easier if they just steal your palm...
    Then you go on the internet have your plan voided and the next time the crook tries to use it you get your palm back :)


    A silliness note... some doomsayers think we'll have to have 666 stamped on our palms in order to do business..
    I just can't get the image out of my mind that "The beast" refers to large Unix servers in stores and the palm with 666 is a palm pilot set world accessible [chmod 666]
    The number of the Unix beast :)

    Ok enough silliness...
  • This sounds really cool, and I'd love to use it. But there is no way I'm gonna be the guinea pig. Sorry, I wanna know how they can ensure several things first.
    • What happens if my palm does a reset? Actually by reading the site it seems like my payment never happens.
    • People can forge emails. What's to prevent them from forging email payments?
    • What credit card companies support this?

    I'd really like to use this, it sounds nifty, now prove to me it works safely, and reliably.
    -cpd
  • SSL. That and large amount of transaction auditing at just about every point in the system. Oh, and the limitation most online transfers have to only being able to transfer to ones own accounts or to predefined payees.

    It wouldn't be impossible to break the SSL-but I sure wouldn't transfer too much, you *will* be detected (especially if you try to transfer to *your* account, duh).

    Penrif

  • Yeah you beat me to it, there is no money in
    Star Trek, they're all a bunch of new-age hippies
    who help each other just out of the goodness
    of their hearts.

    PSHAW!

    like that would ever happen, there will always
    be people like WILL~1.G8S and such around who
    feel they are superior to us all by birth-right.
    ...dave

  • Boy, aren't we quick to pass judgment. Just because something isn't available yet doesn't mean it's vaporware. They set a release date of fall '99. If it's not available then, come back here and spread the word.
  • by Mawbid ( 3993 )
    Has anyone but me heard of e-gold [e-gold.com]? Has anyone used the service or is everyone doing what I'm doing... waiting until everyone else is using it?
    --
  • Sorry bout that.. didn't see the side nav bar on the about company tab.
    http://www.paypal.com/cgi-bin/pageview?cmd=investors

    Anyways, for anyone else out there, the list of investors is Nokia, Deutsche Bank, Bill Melton (of CyberCash and VeriFone), and Martin Hellman.
  • Yes, provided they have the software, it is just an encrypted text/data file.

    However, if they don't have the software, they have to get it. It took credit cards quite a long time to get universal adoption.

    So, if I don't have this software, but you want to buy a widget from me, you send me the text/data file. I don't have the software, though, so you "beam" it to my palm-pilot or e-mail it to me or whatever. That is binary, executable code that you are sending to me. :( Even if it was signed, I would have no way to verify the signature without a public key (which you sent to me, with your payment, right?).
  • We're all worried about Micros~1 & AOL taking over the world; who's watching the credit card people?

    The credit card people are WAY ahead of those two. If you want to use an operating system, you can choose a non-Microsoft OS easily. If you want to go on the Internet, you can easily sidestep AOL. If you want to be able to spend money over the phone or Internet, you're pretty much dead in the water without a credit card. Checks are really being phased out, and even then not everyone (especially minors) has access to a checking account.

    The credit card people have taken over the world of electronic commerce. There are dozens of operating systems and ISP's available worldwide to the general public, but there are only four major credit cards (Visa, Mastercard, Amex, and Discover -- although that last one's a stretch) that you can use.
  • As far as I can see this is just electronic checks. Instead of writing out a paper check and handing it to the counterparty, you beam an electronic check from your PalmPilot to his PalmPilot. Just as with checks, no money transfer actually takes place at this time -- money flows from your account to his account later when the transaction information is uploaded to the bank. Same with e-mail: instead of snail-mailing the paper check to somebody, you e-mail an electronic check to him.

    Will this work? Probably yes. Electronic fund transfer is not going to go away. Will this work in this particular incarnation? It depends (on the company cluefulness, marketing, govt regulation, etc. etc.) Do I like the scheme? Not very much: there is no anonymity whatsoever.

    Also consider the usefulness of the idea: how often do you write out paper checks and give them to other people (as opposed to, say, utility companies)? I do this maybe two-three times a year. For the rest of the time cash, credit card, and online bill payment are quite sufficient for me, thank you very much.

    Kaa
  • by Anonymous Coward
    I've put together my own IR assault rifle. I replaced the IR LED on a cheap universal remote with an IR laser diode. I also added a red laser diode for sighting purposes (which is switched off once the target is acquired). I then mounted the device on my telescope tripod and can now change TV channels in other people's houses! The fools! They leave their windows open! Muhahahahaha!!!!!
  • I suspect the palm money is just a reference to a central bank file where the money actually is.
    In a sense your palm becomes a really expensive ATM card... only you can shoot a file off so someone else can pull some money out of your bank.

    If your palm breaks you can just void your palm money.. It also means you can not run to the store and buy a new palm... have to run to the bank first... void palm money.. withdraw money... get new palm.. get new palm money...

    It also leaves some room for crackers to forge your palm codes and withdraw more money from your bank than they should...
  • If they build up a customer base there will be major advertising opportunities, but the main source of income is the float. PayPal charges your credit card, and they get access to that money almost right away and can invest it (possibly regulated to invest only in liquid securities like U.S. treasuries). Then they hope that the friend you paid leaves that value in their PayPal account for a long time out of inertia or the expectation that they'll use their account real soon.

    Plus the Wired News article says they expect over time to get people to load their account by check or bank debit, so PayPal wouldn't have to pay those nasty credit card interchange fees.

    Give PayPal credit for recognizing the market opportunity in peer-to-peer payments. If enough buzz develops, somebody will take the next step and commercialize real digital cash.
  • what they don't know is the world will come closer to ending when there's 31 0's (out of 32) at least on current systems, which i'm pretty sure will change by 2038 anyhow, linux alpha (probably sparc too) is already y2038 compliant, maybe it will be the key to dethroning m$
    although i hate to think of nearly 40 more years of microsoft 'inovention'

  • I worked for DigiCash up until it went into Chapter 11 bankruptcy, so I know a little about it ;-) This post is personal opinion - I do not speak for the company.

    To the best of my knowledge, all of the non-US DigiCash systems are still successfully up and running. Mark Twain was running a US trial for a long period of time but pulled out a year or so ago, which is why there is no current US presence.

    However, you will be pleased to hear that the DigiCash IP was sold to a startup who appear very interested in making it a ubiquitous and successful product, and IMHO it sounds like they have the execution skill to back up the vision. Keep an eye out for it :)

  • I can see why this would be a good alternative to the play stuff that passes for cash in Canada.

    Don't get me wrong, I'm not trying to insult Canadians, just their money. I just remember being in a Canadian arcade, and it was obviously much easier to get one of the arcade's own special cards than to come up with $2.75 in change per game.

    ($2.75? Remember to take not only the exchange rate into account, but the fact that everyone loves making tourists pay through the nose, especially if they have no clue how much their money is actually worth.)

    Okay, okay, this is getting more and more off-topic by the second. I'll stop now.
    --
  • Visa Cash is a settled system - you have to be a Visa Cash merchant to receive value, which is just a transaction entry on a PSAM. From this, a transaction is sent to visa requesting payment. The funds pool for the card issuer is decremented and the merchant paid.



    It is very obvious when more money has been spent on a card than has been loaded.



    With Mondex, where real value flows from card to card, it would be possible to create value gradually and have an infinite source of cash...

  • by Col. Klink (retired) ( 11632 ) on Tuesday July 27, 1999 @09:36AM (#1780383)
    First, digital money would be signed and encrypted, so it's not just a matter of catching the beam. That also means that a stolen pilot won't sync money with someone else's cradle. They would have to beam it to another palm and, I would expect, you'd want to put a password around that function.

    Next, I believe you actually need to "load money" into these things. When you sync, you would tell it to load say $50 for "walking around" money. If your palm is stolen, this is the most you can lose. If someone beams money to you, you take your pilot home and transfer it back into your bank. There is no wireless connection to your bank or any way to get money to/from your bank except at the hot sync.

    This is NOT like a "debit card" where the money is instantly transferred from your bank to theirs. It's more like a travellers check, where you withdraw the money and carry it around and then someone else deposits it later. They plan to make money off the float (between the time you withdraw the money and someone else deposits it, they will earn interest off of it).
  • I was kinda thinking the same thing...

    what about the complaint about the PalmV and using it to steal the remote operation codes from cars so that you can open the doors just by intercepting the keycode... Can you do this w/this? Just intercept the IR beam and run like a purse-snatcher laughing all the way?

    I am all for electronic little gadgets doing my work for me, but I feel bad enough typing my CC info into a web browser for a transaction (and even worse when a computer company says, oh, send it to us in email, it is as safe as handing it to a waiter in a restaurant). Maybe I am old fashioned and maybe a bit paranoid, but I would carry my wallet any day over my Palm for money transaction... Plus, paper and coin and even plastic money transfers just as easy as this...
  • The software can be signed with DEVELOPER's public key, not public key of whoever beams it to you.
    Of course, that also presents a problem because
    one needs access to the Net to verify the digital
    signature. Of course, one could store both the money and the software in encrypted form and then try to decrypt at home...

    I think that sounds pretty clunky. Now, a smart-card reader for the Pilot... That might work.

    mAx
  • Any digital money scheme worth its salt will encrypt its transactions. e.g., Alice wants to send Bob money, unaware that Edgar is standing nearby, eavesdropping on Alice's IR transmission; it shouldn't be useful to Edgar, because Alice has (likely using a public-key encryption algorithm) encrypted it for Bob and for Bob only. Given suitable encryption elsewhere in the system (credit card transfers, email transactions, etc.) this should be fairly secure.

    Of course, I still don't want my money going down the toilet if my Palm III resets or gets lost or dies...

  • If it's a Cybercash (old-style) lookalike, then the loss/destruction/crash of a PDA means they keep the money - similar to the business model of many Stored Value schemes on Smartcards today.

    A fine suggestion, but utterly, utterly wrong. What you are proposing is illegal thanks to the little known and recently dug out and dusted off escheatment laws. It says that when property (tangible or intangible) has no rightful owner, like expired cash or phone credits on a card, the government will look after that property until the rightful owner presents himself.

    So, if a company is planning on keeping the cash/credit on an expired/lost card, they are acting illegally.

    Read up on escheatment and be very scared if your company operates in this way.
  • Further, just because the Federation doesn't use CASH doesn't mean they don't use money. DS9 implied heavily that the Federation uses a very fluid credit/debit system. The Ferengi and others just don't buy into this wacky sort of thing and want "real" MONEY in their hot little hands, even if the Federation has enough economic standing to let its citizens convert their credits into latinum (otherwise Chief O'Brien couldn't have paid his bar bill).

  • Me too. And with cash, you don't have to worry about either sitting on or your PDA dying on you....

  • Funny, I've never had to show any ID when getting a refund from either Kmart or Wal-mart, and whoever said you had to use your real name on any of the forms? I've paid $1500 cash for a used car at a dealership without any problems whatsoever.
  • My ATM (Interac) card does all the things you mention, save for person-to-person transfers. I thought that the MAC (Money Access Center) cards worked the same in the US?

    The money sits in my account until I decide to move it to pay for a purchase. Therefore it collects (pitiful) interest. I don't have to change banks, I can make withdrawals from any bank (usually with an interbank fee however). And some bank machines indeed do give you the option of American cash. In fact, my card works on the Cirrus system of interbank transfers -- I can get cash in the states or wherever Cirrus machines exist.
  • I found this on their web site:

    "PayPal financial transactions are encrypted using public-key cryptography to ensure maximum security for all beamed transactions between users and for all subsequent interactions with our secure server, which occur during synchronization of each handheld device. When you conduct a transaction on the PayPal web site, we encrypt all of your private information. That information is stored on a secure server housed in a secure data center. All transactions are conducted through our secure servers, which are protected behind state-of-the-art firewalls."
  • Assuming patents operate in a similar manner to copyrights (which they may or may not), the rights would revert back to the person(s) who actually created the [insert patented item here]. (This also assumes there are no weird contractual clauses about who rights go to...)

    Of course, this could totally be off, as well.
  • Okokok. I bow before the all-knowing relater of The Jargon File...

    D'oh!

    I should RTFM more often so that I know of what I speak... :-)
    --
    - Sean
  • This is basically a way to make credit payments to people who can't accept credit card payments themselves. It's not for ebay or other real merchants. It's likely to be very popular and make them lots of money I'm afraid. Banks actually make more than just the interest on the accounts, they make money on the float, it's basically free money that the banking money synthesizes (Now that's the real Star Trek stuff, except it's the basis for the existing brick and mortar banking business).

    The problem is that the availability of faux-ecash systems like this will only make it less likely that we ever get true electronic cash. Mondex, et al are all just "better credit cards" that avoid having to pass your credit card in the clear but don't do anything to preserve your privacy. Do you really want your credit card company to have a list of everyone you exchanged cash with and every store you shop at?
  • Yeah. Instead, money would electro-magically
    disappear into the ether. If you never sync
    your PDA (or reinstall/wipe the memory/whatever
    periodically), you can transfer all you want and
    never pay anything..
  • Not if you've received a transaction. Then it's like burning a check written out to you...
  • New Age Hippies....

    Maybe they have a "Gift Economy" and all their software and hardware designs are open Source so there no need for money!

    (note for the humor impaired the above is intended as a "joke")

    "I didn't know you wore falsies -- false ears" -Brazil
  • It may have changed by now, as I haven't lived in Boston for a few years,
    but their universal transit card was *way* better.
    Because of the zoned fares, my Dad had a card that was worth, say, $2.50 for the Commuter Rail trains.
    You could then use the same card on the T for subway/tram travel, and it had the Magnetic Stripe for quick access.
    The best part: unlike here in fscking Toronto, you didn't need picture ID to use the damn thing!
    So I could use it on weekends when my Dad wasn't working. Ideal!

    Someone from Beantown may want to correct my statements:
    I never had to buy one, so I don't know about cost. But it seemed to work great!

    Pope
  • Well, they said the word "secure" three times in that paragraph, AND "state-of-the-art". How much more do you want...?

    I'm very skeptical of this scheme. First, they have a stupid name. "PayPal"? Uggh. Sounds like a toy cash register made by Mattel.

    Not to mention the enormous difficulty of getting this thing to spread. I don't have a Palm or WinCE device (I prefer EPOC, thanks), so if someone wanted to "beam" me the ten bucks I lent them for lunch, they would have to first explain the scheme, quell my fears about its safety, and then convince me to download the software (most likely Windows and Mac only), give this company my private financial information, and then collect my ten dollars. Yeah, ummm... There's an ATM a block away. Let's go get my money.

  • On the subject of Star Trek: According to Jean Luc Picard in Star Trek: First Contact "money doesn't exist in the 24th century" to which Cochrane's assistant replies "no money? you mean you don't get paid...". This was in response to the question of how much the Enterprise (1701-E) cost. This is all very good, etc.. but haven't you noticed how the Ferengi and just about everyone else seem to have money of some form or other. Indeed, the Federation seems to have money on some occasions, but on others it "doesn't exist". Can anyone clarify how this is explained or is it yet another classic Star Trek wonderful inconsistency?
  • Why is it that every time we get a couple zeros on the end of the year, people start up this "end of the world" stuff? Sorry, but I just don't buy it.

    Every century a collection of zealots from various religions start getting their mortal affairs in order, and (in some cases) forcing others to do the same. The problem nowadays is that some utter psycho could come up with a "millennium bug" that WOULD end the world (at least as far as humans are concerned).

    I'm more concerned about people who think the world will end (and try to fulfil some nut-job prophecy), than I am in a couple zeros. Even (scary) three of them.
  • At the bottom of most (all?) of the pages, there's a "Security Notice" link which gets you to the following statement:

    ---
    Security Notice

    PayPal(TM) financial transactions are encrypted using public-key cryptography to ensure maximum security for all beamed transactions between users and for all subsequent interactions with our secure server, which occur during synchronization of each handheld device.

    When you conduct a transaction on the PayPal(TM) web site, we encrypt all of your private information. That information is stored on a secure server housed in a secure data center. All transactions are conducted through our secure servers, which are protected behind state-of-the-art firewalls.
    ---

    No indication of what flavor or key strength their crypto is, though.

  • Jeez... it was a joke!!

    Didn't you notice the rating comment? aka: 3: Funny??

    That's why it was rated up... not because of anything else.
    --
    - Sean
  • Of course, you're all forgetting one of the largest trials of electronic cash performed so far. You should have heard of Mondex [mondex.com] - an electronic cash system co-developed by BT, Midland Bank (now HSBC) [hsbc.com] and others. They have an electronic card which uses a smart chip to actually store the cash. You can get electronic "wallets" with which you can exchange cash with other private individuals. Shops have more permanently fixed card readers. You can lock the card with strong encryption (hello US :-) so that others can't get at your cash even if you lose your card - to use it again you have to "unlock" it, and just like a mobile phone, it can be set to only authenticate with your own "wallet" so someone else can't even try cracking it. Using BT's specially developed telephones, you can withdraw money from the bank without leaving your home and you can also deposit it as well. Anyone who is interested in this, I wrote a report on Mondex several years ago when the Swindon trial took place. Unfortunately it's in M$ Word format as my university hasn't embraced Linux yet and their Suns are laughably ill-equipped with decent word/text processing capabilities. Anyways, if you're interested - it has lots of pretty pictures :-) anyone who mails mondex-request@periscope-systems.freeserve.co.uk will receive a copy - that is if I can find it :-)
  • It seems to me it should be possible for someone to arrange an encrypted transaction via computer, where given some sort of info about your account (as in a public key), I connect with my bank, generate an encoding indicating the amount, my account, and the target account, and then I could send you the encoding and you give that to your bank for receipt. This could then be an electronic check, and with long enough keys should be safe at least for the short run.
  • Hmmm... and this thing is theoretically intended for WinCE machines...?


    Heh... OTOH, this could be good. Let's say someone big... big and important... has just received a nice large - ummm - payment, and Windows crashes...

    Ok, so I'm sure there are a few holes in that scenario, but it's a nice thought :-)
    --
    - Sean
  • Some people spend most of their lives making Star Trek "consistent". Personally I think that's way over the verge of sadness, but what can I say, my ex-girlfriend was really into this kinda thing. Check the credits, you'll see "consistency checkers".......
  • Are you going to publish the protocol used to communicate with your servers, and between handheld devices?

    I own a Palm Pilot, but I use Linux, and I'm worried about my ability to use your service.

    I'm also concerned about the security of any non-public protocol. Long experience in the cryptography community has proven that any algorithm that isn't public and survived teams of people trying to crack it isn't secure. I don't care if you use a proven algorithm like RSA. How do you use it? Where are the private keys stored? What data is on the wire? Is any data that may potentially damage security transmitted? I don't care what your answers are. I want other people's answers.

    I'm looked at as a technology advisor by a lot of my friends. I will advise them all to not use your service due to the problems I outlined above unless you publish your protocol for peer review.

  • How long would a Palm Pilot take to do >100bit public key encryption? About a month?
  • Paper is slowly becoming obsolete...though I agree that keeping your money centralized like that is risky. Should have a direct connection to a bank or something.
  • by Anonymous Coward
    > Bad idea because there's at least three points at which to break in and subvert the system.

    To subvert it, you have to know what you're looking at (unless deleting it is sufficient).

    > -On the IR level, such as copying someone's transaction from a distance.

    This doesn't work if the exchange is encrypted. This is easy to do with methods like Diffie-Hellman key exchange; others have mentioned that Hellman is part of this venture.

    > -At the software level, such as getting a legit payment, then hacking the software on the Palm to up the amount by a large number.

    If the payment is signed by the payor, you'll have to derive his signing key in order to alter the contents. With systems like RSA this costs more to do than you could get from small or medium-size forgeries.

    > -At the return the data to Confinity, such as sending them records of transactions that never actually occurred in the first place.

    Again, you'd have to forge the signatures.

    > Plus probably more. Admittedly, all these three can be fixed with the right kinds of encryption, but I doubt they worried about that too much when writing the software.

    The scheme as described on the web site is very sketchy and doesn't give crucial details; perhaps they are still working them out. However, the worst problem I can see is that it appears to depend on the honesty of the payor; if the payor deletes or otherwise never uploads the record of the transaction, it never happened. Non-repudiation is an essential part of any secure payments system, so you'd have to allow payees to claim payment based on an upload of a signed promissory record from the payor's computer.

    The neat thing about this system is that it is viral; the enabling software can spread from Palm to Palm at the speed of gossip. I don't see anything that prevents the same scheme from being used to foster an anonymous e-Cash system in the future, and once Confinity's system is widespread enough for people to start getting annoyed with its lack of privacy, the stage is set for another viral system to replace it overnight. Getting people used to exchanging money with hand-helds is the big battle, selling them on a private system that's just as easy to use is child's play by comparison.
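
The signed promissory record that the comment above argues for, as an added example (not PayPal's or Confinity's code; the thread never sees their protocol). Ed25519 from Node's built-in `crypto` module stands in for the unspecified signature scheme, and the record fields, the `Clearinghouse` class and the account names are assumptions made for the sketch.

```javascript
// Added illustration, not PayPal/Confinity code. The record fields, the
// Clearinghouse class and the account names are assumptions for this sketch.
const nodeCrypto = require('crypto');

// Canonical bytes of a promissory record. A fixed field order means payer,
// payee and server all sign and verify exactly the same byte string.
function encodeRecord(rec) {
  return Buffer.from(JSON.stringify([rec.payer, rec.payee, rec.cents, rec.nonce]));
}

// Payer's handheld: sign the record before beaming it to the payee.
function signPayment(payer, payerPrivateKey, payee, cents) {
  const rec = { payer, payee, cents, nonce: nodeCrypto.randomBytes(16).toString('hex') };
  const sig = nodeCrypto.sign(null, encodeRecord(rec), payerPrivateKey);
  return { ...rec, sig: sig.toString('base64') };
}

// Server: settles a record uploaded by EITHER party, so a payer who never
// syncs (or wipes the device) cannot make the payment disappear.
class Clearinghouse {
  constructor() {
    this.keys = new Map();     // account id -> public key registered at signup
    this.balances = new Map(); // account id -> balance in cents
    this.settled = new Set();  // payer:nonce pairs already paid out
  }

  register(id, publicKey, openingCents) {
    this.keys.set(id, publicKey);
    this.balances.set(id, openingCents);
  }

  submit(rec) {
    const payerKey = this.keys.get(rec.payer);
    if (!payerKey || !this.balances.has(rec.payee)) return 'unknown-account';
    if (!Number.isInteger(rec.cents) || rec.cents <= 0) return 'bad-amount';
    let valid = false;
    try {
      valid = nodeCrypto.verify(null, encodeRecord(rec), payerKey,
                                Buffer.from(rec.sig, 'base64'));
    } catch (err) {
      valid = false; // malformed signature field
    }
    if (!valid) return 'bad-signature'; // edited amount or forged record
    const id = `${rec.payer}:${rec.nonce}`;
    if (this.settled.has(id)) return 'duplicate'; // same record uploaded twice
    if (this.balances.get(rec.payer) < rec.cents) return 'insufficient-funds';
    this.settled.add(id);
    this.balances.set(rec.payer, this.balances.get(rec.payer) - rec.cents);
    this.balances.set(rec.payee, this.balances.get(rec.payee) + rec.cents);
    return 'settled';
  }
}

// Constructed scenario covering the cases raised in the comment.
function demo() {
  const alice = nodeCrypto.generateKeyPairSync('ed25519');
  const bob = nodeCrypto.generateKeyPairSync('ed25519');
  const server = new Clearinghouse();
  server.register('alice', alice.publicKey, 10000);
  server.register('bob', bob.publicKey, 0);

  const iou = signPayment('alice', alice.privateKey, 'bob', 500);
  const inflated = { ...iou, cents: 50000 }; // amount changed after signing
  const invented = signPayment('alice', bob.privateKey, 'bob', 500); // not alice's key

  const results = {
    inflated: server.submit(inflated),
    invented: server.submit(invented),
    payeeUpload: server.submit(iou), // payer never synced; payee's copy settles
    replay: server.submit(iou),
  };
  results.alice = server.balances.get('alice');
  results.bob = server.balances.get('bob');
  return results;
}

console.log(demo());
```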

  • This is, while wittily crafted, a rather ignorant comment, I can't believe it was sorted to the top of the comment display.

    If one reads the article one would see that the transactions are neither anonymous nor instantaneous. Two qualities which are highly desirable to those interested in performing a successful mugging.

  • According to the Wired article on Confinity [wired.com], the money involved in the transfers will pass through an escrow account managed by Merrill Lynch. So I have to trust that Confinity and Merrill Lynch will not use their position to invade my privacy or cheat me.

    If you offered me software that implemented true crypto-cash, I wouldn't have to trust an intermediary bank -- but I would have to trust that the software implemented a secure crypto-cash protocol in a correct way. Even if I had the source code in front of me, I couldn't verify that myself, so I'd have to trust some experts in the field to verify the program's reliability for me.

    Furthermore, the average palmtop owners don't have a clue about who to trust on crypto issues, but they do trust the name "Merrill Lynch". So a pseudo-ecash system backed by Merrill Lynch is likely to go farther in the marketplace than a true ecash system backed by, say, Bruce Schneier [counterpane.com].

    Remember, worse is better [jwz.org].

  • > Citibank (and some other big bank, I think) tried a pilot (sorry) program on the Upper West Side of Manhattan a year ago or so. They replaced our ATM cards with "smart cards" that could hold cash, and got a bunch of vendors in the neighborhood to install readers. The smart card came with a little reader that would show you your current balance as well as your last few transactions.

    That sort of system has been in place all across Canada for several years now (like about 7 or 8). It's called Interac.

    The only thing you mentioned that we don't have are the little readers.

    Every single bank and credit union in Canada (there are 5 big banks, a handful of small ones, and a zillion credit unions) is in on the Interac system.

    It's basically an ATM (bank) card that can be used for purchasing. Pretty much any store in Canada, from McDonalds to the international airports, to little mom-and-pop corner store, to the big department stores (Sears, etc) accept them.

    You can pay for your purchases directly with the card; no signing anything, all you have to do is input a single 4-number PIN. The money, if available, gets debited directly and instantly from your account.

    A couple bank machines also offer the option of transferring money directly to someone else's Interac account, similar to what this Confinity thing does (except that you can't carry it with you).

    Sure, the bank knows where you made the purchase, when and how much, but that's it. They don't know /what/ the purchase was. And it offers pretty much instant transactions; a few seconds and it's over. It's pretty close to being crack-proof; about the only way would be to tamper with one of the machines in advance... but they sit along-side the cash registers, so you might as well tamper with that and take the money directly, especially since any Interac transfer is logged.

    Like I said, it's been in place here since the early 90's, and is immensely popular. I don't have the exact figures on-hand but something like 30%-40% of all purchases nationwide last year were made over Interac, and it's growing by 10% plus per year.

    Since every single banking institution in the country is involved, you don't have to be a customer of any one particular bank or have a special ATM card or anything. Any old one will do.

    And, there are really only a very few (probably under 5%) stores/restaurants/whatever that don't take it. Even the government takes it for pretty much anything. I think taxes (Income taxes, etc) are the only things they don't accept it for... and there are plans underway to change that.

    It's a great system -- to be honest, I've always wondered why on earth they couldn't adopt something similar (or even the same system, to make things easy) in the USA.
    --
    - Sean
  • Actually, they don't plan on making money on it just yet. Wired did an article on this, mentioning that a VC had beamed $3 million to the creators with his palm. You can find it here [wired.com].
  • If you look at the visitors-from-the-past episodes and even that movie, it's not that they got rid of money, but that they eliminated poverty. Though it would be hard to maintain a productive society, eliminate poverty, and continue a minimal form of capitalism, but hey, they _did_ say the same thing about a democracy in a capitalistic society.
  • What happens when stealing right hands becomes a popular practice among criminals. . .

  • the palm wouldn't have to crack the code, once you have the key it is just as simple to decrypt as any other method. However, if you are planning on brute force cracking the code, that would take forever, a more feasible effort might be to capture the transaction, then load it back home and crack it there...

    just a thought.
  • Ummm... my understanding of vapourware was that it refers to a software project that gets abandoned before it is completed/released.

    Just because something is not available yet (ie: before they said it would be) does not mean that it's vapourware. If it never becomes available, then it is vapourware.

    Until they say they're abandoning it, or until the release date hits without them saying/releasing anything, it's simply "under development".

    I mean, by your argument, Linux 2.4 is vapourware. Huh??? No, it's not! It's just not finished yet.
    --
    - Sean
  • Well, their FAQ doesn't cover this, but this quote from their "About PayPal" [paypal.com] is interesting:
    You can beam the PayPal[tm] software to your friend and then "beam him some money" instantly. The system charges your credit card when you next sync your device, and your friend can register later at PayPal.com.
    So my guess is, that if you send money to someone, and your storage medium would err, accidentally be damaged, the transaction will never be sent and your victim will not get the money.

    Mo Money!

    - da Lawn

  • by Anonymous Coward
    People...you seem to be ignoring a few very important parts of this PayPal (why not PayPilot?) system...

    1) Federal law limits your personal liability in credit card matters to $50 (long distance phone calls, stamps, etc). This means that since the actual payment part involves a credit card company...if for some reason the system is hacked and someone tries to fake a $5000 transfer, you just tell your card company to dispute the charge and that's that. Now of course, if you were dumb enough to use your fancy new CHECK card, then you will be fighting to get money you already PAID back (versus getting the right not to pay) so let's not do that, hmmm?

    2) It's called Pay_PAL_ and I think this is just to remind people that initially this system will be used to settle minor debts and cash transfers between FRIENDS. Like when the bo-bos in desktop support all decide they want to eat somewhere nice for lunch but one of them is short on cash. Someone else pays for that person and instead of an IOU on a Post-It note...they get a digital version that is less likely to be forgotten or misplaced.

    3) For crying out loud...have the people whining about resets even HEARD of FlashPro? If you put your PayPal database in FlashROM instead of RAM then even a hard reset is not going to touch it. Do this and the only way the "payment to be" will be vulnerable is if your PalmPilot breaks or you lose it. If this is the case, the $5 someone transferred from lunch is not going to be your biggest concern. And if it is, you can always ask the person to resend since the data got lost and thus never got charged. Do you really think Confinity would have lost their venture capital funding if the CEO dropped his Palm under a bus? No. Of course he would have gone back to the Nokia rep and asked for a resend. Now if you are selling your car or house to strangers on the street, then loss of Palm might be an issue, but otherwise...get real. =]

    4) Hacks and trojans are possibly a future concern but don't forget I can always do an Info command to review the maker, version, and size information if I'm that paranoid (not like it can't be faked but at least it gets rid of the casual CodeWarrior kiddie). But getting back to point #2 I'm not going to let any shmuck on the street beam an application to my Palm, let alone one that involves payment. You either trust your friends that this is legit, or you tell them to put cash on the barrelhead.

    Maybe someday when strangers on the street are trying to PayPal each other will these security issues be a concern. As it stands right now, this is just a simple, automated IOU system that gives any JoeShmoe the ability to accept credit card payment (via proxy) from someone they already know and trust. Good for them. I'll use it and hide behind Citibank if it doesn't work the way it was supposed to.

    Besides...I'm more concerned about losing my contact list than any PayPal data. The contact list is priceless, PayPal is "only money".

    JoeShmoe

    ~~~~~
    The best .sig's are the ones you think up at the last second.
  • I'm no expert, but shouldn't it be possible to make a semi-anonymous service by reverse engineering their encryption protocols?

    Do this - take the digital check, intended to be beamed to someone who doesn't have an account. Instead of signing up for the service, and thus revealing who you are, simply use that check to pay someone else for an anonymous service or product. Voilà!

    Of course, how viable this scenario is depends on how long the expiration period is on the check. I would think that it'd be at least thirty days or so, to allow for the lazy person with no immediate money concerns. And if we can hack the protocol, we could make a version that would post-date the check for greater circulation time.

    The main drawback of taking this approach is that you couldn't make change - the digital check is a non-changeable entity. Thus you wouldn't be able to take a check for $100 and make two payments of $50 off of it. BUT!!! It should be fairly simple to request several digital checks from your friend/trading partner instead of one massive one.

    How long will it take us to reverse engineer the algorithms and re-create the software as an open source project? Or will they try to increase confidence in their project by releasing it as open source, or at least open spec? Is it just me, or does this seem like the obvious thing to do for your typical paranoid? Is this just a pipe dream, or could this happen?

  • Didn't anyone see First Contact? They don't have money in Star Trek. Well, except when it's convenient to the plot. And there's gold pressed latinum. But definitely not credits.
  • That website addresses next to nothing....
    while making it sound like this thing should be rolling out next week some time.

    And I thought financial ruin was close enough for all of us with simple credit cards and on-line brokers/auction houses/stores!



  • ... and don't forget the "phaser"!
  • by broken ( 1648 ) on Tuesday July 27, 1999 @08:25AM (#1780443)
    "(...)And from that point on, robbers had Palm Pilots in their equipment, along with switchblades and guns. When they robbed somebody, their usual words were: "point your Pilot to mine and beam all your money and nobody gets hurt"."

    Extract From Galactic Encyclopedia, May 2010.
  • by Anonymous Coward on Tuesday July 27, 1999 @08:28AM (#1780446)
    Don't forget the fact that we (U.S.A.) have a chubby, womanizing captain and a first officer incapable of experiencing emotion.
  • They have credible encryption experts involved in the project, including one inventor of PUBLIC KEY CRYPTOGRAPHY (ever heard of that?) who is additionally an investor.

    -Undoubtedly the infrared xmission is encrypted!

    -The data sent to Confinity is probably encrypted and digitally signed to avoid tampering.

    -You probably will not be able to fake a transaction. My understanding of the article is that the money will be held in escrow until both parties confirm the transaction via sync'ing. (Although this would open up another possible problem).

    In any case, why not take a RTFM-approach before posting flippant theories.

  • From what the site says, it basically allows you to take credit card payments. Probably goes like this:

    You set up your Palm with the software.
    You set up an account with Confinity (free-ish).
    You can now take credit card payments with the software, OR beamed payments from other users.
    When you "sync" the Palm with Confinity, the data is sent to them, and they actually charge the credit cards, and send the money to you or your account with them, whichever.

    Bad idea because there's at least three points at which to break in and subvert the system.

    -On the IR level, such as copying someone's transaction from a distance.

    -At the software level, such as getting a legit payment, then hacking the software on the Palm to up the amount by a large number.

    -At the return the data to Confinity, such as sending them records of transactions that never actually occurred in the first place.

    Plus probably more. Admittedly, all these three can be fixed with the right kinds of encryption, but I doubt they worried about that too much when writing the software.

    Just don't use this for anything important for about a year or two, giving them time to work out the bugs.. Probably vaporware anyway..

  • Tell that to the Ferengi.
  • > I wonder how they plan on making $$ on this system.... The signup is free, the software's free, the transactions are free... what does that leave them?

    Your money in your account, which they are holding.

    It's just like a bank. They use your money to make more money, then they keep the profit. Simple. Normally banks pay you interest (Savings accounts), but they don't have to, because they're providing you a service. Could be very profitable for them, if they get enough users, and don't go belly up inside of 6 months, which is my prediction. :-)


  • The catch is that they don't pay it directly into your bank account, but into your account with them.

    It helps to think of them as a bank. They hold your money, and let you spend it. If someone transfers money to you, it goes into that account which you can then spend.

    A bank spends your money to make more money. That's how banks survive, other than bank fees. For some savings accounts, you pay nothing, but earn interest on the money in that account. The reason for this is that they use your money to make more money than the interest they pay you.

    I wouldn't be surprised to discover that this is actually a bank somewhere, and not just an internet company.
  • Since they do not specify these in their page, I can only speculate on my major concerns.

    1) As someone has already mentioned, what are they getting out of this?

    I can only think of a few ways to make money on this, but none of them seem overly viable.
    • a) invest the deposits and the government concurrency, like as the banks.

      • i) my guess would be that these are going to be very small accounts with rapidly changing balances, which would give a fairly low margin.
      • ii) even so, this seems the most likely: if enough people deposit, the variance on the total gets smaller (but higher risk)

    • b) kickbacks for financial information

      • i) sell to credit companies
      • ii) aww. They'll do this anyway

    • c) charge interest on deposited funds for "availability services"

      • i) their page only mentions that they will not charge for deposits or withdrawals, not for the storage
      • ii) this would sort-of be shooting themselves in the foot... no one would want balances, so this would exclude a)

    • d) offer credit at some interest rate

      • i) like as credit cards, loans, etc.

    • e) public service, register non-profit, get donations and government support

      • i) yeah, right


    2) How is the transaction accounted?
    Obviously, they must use both payee-dependence and payer-dependence. If only payee, the payee could get as much as they want. If only payer, the payer could --- oops --- reset --- his pilot. So, the two must agree. Further, the limit of accountability must be either based on the pre-deposited funds or some credit financing scheme as above.
    If they do it this way, it seems fairly well accountable, from three axes. Of course, they'll need encryption and authentication and all of that, but that looks fairly sound otherwise... if they do it this way...

    That, of course, is the final concern:
    They don't tell us, the future customers, their methods, accountability, and financial interests.
  • One of the investors is Martin Hellman, famed in song, story and Diffie/Hellman algorithms. "Best known as co-inventor of public key cryptography", as they put it on the website. So, concerns about security should be addressed at least somewhat by his presence. d
  • Odd coincidence today. A few years back, I had a huge interest in Chaum's digital money system, DigiCash. Back then, it didn't seem too widely spread to be of use to me, so every 6 months or so I check up on it. Today I went to their site on a whim only to find they went bankrupt!

    And then this slashdot post.

    As far as I know, DigiCash (wasn't there an "e-cash" that used Chaum's system?), was the only system that allowed anonymous payments. This is what I found most useful. I was pretty distressed when I heard that DigiCash went under.

    I don't think this product is viable. From the glossy web pages, I found nothing about privacy, real encryption, or anything more beneficial over the credit card number over SSL payment.

    Oh, sure, I can give some "money" to my buddy with a Palm (any word on an HP48 port?), but is that really useful?

    I wanted DigiCash. Are there products that allow for truly anonymous transactions?

  • http://www.wired.com/news/news/technology/story/20958.html [wired.com]

    According to this article, you beam your account number across Palms, and when the user synchs, your account is billed n dollars. So if you do a hard reset on your Palm, you just have to re-enter your account information. You don't "lose" any money.

    My first impression when I saw this was "Wow, how long before someone writes an IR sniffer?" Luckily, they seem clueful. Dan Boneh and Martin Hellman (as in Diffie-Hellman encryption) both helped develop the software, so I imagine it's reasonably secure. Plus, they use the high-test encryption, opting for security over exportability. IMHO more companies need to take this attitude. Then again, the government needs to get a clue and so do most software houses (hint, XORing passwords is NOT secure!).

    I'll probably wait a little while for them to get the bugs out of a nationwide rollout, but I can't wait to be able to buy a jolt with my Palm III!
