Slashdot Mirror
Google Wallet: the End of Anonymous Shopping
jfruhlinger writes "Google today announced Google Wallet, an NFC-based payment system that will allow people to pay for purchases just by waving their phone across a reader. It's the beginning of a future where commercial transactions are 'frictionless' and convenient — but it's a future where every transaction can be tracked and data-mined, as Dan Tynan points out. Stores can user information about your Doritos purchases to rearrange their wares; Google could push coupons via its new Google Offers service; your health insurance company might be interested in your sodium intake."
C'mon, Google Wallet is the end of anonymous shopping? No, if you don't want to be tracked by Google Wallet, just don't use Google Wallet. If you want to stay anonymous, use cash.
And wear a hat.
And gloves.
And a fake mustache.
My postings are informational and does not constitute legal advice. Act on it at your risk.
Aside from being run by Google?
Sendou Wave Kick!!
Other then contact-less reading (which can and is done with smart cards already), how does this allow them to track you any differently then a credit card?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
What anonymous shopping? You can be traced with enough effort using cash, let alone the ease of tracking the vast majority of people using credit cards, debit cards or checks for purchases. What a fucking stupid headline and summary.
2 glaring errors in the summary: "NFC-base" should be "NFC-based" and "Stores can user information" should be "Stores can use information"
Has slashdot/online/other media ever let facts get in the way of a nice headline?
That credit cards collect the same information is completely irrelevant to the article - because that fact is simply discarded.
Yea, even for Slashdot, this article is fucking retarded. How is this different from credit cards, debit cards, paypal, amazon order history, any form of payment other than cash? Is this random new form of payment somehow suddenly mandatory?
closer and closer...
There's always BitCoin.....
... your health insurance company might be interested in your sodium intake.
s/be interested in/change your premium based on/
FTFY.
Am I part of the core demographic for Swedish Fish?
"Stores can user information about your Doritos purchases to..."
I'm starting to think you all do this on purposes.
Credit cards only store that you have a transaction at a certain shop. What you bought exactly isn't known to the credit card company. It depends on what information is shared with Google Wallet.
I can't decide.
Thank God they can't do that with credit cards!
Well, you see, when it comes to patents, people are offended that adding but it's online or but with a computer or but in the cloud makes something qualify as a new idea.
When it comes to things that could involve gathering data, adding but now Google is doing it makes it new and outrageous.
My girlfriend thinks I'm paranoid because I use cash just about everywhere except at Costco and online. The less "they" know about me the less likely they are to put in "nerd re-education camp." Or because "they" have so little information on me, I'm sticking out. hmmm... tough position.
Certain renegade elements of the consumer sector are considering switching to alternate methods of payment in retaliation against Google's proprietary monetary transaction system. "Basically the plan is to exchange small rectangular pieces of green paper in exchange for all debts, public and private," said one proponent of this new monetary system. When asked how his purchasing history would be tracked, indexed, and made available to advertisers in order to better serve him, he responded, "That's kind of the point."
More on this story, and new developments that indicate water may be wetter than once thought, at 11.
"Google today announced Google Wallet [...] Google could push coupons via its new Google Offers service; your health insurance company might be interested in your sodium intake."
And I won't have to use it or be affected by it at all.
I don't think people who don't want their transactions recorded will be using Google wallet to pay for their recreational substances, or their hookers...
While this is nothing new explained 16 times above, this this a good thing. In any scenario where large amounts of data are being collected, and that data is consider the infallible truth, the truth can be poisoned before being passed on to be consumed. As long as you know what information they're collecting, you can give them any information you want within those parameters.
I just realized this will never take off. Look at their logo.
Look familiar?
I need to set up a whole lot of billing booths at random places along streets that read "walk past me to make a $1 donation to my personal wellbeing!"
If you want to really learn whats going on about google wallet go to www.terrencebrejla.net
Sounds like a new age of digital pick-pockets that steal your wallet without even touching you. And also, Google knows which ads you click on, but now they'll know which ads lead you to spend more money. And they'll know what you're buying in real life, too, not just on the webs. I'm gonna start using the barter system again. -www.awkwardengineer.com
I don't know about anybody else, but I've been considering going back to paying cash for most everything for a while now. I read much more like this and I'll be doing it.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
It costs the merchant more. It won't be implemented widely in the US, considering that Google's fees are higher than American Express.
I don't respond to AC's.
And Google Buzz was the end of Facebook.
If Google wants to track my buying habits then use that info to push ads relevant to me, then by all means do so. I'm Vegan, so I don't need ads on steaks or Burger King. And if they've got some online coupons, then hook a brother up because being Vegan ain't cheap.
Can I bum a sig?
I don't sell you medical coverage so you can deliberately ruin your health and cost me a fortune.
If you are going to live an unhealthy lifestyle, that is fine. You *should* have to pay more in insurance, because I am sure as hell going to have to shell out more to keep you alive.
You people wonder why insurance companies always try to get cheap and disallow expensive procedures....well....we can't exactly pay our staff if we just spent all our money saving the lives of people who are apparently trying to commit suicide by food.
How is this different from credit cards?
Simple:
A traditional credit card has raised digits and other information on the card itself -- It is not very secure. When you hand your credit card over to the waiter/waitress they can easily snap a pic with their camera phone and sell that data for $2 (wholesale) online.
A magnetic strip bearing credit card has the above insecurities, plus a convenient stripe that can be used to input the information into a computer -- Fake "clone" cards can be created that have the same magnetic signature as your card, and actually, the mag stripe lessens security by giving the clerk a false sense that the card is legit. The clerks don't care anyhow, it's not their money -- As a test I actually use a cloned card printed with the name "Sir Thievey Thiefterson III" and always sign my name as: "This card is Stolen" on all receipts; It's been four years, and still only eight times has my ID been asked for -- at which time I tip the cashier and use my real card.
A near field credit card works via RFID. RFID is not secure. It has no concept of a secret internal state and a challenge response system to authenticate that single (and only that single) transaction. It simply responds to query, any query, with your card info. Once again, we're putting the insecure data that's printed on the outside of the card into a more conveniently readable format, but this time it can also easily be scanned by malicious persons from several hundred feet away by using a Pringles can to shape their antenna's emissions.
None of these data exchange formats have the concept of a secret internal state and a challenge response system to authenticate that single (and only that single) transaction. It takes a computation capable device to provide public key encryption. We solved the problem a long time ago with public / private key pairs -- Google Wallet is a technology that finally uses the solution to the problem of identity theft via "public" card information dissemination. The device and/or application containing the private key (the key itself, even) can itself be locked/unlocked with a pass-phrase.
Note that this is not absolutely secure -- nothing is -- however, it is leaps and bounds more secure than the current dumb "hey here's a plain-text number to get my money" credit card system.
As for traceability -- It's no more traceable than the credit card system, true. It could be made more private by using something in the vein of Bitcoin (there I said it), since it has over a hundred unique account tokens for a given wallet. However, you would need an intermediary to process the transactions on your behalf, and trust them with your identity -- I'm looking at you Google.
In short: The Current Bullshit CC system is Broken as Hell! This is a step in the right direction, get on board or have your identity stolen like a dumbass.
P.S. In 2001 my wallet was stolen from my locker while I was clearing a jam from a trash compactor. I canceled my cards & entire bank account, got new checks & cards, and STILL was fraudulently charged $557.00 via the old canceled bank card three weeks later -- Wells Fargo doesn't care if I followed their security guidelines to the letter and have written proof of such -- they don't care if their agents were the ones that fucked up and didn't take the stolen card off of my name, and it ended up linked to my new account: It's not their money, they don't care (I still "owe" them this money since I refuse to pay for others' mistakes, also, credit reporting companies don't care either).
P.P.S. Cash is still the most secure, but carrying a lot of it is arguably not (Yes, I have been robbed at gunpoint after cashing a large check -- if I had digitally transferred the funds, I would not have lost the money).
Your's truly,
A FOSS Hacker that grew up in the ghettos of H-Town.
Credit companies and banks are highly regulated. Google is an advertising agency that boasts about its data mining abilities.
The summary has it backwards: Your health insurance company is interested in your calorie intake and the police are ones interested in your Doritos intake. Nobody cares about the soduim.
What puzzles me is that there is no confirmation step required in these contactless payment systems.
When I buy stuff with my chip-based debit or credit card, I'm asked to enter a PIN. Else, I have to physically swipe the card to ensure there is no ambiguity as to whether or not I meant to pay with my card of choice.
With a contactless system, I could be wanting to pay with my credit card, but if I accidentally held my cell phone too close to the reader, it would debit the amount from my phone instead of my card. Why can't there be a screen that pops-up on the phone that says "Touch button to confirm payment"? This seems to me to be a major design flaw.
Credit card companies only get the total amount spent at a retailer. They don't get the list of items purchased as that information stayed with the merchant.
If Google Wallet or any other NFC implementation allows the transmission of transaction details (i.e. list of items purchased) to the credit card companies then this is can indeed become a new way of invading people's privacy.
I remember stories that FBI would record the serial numbers of robbery cash, usually $100s. They they'd wait for the numbers to show up at Reserve Banks which often scan the serial numbers. Then the FBI would home in sub-banks and merchants to identify usage locations.
I saw this when I went to Japan in 2005, it's called osaifu-keitai.
In Switzerland and elsewhere I can already pay for vending machine purchases with my phone. In Hong Kong I can use my Octopus card.
Quidnam Latine loqui modo coepi?
Which can be used to better manage money and grow wealth.
Similar to weather you log into Google or not. You get more efficient searches when you log in.
Only in that banks don't serve you web ads. This helps Google get even better informed about what you thus tailor ads to your psyche.
Because, please, the purpose of stalking and data-mining the hell out of you is not just to sell you wonderful goods that will make your life better but to learn the marketing tricks that better fool you into getting what you don't really need.
But... the future refused to change.
You talk like if no one is tracking your credit card!
This kind of system offers significantly better security than CCs.
If the system is designed well the stores you visit will never see your financial information (and never have an opportunity to lose it). Encrypt the account information on the phone with a psuedo-random number that is generated every 60s (along the lines of SecureID), send the encrypted data to the store, the store forwards that encrypted string, along with the amount of purchase to the payment server, the server responds back with a simple 'approve/deny' response. This also applies to card skimmers, if someone skims your account details, they're valid for 60s or less.
The system can also be password protected, or even biometricly protected if you really wanted to make things easy; which is better than I've heard of CCs being able to do.
Google is just using paypass. This is not Google proprietary monetary transaction system any more then any Credit Card.
The Kruger Dunning explains most post on
Please use a writing style obfuscator. It would be an improvement to your grammatical contributions to the net and protect your privacy.
It's not. The payment will still go through your credit/debit card account, unless you sign up for a Google pre-paid account, which is just another debit account anyway. (And is only 'google' in name - google won't be handling your money.)
Google is just providing a new way to access that means of payment, in a hopefully convenient and secure way. I say hopefully, because this thing is beta, with as yet unknown bugs and problems still to be worked out.
WALSTIB!
http://www.google.com/wallet/how-it-works-security.html
The Kruger Dunning explains most post on
If you live in a city, you are on camera anyway.
You are traceable - how many people with your "taste" in clothes and your fine figure live in your area?
I'll see your Constitution and raise you a Queen.
Perhaps Google should first figure out how to keep everyone up to date?
It's really going to suck when someone takes advantage of some newly discovery vulnerability/hole in the security of this after either the manufacturer or carrier decides to not update my device and I'm stuck with 18 months left in my contract...
What do you mean "try" using cash? Southwest Airlines lists it as one of their accepted forms of payment:
Likely to be followed by a nice groping... err, "enhanced" patdown by your friendly neighborhood TSA bouncers. Maybe you like to pay to get felt up?
That's one instance where you'll have to present ID anyway so there is really little point in using cash in a futile attempt to be anonymous.
Starting to read like wired magazine, here.
Every issue:
How x beat y
The death of x
Your future is y
The end of z
Inside the x
By my count, they have less than the accuracy of a coin flip. My fave is the alarmist misleading and inaccurate front page headline. The slightly less alarmist index entry, and the very thin on any actual information you can't find with the most cursory Internet search article, itself. Wedged between ads meant to look like articles.
That definitely is bad news for stripper & escort girl afficionados :)
Never antropomorphize computers, they do not like that
Aye Matey, mixing up your speak will mess with those land lubbers.
Stores can user information about your Doritos purchases to rearrange their wares;
Stores can user information?
Is this information really necessarily private, or is it private just because we worry that it leaves us somehow more vulnerable? Have any of us really thought through what "vulnerable" might mean?
Some alternative thinking: Our data, ourselves at The Boston Globe.
With each breath in, a flower somewhere opens; with each breath out, a flower withers away. In between lies beauty.
"Computer, report location of Cmdr Riker"
The future is privacy through access control, law and mutually assured harassment. Once you can easily tell who exactly Googled you, they will be a lot more respectful.
Another hysterical headline. Can we please stop doing this? I vote Timothy is no longer allowed to post Google stories--clearly Google killed his puppy or something and he simply can't get past it.
Google does not sell your information directly, that would put them out of business since their cash-cow IS your information; instead they sell target markets, like instead of selling the info on what Mr. Anonymous Coward bought, they would sell advertisement space for people who bought X, Y, Z Products at N Location during the past month/year.
What is the progress from paper money to NFC payment?
What if there are floods of false transactions? 1T/s false transactions? Can your system handle them? What about more?
Google Wave called, it wants its logo back.
I can see it now: "Ambulance unit 23, please report to 983 Columbia Ave for a well-being check, we just got a call from owner's HMO saying they got data the owner just bought a ton of junk food but is diabetic and near a heart attack. HMO says only deliver to St. Joseph Memorial." "Dispatch this is unit 23, owner is out walking his dog while kids are celebrating a birthday party, false alarm" Yeah, that won't piss off your customers. You accept garbage data and act on it, you might as well lock your doors and put that CLOSED sign in the window permanently. Most HMO's are not that stupid.
I hope it works at the vapor room
1. This isn't the end of anonymous shopping, because you don't have to use it.
2. I use NFC payments every day at 7-11 and other places (and to ride the train). The only thing shops like 7-11 get from me (other than the money) is the serial number of my "card" (in the phone, but it could be a simple card as many people use).
Since they don't know my name or anything else, I am not sure what good it will go them to know that I buy a bottle of green tea every day. Even if they got my name from the provider (Edy, Japan Rail), I am not sure how much it would really help them or hurt me. If they can data mine that people buy a lot of item X at store Y, then maybe they can properly stock it. On the other hand, they can use the stock-keeping records to get that.
At any rate, almost all electronic NFC payment systems have a totally anonymous option. The only bad side to using it is that if you lose your card/phone, it's the same as losing cash, someone else can pick it up and use it with no problem.
(Ok Devil's advocate here, just for fun.)
Who cares?
Let's look at each of your best attempts at a scary consequence.
"Stores can use information about your Doritos purchases to rearrange their wares" - sounds good to me, helping to make sure the shelf hasn't run out of what I want. Why be so protective of information which is expressed so publicly anyway whenever you shop?
"Google could push coupons via its new Google Offers service" - coupons are an annoying way to create artificial loyalty, but I don't think it started with Google Wallet. What might be new here is how tailored the coupons are to your preferences, but I don't see how that's a problem either.
"your health insurance company might be interested in your sodium intake" - of course their interested. Now consider the two options: (a) they don't get information about your individual health, or (b) they do get information. In (a), the insurance premium has to be the same for everyone, regardless of health. If you happen to unhealthy, you're better off, paying the average instead of above average. BUT if you're healthy you're worse off, effectively subsidizing other people's poor lifestyle. This is unfair on those who are healthy, and bad for the group since it rewards bad health as an individual strategy.
Come on man, let go and be part of the google hive mind. One of us, one of us.
(Not sure whether I was really convincing there ... thoughts?)
-- the only thing we have to fear is really scary things
You can scan the Doritos barcode with your phone camera and a smiley face will show if it's a good idea to buy them. If it would cause your health premiums to rise due to high sodium consumption a picture of Wayne Night will appear shaking his finger and a sample of "unh-unh-uh, you didn't say the magic word" will play over and over again.
Actually it would be funnier it Nedryed you at the checkout and you had to take the Doritos back, humiliated while the other people in the line glared at you.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
what is google going to do? Ban the sale of V for Vendetta masks?
Yall do understand that a lot of people can't afford a smartphone right?
Google wallet could also be a good thing for the consumer. It would mean that all items bought this way will have their prices tracked and stored in google. This will mean that users should be able to run price comparisons over all stores that are compatible with this tech - this means you can work out before you go grocey shopping - which store will offer you the best price for your weekly shopping list.
Sheesh, people. Stop worrying about about all the silly little things. If you don't want your grocery store collecting information on you, use fake information when you sign up for your card like I do! Problem solved.
There's a bigger issue at stake here, but I haven't seen anyone else mention it yet.
Have you heard of Michael's? The nationwide craft store? Thieves managed to swap out 90 separate credit card readers without anybody knowing, in Michael's stores around the country. They've been snarfing credit card data for quite a while.
With NFC, the thieves will have a field day! They don't even need to swap out readers; just stick your sniffer's antenna somewhere close enough to read the NFC transaction. What do you want to bet that passive receiving can be done from a couple of feet away? Then they just sniff the transaction and away they go.
What's that you say? Secure communication? Hahahaha.
There isn't a major credit card system in existence in the world today that hasn't been hacked at one time or other, and most of those "bugs" just got whitewashed over, not really fixed. Hell, it didn't take long at all to hack the "unique, secure" id from RFID tags and clone them.
The probability that somebody will find a serious vulnerability in the system is close to 1. Combine that with reading from a distance, and it will be a free-for-all.
This is such an outrageously bad idea, I can hardly sit still and not yell at people about it. I have already berated one software company for planning to support NFC in its apps.
Don't worry. They do nothing of the kind. It's just a system to use RFID instead of a magstripe reader.
...headline for you:
"Google Wallet may mark the End of Anonymous Shopping "
There. Much better.
"I'm taking this loop off." - Jack O'Neill
It's closer to contactless chip-and-pin. It includes a secure element (transactor) in the device, it's challenge response and the transaction takes place inside the secure element instead of the credential being passed outside the device where it can be copied.
I'm not saying you can't defraud it, but it's a lot harder than RFID, magstripe or raised letters.
http://lkml.org/lkml/2005/8/20/95
Here in the Netherlands, for years already most payment in shops is done by pin (bankpass plus pin-code): in fact, some shopping chains are now talking of (and experimenting with) abolishing cash payment altogether.
So Google wallet really does not introduce anything new: for Europe at least.
For the US, who is decidely archaic in its monetary system, it might be new but that is only because the US is lagging behind the rest of the world in these things (many NW European countries abolished paper cheques ages ago for example - all money transfer is done electronically directly from account to account here).
Ceterum censeo Carthaginem delendam esse
Fool you into getting what you don't really need. That is incorrect.
We are adults. That means we have the awesome responsibility for making decisions about our own lives. They aren't tricking us into anything. WE decide we want to buy something. WE decide to spend the money. If Google or Apple or any other company shows us a product, WE have the option to say "no thank you."
I seem to be defending Google a lot on this topic but really, this is like blaming McDonalds because I chose to eat supersized Double Quarter Pounder with Cheese meals every day and ended up getting fat. All Google is doing is finding out what we like and saying, "Hey, you might like this too!"
Google isn't fooling anyone about anything. What's happening is that we are fooling ourselves into thinking that we HAVE to buy this, or NEED to buy that. Google doesn't need to fool us because we are already fools of our own making.
who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
If it's important then people have to stand up to government and let them know. It's right there in the declaration of independence. Rights which are earned only by demanding them and willing to sacrifice for. The US Federal Government is mandated to create a national currency. It's about time we had an electronic version. The only way we are going to get an anonymous monetary system is by a national movement. All the credit card companies are making so much money they are and will continue to lobby against it.
And it is a very tough sell. How can you sell a system that makes black markets possible? How do you sell black markets? For anyone to be able to buy and sell weapons, drugs and other contraband, and to bribe, or hire another to kill? I doubt US citizens have any fight in them or the wisdom to protect the right to be corrupt. And credit companies will continue to make money while the US currency loses all credibility. I truly believe there will be a monetary coup where people will choose to bank in diversified international monetary funds, all very automatic. It is virtually impossible for the US government anymore to control money like they did way back in the day trying to outlaw gold and silver. In this day and age to do the equivalent would be to ban the stock market and or to require government approval of international stock and bond trades. Simply not possible.
For an international currency the world will demand privacy because countries will never trust one another and people of other countries know better than to trust their government or any other government.
I don't think anyone actually bothers to track purchases of individual customers. Or if they do then they don't pay much mind. I have this curse, it is the subject of jokes amongst myself and my nearest and dearest. If I like a product, I mean really like it, so that I become brand loyal and all that crap the suppliers go out of business or they stop making whatever it is that I want to buy.
I live in the UK and back in the mid nineties we briefly got a taste of Pretzel Flipz chocolate covered pretzels. I absolutely loved the White Fudge variety you now can't get in the UK for love nor money. A takeout near where we live did a particular type of burger I ate too many of and shortly thereafter the place changed hands and menus. A short while ago the grocer just opposite where we live stopped stocking both flapjacks, which I inhale, and a particular brand of glucose energy drink which I thought was superior to the leading brand. That's just the start. I can't help noticing that all of these items were totally bad for me. So maybe they were watching, and decided to put my health before their profits... maybe...
www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
You mean that they might rearrange their shelves to be more convenient to my needs, and send my coupons that i might actually use?
That's horrible.
this service will last long ;)
Kroger uses its "Discount" card to gather information about the shopping basket (what things are bought together). This information is used for stocking and shelving.
Evil data-mining and tracking issues aside, there are still some of us out there that (thank the gods) don't have or want a cell phone/smart phone. Seems their approach is flawed in choosing a means that is not completely common-place.
Gosh, remembering how Google disrespected people's privacy with Google Buzz and the stunt they pulled with white washing search results for China on "Tienanmen Square" I would just as soon trust Facebook my social security number and my ATM PIN.
Geeze, I forgot to mention Google and Apple tracking people's location with their mobile devices.
Anyone who trusts their financial information with these companies is being short sighted.
They've been doing this in Japan for a while now. They use a pre paid service where you load cash onto your phone for use later. It's actually one of the reasons why smartphones haven't taken off like they have in the states, as most don't offer the option.
It's convenient, and as others have pointed out, it's a lot more secure than the current system.
When I saw this article, I wasn't afraid that my my purchase data would be sold to marketers (it already is... face it, there is little data in this world that's actually private anymore), but surprised it took this long to do it.
I would love to be pushed coupons for items I buy. Where do I sign up?
We don't now.
You think the bank really has your cash in a big pile of money in vaults waiting to be spent?
I mean, wow, that's like a 4 year old's concept of money.
Deleted
http://www.amazon.com/Take-Fourth-Jeffrey-Walton/dp/1452089280/
information about your Doritos purchases to rearrange their wares
Truly, this is a nightmare made real.
If only they would do it this way. Unfortunately less secure systems are more profitable it seems...
(i.e. if security was this easy then why would Sony just leave everything out there to begin with?)
You could do a lot better than what you propose. The merchant should send an "invoice" to the payment device. The payment device displays the invoice and gets the user to approve it. The payment device adds a timestamp and unique transaction ID to the invoice, signs it, and returns it to the merchant. The merchant presents that to the bank and gets the approve. If the payment device uses secure hardware (probably not happening in this case) then your entire transaction is secure end-to-end and immune to replay attacks, cloning, etc.
Credit cards are simply obsolete. It isn't a shared "secret" if you share that secret with every store you visit...