Slashdot Mirror
Google Wallet: the End of Anonymous Shopping
jfruhlinger writes "Google today announced Google Wallet, an NFC-based payment system that will allow people to pay for purchases just by waving their phone across a reader. It's the beginning of a future where commercial transactions are 'frictionless' and convenient — but it's a future where every transaction can be tracked and data-mined, as Dan Tynan points out. Stores can user information about your Doritos purchases to rearrange their wares; Google could push coupons via its new Google Offers service; your health insurance company might be interested in your sodium intake."
C'mon, Google Wallet is the end of anonymous shopping? No, if you don't want to be tracked by Google Wallet, just don't use Google Wallet. If you want to stay anonymous, use cash.
And wear a hat.
And gloves.
And a fake mustache.
My postings are informational and does not constitute legal advice. Act on it at your risk.
Aside from being run by Google?
Sendou Wave Kick!!
Other then contact-less reading (which can and is done with smart cards already), how does this allow them to track you any differently then a credit card?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
What anonymous shopping? You can be traced with enough effort using cash, let alone the ease of tracking the vast majority of people using credit cards, debit cards or checks for purchases. What a fucking stupid headline and summary.
Has slashdot/online/other media ever let facts get in the way of a nice headline?
That credit cards collect the same information is completely irrelevant to the article - because that fact is simply discarded.
There's always BitCoin.....
... your health insurance company might be interested in your sodium intake.
s/be interested in/change your premium based on/
FTFY.
Am I part of the core demographic for Swedish Fish?
Thank God they can't do that with credit cards!
Well, you see, when it comes to patents, people are offended that adding but it's online or but with a computer or but in the cloud makes something qualify as a new idea.
When it comes to things that could involve gathering data, adding but now Google is doing it makes it new and outrageous.
My girlfriend thinks I'm paranoid because I use cash just about everywhere except at Costco and online. The less "they" know about me the less likely they are to put in "nerd re-education camp." Or because "they" have so little information on me, I'm sticking out. hmmm... tough position.
Certain renegade elements of the consumer sector are considering switching to alternate methods of payment in retaliation against Google's proprietary monetary transaction system. "Basically the plan is to exchange small rectangular pieces of green paper in exchange for all debts, public and private," said one proponent of this new monetary system. When asked how his purchasing history would be tracked, indexed, and made available to advertisers in order to better serve him, he responded, "That's kind of the point."
More on this story, and new developments that indicate water may be wetter than once thought, at 11.
While this is nothing new explained 16 times above, this this a good thing. In any scenario where large amounts of data are being collected, and that data is consider the infallible truth, the truth can be poisoned before being passed on to be consumed. As long as you know what information they're collecting, you can give them any information you want within those parameters.
I just realized this will never take off. Look at their logo.
Look familiar?
I need to set up a whole lot of billing booths at random places along streets that read "walk past me to make a $1 donation to my personal wellbeing!"
If you want to really learn whats going on about google wallet go to www.terrencebrejla.net
I don't know about anybody else, but I've been considering going back to paying cash for most everything for a while now. I read much more like this and I'll be doing it.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
It costs the merchant more. It won't be implemented widely in the US, considering that Google's fees are higher than American Express.
I don't respond to AC's.
And Google Buzz was the end of Facebook.
If Google wants to track my buying habits then use that info to push ads relevant to me, then by all means do so. I'm Vegan, so I don't need ads on steaks or Burger King. And if they've got some online coupons, then hook a brother up because being Vegan ain't cheap.
Can I bum a sig?
How is this different from credit cards?
Simple:
A traditional credit card has raised digits and other information on the card itself -- It is not very secure. When you hand your credit card over to the waiter/waitress they can easily snap a pic with their camera phone and sell that data for $2 (wholesale) online.
A magnetic strip bearing credit card has the above insecurities, plus a convenient stripe that can be used to input the information into a computer -- Fake "clone" cards can be created that have the same magnetic signature as your card, and actually, the mag stripe lessens security by giving the clerk a false sense that the card is legit. The clerks don't care anyhow, it's not their money -- As a test I actually use a cloned card printed with the name "Sir Thievey Thiefterson III" and always sign my name as: "This card is Stolen" on all receipts; It's been four years, and still only eight times has my ID been asked for -- at which time I tip the cashier and use my real card.
A near field credit card works via RFID. RFID is not secure. It has no concept of a secret internal state and a challenge response system to authenticate that single (and only that single) transaction. It simply responds to query, any query, with your card info. Once again, we're putting the insecure data that's printed on the outside of the card into a more conveniently readable format, but this time it can also easily be scanned by malicious persons from several hundred feet away by using a Pringles can to shape their antenna's emissions.
None of these data exchange formats have the concept of a secret internal state and a challenge response system to authenticate that single (and only that single) transaction. It takes a computation capable device to provide public key encryption. We solved the problem a long time ago with public / private key pairs -- Google Wallet is a technology that finally uses the solution to the problem of identity theft via "public" card information dissemination. The device and/or application containing the private key (the key itself, even) can itself be locked/unlocked with a pass-phrase.
Note that this is not absolutely secure -- nothing is -- however, it is leaps and bounds more secure than the current dumb "hey here's a plain-text number to get my money" credit card system.
As for traceability -- It's no more traceable than the credit card system, true. It could be made more private by using something in the vein of Bitcoin (there I said it), since it has over a hundred unique account tokens for a given wallet. However, you would need an intermediary to process the transactions on your behalf, and trust them with your identity -- I'm looking at you Google.
In short: The Current Bullshit CC system is Broken as Hell! This is a step in the right direction, get on board or have your identity stolen like a dumbass.
P.S. In 2001 my wallet was stolen from my locker while I was clearing a jam from a trash compactor. I canceled my cards & entire bank account, got new checks & cards, and STILL was fraudulently charged $557.00 via the old canceled bank card three weeks later -- Wells Fargo doesn't care if I followed their security guidelines to the letter and have written proof of such -- they don't care if their agents were the ones that fucked up and didn't take the stolen card off of my name, and it ended up linked to my new account: It's not their money, they don't care (I still "owe" them this money since I refuse to pay for others' mistakes, also, credit reporting companies don't care either).
P.P.S. Cash is still the most secure, but carrying a lot of it is arguably not (Yes, I have been robbed at gunpoint after cashing a large check -- if I had digitally transferred the funds, I would not have lost the money).
Your's truly,
A FOSS Hacker that grew up in the ghettos of H-Town.
STores are already storing user information.
My industry keeps every transaction logged you have made with us for 10 years and we have been doing it for the last 20-30 years.
While it helps with purchasing (stock refilling), and inventory management, the real purpose is so that when the customer walks up to us and says. Remember that "thing" I bought for this" job" "3 years" ago, I need another one. We can look it up.
I did it yesterday for a guy. He wanted the exact same thing he just used. When did he buy the last one? 13 months ago.
The only difference between us and google is that your information stays on our servers period. We use it. Not third party ad companies. I will never put my credit card data on an NFC device ever. I might put a couple of promo cards on there just so I don't have to carry them. but i only have three of those anyways.
i thought once I was found, but it was only a dream.
Credit companies and banks are highly regulated. Google is an advertising agency that boasts about its data mining abilities.
The summary has it backwards: Your health insurance company is interested in your calorie intake and the police are ones interested in your Doritos intake. Nobody cares about the soduim.
What puzzles me is that there is no confirmation step required in these contactless payment systems.
When I buy stuff with my chip-based debit or credit card, I'm asked to enter a PIN. Else, I have to physically swipe the card to ensure there is no ambiguity as to whether or not I meant to pay with my card of choice.
With a contactless system, I could be wanting to pay with my credit card, but if I accidentally held my cell phone too close to the reader, it would debit the amount from my phone instead of my card. Why can't there be a screen that pops-up on the phone that says "Touch button to confirm payment"? This seems to me to be a major design flaw.
I remember stories that FBI would record the serial numbers of robbery cash, usually $100s. They they'd wait for the numbers to show up at Reserve Banks which often scan the serial numbers. Then the FBI would home in sub-banks and merchants to identify usage locations.
In Switzerland and elsewhere I can already pay for vending machine purchases with my phone. In Hong Kong I can use my Octopus card.
Quidnam Latine loqui modo coepi?
Which can be used to better manage money and grow wealth.
Similar to weather you log into Google or not. You get more efficient searches when you log in.
Only in that banks don't serve you web ads. This helps Google get even better informed about what you thus tailor ads to your psyche.
Because, please, the purpose of stalking and data-mining the hell out of you is not just to sell you wonderful goods that will make your life better but to learn the marketing tricks that better fool you into getting what you don't really need.
But... the future refused to change.
2 glaring errors in the summary: "NFC-base" should be "NFC-based" and "Stores can user information" should be "Stores can use information"
Actually, I was rather hoping that the Stores would can the user information.
When our name is on the back of your car, we're behind you all the way!
This kind of system offers significantly better security than CCs.
If the system is designed well the stores you visit will never see your financial information (and never have an opportunity to lose it). Encrypt the account information on the phone with a psuedo-random number that is generated every 60s (along the lines of SecureID), send the encrypted data to the store, the store forwards that encrypted string, along with the amount of purchase to the payment server, the server responds back with a simple 'approve/deny' response. This also applies to card skimmers, if someone skims your account details, they're valid for 60s or less.
The system can also be password protected, or even biometricly protected if you really wanted to make things easy; which is better than I've heard of CCs being able to do.
Google is just using paypass. This is not Google proprietary monetary transaction system any more then any Credit Card.
The Kruger Dunning explains most post on
It's not. The payment will still go through your credit/debit card account, unless you sign up for a Google pre-paid account, which is just another debit account anyway. (And is only 'google' in name - google won't be handling your money.)
Google is just providing a new way to access that means of payment, in a hopefully convenient and secure way. I say hopefully, because this thing is beta, with as yet unknown bugs and problems still to be worked out.
WALSTIB!
http://www.google.com/wallet/how-it-works-security.html
The Kruger Dunning explains most post on
If you live in a city, you are on camera anyway.
You are traceable - how many people with your "taste" in clothes and your fine figure live in your area?
I'll see your Constitution and raise you a Queen.
What do you mean "try" using cash? Southwest Airlines lists it as one of their accepted forms of payment:
Likely to be followed by a nice groping... err, "enhanced" patdown by your friendly neighborhood TSA bouncers. Maybe you like to pay to get felt up?
That's one instance where you'll have to present ID anyway so there is really little point in using cash in a futile attempt to be anonymous.
That definitely is bad news for stripper & escort girl afficionados :)
Never antropomorphize computers, they do not like that
Is this information really necessarily private, or is it private just because we worry that it leaves us somehow more vulnerable? Have any of us really thought through what "vulnerable" might mean?
Some alternative thinking: Our data, ourselves at The Boston Globe.
With each breath in, a flower somewhere opens; with each breath out, a flower withers away. In between lies beauty.
"Computer, report location of Cmdr Riker"
The future is privacy through access control, law and mutually assured harassment. Once you can easily tell who exactly Googled you, they will be a lot more respectful.
Another hysterical headline. Can we please stop doing this? I vote Timothy is no longer allowed to post Google stories--clearly Google killed his puppy or something and he simply can't get past it.
The health insurance companies are NOT struggling, FAR from it.
They aren't needy, they are greedy!
Just because it CAN be done, doesn't mean it should!
Google Wave called, it wants its logo back.
I can see it now: "Ambulance unit 23, please report to 983 Columbia Ave for a well-being check, we just got a call from owner's HMO saying they got data the owner just bought a ton of junk food but is diabetic and near a heart attack. HMO says only deliver to St. Joseph Memorial." "Dispatch this is unit 23, owner is out walking his dog while kids are celebrating a birthday party, false alarm" Yeah, that won't piss off your customers. You accept garbage data and act on it, you might as well lock your doors and put that CLOSED sign in the window permanently. Most HMO's are not that stupid.
"Stores can user information about your Doritos purchases to..."
I'm starting to think you all do this on purposes.
They cleaned it up some. The original submission was texted: "OMG /. peeps!! stores kin useur info bout ur doritos buyin..."
(Ok Devil's advocate here, just for fun.)
Who cares?
Let's look at each of your best attempts at a scary consequence.
"Stores can use information about your Doritos purchases to rearrange their wares" - sounds good to me, helping to make sure the shelf hasn't run out of what I want. Why be so protective of information which is expressed so publicly anyway whenever you shop?
"Google could push coupons via its new Google Offers service" - coupons are an annoying way to create artificial loyalty, but I don't think it started with Google Wallet. What might be new here is how tailored the coupons are to your preferences, but I don't see how that's a problem either.
"your health insurance company might be interested in your sodium intake" - of course their interested. Now consider the two options: (a) they don't get information about your individual health, or (b) they do get information. In (a), the insurance premium has to be the same for everyone, regardless of health. If you happen to unhealthy, you're better off, paying the average instead of above average. BUT if you're healthy you're worse off, effectively subsidizing other people's poor lifestyle. This is unfair on those who are healthy, and bad for the group since it rewards bad health as an individual strategy.
Come on man, let go and be part of the google hive mind. One of us, one of us.
(Not sure whether I was really convincing there ... thoughts?)
-- the only thing we have to fear is really scary things
You can scan the Doritos barcode with your phone camera and a smiley face will show if it's a good idea to buy them. If it would cause your health premiums to rise due to high sodium consumption a picture of Wayne Night will appear shaking his finger and a sample of "unh-unh-uh, you didn't say the magic word" will play over and over again.
Actually it would be funnier it Nedryed you at the checkout and you had to take the Doritos back, humiliated while the other people in the line glared at you.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Yall do understand that a lot of people can't afford a smartphone right?
Google wallet could also be a good thing for the consumer. It would mean that all items bought this way will have their prices tracked and stored in google. This will mean that users should be able to run price comparisons over all stores that are compatible with this tech - this means you can work out before you go grocey shopping - which store will offer you the best price for your weekly shopping list.
Sheesh, people. Stop worrying about about all the silly little things. If you don't want your grocery store collecting information on you, use fake information when you sign up for your card like I do! Problem solved.
There's a bigger issue at stake here, but I haven't seen anyone else mention it yet.
Have you heard of Michael's? The nationwide craft store? Thieves managed to swap out 90 separate credit card readers without anybody knowing, in Michael's stores around the country. They've been snarfing credit card data for quite a while.
With NFC, the thieves will have a field day! They don't even need to swap out readers; just stick your sniffer's antenna somewhere close enough to read the NFC transaction. What do you want to bet that passive receiving can be done from a couple of feet away? Then they just sniff the transaction and away they go.
What's that you say? Secure communication? Hahahaha.
There isn't a major credit card system in existence in the world today that hasn't been hacked at one time or other, and most of those "bugs" just got whitewashed over, not really fixed. Hell, it didn't take long at all to hack the "unique, secure" id from RFID tags and clone them.
The probability that somebody will find a serious vulnerability in the system is close to 1. Combine that with reading from a distance, and it will be a free-for-all.
This is such an outrageously bad idea, I can hardly sit still and not yell at people about it. I have already berated one software company for planning to support NFC in its apps.
...headline for you:
"Google Wallet may mark the End of Anonymous Shopping "
There. Much better.
"I'm taking this loop off." - Jack O'Neill
It's closer to contactless chip-and-pin. It includes a secure element (transactor) in the device, it's challenge response and the transaction takes place inside the secure element instead of the credential being passed outside the device where it can be copied.
I'm not saying you can't defraud it, but it's a lot harder than RFID, magstripe or raised letters.
http://lkml.org/lkml/2005/8/20/95
Fool you into getting what you don't really need. That is incorrect.
We are adults. That means we have the awesome responsibility for making decisions about our own lives. They aren't tricking us into anything. WE decide we want to buy something. WE decide to spend the money. If Google or Apple or any other company shows us a product, WE have the option to say "no thank you."
I seem to be defending Google a lot on this topic but really, this is like blaming McDonalds because I chose to eat supersized Double Quarter Pounder with Cheese meals every day and ended up getting fat. All Google is doing is finding out what we like and saying, "Hey, you might like this too!"
Google isn't fooling anyone about anything. What's happening is that we are fooling ourselves into thinking that we HAVE to buy this, or NEED to buy that. Google doesn't need to fool us because we are already fools of our own making.
who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
If it's important then people have to stand up to government and let them know. It's right there in the declaration of independence. Rights which are earned only by demanding them and willing to sacrifice for. The US Federal Government is mandated to create a national currency. It's about time we had an electronic version. The only way we are going to get an anonymous monetary system is by a national movement. All the credit card companies are making so much money they are and will continue to lobby against it.
And it is a very tough sell. How can you sell a system that makes black markets possible? How do you sell black markets? For anyone to be able to buy and sell weapons, drugs and other contraband, and to bribe, or hire another to kill? I doubt US citizens have any fight in them or the wisdom to protect the right to be corrupt. And credit companies will continue to make money while the US currency loses all credibility. I truly believe there will be a monetary coup where people will choose to bank in diversified international monetary funds, all very automatic. It is virtually impossible for the US government anymore to control money like they did way back in the day trying to outlaw gold and silver. In this day and age to do the equivalent would be to ban the stock market and or to require government approval of international stock and bond trades. Simply not possible.
For an international currency the world will demand privacy because countries will never trust one another and people of other countries know better than to trust their government or any other government.
...For the US, who is decidely archaic in its monetary system, it might be new but that is only because the US is lagging behind the rest of the world in these things (many NW European countries abolished paper cheques ages ago for example - all money transfer is done electronically directly from account to account here).
Uh, that "decidely archaic" system we call "cash" still allows for true anonymous shopping, which from the sounds of it has pretty much been deemed illegal in the Netherlands.
Sometimes "old-fashioned" still has value to those in the tinfoil hat fashion circles. And for those who aren't, it's still nice to know you have that option still available for purchasing quite a few things in life.
No argument with that. Progress has its drawbacks, notably in the privacy realm. From cellphones tracking your movement to pyaments tracking your spending.
Ceterum censeo Carthaginem delendam esse
I don't think anyone actually bothers to track purchases of individual customers. Or if they do then they don't pay much mind. I have this curse, it is the subject of jokes amongst myself and my nearest and dearest. If I like a product, I mean really like it, so that I become brand loyal and all that crap the suppliers go out of business or they stop making whatever it is that I want to buy.
I live in the UK and back in the mid nineties we briefly got a taste of Pretzel Flipz chocolate covered pretzels. I absolutely loved the White Fudge variety you now can't get in the UK for love nor money. A takeout near where we live did a particular type of burger I ate too many of and shortly thereafter the place changed hands and menus. A short while ago the grocer just opposite where we live stopped stocking both flapjacks, which I inhale, and a particular brand of glucose energy drink which I thought was superior to the leading brand. That's just the start. I can't help noticing that all of these items were totally bad for me. So maybe they were watching, and decided to put my health before their profits... maybe...
www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
this service will last long ;)
Kroger uses its "Discount" card to gather information about the shopping basket (what things are bought together). This information is used for stocking and shelving.
Evil data-mining and tracking issues aside, there are still some of us out there that (thank the gods) don't have or want a cell phone/smart phone. Seems their approach is flawed in choosing a means that is not completely common-place.
Gosh, remembering how Google disrespected people's privacy with Google Buzz and the stunt they pulled with white washing search results for China on "Tienanmen Square" I would just as soon trust Facebook my social security number and my ATM PIN.
Geeze, I forgot to mention Google and Apple tracking people's location with their mobile devices.
Anyone who trusts their financial information with these companies is being short sighted.
It keeps being funny though, to see the typical American reaction to any suggestion that the US might not always be on the technological forefront of things. Up to Americans then starting to hail the perceived merits of old fashioned systems...
In terms of monetary transactions, the US is decidedly lagging behind the rest of the western world. Paper cheques: monetary clay tablets, really.
Ceterum censeo Carthaginem delendam esse
They've been doing this in Japan for a while now. They use a pre paid service where you load cash onto your phone for use later. It's actually one of the reasons why smartphones haven't taken off like they have in the states, as most don't offer the option.
It's convenient, and as others have pointed out, it's a lot more secure than the current system.
When I saw this article, I wasn't afraid that my my purchase data would be sold to marketers (it already is... face it, there is little data in this world that's actually private anymore), but surprised it took this long to do it.
I would love to be pushed coupons for items I buy. Where do I sign up?
We don't now.
You think the bank really has your cash in a big pile of money in vaults waiting to be spent?
I mean, wow, that's like a 4 year old's concept of money.
Deleted
http://www.amazon.com/Take-Fourth-Jeffrey-Walton/dp/1452089280/
information about your Doritos purchases to rearrange their wares
Truly, this is a nightmare made real.
And it even more fun to see that mentioning this, will result in your comment being moderated "Troll"....
Ceterum censeo Carthaginem delendam esse
It keeps being funny though, to see the typical American reaction to any suggestion that the US might not always be on the technological forefront of things. Up to Americans then starting to hail the perceived merits of old fashioned systems... In terms of monetary transactions, the US is decidedly lagging behind the rest of the western world. Paper cheques: monetary clay tablets, really.
While I certainly see your point in us ignorant Americans actually defending an archaic model, chances are we'll also "lag behind" in things like electronic identity theft/cloning as well.
Sonys PSN database got hacked. Imagine that on a much broader scale, when your entire legal identity is sitting inside a (now cloned) chip in "your" cell phone.
And I fail to see your overall point here with the US model. I've paid bills and received payments in 100% electronic form for years now, and I don't know of anyone else who also does not have that same ability. I was paying for fuel via RFID "swipe" over fifteen years ago, this tech is hardly "new" by any means. Of course, we ALSO have the ability to write "cheques" and still use that non-traceable green stuff called "cash". What you may call "archaic" I call "flexible".
Identity theft is not really an issue here. It seems to be more of an issue in the US.
Ceterum censeo Carthaginem delendam esse
You could do a lot better than what you propose. The merchant should send an "invoice" to the payment device. The payment device displays the invoice and gets the user to approve it. The payment device adds a timestamp and unique transaction ID to the invoice, signs it, and returns it to the merchant. The merchant presents that to the bank and gets the approve. If the payment device uses secure hardware (probably not happening in this case) then your entire transaction is secure end-to-end and immune to replay attacks, cloning, etc.
Credit cards are simply obsolete. It isn't a shared "secret" if you share that secret with every store you visit...