A PIN is not required to use a debit card today. The vast majority of them support running the transaction either through the debit networks, where you use a PIN, or through the credit networks (Visa or MasterCard) where, today anyway, you sign. So the thieves can still steal the card number off a debit card and use it just like a credit card. The only difference is that your checking account is the money that gets tied up in limbo until it's sorted out, instead of the bank's money (in the form possibly of your credit limit).
This is why I simply cannot understand United's new policy of buying aircraft with NO entertainment system at all, not even one where you can just plug a headphone in so you can hear the announcements.
United and other airlines are seeing the trend of more and more people bringing their own devices and using those, thus they can save several hundred pounds of weight by removing the inflight entertainment systems. US Airways did this a few years ago. Southwest never had a built-in system.
But your point about the built-in systems' ability to be automatically paused when the pilots and flight attendants make an announcement is an interesting one; something I hadn't thought about before.
I don't know much about how PGP works, but with S/MIME, you attach the certificate containing the public key to the e-mail, as well as the encrypted ("signed") hash of your email.
The next question is how do you know the certificate is genuine? Well, that's why you pay VeriSign, DigiCert, or whatever your favorite Certificate Authority (the same people who create certificates for web servers) is, to sign your public key and issue you a certificate.
Your statement that PKI is hard is absolutely correct.
Easy enough to fix...
Note that Net10 and StraightTalk are both actually part of the same company (TracFone).
I assume you're thinking of the eInk display as a way to protect web based transactions?
Rather than coming up with another scheme, I feel like a better solution would be a way to do EMV payments over the web using a regular smart card reader. Smart card readers don't seem uncommon in business oriented laptops already, and Dell and HP have smart card reader keyboards that they could just make the standard keyboard they ship with desktop PCs. It's possible to read EMV cards using regular USB card readers; the folks on FlyerTalk do it to read the CVM list off their card (that's how people figure out if a card is C&S or C&P priority and whether it supports offline PIN).
True about most US cards being C&S, not C&P. Or being both, but with C&S as higher priority and not supporting offline PIN (which is where the real trouble comes). From what I'm hearing, Visa is the one that's really pushing C&S in the US; MasterCard is pushing C&P. And since the new EMV Target cards will be MasterCards, there's reason to hope that they'll be C&P.
For the record, Walmart has also apparently been advocating C&P. They're also ahead of Target in rolling out EMV support; about 25% of Walmart US stores are actively accepting EMV payments.
And this is where the October 2015 liability shift comes in:
If fraud occurs on an EMV card and the merchant hadn't upgraded to EMV and was relying on swiping the magnetic strip to process the transaction, the merchant has liability.
If fraud occurs on a non-EMV card and the merchant had upgraded to EMV, then the bank issuing the card has liability.
The result is banks are incentivized to upgrade to EMV cards so they can try to shift fraud liability to the merchant who hasn't upgraded to EMV terminals, and the merchant is incentivized to upgrade to EMV terminals to avoid the liability shifting to them.
Presumably fraud liability for EMV cards processed at EMV terminals remains where it is today (banks), and possibly everyone wonders "how did that happen?"
Meanwhile, fraud moves to card not present (read: over the Internet/phone) transactions.
Banks are offering EMV cards today in the US, and I've yet to hear of anyone being charged for them. American Express will upgrade people now without having to wait for the card to expire; just call customer service and ask for one and the new card will arrive via UPS Next Day Air.
Visa Debit is 2FA if you press the "debit" button on the point of sale terminal, since you need to have the card (something you have) and enter the PIN (something you know).
On the credit card side of things, EMV can make 2FA common and has in many places, with Chip and PIN cards. But many banks are going with Chip and Signature, which to me is worthless as a form of authentication. There are other parts to how EMV works that still make it superior to mag stripe even with Signature.
EMV cards are available in the US today. American Express offers EMV versions of virtually all their cards today; you just have to call customer service and ask for one and they'll send one out. Many major banks including Bank of America, Citibank, Chase, US Bank, City National, USAA and Barclaycard as well as some credit unions have started issuing EMV cards as well. Capital One is a notable exception as a major credit card issuer that does not yet issue EMV cards in the US (though I've heard they do in Canada).
The caveat is that most of these cards are Chip and Signature, while much of Europe is using Chip and PIN. It's all about how the card issuers and merchants set their priority though; retail outlets should accept Chip and Signature though there have been reports of merchants not wanting to (and some people have problems with mag stripe cards too). The biggest problem for travelers tends to be unattended kiosks, which are set for PIN only. Sometimes the cash advance PIN will work with a Signature-only card; this depends on whether the kiosk has an online network connection to authenticate the PIN with the bank rather than with the card itself. Visa is pushing these setups to accept no authentication ("No CVM" in EMV lingo) as a fallback for Signature-only cards.
What will drive the move to EMV in the US is a liability shift for fraudulent transactions that is set to occur on October 1, 2015. Fraud liability for a magnetic stripe transaction on an EMV capable terminal (meaning the merchant has upgraded but the card issuer has not) will rest with the bank that issued the card. But fraud liability at a non-EMV capable terminal (meaning the merchant has not upgraded) rests with the merchant. This combination will incentivize merchants to upgrade to EMV (since liability will be shifted to them if they don't), while banks will want to get EMV cards in people's wallets so that fraud liability will be shifted away from them at merchants who don't upgrade.
Red Hat Enterprise Linux if you want to pay, CentOS if you don't. Versions 5 and later (6 is current and 7 is in beta) are supported with updates and fixes for 10 years.
Interesting, because the attraction was reported, at least when it originally opened, to be running Windows XP.
I do find it odd that someone would actually break the law (at the very minimum, identity theft and extortion) in such a contrived chain of events... Just to gain control of something they won't even realistically get to use (can you imagine trying to use @N for the next few months through the massive volume of hate-tweets it will get?)
I don't, because it's happened before. I haven't reread the article to see if this states it, but I recall hearing that the reason the hacker did all this to Mat Honan was because he decided he wanted his @mat twitter handle.
The Gogo network may be cellular, but their network is designed to hit a target flying 500 miles per hour at 39,000 feet. Plus, the base station on the aircraft concentrates the traffic, which means there's one air-to-ground link per plane, rather than per handset as would be the case of someone using an unauthorized cell phone inflight today.
It's also not true that all the existing inflight data links are cellular. Southwest uses Row 44, which provides a satellite based solution. JetBlue is planning to launch, if it hasn't already, a satellite-based system with ViaSat.
There are other, older, slower options for inflight data access that are satellite based, but we're talking about dialup speeds here.
Virtually everyone has secure communication to their email provider these days.
And virtually nobody has secure communication between email providers. So there's a good chance that at some point along the line, your email is being transmitted across the Internet in the clear. Secure IMAP/POP/SMTP is good for protecting your authentication credentials (password), but if you want to protect the contents of your email, you need an end-to-end solution like PGP or S/MIME.
Microsoft didn't come up with the idea of a WYSIWYG text editor. I don't know who was first, but I know Apple's MacWrite in 1984 only had one view of the document, and it was like what Word calls "Print Layout".
Kansas City didn't exactly work as a hub for a smaller airline either.
...and the computer it was in cost $10,000.00.
Or, you can use Safari. I have both an iPad 3 and an iPhone, and find that site-specific apps are far less necessary on the iPad, since the screen is big enough that most sites work reasonably well. As to whether that is the case with Flickr site specifically, I'm not sure.
Fight this, no doubt. But if it happens, I'm not sure that companies like Google and Facebook moving out of state would be enough. Since the proposal appears to (based on the summary) apply to California customers, they'd actually have to stop doing business with residents of the state. Seeing as California tends to be the leader on these things, it's probably in their long term interest just to set up the systems necessary to comply.
Most airliners fly higher - 50-60,000 feet isn't unusual.
Not unusual for Concorde, which would float up during transatlantic cruise starting around 45,000 feet up to its service ceiling of 60,000 feet. But most other civilian airliners top out in the low 40,000s; I think a few bizjets may get a bit higher:
AT&T still uses Yahoo to handle their email. att.net email addresses use Yahoo servers. The webmail interface is a rebranded version of Yahoo webmail. I was able to combine it with my already existing Yahoo account (though I never used that email address for anything either), so both the yahoo.com and att.net addresses I have point to the same inbox, and I can interchangeably use my Yahoo or att.net ID to log in to various Yahoo services.
Interestingly, when I lived in an area where Qwest (now CenturyLink) was the local telco and I had their DSL service, it was cobranded with MSN. So the email address I got from them was msn.com, not qwest.net. And there's a funny thing about MSN; when you leave, you can keep the email address as it's really just a Hotmail (or whatever they want to call it these days) address with a different domain. So I still have (and still don't really use) that msn.com email address. This is not just for the DSL customers either; I had a relative I helped switch from MSN dialup to what was then SBC (now AT&T) DSL, and they were able to keep their msn.com email address as well.
If you don't want to do the fingerprint scanning thing, you're going to the wrong Disney park. Disneyland in California doesn't have them.
I think you're trying too hard. All you have to do is replace the site with a Flash applet. Or for extra awesomeness, use Java instead. Now the only functional hyperlinks will be to the main page that loads the applet, which will load their content cover page, and all article content is accessed there, within the applet. Plus since the content won't be searchable, they won't have to worry about Google and friends providing links directly to their site.
Or they can just do what brain-dead mobile site developers do and redirect all incoming links that don't have a referrer of their own site back to the home page.