The Plastic in Your Wallet: How to Pay

As both a customer and a bank employee, I see the frustrations on both ends of monetary transactions.  Since we don’t pay for anything with cash anymore, and with cybercrime and fraud keeping pace with the exponential growth of technology, studying ways to protect oneself quickly becomes a rabbit hole of madness and despair.  Well fear not (rather, keep a healthy level of fear)!  I will use my experience in the industry to try to simplify this nagging question: how do I pay for things?  I will do this by tackling two subjects: Liability and Security.

Liability

Liability is simply: who is immediately responsible for fraudulent transactions?  I say “immediately” because ultimately the bank still has to investigate, but depending on the type of transaction, someone’s money is tied up in the meantime.  Also, ultimately customer loss is covered under different legal protections by transaction type.  I will explain.

For Debit Cards, customer liability is based on when activity is reported.  If a lost card is reported and then the card is used, that’s the bank’s fault for not deactivating the card.  If the customer waits 2 days, there’s a $50 liability.  Beyond that, up to 60 days, there’s a $500 liability.  Beyond 60 days, the customer is not protected from the loss.

A second point on Debit Cards–it’s the customer’s money that’s tied up during an investigation, depending on how nice the bank is.  So even if you immediately report a lost card, and someone uses it to drain your account, you’re up a creek with no personal funds while the investigation is underway.  That’s an extreme example, but something to consider.

For Credit Cards, customer liability is also based on when activity is reported, but it’s far less important.  Technically, the law was very similar to Debit Card liability until the CARD Act.  Now, the 60-day rule no longer applies, so customer liability caps out at $50.  Even so, most credit card companies simply waive that paltry (to them) $50 liability for marketing purposes (pay attention to the next solicitation you get in the mail).

And, referencing the earlier point, a credit card is not the customer’s money.  While an investigation is pending, it is not the customer’s finances that are being held.  A stolen credit card is an inconvenience, yes, but a relatively minor one.

Security

Remember the Ident-i-Eeze card?

Now that we’ve covered who’s responsible for what, we can address what is the safest method of payment.  Security is defined by 3 methods: something you have (a physical card), something you know (a PIN), and something you are (biometrics).  Security is enhanced as these methods are compounded.  To explain: a magnetic strip credit card only leverages a single method: possession of the card itself.  A physical swipe is all that’s needed for authorization.  This method fails when that account information can be flashed to blank cards, creating facsimiles (counterfeit fraud, in the industry).  Account information is stolen both on an individual basis by reading the unencrypted account number off the mag strip by a harvester (by anyone nefarious who has temporary access to your card), and from merchant databases (since merchants store your full account number for transactional history).

To address these problems, the EMV chip was introduced.  The idea is that a card would leverage a second factor of authorization: something you know.  In this case, a PIN would be coded into the chip with the account number and encrypted, thus preventing card duplication and rendering a card useless if stolen.  It also makes storing and stealing information less useful because transactions are assigned a session token, determined by an algorithm on the chip and applied to transaction-specific data and a terminal nonce, valid only for that transaction, which the bank takes as verification that it was your card being used.  This became known as the Chip and PIN method.

But, this method was neither standardized nor enforced.  EMV whitepapers include a number of possible applications, which translates to varying degrees of security which the customer can’t readily determine.  And so, we also ended up with the Chip and Signature method.  This undermines part of the point by not requiring a second factor of authentication (i.e. the PIN).  The Chip and Signature method encrypts the account information and generates tokens in the chip, same as Chip and PIN, hopefully preventing harvesting the information and mitigating counterfeit fraud, but it doesn’t require a PIN.  You see the difference–a stolen card can still be used.

Also, until chipped cards are mandatory, many are still printed with a magnetic strip, defeating all the benefits of the chip.  The law shifted so that the bank can now force all liability on the merchant for not supporting chip technology, but nothing is legally required, so in the meantime we still have cards with insecure magnetic strips.

Now back to debit cards.  The original debit card was only a debit card.  It had an insecure account number in a magnetic strip, yes, but it required a PIN to authorize–so two factor.  A stolen card, therefore, was theoretically useless as the thief wouldn’t have the PIN.  But, then banks started leveraging the credit card networks to offset transaction costs, which is why you can run your debit card as a credit.  Running it this way doesn’t require a PIN, thus destroying the purpose of the PIN itself, and the money still comes out of your bank account.

So to date, we had a single-factor authentication card, came up with a couple two-factor methods, undermined one, haven’t standardized the other, and came up with a way to mitigate duplicating a card but haven’t standardized or enforced it.

The most recent enhancement has been mobile pay–specifically for this article: Apple Pay.  In this method, a secondary account number, derived from a nonce, i.e. the token, is generated and stored on a mobile device.  As in the way time-based authenticators are used, a cryptogram is generated at the time of sale from an algorithm, the variables of which are unique to the device itself and cannot be determined mathematically from the cryptogram or the token, both of which are submitted to the merchant for authorization.  A third element, a dynamic CVV, is submitted as well, another algorithmic derivative of the token and cryptogram.  The security lies in that the token, cryptogram, and CVV output are all required for a transaction, yet two of them are dynamic, and the cryptogram which ties together the mathematical relationship relies upon device-specific identifiers that are encrypted on the device and never divulged–only verified through the process–likely a hash (this is an overview, as the specific details are not published).  The point is that any information harvested in the transaction or stored cannot be used to determine the account number, nor re-used, nor applied to determine the cryptogram’s elements that generate the cryptogram/CVV.
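The per-transaction cryptogram described for chip cards and for mobile pay above, as an added example that is not from the original post: a simplified model in which HMAC-SHA256 stands in for the card's real algorithm (EMV has its own scheme, and Apple Pay's details are not published). The `Card` and `Issuer` classes, the message layout and the token value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _message(token, amount_cents, nonce, counter):
    # Illustrative layout: everything the cryptogram must bind together.
    return f"{token}|{amount_cents}|{nonce.hex()}|{counter}".encode()


@dataclass
class Card:
    """Chip or phone secure element; the key never leaves it."""
    token: str
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    counter: int = 0

    def authorize(self, amount_cents, terminal_nonce):
        self.counter += 1  # every transaction gets a fresh counter value
        msg = _message(self.token, amount_cents, terminal_nonce, self.counter)
        return {"token": self.token, "amount_cents": amount_cents,
                "nonce": terminal_nonce, "counter": self.counter,
                "cryptogram": hmac.new(self._key, msg, hashlib.sha256).hexdigest()}


class Issuer:
    """Bank side: shares the card key and remembers the last counter seen."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, card):
        self._keys[card.token] = card._key
        self._last[card.token] = 0

    def verify(self, tx):
        key = self._keys.get(tx["token"])
        if key is None:
            return "unknown token"
        msg = _message(tx["token"], tx["amount_cents"], tx["nonce"], tx["counter"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "bad cryptogram"
        if tx["counter"] <= self._last[tx["token"]]:
            return "replayed"
        self._last[tx["token"]] = tx["counter"]
        return "approved"


def demo():
    issuer, card = Issuer(), Card(token="TOKEN-0001-CONSTRUCTED")
    issuer.enroll(card)
    tx = card.authorize(1999, secrets.token_bytes(4))   # constructed $19.99 sale
    genuine = issuer.verify(tx)
    replayed = issuer.verify(dict(tx))                   # stored copy resubmitted
    altered = issuer.verify({**tx, "amount_cents": 999999})
    # Stored data reused with a new counter but the old cryptogram.
    stale = issuer.verify({**tx, "counter": tx["counter"] + 1})
    return genuine, replayed, altered, stale


if __name__ == "__main__":
    print(demo())
```

Everything the merchant sees or stores (token, amount, nonce, counter, cryptogram) is in `tx`, yet none of it is enough to produce a second accepted transaction without the key held on the card.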

Furthermore, the mobile pay method leverages the security of the customer’s mobile device, therefore enforcing two factor authentication (the phone’s password/owner’s fingerprint).  And, since all data is encrypted by default on an iPhone, stealing the phone won’t allow its use for payment.

Conclusion

For maximum security and minimal liability, use a mobile pay method with a credit card.  After this, I rank other methods in decreasing order of ideal security/liability combination: mobile pay/debit card; Chip and PIN credit card*, Chip and PIN debit card*; Chip and Signature credit card*; magnetic strip credit card, Chip and Signature debit card, magnetic strip debit card.

*Only if card does not also have a magnetic strip.

NOTE: I have yet to be issued a chip-only card.  So far, they have all been dual chip/magnetic strip cards.  Dual cards ultimately offer little benefit over magnetic strip only cards if the card is stolen, but do use the chip over the strip whenever possible as this still limits the use of stored credit card data.

Bottom line: use mobile pay if possible, and always use a credit card over a debit card.

Also, you might be wondering how a phone or internet transaction occurs, to which I say: good question.  If no one’s scanning the card/device, obviously the card’s security is moot.  Although, Apple Pay does integrate with iOS applications, so you can pay through the same device’s merchant application as Apple Pay.  And for EVVs, there is information regarding an out of band dynamic CVV generation….

Obviously we’re still working on the problem as a society.  I dunno, maybe pay with cash after all.

–Simon

Because It’s There!

In my college apartment, back when my roommate and I had a collection of (Gasp!) two computers and an Xbox 360, we had the beginnings of a respectable home network.  In actuality, this consisted of a single router and a discreet hole punched in the wall between our rooms to allow for an Ethernet run.  But it was a wired home network, dammit!

One evening, probably after imbibing too much, we had a discussion about stress-testing the network, for no other reason beyond idle curiosity.  And so, we each began a bandwidth test on our computers, while simultaneously transferring a large file between them, and playing an Xbox game.  In actuality, this didn’t represent much of a stress test, but it was sufficient to fry the router–a Linksys WRT-something.

The router was my roommate’s, and since he already had it at the time, I felt no need to purchase something better.  After the test though, I went to a different brand: D-Link, with whom I’ve stayed since, at least until I have a bad experience.  In any case, this utterly pointless test broke an expensive electronic and forced us to be offline for a couple days.  What was the lesson?  NOT A DAMN THING!

Fast-forward to present.  I acquired a 5 terabyte USB HDD, at the time intended as a master backup drive.  I encrypted the drive, then manually copied over every file from every computer we owned.  I then locked this drive in my desk at work.  Clumsily, I had created an off-site data backup.  But the process was cumbersome and time-consuming, and the encryption didn’t play nice cross-platform.  So when Amazon started offering unlimited cloud storage for a fixed yearly rate, and I found out my NAS could integrate with it and maintain client-side encryption, I really couldn’t think of a reason to continue with the arduous task of manual backups.

But now, I had an unused giant hard drive.  What to do with it?  My Xbox One, always suffering from a critical shortage of storage, won the prize.  I connected the drive, followed the formatting prompts, and subsequently solved all my storage problems for the foreseeable future.

In fact, it was so much storage that I decided to download every free game offering that came with my Xbox Live Gold subscription.  Generally, they’re mediocre games that neither I (nor anyone) will ever play.  But, I can.  So now, every month, I download these games simply because it’s there!

…at least until my ISP finally institutes data caps

–Simon

The Internets and Social Medias

That’s actually how a company higher-up referred to it: The Internets and Social Medias.  I felt like a kid, talking to some adult who was desperately trying to understand “what the kids are into these days”.  It was painful.

Anti-gay chicken sandwich

The point of that particular email communication was to be careful that when you take to the Internet to obnoxiously voice your opinion about something, as we are all apt to do, that you take pains to avoid having your opinion interpreted as a representative of your employer.  Remember Chick-fil-A and that comment against homosexuals by whoever that executive was?  I get that it’s a Christian company, but it seemed odd to me that we were holding a company accountable for an employee’s personal opinion.  I don’t recall the company ever catching flak for refusing to hire homosexuals, or denying them service, so as far as I know, the company itself hadn’t done anything ethically questionable.  But it demonstrated that people as a whole didn’t want to make that distinction, and so proved my own employer’s concerns.

My point is that this is one consequence of the Internet, which represents something greater: open access to exercise free speech to a worldwide audience, and the major consequences it can have against a powerful individual, whether or not those consequences are justified.  It’s a definite point of concern, but it got me thinking about something even bigger: who specifically would be against this paradigm that we’re in a constant state of disagreement regarding the openness of the Internet?

And my conclusion is simply, that it’s those with the most to lose.  Let’s consider some logic: knowledge is obtained through experience and study.  Study is written information, vetted and discussed.  The Internet is the biggest and most available source of vetted information.  The internet is therefore knowledge incarnate.  An argument against the openness of the internet, therefore, is an argument for greater widespread ignorance.  So who would benefit?  I surmise that it would be those who are in power.  Why?  Because the mere fact that they hold positions of power demonstrates that they have benefited from the existing system to this point, which compared to today’s access to information (courtesy of the Internet), has been a period of relative ignorance.

People fear to lose what they have acquired, even when recognizing it doesn’t benefit the common good.  More tangibles means a higher standard of living–something for which we fight tirelessly–human nature.  Conclusion: those in power don’t want to lose power, and consequently perceive the Internet as a direct threat to their power.

Enter: government intervention.  The trend has been to cripple the Internet where its ubiquity benefits the commoner, without threatening areas in which it benefits commerce (AKA: the flow of money and by proxy, power).  This translates to being able to monitor who does what on the Internet.  If you can build a profile on every citizen, then through historically successful tactics of government action, such as intimidation, threats, and political imprisonment, you can then silence anyone who’s informed enough to be a direct threat without destroying the technology itself, and therefore still capitalize upon it while maintaining the power dynamic.

The first approach was to damage the first threat to surveillance: encryption.  In the 1990s there were actual laws which dictated the effectiveness of Internet encryption strength, and even went so far as to classify the technology as a munition, and therefore precluded from international export.  Review the history of PGP for an amusing example.

But stifling encryption ultimately harmed commerce, as the Internet became increasingly commerce-centric.  Money had to flow and it could only do so with encryption.  The restrictions eased, but encryption remained cost-prohibitive to anything outside of commerce, so for a time the government was still in a winning position.  More interested in communication and people’s access to information, the government was still comfortable with the fact that while strong encryption existed, nothing they were interested in monitoring was encrypted.

But then, encryption became universal, recently thanks in part to the push for it by companies such as Google, Mozilla, Apple, and the EFF.  Suddenly, it became infeasible to police the public based on their Internet traffic.  So the government responded with what they tried before: breaking encryption.  Except this time, the commercial Internet entities were no longer solely comprised of companies who unquestionably took the government’s side in all matters.  Encountering resistance by these powerful companies, attempts to renew similar legislation have so far failed (in the US, anyway–Brazil and Britain are two notable counterexamples).

So the power play has taken a new approach.  If you can’t control the technology that runs the Internet, control the infrastructure itself.  In order to do that, it needs to be consolidated–monopolized.  Enter the era of mega-mergers.

Remember?

Time Warner/Comcast/Charter/Verizon/Level 3/AOL–the Internet backbones of the country are quickly becoming one.  In a closed-door tit-for-tat arrangement, these companies assuaged the government leaders’ fear, by providing all the financial incentive required to keep these leaders in power, while the leaders responded by further de-regulating legal restrictions, allowing these companies to squeeze additional capital from their customer base.  But as stated, there’s a bigger plan.  This mutually-beneficial arrangement extended to ignore antitrust regulations, giving companies the monopolistic power they wanted to maximize revenue from a competition-less industry, while becoming unofficially indebted to the government, true, but the government will then exercise its power to regulate these indebted monopolies for its own purposes, finding a way around the technology to access customer data through the gatekeepers themselves.  And once the industry is monopolized, there will be no fringe competitors available to offer alternatives.

So what is the next step?  I will theorize.  Ultimately we’ll end up with one or two ISPs.  We’ll pay increasingly exorbitant prices for Internet access.  Then they’ll leverage their monopoly over the Internet backbone itself to force a technological loophole.  ISPs may require that customers install an ISP-provided encryption certificate, which would break encryption to the ISPs while still maintaining secure communications for commercial purposes.  They may require customers to use ISP equipment, designed for a similar middle-box proxy service.  They may require something at their business customers’ end, such as logging and surrendering customer information.  There are many specific possibilities, but what’s important is that we as the customer, with no other ISP alternative, will be in no position to refuse.  And the pseudo-anonymity, open exchange of ideas, and access to the world’s repository of knowledge will gradually be lost to the ages until the next violent revolution.

–Simon

My Outlook: Office Doesn’t Excel

Do you know what they improved between MS Office 2013 and 2016?  NOT A DAMN THING!

Okay, to be fair, there were some totally awesome improvements, like…window stacking?  And new Excel graphs.  And there’s this map function apparently.  And better database integration support.  This would totally be worth buying a new license.

Of course, that’s not their MO anymore.  I realize it’s clichéd to blame Millennials for things as I’m apt to do, but it’s totally their fault.  They expect software to have no upfront cost, and to be completely cloud-based.  So now, Microsoft pushes subscription services instead.  Yay, just like DRM!  You never actually own anything anymore.

On the business side, we have the same thing: perpetual contracts, even when the new software adds no value.  So what did Office 2016 change?  Well, they moved all the functions around so I had to find them again.  And now, repeated keystrokes cause some type of application layer panic and everything crashes.

How about you just let me CLOSE the program?

Rant complete.  But I’m not one to complain without suggesting a solution.  I offer you an alternative: LibreOffice.  It’s an open-source fork.  So while you may be forever forced to use Microsoft products at work, you can still make a choice in your personal computing needs.

Now I’m going to get back to work and see if Excel launches.

–Simon

Certificate Renewal

In accordance with Let’s Encrypt’s (the certificate authority for this site) 90-day SSL certificate expirations, I needed to renew the certificate for this site.  It should be seamless, but if you are using any applications that support certificate pinning, you may receive a notice of a certificate mismatch.  This is normal, and the alert serves as a warning against a possible certificate forgery.  Simply accept the new certificate.  However, for the extra paranoid (myself included), you may validate the new certificate’s authenticity with the below fingerprints:

SHA1 Fingerprint:

4D:28:C4:DA:0C:DE:48:39:6D:CD:1A:28:E5:D5:CC:46:5C:34:85:32

SHA-256 Fingerprint:

39:4B:3A:D3:40:C5:EA:89:B1:1C:80:F8:E4:E7:2B:30:E4:23:E2:42:4F:BC:6D:EB:86:CD:FA:83:1F:B8:57:BE

The current certificate will be valid until July 16, although I will probably renew it within 2 weeks of that.

–Simon
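One way to run the fingerprint check described in the post above, as an added example that is not from the original post: a certificate fingerprint is the hash of the certificate's DER bytes, so the PEM text is decoded first and the result is compared with the published value. The function names and the sample "certificate" bytes are constructed for illustration; for a live site the PEM would come from `ssl.get_server_certificate((host, 443))`.

```python
import hashlib
import hmac
import ssl

# Published fingerprints are told apart by length: 40 hex digits is SHA-1,
# 64 hex digits is SHA-256.
HEX_LEN_TO_ALGO = {40: "sha1", 64: "sha256"}


def normalize(fp):
    """Strip colons/spaces and case so 'AB:CD' and 'abcd' compare equal."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def fingerprint(der, algo="sha256"):
    """Hash the DER encoding and format it as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(pem, published):
    """True if the PEM certificate hashes to the published fingerprint."""
    want = normalize(published)
    algo = HEX_LEN_TO_ALGO.get(len(want))
    if algo is None:
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    der = ssl.PEM_cert_to_DER_cert(pem)  # hash the DER bytes, not the PEM text
    got = normalize(fingerprint(der, algo))
    return hmac.compare_digest(got, want)


# Constructed sample input: stand-in bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed stand-in bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
OTHER_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")

if __name__ == "__main__":
    published = fingerprint(SAMPLE_DER, "sha256")
    print(published)
    print("same cert:     ", matches_published(SAMPLE_PEM, published))
    print("different cert:", matches_published(OTHER_PEM, published))
```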