Thursday 14 October 2010

PayPass - what's the problem?

The system is encrypted, the bank says it cannot be hacked and my funds are protected against unauthorised use if I abide to their terms and conditions.

So what's the big deal, why not chill out and deal with it - or even change banking institution?

First of all, this idea is broken. It's broken on more levels than I can count. I've only been highlighting some of the issues.

Here's some scenarios to consider:

Scenario 1:
What if someone hits me over the back of the head to get my card because it's as good as cash. Does the bank protect against that?

Suggestions have been made that thieves aren't interested in $100. My experience of theft - as in being a victim of theft - tells me that any amount of free cash is desirable.


Scenario 2:
What if someone manages to make a clone of my card. The bank can claim that any purchase made with that cloned card is in fact my card, and thus I'm liable for a purchase made on that cloned card - I have no recourse because according to the bank, I made the purchase with my card. Since I still have my card, I cannot claim it was stolen.

The bank claims that cloning isn't possible, but I've been in the IT industry too long to rely on such an assumption. There is a good financial incentive to clone a card. Since this system uses RFID, a wireless techology, people can access my card just by being in range with a strong enough antenna.

This means that my card can be cloned without my knowledge or participation.


Scenario 3:
If this technology takes off, then the number of transactions on a credit card statement will increase significantly. Typically this means that less people are likely to sit down and check every single transaction on their statement, making it easier for fraudulent transactions to slip through.


Scenario 4:
To deal with the increased volume of transactions, the bank could create "smarter" software to detect fraudulent transactions.

This means that you might have other side effect issues like getting on a plane in the morning and trying to pay for a taxi at your destination in a different country.

The bank might decide that you have never been to Nepal and that this transaction is fraudulent. With real-time banking making inroads, this makes it likely that the transaction will be caught in real-time, making it impossible for you to pay for your completely valid taxi-ride from the airport to base-camp.

PayPass - not so new kid on the block

It seems that the Commonwealth Bank has been playing with PayPass since 2006. I don't recall ever seeing any information about it, and only in the last couple of months have I seen TV advertising and seen readers sprouting like mushrooms in my neighbourhood.

There are others who have been raising concerns since 2009. Note that the statement on that page about Mythbusters has been retracted by Adam Savage.

There is also a ZDNet Patch Monday podcast (from 4'56" until 14'33") that discusses PayPas and PayWave (the Visa version of the Mastercard PayPass). They state $35 as the limit, which appears to be incorrect, I've been told $100. The podcast discusses some of my concerns - those to do with authentication and hack-ability. It also raises concerns about customer risk assesement, legal issues related to Card (Not) Present transactions, etc.

The podcast also goes on to discuss issues related to checking your statement, which contactless payments will make harder, since you're unlikely to get a receipt and the number of transactions per statement will increase markedly, making it even harder to spot an unsolicited transaction.

Wednesday 13 October 2010

VM Workstation

Having now used my virtual workstation for many months, I can provide a meaningful update about the whole thing.

For those who want some background I wrote about what I'd like to achieve a while back. I ended up running VMware Fusion on a 17" MacBook Pro.

First of all, it works. I use my main virtual workstation all day every day. Deployment was as simple as creating a disk image of my ThinkPad, putting it on my MacBook drive and pointing VMware at it.

My only beef are three persistent bugs with VMware Fusion:
  1. Sometimes the keyboard doesn't work when I resume my workstation image. A keypress results in a beep. The only work-around is to go from full-screen to single window with Command-Option-Return and then maximizing the window to full-screen again. This is a PITA since my Gnome Toolbars then "helpfully" move around and don't get put back where they were.
  2. When I wake the workstation, sometimes for no particular reason the network is off and I need to re-enable it.
  3. I've stopped sleeping my MacBook with VMware running because there is a nasty bug that somehow causes VMware to freeze which results in data-loss - very unhappy. So now I quit Fusion, and then sleep my MacBook. Not ideal.
Things that work.
  1. I have the ability now to snapshot my workstation, or development server, or client image, or whatever and do an upgrade or driver install and then roll it back with no pain.
  2. I am running this with 3 external monitors and it just works. I'm using the DVI port and 2 x USB-DVI adapters with 3 x 1080p screens (Toshiba PA3768) - which also rotate - niiice.
  3. I'm using Afloat to keep a VM window floating above my "normal" desktop, so I can use Ubuntu as my workstation full-screen while still keeping an eye on another VM.
  4. My backups are using Time Machine on a sparse bundle drive, which VMware doesn't notice. So all my VM images are stored on this drive and Time Machine just backs up the sparse-bundle file.
  5. I pulled out all the apps from OS X and created an OS X guest machine where I can run iTunes etc. Sound is still buggy on this guest, but I'm working on that.
All in all, this has proven to be a little nerve racking in the early days, especially with the data-loss issue, but my productivity has increased no-end and I can say that this is a vast improvement on running my workstation on bare-metal for many many reasons.

Now if I had a few more hours in the day I could get back to doing more productive stuff for the Ubuntu Server Team.