US government to accept Apple Pay for 'many' transactions starting in September

Comments

  • Reply 21 of 36
    lkrupp wrote: »
    sflocal wrote: »
    What's really pathetic is how Google and Fandroids were hyping (i.e. "Bullish!tting") GoogleWallet and with years of a head start, accomplished squat.


    Here comes Apple once again showing these idiots how it's done, and done right, and the Fandroid community once again scurries to the corner of a room and hopes no one calls them out on their idiocy.


    ApplePay is a great system, is easy to use, and has rock-solid security and does everything and anything to make sure that no individual information is kept anywhere. That's giving Google the big middle-finger.


    Way to go Tim!


    As with so much of what Google does they introduced Google Wallet, didn’t promote it, didn’t advertise it, didn’t tie in with banks and retailers. They sort of left it twisting in the wind and went on to the “next big thing” and forgot about it. But they had it first which means nothing these days. 

    Google has the focus and concentration of a squirrel in heavy traffic.
  • Reply 22 of 36
    mpantone wrote: »
    solipsismy wrote: »
    Not really, because people will still be carrying cards along with having Apple Pay as an option on them for some time. We'll have to get to a certain threshold in a particular use case before an iPhone 6 or Apple Watch will be the only device people carry with them so that a stolen CC or debit card is not likely to occur. But I have no doubt it will come and I expect some major advancements announced this year.
    Correct. Every single merchant that you can possibly think about using (and some that you might not think about) would have to accept NFC contactless payments, highly unlikely in the next few years.

    Also, I am not aware of heavy deployment of ATMs that support NFC. If I recall correctly, Visa and MasterCard's liability shifts for ATMs is next year and that's for EMV; the liability shift for gas station POS terminals is in 2017, so I'm guessing that people will still need to have physical cards for some time. 

    Those timelines will be highly shortened once consumer preference starts hammering on the bottom line. The consumers will tromp over any sleepy vendors to get to those more to their liking. The adoption rate of Apple Pay going on is a lot higher than I would have expected, and even more than I had hoped.
  • Reply 23 of 36
    Quote:

    Originally Posted by fallenjt View Post






    Is that the S6 with Samsung-Pay?

  • Reply 24 of 36
    sog35 wrote: »
    Hot damn!

    Tim was right when he said 2015 is the year of Apple Pay.

    Once the Federal Govm't embraces Apple Pay, the state and local govm'ts won't be far behind. The military, which has long depended on cash to pay members in combat areas, should be prime to go for Apple Pay too.
  • Reply 25 of 36
    mpantone Posts: 2,040 member
    Quote:
    Originally Posted by fallenjt View Post

     

    Yeah. I don't carry my CC anymore, but my ATM cards since I need to withdraw money sometimes. If ATM allows Apple Pay, I'll be good to drop my physical wallet. On that note, California soon allows digital ID/Driver License too (Assembly Bill 221). What's in your wallet? Nothing for mine.




    I still carry credit cards since not every merchant I use accepts contactless payments. It's not like I only spend money at chains or big box stores; there are plenty of mom-and-pop shops I use. I don't eat at fast food/quick bites chains like McDonald's or Panera Bread. If I spend money dining out, it's usually a better restaurant: most of those don't take contactless payments.

     

    The two plastic credit cards (one AMEX and one Visa) in my wallet represent $30,000 in credit, valid for use in any merchant that accepts those forms of payment. An iPhone 6 in a store that doesn't accept contactless payments is a nice paperweight.

     

    Yes, I keep an ATM/debit card in my wallet for the occasional cash withdrawal (about once every three weeks these days), but I don't think I've used it as a debit card for close to twenty years. 

     

    Another thing in my wallet? Public transit card (specifically the Clipper Card for SF Bay Area transit systems). Apple Pay doesn't do diddley-squat when you're standing at a BART turnstile or Caltrain ticket vending machine.

     

    Apple Pay is a great start, but it's not enough to empty your wallet. Not even close. It may reduce the number of times you need to pull out your wallet, but you still need to pull out your phone. What Apple Pay does bring to the table is enhanced security and some convenience. But it certainly isn't a nail in the coffin of plastic cards.

  • Reply 26 of 36
    thrang Posts: 1,009 member
    Quote:
    Originally Posted by mpantone View Post

     

    ...What Apple Pay does bring to the table is enhanced security and some convenience. But it certainly isn't a nail in the coffin of plastic cards.


     

    It is a nail, perhaps the first...the final will come in two years likely. It is rapidly expanding, the benefit of unique, encrypted token-transactions using your fingerprint undeniable to all three parties of the transaction.

     

    It could also be possible to use your fingerprint to generate a unique scannable code for expanding input, and secure BT transactions for services such as restaurants, gas fill-ups, tipping, etc...

     

    There is SO much that will be expanded, over time, in what Apple Pay can do...loyalty programs, gift cards, access to receipts and transactions...this is potentially the biggest platform Apple has ever produced, because it not only can succeed wildly on its own, but will be a major driver for purchase of Apple branded hardware that uses it.

  • Reply 27 of 36
    welshdog Posts: 1,897 member

    Just curious.  Has anyone proposed an actual method for cracking Apple Pay?  Seems like it would be extraordinarily difficult and might require a flunky inside one of the banks in order to breach it.

     

    I love the idea of Apple Pay and will probably use it when I get a 6.  However, we all know the "experts" say there is no such thing as unbreakable security in the cyber world. I wonder if that is absolutely true?

  • Reply 28 of 36
    Quote:

    Originally Posted by WelshDog View Post

     

    Just curious.  Has anyone proposed an actual method for cracking Apple Pay?  Seems like it would be extraordinarily difficult and might require a flunky inside one of the banks in order to breach it.

     

    I love the idea of Apple Pay and will probably use it when I get a 6.  However, we all know the "experts" say there is no such thing as unbreakable security in the cyber world. I wonder if that is absolutely true?


     

    Almost 100% of the time security is broken, it is because of stupid users, or stupidly designed systems where security is an afterthought. Systems that are specifically designed with security in mind are very rarely compromised.

     

    How often has the back-end of a bank been compromised? There have been a few attacks on front ends, like credit card transactions through ATMs because there are intermediaries involved for some cards. But the banks themselves would be a very very hard nut to crack. I don't recall a single one being breached. That would be big news indeed.

  • Reply 29 of 36
    sflocal Posts: 6,095 member
    Quote:

    Originally Posted by foggyhill View Post

     

     

    Almost 100% of the time security is broken, it is because of stupid users, or stupidly designed systems where security is an afterthought. Systems that are specifically designed with security in mind are very rarely compromised.

     

    How often has the back-end of a bank been compromised? There have been a few attacks on front ends, like credit card transactions through ATMs because there are intermediaries involved for some cards. But the banks themselves would be a very very hard nut to crack. I don't recall a single one being breached. That would be big news indeed.




    I don't hear too much about a bank being hacked.  It's more like Target, or Walmart kind of establishments.  They just don't have the talent in-house to maintain the ever-difficult task of modern encryption and data security.  I'll bet their systems are old servers running out-of-date Windows Server patches and simply look the other way when a breach happens.  They are the problem, not the banks.



    I would be curious to see what research shop determines a way to crack ApplePay.  Even if a vulnerability exists, I'll bet it will be only a theoretical flaw, and not something that can be easily used in a real-world attack.  Either way, let's give them the best of luck.  I think it's already the best thing out there security-wise, but nothing is 100% so they have my permission to unleash the hounds! :)

  • Reply 30 of 36
    Quote:

    Originally Posted by lkrupp View Post

     



    As with so much of what Google does they introduced Google Wallet, didn’t promote it, didn’t advertise it, didn’t tie in with banks and retailers. They sort of left it twisting in the wind and went on to the “next big thing” and forgot about it. But they had it first which means nothing these days. 




    To be fair, Apple isn't immune to this sort of behaviour of releasing and then leaving to wither for somewhat unclear time. As much as I remain hopeful I didn't see and don't see or hear much about iBeacons. iTunes Radio - OK for the US, but what about the rest of the world? We were promised "Coming Soon" at the time on the Apple.com/uk website... It's been 18 months now and clearly that's not likely to ever happen.

     

    Tech companies, Apple included, are all great at launching things, less so at keeping up momentum for various reasons - commercial or simply because of lack of rescues

  • Reply 31 of 36
    Marvin Posts: 15,324 moderator
    foggyhill wrote: »
    How often has the back-end of a bank been compromised? There have been a few attacks on front ends, like credit card transactions through ATMs because there are intermediaries involved for some cards. But the banks themselves would be a very very hard nut to crack. I don't recall a single one being breached. That would be big news indeed.

    A bank was hacked last year but the bank said it was just contact info taken:

    http://lifehacker.com/chase-bank-hacked-info-stolen-for-83-million-accounts-1642063956

    Banks probably have some sort of proxy setup whereby requests can't breach the account server directly. They will likely quarantine incoming requests on a proxy server and that server might have contact info that when validated gets passed on to the account servers. All servers are vulnerable, the banks use the same technology as everyone else and zero-day exploits will compromise their servers like any other. They would be a lot more paranoid about it than a retailer though and have multiple layers of security.
  • Reply 32 of 36
    foggyhill Posts: 4,767 member
    Quote:
    Originally Posted by Marvin View Post





    A bank was hacked last year but the bank said it was just contact info taken:



    http://lifehacker.com/chase-bank-hacked-info-stolen-for-83-million-accounts-1642063956



    Banks probably have some sort of proxy setup whereby requests can't breach the account server directly. They will likely quarantine incoming requests on a proxy server and that server might have contact info that when validated gets passed on to the account servers. All servers are vulnerable, the banks use the same technology as everyone else and zero-day exploits will compromise their servers like any other. They would be a lot more paranoid about it than a retailer though and have multiple layers of security.

     

    Contact info would probably be on the outer network. Things that get accessed often by people that don't need access to the secure financial data should not be put in the same area, limiting exposure. That seems to have been the case here.

     

    The question is not that if they are negligent they get hacked; it is: is it possible to enforce a level of security/infrastructure/procedures/policies so high that for all intended purposes, it is impenetrable, or penetration will create very limited damage?

     

     One part of it is preventing user idiocy, or even malignant users, from compromising the secure network.  Most data breaches these days come from malware...

     

    Isolating network functions and putting a very hardened proxy server (bastion host) with DMZs on both sides and hardened routers with static routes as gateways between networks and the DMZ makes access to the protected resource extremely difficult.

     

    Say: Net 1 -- Static route router A -- DMZ (Bastion host) DMZ -- Static route router B -- Net 2 DB SERVERS

     

    All traffic to and from the DMZ gets encrypted. Inbound traffic from the DMZ is decrypted, examined and logged, then is re-encrypted to go to the DB server. The examined traffic could have a payload that is itself encrypted, which would mean the DMZ itself doesn't have the whole info even if compromised.

     

    People always talk about 0 days and exploits, and whatever. But, those things need to actually run to do damage. If you limit your port/services, even access to a minimum (say only top level admins physically access the DMZ box and routers, they have no remote access),

    If you are truly paranoid, you can inspect your server code yourself (even put more protection for buffers, a big problem ) and compile it.  Then, run it in a sandbox or a user with the most limited access you can give it; some servers restrict access to a very granular level, for example the timed can only set time and do nothing else on a system. Remove every bit of software from the DMZ box that's not needed (including all but the most basic shell), make it lean and mean.

     

    Just imagine. The box is already socked into a DMZ with limited services with no remote login access (only through the physical terminal) and I'm still paranoid enough to further restrict everything. Lock everything down. You could make it more secure still by separating outbound and inbound fluxes.

     

    Now, physically lock down the location of the DMZ, the routers and their network. Physically lock the machines and then bolt them down. Make sure it's impossible to add anything to those machines (internally glue things if you have to). Put cameras all around their rack. Make sure people who are given access to the machine are limited and with a lot of background checks (done regularly). People that are granted access should not be people that can remove traces of their access; another person should be doing audits on their accesses. There should have to be 2 people compromised to have an inside hack.
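
The "limit your port/services" and "no remote login" points in the post above can be checked mechanically. The following is an added example, not part of the original thread or any poster's code: it audits a bastion host's listening TCP sockets against an allowlist. The addresses, port 8443, process names and the embedded `ss -H -tlnp` output are constructed assumptions.

```python
import re

# Assumed policy: the relay is the only service allowed to listen, and only on
# the two DMZ-facing addresses (router A side and router B side).
ALLOWED = {("10.0.1.10", 8443), ("10.0.2.10", 8443)}

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 10.0.1.10:8443 0.0.0.0:* users:(("relay",pid=701,fd=5))
LISTEN 0 128 10.0.2.10:8443 0.0.0.0:* users:(("relay",pid=701,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=930,fd=13))
"""

PROC_RE = re.compile(r'\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # last colon: copes with IPv6
        if not port.isdigit():
            continue
        match = PROC_RE.search(line)
        yield addr.strip("[]"), int(port), match.group(1) if match else "?"

def audit(ss_output, allowed=ALLOWED):
    """Return a finding for every listener the policy does not explicitly allow."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if (addr, port) in allowed:
            continue
        wildcard = addr in ("0.0.0.0", "::", "*")
        reason = "listens on all interfaces" if wildcard else "not in allowlist"
        findings.append((addr, port, proc, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print("%s:%d (%s): %s" % finding)
```

On the constructed sample the two relay listeners pass, while the SSH daemon bound to every interface and the local mail listener are reported as software the stripped-down box should not be running.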

  • Reply 33 of 36
    Quote:

    Originally Posted by foggyhill View Post

     

    If you are truly paranoid, you can inspect your server code yourself (even put more protection for buffers, a big problem ) and compile it.  Then, run it in a sandbox or a user with the most limited access you can give it; some servers restrict access to a very granular level, for example the timed can only set time and do nothing else on a system. Remove every bit of software from the DMZ box that's not needed (including all but the most basic shell), make it lean and mean.


    Is this commonly done? Custom server code?

  • Reply 34 of 36
    foggyhill Posts: 4,767 member
    Quote:

    Originally Posted by formosa View Post

     

    Is this commonly done? Custom server code?


     

    Hardening servers IS commonly done. Though, there are server distributions that are mostly there so you don't have to spend time culling your stuff. Reviewing the code of the only services (inbound/outbound) that go on board and compiling it yourself would be a good practice (I do it, when I need mega security). But, you do need the in-house expertise to do so or it will be useless.

     

    I started security work at a time when there was no Linux or BSD distributions really and commercial Unix' were a bit bloated.

  • Reply 35 of 36
    Quote:

    Originally Posted by foggyhill View Post

     

     

    Hardening servers IS commonly done. Though, there are server distributions that are mostly there so you don't have to spend time culling your stuff. Reviewing the code of the only services (inbound/outbound) that go on board and compiling it yourself would be a good practice (I do it, when I need mega security). But, you do need the in-house expertise to do so or it will be useless.

     

    I started security work at a time when there was no Linux or BSD distributions really and commercial Unix' were a bit bloated.




    Thanks, I didn't know that.
