On 4/9/2015 10:18 PM, firstname.lastname@example.org wrote:
I've used my U.S. bank issued EMV (so called "pin and chip") credit
cards throughout Europe for more than 2 years. A PIN number was issued
automatically with the cards (to make them compatible with use in ATM
machines) but I've never been asked for my PIN by a restaurant or shop
keeper. I've always been asked for my signature. For smaller
transactions, such as purchasing fares in the London underground, or the
Paris metro, the card was accepted by the vending machine without either
a PIN request or a signature request. In fact, I purchased train
tickets costing more than 100 pounds sterling from vending machines in
the U.K. without needing pin or signature.
The only time I was every asked for my PIN at a restaurant was prior to
having a chip enabled credit card, when after swiping the card, the
waiter wanted me to enter the PIN. I declined because my bank told me
that if I used my PIN with a point of sale transaction, it would be
treated as a loan (as if it were an ATM transaction) and subject to
daily interest charges until the balance was paid.
Most banks will be issuing new EMV cards between now and October regardless of
the current non-EMV card expiration date.
Yes, it is. When Walmart turned on their EMV card readers last year, they
started by honoring the mag stripe flag for those cards that were EMV and
rejected use of the EMV card mag stripe. Because people were not familiar with
how an EMV card worked, they temporarily changed their terminals to allow either
mag strip or EMV. Come October, that dual use will no longer be permitted by
Walmart or any other retailer. If anyone could bypass the EMV protection by
damaging the chip in an attempt to force use of the mag stripe, what would the
point be of switching to EMV?
EMV cards can be programmed for multiple verification types (Online PIN, Offline
PIN, Signature or None - None being used for low value transactions like a fast
food restuarant.) Some card issuers will not issue a PIN right away, but the
card can be reprogrammed remotely at a later date. Other issuers will issue a
PIN, but still leave the card programmed to prefer signature.
Because US card users are so used to thinking PIN = Debit, Signature = Credit,
most US card issuers have decided to initially program EMV cards as Signature.
The only change to the user experience is that the card gets placed in a slot
instead of swiped.
Once people in the US are familiar with how PIN based verification for credit
cards work, the cards will be reprogrammed to prefer PIN.
You are confusing EMV ("Chip") cards with RFID ("Radio") cards. They are not the
same thing. Most RFID cards are also chip cards, but very few chip cards are
The RFID chip in RFID cards can only be ready from a few inches away. It's the
same chip and technology found in millions of employee badges around the world.
If there was a problem with remote survelliance of RFID card holders, you would
have heard about it already.
But as I said - very few EMV cards have the RFID feature.
| The RFID chip in RFID cards can only be ready from a few inches away. It's
| same chip and technology found in millions of employee badges around the
| If there was a problem with remote survelliance of RFID card holders, you
| have heard about it already.
I'm incredulous that you could think that. First, you're
contradicting your own point. Isn't the purpose of
employee ID badges to track movements of employees
and perhaps act as a security device? Having a chip read
in proximity to a reader is exactly what we don't want.
Did you ever see the map of the journalist who discovered
his iPhone was keeping a record of all of his movements?
Did you hear the one about the man who only discovered
his teenage daughter was pregnant because Target
started mailing coupons for baby gear? (Target had
guessed she was pregnant based on her purchases.)
How about the issue of cellphones being used to track
people in malls? Why not EMV chips and RFID chips?
I'm very concerned about privacy issues, yet even for
me it's difficult to imagine what problems there could be.
Increasingly, vast data is being combined with vast
analytical capability. It's not farfetched that you might
one day drive past a CVS and see an ad on your
dashboard for a prescription drug sale, on all the drugs you
and your family take, because CVS has a new, improved
RFID chip reader and they picked up 3 RFID tags in your
car, two of which are from Walgreen's (packaging from
the shaver and clock you bought awhile back), and all of
which identify you via your shopping history.
If you shop at CVS you're already being sold out:
In this theoretical scenario the additional RFID reading
of debris in your car allows all of the dots to be connected,
and your daughter now starts seeing CVS ads for her
birth control pills on her Facebook page. This is not at
all farfetched. (See the links above.) But it is very
difficult to grasp the extensiveness of the growing data
I'm often surprised by the news that comes out. It's
so Orwellian that we just don't expect it. And in general
we *don't* hear about them. That's been a big complaint
with intrusions into commercial databases. The companies
don't want to go public because everyone wants to
pretend that credit cards are secure.
I think it's safe to say that if there are problems then the
odds are I *will not* hear about it.
| But as I said - very few EMV cards have the RFID feature.
But both can be read without direct contact, right? So
what does it matter in prctice?
Actually, my face book page has been showing
me ads for business cards printed online and
shipped. Since I looked online a couple days
ago. Not sure how FB found out.
Christopher A. Young
learn more about Jesus
| Actually, my face book page has been showing
| me ads for business cards printed online and
| shipped. Since I looked online a couple days
| ago. Not sure how FB found out.
If you don't make a specific effort to block them
then Facebook will be setting a "1st party" cookie
on most websites you visit. Their button appears
to be an image, but the image is loaded in an
iframe, which is an HTML method for embedding
one webpage within another. So you actually
visit Facebook with most sites you visit.
Google/Doubleclick and other mega-advertisers do
the same thing.
On any given webpage, if you forced borders and
scrollbars to be visible, you'd probably see about
a dozen mini-browser windows, give or take, with
images or ads in each. Each of those is a webpage
that can set a 1st-party cookie and run script because
you've been tricked into visiting their site.
Due to that design, iframes are also one of the
biggest security risks online, allowing a technique
known as cross-site scripting to enable attacks
from domains you've never heard of but have
The design also directly undermines the original
design and intention of cookies. They were designed
in such a way that any given domain could have
no knowledge or control of cookies in other domains.
The tactics now commonly in use entirely eliminate
those safety/privacy measures, so that a dozen
different entities could be watching you as you move
And of course that's not even counting
the direct cooperation between companies. Google
*is* Doubleclick, which is one of the biggest online
ad companies.... And Google also sells ads directly....
And they also track most webpages via voluntary
addition of google-analytics code to webpages. Then
there's Facebook, Twitter, Instagram, etc. Any or all
of those companies may also be buying and/or selling
data with "uber dataminers" like Axciom.
All of that begins with you 1) using a for-profit
corporate product to mediate your own social life
[Facebook, gmail, etc] and 2) allowing total surveillance
of your online activities.
I really enjoy watching my extended family grow up in various parts of
the country with daily pictures and videos on social media. It
certainly is a great improvement over the past when we mailed black
and white photos in our letters. I'm willing to pay the advertising
price for the privilege. YMMV.
You're just bits in somebody's computer. Do you really think a human
somewhere is following your tracks in Google's hundreds of millions
| >and 2) allowing total surveillance
| >of your online activities.
| You're just bits in somebody's computer. Do you really think a human
| somewhere is following your tracks in Google's hundreds of millions
The point is they're spying on something that's
none of their business. Humans can connect into
that at any point they like. Companies like Google
like to say that the data is "anonymized", and people
like you believe them. In actuality it's an Orwellian
claim. The whole point of their spying and data
analysis is precisely to prevent anyone from being
anonymous. The point is to know who you are,
what you've done and what you're doing at all
I know that many people don't care about this,
but it's not without cost. So I post info for the
sake of those who do care.
Currently the NSA is
pushing for a "front door" into web properties like
Google, Microsoft, Yahoo, etc. They're trying
to make the case that they should have that
access. It's a blatant denial of the 4th amendment
and a threat to free speech. (There's a reason
that librarians traditionally won't disclose what
books someone has taken out.) What the NSA wants
to do is no different from asking for a key to
your house and access at will to your briefcase.
The only difference is that collecting "cloud" data
** The NSA is only able to make their case at
all because so many people like you have accepted
the TOS from companies like Google in exchange
for some little convenience. ** You're helping to set
a legal precedent that you don't have any right
to privacy from total corporate/govt surveillance,
by officially agreeing to give up privacy for a pittance.
AT&T just launched their Gigapower Fiber to the Home in my city. Unless
you pay them an extra $30 per month, they are doing deep packet
inspection of your data in order to be able to serve up advertising that
reflects your web usage. Ad blocing and anti-tracking software won't
help. VPN will stop them but that will slow service.
| AT&T just launched their Gigapower Fiber to the Home in my city. Unless
| you pay them an extra $30 per month, they are doing deep packet
| inspection of your data in order to be able to serve up advertising that
| reflects your web usage. Ad blocing and anti-tracking software won't
| help. VPN will stop them but that will slow service.
Interesting. I hadn't heard of that. I looked it
up just now. It appears to be similar to Google's
cheap plans. But in the first page of links I didn't
see any indication that people are concerned, or
even that they know, about the terms of the deal.
I wonder how that fits with the fledgeling FCC
enforcement of Net Neutrality.
Not the way you apparently think it does. The chip enables access to
chip-secured devices, including door locks. If I want to enter my
office building before or after normal business hours, I have to use
my secure card to unlock the door. If I want to enter
routinely-secured areas that I'm authorized to access, I have to use
my card to unlock the doors. If I'm not authorized, the door won't
unlock. If I want to use certain devices in the workplace that are
restricted to authorized users, I have to use my card, and if I'm not
authorized, again - the device will not work.
It's about controlling access, not about monitoring people's
movements. If they want to do that, there are better tools available
and in use right now. For instance:
Security cameras - Just about every major employer (and a good many
small businesses) have security cameras in place. If they want to
watch you, they've got cameras.
Computer network monitoring software - Every company that uses a
computer network has software installed to track each employee's use
of the network. They know what you're doing online and how much time
you're spending on it.
It's what the card issuer wants. If you don't like carrying a chipped
card, don't carry one. It will result in fewer options for you, but
that's the price you'll pay for living on your terms. Just understand
you don't get to dictate your terms to the card issuer.
Which is a different issue, and an optional service. The location
service is necessary to provide you with information connected to your
area. If you're looking for place to park or eat, it needs to know
where you are in order to provide suggestions. If you're using a
traffic app, same thing. If you don't want to make use of those
conveniences, you simply disable location services.
Which again had nothing to do with chips. It is about data collection,
which is what you should be primarily concerned with. Any time you pay
for something by any means other than cash, your purchase is noted,
and this data is collected and sold to companies that create user
profiles and sell it to anyone willing to pay for it. Guess what -
odds are your employer is providing your employment data to them, too
- including how much sick leave and vacation you take, your pay, your
job title, how long you've worked there. If they provide it for free,
they get free access to the databases in exchange.
Which happens online now with cookies. Your point?
If you don't want your purchasing habits to be tracked, pay cash.
That's your simple solution.
Certain high-tech companies use all three of those examples to track
your whereabouts in their buildings. Your picture is stored on the
DVR's with a timestamp when you present your card to the reader. Going
to my old lab, I had to use the card 3 times (the last one got me into
the lab). Once in the lab, they know when you sign off & on and group
policies make the screensaver come on in 10 minutes with no activity. So
if you don't log back on, they know your in the "area" where individual
labs are, since you need to tag-out to leave. Even the parking garages
have a gate, so if you don't come or leave within a certain time, you
have to tag-in or out. Cameras at every door, every corridor, elevator,
and public area.
| Certain high-tech companies use all three of those examples to track
| your whereabouts in their buildings.
His arguments are not about information or logic.
It's the classic ostrich argument: "I don't want to
have to worry about this, so it's not true! If you
claim it is then I'll shout you down."
Herbert Marcuse had a fun term he called the
"toilet assumption", which underlies the feasibility
of most all corporate and government surveillance
today, online and off:
If you can't see it, it's not there. :)
I have no idea who this person is you're referring to. It certainly
isn't me. I'm simply noting that your concerns are somewhat misplaced
and based in part on erroneous assumptions. Pardon me for being
pedantic. I'm going to point out when your assumptions about how
certain form of data collection work are incorrect, because I'm picky
that way. One of the reasons I am is because it drives me fricken'
batty how many people get up in arms over perceived (and usually not
quite correct) privacy issues with one or two things in their lives,
while airily dismissing the rest. They'd rather focus on a couple of
details instead of the big picture, which is data collection and
dissemination. People have to understand how it is being collected and
what risks it entails before they can make any decisions as to what
they're willing to share, and how, in exchange for what benefit.
I've been educating people on security and privacy issues since the
mid-1990s. It is a labor of perpetual frustration, since from the
individual to the organizational level, the majority of persons either
cannot or will not take even rudimentary steps to protect their own or
others' private information unless/until they are forced to do so.
It's "too hard".
| > His arguments are not about information or logic.
| > It's the classic ostrich argument: "I don't want to
| > have to worry about this, so it's not true! If you
| > claim it is then I'll shout you down."
| I have no idea who this person is you're referring to. It certainly
| isn't me. I'm simply noting that your concerns are somewhat misplaced
| and based in part on erroneous assumptions.
You said RFID chips are only used for access to
restricted areas. They're used for all sorts of things.
The same chip that identifies stolen items at a
store entrance can also be used to track shoppers
around the mall. The same chip that allows payment
of tolls via EasyPass can be used to track personal
whereabouts in general. And as G. Morgan pointed
out, they can be and are used for inhouse tracking.
Why wouldn't they be?
You said iPhone location tracking is necessary for
GPS services. Only a single GPS reading is necessary
for that. It doesn't need to be stored. Here's just
one example -- there should be plenty, easy to find,
online -- of *involuntary* privacy intrusions in
Here's one example of the iPhone location tracking
story. Apple provided no credible explanation for
carefully tracking and storing data they have no
possible use for.
You conflated proximity-read chips with EMV chips.
I don't mind a better card chip to replace the strip.
I'm only concerned about reading the card at a distance,
which is unnecessary risk.
You ventured that my employer probably sells my
personal info. I'm self-employed.
You explained that being tracked by cookies online
is the same as being tracked and ID'd in public by RFID
scanners. It isn't at all comparable. And I don't enable
cookies. It's not inevitable that one has to be watched
online by multiple entities, but it is what's happening
to people like yourself who don't bother to adjust settings
like those for cookies, and who think it's all not worth
In other words, you've used a series of glib, spurious
arguments to tell me I'm overreacting and that I don't
have any privacy, anyway, so why worry? That's the
argument used by Google in court cases. That's the
argument used by the NSA in requesting "front door"
access to online services. That's the classic ostrich logic
used by anyone who doesn't want to deal with something.
("I've been eating snack foods for years anyway, so
there's no sense worrying about my weight now.")
I make all local purchases in cash and use a credit card only for
online purchases which are not very frequent. Probably the next card
they send me will have a chip and I'll definitely be looking to
Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)
HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.