4:50 am
March 30, 2017
Lodown said
Your connection to your bank is end-to-end encrypted at McD, Starbucks or from the comfort of your home. The risk is a man in the middle attack which allows your login credentials to be stolen. Sorry to say, this type of attack can happen at your home as well by your hacker neighbors, someone outside close to your home sitting in a car. That is why 2FA is a second level of defence... never give it out if someone calls you! Oh, and to avoid most man in the middle attacks, hard wire your computer to your router... no wifi.
While end-to-end is true, it’s far more likely for crooks sitting at a Starbucks phishing for wifi data than outside my house. Just don’t want to give the bank the excuse when shit happens and point out that I was using a public IP and deny any claims.
Yeah, my router is set up in the same room as my desktop, and I always hardwire, since it’s fastest anyway. No reason not to do that.
6:36 am
November 8, 2018
RetirEd said
I prevent use of contactless payment with my card (if stolen) by disabling the contactless on cards whose issuers permit that.
If they won't disable it or reduce its contactless limit to or $1, one can easily find and cut the antenna wire on the card. The chip contacts will still work.
Which means, for every transaction large and small, you have to enter your card PIN number.
Now, how would that work if the card is stolen after they noted the PIN you entered? Here is an explanation:
Visa, MasterCard and American Express have zero-liability policies, so that if your credit card is lost or stolen, or if someone uses your credit card number to make transactions you didn’t authorize, you can usually be reimbursed.
The zero-liability policy applies to transactions made on the Internet, by phone or at retailers. However, it may exclude transactions made using a PIN (personal identification number) – for example, a cash advance made with your [stolen] card at an automated banking machine.
7:23 am
April 27, 2017
RetirEd said
Norman1: If they won't disable it or reduce its contactless limit to or $1, one can easily find and cut the antenna wire on the card. The chip contacts will still work. Either a very bright backlight or careful location of the wire at the card's right edge will allow you to use either a hole punch, razor blade or drill to sever it. Been doing this since the first contactless cards; never a problem. Private Message me if you need more info on how to do this.
Impressed.
Not sure it would work for my Apple Wallet though. Phones and watches don’t take kindly to hole punches.
Supposedly, cell phone “wallets” are safer than physical cards. Provides another layer of protection.
8:37 am
April 6, 2013
savemoresaveoften said
If one signs up for a dedicated IP address, that may be doable? The technology is already there for FIs to record your IP and use that for ‘trust your computer’ feature when logging in and bypass 2FA.
That is done by a cookie in the browser, not by IP address.
A static IP address is usually only available to those paying for business internet and not home internet. Even then, it is not guaranteed to never change. The ISP may need to reorganize their network or one may change ISPs.
8:42 am
April 6, 2013
RetirEd said
Norman1: Most cable home internet uses a dedicated IP address, as many users want to run a local web server, especially small businesses. …
Running a web server is actually prohibited on home internet plans.
The IP address assigned by cable internet is dynamically assigned with a certain lease period. It doesn't change often because when the lease is renewed and the address is still available, then another lease is issued for the same IP address.
8:54 am
March 30, 2017
Norman1 said
savemoresaveoften said
If one signs up for a dedicated IP address, that may be doable? The technology is already there for FIs to record your IP and use that for ‘trust your computer’ feature when logging in and bypass 2FA.
That is done by a cookie in the browser, not by IP address.
A static IP address is usually only available to those paying for business internet and not home internet. Even then, it is not guaranteed to never change. The ISP may need to reorganize their network or one may change ISPs.
ic. But don't they send a cookie anyway even if I don't select 'trust the device'?
I read some cookies do also store IP address as well, and all websites track IP address for visitors anyway.
8:55 am
April 6, 2013
savemoresaveoften said
Are you sure BMO does not have MFA for bank accounts that can be either email or text msg? I find that quite impossible to believe. But I never bank with them so don’t know.
BMO does. The article says someone logged in with her credentials. The bank sent a confirmation code to the e-mail address on her account to confirm. Correct confirmation code was supplied.
Victim may claim fraud. But, the bank or a judge will be quite suspicious.
9:00 am
April 6, 2013
savemoresaveoften said
ic. But don't they send a cookie anyway even if I don't select 'trust the device'?
I read some cookies do also store IP address as well, and all websites track IP address for visitors anyway.
The 'trust the device' cookie is a specific cookie. A site is allowed multiple cookies.
No need to keep an IP address in a cookie if the cookie has a unique ID for the visitor.
10:06 am
April 14, 2021
RetirEd said
I prevent use of contactless payment with my card (if stolen) by disabling the contactless on cards whose issuers permit that.
If they won't disable it or reduce its contactless limit to or $1, one can easily find and cut the antenna wire on the card. The chip contacts will still work.
I also thought that chip/PIN was superior to the contactless function. However, I was watching a news episode regarding skimmers and they presented an opposite viewpoint. They mentioned that the skimming technology is now so good that it is difficult to notice whether or not a machine has been tampered with. In the early days of skimmer fraud, it was not difficult to know that a machine was altered. Usually, a good shake of the terminal was sufficient. One scheme even had a pinhole drilled into the pad so that a camera could steal the PIN code. Their claim was that contactless was superior to chip/PIN, since there would be no way to compromise the signal between the reader and the card. It sounded logical and made me reconsider my previous opinion.
11:06 am
April 6, 2013
HermanH said
I also thought that chip/PIN was superior to the contactless function. However, I was watching a news episode regarding skimmers and they presented an opposite viewpoint. They mentioned that the skimming technology is now so good that it is difficult to notice whether or not a machine has been tampered with. …
The skimming presented only skims enough info to produce a magnetic stripe card. Same with the so-called EMV bypass cloning.
There has been no cloning of the full chip card. One does not end up with a card that does chip-and-PIN or contactless payment.
8:15 am
November 18, 2017
Alexandre: Exactly. Having to enter the PIN is safer than not having to enter it! And of course I hope all of us here are by now savvy enough to hide our numbers when typing them in. If you're REALLY paranoid you can make several backspaces and re-keys while entering it, which would be VERY hard for a shoulder surfer to track. I also use more than one finger when typing a PIN so it can be hard to tell which button I've pressed.
The credit issuer's policies may try to force us to contactless payments, but the chip-and-PIN is a superior system. Merchants should mark their mini-terminals and safely store them when not open for business.
In the case of doctored terminals, there will rarely be just one fraudulent transaction.
In many parts of the world, chip-and-pin cards are not used; they go with chip-and-signature. (I think the UK and much of the EU.)
Norman1: does the prohibition on running a server apply to home users letting friends and family fetch things from their computers, or only to commercial users? I know many clubs that run a server for members, and I haven't heard of any troubles. When the first home internet plans from Rogers and Shaw were marketed, the ability to run a home server was used as a major selling point.
RetirEd
9:15 am
April 6, 2013
For home cable internet, the prohibition on servers applied to everything including "mail, news, file, gopher, telnet, chat, web, or host configuration servers, multimedia streamers, or multi-user interactive forums."
I remember some of the home cable internet plans came with some hosted web space that one could upload content to for sharing, without having to run a server at home.
9:54 am
October 27, 2013
Americans need to get with the times. No more cards with magnetic stripes and no more POS acceptance of cards with magnetic stripes. That said, there are still a few Canadian locations that I notice use the magnetic stripe only (a local car wash).
Contactless RFID technology is safest and I use that methodology where possible. All 5 (4 raised + 1 flat) of my cards fit in a Secrid RFID wallet. https://unluggage.com/collections/secrid/products/secrid-card-protector They can often be found on sale for under $30. I have been using this for several years.
Chip + PIN is the next best alternative.
All said though, this thread has gotten derailed from the original subject. I cannot imagine that Ottawa woman has any ground to stand on as Norman1 has already pointed out in post #47.
1:36 pm
November 8, 2018
RetirEd said
Alexandre: Exactly. Having to enter the PIN is safer than not having to enter it!
It is the other way around.
"Tap to pay" transactions are covered by zero liability policy. Fraudulent transactions will be refunded.
"Chip and PIN" transactions are excluded from zero liability policy. Fraudulent transactions involving PIN may or may not be refunded.
With current generous limits, I almost never have to enter a PIN. You do enter a PIN for every transaction you make.
3:46 pm
October 27, 2013
RetirEd said
In many parts of the world, chip-and-pin cards are not used; they go with chip-and-signature. (I think the UK and much of the EU.)
That is pretty useless since anyone can forge a signature. The USA is worse. Purposely when in the USA, when I sign a charge slip (where they do not use chip and PIN), I have scrawled a useless scrawl that bears no resemblance to my signature. Not once has it been questioned or have I been asked to show them the signature on the back of the card. It leaves me speechless!
9:19 pm
April 6, 2013
That does not appear to be factually accurate.
Europe is mostly chip-and-PIN. Articles like The Guardian (January 20, 2019): How shops sign away the self-worth of disabled people describe discrimination in Europe against those who can’t memorise or can’t key in a PIN by merchants who refuse to accept the domestic chip-and-sig cards issued to such people.
Chip-and-sig cards seem to be a US phenomenon. Travel articles like Do I Need a Chip-and-PIN Credit Card in Europe? suggest it is a good idea for people to have a chip-and-PIN card when travelling to Europe.
Most merchants in Europe are set up to accept chip-and-PIN cards, which means they aren’t always used to dealing with chip-and-signature cards.
In fact, on a recent trip I took to England, I only had a chip-and-signature card and it created a lot of hassle. A lot of the stores that I went to didn't even have pens at the register for me to sign receipt slips with, so there was a scramble to find a pen until I began carrying one with me everywhere.
And, in some cases, not having a chip-and-PIN card can make it impossible to enter into a transaction at all. The self-checkouts in the supermarkets in England, for example, were not equipped to accept chip-and-signature cards -- a fact I learned when the machine started blaring after I inserted my card and a store manager had to come over to resolve the problem.
…