This attack (and some variants of it, e.g. fooling the proximity detection or man in the middle) works because the acknowledgement action that the user does is simply having the device nearby. This seems like a poor choice of acknowledgement action for something that transfers money. Payment devices should probably have a physical or soft button that you have to press to acknowledge payment.
Strong disagree. The usability hit is not worth the added security. Having a cutoff for PIN entry requirement and the card issuer taking responsibility for fraud means customers are quite safe (as long as they look at their charges).
Work could be done to make it more usable. With a phone, it could be a button you could press just by holding it. With a smart watch, it could be hooked into any kind of Bluetooth sensor. The point is that in normal society, you don't have that much control over who and what gets into proximity with you, and having a system where anything that does get into proximity can take money from you without you even acknowledging that in any way is just a bad way of doing things.
You could do something like "you need to be physically holding the card with your hand", which would complete some circuit. I can't think of many cases where that wouldn't work, except perhaps people who don't take their cards out of their wallets(?).
Getting a payments terminal is not easy; this would require ID verification and a working business bank account (acquirer), and these terminals are highly regulated. Someone doing this can get caught easily by just a couple of customers reporting the fraudulent transactions. This is a very small risk and is rarely seen.
It's fine to present a PDF, as long as it's legible and the code can be scanned.
> The E-ticket that is loaded onto a mobile phone, tablet or laptop is only valid as a ticket if it can be displayed in a clearly legible way on the mobile phone, tablet or laptop.
Literally on the PDF ticket it says it is only valid when printed out in full or when loaded in the app that can only be gotten legally through Google or Apple.
Can’t you mix Apple account with phone numbers if everyone is using iMessage? And if everyone isn’t on iMessage it would defeat the purpose and might as well use an Android, no?
It depends. I understand that ad networks for example take identifying data (such as IP addresses) without consent. But if I sign up to Facebook and I put there my name and my face, it's because I want to. No one has put a gun to my head. And I don't see that it matters whether that data is in a hard disk in the US or the EU. These regulations seem a power move more than anything else.
The proof of a problem isn't "someone put a gun to my head" - it's a meaningful part of our society put behind a rich man's walled garden because only he had enough money to bribe every telecom and buy every competing platform.
Every competing platform? I can think of a few alternatives, starting with this one we are on right now. But some people are still choosing Facebook, and they are choosing it willingly, happy they do not have to pay for it with anything more than some targeted ads...
> But if I sign up to Facebook and I put there my name and my face, it's because I want to
Facebook wouldn't have all its negativity around privacy if they only captured & used data that the user explicitly entered. The problem is that Facebook collects much more data than what you knowingly & willingly give it.
You might have uploaded your name and face willingly to Facebook in order to set up your profile, but without proper safeguards and legislation, the data might be used to train an AI model to use your face to identify your relations with other users using photos, which they also willingly upload, to power features such as people you might know and of course, advertising. The data might also be sold or transferred to third parties like Cambridge Analytica for political advertising or government agencies for "national security" -- all without your explicit consent.
It is true that it does not matter if a piece of data is stored in either side of the Atlantic, but this is not an engineering problem about data locality and latency. As someone who spent months working on a global distributed GDPR-compliance identity store, my life will be much easier if the problem can simply be solved by paying a slightly higher inter-region data transfer fee.
Unfortunately, US and EU here are not referring to cloud regions, but to jurisdictions, because different laws on data protection apply. None of us likes this kind of complexity, but "power move" would be an overly-simplified abstraction of this problem.
https://support.apple.com/en-us/HT210060