Posts by sugerbear 103 publicly visible posts • joined 5 Jan 2010
Blockchain is a solution looking for a problem.
A currency needs someone to back it, trust it and it needs to have real value. The current solutions (cash, cards etc) are already so embedded that blockchain will be just another passing fad that we will look back and laugh at in 5 or 10 years.
"4) Provision of own equipment - does Uber provide the equipment?
=> NO, the driver provides his car (though Uber provides the app, the car is the key here). [Para 44.]"
You could argue that Uber provide the equipment in the form of software to be able to perform the job.
"2) Mutuality of obligation - Is the driver obliged to turn up for work, and is Uber obliged to find work for them?"
They are not obliged to but not turning up for work means they are penalized and other more regular drivers are favoured for fares.
A am pretty sure they are a cab firm as they set the terms and conditions and prices and have direct contact with the customer up front, they aren't providing a service to the cab driver that enables the cab driver to set fares.
@Dabooka.
You dont understand because you dont understand how EMV works maybe?
Anyway, short answer
The terminal generates a random number that is sent to the card along with a bunch of transaction info. The card then uses a secret key to generate an ARQC. The terminal then sends the random number + transaction information to the issuer who also hold a copy of the secret key. The issuer then uses the information supplied to the chip to recreate the ARQC and compare it to the one the chip generated. You can check the EMV CO manuals if you want to investigate further.
If you understand how it works you will understand why cloning a contactless transaction so you can use it later in a contactless terminal wont work because you can't predict the random number that the terminal will send to the card when you attempt to replay it.
@ theOtherJT
You would have to steal my card first. But fair enough, you take my card and use it buy everyone a round in the pub. I report it to my bank and the money is refunded, I have lost nothing in that scenario because i have not been negligent. You may or may not be filmed on CCTV buying those beers and if you are the type of person that does that kind of thing you are at some stage going to get caught.
"If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy" how have you cloned the secure element of the chip and extracted the keys? Do you have access to a lab of some sort?
[comment]Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?[/comment]
Sigh... your comments are typical of the ill informed "security researchers" that pop up every now and again to tell the world (and sell a story to a newspaper) about some hole in EMV or contactless.
Your idea of living off someones card are unworkable. It is sad because a little lie goes a long way on the internet. The terminal generates a random number which then forms the ARQC that the issuer validates. So unless you can pre-predict the random number that the terminal will generate your idea is.a crock shite (excuse my french).
I think your quote about transactions under £20 is wrong, I still had to authenticate a £9.50 transaction in Costa using my fingerprint so it isn't the same as a card (I actually like having to authenticate all transactions using a biometric). I have two cards registered so not sure if that makes a difference.
I didn't downvote you BTW :)
[quote]That's nothing - a good hacker can do it from several meters away without you needing to pull your wallet out...[/quote]
I think i might notice if this "good hacker" pulled my iphone out then managed to get my thumb on the button for a good 10 seconds all without me notice, I dont think "good hacker" even comes it, maybe this hacker is actually a stealth ninja hypnotist in which case why wouldn't they just hypnotise me then get me a bank and withdrawing all my money.
On the other hand, if you don't wear a tinfoil hat, don't live in a iPhone mugging hotspot (like London) and have an iPhone 6 then it's really easy to add your credit card and use it to pay for stuff.
That is what you are doing at the end of the day and my iPhone is a damn sight slimmer than my NFC Card/Cash stuffed wallet, plus so far I have to use my thumb to authorise every transaction, no big deal and easier than having to shiel my PIN at the POS terminal. Now (hopefully) the merchants will start to roll out more contactless terminals and make my life even easier.
I didn't buy my phone to use it to pay for stuff, but it's a very nice feature to have.
On your second point apple had to build a secure element into the iphone to hold the payment app (along with the secure keys), plus they also have to build some of the infrastructure to support setting up the payment app.
The payment itself is between the phone and the merchant which then gets authorised through the scheme by the issuer of the card (or token in the case of the bonking applet).
It's apple at the end of the day and they will charge what the issuers are prepared to pay. The issuers dont have to play with Apple, they can build their own secure application/infrastrure (like the telco's tried to do).
Chip and PIN allows for the PIN to be held at the issuer and not on the card, it can be one of the options in the CVM list. Not all terminals support offline PIN validation so in those cases the PIN would be sent online to the acquirer (encrypted).
UK EMV cards support validation of the card between the terminal.
i noticed that my POS payment on monday at ASDA appears on my Natwest statement with absolutely no detail whatsoever (unless you call the last 4 digits of the card number..detail).
Every other payment from this retailer is clearly definied and includes who the retailer was and the type. But not this one.
Let the speculation begin !!
[quote]RBS faces a Herculean job in bringing online a new mainframe operating in a core part of its day-to-day business. It must plan and execute the job without interrupting the existing service by taking the old mainframe offline during the transition.
RBS did not say when it plans to bring the new mainframe online.
But hardware is only one thing: RBS must also determine what do with the existing apps running on the system. Either it must port existing apps to the new system - which is likely - or write or buy new apps. If the former, RBS must design, write, test and then shift. If the latter, RBS must make sure the new apps work on the new mainframe and interoperate with other RBS’s other, connected systems.[/quote]
Spoken by someone that knows nothing about mainframes. Are you a consultant by any chance ?
RBS are just buying a bigger mainframe and then plugging it into their existing parallel sysplex system. Whoop de doo. All that will get them is the chance to use the newest version of the bits of mainframe software and things will run a bit faster.
No porting of apps, no downtime required. That is what makes the mainframe such a great environement to develop and run. Something that lesser mortals dont get.
[quote]The first question a PwC (or any other 'management') consultant asked to carry out such a review will ask is: "What would you like the answer to be?" [/quote]
Hello Mr Fox, can you investigate why all my hens have disappeared.
Also telling that the senior (mis)management cant work out the causes of the problem themselves without squandering more cash on the problem. Do they actually have any IT experience or are they just managers who manage so far removed from the actual workplace that this kind of thing happens (and rinse and repeat).
More organised scam. The parking operators used to employ people to collect money when people left the car park. In the name of decreasing costs they went over to automated systems and then the racket of towing and clamping anyone unlucky enough to be in one of their car parks without a ticket.
They could always go back to the man in a shed approach but I guess the revenue from charging people who dont pay or overstay, however % small that is, is worth more to them.
The "tickets" they send are just an offer to pay. So I choose not to.
Moving from IMS to CICS was more open heart surgery with a brain transplant thrown in. CICS is the devils work.
Anyway, I know plenty of people that are mainframers in the age group of 35 - 50 but unfortunately their jobs can be done offshore much cheaper so no one is going to be hiring them anytime soon unless the whole offshoring industry collapses in a heap.
I would love a job back in a COBOL/DB2/IMS or CICS support role but i think the time I have spent away 4 years ish and my age of 40+ will mean that there really is no way back into IT unless there is another round of year 2000 type work.
I can write all sorts of complex SQL but I cant find a role that needs it solely. I must be looking in the wrong place.
Just a thought, wouldn;t be the first time that a company has brought in someone before taking over. They have a lot of cash swirling around in their bank account. Adobe have lots of "creative" software. Plus Apple could effectively kill flash once and for all withouth any chance of it re-surfacing.
You use the tool that is best suited for the job.
The arguments set forth here are like a bunch of carpenters trying to argue the merits of a drill over a router.
If you cant get your head round cobol then maybe you just aren't cut out for a career in IT (I have written in Pascal, C, c++, java, cobol, zos assember).
ok. The worst that could happen is that the trader will know your PIN number. He may also know your card pan number and its expiry date. But the reader wont know what is on the magstripe (which is good, cant be cloned and used in the US).
Without the physcial card the info the trader has is useless. The generated cryptograms rely on (amongst other things) the application transaction counter (which is held on the chip) which is unique to every transasction.
So I understand peoples reluctance to use something that looks odd, but because it's chip it is much more secure.
Unfortunatly you are being very selective by choosing a card (not Visa/MasterCard/JCB/Discovery/Amex) with a well known defect.
So please please please, take a bank card from the UK and clone ALL of the chip data (software, keys etc).
When you have done you can then post about it.
He is spot on.
Apple are under the impression that they can utilise the 100+ billion they have in reserve better than the investor (who own the company) can. The board of the company work for the investors.
if Apple need cash to purchase something in the future they can quite easily borrow from either their investors or a bank.
Mr Einhorn is saying is that he and other investors can better utilise the captial that Apple have sitting in their bank account. They want Apple to return that captial to the shareholders in the form of new shares of dividends.
He is spot on. Any company that has captial that is just sitting there doing nothing year after year is doing a diservice to their investors.
[quote]What about the man-in-middle attack reported last year (arbitrary pin can be used for purchases at an EMV terminal with a stolen card) rendering security put in place by such a system rather moot? OK granted it does require physical access to the card.
[/quote]
That attack doesn't work on all card, only where issuers dont have the correct rules in place on their auth platform. It certainly doesn't work on ATM's (where the PIN is sent online) nor does it work in countries that only support online PIN. And if the issuer issuer checks the CVR correctly (Which is signed by the chip and verfified by the issuer) then you certainly cannot bypass the PIN.
Ok I will bit and call B@llsh!t. Every single one of the IT contractors I know set up as a contractor for the sole reason that they receive more income and pay less tax. Deducting travelling/accomodation costs associated with working somewhere and being able to employ your non-working wife was also a great wheeze unavailable to PAYE employees.
All well and good until the IR realised that more and more people were avoiding income tax by playing "pretend" contractor and were no different to a normal employee that changed jobs every 6/12/24 months.
90% of IT contractors are not really contractors. They are just PAYE employees that change jobs more frequently. Businesses like them because they pay less tax and are easier to hire/fire.
I think it would end badly for you. It's the balance of probabilities and how beleivable you are in court. Trying to be a smart arse in court will alienate you from the jury and a lair normally gets found out. "it must be corrupted officer" excuses if found to be untrue will be reflected in your sentence.
To think a highly skilled hacker/cracker whatever manages to infiltrate networks and launch DDOS attacks but then the file the police are trying to unlock is corrupted ! Any decent barrister will be able to show either malicous damage or wilful obstruction.
Anyway, I have several dead bodies locked in a safe in my home and there is absolutely NO WAY that I am going to incriminate myself by giving the police the combination. I have NOTHING to hide ;-)
This is what I would worry about, the chances of guessing are 999,999 to 1 but if enough people use it then there is a fair chance that at some stage someone will guess one correctly.
Why not enter you account number or some other reference no instead (maybe your DOB even).
Hello America and your backward magstripe technology :o)
You are wrong though. EMV is used in ATM transactions, the difference is the PIN is authenticated at the issuer/processor. The US uses magstripe but only becuase they have such a fragmented market and no one to drive the changes other than the schemes (which will eventually happen between 2013-2015).
If I had the option I would do away with the magstripe on my EMV card but there are still some terminals that use it (before reverting to the chip).
I look at the article and I beleive the attack is only possible with older static data (SDA) type cards.
The problem with Cambridge is that some of their research is based on old tech standards, but there are are still some SDA cards in circulation (because they are cheap). I have not had a chance to check yet but to correctly guess the cryptogram on a DDA (dynamic data authentication) card is impossible as the chip generates its own random number so seeing two transasctions with the same ICC random number would highlight a cloned card.
There are also other technologies such as the ATC count so again cloning is made difficult if the card hasn't been stolen.
As with all tech, someone will eventually break it but as long as it isn't cheap/quick then its still worth employing.
Paywave and Passpass incorporate even more complex cryptogram generation CDA which makes the duplication even more very difficult.
But dont let the above get in the way of a good story and worry mongering :o)
[quote]Conservatives traditionally only support state intervention in cases of market failure[/quote]
I nearly fell off my seat laughing at that statement. They are quite happy to support their friends/relatives/business associates and their associated businesses. Especially if the relationship involves sponsorship of the party !
Next week I am also releasing a 60 page document. It will explain that banks have failed to invest in the one key asset that will in future prevent the global banking system from collapsing.
They are called employees, but most senior managers probably refer to them as excessive operational expenses.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
