
2011-12-30

Visa payment processing case study: network flaws

On July 20, 2011, I went to purchase the new MacBook Air in Delaware -- the home of tax-free shopping. My Visa card was declined and I called to confirm the purchase. After returning home, I investigated the matter and found that my account had been put on hold due to suspicious activity. (They could have called me first, but calling credit card customers to confirm purchases is already a documented problem.)

Someone used my card for a purchase at McDonald's for $1 (probably small fries), then a $400 purchase at Target and then another $400 purchase at a different Target -- all in Virginia. I was also buying lunch at Chick-fil-A and buying a MacBook in Delaware at the same time. Naturally this triggered an alert, because why would anyone who has access to a Chick-fil-A also eat at a McDonald's during the same meal period?

I called Target security at the store and asked them to find a purchase under my name that day... none found. Then I asked them to look up any purchase for $417.36 on that day. Within seconds they had two camera angles of the purchase, on register #27 at 1:17:10pm. (They start counting registers at #20; they don't actually have 27 registers.) The security person would not send me the video, due to problems in the past with videos being uploaded to YouTube, but she would let me see them if I filed a police report.

The security person confirmed that this was a swipe purchase, so obviously someone has copied my Visa card. But then the next obvious question: if there were no search results for my name, what name WAS on the card that made this purchase? The answer: there was no name; this transaction was posted as a gift card with no name. Visa later confirmed this. So the security flaw is this:
In processing payments on the Visa network, information on the card regarding the authorized signer and card type can be recorded and trusted by the merchant, but this information is never sent to or verified with Visa.
In other words, the design of Visa's network allows the following types of exploits, assuming the attacker has access to print credit cards:
  • Copy a real credit card as a gift card and make purchases without needing ID
  • Copy a real credit card and change the authorized signer to make purchases using a different ID
Naturally, this could be fixed easily by verifying ALL credit card details against a central database at the time of purchase.
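
A sketch of the fix proposed above, as an added example that is not from the original post or from Visa: the authorization check compares the name, expiry and card type seen at the register with the issuer's record. The Track 1 layout is ISO/IEC 7813 format B; the `pos_card_type` field, the `ISSUER_DB` records and all swipe strings are constructed assumptions.

```python
import re

# ISO/IEC 7813 Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{0,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)

# Constructed issuer-side records keyed by PAN (4111... is a well-known test number).
ISSUER_DB = {
    "4111111111111111": {"name": "DOE/JANE", "exp": "1312", "card_type": "credit"},
}

def normalize(name):
    """Upper-case and collapse padding so 'DOE/JANE  ' equals 'doe/jane'."""
    return " ".join(name.upper().split())

def verify_swipe(track1, pos_card_type, issuer_db=ISSUER_DB):
    """Return the mismatches between a swipe and the issuer record.

    pos_card_type is a hypothetical field: how the register classified the card.
    An empty list means every detail matched; any entry is a reason to decline.
    """
    m = TRACK1.match(track1)
    if m is None:
        return ["unparseable track 1"]
    record = issuer_db.get(m["pan"])
    if record is None:
        return ["unknown account"]
    problems = []
    if normalize(m["name"]) != normalize(record["name"]):
        problems.append("cardholder name differs from issuer record")
    if m["exp"] != record["exp"]:
        problems.append("expiry differs from issuer record")
    if pos_card_type != record["card_type"]:
        problems.append("card type differs from issuer record")
    return problems

# Constructed swipes: the genuine card, then the two cases listed above.
GENUINE = "%B4111111111111111^DOE/JANE^1312101000000000?"
AS_GIFT = "%B4111111111111111^^1312101000000000?"
NEW_NAME = "%B4111111111111111^ROE/RICHARD^1312101000000000?"

if __name__ == "__main__":
    for label, track, ctype in [("genuine", GENUINE, "credit"),
                                ("gift card, no name", AS_GIFT, "gift"),
                                ("changed signer", NEW_NAME, "credit")]:
        print(label, "->", verify_swipe(track, ctype) or "OK")
```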

2011-12-01

iCloud interface case study: How to only show reminders

Stop using Google Tasks, switch to Apple Reminders

The result is clear: Apple releases a new product with one sexy new feature and a better interface, but it's not compatible with any Google products; Google is left in the dust. Next year Google will copy all the innovation and Apple won't improve anything.

| Google Tasks | Apple Reminders |
| --- | --- |
| Can input tasks, due dates, reminders | Can input tasks, due dates, reminders, and location based reminders |
| Switching task lists requires two clicks (Google Calendar & iPhone web page) | Can view all task lists at once (iCal) or swipe to switch lists (iPhone) |
| Can view tasks online at https://mail.google.com/tasks/canvas (looks better than Apple) | Can view tasks online at https://www.icloud.com/#calendar (interface sucks) |
| Viewable on iPhone through slow website | Viewable on iPhone with fast app |
| Integrates with Gmail and Google Calendar | Integrates with iCal |
| Printing looks retarded, one page per list (can print from link above) | Printing looks semi-retarded, but you can print all lists at once using iCal |
| Will copy all Apple's features and improve, someday | Won't ever improve their product and will never sync with Google |

===========================

You can view the reminders online at iCloud.com, but it bothers you with a full size calendar in the middle of the screen. To fix that, use this bookmarklet:


Basically, save that as a bookmark, open iCloud to your calendar, and then run that bookmark.