Hacker News | 1ncorrect's comments

It’s randomised in a similar way to how iOS creates privacy MAC addresses for each WiFi SSID.

The merchant receives the same ‘random’ card number for transactions from the same device.


The device card number (DPAN) is static after adding a card to a given device. It doesn’t change between transactions or merchants.


Honestly, Apple's approach is pure security theater, as they're not an acquirer that processes the transaction at the end.

Instead, the real acquirer now reverses Apple's masking.

The merchants themselves aren't allowed to store the credit card information anyway, otherwise they'd lose their PCI certificate, losing the ability to process credit cards. And if they use a payment processor, then they didn't ever get in contact with the credit card information either.

No clue how/if Google does anything. I was just involved in implementing Apple Pay at a payment processor that was also an acquirer a few years ago. Ultimately, we had the same information on the consumer, whether they used Apple Pay or just a regular credit card.


I am not an expert in this so I can't explain it in any truly deep detail, and you might be right in terms of "Masking" the identity of the card number if you think this is a privacy feature, but there is much more to it than security theater of a per-device DAN.

Both when using EMV Contactless and when using Apple Pay on the web, some kind of dynamic and/or encrypted data is signed by the secure element of the device. EMV Contactless definitely signs the whole transaction, with Apple Pay on the web in at least some cases it will use either a dynamic CVV code and/or "cryptogram" containing the transaction data similar to the contactless protocol that verifies that specific payment request was signed by the secure device/card.

The payment processors can use this to know the transaction is freshly authorised and is not a replay of a skimmed credit card number/CVV (whether skimmed from another apple pay transaction, or skimmed from entering the static physical card details).

On the merchant/processor side, I believe in some cases you may get a better rate or different fraud protection for such transactions (especially at a large scale), or it will also factor into the fraud control and the bank/payment network/etc. are less likely to reject such a payment as fraud, whereas it may be more likely to reject the static physical card details as fraud, etc.

If someone knows better or different then please do share.

Some references: https://support.apple.com/en-au/HT203027 https://developer.apple.com/documentation/passkit_apple_pay_... https://support.apple.com/en-au/guide/security/secc1f57e189/...


> EMV Contactless definitely signs the whole transaction, with Apple Pay on the web in at least some cases it will use either a dynamic CVV code and/or "cryptogram" containing the transaction data similar to the contactless protocol that verifies that specific payment request was signed by the secure device/card.

The same is true for chip card payments.

What makes Apple Pay significantly more secure in practice is that issuers can limit the device-specific card number to be only usable with a chip cryptogram, and not e.g. by manually typing it in on a website.

For POS and online payments, the idea was the same (eventually deprecate cryptogram-less use entirely and use 3DS online and chip/EMV at the POS), but alas, it never quite happened that way.

> On the merchant/processor side, I believe in some cases you may get a better rate or different fraud protection for such transactions (especially at a large scale)

Apple Pay usually shifts the liability for fraud to the issuer, yes. This is a huge advantage for merchants that would otherwise usually be on the hook for most types of fraud.
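To make the two points above concrete (a cryptogram that binds the transaction data so a skimmed number/CVV cannot be replayed, and an issuer restricting the device token to cryptogram-bearing transactions only), here is an added, self-contained model of a token service and a secure element. It is not code from this thread, from Apple, or from the EMV specifications: it stands in for the real ARQC/session-key scheme with an HMAC-SHA256 over the transaction fields, the FPAN/DPAN values are constructed samples, and the key is assumed to be provisioned into the device at card-add time.

```python
"""Simplified model of device tokenisation (DPAN) plus a per-transaction
cryptogram. Constructed for illustration only; NOT Apple's or EMV's real
ARQC / session-key scheme. HMAC-SHA256 stands in for the EMV MAC."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def cryptogram(key: bytes, dpan: str, amount: int, merchant: str,
               atc: int, unpredictable: str) -> str:
    """MAC over the transaction data. Binding amount, merchant, counter and
    the terminal's unpredictable number into the MAC is what makes a captured
    cryptogram useless for any other payment."""
    msg = f"{dpan}|{amount}|{merchant}|{atc}|{unpredictable}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class SecureElement:
    """Device side: holds the static DPAN and a per-device key (assumed to be
    provisioned when the card is added to the device)."""
    dpan: str
    key: bytes
    atc: int = 0  # application transaction counter, strictly increasing

    def authorise(self, amount: int, merchant: str, unpredictable: str) -> dict:
        """Produce the payment request the merchant/terminal forwards upstream.
        The merchant only ever sees the DPAN, never the real card number."""
        self.atc += 1
        return {
            "dpan": self.dpan, "amount": amount, "merchant": merchant,
            "atc": self.atc, "unpredictable": unpredictable,
            "cryptogram": cryptogram(self.key, self.dpan, amount, merchant,
                                     self.atc, unpredictable),
        }


class TokenService:
    """Issuer/token-service side: maps the DPAN back to the real card (FPAN),
    enforces cryptogram-only use of the token and rejects replays."""

    def __init__(self) -> None:
        self._tokens: dict = {}  # dpan -> {"key", "fpan", "last_atc"}

    def provision(self, fpan: str) -> SecureElement:
        # Constructed sample DPAN: a 16-digit number unrelated to the FPAN.
        dpan = "4" + str(secrets.randbelow(10 ** 15)).zfill(15)
        key = secrets.token_bytes(32)
        self._tokens[dpan] = {"key": key, "fpan": fpan, "last_atc": 0}
        return SecureElement(dpan, key)

    def verify(self, req: dict) -> tuple:
        """Return (approved, fpan) or (False, reason). Checks run in the order
        an issuer would: token known, cryptogram present, MAC valid, fresh."""
        rec = self._tokens.get(req.get("dpan"))
        if rec is None:
            return False, "unknown token"
        if "cryptogram" not in req:
            # Token domain restriction: key-entered / card-not-present use of
            # the DPAN is refused outright, so a leaked DPAN is worthless.
            return False, "token restricted to cryptogram transactions"
        expected = cryptogram(rec["key"], req["dpan"], req["amount"],
                              req["merchant"], req["atc"], req["unpredictable"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False, "bad cryptogram"
        if req["atc"] <= rec["last_atc"]:
            return False, "replay (stale counter)"
        rec["last_atc"] = req["atc"]
        return True, rec["fpan"]


def demo() -> dict:
    """Run one genuine payment, then the three failure modes discussed above."""
    tsp = TokenService()
    device = tsp.provision(fpan="4111111111111111")  # constructed sample FPAN
    nonce = secrets.token_hex(4)  # terminal's unpredictable number
    req = device.authorise(amount=2599, merchant="coffee-shop", unpredictable=nonce)
    first = tsp.verify(dict(req))
    replay = tsp.verify(dict(req))            # same message sent again
    tampered = tsp.verify(dict(req, amount=259900))  # amount changed in flight
    key_entry = tsp.verify({                  # skimmed DPAN typed into a web form
        "dpan": device.dpan, "amount": 1000, "merchant": "web-shop",
        "atc": 99, "unpredictable": "n/a"})
    return {"merchant_sees": device.dpan, "first": first, "replay": replay,
            "tampered": tampered, "key_entry": key_entry}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks in `verify` is deliberate: the cryptogram is validated before the counter, so a tampered message is reported as a bad MAC rather than as a replay, and an absent cryptogram is refused before any cryptographic work is done.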


> What makes Apple Pay significantly more secure in practice is that issuers can limit the device-specific card number to be only usable with a chip cryptogram, and not e.g. by manually typing it in on a website.

That's sort of true for non-3DS-enabled cards. For 3DS-enabled cards, you need a second factor for most transactions on the internet.


For 3DS enabled cards, 3DS is optional. Unless you mean 3DS-mandatory cards.


> For POS and online payments, the idea was the same (eventually deprecate cryptogram-less use entirely and use 3DS online and chip/EMV at the POS), but alas, it never quite happened that way.

Where I live it has happened exactly this way for a few years now. Online is 3DS only and in person is chip/EMV only.


Can you not use your card in US online stores? These mostly don’t support 3DS, so there is still a large fraud vector for compromised cards that work internationally.


I'm not sure, because I haven't been to the US in more than ten years. Last year in Canada everything worked flawlessly.


Apple Pay is also somewhat different from contactless/chip payments on a card because it's authenticated, whereas (US at least) cards are not authenticated since we don't use PINs.

IIRC in some countries this means it's accepted more or has higher payment limits.


Do the chip / paywave payments with the physical card also use a DPAN generated for that card, or do they use the FPAN that's embossed on the plastic?


A physical card usually uses the number embossed on the plastic on all other channels (i.e. magnetic stripe, chip, contactless) as well.

That's not a hard rule – some cards have no number embossed/printed at all (e.g. the Apple Card), and it's technically possible to use different numbers. But I haven't really seen it done since it could cause quite some confusion, as e.g. some airlines use the card number to look up your online booking at self-check-in machines, which wouldn't work if the two differ.

There are also some special cases of things that are technically regular old smartcards but that do (I believe) use tokenization/DPANs, like wearable form factor contactless payment devices by Swatch or Fidesmo.


Ahh, that makes sense - in fact I just used a credit card to pick up linked online Shinkansen bookings from the JR-West ticket machines.

(Those systems all seem to use either magstripe or chip though, so maybe the wireless transaction could still use a different one, in theory).


It can in the near term, as each endpoint has a unique public identifier instead of being mixed with multiple endpoints behind a NAT gateway, but less so over the long term, as privacy addresses are typically rotated at least daily.

Of course, all of this needs to be included in a broader discussion around myriad vectors of tracking and fingerprinting to arrive at a meaningful conclusion.


This is largely why I’m on disability and have not been a “functional” member of society for the better part of a decade. I have been unable to identify a role available to me which will not materially make things worse. This leaves the only viable options as living in abject poverty, or ceasing to exist, the latter frequently more attractive.


I'm sorry to hear that you feel that way.

Is it possible that you've gotten fixated on ways in which a role could make things worse, without also noticing ways in which it could make things better? It seems to me that when choosing a career, you should account for both costs and benefits.

One idea is to try & identify a job that does as little harm as possible, then live frugally and donate excess earnings to a charity you believe is making a positive impact.


> I have been unable to identify a role available to me which will not materially make things worse.

Have you ever watched The Good Place? What you're saying resonates with me, and there's a character (Doug, S03E08) that you might identify with. I'm wondering if seeing a conversation about the topic played out in fiction might bring you some comfort.


I watched _The Good Place_ when it originally aired, the strongest residual and most attractive concept was _The Final Door_. This has promoted it on my rewatch queue.


I want to see meaningful pushback on this indefensible move of forcing customers to establish and maintain a relationship with the manufacturer in order to use the products they sell.

Other examples are: Wahoo, who locked the control of their products behind an account and login requirement for devices which had been working perfectly fine for years prior.

Roche, who killed their blood glucose app at the start of 2023 and forced all their users to move to a third party app, developed by one of their subsidiaries, which requires you to accept a data exfiltration clause, if they wish to continue the automagic on-device logging.


Samsung did something similar with their phones' built-in heart rate and oxygen sensors, and health-related metrics from the accelerometer.

My Samsung Galaxy S8+ had those sensors and I used them often for many years. The results were interesting and useful, and graphed with history in the Samsung app which shipped on the device.

Then one day they changed the terms so you had to create and sign into a Samsung account, and upload your health data, to continue using the sensors.

I didn't accept those terms so I wasn't able to use those health monitoring functions on my expensive device any more.

Interestingly, most articles I saw about the change portrayed it as a good thing, that you could now have consistent health sensor records across your devices and other good cloud features, even portraying it as an oddity that Samsung Health didn't require Samsung cloud integration all along and that they had finally caught up to the times. But it already had those features before the change! The only visible change was to remove the choice to opt out of uploading your personal data.


Samsung takes horrible liberties with all their products, not only phones but things like televisions and even refrigerators.


As people who understand these things, we can choose the role of "citizen technologist", to benefit society.

Some off-the-cuff ideas of how:

1. Make our own purchases "on principle", and hope that enough other techies do that, that economic pressure is applied to brands.

2. Make our own non-purchase technology adoptions "on principle".

3. Inform other techies, both on specifics of individual devices/architectures/vendors/etc., and to bring everyone up to speed on the basics (e.g., reasons for open standards, user-oriented products/services, avoiding lock-in, privacy-respecting, responsible security, etc.).

4. Inform non-techies, such as by pointing them at solutions in their interest, and in the interest of society.

5. Advise lawmakers, to complement whatever they're hearing from lobbyists.

6. Contribute code and other effort to open platforms, and actually use them.

7. Be careful about helping to prop up society-hostile platforms, such as by using them to the exclusion of something else, making them more palatable to the exclusion of something better, implicitly endorsing them, etc.

8. Keep principles a factor in who we go to work for, how we work while there, and whether we stay there.


I’d question whether our techie peers can be bothered to care about these principles. IME most are too complacent.


These are great ideas, that a tax paying citizen should not be burdened with in a first world country. Our administration needs to step up from hiring dinosaurs, to actually hiring technology-competent legislators that can compose effective legislation.


I bought a Miku baby monitor because it had the features I wanted but didn’t require a subscription. It was pretty expensive ($399).

Then Miku sold to another company (they either filed or were planning on filing for bankruptcy), and the first thing the new company did was send a letter demanding $10 a month to keep using most of the monitor’s features.


Without knowing the particulars, that's an interesting example. The fact that Miku was going bankrupt suggests that they did not have a viable/sustainable business, and perhaps they could have been profitable with a different (i.e. subscription fee) business model. In either case, the new company seems like they do not much value existing Miku customers, as demanding more money for a product that was bought/paid for seems pretty outrageous.


They pushed out an over-the-air update that bricked nearly every device and had to swap them all out right before sending out a letter warning they were going to file.

The lesson that it drives home to me is that if a company can force updates to your device, it doesn’t matter what the terms of service are or how much you trust the company.

They can go bankrupt, sell off the assets, and some new vampire company can come along and remove your ability to use your product.


> if a company can force updates to your device

Worse, if your device requires remote services then they can control access to those. Stallman was right.


It was marketed directly based on 'no subscription fees', and had a heftier price to boot. So they're having their cake and eating it too.


Oh hey, fellow Miku friend. I was _furious_ when they first announced their bankruptcy plan. We supposedly paid a hefty premium for hardware that enables onboard breathing monitoring, and suddenly they're pretending they have to ship it to the cloud to do some magic? Nah, tear it down, and turns out we did pay extra for hardware.

Our Mikus use a Novelda (fka Xethru) UWB sensor SoC, specifically designed for human presence monitoring and, drumroll, breathing and heartbeat. Specifically they use an X4: https://novelda.com/wp-content/uploads/2023/03/x4_datasheet_...

I likely won't have time, what with the kids and all, but I'm going to give it the old college try to tear into this thing and craft some firmware so we can actually keep things from being a paperweight. It blows my mind this isn't just table stakes with IoT crap these days, but here we are.


Your first mistake was buying a baby monitor where it was even possible for most of its features to be remotely disabled unless you paid a fee. If you give someone else control over your devices, and your data, they'll eventually take it.


There was no alternative for a baby monitor with the features I was looking for.

In general it’s getting harder and harder to avoid devices where this is possible. The obvious answer is regulation.


You will own nothing and be happy.


Sometimes when I’m updating multiple devices a day and/or trying to figure out what’s not working I think I might be happier not owning them.


And many car manufacturers, right?


BMW now hides features behind signing into their absolutely atrocious online "app store." When I first got my car and was excited about exploring the features, I went through the incredible pain of logging into my account by typing my email and password with that little knob, and then one day it just logged me out and wanted me to do it all over again, and I can't be bothered so I just dismiss the dialog whenever I see it. So the upshot is they've created a set of features that aren't worth the trouble of the awful UX (and potential privacy issues), plus an occasional nag to remind me of that fact.

You also can't get a software update without installing their terrible mobile app (and logging in), so I take it to the dealer and make them do it.


> so I take it to the dealer and make them do it.

Won't they charge you through the nose for this? We recently went to a Lexus dealer for something random but specific on an old Lexus, and they did basic service like an oil change. When we stepped inside, it was like a 5-star hotel lobby with hors d'oeuvres, fancy hosts and a bunch of weird junk.

We got the bill, and never even considered going back.


I had them do it when I was in for my (free) oil change, and they didn't charge me for it. I suppose they might if I brought it in for just the software update.


How the fuck is it possible they don't let you do all the authentication in the app and then pair it with the car?


Maybe they do, but I don't install apps for horseshit like this. I especially don't install apps from companies that are obviously terrible at software development, like car manufacturers.


Tesla has none of these issues.


I have to admit, begrudgingly, that the Tesla App experience “JustWorksTM.” This is the 3rd I’ve picked up (3, Y, Y) and this time, I didn’t even have to pair my phone. I was signed into my existing app and my new Y just changed from an order number to a VIN and started working. All my preferences synced to my driver profile immediately.

If every experience with Tesla was like the initial buying experience I’d recommend it to anyone, however, let me assure anyone interested the honeymoon phase definitely ends.


Unfortunately I find Tesla's UX unbearable in other ways.


Good luck. I called out Logitech for forcing users to log into some bullshit online account to maintain their Harmony remotes, and was attacked by apologists on Reddit (take that for what you will).

A couple months later Logitech shitcanned the entire product line (which I had already returned after discovering their scam), and screwed all the apologists. I wonder what they think today... if they even do.

Don't underestimate the cognitive dissonance (and resulting apologism and shilling) that you'll face when you call out defects and scams in someone's pet product or belief system. And yes, it happens right here on HN too often as well.


> attacked by apologists on Reddit

Sometimes people get into niche communities and get really obsessive in a ridiculous way, like spending inordinate amounts of time defending a junky Logitech software suite.

I know, because it has happened to me. I see it happen with particular frequency in Discord.

I am not a psychologist, but it seems like a trap humans are predisposed to fall into.


This is what industrialization has freed us up to do.


Logitech still supports the Harmony devices; for how much longer remains to be seen. I just recently replaced some that had broken, so I'm good till the next device failure as long as I don't make any major replacements either.

I know I'm part of a dwindling customer base that still uses separate A/V gear and not just built-in streaming apps and a soundbar, but it seems like there would have still been a market for competent universal remotes that you could customize.

I hated how almost every generation of their remotes got harder to use and program compared to pre-Logitech Harmony. The Touch remotes were practically unusable because you had frequently used buttons in poor locations and a touch screen that you had to scroll through to find the correct soft touch button for that wasn't especially responsive, the old models with all hard buttons were vastly more usable.


I also have separate components, and beyond that they're even in an equipment closet separated from my living room (and projector) by a wall. So I wanted an RF remote with an IR blaster I could put in the closet.

But screw it. On the rare occasion I watch something that's not on my Shield (whose remote can control my receiver's volume with CEC), I just adjust the volume manually.

But let's not even get started on the pathetic state of the A/V receiver market, where you can't even get a receiver with A/B/C sets of speakers... despite advertising three zones.


FWIW Logitech continues to run the Harmony servers, and I've bought a couple of used hubs since. I hate that you have to login, so don't call me an apologist; Logitech made some real mistakes here. Still, the Harmony products work well enough. I hope eventually either Logitech open sources the server and database, or that someone emulates the server somehow.


Ring doorbells, because the microphone heard the citizen say the N-word and locked him out of the Amazon account.

Back then, we thought legal questions about discrimination silly - if the baker won't bake cakes for lesbians, who cares, there are dozens of bakers in town who are not silly, why fight with the one who is, especially since the only recourse you will get is a birthday cake.

But now with the app monopolies it's different. If Lyft bans you over a justified chargeback and Uber bans you over another justified chargeback you are going to have a problem.


Not what happened. The driver thought they heard the N-word come from a Eufy doorbell, which was them mishearing the automated response. No person uttered an N-word and no Ring doorbell was involved.

Amazon did lock the guy's account over the report from their driver. That did lock him out of his other IoT devices.


The thing is, even racists have a right that their devices work. They paid money for it. Amazon's duty is to protect their driver, and if they refuse to deliver because a driver has been threatened, that's OK. But they can't lock him out of their alarm system or automated door opener. It's worse because when you choose a camera doorbell you have a choice between Ring and Nest, which is not much of a choice.


Sure, but your original post made this man to be out as a racist. He isn’t.

There are other doorbell choices, like Eufy by Anker. The one this man used.


Eufy by Anker lied about their products storing data locally and instead uploaded it to their servers — and had them unsecured so anyone could download anyones videos.


The point is that Amazon has no business locking even racists out of their Amazon account.


Why doesn't freedom of association extend to Amazon? I'm pretty sure they argue they have the right in the EULAs the racist accepted.


There need to be reasonable limits, as companies are not actually literal people, and their rights should be inferior to those of literal people. Treating companies as people, and anything they do (e.g. through the lens of speech) likewise, has caused so much damage and has obviously just been an excuse for lawmakers to not have to make tough decisions.

An example that comes to mind is how if you get banned from Steam, you typically still retain the ability to access your past purchases, you just lose multiplayer, purchasing new content etc.

Similarly, companies should not be able to unilaterally discard the responsibilities they take on when they sell people things that require continuous service to operate.

This should be especially relevant in cases like with Philips Hue, now that they've chosen to bear the burden of even previous Hue owners' smart homes, they should not be able to willy nilly shed that in a way that renders the system non-functional. Any bans they make should just leave the hardware usable in the way that it already was.


Wahoo was great, the benefit to the forced app signup was that they deleted all the device settings


Don't use their products then? Nobody is forcing you to.


What about when you already purchased a product and an automatic update moves functionality, possibly core functionality, behind their app wall?


Normally you would be able to simply continue using the firmware on it, plus the app you originally installed, in perpetuity.

In reality, on each new iOS device, Apple forces you to use the current version of the app in the App Store now, and your old version apps are not included in backups or able to be transferred to new devices.

You are eventually forced to use the latest version of the app by Apple.

The latest version of the app will require the latest firmware or will modal lock you out until you upgrade the device.

Blame Apple for not letting you preserve your old versions of working apps between backups and devices, and blame Apple for allowing time bomb expiring apps like Signal and Chase Mobile into the App Store.

Further blame Apple for not having an iOS "internet access" permission per app that would prevent these apps from learning that there are new, unwanted firmware updates available when all you want to do is local operations.

Finally, any product that requires that you "sign up/log in" on the first screen and can't be used otherwise without PII should go straight back into the box to be returned.


Unfortunately, that doesn't work. If Reddit is any indication, the moral of the story is they can get away with it because there's a million idiots all ready to take your place.


I think the difference here is that Reddit wasn't bought at a retail location and you couldn't just return it to the store and get your money back.

People can and SHOULD return this garbage to the retail store the minute they get home and realized it's encumbered in this way.


Fair enough. But what if you bought the product, paid a fair amount for it (i.e., you can't just shit-can it) and *then* X months later the brand suddenly require a sign up, subscription fee, etc.

Then what?


Exactly. I have hundreds of dollars tied up in MY hue products. I paid the market price for a device that didn't require me to sign up for an account.

As far as I'm concerned these companies should get hit with deceptive advertising charges. Yes, I realize that buried somewhere two or three hundred paragraphs deep in the TOS I "agreed" to let them do this. Then again maybe I didn't, because I also likely "agreed" to have the TOS changed at any time for any reason without warning. That is key here.

IMO These companies get away with this because they can toss out one of the basics of contract law. It is unconscionable that one party can _unilaterally_ change the terms of the contact (the "terms of service") without prior warning or input from the other party (me, as the purchaser of said device/service).

Basic contract law should apply here. What _tangible_ benefits are there to me


Step 1: Make discontent known to brand
Step 2: Create/join community of fellow disaffected individuals
Step 3: Use community to spread awareness of said dissatisfaction
Step 4: Observe as sales of product fall off and brand reputation falters
Step 5A: Observe as brand reverses unpopular decision and recovers
OR
Step 5B: Observe as brand is replaced in the market by one which better meets consumer preferences


This has no actual effect on the underlying issue that nothing is stopping companies from doing this. In fact, if what you describe actually happens a lot, it would be trivial to set up puppet competitors to your own products in order to recapture leaving customers, repeat ad infinitum.


"it would be trivial to set up puppet competitors to your own products in order to recapture leaving customers"

Citation needed


Has this ever actually happened?


The market is littered with the corpses of companies who failed to meet consumer demand.


> companies who failed to meet consumer demand

What you claimed was a lot more specific than that. Do you have any actual examples of the specific sequence of events you claimed?


> Step 5B: Observe as brand is replaced in the market by one which better meets consumer preferences

Step 0A - Realize that most mature industries are incestuous. They share the same consultants, they swap employees, they compete for the same market with the same group-think mindset, etc. They all have the same incentives and paradigm for success and thus often act in a murmuration'ing way. That is, they're too big and too risk-averse to consider innovation, so they feign being competitive and milk the market the best they can.

Step 0B - Realize that for the most part the gov - via Crony Capitalism - will not protect consumers, and will put the thumb on the scale for the largest players. Your rights and privacy - in the context of Surveillance Capitalism (which the gov benefits from) - are more myth than they are real.

Step 0C - Realize that all the steps that follow are rarely successful. Sure, you can try, but the odds are not in your favor. You end up paying the subscription and/or having your usage data sold in some black box cyber back room.


A: I already explicitly avoid products that are encrusted in this shit. B: I have not used either of these products since their respective changes, even though they’re otherwise still perfectly functional.

A notable flow-on effect is that both of these products had helped with the management and improvement of my health, and these changes have had a measurable negative impact since I've been unable to use them.


Sounds like you're suggesting "meaningful pushback" as well then.


Except every single manufacturer is going down this road pretty much; they want to monetize all that data because more money equals more better, privacy be damned.


Laws. We need the force of law protecting us when entire industries work against the public good.


How can you avoid products that are unilaterally and unexpectedly changed in the future? The answer is you can't.



Do you live in the real world or are you on a farm living off the land?

Completely useless comment.


No but I live in the amazing world of free-market capitalism where I can choose to reward whichever company best meets my preferences as a consumer with money.


And Comcast were the biggest proponents of building IPv6 support into the DOCSIS specs, because they exhausted 10/8 in the management network for their modem fleet.



Hills sparsely populated with corpses are equally fascinating and comical.


I’ve been wondering for a while now if it would be worth coupling a heat pump coils to the heat sinks of a battery, inverter or other building electronics to help offset the diminishing returns at the lower extremes.

The simplest example would be a heat pump with its own built in UPS style battery, but I also see it being built with coupling to a power wall style house battery.


In summer yes, but efficiency is not a problem then. In winter those are providing ambient heat within your property anyway.


This equipment would be installed outside, the difference being to position it near, or coupled to, the compression loop of the heat pump. When the pump is running, it draws from the battery, which will need to dissipate heat through its operation. Why not capture that heat and redirect it where desired.

In summer, you could decouple it and use standard separate heat dissipation mechanisms.


A black body catching some rays would give a decent boost (for part of the day at least) - https://www.youtube.com/watch?v=FtfaZMahSUU - just putting the split unit somewhere that catches the sunshine would probably be a non negligible positive!

Once we go down the heat extraction / transfer path some interesting efficiencies should crop up - any waste heat (higher than ambient temperature) exiting a property could reasonably be captured and used.


I’m sick of every product now requiring I establish, and maintain, a personal relationship with the manufacturer.

Notable examples for myself are Wahoo Fitness[1], Water Rower[2] and Roche’s Accu-Chek[3], which all now require logins and agreements to leak health data to be hosted on external services in order to continue using the products I purchased from them.

In Roche’s case, they gave barely 5 weeks notice that their apps will cease to function at the end of the year, locking all data and functionality on January 1, and punting all responsibility to their subsidiary, mySugr[4].

[1] wahoofitness.com
[2] waterrower.com
[3] accu-chek.com
[4] mysugr.com


I see billionaire individuals and organised charities as polar extremes of the same policy failure. Neither should exist, and when they do it should be as an ephemeral anomaly.

Any charity which fails to prioritise putting itself out of business is functionally a grift.

If society truly valued what charities do, their activities would be intrinsically valuable, and not require a special economic status to be conjured for them to be viable.


People have this idea that you can just solve problems like world hunger by waving a magic wand, but you can't. There are probably South Sentinelese starving right now; we can't do anything about that because they won't let us. The little world hunger that is left today after the advancements of the 20th century is almost entirely in war-torn messes, and you can't eliminate war unless you eliminate human free will.


Or they are considered valuable but we have a captive market… Many people would like charities to become institutional features instead of charities but then there are other interests who are against such things because then “muh capital”


Charities, as they exist today, serve as a void into which corporations and governments can abdicate their respective responsibilities. Continuing to tolerate charities, at least in their current form, is complicity.

