Hacker News: halpow's comments

Can anyone explain to me how Tinder changed exactly? I don’t think it did, it's just that people learned how to use it better (rather, women learned to be vastly more selective on it and/or pile up matches without replying to anyone)


If you want to try easy mode, check out those newfangled Android-based credit card terminals. I bet they're much more rewarding, especially since you tap your PIN on the screen. Juicy.


The touch controller is generally connected to a MUX controlled by the security processor. When entering sensitive data (PIN/PANs), the touch controller output is routed directly to the security processor, bypassing any Android-derived OS responsible for the GUI.


And as a user, I have absolutely no way of distinguishing this from a device that had all secure features removed, and is running a random Android that proxies the NFC or chip data to a real reader, siphoning off what they can, while my PIN gets proxied by a human typing it into the real reader in real time. All I'd notice is a second or so of latency.


Do you have a way to make sure that a terminal with physical buttons is secure? To me, the touchscreen doesn't make the whole device inherently less secure.

As far as I understand, the whole system is designed to make replay attacks useless. PIN on its own doesn't allow you to make a transaction, neither does it in combination with a recorded conversation between the reader and the card during a successful transaction. There's some asymmetric cryptography involved with the private key stored in the chip on your card and every signed payload containing a random nonce.


The PIN and magstripe data alone (which I think can be replicated from a one-time read-only interaction with the chip) are enough to make payments in some cases.

If there are sufficiently few legitimate terminal types in circulation and the user is aware of it, anyone presenting a different terminal would be looked at with suspicion. With the status quo, I as the cardholder essentially have to assume that anything presented to me is likely legit, even if it looks like someone's homemade skimmer.

However, this still leaves the merchant. If they (the person handing me the terminal) aren't in on the scam, any tampering has to be non-obvious to them. AFAIK some places go as far as weighing the devices and regularly checking seals and serial numbers. VISA recommends checking twice daily https://busfin.colostate.edu/Forms/Merchant_Svcs/Visa_Securi...

Trying to tamper with a terminal with physical buttons would almost certainly require rewiring it physically, triggering tamper detection and rendering the terminal useless. So it would have to be swapped with a unit that looks identical despite being tampered, and functions well enough to not raise suspicion. I guess an attacker could hollow out a case and insert completely custom electronics, in theory, but that's quite a high bar (especially if it requires forging serialized seals).

On the touch-screen-with-insecure-Android, a software-only change on the insecure side (never actually initiating PIN entry mode, or only initiating it after the first attempt and "pin incorrect" message) should be enough to get the PIN, and an added NFC skimmer not connected to the other electronics could do the rest.

The devices also look cheaply made, distributed in small numbers, and I have my doubts about them having as many anti-tamper features as the most common terminals, although I might be wrong. If they have strong physical anti-tamper measures, and the software is hardened against software-based tampering, I think that they could, in theory, be comparably secure.


Magnetic stripes seem to only still be popular in the US. It always blows my mind just how insecure card payments are there. For small payments, like several dollars, they'll swipe your card in a reader attached to the POS system and that's it. No pin code, no nothing, you just get an SMS that your card was charged several seconds later. For larger payments they'll rely on entirely human-based confirmation methods like "sign the receipt" or "show your ID". I didn't even know this was a thing before I visited the US.

In Russia, where I'm from, I haven't swiped my card for at least a decade. Lately many places also started getting those square Android-based Sberbank terminals that don't even have the magstripe reader, only NFC and chip. Granted, our banking system has been effectively disconnected from most of the world since 2022, but I would be surprised if these aren't designed to accommodate MasterCard and Visa requirements for when they return. And skimmers are simply not a thing here any more. People get scammed through social engineering instead.

I also remember reading that magstripe transactions cost merchants more or something like that, precisely because they carry more risk because they only need static, easily copyable data.

Anyway, the point I'm making is that the threat model changes, and becomes much simpler at that, when transactions can't be made with static data. Because no matter what the scammer captures, even if that's the PIN and the complete data exchange with the card through NFC or the chip reader, they can't use that to make transactions. Obtaining the number, the expiration date, and the CVC is also unlikely to allow them to make online transactions because those need a second factor now. Except on Amazon. Amazon somehow manages to charge my card with just the number and the date, no CVC needed, and no 2fa code either.


Thinking about it a bit more, no, your argument about touchscreens doesn't make sense. The terminal OP looked at runs Linux on the "insecure" side, but the keypad is still passed through to it the same way the touchscreen would be passed through to the Android SoC, because it's used to navigate menus and enter the purchase amount. The Linux side would still send some sort of command to the CPU core that runs the "secure" OS to initiate PIN entry, and it could still just do what you describe.


The PIN data is still encrypted even when displayed on a touch pad, using user interfaces controlled by firmware running in the trusted zone.

So the applications in between, that would be accessible in an attack like this, can't view the PIN.


That'd get you the PIN quite easily, but if they're designed the same way (with all the important bits being handed off to a secure secondary processor) you still wouldn't be able to do much with the card as modern cards do a whole load of cryptography on-card to prevent stuff like this.

The attack would only work on terminals where every payment option but the magnetic card reader is broken, but those should give off skimmer alert alarm bells before you ever see a PIN prompt.


I'm not sure which type of Android terminals you have where you are, but in India they seem to be running Android Oreo (support ended in Jan '21). Yummy!


Also, it is possible to open other apps and the notification centre. And unsurprisingly the entire device is terribly laggy.


I'll wait for canitruncrysis in 2050


Public restrooms in Asia have bidets, so it's generally possible there too, assuming you BYO soap.


No, they're everywhere in Thailand, Vietnam and the Philippines, none of which are majority Muslim.


That doesn't make them non-Muslim things. Plenty of things in those countries are not from those countries.


I feel it's weird defining them by the main religion of the country where they are (maybe) mostly used. No one says the numbers used in English are Muslim; they are generally referred to as Arabic.

I wouldn't say printing is a "Catholic thing", but it definitely came from a super Catholic part of the world.


I think it makes sense specifically in this case.

Mainly because Islam has jurisprudence around hygiene in a sense. Ritual purification is an actual religious principle.

Islam requires Muslims to pray 5 times a day, and for those prayers, one has to be ritually clean. That involves washing the hands, rinsing the mouth and nose, washing the face, forearms, head, ears, and then the feet. That's effectively all the major parts of the body that are generally not covered by clothes. Your "cleanliness" is invalidated if you use the toilet, pass flatulence, vomit, sleep and so on.

More so, for using the toilet, there are rules. You have to find a place that is away from standing water, people's pathways, shade, etc.; granted, this generally doesn't apply in today's age. You have to be quiet on the toilet, and not look at anyone. Not allowed to eat any food while defecating. Lastly and most relevant in this case, you have to use water to wash yourself using the left hand, and then afterwards, you need to do the same for washing the front if you've urinated.

The reason why the "bidet spray" thing exists, is largely because of the rules in the religion around that practice. Calling them Arabic wouldn't make any sense because Indonesia, with the largest Muslim population, has similar tools in their facilities. Again, because they're mostly Muslims.

Printing isn't a Catholic thing because the religious doctrine didn't emphasise "printing" itself.

Arabic numbers aren't "Islamic numbers" because the religious doctrine didn't emphasise the numbers in some way.


> After defecating, the anus must be washed with water using the left hand, or an odd number of smooth stones or pebbles called jamrah or hijaarah (Sahih Al-Bukhari 161, Book 4, Hadith 27).

https://en.m.wikipedia.org/wiki/Islamic_toilet_etiquette


The Talmudic requirements say to wash your hands after going to the bathroom.

Is it a Jew thing because of that?


Coffee is a Muslim thing then. How do you feel about that?


They're great at one-shotting verbose code, but if they generate bad code the first time you're out of luck.

I don't think I ever got to write "this API doesn't exist" and then got a useful alternative.

Claude is the only one that regularly tells me something isn't possible rather than making sh up.


Japan is the perfect place for this because their house numbering system already requires you to look at a map to find it.

For those unfamiliar with it, numbers are incremented progressively around a block as doors are added to it. So the door "Block SanChome 4" could be on the opposite side of the building from "Block SanChome 6"


It is even more complex than that: within a neighborhood you have "chome", then blocks, then buildings. All three levels are numbered chronologically and don't follow any kind of logical order. Oh, and streets don't have names. Honestly, I don't know how people did before modern navigation systems.

So yeah, this system looks like a godsend, I want to try it as soon as possible.

* I don't know if there is a translation for this word.


Indeed - at least now you can enter the property address (e.g. a four-digit number followed by a dash and another number, as in this small town) into Google Maps and it'll show you where it is. Not long ago it was more like driving in the general direction while hanging on the mobile phone and trying to agree on a landmark (e.g. a 7/11 or a tower or an office building) while trying to find the place. Before mobile phones? Well, there's this big big sign in a park near the town center, and on that you can find family names on a kind of map. Of course that had this assumption that Nobody Never Moves. So, no, I don't know how people did this in the past. "Where the Streets Have No Name", the U2 song. I wouldn't have imagined, but that's how it is.


> Honestly, I don't know how people did before modern navigation systems.

The good old: ask a local about it. Nowadays people seem so against just stopping a random passerby to ask them a question. (Obviously not feasible with the huge amount of deliveries we do today, but back then it would have been reserved for the very rich or rare occasions.)


This won't change. The article starts:

> Japan Post said Monday that it has launched a "digital address" system that links seven-digit combinations of numbers and letters to physical addresses.

Their proposal is useful when one wants to move addresses.


I don’t think they’re saying that the system is intended to replace old addressing but that the new proposed system is fine because the old addressing system, like this new one, is not very good at providing intuitive physical wayfinding anyways.


Also useful for anyone who wants their personal residence recorded in fewer databases.


Yeah but now it's a personal identifier that actually moves with you when you move to a different physical address. In terms of privacy, that might just be worse.


How do you plan to order anything from an online shop without the shop knowing your delivery address?


You put a trusted intermediary (JP Post) that knows the address in the middle, and provide the seller with an identifier that the intermediary can associate with your physical address.

That's already how it works if you buy something through the online marketplaces here - Mercari et al.

Mercari knows addresses of all counterparties, but the label that the seller puts on the package doesn’t have the destination address, and the label the package has when it reaches your door doesn’t have the seller’s address either.


Doesn't it just give the shop a way to fetch the full address from some public API? I don't think you can just jot down that number on a box and have it delivered.

> Under the system, users can input these seven-digit codes on online shopping websites, and their addresses will automatically appear on the sites.


This is pretty much how we do it in Bulgaria as well, with almost all residential apartment buildings having no street address; it's just "City region X, building number Y". Online map services are almost unusable for some places because they simply do not want to handle any system other than "street name + street number".


In that context, something like a stable digital address actually makes way more sense

