
“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked


micky

Dec 17, 2016, 12:29:01 AM

The only financial transaction I ever make from the cell phone is buying
an app, using my google account. But I signed up for the account from a
desktop computer, and my question is, Does the credit card number ever
get transmitted to or from the phone when buying an app? I think not, so
I'm safe, right?

“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked
http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/

and even if there were sensitive info in the phone traffic, the
convoluted method of stealing it in the url above seems unlikely to
happen to me. Right?

BTW, I'm happy to learn that att has a wifi hotspot network like
Xfinity's, but much smaller, I'm sure.
https://www.att.com/maps/wifi.html#fbid=Qncz14ky5pH There are quite a
few, but on the commercial street and near me, there are about five,
Burger King, Ruby Tuesday, walmart, the bank I use. instead of 80 or
so, and in residential n'hoods, afaik/ct there are none. Still better
than nothing and there is still the 2 hours per month of free xfinity.


I think I did use a public wifi spot at the Delaware Turnpike travel
plaza, but only to dl more map data. That's safe, yes?

VanguardLH

Dec 17, 2016, 2:11:49 AM
Comcast's "free" wi-fi hotspots are only usable to Comcast customers.
They are not open to everyone. They are free to already paying
customers. If you have not previously connected to an "xfinitywifi"
hotspot before, you will be asked your Comcast login credentials. The
communication is encrypted and the homeowner with the wifi cable modem
cannot see that traffic. The "attwifi" must not be asking for login
credentials to prove you are a customer of theirs to use their network.
For xfinitywifi, you need their app on your phone. When you login the
first time, the app records the login credentials to reuse at other
xfinitywifi hotspots. So that you automatically connect to another
xfinitywifi hotspot means your login credentials encrypted and sent to
Comcast are still valid.

The author of the article never did test an xfinitywifi hotspot. He
based his assumptions on how attwifi works. Even if they both worked
the same, why aren't you using HTTPS? Someone operating a bogus
attwifi or xfinitywifi hotspot still cannot interrogate your encrypted
web traffic because their hotspot is not either of the endpoints (your
client and the site to which you connect) in a connection to an HTTPS
web site. The first and subsequent automatic logins to Comcast are via
HTTPS. Again, the author only made guesses, not actual tests. After
all, when you are home using wired Ethernet to connect to a web site,
there are lots of nodes (hops) in the route between you and the target
site that are not on your ISP's network. If the author thinks a hotspot
is going to steal your login credentials, why couldn't ANY node in the
route between you and any site also steal your login credentials? Hence
the purpose of HTTPS.

The man-in-the-middle attacks the author speaks of must be using HTTP so
the attacker can intercept and actually interpret the non-encrypted web
traffic. For HTTPS, the attacker won't have the site's cert. If the
HTTPS connect results in a warning in your web browser, you cannot be
sure you connected to where you thought you connected.

http://tools.kali.org/information-gathering/sslsplit
"SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
encrypted network connections. Connections are transparently intercepted
through a network address translation engine and redirected to SSLsplit.
SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to
the original destination address, while logging all data transmitted."

Except the attacker's host where they run SSLsplit won't have the target
site's certificate. They do attempt to forge a fake certificate based
on the details of the site's certificate. But that isn't unique to
wifi. ANY host in the route between your end and the target site could
do that. It's not a wi-fi specific attack vector. From an article at:

https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/,

the attacker must have the private key of a CA (certificate authority).
Well, how did they get that? Alas, there are CAs that should never have
been granted permission to operate as a CA. The article mentions the
user must have the attacker's root cert in the user's own cert store
(which is either the OS global cert store or a private store such as the
one that Firefox uses). How did the attacker's root cert get into the
user's local cert store? Malware. Companies do this MITM scheme all
the time so they can monitor HTTPS traffic generated by their employees
(who are supposed to be working, not downloading porn or leaking trade
secrets) by putting the company's root cert in the image they put on
their workstations that their employees use.

That the Internet does not guarantee the nodes between you and the
target host are all trusted (and repeatedly verified as such), there are
dangers in doing anything in the Internet. A VPN might provide better
protection since the tunnelling is supposed to be secure between
endpoints no matter what nodes are in the route. I haven't investigated
VPNs to see if that premise is correct.

Users worry so much about protecting their web traffic and yet they lock
their house with doors having easily punched-out windows that grant an
attacker access to the inside turn knob on the deadbolt, and they have lots
of knockouts (aka windows) in their house to grant forced entry. HTTPS
and VPNs add security levels. They don't guarantee 100% secure
communication, just highly likely secure communication.

Did you use HTTPS to make the connection to the web site where you made
a purchase? Doesn't matter whether you use wi-fi or Ethernet. You
should be using HTTPS. VPNs are nice but only if you are afraid of
having someone seeing to where you connect. They do further encrypt the
web traffic but HTTPS should be fine. play.google.com is a HTTPS site.

Best would be to check with your credit card issuer if they have a safe
card scheme. This lets you create temporary credit card numbers
(assigned onto your real credit card number) where you can specify the
maximum amount that can be charged and how long the temporary number
will survive (its expiration month/year). No one can charge more than
that and after its expiration (usually 2 months is the minimum) no one
can make any charge to that card number. After you use that card
number, and after you are sure the transaction has been completed, you
can even delete that card number so it cannot be used again. Bank of
America calls it ShopSafe.

Tis humorous that folks are so worried about their credit card numbers
when making Internet purchases and yet they gladly hand over their
credit card to some low-wage flunky at a restaurant who disappears from
the table to charge the card. They call Comcast for tech support who
asks for the account number, last 4 digits of the user's social security
number, telephone number, postal address and other customer validation
information. So why couldn't their phone line be tapped, or their
outbound call be intercepted or redirected elsewhere to someone
pretending to be Comcast?
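
Added example (not part of the thread and not any poster's code): the certificate check discussed in the post above, reproduced offline with Go's standard `crypto/x509`. The host name `shop.example` and both CA names are constructed for the illustration; it shows that a certificate minted by an interceptor's own CA fails validation against a clean trust store, validates only once that CA's root has been added to the store, and that the anchoring root's name reveals who vouched for the connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint creates a certificate for name. With parent == nil the result is a
// self-signed root CA; otherwise it is a server certificate for host `name`
// signed by parent. All names used here are constructed sample values.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustAnchor validates leaf for host against the given trust store, the way
// an HTTPS client does, and returns the CommonName of the root that anchored
// the chain. It returns "" and false when validation fails.
func trustAnchor(leaf *x509.Certificate, host string, store ...*x509.Certificate) (string, bool) {
	pool := x509.NewCertPool()
	for _, root := range store {
		pool.AddCert(root)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return "", false
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, true
}

type outcome struct {
	Genuine            bool   // real site cert, clean store
	ForgedCleanStore   bool   // interceptor's cert, clean store
	ForgedTaintedStore bool   // interceptor's cert, store with interceptor root added
	TaintedAnchor      string // which root vouched for the forged cert
}

func runScenario() (outcome, error) {
	const host = "shop.example" // constructed host name
	var o outcome
	publicCA, publicKey, err := mint("Constructed Public CA", nil, nil)
	if err != nil {
		return o, err
	}
	interceptCA, interceptKey, err := mint("Constructed Interceptor CA", nil, nil)
	if err != nil {
		return o, err
	}
	genuine, _, err := mint(host, publicCA, publicKey)
	if err != nil {
		return o, err
	}
	forged, _, err := mint(host, interceptCA, interceptKey)
	if err != nil {
		return o, err
	}
	_, o.Genuine = trustAnchor(genuine, host, publicCA)
	_, o.ForgedCleanStore = trustAnchor(forged, host, publicCA)
	o.TaintedAnchor, o.ForgedTaintedStore = trustAnchor(forged, host, publicCA, interceptCA)
	return o, nil
}

func main() {
	o, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Listing the roots in the OS or browser store and looking for one you did not expect is the corresponding audit on a real machine.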

micky

Dec 17, 2016, 3:16:45 PM
In comp.mobile.android, on Sat, 17 Dec 2016 01:11:47 -0600, VanguardLH
I wouldn't be surprised if he's exaggerating a risk. Columnists need
topics to write about and surely sometimes they can't find a good one,
and some of those times, their publisher expects a new column. Maybe
that's true online too.

>based his assumptions on how attwifi works. Even if they both worked
>the same, why aren't you using HTTPS? Someone operating a bogus

I don't connect with a bank when I'm using a phone, but if I did and it,
for example, provided an HTTPS url, I'd use it of course.

If one reads about, or google provides, an http:// url can one just use
https:// instead? Is that what you mean?
I don't know. IIRC when I'm using a webbrowser the full url shows, but
when using the PlayStore, nothing much shows.

>should be using HTTPS. VPNs are nice but only if you are afraid of
>having someone seeing to where you connect. They do further encrypt the
>web traffic but HTTPS should be fine. play.google.com is a HTTPS site.
>
>Best would be to check with your credit card issuer if they have a safe
>card scheme. This lets you create temporary credit card numbers
>(assigned onto your real credit card number) where you can specify the
>maximum amount that can be charged and how long the temporary number
>will survive (its expiration month/year). No one can charge more than
>that and after its expiration (usually 2 months is the minimum) no one
>can make any charge to that card number. After you use that card
>number, and after you are sure the transaction has been completed, you
>can even delete that card number so it cannot be used again. Bank of
>America calls it ShopSafe.
>
>Tis humorous that folks are so worried about their credit card numbers
>when making Internet purchases and yet they gladly hand over their
>credit card to some low-wage flunky at a restaurant who disappears from
>the table to charge the card. They call Comcast for tech support who
>asks for the account number, last 4 digits of the user's social security
>number, telephone number, postal address and other customer validation
>information. So why couldn't their phone line be tapped, or their
>outbound call be intercepted or redirected elsewhere to someone
>pretending to be Comcast?

You're right. The waiter could copy all the info. I mostly use a
debit card that is supposed to email me for purchases made without
presenting the actual card. -- However, as an aside, Bank of America
has implemented this incorrectly, and when I buy something, like on
Ebay, and pay with Paypal, they treat it as if I have presented my card
and don't email me. I spent two hours on the phone with BOA, an hour of
this with Paypal at the same time, and by that time we were all tired,
and the BOA person told me to call the Electronic payment (or something)
extension next time, because they were in charge. She still wasn't
convinced they were doing things wrong, even though they are. The
problem is not that my Paypal purchases don't get emailed to me, but
that fraudulent purchases won't generate an email either. I probably
shouldn't write about this until I get BOA to fix it, but I don't look
forward to another hour on the phone.

I agree with or believe everything you have here, except that Xfinity
says that any non-subscriber can still have two free hours, in one hour
increments, per month, of wifi from any of its hotspots. (I wonder if
you can move and change hotspots as long as you are still in the middle
of your hour.)

I haven't actually used any of this yet, because the one time I went
part way though the process, I had no need and it was early in the
month, and I thought I might need it later (but that was last month and
I didn't need it at all). However, I got close to connecting without
any Comcast app. I guess it was the OS Android v5 that provided some
sort of login screen. The webpage also said if one used
up his two hours he could buy another hour for, iirc $3, a day for $8,
two weeks for ??, and 30 days for ??? I think this last rate might be
more than xfinity costs by the year, and that might include TV and home
phone too, but the advantage is that there are a half-million or a
million of hotspots, maybe in the US alone. And there is no comcast
cable etc. where I live, so if I were on a 2 week or one month vacation,
this would not be a major expense for most people.

I would provide a webpage about the free xfinity, but my webbrowser is
really slow now. If you want, I'll find one.

VanguardLH

Dec 17, 2016, 6:58:42 PM
With BOA (since you appear to be their customer), I would certainly use
their ShopSafe scheme to protect me. It originally was MBNA's idea of
they got acquired by BOA. Alas, the failing is not somehow creating a
plastic card to give to someone who wants a physical card. Creating the
temporary and deletable ShopSafe credit card number, CVV, and expiration
date is something you do online. As I recall, they are stuck on ancient
Adobe Flash to present the ShopSafe UI in a web browser.

ShopSafe makes protecting your credit very easy. A seller cannot charge
you more than agreed by you. I usually add $5 just in case something
was forgot during the transaction. I set the expiration to 2 months
(the minimum - so they have enough time to process the transaction and
report it in your monthly statement which might not be until your next
monthly statement). The seller cannot overcharge me. They also cannot
automatically enlist me in some covert renewal scheme: the next time
they try to use the same ShopSafe number, there will only be $5 left
that can be charged on it. After the transaction has completed and they
received the money and I received the goods or services, I can delete
the ShopSafe number. It cannot be reused. That $5 overage cannot even
be charged. Not even I can regenerate the same old ShopSafe number. If
I deal with the same seller again, I can create a new ShopSafe number,
set its max charge amount, and its expiration. Or, if I don't delete
the old ShopSafe number, I can reuse it by assigning more value to it
and a new expiration.

If someone steals the Shopsafe number, most likely that will be after
the transaction with the seller with whom I originally made a purchase.
There might be only $5 left for someone else to steal if I have not yet
deleted that ShopSafe number or it already expired. If they managed to
get it before the seller charged to that ShopSafe number, well, my
liability is limited to the max charge value I assigned to that Shopsafe
number (or the limit of liability per transaction as stated in my credit
card contract, whichever is less).

The credit cards I have now do not have a similar ShopSafe number. I
really miss that protection. There is nothing that will give you 100%
security when on the Internet, just stuff that will make you more safe.
Using ShopSafe lets you control your credit exposure. Until you delete
the ShopSafe number, anyone (besides the intended seller) could steal
that number and charge up to the maximum value you assigned to that
number. It's a service that I wish all credit issuers provided;
however, it protects you, not them, so many aren't oriented to
protection of their customers but how to minimize their own losses.

tlvp

Dec 17, 2016, 7:20:33 PM
On Sat, 17 Dec 2016 01:11:47 -0600, VanguardLH wrote:

> Comcast's "free" wi-fi hotspots are only usable to Comcast customers.
> They are not open to everyone.

I encountered such a hotspot -- with xfinitywifi SSID -- in a Schenectady
restaurant recently. In exchange for an email address, it gave me an hour's
worth of wi-fi connectivity -- at no co$t to me. No idea what may transpire
the next time I encounter one of these.

FWiW, while I am a Comcast customer, have no xfinity username or password,
or email account.

(Just another little data-point to shed a tad more light on this story.)

Cheers, and Seasons' Greetings, -- tlvp
--
Avant de repondre, jeter la poubelle, SVP.

nospam

Dec 17, 2016, 7:45:42 PM
In article <ebm1pg...@mid.individual.net>, VanguardLH <V...@nguard.LH>
wrote:

> With BOA (since you appear to be their customer), I would certainly use
> their ShopSafe scheme to protect me. It originally was MBNA's idea of
> they got acquired by BOA. Alas, the failing is not somehow creating a
> plastic card to give to someone who wants a physical card. Creating the
> temporary and deletable ShopSafe credit card number, CVV, and expiration
> date is something you do online. As I recall, they are stuck on ancient
> Adobe Flash to present the ShopSafe UI in a web browser.

the web version requires flash but there's a windows app, at least with
citibank, who offers the same feature.

> ShopSafe makes protecting your credit very easy. A seller cannot charge
> you more than agreed by you. I usually add $5 just in case something
> was forgot during the transaction. I set the expiration to 2 months
> (the minimum - so they have enough time to process the transaction and
> report it in your monthly statement which might not be until your next
> monthly statement). The seller cannot overcharge me. They also cannot
> automatically enlist me in some covert renewal scheme: the next time
> they try to use the same ShopSafe number, there will only be $5 left
> that can be charged on it. After the transaction has completed and they
> received the money and I received the goods or services, I can delete
> the ShopSafe number. It cannot be reused. That $5 overage cannot even
> be charged. Not even I can regenerate the same old ShopSafe number. If
> I deal with the same seller again, I can create a new ShopSafe number,
> set its max charge amount, and its expiration. Or, if I don't delete
> the old ShopSafe number, I can reuse it by assigning more value to it
> and a new expiration.

while it usually blocks overcharges, it doesn't always.

> If someone steals the Shopsafe number, most likely that will be after
> the transaction with the seller with whom I originally made a purchase.
> There might be only $5 left for someone else to steal if I have not yet
> deleted that ShopSafe number or it already expired. If they managed to
> get it before the seller charged to that ShopSafe number, well, my
> liability is limited to the max charge value I assigned to that Shopsafe
> number (or the limit of liability per transaction as stated in my credit
> card contract, whichever is less).

you're already protected for fraud. having a virtual number just means
you don't have to update recurring transactions that are tied to your
actual card number, saving you the hassle.

> The credit cards I have now do not have a similar ShopSafe number. I
> really miss that protection. There is nothing that will give you 100%
> security when on the Internet, just stuff that will make you more safe.
> Using ShopSafe lets you control your credit exposure. Until you delete
> the ShopSafe number, anyone (besides the intended seller) could steal
> that number and charge up to the maximum value you assigned to that
> number. It's a service that I wish all credit issuers provided;
> however, it protects you, not them, so many aren't oriented to
> protection of their customers but how to minimize their own losses.

it protects them, not you. otherwise they wouldn't offer it at all.

it's also something created by a company that's no longer around and
given that flash is mostly dead, it may ultimately be discontinued.

american express had a similar feature and no longer offers it.

an easier solution is just get a card for online (and non-recurring)
transactions and if it gets compromised, the issuer will send out a new
card with a new number.

Alek

Dec 17, 2016, 7:48:07 PM
tlvp wrote on 12/17/2016 7:20 PM:
> On Sat, 17 Dec 2016 01:11:47 -0600, VanguardLH wrote:
>
>> Comcast's "free" wi-fi hotspots are only usable to Comcast customers.
>> They are not open to everyone.
>
> I encountered such a hotspot -- with xfinitywifi SSID -- in a Schenectady
> restaurant recently. In exchange for an email address, it gave me an hour's
> worth of wi-fi connectivity -- at no co$t to me. No idea what may transpire
> the next time I encounter one of these.
>
> FWiW, while I am a Comcast customer, have no xfinity username or password,
> or email account.

Do you have a comcast username? Same thing.

VanguardLH

Dec 17, 2016, 9:02:13 PM
nospam <nos...@nospam.invalid> wrote:

> while [ShopSafe] usually blocks overcharges, it doesn't always.

Never had that happen. If the seller charged more than what I allowed
on a ShopSafe number, the seller would get a rejected charge. They
don't get a portion of their charge. It's either accepted or rejected.
If they charge less than the max value that I assigned to the ShopSafe
number, their charge got accepted. There would be a remaining balance
between what the seller charged and the max value that I had assigned.
Say it was $5. That same seller or a scammer could charge anything up
to $5 to have their charge accepted. If they charged over $5 then they
got rejected. If I deleted the ShopSafe number, any charge to that
Shopsafe number got rejected. If I ordered something from a seller but
deleted the ShopSafe number before they submitted their charge, the
seller got rejected (and subsequently would not send the goods). If I
ordered something from a seller, waited until their charge showed up in
my BOA/MBNA account (to make sure they got their money), and then
deleted the ShopSafe number, the seller got paid and any further charges
of any amount to that now-deleted ShopSafe number got rejected.

Usually I just added $5 to what was the expected total cost of a sale to
make sure the sale went through okay. My exposure was only the $5
buffer if that ShopSafe number had been stolen or leaked. I rarely
deleted a ShopSafe number because they would self-destruct after the
expiration date (which was usually 2 months).

I never saw anyone that could charge a still-active ShopSafe number more
(an overcharge) than the remaining value assigned to that number. In
fact, I had sellers that had to tell me the transaction was incomplete
because they could not charge the ShopSafe number (which they see as
only a credit card number). Despite what they claimed was the total
cost, they decided to add something more that they hid from me. If they
give me an invalid total cost value (price, tax, handling, etc) then
they got nothing. The higher charge is not to what I agreed. If it was
my fault - the case when I first started using ShopSafe and neglected
the shipping cost, for example - I could change the max value for the
same ShopSafe number and tell the seller to redo the transaction.

I never got an overcharge using a ShopSafe number. Maybe you used
Citibank's similar service and they don't enforce a user-specified
maximum dollar value that can be charged to their temporary card
numbers. Bodes ill for Citibank's "shopsafe" feature if what you say is
true.

> you're already protected for fraud.

In most credit contracts, you are liable for the first $50 of a charge.
That's for each charge. If it happened 10 times, you would have to pay
the $500 exclusion.

> having a virtual number just means
> you don't have to update recurring transactions that are tied to your
> actual card number, saving you the hassle.

Not only do you save on the hassle - which can drag out to months - but
you also don't have to argue over validity of the charge or even have to
identify who was the seller that charged you. I would much rather be
proactive (or preventative) to avoid the problem rather than practice
catastrophic recovery after the fact. Reactive mode is a lot more
hassle, time, and could cost you money (like the first $50 of each
charge that they won't cover which is not relevant if you are in control
of the max value and expiration for a ShopSafe number).

> an easier solution is just get a card for online (and non-recurring)
> transactions and if it gets compromised, the issuer will send out a new
> card with a new number.

And those cards are ...? Are you talking about pre-paid debit cards?
Some places won't take them. You have to go through the hassle of
buying them and that costs a fee: you have to buy the card so you can
then put money on it. It does give you a physical card for those places
that expect one (i.e., physical transactions versus online ones).

micky

Dec 17, 2016, 9:46:28 PM
Vanguard, that's a very good suggestion about ShopSafe. I used to use
something like that long ago. Not for a specific purpose but I put $200
in it and set it for 6 months, when I almost never charged anything, and
then I guess I forgot about it.

The first hit on ShopSafe was indeed BOA and I don't know why they
haven't been pushing it at all in their mail or email to me, or when I
go on their webpage. That is, there is no mention at all. It was a
good idea years ago and it's even better now that I charge more things.
Thank you.

But I still have to clear up the problem with them not notifying me of a
Paypal charge. I suspect if they don't notify me, they don't notify
anyone. A pretty big flaw for a big company. That's why the woman I
talked to couldn't believe there was a flaw. (Other than Paypal,
afaik, they do notify me of all the other charges that don't use the
card itself. (Recurring charges like my HOA fee they notify me in
advance, I guess so I can make sure I have enough money.) And they
don't email me for charges that actually do require use of the card,
which is fine. At least it all would be if they did things the way
they say they will.)


As to hotspots, I found this:
http://wifi.xfinity.com/ Pretty far down the page, just shy of the
bottom:


Not an XFINITY Internet Customer?
Sign up today and get access to XFINITY WiFi instantly.
Here are three easy ways to start enjoying XFINITY WiFi:

1. Sign up for XFINITY Internet.
Get immediate access to XFINITY WiFi, included with your service at no
additional cost. (This is not what I meant!)

2. Try XFINITY WiFi — for free.
Get two, 60-minute complimentary sessions per month. Select
“xfinitywifi” in your list of available networks and we’ll tell you what
to do from there. (This is exactly what I meant.)

3. Get an XFINITY WiFi Access Pass.
When you are at a hotspot you can connect for an hour, day, week or
month, choose the Access Pass that works best for you.
$2.95 two hour pass
$7.95 daily pass
$19.95 weekly pass
$54.95 monthly pass

(And this too is what I meant, for when one has used up his 2 free
hours. They are clock hours, regardless of usage, once one starts, the
hour expires in 60 minutes.)


Already have a pass?
Manage your account




In comp.mobile.android, on Sat, 17 Dec 2016 00:28:57 -0500, micky

nospam

Dec 17, 2016, 10:17:13 PM
In article <ebm913...@mid.individual.net>, VanguardLH <V...@nguard.LH>
wrote:

>
> > while [ShopSafe] usually blocks overcharges, it doesn't always.
>
> Never had that happen. If the seller charged more than what I allowed
> on a ShopSafe number, the seller would get a rejected charge. They
> don't get a portion of their charge. It's either accepted or rejected.

that's what is *supposed* to happen and usually does, but if you read
the credit card forums, it doesn't always work out that way.

...

>
> I never got an overcharge using a ShopSafe number. Maybe you used
> Citibank's similar service and they don't enforce a user-specified
> maximum dollar value that can be charged to their temporary card
> numbers. Bodes ill for Citibank's "shopsafe" feature if what you say is
> true.

it's the exact same thing, just branded differently by citibank, with
maximum dollar and/or expiration dates and the same ugly flash
interface.

<https://en.wikipedia.org/wiki/Controlled_payment_number>

> > you're already protected for fraud.
>
> In most credit contracts, you are liable for the first $50 of a charge.
> That's for each charge. If it happened 10 times, you would have to pay
> the $500 exclusion.

no. it's the first $50 if your card is lost/stolen, which is usually
waived. if you still have the physical card but the number was
compromised (i.e., online transactions), it's $0.

> > having a virtual number just means
> > you don't have to update recurring transactions that are tied to your
> > actual card number, saving you the hassle.
>
> Not only do you save on the hassle - which can drag out to months - but
> you also don't have to argue over validity of the charge or even have to
> identify who was the seller that charged you. I would much rather be
> proactive (or preventative) to avoid the problem rather than practice
> catastrophic recovery after the fact. Reactive mode is a lot more
> hassle, time, and could cost you money (like the first $50 of each
> charge that they won't cover which is not relevant if you are in control
> of the max value and expiration for a ShopSafe number).

how is it months? once you get a new card (usually next day, but worst
case a couple of days), you contact the various services with recurring
charges and update your information, which usually can be done online
or over the phone. that shouldn't take more than an hour or two, if
that much. in some cases, the bank can update it for you when they
create the new number.

in rare cases, a merchant might require a paper form. i had to do that
once a few years back.

> > an easier solution is just get a card for online (and non-recurring)
> > transactions and if it gets compromised, the issuer will send out a new
> > card with a new number.
>
> And those cards are ...?

all of them.

every card issuer will cancel your existing account number when you
report fraud and create a new number. most will overnight a replacement
card.

they have to do that, because otherwise, someone out there will
continue to make fraudulent charges.

> Are you talking about pre-paid debit cards?

no.

> Some places won't take them.

anywhere that takes regular credit/debit cards *must* take a prepaid
card if it has a mastercard/visa/amex logo on it, which is just about
all of them.

> You have to go through the hassle of
> buying them and that costs a fee: you have to buy the card so you can
> then put money on it. It does give you a physical card for those places
> that expect one (i.e., physical transactions versus online ones).

prepaid cards are just that, prepaid. you pay the entire value of the
card at the time of purchase (plus a fee if it's mc/v/ax, but not if
it's a store card). once they're used up, they're worthless.

refillable cards are different, which tend to be for deadbeats who
can't get a normal credit card or for parents who want their (younger)
kids to be able to buy stuff with a card but want to limit how much
they can spend.

AL

Dec 17, 2016, 11:17:39 PM
On 12/17/2016 7:46 PM, micky wrote:
> Vanguard, that's a very good suggestion about ShopSafe. I used to
> use something like that long ago. Not for a specific purpose but I
> put $200 in it and set it for 6 months, when I almost never charged
> anything, and then I guess I forgot about it.

While on the subject of CC protections I use two others that I think are
of value:

2 step verification. Even if someone has my password they can't log on
to any of my CC accounts unless they have my phone in their physical
possession.

Text notification. I get a text for every CC transaction over $50
listing the merchant and amount. I would know quickly of any
unauthorized transaction.

An added benefit of the texts: When killing time when the wife shops I
know when my phone buzzes that she has just checked out and it's time to
meet her... ;)



nospam

Dec 17, 2016, 11:47:19 PM
In article <o352id$v18$1...@dont-email.me>, AL <l4522...@invalid.com>
wrote:

> > Vanguard, that's a very good suggestion about ShopSafe. I used to
> > use something like that long ago. Not for a specific purpose but I
> > put $200 in it and set it for 6 months, when I almost never charged
> > anything, and then I guess I forgot about it.
>
> While on the subject of CC protections I use two others that I think are
> of value:
>
> 2 step verification. Even if someone has my password they can't log on
> to any of my CC accounts unless they have my phone in their physical
> possession.

or they intercept it, which isn't particularly difficult.

it also won't work at all if you are outside cellular service, where
you can't get a text, at which point you can't log in *at* *all*.

<https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/>
Acknowledging there’s a risk that SMS messages can be intercepted or
redirected, NIST is encouraging any service considering adopting
two-factor authentication in the future to “consider alternative
authenticators.”

<https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/>
The last few months have demonstrated that SMS text messages are
often the weakest link in two-step logins: Attacks on political
activists in Iran, Russia, and even here in the US have shown that
determined hackers can sometimes hijack the SMS messages meant to
keep you safe.

> Text notification. I get a text for every CC transaction over $50
> listing the merchant and amount. I would know quickly of any
> unauthorized transaction.

easier and *much* safer use the bank's app for that.

VanguardLH

Dec 18, 2016, 12:04:12 AM
nospam <nos...@nospam.invalid> wrote:

> VanguardLH <V...@nguard.LH> wrote:
>
>> Not only do you save on the hassle - which can drag out to months - ...
>
> how is it months?

Not many users check their credit account balance each day. A charge
today might go into this month's statement. It could end up in next
month's statement. Then you notice and open a ticket with your credit
card issuer. They get a period of time to contact the other party. The
other party gets time to respond. From what I've seen, it can take 2 to
3 tete a tete before the credit card issuer decides in your favor. Then
the change doesn't show up until the next statement or perhaps even not
until the next one.

You are reacting to a disputed charge when you notice it and then have
to go through the arbitration phase and then have to wait for a decision
and a chargeback to your account.

>>> an easier solution is just get a card for online (and non-recurring)
>>> transactions and if it gets compromised, the issuer will send out a new
>>> card with a new number.
>>
>> And those cards are ...?
>
> all of them.
>
> every card issuer will cancel your existing account number when you
> report fraud and create a new number. most will overnight a replacement
> card.

Oh, you mean after I notice the disputed charge. And after someone has
made a bogus charge. And after it could affect my credit rating. And
after arguing with the credit card issuer about the charge and hoping
they decide in my favor.

> anywhere that takes regular credit/debit cards *must* take a prepaid
> card if it has a mastercard/visa/amex logo on it, which is just about
> all of them.

Nope. Debit cards say "Debit" on them. No merchant must accept any
credit card. Merchants can elect not to accept debit cards. No
merchant is ever forced to accept what you present for payment. They
don't even have to take cash.

> prepaid cards are just that, prepaid. you pay the entire value of the
> card at the time of purchase (plus a fee if it's mc/v/ax, but not if
> it's a store card). once they're used up, they're worthless.

So you go through the hassle of having to buy a prepaid card (to pay for
that service) and then add money to it. Yeah, that works and limits
your exposure to the maximum current value you prepaid onto the prepaid
card. Sounds just like what ShopSafe does except I don't have to buy a
prepaid card, go to a store to get one, or wait for it to arrive in the
mail. I've had those before. Too much a nuisance.

VanguardLH

Dec 18, 2016, 12:30:19 AM
micky <NONONO...@bigfoot.com> wrote:

> But I still have to clear up the problem with them not notifying me of a
> Paypal charge.

You don't get an e-mail from Paypal when there is a charge to your
PayPal account? I do. Maybe you need to go into your PayPal account to
configure it for e-mail notification. Not only do I get a PayPal e-mail
when they get a charge but I also get one from my bank against which
PayPal issues the charge. E-mail notices are a feature of PayPal and of
my bank (which is not BOA). Each time I use my PayPal account, I get 2
e-mails: one from PayPal, one from my bank.

At PayPal: Settings (gear icon) -> Notifications -> Payments. If that
doesn't work, contact PayPal. I get e-mails on payments from (charges
to) my PayPal account. I usually get an e-mail from Paypal within a day
of when I order online (but then the merchant might not be submitting
until the next business day). While they submit an EFT immediately to
my bank, it can take 3 days before my bank honors it (well, until they
record it so I can see it online in my bank account).

> Other than Paypal,
> afaik, they do notify me of all the other charges that don't use the
> card itself.

Which card are you talking about now? For Paypal to be involved means
you had a charge against a PayPal account. Paypal does have a credit
card they will dole out to their customers. I have one. Says
MasterCard on the front. Whenever I make a charge using that physical
plastic card, I do get an e-mail from PayPal about the charge.

I can't say what BOA does because I haven't had an account with them for
a long time. I was using MBNA's ShopSafe, left MBNA (interest rates way
too high and not customer friendly), and later MBNA got acquired by BOA.

> As to hotspots, I found this:
> http://wifi.xfinity.com/ Pretty far down the page, just shy of the
> bottom:
>
> Not an XFINITY Internet Customer?
> ...
> 2 Try XFINITY WiFi — for free.
> Get two, 60-minute complimentary sessions per month. Select
> “xfinitywifi” in your list of available networks and we’ll tell you what
> to do from there. (This is exactly what I meant.)

I don't know how they can track who uses how many minutes. Anyone can change
their MAC. When they are roaming, their IP address will change. Maybe
they require you install their app and that does the tracking.

I wonder what the "we'll tell you what to do from there" means. Sounds
like on first connect that they intercept whatever HTTP traffic you
generated to redirect to their site to have to do something, like sign
up or install an app.

https://www.youtube.com/watch?v=17ksL7KSYa8
(no audio)

At timemark 0:08, there is the web page to which you get redirected to
get the complimentary hour pass (so they must allow 2 passes per month).
This guy is showing that he has used up his passes. So what does he do?
Change his MAC address. If that is all Comcast uses to track two 1-hour
complimentary usages, anyone can circumvent that limit.

If the MAC is the only means of regulating complimentary passes to
xfinitywifi, this is disappointing as to how stupid is Comcast.

AL

Dec 18, 2016, 12:59:10 AM
On 12/17/2016 9:47 PM, nospam wrote:
> AL <l4522...@invalid.com> wrote:

>> 2 step verification. Even if someone has my password they can't
>> log on to any of my CC accounts unless they have my phone in their
>> physical possession.
>
> or they intercept it, which isn't particularly difficult.

They would have to be logging in to my CC account on their device having
my user name/password at the exact same time they intercept my phone's
verifying text. How likely is that? Nothing's perfect but that tiny
risk is way better than no 2FA.

> it also won't work at all if you are outside cellular service, where
> you can't get a text, at which point you can't log in *at* *all*.

If I'm out of cell range I can't use my phone's CC app anyway?? And
anyway, my phone is a trusted device so I don't need to log in using 2FA
every time, only the first time.

> Acknowledging there’s a risk that SMS messages can be intercepted or
> redirected, NIST is encouraging any service considering adopting
> two-factor authentication in the future to “consider alternative
> authenticators.”

I'll be quick to sign up when they make 2FA better. But the current SMS
risk is teeny tiny compared to the risk of someone using my
name/password in a hack (like Yahoo) when I don't have 2FA.

> The last few months have demonstrated that SMS text messages are
> often the weakest link in two-step logins: Attacks on political
> activists in Iran, Russia, and even here in the US have shown that
> determined hackers can sometimes hijack the SMS messages meant to
> keep you safe.

Which is safer. 2FA or no 2FA?

>> Text notification. I get a text for every CC transaction over $50
>> listing the merchant and amount. I would know quickly of any
>> unauthorized transaction.
>
> easier and *much* safer use the bank's app for that.

Easier? I have all my financial stuff set up like that. I know when a
check is cashed, a dividend is paid, CC transactions, etc. No having to
sign into the separate apps unless I need the encrypted details.

Safer?? Someone getting my text on how much the wife spent at Target??

micky

Dec 18, 2016, 1:24:09 AM
In comp.mobile.android, on Sat, 17 Dec 2016 21:17:40 -0700, AL
<l4522...@invalid.com> wrote:

>On 12/17/2016 7:46 PM, micky wrote:
>> Vanguard, that's a very good suggestion about ShopSafe. I used to
>> use something like that long ago. Not for a specific purpose but I
>> put $200 in it and set it for 6 months, when I almost never charged
>> anything, and then I guess I forgot about it.
>
>While on the subject of CC protections I use two others that I think are
>of value:
>
>2 step verification. Even if someone has my password they can't log on
>to any of my CC accounts unless they have my phone in their physical
>possession.
>
>Text notification. I get a text for every CC transaction over $50
>listing the merchant and amount. I would know quickly of any
>unauthorized transaction.

I get that too, or at least I'm supposed to, but the Bank of America has
a problem that they think when Paypal charges my account that Paypal has
provided the PIN, but Paypal has not since I've never told PP the PIN
and they have never asked. I spent two hours on the phone with BOA,
including one hour that all three of us were on the phone, Paypal too,
but she ended up telling me to call a different department. I'm saving
up strength for another hour. They don't believe they could be making
such a big mistake, but they are, and if they don't notify me, they
probably don't notify anyone.
>
>An added benefit of the texts: When killing time when the wife shops I
>know when my phone buzzes that she has just checked out and it's time to
>meet her... ;)

I thought you were going to say you knew when she spent money.
>

micky

Dec 18, 2016, 1:25:37 AM
Ignore most of the previous post, I forgot that I'd said it already.
;-(


In comp.mobile.android, on Sat, 17 Dec 2016 21:17:40 -0700, AL
<l4522...@invalid.com> wrote:

AL

Dec 18, 2016, 1:42:55 AM
On 12/17/2016 11:24 PM, micky wrote:
> In comp.mobile.android, on Sat, 17 Dec 2016 21:17:40 -0700, AL

>> An added benefit of the texts: When killing time when the wife shops I
>> know when my phone buzzes that she has just checked out and it's time to
>> meet her... ;)
>
> I thought you were going to say you knew when she spent money.

These days the wife doesn't have a chance. I not only know when and how
much she spends, but also where she is at all times (using Find My
iPhone). Ain't technology wonderful... ;)

micky

Dec 18, 2016, 2:11:07 AM
In comp.mobile.android, on Sat, 17 Dec 2016 23:30:18 -0600, VanguardLH
<V...@nguard.LH> wrote:

>micky <NONONO...@bigfoot.com> wrote:
>
>> But I still have to clear up the problem with them not notifying me of a
>> Paypal charge.
>
>You don't get an e-mail from Paypal when there is a charge to your
>PayPal account? I do. Maybe you need to go into your PayPal account to
>configure it for e-mail notification.

I do get the email from Paypal but I don't get the email from BOA. This
means whatever Paypal sends to BOA, a fraudster could also send them.
He'd need my card number, expiration date, and probably that 3-character
number, but he wouldn't need either the card itself or the PIN. BOA
thinks, for no good reason, that PP has my PIN.

Shouldn't a vendor that has received my PIN, like a gas station or
supermarket checkout, transmit the PIN to BOA also, along with the CC
number? Otherwise, someone could use any number as a PIN and the
vendor couldn't tell. So since I know PP doesn't know my PIN, why does
BOA think they have it? They don't react this way to other online
sales, at sites that have my card number but no PIN, only Paypal. For
other online sites, I get a BOA email when I spend money.

Account Alert: Debit Card Used Online, by Phone or by Mail
doesn't characterize the transaction, but for the same purchase
Account Alert: Debit/ATM Card Transaction Over Your Chosen Alert Limit
does show a transaction type of "PURCH W/O PIN "

OTOH, when I got cash back and went over $100 at the supermarket "Over
Your Chosen Alert Limit", and put in my PIN, it says "PURCH WITH PIN "

So I need to buy something using Paypal and spend over 100 and see what
it says. I think I did spend over 100 once. Can't find it, only
health and car insurance, but they are of a different type.

But I did remind myself of last July when some church in Massachusetts
deducted 500 from my account at 2:30 in the morning. That was listed as
W/O Pin, and it was over my notification minimum**, so I got an email,
two actually, and IIRC the money was returned by noon, before I even
looked at my email. (though there is no email for money returned, only
money spent.) I called the church and talked to someone but I can't
remember the story anymore.

**I lowered my minimum to their minimum until I get this settled.


> Not only do I get a PayPal e-mail
>when they get a charge but I also get one from my bank against which
>PayPal issues the charge. E-mail notices are a feature of PayPal and of
>my bank (which is not BOA).

I'd be surprised if it were BOA. ;-(

> Each time I use my PayPal account, I get 2
>e-mails: one from PayPal, one from my bank.

Right. That's what I want.
>
>At PayPal: Settings (gear icon) -> Notifications -> Payments. If that
>doesn't work, contact PayPal. I get e-mails on payments from (charges
>to) my PayPal account. I usually get an e-mail from Paypal within a day
>of when I order online (but then the merchant might not be submitting
>until the next business day). While they submit an EFT immediately to
>my bank, it can take 3 days before my bank honors it (well, until they
>record it so I can see it online in my bank account).
>
>> Other than Paypal,
>> afaik, they do notify me of all the other charges that don't use the
>> card itself.
>
>Which card are you talking about now? For Paypal to be involved means

My BOA debit card, but I think it would be the same with a credit card.

>you had a charge against a PayPal account. Paypal does have a credit
>card they will dole out to their customers. I have one. Says

I thought about getting one. They certainly push it all the time.
Mostly I want one that will cover my collision damage waiver on a car
rental when I'm out of the country. Does it do that?

Or one that won't charge a commission when changing currency, getting
local money out of a USA dollar account. I think Capital One is like
that, but I don't have that either.

>MasterCard on the front. Whenever I make a charge using that physical
>plastic card, I do get an e-mail from PayPal about the charge.
>
>I can't say what BOA does because I haven't had an account with them for
>a long time. I was using MBNA's ShopSafe, left MBNA (interest rates way
>too high and not customer friendly), and later MBNA got acquired by BOA.

Aha.

>> As to hotspots, I found this:
>> http://wifi.xfinity.com/ Pretty far down the page, just shy of the
>> bottom:
>>
>> Not an XFINITY Internet Customer?
>> ...
>> 2 Try XFINITY WiFi — for free.
>> Get two, 60-minute complimentary sessions per month. Select
>> “xfinitywifi” in your list of available networks and we’ll tell you what
>> to do from there. (This is exactly what I meant.)
>
>I don't know how they can track who uses how many minutes. Anyone can change
>their MAC. When they are roaming, their IP address will change. Maybe
>they require you install their app and that does the tracking.

You're right, they go by MAC, and there are webpages saying how to
change your MAC so that you can have endless free Xfinity, even though
that would be stealing. I was still curious enough to look into it.
It's easy enough to do and undo for a laptop, but iirc a phone has to be
rooted. And I'd have to change either of them back because my home
wifi filters on MAC. Maybe there are other reasons I don't know about
too.
>
>I wonder what the "we'll tell you what to do from there" means. Sounds
>like on first connect that they intercept whatever HTTP traffic you
>generated to redirect to their site to have to do something, like sign
>up or install an app.

I will try it and let you know, within the next week I hope.
>
>https://www.youtube.com/watch?v=17ksL7KSYa8
>(no audio)
>
>At timemark 0:08, there is the web page to which you get redirected to
>get the complimentary hour pass (so they must allow 2 passes per month).
>This guy is showing that he has used up his passes. So what does he do?
>Change his MAC address. If that is all Comcast uses to track two 1-hour
>complimentary usages, anyone can circumvent that limit.

But most people won't. Either they're honest or they don't know how, or
it's too much trouble, or they rarely want more than 2 hours anyhow.

>If the MAC is the only means of regulating complimentary passes to
>xfinitywifi,

That's what those webpages say.

> this is disappointing as to how stupid is Comcast.

Ugh.

VanguardLH

Dec 18, 2016, 3:01:22 AM
https://www.bankofamerica.com/onlinebanking/education/online-banking-alerts.go
https://www.bankofamerica.com/online-banking/mobile-banking-alerts.go

Those indicate that BOA will issue alerts; however, since I do not have
a BOA account, I cannot say what types of alerts you can elect.

nospam

Dec 18, 2016, 11:30:41 AM
In article <o358go$bon$1...@dont-email.me>, AL <l4522...@invalid.com>
wrote:

> >> 2 step verification. Even if someone has my password they can't
> >> log on to any of my CC accounts unless they have my phone in their
> >> physical possession.
> >
> > or they intercept it, which isn't particularly difficult.
>
> They would have to be logging in to my CC account on their device having
> my user name/password at the exact same time they intercept my phone's
> verifying text. How likely is that? Nothing's perfect but that tiny
> risk is way better than no 2FA.

it's not 'way better'.

> > it also won't work at all if you are outside cellular service, where
> > you can't get a text, at which point you can't log in *at* *all*.
>
> If I'm out of cell range I can't use my phone's CC app anyway?? And
> anyway, my phone is a trusted device so I don't need to log in using 2FA
> every time, only the first time.

of course you can, via wifi.

> > Acknowledging there’s a risk that SMS messages can be intercepted or
> > redirected, NIST is encouraging any service considering adopting
> > two-factor authentication in the future to “consider alternative
> > authenticators.”
>
> I'll be quick to sign up when they make 2FA better. But the current SMS
> risk is teeny tiny compared to the risk of someone using my
> name/password in a hack (like Yahoo) when I don't have 2FA.

the risk may be small, but so is the risk of someone actually hacking
your bank account and the bank won't hold you liable anyway if they
did.

> > The last few months have demonstrated that SMS text messages are
> > often the weakest link in two-step logins: Attacks on political
> > activists in Iran, Russia, and even here in the US have shown that
> > determined hackers can sometimes hijack the SMS messages meant to
> > keep you safe.
>
> Which is safer. 2FA or no 2FA?

*proper* 2fa, such as a totp code, not sms, which is not secure.

> >> Text notification. I get a text for every CC transaction over $50
> >> listing the merchant and amount. I would know quickly of any
> >> unauthorized transaction.
> >
> > easier and *much* safer use the bank's app for that.
>
> Easier? I have all my financial stuff set up like that. I know when a
> check is cashed, a dividend is paid, CC transactions, etc. No having to
> sign into the separate apps unless I need the encrypted details.

there's no need to sign into the app. the bank sends push notifications
for transactions or other activity.

> Safer?? Someone getting my text on how much the wife spent at Target??

cancel her credit card.

nospam

Dec 18, 2016, 11:30:42 AM
In article <ebmjma...@mid.individual.net>, VanguardLH <V...@nguard.LH>
wrote:

> >>> an easier solution is just get a card for online (and non-recurring)
> >>> transactions and if it gets compromised, the issuer will send out a new
> >>> card with a new number.
> >>
> >> And those cards are ...?
> >
> > all of them.
> >
> > every card issuer will cancel your existing account number when you
> > report fraud and create a new number. most will overnight a replacement
> > card.
>
> Oh, you mean after I notice the disputed charge. And after someone has
> made a bogus charge. And after it could affect my credit rating. And
> after arguing with the credit card issuer about the charge and hoping
> they decide in my favor.

set up alerts and you'll find out within seconds when a bogus charge
was made.

> > anywhere that takes regular credit/debit cards *must* take a prepaid
> > card if it has a mastercard/visa/amex logo on it, which is just about
> > all of them.
>
> Nope. Debit cards say "Debit" on them. No merchant must accept any
> credit card. Merchants can elect not to accept debit cards. No
> merchant is ever forced to accept what you present for payment. They
> don't even have to take cash.

if they don't accept debit cards then a regular card isn't going to
help you either.

the point is that anywhere that accepts mastercard/visa/amex *must*
accept the prepaid version.

a merchant cannot say 'oh that's a prepaid gift card, sorry'. if they
do, contact mc/v/ax and report them.

> > prepaid cards are just that, prepaid. you pay the entire value of the
> > card at the time of purchase (plus a fee if it's mc/v/ax, but not if
> > it's a store card). once they're used up, they're worthless.
>
> So you go through the hassle of having to buy a prepaid card (to pay for
> that service) and then add money to it. Yeah, that works and limits
> your exposure to the maximum current value you prepaid onto the prepaid
> card. Sounds just like what ShopSafe does except I don't have to buy a
> prepaid card, go to a store to get one, or wait for it to arrive in the
> mail. I've had those before. Too much a nuisance.

i didn't suggest that at all.

what i said is to have a *separate* credit card for sketchy purchases,
and if that card is compromised, your other cards will not be affected.
the bank replaces it and you use the new number for more sketchy
purchases.

AL

Dec 18, 2016, 12:48:47 PM
On 12/18/2016 9:30 AM, nospam wrote:
> In article <o358go$bon$1...@dont-email.me>, AL <l4522...@invalid.com>
> wrote:

>>> it also won't work at all if you are outside cellular service,
>>> where you can't get a text, at which point you can't log in *at*
>>> *all*.

Of course I can. See below.

>> If I'm out of cell range I can't use my phone's CC app anyway??

> of course you can, via wifi.

Use a strange WiFi for sensitive financial apps? Good security thinking.

But since my devices are trusted I could certainly log in using that
strange WiFi, even with 2FA installed, even with no cell service.

> the risk may be small, but so is the risk of someone actually
> hacking your bank account

Which is the smaller risk, 2FA or no 2FA?

> and the bank won't hold you liable anyway if they did.

Why put up with the hassle of straightening out a bank hack if you can
prevent it with 2FA?

>> Which is safer. 2FA or no 2FA?
>
> *proper* 2fa, such as a totp code, not sms, which is not secure.

You dodged the question. Which is safer, 2FA or no 2FA?

> cancel her credit card.

The CC is much cheaper than divorce...


micky

Dec 18, 2016, 3:44:21 PM
In comp.mobile.android, on Sun, 18 Dec 2016 11:30:41 -0500, nospam
This probably doesn't apply to prepaid visa/etc. debit cards, only
because they start off with a fairly small amount iirc, and I can't
foresee all the results, but I heard about this, and even if it's a bit
OT, this seems a place to mention it:

Thieves go to a display rack of gift cards, they take a card, or more
than one, smuggle it out to the car maybe, or the bathroom, scratch off
the covering over the PIN, copy the PIN, cover the PIN with something
that looks something like the original covering, and put the card back
on the rack. Then they check again (My guess is they put a little
pencil mark on the paper holder to make checking go quickly) and when
the card is gone again, it means someone has paid for it and activated
it, and that's when they spend the money on the card, since they already
know the PIN. Since they're often bought as a gift, they aren't
delivered or used for a few days, and when the donee gets around to
using it, he finds that it's all spent.

I've only bought such cards three times, inc. a week ago I bought one
for BabiesRUs as a baby present, and I remembered to check if the
covering on the PIN looked right. I didn't think to check if the
cashier activated it -- didn't even know about that part -- but I found
a receipt and notation in my grocery bag.

>> > prepaid cards are just that, prepaid. you pay the entire value of the
>> > card at the time of purchase (plus a fee if it's mc/v/ax, but not if
>> > it's a store card). once they're used up, they're worthless.
>>
>> So you go through the hassle of having to buy a prepaid card (to pay for
>> that service) and then add money to it. Yeah, that works and limits
>> your exposure to the maximum current value you prepaid onto the prepaid
>> card. Sounds just like what ShopSafe does except I don't have to buy a
>> prepaid card, go to a store to get one, or wait for it to arrive in the
>> mail. I've had those before. Too much a nuisance.
>
>i didn't suggest that at all.
>
>what i said is to have a *separate* credit card for sketchy purchases,
>and if that card is compromised, your other cards will not be affected.
>the bank replaces it and you use the new number for more sketchy
>purchases.

I have some stocks held by a major though maybe regional brokerage, and
I got a debit card from them, and then they told me that the maximum
that could be withdrawn was the entire value of the stocks! After that,
I was afraid and unwilling to carry the card or use it at all.
Eventually it expired. A few years later I thought, "This is absurd.
Surely there's a way to avoid this" and by this time, they didn't offer
such cards anymore (I think they'd been bought by another bigger
national brokerage). Just a quick approval by Amex. Amex btw now
offers pre-paid cards. I guess it's not just for rich people anymore.

micky

Dec 18, 2016, 5:02:23 PM
In comp.mobile.android, on Sun, 18 Dec 2016 02:01:20 -0600, VanguardLH
<V...@nguard.LH> wrote:

>https://www.bankofamerica.com/onlinebanking/education/online-banking-alerts.go general
>https://www.bankofamerica.com/online-banking/mobile-banking-alerts.go cell phone
>
>Those indicate that BOA will issue alerts; however, since I do not have
>a BOA account, I cannot say what types of alerts you can elect.

Thanks. Not surprisingly, they specify no exception for Paypal.

But it's good to have these pages -- thanks -- for when I'm trying to
explain to them what they are doing wrong and why it's in their own
interest to live up to their offers.

I don't know if they are "promises" but I think a plaintiff will be
found entitled to rely on their offers and the bank is setting itself up
for a fall by having this big glaring flaw/exception to a program that
otherwise works fine IME.

It was also good to discuss this with you because it did a lot to put my
thoughts in order, before I call them again.

Maybe this is one of the times I should write the president of the
company.


(I do get notices when the amount is over the minimum, which is $100 --
I wish now that it were less.)



Also, for my own notes. First node is 'secure' so it doesn't work
without logging in.
https://secure.bankofamerica.com/mycommunications/alerts/aboutAlerts.go

AL

Dec 18, 2016, 9:24:04 PM
On 12/18/2016 1:44 PM, micky wrote:

> Amex btw now offers pre-paid cards. I guess it's not just for rich
> people anymore.

Definitely not. Unless you mean it makes the card holder richer. I've
had an Amex cash back CC for several years now. It has no annual fee and
gives me (on average) $500 cash back every year. Course it has to be
paid off every month or the cash back is quickly consumed by the
excessive interest rate.

tlvp

Dec 19, 2016, 5:23:58 AM
On Sat, 17 Dec 2016 19:48:03 -0500, Alek wrote:

>> FWiW, while I am a Comcast customer, have no xfinity username or password,
>> or email account.
>
> Do you have a comcast username?

No. Comcast is my TV provider, not my ISP. Cheers, -- tlvp

tlvp

Dec 19, 2016, 5:27:34 AM
On Sat, 17 Dec 2016 21:46:24 -0500, micky quoted the offer:

> 2 Try XFINITY WiFi — for free.
> Get two, 60-minute complimentary sessions per month. Select
> “xfinitywifi” in your list of available networks and we’ll tell you what
> to do from there. (This is exactly what I meant.)

Exactly what I encountered in that Schenectady restaurant. Thanks for
providing that prototype of my evidence :-) . Cheers, -- tlvp

tlvp

Dec 19, 2016, 5:35:29 AM
On Sun, 18 Dec 2016 02:11:03 -0500, micky wrote:

> Mostly I want one that will cover my collision damage waiver on a car
> rental when I'm out of the country

If you find one, do post back to tell us which bank and what they market
that card as: lots of us could use just such a card type as well here.

nospam

Dec 19, 2016, 7:49:30 AM
In article <fnipyku424hz.9ugsl5ql39cx$.d...@40tude.net>, tlvp
<mPiOsUcB...@att.net> wrote:

>
> > Mostly I want one that will cover my collision damage waiver on a car
> > rental when I'm out of the country
>
> If you find one, do post back to tell us which bank and what they market
> that card as: lots of us could use just such a card type as well here.

just about all cards offer secondary auto rental insurance and a few
offer primary, both of which cover collision.

nospam

Dec 19, 2016, 10:40:22 AM
In article <o36i39$2ks$1...@dont-email.me>, AL <l4522...@invalid.com>
wrote:

> >>> it also won't work at all if you are outside cellular service,
> >>> where you can't get a text, at which point you can't log in *at*
> >>> *all*.
>
> Of course I can. See below.

then you don't have true 2fa.

> >> If I'm out of cell range I can't use my phone's CC app anyway??
>
> > of course you can, via wifi.
>
> Use a strange WiFi for sensitive financial apps? Good security thinking.


i didn't say anything about a strange wifi, but regardless, the bank
uses https, which is encrypted, and you can always use a vpn.

you clearly don't understand how it all works

> But since my devices are trusted I could certainly log in using that
> strange WiFi, even with 2FA installed, even with no cell service.

if you can log in without getting a text, you don't have 2fa.

that also means that if your trusted device is lost/stolen, someone
*else* could potentially log in.

> > the risk may be small, but so is the risk of someone actually
> > hacking your bank account
>
> Which is the smaller risk, 2FA or no 2FA?

no 2fa, assuming the 2fa you're using uses sms texts.

2 factor authentication is two of:
something you know (password)
something you have (code generator via app, dongle, etc.)
something you are (fingerprint, retina scan, etc.)

a text message sent to you via an unencrypted channel and which can be
intercepted is none of those.

> > and the bank won't hold you liable anyway if they did.
>
> Why put up with the hassle of straightening out a bank hack if you can
> prevent it with 2FA?

there's nothing to straighten out beyond contacting the bank that your
account was hacked.

and in reality, they probably know already and will be contacting you
first because if their database was compromised, millions of people
will be affected, not just you.

> >> Which is safer. 2FA or no 2FA?
> >
> > *proper* 2fa, such as a totp code, not sms, which is not secure.
>
> You dodged the question. Which is safer, 2FA or no 2FA?

i didn't dodge it at all.

i gave *two* links that explain why security professionals, including
bruce schneier and the nist, say using text messages for 2fa is an
incredibly bad idea.

> > cancel her credit card.
>
> The CC is much cheaper than divorce...

not in the long run.

nospam

Dec 19, 2016, 10:40:23 AM
In article <qesd5c54qj813f69r...@4ax.com>, micky
<NONONO...@bigfoot.com> wrote:

> >
> >a merchant cannot say 'oh that's a prepaid gift card, sorry'. if they
> >do, contact mc/v/ax and report them.
>
> This probably doesn't apply to prepaid visa/etc. debit cards, only
> because they start off with a fairly small amount iirc, and I can't
> foresee all the results, but I heard about this, and even if it's a bit
> OT, this seems a place to mention it:

it applies to prepaid cards that bear the mastercard/visa/amex logo.

the value of the card does not matter. it only needs to be larger than
the purchase (although with a split transaction, it can be less).

> Thieves go to a display rack of gift cards, they take a card, or more
> than one, smuggle it out to the car maybe, or the bathroom, scratch off
> the covering over the PIN, copy the PIN, cover the PIN with something
> that looks something like the original covering, and put the card back
> on the rack. Then they check again (My guess is they put a little
> pencil mark on the paper holder to make checking go quickly) and when
> the card is gone again, it means someone has paid for it and activated
> it, and that's when they spend the money on the card, since they already
> know the PIN. Since they're often bought as a gift, they aren't
> delivered or used for a few days, and when the donee gets around to
> using it, he finds that it's all spent.

you'd need to tear open the package to be able to scratch off the code
and then hope someone eventually buys the already opened package and
nobody notices anything unusual.

so no, that won't work.

> I've only bought such cards three times, inc. a week ago I bought one
> for BabiesRUs as a baby present, and I remembered to check if the
> covering on the PIN looked right. I didn't think to check if the
> cashier activated it -- didn't even know about that part -- but I found
> a receipt and notation in my grocery bag.

it's activated when it's scanned.


>
> I have some stocks held by a major though maybe regional brokerage, and
> I got a debit card from them, and then they told me that the maximum
> that could be withdrawn was the entire value of the stocks! After that,
> I was afraid and unwilling to carry the card or use it at all.
> Eventually it expired. A few years later I thought, "This is absurd.

in the event someone fraudulently drains your account, you're covered.

> Surely there's a way to avoid this" and by this time, they didn't offer
> such cards anymore (I think they'd been bought by another bigger
> national brokerage). Just a quick approval by Amex. Amex btw now
> offers pre-paid cards. I guess it's not just for rich people anymore.

amex has been mainstream for years, although they still target rich
people with cards such as the amex centurion, which is made out of
metal, invitation only and has an annual fee of $2500 *plus* a $7500
first year initiation fee. you get a lot of benefits with it, although
not substantially much more than amex platinum. it's really just for
show.

micky

Dec 19, 2016, 1:42:53 PM
In comp.mobile.android, on Mon, 19 Dec 2016 07:49:30 -0500, nospam
<nos...@nospam.invalid> wrote:

>In article <fnipyku424hz.9ugsl5ql39cx$.d...@40tude.net>, tlvp
><mPiOsUcB...@att.net> wrote:
>
>>
>> > Mostly I want one that will cover my collision damage waiver on a car
>> > rental when I'm out of the country
>>
>> If you find one, do post back to tell us which bank and what they market
>> that card as: lots of us could use just such a card type as well here.

Where is "here"?
>
>just about all cards offer secondary auto rental insurance and a few
>offer primary, both of which covers collision.

By secondary, do you mean after my own car insurance pays? The thing
is that I don't have collision insurance on my own car, so I have none
of that.

And if the credit card offers secondary but doesn't offer primary, I
wonder what that means for someone like me. If most collision policies
have a $500 deductible, does secondary mean for me that they will pay
the 500 but not the bigger amount that my own insurance would have paid
if I had some. Or they won't pay anything?

micky

Dec 19, 2016, 1:44:37 PM
In comp.mobile.android, on Mon, 19 Dec 2016 05:23:56 -0500, tlvp
<mPiOsUcB...@att.net> wrote:

>On Sat, 17 Dec 2016 19:48:03 -0500, Alek wrote:
>
>>> FWiW, while I am a Comcast customer, have no xfinity username or password,
>>> or email account.
>>
>> Do you have a comcast username?
>
>No. Comcast is my TV provider, not my ISP. Cheers, -- tlvp

What you need is a TV to Internet converter. And for when you're not at
home, a TV to cell data converter.

nospam

Dec 19, 2016, 3:00:17 PM
In article <n9ag5ct3dutr6cuel...@4ax.com>, micky
<NONONO...@bigfoot.com> wrote:

> >
> >just about all cards offer secondary auto rental insurance and a few
> >offer primary, both of which covers collision.
>
> By secondary, do you mean after my own car insurance pays?

yes.

> The thing
> is that I don't have collision insurance on my own car, so I have none
> of that.

in some cases, secondary becomes primary when you don't have your own
primary collision coverage.

call both your insurance provider and the credit card issuer and ask
what is covered in your situation.

> And if the credit card offers secondary but doesn't offer primary, I
> wonder what that means for someone like me. If most collision policies
> have a $500 deductible, does secondary mean for me that they will pay
> the 500 but not the bigger amount that my own insurance would have paid
> if I had some. Or they won't pay anything?

typically, secondary will cover what your insurance doesn't, which
should include any deductible. keep in mind that there will be a
collision payout on your record which may affect your rates in the
future.

primary means the card covers all repairs (usually up to $75k-$100k)
without involving your insurance.

some vehicles may be exempt, such as a moving truck or a high end car,
such as a ferrari.

AL

Dec 19, 2016, 6:33:37 PM
On 12/19/2016 8:40 AM, nospam wrote:
> AL <l4522...@invalid.com> wrote:

> you don't have true 2fa.

What's true 2FA? Google wants to know.

> you clearly don't understand how it all works

You clearly don't understand the various ways 2FA can work.

>> But since my devices are trusted I could certainly log in using
>> that strange WiFi, even with 2FA installed, even with no cell
>> service.
>
> if you can log in without getting a text, you don't have 2fa.

Course I do. Google says so. And I still have the 2FA protection because
someone knowing my name/password trying to hack my account on a strange
device would generate a text to *my* phone. He would be unsuccessful and
I would be warned of the hack attempt. And of course that scary
unencrypted text you worry so much about is only sent once to a trusted
device for the life of the app - many months in my case.

> that also means that if your trusted device is lost/stolen, someone
> *else* could potentially log in.

Nope. They would need several further passwords to break in both the
device and to each separate app.

> 2 factor authentication is two of: something you know (password)
> something you have (code generator via app, dongle, etc.) something
> you are (fingerprint, retina scan, etc.)

Google can save passwords on the device for you, is that no longer a
real password? And Google can save a 2FA code on a trusted device, is
that no longer 2FA?

> a text message sent to you via an unencrypted channel and which can
> be intercepted is none of those.

On a trusted device the text code is sent only once for the life of the
app, perhaps once in months. Not a real big security risk IMO.

> there's nothing to straighten out beyond contacting the bank that
> your account was hacked.

Bwahahahah!!! You've obviously never dealt with my bank...

> and in reality, they probably know already and will be contacting
> you first because if their database was compromised, millions of
> people will be affected, not just you.

Yup. Twice already for me. Change passwords and free credit monitoring.
Big Whoop.


> i gave *two* links that explain why security professionals,
> including bruce schneier and the nist, say using text messages for 2fa
> is an incredibly bad idea.

Perhaps. But using texted 2FA rather than no 2FA is still an incredibly
good idea.

nospam

Dec 19, 2016, 6:55:28 PM
In article <o39qlp$2gu$1...@dont-email.me>, AL <l4522...@invalid.com>
wrote:

>
> > you don't have true 2fa.
>
> What's true 2FA? Google wants to know.

no they don't, since they know exactly what it is already, given that
they offer proper totp 2fa, with several third party apps that can
generate the codes. nothing is sent over the air.

> > you clearly don't understand how it all works
>
> You clearly don't understand the various ways 2FA can work.

more than you do, that much is clear.

here's more:
<http://thehackernews.com/2016/07/two-factor-authentication.html>
However, NIST argues that SMS-based two-factor authentication is an
insecure process because it's too easy for anyone to obtain a phone
and the website operator has no way to verify whether the person who
receives the 2FA code is even the correct recipient.

In fact, SMS-based two-factor authentication is also vulnerable to
hijacking, if the individual uses a voice-over-internet protocol
(VoIP) service, which provides phone call service via a broadband
internet connection instead of a traditional network.

Since some VoIP services allow the hijacking of SMS messages, hackers
could still gain access to your accounts protected with SMS-based
two-factor authentication.

Also, the designing flaws in SS7 or Signalling System Number 7 also
allows an attacker to divert the SMS containing a one-time passcode
(OTP) to their own device, which lets the attacker hijack any
service, including Twitter, Facebook or Gmail, that uses SMS to send
the secret code to reset account password.

Even some devices leak secret 2FA code received via SMS on the lock
screen.

> >> But since my devices are trusted I could certainly log in using
> >> that strange WiFi, even with 2FA installed, even with no cell
> >> service.
> >
> > if you can log in without getting a text, you don't have 2fa.
>
> Course I do. Google says so. And I still have the 2FA protection because
> someone knowing my name/password trying to hack my account on a strange
> device would generate a text to *my* phone. He would be unsuccessful and
> I would be warned of the hack attempt. And of course that scary
> unencrypted text you worry so much about is only sent once to a trusted
> device for the life of the app - many months in my case.

all they need to do is intercept the sms messages, or even better,
activate a new sim/phone under your account.

now the 2fa codes go to the bad guys, and as for the passwords, they
can be phished, guessed or obtained in other ways.

<https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief>
A few weeks ago an unknown person walked into a mobile phone store,
claimed to be me, asked to upgrade my mobile phones, and walked out
with two brand new iPhones assigned to my telephone numbers. My phones
immediately stopped receiving calls, and I was left with a large bill
and the anxiety and fear of financial injury that spring from
identity theft. This post describes my experiences as a victim of ID
theft, explains the growing problem of phone account hijacking, and
suggests ways consumers and mobile phone carriers can help combat
these scams.

tlvp

Dec 19, 2016, 8:38:45 PM
On Mon, 19 Dec 2016 13:44:33 -0500, micky wrote:

> What you need is a TV to Internet converter.

I do? Why? And: suggest one, please.

> ... And for when you're not at
> home, a TV to cell data converter.

Again, please: suggest one.

Thanks. Cheers, -- tlvp

tlvp

Dec 19, 2016, 8:41:33 PM
On Mon, 19 Dec 2016 07:49:30 -0500, nospam wrote:

> just about all cards offer secondary auto rental insurance and a few
> offer primary, both of which covers collision.

In my experience, some do, and some don't, especially when it comes to
coverage for rentals *abroad*. YMMV. Cheers, -- tlvp

tlvp

Dec 19, 2016, 8:44:33 PM
On Mon, 19 Dec 2016 13:42:48 -0500, micky wrote:

>>> do post back to tell us which bank and what they market
>>> that card as: lots of us could use just such a card type as well here.
>
> Where is "here"?

Initially, by "here", I meant the c.m.a. NG. But you can take "here" to
mean "the USA" if you prefer :-) . Cheers, and TiA, -- tlvp

AL

Dec 19, 2016, 10:19:35 PM
On 12/19/2016 4:55 PM, nospam wrote:
> AL <l4522...@invalid.com> wrote:

>> What's true 2FA? Google wants to know.
>
> no they don't, since they know exactly what it is already, given that
> they offer proper totp 2fa, with several third party apps that can
> generate the codes. nothing is sent over the air.

Google has several ways to do 2FA. None is ID'ed to be 'true'.

> NIST argues that SMS-based two-factor authentication is an insecure
> process because it's too easy for anyone to obtain a phone and the
> website operator has no way to verify whether the person who
> receives the 2FA code is even the correct recipient.

This would apply to both text 2FA and your true 2FA.

> Since some VoIP services allow the hijacking of SMS messages, hackers
> could still gain access to your accounts protected with SMS-based
> two-factor authentication.

My trusted device apps don't request 2FA codes to hijack. (I don't use
VOIP anyway.)

> Also, the designing flaws in SS7 or Signalling System Number 7 also
> allows an attacker to divert the SMS containing a one-time passcode
> (OTP) to their own device, which lets the attacker hijack any
> service, including Twitter, Facebook or Gmail, that uses SMS to send
> the secret code to reset account password.

Ditto last answer. Unless they catch me when I request that one new code
sometime in the future (probably next few months). Unlikely IMO.

> Even some devices leak secret 2FA code received via SMS on the lock
> screen.

Leak? There is a setting on my phone that allows texts on the lock
screen. I have it turned off.

> all they need to do is intercept the sms messages,

No 2FA codes to intercept from me in quite a while.

> or even better, activate a new sim/phone under your account.

Perhaps make calls? But not much else in my name without my Google account.

> now the 2fa codes go to the bad guys,

Without the name/password for my apps there's no way to request a code.

> and as for the passwords, they can be phished,

Getting phished? An idiot problem, not a 2FA problem.

> guessed

Not in my case.

> or obtained in other ways.

Vague...So I will apply it to both text 2FA and your true 2FA.

> identity theft. This post describes my experiences as a victim of ID
> theft, explains the growing problem of phone account hijacking,

Shit happens. Not sure how you think your true 2FA would help here...

nospam

Dec 19, 2016, 11:07:38 PM
In article <t91qv0itnl58$.1b5qj9fr...@40tude.net>, tlvp
<mPiOsUcB...@att.net> wrote:

>
> > just about all cards offer secondary auto rental insurance and a few
> > offer primary, both of which covers collision.
>
> In my experience, some do, and some don't, especially when it comes to
> coverage for rentals *abroad*. YMMV. Cheers, -- tlvp

nearly every credit card includes auto rental insurance in some form,
including abroad. they have to, because the competition does. there may
be limitations in a couple of countries but that's about it.

obviously, the higher tier cards will have better coverage than lower
tier cards, including primary.

bottom tier cards might not include coverage because they're targeted
at people who can't qualify for anything better and probably can't
afford to rent a car anyway. perhaps that's the type of card you have.

micky

Dec 20, 2016, 1:15:44 AM
In comp.mobile.android, on Mon, 19 Dec 2016 20:38:46 -0500, tlvp
<mPiOsUcB...@att.net> wrote:

>On Mon, 19 Dec 2016 13:44:33 -0500, micky wrote:
>
>> What you need is a TV to Internet converter.
>
>I do? Why? And: suggest one, please.

I don't think they make them, but that's what you need. Because it
would take your comcast TV and use it to provide internet.
>
>> ... And for when you're not at
>> home, a TV to cell data converter.
>
>Again, please: suggest one.

I didn't say there was one. Just that you need one. It would take your
comcast TV and provide data to your cell phone where you're not at home.

<g>

>Thanks. Cheers, -- tlvp

nospam

Dec 22, 2016, 7:15:18 PM
In article <o3a7th$ues$1...@dont-email.me>, AL <l4522...@invalid.com>
wrote:

> >> What's true 2FA? Google wants to know.
> >
> > no they don't, since they know exactly what it is already, given that
> > they offer proper totp 2fa, with several third party apps that can
> > generate the codes. nothing is sent over the air.
>
> Google has several ways to do 2FA. None is ID'ed to be 'true'.

i didn't say true. i said proper. do not twist what i say.

sms 2fa is not 2fa and trivially hacked.

> > NIST argues that SMS-based two-factor authentication is an insecure
> > process because it's too easy for anyone to obtain a phone and the
> > website operator has no way to verify whether the person who
> > receives the 2FA code is even the correct recipient.
>
> This would apply to both text 2FA and your true 2FA.

nope and it's not mine. it's an industry standard.

with totp, there is no code to receive which means it *cannot* be
intercepted. the code is generated by the user, either with an app or a
physical key, and must match the code generated by the provider, which
is valid for 30 seconds (typically).

> > Since some VoIP services allow the hijacking of SMS messages, hackers
> > could still gain access to your accounts protected with SMS-based
> > two-factor authentication.
>
> My trusted device apps don't request 2FA codes to hijack.

then you don't have 2fa.

> (I don't use
> VOIP anyway.)

your loss.

> > Also, the designing flaws in SS7 or Signalling System Number 7 also
> > allows an attacker to divert the SMS containing a one-time passcode
> > (OTP) to their own device, which lets the attacker hijack any
> > service, including Twitter, Facebook or Gmail, that uses SMS to send
> > the secret code to reset account password.
>
> Ditto last answer. Unless they catch me when I request that one new code
> sometime in the future (probably next few months). Unlikely IMO.

if you're requesting codes every couple of months, you aren't using 2fa.

> > Even some devices leak secret 2FA code received via SMS on the lock
> > screen.
>
> Leak? There is a setting on my phone that allows texts on the lock
> screen. I have it turned off.

you might. others don't. and even if you do disable it, all it takes is
intercepting them.

> > all they need to do is intercept the sms messages,
>
> No 2FA codes to intercept from me in quite a while.

which means you're not actually using 2fa.

> > or even better, activate a new sim/phone under your account.
>
> Perhaps make calls? But not much else in my name without my Google account.

phone calls aren't the issue, but that won't work for you either.

> > now the 2fa codes go to the bad guys,
>
> Without the name/password for my apps there's no way to request a code.

someone who has hijacked your phone will already have all of that.

> > and as for the passwords, they can be phished,
>
> Getting phished? An idiot problem, not a 2FA problem.

not an idiot problem.

people who are smart enough to know not to be phished get phished,
including reporters doing research on phishing and *expecting* to be
phished so they're on the lookout for suspicious activity.

> > guessed
>
> Not in my case.

ignorance is bliss.

> > or obtained in other ways.
>
> Vague...So I will apply it to both text 2FA and your true 2FA.

nothing vague about it and it's not my 2fa.

how a system is hacked does not matter. what matters is that the
passwords get compromised.

> > identity theft. This post describes my experiences as a victim of ID
> > theft, explains the growing problem of phone account hijacking,
>
> Shit happens. Not sure how you think your true 2FA would help here...

because compromising someone's account with 2fa is *extremely*
difficult.

you're in way over your head.

Frank Slootweg

Dec 27, 2016, 4:23:27 PM
tlvp <mPiOsUcB...@att.net> wrote:
> On Mon, 19 Dec 2016 07:49:30 -0500, nospam wrote:
>
> > just about all cards offer secondary auto rental insurance and a few
> > offer primary, both of which covers collision.
>
> In my experience, some do, and some don't, especially when it comes to
> coverage for rentals *abroad*. YMMV. Cheers, -- tlvp

Exactly! And 'abroad' the 'deductible' - often called 'excess' - can
be several/many *thousands* of dollars [1], making your CC 'insurance'
worth less than the paper it's written on.

The extra premium to reduce/eliminate the deductible/excess can be up
to many tens of dollars a day.

Do 'you' (not you, tlvp, but a certain poster - again - telling -
US-centric? - fairy tales) *really* think that a CC company will cover
that kind of money out of the goodness of their heart!?

Back in the real world: *Check* what and how much your CC *really*
covers, or you might be in for a very nasty surprise.

[1] And even (much) more if the 'car'/'auto' is something other than a
normal passenger car.

tlvp

Dec 27, 2016, 11:34:29 PM
Thanks, Frank. Me? I wasn't going to expend the effort to detail all that
in some misguided attempt to educate the ineducable :-) . Cheers, -- tlvp