Interesting, I received an e-mail from my bank (TD) pointing out that they now support using my Android -or- BlackBerry phone (no mention of the iPhone 6, since it only supports NFC for Apple Pay) to make small payments as an NFC (tap and go) device, if I have a supported credit card with them (which, surprisingly, I do).
Now Your Phone is Your Wallet?
To quote TD’s e-mail to me:
Any TD EasyWeb customer with a supported Android or BlackBerry smartphone, eligible TD Credit Card and the TD app can enjoy using TD Mobile Payment. The Android or BlackBerry smartphone must be certified and enabled with Near Field Communication (NFC) technology (contactless) and an NFC SIM Card to securely store your payment information, and have a mobile plan with a participating carrier/service provider.
The nice part is that this is integrated into the TD Banking App, so there is a degree of security (I hope) with the app. I am not sure, but I hope I have to log into the app to be able to use the NFC capabilities of the app and phone (together), and not just enable it once and then be able to willy-nilly tap and pay (thus enabling anyone with my phone to do the same).
Is this a secure method of payment? I am not sure of the mechanics in the Android and BlackBerry phones; however, Android phones do have a reputation for being a little less secure than other phones (as all open systems do, when you let everyone see the source code, and that includes the bad guys). Google has been working hard to improve Android’s reputation in the security area, but it is going to take a while to do that.
Am I recommending this service and TD? No, I am simply pointing out yet another interesting new way to spend your money. They keep making it easier and easier to spend your money.
How hard is it to get all of your information? One of the major victims, Ms. Kardashian™, has a plethora of security folks, and Kanye West™, to protect her on-line; who do you have?
This is really sad but true: the folks hunting down all the information “in the Cloud” (skip that movie too) and trying to extricate your personal info for their own nefarious deeds are the same (type of) folks that are hacking your home computer, your bank’s computer, your Internet Service Provider’s database, Google’s info DB, etc., etc.
Everybody is watching, including the bad guys
Remember only a few weeks back, my info got hacked from Home Depot (sure, I have free Equifax, but that is a small payback given I am now being inundated with spam e-mails). I have written countless articles about security:
This is all to point out that assuming that you are safe might be a little naive (oh, and did you read about ISIS threatening your bedrooms too?); this world is getting scarier and scarier. If you are looking for me, I will be hiding under YOUR bed (they won’t think to look for me there).
Oh and my apologies on the cheap pop for the title as well.
After the past few weeks of fun and excitement on the Web, I have decided to practice what I preach by starting to decrease my Electronic Footprint. The Heartbleed Bug will mean that we must all go and change all of our passwords and such to get back to a less vulnerable stance (sorry I have been watching MI-5 on Netflix).
One of the first steps I have taken is to minimize financial issues, and I had a small account with Mint.com, which was mostly to just try things out, that I have now deleted. The account was not being used; all it did was tell me once a month that one of my credit cards had a balance, but no longer.
The reasons for cancelling this part of my electronic footprint:
- The account was not being used and all it could do was act as a gateway for “bad folk” to break into my financial life and crap all over the place.
- Mint, while an interesting service, can cause a great deal of consternation with your financial providers as well, if your account is cracked and used for bad things. I am not sure if your bank could do anything, but I don’t think you want to expose yourself to any possible jeopardy from sharing your banking information.
- It is one less password and user id to remember or worry about.
I actually have a very long list of user ids and passwords that I will now be going through to decide to either:
- Change the password to something new
- Delete the account because I can’t justify having this “possible security hole” still existing
Oh, and understand that a lot of accounts don’t actually go away if you “DELETE” them (e.g. Facebook), so remember to read carefully what happens if you try to DELETE an account.
No, not sin, Social Insurance Numbers, that SIN.
If the Social Insurance Number is simply a number given out each time a Canadian asks for one, the maximum number of encodings is simply 999,999,999 codes. That seems like a very large number, and why would anyone worry about running out of numbers in this program? The Social Insurance Number has become the de facto standard for identification in Canada (especially financially), and a number to be guarded closely, so each number is very important.
[Image: A very fake Social Insurance Number]
Some points to think about this number:
- I don’t think anyone has the Social Insurance Number 000 000 001 or anything like that encoding, so there aren’t as many numbers as we think. Is the exact number of available SINs published anywhere? I don’t think it is, but maybe I missed out on that.
- From 1973 to 1994 the three digit prefix (the first three numbers) increased by about 265 (if I compare my SIN to my children’s SIN), so not an insignificant increase. From 1994 to 2005 the prefix digits increased by 035. This assumes that the numbers are allocated in an increasing order.
- There are no more plastic SIN Cards being made, you simply get a letter with your SIN and that is it!
- Given 900 SINs were lost with the Heartbleed bug, how many more digits are lost due to identity theft and such?
- Is there a recovery program for digits after someone dies? I don’t think so.
- Temporary SINs have 9 as the first digit, and, depending on where you apply, your leading digit will reflect that (see Wikipedia for this).
- There is a checksum to easily figure out if a SIN is real or bogus.
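The checksum mentioned above is the Luhn algorithm (the same one used on credit card numbers; the post does not name it). The following is an added example, not code from the original post: it validates a SIN, flags the 9-prefixed temporary numbers described above, and counts how many 9-digit strings in a block actually pass the checksum, which shows that the check cuts the usable space to one in ten. The sample numbers are constructed test values, not real SINs.

```python
"""Canadian SIN check: Luhn checksum plus leading-digit classification."""
import re


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: double every second digit counting from the right,
    subtract 9 from any doubled value above 9, then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalize(sin: str) -> str:
    """Strip the spaces or dashes people type between the digit groups."""
    return re.sub(r"[\s-]", "", sin)


def is_valid_sin(sin: str) -> bool:
    """True only for nine digits whose Luhn sum is a multiple of ten."""
    digits = normalize(sin)
    if not re.fullmatch(r"\d{9}", digits):
        return False
    return luhn_sum(digits) % 10 == 0


def check_digit(prefix8: str) -> str:
    """Return the single check digit that completes an 8-digit prefix."""
    if not re.fullmatch(r"\d{8}", prefix8):
        raise ValueError("prefix must be exactly 8 digits")
    # Appending "0" puts the check position at index 0 (not doubled).
    return str((10 - luhn_sum(prefix8 + "0") % 10) % 10)


def classify_sin(sin: str) -> str:
    """'invalid', 'temporary' (leading 9, as the post notes) or 'permanent'."""
    digits = normalize(sin)
    if not is_valid_sin(digits):
        return "invalid"
    return "temporary" if digits[0] == "9" else "permanent"


def count_valid_in_block(prefix6: str) -> int:
    """Count checksum-valid SINs among the 1,000 numbers sharing a 6-digit prefix."""
    if not re.fullmatch(r"\d{6}", prefix6):
        raise ValueError("prefix must be exactly 6 digits")
    return sum(is_valid_sin(prefix6 + f"{n:03d}") for n in range(1000))
```

Because exactly one check digit completes each 8-digit prefix, only 10^8 of the 999,999,999 strings the post counts can ever pass the checksum.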
Am I just fear-mongering now? It’s possible, but I just wonder if we are going to hear in about 20 years that the Social Insurance Number will go from being a 9-digit number to either:
- A 9-digit hexadecimal number (base 16) (e.g. DEA DBE EF9)
- A 12-digit regular number
Those would be simple fixes I suppose, except then every and any program that used the SIN for identification would need to be recoded (can you say Y2K?).
Yes, you should really care about this large hole in an allegedly secure internet world. Can you do something about it? That remains to be seen.
Someone either wrote bad code, or built in their own back door, in the OpenSSL product, which is the basis for many (read LOTS) of the “secure internet” applications that are used on the Web and elsewhere, and created the Heartbleed Bug with this change. This is so interesting, there is a Heartbleed Bug web site! If you really want a detailed explanation, read Bruce Schneier’s explanation (he says on a scale of 1 to 10 in terms of bad, this is an 11).
How serious is this problem? Well, the CRA shut down Netfile for now, because they weren’t sure if they were victims of this problem. My bank didn’t shut down their Web Banking, so they either don’t think this is a big issue, or they know they did not use that code.
What should you do about it? I have seen lots of folks screaming that we should all be changing our passwords right away, which might be a good idea, except if you then use it on a site that has not been “fixed” yet, your new password is now available to Evil Hackers as well.
It might be best to find out which sites you use that might have this “software flaw” in them, and once a site declares it is safe, then change your password there. If you have a common password which you use everywhere, you might want to change it everywhere as well. You can test a site here, but I also am not sure if that site’s findings are (1) believable or (2) to be trusted.
The good news is that this bug has been around since 2011? Does that mean no one noticed this before, or it has been exploited for a long time and now it is becoming well-known? I have no idea, but this is another argument about why you should regularly change ALL of your passwords, especially for on-line banking and such.