The Plastic in Your Wallet: How to Pay

As both a customer and a bank employee, I see the frustrations on both ends of monetary transactions.  Since we don’t pay for anything with cash anymore, and with cybercrime and fraud keeping pace with the exponential growth of technology, studying ways to protect oneself quickly becomes a rabbit hole of madness and despair.  Well fear not (rather, keep a healthy level of fear)!  I will use my experience in the industry to try to simplify this nagging question: how do I pay for things?  I will do this by tackling two subjects: Liability and Security.

Liability

Liability is simply: who is immediately responsible for fraudulent transactions?  I say “immediately” because ultimately the bank still has to investigate, but depending on the type of transaction, someone’s money is tied up in the meantime.  Also, ultimately customer loss is covered under different legal protections by transaction type.  I will explain.

For Debit Cards, customer liability is based on when activity is reported.  If a lost card is reported and then the card is used, that’s the bank’s fault for not deactivating the card.  If the customer waits 2 days, there’s a $50 liability.  Beyond that, up to 60 days, there’s a $500 liability.  Beyond 60 days, the customer is not protected from the loss.

A second point on Debit Cards–it’s the customer’s money that’s tied up during an investigation, depending on how nice the bank is.  So even if you immediately report a lost card, and someone uses it to drain your account, you’re up a creek with no personal funds while the investigation is underway.  That’s an extreme example, but something to consider.

For Credit Cards, customer liability is also based on when activity is reported, but it’s far less important.  Technically, the law was very similar to Debit Card liability until the CARD Act.  Now, the 60-day rule no longer applies, so customer liability caps out at $50.  Even so, most credit card companies simply waive that paltry (to them) $50 liability for marketing purposes (pay attention to the next solicitation you get in the mail).

And, referencing the earlier point, a credit card is not the customer’s money.  While an investigation is pending, it is not the customer’s finances that are being held.  A stolen credit card is an inconvenience, yes, but a relatively minor one.

Security

Remember the Ident-i-Eeze card?

Now that we’ve covered who’s responsible for what, we can address what is the safest method of payment.  Security is defined by 3 methods: something you have (a physical card), something you know (a PIN), and something you are (biometrics).  Security is enhanced as these methods are compounded.  To explain: a magnetic strip credit card only leverages a single method: possession of the card itself.  A physical swipe is all that’s needed for authorization.  This method fails when that account information can be flashed to blank cards, creating facsimiles (counterfeit fraud, in the industry).  Account information is stolen both on an individual basis, when a harvester (anyone nefarious who has temporary access to your card) reads the unencrypted account number off the mag strip, and from merchant databases (since merchants store your full account number for transactional history).

To address these problems, the EMV chip was introduced.  The idea is that a card would leverage a second factor of authorization: something you know.  In this case, a PIN would be coded into the chip with the account number and encrypted, thus preventing card duplication and rendering a card useless if stolen.  It also makes storing and stealing information less useful because each transaction is assigned a session token, determined by an algorithm on the chip and applied to transaction-specific data and a terminal nonce.  The token is only valid for that transaction, and the bank takes it as verification that it was your card being used.  This became known as the Chip and PIN method.

But, this method was neither standardized nor enforced.  EMV whitepapers include a number of possible applications, which translates to varying degrees of security that the customer can’t readily determine.  And so, we also ended up with the Chip and Signature method.  This undermines part of the point by not requiring a second factor of authentication (i.e. the PIN).  The Chip and Signature method encrypts the account information and generates tokens in the chip, same as Chip and PIN, hopefully preventing harvesting the information and mitigating counterfeit fraud, but it doesn’t require a PIN.  You see the difference–a stolen card can still be used.

Also, until chipped cards are mandatory, many are still printed with a magnetic strip, defeating all the benefits of the chip.  The law shifted so that the bank can now force all liability on the merchant for not supporting chip technology, but nothing is legally required, so in the meantime we still have cards with insecure magnetic strips.

Now back to debit cards.  The original debit card was only a debit card.  It had an insecure account number in a magnetic strip, yes, but it required a PIN to authorize–so two factor.  A stolen card, therefore, was theoretically useless as the thief wouldn’t have the PIN.  But, then banks started leveraging the credit card networks to offset transaction costs, which is why you can run your debit card as a credit.  Running it this way doesn’t require a PIN, thus destroying the purpose of the PIN itself, and the money still comes out of your bank account.

So to date, we had a single-factor authentication card, came up with a couple two-factor methods, undermined one, haven’t standardized the other, and came up with a way to mitigate duplicating a card but haven’t standardized or enforced it.

The most recent enhancement has been mobile pay–specifically for this article: Apple Pay.  In this method, a secondary account number, derived from a nonce (i.e. the token), is generated and stored on a mobile device.  Much as with time-based authenticators, a cryptogram is generated at the time of sale from an algorithm, the variables of which are unique to the device itself and cannot be determined mathematically from the cryptogram or the token, both of which are submitted to the merchant for authorization.  A third element, a dynamic CVV, is submitted as well, another algorithmic derivative of the token and cryptogram.  The security lies in the fact that the token, cryptogram, and CVV output are all required for a transaction, yet two of them are dynamic, and the cryptogram, which ties together the mathematical relationship, relies upon device-specific identifiers that are encrypted on the device and never divulged–only verified through the process–likely a hash (this is an overview, as the specific details are not published).  The point is that any information harvested in the transaction or stored cannot be used to determine the account number, nor re-used, nor applied to determine the cryptogram’s elements that generate the cryptogram/CVV.
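Here is a toy model of the per-transaction cryptogram described above for the chip and for Apple Pay. It is an added example, not part of the original post and not the real EMV or Apple Pay algorithm: HMAC-SHA256 stands in for the unpublished algorithm, and the class names, token value, nonces and message fields are all made up for illustration.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """MAC over the transaction counter, the amount and the terminal's nonce."""
    msg = counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """Card chip or phone: the secret key stays inside, only cryptograms leave."""

    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents: int, nonce: bytes) -> dict:
        self._counter += 1  # every purchase gets a fresh counter value
        return {"token": self.token, "counter": self._counter,
                "amount": amount_cents, "nonce": nonce,
                "cryptogram": make_cryptogram(self._key, self._counter,
                                              amount_cents, nonce)}


class Issuer:
    """Bank side: knows each token's key and the last counter it accepted."""

    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, token: str, key: bytes) -> None:
        self._keys[token], self._last_counter[token] = key, 0

    def authorize(self, msg: dict) -> str:
        key = self._keys.get(msg["token"])
        if key is None:
            return "declined: unknown token"
        expected = make_cryptogram(key, msg["counter"], msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= self._last_counter[msg["token"]]:
            return "declined: counter already used"
        self._last_counter[msg["token"]] = msg["counter"]
        return "approved"


def demo() -> dict:
    key = secrets.token_bytes(32)
    issuer = Issuer()
    issuer.enroll("TOKEN-0001", key)           # constructed placeholder token
    chip = Chip("TOKEN-0001", key)

    first = chip.pay(1999, b"\x01\x02\x03\x04")  # constructed terminal nonce
    results = {"genuine": issuer.authorize(first)}
    # What a merchant database or harvester could hold is the message in `first`.
    results["exact_replay"] = issuer.authorize(dict(first))
    # A different terminal picks its own nonce, so the stored cryptogram no longer fits.
    results["new_terminal"] = issuer.authorize({**first, "nonce": b"\xaa\xbb\xcc\xdd"})
    results["changed_amount"] = issuer.authorize({**first, "amount": 999999})
    # The real chip keeps working because it can compute the next cryptogram.
    results["next_purchase"] = issuer.authorize(chip.pay(500, b"\xaa\xbb\xcc\xdd"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

A magnetic strip has no equivalent of `make_cryptogram`: the same static data is sent every time, which is why a copy of it keeps working.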

Furthermore, the mobile pay method leverages the security of the customer’s mobile device, therefore enforcing two factor authentication (the phone’s password/owner’s fingerprint).  And, since all data is encrypted by default on an iPhone, stealing the phone won’t allow its use for payment.

Conclusion

For maximum security and minimal liability, use a mobile pay method backed by a credit card.  After this, I rank other methods in decreasing order of ideal security/liability combination: mobile pay/debit card; Chip and PIN credit card*, Chip and PIN debit card*; Chip and Signature credit card*; magnetic strip credit card, Chip and Signature debit card, magnetic strip debit card.

*Only if card does not also have a magnetic strip.

NOTE: I have yet to be issued a chip-only card.  So far, they have all been dual chip/magnetic strip cards.  Dual cards ultimately offer little benefit over magnetic strip only cards if the card is stolen, but do use the chip over the strip whenever possible as this still limits the use of stored credit card data.

Bottom line: use mobile pay if possible, and always use a credit card over a debit card.

Also, you might be wondering how a phone or internet transaction occurs, to which I say: good question.  If no one’s scanning the card/device, obviously the card’s security is moot.  Although, Apple Pay does integrate with iOS applications, so you can pay through the same device’s merchant application as Apple Pay.  And for EVVs, there is information regarding an out of band dynamic CVV generation….

Obviously we’re still working on the problem as a society.  I dunno, maybe pay with cash after all.

–Simon

Changing Priorities

Have you ever played a video game series, and the dates of release uncannily correspond to life events?  I take this as evidence that I am of the gamer generation, not simply here during a time in which video games exist.

Man I wish I could have played that

Back when I was in Jr. High School, I had a friend who was obsessed with Fallout.  He talked about it endlessly, and I admit that it sounded bad-ass.  But, my family was not only opposed to video games (of the generation that considered them mind-rotting indulgences (you know, the Victorians complained about their children reading too many books–some things never change)), but we were an Apple-using family–back in the day in which it was considered counter-culture and what I considered cool, but therefore excluded from the PC-gaming community.  So I never got to play it.

A couple years out of college, and into the beginnings of my disillusionment upon experiencing the workforce for the first time, I used my newfound full-time salary to escape reality.  It was during this period, 2008, that Bethesda, having now acquired the rights to the Fallout franchise, published their first game under that title: Fallout 3.  And, it was fantastic.

I don’t want to set the world on fire

At the time, something I didn’t realize, was how appropriate the narrative was to my circumstances.  In a very abridged plot synopsis: a young man gets involved in some local politics, enters the bigger world in an attempt to find his father and the work he was entangled with to better said greater world, and in the process achieves his noble victory at great personal loss.  How strongly that resonated.  How much I wished that my own suffering was for some greater cause.

In 2015, Fallout 4 came out.  By that time, I was married and had a daughter.  This time, the plot involved tracking down my spouse’s murderer and child’s kidnapper.  Ouch.  It was a bit of a different emotional pull.  Plus, this time the game’s theme involved trying to rebuild the world and take care of the populace, rather than generally ignoring or using them to further personal objectives.  The protagonist, in these regards, was far more mature.

It’s all over, but the crying

Some consider me a part of Generation-Y, while others define me as at the older end of the Millennials.  What seems to be apparent, however, is that I am at the exact age during which video games evolved from simplistic novelties into powerful forms of emotional media.

–Simon

Cheating

Since the vegetable garden got decimated by frost, I was forced to do something I’ve never done before: buy tomato plants.  I’ve purchased seed of course, and the first year we were in our last townhouse my mother-in-law gave us two tomato plants, but never before have I purchased them at a store.  And once I grow a plant, I save seed–partly out of a sense of self-sufficiency and the desire to maintain my own seed stores, partly to discover new hybrids, and partly because the germination rate on saved seed is significantly better than store-bought (not to mention free).

But with over half my tomato plants dead, and since I didn’t get the chance to put in a vegetable garden at the new house last year, this year I was going to have tomatoes dammit!  So when the local Lowe’s started putting them on sale, I relented.

Normally I don’t get tomatoes until July, but here I am with a single tomato, growing from the heirloom yellow lemon variety:

I see you!

I suppose since I’ve recently depleted my canned tomato stores, that I can forgive myself just this once.

–Simon

Not So Boldly Going (Part 4)

Tutorial finally complete, it was time for questing!  First order of business: inform the widower of the Bile Hurk’s former first officer that she died in glorious combat…or I’m assuming anyway.  If you recall, Kur’P Ud Wakk more or less stumbled into that scene, so the particulars of her death, beyond that the former captain dunnit, were left to speculation.  Still, Klingons.  I imagine if I told her family that she died like a bitch (like the captain), then the streets would flow with the blood of Klingons.

But I didn’t have the choice anyway.  For an RPG, this game doesn’t exactly have a whole lot of decisions built into it.  But this is an older game from a time preceding RPG character repercussions, so I had no choice but to be the good guy.  Following the GPS embedded into the upper-left corner of my eye, I found this guy and delivered the news (yes, by pressing “A”).  Button mashing commenced, because I really didn’t care at all about this guy or his reaction.  Kur’P Ud Wakk’s short command career had apparently already made him incredibly callous.  I left the Klingon to grieve, which probably meant blood wine…because they’re Klingons and that’s all I’ve ever seen them drink in any of the Star Trek series.  Klingons have blood wine, Romulans have Romulan ale (which is illegal in the Federation because of some embargo, like Cuban cigars–this gets mentioned a lot), and the Federation has their non-alcoholic synthesol (although Picard has been known to enjoy some genuine wine from his family’s estate in France).  The future of alcohol seems pretty sad I must say.  I muse on this while I pour another glass of bourbon from my decanter.

I think Hugh Janus had to do this as well, which seems a little odd.  Imagine an enormous Klingon runs up to you and tells you that your wife is dead, all the while someone else stands awkwardly close to your conversation, only to interject the moment you finish talking to tell you that your wife is dead.  I’m no Klingon, but that might make me a little violent.  To recap, it went something like this:

Kur’P Ud Wakk:

‘Hi, your wife is dead.’

Widower:

‘Uh, okay.’

Hugh Janus:

‘Hi, your wife is dead.’

Widower:

‘…Yeah, okay, I got that.’

Kur’P Ud Wakk and Hugh Janus high-five and shout in celebration, then take off running at full speed, because no one ever walks anywhere in an RPG.

But the Klingon did not get violent, and despite the nature of the quest, we celebrated having successfully completed an objective together.  We had figured out game mechanics.

But the quest was not yet completed.  For some reason, this objective was lumped in with the next: going to a warehouse, shooting some people, and activating terminals.  So we do just that.  Kur’P Ud Wakk skillfully balances pressing the right trigger and “A”, dropping foes with his disruptor.  Hugh Janus, on the other hand, goes in ineffectually swinging a bat’leth.  Kur’P Ud Wakk suspects he was impressed after witnessing his own mad break-dancing moves earlier and wants to show off.  I anticipate a bat’leth duel between the two at some point.

On the way out, a bigger baddie shows up, which requires many more pushings of the right trigger.  He drops, we leave the warehouse, and then we run around the station for several minutes trying to figure out where to go.

Which brings me to my next point: email!  How many RPGs have you completing objectives, but you have to physically return to the quest-giver?  And these are futuristic games.  We have video conferencing and voice chat, yet when it’s time to send a message back, the player character is apparently incapable of initiating the communication.  Like some old geezer who can’t figure out his cell phone and says “Fuck it, I’m just going to go pay this guy a visit.  I’ll go jump in my Buick and drive 20 in a 45 while everyone else is trying to get to work on time.”

Eventually, perseverance pays off when we collectively explore the entirety of the compound’s physical space, and successfully complete the objective, thus officially completing our first quest together.  I celebrate with a glass of bourbon.

–Simon

Supplements

I knew that when we purchased a house the demands for my physical labor would skyrocket.  As predicted, the chores piled up, and my body, certainly approaching the end of its prime, started objecting by chronically hurting and refusing to operate at peak efficiency.  But the body is a biomechanical machine, and while we as a people pretend to understand it way more than we actually do, logical reasoning and experimentation still apply.

I hate physicians as much as I hate hippie homeopathic peddlers.  The two represent extremes: the former–an ego-maniacal sellout to the entrenched pharmaceutical overlord, the latter–a manipulative snake-oil huckster who relies upon contradictory medical evidence to spin compelling pseudo-science.  They’re more alike than different, really (having the same motivator).  And as I always say, the truth generally lies somewhere in the middle.  Therefore I considered both positions in my conclusions.  So without further ado…

Step 1: determine the source of the problem.  Bones, joints, connective tissue, and muscles all suffer from physical punishment.  Bones strengthen from impact and aren’t a problem unless broken (and men usually don’t suffer from calcium deficiency).  Joints and connective tissue can strain and tear, but the physical therapy applied to fix this problem focuses on strengthening the supporting muscle.  My muscles themselves were constantly fatigued and suffering tears.  So with my bones not a problem, and the other points of concern all pointing to muscles, I concluded that I needed to focus on said muscles.

Step 2: determine what my muscles needed of which they weren’t getting enough.  Presumably, anything my body needs it would synthesize itself from raw organic caloric input.  Of course, it doesn’t work that way, and there are things that have to be consumed to be replenished.  Since the size of my belly can attest to me receiving sufficient caloric input, I therefore concluded that I needed to focus on the essential, vital components.  I know of two: amino acids and vitamins.

Step 3: consider the stages and requirements for muscle growth and repair.  Like anything, it needs base components.  Then to begin construction, it needs metabolizers.  And of course, to operate, it needs an energy source.  Starting point now defined, it was time to seek out something that fit the bill in the form of supplements.

Vitamins were pretty straightforward, despite what the supplements aisle at the local grocery store might suggest.  Like anything, casual interest can turn into obsession, but good lord people–they’re just vitamins.  I did, however, choose a name brand.  I had found out once from someone on the inside of the pharmaceutical industry that generic brands contain less of their reported active ingredients than name-brands, due to less stringent legal requirements.  That right there is a red flag that the industry is fucked up.  But anyway, I settled on a standard adult multivitamin.

What the hell is in there?

Amino acids, specifically essential amino acids, usually come as part of protein powder, I guess because amino acids are protein.  As I searched for something simple and minimally processed, I ruled out anything generally marketed to meatheads.  Also because I hate vegans, I didn’t want to support that in any way–which ruled out a surprising percentage of these supplements too–I guess because vegans are worried about getting enough protein.  Finally I found something that fit the bill: brewer’s yeast–the leftover byproduct of beer brewing.  It had the added bonus of supporting an industry I’m behind 100%.  Is fungi okay to eat as a vegan?  I dunno…stupid vegans.

So between vitamins and essential amino acids, I had covered supplementing my muscles with the extra material they needed for growth, repair, and production.  It wasn’t until much later that I found the answer to the energy problem, because it’s part of an industry I also despise, and because of my general concerns regarding artificial supplements: creatine.

But as it turned out, it wasn’t the artificial illegal performance-enhancing jet fuel that the 90s and Mark McGwire had led me to believe.  In fact, there is almost no evidence of long-term detrimental effects.  It is actually a natural distillate (probably not the most accurate word), of animal protein.  You can read Wikipedia for a more detailed explanation, but basically it recycles a certain energy transport nucleotide (adenosine triphosphate) that muscles use, while also allowing muscles to store more phosphocreatine, which in turn increases the rate of adenosine triphosphate synthesis.  And because it’s the same energy system the nervous system uses, it also has the benefit of enhancing cognition, so win-win.

With this trio of supplements, I now had the building blocks for muscle growth and repair, the ability to synthesize muscular protein for this purpose, and greater muscular energy and endurance–which lessened the total amount of injury I receive from exertion while allowing me the greater potential for exertion.  The wood is chopped, the lawn is mowed, and the gardens are being dug.  And, I did it all without spending a fortune or taking something dangerous.

And this combo got a true test when the garage door spring broke and I had to open it manually.  Turns out, according to the technician, it weighs about 400 pounds.  Admittedly, that did make me feel a little like a badass.  Vae Victus!

Here’s what I take for anyone interested:

https://www.amazon.com/Centrum-Multivitamin-Multimineral-Supplement-200-Count/dp/B003G4BP5G/ref=sr_1_4_a_it?ie=UTF8&qid=1492530944&sr=8-4&keywords=centrum+vitamin

https://www.amazon.com/Solgar-Brewers-Yeast-Powder-Ounce/dp/B00014DZL6/ref=sr_1_3_a_it?ie=UTF8&qid=1492530976&sr=8-3&keywords=brewer%27s+yeast

https://www.amazon.com/Six-Star-Nutrition-Unflavoured-Packaging/dp/B00DTWI5LW/ref=sr_1_3_a_it?ie=UTF8&qid=1492531034&sr=8-3&keywords=creatine+six+star

–Simon