Linked by Thom Holwerda on Mon 22nd May 2017 11:42 UTC
In the News

Like many other countries, The Netherlands uses a chip card for paying and using public transport, and while there's been a number of issues regarding its security, privacy, and stability, it won't be going anywhere any time soon. Just today, the various companies announced a new initiative where Android users can use their smartphones instead of their chip cards to pay for and use public transport.

The new initiative, jointly developed by the various companies operating our public transport system and our carriers, is Android-only, because Apple "does not allow it to work, on a technical level", and even then, it's only available on two of our three major carriers for now.

This got me thinking about something we rarely talk about: the increasing reliance on external platforms for vital societal infrastructure. While this is a test for now, it's easy to see how the eventual phasing out of the chip cards - already labelled as "outdated" by the companies involved - will mean we have to rely on platforms beyond society's control for vital societal infrastructure. Chip cards for public transport or banks or whatever are a major expense, and there's a clear economic incentive to eliminate them and rely on e.g. smartphones instead.

As we increasingly outsource access to vital societal infrastructure to foreign, external corporations, we have to start asking ourselves what this actually means. Things like public transport, payments, taxes, and so on, are absolutely critical to the functioning of our society, and to me, it seems like a terrible idea to restrict access to them to platforms beyond our own control.

Can you imagine what happens if an update to an application required to access public transport gets denied by Apple? What if the tool for paying your taxes gets banned from the Play Store days before the tax deadline? What if a crucial payment application is removed from the App Store? Imagine the immense, irreparable damage this could do to a society in mere hours.

If these systems - for whatever reason - break down today, we can hold our politicians accountable, because they bear the responsibility for these systems. During the introduction of our current public transport chip card and its early growing pains, our parliament demanded swift action from the responsible minister (secretary in American parlance). Since the private companies responsible for the chip card system took part in a tender process with strict demands, guidelines, rules, and possible consequences for failure to deliver, said companies could and can be held accountable by the government. This covers the entire technological stack, from the cards themselves up to the control systems that run everything.

If we move to a world where applications for iOS and Android are the only way to access crucial government-provided services, this system of accountability breaks down, because while the application itself would be part of the tender process, meaning its creator would be accountable, the platforms it runs on would not - i.e., only a part of the stack is covered. In other words, if Google or Apple decides to reject an update or remove an application - they are not accountable for the consequences in the same way a party to a government tender would be. The system of accountability breaks down.

Of course, even today this system of accountability isn't perfect, but it is a vital path for recourse in case private companies fail to deliver. I'm sure not every one of you even agrees the above is a problem at all - especially Americans have a more positive view of corporate services compared to government services (not entirely unreasonable if you look at the state of US government services today). In countries like The Netherlands, though, despite our constant whining about every one of these services, they actually rank among the very best in the world.

I am genuinely worried about the increasing reliance on - especially - technology companies without them actually being part of the system of accountability. The fact that we might, one day, be required to rely on black boxes like iOS devices, Microsoft computers, or Google Play Services-enabled Android phones to access vital government services is a threat to our society and the functioning of our democracy. With access to things like public transport, money, and all that come with those, locked to closed-source platforms, we, the people, will have zero control over the pillars of our own societies.

What can we do to address this? I believe we need to take aggressive steps - at the EU-level - to demand full public access to the source code that underpins the platforms that are vital to the functioning of our society. We, the people, have the right to know how these systems work, what they do, and how secure they really are. As computers and phones become the only way to access and use crucial government services, they must be fully 100% open source.

We as The Netherlands are irrelevant and would never be able to make such demands stick, but the EU is one of the most powerful economic blocs in the world. If you want access to the wealthy 450 million customers in the European Union (figure excludes the UK), your software must be open source so that we can ensure the security and stability of our infrastructure. If you do not comply, you will be denied access to this huge economic bloc. Most of you will probably balk at this suggestion, but I truly believe it is the only way to guarantee the security and stability of vital government services we rely on every single day.

We should not rely on closed-source, foreign code for our government services. It's time the European Union starts thinking about how to address this threat.

Comment by ironhead
by ironhead on Mon 22nd May 2017 11:52 UTC
ironhead
Member since:
2012-04-24

I generally agree that this kind of dependency should and could be avoided by open source.

But I seriously wonder how independent our government and administration is today, by using Microsoft Windows and Office nearly everywhere...

Reply Score: 2

RE: Comment by ironhead
by AaronMiller on Mon 22nd May 2017 12:10 UTC in reply to "Comment by ironhead"
AaronMiller Member since:
2011-05-23

I generally agree that this kind of dependency should and could be avoided by open source.

But I seriously wonder how independent our government and administration is today, by using Microsoft Windows and Office nearly everywhere...

Even without access to Windows or Office, the documents they create and edit would still be accessible. You can't really call that dependence when operations can still continue even without them. It's a reasonable case for complacency though.

Reply Score: 1

Open sourcing IS a security threat
by gotocaca on Mon 22nd May 2017 12:06 UTC
ahferroin7 Member since:
2015-10-30

The speed with which bugs are found in open source is generally a good thing though. With limited exceptions (mostly stuff in libc or the kernel itself), I usually have my Linux system secure again within 24 hours after a new CVE affecting it comes out. My Windows systems on the other hand often take at least a week to get updates, and there's nothing I can do to accelerate that myself. Notably, public disclosure embargoes are usually shorter on open source projects too, so there is generally more incentive for users to get their systems fixed ASAP.

Reply Score: 6

Kochise Member since:
2006-03-03

My heart bleed.

Reply Score: 1

ahferroin7 Member since:
2015-10-30

Which while not noticed for so long, involved a feature most people didn't use (which is part of why it wasn't noticed), and was trivial to harden against once discovered (rebuild OpenSSL with one changed configure option).

It also works as a counter-example too by the way, the code was out there and almost nobody noticed it. If OpenSSL wasn't open source, it might have never been found at all, and even if it was, it probably wouldn't have been fixed as fast.

Reply Score: 6

Soulbender Member since:
2005-08-18

Ask experts, there is no such system as 100% Secured system.


Yes you probably should ask the experts.

Edited 2017-05-23 10:33 UTC

Reply Score: 3

quackalist Member since:
2007-08-27

I'm no expert and neither am I going to ask one but think it's a kinda no-brainer to claim no system can be 100% secure.

Reply Score: 2

Alfman Member since:
2011-01-28

quackalist,


I'm no expert and neither am I going to ask one but think it's a kinda no-brainer to claim no system can be 100% secure.


It really depends how you want to look at it.

Systems built on discrete mathematics can be proven to be 100% correct. That's not hard to do in principle, and for small systems it's quite achievable, you just need to prove that every possible outcome is correct for every possible input. Given that computers are strictly finite computation machines, proving the correctness of arbitrarily large algorithms is theoretically possible. However large algorithms quickly exceed our human ability to prove them. Even small and medium code bases can have edge cases that are very difficult to prove. And then even if the software is proven to be 100% correct, the hardware and toolchains may not be.


On top of that physics itself is inherently probabilistic, so we can't rely on real machines to execute our code 100% reliably - there will always be the possibility for error.

We try and mitigate hardware errors with ECC RAM and disk data, but those are also probabilistic and will eventually experience an error. An attacker might try to exploit this by irradiating the target's CPU, or manipulating power to derail the correct code execution.

So mathematically speaking, a system could be 100% secure, but when we allow for physical attacks, no machine can be "100% secure".

Reply Score: 2

Monochrome eggs.
by AaronMiller on Mon 22nd May 2017 12:41 UTC
AaronMiller
Member since:
2011-05-23

Rather than forcing an entity to do something they don't wish to do and would otherwise legally be allowed to not do, and have possibly specifically decided not to do regardless of their rationale for it, how about just not putting all eggs in one basket?

Certainly alternative systems could exist, could they not? Isn't an easier approach simply practicing what any cautious entity should? That is, not to conquer some other entity (or ban it if conquering isn't possible), but to ensure that reliance doesn't exist solely on it.

I'm no expert, but surely a chip system and a smartphone app could coexist, even if companies may desire a monopoly.

Sure, it would be great if more companies had truly open source code for their major products, products which millions of people rely on for their everyday lives. However an approach in which you force it out of their hands by threatening to remove it from the very people who rely on it to begin with, due to being unable to sneak a peek at what it looks like inside, is rather unpleasantly extreme regardless of whether you're the company, the consumer, or the perpetrator.

If a system is relied upon too heavily, then come up with alternatives. Reduce your dependencies, don't focus on them more. The problem isn't monochrome.

That said, this is just my initial impression of the post. Perhaps I didn't properly understand the proposed policy. Though I disagree with the conclusion, I think it's a great write up and a good point of discussion.

Reply Score: 2

Guarantees and accountability
by acobar on Mon 22nd May 2017 13:23 UTC
acobar
Member since:
2005-11-15

See, I'm all for open source software. My own computers all run a flavor of linux (openSUSE), I push to install servers with open source software whenever possible and I try to get customers on open source land two feet.

Besides all that, I can not really see as obligatory use of open source software as the only reasonable solution to the problem of access to public services.

For the last almost forty years we have been hammering the importance of open interfaces and protocols to guarantee accessibility and interoperability and it has not changed in my eyes, and it does not matter if the code is public or not.

Of course, if the development of the system is backed-up by public funds it is more than reasonable to ask for open source implementation.

What we really should ask is guarantees and accountability. Do you want to participate? Fine, here are the interface/protocols to use, but keep in mind, if we find an exploit on your side of thing, you will be singled as responsible for the possible losses of people affected.

In all the years I have watched, making people responsible for their acts (and failures) has been the best method to keep them careful of what they spill out.

The current EULA(s) and agreements are almost an offense and a free pass to make poorly implemented software float around.

Reply Score: 3

You mean "Free Software, free Society"?
by 5ebastian on Mon 22nd May 2017 13:36 UTC
5ebastian
Member since:
2013-04-11

There's a foundation for that: http://fsfe.org

Reply Score: 2

Agree...
by dionicio on Mon 22nd May 2017 13:59 UTC
dionicio
Member since:
2006-07-12

Congrats on all of your own contribution, Thom.

Reply Score: 4

Openness
by Alfman on Mon 22nd May 2017 14:02 UTC
Alfman
Member since:
2011-01-28

Thom, first off: Thanks for this kind of content!

We as The Netherlands are irrelevant and would never be able to make such demands stick, but the EU is one of the most powerful economic blocs in the world. If you want access to the wealthy 450 million customers in the European Union (figure excludes the UK), your software must be open source so that we can ensure the security and stability of our infrastructure. If you do not comply, you will be denied access to this huge economic bloc. Most of you will probably balk at this suggestion, but I truly believe it is the only way to guarantee the security and stability of vital government services we rely on every single day.



I agree very much with you about these issues. Mobile innovation is becoming increasingly vital to everything we do, yet the fact that corporate power has consolidated to the point where just a few corporations worldwide are deciding the fate of all our technology is extremely troubling. The corporations in power will only allow technology that benefits them and it has absolutely nothing to do with merit but rather the monopoly/oligopoly control over the entire market.

These (mostly US) tech monopolies are so powerful now that even national governments are struggling to bring independent services to the public, this is extremely dangerous.



We should not rely on closed-source, foreign code for our government services. It's time the European Union starts thinking about how to address this threat.


Open source code is important for many reasons, however we must not forget that open source code is insufficient, the hardware and OS themselves must not be designed to impose vendor locking or to punish owners who choose to modify their own devices. These moves by apple/ms/google/etc to take control away from owners are extremely disappointing for open technology, since it makes independent innovation less and less viable.
http://www.osnews.com/story/29821/Android_developers_can_now_block_...

Note that even if the entire stack were "open source", our rights are still compromised if our computers don't allow the owners to install modifications.

The new initiative, jointly developed by the various companies operating our public transport system and our carriers, is Android-only, because Apple "does not allow it to work, on a technical level", and even then, it's only available on two of our three major carriers for now.


I suspect this has to do with Apple's decision to monopolize NFC functions on iOS. Apple has a lot of incentives to ban 3rd party NFC applications to kill off the competition, but it's absolutely devastating for independent innovation.

I understand why people don't want government stepping in to force changes, but leaving corporations to their own vices consistently produces the worst outcomes for the public good: technology that takes away owner control, banking practices that trigger financial calamities, manufacturers that deceive, predatory practices to kill competition, manufacturers contractually banning component repairs, etc.

The Netherlands may have very little influence on apple, but at the very least there could be a campaign to name and shame the corporations like apple that are actively taking away our rights. Imagine if your public transport system could put up large billboards showing how apple holds back technology, that would get the public's attention very quickly - even beyond the Netherlands. It would perhaps spark the public debate we need to have about technology designed to take away our rights.

Edited 2017-05-22 14:09 UTC

Reply Score: 5

FDROID?
by Bill Shooter of Bul on Mon 22nd May 2017 14:25 UTC
Bill Shooter of Bul
Member since:
2006-07-14

If the main concern is problems with the app update, then perhaps having the application also available via fdroid or amazon might be a good fall back.

Lots of security implications here that would take a while to figure out. You want everything to be open, but not so open that it's easy for fraudulent implementations to exist. Smart cards seem to be a rather smart solution, when viewed in this light.

Reply Score: 2

RE: FDROID?
by dionicio on Mon 22nd May 2017 15:19 UTC in reply to "FDROID? "
dionicio Member since:
2006-07-12

Quite an interesting view, Bill. Is Fully Open, easy to fraud? Which one the more? Fully Open, or Fully Closed?

What about Closed Silicon Hardware [which still is default]? Remembering those Electronics Cards embedded on black resin.

Remembering those repair shops passing the shop to the back. Or bakeries becoming just front stores. We don't know anymore, Bill. My Coke drink declaring content: Coke concentrate, édulcorant, carbonated water.

We're self abandoning to a continuous exercise of FAITH.

Coming back to an OPEN culture, an OPEN society with adopted, open technologies is now an URGENT, survival request.

No longer able to sleep tight, Bill. A symptom of faith overdose.

Reply Score: 3

RE[2]: FDROID?
by Bill Shooter of Bul on Mon 22nd May 2017 16:31 UTC in reply to "RE: FDROID? "
Bill Shooter of Bul Member since:
2006-07-14

Sorry, maybe I shouldn't have commented without time to explain. The risk is similar having Firefox or Chrome trust any and all cert authorities. Which would allow craziness like anyone pretending to be your bank.

There needs to be some central authority to vet options even in an open environment, to prevent fraud.

Reply Score: 2

RE[3]: FDROID?
by Alfman on Mon 22nd May 2017 16:42 UTC in reply to "RE[2]: FDROID? "
Alfman Member since:
2011-01-28

Bill Shooter of Bul,

Sorry, maybe I shouldn't have commented without time to explain. The risk is similar having Firefox or Chrome trust any and all cert authorities. Which would allow craziness like anyone pretending to be your bank.

There needs to be some central authority to vet options even in an open environment, to prevent fraud.



One approach that could be interesting is to have a standard app signing protocol where applications are directly signed by website owners.

A website could host the public key, and the app could be signed with the private key, thereby proving the app came from the owners of the website regardless of how it got installed (bittorrent, http, app store, etc).

Reply Score: 2

RE[4]: FDROID?
by Bill Shooter of Bul on Mon 22nd May 2017 20:15 UTC in reply to "RE[3]: FDROID? "
Bill Shooter of Bul Member since:
2006-07-14

Well, ok. Do you really want any/all websites to be used to process payments? Even if they aren't fraud, are they themselves protected against attacks by fraudsters? Should every commuter have to choose a provider in a list of thousands? Which ones have good security and privacy practices?

Reply Score: 2

RE[5]: FDROID?
by Alfman on Mon 22nd May 2017 21:22 UTC in reply to "RE[4]: FDROID? "
Alfman Member since:
2011-01-28

Bill Shooter of Bul,

Well, ok. Do you really want any/all websites to be used to process payments? Even if they aren't fraud, are they themselves protected against attacks by fraudsters? Should every commuter have to choose a provider in a list of thousands? Which ones have good security and privacy practices?


I was really referring to ways to solve the problems you brought up in the original post. In particular, solving fraud in app distribution. Cryptographic signatures solve this problem very nicely.

What you're asking here seems to be a bit different: how do you trust a website to process payments and how do you choose good providers from a list of thousands? I'm not really able to answer that, but regardless of how people choose their services, cryptography can be used to eliminate fraud.


Cryptographic technology is way ahead of the industry, and personally I blame visa/mastercard for not doing more to embrace 1990's era crypto for payment processing.

With PKI:
1) Each individual transaction could be signed.

2) the merchant couldn't just claim the customer authorized a payment, it would have to be cryptographically signed by the customer.

3) even if the merchant account was 100% breached, no one would be able to issue new fraudulent transactions using the information since the merchant never sees the private signing key.

4) we could even require the banks themselves to use PKI such that even employees of the bank couldn't transfer your funds without your cryptographic signature.

Reply Score: 2
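Added example (not part of the comment above, and not code from any real payment scheme): points 1 to 3 of the list, sketched in Go with Ed25519 from the standard library. The `Transaction` fields, the `Bank` type and the per-payer nonce used to reject replays are assumptions made for this illustration; the same sign-and-verify step is what the app-signing idea in the earlier comment relies on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is a hypothetical payment order (field names are assumptions).
type Transaction struct {
	Payer       string
	Merchant    string
	AmountCents uint64
	Nonce       uint64 // unique per payer, so a captured order cannot be reused
}

// encode gives an unambiguous byte form: strings are length-prefixed so that
// bytes cannot be shifted from one field into the next without changing it.
func (t Transaction) encode() []byte {
	var out []byte
	var n [8]byte
	for _, s := range []string{t.Payer, t.Merchant} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(s)))
		out = append(append(out, n[:4]...), s...)
	}
	for _, v := range []uint64{t.AmountCents, t.Nonce} {
		binary.BigEndian.PutUint64(n[:], v)
		out = append(out, n[:]...)
	}
	return out
}

// SignedTx is everything the merchant ever holds: the order and a signature.
type SignedTx struct {
	Tx  Transaction
	Sig []byte
}

// Sign runs on the customer's device; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, tx Transaction) SignedTx {
	return SignedTx{Tx: tx, Sig: ed25519.Sign(priv, tx.encode())}
}

var (
	ErrUnknownPayer = errors.New("unknown payer")
	ErrBadSignature = errors.New("signature does not match transaction")
	ErrReplay       = errors.New("nonce already used")
)

// Bank stores only public keys and the nonces it has already accepted.
type Bank struct {
	keys map[string]ed25519.PublicKey
	seen map[string]map[uint64]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, seen: map[string]map[uint64]bool{}}
}

// Enroll is a shortcut for the demo: in practice the key pair would be
// generated on the customer's device and only the public half registered.
func (b *Bank) Enroll(name string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	b.keys[name] = pub
	return priv
}

// Authorize accepts a payment only if the payer signed exactly this order
// and the nonce has not been used before.
func (b *Bank) Authorize(s SignedTx) error {
	pub, ok := b.keys[s.Tx.Payer]
	if !ok {
		return ErrUnknownPayer
	}
	if !ed25519.Verify(pub, s.Tx.encode(), s.Sig) {
		return ErrBadSignature
	}
	if b.seen[s.Tx.Payer][s.Tx.Nonce] {
		return ErrReplay
	}
	if b.seen[s.Tx.Payer] == nil {
		b.seen[s.Tx.Payer] = map[uint64]bool{}
	}
	b.seen[s.Tx.Payer][s.Tx.Nonce] = true
	return nil
}

func main() {
	bank := NewBank()
	alice := bank.Enroll("alice") // constructed sample customer
	paid := Sign(alice, Transaction{"alice", "shop", 1250, 1})
	fmt.Println("genuine payment:", bank.Authorize(paid))

	// From here on, only what the merchant's records contain is used.
	inflated := paid
	inflated.Tx.AmountCents = 999900
	fmt.Println("amount altered:", bank.Authorize(inflated))
	fmt.Println("same order resubmitted:", bank.Authorize(paid))
	fresh := SignedTx{Tx: Transaction{"alice", "shop", 1250, 2}, Sig: paid.Sig}
	fmt.Println("old signature, new nonce:", bank.Authorize(fresh))
}
```

Everything the merchant holds after the sale is `paid`, and none of the three reuses of it is accepted by the bank.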

RE[6]: FDROID?
by acobar on Mon 22nd May 2017 23:12 UTC in reply to "RE[5]: FDROID? "
acobar Member since:
2005-11-15

Alfman,

I totally agree with you about security of operations using cryptography being stronger, though, it does not dispel the worries about security and who is going to bear the consequences of breaches.

When I think about security I imagine an elder citizen using her/his smart phone on every interaction she/he may need. Now, suppose her/his phone is hacked and his/her cryptography signature stolen.

Now, who is going to bear the consequences? The elder citizen, the OS seller, the producer of the software that was unlucky to have its software used on fraudulent transactions?

I think banks and credit card companies will be more than happy to share the burden with the OS sellers and the other software vendors on the stack, but till now all we have is an offensive indemnity on EULAs and agreements over use.

You probably know that if you want a bigger slice of the pie you must take more responsibility on failures. I have said here many times that my main customers are small business. Some of them would like to lower the cost of credit card operations. It is possible to have a contract so that an internal system pre process the payment and as so lower the cost of the operation, it does, though, shift part of the responsibilities of fraudulent operations to who is pre processing them. Big business can afford the costs because they can spread the risk between a large base of customers and it has an (almost) fixed cost to develop and secure the system. It does not work well on small scale. When I explain this to them, the many point-of-failure in the chain, they usually, let me know that they want to keep what is "working".

Now, I know that my business is not to cast fear on my friends, and that is what all they are, hearts, but I don't want them to incur on costs that can hurt their source of income. If we really want a better system, guarantees and accountability must be very well established.

Reply Score: 2

RE[7]: FDROID?
by Alfman on Tue 23rd May 2017 01:15 UTC in reply to "RE[6]: FDROID? "
Alfman Member since:
2011-01-28

acobar,

I totally agree with you about security of operations using cryptography being stronger, though, it does not dispel the worries about security and who is going to bear the consequences of breaches.

When I think about security I imagine an elder citizen using her/his smart phone on every interaction she/he may need. Now, suppose her/his phone is hacked and his/her cryptography signature stolen.

Now, who is going to bear the consequences? The elder citizen, the OS seller, the producer of the software that was unlucky to have its software used on fraudulent transactions?



Consider what happens with credit cards today:

https://www.merchant-accounts.ca/how_to_fight_fraud_reduce_chargebac...
Fraudulent use of a credit card is another reason chargebacks occur. Unfortunately, it is not altogether uncommon for credit card numbers to be stolen and used to purchase products and services online. Although most assume that the person whose credit card number was stolen and used to make online purchases is the victim, in actuality the merchants are the real victims. Why? Because the card issuers will protect cardholders by charging back the cost of any products or services that were purchased without the cardholder's authorization.

When credit cards are used fraudulently in this manner, typically the cardholder does not realize the fraud has occurred until days or weeks after the transactions took place, when their monthly credit card statement is received. The customer will notice one or (usually) more suspicious transactions on their credit card statement and will call their card-issuing bank to report them. The bank will dispute all of the unauthorized transactions with the merchants that processed them. As a merchant, if you cannot prove that you delivered the product or service to the card holder then you will likely lose the dispute and the chargeback will be processed.


The link goes on to discuss other facets of this problem.



https://en.wikipedia.org/wiki/Credit_card_fraud
United States
Merchants

The merchants and the financial institutions bear the loss. The merchant loses the value of any goods or services sold, and any associated fees. If the financial institution does not have a charge-back right then the financial institution bears the loss and the merchant does not suffer at all. These losses incline merchants to be cautious and often they ban legitimate transactions and lose potential revenues. Online merchants can choose to apply for additional services that credit card companies offer, such as Verified by Visa and MasterCard SecureCode. However, these are complicated and awkward to do or use for consumers so there is a trade-off of making a sale easy and making it secure.

The liability for the fraud is determined by the details of the transaction. If the merchant retrieved all the necessary pieces of information and followed all of the rules and regulations the financial institution would bear the liability for the fraud. If the merchant did not get all of the necessary information they would be required to return the funds to the financial institution. This is all determined through the credit card processor.

United Kingdom
Any misuse of the card, unless deliberately criminal on the part of the cardholder, must be refunded by the merchant or card issuer.

Merchants
The merchant loses the payment, the fees for processing the payment, any currency conversion commissions, and the amount of the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks—such as not accepting suspicious transactions. This may spawn collateral damage, where the merchant additionally loses legitimate sales by incorrectly blocking legitimate transactions. Mail Order/Telephone Order (MOTO) merchants are implementing Agent-assisted automation which allows the call center agent to collect the credit card number and other personally identifiable information without ever seeing or hearing it. This greatly reduces the probability of chargebacks and increases the likelihood that fraudulent chargebacks will be successfully overturned.



To be clear, you bring up legitimate concerns, but these are not being addressed by visa/mastercard today anyways. The responsibility today lies between the merchant and banks.


You probably know that if you want a bigger slice of the pie you must take more responsibility on failures.



Isn't that part of the problem with visa/mastercard? They don't bring much of value including responsibility for fraud. I don't think anything would be worse than today if we could eliminate the middle men. If anything, by allowing more secure alternatives to become viable fraud would actually go down, which would be better for merchants, banks, and consumers! The credit card companies are the only participants in this circle that actually make money when fraud is committed because they still get their fees even when the entire purchase is reversed via chargeback:


https://www.wepay.com/api/payments-101/payments-fraud-and-loss
While cardholders may not be liable for unauthorized transactions, merchants have no such protection. When the real cardholder inevitably reverses the payment, the merchant is out the cost of fulfilling the order, the revenue of the sale, and the fees associated with receiving the chargeback.

Reply Score: 2

Security Management doesn't admit CUTS...
by dionicio on Mon 22nd May 2017 14:37 UTC
dionicio
Member since:
2006-07-12

Public transport depends on lot of technologies; winner above all electric grid -reliability issues related.

Countries with 99.99% Uptime at their critical lines. [Admiration to Electrical Engineering civilized view of duty ;) ].

Nowadays, another energy options at place to back-up failures.

Lack of LOCAL options, is a clear sign of Administrations missing Security scientists, engineers and technicians.

Not going to talk this time of another, "pooping baby" technologies.

Reply Score: 2

Not Just The EU
by dekernel on Mon 22nd May 2017 14:40 UTC
dekernel
Member since:
2005-07-07

Being that I am a US citizen, I am still amazed that so many countries rely on closed source software from the US. I would think that countries that don't have a large software presence would invest in its people to support something like FreeBSD or Debian which in turn could be used within the country to eliminate the exodus of money.

Reply Score: 1

RE: Not Just The EU
by nicubunu on Tue 23rd May 2017 06:54 UTC in reply to "Not Just The EU"
nicubunu Member since:
2014-01-08

That closed software is not perceived as coming from USA, it is perceived as coming from global megacorporations. Which is not better, but a different nuance.
As for those country pushing for alternate OSes, is all about apps and compatibility. And those other OSes also come from global entities.

Reply Score: 2

Right direction, wrong path
by Ibrahim on Mon 22nd May 2017 15:33 UTC
Ibrahim
Member since:
2016-11-03

Getting in step with tech is good and all; However, relying on consumer devices, to enable such services that Thom speaks of. Is the wrong approach.

I rarely use my "smartphone". Only time I bring it with me is when I'm expecting a non-social related call. Which equals to about 2-3 times a month. Heck I haven't carried physical currency (cash) in almost 15 years. My debit cards replaced cash.

If government services or what not. Want to force you to use tech, to utilize their services. They need a more general approach. Facial recognition perhaps, not reliance on a android/iOS or what-ever consumer device.

Reply Score: 1

RE: Right direction, wrong path
by dionicio on Mon 22nd May 2017 16:09 UTC in reply to "Right direction, wrong path"
dionicio Member since:
2006-07-12

Good Point, Ibrahim: As in NHS case, relying on "consumer grade" technology.

Have no doubt that eventually Alphabet will release stronger products.

But is this excessive reliance on such a HUGE pile, or stack, which I find of little sense, to begin with.

Remembering an Old American Express campaign: "Your key to the World" or something like that. It is stupid to have ONE key to the World. Such a big and fragile one, also. [Sorry about the term, but absolutely appropriate].

Reply Score: 2

RE: Right direction, wrong path
by dionicio on Mon 22nd May 2017 16:18 UTC in reply to "Right direction, wrong path"
dionicio Member since:
2006-07-12

Many toll systems at highways use "pass-by" remote tech which stand on small [private] stacks.

Again, it is RELIEF tech, to reduce length of waiting lines. All other options remain present.

Reply Score: 2

RE: Right direction, wrong path
by Alfman on Mon 22nd May 2017 16:34 UTC in reply to "Right direction, wrong path"
Alfman Member since:
2011-01-28

ibrahim,

> I rarely use my "smartphone". Only time I bring it with me is when I'm expecting a non-social-related call. Which equals to about 2-3 times a month. Heck I haven't carried physical currency (cash) in almost 15 years. My debit cards replaced cash.
>
> If government services or whatnot want to force you to use tech to utilize their services, they need a more general approach. Facial recognition perhaps, not reliance on an Android/iOS or whatever consumer device.


That may be fine for you, but it's not to say they're not useful for many other people. Having choice is the important factor here. The free market can only work when everyone can decide for themselves what works without being coerced. We need to recognize that whenever the industry becomes dominated by a few giants, independent competition becomes nonviable and innovation gets stifled.

Visa and Mastercard are examples of a stifled industry at great cost to both consumers and merchants in terms of noncompetitive transaction fees and notoriously regressive security practices. If we could somehow displace the incumbents and give alternatives some breathing room, it could do wonders for innovation and competition.

Reply Score: 2

RE[2]: Right direction, wrong path
by acobar on Mon 22nd May 2017 18:54 UTC in reply to "RE: Right direction, wrong path"
acobar Member since:
2005-11-15

> Visa and Mastercard are examples of a stifled industry at great cost to both consumers and merchants in terms of noncompetitive transaction fees and notoriously regressive security practices.

Even though I agree with your assertion, there is a reason they are at their positions and it is for accountability, if something goes wrong on transfer of funds in a transaction they are the ones you will be calling (usually). It is like a mafia sell of protection, but one most of us have, somehow, consented on paying. Society is still a wild west when money is at stake, accountability is a must.

Reply Score: 2

Alfman Member since:
2011-01-28

acobar,

> Even though I agree with your assertion, there is a reason they are at their positions and it is for accountability, if something goes wrong on transfer of funds in a transaction they are the ones you will be calling (usually). It is like a mafia sell of protection, but one most of us have, somehow, consented on paying. Society is still a wild west when money is at stake, accountability is a must.



Well, as a consumer, you deal with your bank. Even store credit/debit cards are backed by a bank. Try calling the phone number on the back of your cards, you'll find it reaches the bank and not Visa/Mastercard. They are strictly middlemen and if we had widely deployed open source transaction processing networks, then Visa/Mastercard would be entirely unnecessary.

I understand they initially filled an important purpose, but these days they'd be easily replaceable if it weren't for their widespread market control.


Edit: I'm not particularly promoting bitcoins, but they are noteworthy for bringing about P2P technology to the point where all middle men, and even the banks can be eliminated.

Edited 2017-05-22 20:04 UTC

Reply Score: 2

acobar Member since:
2005-11-15

You don't travel abroad a lot, do you? If you did you would have the displeasure to discover that your bank may not have a presence in many countries but your credit card company does. They fill a niche, they are a middleman, but until we have a better system we have no option but deal with them. Your bank likes them because it allows your bank to cover a wider area without a lot of investment. Business owners count on them to lower the risks and try to compensate their own costs inserting any loss on products price. To them, after all, it is you that are going to pay the expenses.

As you, I would pretty much like to have lower taxes on transactions but, unless there is a large intervention on the way the system works today, I don't see it going through a huge change. The incentives are not there for banks, even though it may be there for other business, especially big ones, and, for what I have seen, they all want their cut without changing the costs that much (actually, I suspect that Apple cuts would be worse).

Again, if such open source system is to be created, who is going to bear the cost of fraudulent operations? You know, they are not going to disappear.

For almost the same reason, lower risks, we buy insurance policies for burglary and whatnot. In an ideal world we should drop them but we don't live in such a world yet (perhaps, we never will).

Reply Score: 2

Alfman Member since:
2011-01-28

acobar,

> You don't travel abroad a lot, do you? If you did you would have the displeasure to discover that your bank may not have a presence in many countries but your credit card company does.


Many banks don't even have a national presence either, even in the US. But this is beside the point, I don't have a "credit card company", I have a bank. As consumers, you and I don't deal directly with Visa/Mastercard. We have credit cards issued and managed by banks, and it's our banks that we deal with EVEN for foreign transactions and even if our banks don't have a foreign presence.

In other words, the fact that our banks participate in Visa/Mastercard networks means that cards issued by our banks can be used to make purchases from merchants who also participate in the Visa/Mastercard networks, regardless of where they are in the world.

> They fill a niche, they are a middleman, but until we have a better system we have no option but deal with them. Your bank likes them because it allows your bank to cover a wider area without a lot of investment.


The role played by Visa/Mastercard as middlemen can technically be eliminated with open federated protocols. It's not about the lack of better options, but about how noncompetitive the market is for alternatives to Visa/Mastercard. I personally dislike the crippling forces of Visa & Mastercard, yet I still have one because the reality is if my card doesn't have one of those logos on it, it's not going to be accepted by the stores I buy from. Conversely, as a merchant, if you don't accept Visa & Mastercard, you're going to lose the majority of customers if you can't accept Visa / Mastercard.


These aren't technical problems, these are competitiveness/market oligopoly problems.


> Business owners count on them to lower the risks and try to compensate their own costs inserting any loss on products price. To them, after all, it is you that are going to pay the expenses.



This is where having a competitive market would help. Unfortunately once the market is controlled by a few incumbents, new competition tends to be non-viable. Even counting on a government fix is unlikely since the lobbying power of credit card companies is too great.

Reply Score: 2

acobar Member since:
2005-11-15

OK, I think I should better explain my point.

It is not about if, technically, a better solution is possible or not, it clearly is.

My worries are about guarantees and accountability. Now we have a system where there is a minimum of them established. Now, do you think that hardware producers, OS sellers and software vendors will change their mind about, "use at your own risk, no guarantees!" clause they have about possible malfunctions? If the software is open source, who will bear the consequences of poor implementations?

We need a better system but responsibilities must be established along the chain.

Reply Score: 2

Alfman Member since:
2011-01-28

acobar,

> My worries are about guarantees and accountability. Now we have a system where there is a minimum of them established. Now, do you think that hardware producers, OS sellers and software vendors will change their mind about, "use at your own risk, no guarantees!" clause they have about possible malfunctions? If the software is open source, who will bear the consequences of poor implementations?
>
> We need a better system but responsibilities must be established along the chain.



I understand your point, but I don't understand why it's any worse than today?

If a merchant installs an ecommerce platform like Oscommerce or Magento, those are popular open source platforms that can accept payments, but they come with no guarantees whatsoever today. Responsibility for these lies with the merchant. If the merchant buys an ecommerce service, that may or may not come with a guarantee. I don't understand why any of today's responsibilities would need to change?

Edited 2017-05-23 01:46 UTC

Reply Score: 2

RE: Right direction, wrong path
by Ibrahim on Mon 22nd May 2017 21:25 UTC in reply to "Right direction, wrong path"
Ibrahim Member since:
2016-11-03

I think I need to clarify my point.

1) I did "not" read the article.
A) I was going on my interpretation of Thom's interpretation of the article.
i) which I understood to be, that some government services, were switching from RFID to strictly Android App. [ I don't know how to insert preformatted text. So please don't mind the bullets. i is a subsections of A and of 1. ]

If my interpretation of Thom's interpretation was correct, I felt relying solely on a consumer phone app segregated me and possibly others like me from using that service. Hence the suggestion for a more general tech, such as facial recognition or something else. If the RFID card or a general ID card for said service was being abandoned, I shouldn't need to carry around my cellphone just to use that service.

The money bit was me pointing out that I support tech for improvements, such as digital currency. For me currently, that's through two services.

Reply Score: 1

Shameless propaganda...
by dionicio on Mon 22nd May 2017 16:35 UTC
dionicio
Member since:
2006-07-12

"...it's easy to see how the eventual phasing out of the chip cards - already labelled as "outdated" by the companies involved -".

Eight thousand years and NOTHING has replaced a knife and a table, at the kitchen. Open tech -by the way.

Open tech doesn't "outdate", mature.

Reply Score: 3

Transport Payments
by Munchkinguy on Mon 22nd May 2017 18:29 UTC
Munchkinguy
Member since:
2007-12-22

Specific to the concern of transportation payment cards: The British Government has developed an open payment standard called ITSO. Details here: https://www.itso.org.uk/

Reply Score: 1

RE: Transport Payments
by Alfman on Mon 22nd May 2017 18:50 UTC in reply to "Transport Payments"
Alfman Member since:
2011-01-28

Munchkinguy,

> Specific to the concern of transportation payment cards: The British Government has developed an open payment standard called ITSO. Details here: https://www.itso.org.uk/


Interesting, thanks for posting.

This page gives the impression it may not be a completely open standard, they're not exactly clear on the details:
https://www.itso.org.uk/the-specification/
> In general, ITSO promotes open standards but it does not disallow proprietary solutions where they are offered on reasonable, non-discriminatory terms and contribute towards the ultimate objective of interoperability.



That's a concern, but aside from that I really like the principles of inter-operable standards that many independent vendors/service providers are free to implement and use. That's the kind of thing that makes technology better at serving our needs!

Reply Score: 2

RE[2]: Transport Payments
by Munchkinguy on Mon 22nd May 2017 19:05 UTC in reply to "RE: Transport Payments"
Munchkinguy Member since:
2007-12-22

It's because most public transport services in Britain are privately run, so I think the idea is that the standard allows each private company to have their own proprietary implementation.

Reply Score: 1

RE: Transport Payments
by gld59 on Tue 23rd May 2017 05:38 UTC in reply to "Transport Payments"
gld59 Member since:
2012-11-09

Yeah, from an Australian perspective (well, the Sydney region, including Newcastle, Wollongong etc), Thom's real-life example seems to be missing an obvious option. Our transport payment system's backend is being augmented to (eventually) allow payment with bank cards as well as the current Opal cards. It's all just NFC, so the physical carrier doesn't really matter - you can already load a bank "card" onto a phone app, just as a transport payment app would be doing with a transport payment card.

Reply Score: 1

Realistic
by nicubunu on Tue 23rd May 2017 07:07 UTC
nicubunu
Member since:
2014-01-08

Realistically, do you expect for the foreseeable future those cards to be replaced completely by smartphone apps? Around here it won't fly, since an entire old generation does not reliably use smartphones, if the government would give them free ones a lot of those people won't know what to do with them. Yes, this generation would be mostly vanished in 10-20 years from now, but who can predict where technology will be in 10-20 years?
I would not worry much about denied updates or banned apps. Can you imagine public transport in a big European city blocked, hundreds of thousands (at least) people angry and a corporation "guilty" of that? It would be commercial suicide.

Reply Score: 3

the precedents
by unclefester on Tue 23rd May 2017 07:58 UTC
unclefester
Member since:
2007-01-13

In the not too distant future the software industry will most likely undergo the same massive changes that physical engineering underwent in the late 19th and early 20th century.

Software engineers will need to be formally qualified, licenced and insured. Companies will be liable for severe civil and criminal punishments. Software will need to be fully documented and all source code held on public registers. Mandatory international standard testing and design protocols will also need to be instigated. The whole hack, release and patch mentality must be replaced by a formal design and engineering process.

No government would ever allow a) an unqualified person to design or build a bridge or building, b) a project to be built without submitting formal plans and documents, c) an engineer to create his own arbitrary testing standards or d) fail to investigate or prosecute an engineering company if a building collapsed. Yet the equivalents are completely normal in the world of software.

If MS (and virtually every other software company) was in the civil construction business they would have been bankrupted decades ago by negligence lawsuits and fines.

Reply Score: 2

RE: the precedents
by sydbarrett74 on Fri 26th May 2017 09:25 UTC in reply to "the precedents"
sydbarrett74 Member since:
2007-07-24

Amen. The software industry and its practitioners have had it too easy for far too long. They should be subject to the same rigour and expectations (e.g., lemon laws) to which physical products are subject. Time to grow up and put on their big-person trousers like every other industry has had to at a certain point.

Edited 2017-05-26 09:26 UTC

Reply Score: 1

BankID
by TasnuArakun on Tue 23rd May 2017 16:06 UTC
TasnuArakun
Member since:
2009-05-24

Thanks Thom for the post! This is something I've been worrying about for several years.

In Sweden we have something called BankID. It's a form of electronic ID meaning it's not only used to log into one's bank account but can also be used to file taxes, manage medicine prescriptions and much more. It's owned by a private company that have been quite diligent in dropping support for older mobile and desktop OSes because it no longer made "economic sense".

That's not how you manage a vital piece of infrastructure!

Linux support was dropped completely in 2014 because "only about 5000 people were using it". [1]

There was a news article recently about a few thousand Android and Windows Phone being locked out of BankID because their phones were deemed too old. [2]

I was contacted a while ago by a neighbour because BankID had stopped working on his computer. The problem was that he was running an older OS. To be able to upgrade it he first had to buy and install more RAM. Even after doing all that he probably only bought himself one more year.

I myself had the opposite problem once. I had installed an OS update and couldn't access my online bank for about two weeks because the new version wasn't supported yet.

All of this from a company with the goal that "in the future almost all Swedes will be using our product". (Good thing they included the "almost".)

Then there was the time when Apple started declining apps relying on BankID since it was against the rules for an app to depend on another app for its functionality. BankID managed to get a formal exception from this rule. [3]

[1] https://www.bankid.com/om-oss/nyheter/bankid-linux-fasas-ut
[2] https://www.svt.se/nyheter/ekonomi/tusentals-blockerade-fran-bank-id
[3] https://www.bankid.com/om-oss/nyheter/apple-godkanner-beroende-till-...

Reply Score: 2