Fly Buys – Where security is an afterthought

By Steve Biddle, in , posted: 20-Jan-2014 22:04

In late 2012 Fly Buys launched an interactive advertising campaign with advertising company Adshel. Bus stops signs, and a much larger display that was located in Wellington Airport for some time offered customers the chance to swipe their Fly Buys card and receive a free gum ball. You can see photos of these, and read more about the campaign here.

I’d never actually seen one of these in real life, but after seeing comments on Twitter on Friday about one of these not accepting an Air NZ Airpoints card (which it is supposed to do according to both the display and a Fly Buys rep on Twitter), I thought I’d have a look at one of these machines which is currently running in an Adshel bus stop in Manners St in Wellington with a few other Geekzoners.

The machine was broken and wouldn’t give us a gum ball, no matter what card we tried.

BeZe3pCCAAAhnlA

The Adshel sign welcomes me to swipe my Fly Buys card or my Airpoints card and receive a free gum ball. Innocent enough – until you consider the security implications of this.

A basic Fly Buys card has your 16 digit number printed on it, and the magnetic stripe on your Fly Buys card contains this number. The format of your Fly Buys number is identical to a credit card and uses the LUN10 algorithm – the initial 6 digits are a BIN range 6014 35 (unique to Fly Buys) followed by 9 digits which make up your Fly Buys number, and the last digit which is a check digit. The number is also present  on a barcode on the back of your Fly Buys card in an EAN13 format. EAN barcodes normally start with the GS1 member country code, which you can see on goods manufactured in New Zealand which will typically start with a barcode in the range of 940-949. The 264 range is not allocated specifically to Fly Buys, but is one they’re permitted to use. After the 264 your Fly Buys number is shown, and the last digit as with all EAN13 barcodes is a check digit.

If you swipe your Fly Buys card through this mag stripe reader in the hope of getting a free gum ball, the risks are minimal. If somebody has maliciously tampered with the mag stripe reader and replaced this with a skimming device to capture card numbers your Fly Buys number isn’t going to be of any real use to a fraudster. Your Airpoints card however is another matter entirely.

Air New Zealand partnered with Fly Buys several years ago allowing Air New Zealand Airpoints members to accrue Fly Buys points directly to their Airpoints account. Not long after this Air New Zealand launched a new Airpoints card that used the Rev platform to offer a prepaid Mastercard Debit card capable of storing multiple foreign currencies, your regular Airpoints card, and Fly Buys card. The card is EMV compliant and supports Mastercard PayPass NFC technology as well as a chip , and can also be used at NFC capable Air New Zealand kiosks and gates to identify the card holder. Because the magnetic strip on the card has to be used for the Mastercard component, the Fly Buys number barcode has to be scanned at retailers, it can’t be swiped through a mag stripe reader like a regular Fly Buys card.

 

airpoints card

By now you’re probably starting to realise the security implications of swiping your Airpoints card through a random mag stripe reader attached to a bus stop. Rather than simply giving your 16 digit Fly Buys number away, you’re giving away your 16 digit credit card number, your name, and your Airpoints number. Anybody who decides to maliciously tamper with the mag stripe reader and replace it with a skimming device now has access to a constant stream of credit card numbers from unsuspecting people. Of course not everybody who swipes their card will have their OneSmart card activated, or have money in their account, but the security aspect is exceptionally scary.

With the number of recent cases of ATM tampering where skimming devices have been attached to machines, Air New Zealand and BNZ (who provide the OneSmart Mastercard product) should be terrified that Fly Buys is encouraging their customers to willingly swipe their card in a public place in a mag stripe reader that would require absolutely no skills to tamper with and replace with a skimming device. It really does makes a mockery of all the security messages that banks try and send to their customers about protecting their cards.

 

EXTRA:

I had to dig out my mag stripe gear to show the data on the Airpoints/OneSmart card. I’ve PAN masked some of my personal data including my Airpoints number, expiry dates and OneSmart credit card numbers with a *.

c10B5314*********376^BIDDLE/STEVEN^****2213106060***14007****16002?3a205314*********376=****22100000310?093100

It was also pointed out to me that the billboard will not work with a Kiwibank Airpoints Card by somebody who had attempted to use one in the past thinking that the reference to “Airpoints card” would include this card. I wonder what Kiwibank think of their customers swiping their credit cards through a mag stripe reader in a public area attached to a bus stop that could so easily be tampered with?



Boundary Road Brewery. Average beer, terrible spelling.

By Steve Biddle, in , posted: 23-Oct-2013 08:58

Anybody who knows where the town of Plzen is located is probably a bit of a beer geek. Plzen translates to Pilsen in German, and is the home of Pilsner beer. First brewed in 1842, the Pilsner style was a clear, slightly hoppy style beer that was very different to the much darker Ale that had been commonplace across Europe for centuries beforehand.  If you’re a true beer fan you’ve possibly visited Plzen and been to the Pilsner Urquell factory – if you haven’t, it’s something that should be on the bucket list of every true beer geek as the factory tour is a fantastic experience.

Boundary Road is a brand of Independent Liquor, a company created by New Zealander Michael Erceg in 1987. Erceg was a true genius, who was sadly killed in a helicopter crash in 2005. Erceg pretty much created the ready to drink (RTD) market in New Zealand and in the late 90’s and early 2000’s Independent Liquor tightly controlled this highly profitable market with other players struggling to gain any traction in the market. In the early 2000’s beer became a growth area of the business as supermarket beer sales quickly took market share from traditional bottle stores that were at the time owned by industry giants DB and Lion Breweries. This allowed Independent Liquor jumped at the chance to gain traction in the beer market by aggressively pushing product in supermarkets, as they had previously been unable to do this in bottle stores owned by their much larger competitors. Some of this beer was terrible (Ranfurly anybody?) but as with the RTD market, they targeted price conscious consumers and quickly gained market share in the off premise market. The addition of some large imported brands such as Grolsch and Carlsberg gave them a portfolio of products that allowed them to compete head-on with DB and Lion offerings in the marketplace.

After Erceg was sadly killed in a helicoper crash with Grolsch executive Guus Klatte in 2005, Independant Liquor was ultimately sold to a private equity companies Unitas Capital and Pacific Equity Partners. It was then sold to Japanese company Asahi in 2011. In recent years they have continued with a strategy of flooding the market with products and hoping that large supermarket end displays and multiple facings of cheap beer would drive growth, and to some extent this has strategy has paid off. Whether the significant amount of money that would have been spent on Public Relations companies to drive this strategy was money well spent is a hot topic of debate, as attempting to grow the Ranfurly Brand failed miserably with what must rank as one of New Zealand’s worst ever advertising campaign. As to whether their beer is any good is also a hot topic of discussion – Boundary Road have numerous “craft” beer brands and consider themselves a “craft” brewer however many of their products are anything but unique. There is a significant market of price conscious customers who aren’t worried about the quality of their beer, and they are doing well in this category.

All of this leads to the horrible revelation that Independent Breweries don’t actually know how to spell Plzen. I was given a dozen Boundary Road Bouncing Czech beer a few weeks ago and yesterday decided to drink one while engaging in the great Kiwi tradition of cooking food on the BBQ. The beer was very average for a Pilsner style, but what was worse was the spelling. Where in the world is Pizen? One can assume that they actually mean Plzen (note the l rather than an i). Considering that the Pilsner style beer has only been brewed since 1842 their reference to the world “centuries” also seems a little strange.

20131022_184306

I think a certain company is in need of not only a better Pilsner recipe, but also a history lesson and spelling lesson as well.



Flight Review – NZ8

By Steve Biddle, in , posted: 11-Oct-2013 13:40

My blog has always traditionally revolved around technology because it’s something I love. What I do love even more however is travel, and with this in mind instead of writing yet another blog post with a technology focus I thought I’d write about travel since I am currently on holiday in the US at Astricon (ironically a tech conference!).

Air New Zealand have two remaining 747-400 aircraft in their fleet, both of which are used almost exclusively on the NZ7/8 route to and from San Francisco. To me the 747 is still the most amazing plane to grace the world’s sky and it is a shame that due to their age these planes are rapidly disappearing from airline fleets around the world. Both remaining Air New Zealand planes are due to be scrapped by October 2014. In all my previous 747 flights I’d never flown upper deck on a 747, so chose to head to the US via SFO in Premium Economy just so I could make possibly my final 747 flight and tick an upper deck seat off my bucket list.

20131004_184013 ZK-NBV  at Auckland airport

NZ8  - 04/10/2013 - Seat 22A Premium Economy

My seat was an exit row window at the front of the upper deck Premium Economy area. I consider this one of the best Premium Economy seats due to the extra legroom, but others may disagree due to the proximity to the door which can be a colder area to sit. The upper deck is shared between Business Premier and Premium Economy, with 23 Premium Economy seats in a 3-2 configuration and 10 Business Premier seats in a 1-1 configuration. Another 16 Premium Economy seats are located on the main deck in a 2-2 configuration which offers a much cosier feel. These seats offer a seat pitch of between 38” and 40”.

Not being on the main deck gives this area a very different feel, which is clearly the appeal of sitting up there. Boarding for the service was a little late and the 7:15pm departure was a little late with pushback occurring at around 7:30pm. While boarding was underway the PA announcement apologising for the “jams in the aisle” were slightly amusing to me as the only “jam” was the crew delivering pre flight champagne to Business Premier customers.

20131005_061000

The view from the top of the stairs of the upper deck showing the Premium Economy and Business Premier seats.

20131005_071637 

My Seat

20131005_064848

Looking forward to Business Premier from my seat.

Pre dinner drinks were served, with the same beverage selection being shared between Business Premier and Premium Economy. This means glass bottles of wine served in real glass, unlike the plastic bottles served in Economy. Wines and spirits are also of a much higher quality, and my glass of Mumm champagne (my favourite!) went down very well. Not long after this the meal service commenced consisting of an entree of prawns with wasabi mayonnaise, green tea noodle salad, nori and watercress. The flavours in this were great, with the wasabi managing to not overpower the other ingredients.

20131004_191344

The Premium Economy menu.

20131004_204017  For my main I opted for the sage rolled chicken with white bean cassoulet, zucchini, fried chorizo and rocket. 

20131004_211856

Desert was a chocolate delice with blackberry creme fraiche.

The main is described as “being served with rocket” on the menu but no fresh rocket was served with this meal. Having had this main previously (with rocket) flying Business class to Honolulu in May I definitely feel the course did lack a little zing without the rocket. No bread roll was served in Premium Economy, which was strange as the tray contained a serve of butter. My assumption is that the crew simply forgot, as the bread roll basket had plenty of rolls in it after being delivered to Business Premier customers and sat on the wine storage area between Business Premier and Premium Economy during the service. The desert was delicious and washed with with a couple of glasses of Pinot noir served by a crew who were very generous with after dinner drinks.  Not long after the meal trays were collected the main cabin lighting was dimmed. What is nice is a a range of snacks including Whitakers Chocolate, fresh fruit, muesli bars, vege chips and beverages are available from a self service area throughout the flight.

Breakfast was fresh fruit salad and yoghurt with optional cereal, and a croissant with a selection of preserves.  I opted for the lemon scented brioche French toast with apricots, honey cream, toasted almonds and vanilla syrup as the hot option and found this to be amazing, and would have happily opted for more if it was on offer!

20131005_045143

20131005_054542

Despite the late departure time we were pretty much right on schedule landing in San Francisco. Clearing immigration at SFO seems to be a lot better than many of the horror stories I’ve heard at Los Angeles lately, and I had cleared immigration and collected my bags within 30 minutes of leaving the plane.

Premium Economy on Air New Zealand is a great offering, with the food and beverage selection being very similar to the Business Premier offering. Seating differs significantly between the different aircraft on the fleet, with both Boeing 747 –400 and 777-200 aircraft opting for a more traditional seat (which is slightly wider on the 747-400), whereas the Boeing 777-300 offers the newer Air New Zealand designed Spaceseat. Having not flown Premium Economy in the 777-300 I don’t have a view on this seat, but do know plenty of people who prefer the 747-400 seat over the Spaceseat.

Service is also a huge step up from regular Economy, however I do feel that the upper deck service may be slightly less attentive than my previous 777-200 Premium Economy flights. I put this down to the focus of the two crew on the Business Premier customers, however no matter how you look at it, the experience is a significant step up from Economy!

Permalink to Flight Review – NZ8 | Add a comment (4 comments) | Main Index


In breaking news.. Chorus purchased by Telecom NZ for an undisclosed sum.

By Steve Biddle, in , posted: 4-Sep-2013 21:38

Did anybody tell the NZX?

According to the NZ Herald “Chorus is a business unit of Telecom NZ” … so it must be true.

 

image

Seriously folks, can the level of accuracy in the New Zealand mainstream media really get any worse?

Source: http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11119558



Hey Coliseum Sport. Where’s your MHEG5 app?

By Steve Biddle, in , posted: 23-Aug-2013 08:15

If you’re a sports fan in New Zealand you’ll be aware of the acquisition of the New Zealand broadcast rights to the English Premier League by Coliseum Sport, a new start-up who’s goal is to break the stranglehold of existing broadcast TV by streaming games over the internet.

Unfortunately for Coliseum they’re already set themselves up to fail. Not because of their model, but the poor technological solutions that they’ve chosen to deliver their content. Delivery of video content over the internet is the future of media, and with the rollout of fibre optic cable to 75% of New Zealand homes by 2019 as part of the Ultra Fast Broadband (UFB) rollout, New Zealand homes will have the capability and bandwidth to enable broadcasters to bypass existing terrestrial and satellite delivery platforms – that’s not to say New Zealand doesn’t already have world class broadband, because we do - over 80% of premises are capable of receiving a internet connection of at least 10Mbps, and around 50% of those premises are capable of receiving VDSL2 which can deliver between 30Mbps and 70Mbps depending on your distance from your local exchange or roadside cabinet. What UFB does differently is enable guaranteed bandwidth to premises, and more importantly enables multicast delivery of content over the UFB network, something that is essential to deliver high bandwidth content to multiple premises. Delivering content over the internet is the way of the future, particularly as people move to replace viewing live content with watching On Demand content when and where it suits them.

Coliseum Sport’s failing isn’t the decision to deliver content over the internet – it’s the options that exist to view their streamed content. No matter how many internet enabled devices people may have in their home, the big screen TV is still the entertainment hub of the home. While tablets may be convenient for watching content in bed, nothing can match the experience of watching high definition content on a big screen TV. Logic would dictate that anybody looking at  replacing the existing broadcast model would focus on replicating the experience, but it seems it’s the aspect Coliseum have chosen to ignore. Right now your only option for watching Coliseum Sport content is to use a PC as their content uses Adobe Flash for it’s streaming – although there are are Android and iOS apps in development to allow viewing content on these devices. If you want to watch content on your big screen TV your only option is to hook a PC up to your TV, something that’s not difficult if you own a laptop, but it’s still a very cumbersome task that simply shouldn’t be required. If you don’t own a laptop that you can move to near your TV it’s probably not even an option.

Coliseum’s have completely overlooked the fact that every home in the country that has a TV with Integrated Freeview|HD (known as an IDTV – Integrated Digital TV) or a MyFreeview|HD recorder already has the technology built in to solve their problem. Pretty much every IDTV sold these days is required to have internet connectivity to comply with Freeview specifications. While many so called smart TVs already have their own applications such as YouTube for viewing content from the internet, building applications for multiple brands of TVs is expensive and time consuming, and that’s where MHEG5 steps in to save the day.

MHEG5 is an open standards Application Programme Interface (API) that is mandatory on every Freeview|HD IDTV or Freeview Set Top Box (STB) sold in New Zealand. MHEG5 allows interactive applications to be run on the TV or STB, an example of which is the Freeview Electronic Program Guide (EPG). The EPG application is device agnostic, meaning it will run on every MHEG5 capable device and deliver the same consistent user experience across every device that it’s run on. One of the coolest features of MHEG5 is the interactive channel extensions and ICStreaming extensions – two extensions that allow interactive content on your TV using content that is sourced via the internet.  Support for this is required on every Freeview|HD IDTV and MyFreeview|HD recorder now sold, and it means your TV can access streaming content delivered over a broadband connection without the end user having to install any software or change any settings - all that’s required is for the TV to be correctly connected to an Internet connection. Support for ICStreaming is not required on every standard Freeview STB, however some do support this capability.

MHEG5 ICStreaming is already used in countries such as the UK to deliver BBC iPlayer content to end users, and has also been chosen by Quickflix who will be launching a MHEG5 based service into the New Zealand market before the end of 2013. This will make viewing Quickflix content on your TV as simple as watching regular broadcast channels, and means Quickflix don’t have to develop applications for the different brands of smart TVs on the market.

The capabilities of MHEG5 are exceptionally powerful, and there is nothing to stop other broadcasters or ISPs from building their own MHEG5 applications and delivering content over the internet. What’s surprising so far is the lack of interest from existing players such as TVNZ and Media Works who both currently offer On Demand services, but make viewing that content on a TV far more difficult than it needs to be. The key is making content easy to access, and both of these players, along with Coliseum Sport, don’t yet seem to have grasped this simple concept.



Why Sky TV’s days of market dominance are numbered

By Steve Biddle, in , posted: 17-Jul-2013 21:57

There has been a lot of talk in the last year about Sky TV’s dominance of the Pay TV market, with many people concerned about their businesses practices around exclusivity of content and pricing. Whether or not you agree on Sky being evil, they’re ultimately the main source of entertainment for many NZ homes, and many people can’t wait for the day they face some competition and have a choice of Pay TV providers.

What if I told you that Sky’s competition already existed? That’s right. With the purchase of TelstraClear, Vodafone is sitting in a prime spot, ready to engage in a war with Sky TV if they so desire.

TelstraClear was formed with the merger of Telstra New Zealand and Saturn Communications. Saturn Communications started it’s life as Kiwi Cable and deployed a cable TV network on the Kapiti Coast before expanding into Wellington, and later Christchurch. Expansion into Auckland was stopped by politics – in particular the NZ Herald who did an an amazing job ensuring that TelstraClear were not allowed to deploy their network in Auckland. This ensured that Aucklanders were subjected to the early 2000’s monopolistic practices of Telecom rather than being given freedom of choice when it came to fixed line phone and internet providers.

On the Kapiti Coast, Wellington and in Christchurch, Saturn Communications deployed what is known as a hybrid fibre co-axial network, or HFC for short. This network also has a traditional copper network for phone services that was rolled out alongside the HFC network. The network has a fibre to the node (FTTN) architecture consisting of both fibre optic and coaxial cables, with fibre carrying data to node (the roadside cabinet) where it’s converted to a radio frequency (RF) signal and then carried over the coaxial cable to your home. Each cabinet will typically cover several hundred homes.

Inside your home the co-axial cable is connected to your set top box (STB) which uses the Digital Video Broadcasting over Cable (DVB-C) standard. This is very similar to the DVB broadcasting standards used for terrestrial (DVB-T) and satellite (DVB-S) broadcasts used by Freeview and Sky. In it’s early days Saturn Communications sourced much of it’s content independently, but lacking a sport offering meant it made sense to partner with Sky, ultimately resulting in TelstraClear essentially just reselling Sky TV over it’s network.

Now that you’ve grasped the basics I’ll now explain why Vodafone’s acquisition of TelstraClear was a smart move. Not only did it give them a fixed line network and a nationwide fibre network, it also gave them New Zealand’s most advanced internet protocol (IP) playout system for TV. Every customer watching TV via their Vodafone STB is actually watching content that started it’s life in the Vodafone network as an IPTV stream, however rather than being IP all the way to your home, it’s converted to RF to be carried over the co-axial cable. Since the signal is digital all the way, no loss of quality occurs along the broadcast path. What is important however is that every channel they offer already exists in an IPTV format within their network, meaning it can easily be delivered over any IP delivery network anywhere within New Zealand.

Those of you with a T-Box will have spotted the Ethernet port on the back that is currently only used for electronic program guide (EPG) updates. This Ethernet port is also cable of being the source of all content, with IPTV content either live or on demand streamed directly to your T-box with no requirement for the HFC network.

It doesn’t take a smart network engineer to realise that broadcasting high definition content over the internet currently is an exceptionally inefficient use of bandwidth and that both terrestrial and satellite do a far better job of this. In the xDSL world where speeds are limited by your distance from an exchange or roadside cabinet and your internal home phone wiring, delivering IPTV content is something fraught with potential issues. Just on 84% of NZ premises have access to broadband speeds of 10Mbps or greater, with around 50% of those having access to VDSL2 which will deliver average speeds of around 35Mbps downstream and 10Mbps upstream. When you consider that a single 1080i Full HD broadcast TV channel broadcast over terrestrial or satellite uses up to 10Mbps, you can already see the issues that are faced. Those issues are solved by the current rollout in New Zealand of ultra fast broadband (UFB), with the construction of a fibre optic network to 75% of New Zealand homes and businesses already underway and due for completion by 2019. With fibre speed no longer becomes an issue, and a home could easily have several STB’s streaming 1080i HD content with no need to worry about it significantly impacting their internet experience.

As the UFB network rolls out Vodafone are in the prime position to take advantage of the IPTV revolution. While the T-box may have had a chequered past with numerous software issues, it’s now a relatively stable product. More importantly however, the IP based playout system that Vodafone now own gives them a massive head start over anybody else contemplating such a product. Building such a system isn’t cheap.

Now that I’ve given you a technical rundown of delivering IPTV, you’re probably going to ask where the content is. This is the question everybody is asking, but the answer is quite simple. It’s already there. Vodafone already have an existing resell agreement with Sky that allows them to rebroadcast Sky content, along with sourcing several additional channels not carried by Sky. What needs to be remembered is that much of this content is not exclusive to Sky, and anybody who wants to rebroadcast many of the channels carried by Sky is free to do so providing they’ve got the money to pay the content owner. There is realistically very little in the way of Vodafone deciding to go it alone and acquire rights to somewhere in the vicinity 80% of the content that Sky offer – with one notable exception – sport. This very much puts the ball in Sky’s court (literally). Sport is very expensive to produce and it’s not clear if Sky actually break even on revenue from their sports channels or whether they are cross subsidised. If Vodafone went it alone without a sports channel they’re only going to have limited success in the market, but the effect on Sky could be significant. Would Sky then do the smart thing and resell sport to Vodafone? Or would they simply hope that sport is a big enough selling point to ensure differentiation in the marketplace? My money is on the former. I’d also put money on Vodafone allowing their IPTV service to in effect be bundled by other internet providers, ultimately putting them head to head with Sky, and hopefully delivering us a future with a much greater choice of content, both live and on-demand.

UFB’s going to mean an exciting future in the NZ marketplace…



Viewing the content of your New Zealand ePassport

By Steve Biddle, in , posted: 10-May-2013 08:13

If you’ve had a New Zealand passport issued since November 2005 you would have spotted the Near Field Communication (NFC) page in your passport. This solid page contains a NFC chip which duplicates the data printed in your passport electronically, and also contains a digital copy of your photo along with the biometric data relating to this photo.

An ePassport is now mandatory for visiting a number of countries, and if you’ve been to Australia in the past couple of years chances are you’ve used a Smartgate machine at the airport rather than having to be processed manually by Customs. The Smartgate kiosk reads the biometric data from your passport  and when your photo is taken it is compared to the biometric data in your passport to establish a positive match.

If you have a modern Android phone with NFC capabilities you can easily view the contents of this NFC chip.

Download the  NFC Tag Info app from the Play store to your Android phone, and once installed click on the app to run it. If you now try and read your passport you’ll see an error come up saying “Basic Access Control is active”. BAC is an security layer protecting your passport from being accessed without an encryption key, essentially preventing your ePassport from being read by somebody who doesn’t have physical access to the passport. The BAC encryption key is generated using your passport number, date of birth, and passport expiry date – data that is only printed inside your passport.

If you now go back to the main menu you’ll see an option to “setup access keys”. enter your passport number, date of birth and passport expiry date and press save. This will generate the encryption key required to read your passport.

epassport 2 

If you now put your phone next to your passport the app will be able to read the NFC chip and you should see your passport details and photo appear on the screen.

epassport 1 modified

A number of other details can be viewed, including the biometric data for your photo and the Machine Readable Zone (MRZ) data which is the machine readable text that appears at the bottom of  your passport photo page.

To change electronic details of a passport additional layers of encryption exist also – you can’t change your details simply by having the BAC encryption key as this allows read only access.

If you’re interested in knowing more here are a few links you might want to check out:

http://en.wikipedia.org/wiki/Biometric_passport

http://en.wikipedia.org/wiki/Basic_access_control

http://en.wikipedia.org/wiki/Extended_Access_Control

http://www.frontex.europa.eu/assets/Publications/Research/Operational_and_Technical_Security_of_Electronic_Pasports.pdf



Are Vodafone NZ holding NZ's best kept secret?

By Steve Biddle, in , posted: 29-Jan-2013 14:19

If you've upgraded your iPhone5 to iOS 6.1 this morning you'll now see a new setting in the network settings screen:



iOS devices need to have the carrier pack configured to allow LTE on supported networks before LTE can be used. This option will only show in phones that have had the carrier pack set to allow LTE. Vodafone New Zealand isn't listed as an official LTE carrier on the Apple website but it would be safe to assume that Apple aren't going to ruin things for Vodafone and announce something before Vodafone themselves do.

So what secret are Vodafone holding from us?

It's no secret they've just upgraded over 400 cellsites around the Auckland region over the weekend to deliver 900 MHz Dual Carrier 3G services across the Auckland region (I wrote about this here on Friday). Vodafone also have plenty of 1800MHz spectrum to deploy a LTE network on.

Does this hardware support a technology they haven't yet told us about? You decide...








Are pharmacies NZ’s biggest* rort? (*excluding airport carparking)

By Steve Biddle, in , posted: 21-Jan-2013 11:31

Example A - $12.99 vs $20.00 for the identical tablets at two different pharmacies.

If you do suffer from hayfever I highly recommend Levrix tablets, I've found them amazing. It might just pay however to check the price before you buy them.

levrix (Medium)



Credit Card Security–Why close enough isn’t good enough

By Steve Biddle, in , posted: 4-Jan-2013 18:28

Credit card security isn't a laughing matter these days. It's certainly not difficult to find people who have had their credit cards compromised and fraudulent transactions charged to their account. Typically this has been as a result of physical  card security being compromised by the use of a card skimmer attached to an ATM (numerous instances in Auckland), a compromised EFTPOS terminal recording card details (a major burger retailer in Queen St, Auckland), or by staff who have access to credit card records randomly copying numbers down for use (a foreign call centre for a major telco). Banks have complex systems monitoring transactions in real time and will often detect card fraud and put a hold on your card well before you're even aware there could be an issue. While card fraud normally doesn't leave the card holder out of pocket due the liability limits banks have in their terms and conditions, having to get a new card can often be a real pain if you have automatic payments such as bills set up on it.

Having had my card compromised while in Australia in the middle of 2012 and then spending an entire afternoon dealing with the consequences while trying to enjoy a relaxing long weekend away means I have zero tolerance to anybody in the industry dealing with credit cards who isn't willing to comply with industry guidelines. As far as I'm concerned you deserve to be named and shamed if you're accepting credit cards and failing to comply with industry guidelines.

The Payment Card Industry (PCI) Security Standards Council are responsible for creating data security standards for cardholder data. Known as the PCI Data Security Standard (DSS) this document covers the requirements and security assessment procedures that should be used in the banking and payments industry to ensure that card security remains a top priority. It's common to refer to being "PCI complaint" when your systems are complaint with this standard.

It's therefore surprising so see a large business like Wellington Airport failing to comply with industry PCI standards governing credit card security, and more so the fact this lack of security has now existed for several years in their car park ticketing machines.

Despite what some may think, a credit card number, or Primary Account Number (PAN) as it's technically known as, isn't just sixteen random numbers. Each card issuer has a unique Bank Identification Number (BIN) which comprises the first six digits of the card. The next nine digits are the account number, and the last digit is a check digit calculated using the MOD 10 algorithm, otherwise known as the Luhn Algorithm, calculated off the prior fifteen digits. This algorithm isn't complex, and it's easy to calculate this check digit with a piece of paper and a pen.

PCI DSS requirement 3.3 covers the storage and use of PAN numbers

3.3 Obtain and examine written policies and examine displays of PAN (for example, on screen, on paper receipts) to verify that primary account numbers (PANs) are masked when displaying cardholder data, except for those with a legitimate business need to see full PAN.

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

As you can see the PCI DSS requirements are that the first six and last four digits are the only digits that should be displayed on a receipt. Why? Because displaying any more than this leaves your card number open to being compromised.

The first six digits are unique to your bank, so displaying these poses no real security risk. The last digit is a check digit, and the prior three prior digits are only 1/3 of your account number. Using a MOD10 calculator to calculate the remaining six digits still leaves a vast number of possibilities, so many in fact, that it poses no great security risk.

Wellington Airport receipts display the last six digits of the PAN, as pictured below (I've crossed two out so you can't see them). This now only leaves four digits that need to be generated, and literally leaves only a handful of possibilities for the card number. For all intent purposes you may as well be displaying the full PAN, as a card card can be compromised with access to the first six digits and the last six digits of the PAN.

20130104_181316

A Wellington Airport parking receipt by itself isn't going to let somebody exploit your credit card - as they're only displaying the last six digits of the PAN. Combined with another receipt from a PCI compliant terminal or retailer however and your card number can be compromised. Considering many people throw receipts away together it's entirely possible that somebody could gain access to two receipts which would enable them to reconstruct your credit card number.

So a small tip from me - if you use your credit card at Wellington Airport be careful what you do with your receipt. It could be the most expensive car park you ever use!

 

Update 05/01/2012 :

Fellow Geekzone Moderator Nate spent some some time whipping up some code using the MOD 10 algorithm to generate possible card combinations. By entering an incomplete credit card number and X's to signify the masking all possible full PAN numbers are displayed. These could then easily be submitted automatically to a payment gateway to establish the valid number. If PCI compliant PAN masking of six digits is followed the 100000 possible combinations make this a a virtually impossible task. With non PCI compliant PAN masking such as that used by Wellington Airport this could be done in a matter of minutes with access to appropriate payment gateways.



sbiddle's profile

Steve Biddle
Wellington
New Zealand


I'm an engineer who loves building solutions to solve problems.

My interests and skillset include:

*VoIP (Voice over IP). I work with various brands of hardware and PBX's on a daily basis
  -Asterisk (incl trixbox, PiaF, FreePBX, Elastix and AsteriskNOW)
  -Polycom
  -Cisco
  -Linksys
  -Patton
  -Zyxel
  -Snom
  -Sangoma
  -Audiocodes

*Telecommunications/Broadband
  -xDSL deployments
  -WiMAX
  -GSM/WCDMA

*Structured cabling
  -Home/office cabling
  -Phone & Data

*Computer networking
  -Mikrotik hardware
  -WAN/LAN solutions

*Wireless solutions
  -Motel/Hotel hotspot deployments
  -Outdoor wireless deployments, both small and large scale
  -Temporary wireless deployments
   
*CCTV solutions
  -Analogue and IP

I'm an #avgeek who loves to travel the world (preferably in seat 1A) and stay in nice hotels.


+My views do no represent my employer. I'm sure they'll be happy to give their own if you ask them.


You can contact me here or by email at [email protected]

twitter.com/stevebiddle










Located in NZ and after a cheap way to call friends or family in Australia?

Faktortel VoIP offers plans from $0 per month that offer you the convenience of being able to call landline numbers anywhere in Australia from A$ 10c per call (yes *per call*, not per minute!). An optional Australian DDI number also lets friends and family call you and they will only pay the cost of a local call. Interested? Check out Faktortel for more details.