Links: MCX’s ever-downward spiral, Apple nixes PCalc widget, ID theft site was sold credit data (and more)

Rite Aid, With Us, it's Personal, Signs, 2014, by Mike Mozart of TheToyChannel and JeepersMedia on YouTube #Rite #Aid
A selection of 10 links for you. Use them wisely.

MCX says merchants doing what’s best for customers, being attacked for ‘challenging the status quo’ >> Mac Rumors

MCX certainly appears to be placing the blame for its member retailers’ refusal to accept Apple Pay on the merchants themselves. Asked whether Apple Pay and MCX’s CurrentC solution should be able to exist side-by-side, the executives noted that believe they will in the future and that it will take two or three major players in mobile payments to allow the entire market to thrive.

But pressed as to why some retailers such as CVS and Rite Aid have shut down NFC entirely rather than allow unofficial Apple Pay payments in their stores, Davidson argued that merchants know their customers best and are making the choices they believe are right for their customers. He said the merchants believe customers want more than just mobile payments, and CurrentC’s integration of payments with loyalty cards and coupons will in his opinion prove to be the best solution.

“Merchants know their customers best.” That’s why you stop them paying in one way and make them wait for another that will come at some unspecified time next year and require them to enter all sorts of other stuff.

The narrative around MCX/CurrentC has its own fascinating momentum – hacks, press conferences – which suggests that it’s already heading towards some sort of crisis.

Drupal Core – Highly Critical – Public Service announcement >>

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement…

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

The vulnerability was notified (highly critical) on 15 October; every version of version 7 from before that is vulnerable if you didn’t update.

James Thomson on Twitter: “Apple has told me that Notification Center widgets on iOS cannot perform any calculations, and the current PCalc widget must be removed.”

Apple has told me that Notification Center widgets on iOS cannot perform any calculations, and the current PCalc widget must be removed.

This was bad – but I understand Apple will reverse course and approve it today, Thursday. Especially in light of this.

Apple eyes new uses for NFC beyond iPhone payments >> The Information

Amir Efrati:

For instance, the “Clipper” card that’s used in California’s Bay Area Rapid Transit system uses a near-field communication (NFC) chip made by the same company that built the NFC chip that powers Apple Pay. And the Clipper card transmits data using the same standard and frequency as the iPhone 6 (ISO 14443 at 13.56 MHz), says Mr. Rosenberg of Creating Revolutions.

That means Apple could easily allow for Clipper cards to be uploaded into the phone, with key information stored in the phone’s “secure element,” along with bank cards used through Apple Pay, and let people tap their phones at the BART turnstiles to transmit the information to the card reader using the iPhone’s NFC chip.

Such a scenario would require a formal deal with Apple. For now, Apple restricts access to the iPhone’s NFC chip, meaning software developers can’t build apps that use it. But observers expect the company to open up access to developers in the future, just as it did for the iPhone’s Touch ID fingerprint sensor. Developers are already building apps that use the NFC chips in many Android phones like the Samsung Galaxy.

You can imagine software updates enabling new features on old iPhones, though Apple’s never done it before. Is it feasible on the NFC elements in the iPhone 6 range?

Experian sold consumer data to ID theft service >> Krebs on Security

An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

In November 2011, this publication ran a story about an underground service called, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.

Answers to Your Questions >> MCX

MCX sets out how wonderful it is for everyone.

On the data security side, the technology choices we’ve made take consumers’ security into account at every aspect of their core functionality. We want to assure you, MCX does not store sensitive customer information in the app. Users’ payment information is instead stored in our secure cloud-hosted network. Removing this sensitive information from the mobile device significantly lowers the risk of it being inappropriately disclosed in a case that the mobile device is hacked, stolen or otherwise compromised.

In the cloud? I’m so.. not reassured. Also enjoyable:

When merchants choose to work with MCX, they choose to do so exclusively and we’re proud of the long list of merchants who have partnered with us. Importantly, if a merchant decides to stop working with MCX, there are no fines.

(MCX emphasis.)

72 Hours of #Gamergate >> Medium

Andy Baio did a fantastic analysis of three days’ tweets around Gamergate, and then (with help) drew up a Delphi graphic showing how the pro- and anti- camps look:

This network visualization is as good a metaphor as any for #Gamergate. Two massive, impenetrable hairballs of people that want little to do with one another, only listening to their side and firing volleys across the chasm.

Much the same as any political divide, and as unlikely to be closed.

Sprout >> HP® Official Site

It’s a PC that has inbuilt cameras that look down onto a tabletop mat, which connects the cameras to what appears on the screen.

Hard to categorise. If this had come from Apple everyone would be raving about it; as it’s HP it’s had a collective “hmm”. The difference, perhaps, is that Apple knows how to drive the interest – and use – for such a product. Still, could find some eager buyers in particular segments. (Bonus point for the “Sprout” name, though.)

Anita Sarkeesian on video games’ great future >>

Anita Sarkeesian:

The Wii reignited my interest in gaming, offering play experiences I found engaging and rewarding, like Mario Kart, de Blob and The Beatles: Rockband. From there, I immersed myself in zany PC games like Plants vs. Zombies, World of Goo and Spore, and eventually became a fan of mainstream first-person titles like Mirror’s Edge, Portal and Half-Life 2.

Even though I was playing lots of games, I still didn’t call myself a “gamer” because I had associated that term with the games I wasn’t playing — instead of all the ones I was playing. This was largely because I’d bought into the myth that to be a “real gamer,” you had to be playing testosterone-infused blockbuster franchises like Grand Theft Auto, God of War or Call of Duty.

And that’s the crux of what’s going on. It’s like “cracker” v “hacker” (“hackers aren’t crackers, maaaan!”) and “what does ‘troll’ actually mean?” (“You see, ‘troll’ actually means humorously annoying people…”). Language is fluid, but the latter meaning above of “gamer” is – ironically – becoming a carapace that won’t let its participants out, because they’re building it around themselves.

Note also how the cracker/hacker, “define troll” and “actually, a ‘gamer’ is…” lends itself to mansplaining.

Getting chipped: Why I will live with an NFC chip implant for a year | Network World

René Schoemaker lives in Holland:

I’ve been living with an NFC chip in my left hand since Sept. 25. It was implanted between my thumb and index finger, and I can tell you that it hurt quite a bit. But that was mainly because of all the TV camera people trying to film it, which dragged the process out from the normal five seconds to about 30 seconds.

I got chipped together with nine other volunteers during the IT Innovation Day organized by IDG Netherlands. The other volunteers and I will spend the next 12 months testing the use of an NFC chip in our daily lives to see whether having the chip implanted in our bodies is more useful than using a chip embedded on a card or in a smartphone.

So far, it has been pretty useless though. We are still in the process of coming up with possible applications such as using the chip to pay for public transportation or in shops and restaurants.

Isn’t that the sort of thing you’d think about before getting the implant? Perhaps he’ll meet Kevin Warwick.

Leave a comment. Be informative. Add to the conversation.

Links: US virus scam, CurrentC’s woeful policies, when crowdsourcing goes wrong, and more

City of #SF has deployed #NFC payments for street parking meters. #mobile

A selection of 12 links for you. Use them wisely. Comments are open (but moderateable).

Acting on Facebook Referral, FTC Gets Federal Court to Shut Down Scam Support Outfit Pairsys – AllFacebook

Acting on a referral from Facebook, the Federal Trade Commission announced Friday that at the commission’s request, a federal court shut down the operations of Pairsys, an Albany, N.Y.-based company that coerced computer users into paying hundreds of dollars apiece for unnecessary technical support and software that was available free-of-charge.

According to the FTC, Pairsys employees cold-called computer users and posed as representatives of Facebook or Google, and the company was also behind online ads that indicated that its phone number was the technical support number for legitimate companies in the industry.

Damn. The Indian “Windows virus” variant was bad enough; now it’s metastatized to the US and UK.

Apple Pay Reality – accepting payments >> Quora

Brian Roemmele:

80% of the US transaction payment card volume comes from 150,000 merchant locations. These are the largest retailers in the US.

If we subtract the MCX members like WalMart and Target we are left with just over 60% of the top 150,000 top volume merchant locations accepting Apple Pay. This number is increasing rapidly as 250,000 medium sized merchant and the 5.5m small merchants join the Apple Pay rocket ride. This group has increased demand for NFC devices by over 3,000%. These merchants are rapidly adding these free upgrades to their existing payment card devices at such a record pace that supplies that were going to be sent to Europe are now being sent to the US. I see no slow down to this demand.

CurrentC User Terms and Conditions >> MCX

So much to choose from here. What about
– no “jailbroken” devices (might rule out some Android fans)
– you have to create a CurrentC account (obviously) for which “you will be asked to provide your name and certain other personal information, which may include, but not be limited to, name, email address, date of birth, and social security number. In addition, you will be asked to provide MCX with your Payment Method account information (such as bank account or other financial account information) necessary to originate, process and settle your payment transactions with participating MCX Merchants.” Though it says in the privacy policy that it doesn’t store those.
– “You grant MCX express written consent to receiving autodialed and prerecorded message calls, text messages or push notification alerts from MCX, or those Third Party Services providers acting on MCX’s behalf, at any mobile telephone number you provide to MCX, regardless of your registration of your mobile device number on any state or federal “do not call” registry. Your express, written permission applies to messages and alerts regarding the MCX payment transaction Services and any optional Services you have elected to receive.”

The privacy policy is amazing too: collects system activity; hardware settings; date and time; location; IP address; and then “may share or disclose” to merchants, third-party providers involved in providing the services, and so on.

It’s quite creepy. And giving a merchant organisation direct access to your bank account? You’d hope US consumers have seen enough examples of hackers breaking into retailers not to go for that.

How crowdsourcing turned on me >> Nautilus

Iyad Rahwan had taken part in a number of Darpa challenges, and succeeded using crowdsourcing. When it came to putting back virtual shredded documents using a crowd, all was going well – until a troll hit and scattered their work:

In our post-mortem analysis, Cebrian and I revealed how the crowd recovered efficiently from its own errors, fixing 86% of them in under 10 minutes. However, the crowd was hopeless against a determined attacker. Before the first attack, our progress on the fourth puzzle had combined 39,299 moves by 342 users over more than 38 hours. Destroying all this progress required just 416 moves by one attacker in about an hour. In other words, creation took 100 times as many moves and about 40 times longer than destruction. [Emphasis added.]

First place was taken by a team of three using custom-designed software. They were far less vulnerable to invasion than we were with our oh-so-open platform. A few days after the contest had ended, our attacker emailed Cebrian from an anonymous address, admitting that he or she belonged to a competing group. They claimed to have recruited individuals through…

Guess which notorious site they recruited them through.

Malicious ads on major websites held users’ files to ransom >> Engadget

A widespread attack has exposed millions to malware that holds files to ransom. The campaign, which was first detected a month ago, placed fake adverts on websites such as Yahoo, AOL and The Atlantic that installed so-called “ransomware” onto a victim’s computer. The attackers stole assets from the likes of Case Logic, Bing and Fancy in order to make the malicious ads appear real, but once a computer becomes infected, things get very bad, very fast, for victims.

The ransomware – named CryptoWall 2.0 – uses Adobe Flash to exploit browser vulnerabilities, installing itself on the affected computer.

Two avenues: malvertising, and Flash. Advertising is always going to be a risk; Flash, though, you can do something about. Like removing it. You don’t have it on your phone, after all.

Mobile in China — the year of the looking glass >> Medium

Julie Zhuo:

The strangest thing about iPhone usage in China was how most people had accessibility mode turned on. In other words, a persistent tab was always covering some part of the screen, though you could move it around along the edge. I wasn’t aware this feature even existed, but apparently you can use it to avoid having to use the power and home buttons. Baffled, I asked my cousin why this option was so commonly turned on. She said it was because people were concerned about their home button malfunctioning (apparently it’s enough of a meme that multiple people I talked to cited this reason) and as repairs are expensive they’ve resorted to not using the hardware buttons altogether.

I’ve seen this too (in Dubai) and the reason given was the same. (Personally, I’ve used lots of iPhones and never had a home button fault, but if repairs are expensive..) The Accessibility function is in Settings -> General -> Accessibility -> (scrolllll dowwwwnnn) AssistiveTouch -> (turn it on).

Plenty more to digest (not Apple-related) about the world’s biggest smartphone market, China, in this great post.

Facebook offers life raft, but publishers are wary >>

David Carr on Facebook’s suggestion to publishers that they just publish stuff directly into Facebook itself, and do a revenue split on the adverts shown there:

It reminds me very much of those times when other digital behemoths tried to persuade content providers into letting them host the publishers’ content. In the early days, when AOL was dominant, the service preyed on the publishers’ fear that if they didn’t put their content inside the walled garden of AOL, their content would be invisible. That strategy benefited AOL in the short run, but no one prospered in the long run.

And I remember a visit to Google when Sergey Brin, a founder of the company, and some of his colleagues talked about how clunky most news web pages were — sound familiar? — and offered to host content with quicker load times and a revenue share. That went nowhere fast.

Once companies reach a certain scale online, they have a tendency to decide that while they love the Internet, they would like a better version. And, oh, by the way, they should run it. (All considered, Apple has already pulled off that trick, creating a private enclave of apps that it controls.)

Introducing Fire TV stick >> Amazon Media Room: Press Releases

Apart from “DUAL-CORE 1GB RAM 8GB STORAGE DUAL-BAND DUAL ANTENNA” (none of which will mean anything to the average person; Amazon is clearly aiming at the geek buyer who goes for the Chromecast), I found this interesting, about the inclusion of a remote control:

Customers have told us they want to use a remote control, not just their phones, to watch TV. Now, everyone in the household can watch movies and TV shows without borrowing your phone—use the included remote to easily navigate and discover movies, TV shows, apps, and games.

The impossibility of killing the remote control is one of those factors about internet TV that makes it so hard to do well.

Apple’s iPhone 6 Sales outpace Samsung Galaxy Note 4 in South Korea >> Chinatopix

The three South Korean carriers all reported strong sales, with the end result after one day being more than 500,000.

Compare this to the Galaxy Note 4’s 30,000 sales at the same time point, it is clear why some analysts are pointing to Apple’s final push into South Korea, after years of being shrugged off by the country, in favour of their own homegrown brands.

KT were the first carrier to start selling the iPhone 6 and iPhone 6 Plus, reporting 10,000 sales in 1 minute and 50,000 sales in 30 minutes. SK Telecom, the largest carrier in South Korea, gave even more praise to the early sales of the iPhone.

This is not good news for Samsung, which can normally rely on the Galaxy smartphones to come up big in South Korea. The Galaxy S5 was shunned in South Korea, in favor of the LG G3, which outsold Samsung’s flagship 3 to 1 for most of the year.

Did not know that about the G3. LG has really shown how to turn a phone business around.

Meanwhile, the Note’s apparently slow sales have to be seen in context: Samsung has been selling them since 2011, so you’d guess that anyone who wants one likely has one already.

Even so, likely to be a few high fives about this in Cupertino.

Leaked Rite Aid docs say Apple Pay may never come >> SlashGear

Here is the text of the alleged internal memo:

Please note that we do not accept Apple Pay at this time. However we are currently working with a group of large retailers to develop a mobile wallet that allows for mobile payments attached to credit cards and bank accounts directly from a smart phone. We expect to have this feature available in the first half of 2015.

If customers attempt to pay for a transaction with Apple Pay, a message will prompt both customer and cashier for a different form of payment. Please instruct cashiers to apologize to the customer and explain that we do not currently accept Apple Pay, but will have our own mobile wallet next year.

This is going to fail, not because Apple Pay is somehow magical, but because hackers will target the woeful security of CurrentC (ugh, the name) – which uses QR codes and insists on direct access to the customer’s current (not credit) account, and stores customer details.

It’s hard to believe that there’s been a real security audit of CurrentC. Perhaps they’ll publish it.

Why I don’t trust copypaste >> Securinti

I was talking to a good old friend when I accidentally hit ctrl-v instead of ctrl-c. Normally, this would be no big deal: I’d immediately notice my mistake and correct it. My friend wouldn’t notice anything.

But things went different this time. I was working on a photoshop project earlier that day. The data stored in my clipboard was not clear text, but an image. Facebook seems to treat images in a different way: it sends them right away, without having the need to press enter or “send”. Long story short: I sent my friend some image data from a project I’ve been working on. Not a big deal, or is it?

It is.

Why @Evleaks is giving up reporting phone scoops >> The Next Web

Evan Blass (aka phone leaker Evleaks)

These matters are always somewhat complicated, but like many things, it mostly comes down to money. Trying to monetize a stream of Twitter leaks is not easy. First I tried monthly sponsorships. Then weekly. Then single sponsored tweets. I took donations — felt like online panhandling.

I also started a website, and it’s actually done somewhat respectably, but with all the leaks going out on Twitter anyway, people have little incentive to visit, and most of my tech-savvy-heavy audience seem to be pretty heavy ad-block users, as well. It all adds up to an unsustainable living, and with a progressively worsening disease [Ed; Blass was diagnosed with multiple sclerosis], I need to make sure I can prepare myself better for the future, financially.

Best wishes for a lasting treatment for his MS.