Monday, September 21, 2015

How Do You Want To Pay For That?

Magnetic stripe cards, touchless cards, chip cards, what does it all mean?  Read this to use the payment methods that will keep you safe from fraud.

I'll also talk about the opportunity toward the end in the "Business Opportunity" section.


Introducing The Credit Card
First of all, a review of traditional cards:  Your card has a short, 15-16 digit account number printed on it.  You can use this number wherever you can't find a card machine, such as when you buy things online or over the phone, and it's raised so that the next time you step into a taxi without an electronic card reader, they can easily get the card number with their machine that inks the bumps on the card.  The trouble with that is it's really short and easy to steal, so the card manufacturers came out with magnetic card reader machines in the 1980s to make it more difficult to copy.

The CVV code is written on the card and is never raised like the account number is.  Payment Card Industry requirements dictate that the CVV should never be stored, though it may be used to reassure the card processor that the user had the card in hand at the time the account number was stored.

Single Use Card Numbers
If you have authenticated yourself at your cardholder's site (or another site you trust), the card provider trusts your active session more than any payment made with a 15 or 16-digit account number entered on another web site or over the phone.  Several of the cardholder sites offer a single-use alternative account number you can use to charge things to your regular account.  Simply login, generate the card number, copy it to your computer's clipboard, and paste it into the vendor's web site.

Single use card numbers can be used for a single transaction or a single vendor.  They are quite secure, cheap to issue, and though not as easy to use as a plastic card, they can be entered via any machine and provide reasonably good security, rivaling magnetic card security.

Despite their advantages, customers aren't using them, and many card issuers have discontinued this technology packaged in this form, but as you'll see below, the technology is available in similar formats that are more convenient.

Magnetic Cards
Your credit card has a magnetic strip on it.  Overall, the technology is similar to a cassette tape, using magnetized parts of the strip to store the information, which is easily scanned by the machine.  Besides including the account number and name you see on the face of your card, the magnetic strip provides additional information you can't see on the outside of the card.  This extra set of numbers is like a really long password, designed to tell the machine that the genuine card is present at the transaction, and provides some degree of assurance to the card processor that the consumer is probably there, and that this is not a scam.

When the card is swiped, a pulse of on and off signals are read using the magnetic reader in the device as the card moves through the slot.

However it's becoming increasingly easy to add additional tiny card readers to the magnetic stripe reader slot so that it's read twice (once by the machine and once by an imposter, and someone comes by later to collect their own device), or to add a device to record the signals over the wires between the magnetic reader and the rest of the machine.  Like a password, once recorded it can be copied to another payment device, such as another card, and then if used again the mag stripe machine can't tell the difference between a copy and the genuine card.

Sometimes the magnetic strip of a counterfeit card doesn't match what's printed on the card, which is why some machines ask the cashier to confirm the last 4 digits written on the card.

As of 4 years ago, illegally copied magnetic strip cards could be purchased for as little as $0.25 each (or so I've read).  The price is likely lower than that now.

Some of the new popular everything-in-one cards like "Coin" offer a magnetic stripe that changes to match a card.  They have the same benefits and drawbacks as regular magnetic cards.  However the newest of these also offer additional, secure ways to pay that incorporate the features below.  Seek these out!  You'll understand why in a minute.

NFC, "Touchless" Cards, Apple Pay, and Android Pay (formerly Google Wallet)
Near Field Communication (NFC) or "touchless" payment methods (except Samsung Pay) all work based on short range (within inches) radio waves.  The general idea of each of these is that the credit card machine can have a "conversation" about the transaction, and that some of the information is different with every transaction.  So your card's "password" that makes it unique changes constantly, and isn't easily copied.

These work on the premise that the card and the payment processor know a "secret" that is never transmitted over the air.  Copying this payment method is harder, but if you had a device to have this "conversation" with a card that is in your wallet, you could have the card authorize a payment without your knowledge.  I haven't actually heard of this being done, but it's made people nervous enough to start an explosion of wallets and pockets that advertise they can block signals to keep your cards safe.

Touchless cards also have a magnetic stripe for magnetic readers that don't support the touchless payment option, but the magnetic stripe is no better than any ordinary magnetic card.  Unlike the touchless radio responder built into the card (or phone), the information on the magnetic stripe never changes.

Apple Pay and Android Pay are more secure because both use a form of authentication on your phone to authorize the payment.  Your PIN is never transmitted over the air, but your phone won't authorize the touchless payment without it.

Samsung Pay will act like Apple Pay and Android Pay, but the value Samsung Pay adds beyond Android Pay (which is available on every Samsung device) is outside this category, and I'll cover that later.

EMV "Chip" Cards
Retailers and card manufacturers particularly like the chip cards because they use a randomized password similar to the NFC "Touchless" cards, Apple Pay, and Android Pay, but cannot be accessed without removing it from a jacket pocket or wallet.

Contrary to common belief, the chip on the card has nothing to do with the magnetic stripe on the card, and just like Touchless cards, the magnetic stripe is provided as a backup for when the more secure payment option is not available.  The chip is not accessed when the card is swiped.

Unlike touchless cards, chip cards require the machine makes physical contact with the chip.  If you've been to one of the many Wal-Mart stores now equipped (as of Summer 2015) with these readers you have probably seen the slot at the bottom of the card reader.  The card is inserted into the reader, and left there until the transaction has been processed.

These also have the advantage over Apple Pay, Android Pay, and even Samsung Pay of being able to securely pay at a restaurant without giving up your phone to the waiter or waitress that will scan the card somewhere out of sight.

Most card issuers are sending free replacement EMV cards to their customers already.

Samsung Pay
Android Pay is now available for all Android-based Samsung devices, so if you have a Samsung device you already have Android Pay.  The newest Samsung devices will offer Samsung Pay.

Samsung Pay operates in two modes:

  • It can offer the same touchless payment experience Android Pay offers (which is why they don't bother to make it available for older phones that can already use Android Pay)
  • It can use a special antenna on these newest devices to send out a series of magnetic pulses, mimicking the presence of a magnetic card
Nothing I've found really explains Samsung Pay's security features, but they advertise they're more secure than a physical card.  

If I were Samsung, I would use a single use, extended length card number in that transaction, and transmit it directly from the phone through the card reader.  This would provide the same degree of security found in touchless and EMV card account numbers, and if the card number were captured by an illegal magnetic card reader, it would be invalid because it's single use.

Changes Effective October 1, 2015

Effective October 1, if you (as a vendor) use a magnetic card reader to process a transaction, you will be liable for any fraud related to illegal cards copied from an EMV or NFC capable original card.

Samsung Pay transactions through a magnetic card reader should be exempt based on my understanding of the technology, but it's unclear whether card processors will be able to tell the difference between a secure Samsung Pay transaction and a magnetic card.

Business Opportunity

The business opportunity here is in the sale or lease of secure equipment to retailers that are still using magnetic reader equipment.  The motivation for them to buy is in what merchants won't have to cover in credit card fraud.  In addition, merchants will be able to protect their customers by allowing and promoting secure forms of payment, and won't be held liable if a customer uses an illegally copied magnetic strip card.  

Online transactions shouldn't be affected, but retailers should still always ask for the CVV code as that's harder to copy, and reduces transaction fees.

Because the retailer almost always pays the processing fees (and not the card holder), most card holders are unaware and unmotivated to do anything that would improve the security of their transactions.  

For Consumers

Credit card companies and vendors with old equipment will cover the cost of fraud, but it's a lot of hassle to straighten out your account and replace your card when fraud happens.  So protect yourself and get a secure way to pay.  It's free.

Sunday, July 26, 2015

Why you should take your sleep apnea diagnosis seriously

I (somewhat erratically) maintain this blog to talk about topics that people don't seem to think about.  Usually I do it from a business perspective, but now I want to talk to all of you who (like me) have a diagnosis of sleep apnea.

First of all, who are you?  You are not necessarily middle-aged, male, and have a waist size of 38" or more, though those are 3 of the most common things.  If you feel tired often, but have figured it's because you're getting a little older, you probably should go get checked.  I am male and don't have either of the other two risk factors, but I have sleep apnea.  I was tired a lot, but I figured it was because of my lifestyle -- staying up late with the kids, and then leaving very early for a long commute to the office.

The doctors say I have a large tongue but a small lower jaw, and that's what is causing my sleep apnea -- losing weight won't really help me, it's the way God designed me.

The "gold standard" treatment for sleep apnea is the CPAP machine.  You have to wear something on your face to give you air when your body can't breathe in.  This treatment has a near-100%* success rate, but no one wants to wear a mask on their face -- besides unattractive look of it, it's uncomfortable, it's a hassle to keep clean, and finding the mask that fits properly can take over a year (remembering why you took off that mask can be more difficult than remembering your dream last night!).  ...and it can have an impact on the family too -- my full face mask startled my young children until I told them the doctors said I have to wear an "elephant nose" at night, and it though my wife is understanding, it has affected life activities in the bedroom too.

What are the alternatives?  Well yes, there are some, and they have varying degrees of effectiveness, but none of them are as effective as the CPAP machine.

  1. CPAP -- included for completeness, already discussed above, effective for 90%* of sleep apnea patients
  2. Lose weight.  This is probably the most effective alternative "cure" but you have to keep it up, and requires you have significant weight to lose - effective for 40%* of sleep apnea patients
  3. Dental device -- if, like me, you have a smaller lower jaw, sometimes this is effective.  Wasn't for me, though, and your jaw will be sore every morning for the first few weeks.  Effective for 25%* of sleep apnea patients
  4. Surgery -- if you've already had your tonsils removed, this probably won't do anything for you, but there are more things they can do than just remove the tonsils.  Varies based on the type of surgery, 15-35%* of sleep apea patients benefit.
  5. Pacemaker -- there is a "pacemaker for the tongue" to keep it out of your airways, but it's a very new treatment.  You have to maintain the device just like a pacemaker (batteries, etc.), and I have no idea what the side-effects are (does it impact your ability to talk?  no idea) -- insufficient data.
  6. "I'll just sleep on my side." -- usually not effective, but I'll give it a generous 5%* estimate
Is it really that big of a deal?

Yes.  It is.  Your heart can do its job to wake up the body enough for you to catch your breath a few times a night, that's no problem.  Sleep apnea patients wake up 25-50 times a night, but usually don't remember it.  That's a lot of wear and tear on your heart.

Also, general fatigue can lead to:
  • Car accidents
  • Poor attention span
  • Poor posture, and therefore back and other health problems
  • Poor judgement at work
  • Emotional health problems (which impact relationships at home and at work)

But I've lived like this for years!

This is the often overlooked piece of the puzzle.  According to a presentation I saw at Stanford's Sleep Clinic, you can live up to about 10 years like this before you start having noticeable health problems.  

You can also drive over 100 miles with a screw in your tire* without air leaking out, but chances are you would rather change the tire as soon as you notice it, because you don't want the risk of a blowout on the freeway.  So why would you take that risk with your body?

Ok, I've tried it, I don't like it.  I give up.

You owe it to your family, friends, and coworkers to keep trying.  Every night you don't, you shorten your life a bit.  

My story...

Three years after my diagnosis I'm still trying with my Variable BiPAP machine (similar to CPAP) -- the masks I've tried don't fit quite right for me.  The other options have already been ruled out for me (except the pacemaker option... not much is known about that one as of mid-2015).  However even though I'm not entirely successful, I've noticed a huge difference in my energy level, and my general health once I got above 4 hours of use per night.  ...and as I continue to get better at it, my energy level and health has continued to improve.

It's been worth the effort, and I wish I could just take a pill for it every day, but CPAP is the best solution for now.  My efforts paid off, yours will too.

Factors to play with

If you're having trouble and think you've tried it all, here are some factors to consider:

  • Type of mask
  • Tightness of straps
  • Is the mask seal clean?
  • Do you wash your face before you go to sleep?
  • Temperature of the humidifier
  • Your pillow (does it bump the mask off at night)?
  • Ramp-up settings of the breathing machine
  • Your doctor's settings on the machine
  • The air filter on the machine
  • Do you change your mask seal at least monthly, as designed?
  • Your mattress!  (if you've been tossing and turning thinking it was your breathing machine, but it was really your mattress, changing your mattress can help a lot! -- the Personal Comfort Bed is a great alternative to the Sleep Number Bed -- tell them referred you for $50 off)
...and if you're looking for tips, the CPAP Forum is a great place to get advice from breathing machine users who are just like you, but may have more experience.

* - this "research" should be treated as "what your friend thinks he remembers reading somewhere" at best, and if you want to know the truth, go research it yourself.  I am not a doctor, nor am writing this as a formal research paper.  I don't have sources, nor do I plan to add any.