Thread: CharlieCards v.v. Oyster (and Octopus?)
View Single Post
  #853   Report Post  
Old March 19th 12, 03:18 AM posted to uk.railway,uk.transport.london,misc.transport.rail.americas
Stephen Sprunk Stephen Sprunk is offline
external usenet poster
  
First recorded activity at LondonBanter: Aug 2004
Posts: 172
Default card numbers, was cards, was E-ZPass, was CharlieCards v.v. Oyster(and Octopus?)
On 13-Mar-12 05:13, Roland Perry wrote:
In message , at 11:46:39 on Mon, 12 Mar
2012, Stephen Sprunk remarked:

It is, when there's no money to replace them,

... which is why savvy customers look at the ROI: you pay for capital
assets with the cost savings from employing those assets.

They don't see a cost saving, only a cost increase (all those mobile
data bills).

We can debate _how large_ the cost saving will be, and therefore whether
it is worth solving, but it is not zero.

Indeed, and I'm saying the saving might well be less than zero (ie a
greater cost).

I don't deny that; a careful analysis would be required, and I would
hope they have done so rather than simply saying there's "no money" to
solve the problem and moving on.

The recent introduction of card-based terminals to pay for refreshments
on board the trains I catch to London has been scrapped, and they went
back to accepting cash only, citing the cost of operating (including
leasing, probably) the terminals.

Interesting. In contrast, the airline I usually fly stopped accepting
cash for in-flight snacks several years ago; they only accept cards
now--and they _do_ have online authorization.

You are promoting a classic "solution looking for a problem to solve",
and there isn't one.

I clearly identified the problem to be solved and was told there was no
solution; now that I identify the solution, you claim there is no
problem?

The problem you identified exists, but is not serious enough that it
needs a solution.

That is a much more reasonable response. I even grant that may be the
case, but we don't have sufficient data to presume it is correct.

There is also opportunity cost in not accepting money
from potential paying customers who only have a debit card.

You can use cash as well. Although the chances of (eg) needing paid car
parking and not having plastic is pretty small.

And if someone has only a debit card and no cash, you're going to throw
them off the train? What is the cost of doing that--particularly the
cost in PR?

There's never been a question of not-accepting debit cards. Some now
deprecated *versions* of debit cards are not accepted,

That isn't how the problem was initially presented in this thread: that
_all_ debit cards were refused, based on the assumption that they were
more likely to be declined and therefore a higher risk for offline
transactions.

If that is not actually correct, that changes the entire conversation.

Also, since this is a gaping security hole just waiting to be
exploited by the masses,

Clearly it isn't.

There is no debate he offline credit/debit payments _are_ insecure.

They are secure (in as much as anything can be - one day someone will
rob Fort Knox), but there's a very small risk of the payment being
"bounced" if the cardholder has no funds.

All that it takes to beat an offline payment system is to obtain a valid
card with no funds available--hardly equivalent to breaking into Ft Knox.

Someone (you, I think) said that the current terminals accept _any_
credit card presented. That means I can just print up my own cards with
random numbers and ride for free

No, because you'd have to make a Chip (for the C&P) that validated
correctly.

Are you sure they require EMV, eg. they don't accept US non-EMV cards?

So far, there's been no reported incidence of someone being
able to counterfeit the chips (and I'm quite sure a lot of people have
been trying for years).

It may have been an earlier "Chip and PIN" system, but I recall a case
of a man in France being jailed in the 1990s for demonstrating to a bank
his ability to counterfeit their chips.

Even if that wasn't EMV, it's just a matter of time until someone
figures out how to do it.

--and the carrier doesn't know until the
terminal uploads the card information later, long after I'm off the
train.

Using _my_ credit/debit card for such a fraud would be silly.

So it has to be a stolen one, where you know the PIN.

In the above case, the man created a chip that accepted _any_ PIN and
could be programmed with _any_ card number.

Again, I don't know if that was EMV, but if not it's just a matter of
time until someone figures out how to do it.

The entire "smart card" industry, like the DRM industry, relies on
hackers not being able to access data that they physically possess.

I remember the stories, like people being charged vast roaming fees to
call from (eg) Minneapolis to St Paul.

The other end of the call had no effect on roaming charges; what
mattered was the "service area" you subscribed to and from which
carrier. So, if you lived in NYC, traveled to Chicago and made a call
to a "local" number, you would be charged roaming fees for being out of
your service area plus the LD fees from NYC to Chicago.

Indeed, and I should have made it clear that in my example it was
implied that someone's "service area" would only have been one of the
twin cities, and not both. With predictable consequences when they
picked up a tower in the wrong one.

I don't know that case in particular, but the much larger Dallas/Ft
Worth area was a single "service area". OTOH, as stated (and snipped),
it would have been entirely possible to end up on the "other" carrier's
towers--and pay roaming charges--even in your home service area if you
wandered into a dead spot in your own carrier's coverage.

It sounds like similar nonsense still afflicts the UK, which could
explain why your coverage is so spotty: there is no incentive for
carriers to improve it.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking
Reply With QuoteReply With Quote