f



�Free� Wi-Fi from Xfinity and AT&T also frees you to be hacked

The only financial transaction I ever make from the cell phone is buying
an app, using my google account.  But I signed up for the account from a
desktop computer, and my question is, Does the credit card number ever
get transitted to or from the phone when buying an app?  I think not, so
I'm safe, right? 

�Free� Wi-Fi from Xfinity and AT&T also frees you to be hacked
http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/

and even if there were sensitive info in the phone traffic, the
convoluted method of stealing it in the url above seems unlikelly to
happen to me.  Right? 

BTW, I'm  happy to learn that att has a wifi hotspot network like
Xfinity's, but much smaller, I'm sure. 
https://www.att.com/maps/wifi.html#fbid=Qncz14ky5pH   There are quite a
few, but on the commercial street and near me, there are abou five,
Burger King, Ruby Tuesday, walmart, the bank I use.   instead of 80 or
so, and in residential n'hoods, afaik/ct there are none.   Still better
than nothing and there is still the 2 hours per month of free xfinity. 


I think I did use a public wifi spot at the Delaware Turnpike travel
plaza, but only to dl more map data.  That's safe, yes? 
0
micky
12/17/2016 5:28:57 AM
comp.mobile.android 1779 articles. 0 followers. Post Follow

35 Replies
189 Views

Similar Articles

[PageSpeed] 2

micky <NONONOmisc07@bigfoot.com> wrote:

> The only financial transaction I ever make from the cell phone is buying
> an app, using my google account.  But I signed up for the account from a
> desktop computer, and my question is, Does the credit card number ever
> get transitted to or from the phone when buying an app?  I think not, so
> I'm safe, right? 
> 
> �Free� Wi-Fi from Xfinity and AT&T also frees you to be hacked
> http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/
> 
> and even if there were sensitive info in the phone traffic, the
> convoluted method of stealing it in the url above seems unlikelly to
> happen to me.  Right? 
> 
> BTW, I'm  happy to learn that att has a wifi hotspot network like
> Xfinity's, but much smaller, I'm sure. 
> https://www.att.com/maps/wifi.html#fbid=Qncz14ky5pH   There are quite a
> few, but on the commercial street and near me, there are abou five,
> Burger King, Ruby Tuesday, walmart, the bank I use.   instead of 80 or
> so, and in residential n'hoods, afaik/ct there are none.   Still better
> than nothing and there is still the 2 hours per month of free xfinity. 
> 
> I think I did use a public wifi spot at the Delaware Turnpike travel
> plaza, but only to dl more map data.  That's safe, yes?

Comcast's "free" wi-fi hotspots are only usable to Comcast customers.
They are not open to everyone.  They are free to already paying
customers.  If you have not previously connected to an "xfinitywifi"
hotspot before, you will be asked your Comcast login credentials.  The
communication is encrypted and the homeowner with the wifi cable modem
cannot see that traffic.  The "attwifi" must not be asking for login
credentials to prove you are a customer of theirs to use their network.
For xfinitywifi, you need their app on your phone.  When you login the
first time, the app records the login credentials to reuse at other
xfinitywifi hotspots.  So that you automatically connect to another
xfinitywifi hotspot means your login credentials encrypted and sent to
Comcast are still valid.

The author of the article never did test an xfinitywifi hotspot.  He
based his assumptions on hot attwifi works.  Even if they both worked
the same, why aren't you using HTTPS?  Someone operating an bogus
attwifi or infinitywifi hotspot still cannot interrogate your encrypted
web traffic because their hotspot is not either of the endpoints (your
client and the site to which you connect) in a connection to an HTTPS
web site.  The first and subsequent automatic logins to Comcast are via
HTTPS.  Again, the author only made guesses, not actual tests.  After
all, when you are home using wired Ethernet to connect to a web site,
there are lots of nodes (hops) in the route between you and the target
site that are not on your ISPs network.  If the author thinks a hotspot
is going to steal your login credentials, why couldn't ANY node in the
route between you and any site also steal your login credentials.  Hence
the purpose of HTTPS.

The man-in-the-middle attacks the author speaks of must be using HTTP so
the attacker can intercept and actually interpret the non-encrypted web
traffic.  For HTTPS, the attacker won't have the site's cert.  If the
HTTPS connect results in a warning in your web browser, you cannot be
sure you connected to where you thought you connected.

http://tools.kali.org/information-gathering/sslsplit
"SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
encrypted network connections. Connections are transparently intercepted
through a network address translation engine and redirected to SSLsplit.
SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to
the original destination address, while logging all data transmitted."

Except the attacker's host where they run SSLsplit won't have the target
site's certificate.  They do attempt to forge a fake certificate based
on the details of the site's certificate.  But that isn't unique to
wifi.  ANY host in the route between your end and the target site could
do that.  It's not a wi-fi specific attack vector.  From an article at:

https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/, 

the attacker must have the private key of a CA (certificate authority).
Well, how did they get that?  Alas, there are CAs that should never have
been granted permission to operate as a CA.  The article mentions the
user must have the attacker's root cert in the user's own cert store
(which is either the OS global cert store or a private store such as the
one that Firefox uses).  How did the attacker's root cert get into the
user's local cert store?  Malware.  Companies do this MITM scheme all
the time so they can monitor HTTPS traffic generated by their employees
(who are supposed to be working, not downloading porn or leaking trade
secrets) by putting the company's root cert in the image they put on
their workstations that their employees use.

That the Internet does not guarantee the nodes between you and the
target host are all trusted (and repeatedly verified as such), there are
dangers in doing anything in the Internet.  A VPN might provide better
protection since the tunnelling is supposed to be secure between
endpoints no matter what nodes are in the route.  I haven't investigate
VPNs to see if that premise is correct.

Users worry so much about protecting their web traffic and yet they lock
their house with doors having easily punched-out windows that grants an
attacker access to the inside turn knob on the deadbolt, and they lots
of knockouts (aka windows) in their house to grant forced entry.  HTTPS
and VPNs add security levels.  They don't guarantee 100% secure
communication, just highly likely secure communication.

Did you use HTTPS to make the connection to the web site where you made
a purchase?  Doesn't matter whether you use wi-fi or Ethernet.  You
should be using HTTPS.  VPNs are nice but only if you are afraid of
having someone seeing to where you connect.  They do further encrypt the
web traffic but HTTPS should be fine.  play.google.com is a HTTPS site.

Best would be to check with your credit card issuer if they have a safe
card scheme.  This lets you create temporary credit card numbers
(assigned onto your real credit card number) where you can specify the
maximum amount that can be charged and how long the temporary number
will survive (its expiration month/year).  No one can charge more than
that and after its expiration (usually 2 months is the minimum) no one
can make any charge to that card number.  After you use that card
number, and after you are sure the transaction has been completed, you
can even delete that card number so it cannot be used again.  Bank of
America calls it ShopSafe.

Tis humorous that folks are so worried about their credit card numbers
when making Internet purchases and yet they gladly hand over their
credit card to some low-wage flunky at a restaurant who disappears from
the table to charge the card.  They call Comcast for tech support who
asks for the account number, last 4 digits of the user's social security
number, telephone number, postal address and other customer validation
information.  So why couldn't their phone line be tapped, or their
outbound call be intercepted or redirected elsewhere to someone
pretending to be Comcast?
0
VanguardLH
12/17/2016 7:11:47 AM
In comp.mobile.android, on Sat, 17 Dec 2016 01:11:47 -0600, VanguardLH
<V@nguard.LH> wrote:

>micky <NONONOmisc07@bigfoot.com> wrote:
>
>> The only financial transaction I ever make from the cell phone is buying
>> an app, using my google account.  But I signed up for the account from a
>> desktop computer, and my question is, Does the credit card number ever
>> get transitted to or from the phone when buying an app?  I think not, so
>> I'm safe, right? 
>> 
>> �Free� Wi-Fi from Xfinity and AT&T also frees you to be hacked
>> http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/
>> 
>> and even if there were sensitive info in the phone traffic, the
>> convoluted method of stealing it in the url above seems unlikelly to
>> happen to me.  Right? 
>> 
>> BTW, I'm  happy to learn that att has a wifi hotspot network like
>> Xfinity's, but much smaller, I'm sure. 
>> https://www.att.com/maps/wifi.html#fbid=Qncz14ky5pH   There are quite a
>> few, but on the commercial street and near me, there are abou five,
>> Burger King, Ruby Tuesday, walmart, the bank I use.   instead of 80 or
>> so, and in residential n'hoods, afaik/ct there are none.   Still better
>> than nothing and there is still the 2 hours per month of free xfinity. 
>> 
>> I think I did use a public wifi spot at the Delaware Turnpike travel
>> plaza, but only to dl more map data.  That's safe, yes?
>
>Comcast's "free" wi-fi hotspots are only usable to Comcast customers.
>They are not open to everyone.  They are free to already paying
>customers.  If you have not previously connected to an "xfinitywifi"
>hotspot before, you will be asked your Comcast login credentials.  The
>communication is encrypted and the homeowner with the wifi cable modem
>cannot see that traffic.  The "attwifi" must not be asking for login
>credentials to prove you are a customer of theirs to use their network.
>For xfinitywifi, you need their app on your phone.  When you login the
>first time, the app records the login credentials to reuse at other
>xfinitywifi hotspots.  So that you automatically connect to another
>xfinitywifi hotspot means your login credentials encrypted and sent to
>Comcast are still valid.
>
>The author of the article never did test an xfinitywifi hotspot.  He

I wouldn't  be surprised if he's exaggerating a risk.  Columnists need
topics to write about and surely sometimes they can't find a good one,
and some of those time, their publisher expects a new column.  Maybe
that's true online too. 

>based his assumptions on hot attwifi works.  Even if they both worked
>the same, why aren't you using HTTPS?  Someone operating an bogus

I don't connect with a bank when I'm using a phone, but if I did and it,
for example, provided an HTTPS url, I'd use it of course. 

If one reads about, or google provides, an http:// url can one just use
https:// instead?    Is that what you mean? 

>attwifi or infinitywifi hotspot still cannot interrogate your encrypted
>web traffic because their hotspot is not either of the endpoints (your
>client and the site to which you connect) in a connection to an HTTPS
>web site.  The first and subsequent automatic logins to Comcast are via
>HTTPS.  Again, the author only made guesses, not actual tests.  After
>all, when you are home using wired Ethernet to connect to a web site,
>there are lots of nodes (hops) in the route between you and the target
>site that are not on your ISPs network.  If the author thinks a hotspot
>is going to steal your login credentials, why couldn't ANY node in the
>route between you and any site also steal your login credentials.  Hence
>the purpose of HTTPS.
>
>The man-in-the-middle attacks the author speaks of must be using HTTP so
>the attacker can intercept and actually interpret the non-encrypted web
>traffic.  For HTTPS, the attacker won't have the site's cert.  If the
>HTTPS connect results in a warning in your web browser, you cannot be
>sure you connected to where you thought you connected.
>
>http://tools.kali.org/information-gathering/sslsplit
>"SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
>encrypted network connections. Connections are transparently intercepted
>through a network address translation engine and redirected to SSLsplit.
>SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to
>the original destination address, while logging all data transmitted."
>
>Except the attacker's host where they run SSLsplit won't have the target
>site's certificate.  They do attempt to forge a fake certificate based
>on the details of the site's certificate.  But that isn't unique to
>wifi.  ANY host in the route between your end and the target site could
>do that.  It's not a wi-fi specific attack vector.  From an article at:
>
>https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/, 
>
>the attacker must have the private key of a CA (certificate authority).
>Well, how did they get that?  Alas, there are CAs that should never have
>been granted permission to operate as a CA.  The article mentions the
>user must have the attacker's root cert in the user's own cert store
>(which is either the OS global cert store or a private store such as the
>one that Firefox uses).  How did the attacker's root cert get into the
>user's local cert store?  Malware.  Companies do this MITM scheme all
>the time so they can monitor HTTPS traffic generated by their employees
>(who are supposed to be working, not downloading porn or leaking trade
>secrets) by putting the company's root cert in the image they put on
>their workstations that their employees use.
>
>That the Internet does not guarantee the nodes between you and the
>target host are all trusted (and repeatedly verified as such), there are
>dangers in doing anything in the Internet.  A VPN might provide better
>protection since the tunnelling is supposed to be secure between
>endpoints no matter what nodes are in the route.  I haven't investigate
>VPNs to see if that premise is correct.
>
>Users worry so much about protecting their web traffic and yet they lock
>their house with doors having easily punched-out windows that grants an
>attacker access to the inside turn knob on the deadbolt, and they lots
>of knockouts (aka windows) in their house to grant forced entry.  HTTPS
>and VPNs add security levels.  They don't guarantee 100% secure
>communication, just highly likely secure communication.
>
>Did you use HTTPS to make the connection to the web site where you made
>a purchase?  Doesn't matter whether you use wi-fi or Ethernet.  You

I don't know. IIRC when I'm using a webbrowser the full url shows, but
when using the PlayStore, nothing much shows. 

>should be using HTTPS.  VPNs are nice but only if you are afraid of
>having someone seeing to where you connect.  They do further encrypt the
>web traffic but HTTPS should be fine.  play.google.com is a HTTPS site.
>
>Best would be to check with your credit card issuer if they have a safe
>card scheme.  This lets you create temporary credit card numbers
>(assigned onto your real credit card number) where you can specify the
>maximum amount that can be charged and how long the temporary number
>will survive (its expiration month/year).  No one can charge more than
>that and after its expiration (usually 2 months is the minimum) no one
>can make any charge to that card number.  After you use that card
>number, and after you are sure the transaction has been completed, you
>can even delete that card number so it cannot be used again.  Bank of
>America calls it ShopSafe.
>
>Tis humorous that folks are so worried about their credit card numbers
>when making Internet purchases and yet they gladly hand over their
>credit card to some low-wage flunky at a restaurant who disappears from
>the table to charge the card.  They call Comcast for tech support who
>asks for the account number, last 4 digits of the user's social security
>number, telephone number, postal address and other customer validation
>information.  So why couldn't their phone line be tapped, or their
>outbound call be intercepted or redirected elsewhere to someone
>pretending to be Comcast?

You're right.  The waiter could copy all the info.   I mostly use a
debit card that is supposed to email me for purchases made without
presenting the actual card.  -- However, as an aside, Bank of America
has implemented this incorrectly, and when I buy something, like on
Ebay, and pay with  Paypal, they treat it as if I have presented my card
and don't email me.  I spent two hours on the phone with BOA, an hour of
this  with Paypal at the same time, and by that time we were all tired,
and the BOA person told me to call the Electronic payment (or something)
extension next  time, because they were in charge.  She still wasn't
convinced they were doing things wrong, even though they are.   The
problem is not that my Paypal purchases dont' get emailed to me, but
that fraudulent purchases won't generate an email either.  I probalby
shoudln't write about this until I get BOA to fix it, but I don't look
forward to another hour on the phone. )

I  agree with or believe everything you have here, except that Xfinity
says that any non-subscriber can still have two free hours, in one hour
increments, per month, of wifi from any of its hotspots.  (I wonder if
you can move and change hotspots as long as you are still in the middle
of your hour.) 

I haven't actually used any of this yet, because the one time I went
part way though the process, I had no need and it was early in the
month, and I thought I might need it later (but that was last month and
I didn't need it at all).  However, I got close to connecting without
any Comcast app.  I guess it was the OS Android v5 that provided some
sort of login screen.                The webpage also said if one used
up his two hours he could buy another hour for, iirc $3, a day for $8,
two weeks for ??, and 30 days for ???    I think this last rate might be
more than xfinity costs by the year, and that might include TV and home
phone too, but the advantage is that there are a half-million or a
million of hotspots, maybe in the US alone.   And there is no comcast
cable etc. where I live, so if I were on a 2 week or one month vacation,
this would not be a major expense for most people. 

I would provide a webpage about the free xfinity, but my webbrowser is
really slow now.  If you want, I'll find one. 
0
micky
12/17/2016 8:16:31 PM
With BOA (since you appear to be their customer), I would certainly use
their ShopSafe scheme to protect me.  It originally was MBNA's idea of
they got acquired by BOA.  Alas, the failing is not somehow creating a
plastic card to give to someone who wants a physical card.  Creating the
temporary and deletable ShopSafe credit card number, CVV, and expiration
date is something you do online.  As I recall, they are stuck on ancient
Adobe Flash to present the ShopSafe UI in a web browser.

ShopSafe make protecting your credit very easy.  A seller cannot charge
you more than agreed by you.  I usually add $5 just in case something
was forgot during the transaction.  I set the expiration to 2 months
(the minimum - so they have enough time to process the transaction and
report it in your monthly statement which might not be until your next
monthly statement).  The seller cannot overcharge me.  They also cannot
automatically enlist me in some covert renewal scheme: they next time
they try to use the same ShopSafe number, there will only be $5 left
that can be charged on it.  After the transaction has completed and they
received the money and I received the goods or services, I can delete
the ShopSafe number.  It cannot be reused.  That $5 overage cannot even
be charged.  Not even I can regenerate the same old ShopSafe number.  If
I deal with the same seller again, I can create a new ShopSafe number,
set its max charge amount, and its expiration.  Or, if I don't delete
the old ShopSafe number, I can reuse it by assigning more value to it
and a new expiration.  

If someone steals the Shopsafe number, most likely that will be after
the transaction with the seller with whom I originally made a purchase.
There might be only $5 left for someone else to steal if I have not yet
deleted that ShopSafe number or it already expired.  If they managed to
get it before the seller charged to that ShopSafe number, well, my
liability is limited to the max charge value I assigned to that Shopsafe
number (or the limit of liability per transaction as stated in my credit
card contract, whichever is less).

The credit cards I have now do not have a similar ShopSafe number.  I
really miss that protection.  There is nothing that will give you 100%
security when on the Internet, just stuff that will make your more safe.
Using ShopSafe lets you control your credit exposure.  Until you delete
the ShopSafe number, anyone (besides the intended seller) could steal
that number and charge up to the maximum value you assigned to that
number.  It's a service that I wish all credit issuers provided;
however, it protects you, not them, so many aren't oriented to
protection of their customers but how to minimize their own losses.
0
VanguardLH
12/17/2016 11:58:40 PM
On Sat, 17 Dec 2016 01:11:47 -0600, VanguardLH wrote:

> Comcast's "free" wi-fi hotspots are only usable to Comcast customers.
> They are not open to everyone.

I encountered such a hotspot -- with xfinitywifi SSID -- in a Schenectady
restaurant recently. In exchange for an email address, it gave me an hour's
worth of wi-fi connectivity -- at no co$t to me. No idea what may transpire
the next time I encounter one of these.

FWiW, while I am a Comcast customer, have no xfinity username or password,
or email account.

(Just another little data-point to shed a tad more light on this story.) 

Cheers, and Seasons' Greetings, -- tlvp
-- 
Avant de repondre, jeter la poubelle, SVP.
0
tlvp
12/18/2016 12:20:32 AM
In article <ebm1pgFkl9rU1@mid.individual.net>, VanguardLH <V@nguard.LH>
wrote:

> With BOA (since you appear to be their customer), I would certainly use
> their ShopSafe scheme to protect me. It originally was MBNA's idea of
> they got acquired by BOA.  Alas, the failing is not somehow creating a
> plastic card to give to someone who wants a physical card.  Creating the
> temporary and deletable ShopSafe credit card number, CVV, and expiration
> date is something you do online.  As I recall, they are stuck on ancient
> Adobe Flash to present the ShopSafe UI in a web browser.

the web version requires flash but there's a windows app, at least with
citibank, who offers the same feature.

> ShopSafe make protecting your credit very easy.  A seller cannot charge
> you more than agreed by you.  I usually add $5 just in case something
> was forgot during the transaction.  I set the expiration to 2 months
> (the minimum - so they have enough time to process the transaction and
> report it in your monthly statement which might not be until your next
> monthly statement).  The seller cannot overcharge me.  They also cannot
> automatically enlist me in some covert renewal scheme: they next time
> they try to use the same ShopSafe number, there will only be $5 left
> that can be charged on it.  After the transaction has completed and they
> received the money and I received the goods or services, I can delete
> the ShopSafe number.  It cannot be reused.  That $5 overage cannot even
> be charged.  Not even I can regenerate the same old ShopSafe number.  If
> I deal with the same seller again, I can create a new ShopSafe number,
> set its max charge amount, and its expiration.  Or, if I don't delete
> the old ShopSafe number, I can reuse it by assigning more value to it
> and a new expiration.  

while it usually blocks overcharges, it doesn't always.

> If someone steals the Shopsafe number, most likely that will be after
> the transaction with the seller with whom I originally made a purchase.
> There might be only $5 left for someone else to steal if I have not yet
> deleted that ShopSafe number or it already expired.  If they managed to
> get it before the seller charged to that ShopSafe number, well, my
> liability is limited to the max charge value I assigned to that Shopsafe
> number (or the limit of liability per transaction as stated in my credit
> card contract, whichever is less).

you're already protected for fraud. having a virtual number just means
you don't have to update recurring transactions that are tied to your
actual card number, saving you the hassle. 

> The credit cards I have now do not have a similar ShopSafe number.  I
> really miss that protection.  There is nothing that will give you 100%
> security when on the Internet, just stuff that will make your more safe.
> Using ShopSafe lets you control your credit exposure.  Until you delete
> the ShopSafe number, anyone (besides the intended seller) could steal
> that number and charge up to the maximum value you assigned to that
> number.  It's a service that I wish all credit issuers provided;
> however, it protects you, not them, so many aren't oriented to
> protection of their customers but how to minimize their own losses.

it protects them, not you. otherwise they wouldn't offer it at all. 

it's also something created by a company that's no longer around and
given that flash is mostly dead, it may ultimately be discontinued.

american express had a similar feature and no longer offers it.

an easier solution is just get a card for online (and non-recurring)
transactions and if it gets compromised, the issuer will send out a new
card with a new number.
0
nospam
12/18/2016 12:45:42 AM
tlvp wrote on 12/17/2016 7:20 PM:
> On Sat, 17 Dec 2016 01:11:47 -0600, VanguardLH wrote:
> 
>> Comcast's "free" wi-fi hotspots are only usable to Comcast customers.
>> They are not open to everyone.
> 
> I encountered such a hotspot -- with xfinitywifi SSID -- in a Schenectady
> restaurant recently. In exchange for an email address, it gave me an hour's
> worth of wi-fi connectivity -- at no co$t to me. No idea what may transpire
> the next time I encounter one of these.
> 
> FWiW, while I am a Comcast customer, have no xfinity username or password,
> or email account.

Do you have a comcast username? Same thing.
0
Alek
12/18/2016 12:48:03 AM
nospam <nospam@nospam.invalid> wrote:

> while [ShopSafe] usually blocks overcharges, it doesn't always.

Never had that happen.  If the seller charged more than what I allowed
on a ShopSafe number, the seller would get a rejected charge.  They
don't get a portion of their charge.  It's either accepted or rejected.
If they charge less than the max value that I assigned to the ShopSafe
number, their charge got accepted.  There would be a remaining balance
between what the seller charged and the max value that I had assigned.
Say it was $5.  That same seller or a scammer could charge anything up
to $5 to have their charge accepted.  If they charged over $5 then they
got rejected.  If I deleted the ShopSafe number, any charge to that
Shopsafe number got rejected.  If I ordered something from a seller but
deleted the ShopSafe number before they submitted their charge, the
seller got rejected (and subsequently would not send the goods).  If I
ordered something from a seller, waited until their charge showed up in
my BOA/MBNA account (to make sure they got their money), and then
deleted the ShopSafe number, the seller got paid and any further charges
of any amount to that now-deleted ShopSafe number got rejected.

Usually I just added $5 to what was the expected total cost of a sale to
make sure the sale went through okay.  My exposure was only the $5
buffer if that ShopSafe number had been stolen or leaked.  I rarely
deleted a ShopSafe number because they would self-destruct after the
expiration date (which was usually 2 months).

I never saw anyone that could charge a still-active ShopSafe number more
(an overcharge) than the remaining value assigned to that number.  In
fact, I had sellers that had to tell me the transaction was incomplete
because they could not charge the ShopSafe number (which they see as
only a credit card number).  Despite what they claimed was the total
cost, they decided to add something more that they hid from me.  If they
give me an invalid total cost value (price, tax, handling, etc) then
they got nothing.  The higher charge is not to what I agreed.  If it was
my fault - the case when I first started using ShopSafe and neglected
the shipping cost, for example - I could change the max value for the
same ShopSafe number and tell the seller to redo the transaction.

I never got an overcharge using a ShopSafe number.  Maybe you used
Citibank's similar service and they don't enforce a user-specified
maximum dollar value that can be charged to their temporary card
numbers.  Bodes ill for Citibank's "shopsafe" feature is what you say is
true.

> you're already protected for fraud. 

In most credit contracts, you are liable for the first $50 of a charge.
That's for each charge.  If it happened 10 times, you would have to pay
the $500 exclusion.

> having a virtual number just means
> you don't have to update recurring transactions that are tied to your
> actual card number, saving you the hassle. 

Not only do you save on the hassle - which can drag out to months - but
you also don't have to argue over validity of the charge or even have to
identify who was the seller that charged you.  I would much rather be
proactive (or preventative) to avoid the problem rather than practice
catastrophic recovery after the fact.  Reactive mode is a lot more
hassle, time, and could cost you money (like the first $50 of each
charge that they won't cover which is not relevant if you are in control
of the max value and expiration for a ShopSafe number).

> an easier solution is just get a card for online (and non-recurring)
> transactions and if it gets compromised, the issuer will send out a new
> card with a new number.

And those cards are ...?  Are you talking about pre-paid debit cards?
Some places won't take them.  You have to go through the hassle of
buying them and that costs a fee: you have to buy the card so you can
then put money on it.  It does give you a physical card for those places
that expect one (i.e., physical transactions versus online ones).
0
VanguardLH
12/18/2016 2:02:11 AM
Vanguard, that's a very good suggestion about ShopSafe.  I used to use
something like that long ago.  Not for a specific purpose but I put $200
in it and set it for 6 months, when I almost never charged anything, and
then I guess I forgot about it.  

The first hit on ShopSafe was indeed BOA and I don't know why they
haven't been pushing it at all in their mail or email to me, or when I
go on their webpage.  That is, there is no mention at all.  It was a
good idea years ago and it's even better now that I charge more things.
Thank you. 

But I still have to clear up the problem with them not notifying me of a
Paypal charge.  I suspect if they don't notify me, they don't notify
anyone.  A pretty big flaw for a big company.  That's why the woman I
talked to couldn't believe there was a flaw.   (Other than Paypal,
afaik, they do notify me of all the other charges that don't use the
card itself.  (Recurring charges like my HOA fee they notify me in
advance, I guess so I can make sure I have enough money.)  And they
don't email me for charges that actually do require use of the card,
which is fine.   At least it all would be if they did things the way
they say they will.)


As to hotspots, I found this:
http://wifi.xfinity.com/   Pretty far down the page, just shy of the
bottom: 


Not an XFINITY Internet Customer?
Sign up today and get access to XFINITY WiFi instantly.
Here are three easy ways to start enjoying XFINITY WiFi:

1. Sign up for XFINITY Internet.
Get immediate access to XFINITY WiFi, included with your service at no
additional cost.  (This is not what I meant!)

2   Try XFINITY WiFi � for free.
Get two, 60-minute complimentary sessions per month. Select
�xfinitywifi� in your list of available networks and we�ll tell you what
to do from there. (This is exactly what I meant.) 

3.  Get an XFINITY WiFi Access Pass.
When you are at a hotspot you can connect for an hour, day, week or
month, choose the Access Pass that works best for you.
    $2.95 two hour pass
    $7.95 daily pass
    $19.95 weekly pass
    $54.95 monthly pass

(And this too is what I meant, for when one has used up his 2 free
hours.  They are clock hours, regardless of usage, once one starts, the
hour expires in 60 minutes.) 


Already have a pass?
Manage your account


 

In comp.mobile.android, on Sat, 17 Dec 2016 00:28:57 -0500, micky
<NONONOmisc07@bigfoot.com> wrote:

>
>The only financial transaction I ever make from the cell phone is buying
>an app, using my google account.  But I signed up for the account from a
>desktop computer, and my question is, Does the credit card number ever
>get transitted to or from the phone when buying an app?  I think not, so
>I'm safe, right? 
>
>�Free� Wi-Fi from Xfinity and AT&T also frees you to be hacked
>http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/
>
>and even if there were sensitive info in the phone traffic, the
>convoluted method of stealing it in the url above seems unlikelly to
>happen to me.  Right? 
>
>BTW, I'm  happy to learn that att has a wifi hotspot network like
>Xfinity's, but much smaller, I'm sure. 
>https://www.att.com/maps/wifi.html#fbid=Qncz14ky5pH   There are quite a
>few, but on the commercial street and near me, there are abou five,
>Burger King, Ruby Tuesday, walmart, the bank I use.   instead of 80 or
>so, and in residential n'hoods, afaik/ct there are none.   Still better
>than nothing and there is still the 2 hours per month of free xfinity. 
>
>
>I think I did use a public wifi spot at the Delaware Turnpike travel
>plaza, but only to dl more map data.  That's safe, yes? 

0
micky
12/18/2016 2:46:24 AM
In article <ebm913Fm6r7U1@mid.individual.net>, VanguardLH <V@nguard.LH>
wrote:

> 
> > while [ShopSafe] usually blocks overcharges, it doesn't always.
> 
> Never had that happen.  If the seller charged more than what I allowed
> on a ShopSafe number, the seller would get a rejected charge.  They
> don't get a portion of their charge.  It's either accepted or rejected.

that's what is *supposed* to happen and usually does, but if you read
the credit card forums, it doesn't always work out that way.

....

> 
> I never got an overcharge using a ShopSafe number.  Maybe you used
> Citibank's similar service and they don't enforce a user-specified
> maximum dollar value that can be charged to their temporary card
> numbers.  Bodes ill for Citibank's "shopsafe" feature is what you say is
> true.

it's the exact same thing, just branded differently by citibank, with
maximum dollar and/or expiration dates and the same ugly flash
interface.

<https://en.wikipedia.org/wiki/Controlled_payment_number>

> > you're already protected for fraud. 
> 
> In most credit contracts, you are liable for the first $50 of a charge.
> That's for each charge.  If it happened 10 times, you would have to pay
> the $500 exclusion.

no. it's the first $50 if your card is lost/stolen, which is usually
waived. if you still have the physical card but the number was
compromised (i.e., online transactions), it's $0.

> > having a virtual number just means
> > you don't have to update recurring transactions that are tied to your
> > actual card number, saving you the hassle. 
> 
> Not only do you save on the hassle - which can drag out to months - but
> you also don't have to argue over validity of the charge or even have to
> identify who was the seller that charged you.  I would much rather be
> proactive (or preventative) to avoid the problem rather than practice
> catastrophic recovery after the fact.  Reactive mode is a lot more
> hassle, time, and could cost you money (like the first $50 of each
> charge that they won't cover which is not relevant if you are in control
> of the max value and expiration for a ShopSafe number).

how is it months? once you get a new card (usually next day, but worst
case a couple of days), you contact the various services with recurring
charges and update your information, which usually can be done online
or over the phone. that shouldn't take more than an hour or two, if
that much. in some cases, the bank can update it for you when they
create the new number.

in rare cases, a merchant might require a paper form. i had to do that
once a few years back.

> > an easier solution is just get a card for online (and non-recurring)
> > transactions and if it gets compromised, the issuer will send out a new
> > card with a new number.
> 
> And those cards are ...? 

all of them.

every card issuer will cancel your existing account number when you
report fraud and create a new number. most will overnight a replacement
card.

they have to do that, because otherwise, someone out there will
continue to make fraudulent charges.

> Are you talking about pre-paid debit cards?

no.

> Some places won't take them.  

anywhere that takes regular credit/debit cards *must* take a prepaid
card if it has a mastercard/visa/amex logo on it, which is just about
all of them.

> You have to go through the hassle of
> buying them and that costs a fee: you have to buy the card so you can
> then put money on it.  It does give you a physical card for those places
> that expect one (i.e., physical transactions versus online ones).

prepaid cards are just that, prepaid. you pay the entire value of the
card at the time of purchase (plus a fee if it's mc/v/ax, but not if
it's a store card). once they're used up, they're worthless.

refillable cards are different, which tend to be for deadbeats who
can't get a normal credit card or for parents who want their (younger)
kids to be able to buy stuff with a card but want to limit how much
they can spend.
0
nospam
12/18/2016 3:17:13 AM
On 12/17/2016 7:46 PM, micky wrote:
> Vanguard, that's a very good suggestion about ShopSafe.  I used to
> use something like that long ago.  Not for a specific purpose but I
> put $200 in it and set it for 6 months, when I almost never charged
> anything, and then I guess I forgot about it.

While on the subject of CC protections I use two others that I think are
of value:

2 step verification. Even if someone has my password they can't log on
to any of my CC accounts unless they have my phone in their physical
possession.

Text notification. I get a text for every CC transaction over $50
listing the merchant and amount. I would know quickly of any
unauthorized transaction.

An added benefit of the texts: When killing time when the wife shops I
know when my phone buzzes that she has just checked out and it's time to
meet her... ;)



0
AL
12/18/2016 4:17:40 AM
In article <o352id$v18$1@dont-email.me>, AL <l452236747@invalid.com>
wrote:

> > Vanguard, that's a very good suggestion about ShopSafe.  I used to
> > use something like that long ago.  Not for a specific purpose but I
> > put $200 in it and set it for 6 months, when I almost never charged
> > anything, and then I guess I forgot about it.
> 
> While on the subject of CC protections I use two others that I think are
> of value:
> 
> 2 step verification. Even if someone has my password they can't log on
> to any of my CC accounts unless they have my phone in their physical
> possession.

or they intercept it, which isn't particularly difficult.

it also won't work at all if you are outside cellular service, where
you can't get a text, at which point you can't log in *at* *all*.

<https://threatpost.com/nist-recommends-sms-two-factor-authentication-de
precation/119507/>
  Acknowledging there�s a�risk that�SMS messages can be intercepted or
  redirected, NIST is encouraging any service considering adopting
  two-factor authentication in the future to��consider alternative
  authenticators.� 

<https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentic
ation/>
  The last few months have demonstrated that SMS text messages are
  often the weakest link in two-step logins: Attacks on political
  activists in Iran, Russia, and even here in the US have shown that
  determined hackers can sometimes hijack the SMS messages meant to
  keep you safe.

> Text notification. I get a text for every CC transaction over $50
> listing the merchant and amount. I would know quickly of any
> unauthorized transaction.

easier and *much* safer use the bank's app for that.
0
nospam
12/18/2016 4:47:19 AM
nospam <nospam@nospam.invalid> wrote:

> VanguardLH <V@nguard.LH>> wrote:
> 
>> Not only do you save on the hassle - which can drag out to months - ...
> 
> how is it months? 

Not many users check their credit account balance each day.  A charge
today might go into this month's statement.  It could end up in next
month's statement.  Then you notice and open a ticket with your credit
card issuer.  They get a period of time to contact the other party.  The
other party gets time to respond.  From what I've seen, it can take 2 to
3 tete a tete before the credit card issuer decides in your favor.  Then
the change doesn't show up until the next statement or perhaps even not
until the next one.

You are reacting to a disputed charge when you notice it and then have
to go through the arbitration phase and then have to wait for a decision
and a chargeback to your account.

>>> an easier solution is just get a card for online (and non-recurring)
>>> transactions and if it gets compromised, the issuer will send out a new
>>> card with a new number.
>> 
>> And those cards are ...? 
> 
> all of them.
> 
> every card issuer will cancel your existing account number when you
> report fraud and create a new number. most will overnight a replacement
> card.

Oh, you mean after I notice the disputed charge.  And after someone has
made a bogus charge.  And after it could affect by credit rating.  And
after arguing with the credit card issuer about the charge and hoping
they decide in my favor.

> anywhere that takes regular credit/debit cards *must* take a prepaid
> card if it has a mastercard/visa/amex logo on it, which is just about
> all of them.

Nope.  Debit cards say "Debit" on them.  No merchant must accept any
credit card.  Merchants can elect not to accept debit cards.  No
merchant is ever forced to accept what you present for payment.  They
don't even have to take cash.

> prepaid cards are just that, prepaid. you pay the entire value of the
> card at the time of purchase (plus a fee if it's mc/v/ax, but not if
> it's a store card). once they're used up, they're worthless.

So you go through the hassle of having to buy a prepaid card (to pay for
that service) and then add money to it.  Yeah, that works and limits
your exposure to the maximum current value you prepaid onto the prepaid
card.  Sounds just like what ShopSafe does except I don't have to buy a
prepaid card, go to a store to get one, or wait for it to arrive in the
mail.  I've had those before.  Too much a nuisance.
0
VanguardLH
12/18/2016 5:04:10 AM
micky <NONONOmisc07@bigfoot.com> wrote:

> But I still have to clear up the problem with them not notifying me of a
> Paypal charge.  

You don't get an e-mail from Paypal when there is a charge to your
PayPal account?  I do.  Maybe you need to go into your PayPal account to
configure it for e-mail notification.  Not only do I get a PayPal e-mail
when they get a charge but I also get one from my bank against which
PayPal issues the charge.  E-mail notices are a feature of PayPal and of
my bank (which is not BOA).  Each time I use my PayPal account, I get 2
e-mails: one from PayPal, one from my bank.  

At PayPal: Settings (gear icon) -> Notifications -> Payments.  If that
doesn't work, contact PayPal.  I get e-mails on payments from (charges
to) my PayPal account.  I usually get an e-mail from Paypal within a day
of when I order online (but then the merchant might not be submitting
until the next business day).  While they submit an EFT immediately to
my bank, it can take 3 days before my bank honors it (well, until they
record it so I can see it online in my bank account).

> Other than Paypal,
> afaik, they do notify me of all the other charges that don't use the
> card itself.  

Which card are you talking about now?  For Paypal to be involved means
you had a charge against a PayPal account.  Paypal does have a credt
card they will dole out to their customers.  I have one.  Says
MasterCard on the front.  Whenever I make a charge using that physical
plastic card, I do get an e-mail from PayPal about the charge.

I can't say what BOA does because I haven't had an account with them for
a long time.  I was using MBNA's ShopSafe, left MBNA (interest rates way
too high and not customer friendly), and later MBNA got acquried by BOA.

> As to hotspots, I found this:
> http://wifi.xfinity.com/   Pretty far down the page, just shy of the
> bottom: 
> 
> Not an XFINITY Internet Customer?
> ...
> 2   Try XFINITY WiFi � for free.
> Get two, 60-minute complimentary sessions per month. Select
> �xfinitywifi� in your list of available networks and we�ll tell you what
> to do from there. (This is exactly what I meant.) 

I don't how they can track who uses how many minutes.  Anyone can change
their MAC.  When they are roaming, their IP address will change.  Maybe
they require you install their app and that does the tracking.

I wonder what the "we'll tell you what to do from there" means.  Sounds
like on first connect that they intercept whatever HTTP traffic you
generated to redirect to their site to have to do something, like sign
up or install an app.

https://www.youtube.com/watch?v=17ksL7KSYa8
(no audio)

At timemark 0:08, there is the web page to which you get redirected to
get the complimentary hour pass (so they must allow 2 passes per month).
This guy is showing that he has used up his passes.  So what does he do?
Change his MAC address.  If that is all Comcast uses to track two 1-hour
complimentary usages, anyone can circumvent that limit.

If the MAC is the only means of regulating complimentary passes to
xfinitywifi, this is disappointing as to how stupid is Comcast.
0
VanguardLH
12/18/2016 5:30:18 AM
In comp.mobile.android, on Sat, 17 Dec 2016 21:17:40 -0700, AL
<l452236747@invalid.com> wrote:

>On 12/17/2016 7:46 PM, micky wrote:
>> Vanguard, that's a very good suggestion about ShopSafe.  I used to
>> use something like that long ago.  Not for a specific purpose but I
>> put $200 in it and set it for 6 months, when I almost never charged
>> anything, and then I guess I forgot about it.
>
>While on the subject of CC protections I use two others that I think are
>of value:
>
>2 step verification. Even if someone has my password they can't log on
>to any of my CC accounts unless they have my phone in their physical
>possession.
>
>Text notification. I get a text for every CC transaction over $50
>listing the merchant and amount. I would know quickly of any
>unauthorized transaction.

I get that too, or at least I'm supposed to, but the Bank of America has
a problem that they think when Paypal charges my account that Paypal has
provided the PIN, but Paypal has not since I've never told PP the PIN
and they have never asked.  I spent two hours on the phone with BOA,
including one hour that all three of us were on the phone, Paypal too,
but she ended up telling me to call a different department.  I'm saving
up strength for another hour.  They don't believe they could be making
such a big mistake, but they are, and if they don't notify me, they
probably don't notify anyone. 
>
>An added benefit of the texts: When killing time when the wife shops I
>know when my phone buzzes that she has just checked out and it's time to
>meet her... ;)

I thought you were going to say you knew when she spent money. 
>

0
micky
12/18/2016 6:24:05 AM
Ignore most of the previous post,  I forgot that I'd said it already.  
  ;-(  


In comp.mobile.android, on Sat, 17 Dec 2016 21:17:40 -0700, AL
<l452236747@invalid.com> wrote:

>On 12/17/2016 7:46 PM, micky wrote:
>> Vanguard, that's a very good suggestion about ShopSafe.  I used to
>> use something like that long ago.  Not for a specific purpose but I
>> put $200 in it and set it for 6 months, when I almost never charged
>> anything, and then I guess I forgot about it.
>
>While on the subject of CC protections I use two others that I think are
>of value:
>
>2 step verification. Even if someone has my password they can't log on
>to any of my CC accounts unless they have my phone in their physical
>possession.
>
>Text notification. I get a text for every CC transaction over $50
>listing the merchant and amount. I would know quickly of any
>unauthorized transaction.
>
>An added benefit of the texts: When killing time when the wife shops I
>know when my phone buzzes that she has just checked out and it's time to
>meet her... ;)
>
>

0
micky
12/18/2016 6:25:33 AM
On 12/17/2016 11:24 PM, micky wrote:
> In comp.mobile.android, on Sat, 17 Dec 2016 21:17:40 -0700, AL

>> An added benefit of the texts: When killing time when the wife shops I
>> know when my phone buzzes that she has just checked out and it's time to
>> meet her... ;)
>
> I thought you were going to say you knew when she spent money.

These days the wife doesn't have a chance. I not only know when and how 
much she spends, but also where she is at all times (using Find My 
iPhone). Ain't technology wonderful... ;)

0
AL
12/18/2016 6:42:56 AM
In comp.mobile.android, on Sat, 17 Dec 2016 23:30:18 -0600, VanguardLH
<V@nguard.LH> wrote:

>micky <NONONOmisc07@bigfoot.com> wrote:
>
>> But I still have to clear up the problem with them not notifying me of a
>> Paypal charge.  
>
>You don't get an e-mail from Paypal when there is a charge to your
>PayPal account?  I do.  Maybe you need to go into your PayPal account to
>configure it for e-mail notification.

I do get the email from Paypal but I don't get the email from BOA.  This
means whatever Paypal sends to BOA, a fraudster could also send them.
He'd need my card number, expiration date, and probably that 3-character
number, but he wouldn't need either the card itself or the PIN.  BOA
thinks, for no good reason, that PP has my PIN. 

Shouldn't a vendor that has received my PIN, like a gas station or
supermarket checkout, transmit the PIN to BOA also, along with the CC
number?   Otherwise, someone could use any number as a PIN and the
vendor couldn't tell. So since I know PP doesn't know my PIN, why does
BOA think they have it?  They don't react this way to other online
sales, at sites that have my card number but no PIN, only Paypal.   For
other online sites, I get a BOA email when I spend money. 

Account Alert: Debit Card Used Online, by Phone or by Mail
  doesn't characterize the transaction, but for the same purchase
Account Alert: Debit/ATM Card Transaction Over Your Chosen Alert Limit
  does show a a transaction type of  "PURCH W/O PIN "

OTOH, when I  got cash back and went over $100 at the supermarket "Over
Your Chosen Alert Limit", and put in my PIN, it says "PURCH WITH PIN "

So I need to buy something using Paypal and spend over 100 and see what
it says.  I think I did spend over 100 once.   Can't find it, only
health and car insurance, but they are of a different type. 

But I did remind myself of last July when some church in Massechusetts
deducted 500 from my account at 2;30 in the morning.  That was listed as
W/O Pin, and it was over my notification minimum**, so I got an email,
two actually, and IIRC the money was returned by noon, before I even
looked at my email. (though there is no email for money returned, only
money spent.)   I called the church and talked to someone but I can't
remember the story anymore. 

**I lowered my minimum to their minimum until I get this settled. 


>  Not only do I get a PayPal e-mail
>when they get a charge but I also get one from my bank against which
>PayPal issues the charge.  E-mail notices are a feature of PayPal and of
>my bank (which is not BOA).

I'd be surprised if it were BOA.  ;-( 

>  Each time I use my PayPal account, I get 2
>e-mails: one from PayPal, one from my bank.  

Right.  That's what I want. 
>
>At PayPal: Settings (gear icon) -> Notifications -> Payments.  If that
>doesn't work, contact PayPal.  I get e-mails on payments from (charges
>to) my PayPal account.  I usually get an e-mail from Paypal within a day
>of when I order online (but then the merchant might not be submitting
>until the next business day).  While they submit an EFT immediately to
>my bank, it can take 3 days before my bank honors it (well, until they
>record it so I can see it online in my bank account).
>
>> Other than Paypal,
>> afaik, they do notify me of all the other charges that don't use the
>> card itself.  
>
>Which card are you talking about now?  For Paypal to be involved means

My BOA debit card, but I think it would be the same with a credit card. 

>you had a charge against a PayPal account.  Paypal does have a credt
>card they will dole out to their customers.  I have one.  Says

I thought about getting one. They certainly push it all the time.
Mostly I want one that will cover my collision damage waiver on a car
rental when I'm out of the country.  Does it do that?   

Or one that won't charge a commission when changing currency, getting
local money out of a USA dollar account.  I think Capital One is like
that, but I don't have that either. 

>MasterCard on the front.  Whenever I make a charge using that physical
>plastic card, I do get an e-mail from PayPal about the charge.
>
>I can't say what BOA does because I haven't had an account with them for
>a long time.  I was using MBNA's ShopSafe, left MBNA (interest rates way
>too high and not customer friendly), and later MBNA got acquried by BOA.

Aha. 

>> As to hotspots, I found this:
>> http://wifi.xfinity.com/   Pretty far down the page, just shy of the
>> bottom: 
>> 
>> Not an XFINITY Internet Customer?
>> ...
>> 2   Try XFINITY WiFi � for free.
>> Get two, 60-minute complimentary sessions per month. Select
>> �xfinitywifi� in your list of available networks and we�ll tell you what
>> to do from there. (This is exactly what I meant.) 
>
>I don't how they can track who uses how many minutes.  Anyone can change
>their MAC.  When they are roaming, their IP address will change.  Maybe
>they require you install their app and that does the tracking.

You're right, they go by MAC, and there are webpages saying how to
change your MAC so that you can have endless free Xfinity, even though
that would be stealing.   I was still curious enough to look into it.
It's easy enough to do and undo for a laptop, but iirc a phone has to be
rooted.   And I'd have to change either of them back because my home
wifi filters on MAC.  Maybe there are other reasons I don't know about
too. 
>
>I wonder what the "we'll tell you what to do from there" means.  Sounds
>like on first connect that they intercept whatever HTTP traffic you
>generated to redirect to their site to have to do something, like sign
>up or install an app.

I will try it and let you know, within the next week I hope.
>
>https://www.youtube.com/watch?v=17ksL7KSYa8
>(no audio)
>
>At timemark 0:08, there is the web page to which you get redirected to
>get the complimentary hour pass (so they must allow 2 passes per month).
>This guy is showing that he has used up his passes.  So what does he do?
>Change his MAC address.  If that is all Comcast uses to track two 1-hour
>complimentary usages, anyone can circumvent that limit.

But most people won't.  Either they're honest or they don't know how, or
it's too much trouble, or they rarely want more than 2 hours anyhow.  

>If the MAC is the only means of regulating complimentary passes to
>xfinitywifi,

That's what those webpages say. 

> this is disappointing as to how stupid is Comcast.

 Ugh.
0
micky
12/18/2016 7:11:03 AM
https://www.bankofamerica.com/onlinebanking/education/online-banking-alerts.go
https://www.bankofamerica.com/online-banking/mobile-banking-alerts.go

Those indicate that BOA will issue alerts; however, since I do not have
a BOA account, I cannot say what types of alerts you can elect.
0
VanguardLH
12/18/2016 8:01:20 AM
In article <ebmjmaFocviU1@mid.individual.net>, VanguardLH <V@nguard.LH>
wrote:

> >>> an easier solution is just get a card for online (and non-recurring)
> >>> transactions and if it gets compromised, the issuer will send out a new
> >>> card with a new number.
> >> 
> >> And those cards are ...? 
> > 
> > all of them.
> > 
> > every card issuer will cancel your existing account number when you
> > report fraud and create a new number. most will overnight a replacement
> > card.
> 
> Oh, you mean after I notice the disputed charge.  And after someone has
> made a bogus charge.  And after it could affect by credit rating.  And
> after arguing with the credit card issuer about the charge and hoping
> they decide in my favor.

set up alerts and you'll find out within seconds when a bogus charge
was made.

> > anywhere that takes regular credit/debit cards *must* take a prepaid
> > card if it has a mastercard/visa/amex logo on it, which is just about
> > all of them.
> 
> Nope.  Debit cards say "Debit" on them.  No merchant must accept any
> credit card.  Merchants can elect not to accept debit cards.  No
> merchant is ever forced to accept what you present for payment.  They
> don't even have to take cash.

if they don't accept debit cards then a regular card isn't going to
help you either.

the point is that anywhere that accepts mastercard/visa/amex *must*
accept the prepaid version.

a merchant cannot say 'oh that's a prepaid gift card, sorry'. if they
do, contact mc/v/ax and report them.

> > prepaid cards are just that, prepaid. you pay the entire value of the
> > card at the time of purchase (plus a fee if it's mc/v/ax, but not if
> > it's a store card). once they're used up, they're worthless.
> 
> So you go through the hassle of having to buy a prepaid card (to pay for
> that service) and then add money to it.  Yeah, that works and limits
> your exposure to the maximum current value you prepaid onto the prepaid
> card.  Sounds just like what ShopSafe does except I don't have to buy a
> prepaid card, go to a store to get one, or wait for it to arrive in the
> mail.  I've had those before.  Too much a nuisance.

i didn't suggest that at all.

what i said is to have a *separate* credit card for sketchy purchases,
and if that card is compromised, your other cards will not be affected.
the bank replaces it and you use the new number for more sketchy
purchases.
0
nospam
12/18/2016 4:30:41 PM
In comp.mobile.android, on Sun, 18 Dec 2016 11:30:41 -0500, nospam
<nospam@nospam.invalid> wrote:

>In article <ebmjmaFocviU1@mid.individual.net>, VanguardLH <V@nguard.LH>
>wrote:
>
>> >>> an easier solution is just get a card for online (and non-recurring)
>> >>> transactions and if it gets compromised, the issuer will send out a new
>> >>> card with a new number.
>> >> 
>> >> And those cards are ...? 
>> > 
>> > all of them.
>> > 
>> > every card issuer will cancel your existing account number when you
>> > report fraud and create a new number. most will overnight a replacement
>> > card.
>> 
>> Oh, you mean after I notice the disputed charge.  And after someone has
>> made a bogus charge.  And after it could affect by credit rating.  And
>> after arguing with the credit card issuer about the charge and hoping
>> they decide in my favor.
>
>set up alerts and you'll find out within seconds when a bogus charge
>was made.
>
>> > anywhere that takes regular credit/debit cards *must* take a prepaid
>> > card if it has a mastercard/visa/amex logo on it, which is just about
>> > all of them.
>> 
>> Nope.  Debit cards say "Debit" on them.  No merchant must accept any
>> credit card.  Merchants can elect not to accept debit cards.  No
>> merchant is ever forced to accept what you present for payment.  They
>> don't even have to take cash.
>
>if they don't accept debit cards then a regular card isn't going to
>help you either.
>
>the point is that anywhere that accepts mastercard/visa/amex *must*
>accept the prepaid version.
>
>a merchant cannot say 'oh that's a prepaid gift card, sorry'. if they
>do, contact mc/v/ax and report them.

This probably doesn't apply to prepaid visa/etc. debit cards, only
becasue they start off with a fairly small amount iirc, and I can't
foresee all the results, but I heard about this, and even if it's a bit
OT, this seems a place to mention it:  

Thieves go to a display rack of gift cards, they take a card, or more
than one, smuggle it out to the car maybe, or the bathroom, scratch off
the covering over the PIN, copy the PIN, cover the PIN with something
that looks something like the original covering, and put the card back
on the rack.   Then they check again (My guess is they put a little
pencil mark on the paper holder to make checking go quickly) and when
the card is gone again, it means someone has paid for it and activated
it, and that's when they spend the money on the card, since they already
know the PIN.   Since they're often bought as a gift, they aren't
delivered or used for a few  days, and when the donee gets around to
using it, he finds that it's all spent. 

I've only bought such cards three times, inc. a week ago I bought one
for BabiesRUs as a baby present, and I remembered to check if the
covering on the PIN looked right.   I didn't think to check if the
cashier activated it -- didn't even known about that part -- but I found
a receipt and notation in my grocery bag. 

>> > prepaid cards are just that, prepaid. you pay the entire value of the
>> > card at the time of purchase (plus a fee if it's mc/v/ax, but not if
>> > it's a store card). once they're used up, they're worthless.
>> 
>> So you go through the hassle of having to buy a prepaid card (to pay for
>> that service) and then add money to it.  Yeah, that works and limits
>> your exposure to the maximum current value you prepaid onto the prepaid
>> card.  Sounds just like what ShopSafe does except I don't have to buy a
>> prepaid card, go to a store to get one, or wait for it to arrive in the
>> mail.  I've had those before.  Too much a nuisance.
>
>i didn't suggest that at all.
>
>what i said is to have a *separate* credit card for sketchy purchases,
>and if that card is compromised, your other cards will not be affected.
>the bank replaces it and you use the new number for more sketchy
>purchases.

I have some stocks held by a major though maybe regional  brokerage, and
I got a debit card from them, and then they told me that the maximum
that could be withdrawn was the entire value of the stocks!  After that,
I was afraid and unwilling to carry the card or use it at all.
Eventually it expired.  A few years later I thought, "This is absurd.
Surely there's a way to avoid this" and by this time, they didn't offer
such cards anymore (I think they'd been bought by another bigger
national brokerage).  Just a quick approval by Amex.  Amex btw now
offers pre-paid cards.  I guess it's not just for rich people anymore. 
0
micky
12/18/2016 8:44:16 PM
In comp.mobile.android, on Sun, 18 Dec 2016 02:01:20 -0600, VanguardLH
<V@nguard.LH> wrote:

>https://www.bankofamerica.com/onlinebanking/education/online-banking-alerts.go  general
>https://www.bankofamerica.com/online-banking/mobile-banking-alerts.go   cell phone
>
>Those indicate that BOA will issue alerts; however, since I do not have
>a BOA account, I cannot say what types of alerts you can elect.

Thanks.  Not surprisingly, they specify no exception for Paypal. 

But it's good to have these pages -- thanks -- for when I'm trying to
explain to them what they are doing wrong and why it's in their own
interest to live up to their offers. 

I don't know if they are "promises" but I think a plaintiff will be
found entitled to rely on their offers and the bank is setting itself up
for a fall by having this big glaring flaw/exception to a program that
otherwise works fine IME. 

It was also good to discuss this with you because it did a lot to put my
thoughts in order, before I call them again. 

Maybe this is one of the times I should  write the president of the
company. 


(I do get notices when the amount is over the minimum, which is $100 --
I wish now that it were less.) 



Also, for my own  notes.  First node is 'secure' so it doesn't work
without logging in. 
https://secure.bankofamerica.com/mycommunications/alerts/aboutAlerts.go
0
micky
12/18/2016 10:02:19 PM
On 12/18/2016 1:44 PM, micky wrote:

> Amex btw now offers pre-paid cards. I guess it's not just for rich
> people anymore.

Definitely not. Unless you mean it makes the card holder richer. I've
had an Amex cash back CC for several years now. It has no annual fee and
gives me (on average) $500 cash back every year. Course it has to be
paid off every month or the cash back is quickly consumed by the
excessive interest rate.
0
AL
12/19/2016 2:24:06 AM
On Sat, 17 Dec 2016 19:48:03 -0500, Alek wrote:

>> FWiW, while I am a Comcast customer, have no xfinity username or password,
>> or email account.
> 
> Do you have a comcast username?

No. Comcast is my TV provider, not my ISP. Cheers, -- tlvp
-- 
Avant de repondre, jeter la poubelle, SVP.
0
tlvp
12/19/2016 10:23:56 AM
On Sat, 17 Dec 2016 21:46:24 -0500, micky quoted the offer:

> 2   Try XFINITY WiFi — for free.
> Get two, 60-minute complimentary sessions per month. Select
> “xfinitywifi” in your list of available networks and we’ll tell you what
> to do from there. (This is exactly what I meant.)

Exactly what I encountered in that Schenectady restaurant. Thanks for
providing that prototype of my evidence :-) . Cheers, -- tlvp
-- 
Avant de repondre, jeter la poubelle, SVP.
0
tlvp
12/19/2016 10:27:33 AM
On Sun, 18 Dec 2016 02:11:03 -0500, micky wrote:

> Mostly I want one that will cover my collision damage waiver on a car
> rental when I'm out of the country

If you find one, do post back to tell us which bank and what they market
that card as: lots of us could use just such a card type as well here.
Cheers, -- tlvp
-- 
Avant de repondre, jeter la poubelle, SVP.
0
tlvp
12/19/2016 10:35:27 AM
In article <fnipyku424hz.9ugsl5ql39cx$.dlg@40tude.net>, tlvp
<mPiOsUcB.EtLlLvEp@att.net> wrote:

> 
> > Mostly I want one that will cover my collision damage waiver on a car
> > rental when I'm out of the country
> 
> If you find one, do post back to tell us which bank and what they market
> that card as: lots of us could use just such a card type as well here.

just about all cards offer secondary auto rental insurance and a few
offer primary, both of which covers collision.
0
nospam
12/19/2016 12:49:30 PM
In article <qesd5c54qj813f69rmjpobd8aamrp2sv66@4ax.com>, micky
<NONONOmisc07@bigfoot.com> wrote:

> >
> >a merchant cannot say 'oh that's a prepaid gift card, sorry'. if they
> >do, contact mc/v/ax and report them.
> 
> This probably doesn't apply to prepaid visa/etc. debit cards, only
> becasue they start off with a fairly small amount iirc, and I can't
> foresee all the results, but I heard about this, and even if it's a bit
> OT, this seems a place to mention it:  

it applies to prepaid cards that bear the mastercard/visa/amex logo.

the value of the card does not matter. it only needs to be larger than
the purchase (although with a split transaction, it can be less).

> Thieves go to a display rack of gift cards, they take a card, or more
> than one, smuggle it out to the car maybe, or the bathroom, scratch off
> the covering over the PIN, copy the PIN, cover the PIN with something
> that looks something like the original covering, and put the card back
> on the rack.   Then they check again (My guess is they put a little
> pencil mark on the paper holder to make checking go quickly) and when
> the card is gone again, it means someone has paid for it and activated
> it, and that's when they spend the money on the card, since they already
> know the PIN.   Since they're often bought as a gift, they aren't
> delivered or used for a few  days, and when the donee gets around to
> using it, he finds that it's all spent. 

you'd need to tear open the package to be able to scratch off the code
and then hope someone eventually buys the already opened package and
nobody notices anything unusual.

so no, that won't work.

> I've only bought such cards three times, inc. a week ago I bought one
> for BabiesRUs as a baby present, and I remembered to check if the
> covering on the PIN looked right.   I didn't think to check if the
> cashier activated it -- didn't even known about that part -- but I found
> a receipt and notation in my grocery bag. 

it's activated when it's scanned.


> 
> I have some stocks held by a major though maybe regional  brokerage, and
> I got a debit card from them, and then they told me that the maximum
> that could be withdrawn was the entire value of the stocks!  After that,
> I was afraid and unwilling to carry the card or use it at all.
> Eventually it expired.  A few years later I thought, "This is absurd.

in the event someone fraudulently drains your account, you're covered.

> Surely there's a way to avoid this" and by this time, they didn't offer
> such cards anymore (I think they'd been bought by another bigger
> national brokerage).  Just a quick approval by Amex.  Amex btw now
> offers pre-paid cards.  I guess it's not just for rich people anymore. 

amex has been mainstream for years, although they still target rich
people with cards such as the amex centurion, which is made out of
metal, invitation only and has an annual fee of $2500 *plus* a $7500
first year initiation fee. you get a lot of benefits with it, although
not substantially much more than amex platinum. it's really just for
show.
0
nospam
12/19/2016 3:40:22 PM
In comp.mobile.android, on Mon, 19 Dec 2016 07:49:30 -0500, nospam
<nospam@nospam.invalid> wrote:

>In article <fnipyku424hz.9ugsl5ql39cx$.dlg@40tude.net>, tlvp
><mPiOsUcB.EtLlLvEp@att.net> wrote:
>
>> 
>> > Mostly I want one that will cover my collision damage waiver on a car
>> > rental when I'm out of the country
>> 
>> If you find one, do post back to tell us which bank and what they market
>> that card as: lots of us could use just such a card type as well here.

Where is "here"? 
>
>just about all cards offer secondary auto rental insurance and a few
>offer primary, both of which covers collision.

By secondary, do you mean after my own car insurance pays?    The thing
is that I don't  have collision insurance on my own car, so I have none
of that. 

And if the credit card offers secondary  but desn't offer primary, I
wonder what that means for someone like me.  If most collision policies
have a $500 deductabile, does secondary mean for me that they will pay
the 500 but not the bigger amount that my own insurance would have paid
if I had some.   Or they won't pay anything?  
0
micky
12/19/2016 6:42:48 PM
In comp.mobile.android, on Mon, 19 Dec 2016 05:23:56 -0500, tlvp
<mPiOsUcB.EtLlLvEp@att.net> wrote:

>On Sat, 17 Dec 2016 19:48:03 -0500, Alek wrote:
>
>>> FWiW, while I am a Comcast customer, have no xfinity username or password,
>>> or email account.
>> 
>> Do you have a comcast username?
>
>No. Comcast is my TV provider, not my ISP. Cheers, -- tlvp

What you need is a TV to Internet converter.  And for when you're not at
home, a TV to cell data converter. 
0
micky
12/19/2016 6:44:33 PM
In article <n9ag5ct3dutr6cuelgup46mv1uhd5g2s0i@4ax.com>, micky
<NONONOmisc07@bigfoot.com> wrote:

> >
> >just about all cards offer secondary auto rental insurance and a few
> >offer primary, both of which covers collision.
> 
> By secondary, do you mean after my own car insurance pays?   

yes.

> The thing
> is that I don't  have collision insurance on my own car, so I have none
> of that. 

in some cases, secondary becomes primary when you don't have your own
primary collision coverage. 

call both your insurance provider and the credit card issuer and ask
what is covered in your situation.

> And if the credit card offers secondary  but desn't offer primary, I
> wonder what that means for someone like me.  If most collision policies
> have a $500 deductabile, does secondary mean for me that they will pay
> the 500 but not the bigger amount that my own insurance would have paid
> if I had some.   Or they won't pay anything?  

typically, secondary will cover what your insurance doesn't, which
should include any deductible. keep in mind that there will be a
collision payout on your record which may affect your rates in the
future.

primary means the card covers all repairs (usually up to $75k-$100k)
without involving your insurance.

some vehicles may be exempt, such as a moving truck or a high end car,
such as a ferrari.
0
nospam
12/19/2016 8:00:16 PM
On Mon, 19 Dec 2016 13:44:33 -0500, micky wrote:

> What you need is a TV to Internet converter.

I do? Why? And: suggest one, please.

> ...  And for when you're not at
> home, a TV to cell data converter.

Again, please: suggest one.

Thanks. Cheers, -- tlvp
-- 
Avant de repondre, jeter la poubelle, SVP.
0
tlvp
12/20/2016 1:38:46 AM
On Mon, 19 Dec 2016 07:49:30 -0500, nospam wrote:

> just about all cards offer secondary auto rental insurance and a few
> offer primary, both of which covers collision.

In my experience, some do, and some don't, especially when it comes to
coverage for rentals *abroad*. YMMV. Cheers, -- tlvp
-- 
Avant de repondre, jeter la poubelle, SVP.
0
tlvp
12/20/2016 1:41:34 AM
On Mon, 19 Dec 2016 13:42:48 -0500, micky wrote:

>>> do post back to tell us which bank and what they market
>>> that card as: lots of us could use just such a card type as well here.
> 
> Where is "here"?

Initially, by "here", I meant the c.m.a. NG.  But you can take "here" to
mean "the USA" if you prefer :-) . Cheers, and TiA, -- tlvp
-- 
Avant de repondre, jeter la poubelle, SVP.
0
tlvp
12/20/2016 1:44:35 AM
In article <t91qv0itnl58$.1b5qj9frfuu7g.dlg@40tude.net>, tlvp
<mPiOsUcB.EtLlLvEp@att.net> wrote:

> 
> > just about all cards offer secondary auto rental insurance and a few
> > offer primary, both of which covers collision.
> 
> In my experience, some do, and some don't, especially when it comes to
> coverage for rentals *abroad*. YMMV. Cheers, -- tlvp

nearly every credit card includes auto rental insurance in some form,
including abroad. they have to, because the competition does. there may
be limitations in a couple of countries but that's about it.

obviously, the higher tier cards will have better coverage than lower
tier cards, including primary.

bottom tier cards might not include coverage because they're targeted
at people who can't qualify for anything better and probably can't
afford to rent a car anyway. perhaps that's the type of card you have.
0
nospam
12/20/2016 4:07:38 AM
In comp.mobile.android, on Mon, 19 Dec 2016 20:38:46 -0500, tlvp
<mPiOsUcB.EtLlLvEp@att.net> wrote:

>On Mon, 19 Dec 2016 13:44:33 -0500, micky wrote:
>
>> What you need is a TV to Internet converter.
>
>I do? Why? And: suggest one, please.

I don't think they make them, but that's what you need.   Because it
woudl take your comcast TV and use it to provide internet. 
>
>> ...  And for when you're not at
>> home, a TV to cell data converter.
>
>Again, please: suggest one.

I didn't say there was one.  Just that you need one. It would take your
comcast TV and provide data to your cell phone where you're not at home.

 <g>

>Thanks. Cheers, -- tlvp

0
micky
12/20/2016 6:15:43 AM
Reply: