> It's no longer between two parties (a consumer and a merchant)
A cash transaction is between 2 parties. A debit card transaction is between 5: consumer, consumer's bank, merchant, merchant's bank, payment network/card provider.
You are using Mastercard's payment network whenever you pay for something. They see and record all your transactions. Mastercard is the entity informing your bank to pay the merchant's bank.
Yes, but how is Mastercard encouraging me to spend more? In my day to day, it matters little which payment network I use since that’s abstracted away by the bank’s interface.
What opportunity does Mastercard have to target me?
They sell your transaction data to Google. When merchants provide Level 3 information (line items), Google can now know exactly what you're actually spending your money on.
Then, Google can show you super-relevant ads, that might encourage you to spend even more.
Presumably they could tell stores that you have your card on file with? (Only speculating; I have no idea if they or any other card network actually does that.)
Offering lower interest rates as a promo, higher limits, low interest loans, bonus points from certain brands/categories, offering new types of cards, etc etc
Read OP’s comment again. Mastercard is not a card issuer, they can offer none of the things you mentioned.
The answer to OP’s question, of course, is that Mastercard doesn’t make use of the information it has directly. It sells the information to interested parties like Google and other advertisers. This is the behavior EFF is objecting to.
I live off grid, and have more than my batteries can take. I considered just doing a hot water cylinder for the excess, but I’m currently instead working on a hot water cylinder heated by GPUs. May as well do some useful work while making my shower hot.
Was thinking about this too. Or mining Bitcoin and using that waste heat etc.
There's heat pump boilers apparently with some additional loops for external heating (meant for solar water heaters) that could be used for this.
"Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world."
--
excerpt from A Cypherpunk's Manifesto,
Eric Hughes,
March 9, 1993
It's funny (not haha-funny) how political policy in 2023 is still trying to catch up to morality understood 30 years ago. I remember being annoyed at newscasters abusing the term "hackers" in the late 90s and extremely broad definitions of "hacking" being applied in court-rulings. It must still be really difficult to comprehend tech and the consequences of these kinds of policies for policy makers. Either that or policy makers really are maleficent towards life, liberty and the pursuit of happiness.
Oh, politics understands that alright, don't you worry about that. Politicians are the enemies of privacy for the masses, because a transparent population is a population that is easier controlled and manipulated.
That's also why terms are being used deliberately incorrectly, to move legitimate positions nearer to criminal activity. Just ask anyone interested in hobbyist chemistry.
The term "illegal aliens" is an invention. "Immigrant" doesn't care about legality; it is literally just someone who has moved from another locale. Labeling one variant "legal" and another "illegal" is perfectly reasonable.
I think it was 1986, as in the Immigration Reform and Control Act of 1986. [1]
> That way build sympathy for the law-breakers, then legitimize them via immigration reforms that only benefit the illegals
it was noted "The legalization provisions in this act will go far to improve the lives of a class of individuals who now must hide in the shadows, without access to many of the benefits of a free and open society. Very soon many of these men and women will be able to step into the sunlight and, ultimately, if they choose, they may become Americans"
I don't really care if somebody entered the country legally or not. Eventually, everybody assimilates. However, I am not ok extending benefits paid for by taxes to non-citizens. As long as there are politicians trying to give tax paid benefits to "illegal" immigrants I will be against illegal immigration.
I agree, but I don't think that's a good example. The only reason for the existence of a bank password is to enable private interactions between yourself and the bank (and the government through their financial surveillance).
In practice your bank password is indeed a secret, and that's a bad thing, because that above definition is wrong, which is why I prefer to think about the U2 lyric (from "The Fly"):
"They say a Secret is something you tell one other person, so I'm telling you, child".
The bank knows your password. Which means they (or more precisely their agents, employees, etc.) can lose it yet they'll probably try to blame you.
It is possible to not have this happen via what's called an Augmented PAKE - the bank wouldn't know your password, but they'd be able to check you still remembered it - however almost certainly none of the systems you use today do this.
> The bank knows your password. Which means they (or more precisely their agents, employees, etc.) can lose it yet they'll probably try to blame you.
Normally banks can't and shouldn't know the password in most jurisdictions. It does pass to their server, but they're supposed to only store a hash of it, so not be able to know what it is.
But if anybody makes this BS argument, just ask them for the credit card number and the 3 digits on the back of the card, telling them you will post it online.
Don't they usually store a hash of it? And doesn't it therefore for the most part work exactly the way you say it ideally should?
Of course leaking the hash of my password might make it easier to crack, to some extent, but if they've done a good job then this is much better than it being something the bank can trivially lose.
> Don't they usually store a hash of it? And doesn't it therefore for the most part work exactly the way you say it ideally should?
Putting aside the banks who literally do store the password because they have security procedures like "Please enter the first and fifth characters of your password" even those that do store a password hash still need you to submit your password to authenticate.
So, like the lyric says, you tell the bank your password. You hope they just use it to authenticate you and immediately discard it, but if bank security lapses are anything to go by they're probably logging it "for security" and there are definitely employees able to snoop the decrypted plaintext passwords from customers on some internal teams.
That is what Augmented PAKEs fix, it's really hard to do well, and of course banks see themselves as infinitely trustworthy so why would they bother.
This mistaken sense of self-worth applies to your credit card PIN by the way also, of course banks and thus bank employees can know your PIN, which means when a purchase is "secured" by the PIN that rules out some local pickpocket having made the purchase, but as well as you it leaves open the possibility that it was a bank employee or their co-conspirator.
This is completely false. You validate any password requirements before salting and hashing the password and then store the salt and hash. Even if you restrict usage of previous passwords, you are just comparing hashes.
If the bank is indeed salting and hashing the password, then what's the rationale of allowing certain special characters like '!', but not '+'? Hashing and salting should be character agnostic.
Some special characters are not processed as one might expect, particularly by implementations of languages such as COBOL, which is still used on the server side by many banks, insurance companies and government agencies where consistency is paramount.
"#" can mean phone number
"+" or "&" can mean concatenate variables
It is vastly easier to screen out possible problems at the user/browser level than rewrite zillions of lines of legacy code.
Except you are giving them the password and trusting them to discard it after validating it. If it's purely client side, then the bank is trusting you to follow the password requirements which is also out of the question.
Whether hashing is happening client side does tell you a little, though in most cases most users are still trusting the client side software to not exfiltrate the password before hashing it.
Even with client-side hashing, the software can still validate password requirements on the client side; you may be able to bypass those requirements by modifying the client-side software.
So still no, having password requirements tells you nothing about whether the password is being stored in the clear or not. The statement that I disagreed with is still completely false.
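The flow argued over in this subthread (policy checks on the plaintext first, then only a salt and hash stored, with reuse checks done by comparing hashes), as an added example that is not part of any comment above and not any bank's code. The policy values, the PBKDF2 work factor and the account dict layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed values for this example; a real deployment picks its own.
MIN_LENGTH = 12
HISTORY_DEPTH = 3        # how many earlier passwords may not be reused
ITERATIONS = 200_000     # PBKDF2 work factor, illustrative only

def derive(password: str, salt: bytes) -> bytes:
    # The KDF sees bytes, so '+', '&', '#' or '!' are all handled the same way.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def policy_errors(password: str) -> list[str]:
    """Rules that need the plaintext, so they run before hashing."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if password.isalpha() or password.isdigit():
        errors.append("needs more than one character class")
    return errors

def new_record(password: str) -> dict:
    """What gets stored: a fresh random salt and the derived hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}

def matches(password: str, record: dict) -> bool:
    # Re-derive under the stored salt and compare in constant time.
    return hmac.compare_digest(derive(password, record["salt"]), record["hash"])

def change_password(account: dict, candidate: str) -> list[str]:
    """Return rejection reasons; an empty list means the new record was stored."""
    errors = policy_errors(candidate)
    past = [account["current"], *account["history"]]
    # Reuse check: hash the candidate under each old salt, compare hashes only.
    if any(matches(candidate, record) for record in past):
        errors.append("reused")
    if not errors:
        account["history"] = past[:HISTORY_DEPTH]
        account["current"] = new_record(candidate)
    return errors
```

The plaintext is still present in server memory for the duration of `change_password` and `matches`, which is the exposure the augmented PAKE comments refer to.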
> In a 2010 Quebec Court of Appeal case the court stated that a password compelled from an individual by law enforcement "is inadmissible and that renders the subsequent seizure of the data unreasonable
It is backed by nothing and that's ok. It's a money, it doesn't need to be "backed". Gold is not "backed" by anything, the notion doesn't even make sense. Backing implies a debt or a promise to convert currency into money by a counterparty, and that backing can be taken away.