Recently, IT System Integrator forums and YouTube channels have been all a-twitter because it appeared that a UniFi user ID and network connection were required to use any of the UniFiOS hosted controllers introduced with along with UniFiOS. After hearing Tom Lawrence and Willie Howe rant about the issue, I decided to experiment a little to see if their complaint was true of my deployment.
I wrote the previous post reporting my experience trying to log in to my controller host while divorced from the Internet. As expected, it smoked so I opened a ticket.
The various Internet communities can be helpful when I’ve overlooked something or misinterpreted something that is common product knowledge. When something appears to be a design issue, only the designers can help. So I ticketed my experience.
Ubiquity Support has responded with what appears to be the solution to my concern raised in the ticket, that local service should be possible during an Internet fade. Read on for the fix.
The good folks at Ubiquity have revised the architecture of the UniFi software system to provide a uniform user management and login environment for Network, Protect, Access, and the coming Talk.
A roles based access rights scheme greatly simplifies user administration and has greatly reduced the number of UniFi related passwords in 1Password. So, life is good in paradise? Not really. Read on to learn of the unanticipated consequences.
I’ve been watching to Mandolin.Com live stream shows during the live music quarantine. My old practice was to AirPlay from an iPad to the lounge AppleTV. I got tired of this (WiFi stalls next to the airport) and decided to eliminate the stuff in the middle. Raspberry Pi Foundation came to the rescue.
Dismal Manor remains an OOMA Telo subscriber and a Ting Wireless subscriber but has discontinued Google Voice service. We were running into voicemail configuration issues that caused two of the voice mail services to start talking to each other. Healthcare providers were unable to leave messages. This had to be fixed so Dismal Wizard got out the lopping shears.
This Sunday, I watched a Punch Brother’s live show. Yes watched Punch Brothers live streaming an hour-twenty or so of non-stop live music. Just five guys and a Neumann U-87 performing Oprey style like they always do on stage. Lots of tuning as keys changed. But tight and moved.
Punch Brothers engaged Mandolin.com a start up streaming production company to produce the show. Mandolin handled the lighting, video production, stream production, and content distribution and ticketing. The band prepared and practiced like they would for any live gig. Mandolin boffins and roadies handled all the tech for the show.
Publicity for the show. A Punch Brothers tweet, a Chris Thile retweet. Don’t know how big the crowd was. Dismal Manor was a sudden sailor for $25. Calvin needs shoes, what can I say?
Featured image courtesy of Apple, Inc. for use in this commentary.
In the summer of 2019, Apple launched the Apple Card in partnership with Wall Street bank Goldman Sachs and transaction interchange network MasterCharge. Apple made a fuss over its titanium substrate and elegant looks. Others give their attention to its interest rates, limits, fees, and cash back features. Truth be known, the Apple Card is a better than median deal for most but not a fee leader or interest rate leader. But it is the first 21st century credit card. After the break, I’ll explain why.
15 August 2020, correct inaccuracy regarding magnetic stripe.
15 August 2020, how do I pay my Apple Card bill?
15 August 2020, Added shimming reference
15 August 2020, Added glossary and cleaned up terminology to make it consistent with the world.
15 August 2020, Added compromised card procedures
18 August 2020, Apple Card does not work with Quicken, Banktivity, etc.
Glossary
EMV Europay, MasterCard, Visa consortium specifying the chip and pin interchange network protocol and chip to reader protocol
NFC Near field contactless protocol used on air between a payment terminal and a account holder token or mobile device.
EMV and NFC transaction use the physical card number. The physical card number takes its name from the fact that it is baked into the chip embedded in the card.
Card Not PresentNumber my shorthand for the full card number you can read in Apple Wallet. An easily replaced virtual card number.
Physical Card Number Apple Wallet name for the card number used for NFC and EMV transactions. Last 4 shown. It is encoded in your titanium card hence physical card number.
Device Account Number Apple Wallet name for the card number used by Apple Pay transactions. Last 4 shown.
21st Century ???
So why is the Apple Card the first 21st century credit card? Because it is the first designed exclusively for use with modern payment interchange infrastructure. The minimal design is striking. Nowhere on the card is there a card number, an expiration date, or a magic number for use in manual transactions.
The card itself can be used in chip-and-pin readers that support the EMV protocol described in reference [3]. It also has a magnetic stripe allowing it to be used with the deprecated stripe reading terminals.
Second, it is designed for near field radio contactless payment devices in partnership with Apple iPhone and Apple Watch.
NFC reader image courtesy of Google and NFC Times trade paper.
Apple iPhone is designed for use with near field contactless readers like the one shown above conducting a transaction with Google Wallet on an early Android device. Any transaction point showing the radio waves and card symbol is able to conduct near field contact-less transactions. In the Apple ecosystem, Apple Wallet lets you select a card and carry out the transaction. Note that Apple Card itself does not have the radio parts imbedded, just the EMV card present parts.
Apple Pay and Apple Card are integrated. Any transaction point supporting Apple Pay works with iPhone Apple Wallet and with Apple Card EMV transactions. NFC transactions require that the transaction point have the proper radio parts included.
Note that Apple Pay is an optional protocol with most merchant services providers. Some include it as a free configuration option. Others bleed the merchant for a bit more vigorish to support Apple Pay. Apple Pay is offered to merchant services folk and the interchange carriers without cost. As merchants replace readers, they are adopting EMV/NFC protocols and Apple Pay as checkout is quicker and more secure.
Apple Card is about Security
Goldman, MasterCard, and Apple designed Apple Card to be identity theft resistant. It can only be used for EMV transactions. No numbers on the card to be photographed. Yes, servers photo cards for later exploitation.
The card has multiple card numbers, one for each payment channel. There is a virtual account number card not present transactions. There is a physical card number for EMV and NFC transactions initiated by the card. There is a device card number for Apple Pay transactions. You can change the virtual account number after each use if you wish.
The Apple Wallet App shows all “completed” transactions, here completed means that the EMV, NFC or Apple pAy protocol has run from start to finish without error and an accepted status was received. You’ll also see failed transactions.
Fraudulent Transactions
Fraudulent transactions become a lot more difficult as the card must be present for most transactions. The card may be present directly, or the transaction can be Apple Pay or Apple Cash Pay if you have set it up. The EMV protocol works via hashes and transaction IDs. There is no point in the transaction where your card number is exposed to be stolen. There is no strip to copy during the swipe. There is a name on the card so you can retrieve it from your server but no other PII on the outside of the card. What there is on the card is encrypted in the EMV secure enclave on the card.
Use the last 4 of the account number to identify which of the three numbers was compromised. Report the compromise to Goldman. Goldman will carry out its fraudulent transaction procedures to reimburse you.
Activating Apple Card
Order Apple Card using Apple Wallet on your iPhone. Apple creates a card matched to that iPhone and Apple ID. Only the ordering iPhone is able to activate and use the card. Its a cryptography thing (public key and private key). To activate the card, open Apple Wallet and place the NFC antenna over the marked spot on the card’s shipping wallet. The two talk to deliver the phone’s half of the cryptographic key pair. Apple has the other half. The phone saves off its key in the secure enclave (that pesky trusted computing stuff). This cryptographic trickery complies with the EMV protocol allowing any EMV NFC reader to conduct an Apple Card transaction.
Apple Card is a Credit Card
It does not have a PIN. Some European points of sale may require a PIN for all cards. If so, you’ll need to use another card at these.
It is not a debit card. You accumulate a bill that closes at the end of the month (28th?) and is carried interest free until the end of the following month. I opened my card in mid-August. It will generate a statement on 30 August. I must pay by 30 September to avoid interest charges.
Credit Line Sizing
Apple set my credit limit at about 10% of my yearly income based on the number I gave them (about twice my Social Security). It appears to be all about Goldman’s opinion about your income statement accuracy and what they can learn about you from the credit bureaus. Spousal income is not considered.
Apple Touch or Face ID controls access
To use Apple Wallet and Apple Card, you must have an unlocked iPhone with you. Apple Touch, Face ID, and iCloud credentials control access to the Apple Card credentials used for transactions. The secure enclave in the T2 chip stores the Apple Card credentials.
Old School Transactions
On Friday, I ordered some music from Qobuz. I payed for it with my Apple Card by using the card number, expiration date, and CCV obtained from Apple Wallet. These are generated uniquely for each card. At any time, you can request a replacement trio, well just because. Or if you don’t trust the Russian Internet merchant. Those numbers are good until you say they are not and replace them.
Wallet is Really Useful
Image courtesy of Apple, Inc for use in this commentary.
Apple Wallet App gives you access to your transaction history as it is built up, your balance, payment date, and payment process. Click the Pay thing and run through the dialog. You will also receive transaction alerts.
Paying your Apple Card Bill
You pay your Apple Card bill using Apple Wallet to manually initiate an ACH transaction to transfer money from your bank account to your Apple Card account. This requires having your ACH credentials stored in Wallet which keeps them in the secure enclave on the T2 chip.
Apple Card Doesn’t Play Nicely with Personal Finance Programs
Apple Card is not designed to be used with personal finance programs such as Quicken, Mint, and Banktivity. Basically, Goldman Sachs does not offer a net portal for the purpose. Also, the card has multiple account numbers, one for each transaction environment. Only the least used card not present number is exposed for your use. The physical card number and device card number are hidden.
Apple Wallet provides a mechanism for exporting the transactions listed n a statement (they’re in your wallet) to an external computer for transfer to a personal finance manager. Reference [11] gives the export procedures. The import procedure is destination specific.
Fraudulent Transactions
Apple Card is still vulnerable to fraudulent transactions. So far, most have happened when the online card not present numbers were used and leaked by a compromised website.
Other fraudulent transactions have occurred when the EMV chip and pin interface was shimmed in a terminal and the transaction copied and used to construct a fraudulent magnetic stripe card.
Apple Card wisely uses three credit card numbers, one for card not present transactions, one for EMV transactions, and one for NFC transactions. Apple Wallet allows you to lock the apple card physical card disabling EMV and stripe transactions. You can continue to make NFC transactions using Apple Wallet and Apple Watch.
Card Not Present Number Compromised
If your card not present virtual card number has been compromised, you can kill it immediately from within Wallet by requesting a new one.
Physical Card Number Compromised
If the physical card number has been compromised, immediately lock the physical card using the lock procedure in Apple Wallet. Order a replacement card by card by running the lost or stolen procedure within Apple Wallet. You will still be able to use Apple Pay which uses the device card number.
Device Card Number Compromised
This should never happen. Apple Pay uses transaction tokenization and stores transactions locally on the secure element (T2 Chip). Report this to Apple Support! Yell really loudly. I can find no mention of a compromised Apple Pay device number.
Transaction Costs
In the US, most merchants absorb the merchant services costs. Vending machines selling candy and soda are the notable exception. Each transaction has three components, the fixed transaction charge, typically $0.25 for US providers, an interchange fee of 2% to 3% of ticket that has an interchange component and a merchant service component.
Some merchant services providers use tranches for transaction pricing with A, B, and C originators. The pricing bins are for card present, card not present, and risky business transactions. For some reason, lodging charges are risky (reservation deposits and cancellations gum up the works). Restaurants are also risky. Risky is risky in regard to the merchant services provider getting paid. Restaurants are risky because they have a short half-life. Non-profits are typically given preferred rates as little goes wrong for their merchant services provider.
More enlightened merchant services providers offer interchange plus pricing. They pass through the Authorize.net or other interchange network charge adding a surcharge proportional to the ticket face value. For a small non-profit, many merchant services providers will offer interchange plus pricing that averages out about 2.9% of ticket. If interchange plus pricing is available, that is the preferred pricing.
Shimming
Shimming is the new skimming. You can protect yourself from shimming attacks by using the terminals NFC payment interface where ever possible. Shimming has the ability to compromise your Apple Card physical card number.
Crooks sandwich a shim between the card and the terminal. The terminal and card chat for the EMV transaction. The shim snoops on the exchange and stores the messages in flash. The shim can be inserted in the terminal and concealed. If you feel any unusual resistance inserting your card into the reader there may be a shim present.
From what the shim overhears, an unscrupulous person can recreate the contents of an old-fashioned card stripe and make a fraudulent card. This is a risk when your card disappears during the transaction and is then returned. A reputable establishment will perform the card transaction in your presence using a regular chip and pin reader.
It is possible to tamer with chip and pin readers but this is becoming increasingly hard as equipment becomes more tamper resistant to fraudulent setup alteration.
Ring’s prominence in the news prompted me to look for an alternative to replace the Ring doorbell with its security issues, limited battery life, and less than satisfactory image quality. While I was at it, I also wanted a couple of cameras to look in on the area where the dogs hang out. Because of the added porch roof, it is difficult to run Ethernet cable to this area for wired cameras. Camera things are in flux with many entrants into the market place. After a market search, I settled on an Anker EuFy doorbell and cameras. Find out more after the jump.
The Moocher finally decided to replace his iPhone 6 while keeping its little buddy. That turned out to be a frustrating evolution because Apple does not cue you to look at the checklist for this evolution. The watch has to be unpaired from the old phone before it is retired and paired to the new phone. If you do everything in order, it goes smoothly. If you try to wing it without the check list, you may end up with a useless wrist ornament as I did.
This short note guides you around the common pitfalls for swapping iPhones while retaining a current Watch. Well, it started that way until my USAA 2FA token went crazy.
For the longest time, Apple Airport Extreme secured the Dismal Manor networks. This began back in 2002 when, out of curiosity, the Head Moocher bought an Air Port Express to add WiFi in the early days. The Moocher had noticed that firmware updates kept showing up for the Airport products so concluded, rightly, that Apple was making an effort to keep these products up to date and secure. When Apple discontinued the Airport product line, it was time to move on. But to what?
Are streaming services evil? For some. For others, they are the gateway to new artists, concerts, and record purchases. Audiophiles that have made the leap are in this latter camp. There’s more to life than the next Beatles reissue. Read on to learn how Roon, Qobuz, and Tidal combine synergisticly to promote artists and music. Roon 1.6 Radio is the secret.
