America had many, many years of accepting credit cards before it was feasible to bring the readers to the table, and by then it was ingrained. My impression is that in Europe it was much more common to pay at a counter before wireless card readers came about in the late 90s/early 2000s.
It's becoming more common to bring readers to tables in America now, because Visa and MasterCard have realized the security benefits and are encouraging it, but there's literally 50 years of habit.
>I can write a check in my home or office, put it in an envelope with a stamp, and put it in the outgoing post, all without going anywhere or paying anyone. I can complete the whole payment task in 5 minutes.
Is that better than logging into your online banking, making an instant transfer? No need to go anywhere or pay anyone.
Every time I do that to a new recipient I have never paid before (especially when my client IP is in another country (where I spend more than half each year), but also even just in the US), Chase bank locks the entire account, including all debit and credit cards, and demands an in-person (in USA) visit with ID to unlock it, because US retail banks have not figured out unphishable web authentication yet.
Paying a new person is at a minimum a 3 hour process using online payments for me if they don't accept credit card payments.
Also, my checks don't have my full name or billing address on them. Credit card payments require disclosing at least part of these (at a minimum, billing address zip code) to the payee. Wire transfers disclose the full name on the account. I want to send money, not PII.
In fairness, you don't have to put your return address on the envelope.
Historically, places could be fussy about accepting checks without an address although I expect that's not generally an issue today. (Of course, lots of other ways to get someone's address especially if they own a house. It's public information in general in the US.)
But, yeah, I've never heard of this account locking thing. I can go to my major brick and mortar bank's web site and add a new payee in 30 seconds. Done.
> Is that better than logging into your online banking, making an instant transfer? No need to go anywhere or pay anyone.
If I have their bank routing number and account number, sure I can do that (then it's effectively the same thing as a check but without the slip of paper). But I don't always have that info particularly for informal one-off payments (e.g. yard cleaner that came to haul debris away) so it's easiest to hand them a check.
My Dubai, Hong Kong and Singapore banks have issued me cheque books. Clearly some people use them outside of the US, although I'm not quite sure for what.
Oh yes, chequebooks are still issued, but no one uses them. Chequebooks used to be these thick 50-100 page ones which used to cost a lot too. Nowadays you would be lucky to get a 15 page leaflet.
Not only BEC, the recovery rate for ridiculously named authorized push payment fraud fraud (i.e. craigslist car scams) is also very low.
Reg E at least protects consumers from some banking malware, but still does not provide protections for phishing victims (despite new non-binding CFPB guidance)
When this stuff happens, you can engage in a legal process that has the power to get your property back. The process to recover from this can be slow and difficult. I acknowledge that this is a failure of the institutions involved, which can and should be fixed. However, the existence of these avenues for recovery acts as a strong deterrent that limits the frequency of such crimes. That’s why I am slightly worried about the local gang stealing my TV (and my safe full of Krugerrands) but not at all worried about them stealing my house.
When your crypto is stolen, the theft cannot be reversed, by design.
The same legal processes that can be used to recover funds stolen from your bank account or stocks stolen from your brokerage account can be used to recover cryptocurrency.
>When your crypto is stolen, the theft cannot be reversed, by design.
If someone sends you a phishing link, gets your info, logs into your online banking and sends all of your money overseas, that theft generally can't be reversed either. (You'll find that the CFPB recently updated their Reg E interpretation on this, but that interpretation isn't binding and directly contradicts decades of practice)
If you're a business and get hit by banking malware, you're similarly fucked.
Not for Bitcoin, no. For other more advanced currencies (everything that supports smart contracts) rules like these can be coded into the wallet.
You can have a rule that allows spending <$1k at known places, but anything over that has to have approval from 3/5 board members, or your manager etc. Any spending rule can be coded like this.
> The same legal processes that can be used to recover funds stolen from your bank account or stocks stolen from your brokerage account can be used to recover cryptocurrency.
If that is the case, then doesn't that destroy (at least) one of the basic principles of cryptocurrency that people constantly harp on?
A house? Maybe. Hasn't worked out for the guy in the BBC story so far.
Brokerage account hacked, stocks sold and money wired away? Your chances of recovery are extremely slim. There's pretty much no recourse once that money has passed through a few hops.
If you're talking about https://twitter.com/LukeDashjr/status/1609661811455819776, my guess is that he's either omitting something (e.g. the cold wallet was internet connected, or there was a backup of its wallet floating around somewhere), or suffered a stuxnet level attack.
Yeah, my best guess is that he was owned for a while and the hackers managed to pivot into everything he owns. The plan was probably to backdoor bitcoin core, but after luke-jr detected his server being compromised the hackers figured they were burned and decided to run off with whatever bitcoin they could get from him.
Not necessarily SE, there's been tons of 0days exploited against stuff like WHMCS, Hostbill, Kayako and many other systems used by hosting companies to manage this kind of thing.
Colocation and epoxy in any relevant ports is the obvious way to avoid this.
Inclined to agree here. Luke is going on about Intel ME backdoors on Twitter, but in reality there will be a far less crazy explanation for how he got owned.
You can easily protect your hardware from all but the most determined adversaries with extensive physical access. Epoxy in ports, case intrusion detection and locked down boot chain. Use TPM2-totp for verified boot.
Your colo provider can be thoroughly owned, your adversaries can have physical access to the server for extended periods of time and still not be able to do anything because you've denied them access to any ports that'd allow DMA.
Lots of cheap DIY options for fancy case intrusion detection going way beyond that offered by mfgs. USB camera and some tape?
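
Added example, not part of the thread and not code from the tpm2-totp project: a simplified software model of the "TPM2-totp for verified boot" idea mentioned above, where a TOTP secret is bound to the measured boot chain so the machine can only show the code your phone shows if nothing in that chain changed. `ToyTpm`, the component names and the secret are constructed for illustration; a real TPM enforces the PCR policy in hardware and never exposes the secret to the OS.

```python
import hashlib, hmac, struct

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement)).
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(32)  # PCRs start at all zeroes after reset
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ToyTpm:
    """Software stand-in for PCR-bound sealing (assumption: toy model only)."""
    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._secret, self._policy = secret, expected_pcr

    def boot_code(self, current_pcr: bytes, unix_time: int):
        # The secret is usable only if the current PCR matches the sealed policy.
        if not hmac.compare_digest(current_pcr, self._policy):
            return None  # policy check fails: no code can be displayed
        return totp(self._secret, unix_time)

def demo(unix_time: int = 59):
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    trusted = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]          # constructed
    modified = [b"firmware-v1", b"bootloader-modified", b"kernel-v1"]   # constructed
    tpm = ToyTpm()
    tpm.seal(secret, measure_boot(trusted))      # enrolment on a known-good boot
    phone = totp(secret, unix_time)              # what the owner's phone shows
    clean = tpm.boot_code(measure_boot(trusted), unix_time)
    tampered = tpm.boot_code(measure_boot(modified), unix_time)
    return phone, clean, tampered

if __name__ == "__main__":
    print(demo())
```

The check is the owner comparing the code on the boot screen with the one on their phone; a changed boot chain yields no matching code.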