The Consumerist

The Inevitable Comes To Pass: Of Course A “Sexy Ebola Containment Suit” Exists

Mon, 2014-10-27 17:39



As the sun rises in the east and sets in the west, as the Earth doth go round the moon and as strangers will inevitably call me Mary despite evidence that that is not, in fact, my name, we as a society cannot resist the temptation to create topical Halloween costumes. But we’re also not content with just one iteration, say, of an Ebola Containment Suit costume for Halloween this year. Nope. There inevitably had to be a Sexy Ebola Containment Suit costume.

And so it has come to pass: There’s regular containment, and then there’s sexy containment.

What makes sexy containment different than your run-of-the-mill hazardous cleanup? You’re fighting Ebola in style, and will be cutting such a shape throughout the upper echelons that the world’s most fashionable people will be clamoring for your style. Sure, we’ll go with that.

“As the deadly Ebola virus trickles its way through the United States, fighting its disease is no reason to compromise style. The short dress and chic gas mask will be the talk of Milan, London, Paris, and New York as the world’s fashionistas seek global solutions to hazmat couture. Ending plague isn’t the endeavor of a single woman, so be sure to check out our men’s Ebola Containment Costume for a great couple’s costume idea.”

It seems appropriate to end this on a simple note: Sigh.

Master Of Fried Fair Food Opens Restaurant, Will Clog Arteries Year-Round

Mon, 2014-10-27 17:12

(Wade Courtney)

Here at Consumerist, we like to keep our fingers on the feeble, erratic pulse of the latest news in junk food. We like to check in annually on the latest novelty fair foods from Chicken Charlie’s, a vendor at various fairs in southern California and an influential fryer of things. Exciting news from San Diego: Chicken Charlie’s opened a year-round restaurant over the weekend.

Our most recent post about Chicken Charlie’s was about their offering at this year’s fair: a triple cheeseburger on a Krispy Kreme glazed doughnut bun. Surprisingly, no part of this meal is deep-fried, but no part of it really had to be.

That brings us to an important question: how many deep-fried Klondike Bars and dough balls soaked with Kool-Aid are they moving? Not as many as you’d think. The tiny restaurant’s menu mixes fair food with much healthier fare, like salads and… um, salads with fried chicken on them.

The owner says that the most popular item in the restaurant is right there in the name: people are mostly coming to buy fried chicken, not deep-fried Oreos. He claims to have invented the deep-fried Oreo in 1998, and has been an innovator in fried-food technology since. At the fair, whatever fried innovation makes its debut that year is always the most popular item.

After a few decades of vending and frying at events, he began making plans to open a stationary restaurant a few years ago when his first child was born.

Yelp reviews so far are mixed, but overwhelmingly positive.

Chicken Charlie’s FryBQ Debuts: Fair Food Magician Rejects ‘Boring’ [Times of San Diego]

Hours Before Going Dark, Twitpic Acquired By Twitter – The Company Responsible For Its Demise

Mon, 2014-10-27 16:57

Twitpic users who feared their photos would soon be a casualty of the Internet black hole received some slightly good news over the weekend: Twitter, which had a heavy hand in the demise of Twitpic, acquired the company, allowing photos stored on the site to live on.

Tech Times reports that Twitpic officials announced the last-minute reprieve in a blog post just hours before the site was set to go dark.

Noah Everett, CEO of Twitpic, says in the post that the two companies reached an agreement in which Twitter would receive the Twitpic domain and photo archive.

“Twitter shares our goal of protecting our users and this data,” Everett wrote. “Also, since Twitpic’s user base consists of Twitter users, it makes sense to keep this data with Twitter.”

But the news doesn’t mean that users will be able to actually use Twitpic in its previous capacity in the future.

Instead, photos will be available in read-only mode, meaning users can no longer upload new content or edit existing photos. However, users can continue to delete, download and export photos, or delete their Twitpic accounts.

Twitter’s decision to acquire Twitpic comes less than two months after the social media network demanded that the photo sharing site abandon its 5-year-old trademark for the Twitpic name or lose access to the Twitter API, taking away a good chunk of Twitpic’s reason for existing in the first place.

At the time, officials with the smaller site said they didn’t have the resources to maintain a drawn-out legal fight over its name and opted to shut down operations.

When Twitpic began in 2008, it was one of the few services that allowed photos to be shared on Twitter. But over time, Twitter developed its own platform allowing users to upload photos directly to their feeds.

Twitpic is dead but it’s domain and photo archive will live on, thanks to Twitter [Tech Times]

Bogus Credit Card Charges Look Like They Were Made With Chip-Enabled Cards

Mon, 2014-10-27 16:45

As banks begin rolling out new credit cards embedded with microchips intended to help prevent fraudulent use, some financial institutions are reportedly seeing a spike in bogus transaction charges that appear to be coming from these newer cards, even though chip-enabled cards have yet to be sent out.

This is according to Krebs on Security, which reports that at least three U.S. banks have recently seen tens of thousands of fraudulent transactions coming from Brazil that are not only using account numbers stolen from data heists like the massive Home Depot breach, but which are being processed through the Visa and MasterCard networks as if they are coming from chip-enabled cards.

One small New England bank tells Krebs that it saw around $120,000 in bogus charges from Brazil in just a two-day period last week. All of those purchases came through the MasterCard network as if they were from new, chip-enabled cards. Luckily, it was able to block $80,000 of these transactions from going through, but it could still be on the hook for the remaining $40,000.

The accounts in question had been associated with the recent Home Depot breach, but the bank said that it had previously seen almost no attempts to make fraudulent purchases with that stolen info. Then came last week.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” a rep for the bank tells Krebs. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.”

Since the bank has not yet released chip-embedded cards, how are the thieves tricking the MasterCard and Visa networks?

In the case of the New England bank, it says that MasterCard initially insisted that the purchases had to have been made with the physical chip-embedded cards. But not only has the bank not released any of these cards, its payment processor hasn’t yet been certified by MasterCard to handle these sorts of transactions.

The microchips themselves are apparently quite hard and expensive to clone and Krebs explains that there are additional security checks that banks can use to validate chip card transactions:

The chip stores encrypted data about the cardholder account, as well as a “cryptogram” that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal counter mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the bank that issued the card.

Since no one is speaking on the record about these bogus purchases, insiders tell Krebs that the most likely explanation for the trickery is what’s known as a “replay” attack.

It’s believed that the fraudsters in this case had control of a payment terminal and could manipulate data fields for transactions put through that terminal.

Once they had data from a genuine chip card transaction, they could basically fill in the blanks with the stolen card numbers and the other necessary info.

Avivah Litan, a fraud analyst with Gartner Inc., tells Krebs that Brazilian scammers were recently able to pull this sort of fraud on a Canadian bank because the institution wasn’t thoroughly checking the cryptograms or counters on chip-card transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan explains. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

It’s basically like trying to sneak backstage at an event by wearing a VIP lanyard around your neck and hoping that no one actually looks to see if it’s genuine.

“It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it,” says Litan. “Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV.”
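An added example, not from the original article or from Krebs: a minimal issuer-side check of the two controls described above (the per-transaction cryptogram and the chip's counter), next to the lax behaviour Litan describes. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and every name, key, account label and the `ATC_MAX_JUMP` tolerance is a constructed assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed tolerance for counter gaps (e.g. offline or failed attempts).
ATC_MAX_JUMP = 20


@dataclass(frozen=True)
class AuthRequest:
    """The fields of an authorization message that matter for this check."""
    pan: str                      # account number as presented by the terminal
    amount_cents: int
    atc: int                      # chip's transaction counter
    cryptogram: Optional[bytes]   # None models a message with the code missing


def chip_cryptogram(card_key: bytes, pan: str, amount_cents: int, atc: int) -> bytes:
    """Stand-in for the chip's cryptogram: a MAC over the transaction data,
    keyed with a per-card secret known only to the chip and the issuer."""
    msg = f"{pan}|{amount_cents}|{atc}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self, chip_card_keys: Dict[str, bytes]):
        # Only accounts for which a chip card was actually issued have a key.
        self.chip_card_keys = chip_card_keys
        self.last_atc: Dict[str, int] = {}

    def authorize_lax(self, req: AuthRequest) -> str:
        """The failure mode described in the article: a message flagged as a
        chip transaction is approved without checking the code or counter."""
        return "APPROVE"

    def authorize_strict(self, req: AuthRequest) -> str:
        key = self.chip_card_keys.get(req.pan)
        if key is None:
            # A "chip" transaction on an account that never received a chip card.
            return "DECLINE:no_chip_card_issued"
        if not req.cryptogram:
            return "DECLINE:missing_cryptogram"
        expected = chip_cryptogram(key, req.pan, req.amount_cents, req.atc)
        if not hmac.compare_digest(expected, req.cryptogram):
            # Any edited field (account, amount, counter) changes the MAC.
            return "DECLINE:bad_cryptogram"
        last = self.last_atc.get(req.pan, 0)
        if req.atc <= last:
            return "DECLINE:atc_replayed"   # duplicate or stale counter value
        if req.atc - last > ATC_MAX_JUMP:
            return "REFER:atc_jump"         # counter skipped ahead, review it
        self.last_atc[req.pan] = req.atc
        return "APPROVE"


def demo() -> Dict[str, str]:
    """Run constructed sample messages through both authorization paths."""
    key_a, key_c = b"constructed-key-A", b"constructed-key-C"
    chip_a, chip_c, magstripe_b = "ACCT-A-CHIP", "ACCT-C-CHIP", "ACCT-B-MAGSTRIPE"
    issuer = Issuer({chip_a: key_a, chip_c: key_c})

    genuine = AuthRequest(chip_a, 2500, 7, chip_cryptogram(key_a, chip_a, 2500, 7))
    # Captured message with other account data filled in, old cryptogram kept.
    swapped_magstripe = AuthRequest(magstripe_b, 90000, 8, genuine.cryptogram)
    swapped_chip = AuthRequest(chip_c, 90000, 8, genuine.cryptogram)
    no_code = AuthRequest(chip_c, 90000, 1, None)
    jump = AuthRequest(chip_a, 1000, 500, chip_cryptogram(key_a, chip_a, 1000, 500))

    return {
        "genuine": issuer.authorize_strict(genuine),
        "same_message_again": issuer.authorize_strict(genuine),
        "swapped_magstripe": issuer.authorize_strict(swapped_magstripe),
        "swapped_chip": issuer.authorize_strict(swapped_chip),
        "no_code": issuer.authorize_strict(no_code),
        "counter_jump": issuer.authorize_strict(jump),
        "lax_swapped_magstripe": issuer.authorize_lax(swapped_magstripe),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```
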

MasterCard is apparently now in the process of reviewing the fraudulent transactions in the New England case to see if the merchants associated with these purchases have any actual records of these transactions.

While chip-enabled cards can add a level of security to transactions, it’s important for banks to not be lulled into a false sense that everything is okay.

Litan tells Krebs that setting up the systems for chip-based transactions is not simple for banks and processors, but that “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly.”

“That’s the irony: We think EMV is going to solve all our card fraud problems,” says Litan, “but doing it correctly is going to take a lot longer than we thought.”

Police: Regretful Thief Returns Money To Gas Station Hours After Robbing It, Apologizes

Mon, 2014-10-27 16:27

Not the suspect. (Bill Binns)

There’s regretting past misdeeds, and then there’s feeling immediately so sorry for doing someone wrong that you return to the scene of the crime to set things aright. The latter was the case for a 23-year-old in California who police said robbed a gas station convenience store and then came back to apologize with the cash later.

Police in Eureka, CA say that the suspect robbed the gas station, demanding cash, at gunpoint, reports the Associated Press.

After a clerk handed him some money, the suspect allegedly took two bottles of beer and hit the road. But cut to three hours later and the would-be robber returned to the scene of his alleged past misdeeds and handed over most of the cash he’s suspected of stealing earlier in the day.

He told the clerk that the weapon he’d had on him earlier was just a BB gun, which police had yet to recover. He also said he was sorry, that he’d taken the cash to get a fresh start and leave town, but he’d realized he’d done wrong.

He was booked into jail on $50,000 bail.

Police: Regretful California robber returns cash [Associated Press]

Maker Of Airbags Linked To 8M Recalled Vehicles Used Unusual Chemical Explosive For Inflation

Mon, 2014-10-27 16:07

(I Am Rob)

Takata, the Japanese/German auto-parts maker that supplied airbags used in millions of recalled vehicles, employed an unusual explosive chemical to inflate the safety devices, which may have contributed to the spraying of metal shrapnel at vehicle passengers.

Bloomberg Businessweek reports that the chemical will likely become the focus of National Highway Traffic Safety Administration investigators as they continue a probe into the defective airbags that have so far been linked to four deaths and 30 injuries in the United States.

Chemicals have long been the powerful mechanism behind airbags. That’s why after some crashes, the driver or front-seat passenger in a vehicle may have chemical burns on their skin.

Typically the inside of an airbag contains an igniter that heats an aspirin-sized tablet of compressed chemical. The ensuing reaction fills the airbag with gas, inflating it at speeds reaching a few hundred miles per hour.

Takata began using ammonium nitrate in its airbags in the late 1990s, because of the chemical’s ability to make airbags inflate in a matter of milliseconds.

Jochen Siebert, a Shanghai-based managing director of JSC Automotive Consulting, says Takata – the only auto-parts supplier to use ammonium nitrate – favored the chemical because it allowed for the creation of smaller and slighter airbags.

“It was all about technology; it wasn’t even about price,” Siebert tells Businessweek. “But it all went wrong.”

Regulators believe that issues with the airbags have been caused by the presence of moisture, which led automakers to initiate recalls in areas of high humidity such as the southern United States.

Scott Upham, president of Valient Market Research, tells Businessweek that the presence of moisture can render the ammonium nitrate unstable.

When the safety device becomes activated the combination of the unstable chemical and igniter inside the airbag can create an environment where too much force is present.

The high-pressure force created by the chemical reaction has been found to send small pieces of metal flying at drivers and passengers in the affected vehicles.

Officials with Takata declined Businessweek’s request to comment on the use of ammonium nitrate in their airbags.

So far this year, 10 automakers have recalled nearly 8 million vehicles to replace the Takata airbags.

While NHTSA issued an unusual warning last week urging owners of affected vehicles to get them fixed, a shortage of parts has left millions of potentially dangerous vehicles on the roadways.

Takata’s biggest customer Honda, which has been linked to at least three of the deaths related to the airbag defect, said last week that it doesn’t have enough parts to fix the 2.8 million vehicles the company has recalled.

Instead, the manufacturer is sending out recall notifications only as parts become available, with priority being reserved for areas of high humidity.

Toyota, which expanded its recall of vehicles with Takata airbags last week, says because of the lack of parts, the company would in some cases disable the airbags, leaving a note urging customers not to ride in the front passenger seat.

For their part, officials with Takata say they are “working night and day” to enhance the safety of parts.

According to Businessweek, this isn’t Takata’s first issue with the chemicals used in its airbags.

The company was found to have previously improperly stored chemicals and mishandled explosive propellants used in its airbags at a plant in Mexico. In March 2006, a series of explosions at the factory led authorities to evacuate nearby residents.

Air-Bag Maker in Global Crisis Used Unusual Explosive [Bloomberg Businessweek]

Microsoft Dropping Xbox One Price $50 In Advance Of Holiday Season

Mon, 2014-10-27 15:45

It’s been a year since Microsoft and Sony launched their latest game consoles and the makers of the Xbox One are making a push to get their product in more homes this holiday season by dropping the price through the end of the year.

Starting on Nov. 2, the Xbox One will be available for as low as $350 at many of the nation’s largest retailers, including Amazon, Best Buy, GameStop, Target, Toys ‘R’ Us, Walmart, and of course Microsoft Stores.

The $50 discount will also apply to a variety of Xbox One console/game bundles being offered during the holiday season. More info is available here.

The Xbox One originally launched at $500 but eventually got a price drop to $400 for users choosing to go without the Kinect motion/voice sensor. That made the base console the same price as Sony’s competing PS4.

No word yet on whether Sony will try to match or undercut Microsoft, or if the company feels secure that it can sell enough consoles at the $400 price point.

Man Throws Chihuahua At Window Of Starbucks That Banned Him

Mon, 2014-10-27 15:44

In Houston, a man was banned from a Starbucks due to his disruptive behavior, which included “harassing” customers. He reacted to this ban in a completely logical way: by pitching a fit outside, throwing a glass bottle at the ground, then throwing a Chihuahua puppy of unknown origin at the coffee shop’s window.

Nobody knows whether the puppy belonged to the man banned from the Starbucks, a bystander who hasn’t stepped forward to reclaim their pet, or where it could have come from. What the authorities do know is that the man pitched the puppy into the window with such force that bystanders thought that it couldn’t have survived.

Fortunately for everyone, it did. The four-pound dog is now in the care of a local rescue organization, and one of her hind legs is broken and needs repair. “How in the world can someone take such a tiny animal and use it to vent their anger?” the volunteer who is providing foster care to the dog asked TV station KHOU.

The man who threw the dog into the window has been charged with animal cruelty, and remains in jail. Naturally, the dog has been named Starbucks, presumably because “Pupkin Spice Latte” was too long. Since no one knows who she belongs to, she will go up for adoption after she recovers.

Chihuahua on mend after being thrown against Starbucks window [KHOU]

American Airlines Flight Forced To Return To Gate After Passenger Discovers “Al-Quida” WiFi Network

Mon, 2014-10-27 15:33



While there’s no rule that WiFi networks need to employ good spelling, naming a plane hotspot “Al-Quida Free Terror Nettwork” isn’t going to help anyone. And it’s because of that poorly chosen/thick-headed decision that an American Airlines flight from Los Angeles to London last night had to turn back before it even got started.

Adding to the rolls of poorly chosen hotspot names, ABC 7 reports that a passenger on last night’s flight saw the terrorist-named WiFi connection and told a flight attendant after becoming concerned.

Passengers were then reportedly stuck on the plane for about three hours while authorities investigated, with some travelers saying they were at first told the delay was due to a maintenance problem.

American Airlines officials say the flight returned to the gate and was delayed until 1 p.m. Monday, according to ABC 7.

It said last night that it’s assessing the situation and law enforcement has been notified while police gather more information.

When in doubt, stick with WiFi names like “Fuzzy Socks Stink, Right” or “Keep Your Head Off My Shoulder, Please.”


Why Did CVS & Rite-Aid Stop Taking Apple Pay?

Mon, 2014-10-27 14:58



After nearly a week of accepting payment via the recently launched Apple Pay system, both CVS and Rite-Aid suddenly stopped offering this option to shoppers over the weekend. And neither retailer is giving a reason why, though it appears to be part of a retail-industry effort to eventually roll out its own payment system.

Rite-Aid will only say that it is “continually evaluating various forms of mobile payment technologies,” and that the drugstore chain is “committed to offering convenient, reliable, and secure payment methods that meet the needs of our customers,” but none of that actually explains why Rite-Aid opted to pull the plug on Apple Pay after only a few days.

Meanwhile, CVS has thus far remained mum on why it no longer accepts Apple Pay.

As Bloomberg BusinessWeek points out, the stores didn’t just disable Apple’s new service, which lets users pay at the cashier with a tap of their iPhone; they also stopped offering competing tap-to-pay systems Google Wallet and Softcard.

While Rite-Aid and CVS aren’t telling people why they can’t use Apple Pay or these other options anymore, many analysts believe that it’s a preemptive move in advance of the impending launch of CurrentC, a payment system being developed by Merchant Customer Exchange, a consortium of dozens of major retailers — including Rite-Aid, CVS, Best Buy, and Walmart — that is fighting against the major payment card networks by attempting to cut out the middle man completely.

CurrentC would not only mean that retailers would avoid the swipe fees that they pay to card networks every time a customer makes a credit/debit card purchase, it would also give the stores greater ability to collect data about individual customers’ shopping habits across multiple retailers.

This stands in direct contrast to the privacy which Apple Pay reportedly offers to its users, as the retailers who accept this form of payment receive virtually no information about the customer.

“Clearly Rite Aid and CVS are making a business decision over a customer satisfaction decision,” Patrick Moorhead, president of Moor Insights & Strategy, tells CNBC.

Amazon Announces Fire TV Stick To Compete With Chromecast

Mon, 2014-10-27 14:56



Where there once was plenty of room on the streaming TV field, things are now getting a little bit more crowded, as Amazon has announced a rival to Chromecast. The Fire TV Stick is a dongle similar to other streaming media devices that connects to an HDMI port on HDTVs, and will allow users to watch content from Netflix, Amazon Prime Instant Video, Hulu Plus and more.

The Fire TV Stick follows Amazon’s set-top box, the Fire TV, which debuted last winter. But while that device sells for $99, the new stick sells for $39 (compared to Chromecast’s $35 price tag) and can do much of what Fire TV does, and seems to be a direct bid to compete with Chromecast and the Roku streaming stick for customers’ affections.

Amazon is touting features like the Fire TV Stick’s dual-core processor, 1 GB of memory and “4x the storage and 2x the memory of Chromecast,” as well as features like “ASAP,” which “learns what movies and shows you like so they start instantly” instead of taking time to buffer.

In addition to TV apps, the Stick has the option for playing games, though you’ll likely need a separate controller for ease of play.

There’s also a remote and app option for controlling the Stick, or a voice search option that allows users to speak what they want and control the device that way — but that remote is sold separately and doesn’t come free when you order the device.

Amazon is taking pre-orders now for the $39 devices, with Prime customers getting the option for two days only to buy it for $19. Orders will begin shipping on Nov. 19.

Your Electric Company Will Not Call And Demand Payment By Prepaid Card

Sat, 2014-10-25 00:21

(Timothy Barnes)

While your local utility could call you up and demand immediate instant payment using a prepaid debit card before shutting off your natural gas and power, they will never actually do that. The owner of the Squeeze Inn, a fantastically-named restaurant in California, learned that the hard way when he panicked and sent $1,000 to scammers claiming to represent Pacific Gas & Electric.

The caller ID claimed to be PG&E, and the person on the other end claimed that there was a crew on their way over right then. Panic overrode the owner’s better judgement and even his knowledge that the bill had already been paid. He obtained the prepaid card and stopped the imaginary crew from turning off his utilities.

Green Dot itself even offers anti-fraud advice on their website, including these crucial tips:

  • Never give your MoneyPak number to someone you don’t know.
  • Refuse any offer that asks you to buy a MoneyPak and share the number or receipt information by email or phone.
  • Don’t use the MoneyPak to pay taxes or fees to claim “winnings” on a foreign lottery or prize promotion. Unless it’s an approved MoneyPak partner, don’t use MoneyPak for any offer that requires you to pay before you get the item.

Those are all solid pieces of advice. The problem, of course, is that many targets of these scams aren’t Internet-savvy, and will never see this page. Same goes for the very useful list of approved partner companies that accept MoneyPak payments.

It would be useful to put these tips on the package for the MoneyPak cards, but people still probably wouldn’t pay attention to them.

If you do receive a collections call from your utility, hang up and call the number on your bill: if it’s a legitimate call, they should not have a problem with this.

Squeeze Inn Owner Falls Victim To Scammer Claiming He Was From PG&E [CBS Sacramento]

More Info From Yelper Who Says He Was Threatened Over Negative Review

Fri, 2014-10-24 23:48

One of the messages allegedly sent via Facebook from the chef to a customer who left a one-star review on Yelp.

Earlier today, we told you about the apparent dispute between a Cleveland consumer and the chef/owner of a local restaurant who allegedly reacted to the customer’s negative Yelp review with a series of nasty, threatening messages on Facebook. Now that diner has reached out to Consumerist to share more of his side of the story.

First off, Ruchu, the customer who posted the one-star review said he wanted to clear up some rumors that others may have read about this situation.

He tells Consumerist that he doesn’t have any affiliation with any businesses that compete with the restaurant or its owner.

Additionally, though both the customer and the chef attended the same college, they did not know each other.

“He was years ahead and I only came to find out that he was an alum after this ordeal,” writes Ruchu. “Before this, I wouldn’t even recognize him.”

He believes there has also been some confusion about the platform for the messages that he’s screengrabbed and posted online. Some have apparently believed that these are text messages because of the narrow layout, but as anyone who has used Facebook Messenger can tell you, this is how Facebook messages appear on an iPhone.

“We did not contact each other over phone or text,” clarifies Ruchu, “only through Facebook and a few e-mails.”

Ruchu and his friends dined at the restaurant on a Sunday evening. The original Yelp review was posted the next afternoon.

That’s when things started to get strange.

Ruchu says that the chef found him on Facebook, copying a mutual friend on the original message, though neither Ruchu nor that friend know why this person was brought into the dispute. Then, according to Ruchu, the chef began “liking” every one of Ruchu’s public posts; he even apparently friend-requested the very person he was simultaneously sending these unpleasant messages to.

What wasn’t included in the earlier story — because we’re just seeing it now — are the messages and e-mails that were sent after that initial batch we told you about.

Ruchu later responded to the chef, suggesting that an apology was called for.

“Not only did you take my opinions on your business too personally, you attacked my girlfriend and friend,” he wrote, pointing to the racially charged comments and threats in the earlier messages. “You showed that you are [incapable] of receiving criticism.”

Surprisingly, given the vitriol on display in the initial messages, the chef’s response to this request was not filled with the same unhinged anger.

“I do apologize for my harsh words, particularly getting personal,” writes the chef, who does say he interpreted the review as an attempt to sabotage his business.

While Ruchu was skeptical of the apology, he says the chef ultimately did provide a video message to demonstrate his sincerity. (We have not seen this video and Ruchu says he is not showing it to anyone.)

Ruchu updated his Yelp review to mention both the Facebook messages and the apology, but apparently the owner was not thrilled with this update.

According to e-mails shown by Ruchu to Consumerist, the chef asked Ruchu to remove this update but leave the original 1-star review.

“I’m fine with the bad reviews that we have and don’t wish to edit any of them,” reads one e-mail about the possibility of removing the update.

But Ruchu says that the restaurant then began using his full name as a hashtag on its Instagram photos, which he believed was an attempt to publicly mock him.

So after a few weeks of this, that’s how the boycott page on Facebook, which has screengrabbed some of these mentions for posterity, came to be.

We’re still hoping to hear back from the restaurant, and will update this story if we get any additional info.

Amazon Takes $170 Million Loss On Fire Phone Flop

Fri, 2014-10-24 23:30

Despite Amazon advertising the device on every doorstep and dropping the price under a buck, the company’s Fire Phone, companion smartphone to its line of tablets and TV streaming devices, failed to catch on with the public. Maybe it was the AT&T exclusivity, or the fact that it runs a customized version of Google’s Android operating system, without access to Google’s app marketplace.

Heck, over in the United Kingdom, you don’t have to pay a nominal 99 pence to get the Fire phone: it’s free with a new contract on Amazon’s exclusive partner in that country, carrier O2. The phone accounted for $170 million of Amazon’s $437 million loss last quarter.

“There are a lot of reasons it failed, but the key is that Amazon provided no good reason for consumers to buy it,” one analyst explained to CNET. It did have some pretty nice headphones, but you can buy those separately. No phone needed. With no clear advantages or compelling reason to buy the device, consumers just aren’t interested. Maybe the Amazon pop-up stores will pique their interest…but probably not.

Amazon takes $170M charge on Fire Phone [CNET]

Apple Pay Lets Man Scan, Use Wife’s Citi Credit Card Without Additional Verification

Fri, 2014-10-24 23:08

Apple Pay allows you to easily scan cards into the Passbook app, but Citi is allowing some cards to be added without additional verification if they meet certain conditions.

One of the neat features of the new Apple Pay system is that it lets iPhone 6 users quickly scan and verify credit cards into their Passbook so they can use those accounts without ever providing participating businesses with their card numbers. But how easy is it to just scan in someone else’s card and start using it without that person’s permission?

That was the question posed by our Consumer Reports colleague Glenn Derene, who put Apple Pay’s easy scanning ability to the test, with surprising results.

After familiarizing himself with the scanning and verification process by uploading a couple of cards that actually belonged to him, Derene then attempted to add two of his CR co-workers’ cards (presumably with their knowledge).

“[A]t first it looked as if those cards were going to be approved,” he writes, but the attempt to scan other people’s cards hit a roadblock when the issuing banks requested additional verification via text message, e-mail, or over the phone.

This is the typical sort of two-factor authentication that most financial institutions employ for people logging onto their websites or mobile apps for the first time. Without being able to provide the requested security info, Derene was unable to add his colleagues’ cards to his Apple Pay.

But when he scanned in his wife’s Citibank MasterCard (with her knowledge but without any verification info that would give him access to her account), Derene says there were no additional steps required to authorize the card.

“That was unexpected, since it is my wife’s private card, and she has never authorized me as a user,” he explains. “Also, that card isn’t associated with our family iTunes account. In fact, I have no current financial relationship with Citibank at all.”

But that didn’t stop Derene from going on a wild spending spree with his wife’s card at McDonald’s, where he used Apple Pay to purchase five (5) cheeseburgers and fries; none of which he shared with his wife (or with any Consumerist staffers).

The spree continued at Walgreens, where he purchased cleaning supplies using Apple Pay.

“All the transactions were quick and seamless with the Apple Pay system,” writes Derene.

Just in case this was some sort of glitch, Derene convinced one of his married co-workers to see if he could use Apple Pay to get the same unfettered access to his wife’s Citi MasterCard.

“He was able to add her card to his account with no additional verification, and he bought several items using Apple Pay with her card,” writes Derene, adding that the co-worker’s wife did receive an e-mail from Citi welcoming her to Apple Pay and letting her know that she could remove the card from the system if she had concerns.

When contacted for comment on the ease of scanning and using their spouses’ cards, Apple pointed to the card-issuing banks, saying it is up to these institutions to decide how to authorize their customers’ cards for use on Apple Pay.

A rep for Citi shed a little light on the issue, saying that since Derene was able to provide all the relevant info from the card — number, expiration date, CVV code — and since the address on the family’s iTunes account is the same as the address for his wife’s card, the account was verified.

The rep also pointed out that, as part of the authorization process, Derene had agreed to the terms and conditions, certifying that the card was his.

Derene points out that easy access to a spouse’s credit card is nothing new, and that he could have just as easily added her card info to his Amazon account before going on a spending spree, all without an iPhone or Apple Pay.

But that doesn’t change the fact that the Apple Pay system of adding cards could be improved to prevent this sort of unauthorized access.

“Since the system already has the ability to do two-step verification, why didn’t the banks and Apple make it the only way to authorize a card for use?” asks Derene, who says it only takes a few seconds to legitimately verify a card.

“Sure, it’s not as convenient as simply pointing an iPhone camera at your credit card and instantly authorizing it for use,” he concludes, “but I know that my wife would have appreciated the extra verification step—and she also wishes I had brought her home at least one of those cheeseburgers she paid for.”

Costco Takes Unusual Stance That Retail Employees Should Have Thanksgiving Day Off

Fri, 2014-10-24 22:35



As the beginning of Black Friday and thus the holiday shopping season has crept backwards into the early hours of Thanksgiving, we at Consumerist have taken a cantankerous stance against these early openings. Even we can take heart, though: a few businesses have confirmed that they will not be opening on Thanksgiving Day, because they’d like employees to spend the holiday with their loved ones or something.

ThinkProgress, a progressive political site, also has an anti-Brown Thursday stance, and they’ve already started compiling a list of chain retailers that will be closing their doors during the holiday. It includes Dillard’s, Burlington [Coat Factory], REI, and American Girl. The latest addition is Costco, which also made a point of staying closed on Thanksgiving Day of last year, along with warehouse club competitor BJ’s.

Last year, retailers waited to announce their plans, even to their own employees, which threw many workers’ holiday plans into disarray. While experts have made predictions, most malls and stores haven’t announced their Thanksgiving plans yet.

Costco Will Be Closed On Thanksgiving Because Employees ‘Deserve The Opportunity’ To Be With Family [ThinkProgress]


Windows Update Breaking Counterfeit Computer Chips That Users Don’t Even Know They Own

Fri, 2014-10-24 22:28



Most of us have, at least once, had a Windows Update that made something work less well than it used to, instead of better. But it’s rare for a system software update to break part of your computer’s hardware entirely. And it’s even more rare for the update to break your computer on purpose. And yet with one particular kind of adapter chip, that’s exactly what’s happening.

As Ars Technica reports, the chips in question are in adapters that allow newer, USB-based hardware to connect with older machines that have serial ports. (Serial ports are the ones that use little pins that you have to line up on both ends, and they have gone rapidly out of use as other technology, like USB, has become widely adopted.)

Most of the chips are made by a Scottish company called FTDI. The FTDI chips are a widespread standard. But just like anything else on earth that gets to be a popular choice, knockoffs abound and can be hard to spot.

The company that makes an adapter may or may not know whether they put real or fake FTDI chips into it, but the customer on the end who buys and uses the adapter will have absolutely no way to tell. It would be like trying to inspect every hose inside of a washing machine before you buy it to be sure they came from the right factory before Whirlpool put them together. Realistically, end users can’t really do it.

The chips in these adapters need software system drivers to work in the same way that your printer needs the right system driver to work. The driver comes from FTDI but, as with most modern devices, Windows can grab and update the driver for you when you do a Windows Update.

In August, Ars Technica explains, FTDI — apparently sick and tired of all the counterfeit chips — changed their driver and the end-user license agreement for it. So the new driver deliberately scrambles knockoff chips, making them unusable.

The new EULA even says: “Use of the Software as a driver for, or installation of the Software onto, a component that is not a Genuine FTDI Component, including without limitation counterfeit components, MAY IRRETRIEVABLY DAMAGE THAT COMPONENT.”

In other words, updating the software on your adapter will completely brick your adapter if the chip inside it is fake. The chip that you have no way of tracing the provenance of. And because of the way that Windows Update can pull drivers down for you, you don’t have to go looking to update the driver on purpose. Your computer will helpfully do it for you.

End result? Run Windows Update, and suddenly discover some of your hardware is broken. And from the looks of it, very intentionally so.

As Public Knowledge points out, “The fact that disabling countless devices without warning can harm millions of innocent users and manufacturers should be a screaming sign that this is the wrong thing to do.” And not just “bad service” or “ethically questionable” wrong, either, but, if intentional, straight up illegal-wrong.

IP infringement does not give the infringed rights to destroy others’ property. Public Knowledge writes:
So whether or not FTDI has any trademark rights, copyrights, or other rights in whatever the knockoff chips are copying, the actual physical chips themselves are the property of their users, and FTDI doesn’t have the right to break them. A French vintner can’t stroll down the aisles of an American wine store with a hammer, shattering bottles of “California Champagne.” Roving gangs of Nike enforcers can’t rip fake Jordans off the feet of passing kids. And we don’t have Givenchy shock troops marching down Canal Street taking flamethrowers to fake handbags.

“If your IP rights are being infringed,” Public Knowledge concludes, “the proper course of action is to go to court, not take the law into your own hands.”

A Microsoft representative told Ars Technica that since the issue became widely reported, those two drivers have been removed from Windows Update. They added, “Our engineering team is engaging with FTDI to prevent these problems with their future driver updates via Windows Update.”

Windows Update drivers bricking USB serial chips beloved of hardware hackers [Ars Technica]
IP Rights Aren’t a License to Kill Devices (And No, Fine Print Doesn’t Make It OK) [Public Knowledge]

Kids Tasked With Dumping Alaska Village’s “Honey Buckets” Likely Psyched To Finally Get Indoor Plumbing

Fri, 2014-10-24 22:15

Line'em up, boys. (catastrophegirl)


Aren’t chores the worst, kids? Yes, sure, taking out the trash and emptying the dishwasher are both bummer gigs, but let’s all just thank our lucky stars that we were never in charge of dumping buckets of human waste at the town receptacle. To that end, kids in one Alaska village where many homes don’t have indoor plumbing are probably pretty pumped to hear that “honey bucket” duty is almost at an end.

Those dark and stinky days are almost over for children in a western Alaskan village, reports the Associated Press, as the more than 100 homes in the area will soon be getting indoor plumbing after an influx of cash from the U.S. Department of Agriculture.

The $12.5 million in funding for Alaska is part of $325 million in grants and loans going to rural communities nationwide, as part of an effort to bring the whole country up to date with the modern world.

“It’s really designed to make sure people live in communities and in areas that provide the basic protections and the guarantee of basic protections that we all, as Americans, ought to have,” Agriculture Secretary Tom Vilsack told the AP. “It’s an adequate supply of quality water. It’s the ability to treat sewage properly so that it doesn’t do harm or damage to the environment.”

The remote village of Akiachak will get $5 million in grant money for constructing sewer mains and other essential systems that will then be hooked up to the 100 houses in the community that still use something called the “Honey Bucket” system for waste. That’s not to mention having to go outside to chip away at ice in the winter and bringing it home to melt.

The system right now works as un-sweetly as its name: It’s usually up to the family’s children to haul away large buckets used as toilets and bring it to village receptacles for dumping. Those buckets can leak when overfull, said the chairman of the village tribal council, who lives in one of the homes without indoor plumbing.

He’s excited for the future, that’s for darn sure.

“It’s going to be real different,” he said. “The whole community will be really happy.”

Here’s where we cut to a shot of all the kids doing jumping high fives all over town.

Alaska village to get indoor plumbing as USDA gives $352M for rural water systems nationwide [Associated Press]

AT&T Says U-Verse False Alarm Came From Radio Station

Fri, 2014-10-24 21:55

This is not an alert message. It just looks like one. (KXAN-TV)


Earlier this morning, AT&T U-Verse subscribers woke up to an alarming, unexplained Emergency Alert Message on their screens. Now the company is trying to shed a bit of light on what exactly happened.

“A Federal Emergency Management Agency (FEMA) investigation indicates that a nationally syndicated radio show not affiliated with AT&T accidentally sent a message over the National Emergency Alert System,” reads a statement from AT&T. “This false message was carried on our network, as well as some other providers. We apologize to our customers.”

Evenflo Agrees To Recall 202,000 Rear-Facing Infant Car Seats Over Tricky Buckle

Fri, 2014-10-24 21:40

Earlier this year, both Graco and Evenflo recalled almost six million car seats, all told, due to a safety buckle that regulators said could be tricky to open in the case of an emergency, and hamper attempts to get kids out of the car safely. And now, despite pushing back against a recall for additional rear-facing infant seats that use the same buckle, but that the companies argued don’t pose the same risk, Evenflo says it’s agreed to recall 202,000 more car seats.

The latest spate of recalls is for the Embrace 35, which was “manufactured at various times from December 2011 through May 2014,” Evenflo says in a report (PDF) posted on the National Highway Traffic Safety Administration website.

The same buckle made by AmSafe Commercial Products was at the heart of this year’s earlier recalls for other models of Graco and Evenflo seats, after complaints that the daily wear and tear of messy kids gumming up the works made it difficult or impossible to get a child out in an emergency.

But both companies had resisted issuing recalls for rear-facing seats, reports the New York Times, saying that the part of the seat that holds the child could be detached from the base and taken out of the car that way, thus there was no “unreasonable risk” to children’s safety.

It seems Evenflo has changed its tune after the NHTSA continued to demand a recall of the rear-facing seats, saying it “acquiesced” to regulators on Oct. 14.

“Child seats serve one purpose: to keep our children safe from harm during a crash and its aftermath,” said Anthony Foxx, secretary of the Department of Transportation. “If the seat is defective, we will force a recall as we have done today.”

Affected model numbers include: 30711365, 31511040, 31511323, 31511400, 3151198, 3151953, 31521138, 46811205, 46811237, 48111200, 48111215, 48111215A, 48111218, 48111234, 48111235, 48111235A, 48111462, 48411391, 48411391D, 48411392, 48411504, 48411504D, 52911307A, 52921040, 55311138, 55311238 and 55311292.

Evenflo will notify registered owners and provide a remedy kit, including a replacement buckle and instructions for easy consumer removal of the AmSafe buckle and installation of the newly-designed replacement buckle. Owners may contact Evenflo’s toll-free number at 1-800-490-7591.

Evenflo Recalls 202,000 Child Safety Seats [New York Times]