Posts
Have a Carbonated Beverage and a Pleasant Facial Expression
"It shouldn't surprise you that a system that is designed to be manufactured as cheaply as possible is designed with no security constraints whatsoever." - Peter Neumann, as quoted on thinkexist.com
This is a quick design note. I was observing a process taking place during a break today, and it contained a couple of reminders about design. The issue is that we have the desire to go to a cashless system of paying for things. Noble, but problematic, because we are held hostage by physical constraints. The eventual goal is to eliminate the use of currency, but until the physical problems that attend swiping of cards are overcome, that won't work.
Of course, as normally happens with these types of things, one thought leads to another. The following are the two design reminders, followed by a chain of questions. If you develop any of these ideas into an actionable business plan, or a profitable invention, I'll need a T-shirt, and maybe a steak dinner or something of that sort (as well as due attribution and a spot on the patent form...).
Reminder #1 - If it's digital, yet has a physical component, then it's not purely digital, and the mechanical design points and weaknesses need to be addressed: I saw a student attempting to use his credit card to purchase a soda from a machine. It took him a couple of minutes to get the card to swipe. I don't know if the stripe was dirty, or the reader was dirty, but it was an interesting process to see him get it to work. At one point I thought he was just going to give up, but it finally worked after he cleaned it repeatedly, swiped it multiple times, and generally did the things one normally does when something that should work doesn't. I had $1.25 in quarters, and purchased a soda in 10 seconds. Thinking about that famous commercial promoting credit card use versus a check, I thought it especially humorous, but it did lead me to some questions.
Question #1 for the designers of that soda vending system: Why not include a keypad so that if the card won't swipe correctly the user can enter their card number and PIN? how much more does a swiper with a keypad cost, over time?
Question #2 for the designers of that soda vending system: Why is the quicktap method not already deployed? It's in the stores, and would get the machines set up to be usable far into the future. And, it would eliminate the scanning problem.
Question #1 for the credit card system designers: Why is there not an authentication scheme that uses a digitally-stored fingerprint as the PIN? The technology to read fingerprints exists widely, and (I'm thinking the scanning of fingerprints could be a service provided by all Visa-issuing banks to record fingerprints for users who are in a different area from their home banks). The payoff would then be nearly theft-proof cards that could be used if the swiper works, if it's entered via a keypad with PIN, if it's entered via keypad with a fingerprint, or if it's tapped.
Question #1 for the makers of soda machines: Why is there no optional machinery to use pennies? Smaller machines wouldn't have room, but I don't know how many times I've seen a student have enough to get something with pennies, but not with silver coins. This might not be really valid in a scenario of a machine inside a hotel, but for machines on a high school or college campus, there would be interest. Perhaps a joint venture with CoinStar?
Reminder #2 - If a cashless system is truly desired, there needs to be a web-based kiosk site: I was recently in a hotel with a business center. I used the system to print out some documents, and the system there was one where you receive a PIN, which you then enter when you are beside the printer and it prints out your document. Those systems have been around a while, but I had yet to use one, and so when I finally did, a new fusion hit me. Ordering something from your office could be a dual-click purchase (one-click is already owned by Amazon).
Question #3 for the designers of that soda vending system: Why not borrow a page out of the eBook phenomenon and allow people to register a credit card, then when they want to order up a soda they just do so online? They coudl even have a one-time use PIN sent to their cell phones, which they then enter on the pad when they're at the machine. The stock of the machine could easily be controlled remotely, and when one is purchased, the ones on hand could be decremented by one so that there is enough reserved to fulfill the outstanding purchases, all the make sure that they'd not get to the machine only to find their selection was not there.
Question #4 for the designers of that soda vending system: Expanding on the previous thought, why is it that the machine itself doesn't have its own cell number, and when someone receives a text message telling them their PIN, they could alternately go stand in front of the machine, then click a return link that would send the vend signal to the machine's number, and they'd not need to do anything other than click a single link?
Question #2 for the credit card system designers: Bridging off of the previous question, why not have a 'text for code' system where a card holder could text message a number, and a one-time use number could be sent to their phone that could then be used anywhere? A pre-set limit could be set up, and the number could be entered on the keypad at the cash register.
Question #1 for the makers of checkout scanners, a thought, really, inspired by the above, but not directly connected: Why is it not yet possible to have a smartphone display a bar code on the screen that was sent to it via a credit card's one-time use request system. The last scan of the grocery order would be the payment. No swiping, no validation code to enter, no ZIP code to enter, etc.
"It shouldn't surprise you that a system that is designed to be manufactured as cheaply as possible is designed with no security constraints whatsoever." - Peter Neumann, as quoted on thinkexist.com
This is a quick design note. I was observing a process taking place during a break today, and it contained a couple of reminders about design. The issue is that we have the desire to go to a cashless system of paying for things. Noble, but problematic, because we are held hostage by physical constraints. The eventual goal is to eliminate the use of currency, but until the physical problems that attend swiping of cards are overcome, that won't work.
Of course, as normally happens with these types of things, one thought leads to another. The following are the two design reminders, followed by a chain of questions. If you develop any of these ideas into an actionable business plan, or a profitable invention, I'll need a T-shirt, and maybe a steak dinner or something of that sort (as well as due attribution and a spot on the patent form...).
Reminder #1 - If it's digital, yet has a physical component, then it's not purely digital, and the mechanical design points and weaknesses need to be addressed: I saw a student attempting to use his credit card to purchase a soda from a machine. It took him a couple of minutes to get the card to swipe. I don't know if the stripe was dirty, or the reader was dirty, but it was an interesting process to see him get it to work. At one point I thought he was just going to give up, but it finally worked after he cleaned it repeatedly, swiped it multiple times, and generally did the things one normally does when something that should work doesn't. I had $1.25 in quarters, and purchased a soda in 10 seconds. Thinking about that famous commercial promoting credit card use versus a check, I thought it especially humorous, but it did lead me to some questions.
Question #1 for the designers of that soda vending system: Why not include a keypad so that if the card won't swipe correctly the user can enter their card number and PIN? how much more does a swiper with a keypad cost, over time?
Question #2 for the designers of that soda vending system: Why is the quicktap method not already deployed? It's in the stores, and would get the machines set up to be usable far into the future. And, it would eliminate the scanning problem.
Question #1 for the credit card system designers: Why is there not an authentication scheme that uses a digitally-stored fingerprint as the PIN? The technology to read fingerprints exists widely, and (I'm thinking the scanning of fingerprints could be a service provided by all Visa-issuing banks to record fingerprints for users who are in a different area from their home banks). The payoff would then be nearly theft-proof cards that could be used if the swiper works, if it's entered via a keypad with PIN, if it's entered via keypad with a fingerprint, or if it's tapped.
Question #1 for the makers of soda machines: Why is there no optional machinery to use pennies? Smaller machines wouldn't have room, but I don't know how many times I've seen a student have enough to get something with pennies, but not with silver coins. This might not be really valid in a scenario of a machine inside a hotel, but for machines on a high school or college campus, there would be interest. Perhaps a joint venture with CoinStar?
Reminder #2 - If a cashless system is truly desired, there needs to be a web-based kiosk site: I was recently in a hotel with a business center. I used the system to print out some documents, and the system there was one where you receive a PIN, which you then enter when you are beside the printer and it prints out your document. Those systems have been around a while, but I had yet to use one, and so when I finally did, a new fusion hit me. Ordering something from your office could be a dual-click purchase (one-click is already owned by Amazon).
Question #3 for the designers of that soda vending system: Why not borrow a page out of the eBook phenomenon and allow people to register a credit card, then when they want to order up a soda they just do so online? They coudl even have a one-time use PIN sent to their cell phones, which they then enter on the pad when they're at the machine. The stock of the machine could easily be controlled remotely, and when one is purchased, the ones on hand could be decremented by one so that there is enough reserved to fulfill the outstanding purchases, all the make sure that they'd not get to the machine only to find their selection was not there.
Question #4 for the designers of that soda vending system: Expanding on the previous thought, why is it that the machine itself doesn't have its own cell number, and when someone receives a text message telling them their PIN, they could alternately go stand in front of the machine, then click a return link that would send the vend signal to the machine's number, and they'd not need to do anything other than click a single link?
Question #2 for the credit card system designers: Bridging off of the previous question, why not have a 'text for code' system where a card holder could text message a number, and a one-time use number could be sent to their phone that could then be used anywhere? A pre-set limit could be set up, and the number could be entered on the keypad at the cash register.
Question #1 for the makers of checkout scanners, a thought, really, inspired by the above, but not directly connected: Why is it not yet possible to have a smartphone display a bar code on the screen that was sent to it via a credit card's one-time use request system. The last scan of the grocery order would be the payment. No swiping, no validation code to enter, no ZIP code to enter, etc.
