I've used ATMs where you slide your card (and retain possession of the card through the transaction). They always prompt at the end whether you'd like to make another transaction and if you say "yes" they require you to slide your card a second time. I haven't seen one that didn't work this way for at least a couple decades, so I'm surprised they missed this when adding tap functionality.
Not only a UI issue. Users apparently also did not do the elementary step of hiding the PIN they entered. This is only mentioned at the end of the article:
> Chase did not say why multiple withdrawals did not trigger a fraud alert, or why the bank did not review surveillance video -- but each transaction requires entering a PIN -- which the thieves had apparently captured. So always, cover the keypad, and log out before you walk away.
"So customers tap their card instead -- and here's the trick. When you tap, the account remains open for more transactions, unless the customer proactively logs out."
How can a customer log out in these circumstances?
I wonder if this is a US thing, because contactless payments are different around the world. In Japan they have higher limits, but are still limited, whereas in the UK it's lower limits than Japan.
It indicates a number of things, the trust and oversight within the financial system, but also a reflection of the society in general.
Never leave an ATM without getting a receipt. Never leave a gas station without getting a receipt. That is the one thing that means that your session is terminated.
> To her shock, Bongiorno saw three more withdrawals from her account -- $940 was gone.
What does a receipt prove? That you have a document for one withdrawal, and most people could be forgiven for assuming a withdrawal is a single transaction.
The ATM operator could see if subsequent transactions took place, but Chase probably can't, unless it forcibly introduces a time limit of 5 to 10 mins on each withdrawal from the same machine. In part this is a data sharing contract with ATM operators.
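As an added illustration (not from the thread), here is a constructed ATM event log and a rule that flags what the comment above suggests: a repeat withdrawal inside one tapped session, and any withdrawal after a 5-minute session limit with no logout. It assumes the issuer receives tap-in and logout events from the ATM operator, which is exactly the data-sharing point the comment raises.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real data): timestamp, ATM id, card id, event, amount.
SAMPLE_LOG = """\
2022-03-01T10:00:00 ATM-17 card-A tap_in 0
2022-03-01T10:01:00 ATM-17 card-A withdrawal 100
2022-03-01T10:01:30 ATM-17 card-A logout 0
2022-03-01T12:00:00 ATM-17 card-B tap_in 0
2022-03-01T12:01:00 ATM-17 card-B withdrawal 200
2022-03-01T12:04:00 ATM-17 card-B withdrawal 300
2022-03-01T12:15:00 ATM-17 card-B withdrawal 400
2022-03-01T12:16:00 ATM-17 card-B withdrawal 240
"""

SESSION_TIMEOUT = timedelta(minutes=5)  # assumed per-session limit, per the comment's 5-10 min idea


def parse_log(text):
    """Turn the whitespace-separated log lines into (datetime, atm, card, kind, amount) tuples."""
    events = []
    for line in text.splitlines():
        ts, atm, card, kind, amount = line.split()
        events.append((datetime.fromisoformat(ts), atm, card, kind, int(amount)))
    return events


def find_suspicious(events, timeout=SESSION_TIMEOUT):
    """Return (card, timestamp, reason) for withdrawals the issuer should alert on:
    more than one withdrawal per tapped session, or a withdrawal after the session
    should have expired because the customer never logged out."""
    sessions = {}  # (atm, card) -> {"opened": ts, "withdrawals": count}
    alerts = []
    for ts, atm, card, kind, _amount in sorted(events):
        key = (atm, card)
        if kind == "tap_in":
            sessions[key] = {"opened": ts, "withdrawals": 0}
        elif kind == "logout":
            sessions.pop(key, None)  # explicit logout closes the session
        elif kind == "withdrawal":
            session = sessions.get(key)
            if session is None:
                alerts.append((card, ts, "withdrawal with no open session"))
                continue
            session["withdrawals"] += 1
            if ts - session["opened"] > timeout:
                alerts.append((card, ts, f"session past {timeout.total_seconds() / 60:.0f}-minute limit"))
            elif session["withdrawals"] > 1:
                alerts.append((card, ts, "repeat withdrawal in same session"))
    return alerts
```

On the sample log, card-A (tap, withdraw, logout) produces nothing, while card-B's three follow-on withdrawals each produce an alert.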
This is where mobile phones, in particular SS7, can be used to place your mobile phone and Apple Watch next to the ATM in order to prevent fraud, but it then also highlights who is data sharing with whom, especially if your phone doesn't log the cell tower traffic management pinball wizard in order to triangulate the phone's location.
Phones don't log that info. Cell towers do. There is no way to have a cellular phone and not be triangulable. Not with a cell network with fully overlapped coverage areas.
I've seen Render.com pop up a lot lately on HN. I even have a pinned tab for the migration from Heroku to Render. I have some work stuff on both Heroku and EC2 (GPU instances) and a lot of side projects between both. That said, I have a few questions if you don't mind.
First, is there anything you think that Heroku is still better at than Render is today? Not including things that might come later, but if I had to use today's stack.
I see some locations/regions but would like to know more about where the datacenters are, and how close to AWS networks they are.
What tuning options do I have for Postgres and Redis?
I really like the pipelines feature in Heroku. Being able to automatically deploy to a staging environment from main and then be able to promote that exact slug to production is pretty cool. I’ve yet to find a tool that has replicated that experience or something like it without getting in the weeds with Docker.
As far as I know it’s not possible to have separate environments where you’re guaranteed a bit-for-bit match going from staging to production in Render. You have to build for each environment, which if your builds are deterministic should be fine, but I’ve definitely seen that go haywire where you find out your build is in fact not deterministic in some subtle way.
> More recently, all Git-based deployments (which is to say, virtually all deployments) to Heroku were blocked and review apps were halted for all users as a result of a GitHub OAuth token leak.
It should read "all GitHub-based deployments". You can still deploy with `git push heroku main`.
It caught my eye too, but for a different reason, this bit doesn't seem right:
> which is to say, virtually all deployments
My understanding is if deploying with `git push heroku main`, that application's GitHub repository was not viewable by hackers (but those apps deployed through 'Heroku GitHub Deploys' were). (please tell me if my understanding is incorrect).
I think most Heroku users would deploy with `git push heroku main`, although that's purely a hunch.
Unrelated, but I'd add one more thing to the article, which is that Heroku docs aren't easy to give feedback on. I'd love for the docs to be on GitHub so shortcomings or inaccuracies can quickly be addressed. Currently, to point out a correction to the docs, you'd have to write a support ticket and 100% chance that support ticket isn't going beyond the person who received it, so nothing will get actioned.
My story’s similar to @dnilasor’s sibling comment except with a little twist. I’m a Dev Advocate at Render now but used to be a Dev Advocate at Heroku.
I’m very excited about the potential future of Render.
I'm currently on Heroku (want to get off it!), and the main thing that's keeping me from trying out Render is the lack of point-in-time recovery for Postgres. Having had to use it once on Heroku, it's an absolute life saver, and I would be nervous of not having it. Does Render have any plans to implement a Postgres WAL point-in-time recovery/restore feature?
Thanks, done and done. As I said over on my comment at the above link, it is one of those features that if you have ever had to use it you can't live without it. I hope I would never have to use it but need it to be there just in case we screw up!
One of the things I have loved about Heroku is that once you have an account and have the CLI installed, you can create and deploy apps entirely through the CLI. You don't ever have to visit the Heroku dashboard during the initial deployment process.
Is this possible at all on Render? I haven't gone through the process on Render yet, but it looks like it requires a visit to the site at some point for each project that you want to deploy.
Thanks for sharing your experience, Raja. It's great to read a more personal experience about someone using Render rather than just seeing a number go up on one of our internal dashboards.
Had you ever used a platform like Render (or Heroku, Fly, Railway, etc) or only VPSs?