Congress concerned over MagicBand security issues..

[disneyfan55]

It is not on the band itself.

Then how does it work for charging, has to be there somewhere.

 

[mesaboy2]

Then how does it work for charging, has to be there somewhere.

It connects to Disney's servers, using a unique identifier on the band. All your data is on the servers, which makes the band worthless by itself.

 

[doconeill]

Some of this I don't understand -- I'm no RFID expert.

Unless they get the pin, as you say, 1) is a no-go.

How can a skimmer do these items 2)-5)? Assume they skim the unique ID from the band -- practically speaking, how do they find out my room number, my FP+ reservations, or use this to enter the park as me?

Wouldn't they need to be able to transfer that ID# to a new band for 2)-5), and access Disney's database for 4)?

Sent from my iPhone using DISBoards

Well, they'd need to do that for 1) as well. They need to transfer it to a band or card.

They themselves don't need to access Disney's database. They just need to use the device. Which is why I said they'd have to get REALLY lucky to find your room without stalking you to begin with.

They could access your FP+ information, and potentially ADRs, etc. at a kiosk - not entirely sure what will be available at a kiosk, unless they PIN-protect that as well.

I read on the WDW blog that charging could be made using the wristband. That would lead me to think the credit card info has to be there somewhere? To be honest, I don't provide WDW with my credit card info on the room key card. I keep my credit cards in protected sleeves and use remove only when using. Too many have had issue with the RFID in the credit cards being stolen with readers. I just don't see the need for all the RFID radiation either.

They'd do it the same way the KTTW cards work. The KTTW cards do not have credit card info either. The credit card is associated with your room. the KTTW card/RFID device simply has a code. When you charge something, you are charging it to your room - the POS terminal only verifies that the charge is allowed with the resort computers. The resort computers will in turn charge your credit card later.

For guests not at a resort, and if in fact they do end up allowing them charging privileges, it would likely be done similarly - set up an account with Disney with a credit card attached, and the RFID device would link to that account. The charges would be done to the credit card via the central computer.

As for RFID radiation - the cards themselves emit absolutely nothing unless within the field of a reader - and the reader itself emits more energy than the RFID device, and it's still not much. So unless you are standing next to the reader for some time, you aren't getting much. I suspect you'd have to stand there for days on end to have any effect

 

[dawnball]

Tracking MAC addresses only works if you have Wi-Fi on all the time. I turn it off quite a bit...it saved on the battery when it won't be able to or I don't want it to connect to any random hotspot. And truthfully I should know this but I don't know offhand if a client device beacons it's search for a hotspot, or it sits passively waiting for the SSID broadcast...regardless, it will let them know they are in the store - that's about it. Wi-Fi does not give location info.

Retailers already get most all they need based on your purchases. Don't need to track you in the store for that.

If that were true, then retailers wouldn't be tracking you. It's relatively trivial to put your purchases (if they're on a credit card, or associated with a discount card) with your MAC address. The match isn't perfect, but it lets them see how often people come in, how long they stay, etc. What sales get people in the door, but don't produce sales...

And yes - it only works if you have wifi on, and mine is off except when I'm intentionally connecting. Cell phones (in particular, this isn't true of all wifi devices) will broadcast for wifi networks they've seen before if wifi is on, which does broadcast your MAC address, even if you don't connect. That's how you connect to non-broadcasting networks.

And I seriously doubt any retailers in the Pacific Northwest are going to invest in compatible tracking technology on the very slight chance someone has been to Disney and continues to wear their MagicBand while in their shops, AND that the battery still works...

Like I said initially, I have my doubts that magicband would take off to that degree, merely that if it did - it's been demonstrated that tracking customer presence/visits is valuable to retailers, and the equipment to collect the data isn't prohibitively expensive.

I'm not personally concerned about magicband, for myself or my kid, but "Oh, no one would ever track random RFID information" doesn't play a part in my lack of concern.

 

[doconeill]

If that were true, then retailers wouldn't be tracking you.

I'd need more information before I believe they are. And they don't have a way to track my purchases with the mac either. So their benefit of knowing a particular phone was in the store for X minutes is of limited use.

 

[SpacePlace]

I'm actually quite glad they did this. I am guessing we'll never see the response that Disney sends to Congress, however. I'd like to know all the answers to these questions myself.

We should be able to see it as it should be public knowledge. Since the letter has been made public, I would guess that any response would be sent through the same channel.

 

[doconeill]

We should be able to see it as it should be public knowledge. Since the letter has been made public, I would guess that any response would be sent through the same channel.

The response is already very public..

 

[SpacePlace]

Oh not this again. It is cheaper, easier, and more lucrative to skim credit card numbers. No one is going to steal your Magic Band RFID.

Unless it's Mr. Slugworth who wants to take it back to his factory and learn how to make it too. Remember, every Disney guest gets one band, and one is enough for anyone!

 

[dadddio]

But as I said, it would be difficult to opt out completely and still be able to take advantage of things. You need to provide at least a minimal amount of information to use MDE - I'm not sure the minimum but at least an email address and as we are led to understand a ticket. Not yet sure what else would be required in order to make FP+ reservations, etc.

If you are opting out of MyMagic+ (of which MDE is a defined part) because you don't want to provide ANY personal information, I don't see how you could participate.

And even in-park, they say they are asking for an email address at a minimum to participate in FP+.

So it isn't clear what you have access to if you opt-out completely. It's clear that you won't have a single device to access it though, which was fairly obvious.

I don't understand. Why is giving them an email address a big deal? You can create a 'burner' email in about a minute. Heck, I keep a separate email address live just to give to companies rather than give out my regular email address.

 

[dadddio]

You'd think so - but stores are already tracking people by their cell phones (specifically by the mac address used when you scan for open wifi). If Disney RFID bracelets became that popular (which I don't see happening), then stores will start snooping that too.

The payoff is uncertain, but retail establishments have demonstrated that they see significant value in tracking shopper data.

Those stores would then apparently know that a Disney bracelet was in their store and where it went. That wouldn't know anything about you or your personal information.

 

[dadddio]

Yes I agree. I don't like all that info on an RFID.

All what information?

Once again, the only information n the magic band is a number that identifies the magic band. Any guest information resides in Disney's internal computer system, not on the band.

 

[dadddio]

Hmm...while scanning Deadline for bits of news for one of my other web sites, I came across this very interesting quote attributed to Iger last week:

Now, this is VERY interesting, because we know by the specs of the band that they are not GPS, and according to the attachments in Iger's letter, it is not GPS based. But it seems that he is in fact thinking in that direction - and I wonder if THAT had a lot to do with what transpired.

Alternatively, he may have been misquoted.

It should also be noted that when you are referencing an article like this, it's helpful if you cite your source. Thanks.

 

[dadddio]

I'm only on page 21 for reading, so forgive me if this has already been asked/answered.

When Disney says they don't market to children, is that a Disney child (9 and under)? So anyone over 10 would still be marketed to?

His letter gave the age of 13.

 

[dadddio]

Thanks. So any "child" over 13 is fair game. That doesn't sit well with me.

The government set that age, not Disney.

 

[dadddio]

It amazes me how progressives like Markey are so concerned about Disney collecting data all the while Obamacare and now these new potential gun laws will be collecting and amassing more data on you then Disney ever will. You better be more worried about the tens of thousand of new IRS agents and your doctor.

Lets not introduce political hot topics to this thread. It will just get it shut down and points assessed.

 

[dadddio]

Nice...they can yell at duffers electronically because they aren't playing fast enough

Can they make DGPS devices small enough yet? I thought they were somewhat larger.

I still don't see them using it in a restaurant...I don't think the servers are doing geocache hunting..."Nope, 4 feet further west...oops, sorry sir, didn't mean to trip over you..."

In a more appropriate thread, I'll. tell the stories of the geocaches that used to be in WDW and DL.

 

[meowmarie]

Unless it's Mr. Slugworth who wants to take it back to his factory and learn how to make it too. Remember, every Disney guest gets one band, and one is enough for anyone!

 

[Disney_Princess83]

While they have said the Magic Band wont be a GPS, in someways this is actually inaccurate. They won't be able to type in your Magic Band Serial number and locate where you are. However if they put readers throughout the park, they will be able to track your movements. Everytime you walk past a scanner, it reads your band and places you there. If they put these at every shop entrance/exit, they would know you walked in to the Emporium at 1:47pm and walked out at 2:12pm. If they had a reader at the register, even if you paid cash, they would be able to match you with your purchase.

In some ways a GPS is better because, in general, they're not 100% accurate. They can't pinpoint you to the exact place you are. However the chips readers could place you precisely.

 

[doconeill]

I don't understand. Why is giving them an email address a big deal? You can create a 'burner' email in about a minute. Heck, I keep a separate email address live just to give to companies rather than give out my regular email address.

I didn't say it was a big deal myself. It is, however, a personal bit of information that falls under some rules, and some people don't have the ability to just whip out an address in about a minute - or know that they can - whenever asked for an email address.

Alternatively, he may have been misquoted.

It should also be noted that when you are referencing an article like this, it's helpful if you cite your source. Thanks.

I did say it was from Deadline. I forget why I couldn't post the link before, but here is a link:

http://www.deadline.com/2013/01/disney-video-game-violence-measures-bob-iger/

 

[Granny square]

While they have said the Magic Band wont be a GPS, in someways this is actually inaccurate. They won't be able to type in your Magic Band Serial number and locate where you are. However if they put readers throughout the park, they will be able to track your movements. Everytime you walk past a scanner, it reads your band and places you there. If they put these at every shop entrance/exit, they would know you walked in to the Emporium at 1:47pm and walked out at 2:12pm. If they had a reader at the register, even if you paid cash, they would be able to match you with your purchase.

In some ways a GPS is better because, in general, they're not 100% accurate. They can't pinpoint you to the exact place you are. However the chips readers could place you precisely.

And the issue of knowing where their customers are and what they are purchasing is what? If you walk into my sister's shop she personally watches and knows her customers and their practices.