Magic Bands Not As Secure As Advertised!

bb&h · Jan 26, 2015

My wife and I were at WDW over the weekend and not once, but twice at expensive sit down restaurants, the waitstaff overrode the pin function because of spotty wifi. I repeat, the pin function was overridden! This should not happen under any circumstances! If the wifi is spotty, fix it, don't make my information less secure!

We spoke to the manager at Brown Derby about this. I told him it was the programmer's lazy way out. If a program can be written to override the pin, a program can be written to take the pin offline and make them have to match in the back to complete the transaction.

The magicbands are advertised as convenient and secure, well, this weekend they were not. Disney, fix the wifi, or find another work around, you have no right no just decide to make my information lass secure.

Andrew C · Jan 26, 2015

bb&h said:
My wife and I were at WDW over the weekend and not once, but twice at expensive sit down restaurants, the waitstaff overrode the pin function because of spotty wifi. I repeat, the pin function was overridden! This should not happen under any circumstances! If the wifi is spotty, fix it, don't make my information less secure!

We spoke to the manager at Brown Derby about this. I told him it was the programmer's lazy way out. If a program can be written to override the pin, a program can be written to take the pin offline and make them have to match in the back to complete the transaction.

The magicbands are advertised as convenient and secure, well, this weekend they were not. Disney, fix the wifi, or find another work around, you have no right no just decide to make my information lass secure.

This is old news. But I appreciate the reminder and looking out.

RandomPrincess · Jan 26, 2015

bb&h said:
My wife and I were at WDW over the weekend and not once, but twice at expensive sit down restaurants, the waitstaff overrode the pin function because of spotty wifi. I repeat, the pin function was overridden! This should not happen under any circumstances! If the wifi is spotty, fix it, don't make my information less secure!

We spoke to the manager at Brown Derby about this. I told him it was the programmer's lazy way out. If a program can be written to override the pin, a program can be written to take the pin offline and make them have to match in the back to complete the transaction.

The magicbands are advertised as convenient and secure, well, this weekend they were not. Disney, fix the wifi, or find another work around, you have no right no just decide to make my information lass secure.

Did they ask for ID or something to verify who you were?

Tom · Jan 26, 2015

Someone posted a while back about this, and I didn't believe them. Now it's confirmed.

I agree, grossly unacceptable and insecure. It's the same as turning off the PIN on a debit card.

PhotoDave219 · Jan 26, 2015

bb&h said:
My wife and I were at WDW over the weekend and not once, but twice at expensive sit down restaurants, the waitstaff overrode the pin function because of spotty wifi. I repeat, the pin function was overridden! This should not happen under any circumstances! If the wifi is spotty, fix it, don't make my information less secure!

We spoke to the manager at Brown Derby about this. I told him it was the programmer's lazy way out. If a program can be written to override the pin, a program can be written to take the pin offline and make them have to match in the back to complete the transaction.

The magicbands are advertised as convenient and secure, well, this weekend they were not. Disney, fix the wifi, or find another work around, you have no right no just decide to make my information lass secure.

Thanks for the heads up.

SnarkyMonkey · Jan 26, 2015

Meh. I had no idea that they advertised them as secure. But then again, I don't use them for payment.

MagicHappens1971 · Jan 26, 2015

I don't think this will exploit the information due to the fact that hackers most likely couldn't access the information on the band anyway. This just overrides the systems function to get the card. Which couldn't most likely be done by any hacker unless they were holding one of the devices.

Bolt · Jan 26, 2015

I guess when I swipe my credit card at any store outside of Disney I have never been asked to show ID. Never really took them as Fort Knox type of security. You lose it - you report it.

lazyboy97o · Jan 26, 2015

JakeSpadaro said:
I don't think this will exploit the information due to the fact that hackers most likely couldn't access the information on the band anyway. This just overrides the systems function to get the card. Which couldn't most likely be done by any hacker unless they were holding one of the devices.

No, but someone could grab another person's MagicBand and go shopping.

MagicHappens1971 · Jan 26, 2015

lazyboy97o said:
No, but someone could grab another person's MagicBand and go shopping.

They don't bypass it in the stores.

MagicHappens1971 · Jan 26, 2015

Bolt said:
I guess when I swipe my credit card at any store outside of Disney I have never been asked to show ID. Never really took them as Fort Knox type of security. You lose it - you report it.

The only store I've ever been to that has asked for ID is the disney store.

dumboflyer · Jan 26, 2015

I was at WDW earlier this month with a group of 13--we always had at least 5-6 separate checks, and every meal at least two of our party had what the OP described happen. The server would try to scan a band, it would not work, they would walk away and come back, and then *poof*, no PIN needed. The server explained this with the very clever line "sometimes they don't need a PIN entered, and sometimes they do. We never know." Funny, since every server said the exact same thing... And we ate at Boma, Sanaa, Biergarten, Rose & Crown, Kona, and Ohana. Same thing from every server, vastly different geographic locations across WDW. Huh.

Honestly though, it's still so convenient that I don't care. And since it runs through my credit card, I'm only responsible for a max of $50 in fraudulent charges, which I'm sure I could convince WDW to pay if that happened.

flynnibus · Jan 26, 2015

Its no biggie because it goes on your house account anyways. youd contest the charge with disney

ImagineerDude · Jan 26, 2015

JakeSpadaro said:
The only store I've ever been to that has asked for ID is the disney store.

Me too! And at a Hard Rock Cafe gift shop, coincidentally on the same trip.

Rob562 · Jan 27, 2015

flynnibus said:
Its no biggie because it goes on your house account anyways. youd contest the charge with disney

This is the key point that I was about to chime in with. The system is as secure as Disney is willing to be with *their* money on the line. (I will explain)

When you scan your Band, you are *not* directly charging your credit card. The Band does not have your credit card info. Heck, the restaurant computer system does not have your credit card info. The only thing that happens when you purchase something by scanning your Band is that the restaurant system tells the Disney room charging system to put a charge of $xx.xx on your account.

That room charge account is essentially *Disney's* liability. When you open the account, Disney doesn't put a hold on your credit card. The only thing they do is see if the card is valid. So if someone were to open up a room charge account with a card with only $1 on it, anything charged to that account is then Disney's liability. Disney is saying that for each Value resort room, they're willing to put $500 worth of charges on the line before they make the person settle the bill. $1000 for Moderate, and so forth.

If there is an errant charge on your room account, all it takes are a few key strokes by a manager at the front desk and it's gone. That's the beauty of the room charge account from Disney's standpoint. Since everything is handled solely on an in-house account system, they don't pay the transaction fees for every charge that goes through, and errors are quickly taken care of. There's no reason to deal with crediting the credit card company. They just have to weigh what level of money they're willing to risk not getting to get lots of Guests to part with their money by using the room charge.

At no point is your personal info or credit card information "unsecure", at least from the standpoint of the Bands and room charging.

Yes, I'll admit that there's the possibility of an errant charge going through to your card on file if you don't look at your bill until your checkout day and they've already pushed all your charges through. In those instances you'd have to deal with the front desk and wait a day or two for the credit to go back on your credit card.

But that can be avoided by getting a copy of your bill every few days and checking it for errant charges. And something tells me that the folks on here who perceive the Disney room charge system as unsecure are probably doing that already...

-Rob

figment5002000 · Jan 27, 2015

Wouldn't it just be easier to not put a credit on file for your magic band. You don't have to have charging permisson on your magic band if your afarid some would could get it and charge things to your card. But then again it just as easier for scammer to get your credit card number by hacking the computer or send a virus or something.

Bolt · Jan 27, 2015

Also - up until 2 years ago, there was no pin associated with the Key to The World card.

SnarkyMonkey · Jan 27, 2015

Rob562 said:
When you scan your Band, you are *not* directly charging your credit card. The Band does not have your credit card info. Heck, the restaurant computer system does not have your credit card info. The only thing that happens when you purchase something by scanning your Band is that the restaurant system tells the Disney room charging system to put a charge of $xx.xx on your account.

Oh, I just assumed that the OP knew this. That's why I wasn't understanding why this was such a big deal.

figment5002000 said:
Wouldn't it just be easier to not put a credit on file for your magic band. You don't have to have charging permisson on your magic band if your afarid some would could get it and charge things to your card. But then again it just as easier for scammer to get your credit card number by hacking the computer or send a virus or something.

I also thought about this. I just assumed that anyone who was at all the type to worry about security would not use this option.

EdC · Jan 27, 2015

I think the ability to review your bill on the go should be a feature added to the 'My Disney Experience' app. Then again, if checking your balance is easy enough, perhaps people won't be letting go of their money as easily.

dreamfinder · Jan 27, 2015

Rob562 said:
This is the key point that I was about to chime in with. The system is as secure as Disney is willing to be with *their* money on the line. (I will explain)

And especially with something like food, they aren't losing all that much if the charges are contested. Contest a $200 meal charge? Not much different from a a manager choosing to comp the table because of bad service, terrible food, etc with the actual cost of the food being somewhat trivial. Contest a $200 merch purchase? They are potentially out $100-150 worth of merch that takes a bigger hit on their bottom line (as trivial as that $200 seems).

Magic Bands Not As Secure As Advertised!

bb&h

New Member

Andrew C

You know what's funny?

RandomPrincess

Keep Moving Forward

Tom

Beta Return

PhotoDave219

Well-Known Member

SnarkyMonkey

Well-Known Member

MagicHappens1971

Well-Known Member

Bolt

Well-Known Member

lazyboy97o

Well-Known Member

MagicHappens1971

Well-Known Member

MagicHappens1971

Well-Known Member

dumboflyer

Well-Known Member

flynnibus

ImagineerDude

Well-Known Member

Rob562

Well-Known Member

figment5002000

Member

Bolt

Well-Known Member

SnarkyMonkey

Well-Known Member

EdC

Well-Known Member

dreamfinder

Well-Known Member