Christian Varga
https://christianvarga.com/

DCC is a straight-up scam
https://christianvarga.com/dcc-is-a-straight-up-scam/
Wed, 02 Oct 2024 10:37:48 +0000

The post DCC is a straight-up scam appeared first on Christian Varga.

Dynamic Currency Conversion (DCC) is when a foreign ATM or payment terminal gives you the option to pay in your card’s currency rather than the local currency. In doing so, the payment processor handles the currency conversion instead of your bank.

Travellers “in the know” are well aware you never, ever, under any circumstance, pay in your own currency, because the exchange rate is always abysmal. It’s estimated that Brits lose £1m every day due to DCC. You should always opt to pay in the local currency.

Many people claim DCC is not a scam because the customer is given an option. This is a myth and needs to be dispelled.

Firstly, the service provided by DCC is absolutely unnecessary. Most cards on the Visa/Mastercard network can pay in any currency. Cross-border payment is one of the main problems these networks set out to solve. And in the rare circumstance the card has some kind of currency restriction on it, you wouldn’t be relying on DCC; you just wouldn’t be using the card overseas.

Secondly, DCC leverages ignorance, deception, and urgency, which are all typical hallmarks of a scam. Ignorance, because many people don’t know the exchange rate offered by their bank or why the terminal is even giving them an option. Deception, because the commission is integrated into the rate instead of being displayed separately, and the UI design discourages users from selecting the local currency. And urgency, because the user only has a few seconds to select an option.

Here’s a PoS in Poland offering DCC on an Australian card. Notice the threat of “additional conversion fees may be applied by your card issuer”, making their rate appear favourable. My bank charged me $7.22 for this transaction, meaning it would have cost me an additional 9.6% if I selected AUD instead of PLN at the terminal.

There was an even worse one which I wasn’t able to capture. It showed a screen similar to above, and after selecting PLN, it showed a confirmation screen which said something to the effect of “Guaranteed exchange rate of 1 PLN = 0.4188 AUD. Do you accept? No / Yes”. This is extremely deceptive because you need to press No to pay in the local currency, but your instinct is to press Yes to confirm the option you previously selected. When you only have a few seconds to pick an option, your brain isn’t primed to interpret a negative confirmation.

A predatory process that tricks someone into purchasing a service they didn’t ask for, don’t need, provides no value, adds confusion, and costs up to 12% more than if the service simply wasn’t offered, easily falls into the definition of a scam. And I’d be willing to bet that no modern neobank/digital bank has ever offered a worse rate than DCC.

It doesn’t matter if the user is given an option. All scams involve deceiving someone into performing an action that isn’t in their best interests; that’s what differentiates scams from theft. No one calls pickpocketing a scam.

It blows my mind DCC is allowed to fly, especially in the EU. Someone needs to regulate the heck out of this ASAP.

iOS 18 Passwords – not a replacement for 1Password
https://christianvarga.com/ios-18-passwords-not-a-replacement-for-1password/
Thu, 26 Sep 2024 17:59:47 +0000

Passwords neither protects nor guarantees access to your passwords in a worst case scenario.

There’s been a lot of recent talk online about the iOS 18 Passwords app sherlocking 1Password. 

I’m not a 1Password employee/investor begging you to stay. I’m not going to make a list of all the 1Password features missing in Passwords.

I’m here to convince you that Passwords neither protects nor guarantees access to your passwords in a worst case scenario. Such as:

  1. Apple nukes your Apple Account for no reason (it happens)
  2. Your Apple Account is compromised (it happens)
  3. Your Apple Account is illegitimately recovered (it happens)
  4. You are mugged and forced to provide your passcode at gunpoint (it happens) and the thief remotely wipes all your devices to prevent you from applying iCloud lock to the phone

In any of these scenarios, you’re absolutely toast. Even if you can recover your Apple Account, those precious days/weeks without access to anything are crucial in preventing further damage. But account recovery is not guaranteed. And if the attacker wipes your passwords from iCloud, there’s no export, no history, no backup. Your passwords, and worse – TOTP codes, are gone forever.

I’m not a 1Password fanboy. I’ve been jaded since they replaced their beautiful fast native apps with slow buggy Electron. However, more than anything, I need my password manager to protect my passwords from unauthorised access while also never preventing me from accessing my passwords, especially in an emergency situation where I’m under attack. 

I have complete faith 1Password will never randomly close my account because a hallucinating AI flagged my account for no reason. I have complete faith 1Password will never allow someone without my recovery code or secret key to recover my account (as in, it’s literally impossible due to end-to-end encryption). And I have complete faith that if I can provide my recovery code or secret key + master password, I’ll be able to access my account without entering step-up purgatory. And if literally everything else fails, 1Password allows backup and export, which isn’t possible with Passwords (as of writing).

But I hear you say: what if someone forces you to provide your 1Password master password at gunpoint? What then?

This is not a scenario I’m concerned with. Street thieves may have room temperature IQ, but they’re smart enough to know you’ll remotely lock a stolen device as soon as you get home. They’ve clued on – so the reason they demand passcodes is because they want to beat you to the punch. If they lock you out of every other device you own then you can’t lock the phone before they sell it. They aren’t interested in taking over your digital identity. They aren’t interested in your 1Password master password.

But Stolen Device Protection helps, right? It may help this one specific scenario. However, it introduces a whole set of new problems. Specifically, if Face ID breaks from a drop or just stops working, you’re completely dead in the water if you have Always require additional security measures turned on or if Significant Locations flakes out (which it does for me constantly) as there’s no passcode/password fallback. Besides, Stolen Device Protection does nothing for the first three scenarios mentioned above.

Passwords is a step in the right direction but I won’t be migrating any time soon. 

Should you buy your National Express transfer through Ryanair?
https://christianvarga.com/should-you-buy-your-national-express-transfer-through-ryanair/
Fri, 01 Dec 2023 11:04:00 +0000

Booking an airport transfer through Ryanair is a convenient experience that may save you a decent chunk of money.

When booking a flight via Ryanair, they will attempt to upsell you with a seemingly endless array of things you probably don’t need. During this part of the process, I usually just spam the skip button until I get to checkout.

However, I recently noticed they were offering an airport transfer from Stansted for €12. Having booked a few National Express coaches before, this seemed decent value – sure enough the same ticket booked directly with National Express is £17 + £1.50 booking fee if you don’t have an account.

So I decided to give Ryanair a go. 2 hours after booking my flight, I received a QR code ticket from National Express.

This was a surprisingly pleasant experience – near half the price and more convenient than booking with National Express (all I had to do was tick a box).

Next time you’re booking a flight with Ryanair, have a quick look at the upsells – turns out some of them are actually decent!

Note: you can also book a transfer via Ryanair without a flight, but this seems to be the same price as booking direct with National Express. So the best prices are bundled with flights.

Ryanair – do I need to print THIS IS NOT A BOARDING CARD?
https://christianvarga.com/ryanair-do-i-need-to-print-this-is-not-a-boarding-card/
Fri, 13 Oct 2023 17:09:00 +0000

Do you need to print the "THIS IS NOT A BOARDING CARD" document, or can you get away without it? Here's my experience with Ryanair.

When Ryanair tells you to do something, you’d better do it. Notorious for zero-tolerance and lack of empathy, if you don’t follow their instructions to the letter, you’ll pay a penalty. It may seem unfair, but this is how they’re able to offer such low prices. Other airlines can be more forgiving, but you’ll pay in the form of more expensive base ticket prices. So it’s up to you to pick your poison, so to speak.

When flying Ryanair, every passenger on every flight must check-in online in advance to avoid a £30/£55 airport check-in fee. If you’re issued with a boarding pass after checking in, you have two options – you can either access it using the Ryanair app or print out a hard copy. If you can’t do either of these, you’ll have to pay a £20 boarding card re-issue fee at the airport. Also, if you’re flying from Turkey, Morocco, Israel, Lebanon, or Kefalonia, you must print your boarding pass as these countries / airports don’t accept mobile boarding passes.

However, not everyone is issued with a boarding pass after check-in. For example, non-EU citizens can only get a boarding pass at the airport. When checking in using the app, you’ll get a massive warning telling you that you must print the boarding pass after check-in. But here’s the problem, you don’t get a boarding pass – just a screen that says “This is not a mobile boarding pass. Please go to the ticket desk to print out your boarding pass.“, and there’s no ability to print anything.

If you log into the website, you’ll be greeted with the following message: “Passengers on this booking who are travelling with Non-EU ID documents will be required to print their boarding pass and present it at the ticket desk to have their documents checked and stamped upon arrival at the airport“. Unlike the app, you have the ability to download/print the “boarding pass”. However, on the document in massive bold writing is stated “THIS IS NOT A BOARDING CARD. Go to ticket desk for visa/document check & boarding card“.

So here’s the million dollar question. Do we, or do we not, need to print this “not a boarding card” document? We’re warned that we must print our boarding pass, but we don’t have a boarding pass – just a random document that isn’t a boarding pass.

I’ve spent quite a bit of time researching this. Here are some threads you can peruse yourself:

None of these threads answer definitively whether it’s safe to arrive at the airport without a printed copy of this document.

So I went ahead and tried it myself. First from Manchester to Wrocław, then back again. In both cases, I got away without having to print the THIS IS NOT A BOARDING CARD pdf, but I did have to open the Ryanair app to prove I checked in.

Combining this experience with others on the internet, I can find a few examples where people didn’t print this document and were OK, but I haven’t found an example where someone was forced to pay the £20 boarding card re-issue fee for not printing it. So you’ll probably be ok if you don’t print it, as long as you can prove you checked in on the Ryanair app. But if you have access to a printer, we’d recommend just printing it to avoid the anxiety.

Ryanair could really do with updating their website / app to explain this situation a bit better for the thousands of non-EU citizens who fly on their planes every day. Until then, the best we can do is learn from anecdotal experiences.

Headphones always connect to iPhone at 50% volume
https://christianvarga.com/headphones-always-connect-to-iphone-at-50-volume/
Mon, 27 Mar 2023 22:00:34 +0000

Every time I connect my Bose QC35 headphones to my iPhone, the volume is reset to 50% instead of remembering what it was last set to. This occurs because I have Reduce Loud Sounds turned on (under Settings -> Sounds & Haptics -> Headphone Safety). When Reduce Loud Sounds is turned on, the volume resets to 50% every time the headphones connect. With Reduce Loud Sounds turned off, the volume remains at whatever value it was last set to.

Unfortunately there’s no logical explanation for this irritating behaviour, and knowing Apple this probably won’t ever be fixed. Reduce Loud Sounds is a solution in search of a problem. Volume Limit was far simpler, worked better, and didn’t have annoying quirks like this.

How to add RSS auto-discovery to your WordPress site
https://christianvarga.com/how-to-add-rss-auto-discovery-to-your-wordpress-site/
Tue, 28 Feb 2023 23:13:48 +0000

If you want to add RSS auto-discovery to your WordPress site, you could manually add the link tags to your theme’s header.php file in-between the opening <head> and closing </head> tags:

<link
  rel="alternate"
  type="application/rss+xml"
  title="<?php bloginfo( 'name' ) ?> &raquo; Feed"
  href="<?php bloginfo( 'rss2_url' ) ?>"
/>
<link
  rel="alternate"
  type="application/rss+xml"
  title="<?php bloginfo( 'name' ) ?> &raquo; Comments Feed"
  href="<?php bloginfo( 'comments_rss2_url' ) ?>"
/>

Or if you can’t edit header.php, you could add a hook to your functions.php file which achieves the same effect:

add_action( 'wp_head', function () {
  ?>
  <link
    rel="alternate"
    type="application/rss+xml"
    title="<?php bloginfo( 'name' ) ?> &raquo; Feed"
    href="<?php bloginfo( 'rss2_url' ) ?>"
  />
  <link
    rel="alternate"
    type="application/rss+xml"
    title="<?php bloginfo( 'name' ) ?> &raquo; Comments Feed"
    href="<?php bloginfo( 'comments_rss2_url' ) ?>"
  />
  <?php
} );

However, there’s an even easier way. Instead of constructing the link tags manually, all you need to do is add one line of code to your theme’s functions.php file:

add_theme_support( 'automatic-feed-links' );

This will automatically construct & inject the link tags into your theme’s head. Perfect!

Unlock with Apple Watch breaks Unlock with iPhone
https://christianvarga.com/unlock-with-apple-watch-breaks-unlock-with-iphone/
Mon, 20 Feb 2023 21:34:33 +0000

For as long as I can remember I’ve had Unlock with iPhone enabled on my Apple Watch. This feature is great – simply wake your phone while looking at it and your watch will unlock. This is more convenient than entering the passcode on the watch.

In iOS 14, Apple released a new feature for iOS called Unlock with Apple Watch. This feature works the opposite way around – your watch can now unlock your iPhone when you’re wearing a face covering.

This comes with a weird caveat – when the Unlock with Apple Watch setting is enabled on your iPhone, the behaviour of the Unlock with iPhone setting on your watch is inexplicably altered. Instead of simply looking at your phone, you now need to swipe up and wait roughly 3 seconds for the invasive notification at the top of the screen to say Unlocked. If you lock your phone, interact with the notification, or swipe it away, your watch won’t unlock.

The notification when both Unlock with Apple Watch and Unlock with iPhone are enabled, courtesy of MacRumors

This new behaviour makes the feature slower and less reliable than entering the passcode on the watch. Personally, I found it so irritating that I just completely turned off Unlock with iPhone.

However, as mask mandates are slowly going away, the Unlock with Apple Watch iPhone setting is becoming less useful. If you no longer need your watch to unlock your phone, turning off Unlock with Apple Watch (under Settings -> Face ID & Passcode) on your iPhone allows you to restore the old Unlock with iPhone behaviour where you only need to glance at your phone to unlock your watch.

Unlock with Apple Watch can be found on your iPhone under Settings -> Face ID & Passcode
Unlock with iPhone can be found on your watch under Settings -> Passcode

At the time of writing, this works on iOS 16. I really hope future versions of iOS don’t make the Unlocking notification permanent.

Update: As of iOS 17, the behaviour has changed yet again. Now, even with Unlock with Apple Watch turned off, you’ll still get an Unlocked by this iPhone notification at the top of the screen when your watch is locked and you unlock your iPhone. However, thankfully, you can dismiss / swipe it away and the watch will still unlock.

Apple nerfed previous generation watches with watchOS 9
https://christianvarga.com/apple-nerfed-previous-generation-watches-with-watchos-9/
Mon, 30 Jan 2023 02:27:22 +0000

In watchOS 8 and below there’s a neat feature for Workout called Power Saving Mode. When enabled, the heart rate sensor (and cellular, if you have it) is disabled during walking/running workouts to conserve battery. This is extremely helpful for long walks or hikes (5+ hours), where continuous heart rate monitoring is a major source of battery drain.

In watchOS 9, Apple removed Power Saving Mode and replaced it with Low Power Mode. Low Power Mode can be enabled independently of Workout and disables most background tasks which makes it much more consistent with iOS. However, unlike Power Saving Mode, it doesn’t disable continuous heart rate monitoring during workouts.

To bring back the functionality of Power Saving Mode during workouts, you also need to enable Fewer GPS and Heart Rate Readings (under Settings -> Workout). This does what it says on the tin, and has advantages over Power Saving Mode as you still get some heart rate measurements instead of none.

While Low Power Mode is available on all watches running watchOS 9, Fewer GPS and Heart Rate Readings is only available on current generation watches (SE gen 2, Series 8, and Ultra). Older watches don’t get this feature. So after upgrading a Series 7 or below to watchOS 9, you lose the ability to kill the biggest source of battery drain during long workouts*. Of course, once you’ve figured this out, it’s too late. In typical Apple fashion you can’t downgrade watchOS; you can only avoid upgrading.

Apple removing features or only giving new features to new devices isn’t exactly news. However, I find this case particularly egregious because the feature wasn’t “removed”; it was replaced with a slightly modified version which is now only available on current generation watches. Also, this feature just collects data from a couple of sensors on an interval (opposed to continuously). The watch already does this at rest, why can’t it do the same during a workout? This isn’t a hardware limitation. Removing a power saving feature from old devices – the ones that need it the most – is a quintessential example of planned obsolescence in action.

* There is somewhat of a way to restore the old functionality: by manually disabling the heart rate sensor under Privacy settings before long workouts. This is pretty hacky, but the fact that Apple wants me to buy a new watch to restore functionality I previously had on my current watch gives me all the motivation I need to keep my Series 4 going as long as possible. Even if it means digging through settings to manually disable certain sensors before long hikes.

What’s going on with security at PayPal?
https://christianvarga.com/whats-going-on-with-security-at-paypal/
Sat, 27 Aug 2022 03:37:45 +0000

PayPal's one-time login codes are a security disaster. Your account is at severe risk; remove your data or close your account immediately.

I was minding my own business when I received an unexpected SMS from a random number: "PayPal: xxxxxx is your security code. Don't share your code". I receive plenty of scam/spam SMS on a daily basis, so I assumed this was just another phishing attempt and didn’t think much of it.

Later on, I took another look at the SMS. On closer inspection I realised that it doesn’t fit the profile for a phishing attack as there’s no link to follow and no action to take. So if it isn’t a phishing attack, could it be a legitimate SMS from PayPal? And if so, what’s going on – has my PayPal password been compromised?

After a bit of searching, it turns out the SMS is legit, but my password hasn’t been compromised.

Let’s back up for a second. PayPal contains a lot of Personally Identifiable Information (PII), is connected to my bank account, and contains detailed transaction history for purchases going back to the time I opened my account. With this in mind, I have both a complex password and TOTP to protect my account. These two measures should, in theory, keep my account super secure – even if someone managed to brute-force the unique random password on my account, they’d also need access to my authenticator app to complete the login. Forget these, because PayPal’s default* method of login is now passwordless with a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor; bypassing both password and TOTP. You cannot disable this method of login, and you cannot remove your phone number from your account.

To be clear, I’m not talking about 2FA over SMS, because that would still require your password. With PayPal’s new method of login, neither your password nor TOTP is required. You enter your email address or phone number, an SMS is sent to your phone, and this OTP alone grants full access to your account. It’s Single Factor Authentication over SMS with no way to opt out.

Incredibly, it gets worse. If a bad actor wanted to gain access to your account, they’d still need to know your phone number. PayPal helps them by partially revealing a significant portion of your phone number on the login screen after you’ve entered your email address.

Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent* and the phone number is partially revealed.

Remember Mat Honan, whose digital life was destroyed when his iCloud account was wiped in a targeted attack? In that attack, the hacker used social engineering to obtain a partial credit card number from an Amazon employee which Apple then accepted as verification of identity. With PayPal no such social engineering is required; instead revealing half your phone number to anyone who merely enters your email address on the login screen.

Of course, PayPal also allows users to log in by entering their phone number. Now armed with a partial, a bad actor needs only to enumerate the remaining digits to reveal your full phone number. It’s literally as if PayPal wants their users to get hacked.

It blows my mind that any information about an account is revealed before authentication. My personal opinion is that a login form shouldn’t even reveal the existence of an account until the user is authenticated.
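A login flow that reveals nothing before authentication, next to the leaky identifier step described above, as an added example (not code from this post or from PayPal). The account store, function names and response fields are hypothetical, the sample account is constructed, and rate limiting of each step is assumed to be handled elsewhere.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample account store (hypothetical schema).
_salt = secrets.token_bytes(16)
USERS = {
    "alice@example.com": {
        "salt": _salt,
        "pw_hash": hash_password("correct horse battery staple", _salt),
        "totp_secret": secrets.token_bytes(20),
        "phone": "+61 400 000 123",  # constructed number
    },
}

# Dummy credentials so an unknown email costs the same hashing work as a real one.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

PENDING = {}  # login token -> email that has passed the password step


def start_login_leaky(email: str) -> dict:
    """The behaviour the post criticises: the identifier alone discloses whether
    the account exists and part of its phone number, and triggers an SMS code."""
    user = USERS.get(email.lower())
    if user is None:
        return {"error": "No account found for that email."}
    return {"next": "sms_code", "sent_to": "*** *** *" + user["phone"][-3:]}


def start_login(email: str) -> dict:
    """Hardened identifier step: one fixed response, nothing sent, nothing revealed."""
    return {"next": "password"}


def submit_password(email: str, password: str) -> dict:
    user = USERS.get(email.lower())
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not matches:
        # Same message for "no such account" and "wrong password".
        return {"error": "Email or password is incorrect."}
    token = secrets.token_urlsafe(32)
    PENDING[token] = email.lower()
    return {"next": "totp", "login_token": token}


def submit_totp(login_token: str, code: str, now: Optional[float] = None) -> dict:
    email = PENDING.get(login_token)
    if email is None:
        return {"error": "Login expired, start again."}
    now = time.time() if now is None else now
    secret = USERS[email]["totp_secret"]
    # Accept the current and the previous 30-second step to tolerate clock drift.
    valid = any(
        hmac.compare_digest(totp(secret, now - drift).encode(), code.encode())
        for drift in (0, 30)
    )
    if not valid:
        return {"error": "Code is incorrect."}
    del PENDING[login_token]  # single use
    return {"authenticated": email}
```

The second factor is only requested after the password step succeeds, so neither factor can be skipped and nothing about the account is disclosed to someone who only knows the email address.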

What can you do about all of this? Remove as much PII from PayPal as possible. Remove your credit cards & bank accounts. Create a custom email address just for PayPal. See if you can somehow use a different phone number for PayPal. However, the absolute best thing to do is close your PayPal account. SMS is a public unencrypted medium and the recipient is not guaranteed to be the account owner. Using this as the sole factor for authentication is absolutely not sufficient to protect what is effectively a bank account.

* After writing this article, it has been noted that most users are defaulted into the password flow instead of the passwordless one-time SMS flow, so I may have been part of an A/B test. Regardless, even if you’re defaulted into the regular password + TOTP flow, you’ll still have the option to “Try another way” or “Log in with a one-off code” which will push you into the one-time SMS flow and bypass your password + TOTP.

How to hide Stack Overflow / GitHub clones from Google search results
https://christianvarga.com/how-to-hide-stack-overflow-github-clones-from-google-search-results/
Tue, 25 Jan 2022 00:02:07 +0000

Lately a lot of Stack Overflow / GitHub clones have been proliferating in Google’s search results with scraped content. In some cases these clones outrank the original source, wasting time and degrading the experience. Worst of all, Google — a company once known for the quality of its search results — couldn’t care less.

Google offers no way to natively block certain domains from appearing in search results. However, it’s possible to use a tool such as uBlock Origin (or any other ad blocker) to remove unwanted content from a page.

I’m maintaining a list of garbage domains and using it to filter Google and DuckDuckGo’s search results page. There are two ways to implement this list.

1. The automatic way

Follow these instructions and import my filter list. This filter list should be compatible with most other ad blockers if you don’t use uBlock Origin. I’ll keep this list up to date so if any new clones pop up, they’ll be removed just as quickly.

2. The manual way

Follow these instructions and manually copy the rules from my filter list. This list won’t be kept up-to-date, but you’ll have full control over the content.

If you notice any sites that aren’t included in this list, please post a comment below or make an issue on the GitHub repo.

The post How to hide Stack Overflow / GitHub clones from Google search results appeared first on Christian Varga.

]]>
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">
<channel>
<title>Christian Varga</title>
<atom:link href="https://christianvarga.com/feed/" rel="self" type="application/rss+xml"/>
<link>https://christianvarga.com/</link>
<description/>
<lastBuildDate>Wed, 02 Oct 2024 10:37:50 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod> hourly </sy:updatePeriod>
<sy:updateFrequency> 1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.6.2</generator>
<item>
<title>DCC is a straight-up scam</title>
<link>https://christianvarga.com/dcc-is-a-straight-up-scam/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Wed, 02 Oct 2024 10:37:48 +0000</pubDate>
<category>
<![CDATA[ Uncategorized ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=891</guid>
<description>
<![CDATA[ <p>Dynamic Currency Conversion (DCC) is when a foreign ATM or payment terminal gives you the option to pay in your card’s currency rather than the local currency. In doing so, the payment processor handles the currency conversion instead of your bank. Travellers “in the know” are well aware you never, ever, under any circumstance, pay [&#8230;]</p> <p>The post <a href="https://christianvarga.com/dcc-is-a-straight-up-scam/">DCC is a straight-up scam</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>Dynamic Currency Conversion (DCC) is when a foreign ATM or payment terminal gives you the option to pay in your card’s currency rather than the local currency. In doing so, the payment processor handles the currency conversion instead of your bank.</p> <p>Travellers “in the know” are well aware you never, ever, under any circumstance, pay in your own currency, because the exchange rate is <em>always</em> abysmal. <a href="https://www.independent.co.uk/travel/news-and-advice/dynamic-currency-conversion-fees-charges-dcc-british-holiday-scam-credit-card-a8493111.html" target="_blank" rel="noreferrer noopener nofollow">It’s estimated that Brits lose £1m every day due to DCC</a>. You should always opt to pay in the local currency.</p> <p>Many people claim DCC is not a scam because the customer is given an option. This is a myth and needs to be dispelled.</p> <p>Firstly, the service provided by DCC is absolutely unnecessary. Most cards on the Visa/Mastercard network can pay in any currency. Cross-border payments is one of the main problems these networks set out to solve. And in the rare circumstance the card has some kind of currency restriction on it, you wouldn’t be relying on DCC; you just wouldn’t be using the card overseas.</p> <p>Secondly, DCC leverages ignorance, deception, and urgency, which are all typical hallmarks of a scam. Ignorance, because many people don’t know the exchange rate offered by their bank or why the terminal is even giving them an option. Deception, because the commission is integrated into the rate instead of being displayed separately, and UI is design discourages users from selecting the local currency. And urgency, because the user only has a few seconds to select an option.</p> <p>Here&#8217;s a PoS in Poland offering DCC on an Australian card. Notice the threat of &#8220;additional conversion fees may be applied by your card issuer&#8221;, making their rate appear favourable. 
My bank charged me $7.22 for this transaction, meaning it would have cost me an additional 9.6% if I selected AUD instead of PLN at the terminal.</p> <div class="wp-block-image"> <figure class="aligncenter size-large is-resized"><img fetchpriority="high" decoding="async" width="1024" height="768" src="https://christianvarga.com/wp-content/uploads/2024/09/IMG_1102-1024x768.jpg" alt="" class="wp-image-897" style="width:485px;height:auto" srcset="https://christianvarga.com/wp-content/uploads/2024/09/IMG_1102-1024x768.jpg 1024w, https://christianvarga.com/wp-content/uploads/2024/09/IMG_1102-300x225.jpg 300w, https://christianvarga.com/wp-content/uploads/2024/09/IMG_1102-768x576.jpg 768w, https://christianvarga.com/wp-content/uploads/2024/09/IMG_1102-1536x1152.jpg 1536w, https://christianvarga.com/wp-content/uploads/2024/09/IMG_1102-2048x1536.jpg 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div> <p></p> <p>There was an even worse one which I wasn&#8217;t able to capture. It showed a screen similar to above, and after selecting PLN, it showed a confirmation screen which said something to the effect of &#8220;Guaranteed exchange rate of 1 PLN = 0.4188 AUD. Do you accept? No / Yes&#8221;. This is extremely deceptive because you need to press No to pay in the local currency, but your instinct is to press Yes to confirm the option you previously selected. When you only have a few seconds to pick an option, your brain isn&#8217;t primed to interpret a negative confirmation.</p> <p>A predatory process that tricks someone into purchasing a service they didn’t ask for, don’t need, provides no value, adds confusion, and costs <a href="https://www.beuc.eu/sites/default/files/publications/beuc-x-2017-131_currency_conversion_scam_factsheet.pdf" target="_blank" rel="noreferrer noopener nofollow">up to 12% more</a> than if the service simply wasn’t offered, easily falls into the definition of a scam. 
And I’d be willing to bet that no modern neobank/digital bank has ever offered a worse rate than DCC.</p> <p>It doesn&#8217;t matter if the user is given an option. All scams involve deceiving someone into performing an action that isn&#8217;t in their best interests; that&#8217;s what differentiates scams from theft. No one calls pickpocketing a scam.</p> <p>It blows my mind DCC is allowed to fly, especially in the EU. Someone needs to regulate the heck out of this ASAP.</p> <p>The post <a href="https://christianvarga.com/dcc-is-a-straight-up-scam/">DCC is a straight-up scam</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>iOS 18 Passwords – not a replacement for 1Password</title>
<link>https://christianvarga.com/ios-18-passwords-not-a-replacement-for-1password/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Thu, 26 Sep 2024 17:59:47 +0000</pubDate>
<category>
<![CDATA[ Uncategorized ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=882</guid>
<description>
<![CDATA[ <p>Passwords neither protects nor guarantees access to your passwords in a worst case scenario.</p> <p>The post <a href="https://christianvarga.com/ios-18-passwords-not-a-replacement-for-1password/">iOS 18 Passwords &#8211; not a replacement for 1Password</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>There’s been a lot of recent talk online about the iOS 18 Passwords app sherlocking 1Password.&nbsp;</p> <p>I’m not a 1Password employee/investor begging you to stay. I’m not going to make a list of all the 1Password features missing in Passwords.</p> <p>I’m here to convince you that Passwords neither protects nor guarantees access to your passwords in a worst case scenario. Such as:</p> <ol class="wp-block-list"> <li>Apple nukes your Apple Account for no reason (<a href="https://discussions.apple.com/thread/254938329" target="_blank" rel="noreferrer noopener nofollow">it happens</a>)</li> <li>Your Apple Account is compromised (<a href="https://discussions.apple.com/thread/253589196" target="_blank" rel="noreferrer noopener nofollow">it happens</a>)</li> <li>Your Apple Account is illegitimately recovered (<a href="https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/" target="_blank" rel="noreferrer noopener nofollow">it happens</a>)</li> <li>You are mugged and forced to provide your passcode at gunpoint (<a href="https://www.reddit.com/r/applehelp/comments/q5jjqp/friend_robbed_at_gunpoint_forced_to_handover/" target="_blank" rel="noreferrer noopener nofollow">it happens</a>) and the thief remotely wipes all your devices to prevent you from applying iCloud lock to the phone</li> </ol> <p>In any of these scenarios, you’re absolutely toast. Even if you can recover your Apple Account, those precious days/weeks without access to <em>anything</em> are crucial in preventing further damage. But account recovery is not guaranteed. And if the attacker wipes your passwords from iCloud, there’s no export, no history, no backup. Your passwords, and worse &#8211; TOTP codes, are gone forever.</p> <p>I’m not a 1Password fanboy. 
I’ve been jaded since they replaced their beautiful fast native apps with slow buggy Electron.&nbsp;However, more than anything, I need my password manager to protect my passwords from unauthorised access while also never preventing me from accessing my passwords, <em>especially</em> in an emergency situation where I’m under attack.&nbsp;</p> <p>I have complete faith 1Password will never randomly close my account because a hallucinating AI flagged my account for no reason. I have complete faith 1Password will never allow someone without my recovery code or secret key to recover my account (as in, it&#8217;s literally impossible due to end-to-end encryption). And I have complete faith that if I can provide my recovery code or secret key + master password, I’ll be able to access my account without entering step-up purgatory. And if literally everything else fails, 1Password allows backup and export, which isn’t possible with Passwords (as of writing).&nbsp;</p> <p>But I hear you say: what if someone forces you to provide your 1Password master password at gunpoint? What then?</p> <p>This is not a scenario I’m concerned with. Street thieves may have room temperature IQ, but they’re smart enough to know you’ll remotely lock a stolen device as soon as you get home. They’ve clued on &#8211; so the reason they demand passcodes is because they want to beat you to the punch. If they lock you out of every other device you own then you can’t lock the phone before they sell it. They aren’t interested in taking over your digital identity.&nbsp;They aren&#8217;t interested in your 1Password master password.</p> <p>But Stolen Device Protection helps, right? It may help this one specific scenario. However, it introduces a whole set of new problems. 
Specifically, if FaceID breaks from a drop or just stops working, you’re completely dead in the water if you have <a href="https://support.apple.com/en-us/120340">Always require additional security measures</a> turned on or if Significant Locations flakes out (which it does for me constantly) as there’s no passcode/password fallback. Besides, Stolen Device Protection does nothing for the first three scenarios mentioned above.&nbsp;</p> <p>Passwords is a step in the right direction but I won’t be migrating any time soon.&nbsp;</p> <p>The post <a href="https://christianvarga.com/ios-18-passwords-not-a-replacement-for-1password/">iOS 18 Passwords &#8211; not a replacement for 1Password</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>Should you buy your National Express transfer through Ryanair?</title>
<link>https://christianvarga.com/should-you-buy-your-national-express-transfer-through-ryanair/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Fri, 01 Dec 2023 11:04:00 +0000</pubDate>
<category>
<![CDATA[ Europe ]]>
</category>
<category>
<![CDATA[ Travel ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=872</guid>
<description>
<![CDATA[ <p>Booking an airport transfer through Ryanair is a convenient experience that may save you a decent chunk of money.</p> <p>The post <a href="https://christianvarga.com/should-you-buy-your-national-express-transfer-through-ryanair/">Should you buy your National Express transfer through Ryanair?</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>When booking a flight via Ryanair, they will attempt to upsell you with a seemingly endless array of things you probably don&#8217;t need. During this part of the process, I usually just spam the skip button until I get to checkout.</p> <p>However, I recently noticed they were offering an airport transfer from Stansted for €12. Having booked a few National Express coaches before, this seemed decent value &#8211; sure enough the same ticket booked directly with National Express is £17 + £1.50 booking fee if you don&#8217;t have an account.</p> <p>So I decided to give Ryanair a go. 2 hours after booking my flight, I received a QR code ticket from National Express.</p> <p>This was a surprisingly pleasant experience &#8211; near half the price and more convenient than booking with National Express (all I had to do was tick a box).</p> <p>Next time you&#8217;re booking a flight with Ryanair, have a quick look at the upsells &#8211; turns out some of them are actually decent!</p> <p>Note: you can also book a transfer via Ryanair without a flight, but this seems to be the same price as booking direct with National Express. So the best prices are bundled with flights. </p> <p>The post <a href="https://christianvarga.com/should-you-buy-your-national-express-transfer-through-ryanair/">Should you buy your National Express transfer through Ryanair?</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>Ryanair – do I need to print THIS IS NOT A BOARDING CARD?</title>
<link>https://christianvarga.com/ryanair-do-i-need-to-print-this-is-not-a-boarding-card/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Fri, 13 Oct 2023 17:09:00 +0000</pubDate>
<category>
<![CDATA[ Europe ]]>
</category>
<category>
<![CDATA[ Travel ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=870</guid>
<description>
<![CDATA[ <p>Do you need to print the "THIS IS NOT A BOARDING CARD" document, or can you get away without it? Here's my experience with Ryanair.</p> <p>The post <a href="https://christianvarga.com/ryanair-do-i-need-to-print-this-is-not-a-boarding-card/">Ryanair &#8211; do I need to print THIS IS NOT A BOARDING CARD?</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>When Ryanair tells you to do something, you&#8217;d better do it. Notorious for zero-tolerance and lack of empathy, if you don&#8217;t follow their instructions to the letter, you&#8217;ll pay a penalty. It may seem unfair, but this is how they&#8217;re able to offer such low prices. Other airlines can be more forgiving, but you&#8217;ll pay in the form of more expensive base ticket prices. So it&#8217;s up to you to pick your poison, so to speak.</p> <p>When flying Ryanair, every passenger on every flight <strong>must</strong> check-in online in advance to avoid a £30/£55 airport check-in fee. If you&#8217;re issued with a boarding pass after checking in, you have two options &#8211; you can either access it using the Ryanair app or print out a hard copy. If you can&#8217;t do either of these, you&#8217;ll have to pay a £20 boarding card re-issue fee at the airport. Also, if you&#8217;re flying from Turkey, Morocco, Israel, Lebanon, or Kefalonia, you must print your boarding pass as these countries / airports don&#8217;t accept mobile boarding passes.</p> <p>However, not everyone is issued with a boarding pass after check-in. For example, non-EU citizens can only get a boarding pass at the airport. When checking in using the app, you&#8217;ll get a massive warning telling you that you must print the boarding pass after check-in. But here&#8217;s the problem, you don&#8217;t get a boarding pass &#8211; just a screen that says &#8220;<em>This is not a mobile boarding pass. Please go to the ticket desk to print out your boarding pass.</em>&#8220;, and there&#8217;s no ability to print anything. </p> <p>If you log into the website, you&#8217;ll be greeted with the following message: &#8220;<em>Passengers on this booking who are travelling with Non-EU ID documents will be required to print their boarding pass and present it at the ticket desk to have their documents checked and stamped upon arrival at the airport</em>&#8220;. 
Unlike the app, you have the ability to download/print the &#8220;boarding pass&#8221;. However, on the document in massive bold writing is stated &#8220;<em>THIS IS NOT A BOARDING CARD. Go to ticket desk for visa/document check &amp; boarding card</em>&#8220;.</p> <p>So here&#8217;s the million dollar question. Do we, or do we not, need to print this &#8220;not a boarding card&#8221; document? We&#8217;re warned that we must print our boarding pass, but we don&#8217;t have a boarding pass &#8211; just a random document that isn&#8217;t a boarding pass.</p> <p>I&#8217;ve spent quite a bit of time researching this. Here are some threads you can peruse yourself:</p> <ul class="wp-block-list"> <li><a href="https://www.reddit.com/r/Flights/comments/sn77yv/ryanair_this_is_not_a_boarding_card" target="_blank" rel="noreferrer noopener nofollow">Ryanair &#8220;this is not a boarding card&#8221;</a></li> <li><a href="https://www.reddit.com/r/ryanairusers/comments/yd48lt/this_is_not_a_boarding_card/" target="_blank" rel="noreferrer noopener nofollow">“This is not a boarding card”</a></li> <li><a href="https://www.reddit.com/r/Flights/comments/vbrr7u/ryanair_app_not_allowing_me_to_print_boarding/" target="_blank" rel="noreferrer noopener nofollow">Ryanair App not allowing me to print boarding pass. Worried about fines.</a></li> <li><a href="https://www.tripadvisor.com/ShowTopic-g1-i10702-k9622233-What_happens_if_I_can_t_print_my_Ryanair_boarding_passes-Air_Travel.html" target="_blank" rel="noreferrer noopener nofollow">What happens if I can&#8217;t print my Ryanair boarding passes?</a></li> </ul> <p>None of these threads answer definitively whether it&#8217;s safe to arrive at the airport without a printed copy of this document.</p> <p>So I went ahead and tried it myself. First from Manchester to Wrocław, then back again. 
In both cases, I got away without having to print the THIS IS NOT A BOARDING CARD pdf, but I did have to open the Ryanair app to prove I checked in.</p> <p>Combining this experience with others on the internet, I can find a few examples where people didn&#8217;t print this document and were OK, but I haven&#8217;t found an example where someone was forced to pay the £20 boarding card re-issue fee for not printing it. So you&#8217;ll <em>probably</em> be ok if you don&#8217;t print it, as long as you can prove you checked in on the Ryanair app. But if you have access to a printer, we&#8217;d recommend just printing it to avoid the anxiety.</p> <p>Ryanair could really do with updating their website / app to explain this situation a bit better for the thousands of non-EU citizens who fly on their planes every day. Until then, the best we can do is learn from anecdotal experiences.</p> <p>The post <a href="https://christianvarga.com/ryanair-do-i-need-to-print-this-is-not-a-boarding-card/">Ryanair &#8211; do I need to print THIS IS NOT A BOARDING CARD?</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>Headphones always connect to iPhone at 50% volume</title>
<link>https://christianvarga.com/headphones-always-connect-to-iphone-at-50-volume/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Mon, 27 Mar 2023 22:00:34 +0000</pubDate>
<category>
<![CDATA[ iOS ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=848</guid>
<description>
<![CDATA[ <p>Every time I connect my Bose QC35 headphones to my iPhone, the volume is reset to 50% instead of remembering what it was last set to. This occurs because I have Reduce Loud Sounds turned on (under Settings -&#62; Sounds &#38; Haptics -&#62; Headphone Safety). When Reduce Loud Sounds is turned on, the volume resets [&#8230;]</p> <p>The post <a href="https://christianvarga.com/headphones-always-connect-to-iphone-at-50-volume/">Headphones always connect to iPhone at 50% volume</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>Every time I connect my Bose QC35 headphones to my iPhone, the volume is reset to 50% instead of remembering what it was last set to. This occurs because I have Reduce Loud Sounds turned on (under Settings -&gt; Sounds &amp; Haptics -&gt; Headphone Safety). When Reduce Loud Sounds is turned on, the volume resets to 50% every time the headphones connect. With Reduce Loud Sounds turned off, the volume remains at whatever value it was last set to.</p> <p>Unfortunately there&#8217;s no logical explanation for this irritating behaviour, and knowing Apple this probably won&#8217;t ever be fixed. Reduce Loud Sounds is a solution in search of a problem. Volume Limit was far simpler, worked better, and didn&#8217;t have annoying quirks like this.</p> <p>The post <a href="https://christianvarga.com/headphones-always-connect-to-iphone-at-50-volume/">Headphones always connect to iPhone at 50% volume</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>How to add RSS auto-discovery to your WordPress site</title>
<link>https://christianvarga.com/how-to-add-rss-auto-discovery-to-your-wordpress-site/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Tue, 28 Feb 2023 23:13:48 +0000</pubDate>
<category>
<![CDATA[ Wordpress ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=821</guid>
<description>
<![CDATA[ <p>If you want to add RSS auto-discovery to your WordPress site, you could manually add the link tags to your theme&#8217;s header.php file in-between the opening &#60;head&#62; and closing &#60;/head&#62; tags: Or if you can&#8217;t edit header.php, you could add a hook to your functions.php file which achieves the same effect: However, there&#8217;s an even [&#8230;]</p> <p>The post <a href="https://christianvarga.com/how-to-add-rss-auto-discovery-to-your-wordpress-site/">How to add RSS auto-discovery to your WordPress site</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>If you want to add RSS auto-discovery to your WordPress site, you <em>could</em> manually add the link tags to your theme&#8217;s <code>header.php</code> file in-between the opening <code>&lt;head&gt;</code> and closing <code>&lt;/head&gt;</code> tags:</p> <pre class="wp-block-code"><code>&lt;link rel="alternate" type="application/rss+xml" title="&lt;?php bloginfo( 'name' ) ?&gt; &amp;raquo; Feed" href="&lt;?php bloginfo( 'rss2_url' ) ?&gt;" /&gt;
&lt;link rel="alternate" type="application/rss+xml" title="&lt;?php bloginfo( 'name' ) ?&gt; &amp;raquo; Comments Feed" href="&lt;?php bloginfo( 'comments_rss2_url' ) ?&gt;" /&gt;</code></pre> <p>Or if you can&#8217;t edit <code>header.php</code>, you <em>could</em> add a hook to your <code>functions.php</code> file which achieves the same effect:</p> <pre class="wp-block-code"><code>add_action( 'wp_head', function () {
    ?&gt;
    &lt;link rel="alternate" type="application/rss+xml" title="&lt;?php bloginfo( 'name' ) ?&gt; &amp;raquo; Feed" href="&lt;?php bloginfo( 'rss2_url' ) ?&gt;" /&gt;
    &lt;link rel="alternate" type="application/rss+xml" title="&lt;?php bloginfo( 'name' ) ?&gt; &amp;raquo; Comments Feed" href="&lt;?php bloginfo( 'comments_rss2_url' ) ?&gt;" /&gt;
    &lt;?php
} );</code></pre> <p>However, there&#8217;s an even easier way. Instead of constructing the link tags manually, all you need to do is add one line of code to your theme&#8217;s <code>functions.php</code> file:</p> <pre class="wp-block-code"><code>add_theme_support( 'automatic-feed-links' );</code></pre> <p>This will automatically construct &amp; inject the link tags into your theme&#8217;s head. Perfect!</p> <p>The post <a href="https://christianvarga.com/how-to-add-rss-auto-discovery-to-your-wordpress-site/">How to add RSS auto-discovery to your WordPress site</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>Unlock with Apple Watch breaks Unlock with iPhone</title>
<link>https://christianvarga.com/unlock-with-apple-watch-breaks-unlock-with-iphone/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Mon, 20 Feb 2023 21:34:33 +0000</pubDate>
<category>
<![CDATA[ Uncategorized ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=818</guid>
<description>
<![CDATA[ <p>For as long as I can remember I&#8217;ve had Unlock with iPhone enabled on my Apple Watch. This feature is great &#8211; simply wake your phone while looking at it and your watch will unlock. This is more convenient than entering the passcode on the watch. In iOS 14, Apple released a new feature for [&#8230;]</p> <p>The post <a href="https://christianvarga.com/unlock-with-apple-watch-breaks-unlock-with-iphone/">Unlock with Apple Watch breaks Unlock with iPhone</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>For as long as I can remember I&#8217;ve had Unlock with iPhone enabled on my Apple Watch. This feature is great &#8211; simply wake your phone while looking at it and your watch will unlock. This is more convenient than entering the passcode on the watch.</p> <p>In iOS 14, Apple released a new feature for iOS called Unlock with Apple Watch. This feature works the opposite way around &#8211; your watch can now unlock your iPhone when you&#8217;re wearing a face covering. </p> <p>This comes with a weird caveat &#8211; when the Unlock with Apple Watch setting is enabled on your iPhone, the behaviour of the Unlock with iPhone setting on your watch is inexplicably altered. Instead of simply looking at your phone, you now need to swipe up and wait roughly 3 seconds for the invasive notification at the top of the screen to say Unlocked. If you lock your phone, interact with the notification, or swipe it away, your watch won&#8217;t unlock. </p> <div class="wp-block-image"> <figure class="aligncenter size-large is-resized"><a href="https://christianvarga.com/wp-content/uploads/2023/02/image.png"><img decoding="async" width="1024" height="324" src="https://christianvarga.com/wp-content/uploads/2023/02/image-1024x324.png" alt="" class="wp-image-819" style="width:512px;height:162px" srcset="https://christianvarga.com/wp-content/uploads/2023/02/image-1024x324.png 1024w, https://christianvarga.com/wp-content/uploads/2023/02/image-300x95.png 300w, https://christianvarga.com/wp-content/uploads/2023/02/image-768x243.png 768w, https://christianvarga.com/wp-content/uploads/2023/02/image-1536x486.png 1536w, https://christianvarga.com/wp-content/uploads/2023/02/image.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption">The notification when both Unlock with Apple Watch and Unlock with iPhone are enabled, courtesy of <a href="https://www.macrumors.com/how-to/iphone-not-unlocking-apple-watch-fix-problem/" target="_blank" 
rel="noreferrer noopener nofollow">MacRumors</a></figcaption></figure></div> <p>This new behaviour makes the feature slower and less reliable than entering the passcode on the watch. Personally, I found it so irritating that I just completely turned off Unlock with iPhone.</p> <p>However, as mask mandates are slowly going away, the Unlock with Apple Watch iPhone setting is becoming less useful. If you no longer need your watch to unlock your phone, turning off Unlock with Apple Watch (under Settings -&gt; Face ID &amp; Passcode) on your iPhone allows you to restore the old Unlock with iPhone behaviour where you only need to glance at your phone to unlock your watch.</p> <p>Unlock with Apple Watch can be found on your iPhone under Settings -&gt; Face ID &amp; Passcode<br>Unlock with iPhone can be found on your watch under Settings -&gt; Passcode</p> <p>At the time of writing, this works on iOS 16. I really hope future versions of iOS don&#8217;t make the Unlocking notification permanent. </p> <p>Update: As of iOS 17, the behaviour has changed yet again. Now, even with Unlock with Apple Watch turned off, you&#8217;ll still get an Unlocked by this iPhone notification at the top of the screen when your watch is locked and you unlock your iPhone. However, thankfully, you can dismiss / swipe it away and the watch will still unlock.</p> <p>The post <a href="https://christianvarga.com/unlock-with-apple-watch-breaks-unlock-with-iphone/">Unlock with Apple Watch breaks Unlock with iPhone</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>Apple nerfed previous generation watches with watchOS 9</title>
<link>https://christianvarga.com/apple-nerfed-previous-generation-watches-with-watchos-9/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Mon, 30 Jan 2023 02:27:22 +0000</pubDate>
<category>
<![CDATA[ Uncategorized ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=734</guid>
<description>
<![CDATA[ <p>In watchOS 8 and below there&#8217;s a neat feature for Workout called Power Saving Mode. When enabled, the heart rate sensor (and cellular, if you have it) is disabled during walking/running workouts to conserve battery. This is extremely helpful for long walks or hikes (5+ hours), where continuous heart rate monitoring is a major source [&#8230;]</p> <p>The post <a href="https://christianvarga.com/apple-nerfed-previous-generation-watches-with-watchos-9/">Apple nerfed previous generation watches with watchOS 9</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>In watchOS 8 and below there&#8217;s a neat feature for Workout called Power Saving Mode. When enabled, the heart rate sensor (and cellular, if you have it) is disabled during walking/running workouts to conserve battery. This is extremely helpful for long walks or hikes (5+ hours), where continuous heart rate monitoring is a major source of battery drain.</p> <p>In watchOS 9, Apple removed Power Saving Mode and replaced it with Low Power Mode. Low Power Mode can be enabled independently of Workout and disables most background tasks which makes it much more consistent with iOS. However, unlike Power Saving Mode, it doesn&#8217;t disable continuous heart rate monitoring during workouts.</p> <p>To bring back the functionality of Power Saving Mode during workouts, you also need to enable Fewer GPS and Heart Rate Readings (under Settings -&gt; Workout). This does what it says on the tin, and has advantages over Power Saving Mode as you still get some heart rate measurements instead of none.</p> <p>While Low Power Mode is available on all watches running watchOS 9, Fewer GPS and Heart Rate Readings is only available on current generation watches (SE gen 2, Series 8, and Ultra). Older watches don&#8217;t get this feature. So after upgrading a Series 7 or below to watchOS 9, you lose the ability to kill the biggest source of battery drain during long workouts*. Of course, once you&#8217;ve figured this out, it&#8217;s too late. In typical Apple fashion you can&#8217;t downgrade watchOS; you can only avoid upgrading. </p> <p>Apple removing features or only giving new features to new devices isn&#8217;t exactly news. However, I find this case particularly egregious because the feature wasn&#8217;t &#8220;removed&#8221;; it was replaced with a slightly modified version which is now only available on current generation watches. Also, this feature just collects data from a couple of sensors on an interval (as opposed to continuously). 
The watch already does this at rest, so why can&#8217;t it do the same during a workout? This isn&#8217;t a hardware limitation. Removing a power saving feature from old devices &#8211; the ones that need it the most &#8211; is a quintessential example of planned obsolescence in action. </p> <p>* There is somewhat of a way to restore the old functionality: by manually disabling the heart rate sensor under Privacy settings before long workouts. This is pretty hacky, but the fact that Apple wants me to buy a new watch to restore functionality I previously had on my current watch gives me all the motivation I need to keep my Series 4 going as long as possible. Even if it means digging through settings to manually disable certain sensors before long hikes.</p> <p>The post <a href="https://christianvarga.com/apple-nerfed-previous-generation-watches-with-watchos-9/">Apple nerfed previous generation watches with watchOS 9</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
<item>
<title>What’s going on with security at PayPal?</title>
<link>https://christianvarga.com/whats-going-on-with-security-at-paypal/</link>
<comments>https://christianvarga.com/whats-going-on-with-security-at-paypal/#comments</comments>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Sat, 27 Aug 2022 03:37:45 +0000</pubDate>
<category>
<![CDATA[ Uncategorized ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=695</guid>
<description>
<![CDATA[ <p>PayPal's one-time login codes are a security disaster. Your account is at severe risk; remove your data or close your account immediately.</p> <p>The post <a href="https://christianvarga.com/whats-going-on-with-security-at-paypal/">What&#8217;s going on with security at PayPal?</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>I was minding my own business when I received an unexpected SMS from a random number: <code>"PayPal: xxxxxx is your security code. Don't share your code"</code>. I receive plenty of scam/spam SMS on a daily basis, so I assumed this was just another phishing attempt and didn&#8217;t think much of it. </p> <p>Later on, I took another look at the SMS. On closer inspection I realised that it doesn&#8217;t fit the profile for a phishing attack as there&#8217;s no link to follow and no action to take. So if it isn&#8217;t a phishing attack, could it be a legitimate SMS from PayPal? And if so, what&#8217;s going on &#8211; has my PayPal password been compromised?</p> <p><a href="https://www.paypal-community.com/t5/Managing-Account/How-do-I-disable-one-time-codes/td-p/2835147" target="_blank" rel="noreferrer noopener nofollow">After a bit of searching</a>, it turns out the SMS is legit, but my password hasn&#8217;t been compromised.</p> <p>Let&#8217;s back up for a second. PayPal contains a lot of Personal Identifying Information (PII), is connected to my bank account, and contains detailed transaction history for purchases going back to the time I opened my account. With this in mind, I have both a complex password <strong>and</strong> <a href="https://www.paypal.com/uk/cshelp/article/what-is-2-step-verification-and-how-do-i-turn-it-on-or-off-help167" target="_blank" rel="noreferrer noopener nofollow">TOTP</a> to protect my account. These two measures should, in theory, keep my account super secure &#8211; even <em>if</em> someone managed to brute-force the unique random password on my account, they&#8217;d also need access to my authenticator app to complete the login. Forget these, because PayPal&#8217;s <em>default*</em> method of login is now passwordless with a one-time code sent via SMS. 
Yes, the very same medium that is <a href="https://commsrisk.com/elon-musk-says-twitter-lost-60mn-a-year-because-390-telcos-used-bot-accounts-to-pump-a2p-sms/" target="_blank" rel="noreferrer noopener nofollow">generally considered unsafe for two-factor authentication</a> is used by PayPal as the <strong>only</strong> factor, bypassing both password and TOTP. You cannot disable this method of login, and you cannot remove your phone number from your account.</p> <p>To be clear, I&#8217;m not talking about 2FA over SMS, because that would still require your password. With PayPal&#8217;s new method of login, neither your password nor TOTP is required. You enter your email address or phone number, an SMS is sent to your phone, and this OTP alone grants full access to your account. It&#8217;s Single Factor Authentication over SMS with no way to opt out.</p> <p>Incredibly, it gets worse. If a bad actor wanted to gain access to your account, they&#8217;d still need to know your phone number. PayPal helps them by partially revealing a significant portion of your phone number on the login screen after you&#8217;ve entered your email address.</p> <p>Tested in Incognito &#8211; as soon as you enter an email address to log into PayPal, an SMS is immediately sent* and the phone number is partially revealed. Remember <a href="https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/" target="_blank" rel="noreferrer noopener nofollow">Mat Honan</a>, whose digital life was destroyed when his iCloud account was wiped in a targeted attack? In that attack, the hacker used social engineering to obtain a partial credit card number from an Amazon employee, which Apple then accepted as verification of identity. With PayPal, no such social engineering is required; it instead reveals half your phone number to anyone who merely enters your email address on the login screen.</p> <p>Of course, PayPal also allows users to log in by entering their phone number. 
Now armed with a partial, a bad actor needs only to enumerate the remaining digits to reveal your full phone number. It&#8217;s literally as if PayPal wants their users to get hacked. </p> <p>It blows my mind that <em>any</em> information about an account is revealed before authentication. My personal opinion is that a login form shouldn&#8217;t even reveal the existence of an account until the user is authenticated. </p> <p>What can you do about all of this? Remove as much PII from PayPal as possible. Remove your credit cards &amp; bank accounts. Create a custom email address just for PayPal. See if you can somehow use a different phone number for PayPal. However, the absolute best thing to do is close your PayPal account. SMS is a public unencrypted medium and the recipient is not guaranteed to be the account owner. Using this as the sole factor for authentication is absolutely not sufficient to protect what is effectively a bank account.</p> <p>* After writing this article, it has been noted that most users are defaulted into the password flow instead of the passwordless one-time SMS flow, so I may have been part of an A/B test. Regardless, even if you&#8217;re defaulted into the regular password + TOTP flow, you&#8217;ll still have the option to &#8220;Try another way&#8221; or &#8220;Log in with a one-off code&#8221; which will push you into the one-time SMS flow and bypass your password + TOTP.</p> <p>The post <a href="https://christianvarga.com/whats-going-on-with-security-at-paypal/">What&#8217;s going on with security at PayPal?</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
<wfw:commentRss>https://christianvarga.com/whats-going-on-with-security-at-paypal/feed/</wfw:commentRss>
<slash:comments>1</slash:comments>
</item>
<item>
<title>How to hide Stack Overflow / GitHub clones from Google search results</title>
<link>https://christianvarga.com/how-to-hide-stack-overflow-github-clones-from-google-search-results/</link>
<dc:creator>
<![CDATA[ Christian Varga ]]>
</dc:creator>
<pubDate>Tue, 25 Jan 2022 00:02:07 +0000</pubDate>
<category>
<![CDATA[ Uncategorized ]]>
</category>
<guid isPermaLink="false">https://christianvarga.com/?p=682</guid>
<description>
<![CDATA[ <p>Lately a lot of Stack Overflow / GitHub clones have been proliferating Google&#8217;s search results with scraped content. In some cases these clones outrank the original source, wasting time and degrading the experience. Worst of all, Google — a company once known for the quality of its search results — couldn&#8217;t care less. Google offers [&#8230;]</p> <p>The post <a href="https://christianvarga.com/how-to-hide-stack-overflow-github-clones-from-google-search-results/">How to hide Stack Overflow / GitHub clones from Google search results</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</description>
<content:encoded>
<![CDATA[ <p>Lately a lot of Stack Overflow / GitHub clones have been proliferating Google&#8217;s search results with scraped content. In some cases these clones outrank the original source, wasting time and degrading the experience. Worst of all, Google — a company once known for the quality of its search results — couldn&#8217;t care less.</p> <p>Google offers no way to natively block certain domains from appearing in search results. However, it&#8217;s possible to use a tool such as uBlock Origin (or any other ad blocker) to remove unwanted content from a page.</p> <p>I&#8217;m maintaining a list of garbage domains and using it to filter Google and DuckDuckGo&#8217;s search results page. There are two ways to implement this list.</p> <p>&nbsp;</p> <h2 class="wp-block-heading" id="1-the-automatic-way">1. The automatic way</h2> <p>Follow <a href="https://github.com/gorhill/uBlock/wiki/Filter-lists-from-around-the-web" target="_blank" rel="noreferrer noopener">these instructions</a> and import <a href="https://raw.githubusercontent.com/levymetal/filter-lists/main/filters/stackoverflow-clones.txt" target="_blank" rel="noreferrer noopener nofollow">my filter list</a>. This filter list should be compatible with most other ad blockers if you don&#8217;t use uBlock Origin. I&#8217;ll keep this list up to date so if any new clones pop up, they&#8217;ll be removed just as quickly.</p> <p>&nbsp;</p> <h2 class="wp-block-heading" id="2-the-manual-way">2. The manual way</h2> <p>Follow <a href="https://github.com/gorhill/uBlock/wiki/Dashboard:-My-filters" target="_blank" rel="noreferrer noopener">these instructions</a> and manually copy the rules from <a href="https://raw.githubusercontent.com/levymetal/filter-lists/main/filters/stackoverflow-clones.txt" target="_blank" rel="noreferrer noopener nofollow">my filter list</a>. 
This list won&#8217;t be kept up-to-date, but you&#8217;ll have full control over the content.</p> <p>&nbsp;</p> <p>If you notice any sites that aren&#8217;t included in this list, please post a comment below or make an issue on the <a href="https://github.com/levymetal/filter-lists" target="_blank" rel="noreferrer noopener">GitHub repo</a>.</p> <p>The post <a href="https://christianvarga.com/how-to-hide-stack-overflow-github-clones-from-google-search-results/">How to hide Stack Overflow / GitHub clones from Google search results</a> appeared first on <a href="https://christianvarga.com/">Christian Varga</a>.</p> ]]>
</content:encoded>
</item>
</channel>
</rss>