
MedallionClass app is a security nightmare.


CruiseMrB

I hesitate to point out this app is the least of your problems if someone snags your phone and can get in. Click on settings and the thief can go to every site, every credit card, bank account etc you have or ever have had complete with logins and passwords. You guys are worried about the wrong things..... Surely NO ONE swipes their real credit card for onboard purchases, but instead uses a low limit card to register and settles their account with their real card (with cashback privileges). And I can't IMAGINE anyone using Apple/Android Pay without doing the same.....

 


23 minutes ago, TNTLAMB said:

I hesitate to point out this app is the least of your problems if someone snags your phone and can get in. Click on settings and the thief can go to every site, every credit card, bank account etc you have or ever have had complete with logins and passwords. You guys are worried about the wrong things..... Surely NO ONE swipes their real credit card for onboard purchases, but instead uses a low limit card to register and settles their account with their real card (with cashback privileges). And I can't IMAGINE anyone using Apple/Android Pay without doing the same.....

 

But I don't use my smart phone for anything other than phone calls - no personal information is stored on it and I don't have any intention of ever using it for that purpose either.

I was under the impression that the Medallion app on a phone was optional and a key card was still available.  I don't care if they need to track me on the ship because of covid, but not interested in tying anything on to my phone.

 

Edited by mek

3 minutes ago, mek said:

But I don't use my smart phone for anything other than phone calls - no personal information is stored on it and I don't have any intention of ever using it for that purpose either.

I was under the impression that Medallion app on a phone was optional and a key card was still available.  I don't care if they need to track me on the ship because of covid, but not interested in tying anything on to my phone.

 

You may not, but that doesn't mean your stuff isn't all on there unless you have sync turned off. Both Apple and Android sync your accounts so your history is available including passwords.....

On Android, click on Settings, click Passwords and see what's listed. IF they are there you can delete them.

 


4 minutes ago, TNTLAMB said:

You may not, but that doesn't mean your stuff isn't all on there unless you have sync turned off. Both Apple and Android sync your accounts so your history is available including passwords.....

On Android, click on Settings, click Passwords and see what's listed. IF they are there you can delete them.

 

Syncs my accounts with what?  


2 minutes ago, mek said:

Syncs my accounts with what?  

If it's Android or Apple, your sign-up for either is the same on the phone.  Unless you turn off the sync the history carries forward to all your devices. Even if the sync is turned off a thief can turn it on and access it all. That's assuming you have a data package or even something as innocuous as Google Maps.

 


28 minutes ago, TNTLAMB said:

If it's Android or Apple, your sign-up for either is the same on the phone.  Unless you turn off the sync the history carries forward to all your devices. Even if the sync is turned off a thief can turn it on and access it all. That's assuming you have a data package or even something as innocuous as Google Maps.

 

Sorry, but I simply don't understand - I have an iPhone and use a Mac, but I don't store any passcodes or account information on either - so where is this information coming from?

I don't do on-line banking either.


1 hour ago, mek said:

Sorry, but I simply don't understand - I have an iPhone and use a Mac, but I don't store any passcodes or account information on either - so where is this information coming from?

I don't do on-line banking either.

 

You can use an email address that is only used for registering the phone with Apple or Google depending on which type of phone it is.


2 hours ago, mek said:

But I don't use my smart phone for anything other than phone calls - no personal information is stored on it and I don't have any intention of ever using it for that purpose either.

If this is true - and I believe you - I fail to see why bother owning a smartphone?


3 hours ago, c-boy said:

MrB,  I take it you're not a big fan of the show To Catch A Smuggler

And besides, even if that is your coordinates, it is a large development/residence and without additional info, it really only locates you in SW Tulsa.


On 6/10/2021 at 10:18 AM, CruiseMrB said:

Android App referenced here.

  1. Requests / requires waaay too many rights. Files, contacts, emails, camera, location. You name it, it wants it.
  2. You can login using only your booking number without any password or PIN. That booking number is only 6 alphanumeric characters long and might be on your phone already in an email, sms message, or text file.
  3. You can login using a username and password, but that does not sync well with password managers (tried 2 of them.) So to login, you shorten your password to something you can remember. Bad news.
  4. Once logged in, it stays logged in, with no further acknowledgement. And it stays logged in over power on / power off.

 

Here are the real problems:

  1. Once you are logged in once, the app wants / requires you to take pictures of your passport. If someone steals your phone, they can change everything, including your passport information. Huge ID theft issue for you, security threat for everyone else. The chain of custody of that information is toast. You can't trust that the person who is listed is actually the person who is travelling.
  2. Your credit card on-ship payment information is live. Anyone who gets your phone can start charging things.

 

So....What to do if this is now required?

  1. Install the app on your phone in your house.
  2. Fill in all the travel docs as required.
  3. Order Medallion through the app.
  4. If required to access documents for check-in, do so. 
  5. Once in your room, and your medallion is confirmed to be working, remove the battery from your phone (if possible) and then put the phone in a safe place. BTW, don't assume the safe is "safe". There's a good chance that there is a known default master code for that safe model or that Princess has a master code that is more known than you would like.

If you want to keep your phone on your person, have it lock up after 5 or 10 seconds (no more than 15), and have it require either biometric (face or finger) or PIN to unlock. Yeah, it's a pain. But there is waaaaaayyyyyy too much information swimming around in the MedallionClass app.

 

 

 

 

 

It definitely seems like the app is a huge security risk. I suspect that Princess does not have a computer security team. (The web site has a bunch of security problems as well.)

I suspect that the app violates computer security and privacy regulations in a number of jurisdictions. I wait for the egg to appear on some executive's face at Princess.


5 hours ago, Nerkbuck said:

 Protect your phone while traveling as much as your passport.

 

Which on a cruise ship means Princess has it in their custody or I have locked it in my cabin safe unless a port requires me to carry it ashore.


5 hours ago, Av8tor said:

It's been my experience that cash (except for tips) and  physical credit cards are not accepted for onboard purchases.  You must use your cruise card or medallion...

 

Credit cards are accepted at the onboard boutiques.


5 hours ago, dog said:

These threads are so long so I will post here. I looked up my current booking in Personalizer; at the very top of page there is: Luggage Tags & travel summary button, under that a Help button which takes me to frequently asked questions.

link— before your cruise— explains printing boarding passes & luggage tags from Personalizer after paid in full 75 days before cruise or medall app to make check in faster.

worth reading

and of course. Things can change

 

One of the threads has a screen shot that shows a Personalizer saying that boarding passes will be available on the app with no indication they will be still available via the Personalizer.


3 hours ago, mek said:

But I don't use my smart phone for anything other than phone calls - no personal information is stored on it and I don't have any intention of ever using it for that purpose either.

 

 

 

Looks like a simple flip phone would do what you want without the expense of purchasing a smart phone.


1 hour ago, caribill said:

One of the threads has a screen shot that shows a Personalizer saying that boarding passes will be available on the app with no indication they will be still available via the Personalizer.

Time will tell.  


On 6/10/2021 at 1:51 PM, Condocat said:

I agree.  Used Apple Pay once and had my credit card information unknowingly scanned off my phone at the airport!    Might be worth placing the phone in a foil pouch to protect it from that type of activity.

 

I find this very unnerving.....

 

This isn’t possible.  Apple Pay generates a unique number every time you use it and only is usable once, therefore if the transaction at the merchant went through no one else could have used that information but the merchant.  Someone would have had to literally place a device next to your phone after you authenticated in Apple Pay for the purchase, to intercept the valid number, in which case the merchant's transaction would not have gone through and you would have had to re-do the payment.  There is no known way for someone to have “scanned” your card off of your iPhone and used it.  More than likely it was compromised in some other way.


4 hours ago, memoak said:

I have never seen anything accepted for payment on board except for your cruise card

Next time you are on Princess, look near the door to a boutique. There will be (as you see at onshore businesses) a sign on a window with the cards accepted. Besides MC, Visa, AX, Diners, it will also show the Princess Visa and, in the past, a cruise card.


41 minutes ago, caribill said:

Next time you are on Princess, look near the door to a boutique. There will be (as you see at onshore businesses) a sign on a window with the cards accepted. Besides MC, Visa, AX, Diners, it will also show the Princess Visa and, in the past, a cruise card.

 

[Attached photo: Credit cards accepted in ship's boutiques]


10 hours ago, Steelers0854 said:

 

This isn’t possible.  Apple Pay generates a unique number every time you use it and only is usable once, therefore if the transaction at the merchant went through no one else could have used that information but the merchant.  Someone would have had to literally place a device next to your phone after you authenticated in Apple Pay for the purchase, to intercept the valid number, in which case the merchant's transaction would not have gone through and you would have had to re-do the payment.  There is no known way for someone to have “scanned” your card off of your iPhone and used it.  More than likely it was compromised in some other way.

My phone was in my back pocket of my jeans and it was scanned!   It occurred while not in use.  That is the scary part.

 

Learned my lesson...my wallet now has RFID blocking so this will not happen again.  I also have a handbag I use when I travel that is also RFID blocking.   Basically, it's foil that blocks the radio waves.
