MedallionClass app is a security nightmare.


CruiseMrB

Android App referenced here.

  1. Requests / requires waaay too many rights. Files, contacts, emails, camera, location. You name it, it wants it.
  2. You can log in using only your booking number without any password or PIN. That booking number is only 6 alphanumeric characters long and might be on your phone already in an email, SMS message, or text file.
  3. You can log in using a username and password, but that does not sync well with password managers (tried 2 of them.) So to log in, you shorten your password to something you can remember. Bad news.
  4. Once logged in, it stays logged in, with no further acknowledgement. And it stays logged in over power on / power off.

 

Here are the real problems:

  1. Once you are logged in once, the app wants / requires you to take pictures of your passport. If someone steals your phone, they can change everything, including your passport information. Huge ID theft issue for you, security threat for everyone else. The chain of custody of that information is toast. You can't trust that the person who is listed is actually the person who is travelling.
  2. Your credit card on-ship payment information is live. Anyone who gets your phone can start charging things.

 

So....What to do if this is now required?

  1. Install the app on your phone in your house.
  2. Fill in all the travel docs as required.
  3. Order Medallion through the app.
  4. If required to access documents for check-in, do so.
  5. Once in your room, and your medallion is confirmed to be working, remove the battery from your phone (if possible) and then put the phone in a safe place. BTW, don't assume the safe is "safe". There's a good chance that there is a known default master code for that safe model or that Princess has a master code that is more known than you would like.

If you want to keep your phone on your person, have it lock up after 5 or 10 seconds (no more than 15), and have it require either biometric (face or finger) or PIN to unlock. Yeah, it's a pain. But there is waaaaaayyyyyy too much information swimming around in the MedallionClass app.

 

 

 

Edited by CruiseMrB
  • Like 4
  • Thanks 1
  • Haha 3
Link to comment

I agree.  Used Apple Pay once and had my credit card information unknowingly scanned off my phone at the airport!    Might be worth placing the phone in a foil pouch to protect it from that type of activity.

 

I find this very unnerving.....

  • Like 5
Link to comment

6 minutes ago, beaglesandducks said:

These are excellent points. All the information we are required by Princess to input to this app could be hacked somewhere along the way. Now I have another headache incoming.

Well, it does seem to be the season for hacks, data breaches, ransomware, possible Cloud bursts.

  • Like 1
Link to comment

13 hours ago, CruiseMrB said:

Android App referenced here.

  1. Requests / requires waaay too many rights. Files, contacts, emails, camera, location. You name it, it wants it.
  2. You can log in using only your booking number without any password or PIN. That booking number is only 6 alphanumeric characters long and might be on your phone already in an email, SMS message, or text file.

 

For certain uses, such as having others set up to dine with you, you have to enter in other people's booking number.

 

So not only can your booking be compromised and b\to mischievous activity if someone gets a hold of your phone, so can other people's if you entered their info.

  • Like 1
Link to comment

19 hours ago, CruiseMrB said:

The chain of custody of that information is toast. You can't trust that the person who is listed is actually the person who is travelling.

 

 

That will only change when Princess is burned by the wrong person embarking.

 

Like a last minute unauthorized substitution, or something.

 

  • Like 1
Link to comment

14 minutes ago, Ride-The-Waves said:

Simple solution: Don't use the app.  Corporate apps are designed to do only one thing: get your information for sales and marketing.  Anytime you use an app you give up privacy.  

Becoming close to, if not already, an absolute requirement for passage and booking. Location tracking is going to be a thing. The phone is an easy way to do it.

 

Personally, I'm going with the medallion hardware and not hooking my credit card to it (if possible.) I buy very little on the ship, and those things that I do buy, I'll use cash or physical credit card.

 

Before loading the app on my phone for testing (my cruise is over 150 days away), I was thinking about using the app on an old burner phone that I have in a drawer. But the app has my passport picture and no security to speak of, so using a burner doesn't get me far.

 

  • Like 1
  • Haha 1
Link to comment

1 hour ago, CruiseMrB said:

Becoming close to, if not already, an absolute requirement for passage and booking. Location tracking is going to be a thing. The phone is an easy way to do it.

 

Personally, I'm going with the medallion hardware and not hooking my credit card to it (if possible.) I buy very little on the ship, and those things that I do buy, I'll use cash or physical credit card.

 

Before loading the app on my phone for testing (my cruise is over 150 days away), I was thinking about using the app on an old burner phone that I have in a drawer. But the app has my passport picture and no security to speak of, so using a burner doesn't get me far.

 

Don’t you have to provide a credit card prior to check in?

 

  • Like 2
Link to comment

I understand your concerns and I think most of us have them also, but Princess is going to require the app use for their ease. When is our government going to start holding companies criminally liable for data breaches? Companies have no responsibility after data breaches other than paying for credit monitoring. We all know that is worthless until after the crime is committed. When will cell phone companies use RFI technology to stop criminals from having the ability to scan your phone within close proximity? Can't they use the same technology as wallets? For now, all we can do is utilize the Biometrics and security built into the phones in case you lose it. Protect your phone while traveling as much as your passport.

  • Like 1
Link to comment

1 hour ago, CruiseMrB said:

 

Personally, I'm going with the medallion hardware and not hooking my credit card to it (if possible.) I buy very little on the ship, and those things that I do buy, I'll use cash or physical credit card.

 

It's been my experience that cash (except for tips) and  physical credit cards are not accepted for onboard purchases.  You must use your cruise card or medallion...

  • Like 6
  • Thanks 2
Link to comment

These threads are so long so I will post here. I looked up my current booking in Personalizer. At the very top of the page there is a "Luggage Tags & travel summary" button; under that, a "Help" button which takes me to frequently asked questions. The link "Before your cruise" explains printing boarding passes & luggage tags from Personalizer after paid in full 75 days before cruise, or the Medallion app to make check-in faster.

Worth reading.

And of course, things can change.

 

Edited by dog
Link to comment

Hold on there Nerkbuck, I'm not going to ask the government to do something I can do for myself. When my credit card was used for unauthorized purchases I was notified immediately. The only ones to lose out on the action were Foot Locker and Kohls. I had a new card by 5 pm the next day.

Link to comment

c-boy: Take the coordinates out of your location signature. It returns a street address. You could fudge them up a bit to something that's close, but public. Like a park or government building.

 

My guess is that the address is not completely accurate (but could be). Even if it's not accurate in being YOUR address, it's completely evil and unfair to the party whose address is returned.

 

Yeah, I'm paranoid about information floating around. 30 years as a sysadmin. Hence my location.

 

 

Edited by CruiseMrB
  • Like 1
Link to comment

2 hours ago, Ride-The-Waves said:

Simple solution: Don't use the app.  Corporate apps are designed to do only one thing: get your information for sales and marketing.  Anytime you use an app you give up privacy.  

Simpler solution---don't have a smartphone.

  • Like 3
Link to comment

59 minutes ago, Av8tor said:

It's been my experience that cash (except for tips) and  physical credit cards are not accepted for onboard purchases.  You must use your cruise card or medallion...

You are absolutely correct. No cruise line accepts any form of payment onboard other than your personal cruise card, or for Princess, the medallion.

  • Like 2
Link to comment

10 minutes ago, Lady Arwen said:

You are absolutely correct. No cruise line accepts any form of payment onboard other than your personal cruise card, or for Princess, the medallion.

Or now, your phone as a replacement for the physical medallion.

  • Like 1
Link to comment