Credit cards are vulnerable to brute force kind attacks

(metin.nextc.org)

222 points | by kodbraker 14 hours ago

185 comments

  • julienchastang 13 hours ago

    Related story and wondering if the OP may have been chasing red herrings. I recently noticed an unauthorized charge for a small amount on my credit card (something about FB/Meta). Likely someone probing the card to see if anyone would notice. I called the CC company, had them remove the charge, canceled the card and had them send me a new card (5-7 business days). With the brand new unused card (new CC number, new expiration date, new CVV), the fraudulent payments resumed (again FB/Meta). How is this possible? The reason: digital wallets. Your credit card number, etc. transfers via digital wallets even when you cancel the card. I again called the credit card company and this time, told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online. You have to speak to a human in a call center. You then have to sit through a lecture about how all your renewing payments are going to reset and you will have to re-establish them with all merchants. "Yes, I understand that. Please cancel the card and all digital wallets!" Then you have to hold for twenty minutes (why? what are they doing? manually canceling all the digital wallets?). The lesson I learned here is that canceling your credit card may not be what you think. Also recurring payments must be incredibly lucrative and canceling them must amount to a big loss in revenue. (Edited for grammar.)

    • cj 13 hours ago

      I’m not sure about “digital wallets”, but the concept of updating credit card details after a new card is issued does exist, and it’s a service offered by credit card companies.

      Blog post from Stripe:

      https://stripe.com/resources/more/what-is-a-card-account-upd...

      • resonantjacket5 12 hours ago

        it's called automatic billing updaters.

        like

        Visa: Visa Account Updater (VAU) https://developer.visa.com/capabilities/vau

        Mastercard: Automatic Billing Updater (ABU)

        it worked fine for some time, but the problem is that now the stolen credentials are being refreshed as well.

        • lxgr 11 hours ago

          Ideally, the issuer is able to investigate what type of fraud exactly happened on the card, and in case of a suspected compromised card number they can choose to simply not perform account updates or carry over tokens to the new card.

          Practically, it's of course not that simple or clear-cut. As most things in payments, this too is a trade-off of cardholder inconvenience, support effort, fraud losses etc.

      • SkiFire13 12 hours ago

        There are also "network tokens" that allow you to skip this step and instead remain linked to the new credit card when it changes.

        • thechao 11 hours ago

          I discovered this "quirk" when the local ice rink started charging me for dozens of charges — I was watching them come in. There were two "child2 thechao"s (insert crazy common name); and ... they just picked one and started charging. They didn't want to reverse the charges because the mom of child2 didn't want to pay.

        • Denvercoder9 12 hours ago

          Indeed, I suspect that's what went on here. I don't think there even exist 99 providers of what's customarily called a digital wallet (e.g. Apple/Google Pay), and there's definitely no single person that uses 99 of them.

          It's bad service from GP's card company though, with network tokens they should be able to see which specific token was abused, and revoke just that one.

        • cogogo 12 hours ago

          Interesting. I recently cancelled and reordered a card and I have still been able to make purchases via Amazon without ever making an update. In this case I am happy about it because I am lazy but had no idea how it was working. Presume this is what is going on.

      • rconti 12 hours ago

        Yep. I've been able to use the "wrong" (but still valid) expiration date on my AmEx for a long time. I've had other credit cards where the autopay info was never updated and it just kept working for at least 6 months.

        • Denvercoder9 12 hours ago

          Account Updater functionality isn't necessarily even involved there. In the end whether to accept a transaction is up to the issuer, and quite often they'll keep accepting recurring transactions on otherwise outdated card information.

        • Marsymars 10 hours ago

          Funny, the Amex on my Pixel Watch stopped working only a couple weeks after the physical card expiry.

          It was quite confusing, because a) I received a replacement physical card several months before the card expiry, so by the time my watch stopped working I'd entirely forgotten about it, b) there's no indication anywhere in the Android/Wear OS of what the expiry date is or that it might be expired and c) there's no indication at the point of sale that the virtual card is expired, simply a generic "Declined" message.

        • kay_o 10 hours ago

          You can run a charge with only the card number if you have sufficient trust. Each additional piece you add reduces liability and transaction fees (add exp, add cvc, add 3ds, ...)

      • cft 11 hours ago

        I also noticed that my Google Wallet cards no longer have expiration dates. When a card expires and they issue a new one, the Wallet card works without any intervention on my part.

        • lxgr 11 hours ago

          Wallets usually don't store the card information directly anyway, but only a token, which can be re-associated with new underlying card details when the card is replaced.

          The token itself does also have an expiry date (it's a mandatory field in most protocols), but that can be updated as well, I believe.

        • Marsymars 10 hours ago

          That's very much contrary to my experience just a couple months ago that I detailed in another post: https://news.ycombinator.com/item?id=47981956

    • thomk 11 hours ago

      Check out privacy.com, you can make your own cards. One per service if you want.

      • at-fates-hands 11 hours ago

        Been doing this for a while now for ebay and other stuff. I'm always shocked at how many people have no idea this exists.

        • what 7 hours ago

          Because people use credit cards for the rewards (cash, mileage, whatever) or because they don’t actually have the money now. They don’t want to pay for a unique number for every transaction (which doesn’t actually preserve privacy since most of the stuff you’re buying online needs a shipping address) nor do they want the money immediately pulled from their bank account.

    • pxeboot 11 hours ago

      > I again called the credit card company and this time, told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online.

      This is highly dependent on your bank. For example, Bank of America lets you view and delete any cards that have been added to a digital wallet right on their website.

      • lxgr 11 hours ago

        Only digital wallets, or also any merchant that saved the card using a token? The latter is getting more and more common, but usually happens transparently to the cardholder.

        Theoretically, it would allow a pretty neat feature of being able to manage all merchants that have a copy of the card in the banking app and revoke said copies – but since token use is not mandatory, that would be fairly confusing, so I haven't seen this yet as far as I remember.

        FWIW, India has taken a pretty radical step towards that future at a regulatory level by effectively mandating merchants to no longer store the underlying card number and use tokens instead. I suspect that such an interface would be more common there, but I don't have any personal experience.

      • Marsymars 10 hours ago

        Half of my cards can't even be added to non-iPhone devices without a verification phone call to some poor support agent who's never heard of a "Pixel Watch", has no idea what the workflow is on his end to manually verify cards being added, and just wants me to "use the iPhone app to verify".

        Heaven forbid if I try to add a card to an Apple Wallet on a Mac where no iOS or Android app exists.

    • kodbraker 13 hours ago

      For my case, it was almost certain. As it happened in a single day, and the card I use was a virtual card only used on a couple of big ecommerce websites etc.

      If it was leaked somewhere else, I think they wouldn't bother logging in to some unrelated account of mine on an ecommerce website.

    • tety 12 hours ago

      Digital wallets as in Apple/Google Pay? I had a similar thing happen and I am wondering what did you make of this double charge, what did the attackers do in your opinion?

      • resonantjacket5 12 hours ago

        no it's like a continuation of your credit card for recurring payments.

        It's called Automatic Billing Updater (ABU)

        the idea is that if you ask for a new credit card after being stolen, your say utility providers or other like netflix subscriptions can seamlessly switch over to the new credit card number.

        it worked fine for a while, but of course the problem is that afterwards the stolen credit card credentials started to be refreshed as well.

        (used ai to fetch the list below).

        Visa: Visa Account Updater (VAU)

        Mastercard: Automatic Billing Updater (ABU)

        American Express: Cardrefresher

        General: Recurring Payment Tokenization

    • 8note 10 hours ago

      if it was a 0 or 1 dollar auth, it's likely a fraud check done by said company to make sure you still exist.

      one or more of those digital wallets are some subscription supporting thing, and if that auth failed or had an address mismatch or wrong kind of card, they will disable your account until you update your card.

    • ph1lw 11 hours ago

      Same here, had a 200 EUR charge from Meta / FB - still waiting for my new card.

  • tialaramex 11 hours ago

    This blog doesn't mention the most critical part.

    Settlement, the part where the bank agrees to transfer money from your account (in this case increasing your debt on the card) to the merchant, is completely separate from Authorization.

    Authorization is the modern EMV ("Chip and pin") authentication, the CVV stuff for online, and any other mechanism by which the bank protects themselves from your fraud and, maybe, as an afterthought protects merchants.

    The network is completely OK with Amazon saying here's a card number, we say they're paying us $400. That's just a settlement, goes on your bill. No sophisticated cryptography, nothing even as clever as a 4 digit PIN, or remembering your mother's maiden name, just OK, we trust you. Which means you, as a consumer, need to read your credit card bills and dispute anything you don't recognise or you'll pay.

    There is very little incentive for the networks to care if you get ripped off. If you don't dispute it then everybody is happy, and if you do they just claw it back from the merchant and it's not their problem.

    • lxgr 11 hours ago

      > if you do they just claw it back from the merchant and it's not their problem.

      This is true for non-3DS online payments, but not for in-person payments or when using 3DS online. In those cases, the issuer is usually liable.

  • janpeuker 13 hours ago

    Payment processors don't allow just brute forcing all card numbers, a.k.a. card enumeration or card testing [1][2], and card schemes penalise merchants and payment processors heavily if they don't take measures against it [3].

    1) https://stripe.com/newsroom/news/card-testing-surge

    2) https://stripe.com/blog/the-ml-flywheel-how-we-continually-i...

    3) https://docs.stripe.com/disputes/monitoring-programs#enumera...

    • kodbraker 13 hours ago

      The rate they try becomes very infrequent when they use multiple card validation APIs. I'm not sure how it can be related when it's different PAN numbers, different source IPs etc.

      Enumerating CVC2 with a single PAN is a different story.
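A concrete version of the velocity checks this sub-thread is about, as an added example (not code from the original post, from Stripe, or from any commenter). It is a sliding-window detector run over constructed authorization-attempt log lines; the log format, the thresholds and the decline-code names (`incorrect_number`, `incorrect_cvc`, `expired_card`) are assumptions for illustration. Two rules: one keyed on the source (many distinct cards from one place, mostly declined), one keyed on the card (repeated `incorrect_cvc` declines, whatever the source). The sample data makes kodbraker's point: spreading probes across fresh IPs and fresh PANs slips past the per-source rule, while CVC enumeration against a single PAN is still caught by the per-card rule, including the approval that finally succeeds.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

# Constructed log lines in an assumed format: ts,src_ip,pan_token,amount_cents,result.
# pan_token stands in for a network token or surrogate: the raw PAN and the CVC never
# appear in logs (PCI DSS), so the CVC rule keys on the issuer's decline code instead.
SAMPLE_LOG = """\
1700000000,203.0.113.5,tok_a1,100,incorrect_number
1700000001,203.0.113.5,tok_a2,100,incorrect_number
1700000002,203.0.113.5,tok_a3,100,incorrect_number
1700000003,203.0.113.5,tok_a4,100,approved
1700000004,203.0.113.5,tok_a5,100,incorrect_number
1700000005,203.0.113.5,tok_a6,100,expired_card
1700000010,198.51.100.7,tok_b1,2999,approved
1700000020,192.0.2.1,tok_c9,100,incorrect_cvc
1700000025,192.0.2.2,tok_c9,100,incorrect_cvc
1700000030,192.0.2.3,tok_c9,100,incorrect_cvc
1700000035,192.0.2.4,tok_c9,100,incorrect_cvc
1700000040,192.0.2.5,tok_c9,100,approved
"""

WINDOW_S = 300            # sliding window in seconds (assumed)
MIN_DISTINCT_TOKENS = 5   # per source: distinct cards tried before alerting (assumed)
MIN_DECLINE_RATIO = 0.5   # per source: share of attempts declined (assumed)
MAX_CVC_MISSES = 3        # per card: incorrect_cvc declines tolerated (assumed)


@dataclass(frozen=True)
class Attempt:
    ts: int
    src_ip: str
    token: str
    amount_cents: int
    result: str  # "approved" or an issuer decline code


def parse_log(text: str) -> List[Attempt]:
    """Parse the assumed CSV format into Attempt records sorted by time."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, tok, amt, res = line.split(",")
        attempts.append(Attempt(int(ts), ip, tok, int(amt), res))
    return sorted(attempts, key=lambda a: a.ts)


def _trim(q: Deque[Attempt], now: int) -> None:
    """Drop attempts that fell out of the sliding window."""
    while q and q[0].ts < now - WINDOW_S:
        q.popleft()


def detect(attempts: List[Attempt]) -> List[Tuple[str, str, int]]:
    """Return (rule, key, ts) alerts, at most one per rule and key, in time order."""
    by_ip: Dict[str, Deque[Attempt]] = defaultdict(deque)
    by_token: Dict[str, Deque[Attempt]] = defaultdict(deque)
    fired: Set[Tuple[str, str]] = set()
    alerts: List[Tuple[str, str, int]] = []

    def fire(rule: str, key: str, ts: int) -> None:
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, key, ts))

    for a in attempts:
        # Rule 1: one source cycling through many distinct cards, mostly declined.
        q = by_ip[a.src_ip]
        q.append(a)
        _trim(q, a.ts)
        distinct = {x.token for x in q}
        declined = sum(1 for x in q if x.result != "approved")
        if len(distinct) >= MIN_DISTINCT_TOKENS and declined / len(q) >= MIN_DECLINE_RATIO:
            fire("pan_enumeration", a.src_ip, a.ts)

        # Rule 2: one card collecting incorrect_cvc declines, regardless of source.
        t = by_token[a.token]
        t.append(a)
        _trim(t, a.ts)
        misses = sum(1 for x in t if x.result == "incorrect_cvc")
        if misses >= MAX_CVC_MISSES:
            fire("cvc_enumeration", a.token, a.ts)
            if a.result == "approved":
                # The approval after a burst of CVC misses is the attacker's win; this is
                # the transaction to hold or step up, not just the earlier declines.
                fire("cvc_enumeration_success", a.token, a.ts)

    return alerts


def run_sample() -> List[Tuple[str, str, int]]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, key, ts in run_sample():
        print(f"{ts} {rule} {key}")
```

Keying on a token or surrogate rather than the PAN keeps the detector itself out of the stored-cardholder-data part of PCI scope. In production the decline ratio and distinct-card count would be tuned per merchant, and the approved transaction that follows a CVC burst would be held or stepped up (3DS) rather than merely alerted on.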

    • opengrass 12 hours ago

      Until 6 years ago Stripe didn't obfuscate card numbers in API logs at all.

      • e28eta 6 hours ago

        That’s untrue. While I would be willing to believe that for a brief period of time there was a bug that could expose it, having been at Stripe between 2017 and 2020, it was my experience that they had a robust system preventing PANs from being disclosed.

        That included efforts to mask PANs that were in the wrong place.

        We didn’t want them in our internal logging systems, and we certainly didn’t want to leak them back to the merchants.

        • SkiFire13 3 hours ago

          This is pretty much a PCI DSS requirement for anyone that directly handles PANs.

  • evan_a_a 13 hours ago

    >As a consumer, I thought I was safe; when saving my credit card to a billion dollar valued european merchant, or when i purchase something from supermarket and ignore the receipt, but the reality is slightly different from that.

    >I got the money back via chargeback in short time.

    So as evidenced, you are protected by the fraud infrastructure. The bank ate the loss for the fraud and you were made whole. In the end, the banking system cares about fraud loss. And they are exceptionally good at finding the fraud. Making changes to the card payment system is extremely difficult, due to the vast scale of the systems, so without a very good justification that a particular change will move the needle on fraud rates, the banks will opt to not make the changes.

    • jonathanlydall 12 hours ago

      Banks don’t really eat the loss, instead they ensure all their services have enough of a markup to cover the cost of fraud.

      All consumers collectively pay for all the fraud, it’s just that we don’t tend to realize it as it’s not a specific line item on any of our bills, instead we all pay just a little more than we should for everything we buy.

      • throawayonthe 12 hours ago

        yes, obviously all of the bank's money comes from consumers. what other scenario do you see where a bank (etc.) "eats the loss" but the money somehow comes from somewhere else

        • jonathanlydall 12 hours ago

          While it may be obvious to you that your fees include covering all the banks losses to fraud, I think that most people assume the bank makes less profit or something due to such incidents, when the truth is they just raise their prices to maintain profits.

          • SkiFire13 3 hours ago

            I don't see the difference between the two TBH.

        • themafia 12 hours ago

          If the rate of fraud reduced bonus payments to executives.

    • lxgr 11 hours ago

      > The bank ate the loss for the fraud

      Quite often, the merchant is unfortunately the one eating the fraud, which is creating a bit of a principal-agent problem (in that the issuing bank earns interchange on every transaction, so if they aren't liable for fraud, their default incentive would be to just approve as much as feasible and figure everything out later via chargebacks).

      3DS changes that calculus quite a bit, though, and in-person payments are usually the issuing bank's liability as well.

    • spankalee 13 hours ago

      > The bank ate the loss for the fraud and you were made whole

      _If_ you notice the fraudulent charge.

      • Sohcahtoa82 11 hours ago

        It never ceases to amaze me how many people don't even look at their bank/credit card statements and just let their credit cards auto-pay.

        Back when I was poor, I was logging into my bank and credit card accounts at least twice/week. I always knew within $20 how much money I had.

        As a well-paid tech worker, I'm still checking at each paycheck (2x/month) and paying the credit card off every time, but I'm still scanning the statements for any unexpected charges and to keep a pulse on my spending.

        Fun anecdote, my wife started talking to me while I was scanning my statement once and she noticed there was a $20 charge from a business named "Your Side Chick" that she questioned in a joking way. It was from a food cart that specializes in chicken strips.

        • Marsymars 10 hours ago

          FWIW, I find looking at my statement and trying to remember if I actually made a random purchase of $8.63 to some unrecognizable name three weeks ago to be a much more difficult workflow than just enabling email notifications for every transaction so I can triage them quickly / at my convenience.

        • what 6 hours ago

          $20 for food cart chicken strips is the real scam.

          • Sohcahtoa82 2 hours ago

            The food cart scene in the Portland metro area is really good. Those chicken strips were amazing and the sauce was superb. And despite hating both kale and cole slaw, their kale cole slaw was delicious.


    • mothballed 13 hours ago

      It's my experience that the bank will give up against a motivated chargeback counterparty.

      My experience with ebay (stolen credit card) in particular was that things were going well until e-bay sent their stack of paperwork to my bank. Then my chargeback was reversed and shortly after that even my bank account was closed.

      So you're not in the clear once you get your chargeback back. That is done initially while they give the other party time to respond. I think it took 30 days or so for ebay to bury me in paperwork, get the chargeback unwound again, and their spiel was so effective that my bank themselves then accused me of being the fraudster.

      As for

      > The bank ate the loss for the fraud

      I'm not 100% sure that's true. The entire reason why the chargebackee wants to contest it is because either the chargebackee or the chargebacker is eating the loss. The bank isn't eating that loss. There is no way E-bay would have bothered contesting my chargeback and paying their white collar workers for professional time researching if the bank was just going to eat it.

      • NavinF 12 hours ago

        in what country?

        • mothballed 12 hours ago

          USA. In USA your chargeback initially is usually taken on face. They'll usually reverse the charge within a week or so. But after that they let the merchant appeal it.

          Most merchants won't. But if they do, your bank isn't going to bat for you. If it looks like it's going to take them much time or effort to deal with it they're liable to just throw up their hands and let you duke it out in small claims court.

          In my case they had a megacorp ready to fight it on one side, and little old me on the other. So some lady on the phone just insinuated I was a lying scammer and told me my case had been reversed. There was some sort of appeal process I tossed my hat into but it went straight to radio silence and I've not heard from them in years. I would have taken them to court but I moved cross country around the same time and it would cost me $2000 or so for airfare and hotel rooms to show up to the right courts to get $1000 in judgements.

          • evan_a_a 12 hours ago

            I am a bit confused about your situation. Did you have a stolen card used to make a purchase at ebay that was not under your account? Or did you make a purchase at ebay and have an issue with the product you received?

            • mothballed 12 hours ago

              Scammer created two e-bay accounts. One with my name but e-mail address "pirate" something. A second one, a scammer merchant account to wash the money.

              They stole my credit card and used the bogus "me" ebay account to generate invoices (to my real address) and payments for goods from the second scammer merchant account. Then they found tracking numbers to my zip code. They bought the (fake) items from their scammer merchant account using their scammer "me" account. They used those tracking numbers to show the items were shipped and received to someone in my zip code (which is the only publicly available data from the tracking number). Of course, at no point were any of the goods "purchased" by "me" even real, but rather just ways to wash the credit card returns.

              When I discovered what happened, I requested ebay refund it. Ebay claimed that since the accounts weren't actually mine (only in my name) I had no right to request a refund. So I could claim they were mine and then be ineligible for a refund because the underlying reason would be vaporized, or not claim them as mine and then be unable to ask for a refund because it's not actually my account -- a catch 22. The tracking numbers, again, since they weren't actually to me, the shipping companies refused to reveal the underlying data to me and I couldn't get any of the evidence showing it wasn't me.

              At that point, I had my bank do a chargeback. Which they initially granted. I thought it was a done deal at that point.

              Ebay sent all these invoices matching my name, with tracking numbers to my zip code, with my credit card being billed, etc to my bank along with a bunch of pages of banking mumbo jumbo about how the chargeback was wrong. At that point my bank turned face, called me a liar, and reinstated the charges. Not long after this, I noticed e-bay shut down the scammer account but they never refunded me the money. I assume the scammer had sucked out the money faster than e-bay could act to claw it back and when e-bay realized they'd be holding the bag they decided to dump it on the fraud victims.

              • NavinF 7 hours ago

                You didn't provide any evidence that the charge was fraudulent. If they have a tracking number you gotta provide something, at least a police report.

                Also you likely filed "merchandise/services not received" when you should have filed "unauthorized transaction". Even if you really did get the item, you don't have to pay for it if it was ordered by someone else using your card.

                • mothballed 6 hours ago

                  Honestly the only thing I had was one tracking number was generated an entire day before the supposed purchase, the 'pirate' email address (they were taunting me), that the religious items purchased were not of my religion, and that ebay had closed the scammer account. But my bank was not interested in taking on ebay. To the scammer's credit, by creating both the buyer and seller account they made their scam a lot more resistant.

                  Also it was charged back as fraud. I had other fraud transactions that day and my bank reversed them. They were too scared to fight ebay or something.

                  I've learned proving a negative of "prove you didn't buy this" is pretty hard and thus fraud protection is more of a facade that only kind of works.

          • lxgr 10 hours ago

            > If it looks like it's going to take them much time or effort to deal with it they're liable to just throw up their hands and let you duke it out in small claims court.

            In the US, couldn't you just make it their problem by not paying the disputed portion of your bill? (I haven't tried this myself and don't know how hard it is to dispute a negative credit report without going to small claims court in the end.)

  • jonathanlydall 13 hours ago

    If 3D secure was mandatory everywhere that would help a lot, but if I understand correctly, it’s not really used in the US and with them being so big, card issuers are largely forced to allow non 3D secure requests or their clients will be unable to use their cards for too many things.

    So an enormously good anti-fraud mechanism is severely handicapped.

    It’s really frustrating for most of the rest of the world.

    I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

    Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.

    • mandevil 12 hours ago

      No, the laws are different (and more consumer friendly in the US), so the US consumer behavior is different.

      Back when credit cards were first starting out (which happened in the US) the US Congress passed a law, the Fair Credit Billing Act of 1974, that consumers were only liable for $50 of losses as long as they reported the missing credit card within 60 days of the end of the fraudulent billing cycle. This was back when credit card purchases were all made on paper with the machine that went "kachunk" and transferred a carbon copy of your card; everything was done completely offline. That law has not been changed; in fact, most banks completely waive the $50 and don't hold card-holders liable for anything reported (basically, annoying a customer over $50 isn't worth it to the bank). Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit, but banks are still on the hook for all losses reported within 60 days of the end of the cycle. The result is that American banks have invested an enormous amount in real-time monitoring of credit card transactions, and are doing lots of stuff to monitor this. They care deeply since ultimately they are on the hook, but the consumer doesn't care. This is why US cards from the consumer perspective are so much laxer: our banks have invested far more on the back-end because the consumer is held harmless in a way they aren't with European cards.

      As a totally separate issue, the EU has regulated the amount of interchange fees that card-companies can charge, but the US has not capped them. The result is that US card-holders can get significant kickbacks for using cards (especially true for the top decile of wealth), in a way that is functionally impossible with EU issued cards that have capped interchange fees. There is a big lawsuit happening now to try and allow merchants to only accept low-fee cards (the standard VISA/MC/AMEX deal requires treating all cards equally, which gives them an incentive to push people to higher interchange cards). We will see what happens with that suit, but until then, American high-spenders can have much higher rewards on their cards, which also encourages greater use of the cards- and making them have less friction than the EU versions.

      • SkiFire13 2 hours ago

        > Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit- but banks are still on the hook for all losses reported within 60 days of the end of the cycle.

        For card-not-present transactions (i.e. online ones) the liability is on the merchant. They however also have an incentive NOT to use 3DS because it adds real friction to purchases. I'm also not sure if all USA banks even support 3DS.

      • lxgr 11 hours ago

        This theory explains why cardholders in the US are still using cards despite these being relatively less secure than in other countries, but fails to explain why issuing banks wouldn't take steps to protect their own fraud losses, such as introducing 3DS or PINs.

        The actual explanation lies in the game theory of fraud prevention; see my sibling comment for details.

      • X0Refraction 12 hours ago

        Why would the law being different mean they wouldn't use 3DS though? Surely it'd cut out a good amount of fraud along with the realtime monitoring? I understand that US consumers don't have a stake in this, but can't all the banks just agree to enforce 3DS? I can't imagine Americans are going to stop using their cards because of a small amount of friction added

        • mercutio2 11 hours ago

          Because adding friction will deter many impulse purchases. Americans use credit cards constantly. The equilibrium would be perturbed in a way very much not advantageous for the credit card issuers if consumers became more cautious about using credit cards.

          It’s the same reason credit card issuers are willing to pay Apple a few basis points to participate in Apple Pay: reducing friction has a non-linear impact on propensity to pay.

        • Denvercoder9 11 hours ago

          > can't all the banks just agree to enforce 3DS

          They could, but it's one of those things that really only works if everybody joins. Because 3DS is rarely used right now, a portion of merchants don't even support it, so if you start enforcing it as a single bank, your customers will start complaining their card doesn't work. The banking industry in the US is also more decentralized than in the EU, so getting everybody to join in simultaneously is hard.

          The window of opportunity for 3DS has also more or less passed, the industry is moving on to the next generation of tech (wallets/tokenization), that should be both easier to use and more secure.

    • fckgw 13 hours ago

      > I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

      Do you think we are requesting to have less secure payment methods or something?

      No, we don't "prefer to get defrauded", but things like this are a matter of negotiation between the card issuers and the merchants.

      • Denvercoder9 12 hours ago

        > but things like this are a matter of negotiation between the card issuers and the merchants.

        Not necessarily, the EU has mandated strong customer authentication by law (PSD2), and as a result has practically universal 3DSecure support.

        • jonathanlydall 12 hours ago

          Exactly, if citizens could convince US lawmakers to make it mandatory, it would be a huge net benefit to society as a whole.

          I suspect that banks and merchants would lobby against it due to the work involved. After all, they’ve already marked up their services and goods to cover the cost of fraud/insurance. So right now they don’t pay the cost of it, instead all their customers do through higher prices than they would otherwise have needed to pay.

          • toast0 12 hours ago

            > Exactly, if citizens could convince US lawmakers to make it mandatory, it would be a huge net benefit to society as a whole.

            That's not obviously true. Adding security would likely reduce fraud, but would also make transactions more difficult and time consuming, and may also make recovering from fraud more difficult and time consuming.

            The costs may not justify the benefits.

        • Hupriene 12 hours ago

          Bold of you to assume that the public has more influence on legislation than lobbyists do in the US.

        • idiotsecant 12 hours ago

          Ah, the natural call of the wild European: blaming individual Americans for a century of policy failures with truly majestic smugness.

          • M95D 12 hours ago

            Who should be blamed then? Do you not vote your lawmakers? Do you not vote with your wallet by buying from non-3d-secure merchants?

            • idiotsecant 7 hours ago

              Yes, I vote for leaders. So does everyone else, unfortunately.

      • eterm 12 hours ago

        Legislate that the banks are liable for refunding this class of fraud and you'll find they suddenly take this stuff a lot more seriously and "discover" the technology.

        • gustavus 12 hours ago

          I don't understand your point. The banks and credit card companies are already responsible. If I have a fraudulent charge I call and tell them it's fraudulent and they say okay and take it off and either get it back from the issuer or eat the difference.

          • rstupek 10 hours ago ago

            I think what you're missing is the bank and credit card companies rarely eat the difference. The business who sold the item which was charged back is the one paying the cost of the transaction (no income, lost item) plus a chargeback processing fee (typically $15 per chargeback).

          • rvnx 11 hours ago ago

            They can also punish you for doing so, like banning you from the bank.

            They also report account closures to ChexSystems, which can make it harder to open accounts at other banks for years. Credit card issuers can drop you and ding your credit. Definitively not your fault, but still your problem, and the consequences are for you.

        • dboreham 12 hours ago ago

          Quite hard to do when banks are major bribers of politicians.

    • cnst 7 hours ago ago

      IIRC, MasterCard SecureCode and Visa's Verified by Visa were more of a thing in the US maybe like a decade or two ago? I think NewEgg and B&H did support it at one point? Afterwards, everyone has simply disabled the thing, and you simply get a wave-through by most issuers when shopping on foreign sites, where you get redirected to the issuer's website, then back to the online shop, without having to type or confirm anything.

      Back when it was a thing, it was quite a nightmare, where you had to register for a 3ds account, often separate from your normal online account, and keep a separate password etc. Then those iframe windows look exactly like the phishing websites, too.

      Honestly, it's much ado about nothing. If the transaction is suspicious or likely fraudulent, today, you already get an SMS or an alert within the bank's app on your phone. All you have to do is confirm and retry the transaction a minute later. This works for both in-person transactions, as well as remote ones, with the same flow, unlike 3ds, which only works for online shopping.

    • lxgr 11 hours ago ago

      > I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

      The general idea is that if the conversion rate drop of a given security mechanism is higher than the average fraud rate, it doesn't make financial sense to deploy it.

      However, at the industry-wide level, this is a pretty classical coordination problem, in that conversion rate only drops because there still is a simpler alternative around unless all merchants and banks were to enforce 3DS at the same time. If there's nothing more convenient left to move to, users will for better or worse have to learn the new, more secure thing, and conversion rates will go up again.

      This is what the EU has done with mandating 3DS for many payments, but even there regulators have recognized that a 100% coverage is counterproductive, and there's a sweet spot somewhere in the middle.

      As more evidence for the same general idea: US credit cards don't have PINs, because any individual bank introducing them would see a huge drop in usage rates since customers would just use their competitor's card without a PIN instead. In other markets, all cards have PINs (whether due to regulatory intervention or card network incentive), and people have just gotten used to them.

    • neom 12 hours ago ago

      FWIW, HSBC USA Mastercard uses 3D secure if it's something you want and you're in the states.

      • lxgr 11 hours ago ago

        Capital One also offers it for their credit cards, which makes them the only ones usable in countries where requiring 3DS is common. (No idea why this is a thing actually – merchants get the fraud chargeback liability shift as soon as they request 3DS, whether the issuer actually supports it or not.)

        The real problem is that in the US, almost no merchants request it in my experience, despite the fact that they'd get an almost free (in terms of conversion rate dropoff) liability shift. I suppose the few US issuers that do support it have a bad enough implementation that the conversion drop is still significant.

        • zinekeller 7 hours ago ago

          > No idea why this is a thing actually

          a) It still affects their bottom line: the issuer might still try to dispute this using a different code despite payment scheme (formal term for Visa et al.) rules, and the merchant targeted is prone to fraud (for example, airlines have been hit with this by fraudsters exploiting tourists looking for cheaper tickets: offering them suspiciously cheap tickets on seemingly trustworthy websites and funding them with insecure cards)

          b) Misinterpretation of mandatory rules: PSD2 is applicable only for EEA customer - EEA merchant, but some extended it to the whole world despite the rules literally dictating the limits

          c) Soft friction for encouraging domestic card usage: because of accept-all rules by payment schemes (and no local rules that allow merchants in a region to reject international payments), this is a way to block US cards under the guise of fraud prevention (because international cards are expensive for merchants to process)

          • lxgr an hour ago ago

            Wow, c) never occurred to me but makes total sense.

            b) can probably explain this happening for EU merchants, but I've also seen this in Japan and Central America, and I think even before PSD2 in the EU.

            That's what I love about the payments space: While you're absorbed in your own game of checkers, you never know if your opponent is actually playing 1d or 10d chess :)

        • rstupek 10 hours ago ago

          Yeah from a software dev perspective the implementations are shockingly terrible from a UX perspective. I'm surprised Stripe doesn't make it automatic with their integration

          • lxgr 10 hours ago ago

            One problem is that the UX is largely defined by the issuer. 3DS (on the web) is literally an issuer-rendered iframe.

    • gnopgnip 13 hours ago ago

      How much is lost to fraud that would be prevented by 3d secure, 0.1%?

      • beejiu 12 hours ago ago

        In Europe, the max interchange fee is 0.3%. In the US, the average is 2%. So the relative impact of fraud is much higher.

        • SkiFire13 12 hours ago ago

          There is also an additional (usually pretty high) fee for getting chargebacks.

        • mercutio2 11 hours ago ago

          Huh? Your conclusion does not follow. A large fraction of the interchange fee is kicked back to customers.

          The size of the pie being so much bigger means the issuer’s tolerance for fraud is much larger, but it’s orthogonal to whether there’s actually more fraud. In practice credit card fraud actually impacting customers is vanishingly rare at this point.

          • lxgr 10 hours ago ago

            A large fraction, yes, but I believe in absolute numbers, US issuers still retain much more interchange than European ones.

            The numbers are even public: https://usa.visa.com/content/dam/VCOM/download/merchants/vis...

            If you take a look at some of the more "expensive" cards, interchange is often higher than 2%, yet issuers often pay as much only on certain categories, and flat cashback cards usually pay 1.5% (2% is relatively rare).

            Compare that difference to a total interchange of 0.3% in the EU.

  • J8K357R 13 hours ago ago

    I once had a person that was hired by my company and then started bragging about finding a way to add stored value to gift cards. Then come to find out they were under investigation by the FBI. This was a government contractor mind you, so the biggest security guard I’ve ever seen showed up to escort them out.

    • kyleee 12 hours ago ago

      What does “add stored value to gift cards” mean?

      • Sohcahtoa82 12 hours ago ago

        I'm guessing it means they can fraudulently add money to a store gift card without it costing anything.

      • dboreham 12 hours ago ago

        I think it means "take a gift card with $10 value stored and make it a gift card with $20 stored".

  • sixtyj 13 hours ago ago

    People should have a separate card for online payments and have just enough money on it for a payment.

    I know that I am naïve :)

    Back to the article: Weak point was a password that lead to another merchant not using 3D secure.

    It seems from the article that bad actors have a fully automated system, so (big) merchants should handle automatic login attempts from the same IP address with different accounts. I see from our Wordfence logs that IP rotation is not so quick, so it could be handled with some permanent IP blocking.
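
The detection the comment above describes (one IP address cycling through many different accounts in a short window) as an added example, not code from the thread or from Wordfence: it parses a handful of constructed log lines in an assumed `timestamp ip account result` format and reports IPs that touch more than a threshold of distinct accounts inside a sliding window. Successful logins count too, because a stuffing run that lands a valid password looks exactly like this.

```python
"""
Added example (not from the HN thread, not Wordfence's code): flag IPs that
attempt logins against many distinct accounts within a sliding time window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
# <ISO timestamp> <client IP> <account> <result>
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:01 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:02 198.51.100.4 dave@example.com FAIL
2024-05-01T10:00:03 203.0.113.7 dan@example.com OK
2024-05-01T10:00:04 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:09 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:30 198.51.100.4 dave@example.com OK
2024-05-01T10:15:00 203.0.113.7 grace@example.com FAIL
"""


def parse_line(line):
    """Split one log line into (datetime, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def find_account_spraying(log_text, window=timedelta(minutes=5), max_accounts=4):
    """Return {ip: set_of_accounts} for every IP that touched more than
    `max_accounts` distinct accounts inside any window of length `window`.

    A legitimate client hits one or two accounts; a credential-stuffing or
    account-spraying run hits a new account on nearly every request, so the
    distinct-account count per source IP is the signal, not the raw rate.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, account), oldest first
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, account, _result = parse_line(line)
        q = recent[ip]
        q.append((ts, account))
        # Drop attempts that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) > max_accounts:
            flagged.setdefault(ip, set()).update(distinct)
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_account_spraying(SAMPLE_LOG).items():
        print(f"{ip}: {len(accounts)} distinct accounts in window -> candidate for blocking")
```

The flagged dictionary is what you would feed a block list; the comment's observation that rotation is slow is why a per-IP rule like this still works, and the window keeps one IP that serves a whole office from being blocked for a few unrelated logins spread across the day.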

    • kadoban 13 hours ago ago

      Tbh, fraud for credit cards is covered by the bank, so I typically just don't care. I just check my statements for anything that looks off.

    • kodbraker 13 hours ago ago

      I agree with the separate card. That was my separate card and luckily the amount was not that big because of that.

      >Weak point was a password that lead to another merchant not using 3D secure

      Well, leaking a password shouldn't cause leaking a whole ass credit card's data imo. The same data is printed on the physical receipts the markets print, sometimes 4 digits, sometimes 10 digits. It's still possible to brute force from unattended physical receipts at the market.

    • Foofoobar12345 13 hours ago ago

      Mercury now offers personal bank accounts. You can create virtual debit cards just like companies can with Brex/Mercury/Ramp etc.

    • lxgr 11 hours ago ago

      Why should they, if they're not liable for any resulting fraud of the status quo?

    • mrbluecoat 13 hours ago ago

      Not affiliated, but Capital One Eno virtual cards work well for this purpose.

    • stavros 13 hours ago ago

      I think https://privacy.com is the best solution we can have with the current system.

    • psychoslave 13 hours ago ago

      My previous bank provided this virtual card service on demand. You create the card for a single purchase with a specific amount and that’s it. I moved to another bank when getting an affordable mortgage loan became impossible in it for me.

  • mcoliver 13 hours ago ago

    Virtual credit cards have been a thing for years. I remember Bank of America or Citi providing them to me 15+ years ago. If I recall it was a Java app or maybe even a standalone exe. Shocked they never took off more broadly.

    Robinhood absolutely nails this. Best virtual credit card system I have ever used. So seamless. Can auth a card for one time use, 24 hours, or indefinite until you cancel. Such a great UI / UX

    • AnonEM00se 12 hours ago ago

      It didn’t take off because it was easier to eat the costs of fraud than to maintain the system. It didn’t catch on simply because it’s pro-consumer.

    • EvanAnderson 12 hours ago ago

      MBNA (which got bought out by Chase) had a Flash-based virtual card app back in the early 2000's. I really enjoyed using it. I also can't understand why they haven't taken off, especially in the world of Everything Is A Subscription we're living in now. I adored being able to set expiration dates and spend limits to save ugly negotiations about ending subscriptions.

  • jwrallie 12 hours ago ago

    Recently I got an SMS from my bank about a suspicious transaction overseas from my wife’s card; it was literally listed as zero USD, at a time when she was not using her phone or computer.

    I initially thought the SMS itself was phishing, but after checking online, the SMS format matched and the bank webpage assured that the feedback process would not ask for any information, so we proceeded to confirm that we did not purchase anything.

    The bank immediately cancelled the card and shipped a new one.

    My initial thought is that the bank safety system could be overreacting, but it was likely that someone was doing exactly what is described in this article and the bank detected it earlier.

  • exabrial 6 hours ago ago

    It’s 2026, I have a laser guided vacuum robot that auto cleans my floors… we just flung people around the moon…

    And we still don’t use public/private keys to secure transactions. Why?

  • netik 12 hours ago ago

    One other thing to add to the story is that the merchants can’t select what level of security they want from the credit card processor. For example, with authorize.net, you can accept the payment even if the address doesn’t match.

    I guess the real question here is how are they able to steal from you? Were they purchasing gift cards from a merchant with lax security?

    It’s one thing to guess a number; it’s another thing to get the money out of the system.

    • Denvercoder9 12 hours ago ago

      > merchants can’t select what level of security they want from the credit card processor

      That really depends on the processor; many processors do allow merchants to specify their acceptance rules in quite deep detail.

      There's a bit of a dichotomy in the processor market: on one side you have those that aim to make it simple for their customers and unburden them, while on the other side you have those that expose all the complexities and give intricate controls. The first side won't allow you to specify security requirements, while the second side will give you a hundred options (of course there are also processors positioning themselves in between). The two sides generally target different customers.

  • maxgashkov 10 hours ago ago

    They absolutely are. Fun example: when Revolut launched in Japan a few years back they had a period of relatively explosive success (especially within the immigrant community), so most of the cards of the period were issued with the same expiration month and with the same IIN (I'm assuming specific to Japan as well), which left very little entropy and led to brute-force attacks via merchants not requiring 3DS (Uber etc.). Within only one community (approx. 1.5k people) we have had a handful of 100% verified cases where the card was compromised without any exposure at all (i.e. the card was not used online or offline).

    In all cases Revolut promptly reverted the charges and eventually they did a complete reissue of the cards for the Japanese market (not sure how they got around the entropy issue: maybe they randomized the expiry dates or spread out IINs some more).

  • 8cvor6j844qw_d6 9 hours ago ago

    Pretty standard now to keep your card frozen when not in use, at least for me personally.

    Some banks let you set specific limits for recurring payments.

  • edward1033 9 hours ago ago

    Unlike the US, in some regions such as JP, TW, HK, almost every online card transaction requires 3D Secure. But many real-world cases show that banks then refuse to take responsibility for fraudulent transactions once 3DS was completed, even when the OTP leak was caused by failures in the banking and telecom systems rather than by the cardholder.

    • hocuspocus 9 hours ago ago

      The EU has banned plain SMS tokens for SCA. You need an OTP + PIN or password, or more likely authorize the transaction from a mobile app with biometrics.

  • undefined 9 hours ago ago
    [deleted]
  • amluto 13 hours ago ago

    Another mistake:

    > The data they took with the attempt of purchase is the card is still usable (not cancelled)

    The payment flows should not distinguish between a nonexistent card, a cancelled card, and a valid card that needs 3D Secure. I bet the banks could even implement that without any cooperation on the part of the merchants.
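
The design point in the comment above, rendered as an added example (not amluto's code, not any issuer's): the same authorization decision exposed two ways. The leaky responder tells the caller why a card was refused, so a guesser can sort "no such card" from "real card, just needs 3DS"; the uniform responder collapses every non-approved outcome into one external code. The card table and PANs are constructed test data, and the split between an internal reason and an external code is the assumption being illustrated.

```python
"""
Added example (not from the HN thread, not any bank's code): a card
authorization stub that shows why decline reasons must not distinguish a
nonexistent card, a cancelled card and a valid card that still needs 3DS.
"""
from enum import Enum


class CardState(Enum):
    UNKNOWN = "unknown"        # PAN not present in the issuer's records
    CANCELLED = "cancelled"
    ACTIVE = "active"


# Constructed issuer records: PAN -> (state, needs_3ds). Not real cards.
CARDS = {
    "4111111111111111": (CardState.ACTIVE, True),
    "4222222222222222": (CardState.CANCELLED, False),
}


def internal_decision(pan, three_ds_passed):
    """The issuer's real reason; fine to log internally, never to return as-is."""
    state, needs_3ds = CARDS.get(pan, (CardState.UNKNOWN, False))
    if state is CardState.UNKNOWN:
        return "no_such_card"
    if state is CardState.CANCELLED:
        return "card_cancelled"
    if needs_3ds and not three_ds_passed:
        return "3ds_required"
    return "approved"


def leaky_response(pan, three_ds_passed):
    """Anti-pattern: the external response mirrors the internal reason, so each
    guess tells the caller which of the three states it hit."""
    return internal_decision(pan, three_ds_passed)


def uniform_response(pan, three_ds_passed):
    """Hardened: one external outcome for every refusal. A merchant that wants
    the 3DS challenge initiates it up front; an authorization attempt that
    arrives without it learns nothing about the card's existence or state."""
    return "approved" if internal_decision(pan, three_ds_passed) == "approved" else "declined"


def distinguishable(responder, pans, three_ds_passed=False):
    """How many different external answers a set of attempted PANs produces,
    i.e. the size of the oracle the responder hands to whoever is guessing."""
    return len({responder(pan, three_ds_passed) for pan in pans})


if __name__ == "__main__":
    probes = ["4111111111111111", "4222222222222222", "4333333333333333"]
    print("leaky   :", [leaky_response(p, False) for p in probes])
    print("uniform :", [uniform_response(p, False) for p in probes])
```

The response code is only one channel: if the uniform path returns faster for unknown PANs than for known ones (because the lookup short-circuits), the timing leaks the same distinction, so the refusal path should do the same amount of work regardless of which branch was taken.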

  • chaqchase 13 hours ago ago

    Rate limiting and anomaly detection are the real gatekeepers here. A lot of "fraud prevention" is still reactive.
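
Rate limiting as the first gate, in an added example that is not from the thread or from any payment processor: a per-key token bucket that a payment endpoint can apply before forwarding an authorization to the issuer, keyed on whatever identifies the client (IP address, account, or the leading digits of the card). The clock is injected and a constructed fake clock drives the demo so it runs deterministically offline; the capacity and refill rate are illustrative, not anyone's production settings.

```python
"""
Added example (not from the HN thread, not any processor's code): a token
bucket velocity check per client key, with a hard-block threshold on top.
"""
import time
from collections import Counter


class TokenBucket:
    """Allow a burst of `capacity` attempts per key, then `rate` more per second.

    A proactive control: the attempt is refused here, before it reaches the
    issuer, rather than being discovered later in a chargeback report.
    """

    def __init__(self, capacity, rate, now=time.monotonic):
        self.capacity = capacity
        self.rate = rate            # tokens added per second
        self.now = now              # injectable clock (see FakeClock below)
        self.state = {}             # key -> (tokens, last_refill_timestamp)
        self.denied = Counter()     # key -> number of refused attempts

    def allow(self, key):
        t = self.now()
        tokens, last = self.state.get(key, (self.capacity, t))
        tokens = min(self.capacity, tokens + (t - last) * self.rate)
        if tokens >= 1:
            self.state[key] = (tokens - 1, t)
            return True
        self.state[key] = (tokens, t)
        self.denied[key] += 1
        return False

    def hard_blocked(self, threshold):
        """Keys that kept pushing after being throttled: candidates for a
        longer-lived block than the bucket itself provides."""
        return {key for key, n in self.denied.items() if n >= threshold}


class FakeClock:
    """Constructed clock so the example is deterministic and needs no sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Burst of 7 attempts from one key, a short pause, 3 more, then one from
    an unrelated key. Returns the list of allow/deny decisions in order."""
    clock = FakeClock()
    bucket = TokenBucket(capacity=5, rate=0.5, now=clock)   # 5 burst, 1 per 2 s after
    key = "203.0.113.7"                                     # constructed client key
    results = [bucket.allow(key) for _ in range(7)]         # 5 allowed, 2 refused
    clock.advance(4)                                        # refills 2 tokens
    results += [bucket.allow(key) for _ in range(3)]        # 2 allowed, 1 refused
    results.append(bucket.allow("198.51.100.4"))            # other key: full bucket
    return results, bucket.hard_blocked(3)


if __name__ == "__main__":
    decisions, blocked = demo()
    print("decisions:", decisions)
    print("hard-blocked keys:", blocked)
```

Keying on more than one dimension at once (a bucket per IP and a bucket per card prefix, both consulted) catches the two evasions that defeat a single key: many IPs against one card range, and one IP spread thinly across many cards.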

  • janalsncm 13 hours ago ago

    At least with a credit card you have some fraud protection. Report it and the charge should be reversed. And chargebacks are possible.

    With a debit card you’re playing with your own money.

    • tptacek 13 hours ago ago

      That has not been my experience with debit cards in the US at major banks, at all, over decades.

      (I'm pathologically avoidant of credit cards, which I think are mostly pointless.)

      • jabroni_salad 12 hours ago ago

        When my bank account got drained, I could not pay rent or any bills. I had enough cash for about a week of food. It took 4 weeks for the bank to decide I could be made whole. Ever since then I have never even put a debit card in my wallet. I know what the laws say. I have read endless "well banks usually[...]" type messages. and yet all the same I one day awoke to find myself transformed into a giant cockroach.

        • tptacek 12 hours ago ago

          EFTA Reg E gives banks 10 days to make you whole (less an optional $50 deductible depending on when the fraud was reported). My experience going back decades is that they've simply reverted the charges instantly. What bank were you using? My experience is with the usual suspects --- Citi, Chase, and BofA.

          Under the law, credit card issuers actually have more time to deliberate before making you whole, not less.

          • Merad 12 hours ago ago

            That's not quite accurate. They have 10 days to issue you a temporary credit if the investigation is going to take more than 10 days. They are willing to issue the credit immediately precisely because it's temporary. If the investigation resolves in your favor the credit becomes permanent and you never know the difference. If it takes more than 30 days - well, I worked with BofA about 15 years ago and saw more than a few customers who ended up with a giant mess because that temporary credit expired after 30 days resulting in a snowball effect of failed payments and NSF charges.

          • jabroni_salad 12 hours ago ago

            sorry, I ninja edited my comment to avoid having an identical discussion as the previous many times I brought up this topic.

            It is nice that you know what the law is but that isn't the same as the law being followed. Also the bank was PNC, not the biggest guy ever but not a small player either.

      • lIl-IIIl 13 hours ago ago

        You can reverse the charges on debit cards, but the money is withdrawn at the time the charge is made. This is not the case for credit cards.

        • AnthonyMouse 12 hours ago ago

          > You can reverse the charges on debit cards, but the money is withdrawn at the time the charge is made. This is not the case for credit cards.

          In a sense it is though, because it lowers your available credit by the amount of the charge. And the fraudsters are going to try to run you right up to your credit limit, so you end up at the same problem: You now have legitimate charges being declined because the fraudsters locked up your payment card.

          • xboxnolifes an hour ago ago

            You have a debit card backup though in that scenario. Arguably, you can just do the reverse and have a credit card backup, but some things don't accept credit card as payment.

          • lxgr 11 hours ago ago

            Having multiple credit cards in the US is quite common, since there's no practical downside (unlike having multiple checking accounts, which locks up liquidity at usually no interest payment) and it can even be beneficial for your credit score.

            • AnthonyMouse 5 hours ago ago

              That's not the problem. After all, if it happened to your debit card you could likewise make purchases on a different card, regardless of whether the other card is a debit or credit card.

              It's also not that hard to get two debit cards. There are credit unions with no minimum balance requirement.

              The actual problem is that if it happens to any card, all the stuff configured to use that card is now failing. You have a toll tag and the company goes to charge your card for a road toll, it's a perverse unaccountable bureaucracy that has captured the government so enjoy your $50 declined payment fee. You have autopay on for several services which will naturally suspend your account if you don't pay them. That's an inconvenience for something like Netflix but for your various information services it can be a big problem even if all they do is turn it off temporarily, and an even bigger problem if the turning it off involves deleting your stuff. Likewise for things like insurance where a gap in coverage can cause you to get fined or negatively impact your future rates.

              Some of that can be mitigated by chasing it all down and switching them before the charge comes, but the labor to do that is a significant cost in itself and plenty of people aren't going to recognize the need to do it until it's too late, or try to and still miss some.

              • lxgr an hour ago ago

                > It's also not that hard to get two debit cards.

                But then you need to have money in the other checking account too.

                Still, completely agree with your larger point. It's a big hassle having to switch cards, and the status quo (i.e., the industry being in a multi-decade transition period towards acceptable security) is sometimes the worst of both worlds:

                Half of all merchants don't support automatic card updates and need to be manually fixed, while the other half do and have a chance of keeping your card alive in a fraudster's account where it's on file if your issuer is not careful.

        • devmor 13 hours ago ago

          Most US banks will credit your account for the amount of the dispute immediately upon starting the investigation, so it is functionally equivalent from a consumer perspective.

          • lxgr 11 hours ago ago

            In fact, all US banks should be doing this, or they'd be in violation of Regulation E.

        • tptacek 13 hours ago ago

          That's true, but it's not the claim the parent commenter made.

      • undefined 13 hours ago ago
        [deleted]
      • yladiz 13 hours ago ago

        Why do you think they’re pointless?

        • tptacek 13 hours ago ago

          For most of my adult life I haven't been able to get a credit card --- even after we sold Matasano Security, with the proceeds of that acquisition sitting in a money market checking account at the giant bank I use, that bank would still only issue me a secured card. I pay my bills and all, but at some point when I was like 19 I bought a shirt at Nordstroms and they signed me up for a card and I didn't pay enough attention so I presumably still somehow owe them $40, and it wrecked my credit score.

          No part of my life has been harder for not having revolving credit. I had a family, with two kids, starting in my very early 20s; I have lived on ramen wages several times since then; I've bought houses, rented cars, all that stuff. There's really been no point I can think of where I felt like having a revolving credit card would have made any of it more manageable.

          I'd get points and stuff (I have a card now, it has a fuckload of points on it) but that's just an incentive to use the cards, not an intrinsic case for them.

          I think most people would be much better off just using debit cards, and operating with the funds they actually have. And, again: it is in fact easy for me to say that today, but I believed the same thing when I was younger.

          The crazy thing is coming to realize how little your credit score matters if you decide not to play this game. People say it will impact your ability to get a mortgage or a lease, but: not my experience!

          • skeeter2020 13 hours ago ago

            >> I think most people would be much better off just using debit cards, and operating with the funds they actually have.

            Totally agree, but - and this is another example where the rich(er) benefit - if you actually have the money and good financial discipline you're better off putting everything on your CC and paying it off in full monthly. Let the merchants finance for free for 3 weeks, plus maybe get perks like purchase protection and extended warranty.

          • lxgr 10 hours ago ago

            > No part of my life has been harder for not having revolving credit.

            Maybe not harder, but one undeniable downside is that you've been paying roughly 2% more for roughly every purchase you've ever made (other than rent or mortgage payments and a few other exceptions) than you would have if you had good credit and used a credit card, due to how the US payments market is structured.

            To be clear, I'm not saying that this is a reasonable state of affairs, but it's the reality.

            Another issue that comes to mind is rental cars – while there's no real difference in risk protection to merchants (it's not like a credit card on file can magically make a wrecked or never-returned car reappear), many rental car agencies require them; I suspect because they use them as something of a proxy indicator of "generally responsible-enough behavior to have been issued one by an institution also exposed to risk".

            • tptacek 9 hours ago ago

              I am much, much less afraid of paying a little more on transactions, or of card theft resolution, than I am of racking up credit card debt. Everybody I know that got into a hole on credit card debt was smarter and better organized than I am. I see it as an inherently predatory product.

          • gblargg 11 hours ago ago

            I've never needed credit but chose to get credit cards to establish a credit history for the future, and use their cash back programs. I get 3-5% back on all my purchases, so they've paid well over the years, and I have a good credit score.

          • subhobroto 12 hours ago ago

            > Under the law, credit card issuers actually have more time to deliberate before making you whole, not less.

            Could be but in my personal experience, it has been the exact opposite. That said, I don't use banks. I work with credit unions exclusively. Maybe they have very different rules when it comes to handling debit card fraud.

            The only time I have needed a debit card are when a place doesn't accept credit or charges a heavy markup for credit. Someone here mentioned Robinhood virtual credit card - I need to look into it, but I use a similar service and I keep my debit card locked only to unlock it for the exact window I am actually using it.

            > rented cars, all that stuff. There's really been no point I can think of where I felt like having a revolving credit card would have made any of it more manageable.

            I'm unaware when you last rented a car but when I rented a car last month, the company put a $500 hold on my credit card. That credit card hold went away after I returned the car in good condition a week later. I imagine, if I had used a debit card, that $500 hold would have made $500 disappear from my bank balance during that time. When my nephew rented a car, they put a $2000 hold on his credit card, I'm assuming because he's younger than 21. He certainly doesn't have $2000 to spare in his bank account.

            The same credit card got me a free upgrade on the rental car, primary insurance protection during the rental period (I didn't have to buy the $40/day rental insurance) and got me 5% cashback on the full rental amount essentially undoing state taxes. The estimated cash value of these would have been ~$500 for the week. Using the debit card from my credit union would have got me exactly $0 (plus a reduced balance the whole time).

            OTOH, a credit union shipped me a chipped debit card preactivated. The debit card shipped via regular USPS mail and was stolen along the way. I always keep $400 in my checking account, so the thief emptied my card at Target and 7/11. Within hours of receiving the text about the charges, I called my credit union and informed them of the details. They sent me a binder full of documents to sign. The whole time the money wasn't refunded. They took a month to review evidence and refunded me $50 (of the $400) and told me I would have to provide additional evidence, with wet signatures and notarized, to receive the rest ($350). Every notarized page in my jurisdiction costs $150.

            > EFTA Reg E gives banks 10 days to make you whole

            Interesting - any idea if this applies to credit unions too (because then you just got $350 back into my pocket!)

            > I presumably still somehow owe them $40, and it wrecked my credit score.

            > People say it will impact your ability to get a mortgage or a lease, but: not my experience!

            Are these mortgages or leases from after you became wealthy or from around the time when your credit score was wrecked? I imagine the effects of the Nordstroms credit card wore away 5-7 years (I don't recall exactly which) after the $40 was reported as late. So if more than 7 years passed between these two events, you might have a perfect FICO score now, even though you don't know it. I imagine you can just go to CreditKarma for free and use their free "dispute" charge option to permanently erase that Nordstrom black spot forever. I don't think anyone cares a multimillionaire had a forgotten $40 invoice when they were 19.

            Also, for anyone above $1MM in liquid net worth, most financial institutions treat the credit history as a signal and not the primary signal. I believe you have been above that by a healthy amount for a while now :)

            PS: I am a HUGE fan of yours. I wrote all of the above expecting you absolutely wouldn't have a second to read a word but if you do, Thank You not only for reading (I hope at least some of it helps you) but for your comments on HN from which I have learned a lot.

            • tptacek 12 hours ago ago

              I bought my first property in 2000, when I was in my very early 20s, and definitely wasn't wealthy. I bought a house in Ann Arbor in 2004, when I had no savings and was living on an ordinary developer's salary; another in Chicago in 2005 (don't do what I did) when we were starting Matasano. We sold Matasano in 2012 and my credit score was bad enough then that I was still required to get a secured card despite a relatively enormous sum of money parked in my account.

              I think EFTA covers the mechanism of how debit cards work, not the institutions that issue them, but I'm not an expert. I would lean towards keeping an account for the card I use in normal transactions at one of the Big Four banks.

              • subhobroto 11 hours ago ago

                > another in Chicago in 2005 (don't do what I did) when we were starting Matasano

                Uff. I perhaps can imagine what you were going through the next 10 years.

                PS: I actually would like to hear your thoughts on where cybersec is headed in the age of LLMs (Mythos or not), would it be OK for me to reach out about it (unless you've written about it already)?

      • epcoa 13 hours ago ago

        Well good for you. Us poors in the US like them for what they’re worth.

        • tptacek 13 hours ago ago

          Like what? That banks will make you instantly whole on card fraud to debit cards, and are legally required to do so? I like that too.

          • epcoa 13 hours ago ago

            In addition to nominal fraud prevention (and how is any debit card better) there’s nothing better to claw back transaction fees, so what the fuck am I supposed to do?

            • tptacek 13 hours ago ago

              I'm not saying debit cards are better at fraud prevention and response; I'm saying they're roughly equivalent. The downsides of credit cards are self-evident.

              • criddell 12 hours ago ago

                The downsides aren’t really self-evident to me. I’ve been using credit cards for everything I can for 35 years and I can’t think of any downsides. Even the cards I’ve had that had annual fees I chose to pay that fee because the benefits were worth more than the fee to me.

                I can think of plenty of times where the upsides of having a credit card were realized though.

                • tptacek 12 hours ago ago

                  You don't know anybody in 5-figure+ credit card debt? I know several. I don't know anybody in debit card debt.

                  • criddell 9 hours ago ago

                    No, I don’t know of anybody who has a big credit card debt. I don’t think I’ve ever carried a credit card balance past my payment date.

I did have a six-figure debt to a bank and if I didn't make my payments they would take the house from my family! Much higher stakes than any credit card debt I've ever had.

                    I do have a debit card though and it’s actually not that different from a credit card. If I spend money not in my account I would get charged a $25 overdraft fee plus interest.

                    • tptacek 9 hours ago ago

                      I think that's weird, because I can count off 6 or 7 just off the top of my head, people I know reasonably well, all of them well-educated, and smarter & better organized than I am. I don't really understand the argument we'd be having here: obviously, empirically, credit card debt is an enormous problem in the United States.

                      • criddell 8 hours ago ago

                        I haven’t really talked about that kind of stuff with people I know. I could be surrounded by people who have big debt and just don’t know.

                        A quick googling says that about half of all credit card holders carry some kind of balance each month, so clearly there must be some people in my orbit not paying it off.

                        • tptacek 7 hours ago ago

                          I'd be one of them, but I can't be, because I don't use credit cards.

                          • criddell 7 hours ago ago

I'm too much of a cheapskate to carry a balance and pay interest. And it's my cheapskate tendencies that make me use the credit card for everything for the benefits.

                            • tptacek 6 hours ago ago

                              I 100% get it. I have minmaxer friends who do the same thing, are very good at it, and will never get into trouble. My thing is, revolving credit is a default in the US, and it's not a sensible default for most people.

              • epcoa 13 hours ago ago

                So maybe I’m wrong but the belief is that debit card protections are worse than a credit card in the US. I really don’t have the personal time to test this, but I do know that when I dispute on a credit card it is initially removed until proven valid.

                Again maybe I’m wrong but I don’t agree they are equivalent. It sure fucking feels that way, the money isn’t threatened from my account.

    • Natfan 13 hours ago ago

How is it not also your money when using a credit card? It's in the name, "credit" card. You have to pay it off, no? (I have never ever used a credit card.)

      • skeeter2020 13 hours ago ago

        You are making a purchase ON credit, and unless you are wildly negligent the merchant who accepts payment for the fraudulent purchase eats the costs. You may have to pay the balance owed while the chargeback works through the system but you will not ultimately pay for it.

        Plus - like it or not - our society builds your credit based on your use of a credit card. And if you pay your balance in full every month I'm not sure why anyone would prefer paying up front (debit) vs. free financing.

      • kadoban 13 hours ago ago

        As I understand it, debit cards do have some fraud protection too, but even if it's the same (I don't think it is), it's a way different power dynamic if you're begging for a bank to give you money back (debit card) vs just disputing your credit card bill.

        In practice credit cards just have way better fraud protections.

      • idontwantthis 13 hours ago ago

        It comes with fraud protection and your money does not move anywhere until the end of the next month. With a debit card your money moves immediately.

    • ranger_danger 13 hours ago ago

      In the US at least, there are still federal protections for debit card fraud: https://uslawexplained.com/debit_card

  • fortran77 6 hours ago ago

We had a 5.15 cent charge for "TikTok" on a business card we never used. We have very good password hygiene, and we have YubiKey authentication for all our business accounts. The bank initially told us to file a police report (!) for identity theft.

    I knew it wasn't identity theft. We got a notice a week later that the charge had been reversed; we never bothered with a police report, we just cancelled the card. It had been flagged as suspicious by the bank when it was initially processed, but I'm not sure what was wrong. Perhaps one factor, like expiration date or zip code wasn't right.

    I have a feeling it was stolen with some scheme like this where people just guess numbers by some algorithm.

  • bradley13 13 hours ago ago

Credit cards as a whole use a security model from...what, the 1970s? Sure, they've patched by adding the 3-digit CVC, but really? A huge industry can't do better than that? Honestly, it's pathetic...

    • lxgr 10 hours ago ago

      Between 3DS for online payments and EMV for POS payments (both launched in the 1990s), payment cards could be plenty secure – if the industry were to decide to mandate them for every payment.

      The fact that it hasn't is an interesting study in game theory and economics.

    • psychoslave 13 hours ago ago

    • huggsboson 12 hours ago ago

      BBVA has dynamic CVC

  • jongjong 11 hours ago ago

    Credit cards are a horrible idea. We are essentially forced to use them. It's like giving every person you buy from the password to your bank account and trust them not to steal your money. Wire transfers are better.

    • lxgr 10 hours ago ago

      Arguably it's even more ironic how credit card applications work in the US: Based on yet another, even shorter number used as both an identifier and a bearer token, and that one you can't even change ever...

  • gardenhedge 13 hours ago ago

    Why not debit cards too?

  • bediger4000 13 hours ago ago

    Some have speculated that the entire credit card system is compromised, end to end. I think the real question is why NSA didn't intervene in the early 1990s. Online commerce was just beginning, and the importance of electronic funds transfer was obvious, but the method wasn't set in stone. NSA knew about public key crypto well before the rest of us did. They could have helped set up very secure electronic payments, but chose not to for unknown reasons.

    • lxgr 10 hours ago ago

      What do you mean by "compromised end to end"? A compromise implies that something isn't working as originally designed.

      Credit and debit cards (except for 3DS and EMV) are working exactly as designed; the design just isn't very good from a security perspective.

    • bagels 13 hours ago ago

      "The RSA algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT"

    • yieldcrv 13 hours ago ago

      NSA prefers compromised security so that answers your question

      Credit card system was already around for decades before though

      • fhdkweig 13 hours ago ago

        I heard a rumor that NSA suggested changes to DES encryption that strengthened it from differential cryptanalysis attacks that the public cryptologists weren't aware of yet.

        • plorkyeran 13 hours ago ago

          That isn't a rumor? It's a pretty well documented fact that the NSA was involved in the design of DES and that the magic numbers that people initially assumed were a back door of some sort turned out to make differential cryptanalysis more difficult than randomly chosen ones would have.

      • jongjong 12 hours ago ago

        Reminds me of when I wrote a lightweight blockchain from scratch including the Lamport OTS (quantum resistant) signature scheme and then most of the leaders from my crypto community at the time turned against me for no reason.

The signature scheme I implemented was thoroughly tested. Implemented from reading the Lamport and Merkle academic papers and under 1000 lines of code in total, so pretty easy to audit... Nobody found an issue with it in 5 years. But the suppression was suspicious. The narrative of "Don't roll your own crypto" is suspicious... Is it really better to use the same library as hundreds of thousands of other projects? Is that really lower risk? Didn't we learn from the Axios hack that popularity doesn't provide security?

  • badgersnake 13 hours ago ago

Oh okay, so this is why Amex launched the online card in the app that changes the CVV2 every few minutes.

    • dogma1138 13 hours ago ago

      Amex was late to the party with virtual cards.

      • majorchord 13 hours ago ago

        None of my banks or credit cards support them... not sure how widespread it really is.

    • fph 11 hours ago ago

      3-digits? What is this, an OTP for ants?

    • ranger_danger 13 hours ago ago

I had no idea Amex offers virtual cards... but I looked everywhere in the app and cannot find any such option?

  • dataflow 13 hours ago ago

    Okay but... so what? Authentication is a means, not an end. They seem to be missing that what matters at the end of the day is how much money/time/resources actually get lost, and who's on the hook for it. If that's negligible then isn't that mission accomplished? If we could live in a society where your name was enough and you didn't need a card number at all, and yet theft was still low and you still got your money back, that would be even better, not worse.

  • XorNot 11 hours ago ago

Why credit card numbers are fully persistent baffles me. They were never meant to be memorable, and the whole process is electronic: surely this can be replaced by cryptography at this point?

I've deliberately demagnetized my wife's and my cards and we have black electrical tape over the numbers in public now.

Online purchases are the last remaining problem, which would be completely solved if payments were to random keys rather than depending on everyone having the same number.

    • hocuspocus 8 hours ago ago

      PANs are indeed going away and every transaction could already be tokenized, today. But then the US were 20 years behind on EMV, and SCA is still not a thing.

  • nout 12 hours ago ago

    I'll get the usual hate for this, but in this instance using bitcoin is safer, since it forces you to verify the transaction on your phone (i.e. you use your phone to pay - either scanning QR code or now NFC). In the US the Square payment terminals can now accept bitcoin from any lightning enabled wallet app, CashApp does it natively, etc.