Discussion (144 comments) on Hacker News
Blog post from Stripe:
https://stripe.com/resources/more/what-is-a-card-account-upd...
It's bad service from GP's card company though: with network tokens they should be able to see which specific token was abused and revoke just that one.
like
Visa: Visa Account Updater (VAU) https://developer.visa.com/capabilities/vau
Mastercard: Automatic Billing Updater (ABU)
It worked fine for some time, but the problem is that now the stolen credentials are being refreshed as well.
Practically, it's of course not that simple or clear-cut. As most things in payments, this too is a trade-off of cardholder inconvenience, support effort, fraud losses etc.
The token itself does also have an expiry date (it's a mandatory field in most protocols), but that can be updated as well, I believe.
This is highly dependent on your bank. For example, Bank of America lets you view and delete any cards that have been added to a digital wallet right on their website.
Theoretically, it would allow a pretty neat feature of being able to manage all merchants that have a copy of the card in the banking app and revoke said copies – but since token use is not mandatory, that would be fairly confusing, so I haven't seen this yet as far as I remember.
FWIW, India has taken a pretty radical step towards that future at a regulatory level by effectively mandating merchants to no longer store the underlying card number and use tokens instead. I suspect that such an interface would be more common there, but I don't have any personal experience.
If it was leaked somewhere else, I think they wouldn't bother logging in to some unrelated account of mine on an ecommerce website.
It's called Automatic Billing Updater (ABU)
The idea is that if you ask for a new credit card after yours was stolen, your, say, utility providers or other things like Netflix subscriptions can seamlessly switch over to the new credit card number.
It worked fine for a while, but of course the problem is that afterwards the stolen credit card credentials started to be refreshed as well.
(Used AI to fetch the list below.)
Visa: Visa Account Updater (VAU)
Mastercard: Automatic Billing Updater (ABU)
American Express: Cardrefresher
General: Recurring Payment Tokenization
Settlement, the part where the bank agrees to transfer money from your account (in this case increasing your debt on the card) to the merchant, is completely separate from authorization.
Authorization is the modern EMV ("Chip and PIN") authentication, the CVV stuff for online, and any other mechanism by which the bank protects themselves from your fraud and, maybe, as an afterthought protects merchants.
The network is completely OK with Amazon saying "here's a card number, we say they're paying us $400". That's just a settlement; it goes on your bill. No sophisticated cryptography, nothing even as clever as a 4-digit PIN, or remembering your mother's maiden name, just "OK, we trust you". Which means you, as a consumer, need to read your credit card bills and dispute anything you don't recognise or you'll pay.
There is very little incentive for the networks to care if you get ripped off. If you don't dispute it then everybody is happy, and if you do they just claw it back from the merchant and it's not their problem.
This is true for non-3DS online payments, but not for in-person payments or when using 3DS online. In those cases, the issuer is usually liable.
1) https://stripe.com/newsroom/news/card-testing-surge
2) https://stripe.com/blog/the-ml-flywheel-how-we-continually-i...
3) https://docs.stripe.com/disputes/monitoring-programs#enumera...
Enumerating CVC2 with a single PAN is a different story.
>I got the money back via chargeback in short time.
So as evidenced, you are protected by the fraud infrastructure. The bank ate the loss for the fraud and you were made whole. In the end, the banking system cares about fraud loss. And they are exceptionally good at finding the fraud. Making changes to the card payment system is extremely difficult, due to the vast scale of the systems, so without a very good justification that a particular change will move the needle on fraud rates, the banks will opt to not make the changes.
Quite often, the merchant is unfortunately the one eating the fraud, which is creating a bit of a principal-agent problem (in that the issuing bank earns interchange on every transaction, so if they aren't liable for fraud, their default incentive would be to just approve as much as feasible and figure everything out later via chargebacks).
3DS changes that calculus quite a bit, though, and in-person payments are usually the issuing bank's liability as well.
All consumers collectively pay for all the fraud, it’s just that we don’t tend to realize it as it’s not a specific line item on any of our bills, instead we all pay just a little more than we should for everything we buy.
_If_ you notice the fraudulent charge.
Back when I was poor, I was logging into my bank and credit card accounts at least twice/week. I always knew within $20 how much money I had.
As a well-paid tech worker, I'm still checking at each paycheck (2x/month) and paying the credit card off every time, but I'm still scanning the statements for any unexpected charges and to keep a pulse on my spending.
Fun anecdote, my wife started talking to me while I was scanning my statement once and she noticed there was a $20 charge from a business named "Your Side Chick" that she questioned in a joking way. It was from a food cart that specializes in chicken strips.
My experience with eBay (stolen credit card) in particular was that things were going well until eBay sent their stack of paperwork to my bank. Then my chargeback was reversed and shortly after that even my bank account was closed.
So you're not in the clear once you get your chargeback back. That is done initially while they give the other party time to respond. I think it took 30 days or so for eBay to bury me in paperwork, get the chargeback unwound again, and their spiel was so effective that my bank itself then accused me of being the fraudster.
As for
> The bank ate the loss for the fraud
I'm not 100% sure that's true. The entire reason why the chargebackee wants to contest it is because either the chargebackee or the chargebacker is eating the loss. The bank isn't eating that loss. There is no way eBay would have bothered contesting my chargeback and paying their white collar workers for professional time researching if the bank was just going to eat it.
Most merchants won't. But if they do, your bank isn't going to bat for you. If it looks like it's going to take them much time or effort to deal with it they're liable to just throw up their hands and let you duke it out in small claims court.
In my case they had a megacorp ready to fight it on one side, and little old me on the other. So some lady on the phone just insinuated I was a lying scammer and told me my case had been reversed. There was some sort of appeal process I tossed my hat into but it went straight to radio silence and I've not heard from them in years. I would have taken them to court but I moved cross country around the same time and it would cost me $2000 or so for airfare and hotel rooms to show up to the right courts to get $1000 in judgements.
In all cases Revolut promptly reverted the charges and eventually they did a complete reissue of the cards for Japanese market (not sure how they've got around the entropy issue: maybe they've randomized the expiry dates or spread out IINs some more).
So an enormously good anti-fraud mechanism is severely handicapped.
It’s really frustrating for most of the rest of the world.
I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?
Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.
Back when credit cards were first starting out (which happened in the US) the US Congress passed a law, the Fair Credit Billing Act of 1974, that consumers were only liable for $50 of losses as long as they reported the missing credit card within 60 days of the end of the fraudulent billing cycle. This was back when credit card purchases were all made on paper with the machine that went "kachunk" and transferred a carbon copy of your card; everything was done completely offline. That law has not been changed; in fact, most banks completely waive the $50 and don't hold card-holders liable for anything reported (basically, annoying a customer over $50 isn't worth it to the bank). Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit, but banks are still on the hook for all losses reported within 60 days of the end of the cycle. The result is that American banks have invested an enormous amount in real-time monitoring of credit card transactions, and are doing lots of stuff to monitor this; they care deeply since ultimately they are on the hook, but the consumer doesn't care. This is why US cards from the consumer perspective are so much laxer: our banks have invested far more on the back-end because the consumer is held harmless in a way they aren't with European cards.
As a totally separate issue, the EU has regulated the amount of interchange fees that card-companies can charge, but the US has not capped them. The result is that US card-holders can get significant kickbacks for using cards (especially true for the top decile of wealth), in a way that is functionally impossible with EU issued cards that have capped interchange fees. There is a big lawsuit happening now to try and allow merchants to only accept low-fee cards (the standard VISA/MC/AMEX deal requires treating all cards equally, which gives them an incentive to push people to higher interchange cards). We will see what happens with that suit, but until then, American high-spenders can have much higher rewards on their cards, which also encourages greater use of the cards- and making them have less friction than the EU versions.
The actual explanation lies in the game theory of fraud prevention; see my sibling comment for details.
They could, but it's one of those things that really only works if everybody joins. Because 3DS is rarely used right now, a portion of merchants don't even support it, so if you start enforcing it as a single bank, your customers will start complaining that their card doesn't work. The banking industry in the US is also more decentralized than in the EU, so getting everybody to join in simultaneously is hard.
The window of opportunity for 3DS has also more or less passed; the industry is moving on to the next generation of tech (wallets/tokenization), which should be both easier to use and more secure.
It’s the same reason credit card issuers are willing to pay Apple a few basis points to participate in Apple Pay: reducing friction has a non-linear impact on propensity to pay.
The general idea is that if the conversion rate drop of a given security mechanism is higher than the average fraud rate, it doesn't make financial sense to deploy it.
However, at the industry-wide level, this is a pretty classical coordination problem, in that conversion rate only drops because there still is a simpler alternative around unless all merchants and banks were to enforce 3DS at the same time. If there's nothing more convenient left to move to, users will for better or worse have to learn the new, more secure thing, and conversion rates will go up again.
This is what the EU has done with mandating 3DS for many payments, but even there regulators have recognized that a 100% coverage is counterproductive, and there's a sweet spot somewhere in the middle.
As more evidence for the same general idea: US credit cards don't have PINs, because any individual bank introducing them would see a huge drop in usage rates since customers would just use their competitor's card without a PIN instead. In other markets, all cards have PINs (whether due to regulatory intervention or card network incentive), and people have just gotten used to them.
Do you think we are requesting to have less secure payment methods or something?
No, we don't "prefer to get defrauded", but things like this are a matter of negotiation between the card issuers and the merchants.
Not necessarily, the EU has mandated strong customer authentication by law (PSD2), and as a result has practically universal 3DSecure support.
I suspect that banks and merchants would lobby against it due to the work involved. After all, they've already marked up their services and goods to cover the cost of fraud/insurance. So right now they don't pay the cost of it; instead all their customers do, through higher prices than they would otherwise have needed to pay.
The real problem is that in the US, almost no merchants request it in my experience, despite the fact that they'd get an almost free (in terms of conversion rate dropoff) liability shift. I suppose the few US issuers that do support it have a bad enough implementation that the conversion drop is still significant.
The size of the pie being so much bigger means the issuer’s tolerance for fraud is much larger, but it’s orthogonal to whether there’s actually more fraud. In practice credit cards fraud actually impacting customers is vanishingly rare at this point.
Robinhood absolutely nails this. Best virtual credit card system I have ever used. So seamless. Can auth a card for one time use, 24 hours, or indefinite until you cancel. Such a great UI / UX
I know that I am naïve :)
Back to the article: the weak point was a password that led to another merchant not using 3D Secure.
It seems from the article that bad actors have a fully automated system, so (big) merchants should handle automatic login attempts from the same IP address with different accounts. I see it from our Wordfence logs that IP rotation is not so quick, so it could be handled with some permanent IP blocking.
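The detection the comment above describes (one IP cycling through many different accounts in a short window), as an added example that is not part of the thread; the log format and the sample lines are constructed for illustration and do not reproduce Wordfence's real log layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not from the page or any real product):
# 203.0.113.7 cycles through six accounts in ten seconds (a stuffing run),
# 198.51.100.4 is a normal user retrying their own password, and
# 192.0.2.9 hits two accounts but 15 minutes apart.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:07Z ip=203.0.113.7 user=dave result=success
2024-05-01T10:00:09Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:11Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:01:00Z ip=198.51.100.4 user=grace result=fail
2024-05-01T10:01:20Z ip=198.51.100.4 user=grace result=fail
2024-05-01T10:01:40Z ip=198.51.100.4 user=grace result=success
2024-05-01T10:20:00Z ip=192.0.2.9 user=heidi result=fail
2024-05-01T10:35:00Z ip=192.0.2.9 user=ivan result=fail
"""

# Assumed (simplified) line format: "<iso-ts> ip=<addr> user=<name> result=<fail|success>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def flag_credential_stuffing(log_text, window_seconds=300, distinct_users=5):
    """Return {ip: sorted usernames} for every IP that tried to log in to at
    least `distinct_users` different accounts within any sliding window of
    `window_seconds`. Success vs. failure is deliberately ignored: an
    automated run that guesses one password correctly looks the same."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)  # ip -> deque of (ts, user) still inside the window
    flagged = {}
    for ts, ip, user, _result in events:
        q = recent[ip]
        q.append((ts, user))
        # Drop attempts that fell out of the window relative to this event.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= distinct_users:
            flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(u) for ip, u in flagged.items()}


if __name__ == "__main__":
    for ip, users in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"candidate for blocking: {ip} tried {len(users)} accounts: {users}")
```

A permanent block list, as the comment suggests, would be fed from the returned IPs; the window and threshold are the knobs that trade missed runs against blocking shared NATs.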
> The weak point was a password that led to another merchant not using 3D Secure
Well, leaking a password shouldn't cause leaking whole-ass credit card data, IMO. The same data is printed on physical receipts the markets print, sometimes 4 digits, sometimes 10 digits. It's still possible to brute force from unattended physical receipts on the market.
I initially thought the SMS itself was phishing, but after checking online, the SMS format matched and the bank webpage ensured the feedback process would not ask for any information, so we proceeded to confirm that we did not purchase anything.
The bank immediately cancelled the card and shipped a new one.
My initial thought is that the bank safety system could be overreacting, but it was likely that someone was doing exactly what is described in this article and the bank detected it earlier.
I guess the real question here is how are they able to steal from you? Were they purchasing gift cards from a merchant with lax security?
It's one thing to guess a number; it's another thing to get the money out of the system.
That really depends on the processor; many processors do allow merchants to specify your acceptance rules in quite deep detail.
There's a bit of a dichotomy in the processor market: on one side you have those that aim to make it simple for their customers and unburden them, while on the other side you have those that expose all the complexities and give intricate controls. The first side won't allow you to specify security requirements, while the second side will give you a hundred options (of course there are also processors positioning themselves in between). The two sides generally target different customers.
> The data they took with the attempt of purchase is the card is still usable (not cancelled)
The payment flows should not distinguish between a nonexistent card, a cancelled card, and a valid card that needs 3D Secure. I bet the banks could even implement that without any cooperation on the part of the merchants.
With a debit card you’re playing with your own money.
(I'm pathologically avoidant of credit cards, which I think are mostly pointless.)
Under the law, credit card issuers actually have more time to deliberate before making you whole, not less.
In a sense it is though, because it lowers your available credit by the amount of the charge. And the fraudsters are going to try to run you right up to your credit limit, so you end up at the same problem: You now have legitimate charges being declined because the fraudsters locked up your payment card.
No part of my life has been harder for not having revolving credit. I had a family, with two kids, starting in my very early 20s; I have lived on ramen wages several times since then; I've bought houses, rented cars, all that stuff. There's really been no point I can think of where I felt like having a revolving credit card would have made any of it more manageable.
I'd get points and stuff (I have a card now, it has a fuckload of points on it) but that's just an incentive to use the cards, not an intrinsic case for them.
I think most people would be much better off just using debit cards, and operating with the funds they actually have. And, again: it is in fact easy for me to say that today, but I believed the same thing when I was younger.
The crazy thing is coming to realize how little your credit score matters if you decide not to play this game. People say it will impact your ability to get a mortgage or a lease, but: not my experience!
Plus - like it or not - our society builds your credit based on your use of a credit card. And if you pay your balance in full every month I'm not sure why anyone would prefer paying up front (debit) vs. free financing.
In practice credit cards just have way better fraud protections.
The fact that it hasn't is an interesting study in game theory and economics.
Credit and debit cards (except for 3DS and EMV) are working exactly as designed; the design just isn't very good from a security perspective.
The credit card system was already around for decades before, though.
The signature scheme I implemented was thoroughly tested. Implemented from reading the Lamport and Merkle academic papers and under 1000 lines of code in total, so pretty easy to audit... Nobody found an issue with it in 5 years. But the suppression was suspicious. The narrative of "Don't roll your own crypto" is suspicious... Is it really better to use the same library as hundreds of thousands of other projects? Is that really lower risk? Didn't we learn from the Axios hack that popularity doesn't provide security?
I've deliberately demagnetized my and my wife's cards and we have black electrical tape over the numbers in public now.
Online purchases are the last remaining problem, which would be completely solved if payments were made to random keys rather than depending on everyone having the same number.