
Payment Systems in the US Are Bad - wkoszek
http://www.barelyusable.com/payments-systems-in-the-us-are-bad#.ViUnOa0SEVg.hackernews
======
ceejayoz
> Basically my bank knows I have a long password, but they don’t want it all.
> They want only the selected letters. Why? Well, if somebody was to intercept
> the letters that I’ve typed on the keyboard, they would only get a part of
> my password. And if I refresh the page, it will ask for a different set of
> letters.

> I feel it’s fairly safe, yet I hate it.

You should hate it, and it undermines the argument that Poland's doing things
any better. Being able to ask you for just certain characters in your password
means the password is NOT stored securely. It's not being one-way hashed, it's
being stored either as plain-text or with reversible encryption.

~~~
nemothekid
> _Being able to ask you for just certain characters in your password means
> the password is NOT stored securely._

Thinking about this, they could create N different permutations of the
password and encrypt those, and when you login it asks for 1 of N permutations
of your password.

The downside being that if there are N finite permutations and the attacker has
one, they could just refresh the page until they got the permutation that is
needed.
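
The hashed-subset scheme sketched above, with the "refresh until my subset comes up" attack and one further caveat (each stored digest covers only k characters, so a stolen record is brute-forceable on its own, however long the full password is), as an added example. This is not code from any commenter or from the bank in the blog post; the class and function names, the allowed alphabet, the sample password and the (deliberately low) PBKDF2 iteration count are assumptions made for the demo.

```python
"""Added example (not from any commenter): partial-password login backed by
salted hashes of N fixed character subsets, plus the two weaknesses that
come with it. All names and parameters are illustrative assumptions."""
import hashlib
import hmac
import itertools
import os
import secrets
import string

# Constructed assumption: the bank allows these characters in passwords.
ALPHABET = string.ascii_lowercase + string.digits


def pick(password, positions):
    """Characters of `password` at the given (sorted) positions, in order."""
    return "".join(password[i] for i in positions)


class PartialPasswordStore:
    """Stores one PBKDF2 digest per fixed position subset, never the password.

    Because the N subsets are fixed at enrolment, the server can ask for
    'characters 2, 5 and 9' and still verify the answer with a one-way hash.
    """

    def __init__(self, password, k=3, n_subsets=10, iterations=1000):
        # Low iteration count keeps the demo fast; a real deployment would use
        # a far higher work factor, which does not change the candidate count.
        self.k, self.iterations = k, iterations
        rng = secrets.SystemRandom()
        all_subsets = list(itertools.combinations(range(len(password)), k))
        self.subsets = rng.sample(all_subsets, n_subsets)
        self.records = []  # (salt, digest) per subset; no full-password material
        for positions in self.subsets:
            salt = os.urandom(16)
            self.records.append((salt, self._digest(salt, pick(password, positions))))

    def _digest(self, salt, chars):
        return hashlib.pbkdf2_hmac("sha256", chars.encode(), salt, self.iterations)

    def challenge(self):
        """Pick one of the N subsets at random; the client shows its positions."""
        i = secrets.randbelow(len(self.subsets))
        return i, self.subsets[i]

    def verify(self, index, answer):
        salt, expected = self.records[index]
        return hmac.compare_digest(self._digest(salt, answer), expected)


def refresh_until_known(store, known_index, max_refreshes=10_000):
    """The refresh attack: an attacker who captured the answer to one subset
    (e.g. with a keylogger during a single login) reloads until that subset
    is asked again. Returns the number of reloads needed, or None."""
    for n in range(1, max_refreshes + 1):
        index, _ = store.challenge()
        if index == known_index:
            return n
    return None


def candidate_count(alphabet, k):
    """Offline guesses to crack ONE stolen record: |alphabet|**k, which does
    not grow with the length of the full password."""
    return len(alphabet) ** k


def crack_record(store, index, alphabet):
    """Brute-force a single stolen (salt, digest) pair over alphabet**k guesses."""
    salt, expected = store.records[index]
    for candidate in itertools.product(alphabet, repeat=store.k):
        guess = "".join(candidate)
        if hmac.compare_digest(store._digest(salt, guess), expected):
            return guess
    return None


if __name__ == "__main__":
    password = "correcthorse42"  # constructed sample password
    store = PartialPasswordStore(password)
    idx, positions = store.challenge()
    assert store.verify(idx, pick(password, positions))
    # Keylogger model: attacker saw (positions, answer) for subset idx once.
    print("reloads until the known subset came up:", refresh_until_known(store, idx))
    print("guesses per stolen record:", candidate_count(ALPHABET, store.k),
          "vs full password:", len(ALPHABET) ** len(password))
```

With N = 10 subsets the attacker expects roughly ten reloads, and with k = 3 over a 36-character alphabet each stolen record falls to 46,656 guesses, which is why a slow KDF helps far less here than it does for a whole-password hash.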

~~~
hartator
I don't think it's technically possible because they do display some of the
letters.

They are probably just storing the password in plain text or encrypted
somewhere, but I don't think there is a way for it to be a one-way hash.

I'll bet on just plain incompetence.

------
Area12
When I moved from the USA to New Zealand in the early 90s I was surprised at
how much easier the banking was. Sure it's a much smaller country with only
about 25 banks (about six banks have most of the accounts). The key here is
that every account number has the same format and is unique across the
country, and the banks co-operate to make transfers easy. Paper checks are so
rare you can shop for weeks and never see anybody pull out a checkbook. A
debit card system (EFTPOS) was live in the 90s and all of the big consumer
banks supported it; soon most shops supported it too. If you are using the
web, paying somebody in a different bank is as easy as if they were at your
bank. If you pay somebody at the same bank as you the money transfer is nearly
instant; if they are at a different bank it may take 1-2 days.

It's not fair to compare a country of 318 million with a country of 4.5
million, but a little co-operation between the big players might be a good
start. New Zealand's banking co-ordination was the result of an industry
consortium, not a government agency.

------
shalmanese
My favorite anecdote about how structurally behind the US banking system is is
the Check 21 Act:
https://en.wikipedia.org/wiki/Check_21_Act

9/11 caused severe problems for the US banking industry because $6Bn worth of
paper checks were still being flown around the country daily on jet planes.
The grounding of all planes in the week after 9/11 severely gummed up the
workings of the financial system because bits of paper weren't getting to
where they needed to be. It took until 2004 for congress to finally force
banks to end this archaic practice.

Business Insider has a good article about the entire process:
http://www.businessinsider.com/the-death-of-the-paper-check-2013-3

------
intortus
The explosion of payment/transfer options in US online banking is basically
because there is a vast menu of combined authentication and pricing schemes.
So we end up with dozens of awkwardly branded, difficult to use, expensive
products, some of which you can only use between accounts at the same bank.

Now that most banks offer mobile deposits, personal checks are the best money
transfer product.

------
knd775
Slightly off topic, but ITT people seem to not be understanding the difference
between hashing and encrypting.

This is a bit scary. One-way hashing is not reversible (except by brute
force), while two-way encryption is reversible. This is a massive difference
that I wish more people understood.

------
pbreit
Not a great article.

First, there are 1000s of banks in the USA. In many/most other countries,
there are fewer than 10 making it much easier to coordinate.

Second, there's much more "pull" in the USA where recipients pull funds from
senders. This is a key reason why commerce is so much larger in the USA.
"push" adds a lot of friction to commerce transactions.

~~~
legulere
The US system is still pretty bad. Banking throughout Europe works a bit
differently everywhere, but the basis is that you have wire transfer for
basically free (inside the Eurozone, this covers the whole Eurozone). Paying
rent? Just set up a monthly wire transfer.

"Pull" also works and is common in many European countries through direct
debit. You give amazon/your electricity provider/whomever your bank account
number and they just pull the money from you. No sketchy credit card companies
needed, fraud is pretty minuscule.

~~~
tadfisher
> The US system is still pretty bad. Banking throughout Europe works a bit
> differently everywhere, but the basis is that you have wire transfer for
> basically free (inside the Eurozone, this covers the whole Eurozone). Paying
> rent? Just set up a monthly wire transfer.

The reason this came to be is that the Eurozone sets up a more beneficial
system for the banks than the status quo. Barriers to international transfers
hurt both small and large banks, and having many sets of laws and politics
around the rules made them exceedingly difficult to change. The Eurozone fixes
this.

In the US, interbank transfers are regulated by the banks themselves (NACHA)
and the majority are performed in partnership with the Federal Reserve. The
banks have all the power to improve payment and transfer systems, and none of
the impetus. We have been stuck on a 40-year-old daily batch-file processing
system because the banks make too much money on wire fees.

It took threatened action by the Fed and Congress for NACHA to finally make
same-day transfers mandatory for 2016. Note that this is still not a real-time
system, and we are very, very far from such.

> "Pull" also works and is common in many European countries through direct
> debit. You give amazon/your electricity provider/whomever your bank account
> number and they just pull the money from you. No sketchy credit card
> companies needed, fraud is pretty minuscule.

This is how ACH pull works in the United States. It is enticing because the
ACH network is very low-cost and the credit card networks are not involved.
And yet it is a consistent source of fraudulent activity. There is nothing
inherent in a "pull" model that prevents fraud; you need additional controls
around the relationship to prevent that.

~~~
legulere
It actually is way older than the Eurozone; those systems were just
generalized to apply to all of the EU + EFTA with the SEPA payment system. I
guess this stems more from a stronger hands-off approach in the US.

> There is nothing inherent in a "pull" model that prevents fraud; you need
> additional controls around the relationship to prevent that.

I read a bit up on direct debit and it seems like they have fraud problems in
the UK, while there's next to no fraud in Germany. I guess the reasons are
that you can revert it for several weeks, it's perfectly traceable who did it

