
Why Credit Card Fraud Is Still a Thing - feross
https://krebsonsecurity.com/2020/07/heres-why-credit-card-fraud-is-still-a-thing/
======
marvinblum
Or, you could go for a debit card with a PIN, like in good old Germany. Credit
cards require artificial fraud protection just because they're literally
unprotected once someone gets the details. Why is there no secret involved?
Just for the few seconds it takes to enter a PIN?

[Edit] I'd like to add that most German debit cards work differently from
what some of you might consider a debit card. Here, the money is withdrawn
from your bank account on the same day (most of the time), and you cannot go
into debt. Of course, there are exceptions to this.

~~~
supernova87a
CC companies in the US made the moronic determination that the American
consumer could not handle the complexity of the PIN. Or that it would take too
much education and infrastructure change to get that to work. So we had a dumb
hybrid approach, and usually the retailer pays for the fallout of this
decision.

Secondly, I (and others) will not use my debit card for transactions (to the
full extent that I can take this position practically), as debit cards do not
have the same protections against fraud as CCs do.

Lastly, an observation: I'm surprised that, given the potential penalties (in
fraudulent charges), restaurants and other retailers don't just bite the
bullet and buy the $100 terminals to get off the swipe system. Maybe it's a
little more expensive if they have to replace those big clunky POS / order
taking machines. But this technology always ends up costing less than what
the complaining businesses say they will have to pay in the beginning.

~~~
rini17
Most of Europe is moving to contactless card payments, and a PIN is needed only
for large amounts (over 20 euro, recently raised to 60 euro) and for cash
withdrawals. The result is that I have already managed to forget the PIN once;
fortunately I had another card.

So, a stolen card can be used for small payments, but there's an easy process
to immediately block it (via app or internet banking).

~~~
ulfw
Good banks allow you to pick your own PIN. For some reason in Europe few do
that.

~~~
fomine3
Looks strange. All my 10+ cards in Japan allow me to pick a PIN.

~~~
_trampeltier
Japan is funny anyway. 15 years ago I could go to any ATM to get cash. Now I
think it is only possible to get cash from a 7-Eleven ATM with a non-Japanese
card.

~~~
fomine3
Now we can withdraw cash from ticket vending machines at train stations, but
maybe no one actually uses it.

[https://www.gmo-pg.com/en/corp/newsroom/press/gmo-paymentgateway/2019/0424.html](https://www.gmo-pg.com/en/corp/newsroom/press/gmo-paymentgateway/2019/0424.html)

------
bluecalm
When I started my business I faced the problem of chargebacks after sending
goods to the scammer. I looked for what Visa and MasterCard recommend to
prevent it. Their advice: "contact the buyer to make sure it's not fraud". My
question was: how am I supposed to contact the buyer if it's the scammer who
actually filled in the contact info form? No answer to that.

One very easy step that would prevent most of the fraud in my case, and I
imagine in many others, would be an option to request the registered email or
phone contact of the actual card owner. "Hello, it's bluecalm from org X, we
have noticed your order and it's marked as suspicious by our system, can you
please confirm you made that order? Yes - great, we are sending you the product
right now. No? Well, contact your bank as your card info was stolen".

It's such an easy and obvious step. Let me contact the actual card owner using
the info they provided. I think the problem is lack of incentives. It's the
seller who covers the cost. At least some of it should be on card companies to
encourage them to actually do something about it. Right now they seem to just
not care.

~~~
DaiPlusPlus
What CC/Merchant system do you use? Have you looked at Stripe’s anti-fraud
system?

~~~
bluecalm
Shopify with PayPal and Braintree. Shopify is usually quite good at flagging
transactions. The problem is that there are some false positives, and just
cancelling every flagged order would cost too much business.

------
larrik
So last Saturday I got a brand new credit card from a brand new bank that I
opened because my main credit card got compromised and I wanted a backup.

Saturday evening I verified receipt of the card, and then put the card on the
counter and left it there. Sunday night / Monday morning, at 1am, I got a text
that the new card was compromised as someone was attempting to use it to pay
some scammer. I never left the house with the card, and I never typed it into
a computer beyond the verification process from my own home.

Wat.

~~~
stimpson_j_cat
I got a notification that my new card was used for fraud while it was _in the
mail on the way to me_

~~~
gruez
Don't cards require activation prior to use?

~~~
stimpson_j_cat
Yes! Fraud dept told me it was someone entering random numbers. What does that
explain?! shrug

------
vinay_ys
India moved to chip and PIN a long time ago and stopped magnetic stripe
swiping soon after. And for all CNP transactions there's an additional factor
of authentication (mainly an SMS OTP from the issuing bank). These are mandated
by the regulator (RBI) and everyone had to comply quite quickly. Yes, receiving
an SMS OTP for every CNP transaction is a hassle, but for the majority of
people this is the only way they have ever used cards, so they are okay with
it.

So, this killed the type of fraud that the author discusses. But there are
other types of fraud (social engineering, ATM skimming etc.) for which the
major defense in India is fixed, rule-based daily limits and mandatory SMS
notifications of any deposit/withdrawal on your account. Of course it doesn't
help very small account holders.

~~~
xmprt
That's an interesting system. Do prepaid cards work without SMS OTP? And how
long do lines get if you have to wait for OTP every time you make a
transaction? Lastly, are cash transactions still commonplace (almost all my
transactions were cash when I was a kid)?

~~~
vinay_ys
For the majority of people, cash is still the main mode of payment. A new
mobile payment system called UPI, which supports P2P payments based on a simple
virtual payment handle (<yourhandle>@<pspbank>) and QR-based P2M (merchant)
payments, is growing rapidly to replace cash.

The government is giving a free/basic bank account to everyone through a
program called Jan Dhan Yojna. So anyone with a smartphone and a free/basic
bank account, or an even more basic payment bank account (requires less KYC),
can pay using UPI. (Of course KYC is still a challenge, but way better than in
other countries due to a national biometric ID system called Aadhaar and
central KYC registries for financial institutions.)

And the regulator is taking a very interesting approach to open banking
through unbundling. For example, see
[https://sahamati.org.in](https://sahamati.org.in) for financial data
unbundling.

------
miketery
I think it's because fraud justifies CC companies charging their fees - i.e.
consumers want peace of mind, so they don't complain when the CC company takes
a 3-4% cut from merchants on transactions. If fraud was nonexistent then CC
companies couldn't justify those fees (i.e. insurance).

------
mysterypie
> _Card-not-present accounts fetched a much steeper supplier commission of 80
> percent, but mainly because these cards were in such high demand and low
> supply._

Some part of that statement doesn't make sense. Normally if something is in
high demand, then it is easier to sell it, therefore the seller can demand
that the middleman, i.e. BriansClub, accept a _lower_ commission. In real
estate for example, when there is a lot of demand for houses (in a "sellers'
market"), you as a seller can easily negotiate a lower commission from your
brokerage agent.

One clarification: When there's high demand and low supply, the end-buyer will
pay a much higher price of course. But the middleman (like BriansClub) should
be charging a lower commission as a percentage, though he or she might end up
making more money because it's a higher priced item being sold. So Krebs's
explanation of why they charge a higher commission for card-not-present
doesn't make sense.

~~~
superhuzza
You're getting it totally backwards here. The supplier commission is how much
of the card's value BriansClub is paying to the supplier:

"On average, BriansClub paid suppliers commissions ranging from 50-60 percent
of the total value of the cards sold."

High demand + low supply of these cards means that the suppliers are getting a
better "price" when selling them to BriansClub, the middleman.

~~~
mysterypie
You are right, thank you. It’s a non-standard way they used the word
commission.

------
stormdennis
I really wish the Krebs site rendered better on mobile browsers. It's a bit of
a pain to read.

~~~
mey
If you are on Android, I suggest getting Firefox.
[https://support.mozilla.org/en-US/kb/view-articles-reader-view-firefox-android](https://support.mozilla.org/en-US/kb/view-articles-reader-view-firefox-android)
The article can be flipped over into Reader Mode and is easy to read in that
way.

~~~
stormdennis
I am using firefox as it happens but there's no reader view on offer for that
site unfortunately

~~~
vel0city
That's strange, on Firefox for Android v68.11.0 every article for
krebsonsecurity.com can render in the reader mode. The main home page does not
work for this, but individual articles work fine.

------
eximius
Because there isn't a secret required to use them?

Chipped cards 'solve' physical card use fraud (assuming they actually do the
crypto they can do - there was another article about it not always being
enabled).

If processing networks just allowed it to be easy to generate one-time codes
to replace putting in CN, exp, and CVV, then online fraud would be solved too.

We have the tools to solve the problem, card networks just haven't deployed
them.

~~~
noahtallen
Yeah. Also, all of my chipped cards can be swiped if the merchant or network
or PoS doesn’t support it. Not sure of the mechanics, but that alone seems to
defeat the purpose entirely

------
rob-olmos
It'd be cool if payment cards had a built-in LCD screen for the PIN as a TOTP.
That shouldn't be much harder for consumers than the existing card
verification/security code.

~~~
Symbiote
It's not built-in, but an external device can generate an OTP (maybe a TOTP?).
Some European banks have used this system for over 10 years, but others just
use SMS or nothing.

[https://en.wikipedia.org/wiki/Chip_Authentication_Program](https://en.wikipedia.org/wiki/Chip_Authentication_Program)

~~~
dzhiurgis
Why not use the card itself as U2F? Most phones have an NFC reader now.

Could be used for both - online purchases and bank logins.

~~~
Symbiote
Perhaps the banks didn't want to trust the security of the phone?

Bear in mind these card readers were introduced in the UK and Sweden in 2007,
around the same time as the first iPhone.

~~~
dzhiurgis
Yet literally every bank trusts the security of the phone + telco when sending
you 2FA token via unencrypted SMS...

------
stmw
I am probably biased [1], but it seems that one-time credit card numbers for
at least online transactions are the answer here. Chips and pins are helpful,
but not for ecommerce... One way to do this is with Abine Blur
([https://www.abine.com](https://www.abine.com)), which has a browser plugin
that automatically creates a new CC number for you. [1] : co-founder of Abine

~~~
strombofulous
How does Abine differ from Privacy.com? I can't tell but from the pricing page
I get the impression that you have to pay to use abine.

~~~
carstenhag
Same here. Very confusing website. Also: I'm a German user and some parts of
the page are randomly German, while most are English. Same on the checkout
page which is a no go for me. Assets are pixelated, the page looks scammy in
general.

~~~
stmw
Sorry for delay, missed the question. I'll pass on the feedback about the
webpage, that's no good. In terms of comparisons, Abine Blur also does masked
phone numbers, masked emails, password management and blocking tracking - in
addition to masked credit cards. Here's a recent review,
[https://uk.pcmag.com/password-managers/38259/abine-blur-premium](https://uk.pcmag.com/password-managers/38259/abine-blur-premium)

------
krimeo
Now if only we had a payment method where the account credentials (ideally
these credentials would be cryptographically verified, that is, it would be
possible to transfer funds only if you have access to the private key) are not
disclosed to anyone and also payments would be as easy as scanning a QR code.

~~~
criddell
Don't you get a lot of that by using a payment system that uses the EMVCo
tokenization scheme?

Apple Pay, for example, uses it.

[https://www.emvco.com/emv-technologies/payment-tokenisation/](https://www.emvco.com/emv-technologies/payment-tokenisation/)

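criddell's pointer to EMVCo payment tokenisation, and stmw's one-time card numbers a little earlier, both rest on the same idea: the merchant never holds the real PAN, only a surrogate that is bound to one requestor and useless without a fresh per-transaction proof. The block below is an added example, not code from the page, from EMVCo, Apple or Abine: a toy token vault in Python that issues a random surrogate bound to a domain and a per-token key, and only maps it back to the PAN when the presenting domain matches and an HMAC cryptogram over (token, domain, amount, nonce) verifies and has not been seen before. The HMAC stands in for the device cryptogram a real scheme uses; the domain names, PAN and nonces are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class TokenVault:
    """Toy token service provider for a card network (illustrative only).

    Stores the real PAN once, hands a requestor a random surrogate token plus
    a per-token key, and maps the token back to the PAN only when the
    presenting domain is the one the token was issued to and the cryptogram
    over (token, domain, amount, nonce) verifies and is not a replay.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, dict] = {}  # token -> {"pan", "domain", "key"}
        self._seen: set = set()             # (token, nonce) pairs already used

    def provision(self, pan: str, domain: str) -> Tuple[str, bytes]:
        # A 16-digit random surrogate: shaped like a card number so it fits the
        # existing rails, but carries no information about the PAN.
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        key = secrets.token_bytes(32)
        self._tokens[token] = {"pan": pan, "domain": domain, "key": key}
        return token, key

    @staticmethod
    def cryptogram(key: bytes, token: str, domain: str, amount_cents: int, nonce: str) -> str:
        """Per-transaction proof computed by the token holder (wallet or merchant)."""
        msg = f"{token}|{domain}|{amount_cents}|{nonce}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def detokenize(self, token: str, domain: str, amount_cents: int,
                   nonce: str, crypt: str) -> Optional[str]:
        """Return the PAN for authorization, or None if the presentment is not acceptable."""
        rec = self._tokens.get(token)
        if rec is None:
            return None  # unknown token
        if rec["domain"] != domain:
            return None  # token lifted from one merchant, presented at another
        if (token, nonce) in self._seen:
            return None  # replayed cryptogram
        expected = self.cryptogram(rec["key"], token, domain, amount_cents, nonce)
        if not hmac.compare_digest(expected, crypt):
            return None  # amount or nonce changed, or wrong key
        self._seen.add((token, nonce))
        return rec["pan"]


def demo() -> dict:
    """Provision a token for one merchant, then exercise the failure modes."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    token, key = vault.provision(pan, "shop-a.example")
    good = TokenVault.cryptogram(key, token, "shop-a.example", 1999, "n-1")
    tampered = TokenVault.cryptogram(key, token, "shop-a.example", 1999, "n-2")
    return {
        "first_use": vault.detokenize(token, "shop-a.example", 1999, "n-1", good) == pan,
        "replay": vault.detokenize(token, "shop-a.example", 1999, "n-1", good) is None,
        "other_merchant": vault.detokenize(token, "shop-b.example", 1999, "n-2", good) is None,
        "amount_changed": vault.detokenize(token, "shop-a.example", 99999, "n-2", tampered) is None,
        "token_reveals_pan": token == pan,
    }


if __name__ == "__main__":
    print(demo())
```

A dump of the merchant's database in this model yields tokens that only work at that merchant and only with a key the merchant's checkout device holds, which is the property that makes a stolen token far less marketable than a stolen PAN.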
------
ggm
Every finance system that wants to remove your burdens has to arrive at a
point where they ask if you permit them to do things with your money without
your consent every time, or in every respect.

It can be one-time or it can be repeat, but the third party actor quality
here, is really strong.

A ->wants money to go to -> B but money is vested through entity C and the
transfer invokes entity D in front of B..

There are events here which are 'do I have your permission to do things with
your money, through agents you don't know' which is really hard to remove.

Even TTP intermediaries doing A <-> B introductions have this burden. It feels
like it's baked into the system rather than something 'optimising' here has
'..except.. you can exploit it' baked in.

------
lifeisstillgood
>>> BriansClub earned close to $104 million in gross revenue from 2015 to
early 2019, and listed over 19 million unique card numbers for sale.

100M for _selling_ card numbers - not actually defrauding, just selling card
numbers ... holy cow.

~~~
grezql
And you have "Jokers Stash" / jStash, which is even bigger than BriansClub.

Other mentions: YaleLodge

UniCC

Credit card fraud is a big, profitable business and has a huge ecosystem built
around it.

~~~
cortesoft
I wonder if the banks could save money on fraud prevention by just buying all
their stolen credentials on the open market and cancelling them all.

I know that would mess with the incentives to steal those credentials, but it
still might be worth it.

~~~
meowface
I believe many of them regularly do exactly that.

------
paulpauper
People steal credit cards not for the cash on the card, but for the
credentials, which are used to register for services with a credit limit, and
then the limit is spent. So a single credit card can be used on hundreds of
services such as Amazon cloud hosting, Facebook ads, Google ads, etc., all
without spending any money. The billing occurs only after the trial limit is
spent. Google Ads will give a $400 credit limit to a new user.

------
manuelmagic
I'm sorry to see how many people here on HN are commenting on debit/credit
card systems without really knowing the topic, spreading false notions,
clichés, absolute conclusions from personal anecdotes, or simply easy
stereotypes about banks and financial institutions.

I usually learn a lot from HN, but I'm sad to say this discussion is full of
low-quality content.

------
ohduran
I was expecting a one liner: "because banks do not lose money if fraud
happens, as they simply trickle down costs to their customers".

~~~
manuelmagic
That's an oversimplification that's simply not true everywhere in the world.

------
juancn
I still don't get why not all cards have two-factor purchases.

Just have my bank or a Visa (or whatever) app send a push notification that I
can approve or reject the charge.

------
StavrosK
I know I'm in the minority here, but I really _really_ like cryptocurrency
flows for this sort of thing. You open the wallet on your phone, scan a QR
code, and you've paid, no need to fish for credit cards, enter additional info
because your transaction looks weird, etc etc.

I wish more sites supported it, and I try to support it on all of mine. I
use/recommend OpenNode, though I wish they had Monero integration, but I guess
everyone has their own pet cryptocurrency they'd like supported everywhere.

~~~
iknowstuff
See also: WeChat, Eurozone's [SCT Inst](https://www.europeanpaymentscouncil.eu/what-we-do/sepa-instant-credit-transfer), Blik

------
Alupis
I can only speak from the ecommerce industry, where you make online payments:

Honestly, credit card fraud still exists because Visa/Mastercard/Amex/Discover
et al have a near-zero liability for fraud. They foist it upon the merchant.

It would be trivial for Visa to notice an account suddenly starts making
purchases from out of the country, or exceeded some threshold of declines,
etc. But, they don't care.

If you, the merchant, accept a fraudulent order, even if it appears fine, you
are on the hook for the chargeback + chargeback fee. Good luck winning one of
these disputes - they're heavily weighted towards the customer. You
practically will lose every claim, and be out all the money for the product,
plus the chargeback fee. Everything can be perfect on the order, AVS, CVV2
code, etc... doesn't matter.

This is why companies like Bolt Payments have sprung up - attempting to
offload that risk from the merchant. They're making a business doing what Visa
could do if they wanted to - pool card data together and look for illegitimate
patterns, and block them.

~~~
marcinzm
>It would be trivial for Visa to notice an account suddenly starts making
purchases from out of the country, or exceeded some threshold of declines,
etc. But, they don't care.

I've had CC companies send me fraud alerts plenty of times and have had them
block payments automatically as well. So please don't make a straw man
argument.

Moreover, what I love when I go on a vacation to a foreign country is having
my credit card stop working and trying to figure out how to make an
international phone call to get it fixed. Credit card companies value improved
customer experience over catching some larger percentage of fraud.

~~~
Alupis
> So please don't make straw man argument.

Your anecdata doesn't coincide with reality. Maybe your card company does -
probably issued through a bank - but most people's don't, and Visa/Amex
proper, etc certainly do not.

You would be surprised by the number of fraudulent orders that are placed on
major ecommerce sites daily. It's up to the ecommerce site to detect the
fraud, and hopefully refund the order in full before a chargeback hits.

Visa literally has all the transaction data for all issued Visa accounts. They
can stop fraud dead, if they had a financial interest in doing so. As-is, they
(and their issuers/gateways/processors) actually profit off fraud, via the
chargeback fee.

The millions of accounts Krebs mentions in the article? Did they all get fraud
alerts when the "carding" transaction was processed on their card... to verify
it was a live account and had available balance? Nope.

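Alupis's two comments in this subthread name the issuer-side signals that a network holding every authorization for a card could check: a sudden change of country, a burst of declines, and the small "carding" authorizations used to confirm that a stolen number is live and has balance. The block below is an added example, not code from the page, from Krebs, or from any card network or processor: it runs those three rules in Python over a constructed authorization log (the rows, card labels, merchants, thresholds and time windows are all invented for the demo) and produces a review queue rather than a hard decline, since, as marcinzm notes above, the country-change signal also fires for a cardholder who is simply travelling.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed authorization log for the demo (not real data). Each row:
# (timestamp, card id, merchant, country, amount in cents, result)
SAMPLE_AUTHS = [
    ("2020-07-10T09:00:00", "card-A", "grocer-1", "US",  4210, "approved"),
    ("2020-07-10T09:05:00", "card-A", "gas-7",    "US",  5500, "approved"),
    ("2020-07-10T09:07:00", "card-A", "shop-x",   "BR",  9900, "approved"),  # country changes within minutes
    ("2020-07-10T10:00:00", "card-B", "store-1",  "US",  4999, "declined"),
    ("2020-07-10T10:00:20", "card-B", "store-2",  "US",  7500, "declined"),
    ("2020-07-10T10:00:40", "card-B", "store-3",  "US", 12000, "declined"),  # three declines in 40 seconds
    ("2020-07-10T10:01:00", "card-B", "store-4",  "US",  3000, "approved"),
    ("2020-07-10T11:00:00", "card-C", "donate-1", "US",   100, "approved"),
    ("2020-07-10T11:00:30", "card-C", "donate-2", "US",   100, "approved"),
    ("2020-07-10T11:01:00", "card-C", "sub-3",    "US",   100, "approved"),  # $1 "is it live?" probes at four merchants
    ("2020-07-10T11:01:30", "card-C", "sub-4",    "US",   100, "approved"),
    ("2020-07-10T12:00:00", "card-D", "grocer-1", "US",  3000, "approved"),  # ordinary activity
]


def parse(rows) -> List[dict]:
    """Turn the tuple rows into dicts with a real datetime."""
    return [
        {"ts": datetime.fromisoformat(ts), "card": card, "merchant": merchant,
         "country": country, "amount": amount, "result": result}
        for ts, card, merchant, country, amount, result in rows
    ]


def by_card(auths: List[dict]) -> Dict[str, List[dict]]:
    """Group authorizations per card, oldest first."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for a in sorted(auths, key=lambda a: a["ts"]):
        groups[a["card"]].append(a)
    return groups


def flag_country_jump(auths: List[dict], window: timedelta = timedelta(hours=2)) -> Set[str]:
    """Consecutive authorizations from different countries closer together than `window`."""
    flagged = set()
    for card, seq in by_card(auths).items():
        for prev, cur in zip(seq, seq[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= window:
                flagged.add(card)
    return flagged


def flag_decline_burst(auths: List[dict], n: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """At least `n` declines inside any span of length `window`."""
    flagged = set()
    for card, seq in by_card(auths).items():
        declines = [a["ts"] for a in seq if a["result"] == "declined"]
        if any(declines[i + n - 1] - declines[i] <= window
               for i in range(len(declines) - n + 1)):
            flagged.add(card)
    return flagged


def flag_card_testing(auths: List[dict], max_amount: int = 200, n: int = 4,
                      window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Small authorizations at `n` or more distinct merchants within `window`:
    the pattern of someone checking which stolen numbers are still live."""
    flagged = set()
    for card, seq in by_card(auths).items():
        small = [a for a in seq if a["amount"] <= max_amount]
        for start in small:
            merchants = {a["merchant"] for a in small
                         if timedelta(0) <= a["ts"] - start["ts"] <= window}
            if len(merchants) >= n:
                flagged.add(card)
                break
    return flagged


RULES = (
    ("country_jump", flag_country_jump),
    ("decline_burst", flag_decline_burst),
    ("card_testing", flag_card_testing),
)


def review_queue(auths: List[dict]) -> Dict[str, List[str]]:
    """Cards to hold for review, with the rule(s) that fired. A queue, not a
    hard decline: country_jump also fires for a cardholder who is travelling."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    for name, rule in RULES:
        for card in rule(auths):
            reasons[card].append(name)
    return dict(reasons)


if __name__ == "__main__":
    for card, why in sorted(review_queue(parse(SAMPLE_AUTHS)).items()):
        print(card, why)
```

The thresholds are the tuning knobs a real issuer argues over: tighten the card-testing window and you catch probes faster but also flag a charity donation followed by three subscriptions; loosen the country window and the legitimate traveller stops getting blocked at the cost of a slower catch.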
