

Non-US Cards Used At Target Fetch Premium - panarky
http://krebsonsecurity.com/2013/12/non-us-cards-used-at-target-fetch-premium/

======
paul9290
Damn it, I want two way verification on any purchase over X amount! Meaning
anytime a charge over X amount (an amount I set) tries to go through I get a text
message asking for me to approve or deny it.

This is getting ridiculous! 1st Adobe who I will never do business with again
(had to cancel my accounts & open new ones) and now Target!

~~~
objclxt
Although it's not two-factor, some banks will send you push messages or texts
for every transaction taking place on the card. I use Simple, they do the
former. One nice feature about Simple is you can disable the debit card
directly from within the app, and then re-enable it if you need to (for
example, if you lose your wallet temporarily).

Simple also sent me a new debit card automatically without prompting, their
systems having noticed I'd shopped at Target last week.

The problem with the two factor system as you describe is that while it works
for 'cardholder not present' transactions (and there already exist standard
two-factor methods for such payments, not that many banks use them), it would
make retail POS payments incredibly slow. You'd have to wait for a text/push,
you might not have any reception, then you've got to reply, etc. This is one
reason why EMV is, for all its failings, more attractive than mag-stripe: it
is considerably harder and more expensive to clone EMV cards.

~~~
panarky
You don't need to wait for a text or push notification, and you don't have to
be online.

Just use a time-based one-time password.

It's instant, secure, and simple. And already available free in Google
Authenticator.

[https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)

[http://code.google.com/p/google-authenticator/](http://code.google.com/p/google-authenticator/)

------
dobbsbob
Interesting that it's cheaper for the banks to buy back their own cards than
reissue them during giftmas.

~~~
onedognight
> Interesting that it's cheaper for the banks to buy back their own cards than
> reissue them during giftmas.

They are not "buying back" anything. The cards can be resold at will.

~~~
dobbsbob
> They are not "buying back" anything. The cards can be resold at will

I see you have never carded. The banks are searching by BIN to find their own
cards, and according to Krebs, buying them back. They said they did this to
avoid having to reissue cards during Giftmas, which is their biggest shopping
holiday, thus saving money.

------
minimax
If we used chip and PIN in the US would this still have been possible?

~~~
jrockway
Can you buy things online with chip and PIN?

~~~
yosoyzenitram
Yes, you can -
[http://en.wikipedia.org/wiki/3-D_Secure](http://en.wikipedia.org/wiki/3-D_Secure)

When I buy something online using my CC, and if the payment processor supports
that (mostly local/european shops), I get redirected to a page on my bank for
verification. Some banks require the PIN to be entered, some others to enter
your login credentials, some coordinates from your code card or even verify
with a SMS code.

Not exactly using the chip, but it involves the PIN surely.

~~~
martinml
If the payment gateway decides to not implement this kind of protection, the
payment goes through anyway (I'm guessing it'll be more expensive for the
merchant, but still).

------
kylebrown
Cool, you can buy CC's there using bitcoin (also Western Union, MoneyGram, and
Lesspay). Explains why you can't do the reverse (buy bitcoin with a CC).

~~~
nemothekid
Bitcoin has always been a popular choice with black marketplaces far before
Bitcoin was popular (think SR and the like), and only became more popular as
LibertyReserve fell over.

However, it isn't really used as a currency, and more as a transport mechanism
for cash (seeing how Bitcoin isn't anonymous at all, I'd imagine the strongest
reason for these guys to use bitcoin is you can't chargeback with bitcoin).

