Open question: What's the long game on securing the way credit cards work? Who's working on something interesting that could thwart the whole 'name+number+ccv' leak thing that's been perpetuating in this industry for decades?
I'm just reaching out for anyone who knows about any grand plans, initiatives or rehabs of how credit cards currently work. Keen to read more.
This is a solved problem, really; some banks are less keen on implementing it: generate single use / single purpose credit card numbers in your ebank / mobile app. Leaks are totally useless. Also, more than a decade ago already many European banks were sending a text SMS above a threshold and only approved on a positive reply. Today you'd likely offer sending a push notification.
You have 16 digits on a Visa/MasterCard; the first six are the bank identifier and the last is a checksum digit, thus you have 9 digits to "waste" -- and you can recycle them.
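An added example (not code from the thread) of what a payment backend or log scrubber does with that structure: a Luhn check on the trailing checksum digit, extraction of the six-digit issuer identifier, and masking of the nine "free" digits in free text. The sample numbers are constructed (the first is the widely published Visa test number), and the 12-19 digit length window is an assumption.

```python
# Added example, not from the original thread: Luhn validation, BIN
# extraction and PAN masking as a defender applies them to card data.
import re

# Constructed sample PANs: the first is the well-known Visa test number.
SAMPLE_VALID = "4111 1111 1111 1111"
SAMPLE_INVALID = "4111 1111 1111 1112"

def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes; reject anything that is not 12-19 digits (assumed window)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    return digits

def luhn_valid(pan: str) -> bool:
    """Luhn check: the last digit is a checksum over the preceding digits."""
    digits = [int(c) for c in normalize_pan(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9           # same as summing the two digits of the product
        total += d
    return total % 10 == 0

def bin_of(pan: str) -> str:
    """Issuer identifier: the first six digits, as the comment above notes."""
    return normalize_pan(pan)[:6]

def mask_pan(pan: str) -> str:
    """Keep BIN and last four, mask the middle: what a statement or log should show."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid 13-19 digit run (with optional separators) in free text.

    Non-Luhn runs (order ids, timestamps) are left untouched so the scrubber
    does not mangle ordinary numbers.
    """
    def repl(m: re.Match) -> str:
        s = m.group(0)
        return mask_pan(s) if luhn_valid(s) else s
    return re.sub(r"\b\d(?:[ -]?\d){12,18}\b", repl, line)
```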
Bank of America has discontinued their ShopSafe system for single-use credit cards. Citibank seems to still have their virtual credit card system, but it requires Flash. Are any banks currently embracing it?
The impression I've gotten is that since most of the costs of fraud are on the bank, rather than the cardholder, there's not much incentive for the cardholder to go through the trouble of using single-use cards. And so it's a better investment for the bank to develop good fraud detection algorithms.
In my anecdotal experience, the fraud detection has gotten really good. Every time in the past decade that someone's gotten hold of my credit card number, the bank's caught it nearly immediately.
Specifically, in the EU the new Payment Services Directive 2 requires two-factor authentication on online payments. Banks and issuers do not budge, as merchants pay most of the fraud cost, so government and regulators need to intervene.
Funnily enough PayPal and Stripe were lobbying against this "harming of consumer experience."
Single purpose cards only work for details used for securing online transactions. Many compromised cards come from breached small business POS terminals.
Active confirmation of purchases would be great if it were available, but I'm not aware of any US card issuers that allow you to opt-in to such a service.
I learned about privacy.com here on HN and it has been very helpful for me. You can create virtual cards for single-use or recurring payments. Each card can only be used by one vendor. You also set a max amount.
Exactly, some implementations can even lock it to a single "message" (what you see on the credit card statement) so that it can't be used for a different purchase. Needs cooperation from the merchant not to put the subscription date in the message but otherwise, it's not exactly rocket science.
> KrebsOnSecurity [has] a link to 26 million credit and debit cards. So far the banking sector is [not in a hurry for] re-issuing cards.
Krebs should publish those card numbers to light a fire under the feet of the bankers to re-issue the cards and get them to demand better security on merchant terminals or servers or wherever the info came from. Of course he should publish only the numbers, without the associated names, CVVs, expiry dates, PINs, or other security info.
I don't think there is a risk in publishing just numbers, is there? The search space for valid card numbers is so tiny that I find it hard to believe that anyone could generate a false transaction with just the number and no other associated info.
Krebs could go a step further and provide a verification site à la haveibeenpwned.com where you enter your card number, or the last ten digits or something, and it tells you whether you've been pwned.
I find this kind of black hat cybercrime stuff fascinating. If I wanted to learn more about it (just for learning's sake) what would be some good resources?
Honestly, join these groups and read what they talk about on the forum. Look up what the bigger fraud marketplaces are. Go on tor and read stuff in the dark net markets. All of them more or less talk about methods they're using and they help each other out. This type of stuff ranges from low level script kiddie (copy cat) people to high-level hackers that develop their own methods, search out vulnerabilities and so on.
A good podcast I would recommend is called Darknet Diaries. They have lots of episodes on cyber crime. Episode 32 specifically talks about carding and how the Secret Service took down a guy who acquires the credit card numbers. Most of it involves putting malware on point of sale machines or hacking companies.
Learn Russian and read their forums. Otherwise it'll be a bit more difficult. If you don't know anyone involved in fraud it can be difficult to get inside. You really won't get anywhere if you don't have much to offer.
Are these idiots really still using bitcoin for doing shady stuff lol? Bitcoin can totally be traced. Most people using it are so weak in terms of their security.
This is not looking at the whole picture. The key is, you do not allow your BTC usage to commingle with your real identity. This means you both buy and sell stuff solely with BTC. If you want to buy stuff in the "real world" then you can trade some for Monero or maybe ZCash, and then convert to USD. (Optionally mix it further in other ways..)
BTC is really "pseudo-anonymous" because while you can certainly trace my transactions if you know a wallet address, you still have no idea who or where I am as long as I do not reveal that wallet to be connected to any "real world" identity.
This is still not easy though. For example, if you're serious then you must only transmit transactions within Tor, otherwise the originating IP may single you out. Ideally you should use different wallets for each transaction, and only pool them together after they have each been converted to XMR or similar.
There's lots of gotchas but frankly it's a decent system.
It doesn't seem like an extrapolation given how you phrased it. If you meant to say that "it is only idiocy if you don't know how to anonymize your Bitcoin usage", that is not at all how your comment comes across.
The parent comment cast the first stone by calling the bitcoin users idiots because bitcoin is traceable.
The gap between knowing enough to trace bitcoin, and knowing enough to make bitcoin untraceable is tiny, which means anyone understanding enough to know that bitcoin is traceable but not bothering to research how it can be untraceable is an idiot (when they go online and call all users idiots, despite not having done a tiny bit of research into something pretty well known in the community).
Not normally my choice of words, but I chose to use the language of the comment to humble him a little.
And I was talking to the commenter directly, not generalizing to all bitcoin users. THAT IS an unwarranted extrapolation.