Why Credit Card Fraud Is Still a Thing (krebsonsecurity.com)
160 points by feross 7 days ago | 180 comments

Or, you could go for a debit card with a pin, like in good old Germany. Credit cards require artificial fraud protection just because it's literally unprotected once someone gets the details. Why is there no secret involved? Just for the few seconds it takes to enter a pin?

[Edit] I'd like to add that most German debit cards work differently from what some of you might consider a debit card. Here, the money is withdrawn from your bank account on the same day (most of the time), and you cannot go into debt. Of course, there are exceptions to this.

CC companies in the US made the moronic determination that the American consumer could not handle the complexity of the PIN. Or that it would take too much education and infrastructure change to get that to work. So we had a dumb hybrid approach, and usually the retailer pays for the fallout of this decision.

Secondly, I (and others) will not use my debit card for transactions (to the full extent that I can take this position practically), as debit cards do not have the same protections against fraud as CCs do.

Lastly, an observation: I'm surprised that given the potential penalties (in fraudulent charges), restaurants and other retailers don't just bite the bullet and buy the $100 terminals to get off the swipe system. Maybe it's a little more expensive if they have to replace those big clunky POS / order taking machines. But this technology always ends up costing less than what the complaining businesses say they will have to pay in the beginning.

> CC companies in the US made the moronic determination that the American consumer could not handle the complexity of the PIN

Or maybe they did the math, found that the average US consumer has a handful of credit cards, and figured that if they put a PIN on their card it would get used less. Resulting in less profit for the credit card company.

At least in Europe PIN cards can still be swiped, so you don’t have that problem.

Only up to a certain threshold. After that you have to enter the pin.

I don't think this is correct, because competition hasn't created a better outcome.

Competition doesn't produce good outcomes, it produces winners who then have a monopoly and can create barriers to entry so that competition no longer exists.

Ever heard of market regulation?

Also, don't forget the "winners" are appointed by the consumers, if everyone likes your product what can you do about it?

Are consumers supposed to skip the best option just because the company behind it is getting too big?

> Ever heard of market regulation?

Yes, that's what I'm suggesting.

> Also, don't forget the "winners" are appointed by the consumers, if everyone likes your product what can you do about it?

Ever heard of market regulation?

Shifting blame onto consumers doesn't fix the problem. Instead of establishing who is to blame, we could fix the problem.

> Are consumers supposed to skip the best option just because the company behind it is getting too big?

This is exactly why blaming consumers doesn't fix the problem.

Ah yes, my mistake!

For who?

The big credit card banks make a lot of money.

> restaurants and other retailers don't just bite the bullet and buy the $100 terminals

Because it's never $100 cash.

It's $100, and a subscription fee for the service, and a percentage of the transaction. Indefinitely.

If you already have a really good deal with your provider, this may be a more significant hit to profit than fraud--especially for a restaurant (where fraud is less because you can't reconvert the food into cash unlike merchandise).

I hate the "SaaS" subscription model, but it's infected everything.

That's fair to complain about rent-seeking aspects of SaaS, but credit cards existed before the word SaaS was ever used, and subscription services existed long before computers did.

Thing is, even if merchants didn't buy a new $100 terminal, if they're already accepting credit cards with an old terminal, they're already paying a subscription fee and a percentage of transaction, so in this specific case, it is $100 cash. (Pedantically, it's closer to $300 https://www.merchantequip.com/processing-equipment/wireless-...)

Most of Europe is moving to contactless card payments and a PIN is needed only for large amounts (over 20 euro, recently raised to 60 euro) and for cash withdrawals. The result is that I have already forgotten the PIN once; fortunately I had another card.

So, a stolen card can be used for small payments, but there's an easy process to immediately block it (via app or internet banking).

Since it often is completely unencrypted just use an android phone or whatever to get the details. And since the small-payment-limitation is just in the payment terminal you don't have to care about that either. And blocking the card isn't even immediate.

The card doesn't even need to leave the victim's pocket to read it.

You can't make this stuff up.

Are you claiming that contactless payments are unencrypted?

There really isn't a "payment", the card broadcasts everything needed to anyone who asks. There is no handshake or anything.

And yes, it is unencrypted in a lot of countries.

There are even apps in the play store for reading them.

This is just wrong. https://en.wikipedia.org/wiki/EMV#Transaction_flow

The card processes transactions internally, tracks usage limits for offline, etc. Otherwise you couldn't read transaction history with these Android apps. (But I think history access is now restricted and can't be read from new cards.)

No, there are different solutions, and where I live the common practice is to perform the contactless operation while the cashier is still scanning the goods (and thus the total has not even been established), and just press ok when the final total is presented and be on your way. (if the total exceeds a certain number you will be prompted to enter your PIN, but you do not need to use your card again)

It pretty much is the same thing as swiping the magnetic stripe.

I've read out the information from the card myself and there are multiple demonstrations of it where they have a more powerful antenna and read it from people's pockets in their wallets.

>It pretty much is the same thing as swiping the magnetic stripe.

It's not. A magnetic stripe is a dumb data store; an EMV transaction does cryptographic authorization on the card. If the final amount isn't known it performs the transaction with some dummy value, but from EMV's view it is still a transaction.

What would the point be of a cryptographic authorization if anyone+anything could just query the card details? As is trivially demonstrated.

Maybe it is a highly advanced data store that in the end just sends out the secret in plaintext. Doesn't really make a difference though.

Because it is the cryptographic authorization that allows making a payment, not just the card details. You can read them, but the card number is not enough to make a payment in card-present mode.

The whole point of EMV is that the card cannot be cloned, as is trivially done with a magnetic stripe card. You can do relay attacks, but this is so cumbersome, with a PIN required at higher amounts, that I doubt anyone actually does it in practice.
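As an added illustration of the point made in the exchange above (not code from the thread or from any real EMV implementation): a simplified model in which the chip holds a key that a reader cannot extract, so the readable card details alone do not yield a valid cryptogram, and a captured cryptogram cannot be replayed because the issuer tracks the transaction counter and the terminal picks a fresh nonce. HMAC-SHA256, the message layout and the test PAN are assumptions standing in for the real 3DES/AES-based EMV cryptogram.

```python
import hashlib
import hmac
import secrets


def _tx_message(pan, expiry, amount, unpredictable_number, atc):
    # Hypothetical layout of the data the cryptogram binds together.
    return f"{pan}|{expiry}|{amount}|{unpredictable_number}|{atc}".encode()


class Chip:
    """Model of the card's secure element: the key never leaves it."""

    def __init__(self, pan, expiry, key):
        self.pan = pan            # readable over NFC: the "card details"
        self.expiry = expiry
        self._key = key           # never exported, known only to chip and issuer
        self.atc = 0              # application transaction counter

    def public_data(self):
        # Everything a reader can learn without the key.
        return {"pan": self.pan, "expiry": self.expiry}

    def generate_cryptogram(self, amount, unpredictable_number):
        # Stand-in ARQC: a MAC over the transaction data and the counter.
        self.atc += 1
        msg = _tx_message(self.pan, self.expiry, amount, unpredictable_number, self.atc)
        return {"atc": self.atc, "arqc": hmac.new(self._key, msg, hashlib.sha256).hexdigest()}


class Issuer:
    """Issuer host: knows each card's key and the last ATC it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan, expiry):
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Chip(pan, expiry, key)

    def authorize(self, pan, expiry, amount, unpredictable_number, atc, arqc):
        key = self._keys.get(pan)
        if key is None:
            return False
        # A reused or older ATC means a replayed cryptogram.
        if atc <= self._last_atc[pan]:
            return False
        expected = hmac.new(key, _tx_message(pan, expiry, amount, unpredictable_number, atc),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, arqc):
            return False
        self._last_atc[pan] = atc
        return True


class Terminal:
    """Card-present terminal: picks a fresh nonce for every transaction."""

    def __init__(self, issuer):
        self.issuer = issuer

    def pay(self, public_data, amount, cryptogram_fn):
        unpredictable_number = secrets.token_hex(4)
        resp = cryptogram_fn(amount, unpredictable_number)
        return self.issuer.authorize(public_data["pan"], public_data["expiry"], amount,
                                     unpredictable_number, resp["atc"], resp["arqc"])


def scenario():
    """Returns (genuine, clone_from_details, replay) authorization results."""
    issuer = Issuer()
    chip = issuer.issue_card("4111111111111111", "12/27")  # constructed test PAN
    terminal = Terminal(issuer)

    genuine = terminal.pay(chip.public_data(), 2500, chip.generate_cryptogram)

    # A "clone" built from the readable details only has no key and can only guess.
    details_only = chip.public_data()

    def guessed_cryptogram(amount, unpredictable_number):
        return {"atc": 99, "arqc": hashlib.sha256(b"guess").hexdigest()}

    clone = terminal.pay(details_only, 2500, guessed_cryptogram)

    # Replay: record one genuine response, then present the same response again.
    captured = {}

    def recording(amount, unpredictable_number):
        captured.update(chip.generate_cryptogram(amount, unpredictable_number))
        return captured

    assert terminal.pay(details_only, 1000, recording)
    replay = terminal.pay(details_only, 1000, lambda amount, un: dict(captured))

    return genuine, clone, replay


if __name__ == "__main__":
    print(scenario())  # (True, False, False)
```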

Doesn't matter? I'll just use the details that I got on the internet instead.

Card not present transactions are ridiculously insecure, but that's a totally different matter. That is complaining that EMV doesn't protect against transactions not made by EMV.. of course it doesn't. And these can be charged back easily anyway.

I forgot my PIN too on some cards but that’s because they didn’t have an app that allowed me to easily customize the PIN. But yeah contactless is so practical, paying in the US is such a slow experience in comparison.

I’d say about half of the stores I frequent have contactless payment terminals in the U.S. Far from universal but it’s not like it doesn’t exist here.

yeah but my US bank cards don't support it :( if I pay with my European cards people freak out ("WHAT IS THIS!!!")

I think Coronavirus has pushed many US banks to issue contactless cards. Just got new contactless ones from Amex, Chase, and Bank of America in the past couple months.

Good banks allow you to pick your own PIN. For some reason in Europe few do that.

Really, only a few? I thought it was normal to change your PIN at the ATM.

Looks strange. All my 10+ cards in Japan allow me to pick a PIN.

Japan is funny anyway. 15 years ago I could go to every ATM to get cash. Now I think it is just possible to get cash from a 7-Eleven ATM with a non japanese card.

Now we can withdraw cash from ticket vending machines at train stations but maybe no one actually uses it.

>CC companies in the US made the moronic determination that the American consumer could not handle the complexity of the PIN. [...] So we had a dumb hybrid approach, and usually the retailer pays for the fallout of this decision.

I don't think there's anything specifically wrong (security-wise) with chip + sign for processing. Sure, you don't need to enter a PIN to verify the transaction, but it's not like you can clone the chip, so there aren't any security issues there. AFAIK the only issue is that for some banks, the magstripe information can be read off the chip, which can be used afterwards to spoof a magstripe transaction, which the bank allows (for legacy reasons). The core problem is allowing legacy transactions, not the lack of a PIN.

What's the purpose of a signature even? The retailer is not allowed to (by terms of service) ask you for any ID to compare it against. This is just trappings for show.

Interestingly, here in Finland retailers are required by their terms to check your ID for magstripe purchases over 50 EUR. This policy predates chip cards, i.e. not a new thing.

So there is some regional variation in practices.

Same in Italy, with old swipe cards you have to show an ID; some merchants don't ask but they should.

Anyway, this mostly faded away since most new cards are chip&pin and, more importantly, in Italy most people use debit cards (Bancomat is the common debit circuit here) or... cash :-\

The purpose of the signature is that you sign it when you get the card, then if it gets stolen, they check that signature with the signature of the person signing it.

Of course, no one checks these days.

No, it signifies your acceptance of the card terms. Nobody is qualified to make an accurate comparison.

I picked up my grandmother's medicine from a Costco pharmacy for a while. One time, there was some question of whether she had picked up her medicine or a charge or something. To resolve this, the pharmacist printed a sheet of the latest signatures associated with her account. All were indeed mine.

No one was ever checking. It would have been pointless to try.

Aren't you supposed to sign the back of your card in the provided space? Or is it different by country?

If you lose the card someone can just use it if there is no pin. Lose a card with a pin it can’t be used.

I do agree that it's one deficiency, but it doesn't matter much. The vast majority of fraud isn't from people finding credit cards off the ground and going into stores with it. There aren't organized criminal rings for it because it simply doesn't scale. Not to mention that you have a very limited window to spend it compared to a skimmed card. The banks probably figured that adding pin adds marginal security for significantly more hassle.

> The vast majority of fraud isn't from people finding credit cards off the ground and going into stores with it

I must confess that I actually did once find a credit card on the ground while walking through an outdoor parking lot--and I did start using it in stores.

It was one of those mini cards some banks issued that were designed to go on a key ring for convenience. From the wear on it, it had been out there at least a couple days.

When I picked it up I had every intention of reporting it to the bank. However, when I picked it up and saw the name and photo--they were mine!

I pulled out my key ring and sure enough, my card was missing. I didn't use that card much, but still, I used my key ring several times a day so I have no idea how I failed to notice that it was missing.

As to how it fell off, there was a hole in the corner for the key ring to go through, and the card had cracked between the hole and the edge. The next two times my bank issued me new cards and included a key ring card, the same kind of crack developed. I stopped using them after that as the risk of losing them seemed too high.

Bank of America stopped issuing them in 2010, after 8 years. I wonder if it had anything to do with a high lost card rate?

The movement towards eWallets is a better UX than a pin, as the device is a witness factor (chip) while the device-level auth (passcode or <body part>Id) represents similar proof as a pin. The added benefit, here, is that users can order online with as much safety as at a terminal (Maybe I'm missing a nuance or two here?) and no terminal is necessary.

> retailers don't just bite the bullet and buy the $100 terminals to get off the swipe system

I think it's been about a year or more for me since I last swiped my card (or saw it swiped). 100% chip/EMV or Apple Wallet here.

I severely miss swiping every time I have to sit there for ten seconds staring at a terminal with the chip in, waiting for it to obnoxiously beep. Phone NFC is a bit nicer when it works (often doesn't) but I wish it didn't require authentication. Swiping feels like the golden age of shopping convenience.

With the exception of Amex and Discover and a few others that issue their own cards, Visa and MasterCard don't issue the cards. Thousands of banks and credit unions do. They're the ones responsible for managing fraud on those accounts.

The banks decided the PIN part of chip and PIN only protects against physical theft -- what they call "lost and stolen" fraud.

Assuming that is accurate, given the costs associated in dealing with customers who forget their PINs, and the fact that Visa massively pushed for chip and signature, it's not hard to see why none of the banks wanted to be the hardest card to use in the wallet: Lost and stolen is an infinitesimal amount of loss for them when compared to counterfeits and e-commerce fraud.

The average US card user has something like 5+ cards. You are not supposed to re-use or write down pins. PIN use would not scale past one or two cards.

What’s the difference in fraud protection debit vs credit?

I’m not a fan of using credit cards as you’re constantly in debt and need to make sure you’re paying back your balance.

Better protected with a CC because you are spending a bank's money and not your own. Obviously they will care a lot more about theirs; however, nowadays debit cards have very similar protections. Just pay the full balance every month and you never go into debt, and with the right card you will earn a free vacation once a year with the bonuses.

You are protected by consumer credit laws with a credit card which puts responsibility on the retailer and card issuer. You can issue a charge back and it's their mess to sort out.

A debit card puts the onus on you. Your bank will probably help you but they're doing so for good customer service, not because the law tells them to.

If you are the victim of fraud or faulty goods, a credit card is on your side. Otherwise with a debit card you may have to rely on the courts.

Rule of thumb, use a credit card for everything but set it to clear the balance every month.

> You are protected by consumer credit laws

What country are you referring to? Is it a widespread thing?

Retailers buy POS terminals? Not rent them from their bank?

> as debit cards do not have the same protections against fraud as CCs do.

I am curious: how often were you defrauded, how and where?

Doesn't matter, what matters is sleeping safely at night knowing that if a company gets hacked and loses card details, my credit card being fraudulently used is the bank's problem. With a debit card it's my problem that the bank isn't legally required to help with.

In Europe (at least in some countries) local law dictates that unauthorized debit card payments are to be reimbursed by banks.

Reimbursed, sure. After the money is already out of your account for potentially multiple days, while your other payments bounce. With a credit card the only thing stolen is the bank’s money.

You are saying that poor people (as in, people who have not enough money in their account to sustain living after a fraudulent transaction) should have credit cards instead of debit cards? Here I would not even be able to get a CC if I made under a certain amount/month, which would not make me poor enough for that. Or do you mean something else? Cards (debit/credit) normally (and for good reasons like this) have limits far below what I have in my account and the bank is good at detecting fraudulent transactions. Credit is considered not good for people who are not well off here; there are entire TV campaigns to dissuade them from it, so I am curious if you are recommending it and if that is normal in, presumably, the US.

Debit cards in the U.S. are usually only limited by the amount of cash in your checking account (sometimes not even then, US banks are big on "overdraft protection"). If it's the day after payday and you have $1200 in your account, and someone steals your debit card, you can very easily be drained to near zero. The only saving grace would be if the bank's fraud detection kicked in due to unusual purchase patterns. I'd still rather the thief steal the bank's money, not mine.

That is not true here in the EU. You can reverse debit card transactions and direct bank debit transactions.

Having chip/pin is orthogonal to the card being a credit or debit card. If anything, at least in the US a credit card has better protections in the event you are defrauded. If a fraudster drains your debit card, your money will be gone until they reverse the charges which can be days or weeks. In the meantime you won't be able to pay your bills or your rent, which can cause you to rack up late fees. On the other hand, if a fraudster drains your credit card, they stole your bank's money, not your money. The money is still in your account.

I have never used a credit card when living in Europe, it was a debit card... but it is effectively debited at the end of the month only. So you have to pay in full at the end of the month. And the bank is responsible for the security on the card, so if it is hacked somehow, the bank has to fix/pay for it. So, it is a bit strange when moving to the US, and then being responsible for the poor security of the cards (debit or credit) provided by my US bank. Now the anti-fraud system is pretty sophisticated. I once got my CC copied at a fast food place, charged fraudulently less than 30 min after my order at the fast food place, and had the CC company call and ask me to verify the fraudulent charge. It is just strange to not spend that money upfront on better security on the cards, rather than leave it wide open and then build complex/velocity/AI systems to flag potentially fraudulent charges, call me, cancel charges, and send me a new CC.

> but it is effectively debited at the end of the month only. So you have to pay in full at the end of the month.

In the US, you've described "Charge Cards." Some of the cards American Express offers are charge cards. (I don't know of other vendors with such cards.)

Diners Club, although they're a very small player. Some corporate cards as well, I believe. Possibly some of the niche cards targeted at people with very bad credit act this way as well.

Basically the very large majority of consumers won't see a charge card besides AmEx.

Wait, how are you responsible for poor card security? You are protected from more than $50 in liability by federal law, and from more than $0 by virtually every issuer's policy. More often than not, your issuer automatically detects and blocks fraudulent purchases.

It’s the first of the month and your mortgage and car payment is debited. Except some asshat drained your account and the overdraft exceeds your accounts limit.

Eventually everything gets fixed, but you deal with a lot of stress and risk.

There’s literally no reason to not carry a credit card and have the bank hold the risk.

>I have never used a credit card when living in Europe, it was a debit card... but it is effectively debited at the end of the month only. So you have to pay in full at the end of the month.

This is pretty much how the high tier credit cards work in the US (or at least how the people who own them say they work). The CSR has some insane 28% APR, way higher than Chase's mid tier card. Amex's premium cards (Gold, Platinum) also work the same way.

In your case, what happens when you don't have enough money at the end of the month? You are effectively in debt.

Not sure where you got your APR info, but it is not correct. CSR's advertised APR[1] is 17% to 24%, which of course varies based on your credit history. I checked my own account and see my CSR's APR is 16%, and it's sometimes possible to get a decrease if you ask. (To compare, I also have a Freedom, the mid-tier card, at 15% and the Amazon card at 18.25%.)

I also have an Amex, which is nominally a charge card, but they are now functionally no different than a credit card. It has an 18.25% APR for the "Pay Over Time" balance.

Of course, none of this really matters if you're using the cards responsibly, because you pay the statement balance in full every month. The grace period means there is no interest at all. No credit card has a good interest rate (outside of promos), and if you need to borrow money, there are better ways of doing it.

Any credit card should be treated like a charge card or debit card. Don't spend more than you have, put it on auto pay, zero interest is charged, your bank account is debited once a month, and along the way you collect lucrative rewards and get better fraud protection and fringe benefits.

(Admittedly, this all assumes that you can qualify for a decent card and can use it responsibly, which sadly the majority of Americans cannot.)

1. https://applynow.chase.com/FlexAppWeb/pricing.do?card=G3L2&p...

Yes, you are in debt. Depending on your bank, your history with the bank, and the amount owed, it can go from nothing, to triggering a penalty, or an immediate freeze of all your bank accounts (across all banks/institutions in the country). The whole freeze happened to me (not my fault), it is pretty impressive. All debit/credit cards are rejected immediately, you'd better have some spare... and visit the bank that issued the asset freeze and fix it. So, yeah, you learn quickly to not overspend.

At some point someone is paying for the fraud, and it's not the bank, it's the merchant, which slightly increases the price to account for that, so in the end you pay for it. Same for cashback.

I work in the credit card industry. It's more complicated than that. Who has EMV enabled correctly greatly shifts the fraud load. But banks can and do pay a huge part of the fraud, which is passed on to consumers in higher interest rates. Merchants pay "cashback" by some definition but it's fungible. If there were no cashback that money would go directly to the banks and the end user would have lower interest rates.

What I mean is it's like every insurance, they estimate the risk and collect enough money to pay for this.

As you say, it is orthogonal. Why not have both? You pay for the fraud with higher fees compared to a system where fraud is prevented by additional security.

Credit cards do have this, that's one of the use-cases of the pin on the back. The eWallet products being pushed by various companies neatly bridges the chip/pin to the card, giving chip/pin style protections digitally.

Most phones require you to use some form of passcode (6 digits, TouchId, FaceId) which are effectively pins prior to using a payment method. Additionally, there are secure chips in your devices to do the actual processing. This means that digital purchases through eWallet methods are effectively chip + pin while still getting credit card fraud protections.

When I lived in Europe, all my cards required 2FA via 3-D Secure for online orders (variously marketed as Verified by Visa and so on). This would ask me to use my bank's authenticator to generate a one-time code.

I've seen 3-D Secure flash by when doing online orders in the US, but it's never required any authentication. It just says "3-D Secure" briefly and then it's seemingly skipped. Do banks simply not roll it out?

It's rolled out, they're typically incredibly invasive fingerprinting scripts that also port scan you/your LAN.

Amex's 3D implementation seems to consistently ask for a 6-character passcode if it doesn't pass through.

Yeah, I worked for a certain security company, and it took me way too long to realize the reason "3d Secure never effing works" was because I was using it from my corporate LAN, which was blocked/flagged due to scanning activity.

I really never got credit cards, I didn't even own one until I had to make some purchases on American websites. In the Netherlands and most EU countries we all have debit cards protected by a pin, and all transactions are basically instant and increasingly contactless.

As for purchasing stuff on-line we have a system called 'iDeal' which is supported by every bank. You just go to the checkout, scan a QR code with your banking app, accept the purchase in the app and it's done.

It still comes to me as a surprise that in a connected world like today you can make a purchase in someone's name by just knowing a bunch of numbers on a piece of plastic, no verification needed.

Credit cards vs debit cards has nothing to do with security. Both debit and credit cards have chips, both have instant and contactless transactions, both can be set up for 2FA with your bank when you purchase online (not all banks may offer this feature, but a lot do).

The main difference is that credit cards allow you to carry a balance. Why use a credit card? Because most banks offer cash back deals when you do. I get a 3% discount on all my transactions when I use my CC, some get points to travel for free. Credit cards help you build a good credit score to get better interest rates on loans and mortgages.

> Because most banks offer cash back deals when you do. I get a 3% discount on all my transactions when I use my CC, some get points to travel for free.

That's an American thing, it's non-existent in Europe (at least in The Netherlands). Also, in the end it's not a discount, it's just your own money that you get back in an inconvenient way. It's paid from the credit card fees that retailers pay, which they pass on to you (either directly as a fee, or indirectly as higher prices). The whole idea of e.g. paying less for gas when you pay in cash is insane in most of Europe.

> Credit cards help you build a good credit score to get better interest rates on loans and mortgages.

Credit scores are another American thing that seem insane to most Europeans.

Yes, and the article is about American CC.

Why are credit scores insane? How do lenders evaluate if it's risky or not to issue a loan to an individual? How do you reward individuals who manage their finances correctly?

Lending seems to be far less of a thing in most European countries. Not taking into account business loans, the only loan most people take on in their lives is a mortgage. (Which has a lot of requirements.)

Also, a "credit score" kind of system does exist in most countries, but it is usually an administrative record kept by a government agency which blacklists you from taking out more loans if you cannot pay them.

It seems the system is mostly based around a negative feedback loop (punishing people who haven't paid) instead of a positive one.

Credit cards in the UK offer Section 75 protection, so they are definitely worth it for purchases over £100.

I use my credit card for all my purchases and pay the balance off in full every month, mainly for the rewards, but that peace of mind for big purchases is great too.

You can make a purchase on an American website with a debit card.

The point of the credit card is to borrow money and pay it back later. That's all.

Most Americans have both Debit and Credit cards and will switch between them based on their financial need.

> You just go to the checkout, scan a QR code with your banking app, accept the purchase in the app and it's done.

And those people who don't have data for their phone?

> that in a connected world like today

Not everyone is connected.

> And those people who don't have data for their phone?

It works fine over wifi. For those without internet at all, well, then you can't order anything online either ;)

(I know of at least one bank, but there are probably more, that also offers a (free) hardware device for people without a smartphone.)

> You just go to the checkout, scan a QR code with your banking app

Ugh, no thank you. I just wave my watch over the device and I'm done. Nothing to take out, no apps involved.

For online purchase?

Actually, yes. I use ApplePay whenever possible. It pops up a dialog that allows me to choose the email and physical addresses I want to expose, and the card to use, and then I either use the fingerprint scanner on my laptop to confirm, or double-click the button on my watch.

Does debit vs credit really matter? I have a pin for both my MC debit and credit cards (same with Visa earlier) and any online purchase requires 2FA (MasterCard SecureCode and VerifiedByVisa respectively).

I wouldn’t make a transaction online without those 2FA measures and I wouldn’t make an in person transaction without pin. I haven’t checked actually but I assume the cards can’t be used without pin/2FA e.g if the details were leaked.

I don't know how much stock I'd put into SecureCode etc. Recently I discovered that American Express's SafeKey could easily be bypassed on BestBuy.com by leaving the browser tab open for ~15 minutes.

I assume it's up to the e-commerce site to implement the check, and in this case it had timed out and they decided to process the order anyway.

Sure, you'll probably win any chargeback, but they don't necessarily prevent the charges in the first place.

2FA doesn't always ask for a PIN, depending on some fingerprinting the payment can be processed without further checks.

With the new 3D Secure EU regulation this will become the standard in Europe. My credit card works without those security measures at the moment.

> I wouldn’t make a transaction online without those 2FA measures and I wouldn’t make an in person transaction without pin.

Even if you don't, if your card details get leaked, fraudsters definitely will. You can't prevent that by shopping selectively.

Hopefully they can soon block non-SecureCode transactions, since there are almost no such stores now. I haven't seen one for years.

Same that happened with pins 20 years ago, once all stores had them, you could no longer make a purchase with just card+signature.

What’s needed is a block for use in countries where this hasn’t happened. Not sure if that’s the case.

In the EU, it will soon be mandatory for both merchants and issuers to support 3DS, whereas in the US it is still pretty uncommon – and card details work worldwide.

A geo block could theoretically work, and I know of some issuers doing just that, but it's also pretty inconvenient when traveling or shopping online.

Both my Debit and CC have pins. However there does not seem a means by which I can force my bank to only accept purchases which provide it.

Let alone have a SMS mode where I have to approve all purchases made on the card. Provide retailer, state, and cost.

In this case, the bank is defrauded, not you.

CVV is supposed to be the secret that no merchant is supposed to store. It doesn't work. It can easily be skimmed from a hacked site and users can be tricked into giving it up on a phishing site.

Want to fix credit card fraud online? Make the banks require support for extended address verification so merchants can verify the email address is connected to the credit card. Credit card fraud will be caught faster with less risk to the merchant and credit card holder. People will notice the order confirmation email of a fraudulent purchase and reach out to the bank and merchant instead of the old way of waiting till you get your credit card statement. Also for high-risk orders (e.g. billing doesn't match shipping, or digital goods), having a known email helps mitigate risk because they can confirm that the order is legitimate before fulfillment.


...and if your bank happens to suck, then the loss of getting owned by one is now your problem, not theirs.

Idk in Canada all visas and MasterCards have PINs.

They can be tapped at most retailers for dollar amounts under $100, but there is an extra charge for the merchant (likely due to the risk?).

My partner owns a clinic and we don’t allow taps as a result. We also only ever do card present, chip + pin transactions. This means we save between 0.4-0.8% of the transaction price depending on the card.

95% of all Enterprise car rental fraud occurs with debit cards (as per a recent conversation with a manager)


I will not use my debit card at anything other than an ATM.

If someone steals my credit card (happens on average once a year), the missing money is the bank's problem.

If someone steals my debit card, the missing money is my problem.

Oh can’t pay my mortgage because my checking got drained? Sucks to be me...

That is literally how almost every country’s debit card works

Many people miss the fact that fraudulent purchases are not their problem. Adding a pin, at least in Canada, potentially puts the onus on the cardholder to prove they didn't make the purchase. Although, even though the language of the contract says this, the companies generally don't enforce that. But chip/signature still means the store and the credit card company are risk managing it as part of the cost.

> Here, the money is withdrawn from your bank account on the same day (most of the time), and you cannot go into debt.

Where do debit cards not work like this?

Another ridiculous fact - a legitimate cardholder cannot use the card if they haven't got the physical card with them for the pin on the back (unless they wrote that down somewhere). The bank will not give it to you (and may not have it). Ironic, considering an attacker would have that pin 100% of the time, whereas the legitimate cardholder might not.

A chip is much better than a pin. A pin can be stolen, just like the card.

With a chip, the secret data never leaves the card during a transaction. Even if the business is hacked, or if the POS system is compromised, the stolen data can't be used for anything.

With a pin, if someone hacks a POS system (or installs a fraudulent one over it), they can capture both the number AND the pin at the same time.

Germany also uses chips. In fact every country I ever lived in used chips + PINs.

What's artificial about fraud protection that doesn't depend on a pin?

A pin verifies the bearer, systems that don't require them evaluate each transaction. It's not like US merchants are all choosing to stop accepting credit cards, so fraud probably isn't that big a problem.

Hrm. No. At least for Deutsche Bank Privatkunden it is real-time. I guess it has to be for the others too, because how else can you ensure not going into debt? Incoming money could take a while, but no longer than a full workday either.

How is that different from other debit cards? It shouldn't be possible to go into debt with a debit card. And, typically, you need to use your pin to use a debit card. This is different from a credit card.

I don't understand your [Edit]. Of course that's how debit cards work. Debit cards exist in the US too, and they work exactly like that, with a chip, a PIN and withdrawal on the same day.

And why not make the secret mandatory only for amounts > $THRESHOLD

Pin limit was raised from €20 to €40 for my card due to Corona (slightly higher risk to have fewer people touch the keypads).

Well, that has become a practice already, even in countries like Germany where most people still prefer cash. I think it's < 50€ for my card, but even then I usually get asked for the pin.

When I started my business I faced the problem of chargebacks after sending goods to the scammer. I've looked for what Visa and MasterCard recommend to prevent it. Their advice: "contact the buyer to make sure it's not fraud". My question was: how am I supposed to contact the buyer if it's the scammer who actually filled in the contact info form? No answer to that.

One very easy step preventing most of the fraud in my case and I imagine many others would be an option to request a registered email or phone contact to the actual card owner. "Hello it's bluecalm from org X, we have noticed your order and it's marked as suspicious by our system, can you please confirm you made that order? Yes - great, we are sending you the product right now. No? Well, contact your bank as your card info was stolen".

It's such an easy and obvious step. Let me contact the actual card owner using the info they provided. I think the problem is lack of incentives. It's the seller who covers the cost. At least some of it should be on card companies to encourage them to actually do something about it. Right now they seem to just not care.

What CC/Merchant system do you use? Have you looked at Stripe’s anti-fraud system?

Shopify with PayPal and Braintree. Shopify is usually quite good at flagging transactions. The problem is that there are some false positives, and just cancelling every flagged order would cost too much business.

So last Saturday I got a brand new credit card from a brand new bank that I opened because my main credit card got compromised and I wanted a backup.

Saturday evening I verified receipt of the card, and then put the card on the counter and left it there. Sunday night / Monday morning, at 1am, I get a text that the new card was compromised as someone was attempting to use it to pay some scammer. I never left the house with the card, I never typed it into a computer beyond the verification process from my own home.


I got a notification that my new card was used for fraud while it was in the mail on the way to me

Don't cards require activation prior to use?

Yes! Fraud dept told me it was someone entering random numbers. What does that explain?! shrug

Which bank?

I think it was US Bank but this was some years ago

Probably not what is happening, but I've wondered if NFC cards can be compromised in the mail.

I would imagine:

- you could locate the cards without opening the envelope

- maybe you could make a charge without opening the envelope

Which bank is it from? Name and shame!

There are frauds that happen during the shipping. Or there could be a malware on the computer. Why do you assume that the bank is at fault?

India moved to chip and pin a long time ago and stopped magnetic stripe swiping soon after. And for all CNP, there's an additional factor of authentication (mainly, SMS OTP from the issuing bank). These are mandated by the regulator (RBI) and everyone had to comply quite quickly. Yes, receiving an SMS OTP for every CNP transaction is a hassle, but for the majority of people this is the only way they have ever used cards, so they are okay with it.

So, this killed the type of fraud that the author discusses. But there are other types of fraud (social engineering, ATM skimming etc.) for which the major defense in India is fixed rule-based daily limits and mandatory SMS notifications of any deposit/withdrawal on your account. Of course it doesn't help very small account holders.

That's an interesting system. Do prepaid cards work without SMS OTP? And how long do lines get if you have to wait for OTP every time you make a transaction? Lastly, are cash transactions still commonplace (almost all my transactions were cash when I was a kid)?

For the majority of people, cash is still the main mode of payment. A new mobile payment system called UPI that supports P2P payments based on a simple virtual payment handle (<yourhandle>@<pspbank>) and QR-based P2M (merchant) payments is growing rapidly to replace cash.

The government is giving a free/basic bank account to everyone through a program called Jan Dhan Yojna. So anyone with a smartphone and a free/basic bank account, or even a more basic payment bank account (requires less KYC), can pay using UPI. (Of course KYC is still a challenge, but way better than other countries due to a national biometric ID system called Aadhaar and central KYC registries for financial institutions.)

And the regulator is taking a very interesting approach to open banking through unbundling. For example, see https://sahamati.org.in for financial data unbundling.

SMS OTP is only for online transactions (On the bank's website, amazon, etc)

Physical Card + 4 digit PIN is at the ATM or the bank. So no long lines waiting for OTP.

I think it's because fraud justifies CC companies charging their fees - i.e. consumers want peace of mind, so they don't complain when the CC company takes a 3-4% cut from merchants on transactions. If fraud was non-existent then CC companies couldn't justify those fees (i.e. insurance).

> Card-not-present accounts fetched a much steeper supplier commission of 80 percent, but mainly because these cards were in such high demand and low supply.

Some part of that statement doesn't make sense. Normally if something is in high demand, then it is easier to sell it, therefore the seller can demand that the middleman, i.e. BriansClub, accept a lower commission. In real estate for example, when there is a lot of demand for houses (in a "sellers' market"), you as a seller can easily negotiate a lower commission from your brokerage agent.

One clarification: When there's high demand and low supply, the end-buyer will pay a much higher price of course. But the middleman (like BriansClub) should be charging a lower commission as a percentage, though he or she might end up making more money because it's a higher priced item being sold. So Krebs's explanation of why they charge a higher commission for card-not-present doesn't make sense.

You're getting it totally backwards here. The supplier commission is how much of the card's value BriansClub is paying to the supplier:

"On average, BriansClub paid suppliers commissions ranging from 50-60 percent of the total value of the cards sold."

High demand + low supply of these cards means that the suppliers are getting a better "price" when selling them to BriansClub, the middleman.

You are right, thank you. It’s a non-standard way they used the word commission.

My reading was that the card sellers had "negotiated" (Market equilibrium) a higher commission, meaning that the card sellers do get more money (Which makes sense, as the supply/demand for what they are selling is more in their favor).

I read it as [BriansClub] pays 80% of the sale to the hackers for that data.

I really wish the Krebs site rendered better on mobile browsers. It's a bit of a pain to read.

If you are on Android, I suggest getting Firefox. https://support.mozilla.org/en-US/kb/view-articles-reader-vi... The article can be flipped over into Reader Mode and is easy to read in that way.

I am using firefox as it happens but there's no reader view on offer for that site unfortunately

That's strange, on Firefox for Android v68.11.0 every article for krebsonsecurity.com can render in the reader mode. The main home page does not work for this, but individual articles work fine.

I suggest you don't. I switched away from Firefox for this exact reason.

Opera just displays the website correctly, no reader mode required. (Although available. I never use it and I think it's only necessary for other browsers because their normal browsing feature is broken.)

Define "correctly"? This is how both Firefox and Chrome display the site on my phone: https://imgz.org/ixAQ9mUp/

That's what's "correct". If you mean that Opera forces reader mode on every site, you have an odd definition of correctness.

By "correctly" I mean "doing what is intended". I feel that the ultimate goal of the user of a blog is to read it. So by "correctly" I mean readable. This is how it looks on my phone with Opera:

https://ibb.co/wgmNJxQ https://ibb.co/BLqwBH1

That is the correct way to display it. In contrast to Chrome, which gives this completely nonsensical output:


Do you have any use for this picture? Does this have any utility to you? Because for me it does not. For me this is "unreadable mode" and I don't need such a mode. If it is useful for you: How do you use this? And why?

I double-tap on the text to zoom to it, which is what Opera does, or use reader mode to get an even better view of it.

I really wish mobile browsers would follow better standards of user interfaces. They're a bit of a pain to use.

Because there isn't a secret required to use them?

Chipped cards 'solve' physical card use fraud (assuming they actually do the crypto they can do - there was another article about it not always being enabled).

If processing networks just allowed it to be easy to generate one-time codes to replace putting in CN, exp, and CVV, then online fraud would be solved too.

We have the tools to solve the problem, card networks just haven't deployed them.

Yeah. Also, all of my chipped cards can be swiped if the merchant or network or PoS doesn’t support it. Not sure of the mechanics, but that alone seems to defeat the purpose entirely

It'd be cool if payment cards had a built-in LCD screen for the PIN as a TOTP. That shouldn't be much harder for consumers than the existing card verification/security code.

It's not built-in, but an external device can generate an OTP (maybe a TOTP?). Some European banks have used this system for over 10 years, but others just use SMS or nothing.


Why not use the card itself as U2F? Most phones have an NFC reader now.

Could be used for both - online purchases and bank logins.

Perhaps the banks didn't want to trust the security of the phone?

Bear in mind these card readers were introduced in the UK and Sweden in 2007, around the same time as the first iPhone.

Yet literally every bank trusts the security of the phone + telco when sending you 2FA token via unencrypted SMS...

> Why not use the card itself as U2F? Most phones have an NFC reader now.

Most budget Android phones don't, and the iPhone one is locked down.

Some banks now have an in-app token.

Many bank apps also have some form of jailbreak/root detection. If the detection is tripped, the app will either kill itself, or disable the in-app token.

Let's not try to solve the problem for everyone. It’s obviously an opt-in. If they really wanted it to work they could design a card that also plugs into a USB-C or micro-USB port to work as a hardware token.

Also iPhones can now read NFC cards. My partner already used her passport to get onto the Smart-ID system in Lithuania.

In-app tokens rely on your phone - lose it and you are really screwed. Wanna let your accountant use the account while you're on vacation? You can’t. Plus setup (or suspicious logins) normally depends on SMS 2FA.

I am probably biased [1], but it seems that one-time credit card numbers for at least online transactions are the answer here. Chips and pins are helpful, but not for ecommerce... One way to do this is with Abine Blur (https://www.abine.com), which has a browser plugin that automatically creates a new CC number for you. [1] : co-founder of Abine

How does Abine differ from Privacy.com? I can't tell but from the pricing page I get the impression that you have to pay to use abine.

Same here. Very confusing website. Also: I'm a German user and some parts of the page are randomly German, while most are English. Same on the checkout page which is a no go for me. Assets are pixelated, the page looks scammy in general.

Sorry for delay, missed the question. I'll pass on the feedback about the webpage, that's no good. In terms of comparisons, Abine Blur also does masked phone numbers, masked emails, password management and blocking tracking - in addition to masked credit cards. Here's a recent review, https://uk.pcmag.com/password-managers/38259/abine-blur-prem...

Now if only we had a payment method where the account credentials (ideally these credentials would be cryptographically verified, that is, it would be possible to transfer funds only if you have access to the private key) are not disclosed to anyone and also payments would be as easy as scanning a QR code.

Don't you get a lot of that by using a payment system that uses the EMVCo tokenization scheme?

Apple Pay, for example, uses it.


Every finance system that wants to remove your burdens has to arrive at a point where they ask if you permit them to do things with your money without your consent every time, or in every respect.

It can be one-time or it can be repeat, but the third party actor quality here, is really strong.

A -> wants money to go to -> B, but money is vested through entity C and the transfer invokes entity D in front of B.

There are events here which are 'do I have your permission to do things with your money, through agents you don't know' which is really hard to remove.

Even TTP intermediaries doing A <-> B introductions have this burden. It feels like it's baked into the system, rather than something 'optimising' here having '..except.. you can exploit it' baked in.

>>> BriansClub earned close to $104 million in gross revenue from 2015 to early 2019, and listed over 19 million unique card numbers for sale.

100M for selling card numbers - it actually defrauding just selling card numbers ... holy cow.

And you have "Jokers stash" / jStash which is even bigger than Briansclub.

Other mentions: YaleLodge


Credit card fraud is a big, profitable business and has a huge ecosystem built around it.

I wonder if the banks could save money on fraud prevention by just buying all their stolen credentials on the open market and cancelling them all.

I know that would mess with the incentives to steal those credentials, but it still might be worth it.

I believe many of them regularly do exactly that.

I'm sorry to see how many people here on HN are commenting on debit/credit card systems without really knowing the topic, spreading false notions, clichés, absolute conclusions from personal anecdotes, or simply stating easy stereotypes about banks and financial institutions.

I'm usually learning a lot from HN but I'm sad to say this discussion is full of low-quality content.

Ppl steal credit cards not for the cash on the card, but for the credentials, which are used to register for services with a credit limit, and then the limit is spent. So a single credit card can be used on hundreds of services such as Amazon cloud hosting, Facebook ads, Google ads, etc., all without spending any money. The billing occurs only after the trial limit is spent. Google Ads will give a $400 credit limit to a new user.

I was expecting a one liner: "because banks do not lose money if fraud happens, as they simply trickle down costs to their customers".

That's an oversimplification that's simply not true everywhere in the world.

I still don't get why not all cards have two-factor purchases.

Just have my bank or a Visa (or whatever) app send a push notification that I can approve or reject the charge.

I know I'm in the minority here, but I really really like cryptocurrency flows for this sort of thing. You open the wallet on your phone, scan a QR code, and you've paid, no need to fish for credit cards, enter additional info because your transaction looks weird, etc etc.

I wish more sites supported it, and I try to support it on all of mine. I use/recommend OpenNode, though I wish they had Monero integration, but I guess everyone has their own pet cryptocurrency they'd like supported everywhere.

See also: WeChat, Eurozone's [SCT Inst](https://www.europeanpaymentscouncil.eu/what-we-do/sepa-insta...), Blik

I can only speak from the ecommerce industry, where you make online payments:

Honestly, credit card fraud still exists because Visa/Mastercard/Amex/Discover et al have a near-zero liability for fraud. They foist it upon the merchant.

It would be trivial for Visa to notice an account suddenly starts making purchases from out of the country, or exceeded some threshold of declines, etc. But, they don't care.

If you, the merchant, accept a fraudulent order, even if it appears fine, you are on the hook for the chargeback + chargeback fee. Good luck winning one of these disputes - they're heavily weighted towards the customer. You practically will lose every claim, and be out all the money for the product, plus the chargeback fee. Everything can be perfect on the order, AVS, CVV2 code, etc... doesn't matter.

This is why companies like Bolt Payments have sprung up - attempting to offload that risk from the merchant. They're making a business doing what Visa could do if they wanted to - pool card data together and look for illegitimate patterns, and block them.
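A rule-based sketch of the issuer-side checks this comment says would be trivial (a purchase from a new country, a burst of declines) plus the small "is this card live?" test charge mentioned elsewhere in the thread. This is an added example, not the commenter's code or any card network's actual logic; the authorization records, card tokens and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    """One authorization attempt as an issuer would see it (constructed record)."""
    card: str        # opaque card token; never a real PAN
    ts: datetime
    country: str     # merchant country code
    amount: float
    approved: bool


# Constructed sample authorization stream; none of these are real transactions.
T0 = datetime(2020, 10, 1, 12, 0, 0)
SAMPLE_AUTHS = [
    Auth("tok-A", T0, "US", 42.10, True),
    Auth("tok-A", T0 + timedelta(minutes=5), "US", 18.00, True),
    Auth("tok-A", T0 + timedelta(minutes=30), "RO", 1.00, True),    # tiny probe abroad
    Auth("tok-A", T0 + timedelta(minutes=31), "RO", 899.00, True),  # real spend follows
    Auth("tok-B", T0, "US", 12.50, True),
    Auth("tok-B", T0 + timedelta(minutes=1), "US", 12.50, False),
    Auth("tok-B", T0 + timedelta(minutes=2), "US", 12.50, False),
    Auth("tok-B", T0 + timedelta(minutes=3), "US", 12.50, False),
    Auth("tok-C", T0, "DE", 60.00, True),
    Auth("tok-C", T0 + timedelta(hours=2), "DE", 25.00, True),
]

# Illustrative thresholds (assumptions, not any network's real parameters).
DECLINE_THRESHOLD = 3                  # declines within DECLINE_WINDOW that trip a flag
DECLINE_WINDOW = timedelta(minutes=10)
PROBE_MAX_AMOUNT = 2.00                # size of a "card is live?" test charge
PROBE_WINDOW = timedelta(hours=1)      # how soon the big purchase must follow it
PROBE_SPEND_MIN = 100.00


def flag_auths(auths):
    """Return {card: set of rule names} for every card whose history trips a rule."""
    by_card = defaultdict(list)
    for a in sorted(auths, key=lambda a: a.ts):
        by_card[a.card].append(a)

    flags = defaultdict(set)
    for card, seq in by_card.items():
        home = seq[0].country  # assumption: first observed country is the cardholder's home
        for i, a in enumerate(seq):
            # Rule 1: purchase from a country the card has never been used in.
            if a.country != home:
                flags[card].add("country_change")
            # Rule 2: too many declines in a short window (the "entering random
            # numbers" pattern described elsewhere in the thread).
            declines = [b for b in seq[: i + 1]
                        if not b.approved and a.ts - b.ts <= DECLINE_WINDOW]
            if len(declines) >= DECLINE_THRESHOLD:
                flags[card].add("decline_burst")
            # Rule 3: an approved micro-charge followed soon after by a large
            # approved charge, the classic "verify it's live, then spend" sequence.
            if a.approved and a.amount <= PROBE_MAX_AMOUNT:
                if any(b.approved and b.amount >= PROBE_SPEND_MIN
                       and b.ts - a.ts <= PROBE_WINDOW for b in seq[i + 1:]):
                    flags[card].add("probe_then_spend")
    return dict(flags)


if __name__ == "__main__":
    for card, reasons in sorted(flag_auths(SAMPLE_AUTHS).items()):
        print(card, sorted(reasons))
```

Each rule fires on a single card's own history, which is exactly the data the commenter says the network already holds; the false-positive cost (legitimate travel, a flaky terminal) is why the flags are inputs to a step-up check rather than hard declines.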

>It would be trivial for Visa to notice an account suddenly starts making purchases from out of the country, or exceeded some threshold of declines, etc. But, they don't care.

I've had CC companies send me fraud alerts plenty of times and have had them block payments automatically as well. So please don't make a straw man argument.

Moreover, what I love when I go on a vacation to a foreign country is having my credit card stop working and trying to figure out how to make an international phone call to get it fixed. Credit card companies value improved customer experience over catching some larger percentage of fraud.

> So please don't make a straw man argument.

Your anecdata doesn't coincide with reality. Maybe your card company does - probably issued through a bank - but most people's don't, and Visa/Amex proper, etc certainly do not.

You would be surprised by the number of fraudulent orders that are placed on major ecommerce sites daily. It's up to the ecommerce site to detect the fraud, and hopefully refund the order in full before a chargeback hits.

Visa literally has all the transaction data for all issued Visa accounts. They can stop fraud dead, if they had a financial interest in doing so. As-is, they (and their issuers/gateways/processors) actually profit off fraud, via the chargeback fee.

The millions of accounts Krebs mentions in the article? Did they all get fraud alerts when the "carding" transaction was processed on their card... to verify it was a live account and had available balance? Nope.

In Europe there are many banks where you can use their app to enable or disable countries, online payments, ATM withdrawals and sometimes even NFC payments of a specific card. Works super great!

Isn’t this what 3D secure is? Visa has a way to pause the flow and ask a question, if it determines there is a risk. Like the users IP being in a strange country, or any other condition they can think of.
