[Edit] I'd like to add that most German debit cards work differently from what some of you might consider a debit card. Here, the money is withdrawn from your bank account on the same day (most of the time), and you cannot go into debt. Of course, there are exceptions to this.
Secondly, I (and others) will not use my debit card for transactions (to the full extent that I can take this position practically), as debit cards do not have the same protections against fraud as CCs do.
Lastly, an observation: I'm surprised that, given the potential penalties (in fraudulent charges), restaurants and other retailers don't just bite the bullet and buy the $100 terminals to get off the swipe system. Maybe it's a little more expensive if they have to replace those big clunky POS / order-taking machines. But this technology always ends up costing less than what the complaining businesses say they will have to pay in the beginning.
Or maybe they did the math, found that the average US consumer has a handful of credit cards, and figured that if they put a PIN on their card it would get used less, resulting in less profit for the credit card company.
Also, don't forget the "winners" are appointed by the consumers; if everyone likes your product, what can you do about it?
Are consumers supposed to skip the best option just because the company behind it is getting too big?
Yes, that's what I'm suggesting.
> Also, don't forget the "winners" are appointed by the consumers; if everyone likes your product, what can you do about it?
Ever heard of market regulation?
Shifting blame onto consumers doesn't fix the problem. Instead of establishing who is to blame, we could fix the problem.
> Are consumers supposed to skip the best option just because the company behind it is getting too big?
This is exactly why blaming consumers doesn't fix the problem.
The big credit card banks make a lot of money.
Because it's never $100 cash.
It's $100, and a subscription fee for the service, and a percentage of the transaction. Indefinitely.
If you already have a really good deal with your provider, this may be a more significant hit to profit than fraud--especially for a restaurant (where fraud is lower because, unlike merchandise, you can't reconvert the food into cash).
I hate the "SaaS" subscription model, but it's infected everything.
Thing is, even if merchants didn't buy a new $100 terminal, if they're already accepting credit cards with an old terminal, they're already paying a subscription fee and a percentage of transaction, so in this specific case, it is $100 cash. (Pedantically, it's closer to $300 https://www.merchantequip.com/processing-equipment/wireless-...)
So, a stolen card can be used for small payments, but there's an easy process to immediately block it (via app or internet banking).
The card doesn't even need to leave the victim's pocket to be read.
You can't make this stuff up.
And yes, it is unencrypted in a lot of countries.
There are even apps in the play store for reading them.
The card processes transactions internally, tracks usage limits for offline use, etc. Otherwise you couldn't read the transaction history with these Android apps. (But I think history access is now restricted and can't be read from new cards.)
It pretty much is the same thing as swiping the magnetic stripe.
I've read out the information from the card myself, and there are multiple demonstrations of it where they have a more powerful antenna and read it from people's pockets in their wallets.
It's not: a magnetic stripe is a dumb data store, while an EMV transaction does cryptographic authorization on the card. If the final amount isn't known, it performs the transaction with some dummy value, but from EMV's view it is still a transaction.
Maybe it is a highly advanced data store that in the end just sends out the secret in plaintext. Doesn't really make a difference though.
The whole point of EMV is that the card cannot be cloned, as is trivially done with a magnetic stripe card. You can do relay attacks, but this is so cumbersome, with a PIN required at higher amounts, that I doubt anyone actually does it in practice.
I don't think there's anything specifically wrong (security-wise) with chip + sign for processing. Sure, you don't need to enter a PIN to verify the transaction, but it's not like you can clone the chip, so there aren't any security issues there. AFAIK the only issue is that for some banks, the magstripe information can be read off the chip, which can be used afterwards to spoof a magstripe transaction, which the bank allows (for legacy reasons). The core problem is in allowing legacy transactions, not in not having a PIN.
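The "dumb data store vs. cryptographic authorization" distinction the last few comments argue about, as an added toy model (not code from the thread or from any card network): the issuer's only possible check on magstripe data is byte equality, whereas an EMV-style cryptogram is a per-transaction MAC bound to a terminal challenge and a counter, so a captured one is useless elsewhere. HMAC-SHA256 stands in for the card's real session-key MAC, and the field list and sample track are constructed.

```python
# Toy model: static magstripe data vs. an EMV-style per-transaction cryptogram.
# Constructed simulation; HMAC-SHA256 over a fixed field list stands in for the
# card's 3DES/AES session-key MAC, and the unpredictable number (UN) and
# application transaction counter (ATC) are modelled after the EMV spec.
import hashlib
import hmac
import secrets


def _mac(key: bytes, *fields) -> str:
    msg = b"|".join(str(f).encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def magstripe_authorize(stored_track: bytes, presented_track: bytes) -> bool:
    # The only check possible: do the bytes match? A copy passes identically.
    return hmac.compare_digest(stored_track, presented_track)


class EmvCard:
    """Holds the key; emits only a MAC over amount, counter and challenge."""

    def __init__(self, key: bytes):
        self._key, self.atc = key, 0  # key never leaves the card

    def cryptogram(self, amount: int, un: str) -> dict:
        self.atc += 1
        return {"amount": amount, "atc": self.atc, "un": un,
                "mac": _mac(self._key, amount, self.atc, un)}


class EmvIssuer:
    def __init__(self, key: bytes):
        self._key, self.last_atc = key, 0

    def authorize(self, msg: dict, terminal_un: str) -> bool:
        if msg["un"] != terminal_un:      # signed challenge must be this terminal's
            return False
        if msg["atc"] <= self.last_atc:   # counter must advance: no replay
            return False
        expected = _mac(self._key, msg["amount"], msg["atc"], msg["un"])
        if not hmac.compare_digest(expected, msg["mac"]):  # binds the amount
            return False
        self.last_atc = msg["atc"]
        return True


def new_un() -> str:
    """Terminal-side unpredictable number (4 random bytes, as in EMV)."""
    return secrets.token_hex(4)


def demo() -> dict:
    """Return which presentations each issuer model accepts."""
    track = b";4111111111111111=25121011234567890?"  # constructed sample track
    key = secrets.token_bytes(16)
    card, issuer = EmvCard(key), EmvIssuer(key)
    un1 = new_un()
    legit = card.cryptogram(1000, un1)
    un2 = new_un()
    return {
        "magstripe_copy_accepted": magstripe_authorize(track, track[:]),
        "emv_first_use": issuer.authorize(legit, un1),
        # same cryptogram presented at another terminal: challenge differs
        "emv_replay_other_terminal": issuer.authorize(legit, new_un()),
        # same cryptogram, same terminal: counter did not advance
        "emv_replay_same_terminal": issuer.authorize(legit, un1),
        # altered amount with a plausible counter: MAC no longer verifies
        "emv_amount_tampered": issuer.authorize(
            dict(legit, amount=9999, atc=legit["atc"] + 1), un1),
        # a fresh cryptogram, even for a dummy amount, is a valid transaction
        "emv_next_transaction": issuer.authorize(card.cryptogram(1, un2), un2),
    }
```

The chip-read magstripe data mentioned above falls on the first line of `demo()`: once the issuer accepts static track data, nothing in the EMV part of the model protects it.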
So there is some regional variation in practices.
Anyway, this mostly faded away since most new cards are chip & PIN and, more importantly, in Italy most people use debit cards (Bancomat is the common debit circuit here) or... cash :-\
Of course, no one checks these days.
I must confess that I actually did once find a credit card on the ground while walking through an outdoor parking lot--and I did start using it in stores.
It was one of those mini cards some banks issued that were designed to go on a key ring for convenience. From the wear on it, it had been out there at least a couple days.
When I picked it up I had every intention of reporting it to the bank. However, when I picked it up and saw the name and photo--they were mine!
I pulled out my key ring and sure enough, my card was missing. I didn't use that card much, but still, I used my key ring several times a day so I have no idea how I failed to notice that it was missing.
As to how it fell off, there was a hole in the corner for the key ring to go through, and the card had cracked between the hole and the edge. The next two times my bank issued me new cards and included a key ring card, the same kind of crack developed. I stopped using them after that as the risk of losing them seemed too high.
Bank of America stopped issuing them in 2010, after 8 years. I wonder if it had anything to do with a high lost card rate?
I think it's been about a year or more for me since I last swiped my card (or saw it swiped). 100% chip/EMV or Apple Wallet here.
The banks decided the PIN part of chip and PIN only protects against physical theft -- what they call "lost and stolen" fraud.
Assuming that is accurate, given the costs associated with dealing with customers who forget their PINs, and the fact that Visa massively pushed for chip and signature, it's not hard to see why none of the banks wanted to be the hardest card to use in the wallet: lost and stolen is an infinitesimal amount of loss for them when compared to counterfeits and e-commerce fraud.
I’m not a fan of using credit cards as you’re constantly in debt and need to make sure you’re paying back your balance.
A debit card puts the onus on you. Your bank will probably help you but they're doing so for good customer service, not because the law tells them to.
If you are the victim of fraud or faulty goods, a credit card is on your side. Otherwise with a debit card you may have to rely on the courts.
Rule of thumb, use a credit card for everything but set it to clear the balance every month.
What country are you referring to? Is it a widespread thing?
I am curious: how often were you defrauded, how and where?
In the US, you've described "Charge Cards." Some of the cards American Express offers are charge cards. (I don't know of other vendors with such cards.)
Basically the very large majority of consumers won't see a charge card besides AmEx.
It’s the first of the month and your mortgage and car payment are debited. Except some asshat drained your account and the overdraft exceeds your account's limit.
Eventually everything gets fixed, but you deal with a lot of stress and risk.
There’s literally no reason to not carry a credit card and have the bank hold the risk.
This is pretty much how the high-tier credit cards work in the US (or at least how the people who own them say they work). The CSR has some insane 28% APR, way higher than Chase's mid-tier card. Amex's premium cards (Gold, Platinum) also work the same way.
In your case, what happens when you don't have enough money at the end of the month? You are effectively in debt.
I also have an Amex, which is nominally a charge card, but they are now functionally no different than a credit card. It has an 18.25% APR for the "Pay Over Time" balance.
Of course, none of this really matters if you're using the cards responsibly, because you pay the statement balance in full every month. The grace period means there is no interest at all. No credit card has a good interest rate (outside of promos), and if you need to borrow money, there are better ways of doing it.
Any credit card should be treated like a charge card or debit card. Don't spend more than you have, put it on auto pay, zero interest is charged, your bank account is debited once a month, and along the way you collect lucrative rewards and get better fraud protection and fringe benefits.
(Admittedly, this all assumes that you can qualify for a decent card and can use it responsibly, which sadly the majority of Americans cannot.)
Most phones require you to use some form of passcode (6 digits, Touch ID, Face ID), which are effectively PINs, prior to using a payment method. Additionally, there are secure chips in your devices to do the actual processing. This means that digital purchases through eWallet methods are effectively chip + PIN while still getting credit card fraud protections.
I've seen 3-D Secure flash by when doing online orders in the US, but it's never required any authentication. It just says "3-D Secure" briefly and then it's seemingly skipped. Do banks simply not roll it out?
Amex's 3D implementation seems to consistently ask for a 6-character passcode if it doesn't pass through.
As for purchasing stuff online, we have a system called 'iDeal' which is supported by every bank. You just go to the checkout, scan a QR code with your banking app, accept the purchase in the app, and it's done.
It still comes to me as a surprise that in a connected world like today you can make a purchase in someone's name by just knowing a bunch of numbers on a piece of plastic, no verification needed.
The main difference is that credit cards allow you to carry a balance. Why use a credit card? Because most banks offer cash back deals when you do. I get a 3% discount on all my transactions when I use my CC, some get points to travel for free. Credit cards help you build a good credit score to get better interest rates on loans and mortgages.
That's an American thing; it's non-existent in Europe (at least in The Netherlands). Also, in the end it's not a discount, it's just your own money that you get back in an inconvenient way. It's paid from the credit card fees that retailers pay, who pass it on to you (either directly as a fee, or indirectly as higher prices). The whole idea of e.g. paying less for gas when you pay in cash is insane in most of Europe.
> Credit cards help you build a good credit score to get better interest rates on loans and mortgages.
Credit scores are another American thing that seem insane to most Europeans.
Why are credit scores insane? How do lenders evaluate whether it's risky or not to issue a loan to an individual? How do you reward individuals who manage their finances correctly?
Also, a "credit score" kind of system does exist in most countries, but it is usually an administrative record kept by a government agency which blacklists you from taking out more loans if you cannot pay them.
It seems the system is mostly based around a negative feedback loop (punishing people who haven't paid) instead of a positive one.
I use my credit card for all my purchases and pay the balance off in full every month, mainly for the rewards, but that peace of mind for big purchases is great too.
The point of the credit card is to borrow money and pay it back later. That's all.
Most Americans have both Debit and Credit cards and will switch between them based on their financial need.
> You just go to the checkout, scan a QR code with your banking app, accept the purchase in the app, and it's done.
And those people who don't have data for their phone?
> that in a connected world like today
Not everyone is connected.
It works fine over wifi. For those without internet at all, well, then you can't order anything online either ;)
(I know of at least one bank, but there are probably more, that also offers a (free) hardware device for people without a smartphone.)
Ugh, no thank you. I just wave my watch over the device and I'm done. Nothing to take out, no apps involved.
I wouldn’t make a transaction online without those 2FA measures and I wouldn’t make an in person transaction without pin. I haven’t checked actually but I assume the cards can’t be used without pin/2FA e.g if the details were leaked.
I assume it's up to the e-commerce site to implement the check, and in this case it had timed out and they decided to process the order anyway.
Sure, you'll probably win any chargeback, but they don't necessarily prevent the charges in the first place.
Even if you don't, if your card details get leaked, fraudsters definitely will. You can't prevent that by shopping selectively.
Same as what happened with PINs 20 years ago: once all stores had them, you could no longer make a purchase with just card + signature.
What’s needed is a block for use in countries where this hasn’t happened. Not sure if that’s the case.
A geo block could theoretically work, and I know of some issuers doing just that, but it's also pretty inconvenient when traveling or shopping online.
Let alone have an SMS mode where I have to approve all purchases made on the card. Provide retailer, state, and cost.
Want to fix credit card fraud online? Make the banks require support for extended address verification so merchants can verify the email address is connected to the credit card. Credit card fraud will be caught faster with less risk to the merchant and credit card holder. People will notice the order confirmation email of a fraudulent purchase and reach out to the bank and merchant instead of the old way of waiting till you get your credit card statement. Also for high-risk orders (e.g. billing doesn't match shipping, or digital goods), having a known email helps mitigate risk because they can confirm that the order is legitimate before fulfillment.
...and if your bank happens to suck, then the loss of getting owned by one is now your problem, not theirs.
They can be tapped at most retailers for dollar amounts under $100, but there is an extra charge for the merchant (likely due to the risk?).
My partner owns a clinic and we don’t allow taps as a result. We also only ever do card present, chip + pin transactions. This means we save between 0.4-0.8% of the transaction price depending on the card.
If someone steals my credit card (happens on average once a year), the missing money is the bank's problem.
If someone steals my debit card, the missing money is my problem.
Oh can’t pay my mortgage because my checking got drained? Sucks to be me...
Where do debit cards not work like this?
With a chip, the secret data never leaves the card during a transaction. Even if the business is hacked, or if the POS system is compromised, the stolen data can't be used for anything.
With a pin, if someone hacks a POS system (or installs a fraudulent one over it), they can capture both the number AND the pin at the same time.
A pin verifies the bearer, systems that don't require them evaluate each transaction. It's not like US merchants are all choosing to stop accepting credit cards, so fraud probably isn't that big a problem.
One very easy step that would prevent most of the fraud in my case, and I imagine many others, would be an option to request a registered email or phone contact for the actual card owner. "Hello, it's bluecalm from org X, we have noticed your order and it's marked as suspicious by our system, can you please confirm you made that order? Yes - great, we are sending you the product right now. No? Well, contact your bank as your card info was stolen."
It's such an easy and obvious step. Let me contact the actual card owner using the info they provided. I think the problem is lack of incentives. It's the seller who covers the cost. At least some of it should be on card companies to encourage them to actually do something about it. Right now they seem to just not care.
Saturday evening I verified receipt of the card, and then put the card on the counter and left it there. Sunday night / Monday morning, at 1am, I get a text that the new card was compromised as someone was attempting to use it to pay some scammer. I never left the house with the card, I never typed it into a computer beyond the verification process from my own home.
I would imagine:
- you could locate the cards without opening the envelope
- maybe you could make a charge without opening the envelope
So, this killed the type of fraud that the author discusses. But there are other types of fraud (social engineering, ATM skimming, etc.) for which the major defense in India is fixed rule-based daily limits and mandatory SMS notifications of any deposit/withdrawal on your account. Of course it doesn't help very small account holders.
The government is giving a free/basic bank account to everyone through a program called Jan Dhan Yojna. So anyone with a smartphone and a free/basic bank account, or an even more basic payment bank account (requires less KYC), can pay using UPI. (Of course KYC is still a challenge, but way better than other countries due to a national biometric ID system called Aadhaar and central KYC registries for financial institutions.)
And the regulator is taking a very interesting approach to open banking through unbundling. For example, see https://sahamati.org.in for financial data unbundling.
Physical Card + 4 digit PIN is at the ATM or the bank. So no long lines waiting for OTP.
Some part of that statement doesn't make sense. Normally if something is in high demand, then it is easier to sell it, therefore the seller can demand that the middleman, i.e., BriansClub, accept a lower commission. In real estate for example, when there is a lot of demand for houses (in a "sellers' market"), you as a seller can easily negotiate a lower commission from your brokerage agent.
One clarification: When there's high demand and low supply, the end-buyer will pay a much higher price of course. But the middleman (like BriansClub) should be charging a lower commission as a percentage, though he or she might end up making more money because it's a higher priced item being sold. So Krebs's explanation of why they charge a higher commission for card-not-present doesn't make sense.
"On average, BriansClub paid suppliers commissions ranging from 50-60 percent of the total value of the cards sold."
High demand + low supply of these cards means that the suppliers are getting a better "price" when selling them to BriansClub, the middleman.
Opera just displays the website correctly, no reader mode required. (Although available. I never use it, and I think it's only necessary for other browsers because their normal browsing feature is broken.)
That's what's "correct". If you mean that Opera forces reader mode on every site, you have an odd definition of correctness.
That is the correct way to display it. In contrast to Chrome, that gives this complete nonsensical output:
Do you have any use for this picture? Does this have any utility to you? Because for me it does not. For me this is "unreadable mode" and I don't need such a mode. If it is useful for you: how do you use this? And why?
Chipped cards 'solve' physical card use fraud (assuming they actually do the crypto they can do - there was another article about it not always being enabled).
If processing networks just allowed it to be easy to generate one-time codes to replace putting in CN, exp, and CVV, then online fraud would be solved too.
We have the tools to solve the problem, card networks just haven't deployed them.
Could be used for both - online purchases and bank logins.
Bear in mind these card readers were introduced in the UK and Sweden in 2007, around the same time as the first iPhone.
Most budget Android phones don't, and the iPhone one is locked down.
Some banks now have an in-app token.
Many bank apps also have some form of jailbreak/root detection. If the detection is tripped, the app will either kill itself, or disable the in-app token.
Also iPhones can now read NFC cards. My partner already used her passport to get onto the SmartId system in Lithuania.
In-app tokens rely on your phone - lose it and you are really screwed. Wanna let your accountant use the account while you're on vacation? You can’t. Plus setup (or suspicious logins) normally depends on SMS 2FA.
Apple Pay, for example, uses it.
It can be one-time or it can be repeat, but the third party actor quality here, is really strong.
A -> wants money to go to -> B, but the money is vested through entity C and the transfer invokes entity D in front of B.
There are events here which are 'do I have your permission to do things with your money, through agents you don't know' which is really hard to remove.
Even TTP intermediaries doing A <-> B introductions have this burden. It feels like it's baked into the system rather than something 'optimising' here has '..except.. you can exploit it' baked in.
100M for selling card numbers - not actually defrauding, just selling card numbers ... holy cow.
Credit card fraud is a big profitable business and has a huge ecosystem built around it.
I know that would mess up with incentives to steal those credentials, but it still might be worth it.
I'm usually learning a lot from HN, but I'm sad to say this discussion is full of low-quality content.
Just have my bank or a Visa (or whatever) app send a push notification that I can approve or reject the charge.
I wish more sites supported it, and I try to support it on all of mine. I use/recommend OpenNode, though I wish they had Monero integration, but I guess everyone has their own pet cryptocurrency they'd like supported everywhere.
Honestly, credit card fraud still exists because Visa/Mastercard/Amex/Discover et al have a near-zero liability for fraud. They foist it upon the merchant.
It would be trivial for Visa to notice an account suddenly starts making purchases from out of the country, or exceeded some threshold of declines, etc. But, they don't care.
If you, the merchant, accept a fraudulent order, even if it appears fine, you are on the hook for the chargeback + chargeback fee. Good luck winning one of these disputes - they're heavily weighted towards the customer. You practically will lose every claim, and be out all the money for the product, plus the chargeback fee. Everything can be perfect on the order, AVS, CVV2 code, etc... doesn't matter.
This is why companies like Bolt Payments have sprung up - attempting to offload that risk from the merchant. They're making a business doing what Visa could do if they wanted to - pool card data together and look for illegitimate patterns, and block them.
I've had CC companies send me fraud alerts plenty of times and have had them block payments automatically as well. So please don't make a straw man argument.
Moreover, what I love when I go on a vacation to a foreign country is having my credit card stop working and trying to figure out how to make an international phone call to get it fixed. Credit card companies value improved customer experience over catching some larger percentage of fraud.
Your anecdata doesn't coincide with reality. Maybe your card company does - probably issued through a bank - but most people's don't, and Visa/Amex proper, etc certainly do not.
You would be surprised by the number of fraudulent orders that are placed on major ecommerce sites daily. It's up to the ecommerce site to detect the fraud, and hopefully refund the order in full before a chargeback hits.
Visa literally has all the transaction data for all issued Visa accounts. They can stop fraud dead, if they had a financial interest in doing so. As-is, they (and their issuers/gateways/processors) actually profit off fraud, via the chargeback fee.
The millions of accounts Krebs mentions in the article? Did they all get fraud alerts when the "carding" transaction was processed on their card... to verify it was a live account and had available balance? Nope.
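The issuer-side heuristics the comments above call trivial, as an added example that is not from the thread or from any card network: a rule pass over a constructed transaction log that flags a card suddenly used abroad, a burst of declines, and the small "carding" test charge followed by a large purchase. The log format, the thresholds, and the masked card numbers are all assumptions made up for this example.

```python
# Added example: three issuer-side fraud heuristics run over a constructed log.
# Format (assumed): timestamp,masked_pan,country,amount_cents,status
from collections import defaultdict, deque
from datetime import datetime, timedelta

DECLINE_LIMIT = 3                         # declines inside DECLINE_WINDOW
DECLINE_WINDOW = timedelta(hours=1)
PROBE_MAX_CENTS = 200                     # "is this card live?" test charges are tiny
PROBE_FOLLOWUP_WINDOW = timedelta(hours=1)
PROBE_RATIO = 20                          # follow-up purchase at least 20x the probe

# Constructed sample log (the PANs and amounts are made up for this example).
SAMPLE_LOG = """\
2019-10-10T09:00:00,4111****1111,US,4500,approved
2019-10-10T09:30:00,4111****1111,US,1200,approved
2019-10-10T11:00:00,4111****1111,RO,15000,approved
2019-10-10T12:00:00,5500****2222,US,100,approved
2019-10-10T12:10:00,5500****2222,US,89900,approved
2019-10-10T13:00:00,3400****3333,US,5000,declined
2019-10-10T13:05:00,3400****3333,US,5000,declined
2019-10-10T13:07:00,3400****3333,US,4000,declined
2019-10-10T13:30:00,6011****4444,US,2500,approved
"""


def parse(line: str) -> dict:
    ts, pan, country, cents, status = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "pan": pan, "country": country,
            "cents": int(cents), "status": status}


def flag_transactions(log: str) -> list:
    """Return (pan, rule, timestamp) for every transaction a rule fires on."""
    flags = []
    home = {}                       # first country seen per card (assumed "home")
    declines = defaultdict(deque)   # recent decline timestamps per card
    last_probe = {}                 # (ts, cents) of the last tiny approved charge
    for tx in (parse(l) for l in log.splitlines() if l.strip()):
        pan, ts = tx["pan"], tx["ts"]
        home.setdefault(pan, tx["country"])
        # Rule 1: a card only ever used at home suddenly spends abroad.
        if tx["country"] != home[pan]:
            flags.append((pan, "foreign_use", ts.isoformat()))
        # Rule 2: decline burst inside a sliding window.
        if tx["status"] == "declined":
            q = declines[pan]
            q.append(ts)
            while q and ts - q[0] > DECLINE_WINDOW:
                q.popleft()
            if len(q) >= DECLINE_LIMIT:
                flags.append((pan, "decline_burst", ts.isoformat()))
                q.clear()
        # Rule 3: tiny approved charge, then a much larger one shortly after.
        if tx["status"] == "approved":
            if tx["cents"] <= PROBE_MAX_CENTS:
                last_probe[pan] = (ts, tx["cents"])
            elif pan in last_probe:
                p_ts, p_cents = last_probe[pan]
                if (ts - p_ts <= PROBE_FOLLOWUP_WINDOW
                        and tx["cents"] >= PROBE_RATIO * p_cents):
                    flags.append((pan, "probe_then_spend", ts.isoformat()))
                    del last_probe[pan]
    return flags


if __name__ == "__main__":
    for pan, rule, when in flag_transactions(SAMPLE_LOG):
        print(f"{when} {pan} {rule}")
```

Real issuers would derive "home" from the cardholder profile rather than the first transaction seen, and would tune the windows per portfolio; the structure of the pass is the point.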