Visa Advertising Solutions (VAS) Opt Out (visa.com)
513 points by enjoyyourlife on Dec 29, 2020 | 245 comments

The form doesn't require any sort of authentication, so I imagine someone could write a script to submit all (or a large portion of) the set of card numbers to this API. Might need to work around rate limiting and so on, but seems feasible?

Also, if there is any sort of timing difference on valid/invalid card numbers. Boom... timing attack / CC oracle :)

Checked and the Mastercard one someone posted below doesn't seem to be vulnerable to this. My real card number and a dummy Mastercard number with valid prefix and check digit both returned a 200 OK in around 1.01s. A random 16-digit number without valid check digit returned 400 Bad Request in about 800ms. Decided to check that one since they have a completely useless machine-readable captcha.

For Visa it was 835ms for valid, 762ms for dummy, prefix and check digit appears to be checked client side.

100ms is /massive/ for a timing delta but you really need a lot of samples. I have exploited timing deltas that were not much more than a handful of machine code instructions in terms of execution time. But you really do need a lot of samples to confirm small deltas. It starts getting impractical for many APIs (someone will notice, hopefully).

> someone will notice, hopefully

Or more likely "someone will notice, eventually"

This comment is why I love hackernews

See: https://rdist.root.org/2010/07/19/exploiting-remote-timing-a... and Crosby 2007. I got into infosec around 06 and tptacek, Nate Lawson and some others were my heroes. Now I run my own consulting firm with a bunch of cool people :)

Also in infosec: what is old is new. We still find shitty comparison routines (timing attacks) and SQL injection... some day :)

I just found a use-case for the sleep( rand(1000) ) function :-)


If the rand function produces uniform random numbers, then with enough samples the signal comes out on top of the noise.

If it is non-uniform, then with enough samples you can determine the non-uniformity, and you are at square 1 again.

Use proper security instead of obscurity.

Easily accommodated. I can get the execution run-time and store it in an average in memory for some time-period and have the sleep function top up the difference between the two paths. Not sure what the "proper security" method is to prevent execution deltas.

Why not just run the thing (which takes some small fraction of time), then pad to five seconds, and respond. Since your work will be done in milliseconds, padding to nearest five seconds will remove any noise.

And it's not a thing anyone has a legitimate interest in submitting more than that per second.

Adding five seconds to everything just adds five seconds, it doesn't matter if the difference between the two requests is .01s or 5.01s.

The parent said "pad to 5 seconds" not "add 5 seconds". Thus everything would be 5 seconds (never 5.01). The difference between a hit and a miss would be exactly 0s. Note that I'm not advocating for or against this solution; rather, clarifying the conversation.

Pad to, not pad by.

I.e. the padding to add is (5 - duration_of_operation) with duration of operation being far lower than 5 s.

Depends. With comparison functions you can implement a constant time comparison that takes the same amount of time. In this case it isn’t really a crypto problem, so anything where we are confident about things taking the same amount of time is fine. Basically in some parent method/func make sure we always spend 2000ms or whatever time that is always greater than the max runtime of the slowest path. Secondary / defense in depth mitigations would be rate limiting this page and making it purposefully slow on response, just to make it that much harder to collect samples / abuse it without being noticed. The captcha is a nice touch, but it didn’t seem particularly strong (a good captcha solver could break it). Still, captcha will chase off a lot of script kiddies. You don’t have to be faster than the bear, just faster than the slowest person ;)
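The two ideas argued over above (random jitter only raising the attacker's sample count, versus padding every response to a fixed floor) as an added example. This is not code from the thread, from Visa or from Mastercard: the endpoint is a constructed model using the rough figures quoted earlier (~760 ms base, ~100 ms delta, sleep(rand(1000)) jitter), the opt-out store is a constructed set, and the 50 ms floor is only there to keep the demo fast.

```python
import math
import random
import statistics
import time

# Constructed parameters, loosely based on the figures quoted in the thread:
# ~760 ms base response, ~100 ms extra on the "valid card" branch, and a
# sleep(rand(1000)) style jitter added in an attempt to hide the difference.
BASE_MS = 760.0
DELTA_MS = 100.0
JITTER_MS = 1000.0


def response_ms(rng, valid, delta_ms=DELTA_MS, base_ms=BASE_MS, jitter_ms=JITTER_MS):
    """Model of the leaky endpoint (no network, no real card numbers).

    The 'valid' branch costs delta_ms more; uniform jitter is added to every reply.
    """
    return base_ms + (delta_ms if valid else 0.0) + rng.uniform(0.0, jitter_ms)


def padded_response_ms(rng, valid, floor_ms, **model):
    """Same endpoint behind a 'pad to floor_ms' wrapper: every reply takes at
    least floor_ms, so as long as floor_ms exceeds the slowest path the timing
    carries no information."""
    return max(response_ms(rng, valid, **model), floor_ms)


def observed_delta_ms(n, seed=1, floor_ms=None, **model):
    """Attacker view: n samples per class, difference of the sample means."""
    rng = random.Random(seed)
    if floor_ms is None:
        sample = lambda valid: response_ms(rng, valid, **model)
    else:
        sample = lambda valid: padded_response_ms(rng, valid, floor_ms, **model)
    valid = [sample(True) for _ in range(n)]
    invalid = [sample(False) for _ in range(n)]
    return statistics.mean(valid) - statistics.mean(invalid)


def samples_needed(delta_ms, jitter_ms, z=3.0):
    """Samples per class for the observed delta to sit z standard errors above
    zero. Uniform(0, J) jitter has variance J^2/12 and the difference of two
    sample means has variance 2*sigma^2/n, so n = 2*z^2*J^2 / (12*delta^2)."""
    return math.ceil(2.0 * z ** 2 * jitter_ms ** 2 / (12.0 * delta_ms ** 2))


def pad_to(floor_s):
    """Decorator: the wrapped call takes at least floor_s seconds, hit or miss,
    success or exception. 'Pad to', not 'pad by': the sleep is floor_s minus
    the time the work already took. If the work ever exceeds floor_s the pad
    saturates and the delta leaks again, so pick floor_s above the slowest
    path's worst case and alert on overruns."""
    def wrap(fn):
        def inner(*args, **kwargs):
            start = time.monotonic()
            try:
                return fn(*args, **kwargs)
            finally:
                remaining = floor_s - (time.monotonic() - start)
                if remaining > 0:
                    time.sleep(remaining)
        return inner
    return wrap


# Constructed opt-out store; 4111111111111111 is a well-known test PAN.
OPTED_OUT = {"4111111111111111"}


@pad_to(0.05)  # 50 ms floor keeps the demo quick; a real service would use seconds
def record_opt_out(pan):
    """Hit and miss do different amounts of work (set lookup vs. lookup + insert);
    the pad hides that from the caller."""
    already = pan in OPTED_OUT
    if not already:
        OPTED_OUT.add(pan)
    return already


def timed(fn, *args):
    """Wall-clock a call, as a client measuring the endpoint would."""
    start = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - start


if __name__ == "__main__":
    print("samples per class for a 3-sigma result:", samples_needed(DELTA_MS, JITTER_MS))
    print("delta seen with 1 sample each: %.1f ms (noise)" % observed_delta_ms(1))
    print("delta seen with 2000 each:     %.1f ms (~100)" % observed_delta_ms(2000))
    print("delta behind a 2 s pad:        %.1f ms" % observed_delta_ms(2000, floor_ms=2000.0))
    print("record_opt_out hit:", timed(record_opt_out, "4111111111111111"))
```

With a full second of uniform jitter over a 100 ms delta, `samples_needed` comes out at 150 per class for a three-sigma result, which is why the jitter buys nothing against anyone willing to make a few hundred requests. The padded model shows a delta of exactly zero, but only because the 2 s floor is above the slowest modelled path; in a real service the floor has to cover tail latency (database stalls, GC pauses) or it becomes the leak.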

rand() produces a linear distribution, which is uniform. Do I understand properly that rand() + rand() would return a normal distribution, so #2, for which you can determine the non-uniformity?

What would be a proper first step to harden API for timing attacks?

Adding any random noise, even perfect randomness, doesn't prevent the attack. It just means the attacker needs more samples.

rand() + rand() does not produce normal, but adding together a few thousand rands does start to approach it. Central limit theorem.

rand() + rand() does not give normal. If there is any statistical difference between the timings, it's in theory possible to break.

An easy mitigation would be to just drop the card number into a queue and process asynchronously without waiting and returning to the user.

Flood the queue with invalid numbers and timings can still be worked out.

I would have gone for `sleep(1000)` and have it run in parallel with the actual function, so that every request takes 1000 milliseconds

I'd expect any submissions to this are just appended to a database without any actual validation beyond the trivial Luhn checksum and then there's a batch process once a day (maybe the same one that actually generates whatever marketing "insights" they claim to provide) that reads from there and ignores any card numbers from the opt-out DB.

You would hope that. I’ve been in infosec doing application security as a consultant a long time. Developers have often destroyed my hopes :)

> You would hope that. I’ve been in infosec doing application security as a consultant a long time. Developers have often destroyed my hopes :)

I used to work at a big bank in the US and the parent's description sounds exactly like how it would work.

You could be right but I have found almost this exact bug in production systems (credit card oracle sitting on the public Internet of a big card processor with no rate limiting and a really obvious timing delta). Both scenarios (batch or live processing) are pretty likely IMO. Just depends on what mess of APIs you happen to end up on.

Government and banks have been continuously using computers since the 60s, so as a result there’s a lot of “fancy web API to collect data… that gets batch processed by an ETL on a mainframe overnight.” Much more of it than I realized as a young dev at least.

Huh... create script to fill DB with all possible Visa numbers, tomorrow's "marketing insight" will suddenly be an empty file because everything will be excluded.

Bonus, if they can't separate which exclusions were from legitimate requests and which came from this script, they can't just delete those entries from the database.

Of course, no one should do this...

> Bonus, if they can't separate which exclusions were from legitimate requests and which came from this script, they can't just delete those entries from the database.

I think they would probably just declare them all invalid, and roll back to yesterday.

I think that millions of requests from a particular IP address might give the game away.

Perfect use case for Splunk.

Coming from the industry - MC & Visa typically don't know if an exact card is valid or not. They admit a range of numbers to an issuer (bank, revolut-type, whatever), and the issuer's system is queried for each transaction - a card can be created at any time without notifying card schemes.

There's some exceptions (tokens etc.), but not relevant to this use case.

There's already Luhn and a list of valid starting digits...

Yes, which aids the spamming.

The first 6 digits of a card number are called the BIN code. That leaves just 9 digits that have to be spammed.

The fact that BIN lists are publicly available is reducing the space significantly.
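The arithmetic in the last few comments (a 6-digit BIN, a Luhn check digit forced by the other digits, nine free digits in between), and the earlier observation that the Visa form checks prefix and check digit client-side, as an added example. This is not code from the thread or from any card network: the BIN `411111`, the 16-digit length and the test PAN `4111111111111111` are constructed inputs, and the functions are only there to show what an enumeration script gets for free from the public format rules.

```python
def luhn_check_digit(body):
    """Digit that makes body + digit pass the Luhn check.

    Walking body from the right, the first digit is the one that will sit next
    to the check digit, so it is doubled (doubled digits > 9 have 9 subtracted)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan):
    """Client-side style check: digits only, last digit is the Luhn check digit."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    return luhn_check_digit(pan[:-1]) == int(pan[-1])


def candidates_for_bin(bin_prefix, pan_length=16):
    """Number of Luhn-valid PANs that start with bin_prefix. Every digit between
    the BIN and the check digit is free and the check digit is then forced, so
    the Luhn check removes a factor of ten from the search, not any secrecy."""
    free = pan_length - len(bin_prefix) - 1
    if free < 0:
        raise ValueError("BIN longer than the PAN")
    return 10 ** free


def candidate(bin_prefix, n, pan_length=16):
    """The n-th Luhn-valid PAN for a BIN, i.e. what an enumeration script would submit."""
    free = pan_length - len(bin_prefix) - 1
    if not 0 <= n < 10 ** free:
        raise ValueError("n out of range for this BIN")
    body = bin_prefix + str(n).zfill(free)
    return body + str(luhn_check_digit(body))


if __name__ == "__main__":
    bin_prefix = "411111"  # constructed 6-digit BIN, the prefix of the 4111... test PAN
    print("Luhn-valid PANs under this BIN:", candidates_for_bin(bin_prefix))
    for i in (0, 1, 123456789):
        pan = candidate(bin_prefix, i)
        print(pan, luhn_valid(pan))
    print("4111111111111111 valid:", luhn_valid("4111111111111111"))
    print("4111111111111112 valid:", luhn_valid("4111111111111112"))
```

`candidates_for_bin("411111")` is 10^9: a billion Luhn-valid numbers per BIN, every one of them passing whatever the page checks in the browser, which is why the earlier comment calls the client-side validation useless as a defence and why the real question is whether the server side rate-limits, pads and logs.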

I think the parent meant "card number that actually is in use and works" when saying "valid", not "follows the rules of card numbers".

Card number alone doesn't get you anywhere.

An expiration date will get you a bit farther, but you really need the CVV also.

Which would give you worthless information

Why would you want to make an option intended to give some semblance of privacy useless?

The net result of submitting all card numbers will not be "oh, well, I guess all card numbers are private now.." it will instead be "clear that table and start over."

They'll just throw out all the ones spammed from your IP. If you become obnoxious they will call the FBI because this would be a CFAA violation.

Not a lawyer - would it really be a violation of the CFAA? I'd also be surprised if Visa involved the FBI for someone excessively hitting their API...

I didn’t check, but the terms of service surely state that you must only enter your own active card numbers for which you are the authorized account holder.

Doing otherwise -> access in excess of authority -> CFAA violation

Just because you can easily walk through an unlocked door doesn’t mean doing so is always legal.

CFAA is draconian, the courts are behind the times, and even if you win, it'd be in court where you don't want to be in the first place.

But then you are giving VISA a perfect reason to throw out all optouts and start fresh. Stuff like this happened during FTC net neutrality debate

Haven't people been sent to jail for doing this much or less? I recall something happening to a guy who probed AT&T's phone number registry or something?

How is this illegal? You make a form that says “XYZ” and buy a domain “abc.com” and if someone enters a random submission they go to jail for it?

Maybe I’m misunderstanding.

If something is sufficiently scary to the lay person, you have a good chance of going to jail. I wouldn't make the mistake of thinking that laws are interpreted and applied fairly.

You wouldn't go to jail for 1 submission. But if courts could prove that you created a bot that tried many combinations, in my opinion you should.

It's like lockpicking a door lock. Even if you don't get in, I'm sure it's still a crime.

Assuming it's not your own door.

In the UK, I would guess (IANAL) that it would come under "unauthorised modification of computer material" in The Misuse of Computers Act. Essentially, you're allowed to use websites under their terms of use/fair use etc, but if you're being malicious, that's not cool.

Not one submission. Hundreds or thousands of submissions could be seen as a DoS. Yes, it's a stretch. Yes, they will try to use this to get you. Do you really want to play legal chicken with Visa?

Of course not this is just a civil liberties thought experiment. It’s not clear the founding fathers intended for this. Who makes the list? Is MasterCard bad (probably, visa equivalent)? AmEx? Brex? Mint? Random form on hacker news?

Who decides? On what criteria? Can you appeal? Are they elected or appointed officials? Who supervises the “list makers”?

As the other person linked, it did happen, although perhaps it would not happen again. On the other hand, I would not risk it, especially since any competent database admin would have your edits rolled back quickly. What would it accomplish? They'll undo the edits then make it harder to remove yourself from the list in the future. Who does that serve?

Hmm, this one is surprisingly dangerous under Computer Fraud and Abuse Act. VISA is certainly a financial institution and as such this site is a protected site. And this likely falls under "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;"

Act of DoS could be considered damage, not to even mention opt-out from a revenue source...

There's an unspoken assumption here and elsewhere that the captcha doesn't present any kind of difficulty at all; is that true? If so, why?

Most open source text captchas have ML/DL or OpenCV OCR solutions and more advanced captchas like gcaptcha/hcaptcha you can send to a solver farm like 2captcha. The cost for the farm solutions is pretty cheap.

I'd only seen relatively pricey solver farm solutions, hence the question. What constitutes "cheap" here? For a baseline, .05USD/captcha seems not cheap to me.

2captcha is about 0.0005/solve, give or take due to their failure rate. There are other services as well and pre-paid bulk purchases lead to lower pricing. I wouldn't want to ballot-stuff the crazy number that is the combination of all Visa credit cards but for much smaller problem spaces 2captcha and others are very reasonably priced.

I would easily pay 0.0005 per solve if it meant I don't have to deal with a captcha again when browsing.

There is buster: https://github.com/dessant/buster

Wasn't something I mentioned earlier but using the reCAPTCHA audio is also another solution for gcap. I haven't ever used it personally but always seemed like a cool idea.

I use it all the time and it works very well. I got my own tts api token so that I don’t run into overquota errors from the shared default token.

It’s also very satisfying to know I’m not an unpaid mechanical Turk for google anymore and that it’s a machine solving another machine’s challenge.

I'll try that, thanks! I can confirm audio CAPTCHAs are much easier, I always use those.

I assume there is a business opportunity here.

The biggest issue here is solve latency. If I'm on a page with a captcha, I would definitely pay $0.0005 to not have to solve the captcha (hell, I'd pay $0.01), but I'm not sure I'd pay $0.0005 and wait 30 seconds.

"Break something and then sell the solution" is always a business opportunity.

Can be had much cheaper, especially if OK with a non-zero failure rate (and/or bit more latency). Note that my hands-on experience with this stuff is now relatively dated, from a "prior career" -- coming up on 10 years now, even. If anything though, then I'd guess that it's become cheaper over time, not more expensive.

Look again, that is per thousand captchas.

Still pretty expensive if you wanted to do every single Valid CC #, though.

If you're about to make a billion calls per visa card issuer then you can afford a small amount of engineering effort to break that specific captcha. Most individual captchas are pretty rudimentary and can be attacked with simple image processing techniques and pattern matching.

This one in particular is simple enough that nearly any technique you wanted to throw at it would succeed with minimal fine tuning. I'd be shocked if it took an afternoon even if you'd never broken a captcha or done any image processing before, and that's without borrowing an off-the-shelf ML solution.

Plus, even if you had a 50% failure rate you'd just need twice as many calls. That's not trivial, but it doesn't really affect the viability of the idea.

apitruecaptcha.org seems to be working for this captcha, which uses AI/ML out of the box

please opt me out

Here's an equivalent form for MasterCard: https://www.mastercard.us/en-us/vision/corp-responsibility/c...

Is it just me, or is the wording hugely misleading?

> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number

What we're opting out from is the use of the data, right?

I guess the charitable interpretation is that this was written by somebody incompetent, not by someone trying to be deliberately obfuscatory...

It's the banking industry: it is intentionally misleading. They've gotten in trouble for it a number of times and even when the Obama administration cracked down on it, they eventually learned how to legally make their fine print incomprehensible again after a few years.

This post contains some strong statements. Some are likely not verifiable here ("it is intentionally misleading"), but others ("the Obama administration cracked down on it") deserve sources, even if well attested -- they're not common knowledge.

That's a good point, those contain assumptions that need some backing up because they might not hold water, even if it's the common perception in the politics of American culture.

But otherwise it probably comes down to Occam's razor and they had some random corporate web guy half-ass the copy on the website, in which they aren't investing any sort of high quality resources.

It's easy to mistake poor workmanship or misinformation as some sort of purposeful evasion.

Hell, another scenario is the lawyers gave it a run-through and neutered the text in an effort to make it non-liable and no-one decided to make it readable again.

Not that I like defending these monopolies. Just some better understanding of how things like this work IRL over the years.

I can assure you that many lawyers worked on some boilerplate Ts&Cs that were applied here or that many lawyers reviewed the language on this specific page rather than a “random web guy”.

You should look up the Consumer Financial Protection Bureau

I'm still pissed at Obama for not making Warren the chair of it.

She's no more qualified than any other Masshole when it comes to dutifully toeing the party line[1], but she was uniquely qualified to head the CFPB and shouldn't have been passed over for that.

[1] Which is basically all she's done in congress but as someone who was a republican until they stopped being fiscally conservative and who studied markets and fought for the little guy all her life who can blame her for being a little tepid on some of the fiscally wilder things that come out of the Bernie/AOC crowd and the jackboot-ier things that come out of the authoritarian neoliberal old guard.

> To opt-out from our anonymization of your personal information

Doesn’t opting out from anonymization mean opting in for PII?


I bet in the mind of a bank exec, it may very well. An amusing point.

There are laws in some countries preventing this, but your point is entirely valid and even makes me wonder about opting out.

Heeeey, wait a minute, is this some banking MILDEC type scenario? Who are you? (j/k)

Pretty obvious to me that this text being misleading is deliberate. Certainly went through some expensive lawyers to get it just barely defensible enough.

Even Apple makes opting out of sharing data with advertisers (IDFA) confusing[0]

> Allow apps to ask permission to track you across apps and websites owned by other companies.

[0] https://blog.gingerlime.com/2020/does-ios-14-protect-your-pr...

If Apple made that say “allow apps to track you” and everyone set it to off and they didn’t mention that apps that don’t ask will still try to track you they’d be exposing themselves to a lawsuit when a company tracked Apple users without the IDFA.

I think it could be better stated, but changing to to “allow apps to track you” would not be a setting they could actually offer.

Yeah I’m sure plenty of lawyers laboured over this thing... Still doesn’t make it easy to understand. I think they could say that they (Apple) does not allow to track you, and they won’t facilitate tracking, but if an app does this covertly and without Apple’s blessing, it’s on the app and not on Apple. Of course that would put Apple on the line. Apple claims to care about privacy, but apprently not enough :)

I get "System Error" when I submit my card number

Same here. I have a suspicion like they designed it for 5 queries/day and we just blew it.

So I tried it again after 24 hours on two different cards. First one worked right off the bat. Second one gave "System error" three times in a row and worked on the fourth try. I think we’re looking at some real "enterprise-grade" software on MasterCard's side.

If this is about the MC form, I found that if I pasted my CC number (such as from a password manager), it would bork unless:

- I entered the number

- Then moved to the front of the input field

- Deleted a char, and re-entered it, because

- an end-of-field char change removes the whole number

Wait a sec, even two seconds, and the number will auto-obscure.

Then it works.

I got this in Chrome, it worked in Edge

Same here, “System error”

Same but for Australian card holders. Interestingly or maybe deliberately the captcha doesn't show so you can't submit. https://www.mastercard.com.au/en-au/about-mastercard/what-we...

Anyone have one for Amex? Or Discover?

(or JCB? What other weird cards do HN users even have?)

For Amex, I found this: https://global.americanexpress.com/account-management/privac... (Maybe the checkbox at the bottom does a similar thing)

Sadly that option doesn't even exist on the Canadian site for whatever reason.

I did manage to find this (https://optout.aboutads.info/?c=3&lang=en) which they claim to honour.

I probably should be purging cookies more often :/

I wish these provided a confirmation number or receipt

Perfect. I was wondering if it was the same site because the are the same company, or aren’t, IDK.

My favorite visa data to sell/buy is airfares. Visa gets the airport code of your departure and arrival, so you can group people into like “visiting Florida during the first week of June”. Or “flies to the Bahamas very often”.

Good stuff.

What kind of individual data is in that set of “flies to the Bahamas very often”? Zip codes? Closest city?

Not sure what you meant, but you buy data like that based on airport codes, dates, frequency, and tier (like top 10% of spenders). I’ve only used visa data for targeted advertising. Like tourism destinations target people who are flying to their destination in the near future.

What data do you get on each person who matches the query?

Often you get the data in aggregate, bought and sold as an “audience”. It’s a Boolean flag if a person is in the audience. Basically an array of IDs for people in the audience (true). Almost always the data seller masks the ID of people in the audience to the buyer. This then creates opportunity for third party “matching services” or “identity resolution” who can de-anonymize, link, and re-anonymize. Link audiences together, e.g. flies to Bahamas often AND lives in the US North East AND has a mortgage. Facebook and Google’s success relies heavily on simplifying huge amounts of the programmatic advertising backend, but the audience selling is still a huge part of the industry, like Acxiom et al.

Much of this buying and selling of data within the paid advertising industry hides in plain sight because it goes by so many names - contextual targeting, relevancy data, media enrichment, lead enhancement, blah blah blah...

This is correct. I worked at oracle, who is the go between for advertisers/agencies and vendors like visa who sell data but don’t do the “client facing” kind of stuff.

Aren’t Oracle (and Salesforce) currently dealing with a class action suit in Europe because of these services?

If oracle isn’t getting sued, they’re not doing business the oracle way. Unrelated, I no longer work there.

I guess if it's anonymized they just want to find patterns. So if 70% of men aged 40-65 who "flies to the Bahamas often" also like to eat at the local 5-star restaurant there, they can go to that restaurant and tell them to either join the Visa Perks experience to reach the other 30%, or maybe tell them to put out ads at the airport. You can even tell them which months these visitors like to come, so you can time those ads...

To verify that this is a legit site:

Go to: https://usa.visa.com/legal/global-privacy-notice/additional-...

Then click on: “Visa Products & Services: How does Visa use personal information to benefit consumers and businesses?”

Then scroll to the bottom of that section and you’ll see the VAS link: ”U.S. cardholders can opt out of Visa using their card transaction data for VAS.” where you can opt out.

iPhones will auto capitalize text in the captcha box, so make sure the text is all lowercase.

The site is already marketingreportoptout.visa.com. How would your random link add anything?

The "random link" is on a domain that the Wayback machine has back to 2001. Whereas the marketingreportoptout subdomain doesn't appear to be there at all. I could certainly imagine a compromise where somebody who doesn't have access to the main sites still manages to sneak in a plausible-sounding subdomain.

That's not how any of this works.

Plus the site uses a certificate that is not only issued by but also owned by Cloudflare according to its metadata. It's indistinguishable from a free tier Cloudflare cert unless you know exactly what you need to look for.

Does that mean that you don't trust subdomains by default? That seems a bit extreme/unnecessary.

I don't know that I trust anything by default. It's always a risk assessment. When I saw a kinda basic-looking site asking for my credit card number, I definitely looked at the domain, and alongcomplicatedthingineverheardof.visa.com was definitely more concerning than, say, www.visa.com.

Can't even trust myself these days, its really awful. /s

This is not realistic or even probable.

You are suggesting people do something that is completely unnecessary. It's a subdomain of visa.com. If your concern was valid, you could put your comment disclaimer on every single link ever posted on hackernews.

It can be hard to clearly identify website URLs on a mobile browser, but also as others pointed out here there is a common attack called subdomain takeover.

I don’t personally like typing my credit cards into websites without making sure it is legit.

It astounds me how many of these official sites look like bad phishing attempts.

That's on purpose. They don't want people opting out.

What would be better is if the US had (does it?) a nation-wide law requiring explicit opt-in, as opposed to having to opt out of surveillance. Small steps forward.

Also, does this form really amount to anything other than "we promise we won't spy you that much?" Are banks audited in this regard, or are they subject to the same non-existent regulations as the Sillycon Valley surveillance?

I will take what I can get, but the obviously correct thing is for user targeting and sale of third party information to be illegal, never-mind opt in.

You're ten steps ahead :)

“Better” for who? The corporations or the people? United States usually favors one over the other by design.

We the People. Though I think US law/courts also regards corporations as people.

By design, democracy favors entities who care, and therefore lobby for change. Corporations do the majority of the lobbying and it shows.

Sometimes I wonder how certain deals show up as website advertisements and recommendations. Certain blog posts or forum posts appear magically in my search result knowing what I was planning for. Deals and YouTube recommendations also seemed coincidental. Now I know that my debit card has been also leaking my purchase patterns and location. I better add more hosts to my Raspberry Pi-Hole.

Are you suggesting to just block the ads? What I find more annoying is the fact that the data is collected in the first place, as well as the opt-out vs opt-in by default. Your pi-hole won't protect you from that, since the moment you swipe that baby, Visa knows.

I try to opt-out whenever I can but I’m pretty sure there are several other blind-spots I haven’t blocked. Pi-hole does that for both the US and worldwide. I just need to figure out how to proxy my phone web requests home through VPN or WireGuard.

I've found it easier to use NextDNS rather than maintaining a Pi-hole and routing everything through my home connection.

I can vouch for this also, they are a partner of Firefox DOH feature so good enough for me

Your credit card mostly only gets merchant name and total purchase value, so the uses are fairly niche. It’s more likely merchants themselves indirectly selling your purchase data.

You can sometimes click the small blue triangle in the corner of an ad (called adchoices) to see how it was targeted.

One hundred percent of the time when I've clicked that button, it says "XYZCorp is advertising to people located in the United States", even when the ad is clearly more targeted than that.

So, assuming that this is FB or Goog, then that makes sense. FB certainly encourage advertisers to use broad targeting with conversion optimisation.

This means that the audience is 18+ living in USA, but the combination of the targeting plus the optimisation (click and conversion prediction, mostly) means that it seems much more targeted than it is.

Ah, I wish it was better than that.

If I recall correctly, when I worked on ecommerce payment processing several years ago, the payment processor got a full itemized list for each transaction. Another comment here mentioned airport codes for airfares (https://news.ycombinator.com/item?id=25577366).

That was my comment actually. You could be right, as I’ve only used visa data for advertising which was merchant names only. Lots of merchants do sell itemized data though.

Stripe/etc definitely get itemized, but credits cards get less as far as I know.

That was my comment actually.

Lol, I should probably pay more attention to usernames :)

I've worked on the payment processing end, but as I said that was several years ago, as well as on the consumer data end (e.g. using services like Plaid). You could equally be right about what ends up going from Stripe/Braintree/etc to Visa/Mastercard/etc, though comments/links about Level 3 payment data make me think that the itemized level of detail will increase in usage, and also as you say transactional data is certainly bought and sold outside of the payment networks.

Level 3 cc processing is becoming more common though.

Why does the cert say Cloudflare and not Visa?

It says "Verified by: Cloudflare, Inc." AND Organization is also Cloudflare, Inc.

Shouldn't the Organization be Visa?

How do I know that this is Visa?

Genuinely curious since I've not seen certs like this..

I believe it is the standard free level, "Universal SSL" cert that Cloudflare will provide sites on free tier, if they opt for proxying through Cloudflare.

So all credit card numbers submitted by the form are viewable by Cloudflare? That does not inspire confidence

Does it matter? I really feel like I am missing some key knowledge about why people care that their credit card number might be stolen—especially when compared to much more immutable private information like your email address, home address, or phone number.

Cardholder agreements for credit cards typically say that you aren’t liable for any fraudulent charges so long as you report them within a couple of billing cycles. I once had my credit card number stolen, called the bank to report it, and they reversed the charge and sent me a new card via FedEx Express. The whole process took less than ten minutes.

What don’t I know? Is it just that when companies emphasise “no credit card information was stolen” in their data breach announcements that this gives a false impression that this data is more important to keep secret, or what?

I think part of it is successful brainwashing from banks to make people believe credit card number theft === identity theft === the individuals responsibility, not the banks.

Otoh, it can be pretty time consuming and annoying to charge back transactions and get a new card. In Switzerland for instance I have to print out a multi page form, fill it in, send it back by physical mail (yup) then my bank follows up after a few weeks and a few more phone calls. And I have to pay a fee to get the card replaced. So yeah the transactions aren’t on me but the hassle and fees are... This was much more straightforward in North America though.

There are a lot of people who don't care at all about their personal info, and the only negative effect of an identity theft is having to call the bank and changing your CC# (my mother for example who has had her ID stolen multiple times because she is careless with her personal info)

Yes, and you also have no guarantee that Cloudflare is sending them back to the origin over a secure connection. 3 of the 4 SSL options they give customers would be considered insecure by browser standards.

But since you are trusting Visa and it is trusting Cloudflare in this arrangement (and it's not very different from if you used a bulk hosted site and technically the bulk host could be eavesdropping) actually only one of those 4 options makes a practical difference.

The case where the backend is plaintext HTTP is different because a third party between Cloudflare and Visa could eavesdrop that silently (split fibre can make this utterly seamless for normal network technology) with no permission from either of them.

But in the other three cases either Visa, or Cloudflare, or both would have to agree to let somebody else snoop, which agreement they could make even if this was on-premises at Visa's own facility. That's not a technical problem, that's Visa betrayed you for whatever reason.

Arguably one of the options that would be "considered insecure by browser standards" is actually safer for Cloudflare sites, because you can't attack it from the Web PKI. Cloudflare Origin CA isolates you from such an attack, bad guys would need to attack Cloudflare to get a valid certificate from them, certificates from another CA would not work if it's locked down to Cloudflare Origin CA.

Does CloudFlare specifically matter? Most services you use are not SSL-terminated on own servers, so most of the time there’s a third party that can theoretically access your data.

It's the standard Cloudflare cert, the plan used for the site is irrelevant.

Source: Using CF Enterprise.

On my side, Firefox Android, it is verified as "Cloudflare\, Inc", which looks even more suspicious

may be

This is the first time you encountered a cloudflare site?

> your opt out will be honored for five years. After five years, you will need to resubmit your card number.

This requirement seems very easy to abuse. Annoying and inconveniencing users into submission already works wonders, people accept all kinds of EULAs, cookie conditions and privacy policies. I wouldn't want expiring user choices to become another tool in this arsenal.

The fact that you were at any time automatically opted in means they already scraped your whole history anyway. They will do it again in the future anyway since you will be automatically opted in in the future too. Get Zuckerd

It looks like with just a billion calls to that endpoint you can opt out every card for a given visa issuer.

Wonder what would happen if someone managed to opt out every single Visa card. Would Visa have to honor that, or would that be grounds to allow them to opt everybody back in?

Or would they just create a "different" marketing campaign, and just opt everybody into that one?

They would have a legitimate reason to doubt that all cards individually opted out and so they'd probably send people a letter or post a notice somewhere (updated ToS, idk) that there is now a new form that makes it more annoying for you to opt out (have to enter other details, send a letter, whatever) and that opt-outs after date X (when the mass additions started happening) have not been processed.

Or you do it like the EU and make excessive data processing opt-in. (Where by "excessive" I mean something that doesn't fall within recital 47 of GDPR: "legitimate [e.g. marketing] interests of [the company] may provide a legal basis for processing, provided that [users' rights] are not overriding, taking into consideration the reasonable expectations of [users]". It's a grey area where this line is exactly, but Visa can't simply do whatever they want. They have to tell you what data they process, but nobody reads that, and for unexpected (arguably excessive) things they'd have to ask you to opt in.) But I guess that's a little beyond the scope of this comment thread.

Alternatively, they check their web server logs for the IP address(es) from which 99% of requests came, and then undo the opt-outs of those numbers. Then they add a better CAPTCHA.

Source: That is what everyone did when Microsoft turned Do Not Track on by default on IE. That's what you get with "self regulation".
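The log check described above, as an added example that is not code from the thread or from Visa: it assumes the endpoint is POST /optout and that the web server writes the common "combined" log format, and it runs over constructed log lines (TEST-NET addresses). Card numbers never belong in web-server logs, so the signal is purely request metadata: which source addresses account for an implausible share or burst of submissions. The thresholds are assumptions to tune per site.

```python
"""Spot bulk submissions to an unauthenticated opt-out endpoint from web logs.

Added example, not code from the thread or from Visa. It assumes the
endpoint is POST /optout and that the web server writes the usual "combined"
log format; the log lines below are constructed, using TEST-NET addresses.
Card numbers never belong in these logs (the request, not the PAN, is logged),
so the signal here is purely request metadata: which source addresses account
for an implausible share or burst of submissions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one address submits 20 times inside a single minute,
# two other addresses submit once each, one line is a plain page view, and
# one line is junk that the parser must skip.
SAMPLE_LOG: List[str] = [
    f'203.0.113.5 - - [29/Dec/2020:14:03:{s:02d} +0000] "POST /optout HTTP/1.1" '
    f'200 512 "-" "python-requests/2.25.1"'
    for s in range(0, 60, 3)
] + [
    '198.51.100.7 - - [29/Dec/2020:14:03:10 +0000] "POST /optout HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [29/Dec/2020:14:09:41 +0000] "POST /optout HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Dec/2020:14:12:02 +0000] "GET /optout HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is not a log record',
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_sources(lines: Iterable[str], path: str = "/optout",
                 share_threshold: float = 0.5,
                 per_minute_threshold: int = 10) -> Dict[str, List[str]]:
    """Map each suspicious source IP to the reasons it was flagged.

    Two independent signals are used: the address's share of all submissions
    (a legitimate population of cardholders never concentrates on one source)
    and its peak submissions in any single minute (faster than a person can
    type card numbers into a form). The thresholds are assumptions to tune.
    """
    per_ip: Counter = Counter()
    per_ip_minute: Dict[str, Counter] = defaultdict(Counter)
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue   # only count actual opt-out submissions
        total += 1
        per_ip[rec["ip"]] += 1
        per_ip_minute[rec["ip"]][rec["ts"].strftime("%Y-%m-%dT%H:%M")] += 1

    flagged: Dict[str, List[str]] = {}
    for ip, n in per_ip.items():
        reasons = []
        share = n / total
        peak = max(per_ip_minute[ip].values())
        if share >= share_threshold:
            reasons.append(f"{share:.0%} of all submissions")
        if peak >= per_minute_threshold:
            reasons.append(f"{peak} submissions in one minute")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Flagging on request metadata alone is deliberately conservative: it tells the operator which submissions to review, while the decision about which opt-outs to reverse still has to come from the backend's own records, keyed by request, since the card numbers themselves are not (and should not be) in the logs.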

Visa will just say, on their news page: "we updated our terms and conditions; if you opted out in the past you must opt out again"

The only winning move against corporations involves NOT giving them your money. Anything else is futile in the current US legal landscape.

Oh, and they will probably work with the FBI to get whoever did that behind bars pretty quick.

Only one way to find out! What are the possible legal risks to an innocent researcher testing this worthy hypothesis? Asking for a friend of course ;)

In the US? Jail, probably. The CFAA is given very broad reach, especially when you mess with corporations.

IANAL, though.

Probably the same thing that happened ~10 years ago in a very similar situation https://www.eff.org/cases/us-v-auernheimer

Pretty sure that someone would be prosecuted for violating the CFAA.

Not saying that’s right, just that’s my commentary on the state of things today.

No worries - I'd expect a dozen visa.ru.evil mirrors to pop up asking for the same information if the legit one goes sideways.

Not all heroes wear capes

> U.S. cardholders may opt out of Visa

So is the rest of the world not covered by this data collection effort or are they just denied the opportunity to opt out at all?

In the EU you would have to opt in since there are actual data protections for consumers (that's if it is abusing user-specific data, which I have to assume it is)

EU data protections wouldn’t apply here since it’s aggregated - not sure where the EU opt out is though

So where do I go to see my profile and data? I got a kick out of requesting my lexis nexis profiles - which eventually resulted in two very large packets of paper (several hundred pages) arriving in the mail.

If you want a real trip, I'd suggest getting your data from DT Client Services via CCPA request if you are in California. That was really shocking.

What process did you follow? Were there costs associated with printing, delivery, etc?

I sent them an email with my request. The email address can be found on the CA Attorney General's webpage (https://oag.ca.gov/data-brokers?combine=dt+client). I used the form from EPIC (https://epic.org/ccpa/). There are no costs associated with this, and they are required to provide the information to you up to two times in a year. Not every business must comply.

I highly recommend requesting your data from Verizon (if you’re a vzw customer). A 10mb spreadsheet, very enlightening. Not too difficult to request but took 2-3 weeks to arrive.

What is the process for requesting from lexis nexis?

I did that about 10 years ago. The packet didn't make much sense to me then. I wonder if I still have it somewhere. It would be interesting to request it again and see what changed.

I wonder what is their policy in EU. Do they automatically process your data without any opt-out?

It doesn’t exist. VAS is a US product offered by Visa US, supporting US cardholders only.

As a European I'm totally ok without this support.

They still aggregate and sell insights from their collected data.

Does it include Canada?

In the EU, opt-out schemes are illegal if they have anything to do with personal information. A person has to opt in to share personal info.

Pet peeve: Why do they use subdomains (marketingreportoptout.visa.com), thus making it a bit easier for the scammers to register similar domains?

marketingreportoptout-visa.com is still available for any scammer to register. It costs Visa (or anyone) less than $200 to register it for 10 years. Can't they at least register these very obvious domains?

How difficult is it to use URLs like this? visa.com/marketingoptout visa.com/links
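The "obvious domains" point above, as an added example that is not code from the thread or from Visa: given a service host like marketingreportoptout.visa.com, it enumerates the flattened second-level names a brand owner would register defensively or watch for in certificate-transparency and newly-registered-domain feeds, and checks a constructed feed against that list. The TLD list and the feed entries are assumptions; only structural variants (separator changes and label re-ordering) are produced, since those are the cheap, obvious registrations the comment is asking about.

```python
"""Enumerate the obvious registrable look-alikes of a brand's service subdomain.

Added example, not from the thread or from Visa. Given a host such as
marketingreportoptout.visa.com it lists the second-level names a brand owner
would register defensively or watch for in certificate-transparency and
newly-registered-domain feeds. Only structural variants are produced
(separator changes and label re-ordering); the TLD list is an assumption.
"""
from typing import Iterable, List

WATCH_TLDS = ("com", "net", "org")   # assumed list of TLDs worth covering


def registrable_lookalikes(host: str, tlds: Iterable[str] = WATCH_TLDS) -> List[str]:
    """Flatten the subdomain labels of host into candidate second-level domains."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 3:
        return []   # a bare brand.tld has no subdomain to flatten
    sub_labels, brand = labels[:-2], labels[-2]
    joined = "".join(sub_labels)        # marketingreportoptout
    hyphenated = "-".join(sub_labels)   # same here; multi-label subdomains keep hyphens
    stems = {
        f"{hyphenated}-{brand}",   # marketingreportoptout-visa
        f"{joined}{brand}",        # marketingreportoptoutvisa
        f"{brand}-{hyphenated}",   # visa-marketingreportoptout
        f"{brand}{joined}",        # visamarketingreportoptout
    }
    return sorted(f"{stem}.{tld}" for stem in stems for tld in tlds)


def registrable_part(name: str) -> str:
    """Reduce a DNS name (possibly a wildcard) to its last two labels.

    Assumes plain two-label registrations such as example.com; names under
    public suffixes like co.uk would need a public-suffix list instead.
    """
    labels = name.lower().strip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return ".".join(labels[-2:])


def flag_observed(observed: Iterable[str], host: str) -> List[str]:
    """Return feed entries whose registrable part is a look-alike of host."""
    watch = set(registrable_lookalikes(host))
    return [name for name in observed if registrable_part(name) in watch]


# Constructed feed entries, as they might come from a CT log or new-domain feed.
SAMPLE_FEED = [
    "login.marketingreportoptout-visa.com",
    "*.visamarketingreportoptout.net",
    "marketingreportoptout.visa.com",   # the genuine host itself, not a look-alike
    "example.org",
]

if __name__ == "__main__":
    print(registrable_lookalikes("marketingreportoptout.visa.com"))
    print(flag_observed(SAMPLE_FEED, "marketingreportoptout.visa.com"))
```

The matching is done on the registrable part rather than the full name so that a certificate issued for any subdomain of a look-alike still triggers the alert; a real deployment would swap the two-label heuristic for a public-suffix list.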

From a technical standpoint, it is possible to configure separate DNS records for subdomains, so something.visa.com can be set up completely independently from their main website. And it won't have to share cookies either, making it more secure. For visa.com/something, you would need to add a routing rule at the application level in whatever server is hosting visa.com.

No, this can be done in the load balancer before any application. You can load balance on L7. This would be a trivial thing.

A trivial thing that would become a mess really fast on a complex website.

A new subdomain for every different "website" is the clean solution in my opinion.

Nothing is trivial for a decades-old website.

This website doesn't seem to be ADA compliant. There's a CAPTCHA, but no audio option. I guess blind people have to stay in that database, whether they want to or not.

This is the most dodgy looking “enter your CC info” site to ever exist.

I can’t imagine why /s

Generally I’ve found that most opt out pages regarding advertising look like they’ve been built with just a basic understanding of HTML.

This is intentional

It should be illegal for this to use an opt-out approach rather than opt-in. If it's my data, you should be legally required to pay me to use it, at the price I demand, or not use it at all. Only with my consent, and not at the threat of not receiving service should I decline.

Like the fox offering an opt-out list to the chickens...

It's probably a service mandated by regulation, not out of the goodness of VISA.

I doubt it. They state "Because your issuing bank may change your card number, your opt out will be honored for five years. After five years, you will need to resubmit your card number." This strikes me as the kind of bullshit that would not be permitted if the opt-out was legally mandated. I suspect this opt-out may instead be an attempt to avoid regulation, by trying to appear to be doing the right thing even without regulation.

All legally mandated electronic opt-out requirements have time limits AFAIK.

Credit score companies (5 years): https://www.optoutprescreen.com/

Spam mail (10 years): https://www.dmachoice.org/

The government's page about this tells a different story: https://www.consumer.ftc.gov/articles/0262-stopping-unsolici...

> To opt out permanently: You may begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.

> Telemarketing [...] Telephone numbers on the registry will only be removed when they are disconnected and reassigned, or when you choose to remove a number from the registry.

Meanwhile, the DMAchoice site says:

> It is not a tool to effectuate rights under any specific law including the California Consumer Privacy Act (CCPA).

So I'm not buying that legally mandated opt-outs come with the annoying expiration dates.

If you also read optoutprescreen.com, permanent opt-out is only possible through using physical forms, not electronically.

And it's probably running on the slowest and cheapest hardware they can buy, without any monitoring.

Seriously, people don't understand how opt-outs are nonsense. Say I am facebook. In 2020 I make an opt-out data grab. I turn it on and grab all the data, and then put up a site to opt-out. Then in 2021 I make another grab with a new opt-out. They literally don't care who opts out, they never need to even look at that list because they already grabbed it all.

Any way to verify that this is legitimate and not a phishing page for active card numbers?

It's coming from visa.com, somebody would have had to hijack their domain first to set up a phishing scam like this.

Yes, by checking the SSL cert.

The certificate used on this website says it’s owned by Cloudflare. That doesn’t help in this instance.

Especially since this means anything you submit will be decrypted by Cloudflare. It may then be transmitted in the clear to whoever runs the backend server that Cloudflare is proxying for.

Thanks, SSL is an area I'm not very knowledgeable in.
