Tell HN: Automatic fraud detection is making my life hell
402 points by aiProgMach 10 months ago | 388 comments
I've been in India for a while now, to support a family member, as she's here for medical reasons. I rely on online services to save on cash, especially since it's hard to carry cash from my country (for "security" reasons, as most airports limit how much cash you can carry).

Yet, many online services are giving me hell with their "smart" anti-fraud detection and things like that; at this point I can really understand the position of the people who are dooming about a cashless society, because at some point here I felt trapped, not being able to get services I needed so much (until I asked a shop owner to pay for me and I paid him in cash + a small profit...).

The thing is, the attitude of these companies is so frustrating; if my card was already accepted once and I successfully approved the payment via 3D Secure with my bank, who are you (as a random online service) to assume you can act as my big brother? Even more, if I'm using a balance paid by gift card, who gives Amazon or other services the right to put my account on hold while it still contains my hard-earned money (I had to try literally multiple services just to buy an expensive gift card, as Amazon payment won't allow me to choose the correct currency of my card). Mind you, I'm just a random guy and not a world-class criminal, or an activist who's being actively targeted; this makes me wonder what these services can do once we go completely cashless.

Simple tasks like downloading region-specific Indian apps become unnecessarily complex, as Google Play has this "smart" rule that says I can only change my region once per year. What?? It's just an app, just give me the APK, and you can just ask for my location! (I had to install the APKs from some random websites at the risk of getting some malware...).

I would say what this experience taught me as a developer, but it won't matter, as most products are designed to help the stakeholders and upper managers and even governments, and a dev's empathy won't matter much...

Apologies for this vent, but I really felt I needed to post something about this frustrating situation I'm in.




Wrong assumptions programmers make about fraud prevention:

-- A mobile phone number uniquely identifies a single person.

-- Every person has a mobile phone number and they only have one mobile phone number.

-- If a person's mobile phone number is associated with VoIP or Google Voice, that indicates fraud.

-- Every person always has their mobile phone handy and it is always able to receive calls and SMS messages under all circumstances.

-- Mobile phones are never lost or stolen and their batteries never run down.

-- Mobile phone numbers last forever.

-- An email address uniquely identifies a person.

-- Every person has an email address and they only have one email address.

-- Every person is always able to receive email under all circumstances.

-- Email addresses last forever.

-- People never travel to foreign countries.

-- A person's IP address always determines where they are located.

-- Geolocated IP addresses are always accurate.

-- Geolocated IP addresses always indicate the preferred and correct human language of the person on the other end.

-- The IP address for a customer will never change during a given session (i.e. LEO satellite internet does not exist).

-- If the IP address for a customer changes "too quickly", that indicates fraud (i.e. LEO satellite internet does not exist).

-- Your customer will never connect to you through a VPN.

-- If your customer connects to you through a VPN, they are doing something fraudulent, rather than trying to get around your geolocation brain damage.
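The list above reads as a set of hard rules that each fire on a single signal. The alternative a fraud engineer would reach for is to treat each item as weighted evidence, let an issuer-side authentication (the 3D Secure approval the original post mentions) count against the score, and reserve outright blocking for a strong combination such as an implied travel speed no airliner can reach. The following is an added illustration, not code from the thread or from any real fraud product; the weights, thresholds, ASN numbers and sample events are all constructed. It handles the LEO satellite case from the list explicitly: an IP change that stays inside one autonomous system is scored as almost nothing.

```python
"""Risk scoring that treats fraud signals as weighted evidence, not hard rules.

Added example, not code from the thread. Weights, thresholds, ASNs and the
sample events are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple


@dataclass
class Event:
    ip: str
    asn: int                 # autonomous system the IP belongs to
    lat: float               # geo-IP estimate, not ground truth
    lon: float
    ts: float                # unix seconds
    phone_type: str          # "mobile", "landline" or "voip"
    via_vpn: bool
    verified_3ds: bool       # issuer already authenticated the cardholder


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_event(prev: Optional[Event], cur: Event) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher is riskier; the score is evidence, not a verdict."""
    score, reasons = 0, []
    # Weak signals: common among legitimate users, so they only nudge the score.
    if cur.phone_type == "voip":
        score += 10
        reasons.append("voip number")
    if cur.via_vpn:
        score += 10
        reasons.append("vpn")
    # IP changed since the previous event. Staying inside one ASN (e.g. a LEO
    # satellite provider moving a session between ground stations) is almost no
    # evidence; a different ASN at an impossible implied speed is strong evidence.
    if prev is not None and prev.ip != cur.ip:
        hours = max((cur.ts - prev.ts) / 3600.0, 1 / 60)   # floor at one minute
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if prev.asn == cur.asn:
            score += 5
            reasons.append("ip change, same network")
        elif km / hours > 1000:                             # faster than an airliner
            score += 40
            reasons.append(f"impossible travel ({km:.0f} km in {hours:.1f} h)")
        else:
            score += 15
            reasons.append("ip change, new network")
    # Strong exculpatory evidence: the card issuer already authenticated this payer.
    if cur.verified_3ds:
        score -= 20
    return max(score, 0), reasons


def decide(score: int) -> str:
    """Three-tier outcome: a step-up challenge is far cheaper than a wrong block."""
    if score >= 50:
        return "block"
    if score >= 20:
        return "step_up"
    return "allow"


# Constructed sample events (documentation-range IPs, private-use ASNs).
T0 = 1_700_000_000
TRAVELLER_HOME = Event("198.51.100.7", 64500, 52.52, 13.40, T0, "mobile", False, True)
TRAVELLER_ABROAD = Event("203.0.113.9", 64501, 19.08, 72.88, T0 + 48 * 3600, "mobile", True, True)
LEO_BEFORE = Event("192.0.2.10", 64502, 47.61, -122.33, T0, "voip", False, False)
LEO_AFTER = Event("192.0.2.200", 64502, 45.52, -122.68, T0 + 600, "voip", False, False)
HIJACK_BEFORE = Event("198.51.100.50", 64503, 40.71, -74.01, T0, "mobile", False, False)
HIJACK_AFTER = Event("203.0.113.77", 64504, 6.52, 3.38, T0 + 1800, "voip", True, False)


def run_samples() -> dict:
    """Traveller on a VPN with a 3DS-approved card, a LEO user on a VoIP number,
    and a session that jumps continents in 30 minutes."""
    return {
        "traveller": decide(score_event(TRAVELLER_HOME, TRAVELLER_ABROAD)[0]),
        "leo": decide(score_event(LEO_BEFORE, LEO_AFTER)[0]),
        "hijack": decide(score_event(HIJACK_BEFORE, HIJACK_AFTER)[0]),
    }


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name}: {outcome}")
```

The point of the three tiers is that the VoIP number and the VPN never block on their own; they only raise the score enough to ask for a step-up, and an issuer authentication can pull it back down to "allow". Only the impossible-travel case, where distance and elapsed time together are inconsistent with any legitimate user, reaches the blocking threshold.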


The problem with many of these examples is that 99% of the time, it is a sign of fraud, and 1% of the time it’s a false positive.

> If a person's mobile phone number is associated with VoIP or Google Voice, that indicates fraud.

I’ve been using this heuristic (along with VPN and IP geo lookup) when screening job candidates after a massive influx of developers outside the US applying for US-only remote roles. I discovered that VOIP phone numbers on a resume are extremely highly correlated with the applicant lying about where they live.

If it weren’t for this screening step, I literally wouldn’t be able to hire anyone because the volume of fraud is so incredibly high that it drowns out legitimate candidates.

I wish there were a way to detect fraud while never having a false positive.

But the reality is that a lot of the heuristics you listed are indeed strongly correlated with fraud. It sucks, but it’s also not realistic to optimize for the 1% of false positives at the expense of the 99%.


The cost of the false positives is much higher than the false negatives.

Temporarily slowing down 99 scammers is not worth stranding one normal person in a foreign country with no means to access their money and no means to recover their account.

The reality is that most lockdown-type protection schemes are just a roadbump, not a solution. They slow down the attacker. In fact, hackers are employing account lockouts to lock security teams and management out of their own accounts when they launch an attack.

I'm with OP on this one. The banks have completely failed to protect against fraud while causing massive economic damage with their clueless security design.


> Temporarily slowing down 99 scammers is not worth stranding one normal person in a foreign country with no means to access their money and no means to recover their account.

To that one person it obviously isn't worth it. To the company it absolutely is.


So many transactions are flagged as false positives (way more than 1%), while there are a lot of false negatives because the tools don't improve as quickly as the scammers. The case for blocking transactions is getting weaker - we should instead strengthen the post-fraud response mechanisms, and then analyse the additional data we gain.


My primary phone number is a Google Voice number, and I am entirely legitimate. Just curious, how often are other people filtering with this kind of criteria?

I have been considering migrating away from GV for unrelated reasons, but if that sort of thing automatically makes me less attractive when looking for gigs then I'd like to prioritize actually doing that.


I primarily use Google Voice, especially since I’ve been out of the USA for a while. I haven’t had any major problems, but I have noticed things getting a little more difficult. I was recently denied a savings account at a bank with whom I already have a credit card because they couldn’t text my Google Voice number. They offered to try calling me at a different phone number that’s known to be associated with me (I couldn’t just give them a different number), but I hadn’t used their proposed number in nearly 20 years.


Long story short, GV or VOIP numbers will forever be a big red flag for me moving forward.

Longer story:

A few months ago, I posted a job for a remote US-based developer. 90% of the applicants were not in the US. Some of those who were immediately rejected re-applied with new US addresses and phone numbers, but that's another story. In the end, we hired someone who was a great fit, passed the background checks, etc. The only odd thing was their phone number was GV and didn't match the location of their address. My mobile number doesn't match where I currently live and lots of people use GV, so we didn't think much of it.

About 4 weeks in, they sent me a message on a Sunday saying there was a family emergency. They would not be online during normal business hours, but would check in and would still work on tasks as they could. No big deal, I asked for follow-up on two assigned tasks so they could be handed off to someone else to finish a sprint that week.

After two days, I hadn't heard anything, so I reassigned the tasks and tried to reach out to check on the person. The phone number goes to the generic GV voicemail prompt; I leave a message. I tried calling the emergency contact, same thing. I reach out through LinkedIn & personal email, no RESPONSE. At this point, we disabled accounts and access to systems. No real reason or policy why, it just seemed like a good idea.

Two days later, now Thursday, I start getting calls from a random phone number (also GV from another area of the US), but leaving no messages. Then I get texts, "This is <missing_dev> I've been trying to reach you, please call me back." I call back within 3 minutes, straight to GV generic voicemail.

A few hours later, the number calls again, I answer: "Hey, this is <missing_dev>, I was trying to get some work done but it seems my accounts are disabled". After explaining the situation, they simply offered "Well, everything is good now and I'm ready to work." I tried asking some basic things like, are they okay, is their family okay, can we help with something, did you get arrested? Anything to give them an opportunity to offer something. The only response they gave was, "I'm back now and ready to work, if you'll enable my accounts." Over and over.

I explained it wasn't that simple, walked through the communication inconsistencies and asked how that would affect their reliability in the future. You will only need one guess for the response, "I'm back now and ready to work, if you'll enable my accounts."

I thanked them for reaching out and said I'd talk to HR and CEO so we could discuss (both had also reached out through personal LinkedIn, email and phone numbers to check on the person, no responses).

They were still in the 90 day probationary period, so we let them go. They were a very good developer, smart, good coding practices, but inconsistency is a killer. And yes, a GV or VOIP number will be a hurdle any future applicant needs to overcome with flying colors.


One quick trick that has worked for me to weed these people out is saying “You live in <city>? That’s great! We have another employee who lives 30 minutes away, would you be able to do an in person interview later in the process?”

They will make excuses (and blame Covid) for why they can’t meet in person. At that point you can politely reject the candidate.

If you already hired one that you’re suspicious of, ask them if they’re willing to fly to you to meet in person. If they’re legitimate, then they’ll fly out and you’ll have a great opportunity to meet the new employee in person (a good practice in general IMO), and if they’re not in the US they’ll have a bunch of excuses why they can’t.

They will never admit to anything and when confronted with the lie they’ll continue to deny it with silly excuses or they’ll totally ghost you.

Longevity is not part of this scam. The goal is to get a couple paychecks and bounce. (1 month of a US salary is a ton of money to them)


> If they’re legitimate, then they’ll fly out

Just curious, how do you expect someone without a job to pay for this?


They don’t. The company would buy or reimburse their plane ticket.


We had plans to get together as a company (about 15 of us from all over the US) about 3 months later. They seemed excited about this. But, we never made it that far.


> The only odd thing was their phone number was GV and didn't match the location of their address.

How is that even remotely odd? Ever since cell phones became popular the phone area code no longer means anything. People tend to have the area code of wherever they were when they got that phone, which is often many location moves in the past.


> I wish there were a way to detect fraud while never having a false positive.

There is: networking. People you trust will tell you about candidates they know about.

> it’s also not realistic to optimize for the 1%

It's not about what's realistic, it's about what's right. Nobody should be falsely treated like a criminal. That 1% should carry enough legal liability to completely offset if not exceed the gains of preventing the 99%. If even one innocent person suffers, it's unacceptable.


It’s acceptable to reject a candidate because they’re not “a friend of a friend”, but it’s not acceptable to reject a candidate because they submitted an application with an IP address from Pakistan with a VOIP phone number?


> It’s acceptable to ... but it's not...

Wrong framing. The parent didn't set it up as a means to filter. In your situation you have a list of applicants that you are filtering. In the parent's scenario they do not yet have applicants, they simply ask their network if there's any suggested candidates which then forms the list that they will filter from.

It's as discriminatory as posting on LinkedIn but not on Indeed. The discrimination would come from the counterfactual question of: supposing they posted the job listing to a larger network _and_ supposing a clearly more qualified applicant applied, would that better applicant be turned down due to nepotism. That's the difference. No one is getting upset at family businesses despite almost certainly failing the counterfactual.


In the first case, you're not rejecting candidates at all. Nor are you treating them like potential fraudsters.


The result is the same, and it's the result that is the issue. If potential applicants aren't given consideration because they're not in the network, it doesn't matter that the hiring committee thinks they're innocent, or isn't technically rejecting them.

It's a bad heuristic.


Be careful with your logic and framing. I explained why it was poor framing above. But the way you've (and the gp) framed it is dangerous. Swap "voip numbers" for "x skin color" and you're in clear unethical and illegal territory. But swap the attributes of the parent and you don't get this issue. If parent is x race and all their friends are also x race you're not discriminating against y race through their means because they aren't turning down based on race, it is just closer to changing the odds. The problem isn't when you change the odds (unless there's an extreme manipulation) but rather how you respond to samples from the distribution.


This is wrong. You are expected to discriminate against samples from the distribution in a variety of ways, like the formatting of their resume and their work history; it only becomes unethical when you discriminate based on race, gender, etc. If you replace "voip numbers" with "x skin color", of course that would be unethical, but being able to switch phrases to make them unethical is irrelevant, because we're not discussing the unethical case.

The example of networking you give has even more potential for unethical behavior than filtering voip numbers.


Any thread about online scamming will include comments from a bunch of online scammers telling you that the things you can do to make their life harder are unethical.


I'm confused about what such applicants hope to gain by this. What's their business model? They're going to have to give you a SS# or EIN (if they're a self-employed consultant) before you can send them a paycheck, right? And the Social Security Administration has a website where you can verify SS numbers. So what's the play here?


The applicant is actually three people involved in a scam. One is a US person that can provide a valid US SSN or other magic numbers, but otherwise doesn't know the first thing about anything. Second is the person running the scam, located anywhere. Third is a person from a low-cost country that's skilled enough to pass the interview pretending to be the first person, who might also be responsible for doing the actual job so that the interviews succeed. The fat US salary is split between the three parties.

This is actually the case of a thing you mentioned, just sadly in reverse. A phone number may indeed not identify a single person. It may represent three unrelated individuals at the same time.

FWIW, I'm 100% with you on your list. Even if it's only 1% of false positives, it's a massive number of people at global scale, and frankly also a big percentage. Outside of tech, hardly anyone is allowed this kind of error rate.



This is a good description of the problem - kinda from both sides. Thank you! But based on this, wouldn't the right defense be to insist for some camera feed?

1) Most phones have a camera now, besides the plausible excuse of the candidate's computer not having a working one.

2) When no camera is working, it usually shouldn't be a big problem to postpone the interview for a few days. The time for a camera solution to be procured by the candidate.

3) For an extra test of the candidate being able to engineer their way around a broken or missing camera in less than a week.


How would a camera determine their place of residence?


Of course. The conversations point out that one frequent problem is the hiring process being managed, interviewed for, and finally filled by different persons.

Place of residence is a different issue. Many people connect behind a VPN. A video feed during the interview would at least hint at the time zone they are in.

Third different issue is right to work in the US. This is an issue you have even in person in the US. Solved with legal documents. Social Security card, green card, US passport... then tax ID, then ongoing tax filings by the employer - Which may be a little easy to forge when presented in pictures but seem to still be sufficient legally. (And here camera helps with "person doesn't match ID".)

Anyway. You are right! Camera solves only part of the problem.


Basically you are getting a mole infiltrated into your company. There was even a US govt warning about North Korean IT workers, heuristics included.

> The hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences, including sanctions under U.S., ROK, and United Nations (UN) authorities.

This is the funniest part:

> Repeated requests for prepayment; anger or aggression when the request is denied.

https://www.ic3.gov/Media/Y2023/PSA231018


Maybe they provide credentials for a stolen identity?



Or you know, your brain

And don't accept candidates without video chatting first, or who behave weirdly in interviews


I'm not a fan of video chat during hiring interviews. It's a great way to discriminate (race, sex, age, disabilities) right out the gate


How do you communicate in real time? Even a phone call can lead to bias unfortunately (accent, name, etc). Unless you fully are anonymous it is hard to eliminate bias


Well phones have worked rather well for the past few decades. These days video calls tend to lead to rejection while phone calls leads to a successful engagement. Seems as though lack of video is more anonymous and removes the ability to judge someone based on their backdrop


I use my Google Voice number for everything that’s not family or friend.


yes, he understands that, he's saying you would not make it past the screening; you anecdotally fit into his "false positive" category.


Likewise. It's amazing how much SMS spam I get on Google Voice number relative to my primary number. Google Voice makes it easy to blackhole numbers and at least some form of spam filtering. If it's going to rule out potential employers, so be it.


This kinda scares me you are screening out Google Voice Numbers. Google Voice was my primary phone number for over 5 years, I had a real phone number but I was always giving out only Google Voice. Google Voice is a very powerful tool:

* Your phone number keeps working even if you lose your phone (I could still answer phone calls when my phone broke).

* Traveling abroad is a breeze, just change SIM cards on arrival and your US phone number still works via data on Google Voice. No need for expensive travel passes, and you get to choose your operator that has a lot more data.

* Having full SMS & call support on a website is very nice, I always hate typing with the phone. iMessage doesn't solve everything since you need a Mac (I frequently switch OS & devices).

Also I think eSIMs will make lying and fraud much more common. A month ago ChatGPT was denying creating a work account for me because I'd already had this phone number associated with my previous account. And they were blocking Google Voice. I went to USMobile.com, paid $7 to create an eSIM with another phone number, and I had SMS with a second phone number on my phone working in less than 10 minutes.


Seems to me you are filtering against agile, tech-aware candidates, preferring less agile, less tech-aware candidates. These are your false positives. A time saver for sure, but perhaps not optimal for filling the positions.

As opposed to, for example, demanding a video feed (and giving time for an alleged engineer to engineer their way past an alleged broken camera.)

It used to be that demanding a photo or video was frowned upon as being a bit too easy to use to filter on race or gender. But I guess not anymore.


damn so I've been missing out on jobs because back in highschool I thought it was cool I could text from any browser without my phone


> The problem with many of these examples is that 99% of the time, it is a sign of fraud, and 1% of the time it’s a false positive.

That’s the key. It may very well be the wrong business decision to care about this 1%.


This is exactly it. Nobody assumes these factors are always true. Absolutely nobody in the fraud prevention chain.

They're just true often enough that the company is better off declining to serve the few exceptions than it is trying to build things around the edge cases.


it makes sense that every company ever has a bunch of broken by design security features that were justified after the fact by "risk model", after failing to arrest anyone who pointed out that they were broken, that award people who are uneducated and even moreso not self-accountable to just manage their password or key properly. it makes sense that these features that cannot be opted out require you to constantly give every company your personal id, location, comprehensive profile of your voice and speech patterns (and mouse movement patterns), and selfies using proprietary apps which require you to own highly specific products from 1 or 3 companies.

it makes sense to require email as a second captcha^H^H^H backup authentication thing^H^H^H mechanism we can't explain for your security which requires using one of the 4 remaining email services all of which can't be used without phone verification (btw all these will do things like, lock you out when you switch phone number which is even smaller space than IPv4). what if I use different emails for two companies and they are corroborated at some point? do they think I'm identity hopping? but wait, should I be punished for using the same email for my games as my bank? is my email address my identity or should I use multiple to mitigate risk? oooooh I'm thinking too hard, it just makes sense because an adult on HN said they are also totally adults making these decisions based on sound reasoning. if I thought too hard that would also break the risk model because it would no longer be secret which is essential for it to work, and therefore I would be a criminal.

it makes sense that someone can just steal my money from my bank account because he spent an hour figuring out how it really auths you (actually they just learned all they need is the last restaurant you ate at and a rough amount you spent, totally not a guessable number) whereas I assumed just nobody having my password would be sufficient.

it makes sense that my keyboard, monitor, and speaker each have their own OS that takes 10 seconds to boot and also have remote code execution vulnerabilities, because none of that would ever matter for a casual user. it makes sense that my dishwasher doesn't work, that doesn't matter for a casual user since regurgitating crap onto the dishes only gives you disease 1% of the time, it's green!

it makes sense that my random photo ID is a password and I give it to 50 different companies because everything in the world is good.

some ceo said so, it all makes good business sense.

tl;dr you're literally just defending the garbage dystopia Richard Stallman warned about 70 years ago or whatever.


I don't think it's safe to write off that 1% if you don't first make sure you understand who that 1% is and how decisions like this, especially at scale, could harm those people. If a person says that they are eligible to work in the USA, that should be taken in good faith. If 99% of applicants are fraudulently answering this question, you're probably doing something wrong and need to figure out what's broken in your application process, rather than aggressively filtering out applicants based on correlation. It would be better to filter them out with a more robust application process that doesn't attract these scattershot job applications typically pushed by bots.


> I don't think it's safe to write off that 1% if you don't first make sure you understand who that 1% is and how decisions like this, especially at scale, could harm those people.

Businesses prioritize profit, not "safety" or whatever else you're talking about. Profit always comes first.


laws and regulations are supposed to provide a counter to a corporation's amoral greed which prioritizes profit over all else (including human life or suffering) and the harms that greed causes on a societal/global level.

If enough people are being wrongly treated because companies won't (and arguably shouldn't) care about the harms they are causing, that's when government should step in and find a way to force them to stop acting in ways that we (those of us who aren't amoral monsters) deem unacceptable.

It sounds like it might be time for governments to step up and address this situation with fraud detection, but hopefully part of that will involve cracking down harder on the rampant fraud going on that caused these flawed detection systems to be seen as necessary in the first place


Businesses control the government.


Idk, if your aim is to find the "best talent", then what's the chance that they stumble along and you treat them like shit?

That's what's going to happen when you say "out of this other group, this 99% of people who I didn't want anyway, many of the Google Voice people were fraudsters".

Same thing for asking people to reverse a linked list on a whiteboard, or getting them to re-do their résumé, but in your HTML form instead of just emailing you their pdf. If you do ever get your dream candidate, you've pissed them off.


With most interview processes, your aim is to have a high degree of certainty that you will find someone in the top 1% or so of people, not to find the absolute best person. Given that, arbitrary filters that save your time are very much worth it.


Tragedy of the Commons Ruins Everything Around Me.


I’d be interested to see actual statistics on this.

I encounter anti-fraud challenges fairly regularly just because I have the same name as another family member and we once shared an address. Years ago.

A number of clients and friends have reported constant hassles wrought of poor anti-fraud implementations.

Older folks and less technically inclined are particularly at risk of falling through these cracks, as are frequent international travelers.

The 99%/1% thing is a good colloquialism but I don’t think the numbers would be there.

Loads of people are using VoIP numbers everyday for perfectly legit purposes. I’m not saying you’re making up your troubles. Just that clearly there are assumptions in anti-fraud technology generally that impact wide swaths of people, whether they understand why or not.


When I lived in the US, I primarily used Google Voice, as I could still use it in foreign countries.

When I had asked T-Mobile to enable international roaming on a particular date, they said they would, but then didn't end up doing it, messing up my travel plans because I didn't have Internet when I arrived. Luckily I was in my home country (Australia) where I could speak the language, but it was a foreign city.

I eventually used someone else's phone to speak to a T-Mobile rep and was sent through a credit check, asking me my American social security number. I'm not American, I don't remember off-hand what government ID I was given there. Luckily I happened to have taken my social security card with me on vacation. I told them, if I can afford to travel internationally, you'd probably think I could also afford a phone plan; why am I being put through this bullshit and why can't you just keep your promises?


At some point every serious fraudster circumvents the protection and you are only blocking legitimate people.

OK this is probably an overstatement, but the 99% to 1% ratio must be questioned though.


- Different signals mean different things in different contexts

VOIP phone numbers can indicate an increase in the chance of fraud in some contexts, and be almost meaningless in others


So you won't hire anyone who uses Google Fi? That's pretty lousy.


Google Fi phone numbers are not VOIP; they operate as an MVNO. Google Voice numbers are VOIP.


It's been a while since I worked with this, but when Google Fi started, their numbers would often show up as Google Voice in carrier lookups, sometimes only for the first few days of service though.


As of 2018 when I last used Google Fi, my number was still being blocked by services that block VOIP numbers, even after having that number in Fi for years.


he completely explained why he needs to do this.


> US-only remote roles.

The entire premise of remote is that it shouldn't matter where you work from, as long as you get the work done. This is extremely, incredibly harmful. I hope you know that.


To be clear, “US Only” means “eligible to work in the US”.

The candidates that I’m calling fraudulent are answering “Yes” to a question on our applicant form asking if they’re eligible to work in the US.

There’s absolutely nothing wrong with a US company wanting to hire US employees.

(FWIW I also hire contract developers outside the US… have nothing against outsourcing, but I prefer to do so knowingly rather than being conned)


> The candidates that I’m calling fraudulent are answering “Yes” to a question on our applicant form asking if they’re eligible to work in the US.

The dumb thing is that a lot (and I do mean a lot) of hiring platforms ask this question even when the job is advertised as not being in the US. It's hard to take seriously anymore.


Country of residence makes a difference for legal reasons, foreign remote employees are not the same as domestic remote employees.

Some companies have an established process to handle the different requirements of a global workforce, and for them hiring one more person from country X doesn't cause any issues; but if your HR, legal and accounting is set up for domestic operations, then hiring a foreign employee may easily add so much overhead that it's not worth the hassle.


This is completely normal and legally necessary in many cases. Your hyperbole is mildly harmless. I hope you know that.


> This is completely normal

Yes, it is. It's even hard for a US citizen like me to find jobs that don't require some proof of citizenship that I don't have. IDs cost money here, money that I don't have because I can't get a job, because they want my ID.


You still need to provide accurate data for location, mainly due to taxes. I'm also getting from the post that there's an implication that they are receiving outside the us applicants.


One boring but absolutely valid reason you might want to hire remote people in the same country is that they're within a few time zones of everybody else so you can have online meetings during normal business hours.


I tried to place some online bets for a friend who is in prison.

But the betting sites don't allow you to use an ethernet cable to connect to your router o_O (unless you also enable wifi.. except my desktop doesn't have wifi)

https://helpcenter.il.betrivers.com/hc/en-us/articles/360049...


What is the heuristic they are checking for here? That problematic actors overwhelmingly will be unable to show an active wifi adapter?


If you get a list of wifi networks, you can look them up in various databases to check possible locations of the device.


... which reminds me of an experiment I keep meaning to run:

Can I do a quick wifi survey (somewhere) and then replicate the SSIDs and channels in a completely different location and fool one of these SSID mapping functions ?

What are these functions scanning for to perform the geolocation other than SSID and frequency and MAC addresses ? Relative or triangulated signal strength ?


Almost certainly. I'd guess most of these services are using BSSID (more or less the MAC address of the access point) instead of SSID and not using channel number or signal strength.

If you report GPS position and BSSIDs anytime you see them, you can probably approximate a location when you only have a BSSID. IIRC, precision is fairly low for wifi approximated position, but maybe it's gotten better since I last looked.

If you want to do a test, I'm happy to send you BSSIDs or whatever you need by email (address in profile) and you can geospoof to my house. I run too many APs, so it should work with just mine, but I can sometimes see neighbor APs as well.

Google's api documentation [1] has only the macAddress as a required field, and that you need at least two addresses; but it does accept a signal strength measurement, as well as channel and snr. Other apis may vary.

[1] https://developers.google.com/maps/documentation/geolocation...
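Added example for the spoofing experiment discussed in this subthread (editor's code, not from any commenter and not Google's API client). It is a toy BSSID-keyed locator: the access-point table, the MAC addresses (locally administered 02:xx prefixes) and the coordinates are all constructed. It shows two things the thread reasons about: the estimate depends only on BSSIDs and signal strength, so a survey replayed elsewhere with different SSIDs and channels lands at the original place, and a request shaped like the `wifiAccessPoints` field of Google's API carries nothing that ties it to the sender's actual position.

```python
"""Toy BSSID-based Wi-Fi geolocation, showing why a replayed survey relocates you.

Added example for this thread, not code from any comment or from Google's API.
The access-point database below is constructed (02:xx locally administered MACs,
made-up coordinates); real services such as Google's Geolocation API or WiGLE
hold crowd-sourced BSSID -> position records of the same general shape.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed lookup table: BSSID -> (lat, lon) where that AP was last seen.
AP_DATABASE: Dict[str, Tuple[float, float]] = {
    "02:00:00:00:00:01": (40.0000, -105.0000),
    "02:00:00:00:00:02": (40.0010, -105.0010),
    "02:00:00:00:00:03": (40.0020, -104.9990),
}

MIN_KNOWN_APS = 2  # Google's API likewise refuses to position on a single AP


@dataclass(frozen=True)
class Observation:
    bssid: str        # AP MAC address; the only field the lookup is keyed on
    rssi: int         # signal strength in dBm, e.g. -40 (strong) .. -90 (weak)
    ssid: str = ""    # network name; not used for positioning
    channel: int = 0  # radio channel; not used for positioning


def _weight(rssi: int) -> float:
    # Stronger signal -> AP is probably closer -> pull the estimate towards it.
    # Clamp so a very weak AP still contributes a little and never goes negative.
    return float(max(rssi + 100, 1))


def estimate_position(observations: List[Observation],
                      db: Dict[str, Tuple[float, float]] = AP_DATABASE
                      ) -> Optional[Tuple[float, float]]:
    """Weighted centroid of the known APs in the scan, or None if too few are known."""
    known = [(db[o.bssid.lower()], _weight(o.rssi))
             for o in observations if o.bssid.lower() in db]
    if len(known) < MIN_KNOWN_APS:
        return None
    total = sum(w for _, w in known)
    lat = sum(p[0] * w for p, w in known) / total
    lon = sum(p[1] * w for p, w in known) / total
    return (round(lat, 6), round(lon, 6))


def to_geolocation_request(observations: List[Observation]) -> dict:
    """Shape the scan like the wifiAccessPoints field of Google's Geolocation API.

    Only macAddress is required by that API; signalStrength and channel are
    optional hints. Nothing in the body ties it to where the request is sent from.
    """
    return {
        "considerIp": False,  # don't let the API fall back to the caller's IP
        "wifiAccessPoints": [
            {"macAddress": o.bssid, "signalStrength": o.rssi, "channel": o.channel}
            for o in observations
        ],
    }


def replay_elsewhere(survey: List[Observation]) -> List[Observation]:
    """Simulate rebroadcasting a survey from another location with different
    SSIDs and channels but the same BSSIDs (what the commenter proposes)."""
    return [replace(o, ssid="spoofed-" + o.bssid[-2:], channel=11) for o in survey]


# Constructed scan "taken" near the first two APs; the third BSSID is unknown.
SURVEY = [
    Observation("02:00:00:00:00:01", -40, ssid="home", channel=1),
    Observation("02:00:00:00:00:02", -70, ssid="neighbour", channel=6),
    Observation("02:00:00:00:00:ff", -50, ssid="unknown-ap", channel=11),
]

if __name__ == "__main__":
    here = estimate_position(SURVEY)
    there = estimate_position(replay_elsewhere(SURVEY))
    print("survey estimate  :", here)
    print("replayed estimate:", there)  # identical: SSID and channel are ignored
    print(to_geolocation_request(SURVEY)["wifiAccessPoints"][0])
```

The weighting by RSSI is the part a real service may or may not do; the thread's observation that only the BSSID matters holds either way, because the database key is the MAC, and an attacker who controls the radio controls both the advertised BSSID and the apparent signal strength.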


You can find bssid and other details from around the world at https://wigle.net/map


Yes I think that would work. I remember moving house before within the same city and moving our wifi router with us. For a while my phone kept placing me at my old house, when it didn't have a GPS signal.


Most routers these days default to auto channel assignment. And the triangulation near any thicker wall will break down anyway. I'd be surprised if they looked up more than SSID for a match and then adjusted the location slightly based on signal strength.


Almost everyone uses wifi for everything now. If you're using Ethernet there is a very high probability you are actually a proxy/vpn exit on a rack in some random residential location.


Well that's a shitty filter because now criminals will use wifi or fake using wifi. And then they will get right through. It's not that hard to fake. Security Theater.


You're filtering for people using vpns to access your site from a country other than the one they are claiming. They likely aren't criminal operations just users operating outside the bounds of your service. They aren't going to have the ability to do anything but sign up for a vpn service so it works quite well for stopping them.


I'm guessing that's bots in data centers.


How do they scan for wifi?


You have to download an app :(


The browser connection API maybe?


All these can be the wrong assumptions for sure. Working in a space with some fraud though I can tell you the majority of users verify fine and there are only the few percent that don't, for any number of reasons, some of which you have given above. For smaller vendors though things to consider are

- a chargeback can come up to 6 months later. A loss of that is not only a loss of funds but a chargeback fee

- too many chargebacks could affect the merchant account with the potential of a loss of being able to run your business and this can extend to PayPal or anything merchants run charges through.

- Fees may go up like interchange fees on running credit cards if an account is deemed higher risk.

- blacklisting from Visa or Mastercard or merchant accounts in general is not unheard of. Losing access to running credit cards would be the end of many businesses.

So mom and pop shops need to be aware of fraud and ensure it is low or taken care of. You can't just accept every order and hope for the best. Fraud does exist and when only a few percent of users meet your list of incorrect fraud assumptions it's easy to see why they are used at least for extra verification.

One good thing for merchants for those who accept crypto like Bitcoin is all the risk moves to the sender not the merchant. There are no charge backs - so merchants who take crypto should be able to be a bit more lenient on payments and verification.


The problem is that it's not acceptable for online providers to converge on making life miserable for "a few percent" of people.

This is a market failure: to save the cost of a few bucks, huge costs are imposed on these individuals. The answer is to have some mechanism whereby people who run into these issues can pay (once) the small cost of being validated in an alternative way (like, actually talking to a human and explaining what's going on, which is how these issues got solved in meatspace originally)


>The answer is to have some mechanism whereby people who run into these issues can pay (once) the small cost of being validated in an alternative way (like, actually talking to a human and explaining what's going on, which is how these issues got solved in meatspace originally)

The answer is to have electronic money accounts and transfer services be operated by the government, and to make it the government's problem to go after criminals rather than have the businesses left holding the bag.

That way the business is not incentivized to discriminate, as long as they get the money through the government money transfer service, they are guaranteed it as if they received cash.

Corollary is that you also need a law that guarantees the right for everyone to have an electronic money account that can send and receive money and that no government can take that ability away from you at any point in time.

And the government has to operate an identity verification API. And again, the onus is on the government to go after criminals committing fraud.

Once you put the onus of fraud or damages on a business, then every business will obviously start discriminating to minimize those costs.


For small and mid sized players, it’s not to save a few bucks. If your fraud prevention isn’t locked down tight then you will draw enough fraud that it threatens your ability to take payments at all. This stuff can kill a business in a bad day or two.

Take it up with the payment providers. They provide fraud prevention but like to leave vendors guessing about how to configure it, and make it a premium add-on, which is kinda fucked up since they’ll boot you off for letting too much fraud through. It’s a protection racket on the vendor side—they’re also being screwed by this state of affairs.


It's not to save the cost of a few bucks. Once people find out your site is easily susceptible to fraud, the majority of your traffic will be fraudulent. It only takes a few minutes to post a repeatable scam you found in a scamming discord for bragging rights, or to write a Python script to repeat the task over and over.


But humans are the easiest to con.

I've worked in fraud prevention professionally for years and adding a human verification layer to the equation would make me vastly less likely to believe a suspicious applicant was legitimate.


This is secondary to the main topic, but:

The externalization of costs onto customers is something I've noticed hard with the pandemic. Going to get medication at the pharmacy while fewer and fewer people worked and hours were closed, and finding out after the pandemic it's shitty still with multiple pharmacy chains having workers walk out and protest these conditions. As a customer - waiting in line for a refill can be endless. Being on hold in a call center, because you won't pay people enough to work your shit jobs, and handle issues locally, meanwhile, the time-cost is externalized on to us in longer wait times.

Workers/Customers lose, somebody's winning, but it ain't us.

(Again, this is NOT the same issue and not a complaint about the main topic).


How is the fix for this not an online pharmacy? The only reason I use an in person pharmacy is credit card points as it codes as grocery.


Nobody contests that it's convenient. The question is whether it's technically correct. And the point is that it's not. Just because it's easy doesn't mean you found a solution.


> only the few percentage that don’t

Few percent of transactions for a payment processor means a few billion transactions. Visa on its own processes ~200B transactions a year. That's not a great threshold.


It's a trade-off though, right? Presumably it's better for the company to lose out on a small percentage due to false positives than to allow them through and subsequently incur a larger percentage of false negatives. They can aim for obtaining those transactions without incurring extra fraud but it has to be worth the cost and risk of the changes to the system.


> Geolocated IP addresses always indicate the preferred and correct human language of the person on the other end.

My Google Maps language (on my PC) is STILL in Portuguese, but I only happened to be visiting Portugal (for 3 days) when they did the subdomain switch... Every time I change it back to English, it changes the language back the next time I visit the site. It's super frustrating.


Make sure you’re not visiting with a bookmark that includes the specific language code.

I had a similar issue with some history item that would annoyingly point me to the previous version of a page. Only to realize that I was opening a permalink to it.


I'll add another to that list:

-- People will never have a physical mailing address that contains "funny" numbers like "000", "420", "69420", or "80085".


-- No one was born on 4/20/69

-- Forced SMS based MFA should be used to protect logins for mobile phone accounts


>Forced SMS based MFA should be used to protect logins

I have now closed three remote banking accounts (i.e. no nearby physical locations), after they began requiring 2FA via SMS [which I do not participate/allow/text].

My most-recent bank is literally down the street from me so I can walk over when 2FA becomes ubiquitous. Such an annoying "feature".


I used to work in a building in SF where the address was either 123 Main St. or 123 Mission St. Someone in sales had an issue giving that address to a cab driver, IIRC. Amusingly, the company did (and still does) ML for fraud detection.


Or that some towns may have... unusual substrings (Scunthorpe, Shitterton, Fingringhoe, and the ever-famous Fucking in Austria, now renamed to Fugging).


I once had a friend that lived at, no shit, 1337 High.


I used to live in Baltimore, where there are numbered streets that include ½ symbol streets, and worse, house numbers including ½ numbered houses.


I believe Galveston, TX has lettered half streets, example: 123 A ½ St


How does one enter "½" into a webform?


What’s funny about 420?


Look up 4/20.


Uh, no. Look up 4:20. The funny number is the time, not the date.


Oh! Just shows you how little I know about this stuff. Thanks!


Ah.

Well, that's pretty stupid. Are you going to rule out 911 and 666 and 13 too? (Not directed at you personally, it's a rhetorical question.)


Programmers make these assumptions? How about product/program managers?


I would say it's both.


It has nothing to do with wrong assumptions, it has everything to do with the statistical similarity to fraudulent transactions and acceptable failure rates.


Or laziness? "Quick and dirty" is so tempting.


You have no idea how much justification it takes to reject orders. It is not done lightly.


I'm aware. There is also such a thing as "choosing one's battles", sure. You can't make a crusade of every little detail. But you must raise the issue.

Proposed way to do it: One argument I have used in the past on the job is that 0.5% here, 0.5% there, after 40 corners have been cut, does add up. It's enough to transform a project from "quick and dirty" to "customer support headache" and "bad press".


- Twilio etc. can deliver SMS to any network

- The networks Twilio etc. can’t deliver to are small and don’t have millions of users


I'm calling BS on this list. Pretty much no one makes any of these assumptions. The thing with many of these (eg VoIP, Google Voice, VPN etc) is that the population who use these for legitimate purposes is too small for most devs to care about given the cost of fraud from people who are using these things nefariously. Both type I and type II errors are important but they mostly only care about type II errors because type I errors just piss off a small number of good people whereas type II errors cost them money and if they go unabated will get them shut down by payment processors, banks, regulators etc.


> Geolocated IP addresses always indicate the preferred and correct human language of the person on the other end.

This one is only tangentially related to fraud prevention. But I've never really understood this. Is the Accept-Language header really so inaccurate?


> Is the Accept-Language header really so inaccurate?

I'd say so yeah. Many many old people here (in a country where English isn't the primary language) use 'misconfigured' browsers.

It's getting better nowadays I suppose with new installers defaulting to our native language but (even though I tend to prefer the English version myself) I think it's a good default. I do prefer an easy way to change it though (or a quick confirmation on the first visit.)
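Added example for the Accept-Language question above (editor's code, not from any commenter). It parses the header's quality values per RFC 7231 section 5.3.5, picks the best supported language with a region-less fallback (so `pt-BR` still gets a `pt-PT` site), treats `q=0` as "not acceptable", drops malformed entries instead of trusting them, and only falls back to an IP-geolocation guess when the header expresses no usable preference. The header strings and the supported-language list are constructed samples.

```python
"""Accept-Language negotiation with IP geolocation as the fallback, not the default.

Added example for this thread; not code from any comment. Sample headers and the
supported-language list are constructed.
"""
import re
from typing import List, Sequence, Tuple

# language-range per RFC 4647: 1-8 alpha, then optional -subtags of 1-8 alnum
_LANG_RANGE = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$")


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Return [(language_range, q)] sorted by q descending (RFC 7231 s5.3.5).

    The header is untrusted client input: malformed ranges are dropped and a
    bad q value is treated as q=0 so garbage degrades to 'no preference'.
    """
    prefs: List[Tuple[str, float]] = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        tag = tag.strip().lower()
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0
        if tag != "*" and not _LANG_RANGE.match(tag):
            continue
        if 0.0 <= q <= 1.0:
            prefs.append((tag, q))
    # sorted() is stable, so header order is kept among equal q values
    return sorted(prefs, key=lambda p: p[1], reverse=True)


def pick_language(header: str, supported: Sequence[str], geo_default: str) -> str:
    """Best supported language for this header; geo_default only if nothing matches."""
    supported_lc = [s.lower() for s in supported]
    for tag, q in parse_accept_language(header):
        if q == 0.0:
            continue  # q=0 means "not acceptable", never a match
        if tag == "*":
            return supported[0]
        if tag in supported_lc:
            return supported[supported_lc.index(tag)]
        # Region-less match in both directions: pt-br -> pt-PT, pt -> pt-PT
        base = tag.split("-")[0]
        for i, s in enumerate(supported_lc):
            if s == base or s.split("-")[0] == base:
                return supported[i]
    return geo_default


SUPPORTED = ["en", "pt-PT", "de"]  # constructed: what this hypothetical site ships

if __name__ == "__main__":
    for hdr in ["en-US,en;q=0.9,pt;q=0.8", "pt-BR,es;q=0.8", "",
                "xx-garbage;q=abc, de;q=0.5", "fr", "*"]:
        # geo_default "de" stands in for the IP-based guess the thread complains about
        print(repr(hdr), "->", pick_language(hdr, SUPPORTED, geo_default="de"))
```

Whatever this returns should still be overridable by an explicit, remembered user choice; the geolocation guess is the last resort, not a tiebreaker that wins on every visit.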


Why would LEO satellite internet cause frequent change of IP addresses? Shouldn't all that moving-satellite stuff be handled on a lower level of the OSI Model (probably Layer 2: Data Link), and the IP stuff at Layer 3 isn't affected?


With Starlink, the downlink location determines your externally-visible IP address and that can change every 90 seconds or so based on where the closest satellite to you is at the moment. I'm in New Mexico and I frequently see ads on web pages directing me to shops in Denver or Dallas because those are the downlink locations for me.

You can see the issue better on this visualization:

https://starlink.sx/


I think there must be something going on here. Changing your IP address would screw with all sorts of things. You'd never be able to do online gaming. Video streaming would stop working every time your IP changed. Anything that streams would just die and not recover for a while.


> Video streaming would stop working every time your IP changed. Anything that streams would just die and not recover for a while.

Not if the client has buffered enough data, allowing it to reconnect in background while playback continues.


OK that's strange but makes sense, so it's the publicly-routable IP after "network address translation" (NAT) that keeps changing.


— everyone has a USA taxpayer ID


or even 'All American citizens have a USA taxpayer ID'


I have such immense disdain for Capital One and MasterCard for how they implement 3DS.

I have been in Germany for 6 weeks. I have spent thousands of dollars between flights, train tickets, and hotels. Guess what I have to do every, single, time I buy a 3EUR train ticket? Receive an SMS on my American cellphone number.

Their "solution" is to have a family member in the US add their number to my account, wake up in the middle of the night and relay TOTP codes to me. FOR A 3EUR TRAIN TICKET. Multiple times a day. From the same damn train company.

I'm willing to pay a $1000 yearly fee for a competent credit card company that sends me TOTPs over Email (just like they send me charges [but of course, not refunds/canceled-authorizations]). Or lets me use a Security Key.

The funny thing is, they happily text these codes to VOIP SMS numbers, which I can (and do) route to my email anyway.

It's absurd that my Xbox account is both more secure and less annoying to use than my credit card. Again, for a 3EUR train ticket. I feel like we're slowly entering this dystopian Kafka-esque nightmare, and yet, as always, there's people in the comments here insisting this is fine, or that I deserve it.

I'm going to assume the people saying "use cash" have never set foot into the real world. Yes, let me put cash into the non-existent train ticket machines, or to the non-existent train attendants. In the 3 minutes I have before my train comes.


Not the same (it’s a debit card), but when Schwab locked my debit card after I tried to buy a transport pass in Poland, a quick phone call got me a human who apologized, put a travel alert on my account, and gave me $50 for the inconvenience.

As for C1, they updated the app while I was in Ukraine, and it wouldn’t even let me log in; I had to use a VPN.


If Schwab would fix their account security to allow plain TOTP instead of the scam that is Symantec VIP, I would have nothing but good... well, there was the two times, yes, two times in a month that I had to spend hours on the phone telling them to stop letting people randomly transfer securities into my account without my consent. They assured me that (1) it would be illegal for me to refuse the request to take back the money and (2) that I could not block future transfers-in from happening and they could not implement a system requiring my authorization before such transfers. The clawback letter from the originating bank even pointed out that they hadn't noticed until I raised flags.

I loathe American financial companies, mostly because they all seem rankly incompetent.


> If Schwab would fix their account security to allow plain TOTP instead of the scam that is Symantec VIP

Symantec VIP is just TOTP with a proprietary app/enrollment process. It has been reverse engineered [1], allowing you to use any TOTP app. I have been accessing Schwab and other banking sites this way for years.

[1] https://github.com/dlenski/python-vipaccess


Oh this is great thanks. I've been annoyed by symantec for a long time.


I know, and I still resent them for making me run Python. Hell, even Ameriprise got their act together and has support for plain TOTP. I about fell out of my chair when I saw that.


Interesting. I was considering opening a second account specifically as a backup card and hedge against lockouts while travelling, and Schwab was high on my list, but it sounds like based on your experience that they are not fit for purpose.


The way it was explained to me is that this (a glorified Excel sheet of transfers that get executed at a certain hour of each day) is just how intra-bank securities transfers work and that I mostly got unlucky that (1) the intended recipient was at Schwab (2) whoever was doing these transfers has dyslexia and my account was a number transpose off.

For the most part, their customer support has been excellent. I had an ATM in France eat a card, and so I in fact have two bank accounts with them. They refund ATM fees, have never given me a hard time about international withdrawals, do support TOTP, albeit in a round-about way, send very prompt email alerts with customizable thresholds. Of all the banks I've had, I'm most happy with them. Just consider if you need access to a physical branch. Luckily, despite my whining, my needs are rather simple.


Thanks for the information!


I've used Schwab for 11 years and nobody has ever transferred securities into my account without my request. My biggest complaint is not supporting U2F/WebAuthn/Passkeys. My second biggest complaint is that their brokerage billpay was extremely broken and always locked me out of my account. That was always a "call support" type situation. But... they fixed that! They knew the system was bad, so they replaced it with one that's not bad.

In general, I think they have done a fine job. I have worked with them to transfer in old 401(k) accounts. I used a wire transfer out of Schwab to buy my apartment, which cleared in less than a minute. I have called support and they have been helpful and efficient. I really don't have any complaints.


Get a Google Voice account to accept the SMSes for you, it's free and Capital One will complain about the number but accept it.

I permanently live overseas but with US bank accounts and cards, and all my cards go through cycles and phases. Sometimes they want to send SMSes for months to verify account access, then they stop. Same for transactions. Some will refuse to work on Amazon.de for months, then start working. Some physical cards will work on contactless terminals then completely stop working or become unreliable. (The workaround is to add them to Google Wallet).

One interesting thing is that even when banks insist you notify them that you're OS, if you keep using your card OS they will just accept it and ignore the period you've stated as being OS.


I was one of Google Voice's first customers, then a Fi customer, they horribly mistreated, left me stranded in unknown-to-me areas with no functioning service and basically told me... not nice things. Then, told me their systems could transfer my number from Fi back to Voice. So, no, I'll go with my home-made solution, Telnyx has been amazing. They (1) manually gave me an account with a Gmail address, (2) fixed their HCaptcha-before-2FA login bug for me, (3) tracked down and blocked spammers for me multiple times now, and I'm probably the tiniest customer they have. And they're not Google.


"I'm willing to pay $1000 yearly fee for a competent credit card company that sends me TOTPs over Email ..."

Just spend a few dollars per month on an MVNO SIM card and put a 2FA MULE on your desk back home:

https://kozubik.com/items/2famule/


it’s not mastercard but your bank. there are plenty of banks which implement mastercards 3ds via app (eg N26).


And here I am trying to give Capital One some good faith. I've called them three times since I've been here and they insist that MasterCard forces them to do this.

Just reaffirms my suspicions that I need to shop around. I'm traveling and putting enough money on this card to start looking at ones that actually charge a fee and have decent "rewbates", I mean "rewards".

Less sarcastically, thanks for the heads up. I'd be grateful for any other hints of people that might not hate their credit card provider the way I do.


> Or lets me use a Security Key.

In my region of the world there's currently one bank that lets you register such a device.

And that apparently is some sort of ground breaking innovation.


Because SMS delivery exhausts location data, but dedicated TOTP devices don't.


Not sure if it works in Germany as a US citizen, but next time try walking into a bank, explaining the situation and asking for a prepaid card. (E.g. we have the Mastercard Red in Austria.) It will take some time, you'll have to show ID, but it may solve the 3 EUR annoyance.


> Yes, let me put cash into the non-existent train ticket machines, or to the non-existent train attendants

Insisting on paying cash is how you prevent those machines from disappearing.

That's why it's important.


This is your bank's problem. I am Australian, while roaming internationally incoming SMS is free. Next my bank sends in app notifications, not texts.


Incoming international SMS is free for US carriers too. I use it all the time to receive one time codes.


Yeah a 3EUR charge shouldn't get "3D secure'd" especially for a recurring customer

I think you can even get a prepaid card in Germany for that if the trip is long enough. You might need a mailing address for that

> let me put cash into the non-existent train ticket machines, or to the non-existent train attendants

That's a bit weird, I've always seen machines around


Can't you open an account with Revolut?


Trust me, I'm taking notes! I've tried researching this, but "credit card company that sends TOTP over email" is not really Google-able. Revolut is on my list now, though. Thanks!


Welcome to 21st century!

I travel with debit cards from 3 different banks for this reason. Look for banks that issue virtual cards that can be used with Apple Pay / Google Pay. But you also need ideally two physical cards, since one bank may block your physical card for "fraud" while traveling, and now you're stuck and unable to buy a train ticket.

Credit cards are only necessary for car rentals, which is a major pain, but sometimes they can just make a reservation charge of 1000 EUR that they later cancel.

The benefit of virtual cards is that you usually get a notification (if you have internet) that your card is blocked, and details about the transaction, which makes it easier to unblock, and understand why the transaction/card was blocked.


Also need credit cards for some hotels, and a high limit if you plan to stay at several hotels in quick succession, as it takes a few days to weeks for a hold to be released.


Why? Are they afraid of people emptying their minibar and leaving without paying after wetting their bedsheets?


theft of items and/or damage of property, yes

possibly to charge for overstays/ late checkouts / parking / other fees, too


Also, psychology. It's easier to drop by the hotel bar/restaurant when you have a 50 dollar prepayment that you can spend.


With several of my (physical) credit cards, I get an SMS and Email when a charge is blocked, and I can log into my internet banking to assert that the charge was actually me. About 5 minutes later the card is unblocked and I can retry the charge.


Amex UK gives the option to receive OTP via email or SMS.

Looks like Amex US is similar: https://www.americanexpress.com/us/security-center/safekey/


I'd avoid Revolut, they're worse than banks with regard to verifications.


You can verify purchases in app with Wise (aka transferwise). A kinda travel / international card.


Now try logging into your email account to get those OTPs when traveling through China... :(


HSBC does send them over email and SMS, and in-app notification as well.


wise.com is pretty good for international card stuff. You send them a bit of money and they send you a card etc.


I wanted to use them, but they'd only accept payment via Plaid, that ridiculous service where I have to hand my banking password to a third party -- you know, the exact thing that we all know to never ever do. That's a nope for me, sadly.


That's not true at all. You can move money via ACH.


Are you sure? My USD Wise "account" has no sort code nor account number (unlike other currency accounts I hold), so nobody can initiate an ACH transfer into it. There is a button to initiate an ACH transfer "in" but it has to come from my linked bank account. Linked with the aforementioned Plaid.


I am 100% sure, I’ve been using Wise for the last year using ACH for deposits into my USD account


Except the card won't work as they say it should as chip-n-pin in Europe (signature required every time and of course it doesn't work for transit). At least not if you're me. Spent hours going back and forth with their support to be finally told that I should try requesting a new card.


Yeah, they send verification codes via app notifications. I am so glad I got one before my international vacation this summer. Wise card worked where nothing else would.


Wells Fargo has TOTP over their App. They used to suck as an international option, but now they are my go to. They also give you a little device that generates TOTP numbers offline. Quite handy if your mobile is disconnected, you lose your number, etc...


Wouldn't you pay far less for roaming fees than $1000 for the short periods you are out of the country?


If you do this multiple times a day, why not buy a monthly ticket?


I move to random corners of the world every 2-3 years and this is starting to give me real anxiety every time I try to make a purchase. One of my credit cards makes me jump through all of the verification and "Was this really you?" messages, then still locks my account half the time.

So many online stores will approve my purchase and bill the card with no issue, then cancel it a few hours later for vague security reasons. I remember when the credit card companies ran commercials about how easy and secure credit cards are, especially compared to checks, but now I feel like a criminal every time I try to use mine. I wonder if this violates any part of the merchant agreement that these stores are getting a 100% valid authorization on my credit card, but still aren't willing to accept my payment.


I found that notifying my providers of upcoming moves eliminates this. Call them, tell them what you're doing and ask their advice (b/c there may be something you overlooked or they may have special problems of their own).

Anyway, they're doing you a service and notifying them is good etiquette. And like good etiquette, it often greases the wheels of commerce.


Note that this is about large tech service providers “taking this into their own hands.” The basic problem is that a lot of these companies deal with people who store their card information and then use an insecure password or so, or reuse the password at a different website... Someone else gets into the account and requests a transaction to a new address.

Also fun story about how your advice doesn't always work, I was locked out from my money multiple times on my honeymoon in Greece despite repeated calls to the bank, repeated unlockings of said account, “hi I am actually standing at an ATM in this bank branch, can we track this account lockup in real time?”... I think with all of the time on hold I actually might have spent something like 20+ hours in the trip trying to debug it over the several times it happened.

When we finally resolved it, I'm not 100% sure about the explanation, but it was something like “the person you called a week ago put in country code GE for Georgia rather than GR for Greece, and that is the first place everybody else who has serviced your request has probably looked, but they all probably thought GE was right because you have to memorize that DE is Germany and so people get confused real easily...”


That does help a bit with the banks, but I've not had any luck at all with the stores who cancel my orders after the payment goes through. They refuse to budge, assuming I even get a response, and won't give me any information about why my orders are cancelled, citing more vague security reasons.

I did have success with a privacy.com card once, at a store that cancelled orders from all of my other cards. I'm guessing they see it as a prepaid card and can't get as much info on those.


Neither my bank nor my credit card company even want pre-notification at this point and don't provide a way to do it at this point. I admittedly haven't had issues either internationally or in the US for quite a few years at this point, but I always carry a varied set of credit cards when traveling.


Stores are not payment processors and don’t want to be due to compliance reasons. You’d have to ask who is processing their payments and contact those people and have the store also contact them most likely and that still doesn’t mean you’ll get anything done.


The way the incentives work, if a store is mostly sure you're legit, that's not good enough and they would lose money if they served people indistinguishable from you; if their margins aren't huge, even being 90% sure may not be good enough.


When I worked at a bank, I heard that the travel notifications weren't actually used by the fraud department at all and were just there as window dressing to make the customer feel better.


Having to contact the provider to spend one's own money is simply outrageous.

And yet, I also have started to make preemptive contact with them to avoid the complete hassle of having the card blocked for fraud that is NOT fraud.


If you’re free to be scammed out of your money, with no repercussions to others, sure it’s unreasonable to stop you. But with (American) credit cards, it’s the backing financial institution that bears the burden of fraud; merchants accepting fraudulent transactions are punished as well.


If you were talking about asking someone’s permission to spend your own cash money, that would be outrageous.

A bank account or a credit card is a relationship where you rent someone else’s infra to make payments. Makes sense to work together to minimise friction for both parties.


> I found that notifying my providers of upcoming moves eliminates this.

You seem to be older. I used this too, until 5 or so years ago. Now my bank just says I "don't have to notify them anymore as they don't have this in the system, since it is all automated for my convenience".


Not so much. Many credit unions, including mine, still seem to require it (and absolutely have flagged transactions and our cards when we've forgotten).

But yes, none of my credit cards (Chase, Citi, Amex) require (or even offer) travel notifications.


When I was traveling abroad, I placed an order on Walmart, shipping to my home address, so that it would be there for me when I got back home. Walmart cancelled the order, "due to location restrictions on placing and shipping orders", even though the delivery address was in the US! I have no idea why the physical location of the computer placing the order should matter to Walmart. Eventually I just had to get my friend order for me.


A tailscale node on your AppleTV at home will fix the issue for you.


Wireguard on a $15 Raspberry Pi Zero works as well[1], for those who don't have AppleTVs.

1. Or OpenVPN on your router. It's probably worth it to give yourself a tunnel to your home network that you can use from your phone or laptop from anywhere in the world. Avoid default ports if you can.


Tailscale is wireguard, just with outsourced admin.

I'm getting paid to develop and operate network infrastructure, I don't want to have a second job doing it without compensation.


The only admin work I ever do is generating a new config when I get or replace a peer device. I imagine this is inescapable even on Tailscale? Are there specific, recurring tasks that you think would cause it to rise to the level of a second job, rather than a once-and-done 5 minute install?


The fact you have to state "avoid default ports if you can" kinda really highlights why this is not the best idea, right?


Shopify does use the IP location distance vs. shipping address as a risk factor for fraud. I see it often on my Shopify stores where they will flag an order as high risk for that reason.

Same thing if someone used a VPN.
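The two risk factors named in the comment above (IP geolocation far from the shipping address, and the client IP belonging to a VPN or hosting range), as an added example in Python. This is not Shopify's code or anyone else's from the thread: the prefix table is a constructed stand-in for a real GeoIP/ASN database (it uses the RFC 5737 documentation ranges), and the 1000 km threshold and the scoring weights are assumptions.

```python
import ipaddress
import math

# Constructed stand-in for a GeoIP/ASN lookup: prefix -> (lat, lon, is_vpn_or_hosting).
# The prefixes are documentation ranges (RFC 5737); the coordinates and flags are
# illustrative only and would come from a real database in production.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 47.61, -122.33, False),  # "Seattle"
    (ipaddress.ip_network("198.51.100.0/24"), 19.08, 72.88, False),   # "Mumbai"
    (ipaddress.ip_network("192.0.2.0/24"), 50.11, 8.68, True),        # "Frankfurt VPN exit"
]

DISTANCE_KM_HIGH = 1000.0  # assumed threshold for "IP is far from where the parcel goes"


def lookup_ip(ip_str):
    """Return (lat, lon, is_vpn) for an address, or None if it is not in the table."""
    ip = ipaddress.ip_address(ip_str)
    for net, lat, lon, vpn in GEO_TABLE:
        if ip in net:
            return lat, lon, vpn
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def assess_order(client_ip, ship_lat, ship_lon):
    """Score one order: returns (risk_level, reasons).

    Distance between IP geolocation and shipping address counts for 2 points,
    a VPN/hosting source IP for 1 point (assumed weights). An IP the database
    does not know is sent to manual review rather than silently accepted.
    """
    geo = lookup_ip(client_ip)
    if geo is None:
        return "review", ["ip_geo_unknown"]
    lat, lon, vpn = geo
    reasons, score = [], 0
    dist = haversine_km(lat, lon, ship_lat, ship_lon)
    if dist > DISTANCE_KM_HIGH:
        reasons.append(f"ip_to_shipping_km={dist:.0f}")
        score += 2
    if vpn:
        reasons.append("ip_is_vpn_or_hosting")
        score += 1
    level = "high" if score >= 2 else "medium" if score == 1 else "low"
    return level, reasons


if __name__ == "__main__":
    # Constructed orders: shipping to "Seattle" from a local IP, from "Mumbai", and via a VPN exit.
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.5", "10.0.0.1"):
        print(ip, assess_order(ip, 47.61, -122.33))
```

The point of the "review" path is the one the commenter hits: a traveller behind a VPN, or an address the database has never seen, is indistinguishable from a reshipping scheme on these two signals alone, so the honest outcome is a manual check rather than a silent cancel.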


I don't know how the numbers break down, but plenty of people that buy credit card numbers are happy to orchestrate a scheme to ship packages to the US and have someone forward them to the scammer. Or steal them off your porch.

It is probably exceptionally rare for a fraud protection algorithm to be in place to inconvenience and spite you. Rather, some ne'er-do-well has cooked up a bafflingly complicated scheme that looks like your legitimate business. Such is the tragedy of operating at scale.


Highly recommend: https://wise.com


I've had the best luck sticking to ApplePay, PayPal as the backup, and finally my CC (the Apple Pay one).

I can't think of a payment hurdle for online purchases that I haven't been able to overcome in the past year or two while spending 99% of my time OCONUS.


Have you tried the temporary/virtual card numbers?

(I have no idea if they would work, I'm just curious)


Name and shame so we can avoid if we choose?


I wholeheartedly support digitization, having been involved in the realms of development, system administration, and everything computer-related since my early days. However, what irks me is when I'm bound to use products or services from providers who fail to execute their roles properly despite being compensated for it.

A recent incident at my child's school serves as a pertinent example. They transitioned from a traditional cash-based food delivery system to a new digital platform. While trying to register on this platform, I was prompted to provide an "email". I input my usual email address only to be met with an "invalid email" response. After multiple back-and-forths with both the school and the platform's support, I discovered that by "email", they actually meant a "Gmail account".

For context, I've been using my own domain for my email, which ends in .international, for over a decade now—longer than my 9-year-old child has been alive. Despite this, they deemed my email domain "new". The situation reached a head when the school's principal called me, trying to understand the issue. After explaining the situation, he assured me that the problem was on my end, stating that he had consulted with other teachers and they were in agreement that "<my domain name>.international" wasn't a "real platform".


Well in my opinion, this is what it means to support digitisation. It means accepting that these situations will become more and more commonplace. It is simply the price you pay.

In your other comment you mention that people handling email should be familiarising themselves properly with RFCs. Yeah. Maybe. Probably actually you're right.

Putting aside the problem of whether they actually _have to_ or _will_ for a second. Do you think it's reasonable that the people at your child's school will? No, of course not. And they're the ones who will choose these providers. Not you.

To support digitisation is to support the tyranny of technical ignorance in every facet of our lives.


Frankly, examples like GP's are a compelling argument for professional licensure for software developers, because "only accepting gmail addresses as valid emails" should be considered professional malpractice.


The effect will be marginal; it will just create a huge administrative bonanza, and the number of times where it will be used (i.e. software devs being "disbarred") will be few enough that it won't matter much in practice.


The purpose of licensure is that it effectively allows the licensed individual to hold themselves hostage in a negotiation. Without licenses, Management says "add feature X", and even though you know feature X is evil personified, you look at the pros and cons of implementing it or not, and you end up with "my professional conscience" vs "getting fired". With licenses, you end up with "every future job" vs "this job" which is quite a bit more balanced in the direction of "don't add evil feature X".


No, I think the situation is more nuanced than this. Why do the people at the school have providers who only accept gmail? Because some extremely technical people who understand exactly what they’re doing have led the web further and further into platform lock-in, and others go along with it.


In this case it's relatively benign; the worst result is that they'll have to create a (free) gmail account to forward to their domain. It's annoying and stupid, but in the grand scheme of things, acceptable.

But in other cases the results are much more severe.

I got vaccinated for Covid. But I couldn't get a "Covid passport" because I didn't have the right government account and couldn't get one as I didn't have eligible housing. I literally had the "proof of vaccinations", but turns out that doesn't count as "proof". Great. You know what sucks more than a Covid lockdown? One where you see everyone else go out and have fun and you're allowed to do fuck all.


Taken to the logical conclusion, this public school (which your child is compelled to attend) is requiring you to agree to a private company's ToS and extreme data exfiltration and arbitration clauses, so your child can be fed.

Even worse yet, by refusing to get a google account, you could be tried for child abuse, since the school won't feed your child if you won't agree to google's ToS.

I really hope you didn't acquiesce. And I hope you hired an attorney to fight these laughable and horrific abuses.


Wow, that is bonkers. Could you maybe get them actually to try sending you an email to that address and show them that, yes, you do receive the damned thing?


I initially wrote a much longer comment, detailing multiple instances like these from just the past few months. But then I just deleted it because it will be too long. As for them, they will just say "huh, he is a hacker and can send fake emails from fake non-existing platforms".

It's like me attempting to demonstrate my possession of a private key for an SSL certificate to someone who lacks even a basic understanding of what a "browser" is, or who has never encountered terms like HTTP or HTTPS.

Another thought, more closely aligned with the original poster's point: if someone pushes to transition everything to a digital format, he must first understand what that means. For instance, if you're looking to gather email addresses, take the time to familiarize yourself with relevant RFCs. Understand that the local part of the email is determined by the user, not you. So, if I decide my email address should be "john with space here-doe!@#$%^&"@example.international, and I've set up my server to accept messages directed to this address, and given that IANA recognizes ".international" as a valid TLD, then it's a legitimate email. For clarity's sake, my actual email is of the format first.last@example.international, without any "non-standard" characters.

And as a connection to the OP - they are pushing for a debit/credit card society and when they make sure that all your money is with them and you don't have a single cent on you - they just cut you off because you're just 0.001% and an edge case. But that is their point of view. From your point of view it's like this: At home if my card stops working I can go to my bank the very next day and get it sorted. I can walk for 15 minutes and be at my mom's place where I can eat everything for free. The next day you are in another country where you don't know anybody and if your card stops there, they just leave you to the wolves. For them you're the edge case - 0.001%. For you - this is all your food, shelter, health. It feels a bit unfair.


Yeah I agree, the push towards digitalization combined with a lack of care for "edge cases" is kind of scary. People might say, oh, it only affects 0.3% but, in the US, that's roughly a million people so hardly trivial. The problem is that it is difficult to make truly flexible software and no-one has the financial incentive to do so. Increasingly, people don't even want to invest in humans at the edge to try and work around issues. Companies like google just ignore you.


And just in case - I am not that weirdo that just refuses google. No - I have a google account, youtube premium, etc. But my google account is with my own email and not with gmail.com. I have microsoft, twitter/X, facebook, amazon, everything that you probably have. All sites. And I was there 10 years ago when .international was introduced. I remember a few sites that didn't accept it in the first year or two. Then everything went smooth. And 10 years later someone is creating a brand new site and limits the TLD in the email to 3 characters :) The last company that I remember that was having problems was Activision/Blizzard. And when I wrote to them and pointed out that they are not a potato but a tech company and should watch for such things it took them about 1 month to fix all their sites/account management/billing.
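What the two comments above from this poster ask for (the local part is the user's to define, the TLD can be longer than three letters), as an added example in Python. This is not code from the commenter, the school's platform or Blizzard: it puts the naive "TLD is 2-3 letters" pattern that many sites ship next to a validator that follows RFC 5321 (local part up to 64 octets as a dot-atom or quoted string; domain of labels 1-63 characters, no cap on TLD length, at most 253 characters overall). Requiring at least one dot in the domain is a deliberate policy choice here, not an RFC rule, and all sample addresses are constructed.

```python
import re

# The pattern many registration forms ship: the TLD is capped at three letters,
# so first.last@example.international is "invalid" while first.last@example.com passes.
NAIVE_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,3}$")


def naive_is_valid(addr: str) -> bool:
    return NAIVE_RE.fullmatch(addr) is not None


# RFC 5321 pieces: a DNS label (1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen) and an unquoted local part ("dot-atom" of atext characters).
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
DOT_ATOM_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")


def _split(addr: str):
    """Split into (local, domain). A quoted local part may itself contain '@',
    so scan for the closing quote (honouring backslash escapes) before splitting."""
    if addr.startswith('"'):
        i = 1
        while i < len(addr):
            c = addr[i]
            if c == "\\":          # quoted-pair: skip the escaped character
                i += 2
                continue
            if c == '"':
                break
            i += 1
        else:
            return None            # no closing quote
        if i + 1 >= len(addr) or addr[i + 1] != "@":
            return None
        return addr[: i + 1], addr[i + 2 :]
    if addr.count("@") != 1:
        return None
    local, _, domain = addr.partition("@")
    return local, domain


def _local_ok(local: str) -> bool:
    if not 1 <= len(local) <= 64:
        return False
    if len(local) >= 2 and local[0] == '"' and local[-1] == '"':
        # Quoted string: any printable ASCII between the quotes (escapes were
        # already validated by _split), which is what lets "john doe!@#"@host be legal.
        return all(32 <= ord(c) <= 126 for c in local[1:-1])
    return DOT_ATOM_RE.fullmatch(local) is not None


def _domain_ok(domain: str) -> bool:
    if not domain or len(domain) > 253:
        return False
    labels = domain.split(".")
    if len(labels) < 2:            # policy choice: require a dot, not an RFC requirement
        return False
    if not all(LABEL_RE.fullmatch(label) for label in labels):
        return False
    tld = labels[-1]
    # RFC 5321: the top-level label is alphabetic; nothing limits its length to 3.
    return any(c.isalpha() for c in tld)


def is_valid_email(addr: str) -> bool:
    parts = _split(addr)
    if parts is None:
        return False
    local, domain = parts
    return _local_ok(local) and _domain_ok(domain)


if __name__ == "__main__":
    # Constructed sample addresses, including the commenter's two shapes.
    samples = [
        "first.last@example.international",
        '"john with space here-doe!@#$%^&"@example.international',
        "first.last@example.com",
        "a@b",
        "a@-bad.com",
    ]
    for s in samples:
        print(f"{s!r:60} naive={naive_is_valid(s)!s:5} rfc5321={is_valid_email(s)}")
```

If the form's real intent is "can we deliver mail here", the only check that answers it is sending a message with a confirmation link; a syntax check should at most reject things that cannot be an address, never a TLD it has not heard of.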


I'm inclined to think that this is caused by prejudice against nonstandard TLDs which many, many services have; that it would work if the OP had their custom .com or .org domain.


> if my card was already accepted once and I successfully approved the payment via 3D secure with my bank, who are you (as a random online service) to assume you can act as my big brother? Even more, if I'm using a balance paid by gift card, who give Amazon or other services the right to put my account on hold while it still contains my hard earned money[?]

There are many payment methods around the world that have different rules, but for Visa, MC, and Amex cards issued by American banks, the merchant, not the card issuer, has the liability to repay fraudulent on-line purchases (so-called "card not present" transactions). The merchant is the one accepting the risk, not your bank. So they decide which transactions they will accept liability for and which they will decline and what you need to do to prove that their liability is low.

In addition, some second-factor systems (like possibly 3D secure) shift the liability from the merchant to the issuer when passed, but banking rules are arcane, and it is likely that 3D secure only shifts the liability for the one transaction that triggered it, and not any subsequent transactions.


Yes, you are right. But concerns about fraud are still understandable. I try to avoid scammers, so I select games for myself on the https://gamblizard.ca/best-canadian-online-casinos/real-mone... service, where all the sites offered are legal and verified. This is very important for me, because I don’t want my money to disappear into oblivion.


Every time I travel abroad, some company's poorly thought out software goes bonkers and then it becomes my problem to solve. Hey, companies: People travel. Sometimes very frequently. This is not an edge case or an obscure P3 bug. If you're assuming that a mere sudden change in IP to a different country is "suspicious" then you're doing it wrong. Your software is a mess and can't seem to deal with it. Maybe take a break from cramming unwanted features and go fix some unglamorous bugs for a change.


One thing I try to do to avoid this is to always make a purchase at the airport before I go overseas. This seems to calm down the algos a bit. I used to go through this a bunch too.


One day my card got cloned and I saw some withdrawals from a foreign country. I promptly reported it, the transactions were reversed and the bank issued a new card. After this, I was getting fraud alerts, either informative or confirmation SMS, whenever that was triggered. It seemed to follow whenever a transaction passed $100, then $500, then $1000, and a certain frequency or off-hours.

It's like the risk threshold got a reset with the newly issued plastic. Eventually the algorithm was trained I suppose, and it was back to where it was, and I stopped getting alerts for anything out of the usual. This resonates with the experience of friends at the same bank, who hardly ever use their credit cards, so whatever they buy gets flagged and someone calls to make sure it's them.

Old fashioned banks who are behind the times in technology, but keep richer clients, are usually less annoying, both with the fraud algos thing and also the KYC stuff, and sometimes the difference is massive.
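The alert behaviour the comment above describes (tiered amount thresholds that stop firing once the card has been seen at that tier, plus a frequency rule and an off-hours rule, with everything reset when a new card is issued) as a small rule engine. This is an added example, not any bank's code; the $100/$500/$1000 tiers, the "3 transactions in 10 minutes" velocity rule, the 00:00-05:59 off-hours window and the sample transactions are all constructed assumptions, and "learning" a tier is simulated by assuming the cardholder confirmed the alert.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TIERS = (100.0, 500.0, 1000.0)        # assumed amount tiers that trigger a first-time alert
VELOCITY_N = 3                         # assumed: 3 or more transactions ...
VELOCITY_WINDOW = timedelta(minutes=10)  # ... inside 10 minutes is an alert
OFF_HOURS = range(0, 6)                # assumed: 00:00-05:59 local time


@dataclass
class CardProfile:
    """Per-card state. A reissued card starts from a fresh profile, which is
    why the thresholds appear to 'reset' after new plastic is mailed out."""
    seen_tier: float = 0.0                       # highest tier confirmed by the holder so far
    recent: deque = field(default_factory=deque)  # timestamps inside the velocity window


def evaluate(profile: CardProfile, amount: float, when: datetime) -> list:
    """Apply the rules to one transaction and return the reasons it alerts (empty if none)."""
    reasons = []

    # Tier rule: alert the first time this card crosses a tier, then remember it.
    tier = max((t for t in TIERS if amount >= t), default=0.0)
    if tier > profile.seen_tier:
        reasons.append(f"new_amount_tier>={tier:.0f}")
        profile.seen_tier = tier   # assumption: the holder confirmed, so the tier is learned

    # Velocity rule: count transactions inside the sliding window.
    profile.recent.append(when)
    while profile.recent and when - profile.recent[0] > VELOCITY_WINDOW:
        profile.recent.popleft()
    if len(profile.recent) >= VELOCITY_N:
        minutes = int(VELOCITY_WINDOW.total_seconds() // 60)
        reasons.append(f"velocity>={VELOCITY_N}/{minutes}min")

    # Off-hours rule.
    if when.hour in OFF_HOURS:
        reasons.append("off_hours")

    return reasons


def run(transactions, profile=None):
    """Feed (timestamp, amount) pairs through the rules; return [(ts, amount, reasons)] for alerts."""
    if profile is None:
        profile = CardProfile()
    alerts = []
    for when, amount in transactions:
        reasons = evaluate(profile, amount, when)
        if reasons:
            alerts.append((when, amount, reasons))
    return alerts


# Constructed transaction history for one freshly issued card.
SAMPLE = [
    (datetime(2024, 3, 1, 9, 0), 40.0),     # ordinary: no alert
    (datetime(2024, 3, 1, 12, 30), 120.0),  # first time over $100
    (datetime(2024, 3, 2, 14, 0), 130.0),   # same tier again: silent
    (datetime(2024, 3, 3, 15, 0), 650.0),   # first time over $500
    (datetime(2024, 3, 4, 2, 15), 20.0),    # small, but at 02:15
    (datetime(2024, 3, 5, 10, 0), 5.0),
    (datetime(2024, 3, 5, 10, 3), 5.0),
    (datetime(2024, 3, 5, 10, 6), 5.0),     # third transaction inside 10 minutes
]

if __name__ == "__main__":
    for when, amount, reasons in run(SAMPLE):
        print(when.isoformat(), f"{amount:8.2f}", ", ".join(reasons))
```

The same history replayed against the profile that has already learned the $100 and $500 tiers produces no tier alerts at all, which is the "eventually the algorithm was trained" effect; the velocity and off-hours rules keep firing because they are not learned per card here.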


Great idea, spend your money to earn the privilege of spending your money later.


I hear you- but buying a coffee or magazine I wanted anyway isn't such a big price to pay to help ensure I'm not in an annoying situation where my card is declined somewhere and I have to call internationally to get it sorted.


I do the same, and again when I land. Try to double down on signaling to the black box.


That is a great idea and as another frequent traveler I’ll take this to heart.

While shaking my head and muttering to myself that I guess this is where we are now.


“It approves of rereading.”


Obviously I sympathize, but I find it extremely odd that OP is complaining about cards being declined but doesn't once explain whether he/she tried phoning their credit card to unblock? Because that generally works -- you call once, let them know you're traveling and where, and then your card works fine. Occasionally you have to call again for a specific high-value ($500+) transaction, but it's rarely more than a 5-minute phone call.

And then as to buying/using gift cards in India, on a non-Indian account, of course that's going to raise every suspicion under the sun, given that that's a mechanism used by some of the most prevalent scams in the world.

So I'm really confused, because this "vent" reads like somebody not going through the basic steps to use credit cards abroad, and then engaging in the biggest red-flag types of transactions.

And the fact that they're complaining the airport doesn't allow them to carry enough cash (isn't the limit $10K?) really raises red flags for me. If you need to transfer large amounts of money safely between countries to your family, that's what wire transfers or Western Union is for. That's been the case for many decades now.

The more I re-read this post, the less and less sense it makes.


The problem is it’s in a foreign country which is about to pass up China for population. More people - more scams and pickpockets. The way we pay for things in the USA is very different. You pay with QR codes or apps. Most places in the US have an "Apple Pay broken" sticker on them, do not accept any other method, want cash, or a credit card.

The verification and such required are difficult. Most cards do not allow you to load INR on them (local currency). So there are a lot of foreign transaction fees.

PayTM, pay through mobile, the country’s biggest online wallet, doesn’t allow you to charge money with a foreign card. This means that PayTM doesn’t work for foreigners. The only way to load money on a PayTM wallet as a foreigner is to have an Indian friend transfer funds with his or her local debit or credit card.

https://travel.economictimes.indiatimes.com/news/technology/...

There are a lot of anti-terrorism and money-laundering issues. Someone I know had their facial recognition stop working and they had to go to the bank to get it working again. In person. Traveling overseas? Sorry.


> Most places in the US has Apple Pay broken sticker on them

Citation needed. At least in my experience, over the last 12 months, the last time I saw "Apple Pay broken" was at one location, affected all tap-to-pay, and lasted for maybe 2 days.


https://discussions.apple.com/thread/255199188

I have seen them at Starbucks at airports and a few restaurants. A few people have issues with their Apple Pay. It’s probably an issue with the customer’s phone or setup and the employee wants to get on with their day, then they post a sign.

I hope it gets wider adoption.

https://nitter.net/search?f=tweets&q=apple+pay+not+working&s...


1- The issue is rarely with the debit card; it's always accepted. Most of the time the payment will be cancelled from the service provider side.

2- It's not technically non-Indian account, I'm opening accounts using valid Indian mobile number (tied to my visa and a real address), I always disclose that I'm not Indian when needed.

3- I was even trying to open Indian bank account to transfer money but no success so far (while possible in theory as I understood).

There are legitimate reasons for not wiring money if that was even an option, because you don't pay the hospital large amount ahead, and when it's time there's not enough time to wire the money.


Ah sorry, it was hard to understand what types of transactions you were talking about. Yes, the reality is that when you try to live in a foreign country and do non-touristy "resident" things like buy things online or pay bills, but when you don't actually have a work visa that allows you to open a local bank account -- the systems aren't built for that. And local merchants really do put themselves at the risk of scams -- even with debit cards, transactions can be reversed by banks (stolen debit cards are a thing), and then the merchant is out of merchandise and money. It sucks, and you just wind up having to rely on a friend or family member to do your online purchases. It's such a small group of people, that companies don't do much to support those edge cases.

I still don't understand why you couldn't wire money though. That's what wiring money internationally is for. If timing with the hospital is an issue, you just wire yourself or your family member in advance -- that's usually more common than attempting to wire the hospital directly. (And even if you do have to wire the hospital directly, you can provide proof of the fact that the wire was initiated from your bank.) The only problem I can think of with wiring money is the fact that the money is illegal or someone is trying to evade taxes or something. If the money is perfectly legal, then what is the problem?


> because you don't pay the hospital large amount ahead, and when it's time there's not enough time to wire the money.

This was their justification against wire transfers. Obviously I don't know how the accounts receivable department works in Indian hospitals because I've never been to India let alone a hospital there, but this strikes me as unusual. A couple days delay to pay large sums of money seems more than reasonable.


Wiring money via international accounts is instantaneous, as of the last time I had money wired to me (last week). Or at least within an hour or two. The issue here, probably, is that there is usually a fairly large fee attached to it from the receiving bank. At my bank, it's 25 bucks, flat rate. Each and every wire, even if it is 5 bucks being wired.


I'll take your word for it, a glance at google told me a wire transfer from a foreign bank will typically take about 2 days to clear, but I've only ever done wire transfers domestically. But yeah, a $25 fee might be the hold up, except if I'm understanding the OP, the wire transfer would be for costly medical care. Typically if I'm looking at paying a large bill, the bill blinds me from the pain of being nickel and dimed on fees. So I think we're probably not talking about paying $5 at 7-11.


It’s India. The land of the thrifty, always looking for a deal (cultural stereotype). It’s the reason so many US companies have a hard time breaking into that market though.

My boss and I spent several weeks in India talking to people and learning the cultural basics just to figure out how to price our products. If you want to sell there, you need extremely competitive pricing with discounts, in a very price-sensitive market. Like, if you know the coupon culture in the US, it’s like that times 100.


Yep, so a SWIFT (international transfer) can take 1-4 days, depending on the bank.

https://www.keycurrency.co.uk/SWIFT-transfer/


Unfortunately it’s not always as easy. Last year I tried to do a remittance of 3500€ and it failed on both a debit and credit card of my bank, blocking them. The bank called me to confirm the transactions, which I did. I tried again and they blocked the card again.

So I did an instant transfer to another bank account and used its debit card without a hitch, as usual.

Some banks just won’t let you use your money as you please. Your luck is in finding a bank that does.


Cards aren't generally meant for sending cash -- I honestly don't even know what you mean by sending a remittance using a credit card, or even a debit card. If you're talking about using e.g. Venmo or Zelle, they're generally intended for social transactions of tens/hundreds of dollars, not for thousands, and especially not for thousands cross-border.

For transferring thousands of dollars, that's what wire transfers are for, and basically every bank has supported them for decades. You shouldn't need any luck at all.


What does it mean “they’re not meant for it?” I have money on it, some site accepts the card, it works, it worked. The limitation you’re suggesting is purely theoretical.

In my specific case, I needed cash to buy a used vehicle in a country where not everyone has a bank account, so your preconception about money may not apply here.

Wire transfers across borders are expensive and slow anyway. Remitly was available within minutes and at 0 cost (first transfer is free).


If I did not misunderstand what OP was saying, I think he is saying Amazon or another company holds his account, not the card-issuing bank itself.


One of my favorites amongst these stupid platforms is PayPal. I have moved countries/continents. Once I forgot to close my account before moving (still had some $100 on it); afterwards I could never access it as it wanted a phone call to my non-existent former phone number to confirm this is really me, ok my fault. Now I have moved again and when I want to pay with PayPal I can't because my account is associated with a different country. It is impossible to change the country. The FAQ says you have to close and reopen a new account, but if I try to close the account I get to an error page. This would all be not so bad if it wasn't for the merchants who use PayPal and disallow payment without an account. In the end the easiest was to just open a new account with a different email.

Somebody mentioned Google services, and that was a big issue as well. I still have bank accounts in my former country of residence, so I need access to apps from that country (the 2fa App that is used there). On the other hand I need to access some apps here (school notifications, banks...) Google obviously knows better than to allow me to get apps from different regions. The solution was again to just create another account. The whole system is really screwed up. I'm not sure what they are actually trying to prevent, considering that in the end one can work around the restrictions quite easily with multiple accounts, but one would think with the world moving closer together these things would actually get easier.


Yes, PayPal once locked me from reading their developer docs because I opened it from the wrong country. These guys never heard of remote working apparently?


PayPal refuse to close an account(↑) I didn't knowingly consent to the creation of, and certainly never provided any photographic ID for, because I refuse to 'prove my identity' to delete it.

There's not even a real phone number (0s) or address (ABC nonsense) on the bloody thing, but of course giving up some PII they don't have will somehow verify that I have the authority to close an account which is basically name + email address (I've provided those!).

(↑: it comes from the scummy dark pattern checkout process where you say you want to pay with card not PayPal, and then it turns out the card payment is actually provided by PayPal and here you go, have an account with the details you provided to the merchant not PayPal, wouldn't that be helpful. It's certainly not GDPR compliant, but try making PayPal care.)


Note: You probably meant †, not ↑


Well I meant any character I could type (and find again easily for the second one) that would be unique within the comment and not give me italics, but sure.

I often use ^, since it's kind of like 'imagine there's a superscript here', think I just inadvertently held on it and ↑ popped up and up and I went with it.


> I meant any character I could type

Here’s how to type “†”:

<https://en.wikipedia.org/w/index.php?title=Dagger_(mark)&old...>


> imagine there's a superscript here

A superscript what? It’s an adjective, not a noun.


Oh yeah it's crazy, I have three phones for three different countries just to keep up with stuff. A little expensive but at least I can receive sms verification and incoming calls without paying roaming apparently.


>who are you (as a random online service) to assume you can act as my big brother?

We're the people who suffer the consequences of the fraud. If your card gets used fraudulently, you call your bank and get the transactions cancelled, no big deal.

If my website lets a fraudulent transaction through, my processing fees go up. If my website lets more than a couple fraudulent transactions through (or not even necessarily fraudulent, but transactions that the issuing banks classify as high-risk) the credit card companies shut off my ability to process payments and my business shuts down. So yeah, sorry if it inconveniences you, but accepting a payment from some random guy who even slightly matches some fraud characteristics isn't worth risking my business over.


Yup. Having been on this side of the fraud business, I empathize with the OP but will definitely defend overly-aggressive fraud systems. As you make more money, it's less of an impact on your business, and you can tone them down. But at day 1, if people are only signing up for your service to see if their stolen credit card numbers work, there might not be day 2 unless you're aggressive about blocking this. So, sometimes innocent civilians will get caught up in the safety net.


Wow nice of them to pass the responsibility on to you.


Yet another reason why credit and debit card companies need to be surgically removed from our lives. They are parasites.


It is frustrating. From a consumer's POV, the system just denies you stuff for no apparent reason.

From a bank's POV, they're losing billions of dollars to card fraud operations, and there are very clever fraudsters who do their best to be indistinguishable from legit users.

Legit users in rare situations (such as being cross-border) are often collateral damage. You can only understand what heuristic you're triggering by knowing a bit about patterns of fraud, which is an unreasonable demand on innocent consumers.


Some comments try to justify this - they’re wrong.

Even if it was just 1% of users, outright ignoring their issues is not acceptable. And far more than 1% travel abroad or do other suspicious activity (such as buying things at a place you’ve never purchased from before).

And there are services that handle this correctly. Starling bank (UK) is a fave of mine. Confirm in an app, enter full password in some cases, but that’s it. I had to make some sketchy looking transactions and no matter, they never block your account or make you jump through additional hoops.


> Confirm in an app, enter full password in some cases, but that’s it

That's only on the bank's side. There's a major problem where the merchant later cancels the transaction on their side despite successful 3D-Secure.

Either 3DS doesn't actually offload liability (so even accepting a fully 3DS-verified transaction is a risk), or merchants aren't up to date on what they are and aren't liable for.


I did a year of travel worldwide in over a dozen countries, and I had the most problems using my credit and debit cards in India. Particularly online, even at large, legitimate businesses like major airlines.

It becomes a tense situation when you are trying to buy a flight that you absolutely have to take, and despite 4 different credit/debit cards you still can't get any purchase on multiple different airlines to go through! I even tried to go to the offices, but they were often difficult to find, non-existent, or just not open at the times you'd expect them to be. And good luck trying to purchase over the telephone, between trying to dial an international number, bad connections, and language issues!

FWIW, I had the most success with debit cards. I suspect it's because international companies feel more comfortable with cash in hand, vs. an American CC which can be easily charged back.


That's how I effectively lost my Azure account.

"According to our records, you originally registered this account while in Russia, and there is no way to change the country of the account. So we will continue to apply sanctions to this account despite the well-confirmed fact that you have moved out for good. We will also not allow attaching any non-Russian debit cards to that account, as we generally prohibit attaching foreign cards to any account. Please make a new account and enjoy."


Tried a premium credit card yet? One that costs $400/yr?

I had a number to call and talk to someone with no wait if I had an issue.

I dealt with some issues and I ultimately found out that they(the store) want to fingerprint you online. Things you do to avoid that make purchasing things online difficult.

My IP address didn't match the city I was in or receiving the item in = flag. Using a non-default DNS service or VPN? I turn all that off, and WiFi, when I make a purchase.

If you’re okay throwing money at the problem, get a second phone to buy things with that you don’t do anything else on which has separate logins.

My favorite joke scene about a cashless society was that some criminals couldn’t figure out who to rob because no one accepted cash anymore or held it in a store. Their only option was to rob another gang.


> My favorite joke scene about a cashless society was that some criminals couldn’t figure out who to rob because no one accepted cash anymore or held it in a store. Their only option was to rob another gang.

In a cashless society, the robbers who are left are the ones in the credit card money chain itself, where everybody is taking their share of the money flowing through it. I.e. “The best way to rob a bank is to own it.” The best kind of crimes are the legal ones.


My credit card company likes to aggressively flag transactions as fraudulent "for my protection" — even though it's really for their protection. The upshot is that purchases at my local Apple Store (which is walking distance from where I live) get flagged. I have bought many things from Apple over the years, and buy things there at least a couple times a year. So it's pretty silly for these transactions to be flagged.

The worst part is that they don't pro-actively notify me of the flagging via app notification, email, or phone call. I have to track them down and tell them the transaction was authorized. Or more likely I just get out a different credit card and use that one instead.


This happens because the cost of developing (or buying) good software and people to build a decent anti-fraud system is very clear to measure and the impact of the false positives is not. Also, as credit card fraud is usually the bank's responsibility, it makes sense for the leaders of that area to go towards more false positives than false negatives.

But it does not need to be that way and the government can and should help.

In my country (Brazil) banking is a well-regulated industry and we also have some good consumer laws. Both those things help a lot to show the banks a clear impact of a badly designed anti-fraud system. For example, the central bank has an online channel where you can open a complaint, which the bank is obligated to answer/solve in 5 days, and it might get fined millions if it gets lots of valid ones.

I used to get my card denied very often, with no heads-up or call to confirm. So I raised a complaint at the Central Bank, got an apology letter and call from my bank manager and I never again had my credit card blocked anywhere.


My problem is different: the bank approves my payment after the 3D Secure check. The offender is the service provider; they cancel the order and issue a refund with a vague statement!


The cost of false positives is obvious though: lost custom?


It is obvious but not easy to measure. And companies act like what is not easy to measure doesn't exist.


I am no longer allowed to buy anything at Ikea. The web site declines both my credit card and debit card. I called my credit card company, and no issues there. I called Ikea and tried to order through a person, but my cards were also declined that way. They can't give me any explanation. This happened in 2019 and again the next time I tried in 2021.


I know Ikea doesn't accept bitcoin, but what happens if you pay cash?


I was only trying to buy online and wasn't close enough to a store to want to try that.


Dealing with fraud detection is a real pain!

Every 3 months, I have to pay the school fee for my 3 kids. The amount is almost the same for all three. The first payment always goes off without a hitch. But, when I go to pay for the second kid, bam, it locks up the account. Our local branch is utterly clueless. Then we have to jump through multiple hoops to get the account activated. This whole drama happens like clockwork every three months. It doesn't matter that it's just a school payment, and it doesn't matter that thousands of parents are making payments around that time.

Friends holding accounts in other banks face the same issues. So, it is not isolated to my bank and changing banks will not help.

So, now, we've decided to take the one-kid-a-day approach. It's a bit more work, 'cause I have to remember to make those payments over three days, but it sure beats the headache of reactivating the account every time.


> who are you (as a random online service) to assume you can act as my big brother?

They are not trying to protect you. As a card holder you would not be damaged by fraudulent purchases apart from the inconvenience of reporting them. They are protecting themselves, because if that transaction is later found to be fraudulent then they will have to return the funds and will likely be unable to recover the product they shipped or other costs incurred.


I run a SaaS based in the EU. Most of my US customers have problems with their subscriptions, because US banks automatically assume that any "foreign" charge must be fraud, and block it.

I am wasting so much time explaining that they need to contact their bank, and they waste so much time calling their banks… it's disheartening.


> because US banks automatically assume that any "foreign" charge must be fraud, and block it.

Wow amazing logic there

Sometimes I do wonder if there's one or two thinking neurons in the whole "fraud prevention" department of US banks or if they're just cargo-culting practices someone invented in the 70s


The part about all of this that bothers me is that, 99% of the time, the fraud that is going on is of a fraudulent advertising nature.

I've worked as an 'IT guy' (short form for 'I do basically everything') for many small businesses, a lot of which were computer repair shops that, in their small town feel, spent a lot of time just helping old people navigate how to use a computer. Many times I had people come in that found a clearly fake site advertising some too good to be true deal and didn't realize, spent their money, and never got anything or got like a toothbrush when they ordered a desk.

This fraud protection doesn't protect in any way against that. I've helped probably 2,000 instances of fraud in this way just telling them "you need to file a claim with your bank and get your money back because you're never going to get that product" and hundreds upon hundreds of issues where they're like " oh Microsoft is going to delete my computer if I don't pay them 30 Bitcoin" and other bullshit like that. Maybe two times in my 10 plus year career has anyone actually had their cards stolen and used overseas.

Just kinda wild to think about that my bank cares more about me travelling to new York than it does making a 6000$ purchase on coinbase.


I would like to emphasize his point. When we get into a digital-only currency world, you are loosing control. He is giving a real-life example. Nothing hypothetical. Think about blocked, without a given reason, Google accounts and such. Could be your bank account, in the future, too!


The beauty of cash is that it is money, not merely pinky-promising to be money. The “cashless” world was supposed to prevent fraud but clearly it doesn’t work. Instead we’re moving into a world of reputation and heuristics, with implications down to the level of individuals and small businesses.

I don’t particularly like to carry cash. But being shadow banned from existing by deliberately obscured algorithms could be much worse.


Counterpoint: My dad sold a lot of pot in the 80s, and subscribed to High Times Magazine. They had an ad for a board game called "Dealer McDope", and he mailed an order for it with (naturally) cash, and waited. Eventually, he gets a reply in the mail: "No money, no game!" He was pissed.

My mom loves that story.


I think "loosing" should just be declared a language norm at this point.


This is only true if you're talking about central bank digital currencies. And frankly I worry about anyone who isn't worried about those.


I am of the opinion that these restrictions are used (quietly) to perform a kind of capital restriction while not (officially) having such capital restrictions in place. This happens because governments (or populations?) have accepted that, say, an agriculture bill (or law) can have sections that cover tech. So if you are trying to do something and you don't want to say it, you slip it in under "fraud" or "AML" or something else.

Now that everyone (including third-world countries) has figured that out, and legacy companies (big Tech, MasterCard/Visa, big banks) know that this makes their customers' lives hellish but kills competition, they'll bend over backward, forward and multi-laterally to implement anything that any lawmaker asks them for.

If you are a very simple simpleton, say a government official with a single income, a regular rental, and regular bills (your groceries and your kids pencils), you'll very unlikely face any issue. But start to deviate from that, and everything starts breaking. Governments are becoming hostile to anything that doesn't fit their narrative.

This is only getting worse from here...


I worked on one of these fraud detection systems at Airbnb. Statistically, you are in the 1% of the population with your usage patterns. For the most part, all ML models which are used to detect fraud have to take a trade-off between precision/recall, meaning how often they let good guys suffer vs. let bad guys in. But what most of these systems are missing is the appeal and escape path.
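The precision/recall trade-off and the missing "escape path" that this comment describes, as an added illustration that is not code from the commenter, from Airbnb, or from any real fraud system: a constructed sample of twenty model-scored transactions is swept across decline thresholds to show how catching more fraud (recall) declines more good customers (lower precision), and a three-way decline/review/approve policy is compared with a single hard threshold to show how many legitimate customers a human-review band keeps out of the auto-decline bucket. All transaction ids, scores and labels are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    """One model-scored transaction. Values are constructed for this example."""
    txn_id: str
    score: float     # model output: estimated probability that the transaction is fraud
    is_fraud: bool   # ground truth learned later (chargeback / confirmed fraud, or not)


# Constructed sample. Legitimate travellers, gift-card buyers and other unusual
# but honest customers sit in the 0.5-0.9 band, exactly where a threshold bites.
SAMPLE: List[Txn] = [
    Txn("f1", 0.97, True), Txn("f2", 0.91, True), Txn("f3", 0.84, True),
    Txn("f4", 0.72, True), Txn("f5", 0.55, True),
    Txn("l1", 0.03, False), Txn("l2", 0.05, False), Txn("l3", 0.08, False),
    Txn("l4", 0.12, False), Txn("l5", 0.15, False), Txn("l6", 0.20, False),
    Txn("l7", 0.27, False), Txn("l8", 0.33, False), Txn("l9", 0.41, False),
    Txn("l10", 0.52, False), Txn("l11", 0.58, False), Txn("l12", 0.63, False),
    Txn("l13", 0.69, False), Txn("l14", 0.77, False), Txn("l15", 0.88, False),
]


def confusion(txns: List[Txn], threshold: float) -> Tuple[int, int, int, int]:
    """Count (tp, fp, fn, tn) when every transaction with score >= threshold is declined."""
    tp = fp = fn = tn = 0
    for t in txns:
        flagged = t.score >= threshold
        if flagged and t.is_fraud:
            tp += 1
        elif flagged and not t.is_fraud:
            fp += 1          # a good customer declined: the "good guys suffer" case
        elif not flagged and t.is_fraud:
            fn += 1          # a fraudster let through: the "bad guys in" case
        else:
            tn += 1
    return tp, fp, fn, tn


def precision_recall(txns: List[Txn], threshold: float) -> Tuple[float, float]:
    tp, fp, fn, _ = confusion(txns, threshold)
    precision = tp / (tp + fp) if tp + fp else 1.0   # share of declines that really were fraud
    recall = tp / (tp + fn) if tp + fn else 1.0      # share of fraud that was caught
    return precision, recall


def sweep(txns: List[Txn], thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, precision, recall) for each candidate cut-off."""
    return [(th, *precision_recall(txns, th)) for th in thresholds]


def decide(txn: Txn, decline_at: float, review_at: float) -> str:
    """Three-way policy: hard decline, route to human review, or approve.
    The review band is the escape path: a person looks before the customer is cut off."""
    if txn.score >= decline_at:
        return "decline"
    if txn.score >= review_at:
        return "review"
    return "approve"


def triage(txns: List[Txn], decline_at: float, review_at: float) -> Dict[str, int]:
    counts = {"decline": 0, "review": 0, "approve": 0}
    for t in txns:
        counts[decide(t, decline_at, review_at)] += 1
    return counts


def legit_rescued_by_review(txns: List[Txn], decline_at: float, review_at: float) -> int:
    """Good customers who a single threshold at review_at would decline outright,
    but who now get a human look instead."""
    return sum(1 for t in txns
               if not t.is_fraud and decide(t, decline_at, review_at) == "review")


if __name__ == "__main__":
    for th, p, r in sweep(SAMPLE, [0.9, 0.8, 0.7, 0.5]):
        print(f"threshold {th:.1f}: precision {p:.2f}  recall {r:.2f}")
    print(triage(SAMPLE, decline_at=0.8, review_at=0.5))
    print("legit customers routed to review instead of declined:",
          legit_rescued_by_review(SAMPLE, 0.8, 0.5))
```

On this constructed sample, lowering the decline threshold from 0.9 to 0.5 raises recall from 0.4 to 1.0 while precision falls from 1.0 to 5/11, so six honest customers are declined to catch three more fraudsters. Splitting the same band into decline (>= 0.8) and review (0.5 to 0.8) keeps five of those six out of the auto-decline bucket at the cost of a review queue, which is the kind of appeal path the comment says most deployed systems lack.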


> But what most of these systems are missing is the appeal and escape path.

Are there any such systems that do have effective escape/appeal paths? If so, what do they look like?


Even if they exist, I am willing to bet they consume the limited time and energy of the people whose only crime was not living the same lifestyle as 99% of everyone else.


I live in California and nike.com just cancelled my last two orders without notice because they "couldn't verify my billing information", according to the chat rep. It's the same billing information I use everywhere for years.


Years ago I kept having Blizzard cancel my subscription to World of Warcraft because of unspecified problems with the payment information. I'd get locked out, I'd pay again, and a couple days later they'd be angry again over my invalid payment information.

I eventually learned that what they meant by "invalid" was "sure, your payment information is already associated with your account, but it doesn't match the preferred card listed on your account".


As an expat, I've experienced lots of issues with my US bank recently. They started adding 2FA through SMS, and they have no way for me to turn it off. I've been looking for banks to switch to, but it is hard to Google banks that don't require a phone number. What I've ended up doing is attempting to open an account and then stopping when they ask for a phone number. The solution I found was to open a Schwab international brokerage account. They're okay with people who do not reside in the US, provide a debit card, can be used to pay off CCs, can deposit/write checks and allow money transfers. The only issue is that I suspect that my money is not protected by the government if Schwab goes bankrupt.


The “fraud prevention” people are told that they are fraud prevention people, even though the rest of the company are “customer service” people.

So they build “fraud prevention” systems, and heavily discount any notion of customer service — they’re perfectly willing to lose some customers in the name of fraud prevention - not because they must, but because their focus and incentives are indifferent to customer service. They see it as an inevitable cost of business - when it’s an inevitable cost of not caring about that aspect of the business.


If a business is the source of too much fraud, the payment processors will naturally cut them off, which has the side effect of forcing them all to try their best to stem the bleeding.

With the natural problem that many of them won't be all that good at it.


As someone who's previously been involved in KYC/AML I've a long-held suspicion that these policies are in place to benefit the United States while deliberately inconveniencing everyone else.


That's exactly what they are for. KYC/AML is just the financial arm of their total global surveillance program.


I'm talking more in terms of retaining a competitive advantage. The processes you might implement in Japan wouldn't be implemented in the US despite them having a basis in international law.


I do have the same suspicion: https://news.ycombinator.com/item?id=38048156

I also think that the other countries started doing the same thing and this is starting to make the system as weird as it gets.


Can you explain? I'm not sure I get how this benefits the US specifically.

I'm not American but have held and used cards from a European and Asian country and am not sure how the behavior is any different.


Another workaround: As far as Google Play is concerned just create new accounts and add them to your phone. I have this setup because I end up having to download region blocked Australian, UK and German apps.


Doesn't that then put you at risk of Google's anti fraud measures, which, in my opinion, is much more difficult to work around? At least with your bank you can call them and eventually get it resolved.

I ask because I've thought of doing this but have always been worried Google would not only shut that account down but my main one as well.


One thing I have started doing is using a VPN with the location set to my home location 100% of the time when home. Then, when logging in abroad I use the VPN to my home location.

It seems that using the VPN 100% of the time has trained many of these smart services to fingerprint that as my default fingerprint.

Of course, this doesn't help when interacting with services that detect/block VPNs. Or the even more annoying situation where VPNs are blocked and all traffic from the country you are in is also blocked (occurs occasionally when trying to access US sites from SE Asia).

edit: WRT comments mentioning that you can call your bank or set a travel notice: that is how things used to work. Chase, for example, no longer lets you set a travel notice as they use a "smart" automated system. That said, my Chase travel card used via apple/android pay has never given me trouble so their system does seem better than most


This sort of thing is where I hope Bitcoin can help more people.


> This sort of thing is where I hope Bitcoin can help more people.

It is a use for a Bitcoin like system

(The transaction costs, planet destroying character, and slow speed probably not Bitcoin)

It is the intersection of money laundering and normal requirements

Stopping crime by stopping money laundering will always have these problems, surely?

Is there a way to inhibit CC fraud, and money laundering without making life difficult for people who are in the tails of the distributions?

Even cash will not suffice as many places no longer accept it


> Stopping crime by stopping money laundering will always have these problems, surely?

Yes.

Money laundering detection inescapably relies on private actors making a pre-prosecution estimate of whether money was earned illegitimately.

Private actors have much less information available to them than real public-sector law enforcement.

And even with full information, trials cannot be predicted deterministically, so there will always be a gap between those publicly deemed guilty and those privately deemed guilty.

Those in the latter category will suffer unjust financial hardship.


> Stopping crime by stopping money laundering will always have these problems, surely?

I believe so. The optimal amount of fraud is non-zero.

https://news.ycombinator.com/item?id=32701913


> Is there a way to inhibit CC fraud, and money laundering without making life difficult for people who are in the tails of the distributions?

Yes. Have better customer support and actually fix issues when they happen.

This ends up costing someone money.


> This ends up costing someone money.

I do not think it will be paid for by reducing profits...

...you and I will pay that bill


Yes, but there's still so much supporting software waiting to be built.


Tip regarding Google Play: each account can have an independent region. Create a new Google account and set it to your new location, and keep the original where it was. It has 0 impact on how you use the apps after installation; if the app uses Google auth you can log in with either account.


Nice will try that, thanks!


Blame Anti Money Laundering regulations and chargebacks.

AML is a nightmare for banks, most BS they pull off is because the government is worried they won't be able to steal all your tax money.

Strong authentication is another BS regulation with the sole goal of killing small banks with

Chargebacks are convenient for the customer - but they have a cost on the entire system, including banks caring about people stealing a CC and spending.


I am glad I found a bank (N26) that rarely if ever blocks my payments online. I travel frequently and my previous credit card would block all kinds of payments regularly.

If possible, find yourself a bank that enables you to spend money and leaves “security” in your hands. My 2FA is via app, never SMS.

Side note: someone stole and used my card number and the bank immediately refunded me. Can’t get any better than this.


I have completely lost access to my Amazon account because I had the audacity to use a correct login and password from a recognized machine in a different part of the world from my shipping address. I called customer service and they said the only thing I can do is create a new account with a different email.


Strange. I live in Canada, and visit Brazil often. I have never had any trouble using my only Amazon account to log in to Amazon USA, Amazon Brazil, or Amazon Canada. I have both Brazilian and Canadian addresses set up as shipping options on my account, and I often make purchases on Amazon Brazil while in Canada and have them shipped to the Brazilian address.


How old was your account when you lost access to it?


At least 15 years, but the past 7 years or so I only used it when I would receive a gift card for Amazon or had no other option for a specific brand's product. I think the last time I used it was 2 or 3 years ago. I'm sure that was a factor, but not being able to recover the account with the email address it's tied to doesn't make sense to me.


> who are you (as a random online service) to assume you can act as my big brother?

Card companies make the random online service pay a fee anytime someone does a chargeback. Yes it shouldn't be their job, but card companies make push this responsibility onto them.


Could you use crypto instead? Use USDC (or some other semi reliable stable coin). Exchange for stable coin in other currency. Then withdraw to local bank in India. Move in small amounts at first to test everything out, check fees, etc.


Update, Amazon basically said they won't accept to remove the hold on my account, saying:

> The information you supplied was reviewed by Amazon but we cannot remove the hold on your account at this time. For details, check for an email or text message from Amazon describing next steps. Please contact us for further concerns.

I provided my visa + passport + card pic + selfie + screenshots of the latest gift card order (email and from the website), still they won't remove the hold and are effectively stealing the money in the account. I can't believe this is being done in good faith, this is clear theft, because what else do they need?


Update 2: I received an email with a very dismissive tone from Amazon telling me the account will be closed. The funds are still there; I'm planning to file a consumer complaint against them, I'm willing to go to the end with this.


I use cash for so so so much. I will bring a couple of thousand USD on a trip and convert it to the local currency to avoid exactly this hassle. Not just for me but for the merchant as well.

Cash is king, many, many times.


Not really a solution, as there’s plenty of countries now (eg Australia, nz) where cash is not useful anymore, because many physical merchants no longer accept it. The number grows every year.


> (until I asked shop owner to pay for me and I paid him in cash + small profit...).

I tried that once, family member specifically. They ended up getting blocked too. Customer support told me to take a hike.


Most people in the US don’t ever leave their home country, and when they do, it’s usually to a small number of other first world countries.

I came close to being bankrupted this year because my US health insurer doesn’t support customers remaining insured if they live a lifestyle that involves being away from paper mail delivery for a few months at a time. (I live elsewhere half the year and they cancelled my policy with only paper mail notice after my payment card on file expired.)

It’s really terrible.


I tried to message the CTO and SVP revenue of adidas for this same reason.

I was literally trying to hand money to the company in 5 different attempts.

I finally gave up, with a borderline ulcer.

I'll never try adidas.com again.


I couldn’t activate a capital one credit card in the US with a real U.S. phone number. I didn’t just need a phone number associated with my name, I needed to be the one paying for the plan. I was on a family plan and I wasn’t the primary. Then I tried verifying my passport through their proprietary portal and it rejected me for unknown reasons. So I said fuck me then and cancelled the card.


(Tell HN:)

Also:

> Yet, many online services are giving me hell with their "smart" anti fraud detection and things like that

To provide a contrarian opinion, credit card testing, free trial abuse, and other forms of fraud are a thing, so companies usually have to layer other anti-fraud mechanisms on top of 3D secure.

That being said, what service are you facing issues with? I do see Amazon as one of the listed services, but they do eventually remove such suspensions. (My experience was with AWS though.)


I lost my 25-year-old Amazon account when their AI grew suspicious of my credit card. After spending several hours on the phone, sending countless batches of "documentation" and taking selfies in various difficult poses, I gave up and just use Walmart online and eBay now. Saved a lot of money btw.


Currently I'm at the 3rd attempt to unlock my account, let's see, hope you're right.


I am Australian of Indian origin who also visits family each year. I had no such issues you mention (except the google region change). My Australian bank allows cash withdrawal from ATM without forex fee, most shops in Tier1&2 cities I go to accept credit cards. Verification is through in app notification, I get a local SIM. My Australian SIM has free incoming SMS.

The only issue is some places now accept UPI payments only.


Interestingly I, kind of, have the opposite problem, so to speak.

I recently moved to a foreign country, admittedly an "easy" western European country, and I fully expected my credit cards to start refusing more or less every transaction. Not so. Not a single transaction has been delayed, or denied.

I travel back and forth my home country and my new home semi-regularly with no issues with using my credit cards. I'm not sure this is a good thing either.


Which "easy" Western European country are you in? Credit cards are extremely uncommon in many Western European countries. They really only exist here so we can make international payments, primarily to US-based companies. Everything is debit card based.

France: PayPal, Carte Bancaire. Most closely resembles the US credit card system, but it seems the French use their local debit accounts to make payments.
Belgium: PayPal, Bancontact (any local bank debit account)
Netherlands: iDeal (any local bank debit account)
Germany: PayPal, SOFORT (local bank debit accounts)

TLDR: In the EU, for online purchases, you want to have a PayPal + local debit account to cover most purchases. For international payments, you can have a credit card for those extremely rare cases where vendors only accept credit cards.


I wish I had the same problem :)


Though it can have its own quirks (speed, access to exchange between currencies, etc), Bitcoin has been a life saver for situations like this.

If it's an option, it'd be worth exploring using a service that allows you to pay for gift cards (including things like Visa gift cards) to the services you need using Bitcoin.


When I was on a trip to another country, Revolut blocked my card. I complained, they apologized, gave me €20 as a compensation and seemingly fixed something, at least it didn't happen again during several subsequent trips. Speak with your bank. Maybe change your bank.


Wise.com works wonderfully in India. I know it’s late this time around but it should work fine next time around. And American Express has been a pretty reliable option for me for an extended period of time. Wishing your family all the best in this time.


This is why bitcoin and zcash are so important: your keys, your coins, period. As long as the bank or other card issuer or merchant is on the hook for stolen cards and identity fraud, they'll be paranoid about anything that looks 'suspicious' and cut off your access to your funds just in case.

(Of course if you want to keep your bitcoin in a 'bank' you can, but the important thing is that the choice is yours, not the government's; and merchants who accept bitcoin aren't at risk of incurring chargebacks.)

Online payment is coming one way or another; let's make sure it's self-sovereign, secure by design, and privacy-protecting. We've already gone a long way down a very dark road, and it's going to get a lot worse before it gets better, with oppressive governments freezing the funds of family members of dissidents and journalists, genocides, and targeted overseas assassinations facilitated by our insecure-by-design payment system.

Today bitcoin already solves the 'hard to carry cash from one country to another' problem pretty comprehensively; you can buy bitcoin in one country, write your Electrum seed phrase on a slip of paper (or memorize it, or read it over the phone to a relative who writes it down), reinstall Electrum on a fresh, trustworthy phone after you arrive, and change the bitcoin to local currency with a local counterparty. No cell phone for corrupt cops to copy keys from at the airport, no briefcases full of bills, nothing to declare at customs. And you don't have to care if the tiffin wallah accepts bitcoin (does he accept Paytm yet?) because you just need to find one willing counterparty in the entire country.

Zcash is more difficult to use this way because there aren't as many counterparties.


That sucks man, I know your pain. I hate having to jump through hoops just to do transactions online. I understand the things they do are to prevent fraud, but treating everybody as a potential criminal is mildly disrespectful.


> is mildly disrespectful

From their perspective (at least in this case), it's just business. Using one currency to buy gift cards in India's currency is a huge red flag in and of itself. Scammers exist everywhere, surely, but I don't know of many other countries where it's common news to see an entire office building full of scammers working telephones and computers with remote desktop sessions open on "client" computers to extort money from unsuspecting people (often using gift cards on services like Google Pay or Amazon as the vehicle.)

It's truly terrible that we live in a world where access to those services is almost a necessity for modern living, and that those services are more or less available depending on your region. It's also truly terrible that those office buildings exist. I assume the OP is on the right side of all of this, and is truly a victim of it, but it's hard for me to distinguish if I have more empathy for the innocent casualties of the war on scammers in India, or the innocent casualties of scammers in the rest of the world. Because without a basically divine way of determining guilt automatically, at least one of those groups is going to continue being slammed in the victim seat.

I'd hope that if victims of these anti-fraud algorithms in India were so prevalent, that the Indian government would do more to prevent these bad faith businesses from sprouting up in the first place. It would seem to me like that would benefit literally the entire world. Easier said than done, I'm sure. Probably even talking about an entire government reform for that effort.


The 2FA with a phone number drives me crazy when I travel. I couldn't get into my accounts because of it on one trip. Frustrating that sites assume you always have a connected phone. Had this happen on an airplane too.


Probably due to increased reliance on non-deterministic systems such as those based on AI. I expect the overall quality of all services, including fraud detection, to drop.


> as Google play have this "smart" rule that says I can only change my region once per year, what??

Create a work profile and a separate Google account with Island or Shelter.


I’m close to putting all my money in crypto and using prepaid cards to avoid the utter hell I have to deal with to pay for something using a normal bank.


I only have two data points (well, three now with OP), but I suspect this is on purpose.

BR and CN both are painful for me for this reason. Try to use a credit card, they will try to SMS a phone number I haven't used in my bank for 3 or more years.

Now that OP tells us about IN, I'm starting to see a pattern: for a fraud and insurance company, or, being realistic, the payment processor middleman who offers those services at a loss, making their client lose a few sales while pushing their customers (you) to instant electronic payments (BR: Pix, IN: UPI, CN: IBPS etc.) is a much better deal (for the middleman)!


To quickly solve some of your pain, pay a VPN node in America and just proxy requests through it.

Small amount of money compared to the stress.


VPN is the #1 sign of a fraudster; you will quickly learn this trying to use a VPN.


Parent may mean a VPN in the traditional (before wall to wall shills on YouTube) sense. Where you tunnel to your own network: home or office.


I got an Apple Card, tried buying NextDNS with it, and it declined for fraud detection 9 times over a few weeks (and I manually and immediately approved the transaction after each one and also called them around the 4th time). I asked Goldman Sachs, and they said NextDNS is not ESG enough or some such trash.

Yeah, I think we should be worried.


That seems suspect. Although it's theoretically possible to detect what your dns provider is and block it, I highly doubt GS cares enough about it to implement it.


Sounds like you are literally trying to launder money.

System seems to be working as intended.


So you move around a lot between 2 locations. Is it possible to set up two completely isolated systems (e.g. bank accounts, online accounts & devices), including a cheap second phone. The only interface between your two isolated systems would be the proven international money transfer services? Global money transfer between individuals (or yourself) I believe is the focus of all these remittance services of which I see all these ads lately. Of course they will charge a fee. I believe your use case is super common and many services target this use case.

TLDR: Global money transfer is probably not something you can do casually and frequently. There are specific services, and fees, and headaches. Probably you want to minimize the amount of individual transactions as much as possible to minimize the headaches (of course there are cashflow limitations).


You are using the wrong credit card/bank if you travel overseas. You should try something like Wise bank that will let you deposit money in different currencies.


    I had to try literally multiple services just to buy expensive gift card
So instead of contacting your bank or Amazon, you did the most money-laundering-looking thing you could do. Heckuva job there!


I work in fraud detection in the US and the number of people that end up making their legit purchases look like fraud is way too high.


> I work in fraud detection in the US and the number of people that end up making their legit purchases look like fraud is way too high.

I don't think you meant it. But that is blaming the victim.

A bit uncool.

One of the main features of capitalism is you can dispose of your property as you like.


Oh but the victim is usually the problem. PEBKAC is a thing. If you use a VPN, fake name, and aliased email to place an order online you can't really complain when the company cancels your order for looking suspicious.

Seems to me you subscribe to the "customer is always right" mentality and if you knew anything about working in a customer facing fashion you would know just how wrong that mentality is.


Ah, and that is our problem now? If I like to use my browser with uBlock, buying a gift card on a Sunday at 4am, right, sharing data from my phone, in a different city and with my new laptop, it is still your problem for not letting it go through.


> If you use a VPN, fake name, and aliased email to place an order online you can't really complain when the company cancels your order for looking suspicious.


How do we solve that?


You provide the most accurate and valid information you can when placing an order online.


Hmm no, my bank is fine, Amazon customer service told me they won't accept my card, that was the only option, but excuse me, how is a 100-200$ gift card money laundering?


Buying gift cards with stolen credit cards is like fraud/money laundering 101. The amount is not really a differentiator either because a lot of carders will run smaller test transactions to see if the card is still active.


Well, you cannot blame companies for protecting their businesses, as long as you don't have to use them. Just use cash.

However, if that becomes problematic (like WeChat in China), then things go bad very quickly.


> it's hard to carry cash from my country (for "security" reasons, as most airports limit how much cash you can carry).


Tell HN:


You do understand India is a country with a huge number of scammers who target US people, and they are causing the US billions of dollars of damage [1] each year? Sure, you might not be a criminal, but how would these companies know? Plus, since you mention "gift card", you do know that scammers use gift cards to launder money, right?

India doesn't put a heavy hammer on scammers for various reasons. For example, since the scammers are mostly targeting foreign countries, and Indian police are well known for accepting bribes from these scammers, the scamming business is de facto welcomed. They are too short-sighted to see that the "industry" is damaging India's global reputation, which transitively affects you in a negative way. It's unfortunate, and I hope the situation improves over time.

[1] https://www.ftc.gov/news-events/news/press-releases/2023/02/...


Your comment takes an (unfair IMO) position that it somehow matters what country the OP was in. It's not like the auth systems are designed for higher scrutiny in specific countries. There is more than one way to confirm identity, but somehow BigTech and Co keep assuming a happy path environment for you.

Case in point: my US bank insists on sending an OTP to my US number (and US number alone) for any transaction, making it impossible for me to move money when abroad. The problem exists in the other direction too, my foreign account only allows verification through one mechanism. It's really frustrating.


I worked in the payment card industry for a while a few years back. There are entire countries that are blocked by card providers due to fraud.

Unfair or not, it actually makes a difference. I was in a neat position to see some of the attempts in real time. It blew me away how much attempted fraud there is. Think of it like spam email - it's that bad.


I was the operator of a webserver for a small B2B shop for a number of years. We only had a couple dozen local customers, we hand-delivered custom orders with a dedicated truck. If you weren't local, there was nothing on that website that would have mattered to you.

But there were on the order of 50x more attempts from bots trying to log into our Wordpress instance from India (all illegitimate) than from actual customers. It was ridiculous.


Similar situation for a local small business I’ve worked for. Typically I’d respond to contact form spam with a notice to the source network. US-registered networks tended to reliably address the problem while IN- just ignored me, if their contact information worked at all.


>It's not like the auth systems are designed for higher scrutiny in specific countries

Of course it matters and of course they are.

Everything you describe and OP describes are frictions that apply by virtue of you not being in the US, on purpose.


> sending an OTP to my US number (and US number alone) for any transaction, making it impossible for me to move money when abroad

Strictly speaking it doesn't make it impossible. You have made a choice not to pay roaming fees while using your USA number while abroad.


SMS on roaming can be hit or miss. I travel internationally every year and I am always worried that some SMSs won't reach, and it happens from time to time. I especially hate those products/services that only do SMS based 2FA.


Nope. I travel to EU often with roaming on. OTP SMSs for many services don't come through. It's a real pain.


Very strange. How about regular SMS? Are they dropped too? I had zero issues with TMo, and I don't even need roaming for this.


It's weird, regular SMSs do come through, as far as I know. It's hard to tell as I don't get many SMSs, mostly iMessage and Whatsapp. I'm on AT&T, and something about automated messages from those 5-6 digit numbers never shows up when you want them to.


Just FYI (because your OTP hell was my OTP hell until recently) if you fly to another country, disable roaming in the phone, and don’t make outbound calls, your phone will receive these OTP messages for free with most US cell providers.


> huge number of scammers who targets US people

Scammers, as a category, target everyone. You think Indians don't get conned into sharing their OTP/passwords or financial details?

> They are too short-sighted to not see that the "industry" is damaging India's global reputation

India has one of the lowest police officers to population ratios in the world. They are so swamped with day-to-day crimes and other nonsense and providing protection to events and politicians that India's "global reputation" is simply not on their radar.

You cannot buy a SIM for your phone or open a bank account without providing ten types of identity documents but these scammers seem to have an infinite supply of phone numbers and bank accounts. That is just the way things are.


> Scammers, as a category, target everyone. You think Indians don't get conned into sharing their OTP/passwords or financial details?

Right, but it's a lens thing. US merchants don't care that they're also targeting non-Americans. They care about "target US people" as a subset of that.


Laundering money using 100-200$ gift cards?


A few years ago, gift cards were THE currency in the scamming world for shifting funds between victim and money launderer. They would ask the victim to go to 8 different department stores to buy as many gift cards as the store allows, then tell them the card numbers. It's pretty normal for the victim to hand over 20 $200 gift cards. And the scammers will keep phishing the victim over and over again until there is no more money to squeeze.

Nowadays many scammers switch to digital currency like Bitcoin, which is even less traceable and hard to shut down, but that's only because banks and stores have put in the countermeasures you encounter to combat them.

There are many scamming related materials available online. Many scam-baiters put their videos on Youtube, such as Jim Browning [1] and Kitboga [2].

[1] https://www.youtube.com/@JimBrowning

[2] https://www.youtube.com/@KitbogaShow


Absolutely. Walmart used to have a policy of refunding gift cards in cash. You'd buy many at one location, and return them at another. Less trackable. Gift cards are also used quite regularly in human/sex trafficking to control the victims.


Your comments are ill-informed as several remote terminal providers have joined with scam-baiters and India police to combat this... new as in the effort started in Jan 2023.

You need to update your information and knowledge.


Just because there are efforts to combat the problem to some degree does not mean the problem is solved or that there isn't a major problem to begin with.


A workaround (edit: in some of those cases): Set up a Tailscale exit node in the country where you're normally located, with a residential IP. E.g. in your apartment back home, or at a friend's.


This might help in specific cases yes, but in the case of websites that provide physical services (e.g. delivery of products) it won't help much.


In this case it might actually make it worse. Why are you suddenly, while in the US (for example), ordering physical services in India?

My bank locked my credit card once due to suspected fraud. I asked what triggered it and they said "You never buy gas on this card". This was 15 years ago and I'm sure the algorithms have only gotten better.

A different bank used to ask you to tell them if you were planning on traveling so that your card would continue to work, they stopped doing it and said that they had improved their fraud detection and this was no longer necessary. My guess is that they take the data provided by airlines[0] when you book a flight and use that to tell where and when you're traveling.

[0] https://www.marqeta.com/blog/data-details-what-is-level-1-2-...


My favorite was the time I used my Disney credit card to book a trip to Disney World - flight, hotel, tickets, everything. No problem. Then I get to Disney World and my card gets locked when I try to buy a churro because I used my card in a new location.


Not to mention the number of apps (and increasingly websites) which will require location services. So now you have a GPS location in India, and you're making credit card purchases alternating between USA IPs and India point-of-sale machines (and presumably sometimes Indian IPs for apps/sites that might block USA IPs) throughout the day.

As a fellow world traveler / international worker, I do still think this is wrong-headed on the part of the banks, but it's the current paradigm in which we all operate.

In the past it helped for me to call my banks and let them know I am traveling "for the next year" and to ease up on the fraud protection. But now with more and more layers of fraud protection, it's often not my bank that's the gatekeeper.

It's things like not being able to download a local version of an app, or not being able to get a local payment account (like UPI payments in India; I don't know if it's hard for foreigners to get that specifically, but in other countries it can be very difficult without being integrated into the local payment platforms).

P.S. - Re: location services...I like the catchphrase "Any device you truly own would lie on your behalf. If it won't lie for you, you don't own it." I should be able to tell my iPhone to report my location wherever I damn well want to pretend to be.


My bank has a mode that prevents purchases from merchants more than "100 km from me" ... it turns out the ice cream truck from another city was "more than 100 km from me".

That was entertaining and embarrassing because the machine was returning "insufficient funds" for a $2 ice cream, while I'm scrambling in the app trying to figure out how to turn that shit off.
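Two rules mentioned in this thread, the "merchant more than 100 km from me" geofence above and the "small test charge before a gift-card purchase" pattern described further up, are easy to sketch as code. The block below is an added example written for this page; it is not any bank's or processor's actual logic, and the transactions, coordinates and thresholds are constructed. It also shows why the geofence misfires on the ice-cream truck: the rule only sees the merchant's *registered* address, not where the terminal physically is.

```python
"""Toy card-fraud rules of the kind described in the thread (constructed example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass
class Txn:
    txn_id: str
    minute: int          # minutes into the day on a constructed clock
    amount: float        # in the card's currency
    mcc_group: str       # coarse merchant category, e.g. "gift_card", "food"
    merchant_lat: float  # merchant's *registered* location: all the rule gets to see
    merchant_lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def distance_flag(txn, holder_lat, holder_lon, max_km=100.0):
    """The '100 km from me' geofence: true when the registered merchant is too far."""
    return haversine_km(holder_lat, holder_lon, txn.merchant_lat, txn.merchant_lon) > max_km


def probe_flag(history, txn, probe_max=5.0, window_min=60):
    """A tiny 'is this card alive?' charge shortly before a gift-card purchase."""
    if txn.mcc_group != "gift_card":
        return False
    return any(
        h.amount <= probe_max and 0 < txn.minute - h.minute <= window_min
        for h in history
    )


def evaluate(txns, holder_lat, holder_lon):
    """Run both rules over a day's transactions; return {txn_id: [reasons]}."""
    flags = {}
    history = []
    for t in txns:
        reasons = []
        if distance_flag(t, holder_lat, holder_lon):
            reasons.append("merchant_registered_over_100km")
        if probe_flag(history, t):
            reasons.append("small_probe_then_gift_card")
        flags[t.txn_id] = reasons
        history.append(t)
    return flags


# Constructed sample: cardholder in Berlin; an ice-cream truck whose company is
# registered in Hamburg (~255 km away); a $1 charge followed 15 minutes later by
# a $200 gift card; and a later gift card with no probe in the preceding hour.
HOLDER = (52.52, 13.405)
SAMPLE = [
    Txn("t1", 600, 2.0, "food", 53.55, 9.99),          # $2 ice cream, truck registered far away
    Txn("t2", 610, 1.0, "online", 52.50, 13.40),       # tiny charge at a local merchant
    Txn("t3", 625, 200.0, "gift_card", 52.50, 13.40),  # gift card 15 min after the probe
    Txn("t4", 900, 200.0, "gift_card", 52.50, 13.40),  # gift card, nothing small before it
]

if __name__ == "__main__":
    for txn_id, reasons in evaluate(SAMPLE, *HOLDER).items():
        print(txn_id, reasons or "ok")
```

`t1` is the ice-cream truck case: a $2 purchase declined purely because the operator's registered address is in another city, which is exactly the false positive the comment above describes. `t3` trips the probe rule while `t4`, the same amount at the same merchant but with no small charge in the previous hour, passes; the amount alone is not what the rule keys on.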


>Not to mention the number of apps (and increasingly websites) which will require location services.

Like what? I've never encountered this.


I have a Raspberry Pi at home running an OpenVPN server, and a client config for each of my devices, and it's been extremely useful ever since.


How do you expose the Raspberry Pi so that you can reach it from the outside internet?

My OpenVPN runs on a Digital Ocean droplet and I use it to tunnel into my home network, but having a direct route might be better.


If it's OpenVPN you can just port forward from your router to the Raspberry Pi's internal IP address.

If it's a webserver you can do the same, or use something like Cloudflare tunnels to expose the service.


Or, like the original post said, use Tailscale, which can punch a hole through the NAT for you.


Port forwarding is easy and self-reliant compared to using a third party's free service, though.

Not saying that's for everyone, but I do feel like the default should be to click the two buttons in your router interface, with third parties as a fallback option or conscious choice. Probably just as quick as signing up for Tailscale, if it weren't for the fact that all routers feel like they need to reinvent a UI so it's never twice the same.


Not everyone can get port forwarding, though. If you're stuck behind one of those terrible CGNAT+no IPv6 ISPs, you can't host your own services from home that easily. There are more of those shit tier internet providers out there than you'd hope or expect.


> How do you expose the Raspberry Pi so that you can reach it from the outside internet?

I had this issue recently trying to enable port forwarding on a Comcast router, which is no longer allowed.

Turns out the answer is "stop the router from blocking IPv6 connections". You can just connect directly to whatever device you want over IPv6.


Port forwarding in my home router. I have it forwarded to 53 UDP since some public networks have firewalls, but the DNS port is almost never blocked.




I sympathize with you. There should be no fraud prevention of any kind. They should just eat the cost without bothering us in any way.

