
Most of what he says is obvious stuff and the emphasis he puts on how much he modifies stuff makes me assume he's someone that just runs programs and doesn't have any unique insight, but he does make one interesting point:

> Try to use "Verified-By-Visa" and "Mastercard-Securecode" as rarely as possible. If only your CVV2 code is getting sniffed, you are not liable for any damage, because the code is physically printed and could have been stolen while you paid with your card at a store. Same applies if someone cloned your CC reading the magnetic stripe or sniffing RFID. Only losing your VBV or MCSC password can cause serious trouble.

Does anyone know if this (using Verified-by-Visa or Mastercard-Securecode removes any payment protection if you get key-logged etc.) is correct?




As someone in the financial payment industry, let me shed some light on it. 3DSecure (the generic name), when used, generally prevents the user from issuing chargebacks, even in the case of fraud. It's a Terms & Conditions change, basically, for that purchase. Since your credentials can be hijacked at your web browser level, it is possible to give up your credentials AND give up your ability to remediate the issue later.

If you are purchasing stuff online, I advise using a credit card and CVV. Federal law (in the US) limits your damages to $50 total in the event of fraud. (Not true of debit cards, or 3DSecure.)

http://en.wikipedia.org/wiki/3-D_Secure


The only merchant that I've ever seen this used at is Newegg and they make it mandatory for Visa.


Although the mandatory sign-up for VBV on Newegg is old news (~3 years ago now?), any time you get a "you are now being redirected to your credit card's website for a mandatory additional agreement," that should be a huge red flag.

You can cancel the "mandatory" VBV page by pressing the back button. At first, the VBV page did have a tiny link that let you opt-out, but it disappeared some time in 2009.

I was quite surprised when I had finally given up and was ready to empty the Newegg shopping cart, only to find the order was accepted when I used the back button to escape VBV.


does this mean i have more than $50 fraud liability if something goes south with my newegg purchase? if so, this is a real reason not to risk doing business with them.


Kind of sad, the last time I built a PC I had to have the hardware within 2 days. Newegg said the order went through and then the next day I got an e-mail to call and verify my order. I cancelled the order, found everything on Amazon for the same price and had it shipped overnight.

I don't know how many times now I've gone to an e-commerce site and the stupid Mastercard-Securecode has popped up, or my order has been frozen for verification -- and I immediately go straight to Amazon. Perhaps the real beneficiary here is Amazon. They know my order history and they know when I order a $4000 TV to an address I've been shipping $X amount of stuff to without incident.


I've also shifted all my business from newegg to amazon for that reason and also this one: newegg's packing is horrible. What am I supposed to do with an enormous pile of packing peanuts from the box that's three times larger than it needs to be? If you want to collapse the box, good luck pouring all those peanuts into a garbage bag without getting them everywhere. And if you don't have access to a dumpster, you get to waste a ton of space in your garbage can.

With amazon, you get to stab the air bubbles with a knife and wad them up.

Also, reliable ship times are neat.


Bean bag chair!


same thing happened to me. on a whim, i wanted a very specific poster. i went to order it from the first place i found it and then had trouble on the order entry. after 10 minutes of frustration i decided to check amazon, and found it cheaper and with free shipping, as i'm on prime. amazon really is the walmart of the web. my last newegg purchase was split as many of the pieces were cheaper on amazon, and i have more trust in them.


I'm not familiar with this service. What is the advantage to the consumer in exchange for losing their fraud liability protection?


Nothing. This 'feature' is entirely designed to reduce the banks' liability. It shifts the onus of security onto you (from the banks and the merchants).


It sounds like in principle it might also reduce fraud overall. Thus, maybe 80% of the fraud goes away and 20% remains, but that liability is shifted to the consumer rather than the bank (who otherwise passes it to the merchant anyway). If the merchant has reduced fraud liability, they may be able to offer lower prices. So, in principle there might be a long-term win for the consumer. In practice, who knows.


I think the idea of a PIN at checkout is a good one to reduce fraud. However this is more work for the consumer, and reduces the bank's liability. Most consumers would probably prefer this, as it makes their card more secure and reduces the possibility of fraud hassles, which are annoying regardless of liability. Having something that is more work for the consumer and could save the bank money also switch the liability to the consumer is just obnoxious.


There is now Chip and pin fraud. With chip and pin the liability is now on the consumer to prove it wasn't their transaction. Customers have had to take the banks to court in the UK to get fraud losses removed. In these cases it has been proven that Chip and pin is infallible. Same applies online with 3-D secure.


> I think the idea of a pin at checkout is a good one to reduce fraud.

For in-person transactions, merchants can check your signature against the one on the card or alternatively ask to see a photo ID. The process is there, though it's hardly ever done.


Given the fact that your signature is on the card, this seems rather ineffective. Approximate signatures are easy to forge and no merchant will deny a transaction based on a different signature.

In fact, that is not the purpose of your signature. The purpose is that you are signing a contract and agreeing to pay. It has nothing to do with security or fraud and merchants are not supposed to check signature matches - only that you signed.

A smiley face is a valid signature, as long as it is you and you agree to the credit card contract.


Actually, signing the receipt has everything to do with fraud. If you use a credit card in a transaction you are required to pay regardless of whether you sign an agreement saying so. The difference is, if the merchant does not collect your signature, they are liable for any chargebacks AKA reports of fraud whereas the bank would be if the merchant did collect the signature. [1][2]

My point in bringing up the signature line on the back of the card is that, while it might not meet your personal standard of effectiveness, it is an example of "a pin at checkout is a good one to reduce fraud. However it is more work for the consumer, and reduces the bank's liability." Signature verification is an old-fashioned, and perhaps imperfect, nonetheless established method of security.

If you have ever used traveler's checks, you will know that they also use signature-matching as the method of security/verification.

[1] http://www.npr.org/templates/story/story.php?storyId=9227832... [2] http://minnesota.cbslocal.com/2012/02/14/good-question-why-d...


Because if you did not sign, there is no written contract for that transaction, so there is far less of a case that the charge is valid. Regardless of what the signature looks like, you are liable if it was you (or someone you authorized) who signed and you are not liable otherwise. You are even liable if you charged for the transaction but did not sign - there is just no written, signed contract, so you are presumed not to have agreed to the charge.

None of the above is legal advice as IANAL, however I do believe it is correct.

Do you really think a merchant can verify those electronic scribbles on a tiny, crappy pen input device? No. Any mark made by you with the intent to sign is a legal signature.

Read more here:

http://www.npr.org/templates/story/story.php?storyId=9227832...


You are entirely correct. The difference between online payments and any POS transaction can be summed up in three words, 'card not present'.

3DS attempts to create a 'cardholder present' situation, hence the shift of liability.


Did you think I was arguing a smiley face is not a valid signature?


None really. A) Fraud liability effectively shifts to you, versus the often waived $50 limit, and B) it interjects an authorisation from your issuing bank into the checkout process oftentimes screwing it up.


VBV (or 3D secure as it is called today) is part of a move by the credit card companies and the banks to push the risk to the most vulnerable party, the consumer.

The idea is that this absolutely crack proof scheme requires you to authenticate yourself to your bank in a fairly complex three way handshake.

In the old (read pre-VBV) days the card companies and issuing banks would saddle the merchants with any charges that were disputed using the chargeback mechanism.

Verified-by-Visa removes this safeguard by adding an additional layer of authentication which supposedly has the same strength as you being on-premise and signing on the dotted line to authorize your purchase. This will effectively remove a lot of the excuses that you might have had such as 'it wasn't me', 'I wasn't there' and 'I never meant to buy this', which were the most common excuses consumers would come up with after using a service for anywhere up to 6 months and then yanking back all 6 months worth of payments and saddling the merchants with the loss of income, pay-outs to affiliates already made and additional charge-back fees on top of that.

So even if the goal was a fairly noble one it looks as though the whole idea is predicated on one tiny little detail, which is that VBV is supposedly hack-proof, but in fact this is highly dependent on both your bank and the security of their implementation. Neither of those are as ironclad as they should be to remove all doubt.

But of course the banks/card companies are not willing to end up holding the bag if there is trouble so it falls to the consumer to prove that they really were not involved in the transaction and that is very hard.

On the positive side in this whole debate: Even if a consumer is defrauded there is always someone who benefits and following the money usually leads to the perp. That's why it is hard to order stuff online with credit cards that were not issued in the country that the person using them is from, that's why it is hard to spend your money on three different continents with the same credit card within a single day and so on.

Lots and lots of money goes in to early warning fraud detection (before the fraud happens) and this nips a very large percentage of potential fraud in the bud.


> VBV is supposedly hack-proof

Something very strange I noticed with Verified by Visa and with Mastercard Secure Code is that both sometimes forget that you have already enrolled and make you re-enroll (i.e., answer their weak "security questions", like date of birth, and then choose a password).

It happened once with Verified by Visa and twice with Mastercard Secure Code so far. (No, my card numbers had not changed.)

These systems can't be trusted to even reliably remember my previous password.


> Does anyone know if this (using Verified-by-Visa or Mastercard-Securecode removes any payment protection if you get key-logged etc.) is correct?

Yes. It's the whole point of the system, to remove even more risk from the CC companies and banks, and put it on you.


When a website asks me to use one of these, and I don't want to, how do I decline but still make the purchase? It always seems like my options are take-it-and-like-it or don't complete the transaction. Is there a third option?


I've had certain websites require VbV for purchases. I can only assume the transaction fees are lower for such transactions, or they got some kind of other deal from their merchant bank.

The worst part is the information required for the "I forgot my password" process is often not terribly hard to get hold of (date of birth, that kind of thing).

The best option at this stage is probably to have a "normal" credit card for everyday use which is specifically NOT VbV enabled, and a special VbV credit card that you keep at home for internet purchases from companies that require it. Or just don't buy from those companies.


> I've had certain websites require VbV for purchases. I can only assume the transaction fees are lower for such transactions, or they got some kind of other deal from their merchant bank.

Transaction fees are not the problem, putting a stop to consumer fraud and charge-backs are the net win for the merchant.


I had this pop up today, the wording was pretty misleading.

In my case not activating Secure By Visa let me proceed with the transaction normally, but they certainly tried to imply it was necessary.


Use AmEx.


wondering the same thing


Paypal.


Verified by Visa is a fucking joke.

In Canada it pops up a browser window that prompts for various personal information and its URL points at ... drumroll ... https://secureserver.net. If that's not by the book appearance of a phishing site, I don't know what is.


It's actually https://www.securesuite.net.

I was very suspicious of that the first time I was subjected to Verified by Visa.

The other thing that infuriated me about Verified by Visa is that when you are forced to sign up for it, it thanks you for choosing to sign up. The only choice I had was to sign up or not make the transaction!


Really? Because SecureServer.net is a domain used in GoDaddy's webmail:

https://login.secureserver.net/


I typed it from memory, so it might be off. Regardless though - the URL had "secure" and "server" in it, but no "visa".


I really wouldn't be surprised. The security group at my university do a lot of stuff on banking security, and from what I've heard, this was one of the main reasons behind the switch to chip-and-PIN in the UK --- the user is now liable when his card gets stolen and used.


See, for example, Tetris on a ('secure hardware' platform) chip & pin machine[1]

The same group (security research at cambridge) are also the ones who produced the 'chip and pin is a joke'[2] paper you might be referring to.

[1] http://www.lightbluetouchpaper.org/2006/12/24/chip-pin-termi...

[2] http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-i...


That's not really true.

The user is liable if the card is stolen, and it is used to conduct fraud using the PIN code.

If the card is stolen, and the fraudster simply uses it online, or via some place that doesn't ask for a PIN, then you are not liable for that fraud.

I'm sure there are rare edge cases, but my experience with Barclays has always been very good in this regard.


The problem is that there is no way of knowing that the criminal even knows the user's PIN, due to flaws in the chip-and-PIN protocol. See http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-i...


And, from many years of personal experience, quite a lot of people don't treat their card and PIN securely. This might be in the form of (and these are genuine examples):

1. Writing the PIN on a post-it note and sticking it to the back of the card.

2. Writing the PIN on some paper and keeping it in the same place the card is kept.

3. Giving the card to someone else (partner, kids, relatives, etc.), along with the PIN, to run an errand for them.

4. Saying the PIN out loud as they type it in.

5. Asking the customer assistant/whoever is dealing with the transaction to enter the PIN for them.

Chip&Pin, while claiming to be more secure, enabled and made convenient basic forms of fraud, such as that in points 3 and 5.

I'd actually argue that the shifting of liability from the card issuer/merchant to the card holder/customer in the UK is a direct consequence of C&P allowing careless people to be more lax with the security of their card.


The worst thing is the chip+pin machines that do not have any shield to hide you punching the pin in, and then to just add insult to injury, they're the kind of buttons that you have to forcefully press with all your might to get them to register. So it's blatantly obvious to anyone taking notice which buttons you pressed.


Here's how I do it:

Cover the pad with one hand (and maybe your wallet) and type it with the other

You can do it quite naturally. Of course it helps if you type the pin fast as well (by fast I mean not taking 1s per digit)


Richard Clayton (etc) have lots of interesting stuff about bank security (and the lack of) - they've attacked chip and pin, which means that if someone does manage to defraud the card the owner might have some chance of getting the cash back.


My experience with mastercard-securecode is that I can just enter gibberish until it fails the check, then my purchase goes through anyway.


I've only used VbV once or twice, years ago. Do they still use iframes? I've never understood why they try to make the site more "secure" by using these services, but then use an iframe so the average user can't easily confirm if the login screen is legit or not.


In the UK I see it occasionally. Oddly enough it's mainly when I order food online.

It really peeves me that they are training people to accept entering sensitive information into something it would be so very easy to fake. There's nothing to prove that it is actually what it says it is. On top of that, if you forget your phrase the security question (the usual researchable ones) and answer sequence happens within the iframe without recourse to any external site or emails.

As other comments have said, none of this is for the customers benefit.
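The point raised in the two iframe comments above (a login form delivered inside a merchant's frame gives the user nothing to check) can be made concrete. The JavaScript below is an added example, not code from this thread or from any card scheme or bank: it classifies how a document is embedded, taking a window-like object so it runs offline in Node, and the three fake windows (`topLevelBank`, `sameOriginFrame`, `merchantFramedBank`, using the made-up origins `https://bank.example` and `https://shop.example`) are constructed for the demonstration. The function names are assumptions of this example.

```javascript
// Added example, not code from the thread or from any 3-D Secure vendor.
// It models what a framed page can learn about where it is embedded, which
// is why an iframe-hosted login cannot be checked by the user: the address
// bar shows the embedding site, and the framed page's origin is invisible.
// `win` is a window-like object; in a browser you would pass `window`.

function classifyEmbedding(win) {
  // Top-level document: the address bar shows this page's own URL.
  if (win.self === win.top) {
    return { framed: false, ancestorOrigin: win.location.origin };
  }
  // Framed document: reading the top window's location works only when the
  // embedding page is same-origin; cross-origin access throws a SecurityError.
  try {
    return { framed: true, ancestorOrigin: win.top.location.origin };
  } catch (err) {
    return { framed: true, ancestorOrigin: null }; // opaque to the page as well
  }
}

// Does the URL the user sees in the address bar belong to the origin that
// will receive whatever is typed into this document?
function addressBarMatchesForm(win) {
  const info = classifyEmbedding(win);
  return !info.framed || info.ancestorOrigin === win.location.origin;
}

// --- constructed fake windows so the example runs without a browser ------

function fakeWindow(origin, topOrigin) {
  const win = { location: { origin } };
  if (topOrigin === undefined) {
    win.top = win; // top-level document
  } else if (topOrigin === origin) {
    win.top = { location: { origin: topOrigin } }; // same-origin frame
  } else {
    // Cross-origin frame: touching top.location throws, as browsers do.
    win.top = {
      get location() {
        throw new Error("SecurityError: blocked cross-origin access");
      },
    };
  }
  win.self = win;
  return win;
}

const topLevelBank = fakeWindow("https://bank.example");
const sameOriginFrame = fakeWindow("https://bank.example", "https://bank.example");
const merchantFramedBank = fakeWindow("https://bank.example", "https://shop.example");

if (typeof require !== "undefined" && require.main === module) {
  const cases = { topLevelBank, sameOriginFrame, merchantFramedBank };
  for (const [name, w] of Object.entries(cases)) {
    console.log(name, classifyEmbedding(w), "address bar matches form:", addressBarMatchesForm(w));
  }
}
```

The `merchantFramedBank` case is the situation the comments describe: the frame belongs to the issuer, the address bar shows the shop, and nothing visible ties the form to the bank. For anyone who does control a login page, the defensive decision is whether it may be framed at all, enforced with the `Content-Security-Policy` `frame-ancestors` directive rather than left for users to notice.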


at least for mastercard this is true: as per my bank's tos i have to take care that nobody gains access to my 'securecode' and i am liable for any unauthorized charges. (because the 'securecode' is supposed to guarantee that it is me who is using the card)


Somewhere in the thread he says that he started coding around Operation Payback. That is December 2010. I would assume that either he is truly a genius or that his abilities to program properly are limited.

