
I just got an email from my credit union that they're "transitioning from email passcode delivery to more secure methods such as phone calls and text messages". I need to send them this video.

That credit union is awful for many other reasons, so I don't keep much in that account, but I wonder why banking in the US is so bad at security. I don't think I have a single bank or credit card online account that allows for TOTP. It's all SMS or phone call, with one bank allowing for app push notifications.

Is there a compliance check box that requires SMS over something with at least some security?


> Is there a compliance check box that requires SMS over something with at least some security?

Yes - it ticks the box for 2FA.


I'm surprised they're putting SMS 2FA in now. In 2016 NIST released new guidelines that essentially "banned" SMS 2FA use. It's heavily suggested that US banks follow NIST guidelines; I'm unsure if there's any actual legal requirement for them to.

You could always send the portion of the guidelines to as many credit union people as possible. Someone may bite.


NIST is all about internal controls. It says nothing about dictating controls on your users.

That's not entirely correct. The main purpose is how US federal agencies handle stuff such as digital identities, this includes all digital identities - employees and citizens/other. Private institutions can use it as guidance for whatever purpose. You can find this information in the abstract of revisions https://pages.nist.gov/800-63-3/sp800-63-3.html

I agree. I also like their explanation on why they don't offer PGP.

https://www.fastmail.com/blog/why-we-dont-offer-pgp/


My favorite was the time I used my Disney credit card to book a trip to Disney World - flight, hotel, tickets, everything. No problem. Then I get to Disney World and my card gets locked when I try to buy a churro because I used my card in a new location.


I move to random corners of the world every 2-3 years and this is starting to give me real anxiety every time I try to make a purchase. One of my credit cards makes me jump through all of the verification and "Was this really you?" messages, then still locks my account half the time.

So many online stores will approve my purchase and bill the card with no issue, then cancel it a few hours later for vague security reasons. I remember when the credit card companies ran commercials about how easy and secure credit cards are, especially compared to checks, but now I feel like a criminal every time I try to use mine. I wonder if this violates any part of the merchant agreement that these stores are getting a 100% valid authorization on my credit card, but still aren't willing to accept my payment.


I found that notifying my providers of upcoming moves eliminates this. Call them, tell them what you're doing and ask their advice (b/c there may be something you overlooked or they may have special problems of their own).

Anyway, they're doing you a service and notifying them is good etiquette. And like good etiquette, it often greases the wheels of commerce.


Note that this is about large tech service providers “taking this into their own hands.” The basic problem is that a lot of these companies deal with people who store their card information and then use an insecure password or so, or reuse the password at a different website... Someone else gets into the account and requests a transaction to a new address.

Also, fun story about how your advice doesn't always work: I was locked out from my money multiple times on my honeymoon in Greece despite repeated calls to the bank, repeated unlockings of said account, "hi, I am actually standing at an ATM in this bank branch, can we track this account lockup in real time?"... I think with all of the time on hold I actually might have spent something like 20+ hours of the trip trying to debug it over the several times it happened.

When we finally resolved it, I'm not 100% sure about the explanation, but it was something like “the person you called a week ago put in country code GE for Georgia rather than GR for Greece, and that is the first place everybody else who has serviced your request has probably looked, but they all probably thought GE was right because you have to memorize that DE is Germany and so people get confused real easily...”


That does help a bit with the banks, but I've not had any luck at all with the stores who cancel my orders after the payment goes through. They refuse to budge, assuming I even get a response, and won't give me any information about why my orders are cancelled, citing more vague security reasons.

I did have success with a privacy.com card once, at a store that cancelled orders from all of my other cards. I'm guessing they see it as a prepaid card and can't get as much info on those.


Neither my bank nor my credit card company even want pre-notification at this point and don't provide a way to do it at this point. I admittedly haven't had issues either internationally or in the US for quite a few years at this point, but I always carry a varied set of credit cards when traveling.


Stores are not payment processors and don’t want to be due to compliance reasons. You’d have to ask who is processing their payments and contact those people and have the store also contact them most likely and that still doesn’t mean you’ll get anything done.


The way the incentives work, if a store is mostly sure you're legit, that's not good enough and they would lose money if they served people indistinguishable from you; if their margins aren't huge, even being 90% sure may not be good enough.


When I worked at a bank, I heard that the travel notifications weren't actually used by the fraud department at all and were just there as window dressing to make the customer feel better.


Having to contact the provider to spend one's own money is simply outrageous.

And yet, I also have started to make preemptive contact with them to avoid the complete hassle of having the card blocked for fraud that is NOT fraud.


If you’re free to be scammed out of your money, with no repercussions to others, sure it’s unreasonable to stop you. But with (American) credit cards, it’s the backing financial institution that bears the burden of fraud; merchants accepting fraudulent transactions are punished as well.


If you were talking about asking someone's permission to spend your own cash money, that would be outrageous.

A bank account or a credit card is a relationship where you rent someone else’s infra to make payments. Makes sense to work together to minimise friction for both parties.


> I found that notifying my providers of upcoming moves eliminates this.

You seem to be older. I used this too, until 5 or so years ago. Now my bank just says I "don't have to notify them anymore as they don't have this in the system, since it is all automated for my convenience".


Not so much. Many credit unions, including mine, still seem to require it (and absolutely have flagged transactions and our cards when we've forgotten).

But yes, none of my credit cards (Chase, Citi, Amex) require (or even offer) travel notifications.


When I was traveling abroad, I placed an order on Walmart, shipping to my home address, so that it would be there for me when I got back home. Walmart cancelled the order, "due to location restrictions on placing and shipping orders", even though the delivery address was in the US! I have no idea why the physical location of the computer placing the order should matter to Walmart. Eventually I just had to get my friend order for me.


A tailscale node on your AppleTV at home will fix the issue for you.


Wireguard on a $15 Raspberry Pi Zero works as well[1], for those who don't have AppleTVs.

1. Or OpenVPN on your router. It's probably worth giving yourself a tunnel to your home network that you can use from your phone or laptop from anywhere in the world. Avoid default ports if you can.
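The Raspberry Pi setup described above, written out as the two wg-quick configuration files it needs. This is an added example, not the commenter's own configuration: the key placeholders in angle brackets stand for output of `wg genkey` / `wg pubkey`, `home.example.net`, `eth0`, the `10.8.0.0/24` tunnel range and the listen port 48123 are assumptions, and the default WireGuard port it moves away from is 51820. Note that WireGuard does not answer packets that lack a valid handshake, so changing the port mostly reduces scanner noise in your logs rather than your actual exposure; the key-based peer list is the real access control.

```ini
# /etc/wireguard/wg0.conf on the Raspberry Pi at home (server side)
[Interface]
Address    = 10.8.0.1/24
ListenPort = 48123                 # non-default; WireGuard's default is 51820
PrivateKey = <pi-private-key>      # from: wg genkey
# Forward and NAT tunnel traffic out of the home LAN so remote sites see the home IP.
# eth0 is an assumption; use the Pi's LAN interface.
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# laptop; one [Peer] block per device, each with its own key pair
PublicKey  = <laptop-public-key>   # from: wg pubkey < laptop.key
AllowedIPs = 10.8.0.2/32           # only this tunnel address may arrive from this peer

# wg0.conf on the travelling laptop or phone (client side)
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <laptop-private-key>
DNS        = 192.168.1.1           # assumption: the home router, so DNS also resolves from home

[Peer]
PublicKey           = <pi-public-key>
Endpoint            = home.example.net:48123   # dynamic-DNS name for the home connection
AllowedIPs          = 0.0.0.0/0, ::/0          # full tunnel: every packet exits via home
PersistentKeepalive = 25                       # keeps the NAT mapping alive from behind hotel wifi
```

Bring it up with `wg-quick up wg0` on both sides; if you only want to reach the home LAN rather than route all traffic through it, narrow the client's `AllowedIPs` to `10.8.0.0/24, 192.168.1.0/24` and the NAT rule becomes unnecessary.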


Tailscale is WireGuard, just with outsourced admin.

I'm getting paid to develop and operate network infrastructure, I don't want to have a second job doing it without compensation.


The only admin work I ever do is generating a new config when I get or replace a peer device. I imagine this is inescapable even on Tailscale? Are there specific, recurring tasks that you think would cause it to rise to the level of a second job, rather than a once-and-done 5 minute install?


The fact you have to state avoid default ports if you can kinda really highlights why this is not the best idea right?


Shopify does use the IP location distance vs shipping address as a risk factor for fraud. I see it often on my Shopify stores, where they will flag an order as high risk for that reason.

Same thing if someone used a VPN.
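To make the two signals in the comment above concrete, here is a minimal order risk scorer: great-circle distance between the IP geolocation and the ship-to address, plus an ASN check for VPN or hosting providers. This is an added example, not Shopify's code or thresholds: the 1000 km cutoff, the ASN list (private-range numbers standing in for real provider ASNs) and the three sample orders are all constructed. The third order is the traveller-ordering-to-home case from earlier in the thread, which scores exactly like an attacker using a stolen card from abroad; the scorer cannot tell them apart, which is why such orders get cancelled.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

# Illustrative thresholds and data, not Shopify's.
FAR_KM = 1000.0                  # IP geolocation further than this from the ship-to address
VPN_OR_HOSTING_ASNS = {64512, 64513}   # constructed; real lists map provider ASNs


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class Order:
    order_id: str
    ip_lat: float      # from an IP geolocation lookup at checkout
    ip_lon: float
    ip_asn: int        # autonomous system of the client IP
    ship_lat: float    # geocoded shipping address
    ship_lon: float


def risk_signals(order: Order) -> list[str]:
    """Return the fraud signals that fire for this order (empty list = clean)."""
    signals = []
    dist = haversine_km(order.ip_lat, order.ip_lon, order.ship_lat, order.ship_lon)
    if dist > FAR_KM:
        signals.append(f"ip_far_from_shipping:{dist:.0f}km")
    if order.ip_asn in VPN_OR_HOSTING_ASNS:
        signals.append("vpn_or_hosting_asn")
    return signals


def risk_level(order: Order) -> str:
    n = len(risk_signals(order))
    return "high" if n >= 2 else "medium" if n == 1 else "low"


# Constructed sample orders (coordinates are approximate city centres).
ORDERS = [
    # Checkout from San Francisco, ship to Oakland, residential ISP.
    Order("A", 37.7749, -122.4194, 64514, 37.8044, -122.2712),
    # Checkout from Athens via a VPN exit, ship to Chicago.
    Order("B", 37.9838, 23.7275, 64512, 41.8781, -87.6298),
    # The traveller case: checkout from Athens on hotel wifi, ship to home in Chicago.
    Order("C", 37.9838, 23.7275, 64514, 41.8781, -87.6298),
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o.order_id, risk_level(o), risk_signals(o))
```

A real scorer weighs many more features (card BIN country, address verification result, device fingerprint, order history), but the distance signal alone already explains the Walmart cancellation above: with only the IP and the address to go on, a legitimate traveller and a card thief shipping to a US mule address look identical.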


I don't know how the numbers break down, but plenty of people that buy credit card numbers are happy to orchestrate a scheme to ship packages to the US and have someone forward them to the scammer. Or steal them off your porch.

It is probably exceptionally rare for a fraud protection algorithm to be in place to inconvenience and spite you. Rather, some ne'er-do-well has cooked up a bafflingly complicated scheme that looks like your legitimate business. Such is the tragedy of operating at scale.


Highly recommend: https://wise.com


I've had the best luck sticking to ApplePay, PayPal as the backup, and finally my CC (the Apple Pay one).

I can't think of a payment hurdle for online purchases that I haven't been able to overcome in the past year or two while spending 99% of my time OCONUS.


Have you tried the temporary/virtual card numbers?

(I have no idea if they would work, I'm just curious)


Name and shame so we can avoid if we choose?


You can also look at it as discussion forums for pretty much any topic with single sign-on. Think of anything and you'll probably find it plus porn of it on Reddit with a quick search.


Right, I join in on the Conan and sunny in philly subreddits, and these forums simply do not exist outside of reddit, literally nowhere.


The single sign on / all my comments and posts in one place aspect is definitely valuable too, good point.

