Author Topic: Why am I doing that's causing my credit cards to get fraudulently used?  (Read 2931 times)

0 Members and 1 Guest are viewing this topic.

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 1045
  • Country: us
  • Yes, I do this for a living
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?

I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online

Masking the CCV is a great idea. It prevents the cashier who takes your card at the restaurant from writing it down. Again, that's a habit that restaurants really need to break, or be broken of.

 You don't need the CCV with in-person point-of-sale purchases, but you need it for online purchases. And since I do online purchases from my laptop, I have my credit card account list on it, so I can refer to the CCV when necessary. That list is stored in an encrypted disk image, with a unique password not known to the password manager.

Apple Pay makes all of this uninteresting.
 

Offline langwadt

  • Super Contributor
  • ***
  • Posts: 1011
  • Country: dk
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?

I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online

Masking the CCV is a great idea. It prevents the cashier who takes your card at the restaurant from writing it down. Again, that's a habit that restaurants really need to break, or be broken of.

 You don't need the CCV with in-person point-of-sale purchases, but you need it for online purchases. And since I do online purchases from my laptop, I have my credit card account list on it, so I can refer to the CCV when necessary. That list is stored in an encrypted disk image, with a unique password not known to the password manager.

Apple Pay makes all of this uninteresting.

it isn't such a big issue anymore, everything here is chip and they bring the terminal to the table

 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3251
  • Country: au
I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online

What a great idea.  :-+

There is no reason for it to be printed on the card, as long as you know what it is.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2538
  • Country: fr
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?

I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online

Um, like any order online? That's where you need all that and it is trivial for the merchant to store the card info - e.g. Paypal does it, Amazon does it, etc. - for the user's convenience, along with a pre-approval for future debit. But also a huge liability should their systems get breached.

You don't need CCV when paying in person and you are not supposed to let someone else handle your card (it is, in fact, explicitly stipulated by most banks in their contracts - if you do, you could be held responsible for any fraud). It is very rare to find a restaurant or anything else where you would give the card to a waiter or cashier to swipe it out of your view these days - most transactions above 20€ require pin (smaller payments can be done using the wireless chip by simply touching the card) so they would have to bring you the terminal anyway.

The in-person payments are mostly a solved issue everywhere else but in the US. That's why e.g. stuff like Apple Pay is completely pointless and fairly rare here - most small payments are handled using the NFC chip and everything else by chip & pin. Every merchant who wants to accept cards has to have the terminal anyway. Apple Pay would add only yet another middleman charging fees to the merchant on top of the usual credit card fees (which are high enough already that many small stores refuse to accept cards here or require a minimum purchase if you want to pay by card) and adding unnecessary breach risk and privacy issues. Credit card use history is every marketer's wet dream.

The $50 liability cap for credit card fraud in the US is also part of the problem - because the card holders know their liability is capped like this, there is no pressure on the banks to fix their utterly broken system from this side. We typically don't have that, any caps and limits are per bank, so there was a very quick progress made on this front in Europe after the card fraud has exploded.


« Last Edit: May 17, 2018, 07:21:59 pm by janoc »
 

Offline rbm

  • Regular Contributor
  • *
  • Posts: 189
  • Country: ca
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The mechanisms underpinning Verified by Visa and its MasterCard equivalent Securecode are being replaced with 3D Secure very soon.  This is a very good thing. 3DS will provide issuers and merchants with risk-based card-not-present authorisations, validating the identity of the cardholder who is presenting the account details.  Cardholders will not need to remember passwords to use 3DS which will reduce friction and cart abandonment at the time of purchase.  CNP fraud should drop significantly once 3DS is fully deployed (and if merchants elect to use it).

Counterfeit card-present fraud rates have dropped significantly in the USA since the liability shift in 2016, and those rates should approach levels commensurate with other areas of the world where chip technology has been in use for some time.  Consumers should see less compromise of their credit cards over the next few years, particularly from online channels.
- Robert
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2538
  • Country: fr
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The mechanisms underpinning Verified by Visa and its MasterCard equivalent Securecode are being replaced with 3D Secure very soon.  This is a very good thing. 3DS will provide issuers and merchants with risk-based card-not-present authorisations, validating the identity of the cardholder who is presenting the account details.  Cardholders will not need to remember passwords to use 3DS which will reduce friction and cart abandonment at the time of purchase.  CNP fraud should drop significantly once 3DS is fully deployed (and if merchants elect to use it).

Counterfeit card-present fraud rates have dropped significantly in the USA since the liability shift in 2016, and those rates should approach levels commensurate with other areas of the world where chip technology has been in use for some time.  Consumers should see less compromise of their credit cards over the next few years, particularly from online channels.

The problem with these schemes is that:

a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
c) It is problematic for the paying client - e.g. the current systems that send a code by SMS to the client's phone fail miserably if the SMS takes time to arrive (SMS is not a guaranteed service - the message can take long time to arrive or not even arrive at all, so a very poor channel for such verification). The result is the payment timing out before the client has a change to enter the code. Or, if they are on roaming abroad, all bets are off because the text may never arrive. And if they don't have a phone on them (but do have a the card!)  tough luck ...
d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website. This is the same issue that the older "Verified by VISA" systems had - the prompt is in a frame loaded from a 3rdparty server. So this opens the card holder to potential phishing or man in the middle attacks.
e) Coincidentally, Australia refused to implement 3D Secure exactly for these reasons - it is a broken-by-design system that doesn't really solve the issue and only pushes responsibility (and expense, because the merchants have to pay for accessing it) on the card holders and merchants.





« Last Edit: May 17, 2018, 11:15:08 pm by janoc »
 

Offline langwadt

  • Super Contributor
  • ***
  • Posts: 1011
  • Country: dk
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The mechanisms underpinning Verified by Visa and its MasterCard equivalent Securecode are being replaced with 3D Secure very soon.  This is a very good thing. 3DS will provide issuers and merchants with risk-based card-not-present authorisations, validating the identity of the cardholder who is presenting the account details.  Cardholders will not need to remember passwords to use 3DS which will reduce friction and cart abandonment at the time of purchase.  CNP fraud should drop significantly once 3DS is fully deployed (and if merchants elect to use it).

Counterfeit card-present fraud rates have dropped significantly in the USA since the liability shift in 2016, and those rates should approach levels commensurate with other areas of the world where chip technology has been in use for some time.  Consumers should see less compromise of their credit cards over the next few years, particularly from online channels.

The problem with these schemes is that:

a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
c) It is problematic for the paying client - e.g. the current systems that send a code by SMS to the client's phone fail miserably if the SMS takes time to arrive (SMS is not a guaranteed service - the message can take long time to arrive or not even arrive at all, so a very poor channel for such verification). The result is the payment timing out before the client has a change to enter the code. Or, if they are on roaming abroad, all bets are off because the text may never arrive. And if they don't have a phone on them (but do have a the card!)  tough luck ...
d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website. This is the same issue that the older "Verified by VISA" systems had - the prompt is in a frame loaded from a 3rdparty server. So this opens the card holder to potential phishing or man in the middle attacks.
e) Coincidentally, Australia refused to implement 3D Secure exactly for these reasons - it is a broken-by-design system that doesn't really solve the issue and only pushes responsibility (and expense, because the merchants have to pay for accessing it) on the card holders and merchants.

last time I tried I couldn't use my Visa online if I was in a different country

 

Offline CatalinaWOW

  • Super Contributor
  • ***
  • Posts: 2794
  • Country: us
There are many theoretical vulnerabilities - but my experience is that most are not currently a problem.  My cards have been compromised roughly a dozen times over the last few years, with the following breakdown.

1.  Most of the compromises have been data breaches at one or another major retailer.  No actual charges to my accounts have occurred and the only way I have known of them is the bank notifying me and sending a new card.

2.  On three occasions charges have appeared on my card.  In all three cases the bank's fraud detection software caught them and I received a phone call asking if they were valid within a few minutes or hours of the charges.  All three cases were after use at a small retailer where an employee apparently copied necessary information and passed it to a confederate in a nearby city.  The fraud detection software must have some pretty interesting features because in one of the three cases the purchase occurred in a very plausible next step on my travel itinerary, and involved modest size purchases of a type that is well within my purchasing history pattern. 

Interestingly, I have one credit card that I reserve for use in on line purchases.  This card has never been compromised, despite being used for purchases at a wide range of sites ranging from large scale enterprises down to places that are clearly mom and pop shops whose monthly sales are probably small multiples of my purchases.
 

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 1045
  • Country: us
  • Yes, I do this for a living
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?

I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online

Masking the CCV is a great idea. It prevents the cashier who takes your card at the restaurant from writing it down. Again, that's a habit that restaurants really need to break, or be broken of.

 You don't need the CCV with in-person point-of-sale purchases, but you need it for online purchases. And since I do online purchases from my laptop, I have my credit card account list on it, so I can refer to the CCV when necessary. That list is stored in an encrypted disk image, with a unique password not known to the password manager.

Apple Pay makes all of this uninteresting.

it isn't such a big issue anymore, everything here is chip and they bring the terminal to the table

As you are likely quite aware, America is a really stupid country, ruled by charlatans and thieves who are supported by the Common Clay of the New West (you know, morons). Rick Law's assertions above about the reasons why things like bringing a wireless POS terminal to a table are not done here is correct. The cost of undoing fraud from the banks' and merchants' point of view is minor compared to the cost of implementing reasonable security. After all, it's not the merchant or bank who gets fucked -- it's the customer who has to unravel the problems.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2538
  • Country: fr
There are many theoretical vulnerabilities - but my experience is that most are not currently a problem.  My cards have been compromised roughly a dozen times over the last few years, with the following breakdown.
...

The problem is that nobody is going to bother with a man-in-the-middle attack when all they need is to trivially phish or skim your card. Once those holes are closed, even the more complex attacks will become common.

The main issue is that the banks and credit card companies are replacing the systems at great expense (mainly for the merchants) and a lot of inconveniencing for the users (all card payments will need to be authenticated by some extra channel in the future - pin, code over phone, etc.) - but it doesn't really solve the problems it was meant to solve.

Granted, it is a very non-trivial issue to solve at the scale the cards are being used at but deploying another half-assed solution "with mostly theoretical vulnerabilities" today will mean we have a big problem 5-10 years later. Magnetic strip and a signature were also considered secure not so many years ago - until cheap card readers and Internet allowing to empty the accounts within seconds became available ...

I still remember a teller at my bank in 2001 or so telling me that if someone scams me on my VISA card, I will need to bring a receipt from the merchant and then they will reverse the charge if the bank determines it was fraudulent. They couldn't understand that a scammer who stole my card data is not very likely to issue me a receipt ... That's often the level of knowledge some of the banks have about security issues like this. They understand vaults and safes, computers not so much (at least some of them).

« Last Edit: May 18, 2018, 07:51:09 am by janoc »
 

Offline CatalinaWOW

  • Super Contributor
  • ***
  • Posts: 2794
  • Country: us
There are many theoretical vulnerabilities - but my experience is that most are not currently a problem.  My cards have been compromised roughly a dozen times over the last few years, with the following breakdown.
...

The problem is that nobody is going to bother with a man-in-the-middle attack when all they need is to trivially phish or skim your card. Once those holes are closed, even the more complex attacks will become common.

The main issue is that the banks and credit card companies are replacing the systems at great expense (mainly for the merchants) and a lot of inconveniencing for the users (all card payments will need to be authenticated by some extra channel in the future - pin, code over phone, etc.) - but it doesn't really solve the problems it was meant to solve.

Granted, it is a very non-trivial issue to solve at the scale the cards are being used at but deploying another half-assed solution "with mostly theoretical vulnerabilities" today will mean we have a big problem 5-10 years later. Magnetic strip and a signature were also considered secure not so many years ago - until cheap card readers and Internet allowing to empty the accounts within seconds became available ...

I still remember a teller at my bank in 2001 or so telling me that if someone scams me on my VISA card, I will need to bring a receipt from the merchant and then they will reverse the charge if the bank determines it was fraudulent. They couldn't understand that a scammer who stole my card data is not very likely to issue me a receipt ... That's often the level of knowledge some of the banks have about security issues like this. They understand vaults and safes, computers not so much (at least some of them).

I think what you are missing in this is that the banks (at least the good ones) have already installed AI transaction monitoring.  The "pretty good, but not bulletproof" security on the cards themselves is just the first layer, and only has to be good enough to keep the workload on successive layers manageable.  Emptying accounts in seconds doesn't happen.  Try emptying your account quickly by making a series of purchases.  Your card will stop working.  Even if all the charges are legitimate.  The banks protect themselves.  I have triggered this myself and it requires additional authentication answers to get the card to work again.  I agree there are paths around this too, but it obviously has worked well enough so far that the bank losses are acceptable and the inconvenience to vendors and card users is also acceptable.

I agree that the level of security knowledge of bank tellers and even bank officers is often laughable, but they aren't the ones allocating funds to security or designing security measures.  The ones who are likely to lose money (either by direct losses or by losing the confidence of users and thus losing the business) put the time in to learn what they need to, and hire those who can implement a plan to achieve their goals.   
 

Offline rbm

  • Regular Contributor
  • *
  • Posts: 189
  • Country: ca
The problem with these schemes is that:

a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
The card brands could use techniques to get the merchant to adopt those systems by (1) offering rewards for using the system (eg. possibly lower interchange rates) and (2) discouraging merchants from choosing not to use the system.

b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
See above. There are APIs that simplify the integration and the online shopping cart providers will provide both the connectors to the service as well as the consulting to help the merchant.

c) It is problematic for the paying client
The client sees nothing.  It's frictionless and that's the point.

d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website.
See above.  There are no prompts for the user to validate.  But they are still protected.
- Robert
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2538
  • Country: fr
The problem with these schemes is that:

a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
The card brands could use techniques to get the merchant to adopt those systems by (1) offering rewards for using the system (eg. possibly lower interchange rates) and (2) discouraging merchants from choosing not to use the system.


That's not how it works. The typical approach to a merchant from banks is "my way or the highway" (i.e. find someone else to process your payments if you don't agree to our fees, terminal rent and onerous conditions). Many, especially small, merchants are even refusing to accept carts outright for this reason.


b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
See above. There are APIs that simplify the integration and the online shopping cart providers will provide both the connectors to the service as well as the consulting to help the merchant.

That's again not how this works. The APIs do exist but their integration is your (= merchant's) problem. The bank/card issuer will not help you at all there. If this was so easy, why there would be such proliferation of services such as Stripe that outsource all this and will do the payment processing for you.

c) It is problematic for the paying client
The client sees nothing.  It's frictionless and that's the point.

I don't see how requiring additional authentication from the client is "nothing" or "frictionless".


d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website.
See above.  There are no prompts for the user to validate.  But they are still protected.

Then we are likely talking about totally different things. ECB requires explicitly that all card payments will have to be authenticated by a separate channel, e.g. that code delivered by a text message. 3D Secure was designed for exactly that, as a replacement for "Verified by Visa" and other similar systems. If there is no "prompt", there is no authentication and thus no protection.

This description of 3D Secure explicitly talks about these codes (one time pad codes) and also the redirect to the secure portal where the code has to be entered by the card holder:
https://support.payfast.co.za/article/17-how-does-3d-secure-work

It is definitely no magic there, the only significant difference between 3-D Secure and the earlier schemes is that it is unified and not proprietary for each card issuer, which was an unmanageable mess.
 

Offline rbm

  • Regular Contributor
  • *
  • Posts: 189
  • Country: ca
I don't see how requiring additional authentication from the client is "nothing" or "frictionless".
It is frictionless because there is no interaction with the legitimate cardholder with 3DS v2.0; the account number authentication by the issuer is risk-based meaning the decision to allow the transaction through without challenge or to increase the challenge to the cardholder is determined by factors provided by the merchant to the issuer. The legitimate user's experience with the purchase is they provide their card details on the merchant's web site, and the acknowledgement is returned so long as the issuer doesn't reply back to the merchant that the transaction is risky.  If the transaction is identified as risky be the issuer, then the merchant can choose to further challenge the cardholder.  A fraudster attempting to use a compromised account number would not provide correct details to the issuer and thus there would be a higher chance that the transaction would be identified as risky and the fraudster would be challenged to provide information they do not possess.   
This description of 3D Secure explicitly talks about these codes (one time pad codes) and also the redirect to the secure portal where the code has to be entered by the card holder:
https://support.payfast.co.za/article/17-how-does-3d-secure-work
That page describes 3DS v1.0.  The new one, 3DS v2.0, has done away with passwords or OTP.
« Last Edit: May 20, 2018, 11:45:47 am by rbm »
- Robert
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf