"FU^%ING" Credit-Cards!!!

[greenpossum]

A colleague of mine works for a company that configures and services these units, unless it has been specifically requested, there is a valid reason for the request AND the bank authorizes it, by default the mag strip is no longer usable in Aus, even as a fallback. There is also an additional monthly fee and you wave protections as a merchant due to the lower security of the device as the responsibility is now on the merchant more than ever to prevent fraud. Many countries have also completely blocked the use of the mag strip specifically due to fraud and many POS machines today do not even have the ability to read the mag strip.

I rarely have to resort to swipe but I haven't come across any that have the swipe blocked. Of course they may simply replace it with a unit that doesn't even have a magstripe reader, making the issue moot. So who knows what the real numbers are, except that they will decline.

[gnif]

I rarely have to resort to swipe but I haven't come across any that have the swipe blocked. Of course they may simply replace it with a unit that doesn't even have a magstripe reader, making the issue moot. So who knows what the real numbers are, except that they will decline.

Yes, that could be the case, no way to know without the numbers and I bet that larger corporations like Woolworths and Coles would rather lose a small amount due to mag stripe fraud then the possible loss of sales when it's actually needed.

[greenpossum]

Yes, that could be the case, no way to know without the numbers and I bet that larger corporations like Woolworths and Coles would rather lose a small amount due to mag stripe fraud then the possible loss of sales when it's actually needed.

Also note that the magstripe reader is still needed for gift cards and similar that do not have a chip. This is also losing ground to e-gift cards and apps.

[Brumby]

They didn't even know what Git or Subversion was, source control for them was a samba share over a VPN to developers in India and they insisted that they have direct access to the production servers and couldn't understand why we wouldn't let them.

[cliffyk]

In the US, a credit card holder can only be held liable for a maximum of $50 in fraudulent charges, per the 1974 Fair Credit Billing Act ($0 if you have reported the card compromised prior to the unauthorized charges. In practice, most card issuers do not hold the cardholder liable for any fraudulent use, as the most they would get would be $50 and a pissed off customer.

My wife checks our card transactions EACH Morning via the bank's online portal. Just last month I got gas at a local (Saint Augustine, FL) Sunoco station and within 2 hours there was a $499 charge made at a Sunoco in Philadelphia. How this was done is unknown, but we had to get new cards but did not lose a penny--Sunoco did not seem especially concerned about this and pretty much blew us off, last time I get gas from them.

Prior to the FCBA, and because credit card transactions are a loan, courts had held that under the 1968 Truth in Lending Act it was the card issuer's responsibility to prevent fraudulent use.  The FCBA was technically an amendment to the TILA, which was part of the 1968 Consumer Credit Protection Act (a reaction to the direction the lending industry headed in the 60s. 

There are only modest protections for fraudulent debit card use, just $50 for 2 days after the first use, $500 for 2 to 60 days hence (and good luck on actually getting that). Once 60 days have passed since you received your statement your money is gone.

Bottom line, if it's your debit card that's been hacked you're screwed...

[Halcyon]

Wouldn't a sensible solution simply be to enforce multi-factor authentication on ALL card transactions, whether it be online or using a PIN pad? I know with certain merchants that use Verified by Visa, I'm prompted for a password for online transactions on my bank card, but it's not as common as perhaps it should be.

[gnif]

Wouldn't a sensible solution simply be to enforce multi-factor authentication on ALL card transactions, whether it be online or using a PIN pad? I know with certain merchants that use Verified by Visa, I'm prompted for a password for online transactions on my bank card, but it's not as common as perhaps it should be.

You would think, but the ease of spending money pinless adds, combined with the cost to replace worn out keypads might be more then they lose in fraud.

[greenpossum]

Wouldn't a sensible solution simply be to enforce multi-factor authentication on ALL card transactions, whether it be online or using a PIN pad? I know with certain merchants that use Verified by Visa, I'm prompted for a password for online transactions on my bank card, but it's not as common as perhaps it should be.

It would slow down transactions at your supermarket or servo unacceptably. However for dubious overseas purchases over the Internet, I have been asked to enter a one time code sent to my mobile number. Some providers also provide apps that can generate appropriate one time codes at time of use.

[DrG]

/--/
There are only modest protections for fraudulent debit card use, just $50 for 2 days after the first use, $500 for 2 to 60 days hence (and good luck on actually getting that). Once 60 days have passed since you received your statement your money is gone.

Bottom line, if it's your debit card that's been hacked you're screwed...

Additionally, I think that the fraud with a debit card can incur additional problems since the fraudulent uses can reduce your account balance before they are detected, possibly resulting in bounced checks. I wonder how easy that is to rectify.

Some of this is coming back to me and reminds me why I dumped whatever debit cards I had.

[Brumby]

While I understand the position, it seems credit providers are looking towards making things easier...

The recent increase of floor limit from $100 to $200 for tap and go payments (as a "concession" to the COVID-19 situation) is one move I don't see reverting.  I daresay retailers - especially those with high transaction rates - would agree.  I've noticed the speed of service at Bunnings (Yes, I know I spend far too much time there  ) for tap and go versus other variants of EFTPOS is quite marked.

(Oh, snap...)

[wilfred]

And yeah checks are HORRIBLE, I always get stuck behind somebody slowly writing a check, especially at the farm/utility/hardware stores.

And those are the kind of people that invariably wait until they see the total to write in the other information. like date , who the check is for etc ...
I have to work very hard not to kick them so hard they bounce of the ceiling and when coming down bounce once more off the floor ... i hate check writers.

You'd kick my 90 year old aunt until she bounced from the ceiling?

I hope someone in the queue will help her to her feet again.

[Brumby]

Bunnings have very high ceilings, especially in the single story stores.  Kicking anybody - or anything for that matter - would be quite the achievement.

[Rerouter]

Don't know the full details, but have heard of remote NFC payments being possible, there is enough of a delay period between expected responses that you can record it, and play back remotely, so theif 1 sits up next to where a card is, theif 2 starts a payment, and the reader and the card are essentially linked via TCPIP, however that would not explain the italy thing, think it only gave you about 500km of wiggle room.

[Halcyon]

Don't know the full details, but have heard of remote NFC payments being possible, there is enough of a delay period between expected responses that you can record it, and play back remotely, so theif 1 sits up next to where a card is, theif 2 starts a payment, and the reader and the card are essentially linked via TCPIP, however that would not explain the italy thing, think it only gave you about 500km of wiggle room.

These sorts of playback attacks won't work on card payment systems, since the challenge-response changes on each transaction. There are anecdotal reports of NFC "skimming" occurring or at least being possible, however in the real world, we're yet to see it actually occur. Of course it's possible to "read" someones card using an actual legitimate payment terminal through their wallet/pants, however even on legitimate terminals, the anti-collision mechanism kicks in. If more than one card responds, then all are rejected.

Companies have taken advantage of these scare campaigns to sell consumers RF blocking wallets and although I acknowledge that there are legitimate uses for such things, for the most part, it's never going to be a problem for most people. I've also seen charlatans who claim to be part of the cyber security community claiming that it's a huge issue (a person who actually calls himself an "eVestigator" is one example -- He is the laughing stock of the cyber security world and most people in the industry know him for all the wrong reasons).

[Rerouter]

Not playback, literally remote man in the middle. one end a fake card that records the challenge, gets broadcast to the remote unit which play the challenge to the actual card, records the response, then sends it back to the fake card to play to the terminal. due to the cmplexity, I have only heard about it in cases where the card is stationary so they do not have to worry about collisions or the exact timing of the challenge

[pardo-bsso]

Ha so much for security.

I can't find it at the moment but Ross Anderson had a lengthy dissertation on ways to attack the pin+chip. This is a small talk at Computerphile:

[/url]

For something I deem risky (like buying online on shops that nobody knows) I use mostly what here is called a 'refill-able' credit card.

Meanwhile in this part of the world the banks stopped all international transactions (because a lot of reasons) and I find out when one of our many hosting providers  called asking why we didn't pay on time (it was on automatic billing).

And to add more fun Wirecard vanishes with part of our funds.

(sorry for the derail)

[bd139]

All the redneck shops seem to accept PayPal these days so I go down that route. Their buyer dispute system is pretty good. I just got £45 back out of digital river and Lenovo who are significantly bigger fish, for sending me a duff laptop battery out just by opening a dispute.

[Simon]

Yea, unless the big boys get way better deals on credit cards than they get with paypal as big boys papal is cheaper than mainstrea crudit card handlers although stripe are even cheaper than paypal.

[Bassman59]

My wife checks our card transactions EACH Morning via the bank's online portal. Just last month I got gas at a local (Saint Augustine, FL) Sunoco station and within 2 hours there was a $499 charge made at a Sunoco in Philadelphia. How this was done is unknown, but we had to get new cards but did not lose a penny--Sunoco did not seem especially concerned about this and pretty much blew us off, last time I get gas from them.

All of the banks, even my local credit union, offer text message notifications for any transaction on your accounts. So as soon as a credit card charge is made, I get a text indicating such. Also bank apps can notify you of transactions. It's really great -- now you can see, in real time, what is being charged to an account, and you can call the bank and get them to deal with it before they notify you of possible fraud.

Bottom line, if it's your debit card that's been hacked you're screwed...

This is the truth. Imagine the scenario where the bad guy gets your debit number and clears out your checking account right before the mortgage payment hits. Sure, eventually the bank will make you whole, but at the cost of dealing with bounced-check/insufficient-funds fees.

ALWAYS use a credit card at point of sale. NEVER a debit card.

[Rick Law]

In the US, a credit card holder can only be held liable for a maximum of $50 in fraudulent charges, per the 1974 Fair Credit Billing Act ($0 if you have reported the card compromised prior to the unauthorized charges. In practice, most card issuers do not hold the cardholder liable for any fraudulent use, as the most they would get would be $50 and a pissed off customer.
...
...
Prior to the FCBA, and because credit card transactions are a loan, courts had held that under the 1968 Truth in Lending Act it was the card issuer's responsibility to prevent fraudulent use.  The FCBA was technically an amendment to the TILA, which was part of the 1968 Consumer Credit Protection Act (a reaction to the direction the lending industry headed in the 60s. 

There are only modest protections for fraudulent debit card use, just $50 for 2 days after the first use, $500 for 2 to 60 days hence (and good luck on actually getting that). Once 60 days have passed since you received your statement your money is gone.

Bottom line, if it's your debit card that's been hacked you're screwed...

These are critical differences between Credit Card vs Debit Card that many are not aware of.  When my teenage kid was old enough to get a "student account" complete with Debit Card plus Credit Card, even the bank staff doing the paper work didn't know that difference in liability protection.  I had to explain to my kid this very point that Federal Law limits your liability whereas Debit Card has far fewer protection mandated by law.  Relying on protections "Mandated by Law" sounds more comforting than relying on protection driven merely by "good will of the bank".

Convenience is a purchase paid for with risk.

I use cash whenever I can, and checks (cheques) if I can't use cash; credit card payment as my last resort, and debit card is a never.

Funny thing in the USA, Federal Laws also prevents retailer from charging more for use of Credit Card (probably a trade off for making them limit user liability to $50) -- but, no law against giving a "cash discount."  You can see the result in most car refilling stations, the price per gallon they show on the pump has both "price" and a lower "cash price" displayed side by side.  Oh, typically, gas station's own branded credit card get the cash price but other brands (like Bank X visa card or master charge credit card) don't.

I saved far more money from cash discounts over the credit card's "x% money back".

Here is an article on how Debit Card differs from Credit Card.
Forbes Magazine October 2016 "What I Learned When My Husband's Debit Card Was Stolen":
^{https://www.forbes.com/sites/nextavenue/2016/10/30/what-i-learned-when-my-husbands-debit-card-was-stolen}

[Halcyon]

Discounts for cash payments in Australia pretty much don't exist. The only time where you might see this happen is in the building trade where you might get a discount for "cash". Basically it's the operator not declaring the income so no tax is paid on it. That being said, legitimate operators don't generally discount just because you're paying with cash.

You also won't see two prices depending on how you pay in retail stores. Sure, in some places you can negotiate a price, but method of payment has nothing to do with it.

As I mentioned earlier, I use my debit card for 99.9% of transactions, whether it be thousands of dollars or a $2 coffee. Merchant fees are fairly low so there really isn't an excuse for any business not to accept card (in fact, it would probably drive them out of business). I might use an ATM perhaps once, maybe twice per year and use cash to purchase anything perhaps five times a year, if that. Usually it's for ebay sellers where I'm picking up the items and they prefer cash. I never keep cash on me and I have a bucket of coins at home which I haven't touched in years.

That being said, my bank offers me the same protections as most credit card providers do, minus the fees or interest payments. If I make an "odd" payment that gets flagged (such as when I bought my last laptop), the bank is on the phone to me within 10 minutes. The payment is held until I give the OK. Likewise I've had transactions which I have disputed (such as when I don't receive the goods/services I ordered) and the bank has reversed those charges with very little questions asked. I can also use my debit card anywhere a credit card is accepted. I don't use credit cards at all and probably never will. I have no need for them.

[HobGoblyn]

I like the debit card/phone app bank account I use mainly for overseas travel (won’t advertise it).

From the phone app it gives me the following options

View pin
Unlock pin/cvs (use after exceeding 3 tries)
Reset contactless limit
Enable/disable contactless payments
Enable/disable online transactions
Enable/disable location based security
Enable/disable swipe payments
Enable/disable ATM withdrawals

I’ve had this for about 3 years now, I keep everything disabled unless I’m about to use it, then only enable the payment method I’m about to use. Takes seconds, uses fingerprint id on my iPhone to log in, so no typing in codes etc

[bd139]

That’s pretty nice.

[SilverSolder]

The contracts that merchants sign with credit card companies often specifically prohibit giving discounts for using cash...   they don't want the costs associated with using a card to be visible to the consumer, for obvious reasons. 

The US gas station example is about the only one I can think of where this rule is not in place - perhaps the exception that proves the rule, perhaps they were never able to get that industry to conform to their policies from the beginning.  Consumers are extremely conscious about the price of gas, every tenth of a penny counts here.  I can't think of any other industry that majors on price in the same way...

[Simon]

The contracts that merchants sign with credit card companies often specifically prohibit giving discounts for using cash...   they don't want the costs associated with using a card to be visible to the consumer, for obvious reasons. 

The US gas station example is about the only one I can think of where this rule is not in place - perhaps the exception that proves the rule, perhaps they were never able to get that industry to conform to their policies from the beginning.  Consumers are extremely conscious about the price of gas, every tenth of a penny counts here.  I can't think of any other industry that majors on price in the same way...

Fuel is a necessity, people will have to buy it. The only incentive to accept card is that it means the motorist caught short will have to pay by card but most customers would come purposefully so the first card company to cave in sets the stage for the others.