Why am I doing that's causing my credit cards to get fraudulently used?

[stevelup]

I use it all the time in every single retailer I visit now. Because the UK has had contactless for many years, Apple Pay was rolled out all but instantly to most places. There are very few places that don't accept it now (I actually can't personally think of anywhere).

All my cards in one place - no need to carry a wallet any more.

Every single transaction is done using a randomly generated token and authenticated by me so no possibility of fraud.

Instant feedback on the transaction so you know it was carried out correctly and for the correct amount.

Unlike some other platforms, all the data is stored in the secure area on the phone and is never transmitted to any third parties (or Apple).

No third party apps needed.

I'd say it was the future rather than being pointless!

[Mr. Scram]

I use it all the time in every single retailer I visit now. Because the UK has had contactless for many years, Apple Pay was rolled out all but instantly to most places. There are very few places that don't accept it now (I actually can't personally think of anywhere).

All my cards in one place - no need to carry a wallet any more.

Every single transaction is done using a randomly generated token and authenticated by me so no possibility of fraud.

Instant feedback on the transaction so you know it was carried out correctly and for the correct amount.

Unlike some other platforms, all the data is stored in the secure area on the phone and is never transmitted to any third parties (or Apple).

No third party apps needed.

I'd say it was the future rather than being pointless!

"No possibility of fraud." Are you willing to vouch for that? 

No third party apps needed? It already is a third party app.

[CJay]

We're pretty much completely Chip and PIN here in the UK though it is still possible to use the magstripe if you need to (you can still demand a non chip card if you meet certain criteria) and if there are problems with a store's C&P authorisation connection they can still fall back all the way to the really old fashioned card imprint machine.

However, having a chip does not stop fraud, I've been caught once after giving my card details to a book website in the 'states, Barclays called me and asked if I'd authorised payments to three websites offering a varied selection of porn (I hadn't, just for crystal clarity), turns out the book website was compromised and someone was using details stolen from it to extract small amounts of money via, I would assume' their own porn sites.

It all got refunded and the book purchase was cancelled, fortuitiously as I found another copy of the book for much less a few days later.

[StuUK]

Simply using your card... fact of the matter is that card payments, irrespective of the mechanism (chip or stripe) are a massive and lucrative target for criminals and despite the supposed penalties for non PCI compliance many retailers pay little attention (including some very big retailers). There can be many 'data handlers' in the chain and many potential attack vectors.

You can reduce your chances of this happening by avoiding using your card online unless it's via third party processors such as PayPal who handle all the sensitive data NOT the retailer but that is still no guarantee.

Fact is there will always be card fraud with existing technologies and where people are involved...

[xrunner]

My number gets stolen at least once per year, but all I ever see is the bank telling me so in an email and getting a new card in the mail soon. I never see the fraudulent charges (if there were any). The banks take care of it, because they are willing to let these things happen for the sake of customer convenience I guess.

But one neat thing my bank has is a system called Shop Safe, available online when I check my credit card account, more people should use it. What it does is let you generate a new credit card number linked only to your main number. Then you use that number online for a merchant - but each number is for only one merchant. Once it's used by you, it's only good for that merchant - even if it got stolen it's no good for any other merchant. Also you can make it have any dollar amount limit you want, and any expiration you want. If you are buying $100 worth of goodies from Newegg, you make the card limit say $125 to cover shipping. Then even if it got stolen, and then even if the crook tried to use it at Newegg, it wouldn't be worth much. But you can keep using that number for as long as you want for each merchant if you go into the app and increase the limit and expiration date. It's really neat.

But really, the banks are always going to take care of fraud charges. I've never had to pay a cent in my life. That's just the price they are willing to pay for customer convenience. 

[Mr. Scram]

My number gets stolen at least once per year, but all I ever see is the bank telling me so in an email and getting a new card in the mail soon. I never see the fraudulent charges (if there were any). The banks take care of it, because they are willing to let these things happen for the sake of customer convenience I guess.

But one neat thing my bank has is a system called Shop Safe, available online when I check my credit card account, more people should use it. What it does is let you generate a new credit card number linked only to your main number. Then you use that number online for a merchant - but each number is for only one merchant. Once it's used by you, it's only good for that merchant - even if it got stolen it's no good for any other merchant. Also you can make it have any dollar amount limit you want, and any expiration you want. If you are buying $100 worth of goodies from Newegg, you make the card limit say $125 to cover shipping. Then even if it got stolen, and then even if the crook tried to use it at Newegg, it wouldn't be worth much. But you can keep using that number for as long as you want for each merchant if you go into the app and increase the limit and expiration date. It's really neat.

But really, the banks are always going to take care of fraud charges. I've never had to pay a cent in my life. That's just the price they are willing to pay for customer convenience. 

I'm not sure whether patching a problem that never should have existed in the first place is really neat. It's also not really convenient to have to change credit cards once a year. I couldn't imagine that being remotely acceptable, but somehow in the US it is and on a huge scale.

[orion242]

For those excited about chip & pin, they may want to consider the liability shift.   Sounds like C&P transactions are extremely hard to reverse if fraudulent since nobody wants to admit the system has some issues.  Currently in the US we just laugh it off since its not our money at risk.  Does it come with some hassles of replacing cards a few times a year, sure.  IMO that's alot better situation than a bank telling me to piss off, its a C&P transaction and I'm just trying to scam them.  There have been a handful of these cases already.

It also seems C&P has done little more than to push thieves to move their game to the online world where the chip doesn't come into play.  So what do they do in Euro land when your C&P card info is lifted and used in online shops?  Card replacement?  If so, how is that solving anything really?

https://securityintelligence.com/chip-and-pin-fraud-the-new-face-of-credit-crime/

[Mr. Scram]

For those excited about chip & pin, they may want to consider the liability shift.   Sounds like C&P transactions are extremely hard to reverse if fraudulent since nobody wants to admit the system has some issues.  Currently in the US we just laugh it off since its not our money at risk.  Does it come with some hassles of replacing cards a few times a year, sure.  IMO that's alot better situation than a bank telling me to piss off, its a C&P transaction and I'm just trying to scam them.  There have been a handful of these cases already.

It also seems C&P has done little more than to push thieves to move their game to the online world where the chip doesn't come into play.  So what do they do in Euro land when your C&P card info is lifted and used in online shops?  Card replacement?  If so, how is that solving anything really?

https://securityintelligence.com/chip-and-pin-fraud-the-new-face-of-credit-crime/

Older magnetic strip cards have been duplicated by manipulating PIN devices and copying both card info and the associated PIN number. The pin number is sometimes stolen by installing a false keypad, placing a camera or other techniques that allow them to intercept the PIN. It's much harder to do this with chip cards. Either way, the number of times this happens is a lot smaller than credit card theft happens in the US. I can't imagine being the victim once a year and being fine with that, even if the bank notices and intervenes. Banks are as lenient as they are with credit cards in the US. You can expect to have the costs covered, unless it's a matter of gross negligence or intent.

[Bassman59]

Using Apple Pay is solving one problem and getting into another. What I pay should be between me, my bank and the retailer. I don't need Apple meddling with that.

Apple Pay wouldn't be necessary if your bank and your retailer took security seriously. Why don't we have chip and PIN here? I have no idea. Why don't the banks push a secure replacement for credit cards? I have no idea. Why don't the retailers demand from those banks a secure replacement for credit cards? I have no idea. Would any solution pushed by one bank be accepted by all of the others? I have no idea.

Apple Pay (and the Samsung and Android equivalents) wouldn't exist if the banks and the retailers cared about fighting fraud.

[Rick Law]

What I find frustrating is that the big banks clearly don't care. There are any number of methods they could employ to keep people secure.

Here in the U.S., they really don't care. That's why we still have credit cards with mag stripes. That's why we have credit cards with chips but no PINs.
...
...

Here on this forum, we probably all know why banks don't care already, but it is useful to put it in words.   As long as the cost of prevention exceeds the cost of lost, there is no reason to attack the problem.  Between card fees and annual membership fees (from all customer), they are making a good enough margin.  Lost due to thief is just another line item that all customers pay for - the card company just adds it up like cost for their infrastructure or their phone bill.  All card users paid.

By now, I am over my credit card stage.  There was a time I just flip out the card to pay - for everything.
Now, I prefer cash.  The best way to prevent credit card trouble is not to use them.  As long as they still take cash, I prefer using cash.  It also help college students and others who needs those jobs at the cash register.  Besides, I do find myself spending less when I have to count cash to pay.

* * *

By the way, how would chip be better when so many transactions (and fraud) are with on-line payments?  With on-line payments, the merchants will never come close to your card, magnetic strip or chip.  Is that not just lipstick on a corpse?

[Mr. Scram]

Online payments are authenticated through means other than just your number or the PIN. Different banks have different solutions, but a common factor is that the retailer won't have relevant card information needed to duplicate the transaction. It's basically a one way thing.

[NiHaoMike]

By the way, how would chip be better when so many transactions (and fraud) are with on-line payments?  With on-line payments, the merchants will never come close to your card, magnetic strip or chip.  Is that not just lipstick on a corpse?

The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.

[IanB]

By the way, how would chip be better when so many transactions (and fraud) are with on-line payments?  With on-line payments, the merchants will never come close to your card, magnetic strip or chip.  Is that not just lipstick on a corpse?

The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.

There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.

[Jeroen3]

The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.

Like the Raboscanner, it uses the chip and pin on the card to solve a challenge presented by colored qr-ish code. It then asks "transferring €xxx to yyy", you press "yes" and you get the signing code.
Unfortunately, they're going to end this device in favor of "other mechanisms", probably apps or sms.

[wraper]

By the way, how would chip be better when so many transactions (and fraud) are with on-line payments?  With on-line payments, the merchants will never come close to your card, magnetic strip or chip.  Is that not just lipstick on a corpse?

The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.

There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.

The issue is the same as with chip. Unless it's supported by everyone, it does not stop fraud.

[orion242]

There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.

Visa and mastercard have the same here.  I see it on maybe 1 in 50 sites I buy something from, pretty useless.

I used to have a card that the website would allow one time card numbers.  That was pretty cool but discontinued.  Apparently the card issuers got alot of flack since may merchants use the CC number to make sure someone isn't signing up for trial offers and such multiple times.

[rsjsouza]

By the way, how would chip be better when so many transactions (and fraud) are with on-line payments?  With on-line payments, the merchants will never come close to your card, magnetic strip or chip.  Is that not just lipstick on a corpse?

The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.

There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.

The issue is the same as with chip. Unless it's supported by everyone, it does not stop fraud.

I agree. In Brazil there was a mandate to upgrade 100% of the card reader machines at once (at the expense of the shop owner, of course). This forced everyone to quickly adapt to the new system by using PIN numbers otherwise long forgotten (as they were rarely used by credit card users). Since most credit cards there are tied to your bank account, they reduced the effort by requiring only the first four out of the six or eight digits of your regular PIN - quite a convenient move.

Here in the US this is a complete joke - the wide range of machines that only have the magnetic stripe to the ones equipped with the chip that sometimes allow the transaction to go with minimal intervention (just press the green button) to even ask for your signature in the stupid touchscreen (a completely useless authentication method).

[Rick Law]

By the way, how would chip be better when so many transactions (and fraud) are with on-line payments?  With on-line payments, the merchants will never come close to your card, magnetic strip or chip.  Is that not just lipstick on a corpse?

The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.

There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.

The issue is the same as with chip. Unless it's supported by everyone, it does not stop fraud.

And now round-robin back to what I said when I put the known problem into words in my earlier reply: "As long as the cost of prevention exceeds the cost of lost, there is no reason to attack the problem.  Between card fees and annual membership fees (from all customer), they are making a good enough margin."

As lost increases, their first step will likely be keep pumping up the fees to cover lost: be it in service fees, late fees, international transaction fees, currency conversion fees...  Until there is no room left for fee increase, the lost doesn't bite.  Until then, they don't have to incur cost to attack the problem.  They are fat and happy taking their percentage we paid via the cost of item.

The chips, mag strips, bio-data, what not, are all just window dressing.  The technology exist to cut fraud to near zero if they really want to do it.  The profit motive is just not there.  We the customer are willing to cover the lost with the increased price of merchandise or card service fees, so why would they?

[senso]

I dont understand how something like MBNet isn't global by now..

Its a virtual card, you have to enable the service in the bank/ebanking, and currently they moved away from the website,so all cards are created in the app that asks for a pin/fingerprint, and each card has a 1 month expire date, with a max value, the global MBNet service also has another max month value that can't be exceeded.

You need to pay 25$, create a card with a 28€ value, due to Paypall/random fees, use it to pay, if someone grabs the number/ccv/date, the card is already expired, because after being used once the card expires and can't be billed again.

There is also a variant that can have up to 1 year expire date(like paying netflix), with a total and monthly limit, and at any time, balance can be checked and the card can be canceled.

Its a free(or near free, never saw any extra charges for it in my account)..

[janoc]

Online payments are authenticated through means other than just your number or the PIN. Different banks have different solutions, but a common factor is that the retailer won't have relevant card information needed to duplicate the transaction. It's basically a one way thing.

Um, nope. All the information that you need to do a payment online (or using an imprinter - that's still a thing!) is the name of the cardholder, the card number, the expiration date and the 3 digit CVC code (usually non-embossed and on the reverse side of the card). All this info is also on the magnetic strip (minus the CVC code).

The retailers are not supposed to store the CVC number, but who will check and enforce that ... So if you have an unscrupulous retailer or they get hacked, it is pretty easy to steal money from you using fraudulent transactions.

There are the programs like Verified by Visa that demand a secondary authentication from you, e.g. by a code sent to your phone, but these don't work everywhere/not all retailers support them, so banks still accept transactions even without them. Then basically the only defense is whether or not the bank has some suspicious activity monitoring in place and whether or not they flag such transactions. May or may not happen - having the triggers too loose means lots of false alarms and unhappy customers.

Coincidentally, the chip & pin doesn't really solve any of this - if someone steals the data above, they can make purchases online and then flog them e.g. on eBay to launder the money and none would be any wiser. Whether or not you have chip on the card only affects whether someone in Russia or Romania can fabricate a cloned magnetic card to withdraw money from an ATM. If the original card has a chip and the clone doesn't, such transaction will be flagged and may be refused. Even that isn't guaranteed because the cards are often configured to allow payment using the magnetic strip if the chip isn't working for whatever reason. So it somewhat protects against primitive skimmers but doesn't protect at all  against stuff like online fraud.

Why banks don't care too much about this? Well, because fixing it would cost a lot of money and the money lost due to fraud is negligible compared to that. They don't care about your ruined credit score. Also a lot of banks, especially in Europe, are pushing the responsibility on the user - e.g. for debit cards I don't ever recall seeing that bank would be responsible for a fraudulent transaction, at least not without a major uphill battle. It is assumed that those can't be used without a pin, so you had to provide the pin somehow or have been negligent, so it is your fault (never mind it could have been stolen or skimmed or something). For credit cards it is only slightly better, with a lot of onerous fine print in the contracts where the bank is trying to weasel out of responsibility.

[Rick Law]

...
...
Why banks don't care too much about this? Well, because fixing it would cost a lot of money and the money lost due to fraud is negligible compared to that. They don't care about your ruined credit score. Also a lot of banks, especially in Europe, are pushing the responsibility on the user - e.g. for debit cards I don't ever recall seeing that bank would be responsible for a fraudulent transaction, at least not without a major uphill battle. It is assumed that those can't be used without a pin, so you had to provide the pin somehow or have been negligent, so it is your fault (never mind it could have been stolen or skimmed or something). For credit cards it is only slightly better, with a lot of onerous fine print in the contracts where the bank is trying to weasel out of responsibility.

  (Emphasis added)

In the USA, fine print in the contract for credit cards wont do it.  We have a specific law regarding that:15 USC 1643.  That law specifically limits card holder liability to $50.  This law actually was pushed for by the card industry to promote card use when the concept of using a credit card was still new.

That law does not apply to debit card - that is why I instructed my young daughter never to use her debit card like another credit card but use it for ATM only.  There is no protection (from that law) with debit card against fraud or when resolving charge discrepancies when a debit card was used for purchases.

[Mr. Scram]

Um, nope. All the information that you need to do a payment online (or using an imprinter - that's still a thing!) is the name of the cardholder, the card number, the expiration date and the 3 digit CVC code (usually non-embossed and on the reverse side of the card). All this info is also on the magnetic strip (minus the CVC code).

The retailers are not supposed to store the CVC number, but who will check and enforce that ... So if you have an unscrupulous retailer or they get hacked, it is pretty easy to steal money from you using fraudulent transactions.

There are the programs like Verified by Visa that demand a secondary authentication from you, e.g. by a code sent to your phone, but these don't work everywhere/not all retailers support them, so banks still accept transactions even without them. Then basically the only defense is whether or not the bank has some suspicious activity monitoring in place and whether or not they flag such transactions. May or may not happen - having the triggers too loose means lots of false alarms and unhappy customers.

Coincidentally, the chip & pin doesn't really solve any of this - if someone steals the data above, they can make purchases online and then flog them e.g. on eBay to launder the money and none would be any wiser. Whether or not you have chip on the card only affects whether someone in Russia or Romania can fabricate a cloned magnetic card to withdraw money from an ATM. If the original card has a chip and the clone doesn't, such transaction will be flagged and may be refused. Even that isn't guaranteed because the cards are often configured to allow payment using the magnetic strip if the chip isn't working for whatever reason. So it somewhat protects against primitive skimmers but doesn't protect at all  against stuff like online fraud.

Why banks don't care too much about this? Well, because fixing it would cost a lot of money and the money lost due to fraud is negligible compared to that. They don't care about your ruined credit score. Also a lot of banks, especially in Europe, are pushing the responsibility on the user - e.g. for debit cards I don't ever recall seeing that bank would be responsible for a fraudulent transaction, at least not without a major uphill battle. It is assumed that those can't be used without a pin, so you had to provide the pin somehow or have been negligent, so it is your fault (never mind it could have been stolen or skimmed or something). For credit cards it is only slightly better, with a lot of onerous fine print in the contracts where the bank is trying to weasel out of responsibility.

We need to distinguish credit cards from regular debit cards. Credit cards tend to be unsafer for legacy reasons, but it's also obvious work is being done to eliminate the worst issues.

Debit cards tend to be well protected with one way authentication mechanisms. They also seem to be more commonly used in place of credit cards, whereas it seems credit cards are the standard in the US. They're also typically covered by the same leniency in the case of fraudulent transactions. Banks understand it's important that people trust the system. If your bank makes a habit of blaming the customer, you need to switch to a decent bank.

[Rick Law]

...
Debit cards tend to be well protected with one way authentication mechanisms. They also seem to be more commonly used in place of credit cards, whereas it seems credit cards are the standard in the US. They're also typically covered by the same leniency in the case of fraudulent transactions. Banks understand it's important that people trust the system. If your bank makes a habit of blaming the customer, you need to switch to a decent bank.

re: "They're also typically covered by the same leniency in the case of fraudulent transactions."

Just to ensure folks in the USA doesn't get suckered by banks/card companies...

No!  Not in the USA!  15 USC 1643 specifically limit credit card user to $50 liability whereas debit card liability is defined by you and the bank with the user agreement.  The banks will try to limit their own liability by conflating the two (credit card vs debit card) but the language in the law is clear.  With 15 USC 1643, credit card holder liability is limited to $50.

Notice because of 15 USC 1643, the different wording in the advice from the US Federal Trade Commission's website:

Credit Card Loss or Fraudulent Charges
Under the FCBA, your liability for unauthorized use of your credit card tops out at $50. However, if you report the loss before your credit card is used, the FCBA says you are not responsible for any charges you didn’t authorize. If your credit card number is stolen, but not the card, you are not liable for unauthorized use.

ATM or Debit Card Loss or Fraudulent Transfers.
If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions. If someone uses your ATM or debit card before you report it lost or stolen, your liability depends on how quickly you report it:

Above quoted from:
^{https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards}

[langwadt]

do you use the cards in places that handle the card and possibly memorize the card number and ccv ?

I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online

[Mr. Scram]

re: "They're also typically covered by the same leniency in the case of fraudulent transactions."

Just to ensure folks in the USA doesn't get suckered by banks/card companies...

No!  Not in the USA!  15 USC 1643 specifically limit credit card user to $50 liability whereas debit card liability is defined by you and the bank with the user agreement.  The banks will try to limit their own liability by conflating the two (credit card vs debit card) but the language in the law is clear.  With 15 USC 1643, credit card holder liability is limited to $50.

Notice because of 15 USC 1643, the different wording in the advice from the US Federal Trade Commission's website:

Credit Card Loss or Fraudulent Charges
Under the FCBA, your liability for unauthorized use of your credit card tops out at $50. However, if you report the loss before your credit card is used, the FCBA says you are not responsible for any charges you didn’t authorize. If your credit card number is stolen, but not the card, you are not liable for unauthorized use.

ATM or Debit Card Loss or Fraudulent Transfers.
If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions. If someone uses your ATM or debit card before you report it lost or stolen, your liability depends on how quickly you report it:

Above quoted from:
^{https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards}

I was talking about the EU.