EEVblog Electronics Community Forum
General => General Technical Chat => Topic started by: engineheat on May 13, 2018, 10:01:57 pm
-
Twice this year, I had to cancel my credit cards due to unauthorized use, usually by someone out of state. I'm trying to pinpoint the problem but I'm not an expert on technology.
I make purchases online and pay my bills online, and I only do this at my home wifi, which has a password. Could it be that unscrupulous site/vendors can use your credit card information? It seems someone with your numbers can make a fake card and use it at physical locations, because that seems to be the case.
Or is it because Chrome stores your credit card info and that gets accessible when you use a public wifi later, even if you are not doing any shopping?
Thanks
-
If you know the card number and expiration date, you can definitely make a physical card with a magnetic stripe. Chip cards are harder to fake, but until nobody accepts striped cards, chips are useless.
I generally, don't give the card number to small sites with unknown reputation. They either have PayPal option or don't get my business.
-
More likely it was skimmer at ATM or point of sales.
-
More likely it was skimmer at ATM or point of sales.
Yes, they've got very good at making them hard to spot when you're standing in front of a cash-point (ATM) in a hurry. I got caught twice in the last year I was living down South. Then you've also got to watch for fake refund phishing expeditions if you use Ebay these days. I never use links in Emails any more.
-
I just hate those stupid "anti-skimmer" devices banks place on many ATMs. Because of that crap you never know for sure is it's really an anti-skimmer or skimmer mimicking it :palm:.
-
You just happen to live in a country which is behind everyone in the world in adopting chip and pin technology.
-
You just happen to live in a country which is behind everyone in the world in adopting chip and pin technology.
It does not matter where you live. As long as magnetic stripe is still accepted somewhere, you still can be fucked. It does not matter if you card has a chip if it still has a magnetic stripe.
-
SWMBO and I have been with Bank of America since 2004. We have had our credit card and debit card hijacked multiple times. BofA does an excellent job of catching it, actually catching it before us every time. Once the claim is filed, the money is back within 24 hours. We pretty much accepted that this is a fact of life.
-
Mine get hacked, too. and I suspect it is small websites holding the credit card data getting breached. Even large retailers (Target, Panera, etc) are getting breached as well. I agree this is the new normal until they devise a new system like biometric or mutli-factor.
Some card companies implement a virtual number system (Discover used to have it, Capital One does it now) where you can generate a specific number for each website you visit.
-
SWMBO and I have been with Bank of America since 2004. We have had our credit card and debit card hijacked multiple times. BofA does an excellent job of catching it, actually catching it before us every time. Once the claim is filed, the money is back within 24 hours. We pretty much accepted that this is a fact of life.
Similar experience with Citi: throughout our lifetime with them (2007 and on), we had our cards cloned twice and preemptively replaced by them at least five times (due to hacking to vendors such as Home Depot or Target). This has become a fact of life.
The only annoyance is to re-enter this information on all the auto pay sites...
-
Gas pumps of a particular brand all have a common key. Most gas stations I visit now have stickers to warn if the pump cabinet has been opened. I live in rural Arkansas (7500 pop) and they caught some guys trying to install a skimmer at a local gas station in the middle of the night. I got hit about that time just as I was leaving on a trip.
The clever ones collect the data via bluetooth, so once it's installed they just go buy gas to collect the data for resale on the dark web. The credit card companies are not yet adept at figuring out where the skimmers are and preemptively issuing new cards.
-
Gas pumps of a particular brand all have a common key. Most gas stations I visit now have stickers to warn if the pump cabinet has been opened. I live in rural Arkansas (7500 pop) and they caught some guys trying to install a skimmer at a local gas station in the middle of the night. I got hit about that time just as I was leaving on a trip.
The clever ones collect the data via bluetooth, so once it's installed they just go buy gas to collect the data for resale on the dark web. The credit card companies are not yet adept at figuring out where the skimmers are and preemptively issuing new cards.
I was thinking of this too. Hackaday did a piece on this.
https://hackaday.com/tag/card-skimmer/
-
Only ever got done once ! It was on an unused card that I only keep for my ISP who insists on direct draw. My ONLY direct draw account !
15 mins after a deduction, the card amassed $11,000 from several European countries ! I wrote up a detailed report with questions on -
Why didn't the system realize I couldn't have been in 8 European countries when I was in OZ 15 mins earlier? -how did they go so far over my limit?
Plus I identified the source of the breach etc etc No answers ... they didn't chase it ... not worth their time ... just reimbursed it.
They didn't even want to reduce the limit to $2-3K, until I threatened to cancel my cards.
-
SWMBO and I have been with Bank of America since 2004. We have had our credit card and debit card hijacked multiple times. BofA does an excellent job of catching it, actually catching it before us every time. Once the claim is filed, the money is back within 24 hours. We pretty much accepted that this is a fact of life.
Similar experience with Citi: throughout our lifetime with them (2007 and on), we had our cards cloned twice and preemptively replaced by them at least five times (due to hacking to vendors such as Home Depot or Target). This has become a fact of life.
The only annoyance is to re-enter this information on all the auto pay sites...
My card does have a chip on it. So I guess from reading the answers this isn't rare and especially with the hacking going on.
I thought my wifi or the way I use computer isn't secure enough...
-
US version of a chip is a joke. The bit that tells the readers if your card has a chip is on the stripe, so you can just overwrite that bit and your card does not have a chip anymore.
This will continue to happen until chip is the only option with no magnetic stripe even present on the card.
-
I've never had my card details fraudulently obtained, however I guess I'm fortunate enough to know what I'm looking for in terms of skimming devices or EFTPOS machines which have tampered software.
As much as a I don't like Paypal as a company, I use them for almost every purchase I make online, particularly overseas ones. It adds an extra level of protection and if something does go wrong, you're more likely to get your money back.
I would also advise to cover up your PIN whenever you use an ATM or EFTPOS machine with both hands. ATM skimmers normally rely on a small pinhole camera to capture your PIN in addition to card data. On the subject of ATMs, give the card slot a good wiggle, skimming devices are normally just taped on.
Use alternative methods to pay bills, for example, I pay all my bills online but I manually transfer the amount using BPAY (via my internet banking) or do a once-off direct debit request. It takes no additional time and it saves me those 1-2% credit card transaction fees.
If you must use credit cards, insist on a low credit limit. If a bank refuses to lower your spending limit or apply extra security measures, I would reconsider using that bank. For example, I use Visa Debit which is linked to my normal savings account, but I can stipulate my own daily transaction limits for card transactions. The default is $1000 per day but I can decrease or increase that anywhere up to $10,000.
Finally, get into the habit of checking your statements/internet banking frequently. I check mine at least once a week.
-
I've had two instances, I think it was, both probably in relation to data leaks from retailers. The charges were detected immediately, and a new card issued.
Tim
-
I've had two instances, I think it was, both probably in relation to data leaks from retailers. The charges were detected immediately, and a new card issued.
This has been my experience. It seems using my card at a "dodgy" on-line retailer has allowed my card details to be stolen and fraudulently used. I am very wary of that now.
I second the above advice to use only Paypal-equipped sites for card processing unless it is a major retailer you trust.
You can also use a service like ShopSafe: https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go (https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go)
This will prevent your virtual card being accepted by anyone other than the original retailer you made the purchase from, so even if the card details are stolen the card will not work and any fraudulent transactions will be declined.
-
What I find frustrating is that the big banks clearly don't care. There are any number of methods they could employ to keep people secure. For example, for those who just use their card for online purchases, have it "disabled" by default, until you log in to your internet banking and "enable" the card for x number of minutes for x amount of dollars. So simple.
-
Please note that ShopSafe requires you to have Adobe Flash installed on your computer.
Seriously?
-
You just happen to live in a country which is behind everyone in the world in adopting chip and pin technology.
It does not matter where you live. As long as magnetic stripe is still accepted somewhere, you still can be fucked. It does not matter if you card has a chip if it still has a magnetic stripe.
That is technically true, however the chip cards have a modifying effect on social behavior.
For me if feels weird if a shop assistant asks to physically handle my card because there is no reason for them to do so, I just tap it.
Second reason is chip payments are so simple and all pervasive (in Australia) that I never carry cash now and so have no reason to use an ATM - seriously the only people who carry cash are kids looking to buy drugs :)
OP - This is not relevant to you if, as you say, you only use your card online. Your WiFi password is not the issue here and by that I mean it is a very unlikely attack vector. Most likely is you have used your card on unscrupulous sites, or you have a trojan on your computer. The first issue really just takes a bit of 'internet wizdom' such as only putting your card in to sites you know and trust. Check the URL matches and that it is secure..
The second, if your running Windows you can do a free scan with this tool, it is regularly updated.
https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx (https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx)
Next I would look at your browser 'add-ons' some of those can be nasty.
If your worried about Chrome storing credit card information then you can delete it, but it would not have done so without asking you.
Stick this in your URL and it will take you to your autofill settings where you can delete the card number.
chrome://settings/autofill?search=Autofill
-
Skimming is basically history here. The payment provider, Currence*, basically issued: "Starting 2012, the old magnet strip card will not work anymore".
Everyone is on chip now, or wireless, and it's the best method ever. You have to explicitly tell the bank you want the magstrip to work abroad.
Maybe you just have to form an angry mob with pitchforks and torches to tell the banks you don't want this crap anymore.
*collaboration of major banks responsible for national retail payment services, they also made iDEAL which was a huge revolution in online shopping with debit cards.
-
What I find frustrating is that the big banks clearly don't care. There are any number of methods they could employ to keep people secure.
Here in the U.S., they really don't care. That's why we still have credit cards with mag stripes. That's why we have credit cards with chips but no PINs. That's why restaurants still take credit cards back to some hidden POS terminal and run them, out of sight of the customer. All of this is completely stupid, but retailers won't upgrade their POS terminals. This is ridiculous, because the banks have said that all retailers as of October of last year must upgrade to chip-card readers or else the banks won't reimburse the retailers without upgrades for fraudulent transactions.
I'm at the point where I ask retailers, "why don't you take Apple Pay? Do you really not care about fraudulent transactions?" I usually get blank stares.
Also, never ever ever use debit cards for point-of-sale purchases. Sure, if the card is compromised, the bank will reimburse you for the losses. But what happens if the bad guy wipes out your checking account right before the mortgage payment hits your bank through the ACH system? Or, if you're like me, you pay all of your bills on payday, so they all hit the bank at the same time? NSF fees, charged by the payees, add up.
-
Here in the U.S., they really don't care. That's why we still have credit cards with mag stripes. That's why we have credit cards with chips but no PINs. That's why restaurants still take credit cards back to some hidden POS terminal and run them, out of sight of the customer. All of this is completely stupid, but retailers won't upgrade their POS terminals. This is ridiculous, because the banks have said that all retailers as of October of last year must upgrade to chip-card readers or else the banks won't reimburse the retailers without upgrades for fraudulent transactions.
I'm at the point where I ask retailers, "why don't you take Apple Pay? Do you really not care about fraudulent transactions?" I usually get blank stares.
Also, never ever ever use debit cards for point-of-sale purchases. Sure, if the card is compromised, the bank will reimburse you for the losses. But what happens if the bad guy wipes out your checking account right before the mortgage payment hits your bank through the ACH system? Or, if you're like me, you pay all of your bills on payday, so they all hit the bank at the same time? NSF fees, charged by the payees, add up.
Using Apple Pay is solving one problem and getting into another. What I pay should be between me, my bank and the retailer. I don't need Apple meddling with that.
-
Using Apple Pay is solving one problem and getting into another. What I pay should be between me, my bank and the retailer. I don't need Apple meddling with that.
I've never understood the real point of Apple Pay, apart from giving Apple more access to your personal information. Most banks here allow you to pay for things using their own applications via NFC, even the smaller credit unions are on-board with this. Similarly, you can now make instantaneous intra-bank payments 24/7/365, where before they used to take about 12-48 hours for most transactions.
-
I use it all the time in every single retailer I visit now. Because the UK has had contactless for many years, Apple Pay was rolled out all but instantly to most places. There are very few places that don't accept it now (I actually can't personally think of anywhere).
All my cards in one place - no need to carry a wallet any more.
Every single transaction is done using a randomly generated token and authenticated by me so no possibility of fraud.
Instant feedback on the transaction so you know it was carried out correctly and for the correct amount.
Unlike some other platforms, all the data is stored in the secure area on the phone and is never transmitted to any third parties (or Apple).
No third party apps needed.
I'd say it was the future rather than being pointless!
-
I use it all the time in every single retailer I visit now. Because the UK has had contactless for many years, Apple Pay was rolled out all but instantly to most places. There are very few places that don't accept it now (I actually can't personally think of anywhere).
All my cards in one place - no need to carry a wallet any more.
Every single transaction is done using a randomly generated token and authenticated by me so no possibility of fraud.
Instant feedback on the transaction so you know it was carried out correctly and for the correct amount.
Unlike some other platforms, all the data is stored in the secure area on the phone and is never transmitted to any third parties (or Apple).
No third party apps needed.
I'd say it was the future rather than being pointless!
"No possibility of fraud." Are you willing to vouch for that? ;D
No third party apps needed? It already is a third party app.
-
We're pretty much completely Chip and PIN here in the UK though it is still possible to use the magstripe if you need to (you can still demand a non chip card if you meet certain criteria) and if there are problems with a store's C&P authorisation connection they can still fall back all the way to the really old fashioned card imprint machine.
However, having a chip does not stop fraud, I've been caught once after giving my card details to a book website in the 'states, Barclays called me and asked if I'd authorised payments to three websites offering a varied selection of porn (I hadn't, just for crystal clarity), turns out the book website was compromised and someone was using details stolen from it to extract small amounts of money via, I would assume' their own porn sites.
It all got refunded and the book purchase was cancelled, fortuitiously as I found another copy of the book for much less a few days later.
-
Simply using your card... fact of the matter is that card payments, irrespective of the mechanism (chip or stripe) are a massive and lucrative target for criminals and despite the supposed penalties for non PCI compliance many retailers pay little attention (including some very big retailers). There can be many 'data handlers' in the chain and many potential attack vectors.
You can reduce your chances of this happening by avoiding using your card online unless it's via third party processors such as PayPal who handle all the sensitive data NOT the retailer but that is still no guarantee.
Fact is there will always be card fraud with existing technologies and where people are involved...
-
My number gets stolen at least once per year, but all I ever see is the bank telling me so in an email and getting a new card in the mail soon. I never see the fraudulent charges (if there were any). The banks take care of it, because they are willing to let these things happen for the sake of customer convenience I guess.
But one neat thing my bank has is a system called Shop Safe, available online when I check my credit card account, more people should use it. What it does is let you generate a new credit card number linked only to your main number. Then you use that number online for a merchant - but each number is for only one merchant. Once it's used by you, it's only good for that merchant - even if it got stolen it's no good for any other merchant. Also you can make it have any dollar amount limit you want, and any expiration you want. If you are buying $100 worth of goodies from Newegg, you make the card limit say $125 to cover shipping. Then even if it got stolen, and then even if the crook tried to use it at Newegg, it wouldn't be worth much. But you can keep using that number for as long as you want for each merchant if you go into the app and increase the limit and expiration date. It's really neat.
But really, the banks are always going to take care of fraud charges. I've never had to pay a cent in my life. That's just the price they are willing to pay for customer convenience. :-//
-
My number gets stolen at least once per year, but all I ever see is the bank telling me so in an email and getting a new card in the mail soon. I never see the fraudulent charges (if there were any). The banks take care of it, because they are willing to let these things happen for the sake of customer convenience I guess.
But one neat thing my bank has is a system called Shop Safe, available online when I check my credit card account, more people should use it. What it does is let you generate a new credit card number linked only to your main number. Then you use that number online for a merchant - but each number is for only one merchant. Once it's used by you, it's only good for that merchant - even if it got stolen it's no good for any other merchant. Also you can make it have any dollar amount limit you want, and any expiration you want. If you are buying $100 worth of goodies from Newegg, you make the card limit say $125 to cover shipping. Then even if it got stolen, and then even if the crook tried to use it at Newegg, it wouldn't be worth much. But you can keep using that number for as long as you want for each merchant if you go into the app and increase the limit and expiration date. It's really neat.
But really, the banks are always going to take care of fraud charges. I've never had to pay a cent in my life. That's just the price they are willing to pay for customer convenience. :-//
I'm not sure whether patching a problem that never should have existed in the first place is really neat. It's also not really convenient to have to change credit cards once a year. I couldn't imagine that being remotely acceptable, but somehow in the US it is and on a huge scale.
-
For those excited about chip & pin, they may want to consider the liability shift. Sounds like C&P transactions are extremely hard to reverse if fraudulent since nobody wants to admit the system has some issues. Currently in the US we just laugh it off since its not our money at risk. Does it come with some hassles of replacing cards a few times a year, sure. IMO that's alot better situation than a bank telling me to piss off, its a C&P transaction and I'm just trying to scam them. There have been a handful of these cases already.
It also seems C&P has done little more than to push thieves to move their game to the online world where the chip doesn't come into play. So what do they do in Euro land when your C&P card info is lifted and used in online shops? Card replacement? If so, how is that solving anything really?
https://securityintelligence.com/chip-and-pin-fraud-the-new-face-of-credit-crime/
-
For those excited about chip & pin, they may want to consider the liability shift. Sounds like C&P transactions are extremely hard to reverse if fraudulent since nobody wants to admit the system has some issues. Currently in the US we just laugh it off since its not our money at risk. Does it come with some hassles of replacing cards a few times a year, sure. IMO that's alot better situation than a bank telling me to piss off, its a C&P transaction and I'm just trying to scam them. There have been a handful of these cases already.
It also seems C&P has done little more than to push thieves to move their game to the online world where the chip doesn't come into play. So what do they do in Euro land when your C&P card info is lifted and used in online shops? Card replacement? If so, how is that solving anything really?
https://securityintelligence.com/chip-and-pin-fraud-the-new-face-of-credit-crime/
Older magnetic strip cards have been duplicated by manipulating PIN devices and copying both card info and the associated PIN number. The pin number is sometimes stolen by installing a false keypad, placing a camera or other techniques that allow them to intercept the PIN. It's much harder to do this with chip cards. Either way, the number of times this happens is a lot smaller than credit card theft happens in the US. I can't imagine being the victim once a year and being fine with that, even if the bank notices and intervenes. Banks are as lenient as they are with credit cards in the US. You can expect to have the costs covered, unless it's a matter of gross negligence or intent.
-
Using Apple Pay is solving one problem and getting into another. What I pay should be between me, my bank and the retailer. I don't need Apple meddling with that.
Apple Pay wouldn't be necessary if your bank and your retailer took security seriously. Why don't we have chip and PIN here? I have no idea. Why don't the banks push a secure replacement for credit cards? I have no idea. Why don't the retailers demand from those banks a secure replacement for credit cards? I have no idea. Would any solution pushed by one bank be accepted by all of the others? I have no idea.
Apple Pay (and the Samsung and Android equivalents) wouldn't exist if the banks and the retailers cared about fighting fraud.
-
What I find frustrating is that the big banks clearly don't care. There are any number of methods they could employ to keep people secure.
Here in the U.S., they really don't care. That's why we still have credit cards with mag stripes. That's why we have credit cards with chips but no PINs.
...
...
Here on this forum, we probably all know why banks don't care already, but it is useful to put it in words. As long as the cost of prevention exceeds the cost of lost, there is no reason to attack the problem. Between card fees and annual membership fees (from all customer), they are making a good enough margin. Lost due to thief is just another line item that all customers pay for - the card company just adds it up like cost for their infrastructure or their phone bill. All card users paid.
By now, I am over my credit card stage. There was a time I just flip out the card to pay - for everything.
Now, I prefer cash. The best way to prevent credit card trouble is not to use them. As long as they still take cash, I prefer using cash. It also help college students and others who needs those jobs at the cash register. Besides, I do find myself spending less when I have to count cash to pay.
* * *
By the way, how would chip be better when so many transactions (and fraud) are with on-line payments? With on-line payments, the merchants will never come close to your card, magnetic strip or chip. Is that not just lipstick on a corpse?
-
Online payments are authenticated through means other than just your number or the PIN. Different banks have different solutions, but a common factor is that the retailer won't have relevant card information needed to duplicate the transaction. It's basically a one way thing.
-
By the way, how would chip be better when so many transactions (and fraud) are with on-line payments? With on-line payments, the merchants will never come close to your card, magnetic strip or chip. Is that not just lipstick on a corpse?
The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.
-
By the way, how would chip be better when so many transactions (and fraud) are with on-line payments? With on-line payments, the merchants will never come close to your card, magnetic strip or chip. Is that not just lipstick on a corpse?
The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
-
The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.
Like the Raboscanner (https://nl.wikipedia.org/wiki/Rabo_Scanner), it uses the chip and pin on the card to solve a challenge presented by colored qr-ish code. It then asks "transferring €xxx to yyy", you press "yes" and you get the signing code.
Unfortunately, they're going to end this device in favor of "other mechanisms", probably apps or sms.
-
By the way, how would chip be better when so many transactions (and fraud) are with on-line payments? With on-line payments, the merchants will never come close to your card, magnetic strip or chip. Is that not just lipstick on a corpse?
The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The issue is the same as with chip. Unless it's supported by everyone, it does not stop fraud.
-
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
Visa and mastercard have the same here. I see it on maybe 1 in 50 sites I buy something from, pretty useless.
I used to have a card that the website would allow one time card numbers. That was pretty cool but discontinued. Apparently the card issuers got alot of flack since may merchants use the CC number to make sure someone isn't signing up for trial offers and such multiple times.
-
By the way, how would chip be better when so many transactions (and fraud) are with on-line payments? With on-line payments, the merchants will never come close to your card, magnetic strip or chip. Is that not just lipstick on a corpse?
The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The issue is the same as with chip. Unless it's supported by everyone, it does not stop fraud.
I agree. In Brazil there was a mandate to upgrade 100% of the card reader machines at once (at the expense of the shop owner, of course). This forced everyone to quickly adapt to the new system by using PIN numbers otherwise long forgotten (as they were rarely used by credit card users). Since most credit cards there are tied to your bank account, they reduced the effort by requiring only the first four out of the six or eight digits of your regular PIN - quite a convenient move.
Here in the US this is a complete joke - the wide range of machines that only have the magnetic stripe to the ones equipped with the chip that sometimes allow the transaction to go with minimal intervention (just press the green button) to even ask for your signature in the stupid touchscreen (a completely useless authentication method).
-
By the way, how would chip be better when so many transactions (and fraud) are with on-line payments? With on-line payments, the merchants will never come close to your card, magnetic strip or chip. Is that not just lipstick on a corpse?
The right solution is some cryptographic signing microcontroller built into the card itself, that can be used for online purchases. A little like the hardware wallets for cryptocurrency. In order for a valid transaction to be created, the card itself must sign it.
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The issue is the same as with chip. Unless it's supported by everyone, it does not stop fraud.
And now round-robin back to what I said when I put the known problem into words in my earlier reply: "As long as the cost of prevention exceeds the cost of lost, there is no reason to attack the problem. Between card fees and annual membership fees (from all customer), they are making a good enough margin."
As lost increases, their first step will likely be keep pumping up the fees to cover lost: be it in service fees, late fees, international transaction fees, currency conversion fees... Until there is no room left for fee increase, the lost doesn't bite. Until then, they don't have to incur cost to attack the problem. They are fat and happy taking their percentage we paid via the cost of item.
The chips, mag strips, bio-data, what not, are all just window dressing. The technology exist to cut fraud to near zero if they really want to do it. The profit motive is just not there. We the customer are willing to cover the lost with the increased price of merchandise or card service fees, so why would they?
-
I dont understand how something like MBNet isn't global by now..
Its a virtual card, you have to enable the service in the bank/ebanking, and currently they moved away from the website,so all cards are created in the app that asks for a pin/fingerprint, and each card has a 1 month expire date, with a max value, the global MBNet service also has another max month value that can't be exceeded.
You need to pay 25$, create a card with a 28€ value, due to Paypall/random fees, use it to pay, if someone grabs the number/ccv/date, the card is already expired, because after being used once the card expires and can't be billed again.
There is also a variant that can have up to 1 year expire date(like paying netflix), with a total and monthly limit, and at any time, balance can be checked and the card can be canceled.
Its a free(or near free, never saw any extra charges for it in my account)..
-
Online payments are authenticated through means other than just your number or the PIN. Different banks have different solutions, but a common factor is that the retailer won't have relevant card information needed to duplicate the transaction. It's basically a one way thing.
Um, nope. All the information that you need to do a payment online (or using an imprinter - that's still a thing!) is the name of the cardholder, the card number, the expiration date and the 3 digit CVC code (usually non-embossed and on the reverse side of the card). All this info is also on the magnetic strip (minus the CVC code).
The retailers are not supposed to store the CVC number, but who will check and enforce that ... So if you have an unscrupulous retailer or they get hacked, it is pretty easy to steal money from you using fraudulent transactions.
There are the programs like Verified by Visa that demand a secondary authentication from you, e.g. by a code sent to your phone, but these don't work everywhere/not all retailers support them, so banks still accept transactions even without them. Then basically the only defense is whether or not the bank has some suspicious activity monitoring in place and whether or not they flag such transactions. May or may not happen - having the triggers too loose means lots of false alarms and unhappy customers.
Coincidentally, the chip & pin doesn't really solve any of this - if someone steals the data above, they can make purchases online and then flog them e.g. on eBay to launder the money and none would be any wiser. Whether or not you have chip on the card only affects whether someone in Russia or Romania can fabricate a cloned magnetic card to withdraw money from an ATM. If the original card has a chip and the clone doesn't, such transaction will be flagged and may be refused. Even that isn't guaranteed because the cards are often configured to allow payment using the magnetic strip if the chip isn't working for whatever reason. So it somewhat protects against primitive skimmers but doesn't protect at all against stuff like online fraud.
Why banks don't care too much about this? Well, because fixing it would cost a lot of money and the money lost due to fraud is negligible compared to that. They don't care about your ruined credit score. Also a lot of banks, especially in Europe, are pushing the responsibility on the user - e.g. for debit cards I don't ever recall seeing that bank would be responsible for a fraudulent transaction, at least not without a major uphill battle. It is assumed that those can't be used without a pin, so you had to provide the pin somehow or have been negligent, so it is your fault (never mind it could have been stolen or skimmed or something). For credit cards it is only slightly better, with a lot of onerous fine print in the contracts where the bank is trying to weasel out of responsibility.
-
...
...
Why banks don't care too much about this? Well, because fixing it would cost a lot of money and the money lost due to fraud is negligible compared to that. They don't care about your ruined credit score. Also a lot of banks, especially in Europe, are pushing the responsibility on the user - e.g. for debit cards I don't ever recall seeing that bank would be responsible for a fraudulent transaction, at least not without a major uphill battle. It is assumed that those can't be used without a pin, so you had to provide the pin somehow or have been negligent, so it is your fault (never mind it could have been stolen or skimmed or something). For credit cards it is only slightly better, with a lot of onerous fine print in the contracts where the bank is trying to weasel out of responsibility.
(Emphasis added)
In the USA, fine print in the contract for credit cards wont do it. We have a specific law regarding that:15 USC 1643. That law specifically limits card holder liability to $50. This law actually was pushed for by the card industry to promote card use when the concept of using a credit card was still new.
That law does not apply to debit card - that is why I instructed my young daughter never to use her debit card like another credit card but use it for ATM only. There is no protection (from that law) with debit card against fraud or when resolving charge discrepancies when a debit card was used for purchases.
-
Um, nope. All the information that you need to do a payment online (or using an imprinter - that's still a thing!) is the name of the cardholder, the card number, the expiration date and the 3 digit CVC code (usually non-embossed and on the reverse side of the card). All this info is also on the magnetic strip (minus the CVC code).
The retailers are not supposed to store the CVC number, but who will check and enforce that ... So if you have an unscrupulous retailer or they get hacked, it is pretty easy to steal money from you using fraudulent transactions.
There are the programs like Verified by Visa that demand a secondary authentication from you, e.g. by a code sent to your phone, but these don't work everywhere/not all retailers support them, so banks still accept transactions even without them. Then basically the only defense is whether or not the bank has some suspicious activity monitoring in place and whether or not they flag such transactions. May or may not happen - having the triggers too loose means lots of false alarms and unhappy customers.
Coincidentally, the chip & pin doesn't really solve any of this - if someone steals the data above, they can make purchases online and then flog them e.g. on eBay to launder the money and none would be any wiser. Whether or not you have chip on the card only affects whether someone in Russia or Romania can fabricate a cloned magnetic card to withdraw money from an ATM. If the original card has a chip and the clone doesn't, such transaction will be flagged and may be refused. Even that isn't guaranteed because the cards are often configured to allow payment using the magnetic strip if the chip isn't working for whatever reason. So it somewhat protects against primitive skimmers but doesn't protect at all against stuff like online fraud.
Why banks don't care too much about this? Well, because fixing it would cost a lot of money and the money lost due to fraud is negligible compared to that. They don't care about your ruined credit score. Also a lot of banks, especially in Europe, are pushing the responsibility on the user - e.g. for debit cards I don't ever recall seeing that bank would be responsible for a fraudulent transaction, at least not without a major uphill battle. It is assumed that those can't be used without a pin, so you had to provide the pin somehow or have been negligent, so it is your fault (never mind it could have been stolen or skimmed or something). For credit cards it is only slightly better, with a lot of onerous fine print in the contracts where the bank is trying to weasel out of responsibility.
We need to distinguish credit cards from regular debit cards. Credit cards tend to be unsafer for legacy reasons, but it's also obvious work is being done to eliminate the worst issues.
Debit cards tend to be well protected with one way authentication mechanisms. They also seem to be more commonly used in place of credit cards, whereas it seems credit cards are the standard in the US. They're also typically covered by the same leniency in the case of fraudulent transactions. Banks understand it's important that people trust the system. If your bank makes a habit of blaming the customer, you need to switch to a decent bank.
-
...
Debit cards tend to be well protected with one way authentication mechanisms. They also seem to be more commonly used in place of credit cards, whereas it seems credit cards are the standard in the US. They're also typically covered by the same leniency in the case of fraudulent transactions. Banks understand it's important that people trust the system. If your bank makes a habit of blaming the customer, you need to switch to a decent bank.
re: "They're also typically covered by the same leniency in the case of fraudulent transactions."
Just to ensure folks in the USA doesn't get suckered by banks/card companies...
No! Not in the USA! 15 USC 1643 specifically limit credit card user to $50 liability whereas debit card liability is defined by you and the bank with the user agreement. The banks will try to limit their own liability by conflating the two (credit card vs debit card) but the language in the law is clear. With 15 USC 1643, credit card holder liability is limited to $50.
Notice because of 15 USC 1643, the different wording in the advice from the US Federal Trade Commission's website:
Credit Card Loss or Fraudulent Charges
Under the FCBA, your liability for unauthorized use of your credit card tops out at $50. However, if you report the loss before your credit card is used, the FCBA says you are not responsible for any charges you didn’t authorize. If your credit card number is stolen, but not the card, you are not liable for unauthorized use.
ATM or Debit Card Loss or Fraudulent Transfers.
If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions. If someone uses your ATM or debit card before you report it lost or stolen, your liability depends on how quickly you report it:
Above quoted from:
https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards (https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards)
-
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?
I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online
-
re: "They're also typically covered by the same leniency in the case of fraudulent transactions."
Just to ensure folks in the USA doesn't get suckered by banks/card companies...
No! Not in the USA! 15 USC 1643 specifically limit credit card user to $50 liability whereas debit card liability is defined by you and the bank with the user agreement. The banks will try to limit their own liability by conflating the two (credit card vs debit card) but the language in the law is clear. With 15 USC 1643, credit card holder liability is limited to $50.
Notice because of 15 USC 1643, the different wording in the advice from the US Federal Trade Commission's website:
Credit Card Loss or Fraudulent Charges
Under the FCBA, your liability for unauthorized use of your credit card tops out at $50. However, if you report the loss before your credit card is used, the FCBA says you are not responsible for any charges you didn’t authorize. If your credit card number is stolen, but not the card, you are not liable for unauthorized use.
ATM or Debit Card Loss or Fraudulent Transfers.
If you report an ATM or debit card missing before someone uses it, the EFTA says you are not responsible for any unauthorized transactions. If someone uses your ATM or debit card before you report it lost or stolen, your liability depends on how quickly you report it:
Above quoted from:
https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards (https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards)
I was talking about the EU. ;)
-
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?
I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online
Masking the CCV is a great idea. It prevents the cashier who takes your card at the restaurant from writing it down. Again, that's a habit that restaurants really need to break, or be broken of.
You don't need the CCV with in-person point-of-sale purchases, but you need it for online purchases. And since I do online purchases from my laptop, I have my credit card account list on it, so I can refer to the CCV when necessary. That list is stored in an encrypted disk image, with a unique password not known to the password manager.
Apple Pay makes all of this uninteresting.
-
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?
I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online
Masking the CCV is a great idea. It prevents the cashier who takes your card at the restaurant from writing it down. Again, that's a habit that restaurants really need to break, or be broken of.
You don't need the CCV with in-person point-of-sale purchases, but you need it for online purchases. And since I do online purchases from my laptop, I have my credit card account list on it, so I can refer to the CCV when necessary. That list is stored in an encrypted disk image, with a unique password not known to the password manager.
Apple Pay makes all of this uninteresting.
it isn't such a big issue anymore, everything here is chip and they bring the terminal to the table
-
I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online
What a great idea. :-+
There is no reason for it to be printed on the card, as long as you know what it is.
-
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?
I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online
Um, like any order online? That's where you need all that and it is trivial for the merchant to store the card info - e.g. Paypal does it, Amazon does it, etc. - for the user's convenience, along with a pre-approval for future debit. But also a huge liability should their systems get breached.
You don't need CCV when paying in person and you are not supposed to let someone else handle your card (it is, in fact, explicitly stipulated by most banks in their contracts - if you do, you could be held responsible for any fraud). It is very rare to find a restaurant or anything else where you would give the card to a waiter or cashier to swipe it out of your view these days - most transactions above 20€ require pin (smaller payments can be done using the wireless chip by simply touching the card) so they would have to bring you the terminal anyway.
The in-person payments are mostly a solved issue everywhere else but in the US. That's why e.g. stuff like Apple Pay is completely pointless and fairly rare here - most small payments are handled using the NFC chip and everything else by chip & pin. Every merchant who wants to accept cards has to have the terminal anyway. Apple Pay would add only yet another middleman charging fees to the merchant on top of the usual credit card fees (which are high enough already that many small stores refuse to accept cards here or require a minimum purchase if you want to pay by card) and adding unnecessary breach risk and privacy issues. Credit card use history is every marketer's wet dream.
The $50 liability cap for credit card fraud in the US is also part of the problem - because the card holders know their liability is capped like this, there is no pressure on the banks to fix their utterly broken system from this side. We typically don't have that, any caps and limits are per bank, so there was a very quick progress made on this front in Europe after the card fraud has exploded.
-
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The mechanisms underpinning Verified by Visa and its MasterCard equivalent Securecode are being replaced with 3D Secure very soon. This is a very good thing. 3DS will provide issuers and merchants with risk-based card-not-present authorisations, validating the identity of the cardholder who is presenting the account details. Cardholders will not need to remember passwords to use 3DS which will reduce friction and cart abandonment at the time of purchase. CNP fraud should drop significantly once 3DS is fully deployed (and if merchants elect to use it).
Counterfeit card-present fraud rates have dropped significantly in the USA since the liability shift in 2016, and those rates should approach levels commensurate with other areas of the world where chip technology has been in use for some time. Consumers should see less compromise of their credit cards over the next few years, particularly from online channels.
-
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The mechanisms underpinning Verified by Visa and its MasterCard equivalent Securecode are being replaced with 3D Secure very soon. This is a very good thing. 3DS will provide issuers and merchants with risk-based card-not-present authorisations, validating the identity of the cardholder who is presenting the account details. Cardholders will not need to remember passwords to use 3DS which will reduce friction and cart abandonment at the time of purchase. CNP fraud should drop significantly once 3DS is fully deployed (and if merchants elect to use it).
Counterfeit card-present fraud rates have dropped significantly in the USA since the liability shift in 2016, and those rates should approach levels commensurate with other areas of the world where chip technology has been in use for some time. Consumers should see less compromise of their credit cards over the next few years, particularly from online channels.
The problem with these schemes is that:
a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
c) It is problematic for the paying client - e.g. the current systems that send a code by SMS to the client's phone fail miserably if the SMS takes time to arrive (SMS is not a guaranteed service - the message can take long time to arrive or not even arrive at all, so a very poor channel for such verification). The result is the payment timing out before the client has a change to enter the code. Or, if they are on roaming abroad, all bets are off because the text may never arrive. And if they don't have a phone on them (but do have a the card!) tough luck ...
d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website. This is the same issue that the older "Verified by VISA" systems had - the prompt is in a frame loaded from a 3rdparty server. So this opens the card holder to potential phishing or man in the middle attacks.
e) Coincidentally, Australia refused to implement 3D Secure exactly for these reasons - it is a broken-by-design system that doesn't really solve the issue and only pushes responsibility (and expense, because the merchants have to pay for accessing it) on the card holders and merchants.
-
There is a system in Europe called "Verified by VISA". When you use your card for an online purchase it redirects to a portal where you have to enter some proof of identity and a password to verify the transaction. Enter incorrect details and the transaction is declined.
The mechanisms underpinning Verified by Visa and its MasterCard equivalent Securecode are being replaced with 3D Secure very soon. This is a very good thing. 3DS will provide issuers and merchants with risk-based card-not-present authorisations, validating the identity of the cardholder who is presenting the account details. Cardholders will not need to remember passwords to use 3DS which will reduce friction and cart abandonment at the time of purchase. CNP fraud should drop significantly once 3DS is fully deployed (and if merchants elect to use it).
Counterfeit card-present fraud rates have dropped significantly in the USA since the liability shift in 2016, and those rates should approach levels commensurate with other areas of the world where chip technology has been in use for some time. Consumers should see less compromise of their credit cards over the next few years, particularly from online channels.
The problem with these schemes is that:
a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
c) It is problematic for the paying client - e.g. the current systems that send a code by SMS to the client's phone fail miserably if the SMS takes time to arrive (SMS is not a guaranteed service - the message can take long time to arrive or not even arrive at all, so a very poor channel for such verification). The result is the payment timing out before the client has a change to enter the code. Or, if they are on roaming abroad, all bets are off because the text may never arrive. And if they don't have a phone on them (but do have a the card!) tough luck ...
d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website. This is the same issue that the older "Verified by VISA" systems had - the prompt is in a frame loaded from a 3rdparty server. So this opens the card holder to potential phishing or man in the middle attacks.
e) Coincidentally, Australia refused to implement 3D Secure exactly for these reasons - it is a broken-by-design system that doesn't really solve the issue and only pushes responsibility (and expense, because the merchants have to pay for accessing it) on the card holders and merchants.
last time I tried I couldn't use my Visa online if I was in a different country
-
There are many theoretical vulnerabilities - but my experience is that most are not currently a problem. My cards have been compromised roughly a dozen times over the last few years, with the following breakdown.
1. Most of the compromises have been data breaches at one or another major retailer. No actual charges to my accounts have occurred and the only way I have known of them is the bank notifying me and sending a new card.
2. On three occasions charges have appeared on my card. In all three cases the bank's fraud detection software caught them and I received a phone call asking if they were valid within a few minutes or hours of the charges. All three cases were after use at a small retailer where an employee apparently copied necessary information and passed it to a confederate in a nearby city. The fraud detection software must have some pretty interesting features because in one of the three cases the purchase occurred in a very plausible next step on my travel itinerary, and involved modest size purchases of a type that is well within my purchasing history pattern.
Interestingly, I have one credit card that I reserve for use in on line purchases. This card has never been compromised, despite being used for purchases at a wide range of sites ranging from large scale enterprises down to places that are clearly mom and pop shops whose monthly sales are probably small multiples of my purchases.
-
do you use the cards in places that handle the card and possibly memorize the card number and ccv ?
I usually put a sticker over the ccv, makes it harder to just look at the card and get enough info to use it online
Masking the CCV is a great idea. It prevents the cashier who takes your card at the restaurant from writing it down. Again, that's a habit that restaurants really need to break, or be broken of.
You don't need the CCV with in-person point-of-sale purchases, but you need it for online purchases. And since I do online purchases from my laptop, I have my credit card account list on it, so I can refer to the CCV when necessary. That list is stored in an encrypted disk image, with a unique password not known to the password manager.
Apple Pay makes all of this uninteresting.
it isn't such a big issue anymore, everything here is chip and they bring the terminal to the table
As you are likely quite aware, America is a really stupid country, ruled by charlatans and thieves who are supported by the Common Clay of the New West (you know, morons). Rick Law's assertions above about the reasons why things like bringing a wireless POS terminal to a table are not done here is correct. The cost of undoing fraud from the banks' and merchants' point of view is minor compared to the cost of implementing reasonable security. After all, it's not the merchant or bank who gets fucked -- it's the customer who has to unravel the problems.
-
There are many theoretical vulnerabilities - but my experience is that most are not currently a problem. My cards have been compromised roughly a dozen times over the last few years, with the following breakdown.
...
The problem is that nobody is going to bother with a man-in-the-middle attack when all they need is to trivially phish or skim your card. Once those holes are closed, even the more complex attacks will become common.
The main issue is that the banks and credit card companies are replacing the systems at great expense (mainly for the merchants) and a lot of inconveniencing for the users (all card payments will need to be authenticated by some extra channel in the future - pin, code over phone, etc.) - but it doesn't really solve the problems it was meant to solve.
Granted, it is a very non-trivial issue to solve at the scale the cards are being used at but deploying another half-assed solution "with mostly theoretical vulnerabilities" today will mean we have a big problem 5-10 years later. Magnetic strip and a signature were also considered secure not so many years ago - until cheap card readers and Internet allowing to empty the accounts within seconds became available ...
I still remember a teller at my bank in 2001 or so telling me that if someone scams me on my VISA card, I will need to bring a receipt from the merchant and then they will reverse the charge if the bank determines it was fraudulent. They couldn't understand that a scammer who stole my card data is not very likely to issue me a receipt ... That's often the level of knowledge some of the banks have about security issues like this. They understand vaults and safes, computers not so much (at least some of them).
-
There are many theoretical vulnerabilities - but my experience is that most are not currently a problem. My cards have been compromised roughly a dozen times over the last few years, with the following breakdown.
...
The problem is that nobody is going to bother with a man-in-the-middle attack when all they need is to trivially phish or skim your card. Once those holes are closed, even the more complex attacks will become common.
The main issue is that the banks and credit card companies are replacing the systems at great expense (mainly for the merchants) and a lot of inconveniencing for the users (all card payments will need to be authenticated by some extra channel in the future - pin, code over phone, etc.) - but it doesn't really solve the problems it was meant to solve.
Granted, it is a very non-trivial issue to solve at the scale the cards are being used at but deploying another half-assed solution "with mostly theoretical vulnerabilities" today will mean we have a big problem 5-10 years later. Magnetic strip and a signature were also considered secure not so many years ago - until cheap card readers and Internet allowing to empty the accounts within seconds became available ...
I still remember a teller at my bank in 2001 or so telling me that if someone scams me on my VISA card, I will need to bring a receipt from the merchant and then they will reverse the charge if the bank determines it was fraudulent. They couldn't understand that a scammer who stole my card data is not very likely to issue me a receipt ... That's often the level of knowledge some of the banks have about security issues like this. They understand vaults and safes, computers not so much (at least some of them).
I think what you are missing in this is that the banks (at least the good ones) have already installed AI transaction monitoring. The "pretty good, but not bulletproof" security on the cards themselves is just the first layer, and only has to be good enough to keep the workload on successive layers manageable. Emptying accounts in seconds doesn't happen. Try emptying your account quickly by making a series of purchases. Your card will stop working. Even if all the charges are legitimate. The banks protect themselves. I have triggered this myself and it requires additional authentication answers to get the card to work again. I agree there are paths around this too, but it obviously has worked well enough so far that the bank losses are acceptable and the inconvenience to vendors and card users is also acceptable.
I agree that the level of security knowledge of bank tellers and even bank officers is often laughable, but they aren't the ones allocating funds to security or designing security measures. The ones who are likely to lose money (either by direct losses or by losing the confidence of users and thus losing the business) put the time in to learn what they need to, and hire those who can implement a plan to achieve their goals.
-
The problem with these schemes is that:
a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
The card brands could use techniques to get the merchant to adopt those systems by (1) offering rewards for using the system (eg. possibly lower interchange rates) and (2) discouraging merchants from choosing not to use the system.
b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
See above. There are APIs that simplify the integration and the online shopping cart providers will provide both the connectors to the service as well as the consulting to help the merchant.
c) It is problematic for the paying client
The client sees nothing. It's frictionless and that's the point.
d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website.
See above. There are no prompts for the user to validate. But they are still protected.
-
The problem with these schemes is that:
a) Not every merchant uses it - as long as there are major merchants not using it, laundering stolen credit cards will be possible.
The card brands could use techniques to get the merchant to adopt those systems by (1) offering rewards for using the system (eg. possibly lower interchange rates) and (2) discouraging merchants from choosing not to use the system.
That's not how it works. The typical approach to a merchant from banks is "my way or the highway" (i.e. find someone else to process your payments if you don't agree to our fees, terminal rent and onerous conditions). Many, especially small, merchants are even refusing to accept carts outright for this reason.
b) They are a major pain to integrate into existing payment workflows => many major merchants don't use it ...
See above. There are APIs that simplify the integration and the online shopping cart providers will provide both the connectors to the service as well as the consulting to help the merchant.
That's again not how this works. The APIs do exist but their integration is your (= merchant's) problem. The bank/card issuer will not help you at all there. If this was so easy, why there would be such proliferation of services such as Stripe that outsource all this and will do the payment processing for you.
c) It is problematic for the paying client
The client sees nothing. It's frictionless and that's the point.
I don't see how requiring additional authentication from the client is "nothing" or "frictionless".
d) The system has a fundamental issue that the client has no way to validate that the security prompt on the screen actually comes from the bank's website.
See above. There are no prompts for the user to validate. But they are still protected.
Then we are likely talking about totally different things. ECB requires explicitly that all card payments will have to be authenticated by a separate channel, e.g. that code delivered by a text message. 3D Secure was designed for exactly that, as a replacement for "Verified by Visa" and other similar systems. If there is no "prompt", there is no authentication and thus no protection.
This description of 3D Secure explicitly talks about these codes (one time pad codes) and also the redirect to the secure portal where the code has to be entered by the card holder:
https://support.payfast.co.za/article/17-how-does-3d-secure-work
It is definitely no magic there, the only significant difference between 3-D Secure and the earlier schemes is that it is unified and not proprietary for each card issuer, which was an unmanageable mess.
-
I don't see how requiring additional authentication from the client is "nothing" or "frictionless".
It is frictionless because there is no interaction with the legitimate cardholder with 3DS v2.0; the account number authentication by the issuer is risk-based meaning the decision to allow the transaction through without challenge or to increase the challenge to the cardholder is determined by factors provided by the merchant to the issuer. The legitimate user's experience with the purchase is they provide their card details on the merchant's web site, and the acknowledgement is returned so long as the issuer doesn't reply back to the merchant that the transaction is risky. If the transaction is identified as risky be the issuer, then the merchant can choose to further challenge the cardholder. A fraudster attempting to use a compromised account number would not provide correct details to the issuer and thus there would be a higher chance that the transaction would be identified as risky and the fraudster would be challenged to provide information they do not possess.
This description of 3D Secure explicitly talks about these codes (one time pad codes) and also the redirect to the secure portal where the code has to be entered by the card holder:
https://support.payfast.co.za/article/17-how-does-3d-secure-work
That page describes 3DS v1.0. The new one, 3DS v2.0, has done away with passwords or OTP.