Related story and wondering if the OP may have been chasing red herrings. I recently noticed an unauthorized charge for a small amount on my credit card (something about FB/Meta). Likely someone probing the card to see if anyone would notice. I called the CC company, had them removed the charge, canceled the card and had them send me a new card (5-7 business days). With the brand new unused card (new CC number, new expiration date, new CVV), the fraudulent payments resumed (again FB/Meta). How is this possible? The reason: digital wallets. Your credit card number, etc. transfers via digital wallets even when you cancel the card. I again called the credit card company and this time, told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online. You have to speak to a human in a call center. You then have to sit through a lecture about how all your renewing payments are going to reset and you will have to re-establish them will all merchants. "Yes, I understand that. Please cancel the card and <i>all</i> digital wallets!" Then you have to hold for twenty minutes (why? what are they doing? manually canceling all the digital wallets?). The lesson I learned here is that canceling your credit card may not be what you think. Also recurring payments must be incredibly lucrative and canceling them must amount to a big loss in revenue. (Edited for grammar.)
[delayed]
For my case, it was almost certain. As it happened single day, the card i use was a virtual card only used in couple big ecommerce websites etc.<p>If it was leaked somewhere else, i think they wouldn't bother logging in some unrelated account of mine in an ecommerce website.
If 3D secure was mandatory everywhere that would help a lot, but if I understand correctly, it’s not really used in the US and with them being so big, card issuers are largely forced to allow non 3D secure requests or their clients will be unable to use their cards for too many things.<p>So an enormously good anti-fraud mechanism is severely handicapped.<p>It’s really frustrating for most of the rest of the world.<p>I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?<p>Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.
Payment processors don't allow just brute forcing all card numbers a.k.a. card enumeration or card testing [1][2] and card schemes penalise merchants and payment processors heavily if they don't take measures against it [3].<p>1) <a href="https://stripe.com/newsroom/news/card-testing-surge" rel="nofollow">https://stripe.com/newsroom/news/card-testing-surge</a><p>2) <a href="https://stripe.com/blog/the-ml-flywheel-how-we-continually-improve-our-models-to-reduce-card-testing" rel="nofollow">https://stripe.com/blog/the-ml-flywheel-how-we-continually-i...</a><p>3) <a href="https://docs.stripe.com/disputes/monitoring-programs#enumeration-monitoring" rel="nofollow">https://docs.stripe.com/disputes/monitoring-programs#enumera...</a>
I once had a person that was hired by my company and then started bragging about finding a way to add stored value to gift cards. Then come to find out they were under investigation by the FBI. This was a government contractor mind you, so the biggest security guard I’ve ever seen showed up to escort them out.
Virtual credit cards have been a thing for years. I remember bank of america or Citi providing them to me 15+ years ago. If I recall it was a java app or maybe even a standalone exe. Shocked they never took off more broadly.<p>Robinhood absolutely nails this. Best virtual credit card system I have ever used. So seamless. Can auth a card for one time use, 24 hours, or indefinite until you cancel. Such a great UI / UX
>As a consumer, I thought I was safe; when saving my credit card to a billion dollar valued european merchant, or when i purchase something from supermarket and ignore the receipt, but the reality is slightly different from that.<p>>I got the money back via chargeback in short time.<p>So as evidenced, you are protected by the fraud infrastructure. The bank ate the loss for the fraud and you were made whole. In the end, the banking system cares about fraud loss. And they are exceptionally good at finding the fraud. Making changes to the card payment system is extremely difficult, due to the vast scale of the systems, so without a very good justification that a particular change will move the needle on fraud rates, the banks will opt to not make the changes.
> The bank ate the loss for the fraud and you were made whole<p>_If_ you notice the fraudulent charge.
It's my experience that the bank will give up against a motivated chargeback counterparty.<p>My experience with ebay (stolen credit card) in particular was that things were going well until e-bay sent their stack of paperwork to my bank. Then my chargeback was reversed and shortly after that even my bank account was closed.<p>So you're not in the clear once you get your chargeback back. That is done initially while they give the other party time to respond. I think it took 30 days or so for ebay to bury me in paperwork, get the chargeback unwound again, and their schpeel was so effective that my bank themselves then accused <i>me</i> of being the fraudster.
Rate limiting and anomaly detection are the real gatekeepers here. A lot of "fraud prevention" is still reactive.
Another mistake:<p>> The data they took with the attempt of purchase is the card is still usable (not cancelled)<p>The payment flows should not distinguish between a nonexistent card, a cancelled card, and a valid card that needs 3D Secure. I bet the banks could even implement that without any cooperation on the part of the merchants.
People should have a separate card for online payments and have just enough money on it for a payment.<p>I know that I am naïve :)<p>Back to the article: Weak point was a password that lead to another merchant not using 3D secure.<p>It seems from the article that bad actors have fully automated system, so (big) merchants should have handle automatic login attempts from the same ip address with different accounts. I see it from our wordfence logs that ip rotation is not so quick so it could be handled with some permanent ip blocking.
Tbh, fraud for credit cards is covered by the bank, so I typically just don't care. I just check my statements for anything that looks off.
Mercury now offers personal bank accounts. You can create virtual debit cards just like companies can with Brex/Mercury/Ramp etc.
My previous bank provided this virtual card service on demand. You create the card for a single purchase with a specific amount and that’s it. I moved to an other bank when getting an affordable mortgage loan became impossible in it for me.
I agree with the seperate card. That was my seperate card and luckily the amount was not quite big because of that.<p>>Weak point was a password that lead to another merchant not using 3D secure<p>Well leaking a password shouldn't cause leaking a whole ass credit card data imo. The same data is printed on physical receipts the markets print, sometimes 4 digits, sometimes 10 digits. It's still possible to brute force from unattended physical receipts on the market.
Not affiliated, but Capital One Eno virtual cards work well for this purpose.
I think <a href="https://privacy.com" rel="nofollow">https://privacy.com</a> is the best solution we can have with the current system.
Credit cards as a while use a security model from...what, the 1970s? Sure, they've patched by adding the 3-digit CVC, but really? A huge industry can't do better than that? Honestly, it's pathetic...
At least with a credit card you have some fraud protection. Report it and the charge should be reversed. And chargebacks are possible.<p>With a debit card you’re playing with your own money.
That has not been my experience with debit cards in the US at major banks, <i>at all</i>, over decades.<p>(I'm pathologically avoidant of credit cards, which I think are mostly pointless.)
You can reverse the charges on debit cards, but the money is withdrawn at the time the charge is made. This is not the case for credit cards.
That's true, but it's not the claim the parent commenter made.
Most US banks will credit your account for the amount of the dispute immediately upon starting the investigation, so it is functionally equivalent from a consumer perspective.
Why do you think they’re pointless?
For most of my adult life I haven't been able to get a credit card --- even after we sold Matasano Security, with the proceeds of that acquisition sitting in a money market checking account at the giant bank I use, that bank would still only issue me a secured card. I pay my bills and all, but at some point when I was like 19 I bought a shirt at Nordstroms and they signed me up for a card and I didn't pay enough attention so I presumably still somehow owe them $40, and it wrecked my credit score.<p>No part of my life has been harder for not having revolving credit. I had a family, with two kids, starting in my very early 20s; I have lived on ramen wages several times since then; I've bought houses, rented cars, all that stuff. There's really been no point I can think of where I felt like having a revolving credit card would have made any of it more manageable.<p>I'd get points and stuff (I have a card now, it has a fuckload of points on it) but that's just an incentive to use the cards, not an intrinsic case for them.<p>I think most people would be much better off just using debit cards, and operating with the funds they actually have. And, again: it is in fact easy for me to say that today, but I believed the same thing when I was younger.<p>The crazy thing is coming to realize how little your credit score matters if you decide not to play this game. People say it will impact your ability to get a mortgage or a lease, but: not my experience!
>> I think most people would be much better off just using debit cards, and operating with the funds they actually have.<p>Totally agree, but - and this is another example where the rich(er) benefit - if you actually have the money and good financial discipline you're better to put everything on your CC and pay it off in full monthly. Let the merchants finance for free for 3 weeks, plus maybe get perks like purchase protection and extended warranty.
Well good for you. Us poors in the US like them for what they’re worth.
how is it not also your money when using a credit card? It's in the name, "credit" card. you have to pay it off, no? (i have never ever used a credit card)
You are making a purchase ON credit, and unless you are wildly negligent the merchant who accepts payment for the fraudulent purchase eats the costs. You may have to pay the balance owed while the chargeback works through the system but you will not ultimately pay for it.<p>Plus - like it or not - our society builds your credit based on your use of a credit card. And if you pay your balance in full every month I'm not sure why anyone would prefer paying up front (debit) vs. free financing.
As I understand it, debit cards do have some fraud protection too, but even if it's the same (I don't think it is), it's a way different power dynamic if you're begging for a bank to give you money back (debit card) vs just disputing your credit card bill.<p>In practice credit cards just have way better fraud protections.
It comes with fraud protection and your money does not move anywhere until the end of the next month. With a debit card your money moves immediately.
In the US at least, there are still federal protections for debit card fraud: <a href="https://uslawexplained.com/debit_card" rel="nofollow">https://uslawexplained.com/debit_card</a>
Why not debit cards too?
Some have speculated that the entire credit card system is compromised, end to end. I think the real question is why NSA didn't intervene in the early 1990s. Online commerce was just beginning, and the importance of electronic funds transfer was obvious, but the method wasn't set in stone. NSA knew about public key crypto well before the rest of us did. They could have helped set up very secure electronic payments, but chose not to for unknown reasons.
"The RSA algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT"
NSA prefers compromised security so that answers your question<p>Credit card system was already around for decades before though
Okay but... so what? Authentication is a means, not an end. They seem to be missing that what matters at the end of the day is how much money/time/resources actually get lost, and who's on the hook for it. If that's negligible then isn't that mission accomplished? If we could live in a society where your name was enough and you didn't need a card number at all, and yet theft was still low and you still got your money back, that would be even better, not worse.
Oh okay, so this is why Amex launched the online card in the app that changes the Cvv2 every few minutes.
[dead]