Ask HN: 2FA for Credit Cards?
I never understood the idea of CVC. Every website asks for it - so it seems like an extension of the card number. Why isn't there an app (or some digital way) to verify the card is mine, like authentication systems have 2FA? It will change for every transaction, unlike CVC.
96 comments
[ 3.7 ms ] story [ 1130 ms ] threadEdit: this is what I'm talking about: https://news.ycombinator.com/item?id=3962944 and https://randomfoo.net/2011/06/22/mastercard-securecode-and-s...
Looks like I misremembered the details. Still, super sketchy.
https://en.wikipedia.org/wiki/3-D_Secure
https://www.mastercard.com/gateway/payment-solutions/securit...
https://www.visa.co.uk/partner-with-us/payment-technology/st...
https://www.barclaycard.co.uk/business/business-matters/frau...
I assume fraud is minimal enough that the profit of convenience outweighs it.
The EU+UK and Visa/MasterCard have different policies for these. Low-value [1] contactless purchases only occasionally require a PIN, higher-value in-person purchases always do, and online ones require the 2FA system linked above.
[1] https://en.wikipedia.org/wiki/Contactless_payment#CVM_limit
I've bought things for 700-800$ that don't require any checks.
Online: SCA used to be wonky but today I pick up my phone and touch the fingerprint sensor, done.
It's hardly inconvenient, and we enjoy significantly lower transaction fees.
I was in salt lake city where it was trialed at Jamba Juices and other fast food merchants.
I remember going to the US in 2015 and 2016 and while Apple/Samsung Pay had started to gain traction, the idea of tapping my card to pay was still science-fiction.
In the UK, they also have additional verification steps, which can cause some issue when they go async to a payment system that expects to get a verification immediately.
I've had Apple take payment twice because the 2FA verification text took too long to come through from a phone order for collection and I ended up buying the item in the store.
UPI, India's smartphone/app based payment system also requires entering a PIN to make the payments.
The CVC is smaller in size and located on the rear of the card to defeat snooping via over the shoulder/cctv/cameras..
Everything about banking in the USA was seemingly decades behind my experiences in Northern Europe, so it may take a while for American banks to figure out credit card 2FA… (They still regularly use paper checks in America. Bank transfers don’t exist. Many operations require a visit to a bank branch, of which there are absurdly many. I’m surprised they didn’t have mechanical calculators.)
In this case you need to log in to your bank website and accept the transaction.
https://www.bankid.no/en/company/
It's also used as a general digital ID provider.
Any transactions using non-indian banks or cards go through without asking any OTP.
Edit: And bank transfers do exist, I don't know how you can get away with just flat out asserting they don't. That's ridiculous. Wire transfers are very old but still supported for a fee, and ACH transfers are ubiquitous. They aren't as quick and easy as in Europe, but they certainly do exist. Zelle is also a pretty recent cross-bank platform for transfers that has made things much easier.
Or, say, the fees paid for your child's karate class?
Or a 'cash' gift for a teenage nephew?
Those are/were cases where cheques were used in Britain, but the first and second are now often a portable chip debit/credit card reader, or else an electronic transfer. The third could still be a cheque, or could be an electronic bank transfer.
(No-one has paid by cheque in a shop since about 2011, when the system to protect against fraud in this case was removed.)
I forgot a third development, which is thanks to Stripe and other mobile-friendly payment processors. All you need is a smartphone, and they send you a mini card reader that plugs into your phone. I see them all the time at farmers markets and even paid for a tow truck using one once.
> Or a 'cash' gift for a teenage nephew?
Kids these days use Venmo or rarely paypal. I don't like them and my family uses Zelle to send money to each other from our different banks. Same when we do collections at work for an employee's retirement gift, the organizer just sent their mobile and asked everyone to send money through Zelle. People even pay their landlords with Zelle now.
Did you mean Square? They were one of the first (if not the first) payment processors, iirc, to make it easy for merchants to offer card-swipe to customers, via the mobile phone attachment you mentioned.
If it's possible, this functionality must be extremely well hidden.
Wire transfers aren't the same as European-style bank transfers because they're slow, expensive and seem to have weird manual validation steps.
Zelle is a proprietary kludge that has very low transfer limits, and most people don't seem to know it exists. I certainly wasn't able to pay my Manhattan rent using Zelle, so it's not a replacement for bank transfers either.
Having worked closely with multiple banks' credit card departments, this assertion is incorrect. American banks (and merchants) choose to not implement more security for card-not-present transactions because it meaningfully dents conversion rates for online commerce. Same goes for credit card PINs which are extremely common in Europe but rarely seen in the US. Most merchants and banks are okay with a non-zero level of fraud because stricter fraud prevention methods negatively impact user experience.
Here's an article going into more depth about the tradeoffs involved: https://bam.kalzumeus.com/archive/optimal-amount-of-fraud/
To put another one out there, there's no universal and practical way to electronically transfer money from one person to another. The only options are cash, checks, wire transfers and ACH. Wire transfers are expensive and ACH is difficult to use.
In the SEPA area you can transfer money to anybody else within about a day for the cost of a local transfer (usually free) with nothing but an IBAN (which can be freely-given, unlike a US bank account number).
Plus, the US has been behind for a long time for card-present transactions as well. Only in the past few years have chips started to see widespread use.
The FedNow system, scheduled to roll out next year, is designed to fulfill this purpose.
https://www.federalreserve.gov/paymentsystems/fednow_about.h...
This is only true for retail banking, not business banking.
The rule of thumb about the US financial system is that it goes out of its way to facilitate commerce between consumers and businesses (debit cards, credit cards), where intermediaries can take a cut of each transaction and the liability for fraud is clearly defined (merchants are generally liable for fraud and consumers have recourse in the form of chargebacks).
Conversely, retail to retail customer transactions have higher likelihood of fraud, a costly chargeback or reversal process and hardly make any money for the banks.
I'm glad US banks don't require me to install proprietary apps on my phone.
It's impressive how far behind US financial institutes are.
Paying online without a code from SMS or push notification is an exception, usually happens when you save your payment method when buying something through a well known giant like PayPal or Steam.
It seems this is yet another example - didn't even realise US cards didn't have 2FA for online transactions.
I am a heavy credit card user, and over my lifetime I've only had two instance of unauthorized purchase. Both times, the bank caught it algorithmically and prevented the purchase anyway.
We do too. And much cheaper transaction fees.
Fraud isn't your bank's problem, customers are paying for it.
Fraud rates on credit cards in the EU are 3.6 cents per 100 euro
The difference is 6.65 cents/100 which is 0.0665%
So, it isn't fraud losses that explain the difference in processing rates between the US and EU
(numbers from 2019)
https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudre...
https://nilsonreport.com/upload/content_promo/NilsonReport_I...
Anyway the European report is very interesting because it shows that ATM and POS fraud is fairly marginal in Europe, which justifies pushing better SCA mechanisms as the most effective way to reduce fraud.
It is pretty funny when I use my US credit card abroad and the payment terminal spits out a receipt I have to sign. So many confused people on restaurant waitstaff xD
What do you mean? Credit cards are incredibly rare in European countries, and all that i know of don't have any option outside of paying it in full at the end of the month.
FWIW, all the cards I see on their French site are described as:
> Une carte de paiement internationale à débit
https://www.americanexpress.com/fr/carte-de-paiement/types-c...
and a search for 'crédit' returns no results.
It's easy to see there's a huge variance in people with a credit card. Even the 5% rate in Albania is hardly "incredibly rare": https://www.statista.com/statistics/968220/credit-card-owner...
Picking the lowest EU country on that list (Lithuania, 12%), the first bank I found has a 45 day interest-free credit period, and a 14-17% interest rate if you borrow for longer: https://www.seb.lt/en/private/cards/mastercard-standard
Given the snails-pace rollout of contactless in the US, this seems like conjecture. Paying is much less hassle in Europe in my experience - having to sign paper, waiting for your card to be brought back? This is hassle.
You usually don't need to do this anymore though. I think I have eaten out in the US about 15 times this year, and never needed to hand out my credit card. Many restaurants have a QR code on the check that allows you to pay online. Some have credit card terminals on tables (Ziosk). Others let you pay at the register when you leave.
1. Ye, it'd be great if I could configure it to do 2FA on all online transactions. Does anyone know what exactly triggers 2FA?
2. I have an account with BTG Pactual (Brazil) and their virtual card gets a new CVC after each transaction, pretty cool.
AFAIK, 3DS is opt-in on the merchant side, as it requires integration work. Visa & MS are pushing the envelope by only insuring against fraud if 3DS is properly setup. If the merchant chooses not to implement it (and some have decided not to, to reduce checkout friction), they have to bear the financial risk of the fraudulent transactions.
One of my banks embeds their login form, which asks for a portion of your login credentials (probably secure enough in recent browsers, but still a bit yucky). My other bank requires transactions to be approved in the account management interface (either via their mobile app or by logging into their website in another tab). Other banks use one-time-password generators for their website, and reuse that system as their second factor.
as in physically getting hold of a SIM card and putting it into another phone? That's what SIM PIN codes are supposed to protect against, but nobody uses them anymore because they are disabled by default now and set to 0000. But you can still do it, every SIM has a PIN and PUK codes.
But SMS isn't 100% secure for different reasons though.