Tell HN: Automatic fraud detection is making my life hell
Yet, many online services are giving me hell with their "smart" anti fraud detection and things like that, at this point I can really understand the position of the people who are dooming about cashless society, because at some point here I felt trapped not being able to get services I needed so much (until I asked shop owner to pay for me and I paid him in cash + small profit...).
The thing is, the attitude of these companies is so frustrating; like if my card was already accepted once and I successfully approved the payment via 3D secure with my bank, who are you (as a random online service) to assume you can act as my big brother? Even more, if I'm using a balance paid by gift card, who give Amazon or other services the right to put my account on hold while it still contains my hard earned money (I had to try literally multiple services just to buy expensive gift card as Amazon payment won't allow me to choose the correct currency of my Card). Mind you, I'm just a random guy and not world class criminal, or an Activist who's being actively targeted, this make me wonder what these services can do once we go completely cashless.
Simple tasks like downloading region-specific Indian apps become unnecessarily complex, as Google play have this "smart" rule that says I can only change my region once per year, what?? It's just an app just give me the apk, and you can just ask for my location! (I had to install the apks from some random websites at risk of getting some malware...).
I would said what this experience taught me as a developer, but it won't matter, as most products are designed to help the stake holders and upper managers and even Governments, and a dev's empathy won't matter much...
Apologies for this vent, but I really felt I need to post something about this frustrating situation I'm in.
405 comments
[ 2.3 ms ] story [ 273 ms ] threadMy bank locked my credit card once due to suspected fraud. I asked what triggered it and they said "You never buy gas on this card". This was 15 years ago and I'm sure the algorithms have only gotten better.
A different bank used to ask you to tell them if you were planning on traveling so that your card would continue to work, they stopped doing it and said that they had improved their fraud detection and this was no longer necessary. My guess is that they take the data provided by airlines[0] when you book a flight and use that to tell where and when you're traveling.
[0] https://www.marqeta.com/blog/data-details-what-is-level-1-2-...
As a fellow world traveler / international worker, I do still think this is wrong-headed on the part of the banks, but it's the current paradigm in which we all operate.
In the past it helped for me to call my banks and let them know I am traveling "for the next year" and to ease up on the fraud protection. But now with more and more layers of fraud protection, it's often not my bank that's the gatekeeper.
It's things like not being able to download a local version of an app, or not being able to get a local payment account (like as in UPI payments in India, I don't know if its hard for foreigners to get that specifically but in other countries it can be very difficult without being integrated into the local payment platforms)
P.S. - Re: location services...I like the catchphrase "Any device you truly own would lie on your behalf. If it won't lie for you, you don't own it." I should be able to tell my iPhone to report my location wherever I damn well want to pretend to be.
Like what? I've never encountered this.
That was entertaining and embarrassing because the machine was returning "insufficient funds" for a $2 ice cream, while I'm scrambling in the app trying to figure out how to turn that shit off.
My OpenVPN runs on a Digital Ocean droplet and I use it to tunnel into my home network, but having a direct route might be better.
If it's a webserver you can do the same, or use something like Cloudflare tunnels to expose the service.
Not saying that's for everyone but I do feel like the default should be to click the two buttons in your router interface and third parties a fallback option or conscious choice. Probably just as quick as signing up for tailscale, if it weren't for that all routers feel like they need to reinvent a UI so it's never twice the same
I had this issue recently trying to enable port forwarding on a comcast router, which is no longer allowed.
Turns out the answer is "stop the router from blocking ipv6 connections". You can just connect directly to whatever device you want over ipv6.
While shaking my head and muttering to myself that I guess this is where we are now.
It's like the risk threshold got a reset with the new issued plastic. Eventually the algorithm was trained I suppose, back it was back to where it was, and stopped getting alerts for anything out of the usual. This resonates with the experience of friends in the same bank, who hardly ever use their credit cards, so whatever they buy gets flagged and someone calls to make sure it's them.
Old fashioned banks who are behind the times in technology, but keep richer clients, are usually less annoying, both with the fraud algos thing and also the KYC stuff, and sometimes the difference is massive.
I don't think you meant it. But that is blaming the victim
A bit uncool
One of the main features of capitalism is you can dispose of your property as you like.
Seems to me you subscribe to the "customer is always right" mentality and if you knew anything about working in a customer facing fashion you would know just how wrong that mentality is.
From a bank's POV, they're losing billions of dollars to card fraud operations, and there are very clever fraudsters who do their best to be indistinguishable from legit users.
Legit users in rare situations (such as being cross-border) are often collateral damage. You can only understand what heuristic you're triggering by knowing a bit about patterns of fraud, which is an unreasonable demand on innocent consumers.
They are not trying to protect you. As a card holder you would not be damaged by fraudulant purchases apart from the inconvenience of reporting them. They are protecting themselves because if that transaction is later found to be fraudulant then they will have to return the funds and will likely be unable to recover the product they shipped or other costs incurred.
I am wasting so much time explaining that they need to contact their bank, and they waste so much time calling their banks… it's disheartening.
Wow amazing logic there
Sometimes I do wonder if there's one or two thinking neurons in the whole "fraud prevention" department of US banks or if they're just cargo-culting practices someone invented in the 70s
But it does not need to be that way and the government can and should help.
In my country (Brazil) banking is well regulated industry and we also have some good consumer laws. Both those things help a lot to show a clear impact of badly designed anti-fraud system to the banks. For example, the central bank has an online channel, where you can open a complaint, which the bank is obligated to answer/solve in 5 days and might get fined millions if they get lots of valid ones.
I used to get my card denied very often, with no heads-up or call to confirm. So I raised a complaint at the Central Bank, got an apology letter and call from my bank manager and I never again had my credit card blocked anywhere.
So many online stores will approve my purchase and bill the card with no issue, then cancel it a few hours later for vague security reasons. I remember when the credit card companies ran commercials about how easy and secure credit cards are, especially compared to checks, but now I feel like a criminal every time I try to use mine. I wonder if this violates any part of the merchant agreement that these stores are getting a 100% valid authorization on my credit card, but still aren't willing to accept my payment.
Anyway, they're doing you a service and notifying them is good etiquette. And like good etiquette, it often greases the wheels of commerce.
I did have success with a privacy.com card once, at a store that cancelled orders from all of my other cards. I'm guessing they see it as a prepaid card and can't get as much info on those.
you seem to be older. I used this too. Until 5 or so years ago. Now my bank just says i "don't have to notify them anymore as they don't have this in the system, since it is all automated for my convenience"
But yes, none of my credit cards (Chase, Citi, Amex) require (or even offer) travel notifications.
Also fun story about how your advice doesn't always work, I was locked out from my money multiple times on my honeymoon in Greece despite repeated calls to the bank, repeated unlockings of said account, “hi I am actually standing at an ATM in this bank branch, can we track this account lockup in real time?”... I think with all of the time on hold I actually might have spent something like 20+ hours in the trip trying to debug it over the several times it happened.
When we finally resolved it, I'm not 100% sure about the explanation, but it was something like “the person you called a week ago put in country code GE for Georgia rather than GR for Greece, and that is the first place everybody else who has serviced your request has probably looked, but they all probably thought GE was right because you have to memorize that DE is Germany and so people get confused real easily...”
And yet, I also have started to make preemptive contact with them to avoid the complete hassle of having the card blocked for fraud that is NOT fraud.
A bank account or a credit card is a relationship where you rent someone else’s infra to make payments. Makes sense to work together to minimise friction for both parties.
(I have no idea if they would work, I'm just curious)
1. Or OpenVPN on your router. It's probably to gove yourself a tunnel to your home-network you can use from your phone or laptop from anywhere in the world. Avoid default ports if you can.
I'm getting paid to develop and operate network infrastructure, I don't want to have a second job doing it without compensation.
Same thing if someone used a VPN.
It is probably exceptionally rare for a fraud protection algorithm to be in place to inconvenience and spite you. Rather, some ne'er-do-well has cooked up a bafflingly complicated scheme that looks like your legitimate business. Such is the tragedy of operating at scale.
I can't think of a payment hurdle for online purchases that I haven't been able to overcome in the past year or two while spending 99% of my time OCONUS.
I ask because I've thought of doing this but have always been worried Google would not only shut that account down but my main one as well.
India doesn't put heavy hammer on scammers for various reasons. For example, since the scammers are mostly targeting foreign countries, and Indian police are well known for accepting bribes from these scammers, the scamming business is de-facto welcomed. They are too short-sighted to not see that the "industry" is damaging India's global reputation, which transitively affects you in negative way. It's unfortunate, and hope the situation improves over the time.
[1] https://www.ftc.gov/news-events/news/press-releases/2023/02/...
Case in point: my US bank insists on sending an OTP to my US number (and US number alone) for any transaction, making it impossible for me to move money when abroad. The problem exists in the other direction too, my foreign account only allows verification thru one mechanism. It's really frustrating.
Of course it matters and of course they are.
Everything you describe and OP describes are frictions that apply by virtue of you not being in the US, on purpose.
Unfair or not, it actually makes a difference. I was in a neat position to see some of the attempts in real time. It blew me away how much attempted fraud there is. Think of it like spam email - it's that bad.
But there were on the order of 50x more attempts from bots trying to log into our Wordpress instance from India (all illegitimate) than from actual customers. It was ridiculous.
Strictly speaking it doesn't make it impossible. You have made a choice not to pay roaming fees while using your USA number while abroad.
You need to update your information and knowledge
Scammers, as a category, target everyone. You think Indians don't get conned into sharing their OTP/passwords or financial details?
> They are too short-sighted to not see that the "industry" is damaging India's global reputation
India has one of the lowest police officers to population ratios in the world. They are so swamped with day-to-day crimes and other nonsense and providing protection to events and politicians that India's "global reputation" is simply not on their radar.
You cannot buy a SIM for your phone or open a bank account without providing ten types of identity documents but these scammers seem to have an infinite supply of phone numbers and bank accounts. That is just the way things are.
Right, but it's a lens thing. US merchants don't care that they're also targeting non-Americans. They care about "target US people" as a subset of that.
Nowadays many scammers switch to digital concurrency like Bitcoin, which is even less traceable and hard to shut down, but that's only because banks and stores have put in the counter-measurements you encounter to combat them.
There are many scamming related materials available online. Many scam-baiters put their video on Youtube, such as Jim Browning [1] and Kitboga [2].
[1] https://www.youtube.com/@JimBrowning
[2] https://www.youtube.com/@KitbogaShow
It becomes a tense situation when you are trying to buy a flight that you absolutely have to take, and despite 4 different credit/debit cards you still can't get any purchase on multiple different airlines go through! I even tried to go to the offices, but they were often difficult to find, non-existent, or just not open at the times you'd expect them to be. And good luck trying to purchase on a telephone, between trying to dial in international number, bad connections, and language issues!
FWIW, I had the most success with debit cards. I suspect it's because international companies feel more comfortable with cash in hand, vs. an American CC which can be easily charged back.
"According to our records, you originally registered this account while in Russia, and there is no way to change the country of the account. So we will continue to apply sanctions to this account despite the well-confirmed fact that you have moved out for good. We will also not allow attaching any non-Russian debit cards to that account, as we generally prohibit attaching foreign cards to any account. Please make a new account and enjoy."
I eventually learned that what they meant by "invalid" was "sure, your payment information is already associated with your account, but it doesn't match the preferred card listed on your account".
Also:
> Yet, many online services are giving me hell with their "smart" anti fraud detection and things like that
To provide a contrarian opinion, credit card testing, free trial abuse, and other forms of fraud are a thing, so companies usually have to layer other anti-fraud mechanisms on top of 3D secure.
That being said, what service are you facing issues with? I do see Amazon as one of the listed services, but they do eventually remove such suspensions. (My experience was with AWS though.)
A recent incident at my child's school serves as a pertinent example. They transitioned from a traditional cash-based food delivery system to a new digital platform. While trying to register on this platform, I was prompted to provide an "email". I input my usual email address only to be met with an "invalid email" response. After multiple back-and-forths with both the school and the platform's support, I discovered that by "email", they actually meant a "Gmail account".
For context, I've been using my own domain for my email, which ends in .international, for over a decade now—longer than my 9-year-old child has been alive. Despite this, they deemed my email domain "new". The situation reached a head when the school's principal called me, trying to understand the issue. After explaining the situation, he assured me that the problem was on my end, stating that he had consulted with other teachers and they were in agreement that "<my domain name>.international" wasn't a "real platform".
It's like me attempting to demonstrate my possession of a private key for an SSL certificate to someone who lacks even a basic understanding of what a "browser" is, or who has never encountered terms like HTTP or HTTPS.
Another thought, more closely aligned with the original poster's point: if someone pushes to transition everything to a digital format, he must first understand what that means. For instance, if you're looking to gather email addresses, take the time to familiarize yourself with relevant RFCs. Understand that the local part of the email is determined by the user, not you. So, if I decide my email address should be "john with space here-doe!@#$%^&"@example.international, and I've set up my server to accept messages directed to this address, and given that IANA recognizes ".international" as a valid TLD, then it's a legitimate email. For clarity's sake, my actual email is of the format first.last@example.international, without any "non-standard" characters.
And as a connection to the OP - they are pushing for debit/credit cards society and when they make sure that all your money are with them and you don't have a single cent on you - they just cut you because you're just 0.001% and an edge case. But that is their point of view. From your point of view its like this: At home if my card stops working i can go to my bank the very next day and get it sorted. I can walk for 15 minutes and be at my mom's place where I can eat everything for free. The next day you are in another country where you don't know anybody and if your card stops there, they just leave you to the wolves. For them you're the edge case - 0.001%. For you - this is all your food, shelter, health. It feels a bit unfair.
In your other comment you mention that people handling email should be familiarising themselves properly with RFCs. Yeah. Maybe. Probably actually you're right.
Putting aside the problem of ehether they actually _have to_ or _will_ for a second. Do you think it's reasonable that the people at your child's school will? No, of course not. And they're the ones who will choose these providers. Not you.
To support digitisation is to support the tyranny of technical ignorance in every facet of our lives.
But in other cases the results are much more severe.
I got vaccinated for Covid. But I couldn't get a "Covid passport" because I didn't have the right government account and couldn't get one as I didn't have eligible housing. I literally had the "proof of vaccinations", but turns out that doesn't count as "proof". Great. You know what sucks more than a Covid lockdown? One where you see everyone else go out and have fun and you're allowed to do fuck all.
Even worse yet, by refusing to get a google account, you could be tried for child abuse, since the school won't feed your child if you won't agree to google's ToS.
I really hope you didn't acquiesce. And I hope you hired an attorney to fight these laughable and horrific abuses.
There are many payment methods around the world that have different rules, but for Visa, MC, and Amex cards issued by American banks, the merchant, not the card issuer, has the liability to repay fraudulent on-line purchases (so-called "card not present" transactions). The merchant is the one accepting the risk, not your bank. So they decide which transactions they will accept liability for and which they will decline and what you need to do to prove that their liability is low.
In addition, some second-factor systems (like possibly 3D secure) shift the liability from the merchant to the issuer when passed, but banking rules are arcane, and it is likely that 3D secure only shifts the liability for the one transaction that triggered it, and not any subsequent transactions.
It is a use for a Bitcoin like system
(The transaction costs, planet destroying character, and slow speed probably not Bitcoin)
It is the intersection of money laundering and normal requirements
Stopping crime by stopping money laundering will always have these problems, surely?
Is there a way to inhibit CC fraud, and money laundering without making life difficult for people who are in the tails of the distributions?
Even cash will not suffice as many places no longer accept it
Yes.
Money laundering detection inescapably relies on private actors making a pre-prosecution estimate of whether money was earned illegitimately.
Private actors have much less information available to them than real law public sector enforcement.
And even with full information, trials cannot be predicted deterministically so there will always a gap those publicly deemed guilty and those privately deemed guilty.
Those in later category will suffer unjust financial hardship.
Yes. Have better customer support and actually fix issues when they happen.
This ends up costing someone money.
I do not think it will be paid for by reducing profits...
...you and I will pay that bill
I believe so. The optimal amount of fraud is non-zero.
https://news.ycombinator.com/item?id=32701913
BR and CN both are painful for me for this reason. Try to use a credit card, they will try to SMS a phone number I haven't used in my bank for 3 or more years.
Now that OP tells us about IN i'm starting to see a pattern: for a fraud and insurance company, or being realistic, the payment processor middle man who offers those services at a loss, making their client lose a few sales while pushing their customers (you) to instant electronic payments (BR:pix, IN:UPI, CN:IBPS etc) is a much better deal (for the middle man)!
And then as to buying/using gift cards in India, on a non-Indian account, of course that's going to raise every suspicion under the sun, given that that's a mechanism used by some of the most prevalent scams in the world.
So I'm really confused, because this "vent" reads like somebody not going through the basic steps to use credit cards abroad, and then engaging in the biggest red-flag types of transactions.
And the fact that they're complaining the airport doesn't allow them to carry enough cash (isn't the limit $10K?) really raises red flags for me. If you need to transfer large amounts of money safely between countries to your family, that's what wire transfers or Western Union is for. That's been the case for many decades now.
The more I re-read this post, the less and less sense it makes.
2- It's not technically non-Indian account, I'm opening accounts using valid Indian mobile number (tied to my visa and a real address), I always disclose that I'm not Indian when needed.
3- I was even trying to open Indian bank account to transfer money but no success so far (while possible in theory as I understood).
There are legitimate reasons for not wiring money if that was even an option, because you don't pay the hospital large amount ahead, and when it's time there's not enough time to wire the money.
I still don't understand why you couldn't wire money though. That's what wiring money internationally is for. If timing with the hospital is an issue, you just wire yourself or your family member in advance -- that's usually more common than attempting to a the hospital directly. (And even if you do have to wire the hospital directly, you can provide proof of the fact that the wire was initiated from your bank.) The only problem I can think of with wiring money is the fact that the money is illegal or someone is trying to evade taxes or something. If the money is perfectly legal, then what is the problem?
This was their justification against wire transfers. Obviously I don't know how the accounts receivable department works in Indian hospitals because I've never been to India let alone a hospital there, but this strikes me as unusual. A couple days delay to pay large sums of money seems more than reasonable.
My boss and I spent several weeks in India talking to people and learning the cultural basics just to figure out how to price our products. If you want to sell there, you need extremely competitive pricing with discounts, in a very price-sensitive market. Like, if you know the coupon culture in the US, it’s like that times 100.
https://www.keycurrency.co.uk/SWIFT-transfer/
The verification and such required are difficult. Most cards do not allow you to load INR on them (local currency). So there are a lot of foreign transaction fees.
PayTM, pay through mobile, the country’s biggest online wallet, doesn’t allow you to charge money with a foreign card. This means that PayTM doesn’t work for foreigners. The only way to load money on a PayTM wallet as a foreigner is to have an Indian friend transfer funds with his or her local debit or credit card.
https://travel.economictimes.indiatimes.com/news/technology/...
There is a lot of anti-terrorism money laundering issues. Someone I know had their facial recognition stop working and they had to go to the bank to get it working again. In person. Traveling overseas? Sorry.
Citation needed. At least in my experience, over the last 12 months, the last time I saw "Apple Pay broken" was at one location, affected all tap-to-pay, and lasted for maybe 2 days.
I have seen them at Starbucks at airports and a few restaurants. A few people have issues with their Apple Pay. It’s probably an issue with the customer’s phone or setup and the employee wants to get on with their day, then they post a sign.
I hope it gets wider adoption.
https://nitter.net/search?f=tweets&q=apple+pay+not+working&s...
So I did an instant transfer to another bank account and used its debit card without a hitch, as usual.
Some banks just won’t let you use your money as you please. Your luck is in finding a bank that does.
For transferring thousands of dollars, that's what wire transfers are for, and basically every bank has supported them for decades. You shouldn't need any luck at all.
In my specific case, I needed cash to buy a used vehicle in a country where not everyone has a bank account, so your preconception about money may not apply here.
Wire transfers across borders are expensive and slow anyway. Remitly was available within minutes and at 0 cost (first transfer is free).
I tried that once, family member specifically. They ended up getting blocked too. Customer support told me to take a hike.