Tell HN: Automatic fraud detection is making my life hell

402 points by aiProgMach ↗ HN
I've been in India for a while now, to support family member as she's here for medical reasons. I rely on online services to save on cash especially that it's hard to carry cash from my country (for "security" reasons, as most airports limit how much cash you can carry).

Yet, many online services are giving me hell with their "smart" anti fraud detection and things like that, at this point I can really understand the position of the people who are dooming about cashless society, because at some point here I felt trapped not being able to get services I needed so much (until I asked shop owner to pay for me and I paid him in cash + small profit...).

The thing is, the attitude of these companies is so frustrating; like if my card was already accepted once and I successfully approved the payment via 3D secure with my bank, who are you (as a random online service) to assume you can act as my big brother? Even more, if I'm using a balance paid by gift card, who give Amazon or other services the right to put my account on hold while it still contains my hard earned money (I had to try literally multiple services just to buy expensive gift card as Amazon payment won't allow me to choose the correct currency of my Card). Mind you, I'm just a random guy and not world class criminal, or an Activist who's being actively targeted, this make me wonder what these services can do once we go completely cashless.

Simple tasks like downloading region-specific Indian apps become unnecessarily complex, as Google play have this "smart" rule that says I can only change my region once per year, what?? It's just an app just give me the apk, and you can just ask for my location! (I had to install the apks from some random websites at risk of getting some malware...).

I would said what this experience taught me as a developer, but it won't matter, as most products are designed to help the stake holders and upper managers and even Governments, and a dev's empathy won't matter much...

Apologies for this vent, but I really felt I need to post something about this frustrating situation I'm in.

405 comments

[ 2.3 ms ] story [ 273 ms ] thread
A workaround (edit: in some of those cases): Setup a Tailscale exit node in the country where you're normally located - with a residential IP. E.g. in your apartment back home, or at a friend's.
This might help in specific cases yes, but in case of websites that give physical services (e.g delivery of products) it won't help much
In this case it might actually make it worse. Why are you suddenly, while in the US (for example), ordering physical services in India?

My bank locked my credit card once due to suspected fraud. I asked what triggered it and they said "You never buy gas on this card". This was 15 years ago and I'm sure the algorithms have only gotten better.

A different bank used to ask you to tell them if you were planning on traveling so that your card would continue to work, they stopped doing it and said that they had improved their fraud detection and this was no longer necessary. My guess is that they take the data provided by airlines[0] when you book a flight and use that to tell where and when you're traveling.

[0] https://www.marqeta.com/blog/data-details-what-is-level-1-2-...

My favorite was the time I used my Disney credit card to book a trip to Disney World - flight, hotel, tickets, everything. No problem. Then I get to Disney World and my card gets locked when I try to buy a churro because I used my card in a new location.
Not to mention the number of apps (and increasingly websites) which will require location services. So now you have a GPS location in India, and you're making credit card purchases alternating between USA IP's and India point-of-sale machines (and presumably sometimes Indian IP's for apps/sites that might block USA IP's) throughout the day.

As a fellow world traveler / international worker, I do still think this is wrong-headed on the part of the banks, but it's the current paradigm in which we all operate.

In the past it helped for me to call my banks and let them know I am traveling "for the next year" and to ease up on the fraud protection. But now with more and more layers of fraud protection, it's often not my bank that's the gatekeeper.

It's things like not being able to download a local version of an app, or not being able to get a local payment account (like as in UPI payments in India, I don't know if its hard for foreigners to get that specifically but in other countries it can be very difficult without being integrated into the local payment platforms)

P.S. - Re: location services...I like the catchphrase "Any device you truly own would lie on your behalf. If it won't lie for you, you don't own it." I should be able to tell my iPhone to report my location wherever I damn well want to pretend to be.

>Not to mention the number of apps (and increasingly websites) which will require location services.

Like what? I've never encountered this.

My bank has a mode that prevents purchases from merchants more than "100 km from me" ... it turns out the ice cream truck from another city was "more than 100 km from me".

That was entertaining and embarrassing because the machine was returning "insufficient funds" for a $2 ice cream, while I'm scrambling in the app trying to figure out how to turn that shit off.

I have a Raspberry Pi at home running an OpenVPN server, and a client config for each of my devices, and it's been extremely useful ever since.
How do you expose the Raspberry Pi so that you can reach it from the outside internet?

My OpenVPN runs on a Digital Ocean droplet and I use it to tunnel into my home network, but having a direct route might be better.

If it's openvpn you can just port forward from your router to the RaspberryPi's internal ip address.

If it's a webserver you can do the same, or use something like Cloudflare tunnels to expose the service.

Or, like the original post said, use Tailscale, which can punch a hole through the NAT for you.
Port forwarding is easy and self-reliant compared to using a third party's free service though

Not saying that's for everyone but I do feel like the default should be to click the two buttons in your router interface and third parties a fallback option or conscious choice. Probably just as quick as signing up for tailscale, if it weren't for that all routers feel like they need to reinvent a UI so it's never twice the same

Not everyone can get port forwarding, though. If you're stuck behind one of those terrible CGNAT+no IPv6 ISPs, you can't host your own services from home that easily. There are more of those shit tier internet providers out there than you'd hope or expect.
> How do you expose the Raspberry Pi so that you can reach it from the outside internet?

I had this issue recently trying to enable port forwarding on a comcast router, which is no longer allowed.

Turns out the answer is "stop the router from blocking ipv6 connections". You can just connect directly to whatever device you want over ipv6.

Port forwarding in my home router. I have it forwarded to 53 UDP since some public networks have firewalls, but the DNS port is almost never blocked.
Every time I travel abroad, some company's poorly thought out software goes bonkers and then it becomes my problem to solve. Hey, companies: People travel. Sometimes very frequently. This is not an edge case or an obscure P3 bug. If you're assuming that a mere sudden change in IP to a different country is "suspicious" then you're doing it wrong. Your software is a mess and can't seem to deal with it. Maybe take a break from cramming unwanted features and go fix some unglamorous bugs for a change.
One thing I try to do to avoid this is to always make a purchase at the airport before I go overseas. This seems to calm down the algos a bit. I used to go through this a bunch too.
Great idea, spend your money to earn the privilege of spending your money later.
I hear you- but buying a coffee or magazine I wanted anyway isn't such a big price to pay to help ensure I'm not in an annoying situation where my card is declined somewhere and I have to call internationally to get it sorted.
I do the same, and again when I land. Try to double down on signaling to the black box.
That is a great idea and as another frequent traveler I’ll take this to heart.

While shaking my head and muttering to myself that I guess this is where we are now.

One day my card got cloned and I see some withdrawals from a foreign country. I promptly report it, transactions reversed and the bank issued a new card. After this, I was getting fraud alerts and either informative or confirmation SMS when that was triggered in the past. It seemed to follow whenever a transaction passed $100, then $500, then $1000 and a certain frequency or off-hours.

It's like the risk threshold got a reset with the new issued plastic. Eventually the algorithm was trained I suppose, back it was back to where it was, and stopped getting alerts for anything out of the usual. This resonates with the experience of friends in the same bank, who hardly ever use their credit cards, so whatever they buy gets flagged and someone calls to make sure it's them.

Old fashioned banks who are behind the times in technology, but keep richer clients, are usually less annoying, both with the fraud algos thing and also the KYC stuff, and sometimes the difference is massive.

“It approves of rereading.”

    I had to try literally multiple services just to buy expensive gift card
So instead of contacting your bank or Amazon, you did the most money-laundering-looking thing you could do. Heckuva job there!
hmm no, my bank is fine, Amazon customer service told me they won't accept my card, that was the only option, but excuse me, how is 100-200$ gift card is money laundering?
Buying gift cards with stolen credit cards is like fraud/money laundering 101. The amount is not really a differentiator either because a lot of carders will run smaller test transactions to see if the card is still active.
I work in fraud detection in the US and the number of people that end up making their legit purchases look like fraud is way too high.
How do we solve that?
You provide the most accurate and valid information you can when placing an order online.
> I work in fraud detection in the US and the number of people that end up making their legit purchases look like fraud is way too high.

I don't think you meant it. But that is blaming the victim

A bit uncool

One of the main features of capitalism is you can dispose of your property as you like.

Oh but the victim is usually the problem. PEBKAC is a thing. If you use a VPN, fake name, and aliased email to place an order online you can't really complain when the company cancels your order for looking suspicious.

Seems to me you subscribe to the "customer is always right" mentality and if you knew anything about working in a customer facing fashion you would know just how wrong that mentality is.

ah, and that is our problem now? If I like to use my browser with uBlock, buying a gift card on a sunday 4am right, sharing data from my phone, different city and with my new laptop, it is still your problem for not letting it go through.
If you use a VPN, fake name, and aliased email to place an order online you can't really complain when the company cancels your order for looking suspicious.
tip regarding google play, each account can have an independent region, create a new google account and set it to your new location, keep the original where it was, it has 0 impact on how you use the apps after installation, if the app uses google auth you can login with either accounts
It is frustrating. From a consumer's POV, the system just denies you stuff for no apparent reason.

From a bank's POV, they're losing billions of dollars to card fraud operations, and there are very clever fraudsters who do their best to be indistinguishable from legit users.

Legit users in rare situations (such as being cross-border) are often collateral damage. You can only understand what heuristic you're triggering by knowing a bit about patterns of fraud, which is an unreasonable demand on innocent consumers.

> who are you (as a random online service) to assume you can act as my big brother?

They are not trying to protect you. As a card holder you would not be damaged by fraudulant purchases apart from the inconvenience of reporting them. They are protecting themselves because if that transaction is later found to be fraudulant then they will have to return the funds and will likely be unable to recover the product they shipped or other costs incurred.

I run a SaaS based in the EU. Most of my US customers have problems with their subscriptions, because US banks automatically assume that any "foreign" charge must be fraud, and block it.

I am wasting so much time explaining that they need to contact their bank, and they waste so much time calling their banks… it's disheartening.

> because US banks automatically assume that any "foreign" charge must be fraud, and block it.

Wow amazing logic there

Sometimes I do wonder if there's one or two thinking neurons in the whole "fraud prevention" department of US banks or if they're just cargo-culting practices someone invented in the 70s

This happens because the cost of developing (or buying) good software and people to build a decent anti-fraud system is very clear to measure and the impact of the false positives is not. Also, as credit card fraud is usually the bank's responsibility, it makes sense for the leaders of that area to go towards more false positives than false negatives.

But it does not need to be that way and the government can and should help.

In my country (Brazil) banking is well regulated industry and we also have some good consumer laws. Both those things help a lot to show a clear impact of badly designed anti-fraud system to the banks. For example, the central bank has an online channel, where you can open a complaint, which the bank is obligated to answer/solve in 5 days and might get fined millions if they get lots of valid ones.

I used to get my card denied very often, with no heads-up or call to confirm. So I raised a complaint at the Central Bank, got an apology letter and call from my bank manager and I never again had my credit card blocked anywhere.

My problem is different, the bank approve my payment after 3D secure check, the offender is the service provider, they cancel the order and issue a refund with a vague statement!
The cost of false positives is obvious though: lost custom?
It is obvious but not easy to measure. And companies act like what is not easy to measure doesn't exist.
I move to random corners of the world every 2-3 years and this is starting to give me real anxiety every time I try to make a purchase. One of my credit cards makes me jump through all of the verification and "Was this really you?" messages, then still locks my account half the time.

So many online stores will approve my purchase and bill the card with no issue, then cancel it a few hours later for vague security reasons. I remember when the credit card companies ran commercials about how easy and secure credit cards are, especially compared to checks, but now I feel like a criminal every time I try to use mine. I wonder if this violates any part of the merchant agreement that these stores are getting a 100% valid authorization on my credit card, but still aren't willing to accept my payment.

I found that notifying my providers of upcoming moves eliminates this. Call them, tell them what you're doing and ask their advice (b/c there may be something you overlooked or they may have special problems of their own).

Anyway, they're doing you a service and notifying them is good etiquette. And like good etiquette, it often greases the wheels of commerce.

That does help a bit with the banks, but I've not had any luck at all with the stores who cancel my orders after the payment goes through. They refuse to budge, assuming I even get a response, and won't give me any information about why my orders are cancelled, citing more vague security reasons.

I did have success with a privacy.com card once, at a store that cancelled orders from all of my other cards. I'm guessing they see it as a prepaid card and can't get as much info on those.

Neither my bank nor my credit card company even want pre-notification at this point and don't provide a way to do it at this point. I admittedly haven't had issues either internationally or in the US for quite a few years at this point, but I always carry a varied set of credit cards when traveling.
Stores are not payment processors and don’t want to be due to compliance reasons. You’d have to ask who is processing their payments and contact those people and have the store also contact them most likely and that still doesn’t mean you’ll get anything done.
The way the incentives work, if a store is mostly sure you're legit, that's not good enough and they would lose money if they served people indistinguishable from you; if their margins aren't huge, even being 90% sure may not be good enough.
> I found that notifying my providers of upcoming moves eliminates this.

you seem to be older. I used this too. Until 5 or so years ago. Now my bank just says i "don't have to notify them anymore as they don't have this in the system, since it is all automated for my convenience"

Not so much. Many credit unions, including mine, still seem to require it (and absolutely have flagged transactions and our cards when we've forgotten).

But yes, none of my credit cards (Chase, Citi, Amex) require (or even offer) travel notifications.

Note that this is about large tech service providers “taking this into their own hands.” The basic problem is that a lot of these companies deal with people who store their card information and then use an insecure password or so, or reuse the password at a different website... Someone else gets into the account and requests a transaction to a new address.

Also fun story about how your advice doesn't always work, I was locked out from my money multiple times on my honeymoon in Greece despite repeated calls to the bank, repeated unlockings of said account, “hi I am actually standing at an ATM in this bank branch, can we track this account lockup in real time?”... I think with all of the time on hold I actually might have spent something like 20+ hours in the trip trying to debug it over the several times it happened.

When we finally resolved it, I'm not 100% sure about the explanation, but it was something like “the person you called a week ago put in country code GE for Georgia rather than GR for Greece, and that is the first place everybody else who has serviced your request has probably looked, but they all probably thought GE was right because you have to memorize that DE is Germany and so people get confused real easily...”

When I worked at a bank, I heard that the travel notifications weren't actually used by the fraud department at all and were just there as window dressing to make the customer feel better.
Having to contact the provider to spend one's own money is simply outrageous.

And yet, I also have started to make preemptive contact with them to avoid the complete hassle of having the card blocked for fraud that is NOT fraud.

If you were talking about asking someone’s permission to surfs your own cash money, that would be outrageous.

A bank account or a credit card is a relationship where you rent someone else’s infra to make payments. Makes sense to work together to minimise friction for both parties.

If you’re free to be scammed out of your money, with no repercussions to others, sure it’s unreasonable to stop you. But with (American) credit cards, it’s the backing financial institution that bears the burden of fraud; merchants accepting fraudulent transactions are punished as well.
Have you tried the temporary/virtual card numbers?

(I have no idea if they would work, I'm just curious)

When I was traveling abroad, I placed an order on Walmart, shipping to my home address, so that it would be there for me when I got back home. Walmart cancelled the order, "due to location restrictions on placing and shipping orders", even though the delivery address was in the US! I have no idea why the physical location of the computer placing the order should matter to Walmart. Eventually I just had to get my friend order for me.
A tailscale node on your AppleTV at home will fix the issue for you.
Wireguard on a $15 Raspberry Pi Zero works as well[1], for those who don't have AppleTVs.

1. Or OpenVPN on your router. It's probably to gove yourself a tunnel to your home-network you can use from your phone or laptop from anywhere in the world. Avoid default ports if you can.

Tailscale is wireguard, just with outsourced admin.

I'm getting paid to develop and operate network infrastructure, I don't want to have a second job doing it without compensation.

The only admin work I ever do is generating a new config when I get or replace a peer device. I imagine this is inescapable even on Tailscale? Are there specific, recurring tasks that you think would cause it to rise to the level of a second job, rather than a once-and-done 5 minute install?
The fact you have to state avoid default ports if you can kinda really highlights why this is not the best idea right?
Shopify does use the IP location distance Vs shipping address as a risk factor for fraud. I see it often on my Shopify stores where they will flag an order as high risk for that reason.

Same thing if someone used a VPN.

I don't know how the numbers break down, but plenty of people that buy credit card numbers are happy to orchestrate a scheme to ship packages to the US and have someone forward them to the scammer. Or steal them off your porch.

It is probably exceptionally rare for a fraud protection algorithm to be in place to inconvenience and spite you. Rather, some ne'er-do-well has cooked up a bafflingly complicated scheme that looks like your legitimate business. Such is the tragedy of operating at scale.

Name and shame so we can avoid if we choose?
I've had the best luck sticking to ApplePay, PayPal as the backup, and finally my CC (the Apple Pay one).

I can't think of a payment hurdle for online purchases that I haven't been able to overcome in the past year or two while spending 99% of my time OCONUS.

Another workaround: As far as Google Play is concerned just create new accounts and add them to your phone. I have this setup because I end up having to download region blocked Australian, UK and German apps.
Doesn't that then put you at risk of Google's anti fraud measures, which, in my opinion, is much more difficult to work around? At least with your bank you can call them and eventually get it resolved.

I ask because I've thought of doing this but have always been worried Google would not only shut that account down but my main one as well.

You do understand India is a country with huge number of scammers who targets US people, and they are causing US billions of dollars of damage [1] each year? Sure, you might not be a criminal, but how would these companies know? Plus, since you mention "gift card", you do know that scammers use gift cards to launder money, right?

India doesn't put heavy hammer on scammers for various reasons. For example, since the scammers are mostly targeting foreign countries, and Indian police are well known for accepting bribes from these scammers, the scamming business is de-facto welcomed. They are too short-sighted to not see that the "industry" is damaging India's global reputation, which transitively affects you in negative way. It's unfortunate, and hope the situation improves over the time.

[1] https://www.ftc.gov/news-events/news/press-releases/2023/02/...

Your comment takes an (unfair IMO) position that it somehow matters what country the OP was in. It's not like the auth systems are designed for higher scrutiny in specific countries. There is more than one way to confirm identity, but somehow BigTech and Co keep assuming a happy path environment for you.

Case in point: my US bank insists on sending an OTP to my US number (and US number alone) for any transaction, making it impossible for me to move money when abroad. The problem exists in the other direction too, my foreign account only allows verification thru one mechanism. It's really frustrating.

>It's not like the auth systems are designed for higher scrutiny in specific countries

Of course it matters and of course they are.

Everything you describe and OP describes are frictions that apply by virtue of you not being in the US, on purpose.

I worked in the payment card industry for awhile a few years back. There are entire countries that are blocked by card providers due to fraud.

Unfair or not, it actually makes a difference. I was in a neat position to see some of the attempts in real time. It blew me away how much attempted fraud there is. Think of it like spam email - it's that bad.

I was the operator of a webserver for a small B2B shop for a number of years. We only had a couple dozen local customers, we hand-delivered custom orders with a dedicated truck. If you weren't local, there was nothing on that website that would have mattered to you.

But there were on the order of 50x more attempts from bots trying to log into our Wordpress instance from India (all illegitimate) than from actual customers. It was ridiculous.

Similar situation for a local small business I’ve worked for. Typically I’d respond to contact form spam with a notice to the source network. US-registered networks tended to reliably address the problem while IN- just ignored me, if their contact information worked at all.
> sending an OTP to my US number (and US number alone) for any transaction, making it impossible for me to move money when abroad

Strictly speaking it doesn't make it impossible. You have made a choice not to pay roaming fees while using your USA number while abroad.

Nope. I travel to EU often with roaming on. OTP SMSs for many services don't come through. It's a real pain.
Very strange. How about regular SMS? Are they dropped too? I had zero issues with TMo, and I don't even need roaming for this.
It's weird, regular SMSs do come through, as far as I know. It's hard to tell as I don't get many SMSs, mostly iMessage and Whatsapp. I'm on AT&T, and something about automated messages from those 5-6 digit numbers never show up when you want them to.
SMS on roaming can be a hit or miss. I travel internationally every year and I am always worried that some SMSs wont reach and it happens from time to time. I especially hate those product/services that only do SMS based 2FA.
Just FYI (because your OTP hell was my OTP hell until recently) if you fly to another country, disable roaming in the phone, and don’t make outbound calls, your phone will receive these OTP messages for free with most US cell providers.
Your comments are ill-informed as several remote terminal providers have joined with scam-baiters and India police to combat this...new as in the effort started in Jan2023.

You need to update your information and knowledge

Just because there are efforts to combat the problem to some degree does not mean the problem is solved or that there isn't a major problem to begin with.
> huge number of scammers who targets US people

Scammers, as a category, target everyone. You think Indians don't get conned into sharing their OTP/passwords or financial details?

> They are too short-sighted to not see that the "industry" is damaging India's global reputation

India has one of the lowest police officers to population ratios in the world. They are so swamped with day-to-day crimes and other nonsense and providing protection to events and politicians that India's "global reputation" is simply not on their radar.

You cannot buy a SIM for your phone or open a bank account without providing ten types of identity documents but these scammers seem to have an infinite supply of phone numbers and bank accounts. That is just the way things are.

> Scammers, as a category, target everyone. You think Indians don't get conned into sharing their OTP/passwords or financial details?

Right, but it's a lens thing. US merchants don't care that they're also targeting non-Americans. They care about "target US people" as a subset of that.

Laundering money using 100-200$ gift cards?
Absolutely. Walmart used to have a policy of refunding gift cards in cash. You'd buy many at one location, and return them at another. Less trackable. Gift cards are also used quite regularly in human/sex trafficking to control the victims.
A few years ago, gift cards are THE currency in scamming world for shifting funds between victim and money launderer. They would ask victim to go to 8 different department stores to buy as many gift cards as the store allows then tell them the card number. It's pretty normal the victim hands them over 20 $200 gift cards. And the scammers will keep phishing the victim over and over again until there is no more money to squeeze.

Nowadays many scammers switch to digital concurrency like Bitcoin, which is even less traceable and hard to shut down, but that's only because banks and stores have put in the counter-measurements you encounter to combat them.

There are many scamming related materials available online. Many scam-baiters put their video on Youtube, such as Jim Browning [1] and Kitboga [2].

[1] https://www.youtube.com/@JimBrowning

[2] https://www.youtube.com/@KitbogaShow

I have completely lost access to my Amazon account because I had the audacity to use a correct login and password from a recognized machine in a different part of the world from my shipping address. I called customer service and they said the only thing I can do is create a new account with a different email.
Strange. I live in Canada, and visit Brazil often. I have never had any trouble using my only Amazon account to log in to Amazon USA, Amazon Brazil, or Amazon Canada. I have both Brazilian and Canadian addresses set up as shipping options on my account, and I often make purchases on Amazon Brazil while in Canada and have them shipped to the Brazilian address.
How old was your account when you lost access to it?
At least 15 years, but the past 7 years or so I only used it when I would receive a gift card for Amazon or had no other option for a specific brand's product. I think the last time I used it was 2 or 3 years ago. I'm sure that was a factor, but not being able to recover the account with the email address it's tied to doesn't make sense to me.
I did a year of travel worldwide in over a dozen countries, and I had the most problems using my credit and debit cards in India. Particularly online, even at large, legitimate businesses like major airlines.

It becomes a tense situation when you are trying to buy a flight that you absolutely have to take, and despite 4 different credit/debit cards you still can't get any purchase on multiple different airlines go through! I even tried to go to the offices, but they were often difficult to find, non-existent, or just not open at the times you'd expect them to be. And good luck trying to purchase on a telephone, between trying to dial in international number, bad connections, and language issues!

FWIW, I had the most success with debit cards. I suspect it's because international companies feel more comfortable with cash in hand, vs. an American CC which can be easily charged back.

That's how I effectively lost my Azure account.

"According to our records, you originally registered this account while in Russia, and there is no way to change the country of the account. So we will continue to apply sanctions to this account despite the well-confirmed fact that you have moved out for good. We will also not allow attaching any non-Russian debit cards to that account, as we generally prohibit attaching foreign cards to any account. Please make a new account and enjoy."

(comment deleted)
I live in California and nike.com just cancelled my last two orders without notice because they "couldn't verify my billing information", according to the chat rep. It's the same billing information I use everywhere for years.
Years ago I kept having Blizzard cancel my subscription to World of Warcraft because of unspecified problems with the payment information. I'd get locked out, I'd pay again, and a couple days later they'd be angry again over my invalid payment information.

I eventually learned that what they meant by "invalid" was "sure, your payment information is already associated with your account, but it doesn't match the preferred card listed on your account".

the 2fa with a phone number drives me crazy when i travel. I couldnt get into my accounts because of it on one trip. frustrating that sites assume you always have a connected phone. had this happen on a airplane too
(Tell HN:)

Also:

> Yet, many online services are giving me hell with their "smart" anti fraud detection and things like that

To provide a contrarian opinion, credit card testing, free trial abuse, and other forms of fraud are a thing, so companies usually have to layer other anti-fraud mechanisms on top of 3D secure.

That being said, what service are you facing issues with? I do see Amazon as one of the listed services, but they do eventually remove such suspensions. (My experience was with AWS though.)

Currently I'm at the 3rd attempt to unlock my account, let's see, hope you're right.
I lost my 25-years old Amazon account when their AI grew suspicious of my credit card. After spending several hours on the phone, sending countless batches of "documentation" and taking selfies in various difficult poses, I gave up and just use Walmart online and ebay now. Saved a lot of money btw.
I wholeheartedly support digitization, having been involved in the realms of development, system administration, and everything computer-related since my early days. However, what irks me is when I'm bound to use products or services from providers who fail to execute their roles properly despite being compensated for it.

A recent incident at my child's school serves as a pertinent example. They transitioned from a traditional cash-based food delivery system to a new digital platform. While trying to register on this platform, I was prompted to provide an "email". I input my usual email address only to be met with an "invalid email" response. After multiple back-and-forths with both the school and the platform's support, I discovered that by "email", they actually meant a "Gmail account".

For context, I've been using my own domain for my email, which ends in .international, for over a decade now—longer than my 9-year-old child has been alive. Despite this, they deemed my email domain "new". The situation reached a head when the school's principal called me, trying to understand the issue. After explaining the situation, he assured me that the problem was on my end, stating that he had consulted with other teachers and they were in agreement that "<my domain name>.international" wasn't a "real platform".

Wow, that is bonkers. Could you maybe get them actually to try sending you an email to that address and show them that, yes, you do receive the damnned thing?
I initially wrote a much longer comment, detailing multiple instances like these from just the past few months. But then I just deleted it because it will be too long. As for them - They will just tell "huh, he is hacker and can send fake emails from fake non-existing platforms".

It's like me attempting to demonstrate my possession of a private key for an SSL certificate to someone who lacks even a basic understanding of what a "browser" is, or who has never encountered terms like HTTP or HTTPS.

Another thought, more closely aligned with the original poster's point: if someone pushes to transition everything to a digital format, he must first understand what that means. For instance, if you're looking to gather email addresses, take the time to familiarize yourself with relevant RFCs. Understand that the local part of the email is determined by the user, not you. So, if I decide my email address should be "john with space here-doe!@#$%^&"@example.international, and I've set up my server to accept messages directed to this address, and given that IANA recognizes ".international" as a valid TLD, then it's a legitimate email. For clarity's sake, my actual email is of the format first.last@example.international, without any "non-standard" characters.

And as a connection to the OP - they are pushing for debit/credit cards society and when they make sure that all your money are with them and you don't have a single cent on you - they just cut you because you're just 0.001% and an edge case. But that is their point of view. From your point of view its like this: At home if my card stops working i can go to my bank the very next day and get it sorted. I can walk for 15 minutes and be at my mom's place where I can eat everything for free. The next day you are in another country where you don't know anybody and if your card stops there, they just leave you to the wolves. For them you're the edge case - 0.001%. For you - this is all your food, shelter, health. It feels a bit unfair.

Yeah I agree, the push towards digitalization combined with a lack of care for "edge cases" is kind of scary. People might say, oh, it only affects 0.3% but, in the US, that's roughly a million people so hardly trivial. The problem is that it is difficult to make truly flexible software and no-one has the financial incentive to do so. Increasingly, people don't even want to invest in humans at the edge to try and work around issues. Companies like google just ignore you.
And just in case - I am not that weirdo that just refuses google. No - I have google account, youtube premium, etc. But my google account is with my own email and not with gmail.com. I have microsoft, twitter/X, facebook, amazon, everything that you probably have. All sites. And I was there 10 years ago when .international was introduced. I remember few sites that don't accept it in the first year or two. Then everything went smooth. And 10years later someone is creating brand new site and limit the tld in the email to 3 characters :) The last company that I remember that was having problems was Activision/Blizzard. And when I wrote to them and pointed out that they are not potato but tech company and should watch for such things it took them about 1 month to fix all their sites/account management/billing.
I'm inclined to think that this is caused by prejudice against nonstandard TLDs which many, many services have; that it would work if the OP had their custom .com or .org domain.
Well in my opinion, this is what it means to support digitisation. It means accepting that these situations will become more and more commonplace. It is simply the price you pay.

In your other comment you mention that people handling email should be familiarising themselves properly with RFCs. Yeah. Maybe. Probably actually you're right.

Putting aside the problem of ehether they actually _have to_ or _will_ for a second. Do you think it's reasonable that the people at your child's school will? No, of course not. And they're the ones who will choose these providers. Not you.

To support digitisation is to support the tyranny of technical ignorance in every facet of our lives.

No, I think the situation is more nuanced than this. Why do the people at the school have providers who only accept gmail? Because some extremely technical people who understand exactly what they’re doing have led the web further and further into platform lock-in, and others go along with it.
Frankly, examples like GP's are a compelling argument for professional licensure for software developers, because "only accepting gmail addresses as valid emails" should be considered professional malpractice.
The effect will be marginal; it will just create a huge administrative bonanza, and the number of times where it will be used (i.e. software devs being "disbarred") will be few enough that it won't matter much in practice.
The purpose of licensure is that it effectively allows the licensed individual to hold themselves hostage in a negotiation. Without licenses, Management says "add feature X", and even though you know feature X is evil personified, you look at the pros and cons of implementing it or not, and you end up with "my professional conscience" vs "getting fired". With licenses, you end up with "every future job" vs "this job" which is quite a bit more balanced in the direction of "don't add evil feature X".
In this case it's relatively benign; the worst result is that they'll have to create a (free) gmail account to forward to their domain. It's annoying and stupid, bit in the grand scheme of things, acceptable.

But in other cases the results are much more severe.

I got vaccinated for Covid. But I couldn't get a "Covid passport" because I didn't have the right government account and couldn't get one as I didn't have eligible housing. I literally had the "proof of vaccinations", but turns out that doesn't count as "proof". Great. You know what sucks more than a Covid lockdown? One where you see everyone else go out and have fun and you're allowed to do fuck all.

Taken to the logical conclusion, this public school (which your child is compulsed to attend)is requiring you to agree to a private company's ToS and extreme data exfiltration and arbitration clauses, so your child can be fed.

Even worse yet, by refusing to get a google account, you could be tried for child abuse, since the school won't feed your child if you won't agree to google's ToS.

I really hope you didn't acquiesce. And I hope you hired an attorney to fight these laughable and horrific abuses.

> if my card was already accepted once and I successfully approved the payment via 3D secure with my bank, who are you (as a random online service) to assume you can act as my big brother? Even more, if I'm using a balance paid by gift card, who give Amazon or other services the right to put my account on hold while it still contains my hard earned money[?]

There are many payment methods around the world that have different rules, but for Visa, MC, and Amex cards issued by American banks, the merchant, not the card issuer, has the liability to repay fraudulent on-line purchases (so-called "card not present" transactions). The merchant is the one accepting the risk, not your bank. So they decide which transactions they will accept liability for and which they will decline and what you need to do to prove that their liability is low.

In addition, some second-factor systems (like possibly 3D secure) shift the liability from the merchant to the issuer when passed, but banking rules are arcane, and it is likely that 3D secure only shifts the liability for the one transaction that triggered it, and not any subsequent transactions.

This sort of thing is where I hope Bitcoin can help more people.
Yes, but there's still so much supporting software waiting to be built.
> This sort of thing is where I hope Bitcoin can help more people.

It is a use for a Bitcoin like system

(The transaction costs, planet destroying character, and slow speed probably not Bitcoin)

It is the intersection of money laundering and normal requirements

Stopping crime by stopping money laundering will always have these problems, surely?

Is there a way to inhibit CC fraud, and money laundering without making life difficult for people who are in the tails of the distributions?

Even cash will not suffice as many places no longer accept it

> Stopping crime by stopping money laundering will always have these problems, surely?

Yes.

Money laundering detection inescapably relies on private actors making a pre-prosecution estimate of whether money was earned illegitimately.

Private actors have much less information available to them than real law public sector enforcement.

And even with full information, trials cannot be predicted deterministically so there will always a gap those publicly deemed guilty and those privately deemed guilty.

Those in later category will suffer unjust financial hardship.

> Is there a way to inhibit CC fraud, and money laundering without making life difficult for people who are in the tails of the distributions?

Yes. Have better customer support and actually fix issues when they happen.

This ends up costing someone money.

> This ends up costing someone money.

I do not think it will be paid for by reducing profits...

...you and I will pay that bill

I only have two data points (well, three now with OP): but I susped this is on purpose.

BR and CN both are painful for me for this reason. Try to use a credit card, they will try to SMS a phone number I haven't used in my bank for 3 or more years.

Now that OP tells us about IN i'm starting to see a pattern: for a fraud and insurance company, or being realistic, the payment processor middle man who offers those services at a loss, making their client lose a few sales while pushing their customers (you) to instant electronic payments (BR:pix, IN:UPI, CN:IBPS etc) is a much better deal (for the middle man)!

Obviously I sympathize, but I find it extremely odd that OP is complaining about cards being declined but doesn't once explain whether he/she tried phoning their credit card to unblock? Because that generally works -- you call once, let them know you're traveling and where, and then your card works fine. Occasionally you have to call again for a specific high-value ($500+) transaction, but it's rarely more than a 5-minute phone call.

And then as to buying/using gift cards in India, on a non-Indian account, of course that's going to raise every suspicion under the sun, given that that's a mechanism used by some of the most prevalent scams in the world.

So I'm really confused, because this "vent" reads like somebody not going through the basic steps to use credit cards abroad, and then engaging in the biggest red-flag types of transactions.

And the fact that they're complaining the airport doesn't allow them to carry enough cash (isn't the limit $10K?) really raises red flags for me. If you need to transfer large amounts of money safely between countries to your family, that's what wire transfers or Western Union is for. That's been the case for many decades now.

The more I re-read this post, the less and less sense it makes.

1- The issue is rarely from the debit card it's always accepted, most of the times the payment will be cancelled from the service provider side

2- It's not technically non-Indian account, I'm opening accounts using valid Indian mobile number (tied to my visa and a real address), I always disclose that I'm not Indian when needed.

3- I was even trying to open Indian bank account to transfer money but no success so far (while possible in theory as I understood).

There are legitimate reasons for not wiring money if that was even an option, because you don't pay the hospital large amount ahead, and when it's time there's not enough time to wire the money.

Ah sorry, it was hard to understand what types of transactions you were talking about. Yes, the reality is that when you try to live in a foreign country and do non-touristy "resident" things like buy things online or pay bills, but when you don't actually have a work visa that allows you to open a local bank account -- the systems aren't built for that. And local merchants really do put themselves at the risk of scams -- even with debit cards, transactions can be reversed by banks (stolen debit cards are a thing), and then the merchant is out of merchandise and money. It sucks, and you just wind up having to rely on a friend or family member to do your online purchases. It's such a small group of people, that companies don't do much to support those edge cases.

I still don't understand why you couldn't wire money though. That's what wiring money internationally is for. If timing with the hospital is an issue, you just wire yourself or your family member in advance -- that's usually more common than attempting to a the hospital directly. (And even if you do have to wire the hospital directly, you can provide proof of the fact that the wire was initiated from your bank.) The only problem I can think of with wiring money is the fact that the money is illegal or someone is trying to evade taxes or something. If the money is perfectly legal, then what is the problem?

> because you don't pay the hospital large amount ahead, and when it's time there's not enough time to wire the money.

This was their justification against wire transfers. Obviously I don't know how the accounts receivable department works in Indian hospitals because I've never been to India let alone a hospital there, but this strikes me as unusual. A couple days delay to pay large sums of money seems more than reasonable.

wiring money via international accounts is instantaneous, last time I had wired money to me (last week). Or at least within an hour or two. The issue here, probably, is that there is usually a fairly large fee attached to it from the receiving bank. My bank, it's 25 bucks, flat rate. Each and every wire, even if it is 5 bucks being wired.
I'll take your word for it, a glance at google told me a wire transfer from a foreign bank will typically take about 2 days to clear, but I've only ever done wire transfers domestically. But yeah, a $25 fee might be the hold up, except if I'm understanding the OP, the wire transfer would be for costly medical care. Typically if I'm looking at paying a large bill, the bill blinds me from the pain of being nickel and dimed on fees. So I think we're probably not talking about paying $5 at 7-11.
It’s India. The land of the thrifty, always looking for a deal (cultural stereotype). It’s the reason so many US companies have a hard time breaking into that market though.

My boss and I spent several weeks in India talking to people and learning the cultural basics just to figure out how to price our products. If you want to sell there, you need extremely competitive pricing with discounts, in a very price-sensitive market. Like, if you know the coupon culture in the US, it’s like that times 100.

If I did not misunderstand what OP was saying, I think he is saying Amazon or other company hold his account but not the card issuing bank itself.
The problem is it’s in a foreign country which is about to pass up china for population. More people - more scams and pickpockets. The way we pay for things in the USA is very different. You pay with QR codes or apps. Most places in the US has Apple Pay broken sticker on them, does not accept any other method, wants cash, or a credit card.

The verification and such required are difficult. Most cards do not allow you to load INR on them (local currency). So there are a lot of foreign transaction fees.

PayTM, pay through mobile, the country’s biggest online wallet, doesn’t allow you to charge money with a foreign card. This means that PayTM doesn’t work for foreigners. The only way to load money on a PayTM wallet as a foreigner is to have an Indian friend transfer funds with his or her local debit or credit card.

https://travel.economictimes.indiatimes.com/news/technology/...

There is a lot of anti-terrorism money laundering issues. Someone I know had their facial recognition stop working and they had to go to the bank to get it working again. In person. Traveling overseas? Sorry.

> Most places in the US has Apple Pay broken sticker on them

Citation needed. At least in my experience, over the last 12 months, the last time I saw "Apple Pay broken" was at one location, affected all tap-to-pay, and lasted for maybe 2 days.

Unfortunately it’s not always as easy. Last year I tried to do a remittance of 3500€ and it failed on both a debit and credit card of my bank, blocking them. The bank called me to confirm the transactions, which I did. I tried again and they blocked the card again.

So I did an instant transfer to another bank account and used its debit card without a hitch, as usual.

Some banks just won’t let you use your money as you please. Your luck is in finding a bank that does.

Cards aren't generally meant for sending cash -- I honestly don't even know what you mean by sending a remittance using a credit card, or even a debit card. If you're talking about using e.g. Venmo or Zelle, they're generally intended for social transactions of tens/hundreds of dollars, not for thousands, and especially not for thousands cross-border.

For transferring thousands of dollars, that's what wire transfers are for, and basically every bank has supported them for decades. You shouldn't need any luck at all.

What does it mean “they’re not meant for it?” I have money on it, some site accepts the card, it works, it worked. The limitation you’re suggesting is purely theoretical.

In my specific case, I needed cash to buy a used vehicle in a country where not everyone has a bank account, so your preconception about money may not apply here.

Wire transfers across borders are expensive and slow anyway. Remitly was available within minutes and at 0 cost (first transfer is free).

> (until I asked shop owner to pay for me and I paid him in cash + small profit...).

I tried that once, family member specifically. They ended up getting blocked too. Customer support told me to take a hike.