People should have a separate card for online payments and have just enough money on it for a payment.
I know that I am naïve :)
Back to the article: Weak point was a password that lead to another merchant not using 3D secure.
It seems from the article that bad actors have fully automated system, so (big) merchants should have handle automatic login attempts from the same ip address with different accounts. I see it from our wordfence logs that ip rotation is not so quick so it could be handled with some permanent ip blocking.
Some have speculated that the entire credit card system is compromised, end to end. I think the real question is why NSA didn't intervene in the early 1990s. Online commerce was just beginning, and the importance of electronic funds transfer was obvious, but the method wasn't set in stone. NSA knew about public key crypto well before the rest of us did. They could have helped set up very secure electronic payments, but chose not to for unknown reasons.
> The data they took with the attempt of purchase is the card is still usable (not cancelled)
The payment flows should not distinguish between a nonexistent card, a cancelled card, and a valid card that needs 3D Secure. I bet the banks could even implement that without any cooperation on the part of the merchants.
I once had a person that was hired by my company and then started bragging about finding a way to add stored value to gift cards. Then come to find out they were under investigation by the FBI. This was a government contractor mind you, so the biggest security guard I’ve ever seen showed up to escort them out.
Payment processors don't allow just brute forcing all card numbers a.k.a. card enumeration or card testing [1][2] and card schemes penalise merchants and payment processors heavily if they don't take measures against it [3].
Related story and wondering if the OP may have been chasing red herrings. I recently noticed an unauthorized charge for a small amount on my credit card (something about FB/Meta). Likely someone probing the card to see if anyone would notice. I called the CC company, had them removed the charge, canceled the card and had them send me a new card (5-7 business days). With the brand new unused card (new CC number, new expiration date, new CVV), the fraudulent payments resumed (again FB/Meta). How is this possible? The reason: digital wallets. Your credit card number, etc. transfers via digital wallets even when you cancel the card. I again called the credit card company and this time, told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online. You have to speak to a human in a call center. You then have to sit through a lecture about how all your renewing payments are going to reset and you will have to re-establish them will all merchants. "Yes, I understand that. Please cancel the card and all digital wallets!" Then you have to hold for twenty minutes (why? what are they doing? manually canceling all the digital wallets?). The lesson I learned here is that canceling your credit card may not be what you think. Also recurring payments must be incredibly lucrative and canceling them must amount to a big loss in revenue. (Edited for grammar.)
> I again called the credit card company and this time, told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online.
This is highly dependent on your bank. For example, Bank of America lets you view and delete any cards that have been added to a digital wallet right on their website.
if it was a 0 or 1 dollar auth, its likely a fraud check done by said company to make sure you still exist.
one or more of those digital wallets are some subscription supporting thing, and if that auth failed or had an address mismatch or wrong kind of card, they will disable your account until you update your card.
It's a shame that a disputed charge doesn't result in the credit card company reviewing how the charge was processed, invalidating only the single saved token with a single merchant. That would save everyone a lot of time and money.
Credit cards as a while use a security model from...what, the 1970s? Sure, they've patched by adding the 3-digit CVC, but really? A huge industry can't do better than that? Honestly, it's pathetic...
Between 3DS for online payments and EMV for POS payments (both launched in the 1990s), payment cards could be plenty secure – if the industry were to decide to mandate them for every payment.
The fact that it hasn't is an interesting study in game theory and economics.
Okay but... so what? Authentication is a means, not an end. They seem to be missing that what matters at the end of the day is how much money/time/resources actually get lost, and who's on the hook for it. If that's negligible then isn't that mission accomplished? If we could live in a society where your name was enough and you didn't need a card number at all, and yet theft was still low and you still got your money back, that would be even better, not worse.
>As a consumer, I thought I was safe; when saving my credit card to a billion dollar valued european merchant, or when i purchase something from supermarket and ignore the receipt, but the reality is slightly different from that.
>I got the money back via chargeback in short time.
So as evidenced, you are protected by the fraud infrastructure. The bank ate the loss for the fraud and you were made whole. In the end, the banking system cares about fraud loss. And they are exceptionally good at finding the fraud. Making changes to the card payment system is extremely difficult, due to the vast scale of the systems, so without a very good justification that a particular change will move the needle on fraud rates, the banks will opt to not make the changes.
Quite often, the merchant is unfortunately the one eating the fraud, which is creating a bit of a principal-agent problem (in that the issuing bank earns interchange on every transaction, so if they aren't liable for fraud, their default incentive would be to just approve as much as feasible and figure everything out later via chargebacks).
3DS changes that calculus quite a bit, though, and in-person payments are usually the issuing bank's liability as well.
Virtual credit cards have been a thing for years. I remember bank of america or Citi providing them to me 15+ years ago. If I recall it was a java app or maybe even a standalone exe. Shocked they never took off more broadly.
Robinhood absolutely nails this. Best virtual credit card system I have ever used. So seamless. Can auth a card for one time use, 24 hours, or indefinite until you cancel. Such a great UI / UX
MBNA (which got bought out by Chase) had a Flash-based virtual card app back in the early 2000's. I really enjoyed using it. I also can't understand why they haven't taken off, especially in the world of Everything Is A Subscription we're living in now. I adored being able to set expiration dates and spend limits to save ugly negotiations about ending subscriptions.
If 3D secure was mandatory everywhere that would help a lot, but if I understand correctly, it’s not really used in the US and with them being so big, card issuers are largely forced to allow non 3D secure requests or their clients will be unable to use their cards for too many things.
So an enormously good anti-fraud mechanism is severely handicapped.
It’s really frustrating for most of the rest of the world.
I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?
Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.
No, the laws are different- and more consumer friendly in the US- so the US consumer behavior is different.
Back when credit cards were first starting out (which happened in the US) the US Congress passed a law- the Fair Credit Billing Act of 1974- that consumers were only liable for $50 of losses as long as they reported the missing credit card within 60 days of the end of the fraudulent billing cycle. This was back when credit cards purchases were all made on paper with the machine that went "kachunk" and transferred a carbon copy of your card- everything was done completely offline. That law has not been changed, in fact, most banks completely waive the $50 and don't hold card-holders liable for anything reported (basically, annoying a customer over $50 isn't worth it to the bank). Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit- but banks are still on the hook for all losses reported within 60 days of the end of the cycle. The result is that American banks have invested an enormous amount in real-time monitoring of credit card transactions, and are doing lots of stuff to monitor this- they care deeply since ultimately they are on the hook- but the consumer doesn't care. This is why US card's from the consumer perspective are so much laxer, because our banks have invested far more on the back-end because the consumer is held harmless in a way they aren't with European cards.
As a totally separate issue, the EU has regulated the amount of interchange fees that card-companies can charge, but the US has not capped them. The result is that US card-holders can get significant kickbacks for using cards (especially true for the top decile of wealth), in a way that is functionally impossible with EU issued cards that have capped interchange fees. There is a big lawsuit happening now to try and allow merchants to only accept low-fee cards (the standard VISA/MC/AMEX deal requires treating all cards equally, which gives them an incentive to push people to higher interchange cards). We will see what happens with that suit, but until then, American high-spenders can have much higher rewards on their cards, which also encourages greater use of the cards- and making them have less friction than the EU versions.
> I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?
The general idea is that if the conversion rate drop of a given security mechanism is higher than the average fraud rate, it doesn't make financial sense to deploy it.
However, at the industry-wide level, this is a pretty classical coordination problem, in that conversion rate only drops because there still is a simpler alternative around unless all merchants and banks were to enforce 3DS at the same time. If there's nothing more convenient left to move to, users will for better or worse have to learn the new, more secure thing, and conversion rates will go up again.
This is what the EU has done with mandating 3DS for many payments, but even there regulators have recognized that a 100% coverage is counterproductive, and there's a sweet spot somewhere in the middle.
As more evidence for the same general idea: US credit cards don't have PINs, because any individual bank introducing them would see a huge drop in usage rates since customers would just use their competitor's card without a PIN instead. In other markets, all cards have PINs (whether due to regulatory invention or card network incentive), and people have just gotten used to them.
IIRC, MasterCard SecureCode and Visa's verified-by-visa were more of a thing in the US maybe like decade or two ago? I think NewEgg and B&H did support it at one point? Afterwards, everyone has simply disabled the thing, and you simply get a wave-through by most issuers when shopping on foreign sites, where you get redirected to issuer's website, then back to the online shop, without having to type or confirm anything.
Back when it was a thing, it was quite a nightmare, where you had to register for a 3ds account, often separate from your normal online account, and keep a separate password etc. Then those iframe windows look exactly like the phishing websites, too.
Honestly, it's much ado about nothing. If the transaction is suspicious or likely fraudulent, today, you already get an SMS or an alert within bank's app on your phone. All you have to do is confirm and retry the transaction a minute later. This works for both in-person transactions, as well as remote ones, with the same flow, unlike 3ds, which only works for online shopping.
One other thing to add to the story is that the merchants can’t select what level of security they want from the credit card processor. For example, with authorize.net, you can accept the payment with the address doesn’t matter it doesn’t match.
I guess the real question here is how are they able to steal from you? Were they purchasing gift cards from a merchant with lax security?
It’s one thing to guess a number it’s another thing to get the money out of the system
> merchants can’t select what level of security they want from the credit card processor
That really depends on the processor; many processors do allow merchants specify your acceptance rules in quite deep detail.
There's a bit of a dichotomy in the processor market: on one side you have those that aim to make it simple for their customers and unburden them, while on the other side you have those that expose all the complexities and give intricate controls. The first side won't allow you to specify security requirements, while the second side will give you a hundred options (of course there's also processors positioning them in between). The two sides generally target different customers.
Recently I got an sms from my bank about a suspicious transaction overseas from my wife’s card, it was literally listed as zero USD, at a time when she was not using her phone or computer.
I initially thought the sms itself was phishing, but after checking online, the sms format matched and the bank webpage ensured the feedback process will not ask for any information so we proceeded to confirm that we did not purchase anything.
The bank immediately cancelled the card and shipped a new one.
My initial thought is that the bank safety system could be overreacting, but it was likely that someone was doing exactly what is described in this article and the bank detected it earlier.
I'll get the usual hate for this, but in this instance using bitcoin is safer, since it forces you to verify the transaction on your phone (i.e. you use your phone to pay - either scanning QR code or now NFC).
In the US the Square payment terminals can now accept bitcoin from any lightning enabled wallet app, CashApp does it natively, etc.
Settlement the part where the bank agrees to transfer money from your account (in this case increasing your debt on the card) to the merchant is completely separate from Authorization.
Authorization is the modern EMV ("Chip and pin") authentication, the CVV stuff for online, and any other mechanism by which the bank protects themselves from your fraud and, maybe, as an afterthought protects merchants.
The network is completely OK with Amazon saying here's a card number, we say they're paying us $400. That's just a settlement, goes on your bill. No sophisticated cryptography, nothing even as clever as a 4 digit PIN, or remembering your mother's maiden name, just OK, we trust you. Which means you, as a consumer, need to read your credit card bills and dispute anything you don't recognise or you'll pay.
There is very little incentive for the networks to care if you get ripped off. If you don't dispute it then everybody is happy, and if you do they just claw it back from the merchant and it's not their problem.
Why credit card numbers are full persistent baffles me. They were never meant to be memorable, and the whole process is electronic: surely this can be replaced by cryptography at this point?
I've deliberately demagnetized me and my wife's cards and we have black electrical tape over the numbers in public now.
Online purchases are the last remaining problem which would be completely solved if payments were to random keys rather then depending on everyone having the same number.
Credit cards are a horrible idea. We are essentially forced to use them. It's like giving every person you buy from the password to your bank account and trust them not to steal your money. Wire transfers are better.
They absolutely are. Fun example: when Revolut launched in Japan few years back they had a period of a relatively explosive success (especially within the immigrant community), so most of the cards of the period were issued with the same expiration month and with the same IIN (I'm assuming specific to Japan as well) which left very little entropy and lead to brute-force attacks via merchants not requiring 3DS (Uber etc.). Within only one community (approx. 1.5k people) we have had a handful of a 100% verified cases when the card was compromised without any exposure at all (i.e. the card was not used online or offline).
In all cases Revolut promptly reverted the charges and eventually they did a complete reissue of the cards for Japanese market (not sure how they've got around the entropy issue: maybe they've randomized the expiry dates or spread out IINs some more).
53 comments
[ 4.7 ms ] story [ 38.0 ms ] threadI know that I am naïve :)
Back to the article: Weak point was a password that lead to another merchant not using 3D secure.
It seems from the article that bad actors have fully automated system, so (big) merchants should have handle automatic login attempts from the same ip address with different accounts. I see it from our wordfence logs that ip rotation is not so quick so it could be handled with some permanent ip blocking.
With a debit card you’re playing with your own money.
Credit and debit cards (except for 3DS and EMV) are working exactly as designed; the design just isn't very good from a security perspective.
> The data they took with the attempt of purchase is the card is still usable (not cancelled)
The payment flows should not distinguish between a nonexistent card, a cancelled card, and a valid card that needs 3D Secure. I bet the banks could even implement that without any cooperation on the part of the merchants.
1) https://stripe.com/newsroom/news/card-testing-surge
2) https://stripe.com/blog/the-ml-flywheel-how-we-continually-i...
3) https://docs.stripe.com/disputes/monitoring-programs#enumera...
This is highly dependent on your bank. For example, Bank of America lets you view and delete any cards that have been added to a digital wallet right on their website.
one or more of those digital wallets are some subscription supporting thing, and if that auth failed or had an address mismatch or wrong kind of card, they will disable your account until you update your card.
The fact that it hasn't is an interesting study in game theory and economics.
>I got the money back via chargeback in short time.
So as evidenced, you are protected by the fraud infrastructure. The bank ate the loss for the fraud and you were made whole. In the end, the banking system cares about fraud loss. And they are exceptionally good at finding the fraud. Making changes to the card payment system is extremely difficult, due to the vast scale of the systems, so without a very good justification that a particular change will move the needle on fraud rates, the banks will opt to not make the changes.
Quite often, the merchant is unfortunately the one eating the fraud, which is creating a bit of a principal-agent problem (in that the issuing bank earns interchange on every transaction, so if they aren't liable for fraud, their default incentive would be to just approve as much as feasible and figure everything out later via chargebacks).
3DS changes that calculus quite a bit, though, and in-person payments are usually the issuing bank's liability as well.
Robinhood absolutely nails this. Best virtual credit card system I have ever used. So seamless. Can auth a card for one time use, 24 hours, or indefinite until you cancel. Such a great UI / UX
So an enormously good anti-fraud mechanism is severely handicapped.
It’s really frustrating for most of the rest of the world.
I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?
Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.
Back when credit cards were first starting out (which happened in the US) the US Congress passed a law- the Fair Credit Billing Act of 1974- that consumers were only liable for $50 of losses as long as they reported the missing credit card within 60 days of the end of the fraudulent billing cycle. This was back when credit cards purchases were all made on paper with the machine that went "kachunk" and transferred a carbon copy of your card- everything was done completely offline. That law has not been changed, in fact, most banks completely waive the $50 and don't hold card-holders liable for anything reported (basically, annoying a customer over $50 isn't worth it to the bank). Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit- but banks are still on the hook for all losses reported within 60 days of the end of the cycle. The result is that American banks have invested an enormous amount in real-time monitoring of credit card transactions, and are doing lots of stuff to monitor this- they care deeply since ultimately they are on the hook- but the consumer doesn't care. This is why US card's from the consumer perspective are so much laxer, because our banks have invested far more on the back-end because the consumer is held harmless in a way they aren't with European cards.
As a totally separate issue, the EU has regulated the amount of interchange fees that card-companies can charge, but the US has not capped them. The result is that US card-holders can get significant kickbacks for using cards (especially true for the top decile of wealth), in a way that is functionally impossible with EU issued cards that have capped interchange fees. There is a big lawsuit happening now to try and allow merchants to only accept low-fee cards (the standard VISA/MC/AMEX deal requires treating all cards equally, which gives them an incentive to push people to higher interchange cards). We will see what happens with that suit, but until then, American high-spenders can have much higher rewards on their cards, which also encourages greater use of the cards- and making them have less friction than the EU versions.
The general idea is that if the conversion rate drop of a given security mechanism is higher than the average fraud rate, it doesn't make financial sense to deploy it.
However, at the industry-wide level, this is a pretty classical coordination problem, in that conversion rate only drops because there still is a simpler alternative around unless all merchants and banks were to enforce 3DS at the same time. If there's nothing more convenient left to move to, users will for better or worse have to learn the new, more secure thing, and conversion rates will go up again.
This is what the EU has done with mandating 3DS for many payments, but even there regulators have recognized that a 100% coverage is counterproductive, and there's a sweet spot somewhere in the middle.
As more evidence for the same general idea: US credit cards don't have PINs, because any individual bank introducing them would see a huge drop in usage rates since customers would just use their competitor's card without a PIN instead. In other markets, all cards have PINs (whether due to regulatory invention or card network incentive), and people have just gotten used to them.
Back when it was a thing, it was quite a nightmare, where you had to register for a 3ds account, often separate from your normal online account, and keep a separate password etc. Then those iframe windows look exactly like the phishing websites, too.
Honestly, it's much ado about nothing. If the transaction is suspicious or likely fraudulent, today, you already get an SMS or an alert within bank's app on your phone. All you have to do is confirm and retry the transaction a minute later. This works for both in-person transactions, as well as remote ones, with the same flow, unlike 3ds, which only works for online shopping.
I guess the real question here is how are they able to steal from you? Were they purchasing gift cards from a merchant with lax security?
It’s one thing to guess a number it’s another thing to get the money out of the system
That really depends on the processor; many processors do allow merchants specify your acceptance rules in quite deep detail.
There's a bit of a dichotomy in the processor market: on one side you have those that aim to make it simple for their customers and unburden them, while on the other side you have those that expose all the complexities and give intricate controls. The first side won't allow you to specify security requirements, while the second side will give you a hundred options (of course there's also processors positioning them in between). The two sides generally target different customers.
I initially thought the sms itself was phishing, but after checking online, the sms format matched and the bank webpage ensured the feedback process will not ask for any information so we proceeded to confirm that we did not purchase anything.
The bank immediately cancelled the card and shipped a new one.
My initial thought is that the bank safety system could be overreacting, but it was likely that someone was doing exactly what is described in this article and the bank detected it earlier.
Settlement the part where the bank agrees to transfer money from your account (in this case increasing your debt on the card) to the merchant is completely separate from Authorization.
Authorization is the modern EMV ("Chip and pin") authentication, the CVV stuff for online, and any other mechanism by which the bank protects themselves from your fraud and, maybe, as an afterthought protects merchants.
The network is completely OK with Amazon saying here's a card number, we say they're paying us $400. That's just a settlement, goes on your bill. No sophisticated cryptography, nothing even as clever as a 4 digit PIN, or remembering your mother's maiden name, just OK, we trust you. Which means you, as a consumer, need to read your credit card bills and dispute anything you don't recognise or you'll pay.
There is very little incentive for the networks to care if you get ripped off. If you don't dispute it then everybody is happy, and if you do they just claw it back from the merchant and it's not their problem.
I've deliberately demagnetized me and my wife's cards and we have black electrical tape over the numbers in public now.
Online purchases are the last remaining problem which would be completely solved if payments were to random keys rather then depending on everyone having the same number.
In all cases Revolut promptly reverted the charges and eventually they did a complete reissue of the cards for Japanese market (not sure how they've got around the entropy issue: maybe they've randomized the expiry dates or spread out IINs some more).