[HN Gopher] Why Credit Card Fraud Is Still a Thing
___________________________________________________________________
Author : feross
Score : 78 points
Date : 2020-07-29 20:04 UTC (2 days ago)
web link (krebsonsecurity.com)
| krimeo wrote:
| Now if only we had a payment method where the account credentials
| (ideally these credentials would be cryptographically verified,
| that is, it would be possible to transfer funds only if you have
| access to the private key) are not disclosed to anyone and also
| payments would be as easy as scanning a QR code.
| criddell wrote:
| Don't you get a lot of that by using a payment system that uses
| the EMVCo tokenization scheme?
|
| Apple Pay, for example, uses it.
|
| https://www.emvco.com/emv-technologies/payment-tokenisation/
| miketery wrote:
| I think it's because fraud justifies CC companies charging their
| fees - i.e. consumers want peace of mind, so they don't complain
| when CC takes a 3-4% cut from merchants on transactions. If fraud
| was non-existent then CC companies couldn't justify those fees
| (i.e. insurance).
| paulpauper wrote:
| Ppl steal credit cards not for the cash on the card, but for the
| credentials, which are used to register for services with a
| credit limit, and then the limit is spent. So a single credit
| card can be used on hundreds of services such as Amazon Cloud
| hosting, Facebook ads, Google ads, etc. all without spending any
| money. The billing occurs only after the trial limit is spent.
| Google Ads will give a $400 credit limit on a new user.
| mysterypie wrote:
| > _Card-not-present accounts fetched a much steeper supplier
| commission of 80 percent, but mainly because these cards were in
| such high demand and low supply._
|
| Some part of that statement doesn't make sense.
| Normally if
| something is in high demand, then it is easier to sell it,
| therefore the seller can demand that the middleman, i.e.,
| BriansClub, accept a _lower_ commission. In real estate for
| example, when there is a lot of demand for houses (in a
| "sellers' market"), you as a seller can easily negotiate a lower
| commission from your brokerage agent.
|
| One clarification: When there's high demand and low supply, the
| end-buyer will pay a much higher price of course. But the
| middleman (like BriansClub) should be charging a lower commission
| as a percentage, though he or she might end up making more money
| because it's a higher priced item being sold. So Krebs's
| explanation of why they charge a higher commission for
| card-not-present doesn't make sense.
| superhuzza wrote:
| You're getting it totally backwards here. The supplier
| commission is how much of the card's value BriansClub is paying
| to the supplier:
|
| "On average, BriansClub paid suppliers commissions ranging from
| 50-60 percent of the total value of the cards sold."
|
| High demand + low supply of these cards means that the
| suppliers are getting a better "price" when selling them to
| BriansClub, the middleman.
| mysterypie wrote:
| You are right, thank you. It's a non-standard way they used
| the word commission.
| alextheparrot wrote:
| My reading was that the card sellers had "negotiated" (market
| equilibrium) a higher commission, meaning that the card sellers
| do get more money (which makes sense, as the supply/demand for
| what they are selling is more in their favor).
| Donthatme wrote:
| I read it as [BriansClub] pays 80% of the sale to the hackers
| for that data.
| bluecalm wrote:
| When I started my business I faced the problem of chargebacks
| after sending goods to the scammer. I've looked for what Visa and
| MasterCard recommend to prevent it. Their advice: "contact the
| buyer to make sure it's not fraud".
| My question was: how am I
| supposed to contact the buyer if it's the scammer who actually
| filled in the contact info form? No answer to that.
|
| One very easy step preventing most of the fraud in my case and I
| imagine many others would be an option to request a registered
| email or phone contact to the actual card owner. "Hello, it's
| bluecalm from org X, we have noticed your order and it's marked
| as suspicious by our system, can you please confirm you made that
| order? Yes - great, we are sending you the product right now. No?
| Well, contact your bank as your card info was stolen".
|
| It's such an easy and obvious step. Let me contact the actual
| card owner using the info they provided. I think the problem is
| lack of incentives. It's the seller who covers the cost. At least
| some of it should be on card companies to encourage them to
| actually do something about it. Right now they seem to just not
| care.
| DaiPlusPlus wrote:
| What CC/merchant system do you use? Have you looked at Stripe's
| anti-fraud system?
| larrik wrote:
| So last Saturday I got a brand new credit card from a brand new
| bank that I opened because my main credit card got compromised
| and I wanted a backup.
|
| Saturday evening I verified receipt of the card, and then put the
| card on the counter and left it there. Sunday night / Monday
| morning, at 1am, I get a text that the new card was compromised
| as someone was attempting to use it to pay some scammer. I never
| left the house with the card, I never typed it into a computer
| beyond the verification process from my own home.
|
| Wat.
| stimpson_j_cat wrote:
| I got a notification that my new card was used for fraud while
| it was _in the mail on the way to me_
| gruez wrote:
| Don't cards require activation prior to use?
| stimpson_j_cat wrote:
| Yes! Fraud dept told me it was someone entering random
| numbers. What does that explain?! shrug
| whitepoplar wrote:
| Which bank?
| stimpson_j_cat wrote:
| I think it was US Bank but this was some years ago
| whitepoplar wrote:
| Which bank is it from? Name and shame!
| ohduran wrote:
| I was expecting a one-liner: "because banks do not lose money if
| fraud happens, as they simply trickle down costs to their
| customers".
| lifeisstillgood wrote:
| >>> BriansClub earned close to $104 million in gross revenue from
| 2015 to early 2019, and listed over 19 million unique card
| numbers for sale.
|
| 100M for _selling_ card numbers - not actually defrauding, just
| selling card numbers ... holy cow.
| grezql wrote:
| And you have "Jokers stash" / jStash which is even bigger than
| BriansClub.
|
| Other mentions: YaleLodge
|
| UniCC
|
| Credit card fraud is a big, profitable business and has a huge
| ecosystem built around it.
| cortesoft wrote:
| I wonder if the banks could save money on fraud prevention by
| just buying all their stolen credentials on the open market
| and cancelling them all.
|
| I know that would mess with the incentives to steal those
| credentials, but it still might be worth it.
| rob-olmos wrote:
| It'd be cool if payment cards had a built-in LCD screen for the
| PIN as a TOTP. That shouldn't be much harder for consumers than
| the existing card verification/security code.
| stormdennis wrote:
| I really wish the Krebs site rendered better on mobile browsers.
| It's a bit of a pain to read.
| mey wrote:
| If you are on Android, I suggest getting Firefox.
| https://support.mozilla.org/en-US/kb/view-articles-reader-vi...
| The article can be flipped over into Reader Mode and is easy to
| read in that way.
| stormdennis wrote:
| I am using Firefox as it happens but there's no reader view
| on offer for that site, unfortunately.
| vel0city wrote:
| That's strange, on Firefox for Android v68.11.0 every
| article for krebsonsecurity.com can render in the reader
| mode. The main home page does not work for this, but
| individual articles work fine.
| 1ris wrote:
| I suggest you don't.
| I switched away from Firefox for this
| exact reason.
|
| Opera just displays the website correctly, no reader mode
| required. (Although available. I never use it and I think it's
| only necessary for other browsers because their normal
| browsing feature is broken).
| inetknght wrote:
| I really wish mobile browsers would follow better standards of
| user interfaces. They're a bit of a pain to use.
| marvinblum wrote:
| Or, you could go for a debit card with a pin, like in good old
| Germany. Credit cards require artificial fraud protection just
| because it's literally unprotected once someone gets the details.
| Why is there no secret involved? Just for the few seconds it
| takes to enter a pin?
|
| [Edit] I'd like to add that most German debit cards work
| differently from what some of you might consider a debit card.
| Here, the money is withdrawn from your bank account on the same
| day (most of the time), and you cannot go into debt. Of course,
| there are exceptions to this.
| amelius wrote:
| And why not make the secret mandatory only for amounts >
| $THRESHOLD
| marvinblum wrote:
| Well, that has become a practice already, even in countries
| like Germany where most people still prefer cash. I think
| it's < 50EUR for my card, but even then I usually get asked
| for the pin.
| alkonaut wrote:
| Pin limit was raised from EUR20 to EUR40 for my card due to
| Corona (slightly higher risk to have fewer people touch the
| keypads).
| LargoLasskhyfv wrote:
| Hrm. No. At least for Deutsche Bank Privatkunden it is
| real-time. I guess it has to be for the others too, because how
| else can you ensure not going into debt? Incoming money could
| take a while, but no longer than a full workday either.
| metaphor wrote:
| https://krebsonsecurity.com/all-about-skimmers/
|
| ...and if your bank happens to suck, then the loss of getting
| owned by one is now your problem, not theirs.
| chrismcb wrote:
| How is that different than other debit cards?
| It shouldn't be
| possible to go into debt with a debit card. And, typically you
| need to use your pin to use a debit card. This is different
| than a credit card.
| atombender wrote:
| When I lived in Europe, all my cards required 2FA via 3-D
| Secure for online orders (variously marketed as Verified by
| Visa and so on). This would ask me to use my bank's
| authenticator to generate a one-time code.
|
| I've seen 3-D Secure flash by when doing online orders in the
| US, but it's never required any authentication. It just says
| "3-D Secure" briefly and then it's seemingly skipped. Do
| banks simply not roll it out?
| dylz wrote:
| It's rolled out, they're typically incredibly invasive
| fingerprinting scripts that also port scan you/your LAN.
|
| Amex's 3D implementation seems to consistently ask for a
| 6-character passcode if it doesn't pass through.
| cortesoft wrote:
| A chip is much better than a pin. A pin can be stolen, just
| like the card.
|
| With a chip, the secret data never leaves the card during a
| transaction. Even if the business is hacked, or if the POS
| system is compromised, the stolen data can't be used for
| anything.
|
| With a pin, if someone hacks a POS system (or installs a
| fraudulent one over it), they can capture both the number AND
| the pin at the same time.
| ratww wrote:
| Germany also uses chips. In fact every country I ever lived in
| used chips + pins.
| Shivetya wrote:
| Both my debit and CC have pins. However there does not seem to
| be a means by which I can force my bank to only accept purchases
| which provide it.
|
| Let alone have an SMS mode where I have to approve all purchases
| made on the card. Provide retailer, state, and cost.
| throwaway744678 wrote:
| In this case, the bank is defrauded, not you.
| jonkoops wrote:
| I really never got credit cards, I didn't even own one until I
| had to make some purchases on American websites.
| In the
| Netherlands and most EU countries we all have debit cards
| protected by a pin, and all transactions are basically instant
| and increasingly contactless.
|
| As for purchasing stuff online we have a system called 'iDeal'
| which is supported by every bank. You just go to the checkout,
| scan a QR code with your banking app, accept the purchase in
| the app and it's done.
|
| It still comes to me as a surprise that in a connected world
| like today you can make a purchase in someone's name by just
| knowing a bunch of numbers on a piece of plastic, no
| verification needed.
| ars wrote:
| You can make a purchase on an American website with a debit
| card.
|
| The point of the credit card is to borrow money and pay it
| back later. That's all.
|
| Most Americans have both debit and credit cards and will
| switch between them based on their financial need.
|
| > You just go to the checkout, scan a QR code with your
| banking app, accept the purchase in the app and it's done.
|
| And those people who don't have data for their phone?
|
| > that in a connected world like today
|
| Not everyone is connected.
| supernova87a wrote:
| CC companies in the US made the moronic determination that the
| American consumer could not handle the complexity of the PIN.
| Or that it would take too much education and infrastructure
| change to get that to work. So we had a dumb hybrid approach,
| and usually the retailer pays for the fallout of this decision.
|
| Secondly, I (and others) will not use my debit card for
| transactions (to the full extent that I can take this position
| practically), as debit cards do not have the same protections
| against fraud as CCs do.
|
| Lastly, an observation: I'm surprised that given the potential
| penalties (in fraudulent charges), restaurants and other
| retailers don't just bite the bullet and buy the $100 terminals
| to get off the swipe system.
| Maybe it's a little more expensive
| if they have to replace those big clunky POS / order taking
| machines. But this technology always ends up costing less
| than what the complaining businesses say they will have to pay
| in the beginning.
| alextheparrot wrote:
| The movement towards eWallets is a better UX than a pin, as
| the device is a witness factor (chip) while the device-level
| auth (passcode or <body part>Id) represents similar proof as
| a pin. The added benefit, here, is that users can order
| online with as much safety as at a terminal (maybe I'm
| missing a nuance or two here?) and no terminal is necessary.
| bsder wrote:
| > restaurants and other retailers don't just bite the bullet
| and buy the $100 terminals
|
| Because it's _never_ $100 cash.
|
| It's $100, and a subscription fee for the service, and a
| percentage of the transaction. Indefinitely.
|
| If you already have a really good deal with your provider,
| this may be a more significant hit to profit than fraud--
| _especially_ for a restaurant (where fraud is less because
| you can't reconvert the food into cash unlike merchandise).
|
| I hate the "SaaS" subscription model, but it's infected
| _everything_.
| fragmede wrote:
| It's fair to complain about rent-seeking aspects of SaaS,
| but credit cards existed before the word SaaS was ever
| used, and subscription services existed long before
| _computers_ did.
|
| Thing is, even if merchants didn't buy a _new_ $100
| terminal, if they're already accepting credit cards with
| an old terminal, they're already paying a subscription fee
| and a percentage of transaction, so in this specific case,
| it _is_ $100 cash. (Pedantically, it's closer to $300
| https://www.merchantequip.com/processing-equipment/wireless-...)
| gruez wrote:
| >CC companies in the US made the moronic determination that
| the American consumer could not handle the complexity of the
| PIN. [...]
| So we had a dumb hybrid approach, and usually the
| retailer pays for the fallout of this decision.
|
| I don't think there's anything specifically wrong
| (security-wise) with chip + sign for processing. Sure, you don't
| need to enter a pin to verify the transaction, but it's not like
| you can clone the chip, so there aren't any security issues
| there. AFAIK the only issue is that for some banks, the
| magstripe information can be read off the chip, which can be
| used afterwards to spoof a magstripe transaction, which the
| bank allows (for legacy reasons). The core problem is
| allowing legacy transactions, not the absence of a pin.
| katbyte wrote:
| If you lose the card someone can just use it if there is no
| pin. Lose a card with a pin and it can't be used.
| gruez wrote:
| I do agree that it's one deficiency, but it doesn't
| matter much. The vast majority of fraud isn't from people
| finding credit cards off the ground and going into stores
| with them. There aren't organized criminal rings for it
| because it simply doesn't scale. Not to mention that you
| have a very limited window to spend it compared to a
| skimmed card. The banks probably figured that adding a pin
| adds marginal security for significantly more hassle.
| supernova87a wrote:
| What's the purpose of a signature even? The retailer is not
| allowed to (by terms of service) ask you for any ID to
| compare it against. This is just trappings for show.
| rini17 wrote:
| Most of Europe is moving to contactless card payments and PIN
| is needed only for large amounts (over 20 euro, recently
| raised to 60 euro) and for cash withdrawals. The result is I
| have already managed to forget the PIN; fortunately I had
| another card.
|
| So, a stolen card can be used for small payments, but there's
| an easy process to immediately block it (via app or internet
| banking).
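cortesoft's point above (the chip's secret never leaves the card, so data captured at a compromised POS is useless) and gruez's point (the real hole is the issuer still accepting legacy magstripe transactions) illustrated as an added toy model; this is not code from the thread and not real EMV, and `Chip`, `Issuer`, `simulate`, the HMAC-SHA256 stand-in for the cryptogram, and the sample key and PAN are all constructed for it.

```python
import hmac
import hashlib

# Simplified model of a chip transaction for illustration only. Real EMV
# derives card-unique session keys and produces an ARQC; here the chip and
# the issuer simply share a per-card key that never leaves either side, and
# the chip MACs each transaction together with a monotonically increasing
# application transaction counter (ATC).
CARD_KEY = bytes(range(16))        # constructed sample key, not a real one
PAN = "4111111111111111"           # constructed sample PAN (a test number)


def cryptogram(key, pan, atc, amount_cents, merchant):
    """Per-transaction authorization code (HMAC-SHA256 stand-in for an ARQC)."""
    msg = f"{pan}|{atc}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Chip:
    """The card. Its key is never exported; only the cryptogram leaves it."""

    def __init__(self, key, pan):
        self._key = key
        self.pan = pan
        self.atc = 0

    def authorize(self, amount_cents, merchant):
        self.atc += 1
        return {"pan": self.pan, "entry": "chip", "atc": self.atc,
                "amount": amount_cents, "merchant": merchant,
                "mac": cryptogram(self._key, self.pan, self.atc,
                                  amount_cents, merchant)}


class Issuer:
    """The bank. With fallback disabled, static card data alone buys nothing."""

    def __init__(self, key, pan, allow_magstripe_fallback=False):
        self._key = key
        self.pan = pan
        self.last_atc = 0
        self.allow_magstripe_fallback = allow_magstripe_fallback

    def authorize(self, req):
        if req["pan"] != self.pan:
            return False
        if req["entry"] == "magstripe":
            # Track data is static: no counter, no MAC. Whether to accept it
            # is purely an issuer policy decision (the legacy path above).
            return self.allow_magstripe_fallback
        expected = cryptogram(self._key, req["pan"], req["atc"],
                              req["amount"], req["merchant"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False                     # forged or altered request
        if req["atc"] <= self.last_atc:
            return False                     # replay of a captured request
        self.last_atc = req["atc"]
        return True


def simulate(allow_magstripe_fallback):
    """One honest purchase, then what a compromised POS could do with
    everything it observed. Returns which attempts the issuer approved."""
    chip = Chip(CARD_KEY, PAN)
    issuer = Issuer(CARD_KEY, PAN, allow_magstripe_fallback)
    captured = chip.authorize(1999, "shop-1")      # the POS sees exactly this
    results = {"honest": issuer.authorize(captured)}
    results["replay"] = issuer.authorize(captured)  # same request, second time
    results["tamper"] = issuer.authorize({**captured, "amount": 99900})
    # Static PAN read off the chip, presented as a swipe at another merchant
    results["magstripe"] = issuer.authorize(
        {"pan": PAN, "entry": "magstripe", "amount": 5000, "merchant": "shop-2"})
    return results


if __name__ == "__main__":
    print("fallback off:", simulate(False))
    print("fallback on: ", simulate(True))
```

With fallback off, only the honest chip transaction is approved; turning fallback on changes nothing about the chip path and only re-opens the magstripe one.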
| AdamJacobMuller wrote:
| > retailers don't just bite the bullet and buy the $100
| terminals to get off the swipe system
|
| I think it's been about a year or more for me since I last
| swiped my card (or saw it swiped). 100% chip/EMV or Apple
| Wallet here.
| jimmaswell wrote:
| I severely miss swiping every time I have to sit there for
| ten seconds staring at a terminal with the chip in, waiting
| for it to obnoxiously beep. Phone NFC is a bit nicer when
| it works (often doesn't) but I wish it didn't require
| authentication. Swiping feels like the golden age of
| shopping convenience.
| rohansingh wrote:
| > CC companies in the US made the moronic determination that
| the American consumer could not handle the complexity of the
| PIN
|
| Or maybe they did the math, found that the average US
| consumer has a handful of credit cards, and figured that if
| they put a PIN on their card it would get used less,
| resulting in less profit for the credit card company.
| gruez wrote:
| Having chip/pin is orthogonal to the card being a credit or
| debit card. If anything, at least in the US a credit card has
| better protections in the event you are defrauded. If a
| fraudster drains your debit card, your money will be gone until
| they reverse the charges, which can be days or weeks. In the
| meantime you won't be able to pay your bills or your rent,
| which can cause you to rack up late fees. On the other hand, if
| a fraudster drains your credit card, they stole your bank's
| money, not your money. The money is still in your account.
| llsf wrote:
| I have never used a credit card when living in Europe, it was
| a debit card... but it is effectively debited at the end of
| the month only. So you have to pay in full at the end of the
| month. And the bank is responsible for the security on the
| card, so if it is hacked somehow, the bank has to fix/pay for
| it.
| So, it is a bit strange when moving to the US, and then being
| responsible for the poor security of the cards (debit or
| credit) provided by my US bank. Now the anti-fraud system is
| pretty sophisticated. I once had my CC copied at a fast
| food place, charged fraudulently less than 30 min after my
| order at the fast food place, and had the CC company call and
| ask me to verify the fraudulent charge. It is just strange not
| to spend that money upfront on better security for the cards,
| rather than leave them wide open and then build a
| complex/velocity/AI system to flag potential fraudulent
| charges, call me, cancel charges, and send me a new CC.
| loeg wrote:
| > but it is effectively debited at the end of the month
| only. So you have to pay in full at the end of the month.
|
| In the US, you've described "Charge Cards." Some of the
| cards American Express offers are charge cards. (I don't
| know of other vendors with such cards.)
| splonk wrote:
| Diners Club, although they're a very small player. Some
| corporate cards as well, I believe. Possibly some of the
| niche cards targeted at people with very bad credit act
| this way as well.
|
| Basically the very large majority of consumers won't see
| a charge card besides AmEx.
| champtar wrote:
| At some point someone is paying for the fraud, and it's not
| the bank, it's the merchant, who slightly increases the price
| to account for that, so in the end you pay for it. Same for
| cashback.
| abarringer wrote:
| I work in the credit card industry. It's more complicated
| than that. Depending on who has EMV enabled correctly
| greatly shifts the fraud load. But banks can and do pay a
| huge part of the fraud, which is passed on to consumers in
| higher interest rates. Merchants pay "cashback" by some
| definition but it's fungible. If there were no cashback
| that money would go directly to the banks and the end user
| would have lower interest rates.
| champtar wrote:
| What I mean is it's like any insurance: they estimate
| the risk and collect enough money to pay for this.
| toohotatopic wrote:
| As you say, it is orthogonal. Why not have both? You pay for
| the fraud with higher fees compared to a system where fraud
| is prevented by additional security.
| alextheparrot wrote:
| Credit cards do have this, that's one of the use-cases of
| the pin on the back. The eWallet products being pushed by
| various companies neatly bridge the chip/pin to the card,
| giving chip/pin style protections digitally.
|
| Most phones require you to use some form of passcode (6
| digits, TouchId, FaceId) which are effectively pins prior
| to using a payment method. Additionally, there are secure
| chips in your devices to do the actual processing. This
| means that digital purchases through eWallet methods are
| effectively chip + pin while still getting credit card
| fraud protections.
| alkonaut wrote:
| Does debit vs credit really matter? I have a pin for both my MC
| debit and credit cards (same with Visa earlier) and any online
| purchase requires 2FA (MasterCard SecureCode and VerifiedByVisa
| respectively).
|
| I wouldn't make a transaction online without those 2FA measures
| and I wouldn't make an in-person transaction without a pin. I
| haven't checked actually but I assume the cards can't be used
| without pin/2FA, e.g. if the details were leaked.
| ckorhonen wrote:
| I don't know how much stock I'd put into SecureCode etc.
| Recently I discovered that American Express's SafeKey could
| easily be bypassed on BestBuy.com by leaving the browser tab
| open for ~15 minutes.
|
| I assume it's up to the e-commerce site to implement the
| check, and in this case it had timed out and they decided to
| process the order anyway.
|
| Sure, you'll probably win any chargeback, but they don't
| necessarily prevent the charges in the first place.
| lxgr wrote:
| > I wouldn't make a transaction online without those 2FA
| measures and I wouldn't make an in-person transaction without
| a pin.
|
| Even if you don't, if your card details get leaked,
| fraudsters definitely will. You can't prevent that by
| shopping selectively.
| marvinblum wrote:
| With the new 3D Secure EU regulation this will become the
| standard in Europe. My credit card works without those
| security measures at the moment.
| maxerickson wrote:
| What's artificial about fraud protection that doesn't depend on
| a pin?
|
| A pin verifies the bearer; systems that don't require them
| evaluate each transaction. It's not like US merchants are all
| choosing to stop accepting credit cards, so fraud probably
| isn't _that big_ a problem.
___________________________________________________________________
(page generated 2020-07-31 23:01 UTC)