[HN Gopher] Why Credit Card Fraud Is Still a Thing
       ___________________________________________________________________
        
       Why Credit Card Fraud Is Still a Thing
        
       Author : feross
       Score  : 78 points
       Date   : 2020-07-29 20:04 UTC (2 days ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | krimeo wrote:
       | Now if only we had a payment method where the account credentials
       | (ideally these credentials would be cryptographically verified,
       | that is, it would be possible to transfer funds only if you have
       | access to the private key) are not disclosed to anyone and also
       | payments would be as easy as scanning a QR code.
        
         | criddell wrote:
         | Don't you get a lot of that by using a payment system that uses
         | the EMVCo tokenization scheme?
         | 
         | Apple Pay, for example, uses it.
         | 
         | https://www.emvco.com/emv-technologies/payment-tokenisation/
        
       | miketery wrote:
        | I think it's because fraud justifies CC companies charging their
        | fees - i.e. consumers want peace of mind, so they don't complain
        | when CC takes 3-4% cut from merchants on transactions. If fraud
        | was non-existent then CC companies couldn't justify those fees
        | (i.e. insurance).
        
       | paulpauper wrote:
        | People steal credit cards not for the cash on the card, but for
        | the credentials, which are used to register for services with a
        | credit limit, and then the limit is spent. So a single credit
        | card can be used on hundreds of services such as Amazon Cloud
        | hosting, Facebook ads, Google ads, etc. all without spending any
        | money. The billing occurs only after the trial limit is spent.
        | Google Ads will give a $400 credit limit on a new user.
        
       | mysterypie wrote:
       | > _Card-not-present accounts fetched a much steeper supplier
       | commission of 80 percent, but mainly because these cards were in
       | such high demand and low supply._
       | 
       | Some part of that statement doesn't make sense. Normally if
       | something is in high demand, then it is easier to sell it,
       | therefore the seller can demand that the middleman i.e.,
        | BriansClub, accept a _lower_ commission. In real estate for
        | example, when there is a lot of demand for houses (in a
        | "sellers' market"), you as a seller can easily negotiate a lower
        | commission from your brokerage agent.
       | 
       | One clarification: When there's high demand and low supply, the
       | end-buyer will pay a much higher price of course. But the
       | middleman (like BriansClub) should be charging a lower commission
       | as a percentage, though he or she might end up making more money
       | because it's a higher priced item being sold. So Krebs's
       | explanation of why they charge a higher commission for card-not-
       | present doesn't make sense.
        
         | superhuzza wrote:
         | You're getting it totally backwards here. The supplier
         | commission is how much of the card's value BriansClub is paying
         | to the supplier:
         | 
         | "On average, BriansClub paid suppliers commissions ranging from
         | 50-60 percent of the total value of the cards sold."
         | 
         | High demand + low supply of these cards means that the
         | suppliers are getting a better "price" when selling them to
         | BriansClub, the middleman.
        
           | mysterypie wrote:
           | You are right, thank you. It's a non-standard way they used
           | the word commission.
        
         | alextheparrot wrote:
         | My reading was that the card sellers had "negotiated" (Market
         | equilibrium) a higher commission, meaning that the card sellers
         | do get more money (Which makes sense, as the supply/demand for
         | what they are selling is more in their favor).
        
         | Donthatme wrote:
         | I read it as [BriansClub] pays 80% of the sale to the hackers
         | for that data.
        
       | bluecalm wrote:
        | When I started my business I faced the problem of chargebacks
        | after sending goods to the scammer. I've looked for what Visa and
        | MasterCard recommend to prevent it. Their advice: "contact the
        | buyer to make sure it's not fraud". My question was: how am I
        | supposed to contact the buyer if it's the scammer who actually
        | filled in the contact info form? No answer to that.
       | 
       | One very easy step preventing most of the fraud in my case and I
       | imagine many others would be an option to request a registered
       | email or phone contact to the actual card owner. "Hello it's
       | bluecalm from org X, we have noticed your order and it's marked
       | as suspicious by our system, can you please confirm you made that
       | order? Yes - great, we are sending you the product right now. No?
       | Well, contact your bank as your card info was stolen".
       | 
       | It's such an easy and obvious step. Let me contact the actual
       | card owner using the info they provided. I think the problem is
       | lack of incentives. It's the seller who covers the cost. At least
       | some of it should be on card companies to encourage them to
       | actually do something about it. Right now they seem to just not
       | care.
        
         | DaiPlusPlus wrote:
         | What CC/Merchant system do you use? Have you looked at Stripe's
         | anti-fraud system?
        
       | larrik wrote:
       | So last Saturday I got a brand new credit card from a brand new
       | bank that I opened because my main credit card got compromised
       | and I wanted a backup.
       | 
        | Saturday evening I verified receipt of the card, and then put the
        | card on the counter and left it there. Sunday night / Monday
        | morning, at 1am, I get a text that the new card was compromised
        | as someone was attempting to use it to pay some scammer. I never
        | left the house with the card, I never typed it into a computer
        | beyond the verification process from my own home.
       | 
       | Wat.
        
         | stimpson_j_cat wrote:
         | I got a notification that my new card was used for fraud while
         | it was _in the mail on the way to me_
        
           | gruez wrote:
            | Don't cards require activation prior to use?
        
             | stimpson_j_cat wrote:
             | Yes! Fraud dept told me it was someone entering random
             | numbers. What does that explain?! shrug
        
           | whitepoplar wrote:
           | Which bank?
        
             | stimpson_j_cat wrote:
             | I think it was US Bank but this was some years ago
        
         | whitepoplar wrote:
         | Which bank is it from? Name and shame!
        
       | ohduran wrote:
       | I was expecting a one liner: "because banks do not lose money if
       | fraud happens, as they simply trickle down costs to their
       | customers".
        
       | lifeisstillgood wrote:
       | >>> BriansClub earned close to $104 million in gross revenue from
       | 2015 to early 2019, and listed over 19 million unique card
       | numbers for sale.
       | 
        | 100M for _selling_ card numbers - not actually defrauding, just
        | selling card numbers ... holy cow.
        
         | grezql wrote:
         | And you have "Jokers stash" / jStash which is even bigger than
         | Briansclub.
         | 
         | Other mentions: YaleLodge
         | 
         | UniCC
         | 
          | Credit card fraud is a highly profitable business and has a
          | huge ecosystem built around it.
        
           | cortesoft wrote:
           | I wonder if the banks could save money on fraud prevention by
           | just buying all their stolen credentials on the open market
           | and cancelling them all.
           | 
            | I know that would mess with the incentives to steal those
            | credentials, but it still might be worth it.
        
       | rob-olmos wrote:
       | It'd be cool if payment cards had a built-in LCD screen for the
       | PIN as a TOTP. That shouldn't be much harder for consumers than
       | the existing card verification/security code.
        
       | stormdennis wrote:
       | I really wish the Krebs site rendered better on mobile browsers.
       | It's a bit of a pain to read.
        
         | mey wrote:
         | If you are on Android, I suggest getting Firefox.
         | https://support.mozilla.org/en-US/kb/view-articles-reader-vi...
         | The article can be flipped over into Reader Mode and is easy to
         | read in that way.
        
           | stormdennis wrote:
            | I am using Firefox as it happens but there's no reader view
            | on offer for that site unfortunately.
        
             | vel0city wrote:
             | That's strange, on Firefox for Android v68.11.0 every
             | article for krebsonsecurity.com can render in the reader
             | mode. The main home page does not work for this, but
             | individual articles work fine.
        
           | 1ris wrote:
            | I suggest you don't. I switched away from Firefox for this
            | exact reason.
            | 
            | Opera just displays the website correctly, no reader mode
            | required. (Although available. I never use it and I think
            | it's only necessary for other browsers because their normal
            | browsing feature is broken).
        
         | inetknght wrote:
         | I really wish mobile browsers would follow better standards of
         | user interfaces. They're a bit of a pain to use.
        
       | marvinblum wrote:
        | Or, you could go for a debit card with a pin, like in good old
        | Germany. Credit cards require artificial fraud protection just
        | because they're literally unprotected once someone gets the
        | details. Why is there no secret involved? Just for the few
        | seconds it takes to enter a pin?
        | 
        | [Edit] I'd like to add that most German debit cards work
        | differently from what some of you might consider a debit card.
        | Here, the money is withdrawn from your bank account on the same
        | day (most of the time), and you cannot go into debt. Of course,
        | there are exceptions to this.
        
         | amelius wrote:
         | And why not make the secret mandatory only for amounts >
         | $THRESHOLD
        
           | marvinblum wrote:
           | Well, that has become a practice already, even in countries
           | like Germany where most people still prefer cash. I think
           | it's < 50EUR for my card, but even then I usually get asked
           | for the pin.
        
           | alkonaut wrote:
           | Pin limit was raised from EUR20 to EUR40 for my card due to
           | Corona (slightly higher risk to have fewer people touch the
           | keypads).
        
         | LargoLasskhyfv wrote:
         | Hrm. No. At least for Deutsche Bank Privatkunden it is real-
         | time. I guess it has to be for the others too, because how else
         | can you ensure not going into debt? Incoming money could take a
         | while, but no longer than a full workday either.
        
         | metaphor wrote:
         | https://krebsonsecurity.com/all-about-skimmers/
         | 
         | ...and if your bank happens to suck, then the loss of getting
         | owned by one is now your problem, not theirs.
        
         | chrismcb wrote:
          | How is that different than other debit cards? It shouldn't be
          | possible to go into debt with a debit card. And, typically you
          | need to use your pin to use a debit card. This is different
          | than a credit card.
        
         | atombender wrote:
         | When I lived in Europe, all my cards required 2FA via 3-D
         | Secure for online orders (variously marketed as Verified by
         | Visa and so on). This would ask me to use my bank's
         | authenticator to generate a one-time code.
         | 
          | I've seen 3-D Secure flash by when doing online orders in the
          | US, but it's never required any authentication. It just says
          | "3-D Secure" briefly and then it's seemingly skipped. Do banks
          | simply not roll it out?
        
           | dylz wrote:
           | It's rolled out, they're typically incredibly invasive
           | fingerprinting scripts that also port scan you/your LAN.
           | 
           | Amex's 3D implementation seems to consistently ask for a
           | 6-character passcode if it doesn't pass through.
        
         | cortesoft wrote:
         | A chip is much better than a pin. A pin can be stolen, just
         | like the card.
         | 
         | With a chip, the secret data never leaves the card during a
         | transaction. Even if the business is hacked, or if the POS
         | system is compromised, the stolen data can't be used for
         | anything.
         | 
         | With a pin, if someone hacks a POS system (or installs a
         | fraudulent one over it), they can capture both the number AND
         | the pin at the same time.
        
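The point cortesoft makes above (and the per-transaction dynamic code rob-olmos wishes for earlier in the thread) can be shown with a small model. The following is an added example written for this page, not code from the thread or from any card scheme: an issuer that accepts magstripe-style static data (card number plus code) next to one that accepts an EMV-style cryptogram, here simplified to an HMAC over a transaction counter, a terminal nonce and the amount. The `Issuer`, `ChipCard` and `cryptogram_for` names, the key handling and the sample card numbers and amounts are all constructed for the illustration; real EMV cryptograms use different key derivation and message formats. The demo records what a point-of-sale terminal would see for one genuine purchase of each kind, then checks what that recorded data is good for afterwards.

```python
# Added example: why data captured at a POS is reusable for a static
# (magstripe-style) card but not for a chip card issuing per-transaction
# cryptograms. All names, keys, card numbers and amounts are constructed.
import hashlib
import hmac
import secrets
import struct


def cryptogram_for(key: bytes, atc: int, nonce: bytes, amount: int) -> bytes:
    """Toy stand-in for an EMV cryptogram: HMAC over counter, nonce and amount.

    Only the card and the issuer hold `key`, so a terminal that records the
    output cannot produce a valid value for any other counter, nonce or amount.
    """
    msg = struct.pack(">I", atc) + nonce + struct.pack(">Q", amount)
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """Card side: the key never leaves the object; only cryptograms come out."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter

    def generate_cryptogram(self, nonce: bytes, amount: int):
        self.atc += 1
        return self.atc, cryptogram_for(self._key, self.atc, nonce, amount)


class Issuer:
    """Issuer back end for both card types."""

    def __init__(self):
        self.static_cards = {}  # pan -> security code (the data *is* the secret)
        self.chip_keys = {}     # pan -> shared key (never sent to the terminal)
        self.last_atc = {}      # pan -> highest counter accepted so far

    def enroll_static(self, pan: str, code: str) -> None:
        self.static_cards[pan] = code

    def enroll_chip(self, pan: str, key: bytes) -> None:
        self.chip_keys[pan] = key
        self.last_atc[pan] = 0

    def authorize_static(self, pan: str, code: str, amount: int) -> bool:
        # Whoever holds the bytes the terminal saw can pass this check again.
        return self.static_cards.get(pan) == code

    def authorize_chip(self, pan: str, atc: int, nonce: bytes,
                       amount: int, cryptogram: bytes) -> bool:
        key = self.chip_keys.get(pan)
        if key is None:
            return False
        expected = cryptogram_for(key, atc, nonce, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount, nonce or counter does not match what the card signed
        if atc <= self.last_atc[pan]:
            return False  # same counter seen before: a replay of a recorded transaction
        self.last_atc[pan] = atc
        return True


def run_demo() -> dict:
    """One genuine purchase per card type, then reuse of what the terminal recorded."""
    issuer = Issuer()
    issuer.enroll_static("4111111111111111", "123")      # constructed sample card
    chip_key = secrets.token_bytes(16)
    issuer.enroll_chip("4222222222222222", chip_key)      # constructed sample card
    card = ChipCard("4222222222222222", chip_key)

    # Genuine purchases; the terminal keeps a copy of everything it relays.
    static_first = issuer.authorize_static("4111111111111111", "123", 2500)
    nonce = secrets.token_bytes(4)
    atc, cg = card.generate_cryptogram(nonce, 2500)
    chip_first = issuer.authorize_chip("4222222222222222", atc, nonce, 2500, cg)

    # Later use of the recorded data for a different purchase.
    static_replay = issuer.authorize_static("4111111111111111", "123", 9900)
    chip_replay = issuer.authorize_chip("4222222222222222", atc, nonce, 2500, cg)
    chip_tampered = issuer.authorize_chip("4222222222222222", atc + 1, nonce, 9900, cg)

    # The real card still works afterwards because its counter moves on.
    nonce2 = secrets.token_bytes(4)
    atc2, cg2 = card.generate_cryptogram(nonce2, 1200)
    chip_second = issuer.authorize_chip("4222222222222222", atc2, nonce2, 1200, cg2)

    return {
        "static_first": static_first, "static_replay": static_replay,
        "chip_first": chip_first, "chip_replay": chip_replay,
        "chip_tampered": chip_tampered, "chip_second": chip_second,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The two rejections show the two separate protections: the counter check stops an exact replay of a recorded transaction, and the MAC check stops reuse of the recorded cryptogram with a changed amount or counter. The static card has neither, which is the gap a compromised terminal or skimmer exploits regardless of whether a PIN was typed alongside it.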
           | ratww wrote:
           | Germany also uses chips. In fact every country I ever lived
           | used chips + pins.
        
         | Shivetya wrote:
          | Both my Debit and CC have pins. However there does not seem to
          | be a means by which I can force my bank to only accept purchases
          | which provide it.
          | 
          | Let alone have an SMS mode where I have to approve all purchases
          | made on the card. Provide retailer, state, and cost.
        
           | throwaway744678 wrote:
           | In this case, the bank is defrauded, not you.
        
         | jonkoops wrote:
         | I really never got credit cards, I didn't even own one until I
         | had to make some purchases on American websites. In the
         | Netherlands and most EU countries we all have debit cards
         | protected by a pin, and all transactions are basically instant
         | and increasingly contactless.
         | 
          | As for purchasing stuff on-line we have a system called 'iDeal'
          | which is supported by every bank. You just go to the checkout,
          | scan a QR code with your banking app, accept the purchase in
          | the app and it's done.
         | 
         | It still comes to me as a surprise that in a connected world
         | like today you can make a purchase in someone's name by just
         | knowing a bunch of numbers on a piece of plastic, no
         | verification needed.
        
           | ars wrote:
           | You can make a purchase on an American website with a debit
           | card.
           | 
           | The point of the credit card is to borrow money and pay it
           | back later. That's all.
           | 
           | Most Americans have both Debit and Credit cards and will
           | switch between them based on their financial need.
           | 
            | > You just go to the checkout, scan a QR code with your
            | banking app, accept the purchase in the app and it's done.
           | 
           | And those people who don't have data for their phone?
           | 
           | > that in a connected world like today
           | 
           | Not everyone is connected.
        
         | supernova87a wrote:
         | CC companies in the US made the moronic determination that the
         | American consumer could not handle the complexity of the PIN.
         | Or that it would take too much education and infrastructure
         | change to get that to work. So we had a dumb hybrid approach,
         | and usually the retailer pays for the fallout of this decision.
         | 
         | Secondly, I (and others) will not use my debit card for
         | transactions (to the full extent that I can take this position
         | practically), as debit cards do not have the same protections
         | against fraud as CCs do.
         | 
          | Lastly, an observation, I'm surprised that given the potential
          | penalties (in fraudulent charges), restaurants and other
          | retailers don't just bite the bullet and buy the $100 terminals
          | to get off the swipe system. Maybe it's a little more expensive
          | if they have to replace those big clunky POS / order taking
          | machines. But this technology always ends up costing less
          | than what the complaining businesses say they will have to pay
          | in the beginning.
        
           | alextheparrot wrote:
           | The movement towards eWallets is a better UX than a pin, as
           | the device is a witness factor (chip) while the device-level
           | auth (passcode or <body part>Id) represents similar proof as
           | a pin. The added benefit, here, is that users can order
           | online with as much safety as at a terminal (Maybe I'm
           | missing a nuance or two here?) and no terminal is necessary.
        
           | bsder wrote:
           | > restaurants and other retailers don't just bite the bullet
           | and buy the $100 terminals
           | 
           | Because it's _never_ $100 cash.
           | 
           | It's $100, and a subscription fee for the service, and a
           | percentage of the transaction. Indefinitely.
           | 
            | If you already have a really good deal with your provider,
            | this may be a more significant hit to profit than fraud--
            | _especially_ for a restaurant (where fraud is less because
            | you can't reconvert the food into cash unlike merchandise).
           | 
           | I hate the "SaaS" subscription model, but it's infected
           | _everything_.
        
             | fragmede wrote:
              | It's fair to complain about rent-seeking aspects of SaaS,
              | but credit cards existed before the word SaaS was ever
              | used, and subscription services existed long before
              | _computers_ did.
              | 
              | Thing is, even if merchants didn't buy a _new_ $100
              | terminal, if they're already accepting credit cards with
              | an old terminal, they're already paying a subscription fee
              | and a percentage of transaction, so in this specific case,
              | it _is_ $100 cash. (Pedantically, it's closer to $300
              | https://www.merchantequip.com/processing-
              | equipment/wireless-...)
        
           | gruez wrote:
           | >CC companies in the US made the moronic determination that
           | the American consumer could not handle the complexity of the
           | PIN. [...] So we had a dumb hybrid approach, and usually the
           | retailer pays for the fallout of this decision.
           | 
            | I don't think there's anything specifically wrong (security-
            | wise) with chip + sign for processing. Sure, you don't need
            | to enter a pin to verify the transaction, but it's not like
            | you can clone the chip, so there aren't any security issues
            | there. AFAIK the only issue is that for some banks, the
            | magstripe information can be read off the chip, which can be
            | used afterwards to spoof a magstripe transaction, which the
            | bank allows (for legacy reasons). The core problem is
            | allowing legacy transactions, not the lack of a pin.
        
             | katbyte wrote:
             | If you lose the card someone can just use it if there is no
             | pin. Lose a card with a pin it can't be used.
        
               | gruez wrote:
               | I do agree that it's one deficiency, but it doesn't
               | matter much. The vast majority of fraud isn't from people
               | finding credit cards off the ground and going into stores
               | with it. There aren't organized criminal rings for it
               | because it simply doesn't scale. Not to mention that you
               | have a very limited window to spend it compared to a
               | skimmed card. The banks probably figured that adding pin
               | adds marginal security for significantly more hassle.
        
             | supernova87a wrote:
             | What's the purpose of a signature even? The retailer is not
             | allowed to (by terms of service) ask you for any ID to
             | compare it against. This is just trappings for show.
        
           | rini17 wrote:
            | Most of Europe is moving to contactless card payments and PIN
            | is needed only for large amounts (over 20 euro, recently
            | raised to 60 euro) and for cash withdrawals. The result is
            | that I have already happened to forget the PIN; fortunately I
            | had another card.
            | 
            | So, a stolen card can be used for small payments, but there's
            | an easy process to immediately block it (via app or internet
            | banking).
        
           | AdamJacobMuller wrote:
           | > retailers don't just bite the bullet and buy the $100
           | terminals to get off the swipe system
           | 
            | I think it's been about a year or more for me since I last
            | swiped my card (or saw it swiped). 100% chip/EMV or Apple
            | Wallet here.
        
             | jimmaswell wrote:
             | I severely miss swiping every time I have to sit there for
             | ten seconds staring at a terminal with the chip in, waiting
             | for it to obnoxiously beep. Phone NFC is a bit nicer when
             | it works (often doesn't) but I wish it didn't require
             | authentication. Swiping feels like the golden age of
             | shopping convenience.
        
           | rohansingh wrote:
           | > CC companies in the US made the moronic determination that
           | the American consumer could not handle the complexity of the
           | PIN
           | 
           | Or maybe they did the math, found that the average US
           | consumer has a handful of credit cards, and figured that if
           | they put a PIN on their card it would get used less.
           | Resulting in less profit for the credit card company.
        
         | gruez wrote:
         | Having chip/pin is orthogonal to the card being a credit or
         | debit card. If anything, at least in the US a credit card has
         | better protections in the event you are defrauded. If a
         | fraudster drains your debit card, your money will be gone until
         | they reverse the charges which can be days or weeks. In the
         | meantime you won't be able to pay your bills or your rent,
         | which can cause you to rack up late fees. On the other hand, if
         | a fraudster drains your credit card, they stole your bank's
         | money, not your money. The money is still in your account.
        
           | llsf wrote:
            | I have never used a credit card when living in Europe, it was
            | a debit card... but it is effectively debited at the end of
            | the month only. So you have to pay in full at the end of the
            | month. And the bank is responsible for the security on the
            | card, so if it is hacked somehow, the bank has to fix/pay for
            | it. So, it is a bit strange when moving to the US, and then
            | being responsible for the poor security of the cards (debit
            | or credit) provided by my US bank. Now the anti-fraud system
            | is pretty sophisticated. I once had my CC copied at a fast
            | food place, charged fraudulently less than 30 min after my
            | order there, and had the CC company call and ask me to verify
            | the fraudulent charge. It is just strange not to spend that
            | money upfront on better security on the cards, rather than
            | leave it wide open and then build a complex/velocity/AI
            | system to flag potential fraudulent charges, call me, cancel
            | charges, and send me a new CC.
        
             | loeg wrote:
             | > but it is effectively debited at the end of the month
             | only. So you have to pay in full at the end of the month.
             | 
             | In the US, you've described "Charge Cards." Some of the
             | cards American Express offers are charge cards. (I don't
             | know of other vendors with such cards.)
        
               | splonk wrote:
               | Diners Club, although they're a very small player. Some
               | corporate cards as well, I believe. Possibly some of the
               | niche cards targeted at people with very bad credit act
               | this way as well.
               | 
               | Basically the very large majority of consumers won't see
               | a charge card besides AmEx.
        
           | champtar wrote:
            | At some point someone is paying for the fraud, and it's not
            | the bank, it's the merchant, who slightly increases the price
            | to account for that, so in the end you pay for it. Same for
            | cashback.
        
             | abarringer wrote:
              | I work in the credit card industry. It's more complicated
              | than that. Who has EMV enabled correctly greatly shifts
              | the fraud load. But banks can and do pay a huge part of the
              | fraud, which is passed on to consumers in higher interest
              | rates. Merchants pay "cashback" by some definition but it's
              | fungible. If there were no cashback that money would go
              | directly to the banks and the end user would have lower
              | interest rates.
        
               | champtar wrote:
               | What I mean is it's like every insurance, they estimate
               | the risk and collect enough money to pay for this.
        
           | toohotatopic wrote:
           | As you say, it is orthogonal. Why not have both? You pay for
           | the fraud with higher fees compared to a system where fraud
           | is prevented by additional security.
        
             | alextheparrot wrote:
              | Credit cards do have this, that's one of the use-cases of
              | the pin on the back. The eWallet products being pushed by
              | various companies neatly bridge the chip/pin to the card,
              | giving chip/pin style protections digitally.
             | 
             | Most phones require you to use some form of passcode (6
             | digits, TouchId, FaceId) which are effectively pins prior
             | to using a payment method. Additionally, there are secure
             | chips in your devices to do the actual processing. This
             | means that digital purchases through eWallet methods are
             | effectively chip + pin while still getting credit card
             | fraud protections.
        
         | alkonaut wrote:
         | Does debit vs credit really matter? I have a pin for both my MC
         | debit and credit cards (same with Visa earlier) and any online
         | purchase requires 2FA (MasterCard SecureCode and VerifiedByVisa
         | respectively).
         | 
          | I wouldn't make a transaction online without those 2FA measures
          | and I wouldn't make an in person transaction without pin. I
          | haven't checked actually but I assume the cards can't be used
          | without pin/2FA e.g. if the details were leaked.
        
           | ckorhonen wrote:
            | I don't know how much stock I'd put into SecureCode etc.
            | Recently I discovered that American Express's SafeKey could
            | easily be bypassed on BestBuy.com by leaving the browser tab
            | open for ~15 minutes.
           | 
           | I assume it's up to the e-commerce site to implement the
           | check, and in this case it had timed out and they decided to
           | process the order anyway.
           | 
           | Sure, you'll probably win any chargeback, but they don't
           | necessarily prevent the charges in the first place.
        
           | lxgr wrote:
           | > I wouldn't make a transaction online without those 2FA
           | measures and I wouldn't make an in person transaction without
           | pin.
           | 
           | Even if you don't, if your card details get leaked,
           | fraudsters definitely will. You can't prevent that by
           | shopping selectively.
        
           | marvinblum wrote:
            | With the new 3D secure EU regulation this will become the
            | standard in Europe. My credit card works without those
            | security measures at the moment.
        
         | maxerickson wrote:
         | What's artificial about fraud protection that doesn't depend on
         | a pin?
         | 
         | A pin verifies the bearer, systems that don't require them
         | evaluate each transaction. It's not like US merchants are all
         | choosing to stop accepting credit cards, so fraud probably
         | isn't _that big_ a problem.
        
       ___________________________________________________________________
       (page generated 2020-07-31 23:01 UTC)