[HN Gopher] The underground world of credit card network exploit...
___________________________________________________________________
The underground world of credit card network exploitation
Author : pimpl
Score : 347 points
Date : 2023-08-02 15:05 UTC (7 hours ago)
(HTM) web link (chargebackstop.com)
(TXT) w3m dump (chargebackstop.com)
| tamimio wrote:
| Credit card payments are exactly just like SMS 2FA, both are
| insecure by design and served the purpose before the internet,
| trying to shove old tech into a new one and expecting it to work
| well is just naive. Instead of spending time and resources by big
| corporations to create such "web environment integrity", how
| about creating a better, more secure, fraud-proof system
| instead?
| kareemc wrote:
| In my experience, Stripe used to be a lot better at catching this
| stuff - but I've noticed it seems to have been getting worse and
| worse.
|
| Have Stripe Radar improvements slowed down or have fraudsters
| gotten better?
| bze12 wrote:
| Some advice I got a while ago about detecting fraud through
| stripe is you should probably train your own fraud detection
| model if you're serious about limiting it and have enough volume.
| Even something like a simple logistic classifier would work.
| Stripe radar isn't tuned to the specifics of your business, and
| there are other signals you can account for (like which products
| they're buying, how long it takes them to buy after opening your
| site, etc). Custom Radar rules work to an extent.
|
| I get that a lot of indie businesses probably don't have the
| resources/want to do this, so there are solutions you can buy,
| but they're expensive and mostly targeted at high volume
| merchants anyway. Maybe stripe launches a fine-tunable radar
| product someday?
| codedokode wrote:
| It is ridiculous that you can simply enter somebody's card number
| and buy something without confirming a purchase via SMS code.
| nickdothutton wrote:
| I've always found it incredible that US banks often require only
| the card number to perform a transaction. All those "card
| generators" I used to see uploaded to BBS in the late 80s and
| early 90s make sense.
| deathanatos wrote:
| That part of the article was news to me. Like, why do I have to
| deal with CVVs, expiration dates, zip codes, (not to mention
| the resulting work from the fallout from the fraud) ... if it
| doesn't even matter? How many person years of human life per
| year could pursue something ... worthwhile ... if we checked
| the CVV?
| zaroth wrote:
| I don't understand not checking CVV and Expiration Date at
| all...
|
| But for the other info, they could be carding for prepaid
| cards which have no name, address, or ZIP code to verify
| against?
| deathanatos wrote:
| Do prepaids not have ZIPs? So many things demand this info
| (heck, even some gas pumps...) ... what do people enter at
| those prompts?
|
| (I left out name; I assume name isn't matched against,
| given how fuzzy of a field it is. Most sites don't even
| prompt for the information accurately enough to make a
| match anyways.)
| cesarb wrote:
| It makes sense to me that zip codes don't matter (or might be
| a weak signal), since some countries might not have postal
| codes, or might have a different postal code format. But I
| agree with you that it doesn't make sense to not check the
| CVV and expiration date; both are printed directly in the
| card, and should match exactly (unlike the card owner name,
| which is also printed in the card, but the user might type it
| differently, for instance typing in full their middle name
| when it's abbreviated in the card).
| jaywalk wrote:
| I recently discovered, after almost a year, that I had put the
| wrong expiration date of a new card into my password manager.
| It was the correct year but the wrong month. Not a _single_
| transaction had failed with the wrong expiration date.
| zitterbewegung wrote:
| Candyjapan has a good write up on mitigating this
| https://www.candyjapan.com/behind-the-scenes/how-i-got-credi...
| pimpl wrote:
| Really interesting, thanks for sharing!
| pard68 wrote:
| Worked as the catch-all systems/CI/infrastructure/software
| engineer for an ecommerce company last year. This sort of stuff
| was so common. I'd spend at least one day a week trying to
| determine the newest pattern and prevent it. They were using our
| system to validate credit cards.
|
| Eventually I stopped more or less all attacks on our
| cart/checkout. But the requests were still coming. Eventually
| while trolling logs for an unrelated PHP problem one of the
| software engineers mentioned there was a huge amount of traffic
| hitting our page to save a payment for later. The platform would
| issue a $1.00 charge to verify that the CC was real and they'd
| moved to using that to "churn" cards.
|
| These CC thieves are very resourceful.
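Detection of the pattern pard68 describes (a burst of save-card requests, each triggering a $1 verification charge, used to churn through stolen cards), as an added example that is not part of the original comment. It assumes a constructed access-log format and a hypothetical endpoint name /account/payment-methods; real logs and thresholds will differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from the original post). Each POST to the
# hypothetical /account/payment-methods endpoint stores a card and triggers the
# $1.00 verification charge the comment describes, so a burst of many distinct
# cards from one source is the card-testing pattern to look for.
SAMPLE_LOG = """\
2023-08-02T15:00:01Z 203.0.113.7 POST /account/payment-methods card_fp=c001 status=402
2023-08-02T15:00:05Z 192.0.2.9 POST /cart/checkout card_fp=c777 status=200
2023-08-02T15:00:09Z 203.0.113.7 POST /account/payment-methods card_fp=c002 status=402
2023-08-02T15:00:17Z 203.0.113.7 POST /account/payment-methods card_fp=c003 status=200
2023-08-02T15:00:24Z 203.0.113.7 POST /account/payment-methods card_fp=c004 status=402
2023-08-02T15:00:31Z 198.51.100.20 POST /account/payment-methods card_fp=c900 status=402
2023-08-02T15:00:40Z 203.0.113.7 POST /account/payment-methods card_fp=c005 status=200
2023-08-02T15:01:02Z 198.51.100.20 POST /account/payment-methods card_fp=c900 status=200
2023-08-02T15:30:00Z 203.0.113.7 POST /account/payment-methods card_fp=c006 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) card_fp=(?P<fp>\w+) status=(?P<status>\d+)$"
)
SAVE_CARD_PATH = "/account/payment-methods"  # assumed endpoint name, not a real product path


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "path": m["path"],
        "fp": m["fp"],  # card fingerprint (a hash of the PAN), never the PAN itself
        "declined": m["status"] != "200",
    }


def detect_card_testing(lines, window=timedelta(minutes=5), max_attempts=8, max_cards=3):
    """Return {ip: alert} for sources that, inside a sliding window, submit more than
    max_attempts save-card requests or try more than max_cards distinct cards.
    The distinct-card count is the strongest signal: a real customer re-submitting
    one card after a typo never trips it, while a tester cycling through a list does.
    """
    events = [e for e in map(parse_line, lines) if e and e["path"] == SAVE_CARD_PATH]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> events still inside the window, oldest first
    alerts = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        cards = {x["fp"] for x in q}
        if len(q) > max_attempts or len(cards) > max_cards:
            declines = sum(1 for x in q if x["declined"])
            prev = alerts.get(e["ip"])
            # keep the worst window seen for this source
            if prev is None or len(cards) >= prev["distinct_cards"]:
                alerts[e["ip"]] = {
                    "attempts": len(q),
                    "distinct_cards": len(cards),
                    "decline_ratio": declines / len(q),
                    "first_seen": q[0]["ts"],
                    "last_seen": e["ts"],
                }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_card_testing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {a['distinct_cards']} cards in {a['attempts']} attempts, "
              f"{a['decline_ratio']:.0%} declined "
              f"({a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S})")
```

The same per-source window can be keyed on session or account id instead of IP when testers rotate proxies; the decline ratio is a useful secondary signal because a legitimate customer rarely sees several declines in a row.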
| bigbacaloa wrote:
| As an end _user_ of banks in both the US and EU, the banks in the
| US seem way, way behind technically and in terms of online
| usability. Both less secure and more cumbersome to use.
| xyst wrote:
| Yet another reason why the credit card industry needs to go.
| Security protocols non-existent or haven't been upgraded since
| the turn of the 21st century. The amount of middleman abuses is
| innumerable as well. The costs of dealing with these nuisances are
| passed on to the merchant (via higher transaction fees, charge
| back fees, ...), and inevitably passed on to the consumer.
|
| Let's not forget that the CC industry encourages the worst
| spending habits for consumers thus perpetuating the never ending
| cycle of slaves to debt.
| nerdawson wrote:
| Why does the US seem so far behind when it comes to banking?
|
| - Chip and PIN has been in the UK since 2004 and mandatory since
| 2006. It wasn't until a decade later that the US caught up.
|
| - Faster Payments allow for instant bank transfers (usually)
| between any bank account for free. Receiving transfers from
| clients in US (even with a US Wise bank account) was always a
| nightmare.
|
| - Since the EU introduced Strong Customer Authentication, most
| new payments have to be authorised in your mobile banking app or
| by some other means of 2FA.
|
| - Even before SCA, you'd have to get the Postcode (often digits
| that mattered) and CVV correct at the very least.
|
| These measures seem like a way of banks shifting the
| responsibility for fraud onto the customer. In either case
| though, it's the customer who loses out. In a culture that
| accepts widespread card fraud, costs increase to offset it.
| tlogan wrote:
| In my view, the U.S. is leading the way in this area.
|
| Europe seems to be shifting the burden of fraud prevention onto
| customers with methods like SMS notifications and pins. In
| contrast, in the U.S., banks and businesses are primarily
| responsible for dealing with fraud.
| dahwolf wrote:
| I'm sorry but using strong authentication to make my payment
| is not a burden, it's a bloody feature.
|
| Here's how much of a "burden" that is: you hold your ATM card
| next to the terminal. Done. Paid. Every once in a while
| (based on a configurable max per week) it will prompt for a
| PIN. Which you enter in 5 secs. That would be 1 in 10
| payments.
|
| Online payment: scan payment QR with phone, which takes me to
| my banking app. Authentication is FaceID, TouchID or PIN.
| Then you click "Yes". Done.
|
| Both methods are highly secure, require no or minimal input
| and are extremely fast.
| mndgs wrote:
| Oh, please. You're grossly misinformed. If anything, US is
| lagging lightyears behind Europe in terms of fighting fraud
| and fighting card schemes, which are stripping everyone
| equally in US, banks and customers alike.
|
| PSD2 directive introduced a lot of novelties, which no one at
| the time had (and very few do, not even US). For instance,
| specific to this situation - remote payments above 30 eur
| must be SCA (strong customer authentication, similar to 2FA,
| but more elaborate) verified (small value exception from PSD2
| RTS). Also, banks must have both real time and post-time
| transaction monitoring in place, i.e. they must have systems
| to detect and prevent such fraudulent attempts. There are
| literally tens if not hundreds of fraud fighting measures in
| PSD2, which all banks (both acquirer and issuer) must comply
| with. I could go on and on (not the place and format).
|
| Frankly, it's utterly unbelievable that this kind of thing
| could happen without anyone (either acquirer or issuer)
| intervening. Not what could (should) happen here in Europe.
| daveoc64 wrote:
| It's more the case that US Consumers are indirectly funding
| crime by banks turning a blind eye to fraud.
| tlogan wrote:
| It's curious that the same product isn't cheaper in Europe
| compared to the U.S., despite Europeans not funding fraud.
| I can't help but wonder where those extra savings go.
| ArnoVW wrote:
| Products are more expensive in Europe because we have (on
| average) ~20% sales tax. And because the _general_ tax
| pressure is higher because we have more state services.
|
| In terms of PPP someone should look it up (on mobile)
| i_am_jl wrote:
| On the other hand, the EU caps credit card fees at 0.5% by
| law while in the US merchants will pay 3 times that at a
| minimum.
|
| I suspect that in the US CC processors are incentivized to
| increase their processing fees to cover the cost of fraud
| instead of building features to prevent it because they can
| and it's easier than building features. Businesses are
| incentivized to increase prices to cover the cost of fraud
| (and CC processing costs) since processors offer such poor
| tooling to prevent it.
|
| In the US the burden of fraud prevention is squarely on the
| honest consumer's wallet.
| Dma54rhs wrote:
| It's not leading the way technically but for the end consumer
| it might be better. If I get charged unfairly my bank will
| tell me to go to the police. Americans can easily just refuse
| it.
| toyg wrote:
| Not if you use a credit card; a quick call to Visa/MC/Amex
| will get your money back instantly in Europe too.
|
| The main difference is that, in Europe, _debit_ cards are
| often used in the same way as a CC - except they are just a
| direct pipe to one's bank, and once the money comes down
| the pipe there is no easy way to push it back up.
| mnw21cam wrote:
| Chip and PIN isn't mandatory in the UK - it's just the default.
| My debit card is not Chip and PIN, because I asked the bank
| very nicely.
|
| The problem isn't the Chip and PIN itself, although it has been
| implemented less securely than it could be. The problem, as you
| point out, is that the liability for fraud has been shifted in
| law to the card holder, and that is what I objected to. See
| https://www.chipandspin.co.uk/ for more.
| 0xbadcafebee wrote:
| > These measures seem like a way of banks shifting the
| responsibility for fraud onto the customer.
|
| Onto the vendor, not the customer. The customer can chargeback
| anything instantly, and the vendor is on the hook for the
| fraud.
|
| It's intentional, so the banks and payment processors can make
| more profits. By making it easier for customers to chargeback,
| they incentivize customers to buy more stuff, by getting the
| customer to feel more comfortable charging everywhere. Charging
| more stuff makes payment processors more money.
| mistrial9 wrote:
| > US seem so far behind when it comes to banking
|
| "ahead" and "behind" halt thinking, and turn the entire topic
| into some kind of number-line position. It is not. This is
| complex and actors on both sides of the Atlantic are playing in
| bad faith to exploit changes. Second you ignore the roles
| involved. Mid-20s person with steady job is a smaller and
| smaller part of the system-in-fact, for many reasons. Some
| people say that working 20-somethings are abused and
| disenfranchised, including in the EU and elsewhere.
| np- wrote:
| > In a culture that accepts widespread card fraud, costs
| increase to offset it.
|
| Maybe, maybe not, but this is a very simplistic way of looking
| at it. If credit card fraud is responsible for X% of total
| charges, they can spend effort to deal with it, OR they can
| simply not deal with it and keep the transactions going
| while eating the cost; they may be able to serve Y% more
| customers where Y > X and thus end up with more profit in the
| long run.
|
| This works for a lot of businesses in America because the sheer
| scale is massive (take McDonalds for example, they would
| probably be better off processing their lunch rush quickly due
| to the margins they are making rather than take even 1 second
| to verify there is no fraud). This may not work in Europe, but
| IMO you're missing an entire dimension when analyzing the true
| costs.
|
| If the fraud/benefit scale ever tipped away from favoring the
| companies, I think we would see all these major fraud
| prevention mechanisms kick in almost immediately in the US.
| ActivePattern wrote:
| As a Canadian, it does feel like stepping out of a time machine
| when you pay at restaurants in the USA. Instead of using a
| terminal at the table to pay yourself, you need to give the
| server your card and wait for them to manually process it
| somewhere. Maybe things have progressed in recent years. But we
| haven't done it that way in Canada since the early 2000's.
| danudey wrote:
| I was visiting Seattle (from Vancouver) a few years ago, and
| they didn't want me to use my chip card as a chip card
| because if they did then I couldn't tip. What the heck is
| that all about?
|
| Also, we're _still_ hearing stories about merchants in the US
| starting to accept Apple Pay, whereas it worked fine in
| almost every retailer in Canada the day it was available -
| even though it wasn't available in Canada for a long time,
| American visitors (or Canadians with American credit cards)
| could use Apple Pay on launch day at any retailer that
| supported tap-to-pay, which was easily most of them.
| bmicraft wrote:
| > What the heck is that all about?
|
| Tax fraud? I've never seen a card reader in a restaurant
| (here in Europe) where they couldn't either enter a
| completely arbitrary amount to pay, or add a tip.
| kasey_junk wrote:
| It was probably an issue with that particular merchant's
| POS. Merchants have very little incentive to update their
| POS systems so technology changes are very hard to get
| rolled out. Especially for smaller merchants which many
| restaurants are.
|
| It's a network effect thing. Because tap to pay wasn't
| supported by the POS vendors US consumers did not get much
| improvement in experience because of it, so there wasn't
| demand from merchants. With Apple Pay there is a huge
| improvement for consumers (not having to carry the credit
| card) it has finally forced merchants and their supporting
| POS vendors to support it.
|
| Between that and the disruption in the POS market the iPad
| (and similar devices) brought, POS vendors have had to
| become more flexible.
| tptacek wrote:
| That's not a thing. Americans universally pay for
| restaurant meals on cards.
| wpietri wrote:
| Things have definitely changed here recently. At least in San
| Francisco, at-table terminals are now the norm in sit-down
| restaurants. Staff generally use the same device for order-
| taking and payment.
| baby_souffle wrote:
| > Things have definitely changed here recently. At least in
| San Francisco, at-table terminals are now the norm in sit-
| down restaurants. Staff generally use the same device for
| order-taking and payment.
|
| I used to work in PoS industry.
|
| This tech is new-ish to the US but not to the rest of the
| first-world. 15 years ago, paying with a CC @ the table was
| common in Europe, but the terminal could ONLY do payments.
| The devices that have been rolling out to the US are more
| like android tablets in that they can run the order taking
| half of it, too. Selling hardware to a restaurant is tricky
| and "oh, no, this only allows you to move the payment
| portion to the table; staff still have to go to central
| spot to find a table that can accommodate guests and place
| their order" was basically a non-starter. The sales pitch
| is a lot easier now that everything can be done table-side.
| wpietri wrote:
| For sure. "Bring the card to the device" and "bring the
| device to the card" seem about equivalent to me in
| convenience unless the device is something that the
| waitstaff is going to carry all the time anyhow.
| pests wrote:
| I've started to see more and more servers using a mobile POS
| with built in credit reader and receipt printer. They hand it
| to you for tip and signature and you don't have to hand your
| card to anyone.
| tlogan wrote:
| Definitely not a better experience for all consumers. Or
| waiter.
|
| I do know that some restaurant owners are removing these
| things. They do not want to look like Olive Garden :)
|
| But it really depends on a restaurant: is it high end, type
| of food / drinks, it is a date place, etc.
|
| The majority of restaurants are all about experience, and even
| the payment system should match that experience.
| sigwinch28 wrote:
| > The majority of restaurants are all about experience, and
| even the payment system should match that experience.
|
| I'm in the UK. I go to many high-end restaurants,
| cocktail bars, etc. Portable card terminals are
| essentially universal in these places. The fact it's the
| same everywhere is a feature, not a bug.
|
| It's quick. Your card never leaves your sight. No pen is
| required. Payments up to £100 can be done using
| contactless on a physical card. Even higher amounts with
| smartphones/smart watches. Tipping is often integrated
| into the terminal where tipping is common. It's rare to
| have to put the card into the terminal.
|
| I don't think it detracts from the experience. On the
| contrary, I think it streamlines the bit between being
| finished and wanting to leave:
|
| "Please can I have the bill and a card machine, please".
| WirelessGigabit wrote:
| But now they get to see how much you're tipping them! Like
| they literally have to wait while you punch it in,
| increasing the social pressure to make up for a broken
| system.
|
| I don't go to restaurants anymore. Too much pressure.
| DiggyJohnson wrote:
| Respectfully, this seems like social anxiety or
| hyperbole. You don't go to restaurants because of the
| stress of the cultural norm of tipping? Seems more
| accurate to say you don't like eating out in general or
| because of the price of eating out once you factor in a
| tip...
| creeble wrote:
| None of these comments seem relevant to TFA, which is
| specifically about card-not-present fraud.
|
| Chip and PIN doesn't work for internet payment.
|
| Bank transfers don't work well internationally.
|
| It is trivial to turn on AVS (address verification) and CVV,
| but it can result in more declined-yet-legitimate transactions.
| Sometimes that outweighs the fraud risk that these catch.
|
| The responsibility for fraud is pushed to the merchant, not the
| customer. Yes, customers pay higher prices because merchant
| fraud gets passed on eventually, but only in the sense that
| _all_ fraud costs get passed on to consumers eventually.
| pas wrote:
| Lack of initial (mobile app push notification based)
| verification for saving the card data is the issue, no?
| DarkGauss wrote:
| We still do not use chip-and-pin on credit cards in the US. We
| use chip-and-signature for most credit cards. I'm not saying
| there aren't credit cards with chip-and-PIN, there are some.
|
| We do use chip-and-PIN on most debit cards, but even that can
| be bypassed on 99% of terminals to fall back to chip-and-
| signature.
| ggregoire wrote:
| What's super interesting to me, lot of countries that you would
| expect to be behind the US on that topic actually have state-
| of-the-art banking techs. Even the EU is behind some of the
| stuff I've seen in LATAM.
| mndgs wrote:
| Please, name an example. Particularly, EU being behind LATAM.
| As an expert, I'm honestly interested.
| arjvik wrote:
| We have 3D Secure, but it's almost never implemented on sites!
| _puk wrote:
| Define "We".
|
| With a UK card pretty much any transaction I do online
| requires me to Auth it in app.
|
| I even found I had to do it recently for things like car
| hire, and those websites are generally just wrappers around
| local company searches (though higher sums overall).
| BaseballPhysics wrote:
| A massively diverse and deregulated banking sector.
|
| The US has literally _thousands_ of small regional banks across
| 50 fairly independent states.
|
| Rolling out major new technologies in that environment is far
| far harder.
| cubefox wrote:
| The number of banks in the US seems perfectly normal. Germany
| has ~1500 for 80 million inhabitants, the US has ~4800 for
| 300 million.
| toomuchtodo wrote:
| https://www.npr.org/2023/05/16/1176513695/does-the-u-s-
| have-...
|
| https://www.marketplace.org/2023/05/05/heres-why-the-u-s-
| has...
| TrackerFF wrote:
| If Germany is anything like the Scandinavian countries,
| those banks will just be branches of a handful of different
| banks.
|
| We really don't have any microbanks that need to roll out
| their own tech for everything - most are just part of the
| larger banks, and get all the infrastructure provided for
| them.
| tptacek wrote:
| The US is 50 related but different regulatory regimes, not
| 1.
| cubefox wrote:
| Germany also has states, although they aren't as
| independent as US states. In any case the EU is much less
| unified than the US.
| BaseballPhysics wrote:
| First, compared to the rest of the EU, Germany is a weird
| outlier with the number of banks they have (which, by the
| way, has been declining steadily for 15 years).
|
| Setting that aside, you missed the "deregulated" part.
|
| As I understand it (and I grant my understanding is pretty
| cursory) Germany has a much stronger central regulating
| body, and is subject to overall EU regulations as well.
|
| The US has multiple regional banking authorities and a ton
| of responsibility is delegated to the states, and in
| general government intervention is seen as a last resort.
|
| So it's both structural and cultural.
| cubefox wrote:
| > First, compared to the rest of the EU, Germany is a
| weird outlier with the number of banks they have (which,
| by the way, has been declining steadily for 15 years).
|
| Still, the absolute number itself seems to be not really
| the issue here. (I assume the number of US banks has
| similarly declined in the US, as fusions reduce cost.)
|
| > Setting that aside, you missed the "deregulated" part.
|
| Yeah, that part I don't object to.
| [deleted]
| asmor wrote:
| And also, a lot of German banks are actually federated
| with centralized IT departments (like Finanz Informatik)
| providing the entire bank as "blueprint". Yes, even if
| they aren't called Volksbank or Sparkasse. For instance,
| if you get an EC/GiroCard from DKB, the letter is
| suspiciously typeset in Sparkasse's corporate font.
| Scoundreller wrote:
| > We learnt that 15% of the successful fraudulent charges
| resulted in chargebacks.
|
| I hope the other 85% are just recent transactions that haven't
| been scrutinized yet.
|
| Or did the fraudsters target a bank with high net worth clients
| that don't scrutinize smaller billings???
|
| I can see a lot of people not really scrutinizing a random
| Spotify transaction or something. Especially vendors that let you
| store multiple cards and then you don't always keep it straight
| which transaction went to which card anyway.
| mrguyorama wrote:
| Stripe is god awful at fraud prevention and it's intentional.
| They are explicitly outsourcing the cost of risk management to
| their clients. It's obscene. I work in the credit card fraud
| prevention field, and I'm not even that good at my job, but our
| team of like 3.5 people easily built and maintained a system that
| prevents this exact kind of carding attack.
|
| The primary way for a business to prevent carding attacks is to
| just be slightly more annoying to attack than the next guy. As
| far as I can tell, Stripe is happy to be the easiest large
| network to attack because they outsource the pain and cost of any
| attack to you, their users. They could easily, and for very
| little cost, prevent this from hurting you.
|
| Stripe is choosing to let you suffer to save a few bucks.
| KRAKRISMOTT wrote:
| They want to nickel and dime you and make you pay for Radar.
| It's the exact same strategy with Stripe Taxes and their
| terrible currency conversions. Provide no service up front and
| eventually you realize your stripe transaction hits two digit
| percentage of your overall price.
| thierryzoller wrote:
| What strikes me is the comment on 3DS challenges that passed. By
| law in Europe, once a 3DS challenge is completed the bank owns the
| risk and cost of the chargeback, NOT the online shop. Can someone
| tell me how this is implemented in common processors? Any
| experience?
| paxys wrote:
| If you are a foreign company accepting payments from the USA, you
| should simply expect this as a cost of doing business.
|
| Credit card fraud here is socialized. The end consumer is never
| liable, and so we don't bother with chip and pin, 2FA, 3D secure
| or whatever else. If we notice a suspicious transaction we simply
| tap a button in the bank's app and the charge is reversed in
| minutes.
|
| Banks and payments processors are themselves incentivized to push
| through transactions as quickly and easily as possible so people
| spend more (yay consumerism!), and like the author said you
| mostly don't even need to input the right expiry date, billing
| address or zip code.
|
| The drawback of course is that all of the liability is pushed on
| to the business, and so they have to raise prices for everyone to
| make up for it.
| skybrian wrote:
| I expect it's path-dependent legacy practices more than
| anything else. Credit cards were invented in the US, so the
| tech is old and upgrades take a long time.
|
| For manual payments, UPI in India sounds pretty great.
| Apparently the customer approves each payment on their phone
| before it goes through?
| delusional wrote:
| Your causality chain doesn't track for me. Here in Denmark we
| have the same consumer protections, the ability to do
| chargebacks and the (government funded) guarantee that the
| consumer does not lose any money if their bank account is
| drained. Yet we still have very strong protections at the time
| of purchase with mandatory chip-and-pin as well as 3D secure
| (which replaced Verified by Visa).
|
| I don't really think there's a rational reason for why you
| don't have better card security in the US. You just seemingly
| don't want it.
| tobi1449 wrote:
| My guess is the difference lies in the fact that the EU
| limits credit card fees to something around 0.5%. That means
| the CC companies can't offload the financial burden of this
| onto the vendors (and they in turn onto their customers),
| which leads to them having an actual incentive to improve
| security.
| dheera wrote:
| > That means the CC companies can't offload the financial
| burden of this
|
| Most CC company (CCC) revenue comes from charging the poor
| people who can't pay their bills ("interest"). Merchant
| fees are only a small portion of revenue for most cards
| [1]. In the case of Discover for example it's less than 10%
| of their revenue, and in the case of Amex it's less than
| 33%. Other cards fall in-between.
|
| [1] https://www.valuepenguin.com/how-do-credit-card-
| companies-ma...
| trompetenaccoun wrote:
| Your link explains that the issuing banks charge
| interest, not the credit card companies - which are
| merely the payment processors. I don't know all of the
| companies listed, it's possible that some are two in one
| and have their own bank as well. Some payment processors
| are partly owned by major banks too. But take the largest
| CC company, Visa: They don't extend credit at all, they
| don't even issue their own cards iirc. All their profit
| comes from fees, because the fees are too damn high(tm).
|
| They've successfully convinced the public of the opposite
| though. It's a very common misconception that only
| "suckers" who buy on credit pay for it and that everyone
| else is getting a free service as long as they pay off
| their cards in time. In reality everyone pays because the
| merchants have to pay those fees and they pass the cost
| on to the consumer.
| dheera wrote:
| I used CC companies loosely as in {issuing banks + credit
| card companies} and their collective profit model.
|
| > In reality everyone pays
|
| Not really, credit card companies give you cash back if
| you pay on time, which is percentage-wise similar to
| merchant fees.
| Sebguer wrote:
| There's a recurring myth, very prevalent in the US, that
| credit card companies would prefer people who pay off
| their bills every month as cheap margin versus being
| predatory. It's bizarre, and as you've pointed out,
| completely unsupported by how they actually make their
| money.
| Jon_Lowtek wrote:
| The incentive for payment providers to improve their
| security is a regulation called PSD2 which directly
| requires strong customer authentication.
| trompetenaccoun wrote:
| And that is in addition to the outrageous fees CC companies
| charge merchants. In the US it's typically around 2% of the
| transaction! The EU caps it at 0.3% maximum, which still seems
| like a lot when you consider how much money they move. That's
| another cost that gets socialized and passed on to the consumer
| of course, even shoppers who pay cash have to pay for this
| through higher prices.
|
| People should know btw that with 3D secure the card owner can
| be held liable for fraudulent charges, because some banks have
| that in their terms for 3D secure. With phone 2FA all that
| needs to happen is you have your phone and wallet stolen. I've
| seen cases in the news where people lost thousands.
| carlosjobim wrote:
| > The EU caps it at 0.3% maximum
|
| That's completely untrue. Most European businesses pay much
| more than that.
| pas wrote:
| You're mixing up total cost of processing the card (which
| is what Stripe and other gateways charge) with the Visa/MC
| rent.
|
| https://ec.europa.eu/commission/presscorner/detail/fr/MEMO_
| 1...
|
| "Therefore, the Regulation caps interchange fees for
| consumer debit cards to 0.2 % and consumer credit cards to
| 0.3 % of the value of the transaction."
| toomuchtodo wrote:
| > With phone 2FA all that needs to happen is you have your
| phone and wallet stolen.
|
| Are device passcode and app biometrics insufficient security
| measures in the event of device theft?
| joncrocks wrote:
| If you have your phone set to wake-up/show notifications on
| new messages, and your bank simply sends an SMS code as
| verification, then the thief can just read the message(s)
| when they come in and input them.
| dkjaudyeqooe wrote:
| You have the option to hide the actual message, at least
| on Android.
| l__l wrote:
| Last I checked this was opt-in on Android; it's been
| default on iOS since I think 2017ish?
| J_Shelby_J wrote:
| If they have your device pin code and your device, they
| have control of your entire digital life.
|
| We've never been more vulnerable to petty crime.
| treadmill wrote:
| Wild idea: What if secure digital payment was a public
| service.
| cubefox wrote:
| FedNow:
|
| https://www.federalreserve.gov/newsevents/pressreleases/oth
| e...
|
| Unfortunately not many banks support it yet.
| Brystephor wrote:
| I think "secure" is the key part that's missing here.
| There's no incentive for a consumer to use a payment
| method such as this when paying with a bank. The reason
| is that credit cards come with consumer protection that
| this just doesn't offer.
| cubefox wrote:
| I don't think customer protection is necessary unless you
| are dealing with unusually small or shady companies. I
| live in Germany and do not own a credit card, they are
| uncommon here. Mostly we pay per bank transfer or debit
| card. Even with the possibility of fraud, this is
| probably significantly cheaper in expectation than paying
| a 2% credit card fee each time just to have the
| possibility of chargeback.
| notyourwork wrote:
| I'm not sure how much extra I pay but the hassle free peace of
| mind I have seems worth it.
| vladms wrote:
| "Hassle free peace of mind" meaning you do not need to
| remember a 4 digit code (or clicking "yes" in a phone app),
| while you need to check your credit card transaction list
| regularly to reject fraudulent transactions?
|
| I find the effort of remembering the 4 digit code/having the
| phone much smaller than the alternative ...
| Invictus0 wrote:
| I think OP is talking about never being liable for fraud
| acdha wrote:
| I've never had a card stolen where either of those would
| have helped - they're stopgaps trying to avoid upgrading
| the banking system to use public-key encryption with reuse
| protection.
|
| A couple of times, merchants with my card on file were
| compromised. The thief could make charges because the
| merchant had to be able to as well. What would have stopped
| that would have been having a way to restrict a charge to a
| particular merchant so the attacker couldn't have been able
| to get the money out.
|
| Once, my supermarket had skimmers. A code wouldn't have
| been effective unless you were very good at spotting where
| the thieves planted cameras, too. An active MFA prompt
| would help against attacks at a substantially later time
| but it'd have to include the merchant name in an
| unspoofable form to prevent real-time attacks so I wouldn't
| be asked to approve charges from SAFEWAY_, and that old-
| fashioned style of MFA is painful: it'd always make
| checkout slower and you'd have some fraction of people who
| don't have phones with them or just ran out of battery.
|
| What completely solved this problem for me was the modern
| tap systems (ApplePay). It requires more smarts on the
| client but means that I have to approve each transaction
| and the value the card reader gets can't be used anywhere
| else.
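Added illustration of the merchant-binding and one-time-cryptogram design acdha describes above. This is example code written for this page, not from the comment author or from any card network; the HMAC construction and the `Issuer`, `Card`, `Token` and `Cryptogram` names are assumptions that stand in for the real EMV/network-token mechanisms. A token captured from one merchant's database fails when another merchant presents it, and a tap cryptogram is good for exactly one approved amount at one merchant.

```python
"""Merchant-bound card-on-file tokens and one-time tap cryptograms (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Token:
    """Card-on-file credential the issuer hands to exactly one merchant."""
    merchant_id: str
    card_ref: str      # issuer-internal reference, never the PAN
    tag: str           # HMAC over ("token", merchant_id, card_ref)


@dataclass(frozen=True)
class Cryptogram:
    """One-time value a tap-to-pay device gives the terminal for a single approved purchase."""
    card_ref: str
    merchant_id: str
    amount_cents: int
    counter: int
    tag: str


def _mac(key: bytes, *parts) -> str:
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Card:
    """Simulated wallet device: shares a per-card key with the issuer and keeps a counter."""

    def __init__(self, card_ref: str, key: bytes) -> None:
        self.card_ref, self._key, self._counter = card_ref, key, 0

    def tap(self, merchant_id: str, amount_cents: int) -> Cryptogram:
        # The cardholder approves this merchant and amount once; the counter makes it single-use.
        self._counter += 1
        tag = _mac(self._key, "tap", self.card_ref, merchant_id, amount_cents, self._counter)
        return Cryptogram(self.card_ref, merchant_id, amount_cents, self._counter, tag)


class Issuer:
    def __init__(self) -> None:
        self._token_key = secrets.token_bytes(32)
        self._card_keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enroll(self, card_ref: str) -> Card:
        key = secrets.token_bytes(32)
        self._card_keys[card_ref] = key
        self._last_counter[card_ref] = 0
        return Card(card_ref, key)

    def issue_token(self, card_ref: str, merchant_id: str) -> Token:
        return Token(merchant_id, card_ref, _mac(self._token_key, "token", merchant_id, card_ref))

    def authorize_token(self, presenting_merchant: str, token: Token) -> bool:
        # Recompute the binding with the merchant actually submitting the charge, not the
        # merchant id written inside the token, so a leaked token is useless elsewhere.
        expected = _mac(self._token_key, "token", presenting_merchant, token.card_ref)
        return hmac.compare_digest(expected, token.tag)

    def authorize_tap(self, presenting_merchant: str, amount_cents: int, c: Cryptogram) -> bool:
        key = self._card_keys.get(c.card_ref)
        if key is None or c.counter <= self._last_counter[c.card_ref]:
            return False   # unknown card, or a replayed / out-of-order cryptogram
        expected = _mac(key, "tap", c.card_ref, presenting_merchant, amount_cents, c.counter)
        if not hmac.compare_digest(expected, c.tag):
            return False   # merchant or amount differs from what the cardholder approved
        self._last_counter[c.card_ref] = c.counter
        return True


def demo() -> Dict[str, bool]:
    issuer = Issuer()
    card = issuer.enroll("card-0001")
    # Card on file: merchant-a stores a token; a breach of merchant-a leaks it to a thief.
    tok = issuer.issue_token("card-0001", "merchant-a")
    results = {
        "token_at_issuing_merchant": issuer.authorize_token("merchant-a", tok),
        "leaked_token_at_other_merchant": issuer.authorize_token("merchant-b", tok),
    }
    # Tap to pay: the cardholder approves one 42.50 purchase at the grocer.
    c1 = card.tap("grocer", 4250)
    results["tap_first_use"] = issuer.authorize_tap("grocer", 4250, c1)
    results["tap_replayed"] = issuer.authorize_tap("grocer", 4250, c1)
    c2 = card.tap("grocer", 1000)
    results["tap_amount_changed"] = issuer.authorize_tap("grocer", 9999, c2)
    results["tap_other_merchant"] = issuer.authorize_tap("other-shop", 1000, c2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'approved' if ok else 'rejected'}")
```

The point of the split into two credentials is that a stored token carries no spending power outside the merchant it was issued to, while the tap cryptogram carries spending power for one amount, one merchant, one time; neither can be turned into an arbitrary charge the way a raw card number can.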
| notyourwork wrote:
| I think you misunderstood me. Peace of mind is in not
| having to worry about fraud being my responsibility to
| fight or dispute. I can call CC company or through mobile
| app, flag transaction, get my money back and never spend
| another minute on the issue.
| fsociety wrote:
| The last link the in the chain of payment processors pay for
| it.
| delfinom wrote:
| Hah, I found the focus on American banks funny because the one
| telegram photo said to use the address of Paris France.
|
| Let me tell you, on two different organizations I am part of, I
| have run in the last 2 years, both got hit by automated credit
| card checking bots using French banks and a lot of those cards
| succeeded.
|
| (Of course there's a whole story about how both these orgs have
| resisted my previous warnings about hardening the payment
| sites...one of them even was still using Magento 1)
|
| Anecdotal but meh, the real problem is credit cards are just as
| much as kludged relics as ACH that nobody wants to really fix
| meaningfully
| topato wrote:
| Was it at least one of the hardened forks of Magento 1?!
| xyst wrote:
| Americans (yes both Canadians and people from the states) are
| shielded from the chaos that happens to process a single
| transaction. They only see the paltry rewards in the form of
| 1-2 (maybe 5) cents per dollar charged, which is translated
| into "points" (1 cent == 100 points is what I have seen with
| some "premium" cards) and makes it seem worthwhile.
|
| What they don't see is: the 3-5% or more markup of goods across
| the board (doesn't matter if you pay cash or card, especially
| for big box stores), the number of charge backs and the costs
| of dealing with it, fraudulent charges, poor security (places
| still accept mag stripe in the states), innumerable numbers of
| middleman to process transactions (bank fees, issuing card
| fees, network fees, premium card fees, ...)
|
| It's fucking chaos. I hate it.
|
| With FedNow, I am hoping that will change. Eliminate all of
| these middleman that are siphoning funds from people across the
| board. Eliminate the parasites. Eliminate the waste.
| edwinwee wrote:
| (Edwin from Stripe here.) Worth noting this is copypasta from an
| older post from a month ago
| (https://piotrmierzejewski.com/p/card-networks-exploitation).
| We've fixed most of these issues since then. This type of card
| testing has dwindled--Radar should now be catching these types of
| attacks.
|
| On the chargeback point--we hate chargebacks too and we want to
| limit them as much as possible (we're actually working on a few
| things over here that we think will help with this). The banks
| levy chargeback fees (in varying amounts) and an average of them
| show in the form of a $20 fee--it's not a Stripe-specific fee and
| we don't profit from chargebacks.
|
| We've just finished company planning for the rest of the year and
| reducing this type of fraud is a top priority. So if you think
| you're seeing something similar, please email me at
| edwin@stripe.com.
| Faaak wrote:
| Isn't this solved with 3-D Secure ? Many websites (at least in
| the EU) implement it and if mandatory, it's impossible to buy
| something without 2FA (either by SMS, phone app, ...)
| swarnie wrote:
| We're talking about an industry who proudly announced instant
| bank to bank payments last week like 2003 has just arrived in
| the colonies.
|
| Don't expect speed or creativity in the US banking sector.
| dahwolf wrote:
| Enabling 3-D secure on all transactions leads to lower
| conversion rates, therefore typically a hybrid model is used
| where it's enabled/disabled per transaction, depending on
| whether it is needed based on a risk score.
| alsodumb wrote:
| That's not the case in US.
|
| It's kinda funny, but the only time Chase and Amex credit cards
| asked me for 2FA (I didn't even know they had 2FA) was when I
| used them to purchase some things on an Indian website through
| a local payment provider (Razorpay).
| lotsofpulp wrote:
| I have seen it multiple times at BestBuy.com and
| HomeDepot.com, and probably others.
| bonzini wrote:
| "banks (usually American ones) will happily accept transactions
| that have incorrect full name, invalid CVV / CVC, wrong
| expiration date, only partial billing address provided, with
| incorrect ZIP code. All of the above is still not enough to
| trigger a 3D secure authorisation"
|
| The solution indeed is to write manual rules to trigger 3D
| secure.
| radicality wrote:
| Even more funny is that in USA, the actual amount charged to
| the card is mutable. Take for example when you go to a
| restaurant and give your card, it's charged, and then you
| write out with a pen a tip amount, which at some future point
| gets added on to your charge.
| Detrytus wrote:
| But there are laws about that: you authorize tip with your
| signature, if they charge you more than you authorized,
| they can get in trouble. Don't see the issue here.
| zer0x4d wrote:
| The author is wrong about this.
|
| Banks don't choose to accept incorrect name, invalid CVC,
| invalid exp date or wrong billing address. It's up to the
| user (in this case him) to enable CVC Check and AVS in his
| payment processor to fail payments that don't pass this
| check. It's also up to him/Stripe to implement 3D secure and
| trigger it.
|
| https://stripe.com/docs/disputes/prevention/verification#cvc.
| ..
| zaroth wrote:
| From your link;
|
| "Radar includes a rule to block any payments that fail the
| CVC verification check, which you can enable or disable
| within the Dashboard ( _this doesn't affect payments where
| the CVC check couldn't be performed_ )."
|
| Also;
|
| "...Support for both types of AVS checks varies by country
| and card issuer (for example, certain countries don't use a
| postal code or some card issuers don't support street
| address verification)"
|
| So it appears there are cases where these checks can be
| enabled on your Dashboard, but skipped by Stripe or not
| actually performed by the issuer, I'm thinking like for
| prepaid cards?
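Added example of the manual rules bonzini and zer0x4d are talking about, with the gap zaroth quotes from the Stripe docs handled explicitly: a verification result of "unavailable" is treated as unknown and sent to a 3-D Secure challenge rather than allowed through, and a burst of attempts or declines from one source address (the automated card-checking pattern mentioned elsewhere in the thread) is blocked. This is illustrative code written for this page, not Stripe Radar or any processor's rule engine; the `Attempt` fields, thresholds and the log lines are constructed, and the IP addresses come from the documentation ranges.

```python
"""Step-up / block policy for card-not-present attempts (constructed example, not Radar)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Attempt:
    ts: int               # epoch seconds
    ip: str               # source address of the checkout request
    amount_cents: int
    cvc_check: str        # issuer CVC result: "pass" | "fail" | "unavailable"
    avs_postal: str       # issuer postal-code AVS result: "pass" | "fail" | "unavailable"
    issuer_outcome: str   # what the issuer returned in the log: "approved" | "declined"


class StepUpPolicy:
    """Return 'allow', 'require_3ds' or 'block' for each attempt, in log order.

    Hard verification failures block. An 'unavailable' result is not a pass, so it gets a
    3-D Secure challenge. Many attempts, or repeated negatives, from one source within the
    window is the card-testing signature and is blocked before reaching the issuer.
    """
    WINDOW_SECONDS = 300
    MAX_ATTEMPTS_PER_IP = 5
    MAX_NEGATIVES_PER_IP = 2

    def __init__(self) -> None:
        # ip -> deque of (ts, negative) where negative = blocked here or declined by issuer
        self._history: Dict[str, Deque[Tuple[int, bool]]] = defaultdict(deque)

    def _recent(self, ip: str, now: int) -> Tuple[int, int]:
        q = self._history[ip]
        while q and now - q[0][0] > self.WINDOW_SECONDS:
            q.popleft()                      # drop events outside the sliding window
        return len(q), sum(1 for _, neg in q if neg)

    def decide(self, a: Attempt) -> str:
        attempts, negatives = self._recent(a.ip, a.ts)
        if attempts >= self.MAX_ATTEMPTS_PER_IP or negatives >= self.MAX_NEGATIVES_PER_IP:
            decision = "block"               # velocity: automated testing from one source
        elif a.cvc_check == "fail" or a.avs_postal == "fail":
            decision = "block"               # issuer says the CVC or postal code is wrong
        elif a.cvc_check == "unavailable" or a.avs_postal == "unavailable":
            decision = "require_3ds"         # the check never ran; do not treat as a pass
        else:
            decision = "allow"
        negative = decision != "allow" or a.issuer_outcome == "declined"
        self._history[a.ip].append((a.ts, negative))
        return decision


# Constructed log: one bot cycling small authorizations from 203.0.113.7, three ordinary buyers.
SAMPLE_LOG: List[Attempt] = [
    Attempt(0,   "203.0.113.7",  100,  "fail",        "unavailable", "declined"),
    Attempt(10,  "198.51.100.4", 8999, "pass",        "pass",        "approved"),
    Attempt(12,  "192.0.2.50",   2500, "unavailable", "pass",        "approved"),
    Attempt(14,  "192.0.2.51",   2500, "pass",        "fail",        "approved"),
    Attempt(15,  "203.0.113.7",  100,  "fail",        "unavailable", "declined"),
    Attempt(30,  "203.0.113.7",  100,  "pass",        "pass",        "approved"),
    Attempt(45,  "203.0.113.7",  100,  "pass",        "pass",        "approved"),
    Attempt(400, "203.0.113.7",  100,  "pass",        "pass",        "approved"),
]


def run(log: List[Attempt]) -> List[Tuple[int, str, str]]:
    policy = StepUpPolicy()
    return [(a.ts, a.ip, policy.decide(a)) for a in sorted(log, key=lambda x: x.ts)]


if __name__ == "__main__":
    for ts, ip, decision in run(SAMPLE_LOG):
        print(f"t={ts:>4} {ip:<14} {decision}")
```

Two things the run shows that a checkbox in a dashboard does not: the bot's third and fourth attempts are blocked on velocity even though the card they finally found passes CVC and AVS, and the attempt at t=400 is allowed again because the window has expired, which is the argument for a longer window or a device fingerprint in addition to the address.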
| selimthegrim wrote:
| I've seen verified by visa triggered a few times for online
| purchases
| __MatrixMan__ wrote:
| ... Which is hell if you're in a country where your sim
| card doesn't work and your bank requires sms 2fa.
| orangepurple wrote:
| My US bank requires SMS 2FA and SMS works for free
| because I am connected to Wifi. I have VoWiFi enabled. My
| US phone plan is with a budget carrier I only pay $15 a
| month for voice, sms, and data.
| alexvoda wrote:
| Then it's a good thing that many banks in the EU now have
| 3DSecure validation through the phone app instead of SMS
| Detrytus wrote:
| What if you lose your phone? In my country banks only
| allow you to use one phone for mobile authorization, so
| you can't even have a backup phone. I really wish
| 3DSecure was optional so I can turn it off when going on
| a foreign vacation.
| pas wrote:
| On a vacation I have my card (and can use PIN auth), the
| issue is usually online transactions ("card not present",
| ie. vPOS transactions).
| appplication wrote:
| What was most surprising about this is not the fact that there is
| a group of people exploiting Stripe's payments, but that the
| author had ChatGPT write a script to automatically handle
| payments processing, specifically for chargebacks. And based on
| the context in the article, the author sounds like they lacked
| the technical skill to write or validate these scripts
| themselves.
|
| This author is jumping out of the frying pan and into the fire.
| ChatGPT is cool and all, but the fact that they're trusting it to
| write critical code for handling their customers money speaks
| volumes. They're incredulous at how they feel Stripe violated
| their trust in it to manage fraud, but then go ahead and blindly
| place it in another technology they don't understand. The problem
| isn't Stripe (though, yes, they should fix this), it's the fact
| that they are just giving away trust and hoping for the best.
| systems_glitch wrote:
| Same initial reaction when I read that part :/ Let's see what
| the next level of voodoo programming looks like...
| flutas wrote:
| > the author had ChatGPT write a script to automatically handle
| payments processing, specifically for chargebacks
|
| Feels like a mischaracterization tbh.
|
| He had it make a script to go through and accept the
| chargebacks for these accounts, not handle payment processing
| or do anything to the chargebacks other than click "accept"
| essentially.
|
| > And based on the context in the article, the author sounds
| like they lacked the technical skill to write or validate these
| scripts themselves.
|
| I also don't really get where you're getting that from.
|
| The author even said
|
| > I reviewed all of the scripts carefully, and also never
| shared any customer data, IDs, or API keys. I think I saved at
| least a couple hours compared to hand-rolling these tools
| manually!
| appplication wrote:
| ChatGPT is not capable of writing production quality code.
| Many (most) companies have internal policies against
| deploying any code written by an LLM. The point isn't to slow
| devs down, but to mitigate risk. This is _especially_
| important in the customer /payments stack. This is not the
| right place to "save a couple hours". Maybe if this was for
| some one-off offline analysis, sure.
|
| The fact that it works is insufficient proof that it was the
| right thing to do. Building a habit of relying on LLM
| generated code is an inherently risky practice, and ChatGPT
| will literally warn you against trusting its outputs. Sure,
| it lets you growth hack your way through short term problems,
| but in the long term I'm not convinced this is responsible
| decision making at the current levels of LLM technology.
|
| Or maybe I'm just a Luddite, stuck in my old ways.
| pengaru wrote:
| It's terrible, but not far removed from what's been already
| happening with "developers" copying and pasting
| StackOverflow comments into a text editor and making
| uninformed compiler-error-guided-edits until it runs then
| done!
|
| The root of the problem here is people making production
| stuff who don't know wtf they're doing. If they turn to SO
| posts, LLMs, or "developers" on fiverr/upwork doing the
| same thing, is there really much of a difference? LLMs seem
| to mostly be tightening the loop of horror that's already
| been happening.
|
| Same downward trajectory, increased velocity.
| libraryatnight wrote:
| Just seems like programming will be joining the ranks of
| most tools. There will always be craftsmen, there will
| always be professionals, and then there will be the guy
| bolting together ice chests and garbage disposals to make
| margarita mixers on his patio or the kid with a duct tape
| exhaust rig on his Honda Civic.
|
| I guess, to your point, it's only trouble if the
| margarita mixer guy is put in charge of something that
| matters? :D
|
| (might be a bad example, I've known some fine engineers
| and mechanics that are absolutely margarita mixer guy,
| but hopefully my point is taken lol)
| pixl97 wrote:
| >Just seems like programming will be joining
|
| I'd love to know about the nirvana you've been in up till
| now, because working around code from numerous large
| companies the vast majority of it is the crappest ass
| crap straight from the crapper with no redeeming
| qualities, and it has been this way forever. I'm not
| saying there aren't good parts, there are general core
| routines that sheer need for them to be performant and
| non-data corrupting forced some Sr engineer to fix them.
| kredd wrote:
| Frankly speaking, probably the latter. I've been using
| Copilot for over a year now, and obviously it makes stupid
| mistakes, but it sped up my general coding speed. Now, I
| don't have much experience (maybe around 10ish years of
| programming professionally) in comparison to greybeards,
| but it works. Haven't used ChatGPT much, but as long as the
| user understands its shortcomings and reviews/refines its
| outputs, it's fine.
|
| People who write code also make mistakes, yet we don't
| consider it "inherently risky practice". We just review
| others' code, tweak it, make it more appropriate for prod
| and voila. Same thing applies here.
| dylan604 wrote:
| >but as long as the user understands its shortcomings and
| reviews/refines its outputs, it's fine.
|
| nice caveat doing a heckuvallot of heavy lifting. i
| understand that we're talking about coders and sort have
| this inferred impression that coders will have this
| understanding, but...that's an awfully broad brush you've
| used to paint over the simple fact that most people using
| LLMs (in general) are not understanding this.
| MetaWhirledPeas wrote:
| > the simple fact that most people using LLMs (in
| general) are not understanding this
|
| How do you know most people using LLMs are not
| understanding this?
| dylan604 wrote:
| Because ChatGPT has been opened to the public
| inopinatus wrote:
| PHP also lowered the bar to programming, and we got over
| the consequences of that. Eventually.
| inopinatus wrote:
| forty years behind the keyboard or elbow-deep in a rack,
| beard not actually grey yet, but still, yes; those who do
| not adapt will be left behind.
| mrdatawolf wrote:
| My current suggestion is to consider it the work of a just
| on-boarded intern. It will save you some time but you still
| need to walk thru the code to make sure it will work as
| intended.
| TechBro8615 wrote:
| First, it's worth noting the code in the blog post is not
| "production code," but rather one-off or periodically
| used scripts for accelerating manual business processes,
| with results that are easy to manually check.
|
| But in regards to production code, I agree. When code is
| committed to a codebase, a human should review it.
| Assuming you trust your review process, it shouldn't
| matter whether the code submitted for review was written
| by a human or a language model. If it does make a
| difference, then your review process is already broken.
| It should catch bad code regardless of whether it was
| created by human or machine.
|
| It's still worth knowing the source of commits, but only
| for context in understanding how it was generated. You
| know humans are likely to make certain classes of error,
| and you can learn to watch out for the blind spots of
| your teammates, just like you can learn the
| idiosyncrasies and weak points of GPT generated code.
|
| Personally, I don't think we're quite at "ask GPT to
| commit directly to the repo," but we're getting close.
| The constant refrain of "try GPT-4" has become a trope,
| but the difference is immediately noticeable. Whereas
| GPT-3.5 will make a mistake or two in every 50 line file,
| GPT-4 is capable of producing fully correct code that you
| can immediately run successfully. At the moment it works
| best for isolated prompts like "create a component to do
| X," or "write a script to do Y," but if you can provide
| it with the interface to call an external function, then
| suddenly that isolated code is just another part of an
| existing system.
|
| As tooling improves for working collaboratively with
| large language models and providing them with realtime
| contextual feedback of code correctness (especially for
| statically analyzable or type-checked languages), they
| will become increasingly indispensable to the workflow of
| productive developers. If you haven't used co-pilot yet,
| I encourage you to try it for at least a month. You'll
| develop an intuition for what it's capable of and will
| eventually wonder how you ever coded without it. Also
| make sure to try prompting GPT-4 to create functions,
| components or scripts. The results are truly surprising
| and exciting.
| bbarnett wrote:
| My experience has been it's faster to write code
| yourself, than via a just on boarded intern + review +
| fixes.
| climb_stealth wrote:
| Yes, but part of that time is an investment into the
| intern's professional development. Everyone started there
| at some point.
|
| It can be hard to remember though when there are
| unrealistic deadlines and helping someone inexperienced
| to do the work is twice the effort.
| [deleted]
| i_am_jl wrote:
| The time savings isn't down to quality, the difference is
| that an LLM does in seconds what an intern does in hours
| or days.
| AussieWog93 wrote:
| I've used ChatGPT (GPT-4) to write production code.
|
| As long as you keep the scope small ("Write some example
| code that calls $API in Python", "Make it asynchronous; so
| I can queue up n calls and execute them in parallel"), it
| generates perfectly good code that is easy to understand
| too.
| Pxtl wrote:
| Realistically chatgpt isn't writing the financial code.
| Stripe did that already. Chatgpt is just reading snippets
| of Stripe's API examples for you and applying the code for
| a common use-case.
| inopinatus wrote:
| The latter, I'd have to suggest. GPT-4 generates code that
| is slightly better than the average junior programmer,
| which is to say, it is often confidently incorrect and
| needs review before committing, but either option remains a
| net productivity gain than no assistant at all.
|
| "Your job will not be taken by an AI. Your job will be
| taken by someone assisted by an AI."
|
| The process touched on in the article, with thorough review
| before commit by a human with in-depth experience of the
| language and APIs and the domain in question, is exactly
| how AI-generated code should be incorporated into a
| workflow. The earlier slander against the author's
| technical ability seems misguided and unsupportable.
| linuxftw wrote:
| I use ChatGPT to write code for work constantly. The
| quality is quite high, it saves me lots of time, on the
| order of hours typically.
|
| If a company prevents me from using ChatGPT, I will use it
| clandestinely unless they offer an equivalent. There's no
| going back.
| fxleach wrote:
| This is outright false. I have used ChatGPT many times
| over the last couple months and I have caught it give me
| un-working code, unfinished code, and terribly buggy
| code. When you point this out it will say Oh sorry about
| that here is an updated version, and I've caught it give
| another bug, and another after that. If you are telling
| me the quality of code that ChatGPT gives you is high
| then it pains me to say but you must not provide high
| quality code yourself.
| brookst wrote:
| Have you ever hired a junior dev? How is their quality?
| Does that mean we should never use junior devs?
|
| The problem with chatGPT usage is not imperfect code. The
| problem, when there is one, is not treating its code the
| way one would treat a human's.
| rimunroe wrote:
| > Does that mean we should never use junior devs?
|
| No, because junior devs usually improve over time.
|
| I've tried Copilot and a few other AI codegen tools.
| Aside from producing overall low quality/nonworking code,
| the only times they seem to get better long-term are when
| a new update to the model comes out.
| linuxftw wrote:
| copilot is straight trash compared to ChatGPT 4. It's not
| even a contest.
| rimunroe wrote:
| I should have been clear but ChatGPT was one of the
| "other AI codegen tools" I mentioned, especially as it's
| the one I used most recently. I tried it for a month or
| so but then canceled my subscription. I got some use out
| of it for answering questions for friends who were
| learning CS for the first time in languages I didn't
| know, but I didn't get much else from it which felt like
| it was high enough quality that it really saved me time
| or effort.
|
| Edit:
|
| And to contrast with junior developers: I find pairing
| with them something that makes me not only help me figure
| out the requirements of the things we're working on--
| which admittedly ChatGPT does do, but I think that's
| mostly by virtue of rubber ducking--but it helps me
| figure out approaches I wouldn't have thought of before,
| or encourages me to write more maintainable code by
| seeing when another person's eyes start glazing over.
| conductr wrote:
| When you used google previous to chatgpt, did you force
| yourself to only allow yourself to use the "I'm feeling
| lucky" way of search along with having to use the result
| as your unadjusted production code. Did you never modify
| the code you came across?
|
| Of course not, that's ridiculous. You probably searched,
| read a few stackoverflow comments, found a relevant
| GitHub repo, a library for python/language of choice, and
| probably also a SAAS offering solely focused on the 3
| lines of code you need. You quickly parsed all that and
| decided to modify some code in one of the SO comments for
| your needs. Next time, you looked past half the junk
| and went straight to the first SO result and were able to
| tweak and use the result. The next time, it didn't help
| but did help you write some inspired custom code for the
| problem, at least you knew what not to try.
|
| My point being ai is useful. It's not meant to be first
| result is final answer type solution, if that's how you
| use it you will have issues.
| rokizero wrote:
| How can you say that something is outright false if there
| is no fact/claim you can disprove? You're responding to
| someone you don't know and have no idea what they are
| working on.
|
| I'm (not OP!) a cloud engineer but also work on a lot of
| FE (React) code for internal tools. ChatGPT has saved me
| countless hours (literally tens a month) writing super
| simple code that I am able to easily write up myself but
| typing it out just takes time. After a month of using it I
| find myself still quite excited whenever cGPT saves me
| another hour. We also use Retool, but I find myself
| writing code 'myself' more often since cGPT launched.
|
| No, I wouldn't just copy paste production code handling
| PII, but prototyping or developing simple tools is sooooo
| much faster, for me.
| linuxftw wrote:
| Sure, it doesn't nail it 100% on the first prompt 100% of
| the time. Sometimes it takes a few prompts. It's no big
| deal. If you can't get it to write effective code, either
| you're working in a very niche area, or you haven't
| figured out how to use it properly.
| runnerup wrote:
| Another reason someone can't get it to write effective
| code is if they don't know how to code or aren't a very
| good programmer.
|
| I use it a ton. Most of the time it's very helpful,
| sometimes I can't get it to write effective code. If the
| code it outputs doesn't meet my standards, I just don't
| use it. But I know what I'm looking for, and when ChatGPT
| generates it, it not only saves me a shitload of time,
| but more importantly it saves me a ton of mental energy
| that I can spend elsewhere. The biggest thing for me is
| that using ChatGPT helps my brain do fewer "context
| switches" between focus on high level business logic and
| low level implementation logic. By staying "high level"
| I'm able to accomplish more each day because I don't get
| lost in the sauce as often.
|
| I often have to "upgrade" the code myself with tests,
| better comments, modify the data structures a bit.
| Sometimes I tell ChatGPT to do this, sometimes I do it
| myself. But it's been very helpful overall.
|
| The big takeaway is that your output will only be as good
| as your own programming skill, regardless if you use
| ChatGPT or write it yourself.
| linuxftw wrote:
| I concur. It's just like any other tool, it's only as
| good as the person using it. I just can't understand the
| resistance of people in this field. I was a naysayer on a
| number of things like Docker when it first came out
| because it didn't solve any of my problems at the time.
| Then, k8s came out and Docker was a pivotal part of that
| solution, and k8s solves many problems.
|
| ChatGPT writing code so you don't have to, I just can't
| conceptualize how that's not an instant win for just
| about everyone.
| Vicinity9635 wrote:
| Is it 'outright false'? The code it creates can only be
| as good as the prompt. It's just GIGO all over again...
|
| I got it to write _exactly_ the test I wanted for a
| snippet of code on the third prompt attempt by specifying
| exactly the two specific technologies I wanted it to use
| and one keyword that describes an idiom that I needed. It
| would have been _slightly_ faster than doing it myself.
|
| Technically it was test code, not production code, but
| had it been my code rather than just some code I was
| looking at I would have committed the test code it wrote
| to the repo with zero reservations.
| TechBro8615 wrote:
| This guy is operating a profitable business, creating value for
| customers, shipping features, and openly publishing details and
| learnings about the threats he mitigated. He used ChatGPT to
| generate scripts to help him throughout this process. I don't
| know if he's non-technical or if he just wanted to save some
| time, but frankly he should be commended for his hustle and
| get-shit-done attitude. These scripts were not determining life
| or death, or even making business critical decisions - they
| were filtering bulk data and making his life easier by
| producing results that are easily manually checkable, but save
| tons of time either coding the scripts or hiring a programmer
| to write them.
|
| To me it reads like a great example of where ChatGPT is most
| useful: as a force multiplier for time-constrained
| entrepreneurs who have a specific goal and need specialized
| knowledge for short periods of time (e.g. to write a script).
| It's now basically free and instant to produce what would
| previously require a multi-week process of sourcing, hiring and
| communicating with contractors to write a script that leads to
| the same end result.
|
| The kneejerk reaction to call this "surprising" or
| irresponsible, while understandable, gives major "get off my
| lawn" energy. This is the future and as coders we should
| support the increased self-sufficiency of non-technical people.
| If you want to adapt to the change then maybe think about how
| to improve the process for entrepreneurs of asking ChatGPT to
| write a script.
| hn_throwaway_99 wrote:
| I don't know why I see this type of invalid speculation so
| often. The author already responded that they reviewed the
| script and didn't post any sensitive data, so won't add more to
| that.
|
| I'd just state that tons of us use ChatGPT effectively and
| never blindly trust the outputs - for me ChatGPT is a starting
| point, not the final product. We're not all so daft as that
| lawyer who cut and pasted hallucinated case references into a
| legal brief without verifying them first.
| pimpl wrote:
| 100% agreed, this is how I always treat it and working on the
| problem from the article was not an exception from this rule.
| I share minimum input, and never trust the output blindly.
|
| It gets 50-60% of work done, and a really good basis for me
| to work on it. Especially when working with one-off, end-to-
| end relatively short scripts.
| hn_throwaway_99 wrote:
| This has been my primary use case as well (usually for
| writing some scripts or where I need to solve an
| operational task quickly), and ChatGPT has saved me a ton
| of time with those tasks.
| chankstein38 wrote:
| They really wanted us to know they used ChatGPT too. It felt
| unnecessary how often they mentioned "I got ChatGPT to write a
| script that did this" like.. ok?
| headsupftw wrote:
| What are you even talking about? Read the blog post one more
| time, please.
| wpietri wrote:
| I'm a huge LLM skeptic, but I'd disagree with you here.
|
| I think using ChatGPT to write long-lived code for a serious
| application is a bad idea. But I think it's fine for somebody
| knowledgeable to use it for throwaway and first-draft stuff in
| areas that aren't their daily work.
|
| Here's the author in question: [edit: wrong Piotr Mierzejewski
| in tech, see below]
|
| He looks perfectly competent to me to evaluate the effects of
| some one-shot scripting code, so I think "giving away trust and
| hoping for the best" is a wild exaggeration of what actually
| went on.
| pimpl wrote:
| Appreciate the comment! Just a quick note that this is my LI
| profile: https://www.linkedin.com/in/pmierzejewski/
| wpietri wrote:
| Oops! Thanks for the correction. And even more able to
| evaluate the code.
| itscodingtime wrote:
| I find it odd Chatgpt was mentioned at all. It was almost like
| an advertisement.
|
| I have read post linked here similar to this one, but I can't
| recall another instance in which the author abruptly said they
| relied on stackoverflow to code something unless the content
| was a meta commentary on coding and debugging itself.
| pimpl wrote:
| Author here. My intention was to show that you can use it to
| help you get going quickly for very practical, one-off, and
| self-contained use cases. As I mentioned in other comments
| already, I did not trust it blindly and did not share any
| sensitive data with it. Definitely not an ad!
| TechBro8615 wrote:
| I can empathize with the author. The first time you write
| some code collaboratively with GPT and it actually works, you
| feel a burning need to shout about it. Because it's one of
| those moments where something "clicks" and you suddenly feel
| like you've discovered fire. Once you figure out how to work
| with them, it makes you excited for the future and you can
| clearly see where LLMs will fit permanently into your
| toolbelt. They're far from perfect now, and sometimes the
| time savings are a wash - you get instant specialized
| expertise that can produce code like a senior engineer, but
| you need to goad and coax it like it's a high maintenance
| intern. But the thinking power expended is still somehow
| lower - it's a new way of working with technology and
| deferring some of the grueling parts to the machine. This
| becomes especially obvious when the code requirements depend
| on an esoteric API or conventions that you'd normally need to
| spend time researching and manually enumerating.
| pimpl wrote:
| Article author here. I carefully reviewed and tested the
| ChatGPT scripts before executing them. It helped me save a lot
| of time manually writing these scripts!
|
| I wouldn't say I lack technical expertise in this area, I'm
| just trying to use my time as efficiently as possible.
| appplication wrote:
| Glad to see you active here in the comments. Apologies if my
| comment comes off harshly, my intent is not to tear you down.
| I think there is a lot of gray space when it comes to using
| LLMs for generating code. Your usage here is certainly
| interesting, and I appreciate the additional context and
| discussion you've been providing.
| pimpl wrote:
| No worries at all! I agree that there's probably lots of
| people blindly copying and running code from LLMs without
| any reflection. Just like it often happened with
| StackOverflow snippets before ChatGPT (to the point it
| became a meme). I'm definitely not one of them.
| BaseballPhysics wrote:
| Genuinely curious: How much time would you say you saved
| prompting for and then carefully reviewing and testing those
| scripts for bugs, versus writing them yourself?
|
| And for context what's the average line count we're talking
| about here? Tens of lines? Hundreds?
| pimpl wrote:
| I'd estimate that it saved me a couple of hours tops.
| They were simple, self-contained scripts with at most 150
| LOC.
| BaseballPhysics wrote:
| Interesting! Thanks for the insight!
| kykeonaut wrote:
| > I created a restricted key in Stripe with lowest possible
| permissions, and prompted ChatGPT to create a script to accept
| the chargebacks.
|
| From my understanding, it also seems that the author submitted
| a Stripe API key alongside the prompt to create the scripts.
| This is pretty much a big security no no regardless of the
| permissions of the key.
| pimpl wrote:
| Author here. GPT only got minimal context it needed to run
| the prompt. No customer data, no IDs, definitely no API keys
| were passed as a prompt.
| kykeonaut wrote:
| Ahhh ok, that sounds much more logical. I got the wrong
| impression :)
| freed0mdox wrote:
| Usually these transactions are automated with the checkers. Some
| are as simple as a PHP script replaying a request, some are more
| sophisticated ones that use residential proxies, some are parts
| of huge enterprises like try2check. If you have a list of IPs,
| you can scan them for 80/443 open and sometimes catch simple
| checkers in action.
| 90K_MRR_Hacker wrote:
| I've been using a platform called Chargeblast.io and it's been
| doing wonders; literally saved my business from closing down. I
| haven't found another platform like it - best price, best value
| myself248 wrote:
| Why does the US still accept hand-typed cards?
|
| My friend had a USB smartcard reader in like 2001. He'd dip his
| AmEx to perform a transaction on his PC. It's twenty years later
| and the industry still hasn't caught up?
|
| What's different about Europe that they seem to have figured this
| out decades ago?
| chpatrick wrote:
| I've lived in Europe my whole life and I've never made an
| online payment with a card reader (even though my ThinkPad has
| one), nor do I know anyone who has.
| TacticalCoder wrote:
| But you do use 2FA when paying with your credit card online.
| What kind of 2FA does the bank providing your credit card
| mandate you to use?
| aliceryhl wrote:
| In Denmark, there's a national system for authentication
| used for government sites and banks. I have a small device
| with a single button on it that shows a 6-digit code when
| you press it. I enter that code along with a password any
| time I make a purchase online.
|
| (There's also an app that most people use. But I like the
| hardware thingy better.)
| LelouBil wrote:
| For me (in France) it's the bank app's 2FA or sms 2FA if
| not available.
| chpatrick wrote:
| My bank's app.
| platelminto wrote:
| As someone who's lived in multiple European countries since I
| was born, I also don't understand this comment. I don't know
| anyone who uses these smartcard readers at home. I don't think
| it's common at all.
| TacticalCoder wrote:
| > As someone who's lived in multiple European countries since
| I was born, I also don't understand this comment. I don't
| know anyone who uses these smartcard readers at home. I don't
| think it's common at all.
|
| Which EU countries? Bank card readers are super common in .nl
| (ING for sure) and .be (just about every single bank there)
| for example.
|
| Nowadays banks often allow you to use either that or, say, an
| app on your phone or a dedicated physical token. For example
| you can confirm transactions you make on your computer by
| unlocking an app and confirming with your fingerprint from
| your smartphone. But that's semi-recent. Before that kind of
| 2FA became a thing, it was all done with card readers.
|
| Some countries still live in the past like, I shit you not,
| Societe Generale in France still has a "2FA" where it shows
| digits randomly on the screen and you have to click your PIN
| (some people still have an account like that): that is
| however quite pathetic and not the norm.
|
| If I want to buy anything online using any one of my credit
| cards, I must put it in a physical reader and reply correctly
| to a challenge/response.
|
| These readers are different from the electronic ID card
| readers, which are also used in many EU countries (for
| example to file my taxes online).
| deevolution wrote:
| Probably helps maintain dollar hedgemony by allowing a wider
| swath of the global population (criminals, poor people) to use
| the system unencumbered.
| gjvc wrote:
| "hegemony" n. leadership or dominance, especially by one
| state or social group over others.
|
| "Hedgemony" is a war game focused on connecting policy and
| strategy. https://www.usmcu.edu/Outreach/Marine-Corps-
| University-Press...
| mnd999 wrote:
| We do get `Verified by Visa` or Amex SafeKey on most
| transactions though.
| somewhereoutth wrote:
| Europe is better organized, simply. People are tightly crammed
| together compared to the US, and historically were fighting
| each other for 'living space' instead of progressively
| occupying almost a whole continent. Things just have to work
| better - and by and large they do.
| xyst wrote:
| In the United States, there is minimal incentive to do so. It
| took many years to transition away from magnetic stripe cards
| to pin+chip. IIRC, the regulators kept pushing back the date
| for banks to re-issue pin+chip cards and for merchants to begin
| accepting them. I think it was only when the processors began
| to threaten merchants with 100% liability for fraudulent
| transactions processed with mag stripe that it started to
| hit critical mass (2015-2016?).
| criddell wrote:
| If the cost of preventing fraud exceeds potential losses from
| fraud, maybe it makes more sense to let the fraud go through.
| mattnewton wrote:
| If you don't you significantly increase the friction in using
| your service and will lose business to those who do accept the
| hand typed card where the user doesn't have to adopt new
| hardware or software.
|
| Everyone would need to mandate the security feature while
| having a short-term incentive not to.
| Veserv wrote:
| Because the banks and vendors are liable for unauthorized
| charges in the US [1], not the user. The banks/vendors handle
| the fraud in aggregate on the backend. They could roll out
| fraud prevention at the end-user level, but they choose not to;
| which means it is probably not worth it for the issuer relative
| to the extra user convenience (and extra charges).
|
| In contrast, in many places in Europe the user is responsible
| for unauthorized charges. Regular people care a great deal
| about not being wrongfully charged as that is almost always
| proportionally worse, so they demand robust end-user protection
| so they will not be wrongfully charged.
|
| This is kind of a case of, "everybody would drive safer if
| instead of an airbag you had a bunch of knives that shoot out
| and kill you if you get in a crash".
|
| [1]
| https://www.law.cornell.edu/wex/fair_credit_billing_act_(fcb...
| lotsofpulp wrote:
| Not even banks, only vendors are responsible if they do not
| upgrade their POS systems since sometime in the late 2010s I
| think.
|
| See EMV fraud liability shift.
|
| https://www.mastercard.us/content/dam/mccom/en-
| us/documents/...
| Detrytus wrote:
| Fuck smartcard readers. Also: fuck 3D Secure. The nice thing
| about old, "insecure" card payments was: I just needed to
| memorize my credit card number, expiry date and CVV and I could
| pay online for everything. No need to always carry a phone for
| SMS/app authentication.
| mschuster91 wrote:
| > What's different about Europe that they seem to have figured
| this out decades ago?
|
| Our governments actually care about monopolies and security.
| The PSD2 directive was an utter pain to deal with, but at least
| it stopped a lot of common scams and thefts in its tracks, and
| it forced banks and other payment actors to open up their
| system.
| TacticalCoder wrote:
| > The PSD2 directive was an utter pain to deal with, but at
| least it stopped a lot of common scams and thefts in its
| tracks
|
| Indeed. More specifically SCA (Strong Customer Authentication)
| which is required by PSD2. VISA says the "SYH" (Something You
| Have) is either _"a mobile phone, a card reader or other
| device evidenced by a one-time passcode"_.
|
| Note however that nowadays I cannot log in to any of my banks
| in the EU without seeing a big banner saying something like
| (paraphrasing): _"WARNING: scammers are trying to steal your
| funds. Neither the bank nor the police nor anyone else shall
| ask you for your PIN or to confirm anything on your card
| reader."_
|
| Basically: life is harder for scammers so they try to trick
| (mostly old) people into validating transactions over the
| phone.
| paxys wrote:
| Not sure I understand. Does everyone outside the US have a card
| reader attached to their PC and phone?
| gpvos wrote:
| No. Until I read the comment above, I had no idea that that
| even was something people actually use to make payments from
| home.
| jon-wood wrote:
| They're less common in the UK now mobile apps have taken
| over, but in the early 2000s banks would issue a standalone
| device to every customer. When making payments via online
| banking you'd put your card in the device, hit a button, and
| give it a code that the online banking page provided. The
| device then did some magic via the chip on your card to
| provide a code that you'd give back to the online banking
| site to validate that you were in possession of your card.
|
| Some banks may have used this for 3D Secure during online
| card payments as well, but I've never encountered one.
| Validation for that in my case evolved from setting a
| password on my account, which they'd ask for some characters
| from, to tokens sent via SMS to my registered phone number,
| to a push notification from my bank followed by FaceID to
| authorise payment.
|
| In person Chip & PIN, and more recently contactless, is
| ubiquitous. Magstripe payments are so rare I have to
| explicitly enable them in my bank's app for the card, and
| it'll turn itself off again 7 days later. I never encountered
| chip & signature until going to the US, where everyone in the
| group I was with looked at it like some sort of joke (and
| indeed it is, because there's no signature recorded against
| my card for validation).
| drdaeman wrote:
| I have never ever seen an online payment processor that was
| capable of using a card reader to perform a transaction from
| a webpage (on a non-specialized device). I don't think there
| is even any established standard for using a smartcard from a
| website. WebUSB/WebNFC may work (although browsers have
| blacklists of vendor IDs to disallow access to e.g. Yubikeys,
| so at least some smartcards may not be accessible this way),
| but that's all experimental and questionable stuff.
|
| It might've been possible someone had something like that in
| ol' good '00s with ActiveX, but that must've been surely an
| exception (and a security nightmare).
| dahwolf wrote:
| A card reader is a stand-alone device and has nothing to do
| with any web tech.
|
| You put your ATM card in the device, enter your PIN code,
| and then the device has a tiny camera that scans the QR
| code on the web page. Next, you can see the transaction
| details on the device and confirm. It will then output a
| signing code which you enter on the web page.
|
| It is what was commonly used in some EU countries before we
| switched to mobile banking apps. Most banks still supply
| them for when you do very large online transactions.
| fireflash38 wrote:
| Most people have an NFC reader at least built into their
| phone.
| TacticalCoder wrote:
| Not everyone and it's not necessarily connected to the PC.
| Some card readers are, some aren't.
|
| And there are two things that are not to be confused:
| electronic ID card readers (used for stuff like VAT tax
| filings, income tax filings, etc.) and debit/credit card
| readers (which may or may not be connected to the PC) used as
| 2FA (with a challenge/response). The ones that aren't
| connected to the PC generate a number which you then enter to
| confirm your login/order.
|
| Many banks in the EU enforce at least one type of 2FA. The
| shittiest, most pathetic ones, still do it by SMS (but it's
| still 2FA and still better than nothing). Others use a card
| reader (in which you literally plug your bank card, which
| signs orders challenge/response style and never leaks the
| card's secret). Others give a physical RSA-like token with
| codes changing every _x_ seconds. Others allow the use of an
| app on a smartphone to confirm transactions.
|
| When I log in to at least one of my banks I get a _list_
| asking me which type of 2FA I'll use to log in and confirm
| payments. Card readers (two different types) are on the list.
|
| I use that to log in, confirm wire transfer and buy stocks
| too.
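The challenge/response flow that jon-wood and TacticalCoder describe above (card in a stand-alone reader, PIN entered on the device, a short code typed back into the web page) is worth seeing end to end. The block below is an added example, not the EMV CAP/DPA protocol the banks actually run (there, the chip computes an application cryptogram under an issuer key inside a secure element). It is a simplified HMAC-SHA256 stand-in written for this page so the security properties under discussion are visible: the card key never leaves the reader, the bank only ever sees a short one-time code, a captured code cannot be replayed, and a code signed for one amount and payee does not validate a different transfer. Which is exactly why, as the PSD2 sub-thread notes, scammers now have to talk victims into confirming the mule transfer on the reader themselves. Master key, card tokens, IBANs and amounts are all constructed; class and function names are my own.

```python
"""Simplified bank-card-reader challenge/response (added example; not EMV CAP/DPA).

The real protocol has the chip compute an application cryptogram under a
per-card key derived by the issuer. Here HMAC-SHA256 stands in for the
chip so the flow can run in plain Python. Every key, token, amount and
IBAN below is constructed for the demo."""
import hashlib
import hmac
import os
import secrets


def derive_card_key(issuer_master_key: bytes, pan_token: str) -> bytes:
    """Issuer side: per-card key derived from a master key (an HSM in
    practice). The same key is provisioned onto the chip at issuance so
    the bank can recompute whatever the card computes."""
    return hmac.new(issuer_master_key, pan_token.encode(), hashlib.sha256).digest()


def response_code(card_key: bytes, challenge: str, amount_cents: int, payee_iban: str) -> str:
    """MAC over the challenge AND the transaction details, truncated to
    an 8-digit code a human can type. Binding amount and payee into the
    MAC is what stops a code from being redirected to another transfer."""
    msg = f"{challenge}|{amount_cents}|{payee_iban}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class CardReader:
    """Stand-alone device: the card key stays inside it, the PIN gates
    signing, and the reader shows amount/payee before signing."""

    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin = pin

    def sign(self, pin: str, challenge: str, amount_cents: int, payee_iban: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN: card refuses to sign")
        return response_code(self._key, challenge, amount_cents, payee_iban)


class Bank:
    def __init__(self):
        self.master_key = os.urandom(32)       # constructed; HSM-resident in practice
        self.pending: dict[str, tuple[str, int, str]] = {}  # challenge -> tx

    def issue_card(self, pan_token: str) -> bytes:
        return derive_card_key(self.master_key, pan_token)

    def start_transfer(self, pan_token: str, amount_cents: int, payee_iban: str) -> str:
        """Web page step: a fresh random challenge is displayed to the user."""
        challenge = secrets.token_hex(4)
        self.pending[challenge] = (pan_token, amount_cents, payee_iban)
        return challenge

    def confirm(self, challenge: str, code: str) -> bool:
        """Single-use: the challenge is consumed whether or not the code matches."""
        tx = self.pending.pop(challenge, None)
        if tx is None:
            return False
        pan_token, amount_cents, payee_iban = tx
        expected = response_code(self.issue_card(pan_token), challenge, amount_cents, payee_iban)
        return hmac.compare_digest(expected, code)


def demo() -> tuple[bool, bool, bool]:
    bank = Bank()
    reader = CardReader(bank.issue_card("card_0001"), pin="1234")

    # 1. Legitimate transfer: user reads the challenge off the page,
    #    checks amount/payee on the reader, types the code back.
    ch = bank.start_transfer("card_0001", 12_500, "NL00BANK0123456789")
    code = reader.sign("1234", ch, 12_500, "NL00BANK0123456789")
    ok_legit = bank.confirm(ch, code)

    # 2. Replay: a phisher who captured the code cannot submit it again.
    ok_replay = bank.confirm(ch, code)

    # 3. Substitution: the same code does not validate a transfer to a mule.
    ch2 = bank.start_transfer("card_0001", 999_900, "DE00MULE0000000001")
    ok_substituted = bank.confirm(ch2, code)
    return ok_legit, ok_replay, ok_substituted


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The design point is in `response_code`: the MAC covers the transaction, not just the nonce, so the reader's display of amount and payee is the user's only real defence and the attacker's only remaining target.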
| __MatrixMan__ wrote:
| The rest of the world has to put up with the US banking system
| because when all you have is an overfunded military, everything
| looks like a target.
|
| That logic doesn't quite translate internally, so it's
| important to maintain the perception that the banking system is
| all that stands between the little people and a hungry mob of
| scammers. If the scam problem were demonstrably easy to solve
| at the POS, it would be harder to justify the merchant fees and
| other bank-related overreach.
| snarf21 wrote:
| It is just lobbying preventing good policy. If we moved to chip
| + pin, we'd get rid of almost 100% of CC fraud. But retailers
| don't want the friction so instead the consumer pays for the
| fraud instead.
| pxx wrote:
| Why do you think this requires a government mandate? What
| evidence do you have of counter-lobbying as opposed to simple
| consumer and retailer preference?
| alberth wrote:
| Off topic: Why don't more non-European merchants use 3DS?
|
| Entire classes of liability and fraud are shifted to the issuer
| and no longer on the merchant.
| jon_adler wrote:
| I imagine that the fraud rate in Europe is lower since the
| introduction of PSD2. This legislation required a combination of
| 2-factor authentication (3DS2) and transaction analysis to
| achieve low overall fraud rates.
| thedangler wrote:
| I worked at a company whose server was hacked and they stole the
| API keys and did carding on it from the server. Paypal tried to
| tell us we owed them $100,000.00 in fees. We were only running
| $4500.00 payments at most 5 times a day for course registrations.
| The hacker ran auths on random CC numbers for $1 every second.
|
| We didn't have to pay the fees for carding but they don't care.
|
| They do not care because they make money off fraud.
|
| We had settings stating we only have orders between $2500 and
| $6000. But they do not check auths lol
|
| Crazy.
|
| This was back around 2010 and stripe was not available in Canada
| at the time.
| mndgs wrote:
| The contents of the article do not match the title. The article
| is about how they experienced and fought chargebacks. Simple,
| nothing spectacular.
|
| Stop whining, have the US adopt PSD2 (SCA in particular) and your
| problems will go away (most of them).
| chasebank wrote:
| Re: Chargeback fees - Visa acquired a company called Verifi a few
| years back. Their new products are Rapid Dispute Resolution (RDR)
| and Order Insight. RDR effectively lets you automatically refund
| a transaction before it gets turned into a chargeback and Visa
| charges a $4 fee (Assuming your MCC code is not high risk). Order
| insight lets you provide certain data about a questioned charge
| immediately and if the customer has had 3 previous charges with
| you, a chargeback CANNOT be issued.
|
| It was a really easy decision for our business based on win rate,
| avg order size and chargeback fees. Plus now we don't have to
| constantly worry about Visa's or the merchant bank's 1%
| chargeback rule. This only applies to Visa charges but it
| represented about 50% of our total volume.
|
| One last note - Visa is basically taking away a massive revenue
| source for the processors. If your processor is TSYS, they are
| trying to charge a RDR fee of $10.
| pimpl wrote:
| Article author here. Really valuable stuff, thanks for sharing!
|
| Do you handle this for Mastercard in any way? I've heard of
| Ethoca (they are really good at SEO), it seems quite similar to
| Verifi.
| chasebank wrote:
| Ya, for Mastercard we use their Ethoca network. They are much
| more expensive, like $25 per resolved charge but now our
| chargeback rate is near 0% for Visa / MC and get incredible
| rates on the front end from such clean processing. Plus we
| never have to worry about chargebacks threatening our
| merchant account again.
| spetteruti wrote:
| What do you do for Amex/Discover?
| chasebank wrote:
| Just standard cb dispute process. We outsource this.
___________________________________________________________________
(page generated 2023-08-02 23:00 UTC)