[HN Gopher] The underground world of credit card network exploit...
___________________________________________________________________
The underground world of credit card network exploitation
Author : pimpl
Score  : 347 points
Date   : 2023-08-02 15:05 UTC (7 hours ago)
(HTM) web link (chargebackstop.com)
(TXT) w3m dump (chargebackstop.com)

| tamimio wrote:
| Credit card payments are exactly just like SMS 2FA, both are insecure by design and served the purpose before the internet. Trying to shove old tech into new one and expecting it to work well is just naive. Instead of spending time and resources by big corporations to create such "web environment integrity", how about creating a better, more secure, fraud-proof system instead?
|
| kareemc wrote:
| In my experience, Stripe used to be a lot better at catching this stuff - but I've noticed it seems to have been getting worse and worse.
|
| Have Stripe Radar improvements slowed down or have fraudsters gotten better?
|
| bze12 wrote:
| Some advice I got a while ago about detecting fraud through Stripe is you should probably train your own fraud detection model if you're serious about limiting it and have enough volume. Even something like a simple logistic classifier would work. Stripe Radar isn't tuned to the specifics of your business, and there are other signals you can account for (like which products they're buying, how long it takes them to buy after opening your site, etc). Custom Radar rules work to an extent.
|
| I get that a lot of indie businesses probably don't have the resources/want to do this, so there are solutions you can buy, but they're expensive and mostly targeted at high volume merchants anyway. Maybe Stripe launches a fine-tunable Radar product someday?
|
| codedokode wrote:
| It is ridiculous that you can simply enter somebody's card number and buy something without confirming a purchase via SMS code.
| nickdothutton wrote:
| I've always found it incredible that US banks often require only the card number to perform a transaction. All those "card generators" I used to see uploaded to BBS in the late 80s and early 90s make sense.
|
| deathanatos wrote:
| That part of the article was news to me. Like, why do I have to deal with CVVs, expiration dates, zip codes, (not to mention the resulting work from the fallout from the fraud) ... if it doesn't even matter? How many person-years of human life per year could pursue something ... worthwhile ... if we checked the CVV?
|
| zaroth wrote:
| I don't understand not checking CVV and Expiration Date at all...
|
| But for the other info, they could be carding for prepaid cards which have no name, address, or ZIP code to verify against?
|
| deathanatos wrote:
| Do prepaids not have ZIPs? So many things demand this info (heck, even some gas pumps...) ... what do people enter at those prompts?
|
| (I left out name; I assume name isn't matched against, given how fuzzy of a field it is. Most sites don't even prompt for the information accurately enough to make a match anyways.)
|
| cesarb wrote:
| It makes sense to me that zip codes don't matter (or might be a weak signal), since some countries might not have postal codes, or might have a different postal code format. But I agree with you that it doesn't make sense to not check the CVV and expiration date; both are printed directly on the card, and should match exactly (unlike the card owner name, which is also printed on the card, but the user might type it differently, for instance typing in full their middle name when it's abbreviated on the card).
|
| jaywalk wrote:
| I recently discovered, after almost a year, that I had put the wrong expiration date of a new card into my password manager. It was the correct year but the wrong month. Not a _single_ transaction had failed with the wrong expiration date.
| zitterbewegung wrote:
| Candyjapan has a good write-up on mitigating this: https://www.candyjapan.com/behind-the-scenes/how-i-got-credi...
|
| pimpl wrote:
| Really interesting, thanks for sharing!
|
| pard68 wrote:
| Worked as the catch-all systems/CI/infrastructure/software engineer for an ecommerce company last year. This sort of stuff was so common. I'd spend at least one day a week trying to determine the newest pattern and prevent it. They were using our system to validate credit cards.
|
| Eventually I stopped more or less all attacks on our cart/checkout. But the requests were still coming. Eventually, while trawling logs for an unrelated PHP problem, one of the software engineers mentioned there was a huge amount of traffic hitting our page to save a payment for later. The platform would issue a $1.00 charge to verify that the CC was real and they'd moved to using that to "churn" cards.
|
| These CC thieves are very resourceful.
|
| bigbacaloa wrote:
| As an end _user_ of banks in both the US and EU, the banks in the US seem way, way behind technically and in terms of online usability. Both less secure and more cumbersome to use.
|
| xyst wrote:
| Yet another reason why the credit card industry needs to go. Security protocols are non-existent or haven't been upgraded since the turn of the 21st century. The amount of middleman abuse is innumerable as well. The costs of dealing with these nuisances are passed on to the merchant (via higher transaction fees, chargeback fees, ...), and inevitably passed on to the consumer.
|
| Let's not forget that the CC industry encourages the worst spending habits for consumers, thus perpetuating the never-ending cycle of slaves to debt.
|
| nerdawson wrote:
| Why does the US seem so far behind when it comes to banking?
|
| - Chip and PIN has been in the UK since 2004 and mandatory since 2006. It wasn't until a decade later that the US caught up.
|
| - Faster Payments allow for instant bank transfers (usually) between any bank account for free. Receiving transfers from clients in the US (even with a US Wise bank account) was always a nightmare.
|
| - Since the EU introduced Strong Customer Authentication, most new payments have to be authorised in your mobile banking app or by some other means of 2FA.
|
| - Even before SCA, you'd have to get the Postcode (often digits that mattered) and CVV correct at the very least.
|
| These measures seem like a way of banks shifting the responsibility for fraud onto the customer. In either case though, it's the customer who loses out. In a culture that accepts widespread card fraud, costs increase to offset it.
|
| tlogan wrote:
| In my view, the U.S. is leading the way in this area.
|
| Europe seems to be shifting the burden of fraud prevention onto customers with methods like SMS notifications and PINs. In contrast, in the U.S., banks and businesses are primarily responsible for dealing with fraud.
|
| dahwolf wrote:
| I'm sorry but using strong authentication to make my payment is not a burden, it's a bloody feature.
|
| Here's how much of a "burden" that is: you hold your ATM card next to the terminal. Done. Paid. Every once in a while (based on a configurable max per week) it will prompt for a PIN. Which you enter in 5 secs. That would be 1 in 10 payments.
|
| Online payment: scan payment QR with phone, which takes me to my banking app. Authentication is FaceID, TouchID or PIN. Then you click "Yes". Done.
|
| Both methods are highly secure, require no or minimal input and are extremely fast.
|
| mndgs wrote:
| Oh, please. You're grossly misinformed. If anything, the US is lagging lightyears behind Europe in terms of fighting fraud and fighting card schemes, which are stripping everyone equally in the US, banks and customers alike.
|
| The PSD2 directive introduced a lot of novelties, which no one at the time had (and very few do, not even the US). For instance, specific to this situation - remote payments above 30 EUR must be SCA (strong customer authentication, similar to 2FA, but more elaborate) verified (small value exception from the PSD2 RTS). Also, banks must have both real-time and post-time transaction monitoring in place, i.e. they must have systems to detect and prevent such fraudulent attempts. There are literally tens if not hundreds of fraud-fighting measures in PSD2, which all banks (both acquirer and issuer) must comply with. I could go on and on (not the place and format).
|
| Frankly, it's utterly unbelievable that this kind of thing could happen without anyone (either acquirer or issuer) intervening. Not what could (should) happen here in Europe.
|
| daveoc64 wrote:
| It's more the case that US consumers are indirectly funding crime by banks turning a blind eye to fraud.
|
| tlogan wrote:
| It's curious that the same product isn't cheaper in Europe compared to the U.S., despite Europeans not funding fraud. I can't help but wonder where those extra savings go.
|
| ArnoVW wrote:
| Products are more expensive in Europe because we have (on average) ~20% sales tax. And because the _general_ tax pressure is higher because we have more state services.
|
| In terms of PPP someone should look it up (on mobile).
|
| i_am_jl wrote:
| On the other hand, the EU caps credit card fees at 0.5% by law while in the US merchants will pay 3 times that at a minimum.
|
| I suspect that in the US CC processors are incentivized to increase their processing fees to cover the cost of fraud instead of building features to prevent it, because they can and it's easier than building features. Businesses are incentivized to increase prices to cover the cost of fraud (and CC processing costs) since processors offer such poor tooling to prevent it.
|
| In the US the burden of fraud prevention is squarely on the honest consumer's wallet.
|
| Dma54rhs wrote:
| It's not leading the way technically but for the end consumer it might be better. If I get charged unfairly my bank will tell me to go to the police. Americans can easily just refuse it.
|
| toyg wrote:
| Not if you use a credit card; a quick call to Visa/MC/Amex will get your money back instantly in Europe too.
|
| The main difference is that, in Europe, _debit_ cards are often used in the same way as a CC - except they are just a direct pipe to one's bank, and once the money comes down the pipe there is no easy way to push it back up.
|
| mnw21cam wrote:
| Chip and PIN isn't mandatory in the UK - it's just the default. My debit card is not Chip and PIN, because I asked the bank very nicely.
|
| The problem isn't the Chip and PIN itself, although it has been implemented less securely than it could be. The problem, as you point out, is that the liability for fraud has been shifted in law to the card holder, and that is what I objected to. See https://www.chipandspin.co.uk/ for more.
|
| 0xbadcafebee wrote:
| > These measures seem like a way of banks shifting the responsibility for fraud onto the customer.
|
| Onto the vendor, not the customer. The customer can chargeback anything instantly, and the vendor is on the hook for the fraud.
|
| It's intentional, so the banks and payment processors can make more profits. By making it easier for customers to chargeback, they incentivize customers to buy more stuff, by getting the customer to feel more comfortable charging everywhere. Charging more stuff makes payment processors more money.
|
| mistrial9 wrote:
| > US seem so far behind when it comes to banking
|
| "ahead" and "behind" halt thinking, and turn the entire topic into some kind of number-line position. It is not. This is complex and actors on both sides of the Atlantic are playing in bad faith to exploit changes.
| Second, you ignore the roles involved. Mid-20s person with steady job is a smaller and smaller part of the system-in-fact, for many reasons. Some people say that working 20-somethings are abused and disenfranchised, including in the EU and elsewhere.
|
| np- wrote:
| > In a culture that accepts widespread card fraud, costs increase to offset it.
|
| Maybe, maybe not, but this is a very simplistic way of looking at it. If credit card fraud is responsible for X% of total charges, they can spend effort to deal with it, OR they can simply not deal with it and keep the transactions going while eating the cost; they may be able to serve Y% more customers where Y > X and thus end up with more profit in the long run.
|
| This works for a lot of businesses in America because the sheer scale is massive (take McDonald's for example, they would probably be better off processing their lunch rush quickly due to the margins they are making rather than take even 1 second to verify there is no fraud). This may not work in Europe, but IMO you're missing an entire dimension when analyzing the true costs.
|
| If the fraud/benefit scale ever tipped away from favoring the companies, I think we would see all these major fraud prevention mechanisms kick in almost immediately in the US.
|
| ActivePattern wrote:
| As a Canadian, it does feel like stepping out of a time machine when you pay at restaurants in the USA. Instead of using a terminal at the table to pay yourself, you need to give the server your card and wait for them to manually process it somewhere. Maybe things have progressed in recent years. But we haven't done it that way in Canada since the early 2000s.
|
| danudey wrote:
| I was visiting Seattle (from Vancouver) a few years ago, and they didn't want me to use my chip card as a chip card because if they did then I couldn't tip. What the heck is that all about?
|
| Also, we're _still_ hearing stories about merchants in the US starting to accept Apple Pay, whereas it worked fine in almost every retailer in Canada the day it was available - even though it wasn't available in Canada for a long time, American visitors (or Canadians with American credit cards) could use Apple Pay on launch day at any retailer that supported tap-to-pay, which was easily most of them.
|
| bmicraft wrote:
| > What the heck is that all about?
|
| Tax fraud? I've never seen a card reader in a restaurant (here in Europe) where they couldn't either enter a completely arbitrary amount to pay, or add a tip.
|
| kasey_junk wrote:
| It was probably an issue with that particular merchant's POS. Merchants have very little incentive to update their POS systems so technology changes are very hard to get rolled out. Especially for smaller merchants, which many restaurants are.
|
| It's a network effect thing. Because tap to pay wasn't supported by the POS vendors, US consumers did not get much improvement in experience because of it, so there wasn't demand from merchants. With Apple Pay there is a huge improvement for consumers (not having to carry the credit card), so it has finally forced merchants and their supporting POS vendors to support it.
|
| Between that and the disruption in the POS market the iPad (and similar devices) brought, POS vendors have had to become more flexible.
|
| tptacek wrote:
| That's not a thing. Americans universally pay for restaurant meals on cards.
|
| wpietri wrote:
| Things have definitely changed here recently. At least in San Francisco, at-table terminals are now the norm in sit-down restaurants. Staff generally use the same device for order-taking and payment.
|
| baby_souffle wrote:
| > Things have definitely changed here recently. At least in San Francisco, at-table terminals are now the norm in sit-down restaurants. Staff generally use the same device for order-taking and payment.
|
| I used to work in the PoS industry.
|
| This tech is new-ish to the US but not to the rest of the first world. 15 years ago, paying with a CC @ the table was common in Europe, but the terminal could ONLY do payments. The devices that have been rolling out to the US are more like Android tablets in that they can run the order-taking half of it, too. Selling hardware to a restaurant is tricky and "oh, no, this only allows you to move the payment portion to the table; staff still have to go to a central spot to find a table that can accommodate guests and place their order" was basically a non-starter. The sales pitch is a lot easier now that everything can be done table-side.
|
| wpietri wrote:
| For sure. "Bring the card to the device" and "bring the device to the card" seem about equivalent to me in convenience unless the device is something that the waitstaff is going to carry all the time anyhow.
|
| pests wrote:
| I've started to see more and more servers using a mobile POS with built-in credit reader and receipt printer. They hand it to you for tip and signature and you don't have to hand your card to anyone.
|
| tlogan wrote:
| Definitely not a better experience for all consumers. Or waiters.
|
| I do know that some restaurant owners are removing these things. They do not want to look like Olive Garden :)
|
| But it really depends on the restaurant: is it high end, type of food / drinks, is it a date place, etc.
|
| The majority of restaurants are all about experience and even the payment system should match that experience.
|
| sigwinch28 wrote:
| > The majority of restaurants are all about experience and even the payment system should match that experience.
|
| I'm in the UK. I go to many high-end restaurants, cocktail bars, etc. Portable card terminals are essentially universal in these places. The fact it's the same everywhere is a feature, not a bug.
|
| It's quick.
| Your card never leaves your sight. No pen is required. Payments up to £100 can be done using contactless on a physical card. Even higher amounts with smartphones/smart watches. Tipping is often integrated into the terminal where tipping is common. It's rare to have to put the card into the terminal.
|
| I don't think it detracts from the experience. On the contrary, I think it streamlines the bit between being finished and wanting to leave:
|
| "Please can I have the bill and a card machine, please".
|
| WirelessGigabit wrote:
| But now they get to see how much you're tipping them! Like they literally have to wait while you punch it in, increasing the social pressure to make up for a broken system.
|
| I don't go to restaurants anymore. Too much pressure.
|
| DiggyJohnson wrote:
| Respectfully, this seems like social anxiety or hyperbole. You don't go to restaurants because of the stress of the cultural norm of tipping? Seems more accurate to say you don't like eating out in general or because of the price of eating out once you factor in a tip...
|
| creeble wrote:
| None of these comments seem relevant to TFA, which is specifically about card-not-present fraud.
|
| Chip and PIN doesn't work for internet payment.
|
| Bank transfers don't work well internationally.
|
| It is trivial to turn on AVS (address verification) and CVV, but it can result in more declined-yet-legitimate transactions. Sometimes that outweighs the fraud risk that these catch.
|
| The responsibility for fraud is pushed to the merchant, not the customer. Yes, customers pay higher prices because merchant fraud gets passed on eventually, but only in the sense that _all_ fraud costs get passed on to consumers eventually.
|
| pas wrote:
| Lack of initial (mobile app push notification based) verification for saving the card data is the issue, no?
|
| DarkGauss wrote:
| We still do not use chip-and-PIN on credit cards in the US.
| We use chip-and-signature for most credit cards. I'm not saying there aren't credit cards with chip-and-PIN, there are some.
|
| We do use chip-and-PIN on most debit cards, but even that can be bypassed on 99% of terminals to fall back to chip-and-signature.
|
| ggregoire wrote:
| What's super interesting to me, a lot of countries that you would expect to be behind the US on that topic actually have state-of-the-art banking tech. Even the EU is behind some of the stuff I've seen in LATAM.
|
| mndgs wrote:
| Please, name an example. Particularly, the EU being behind LATAM. As an expert, I'm honestly interested.
|
| arjvik wrote:
| We have 3D Secure, but it's almost never implemented on sites!
|
| _puk wrote:
| Define "We".
|
| With a UK card pretty much any transaction I do online requires me to auth it in app.
|
| I even found I had to do it recently for things like car hire, and those websites are generally just wrappers around local company searches (though higher sums overall).
|
| BaseballPhysics wrote:
| A massively diverse and deregulated banking sector.
|
| The US has literally _thousands_ of small regional banks across 50 fairly independent states.
|
| Rolling out major new technologies in that environment is far, far harder.
|
| cubefox wrote:
| The number of banks in the US seems perfectly normal. Germany has ~1500 for 80 million inhabitants, the US has ~4800 for 300 million.
|
| toomuchtodo wrote:
| https://www.npr.org/2023/05/16/1176513695/does-the-u-s-have-...
|
| https://www.marketplace.org/2023/05/05/heres-why-the-u-s-has...
|
| TrackerFF wrote:
| If Germany is anything like the Scandinavian countries, those banks will just be branches of a handful of different banks.
|
| We really don't have any microbanks that need to roll out their own tech for everything - most are just part of the larger banks, and get all the infrastructure provided for them.
| tptacek wrote:
| The US is 50 related but different regulatory regimes, not 1.
|
| cubefox wrote:
| Germany also has states, although they aren't as independent as US states. In any case the EU is much less unified than the US.
|
| BaseballPhysics wrote:
| First, compared to the rest of the EU, Germany is a weird outlier with the number of banks they have (which, by the way, has been declining steadily for 15 years).
|
| Setting that aside, you missed the "deregulated" part.
|
| As I understand it (and I grant my understanding is pretty cursory) Germany has a much stronger central regulating body, and is subject to overall EU regulations as well.
|
| The US has multiple regional banking authorities and a ton of responsibility is delegated to the states, and in general government intervention is seen as a last resort.
|
| So it's both structural and cultural.
|
| cubefox wrote:
| > First, compared to the rest of the EU, Germany is a weird outlier with the number of banks they have (which, by the way, has been declining steadily for 15 years).
|
| Still, the absolute number itself seems to be not really the issue here. (I assume the number of US banks has similarly declined in the US, as fusions reduce cost.)
|
| > Setting that aside, you missed the "deregulated" part.
|
| Yeah, that part I don't object to.
|
| [deleted]
|
| asmor wrote:
| And also, a lot of German banks are actually federated with centralized IT departments (like Finanz Informatik) providing the entire bank as "blueprint". Yes, even if they aren't called Volksbank or Sparkasse. For instance, if you get an EC/GiroCard from DKB, the letter is suspiciously typeset in Sparkasse's corporate font.
|
| Scoundreller wrote:
| > We learnt that 15% of the successful fraudulent charges resulted in chargebacks.
|
| I hope the other 85% are just recent transactions that haven't been scrutinized yet.
|
| Or did the fraudsters target a bank with high net worth clients that don't scrutinize smaller billings???
|
| I can see a lot of people not really scrutinizing a random Spotify transaction or something. Especially vendors that let you store multiple cards and then you don't always keep it straight which transaction went to which card anyway.
|
| mrguyorama wrote:
| Stripe is god awful at fraud prevention and it's intentional. They are explicitly outsourcing the cost of risk management to their clients. It's obscene. I work in the credit card fraud prevention field, and I'm not even that good at my job, but our team of like 3.5 people easily built and maintained a system that prevents this exact kind of carding attack.
|
| The primary way for a business to prevent carding attacks is to just be slightly more annoying to attack than the next guy. As far as I can tell, Stripe is happy to be the easiest large network to attack because they outsource the pain and cost of any attack to you, their users. They could easily, and for very little cost, prevent this from hurting you.
|
| Stripe is choosing to let you suffer to save a few bucks.
|
| KRAKRISMOTT wrote:
| They want to nickel and dime you and make you pay for Radar. It's the exact same strategy with Stripe Taxes and their terrible currency conversions. Provide no service up front and eventually you realize your Stripe transaction hits a two-digit percentage of your overall price.
|
| thierryzoller wrote:
| What strikes me is the comment on 3DS challenges that passed. By law in Europe, once a 3DS challenge is completed the bank owns the risk and cost of the chargeback, NOT the online shop. Can someone tell me how this is implemented in common processors? Any experience?
|
| paxys wrote:
| If you are a foreign company accepting payments from the USA, you should simply expect this as a cost of doing business.
|
| Credit card fraud here is socialized.
| The end consumer is never liable, and so we don't bother with chip and PIN, 2FA, 3D Secure or whatever else. If we notice a suspicious transaction we simply tap a button in the bank's app and the charge is reversed in minutes.
|
| Banks and payment processors are themselves incentivized to push through transactions as quickly and easily as possible so people spend more (yay consumerism!), and like the author said you mostly don't even need to input the right expiry date, billing address or zip code.
|
| The drawback of course is that all of the liability is pushed on to the business, and so they have to raise prices for everyone to make up for it.
|
| skybrian wrote:
| I expect it's path-dependent legacy practices more than anything else. Credit cards were invented in the US, so the tech is old and upgrades take a long time.
|
| For manual payments, UPI in India sounds pretty great. Apparently the customer approves each payment on their phone before it goes through?
|
| delusional wrote:
| Your causality chain doesn't track for me. Here in Denmark we have the same consumer protections, the ability to do chargebacks and the (government funded) guarantee that the consumer does not lose any money if their bank account is drained. Yet we still have very strong protections at the time of purchase with mandatory chip-and-PIN as well as 3D Secure (which replaced Verified by Visa).
|
| I don't really think there's a rational reason for why you don't have better card security in the US. You just seemingly don't want it.
|
| tobi1449 wrote:
| My guess is the difference lies in the fact that the EU limits credit card fees to something around 0.5%. That means the CC companies can't offload the financial burden of this onto the vendors (and they in turn onto their customers), which leads to them having an actual incentive to improve security.
|
| dheera wrote:
| > That means the CC companies can't offload the financial burden of this
|
| Most CC company (CCC) revenue comes from charging the poor people who can't pay their bills ("interest"). Merchant fees are only a small portion of revenue for most cards [1]. In the case of Discover for example it's less than 10% of their revenue, and in the case of Amex it's less than 33%. Other cards fall in between.
|
| [1] https://www.valuepenguin.com/how-do-credit-card-companies-ma...
|
| trompetenaccoun wrote:
| Your link explains that the issuing banks charge interest, not the credit card companies - which are merely the payment processors. I don't know all of the companies listed, it's possible that some are two in one and have their own bank as well. Some payment processors are partly owned by major banks too. But take the largest CC company, Visa: they don't extend credit at all, they don't even issue their own cards iirc. All their profit comes from fees, because the fees are too damn high(tm).
|
| They've successfully convinced the public of the opposite though. It's a very common misconception that only "suckers" who buy on credit pay for it and that everyone else is getting a free service as long as they pay off their cards in time. In reality everyone pays because the merchants have to pay those fees and they pass the cost on to the consumer.
|
| dheera wrote:
| I used CC companies loosely as in {issuing banks + credit card companies} and their collective profit model.
|
| > In reality everyone pays
|
| Not really, credit card companies give you cash back if you pay on time, which is percentage-wise similar to merchant fees.
|
| Sebguer wrote:
| There's a recurring myth, very prevalent in the US, that credit card companies would prefer people who pay off their bills every month as cheap margin versus being predatory.
| It's bizarre, and as you've pointed out, completely unsupported by how they actually make their money.
|
| Jon_Lowtek wrote:
| The incentive for payment providers to improve their security is a regulation called PSD2 which directly requires strong customer authentication.
|
| trompetenaccoun wrote:
| And that is in addition to the outrageous fees CC companies charge merchants. In the US it's typically around 2% of the transaction! The EU caps it at 0.3% maximum, which still seems like a lot when you consider how much money they move. That's another cost that gets socialized and passed on to the consumer of course; even shoppers who pay cash have to pay for this through higher prices.
|
| People should know btw that with 3D Secure the card owner can be held liable for fraudulent charges, because some banks have that in their terms for 3D Secure. With phone 2FA all that needs to happen is you have your phone and wallet stolen. I've seen cases in the news where people lost thousands.
|
| carlosjobim wrote:
| > The EU caps it at 0.3% maximum
|
| That's completely untrue. Most European businesses pay much more than that.
|
| pas wrote:
| You're mixing up the total cost of processing the card (which is what Stripe and other gateways charge) with the Visa/MC rent.
|
| https://ec.europa.eu/commission/presscorner/detail/fr/MEMO_1...
|
| "Therefore, the Regulation caps interchange fees for consumer debit cards to 0.2 % and consumer credit cards to 0.3 % of the value of the transaction."
|
| toomuchtodo wrote:
| > With phone 2FA all that needs to happen is you have your phone and wallet stolen.
|
| Are device passcode and app biometrics insufficient security measures in the event of device theft?
|
| joncrocks wrote:
| If you have your phone set to wake up/show notifications on new messages, and your bank simply sends an SMS code as verification, then the thief can just read the message(s) when they come in and input them.
|
| dkjaudyeqooe wrote:
| You have the option to hide the actual message, at least on Android.
|
| l__l wrote:
| Last I checked this was opt-in on Android; it's been default on iOS since I think 2017ish?
|
| J_Shelby_J wrote:
| If they have your device PIN code and your device, they have control of your entire digital life.
|
| We've never been more vulnerable to petty crime.
|
| treadmill wrote:
| Wild idea: what if secure digital payment was a public service?
|
| cubefox wrote:
| FedNow:
|
| https://www.federalreserve.gov/newsevents/pressreleases/othe...
|
| Unfortunately not many banks support it yet.
|
| Brystephor wrote:
| I think "secure" is the key part that's missing here. There's no incentive for a consumer to use a payment method such as this when paying with a bank. The reason is that credit cards come with consumer protection that this just doesn't offer.
|
| cubefox wrote:
| I don't think customer protection is necessary unless you are dealing with unusually small or shady companies. I live in Germany and do not own a credit card, they are uncommon here. Mostly we pay per bank transfer or debit card. Even with the possibility of fraud, this is probably significantly cheaper in expectation than paying a 2% credit card fee each time just to have the possibility of chargeback.
|
| notyourwork wrote:
| I'm not sure how much extra I pay but the hassle-free peace of mind I have seems worth it.
|
| vladms wrote:
| "Hassle-free peace of mind" meaning you do not need to remember a 4 digit code (or click "yes" in a phone app), while you need to check your credit card transaction list regularly to reject fraudulent transactions?
|
| I find the effort of remembering the 4 digit code/having the phone much smaller than the alternative ...
| Invictus0 wrote: | I think OP is talking about never being liable for fraud | acdha wrote: | I've never had a card stolen where either of those would | have helped - they're stopgaps trying to avoid upgrading | the banking system to use public-key encryption with reuse | protection. | | A couple of times, merchants with my card on file were | compromised. The thief could make charges because the | merchant had to be able to as well. What would have stopped | that would have been having a way to restrict a charge to a | particular merchant so the attacker couldn't have been able | to get the money out. | | Once, my supermarket had skimmers. A code wouldn't have | been effective unless you were very good at spotting where | the thieves planted cameras, too. An active MFA prompt | would help against attacks at a substantially later time | but it'd have to include the merchant name in an | unspoofable form to prevent real-time attacks so I wouldn't | be asked to approve charges from SAFEWAY_, and that | old-fashioned style of MFA is painful: it'd always make | checkout slower and you'd have some fraction of people who | don't have phones with them or just ran out of battery. | | What completely solved this problem for me was the modern | tap systems (ApplePay). It requires more smarts on the | client but means that I have to approve each transaction | and the value the card reader gets can't be used anywhere | else. | notyourwork wrote: | I think you misunderstood me. Peace of mind is in not | having to worry about fraud being my responsibility to | fight or dispute. I can call CC company or through mobile | app, flag transaction, get my money back and never spend | another minute on the issue. | fsociety wrote: | The last link in the chain of payment processors pays for | it. | delfinom wrote: | Hah, I found the focus on American banks funny because the one | telegram photo said to use the address of Paris France.
| | Let me tell you, on two different organizations I am part of, I | have run in the last 2 years, both got hit by automated credit | card checking bots using French banks and a lot of those cards | succeeded. | | (Of course there's a whole story about how both these orgs have | resisted my previous warnings about hardening the payment | sites...one of them even was still using Magento 1) | | Anecdotal but meh, the real problem is credit cards are just as | much kludged relics as ACH that nobody wants to really fix | meaningfully | topato wrote: | Was it at least one of the hardened forks of Magento 1?! | xyst wrote: | Americans (yes both Canadians and people from the states) are | shielded from the chaos that happens to process a single | transaction. They only see the paltry rewards in the form of | 1-2 (maybe 5) cents per dollar charged, which is translated | into "points" (1 cent == 100 points is what I have seen with | some "premium" cards) and makes it seem worthwhile. | | What they don't see is: the 3-5% or more markup of goods across | the board (doesn't matter if you pay cash or card, especially | for big box stores), the number of charge backs and the costs | of dealing with it, fraudulent charges, poor security (places | still accept mag stripe in the states), innumerable | middlemen to process transactions (bank fees, issuing card | fees, network fees, premium card fees, ...) | | It's fucking chaos. I hate it. | | With FedNow, I am hoping that will change. Eliminate all of | these middlemen that are siphoning funds from people across the | board. Eliminate the parasites. Eliminate the waste. | edwinwee wrote: | (Edwin from Stripe here.) Worth noting this is copypasta from an | older post from a month ago | (https://piotrmierzejewski.com/p/card-networks-exploitation). | We've fixed most of these issues since then. This type of card | testing has dwindled--Radar should now be catching these types of | attacks.
| | On the chargeback point--we hate chargebacks too and we want to | limit them as much as possible (we're actually working on a few | things over here that we think will help with this). The banks | levy chargeback fees (in varying amounts) and an average of them | show in the form of a $20 fee--it's not a Stripe-specific fee and | we don't profit from chargebacks. | | We've just finished company planning for the rest of the year and | reducing this type of fraud is a top priority. So if you think | you're seeing something similar, please email me at | edwin@stripe.com. | Faaak wrote: | Isn't this solved with 3-D Secure? Many websites (at least in | the EU) implement it and if mandatory, it's impossible to buy | something without 2FA (either by SMS, phone app, ...) | swarnie wrote: | We're talking about an industry who proudly announced instant | bank to bank payments last week like 2003 has just arrived in | the colonies. | | Don't expect speed or creativity in the US banking sector. | dahwolf wrote: | Enabling 3-D secure on all transactions leads to lower | conversion rates, therefore typically a hybrid model is used | where it's enabled/disabled per transaction whether it is needed | based on a risk score. | alsodumb wrote: | That's not the case in the US. | | It's kinda funny, but the only time Chase and Amex credit cards | asked me for 2FA (I didn't even know they had 2FA) was when I | used them to purchase some things on an Indian website through | a local payment provider (Razorpay). | lotsofpulp wrote: | I have seen it multiple times at BestBuy.com and | HomeDepot.com, and probably others. | bonzini wrote: | "banks (usually American ones) will happily accept transactions | that have incorrect full name, invalid CVV / CVC, wrong | expiration date, only partial billing address provided, with | incorrect ZIP code. All of the above is still not enough to | trigger a 3D secure authorisation" | | The solution indeed is to write manual rules to trigger 3D | secure.
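The rule-based step-up that bonzini, zer0x4d and dahwolf describe (hard-block a CVC mismatch, send uncertain cases to 3-D Secure, score the rest) as an added example in Python. It is not code from the article, from Stripe, or from any commenter. It assumes the processor reports the CVC and postal-code check outcomes as the four values Stripe's docs use for those fields ("pass", "fail", "unavailable", "unchecked"); the weights, thresholds and extra signals (BIN country, IP velocity) are this example's own assumptions.

```python
"""Merchant-side decision rule for a card-not-present payment attempt.

Added example; not code from the article, Stripe or any commenter.
Check outcomes use the four values Stripe documents for cvc_check and
address_postal_code_check: "pass", "fail", "unavailable", "unchecked".
Weights, thresholds and the remaining signals are assumptions.
"""
from dataclasses import dataclass

PASS, FAIL, UNAVAILABLE, UNCHECKED = "pass", "fail", "unavailable", "unchecked"


@dataclass(frozen=True)
class Attempt:
    amount_cents: int
    cvc_check: str            # issuer's answer to the CVC/CVV the customer typed
    postal_check: str         # issuer's answer to the billing postal code (AVS)
    billing_country: str      # country in the billing address the customer gave
    bin_country: str          # country the card's BIN resolves to
    attempts_from_ip_1h: int  # earlier attempts from this IP in the last hour


# Assumed weights. "unavailable"/"unchecked" on CVC is NOT a pass: the issuer
# never compared the code, so the attempt carries no evidence either way.
WEIGHTS = {
    "cvc_not_verified": 2,
    "postal_mismatch": 2,
    "bin_country_mismatch": 2,
    "high_value": 2,
    "ip_velocity": 3,
}
STEP_UP_AT = 2          # score at which 3-D Secure is required
BLOCK_AT = 5            # score at which the attempt is refused outright
HIGH_VALUE_CENTS = 5_000


def score(a: Attempt) -> tuple[int, list[str]]:
    """Additive risk score plus the reasons that contributed to it."""
    reasons = []
    if a.cvc_check in (UNAVAILABLE, UNCHECKED):
        reasons.append("cvc_not_verified")
    if a.postal_check == FAIL:
        reasons.append("postal_mismatch")
    # postal "unavailable" is a weak signal (many countries have no postal
    # code at all), so on its own it adds nothing
    if a.billing_country != a.bin_country:
        reasons.append("bin_country_mismatch")
    if a.amount_cents > HIGH_VALUE_CENTS:
        reasons.append("high_value")
    if a.attempts_from_ip_1h >= 3:
        reasons.append("ip_velocity")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(a: Attempt) -> tuple[str, list[str]]:
    """Return ("block" | "require_3ds" | "allow", reasons).

    A CVC mismatch is a hard block regardless of score: the customer typed
    a code that does not belong to the card, and a step-up challenge adds
    nothing to that evidence. The quoted article says some issuers still
    approve such attempts, so the merchant has to refuse them itself.
    """
    if a.cvc_check == FAIL:
        return "block", ["cvc_fail"]
    s, reasons = score(a)
    if s >= BLOCK_AT:
        return "block", reasons
    if s >= STEP_UP_AT:
        return "require_3ds", reasons
    return "allow", reasons
```

The point of the two thresholds is the hybrid model dahwolf mentions: a clean attempt never sees a 3-D Secure challenge, an attempt the issuer could not verify does, and an attempt that stacks several weak signals is refused without burning a challenge on it.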
| radicality wrote: | Even more funny is that in USA, the actual amount charged to | the card is mutable. Take for example when you go to a | restaurant and give your card, it's charged, and then you | write out with a pen a tip amount, which at some future point | gets added on to your charge. | Detrytus wrote: | But there are laws about that: you authorize tip with your | signature, if they charge you more than you authorized, | they can get in trouble. Don't see the issue here. | zer0x4d wrote: | The author is wrong about this. | | Banks don't choose to accept incorrect name, invalid CVC, | invalid exp date or wrong billing address. It's up to the | user (in this case him) to enable CVC Check and AVS in his | payment processor to fail payments that don't pass this | check. It's also up to him/Stripe to implement 3D secure and | trigger it. | | https://stripe.com/docs/disputes/prevention/verification#cvc. | .. | zaroth wrote: | From your link; | | "Radar includes a rule to block any payments that fail the | CVC verification check, which you can enable or disable | within the Dashboard ( _this doesn't affect payments where | the CVC check couldn't be performed_ )." | | Also; | | "...Support for both types of AVS checks varies by country | and card issuer (for example, certain countries don't use a | postal code or some card issuers don't support street | address verification)" | | So it appears there are cases where these checks can be | enabled on your Dashboard, but skipped by Stripe or not | actually performed by the issuer, I'm thinking like for | prepaid cards? | selimthegrim wrote: | I've seen verified by visa triggered a few times for online | purchases | __MatrixMan__ wrote: | ... Which is hell if you're in a country where your sim | card doesn't work and your bank requires sms 2fa. | orangepurple wrote: | My US bank requires SMS 2FA and SMS works for free | because I am connected to Wifi. I have VoWiFi enabled. 
My | US phone plan is with a budget carrier; I only pay $15 a | month for voice, SMS, and data. | alexvoda wrote: | Then it's a good thing that many banks in the EU now have | 3DSecure validation through the phone app instead of SMS | Detrytus wrote: | What if you lose your phone? In my country banks only | allow you to use one phone for mobile authorization, so | you can't even have a backup phone. I really wish | 3DSecure was optional so I can turn it off when going on a | foreign vacation. | pas wrote: | On a vacation I have my card (and can use PIN auth), the | issue is usually online transactions ("card not present", | ie. vPOS transactions). | appplication wrote: | What was most surprising about this is not the fact that there is | a group of people exploiting Stripe's payments, but that the | author had ChatGPT write a script to automatically handle | payments processing, specifically for chargebacks. And based on | the context in the article, the author sounds like they lacked | the technical skill to write or validate these scripts | themselves. | | This author is jumping out of the frying pan and into the fire. | ChatGPT is cool and all, but the fact that they're trusting it to | write critical code for handling their customers' money speaks | volumes. They're incredulous at how they feel Stripe violated | their trust in it to manage fraud, but then go ahead and blindly | place it in another technology they don't understand. The problem | isn't Stripe (though, yes, they should fix this), it's the fact | that they are just giving away trust and hoping for the best. | systems_glitch wrote: | Same initial reaction when I read that part :/ Let's see what | the next level of voodoo programming looks like... | flutas wrote: | > the author had ChatGPT write a script to automatically handle | payments processing, specifically for chargebacks | | Feels like a mischaracterization tbh.
| | He had it make a script to go through and accept the | chargebacks for these accounts, not handle payment processing | or do anything to the chargebacks other than click "accept" | essentially. | | > And based on the context in the article, the author sounds | like they lacked the technical skill to write or validate these | scripts themselves. | | I also don't really get where you're getting that from. | | The author even said | | > I reviewed all of the scripts carefully, and also never | shared any customer data, IDs, or API keys. I think I saved at | least a couple hours compared to hand-rolling these tools | manually! | appplication wrote: | ChatGPT is not capable of writing production quality code. | Many (most) companies have internal policies against | deploying any code written by an LLM. The point isn't to slow | devs down, but to mitigate risk. This is _especially_ | important in the customer /payments stack. This is not the | right place to "save a couple hours". Maybe if this was for | some one-off offline analysis, sure. | | The fact that it works is insufficient proof that it was the | right thing to do. Building a habit of relying on LLM | generated code is an inherently risky practice, and ChatGPT | will literally warn you against trusting its outputs. Sure, | it lets you growth hack your way through sort term problems, | but in the long term I'm not convinced this is responsible | decision making at the current levels of LLM technology. | | Or maybe I'm just a Luddite, stuck in my old ways. | pengaru wrote: | It's terrible, but not far removed from what's been already | happening with "developers" copying and pasting | StackOverflow comments into a text editor and making | uninformed compiler-error-guided-edits until it runs then | done! | | The root of the problem here is people making production | stuff who don't know wtf they're doing. 
If they turn to SO | posts, LLMs, or "developers" on fiverr/upwork doing the | same thing, is there really much of a difference? LLMs seem | to mostly be tightening the loop of horror that's already | been happening. | | Same downward trajectory, increased velocity. | libraryatnight wrote: | Just seems like programming will be joining the ranks of | most tools. There will always be craftsmen, there will | always be professionals, and then there will be the guy | bolting together ice chests and garbage disposals to make | margarita mixers on his patio or the kid with a duct tape | exhaust rig on his Honda Civic. | | I guess, to your point, it's only trouble if the | margarita mixer guy is put in charge of something that | matters? :D | | (might be a bad example, I've known some fine engineers | and mechanics that are absolutely margarita mixer guy, | but hopefully my point is taken lol) | pixl97 wrote: | >Just seems like programming will be joining | | I'd love to know about the nirvana you've been in up till | now, because working around code from numerous large | companies the vast majority of it is the crappest ass | crap straight from the crapper with no redeeming | qualities, and it has been this way forever. I'm not | saying there aren't good parts, there are general core | routines that sheer need for them to be performant and | non-data corrupting forced some Sr engineer to fix them. | kredd wrote: | Frankly speaking, probably the latter. I've been using | Copilot for over a year now, and obviously it makes stupid | mistakes, but it sped up my general coding speed. Now, I | don't have much experience (maybe around 10ish years of | programming professionally) in comparison to greybeards, | but it works. Haven't used ChatGPT much, but as long as the | user understands its shortcomings and reviews/refines its | outputs, it's fine. | | People who write code also make mistakes, yet we don't | consider it "inherently risky practice".
We just review | others' code, tweak it, make it more appropriate for prod | and voila. Same thing applies here. | dylan604 wrote: | >but as long as the user understands its shortcomings and | reviews/refines its outputs, it's fine. | | nice caveat doing a heckuvallot of heavy lifting. i | understand that we're talking about coders and sort have | this inferred impression that coders will have this | understanding, but...that's an awfully broad brush you've | used to paint over the simple fact that most people using | LLMs (in general) are not understanding this. | MetaWhirledPeas wrote: | > the simple fact that most people using LLMs (in | general) are not understanding this | | How do you know most people using LLMs are not | understanding this? | dylan604 wrote: | Because ChatGPT has been opened to the public | inopinatus wrote: | PHP also lowered the bar to programming, and we got over | the consequences of that. Eventually. | inopinatus wrote: | forty years behind the keyboard or elbow-deep in a rack, | beard not actually grey yet, but still, yes; those who do | not adapt will be left behind. | mrdatawolf wrote: | My current suggestion is to consider it the work of a just | on-boarded intern. It will save you some time but you still | need to walk thru the code to make sure it will work as | intended. | TechBro8615 wrote: | First, it's worth noting the code in the blog post is not | "production code," but rather one-off or periodically | used scripts for accelerating manual business processes, | with results that are easy to manually check. | | But in regards to production code, I agree. When code is | committed to a codebase, a human should review it. | Assuming you trust your review process, it shouldn't | matter whether the code submitted for review was written | by a human or a language model. If it does make a | difference, then your review process is already broken. | It should catch bad code regardless of whether it was | created by human or machine. 
| | It's still worth knowing the source of commits, but only | for context in understanding how it was generated. You | know humans are likely to make certain classes of error, | and you can learn to watch out for the blind spots of | your teammates, just like you can learn the | idiosyncrasies and weak points of GPT generated code. | | Personally, I don't think we're quite at "ask GPT to | commit directly to the repo," but we're getting close. | The constant refrain of "try GPT-4" has become a trope, | but the difference is immediately noticeable. Whereas | GPT-3.5 will make a mistake or two in every 50 line file, | GPT-4 is capable of producing fully correct code that you | can immediately run successfully. At the moment it works | best for isolated prompts like "create a component to do | X," or "write a script to do Y," but if you can provide | it with the interface to call an external function, then | suddenly that isolated code is just another part of an | existing system. | | As tooling improves for working collaboratively with | large language models and providing them with realtime | contextual feedback of code correctness (especially for | statically analyzable or type-checked languages), they | will become increasingly indispensable to the workflow of | productive developers. If you haven't used co-pilot yet, | I encourage you to try it for at least a month. You'll | develop an intuition for what it's capable of and will | eventually wonder how you ever coded without it. Also | make sure to try prompting GPT-4 to create functions, | components or scripts. The results are truly surprising | and exciting. | bbarnett wrote: | My experience has been it's faster to write code | yourself, than via a just-onboarded intern + review + | fixes. | climb_stealth wrote: | Yes, but part of that time is an investment into the | intern's professional development. Everyone started there | at some point.
| | It can be hard to remember though when there are | unrealistic deadlines and helping someone inexperienced | to do the work is twice the effort. | [deleted] | i_am_jl wrote: | The time savings isn't down to quality, the difference is | that an LLM does in seconds what an intern does in hours | or days. | AussieWog93 wrote: | I've used ChatGPT (GPT-4) to write production code. | | As long as you keep the scope small ("Write some example | code that calls $API in Python", "Make it asynchronous; so | I can queue up n calls and execute them in parallel"), it | generates perfectly good code that is easy to understand | too. | Pxtl wrote: | Realistically chatgpt isn't writing the financial code. | Stripe did that already. Chatgpt is just reading snippets | of Stripe's API examples for you and applying the code for | a common use-case. | inopinatus wrote: | The latter, I'd have to suggest. GPT-4 generates code that | is slightly better than the average junior programmer, | which is to say, it is often confidently incorrect and | needs review before committing, but either option remains a | net productivity gain than no assistant at all. | | "Your job will not be taken by an AI. Your job will be | taken by someone assisted by an AI." | | The process touched on in the article, with thorough review | before commit by a human with in-depth experience of the | language and APIs and the domain in question, is exactly | how AI-generated code should be incorporated into a | workflow. The earlier slander against the author's | technical ability seems misguided and unsupportable. | linuxftw wrote: | I use ChatGPT to write code for work constantly. The | quality is quite high, it saves me lots of time, on the | order of hours typically. | | If a company prevents me from using ChatGPT, I will use it | clandestinely unless they offer an equivalent. There's no | going back. | fxleach wrote: | This is outright false. 
I have used ChatGPT many times | over the last couple months and I have caught it give me | un-working code, unfinished code, and terribly buggy | code. When you point this out it will say Oh sorry about | that here is an updated version, and I've caught it give | another bug, and another after that. If you are telling | me the quality of code that ChatGPT gives you is high | then it pains me to say but you must not provide high | quality code yourself. | brookst wrote: | Have you ever hired a junior dev? How is their quality? | Does that mean we should never use junior devs? | | The problem with chatGPT usage is not imperfect code. The | problem, when there is one, is not treating its code the | way one would treat a human's. | rimunroe wrote: | > Does that mean we should never use junior devs? | | No, because junior devs usually improve over time. | | I've tried Copilot and a few other AI codegen tools. | Aside from producing overall low quality/nonworking code, | the only times they seem to get better long-term are when | a new update to the model comes out. | linuxftw wrote: | copilot is straight trash compared to ChatGPT 4. It's not | even a contest. | rimunroe wrote: | I should have been clear but ChatGPT was one of the | "other AI codegen tools" I mentioned, especially as it's | the one I used most recently. I tried it for a month or | so but then canceled my subscription. I got some use out | of it for answering questions for friends who were | learning CS for the first time in languages I didn't | know, but I didn't get much else from it which felt like | it was high enough quality that it really saved me time | or effort. 
| | Edit: | | And to contrast with junior developers: I find pairing | with them something that not only helps me figure | out the requirements of the things we're working on-- | which admittedly ChatGPT does do, but I think that's | mostly by virtue of rubber ducking--but it helps me | figure out approaches I wouldn't have thought of before, | or encourages me to write more maintainable code by | seeing when another person's eyes start glazing over. | conductr wrote: | When you used Google prior to ChatGPT, did you force | yourself to only allow yourself to use the "I'm feeling | lucky" way of search along with having to use the result | as your unadjusted production code? Did you never modify | the code you came across? | | Of course not, that's ridiculous. You probably searched, | read a few stackoverflow comments, found a relevant | GitHub repo, a library for python/language of choice, and | probably also a SAAS offering solely focused on the 3 | lines of code you need. You quickly parsed all that and | decided to modify some code in one of the SO comments for | your needs. Next time, you looked past half the junk | and went straight to the first SO result and were able to | tweak and use the result. The next time, it didn't help | but did help you write some inspired custom code for the | problem, at least you knew what not to try. | | My point being AI is useful. It's not meant to be a "first | result is final answer" type solution; if that's how you | use it you will have issues. | rokizero wrote: | How can you say that something is outright false if there | is no fact/claim you can disprove? You're responding to | someone you don't know and have no idea what they are | working on. | | I'm (not OP!) a cloud engineer but also work on a lot of | FE (React) code for internal tools. ChatGPT has saved me | countless hours (literally tens a month) writing super | simple code that I am able to easily write up myself but | typing it out just takes time.
After a month of using it I | find myself still quite excited whenever cGPT saves me | another hour. We also use Retool, but I find myself | writing code 'myself' more often since cGPT launched. | | No, I wouldn't just copy paste production code handling | PII, but prototyping or developing simple tools is sooooo | much faster, for me. | linuxftw wrote: | Sure, it doesn't nail it 100% on the first prompt 100% of | the time. Sometimes it takes a few prompts. It's no big | deal. If you can't get it to write effective code, either | you're working in a very niche area, or you haven't | figured out how to use it properly. | runnerup wrote: | Another reason someone can't get it to write effective | code is if they don't know how to code or aren't a very | good programmer. | | I use it a ton. Most of the time it's very helpful, | sometimes I can't get it to write effective code. If the | code it outputs doesn't meet my standards, I just don't | use it. But I know what I'm looking for, and when ChatGPT | generates it, it not only saves me a shitload of time, | but more importantly it saves me a ton of mental energy | that I can spend elsewhere. The biggest thing for me is | that using ChatGPT helps my brain do fewer "context | switches" between focus on high level business logic and | low level implementation logic. By staying "high level" | I'm able to accomplish more each day because I don't get | lost in the sauce as often. | | I often have to "upgrade" the code myself with tests, | better comments, modify the data structures a bit. | Sometimes I tell ChatGPT to do this, sometimes I do it | myself. But it's been very helpful overall. | | The big takeaway is that your output will only be as good | as your own programming skill, regardless of whether you use | ChatGPT or write it yourself. | linuxftw wrote: | I concur. It's just like any other tool, it's only as | good as the person using it. I just can't understand the | resistance of people in this field.
I was a naysayer on a | number of things like Docker when it first came out | because it didn't solve any of my problems at the time. | Then, k8s came out and Docker was a pivotal part of that | solution, and k8s solves many problems. | | ChatGPT writing code so you don't have to, I just can't | conceptualize how that's not an instant win for just | about everyone. | Vicinity9635 wrote: | Is it 'outright false'? The code it creates can only be | as good as the prompt. It's just GIGO all over again... | | I got it to write _exactly_ the test I wanted for a | snippet of code on the third prompt attempt by specifying | exactly the two specific technologies I wanted it to use | and one keyword that describes an idiom that I needed. It | would have been _slightly_ faster than doing it myself. | | Technically it was test code, not production code, but | had it been my code rather than just some code I was | looking at I would have committed the test code it wrote | to the repo with zero reservations. | TechBro8615 wrote: | This guy is operating a profitable business, creating value for | customers, shipping features, and openly publishing details and | learnings about the threats he mitigated. He used ChatGPT to | generate scripts to help him throughout this process. I don't | know if he's non-technical or if he just wanted to save some | time, but frankly he should be commended for his hustle and | get-shit-done attitude. These scripts were not determining life | or death, or even making business critical decisions - they | were filtering bulk data and making his life easier by | producing results that are easily manually checkable, but save | tons of time either coding the scripts or hiring a programmer | to write them. | | To me it reads like a great example of where ChatGPT is most | useful: as a force multiplier for time-constrained | entrepreneurs who have a specific goal and need specialized | knowledge for short periods of time (e.g. to write a script).
| It's now basically free and instant to produce what would | previously require a multi-week process of sourcing, hiring and | communicating with contractors to write a script that leads to | the same end result. | | The kneejerk reaction to call this "surprising" or | irresponsible, while understandable, gives major "get off my | lawn" energy. This is the future and as coders we should | support the increased self-sufficiency of non-technical people. | If you want to adapt to the change then maybe think about how | to improve the process for entrepreneurs of asking ChatGPT to | write a script. | hn_throwaway_99 wrote: | I don't know why I see this type of invalid speculation so | often. The author already responded that they reviewed the | script and didn't post any sensitive data, so won't add more to | that. | | I'd just state that tons of us use ChatGPT effectively and | never blindly trust the outputs - for me ChatGPT is a starting | point, not the final product. We're not all so daft as that | lawyer who cut and pasted hallucinated case references into a | legal brief without verifying them first. | pimpl wrote: | 100% agreed, this is how I always treat it and working on the | problem from the article was not an exception from this rule. | I share minimum input, and never trust the output blindly. | | It gets 50-60% of work done, and a really good basis for me | to work on it. Especially when working with one-off, end-to- | end relatively short scripts. | hn_throwaway_99 wrote: | This has been my primary use case as well (usually for | writing some scripts or where I need to solve an | operational task quickly), and ChatGPT has saved me a ton | of time with those tasks. | chankstein38 wrote: | They really wanted us to know they used ChatGPT too. It felt | unnecessary how often they mentioned "I got ChatGPT to write a | script that did this" like.. ok? | headsupftw wrote: | What are you even talking about? Read the blog post one more | time, please. 
| wpietri wrote: | I'm a huge LLM skeptic, but I'd disagree with you here. | | I think using ChatGPT to write long-lived code for a serious | application is a bad idea. But I think it's fine for somebody | knowledgeable to use it for throwaway and first-draft stuff in | areas that aren't their daily work. | | Here's the author in question: [edit: wrong Piotr Mierzejewski | in tech, see below] | | He looks perfectly competent to me to evaluate the effects of | some one-shot scripting code, so I think "giving away trust and | hoping for the best" is a wild exaggeration of what actually | went on. | pimpl wrote: | Appreciate the comment! Just a quick note that this is my LI | profile: https://www.linkedin.com/in/pmierzejewski/ | wpietri wrote: | Oops! Thanks for the correction. And even more able to | evaluate the code. | itscodingtime wrote: | I find it odd Chatgpt was mentioned at all. It was almost like | an advertisement. | | I have read post linked here similar to this one, but I can't | recall another instance in which the author abruptly said they | relied on stackoverflow to code something unless the content | was a meta commentary on coding and debugging itself. | pimpl wrote: | Author here. My intention was to show that you can use it to | help you get going quickly for a very practical, one-off, and | self-contained use cases. As I mentioned in other comments | already, I did not trust it blindly and did not share any | sensitive data with it. Definitely not an ad! | TechBro8615 wrote: | I can empathize with the author. The first time you write | some code collaboratively with GPT and it actually works, you | feel a burning need to shout about it. Because it's one of | those moments where something "clicks" and you suddenly feel | like you've discovered fire. Once you figure out how to work | with them, it makes you excited for the future and you can | clearly see where LLMs will fit permanently into your | toolbelt. 
They're far from perfect now, and sometimes the | time savings are a wash - you get instant specialized | expertise that can produce code like a senior engineer, but | you need to goad and coax it like it's a high-maintenance | intern. But the thinking power expended is still somehow | lower - it's a new way of working with technology and | deferring some of the grueling parts to the machine. This | becomes especially obvious when the code requirements depend | on an esoteric API or conventions that you'd normally need to | spend time researching and manually enumerating. | pimpl wrote: | Article author here. I carefully reviewed and tested the | ChatGPT scripts before executing them. It helped me save a lot | of time manually writing these scripts! | | I wouldn't say I lack technical expertise in this area, I'm | just trying to use my time as efficiently as possible. | appplication wrote: | Glad to see you active here in the comments. Apologies if my | comment comes off harshly, my intent is not to tear you down. | I think there is a lot of gray space when it comes to using | LLMs for generating code. Your usage here is certainly | interesting, and I appreciate the additional context and | discussion you've been providing. | pimpl wrote: | No worries at all! I agree that there's probably lots of | people blindly copying and running code from LLMs without | any reflection. Just like it often happened with | StackOverflow snippets before ChatGPT (to the point it | became a meme). I'm definitely not one of them. | BaseballPhysics wrote: | Genuinely curious: How much time would you say you saved | prompting for and then carefully reviewing and testing those | scripts for bugs, versus writing them yourself? | | And for context what's the average line count we're talking | about here? Tens of lines? Hundreds? | pimpl wrote: | I'd estimate that it saved me a couple of hours tops. | They were simple, self-contained scripts with at most 150 | LOC.
| BaseballPhysics wrote: | Interesting! Thanks for the insight! | kykeonaut wrote: | > I created a restricted key in Stripe with lowest possible | permissions, and prompted ChatGPT to create a script to accept | the chargebacks. | | From my understanding, it also seems that the author submitted | a Stripe API key alongside the prompt to create the scripts. | This is pretty much a big security no-no regardless of the | permissions of the key. | pimpl wrote: | Author here. GPT only got the minimal context it needed to run | the prompt. No customer data, no IDs, definitely no API keys | were passed as a prompt. | kykeonaut wrote: | Ahhh ok, that sounds much more logical. I got the wrong | impression :) | freed0mdox wrote: | Usually these transactions are automated with the checkers. Some | are as simple as a PHP script replaying a request, some are more | sophisticated and use residential proxies, some are parts of | huge enterprises like try2check. If you have a list of IPs, you | can scan them for 80/443 open and sometimes catch simple checkers | in action. | 90K_MRR_Hacker wrote: | I've been using a platform called Chargeblast.io and it's been | doing wonders; literally saved my business from closing down. I | haven't found another platform like it - best price, best value | myself248 wrote: | Why does the US still accept hand-typed cards? | | My friend had a USB smartcard reader in like 2001. He'd dip his | AmEx to perform a transaction on his PC. It's twenty years later | and the industry still hasn't caught up? | | What's different about Europe that they seem to have figured this | out decades ago? | chpatrick wrote: | I've lived in Europe my whole life and I've never made an | online payment with a card reader (even though my ThinkPad has | one), or know anyone who has. | TacticalCoder wrote: | But you do use 2FA when paying with your credit card online. | What kind of 2FA does the bank providing your credit card | mandate you to use? 
| aliceryhl wrote: | In Denmark, there's a national system for authentication | used for government sites and banks. I have a small device | with a single button on it that shows a 6-digit code when | you press it. I enter that code along with a password any | time I make a purchase online. | | (There's also an app that most people use. But I like the | hardware thingy better.) | LelouBil wrote: | For me (in France) it's the bank app's 2FA or SMS 2FA if | not available. | chpatrick wrote: | My bank's app. | [deleted] | [deleted] | platelminto wrote: | As someone who's lived in multiple European countries since I | was born, I also don't understand this comment. I don't know | anyone who uses these smartcard readers at home. I don't think | it's common at all. | TacticalCoder wrote: | > As someone who's lived in multiple European countries since | I was born, I also don't understand this comment. I don't | know anyone who uses these smartcard readers at home. I don't | think it's common at all. | | Which EU countries? Bank card readers are super common in .nl | (ING for sure) and .be (just about every single bank there) | for example. | | Nowadays banks often allow you to use either that or, say, an app | on your phone or a dedicated physical token. For example you | can confirm transactions you make on your computer by | unlocking an app and confirming with your fingerprint from | your smartphone. But that's semi-recent. Before that kind of | 2FA became a thing, it was all done with card readers. | | Some countries still live in the past like, I shit you not, | Societe Generale in France still has a "2FA" where it shows | digits randomly on the screen and you have to click your PIN | (some people still have an account like that): that is | however quite pathetic and not the norm. | | If I want to buy anything online using any one of my credit | cards, I must put it in a physical reader and reply correctly | to a challenge/response. 
| | These readers are different from the electronic ID card | readers, which are also used in many EU countries (for | example to file my taxes online). | deevolution wrote: | Probably helps maintain dollar hedgemony by allowing a wider | swath of the global population (criminals, poor people) to use | the system unencumbered. | gjvc wrote: | "hegemony" n. leadership or dominance, especially by one | state or social group over others. | | "Hedgemony" is a war game focused on connecting policy and | strategy. https://www.usmcu.edu/Outreach/Marine-Corps- | University-Press... | mnd999 wrote: | We do get `Verified by Visa` or Amex SafeKey on most | transactions though. | somewhereoutth wrote: | Europe is better organized, simply. People are tightly crammed | together compared to the US, and historically were fighting | each other for 'living space' instead of progressively | occupying almost a whole continent. Things just have to work | better - and by and large they do. | [deleted] | xyst wrote: | In the United States, there is minimal incentive to do so. It | took many years to transition away from magnetic stripe cards | to pin+chip. IIRC, the regulators kept pushing back the date | for banks to re-issue pin+chip cards and for merchants to begin | accepting them. I think it was only when the processors began | to threaten merchants with 100% liability for fraudulent | transactions processed with mag stripe that it started to | hit critical mass (2015-2016?). | criddell wrote: | If the cost of preventing fraud exceeds potential losses from | fraud, maybe it makes more sense to let the fraud go through. | mattnewton wrote: | If you don't, you significantly increase the friction in using | your service and will lose business to those who do accept the | hand-typed card where the user doesn't have to adopt new | hardware or software. | | Everyone would need to mandate the security feature while | having a short-term incentive not to. 
| Veserv wrote: | Because the banks and vendors are liable for unauthorized | charges in the US [1], not the user. The banks/vendors handle | the fraud in aggregate on the backend. They could roll out | fraud prevention at the end-user level, but they choose not to; | which means it is probably not worth it for the issuer relative | to the extra user convenience (and extra charges). | | In contrast, in many places in Europe the user is responsible | for unauthorized charges. Regular people care a great deal | about not being wrongfully charged as that is almost always | proportionally worse, so they demand robust end-user protection | so they will not be wrongfully charged. | | This is kind of a case of, "everybody would drive safer if | instead of an airbag you had a bunch of knives that shoot out | and kill you if you get in a crash". | | [1] | https://www.law.cornell.edu/wex/fair_credit_billing_act_(fcb... | lotsofpulp wrote: | Not even banks, only vendors are responsible if they do not | upgrade their POS systems since sometime in the late 2010s I | think. | | See EMV fraud liability shift. | | https://www.mastercard.us/content/dam/mccom/en- | us/documents/... | Detrytus wrote: | Fuck smartcard readers. Also: fuck 3D Secure. The nice thing | about old, "insecure" card payments was: I just needed to | memorize my credit card number, expiry date and CVV and I could | pay online for everything. No need to always carry a phone for | SMS/app authentication. | mschuster91 wrote: | > What's different about Europe that they seem to have figured | this out decades ago? | | Our governments actually care about monopolies and security. | The PSD2 directive was an utter pain to deal with, but at least | it stopped a lot of common scams and thefts in its tracks, and | it forced banks and other payment actors to open up their | systems. 
| TacticalCoder wrote: | > The PSD2 directive was an utter pain to deal with, but at | least it stopped a lot of common scams and thefts in its | tracks | | Indeed. More specifically SCA (Strong Customer Authentication), | which is required by PSD2. VISA says the "SYH" (Something You | Have) is either _"a mobile phone, a card reader or other | device evidenced by a one-time passcode"_. | | Note however that I cannot log in nowadays to any of my banks | in the EU without having a big banner saying something like | (paraphrasing): _"WARNING: scammers are trying to steal your | funds. Neither the bank nor the police nor anyone else shall | ask you for your PIN or to confirm anything on your card | reader."_ | | Basically: life is harder for scammers so they try to trick | (mostly old) people into validating transactions over the | phone. | paxys wrote: | Not sure I understand. Does everyone outside the US have a card | reader attached to their PC and phone? | gpvos wrote: | No. Until I read the comment above, I had no idea that that | even was something people actually use to make payments from | home. | jon-wood wrote: | They're less common in the UK now that mobile apps have taken | over, but in the early 2000s banks would issue a standalone | device to every customer. When making payments via online | banking you'd put your card in the device, hit a button, and | give it a code that the online banking page provided. The | device then did some magic via the chip on your card to | provide a code that you'd give back to the online banking | site to validate that you were in possession of your card. | | Some banks may have used this for 3D Secure during online | card payments as well, but I've never encountered one. | Validation for that in my case evolved from setting a | password on my account, which they'd ask for some characters | from, to tokens sent via SMS to my registered phone number, | to a push notification from my bank followed by FaceID to | authorise payment. 
| | In-person Chip & PIN, and more recently contactless, is | ubiquitous. Magstripe payments are so rare I have to | explicitly enable them in my bank's app for the card, and | it'll turn itself off again 7 days later. I never encountered | chip & signature until going to the US, where everyone in the | group I was with looked at it like some sort of joke (and | indeed it is, because there's no signature recorded against | my card for validation). | drdaeman wrote: | I have never ever seen an online payment processor that was | capable of using a card reader to perform a transaction from | a webpage (on a non-specialized device). I don't think there | is even any established standard for using a smartcard from a | website. WebUSB/WebNFC may work (although browsers have | blacklists of vendor IDs to disallow access to e.g. Yubikeys, | so at least some smartcards may not be accessible this way), | but that's all experimental and questionable stuff. | | It might've been possible someone had something like that in | the good ol' '00s with ActiveX, but that surely must've been an | exception (and a security nightmare). | dahwolf wrote: | A card reader is a stand-alone device and has nothing to do | with any web tech. | | You put your ATM card in the device, enter your PIN code, | and then the device has a tiny camera that scans the QR | code on the web page. Next, you can see the transaction | details on the device and confirm. It will then output a | signing code which you enter on the web page. | | It is what was commonly used in some EU countries before we | switched to mobile banking apps. Most banks still supply | them for when you do very large online transactions. | fireflash38 wrote: | Most people have an NFC reader at least built into their | phone. | TacticalCoder wrote: | Not everyone and it's not necessarily connected to the PC. | Some card readers are, some aren't. 
| | And there are two things that are not to be confused: | electronic ID card readers (used for stuff like VAT tax | filings, income tax filings, etc.) and debit/credit card | readers (which may or may not be connected to the PC) used as | 2FA (with a challenge/response). The ones that aren't | connected to the PC generate a number which you then enter to | confirm your login/order. | | Many banks in the EU enforce at least one type of 2FA. The | shittiest, most pathetic ones still do it by SMS (but it's | still 2FA and still better than nothing). Others use a card | reader (in which you literally plug your bank card, which | signs orders challenge/response style and never leaks the | card's secret). Others give a physical RSA-like token with | codes changing every _x_ seconds. Others allow the use of an | app on a smartphone to confirm transactions. | | When I log in to at least one of my banks I've got a _list_ | asking me which type of 2FA I'll use to log in and confirm | payments. Card readers (two different types) are on the list. | | I use that to log in, confirm wire transfers and buy stocks | too. | __MatrixMan__ wrote: | The rest of the world has to put up with the US banking system | because when all you have is an overfunded military, everything | looks like a target. | | That logic doesn't quite translate internally, so it's | important to maintain the perception that the banking system is | all that stands between the little people and a hungry mob of | scammers. If the scam problem were demonstrably easy to solve | at the POS, it would be harder to justify the merchant fees and | other bank-related overreach. | snarf21 wrote: | It is just lobbying preventing good policy. If we moved to chip | + pin, we'd get rid of almost 100% of CC fraud. But retailers | don't want the friction, so the consumer pays for the | fraud instead. | pxx wrote: | Why do you think this requires a government mandate? 
What | evidence do you have of counter-lobbying as opposed to simple | consumer and retailer preference? | alberth wrote: | Off topic: Why don't more non-European merchants use 3DS? | | Entire classes of liability and fraud are shifted to the issuer | and no longer on the merchant. | jon_adler wrote: | I imagine that the fraud rate in Europe is lower since the | introduction of PSD2. This legislation required a combination of | 2-factor authentication (3DS2) and transaction analysis to | achieve low overall fraud rates. | thedangler wrote: | I worked at a company whose server was hacked and they stole the | API keys and did carding on it from the server. Paypal tried to | tell us we owed them $100,000.00 in fees. We were only running | $4500.00 payments at most 5 times a day for course registrations. | The hacker ran auths on random CC numbers for $1 every second. | | We didn't have to pay the fees for carding but they don't care. | | They do not care because they make money off fraud. | | We had settings stating we only have orders between $2500 and | $6000. But they do not check auths lol | | Crazy. | | This was back around 2010 and Stripe was not available in Canada | at the time. | mndgs wrote: | The contents of the article do not match the title. The article | is about how they experienced and fought chargebacks. Simple, nothing | spectacular. | | Stop whining, have the US adopt PSD2 (SCA in particular) and your | problems will go away (most of them). | chasebank wrote: | Re: Chargeback fees - Visa acquired a company called Verifi a few | years back. Their new products are Rapid Dispute Resolution (RDR) | and Order Insight. RDR effectively lets you automatically refund | a transaction before it gets turned into a chargeback and Visa | charges a $4 fee (assuming your MCC code is not high risk). Order | Insight lets you provide certain data about a questioned charge | immediately and if the customer has had 3 previous charges with | you, a chargeback CANNOT be issued. 
| | It was a really easy decision for our business based on win rate, | avg order size and chargeback fees. Plus now we don't have to | constantly worry about Visa's or the merchant bank's 1% | chargeback rule. This only applies to Visa charges but it | represented about 50% of our total volume. | | One last note - Visa is basically taking away a massive revenue | source for the processors. If your processor is TSYS, they are | trying to charge a RDR fee of $10. | pimpl wrote: | Article author here. Really valuable stuff, thanks for sharing! | | Do you handle this for Mastercard in any way? I've heard of | Ethoca (they are really good at SEO), it seems quite similar to | Verifi. | chasebank wrote: | Ya, for Mastercard we use their Ethoca network. They are much | more expensive, like $25 per resolved charge but now our | chargeback rate is near 0% for Visa / MC and get incredible | rates on the front end from such clean processing. Plus we | never have to worry about chargebacks threatening our | merchant account again. | spetteruti wrote: | What do you do for Amex/Discover? | chasebank wrote: | Just standard cb dispute process. We outsource this. | codermike1 wrote: | [dead] | kareemc wrote: | [dead] ___________________________________________________________________ (page generated 2023-08-02 23:00 UTC)
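The card-testing pattern thedangler describes (a stolen API key firing $1 auths at random card numbers once a second, while the processor's "orders are between $2500 and $6000" setting was never applied to auths) is detectable from the merchant's own auth log. Below is an added example of that detection logic, written for this page and not code from the article, from any commenter, or from PayPal or Stripe. The log format, field names, the API-key identifiers, the amounts and every threshold are constructed assumptions; real processor logs will differ.

```python
"""Card-testing ("checker") detector over constructed authorization logs.

Added example. Models two checks a merchant can run on its own side:
an order-amount policy applied to auths, and a sliding-window velocity
check for many small auths against many different cards under one key.
Everything below (format, keys, amounts, thresholds) is an assumption.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one legitimate registration, then six $1.00 auths
# on six different cards from the same API key one second apart, then an
# unrelated key. Results are mixed on purpose: a checker learns whether a
# card is live from approved AND declined responses alike.
SAMPLE_LOG = """\
2010-05-03T10:00:00Z key=live_abc op=auth amount=4500.00 pan_last4=1234 result=approved
2010-05-03T10:00:01Z key=live_abc op=auth amount=1.00 pan_last4=9911 result=declined
2010-05-03T10:00:02Z key=live_abc op=auth amount=1.00 pan_last4=3402 result=declined
2010-05-03T10:00:03Z key=live_abc op=auth amount=1.00 pan_last4=7788 result=approved
2010-05-03T10:00:04Z key=live_abc op=auth amount=1.00 pan_last4=0156 result=declined
2010-05-03T10:00:05Z key=live_abc op=auth amount=1.00 pan_last4=6620 result=declined
2010-05-03T10:00:06Z key=live_abc op=auth amount=1.00 pan_last4=2093 result=approved
2010-05-03T10:05:00Z key=live_def op=auth amount=3100.00 pan_last4=4455 result=approved
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    key: str
    op: str
    amount: float
    pan_last4: str
    result: str


def parse_line(line: str) -> AuthEvent:
    """Parse one 'timestamp k=v k=v ...' line (assumed format) into an AuthEvent."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        key=kv["key"],
        op=kv["op"],
        amount=float(kv["amount"]),
        pan_last4=kv["pan_last4"],
        result=kv["result"],
    )


def load_events(text: str) -> list[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def amount_policy_violations(events, lo: float, hi: float) -> list[AuthEvent]:
    """Auths outside the merchant's expected order range.

    This is the check the processor had as a setting but did not apply
    to auths; applying it on the merchant side is the cheap first filter.
    """
    return [e for e in events if e.op == "auth" and not (lo <= e.amount <= hi)]


def card_testing_alerts(
    events,
    window: timedelta = timedelta(seconds=60),
    max_amount: float = 5.0,
    min_attempts: int = 5,
    min_distinct_cards: int = 4,
) -> dict[str, datetime]:
    """Sliding-window velocity check per API key.

    Returns {api_key: time of first alert}. A key alerts once it has, within
    `window`, issued at least `min_attempts` auths of at most `max_amount`
    against at least `min_distinct_cards` different cards. Approved and
    declined auths both count.
    """
    recent: dict[str, deque] = defaultdict(deque)
    first_alert: dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "auth" or ev.amount > max_amount:
            continue
        q = recent[ev.key]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # drop auths that aged out
            q.popleft()
        if ev.key in first_alert:
            continue
        if len(q) >= min_attempts and len({e.pan_last4 for e in q}) >= min_distinct_cards:
            first_alert[ev.key] = ev.ts
    return first_alert


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("auths outside policy:", len(amount_policy_violations(evs, 2500, 6000)))
    for key, ts in card_testing_alerts(evs).items():
        print(f"card testing suspected on key {key} at {ts.isoformat()}")
```

With the constructed log, the amount policy flags all six $1.00 auths and the velocity check fires on `live_abc` at 10:00:05, the fifth small auth on a fifth distinct card. The useful response is to disable that key and alert, not to refund: each auth the attacker receives a response for is information, whether approved or declined.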
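The bank card-reader flow jon-wood, dahwolf and TacticalCoder describe (card in a stand-alone device, PIN on the device, a challenge shown by the web page, the transaction details shown on the device, a short code typed back, and the card's secret never leaving the chip) is a challenge/response with the transaction bound into the signed message. The following is an added example that models that flow; it is not the real EMV CAP protocol and not code from any bank or commenter. The card's secret is represented as an HMAC key that only the card side ever touches, the bank keeps a copy and recomputes the response; the key size, the challenge encoding, the 8-digit code, the PIN handling and the attempt limit are all assumptions made here.

```python
"""Simplified model of a bank card-reader challenge/response.

Added example, not EMV CAP. The chip answers a bank challenge with a MAC
over (challenge, amount, payee) under a secret it never exports; the bank
recomputes the MAC, so a code is single-use and only valid for the exact
transaction the device displayed to the user.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

CODE_DIGITS = 8      # assumed: length of the code the user types back
MAX_ATTEMPTS = 3     # assumed: wrong codes allowed before the challenge dies


def response_code(secret: bytes, challenge: str, amount: str, payee: str) -> str:
    """MAC over the challenge AND the transaction details, truncated to digits.

    Binding amount/payee is what lets the device show "pay X to Y": a code
    computed for one transaction is useless for any other.
    """
    msg = f"{challenge}|{amount}|{payee}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    n = int.from_bytes(mac[:4], "big") % 10**CODE_DIGITS
    return f"{n:0{CODE_DIGITS}d}"


class CardInReader:
    """The chip inside the stand-alone reader. It only answers challenges,
    and only after the user has entered the PIN on the device itself."""

    def __init__(self, card_secret: bytes, pin: str):
        self._secret = card_secret   # personalised at issuance, never exported
        self._pin = pin

    def respond(self, pin: str, challenge: str, amount: str, payee: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return response_code(self._secret, challenge, amount, payee)


class Bank:
    """Issuer side: holds card secrets, hands out one-time challenges and
    verifies the code the customer types into the web page."""

    def __init__(self):
        self._secrets: dict[str, bytes] = {}
        # card_id -> (challenge, amount, payee, failed attempts so far)
        self._pending: dict[str, tuple[str, str, str, int]] = {}

    def issue_card(self, card_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        return secret

    def new_challenge(self, card_id: str, amount: str, payee: str) -> str:
        challenge = secrets.token_hex(4)          # 8 hex digits shown on the page
        self._pending[card_id] = (challenge, amount, payee, 0)
        return challenge

    def verify(self, card_id: str, code: str) -> bool:
        pending = self._pending.get(card_id)
        if pending is None:
            return False                          # nothing outstanding: replay or stale
        challenge, amount, payee, attempts = pending
        expected = response_code(self._secrets[card_id], challenge, amount, payee)
        if hmac.compare_digest(expected, code):
            del self._pending[card_id]            # single use: the same code never works twice
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[card_id]            # too many wrong codes: start over
        else:
            self._pending[card_id] = (challenge, amount, payee, attempts)
        return False


def demo() -> dict[str, bool]:
    """Genuine use, a replay of the same code, and a mismatch between what
    the user's device signed and what the bank actually holds pending."""
    bank = Bank()
    reader = CardInReader(bank.issue_card("card-1"), pin="1234")

    ch = bank.new_challenge("card-1", "10.00", "Example Shop")
    code = reader.respond("1234", ch, "10.00", "Example Shop")
    genuine = bank.verify("card-1", code)
    replay = bank.verify("card-1", code)

    # A phishing page shows the victim "10.00" while the bank holds "1000.00"
    # for the same challenge; the device-signed code does not match.
    ch2 = bank.new_challenge("card-1", "1000.00", "Example Shop")
    mismatch = bank.verify("card-1", reader.respond("1234", ch2, "10.00", "Example Shop"))
    return {"genuine": genuine, "replay": replay, "amount_mismatch": mismatch}


if __name__ == "__main__":
    print(demo())
```

The amount-mismatch case is the reason the banner TacticalCoder quotes exists: once the device shows the real amount and payee before signing, the only remaining attack is convincing the cardholder to confirm the attacker's transaction, which is why the scams move to the phone.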