Discussion in 'malware problems & news' started by ronjor, Dec 20, 2019.
By Lucian Constantin CSO Senior Writer, CSO December 19, 2019
Solution: don't pay with credit cards when online shopping. I seriously don't understand why these companies don't adopt other, more secure systems. In Holland we use a system called iDEAL; it works like a charm and it's much more secure. Basically, when paying you are redirected to your online bank. No need to fill in any credit card info. I believe this is also the case when you're using PayPal.
I'll pass on this concept. Attacker via MITM redirects to fake bank site and you're dead meat. Per Wikipedia:
Also no charge back protection with this service.
No, correct, no charge back. But it's not about that; I was suggesting that credit card companies could use such a system. And how on earth would hackers perform a MITM attack? They would then have to have control over the PC or over the webserver. I have been using this system for 14 years and I never had a problem. Just make sure you buy stuff from a reputable webshop.
Again, thanks but no thanks:
BTW - both Visa and MasterCard I believe have 2FA options. Also I believe Visa has an option where you don't even use your actual card no./info but where a one time use number is issued. It really doesn't matter with my bank issued card since it has 100% fraud protection.
I believe you're still missing the point. It's not about the "no charge back" issue! This is something related to online banks in Holland. If credit card companies switched to such a payment system you would obviously still get 100% fraud protection. I'm talking about protection against website skimming. And if they already have 2FA and virtual account numbers, then why is this still an issue?
BTW, I was thinking about this, and MITM wouldn't work with this iDEAL system, because it's secured by a hardware token. You can only pay if you physically own the credit card. So if you want to pay for stuff and you get redirected to a fake site, the 2FA codes wouldn't work, because those codes are only known by the 2FA software running on the online bank's webserver and the hardware token that you own.
Holland keeps their thinking cap on with full reason. Not so USA for us. Because just like Bill Gates sold the US gov. his O/S as the cream of the crop in convenience (where's the security?) and would digitally automate services etc. Of course our gullible government is like a kid in a candy shop. Oh, it's so modern and innovative for us. NOT.
Yes, US credit card "technology" is still pretty much stuck in the 1990s, it seems. That's the previous century. I mean, modernizing and securing these things should be embraced and implemented with both arms and it's not. What extra powers do the large banks have that we don't know about?
Again, I don't see the issue here with use of major bank issued credit cards in the U.S. As long as the issuing bank offers 100% fraud protection; i.e. $0 liability, the security issue/s are a moot point. I never had an issue with my bank issued Visa card. Once or twice in 10 years, unauthorized charges occurred. They were all reversed although I did have to fill out an affidavit attesting the charges were fraudulent. In recent years, I have had zip fraudulent charges. They were all detected at the bank level prior to posting and the bank issued me a new card automatically.
This is cool and all, but this doesn't solve the problem with website skimming. Apparently, criminals can still abuse this stuff.
With iDEAL there is nothing to skim. You just shop via, let's say, Amazon, Best Buy or Walmart, fill in your name and address and you get redirected to your bank. You put your credit card in the card reader (hardware token), fill in the code you get to see on your screen, and the card reader generates another code that you need to type on the website, and the deal is done. No more website skimming.
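The card-reader flow described in the two posts above (bank shows a code, the reader answers it), as an added example in Python that is not part of the original thread: a constructed challenge-response model in which the bank and the hardware token share a per-card secret, so a code captured from a web page or a fake site neither replays nor transfers to another payment. The names Bank, card_reader and demo are my own and this is not iDEAL's actual protocol, only a model of the property being argued.

```python
import hmac
import hashlib
import secrets

# Constructed model of a challenge-response card reader, not iDEAL's real protocol.
# The bank and the hardware token share a per-card secret that never leaves either side.

def card_reader(card_secret: bytes, challenge: str) -> str:
    """Token side: the user types the on-screen challenge into the reader, which
    returns an 8-digit response derived from the shared card secret."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)

class Bank:
    """Bank side: issues one-time challenges tied to a transaction and checks responses."""
    def __init__(self, cards: dict):
        self.cards = cards          # card id -> shared secret (provisioned with the token)
        self.pending = {}           # challenge -> (card id, merchant, amount)

    def start_payment(self, card_id: str, merchant: str, amount_cents: int) -> str:
        # Fresh random challenge per payment, so a code seen on one page is useless elsewhere.
        challenge = str(secrets.randbelow(10**8)).zfill(8)
        self.pending[challenge] = (card_id, merchant, amount_cents)
        return challenge

    def verify(self, card_id: str, challenge: str, response: str) -> bool:
        txn = self.pending.get(challenge)
        if txn is None or txn[0] != card_id:
            return False            # unknown, already used, or wrong card
        expected = card_reader(self.cards[card_id], challenge)
        ok = hmac.compare_digest(expected, response)
        if ok:
            del self.pending[challenge]   # one-time: a replayed response is rejected
        return ok

def demo() -> tuple:
    key = secrets.token_bytes(16)            # secret provisioned onto the card at issuance
    bank = Bank({"card-1": key})
    # Genuine purchase: challenge shown by the bank, answered by the reader.
    ch = bank.start_payment("card-1", "webshop.example", 4999)
    resp = card_reader(key, ch)
    genuine = bank.verify("card-1", ch, resp)
    replay = bank.verify("card-1", ch, resp)             # same code again: rejected
    # A captured response does not authorize any other transaction.
    ch2 = bank.start_payment("card-1", "other-shop.example", 99900)
    reused = bank.verify("card-1", ch2, resp)
    return genuine, replay, reused
```

This model does not bind the code to the amount and merchant on the reader's own display, which is the extra check that closes the gap a live relay of the challenge would otherwise leave open.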
And to that, I say so what?
As I see it, this IDEAL system is set up to minimize the financial loss by fraud incurred by merchants and the card issuing bank by requiring the card holder to perform additional validation steps which I consider to be a nuisance. Again, I don't have to worry about this since my bank issued credit card has zero fraud liability protection. Appears this concept is an alien one to European credit card issuing banks.
-EDIT- I do see merit in this IDEAL validation process if one was using a debit versus a credit card. For starters, many banks do not offer the same consumer protections for debit cards as that offered for credit cards.
On the other hand, one would have to be insane to use a debit card for an online purchase since the card is directly linked to your checking account.
Insane? Not at all. But for the tech savvy customer a most definite non-starter. However, with the tidal wave trend of debits being handled by a fair percentage of card holders constrained maybe perhaps to that payment method, you know as well as I do plenty of peeps will throw the dice!
Yet still offers a somewhat more reasonable higher degree of protections against such things. Debit cards I agree should also be offered the same coverages that bank issued cards Visa/MC etc provide.
I feel there's much more territory to be explored and securely implemented, and intelligently, in order to not only stave off attempts but render them all but useless. But that's years down the pipeline with the current pace of card protection technologies.
It's probably people with the same attitude as you that work at these credit card companies LOL. It's a matter of at best 2 minutes extra for performing the 2FA stuff! To me it would be a nuisance if I had to keep making sure that criminals don't shop on my behalf. No matter if I can get the money back, I just don't like the idea! And I don't see how it makes a difference whether debit or credit cards are being used to pay for stuff. Like I said, if you buy stuff at reputable webshops, you won't have any problems, you won't lose any money.
Here's two links that state the differences. Note that these apply to laws and procedures in the U.S.. One needs to check the same for their resident country:
The NerdWallet article sums it up best:
Additionally, in the case where debit card fraud has resulted in your linked checking account being cleaned out, expect a major hassle with your bank if the loss is sizable. You might eventually get all your funds replaced by the bank, but it might take months till the matter is resolved. In the meantime, checks are bouncing, direct deposits are failing, etc., etc., since the account is frozen.
Most financial security experts recommend that if you must use a debit card, open another checking account with the card linked to that account. Transfer funds to this account as needed maintaining the minimum balance possible in the debit card account. Another alternative is a prepaid debit card although many of those charge a one-time usage fee.
-EDIT- @mood also just posted another article about debit cards: https://www.wilderssecurity.com/thr...the-least-secure-way-to-pay-for-goods.424533/
Experienced something like this first hand in Canada. Bought something with Interac Online Payment from a reputable retailer. The site glitched. The payment never went thru and it told me it didn't go thru. I did it a second time but with a credit card this time. No problem. Until I discovered that the Interac Online Payment had been subtracted from my bank account! I had to escalate several levels before they came to their senses. They first wanted me to do all the work with the retailer and be my own investigator without any access to any information. Never again will I buy online with anything EXCEPT credit card.
I should also add that Visa and I assume MasterCard offer supposedly zero liability debit cards. With these the "devil is in the detail": https://usa.visa.com/support/consumer/debit-cards.html . Additionally, and so noted in the linked article, the card issuing bank can modify these terms as they see fit. Visa corporate policy states all misappropriated funds should be replaced within 5 days. Also overall, fraud activity time reporting for debit cards is critical. Most will disallow any reimbursement activity unless reported within 60 days.
Yes exactly, I always have a minimum balance. I have never had any problems with my debit card. But this debit vs credit card discussion isn't relevant when it comes to solving the website skimming problem. The point is that credit card companies can switch to this iDEAL system, while still providing 100% fraud protection. We need to fix this stupid way of online payment processing.
The web site skimming issue is just that; a web site security issue that needs to be resolved by the web site owner. Use a good security solution that is proactive in detection of web site malware and/or blocking access to compromised web sites.
That's another way to solve the problem. But apparently it's either hard to block this stuff, or not all webshops can or want to invest in these security systems. Credit card companies could easily solve this by using a system like iDEAL. But perhaps there are ulterior motives for not wanting to do this, who knows.
The biggest reason is cost. Remember that the credit card issuers charge merchants a per transaction fee + authorization fee. Now add to that the cost of using IDEAL:
Now it is possible IDEAL use would eliminate the card issuer authorization fee but the transaction fee would remain.
Also I suspect that IDEAL's authorization fees are higher than those charged by the card issuers.
@Rasheed187, one final comment about this IDEAL system you think so highly of.
It was created not to protect consumers; i.e. cardholders, but to protect merchants primarily, and card issuing banks secondarily against revenue loss. When an IDEAL transaction is successfully completed, the merchant is protected not only against fraudulent card use charge backs, but all charge backs from the card issuing bank for any reason. All transaction resolution must be performed between the card holder and the merchant with the card issuing bank totally out of the resolution loop.
In regards to the elaborate security mechanisms IDEAL employs, those are in place to thwart any legal actions that might be initiated over transaction resolution and possibly to satisfy any Dutch legislative concerns.
Bottom line - use a major credit card w/ zero or minimum liability with full charge back rights for online purchases.
Yes, but what you fail to understand is that it's about the tech behind it. You keep talking about stuff that's not tech related. I'm sure it's all true what you said, but we're trying to solve the website skimming problem. A system like iDEAL would solve it.
Like I said, if companies like American Express, Visa and Mastercard adopted such a system, then other rules would apply, so you would still get 100% fraud protection in case you get scammed or something. And if they have already beefed up security with 2FA and virtual account numbers then why are criminals still skimming websites and even brick and mortar stores?
They already have it w/o the hassle involved with the IDEAL implementation:
Additionally, my bank offers this for its Visa card holders:
I'm sorry but I'm not impressed at first sight. It seems a bit vague to me. And I don't see how this would solve the problem of website skimming. For strong security, you need a system like iDEAL that always forces you to enter your PIN and/or a 2FA code generated by a software or hardware token. It depends on whether you're using your PC or smartphone. There is no hassle involved and both consumers and online webshops don't have to worry about website skimming anymore.