
How You Are About To Become Responsible For Credit Card Fraud?

Last response: in Toms Network
May 4, 2006 10:48:07 AM

3D Secure is the new protocol being developed by the main players in the credit card payments business to try to combat credit card fraud. The kicker, however, is that it shifts responsibility for the cost of fraud from the acquirers (merchants and their banks) to us - consumers and our banks. Pat McKenna shows you just what 3DS is all about.
May 4, 2006 6:12:31 PM

I agree on most points that were made in the article. However, a bit of advice from a former network security chief: "You can hide only one thing on the internet...nothing". Taking this into context with 3D Secure we face one fact: all the PINs will be stored on the banks'/credit card companies' databases. And if someone hacks these databases, it will seem almost impossible to trace because there is no longer a need for investigation because YOU made the purchase. So good hunting.
May 4, 2006 8:16:05 PM

So, if I understand this correctly...

*hypothetically*
I get a keylogger on someone's machine, capture their credit card information, go on a shopping spree overnight, and they are liable for it?
What am I thinking...the average user is much too smart to get a virus or trojan on their machine, right? lol

I don't like the sound of this system at all.
May 4, 2006 9:31:12 PM

Credit card companies can only do so much in protecting the card holder via the use of encryption and verification processes. It really boils down to the fact that the card holders are responsible for making sure the PC is secure PRIOR to making an online purchase. So if you leave your credit card on the table at some restaurant and forget about it then you're responsible. Hopefully you realize it early and notify the bank to cancel the card. I did this once when I went to the drive-through at Burger King; I was in a hurry and forgot to get my check card back. The next morning when I went to Home Depot to make a purchase I noticed the card was not in my wallet, so needless to say I called the bank to have the card cancelled.

If some hacker does break into the bank's database then it's their problem.

I think lately, with stupid things like Iron Mountain losing client backup tapes, I have to wonder when they will finally step up to the plate and fix it? It's not the first time this has happened. How much of this stolen / lost data is in use to commit fraud? I can only wonder.

Darkk
May 4, 2006 9:31:33 PM

I get the sneaking suspicion that over time, the banks will find a way to stiff us with purchases that we might not have made, all because some jerk in a foreign country thought it's OK to rip us off.

Why haven't they designed a better system - aka, one where if we DO make an online purchase, we call up said CC company, speak to a live agent of some sort and verify that yes, we DID make that purchase via a passphrase. I'm sure on their end they could employ some kind of voice analyser to verify that it is the card holder that has allowed or made said purchase.

When these companies make billions in profit, they can at least spend some of that money to better protect us and their bottom line.
May 4, 2006 11:04:47 PM

Yes, you are absolutely spot on. If 2 Factor Authentication is not used, then the security of a static PIN or pass phrase won't last long. The next step to occur will be a challenge in the courts from someone who has been genuinely defrauded, and the usefulness of 3DS will diminish overnight.

Pat McKenna
May 4, 2006 11:08:19 PM

Hi,

the real problem is the fact that the banks do not really care about credit card fraud as they are well insulated against it. The pig fight always falls to the merchant and the card holder.

Pat MK
May 4, 2006 11:12:36 PM

Hi,

A keylogger would do the job nicely. This requires a 2 Factor solution generating one-time PINs for each login. Banks that are going to employ this for online banking will probably enable it for 3DS as well - we hope!

Pat MK
May 5, 2006 4:19:40 PM

Quote:
Hi,

A keylogger would do the job nicely. This requires a 2 Factor solution generating one-time PINs for each login. Banks that are going to employ this for online banking will probably enable it for 3DS as well - we hope!

Pat MK


One-time numbers could be generated by the credit card itself, if the will to do this was there. The token I have for remote login for my work generates random strings of 6 characters, new every 60 seconds. I need to enter the current string when I log in, meaning I must have possession of the token. The token is small already, and I'm sure credit cards could be designed or redesigned to generate and display the one-time strings.

Since the numbers that are generated are specific to the token that is registered to me, that means I hold the actual device. Then add on the need to enter a pass-phrase (PIN) (in other words, something I know) and you have true security, other than scenarios of coercion where someone literally forces me to act under threat.

The phase-in of a system like this could be done as well, although the scale and complexity will cost real money.

I think the will to do this can arrive in time if the financial pain continues - the solution discussed in the article doesn't look like a very solid answer.
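An added example, not code from the thread or from any token vendor, of the scheme described above: a 6-digit code that changes every 60 seconds (RFC 6238 TOTP over HMAC-SHA1) checked together with a PIN, with a replay guard so that a code observed once cannot be reused; the `TokenVerifier` class and the sample secret are this example's own.

```python
# Added example: a 6-digit code that rolls every 60 seconds (RFC 6238 TOTP)
# verified together with a PIN, so both possession and knowledge are needed.
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 60  # the poster's token changes every 60 seconds
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from wall-clock time (seconds)."""
    return hotp(secret, at // STEP_SECONDS)

class TokenVerifier:
    """Issuer side: checks something you have (token secret) and something you know (PIN)."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin          # in a real system stored as a keyed hash, not plaintext
        self.last_counter = -1  # highest time-step already accepted (replay guard)

    def verify(self, pin: str, code: str, at: int, drift: int = 1) -> bool:
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        base = at // STEP_SECONDS
        matched: Optional[int] = None
        # accept the current step plus one either side to tolerate clock skew
        for c in range(base - drift, base + drift + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
        # both factors are evaluated before deciding, so a failure reveals neither
        if not (pin_ok and matched is not None):
            return False
        self.last_counter = matched  # a code seen once is never accepted again
        return True
```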
May 5, 2006 7:29:01 PM

This article is ridiculous. This change will not suddenly make it impossible for someone to contest charges on their CC bill, and it will not create some Orwellian nightmare for online merchants.

Chargebacks will still be automatic, just as they always have been for online and offline merchants. Now, however, it is a little easier for a merchant to argue against those chargebacks and harder for a criminal to fake a transaction.

The software development costs are the same as implementing AVS, a single additional required field, labelled PIN or passcode. If that's going to break an online merchant they should stop using Accenture for their web development.

The scary 12-step process really only adds 1 possible branch and step to the user or the coder. First, a good web app should allow users to enter info in a single step instead of prompting for each input, so there will be a new textbox by the credit card input for passcode or PIN and a note saying "If your credit card is secured with a SecureCode passcode enter it here:". On processing, there will be an additional branch in the logic: if the CC result says this transaction requires a passcode, send what the user entered. If the user left it blank, do what you always do on a required field, prompt the user. Is that so hard? If you want to see a really scary financial process, examine how checks are cleared.

The RSA key generator is cool and all, but if you want to talk about a headache for merchants and customers imagine there being a $20 fee every time you lose your credit card or leave it in a hot car, or run it through the washing machine, or expose it to static shock. If you want to see panic, accidentally leave the key generator on a plane. Some flight attendant finds it and, "When the right combination appears the bomb goes off!" Panic!

The PINs won't be stored on the bank's side, a hash value will be stored. Same as an ATM PIN or your password in any secure software system.

And forget a keyboard logger and trying to figure out when in the last 27,000 keystrokes someone entered their CC and PIN, if you have access to the inside of their house, just empty the contents. Or watch them very closely at the ATM machine then hit them in the head with something hard. That way you'll be able to get cash, and not just iTunes.
May 8, 2006 11:46:35 AM

<Hi>
Quote:
This article is ridiculous. This change will not suddenly make it impossible for someone to contest charges on their CC bill

<the facts presented by the sponsors of 3DS are at odds with your understanding - any claims of fraudulent transactions are the responsibility of the issuing domain, namely the card holder and issuing bank, where all parties in the transaction are participants in 3DS.

A really good site to look at: http://www.cardwatch.org.uk/ In there you will find a matrix describing the current standing of 3DS and how it applies to the current partial compliance situation>

, and it will not create some Orwellian nightmare for online merchants.

<This will make it easier for online merchants to do business and encourage them to expand their product range - no one in the industry is complaining about that.>

Chargebacks will still be automatic, just as they always have been for online and offline merchants. Now, however, it is a little easier for a merchant to argue against those chargebacks and harder for a criminal to fake a transaction.

< ... a lot easier as I mention above, where all participants are signed up for 3DS, the fraud is the responsibility of the issuing domain. That is the one piece of this jigsaw that is not up for interpretation>

The software development costs are the same as implementing AVS, a single additional required field, labelled PIN or passcode. If that's going to break an online merchant they should stop using Accenture for their web development.

<... I take the point but the facts speak for themselves - not all gateways, merchants and banks have implemented solutions. The reasons are primarily technical, although some suggestions fly around regarding the implications of certain forms of online entertainment not being able to repudiate identity, such as gambling and porn. In reality, virtually all gambling sites in the US are signed up according to MasterCard. >

The scary 12-step process really only adds 1 possible branch and step to the user or the coder. First, a good web app should allow users to enter info in a single step instead of prompting for each input, so there will be a new textbox by the credit card input for passcode or PIN and a note saying "If your credit card is secured with a SecureCode passcode enter it here:". On processing, there will be an additional branch in the logic: if the CC result says this transaction requires a passcode, send what the user entered. If the user left it blank, do what you always do on a required field, prompt the user. Is that so hard? If you want to see a really scary financial process, examine how checks are cleared.

<.. again I agree with you. But the facts still remain - many gateways say that they are 3DS compliant but do not include Merchant Plug-In code in their XML - why? >

The RSA key generator is cool and all, but if you want to talk about a headache for merchants and customers imagine there being a $20 fee every time you lose your credit card or leave it in a hot car, or run it through the washing machine, or expose it to static shock. If you want to see panic, accidentally leave the key generator on a plane. Some flight attendant finds it and, "When the right combination appears the bomb goes off!" Panic!

<.. again I agree with you, the use of electronic tokens is not a runner for a mass distribution scenario. There are a number of options and initiatives coming into play, and the introduction of FFIEC guidelines on authentication would help things along>

The PINs won't be stored on the bank's side, a hash value will be stored. Same as an ATM PIN or your password in any secure software system.

<...A hash value is only as strong as the distribution of the keys>

And forget a keyboard logger and trying to figure out when in the last 27,000 keystrokes someone entered their CC and PIN, if you have access to the inside of their house, just empty the contents. Or watch them very closely at the ATM machine then hit them in the head with something hard. That way you'll be able to get cash, and not just iTunes.


<...here I disagree with you. Key loggers are quite intelligent in their build. I can configure a key logger that will only screen scrape and record keystrokes on certain urls etc - it is that fine grained >
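The exchange above (PINs stored only as a hash on the bank's side, versus a hash being only as strong as the distribution of its keys) as an added example, not code from the thread or from any issuer: a 4-digit PIN behind a plain salted hash is recovered from a stolen record by testing all 10,000 values, while an HMAC under a key kept outside the database leaves the record useless without that key, and the one route left, online guessing, can be locked out. The `hsm_key` value, the `IssuerVerifier` class and the sample PIN are this example's own assumptions.

```python
# Added example: why "only a hash is stored" protects a short PIN poorly,
# and how a keyed hash plus online lockout changes the picture.
import hashlib
import hmac
import os
from typing import Optional

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit PIN

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Unkeyed scheme: salted SHA-256 of the PIN (the salt sits in the same record)."""
    return hashlib.sha256(salt + pin.encode()).digest()

def keyed_hash_pin(pin: str, salt: bytes, key: bytes) -> bytes:
    """Keyed scheme: HMAC-SHA256 under a key that never enters the database."""
    return hmac.new(key, salt + pin.encode(), hashlib.sha256).digest()

def offline_search(record: bytes, salt: bytes, key: Optional[bytes] = None) -> Optional[str]:
    """What the holder of a stolen record can do: test all 10,000 PINs offline.
    key=None attacks the unkeyed scheme; for the keyed scheme the searcher has
    to supply a key, and without the real one no candidate will ever match."""
    for candidate in PIN_SPACE:
        guess = (hash_pin(candidate, salt) if key is None
                 else keyed_hash_pin(candidate, salt, key))
        if hmac.compare_digest(guess, record):
            return candidate
    return None

class IssuerVerifier:
    """Issuer-side online check: holds the key, counts failures, locks after 3."""
    MAX_ATTEMPTS = 3

    def __init__(self, pin: str, key: bytes):
        self.salt = os.urandom(16)
        self.key = key                                     # kept out of the database
        self.record = keyed_hash_pin(pin, self.salt, key)  # all the database holds
        self.failures = 0

    def verify(self, pin: str) -> bool:
        if self.failures >= self.MAX_ATTEMPTS:
            return False  # locked: online guessing is capped, unlike offline search
        ok = hmac.compare_digest(keyed_hash_pin(pin, self.salt, self.key), self.record)
        self.failures = 0 if ok else self.failures + 1
        return ok

def demo() -> dict:
    """Constructed sample: one cardholder's PIN, one stolen record of each kind."""
    pin, salt = "4711", os.urandom(16)
    hsm_key = os.urandom(32)  # hypothetical issuer key, never stored with the record
    stolen_plain = hash_pin(pin, salt)
    stolen_keyed = keyed_hash_pin(pin, salt, hsm_key)
    return {
        "from_plain_hash": offline_search(stolen_plain, salt),                       # "4711"
        "from_keyed_without_key": offline_search(stolen_keyed, salt, os.urandom(32)),  # None
    }
```

Salting alone does not help here: with only 10,000 candidates the attacker re-runs the search per record, so the key, not the salt, is what has to stay out of the stolen data.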
May 9, 2006 3:16:43 AM

Hi,
3D Secure is absolutely not new. The specs have been out for a couple of years already. They were designed by Visa and later endorsed by Mastercard. Many Issuers and Acquirers around the world implemented this service some years ago but the adoption rate is actually very low from the customer standpoint. You can forget about the figures given by either Mastercard or Visa because they are totally biased. Visa and MC, which btw are non-profit organizations 8O, basically forced their members (banks) to invest several hundreds of thousands of dollars in the 3D Secure infrastructure, which at the end is a real pain for the customer in their online purchase experience. I would also add the yearly fee charged to the participating banks to use the Visa/MC infrastructure during the transaction process (i.e. fee for use of the Directory Server).
Worst thing is: merchants are losing transactions because most of the customers are unaware of the 3D Secure service itself and don't want to be bothered with this kind of complicated process. As a merchant I would prefer to keep the liability and have, let's say, 10% of fraud on my store rather than losing half of my transactions because of 3D Secure discouraging my potential customers. And that is what is happening with several merchants not willing to support 3D Secure anymore. Just go to the Verified by Visa website and have a look at the merchant list supporting this service. It is quite meager and most of them have stopped promoting this service.
Finally, there is also a great lack of defined specifications on the Payment Gateway on the Acquirer side (used for the authorization process after authentication has taken place). As stated earlier by 2factor_login, some Gateways are stated to be 3D Secure compliant but are actually not, due to the lack of clearly defined specifications by MC and Visa. This leads to unclear results on the real transaction liability itself.

Cheers,

LMA.
May 9, 2006 5:25:54 AM

[the consumer] will be instructed to comply with whatever policy is adopted by their card issuing banks, and won't have much of a say in the matter.

If history is a guide, the consumer will indeed have a say. In the USA the Consumer Protection Act, limiting cardholder liability for fraudulent use to $50, was prompted by consumer pressure on lawmakers. The same can happen here. If merchants and banks try to stick it to the consumer, the consumer can stick it right back via Congress. They've done it before, and they can do it again.

Of course bogus chargebacks should be prosecuted, but when consumers are hit with charges they didn't make and find themselves without recourse, as your glib headline implies, then you can rest assured that, regardless of other merits, this 3DS scheme will be drawn and quartered.
May 9, 2006 9:10:29 AM

Hi JM,

hmmmm - MC and VISA will tell you that 3DS has progressed further in the US than anywhere else. I know that in the UK and Ireland, card holders are being informed that they will require compliance - or else. Now I'm not sure what the 'or else' is as I believe that it falls to the individual banks to implement the protocol to consumers in whatever way they see fit.

Bit of a mess, eh?

Pat MK
May 9, 2006 9:30:09 AM

Hi LMA,

I think that they took their eye off the ball and underestimated the difficulty and cost of rolling out Chip&PIN, which has got completely in the way of 3DS.

Also there is a lot of politics and in-fighting here. The owners of payments gateways will tell you that the banks, particularly 'high street' banks really don't care all that much about credit card transactions - period. This is not true of the offline banks who have more of a stake in the process. But if you look at the activities of a bank, and its various means of making money from customers, then it isn't difficult to see why online credit card transactions are not a big deal.

One guy who is responsible for the overnight running of batch updates recently joked with me that the overnight automated process had failed for a less than obvious reason on two consecutive nights and no one at all noticed, either in the bank or the gateway.

Many of the gateways don't even check the details of a transaction beyond the card number and expiry date. Try your valid credit card number, valid expiry date, any security number, name of Michael Mouse, and address in Epcot and you'll be amazed just how many gateways will record that information in their client trx management browser, but not actually test it.

And if you think that is fun - if you have had your card upgraded (but not cancelled) you will find that your old card number plus your new expiry date, and the above crazy details will be validated and passed by some gateways.

My point is that for all their shortcomings, VISA and MC are looking at an appalling mess in online credit card transactions and are trying to do something about it before an organisation with the clout of FFIEC (see online banking regulation) comes knocking on their door.

Pat MK
May 12, 2006 4:12:13 PM

MK, I use a number of MC/Visa cards in a major market area and so far I've heard nothing from any of them, nor has anyone I know. However, in Europe you've had pin numbers for credit cards (not just ATM cards) for years, so I guess the idea of 3DS wouldn't be foreign to cardholders there.

What LMA says about banks not caring that much about credit card/online transactions may be true in the UK/Ireland, but not in the USA. Online business is a huge industry in the USA, and with the exception of PayPal, virtually all online vending is by credit card. The margins for credit cards are also huge, with rates that can only be described as usurious. I doubt if you could get an American banker to tell you honestly that credit card transactions are not very important indeed to his bottom line.

There are two kinds of frauds here: one is card use by unauthorized persons, the other is fraudulent chargeback by the cardholder. The headline and story imply that, in order to eliminate the latter, 3DS will eliminate recourse for the former. Under common law, given reasonable due diligence, we cannot be held liable for the acts of an impersonator. I'm not familiar with consumer protection laws in UK/Ireland, so I can't gauge how responsive lawmakers are to consumers over there, but you can be sure that Stateside any scheme to defeat this principle will be met with furious resistance through litigation and legislation.
May 16, 2006 2:54:08 AM

Sorry for the late reply.
I think I have been misunderstood on some of the points I wanted to raise. Maybe it is because of my poor English, lol.
Anyways, I just wanted to say that I definitely agree on the fact that 3DS infrastructure has been quite massively rolled out by Issuers and Acquirers regardless of the market (US, Europe, Asia Pacific...) because of the big pressure from the Associations. But all in all this does not imply it is a successful service. Driving adoption of the service is something else than deploying expensive and complicated infrastructure. It is about customer education, providing tangible incentives for them to use the service in an easy and secure way (applicable for both shoppers and merchants).
Mass enrollment and ADS (Activation During Shopping) schemes have been added to the regular features of 3DS with time and have been implemented in order to drive the adoption of the service, which was extremely low. Usage has increased but it is still far from the Associations'/Banks' expectations.
In the end, users/merchants are still the parties who will decide to perform/accept 3DS vs "regular" e-commerce transactions, and not the Banks or the Associations.