Day to day security issue.





pratickm   
Member since: Feb 04
Posts: 2831
Location: Toronto

Post ID: #PID Posted on: 17-06-09 16:42:40

Quote:
Originally posted by web2000
I thought the card holder is forced to pay through collection agency if there is any fraud.

Interesting you bring this up, because....
Up until some time ago (maybe as recent as last year), card holders who were subject to credit card fraud were NOT required to pay the fraudulent charges.
If they report the fraud as early as possible and the credit card company agrees that it is fraud then they are not liable.
For example, say someone lives in Toronto and the credit card gets used in Manila (just as an example) for $5,000 and the person can prove that they didn't travel, then it's a case of fraud.
However, if someone buys stuff at a grocery store every week and there is a $100 charge from that store, it may be hard to prove that it was fraud.
So anyway, until recently (and maybe even now) card holders are not liable for fraudulent charges.
However....
a lot of people in online communities (Usenet and BBSes) are reporting that since last year, their credit card issuers have added clauses in their card contracts that the consumer is liable for any and all charges (whether authorized or unauthorized) if the CC company determines that the charge occurred "as a result of the card holder's actions, practices or habits".
This means that if someone uses their cards online a lot and the card gets hacked and used for fraudulent charges, guess what - it occurred because of the card holder's action.
If someone leaves their wallet in the car and it gets stolen - guess what, again it's their action.

This trend started in the US early last year and is now spreading.

Recently someone in one of the Canadian BBSes reported they received a modified contract from their CC company containing this clause.

It looks like CC companies are losing their patience with fraud and are basically saying "hey, it's not our problem. You are using the card, it's your problem - go figure".

Quote:
I wish if there is any way in online banking where I can control which IP zone should be allowed to do transaction, then all third world IP can be blocked to reduce the attack surface. I don't know if banks do allow to connect through open proxies which most of the hackers do.
Technically, it's rather easy to configure firewalls at the financial institutions to only allow certain ranges of IP addresses and block others.
However, I don't see that happening.
What happens when you visit India (or any other "third world" country) and want to check your account, or make a bill payment?
They can't block out people like that - it will cripple the Internet.
There are so many people (esp. retired folks) who live in one country and manage their finances across 3 other countries, or people who travel most of the year and manage all their finances online.


-----------------------------------------------------------------
"Mah deah, there is much more money to be made in the destruction of civilization than in building it up."

-- Rhett Butler in "Gone with the Wind"


Iknownothing   
Member since: Jan 08
Posts: 429
Location: Ohio

Post ID: #PID Posted on: 18-06-09 09:39:18

Quote:
Originally posted by web2000

Quote:
Originally posted by pratickm

Quote:
Originally posted by web2000
only the victim is held responsible then why would creditor will take any chance to verify the identity of the person before issuing any credit.

All these problems are just because creditors do not suffer from the fraud.

Well, they do - when they lose their money.
If someone steals a credit card and buys thousands of $$ of stuff and then disappears, both the real card holder and the creditor suffer.
If the card holder is absolved of all responsibility, then only the creditor will suffer because all that money is a loss for them.
If the card holder is held liable and they can't/won't pay-up, then his/her credit is trashed for many years to come but the creditor also doesn't get the money back.
Quote:

Moral of the story is that you are not protected no matter what precaution u take.

There is no guaranteed fool-proof protection for sure.
There are always avenues and loopholes for the fraudsters.
And the more complex the protection gets, the more bureaucracy it creates for the common man, and the smarter the fraudsters get.

I read a news story recently that a lot of high-tech fraudsters are exploiting the loopholes in the PCI standards for payment processing and are hacking into the networks of smaller merchants and unmanned kiosks and siphoning off credit card numbers between the merchant and the bank's network.
Once they set up the hack, within a few days, they end up getting hundreds if not thousands of credit card numbers.
The real criminals are often doing this from third-world or remote countries where it is next to impossible to track them down and bring them to justice.



I thought the card holder is forced to pay through collection agency if there is any fraud.

I also read about PCI standards and its loopholes.

I wish if there is any way in online banking where I can control which IP zone should be allowed to do transaction, then all third world IP can be blocked to reduce the attack surface. I don't know if banks do allow to connect through open proxies which most of the hackers do.




Chase bank in the US uses the MAC address (a unique number to identify the hardware, specifically the network card) of a machine to allow or deny access. For instance, if you are trying to log in from a PC for the first time, it will send you a code, either via email or as a text message to your phone. You will have to use this code to log in for the first time from that machine. Next time you can log in without the code as they associate the MAC address of the machine with your account.

Not 100% sure, but TD does a similar thing. It will ask you a security question when you try to log in through a new MAC address.

They can't use the IP address as a filter because most of the IP addresses assigned to consumers trying to login from home are dynamic and not static.



northyork_desi   
Member since: Apr 09
Posts: 290
Location:

Post ID: #PID Posted on: 18-06-09 10:01:07

I had a similar experience with CIBC online banking. When I tried to use my new laptop to log in to the bank, it prompted me to enter a verification code (which I had selected during sign up). After successful validation of the verification code, it let me in.

thanks



web2000   
Member since: May 06
Posts: 849
Location:

Post ID: #PID Posted on: 18-06-09 11:05:23

Using a MAC address for online banking is a good security step. At least it guarantees that log in will be allowed from that machine only and even if your pwd is stolen (Not possible when the data is on the wire unless someone breaks the SSL encryption) by the key logger spyware, you will still be safe.

But the credit card security is still weak. Anybody having your card no. and expiry date could be dangerous (I doubt that not all merchants support Verified by Visa authentication where you have to provide a password while online shopping).

I heard that in TD bank, you have to visit the bank to do a wire transfer. Is it true?



pratickm   
Member since: Feb 04
Posts: 2831
Location: Toronto

Post ID: #PID Posted on: 18-06-09 11:16:57

Quote:
Originally posted by web2000
Using a MAC address for online banking is a good security step. At least it guarantees that log in will be allowed from that machine only and even if your pwd is stolen (Not possible when the data is on the wire unless someone breaks the SSL encryption) by the key logger spyware, you will still be safe.

But the credit card security is still weak. Anybody having your card no. and expiry date could be dangerous (I doubt that not all merchants support Verified by Visa authentication where you have to provide a password while online shopping).

Correct, however, most of the large scale, bulk security breaches have happened at the merchant back-ends, rather than over the Internet wire between the customer and the payment gateway (which is protected by SSL).
So the MAC-key or IP address based login is a good feature to have, but it doesn't address the bulk of the breaches, which occur at the merchant's end.
This is when hundreds of credit card numbers get stolen out of backend databases of retailers, often by offshore hackers.
The hackers don't use these for themselves - they simply sell these to other fraud companies, who re-sell these multiple times.


-----------------------------------------------------------------
"Mah deah, there is much more money to be made in the destruction of civilization than in building it up."

-- Rhett Butler in "Gone with the Wind"


web2000   
Member since: May 06
Posts: 849
Location:

Post ID: #PID Posted on: 18-06-09 15:46:59

Quote:
Originally posted by pratickm

Quote:
Originally posted by web2000
Using a MAC address for online banking is a good security step. At least it guarantees that log in will be allowed from that machine only and even if your pwd is stolen (Not possible when the data is on the wire unless someone breaks the SSL encryption) by the key logger spyware, you will still be safe.

But the credit card security is still weak. Anybody having your card no. and expiry date could be dangerous (I doubt that not all merchants support Verified by Visa authentication where you have to provide a password while online shopping).

Correct, however, most of the large scale, bulk security breaches have happened at the merchant back-ends, rather than over the Internet wire between the customer and the payment gateway (which is protected by SSL).
So the MAC-key or IP address based login is a good feature to have, but it doesn't address the bulk of the breaches, which occur at the merchant's end.
This is when hundreds of credit card numbers get stolen out of backend databases of retailers, often by offshore hackers.
The hackers don't use these for themselves - they simply sell these to other fraud companies, who re-sell these multiple times.



I think customer should be given some kind of control so that he can control how the card to be used. The following comes into my mind:

-I should have choice to register with my card issuing authority so as to stop any transaction outside of the country. e.g. I have a card and I want to use it only within Canada it should be authenticated only as long as it is being used within the country.

-I should also have a choice to block card usage on internet. e.g. I mostly use card at retail stores and chances of misusing the card get reduced because fraudsters at least will need a plastic copy of my card. So just knowing the card no. and its expiry will not be as dangerous as it is now. I know that they can make plastic copy also. But if credit card carries the password feature also like PIN in debit card then it will be less vulnerable because PWDs are always hashed in merchant's DB.


I don't know if above level of control is easy to implement. If customer does not want this type of control he can continue using it the way it is now at his own risk.

This will not totally stop the fraud but will reduce it significantly.







frnd   
Member since: May 07
Posts: 239
Location: GTA

Post ID: #PID Posted on: 18-06-09 16:29:09

These days many new credit cards come with a security chip. If the merchant has the latest terminal which accepts such cards, you place it in the terminal and it asks you for your security PIN (like a debit card). For now not many merchants have these terminals and customers end up using these high-tech cards as a regular card.

There might be secure ways coming in future for online shopping with these high-tech cards. Also I remember with TD VISA you can configure in such way that it asks for a password whenever you shop online. Not sure how I configured it but remember it asked for such option when I used the card for first time online shopping.



Contributors: web2000(6) pratickm(5) Iknownothing(1) northyork_desi(1) frnd(1)


