American Express fails miserably at basic security (timetobleed.com)
252 points by ice799 on May 25, 2010 | 69 comments



This sounds scarier than it really is. Why? Because credit card companies focus on identifying fraudulent transactions rather than verifying your id.

From Bruce Schneier's blog[1]:

"But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the transaction, not the person, is the way to proceed.

"Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone or Internet, where no one verifies the signature or even that you have possession of the card.

"Even worse, no credit card company mandates secure storage requirements for credit cards. They don't demand that cardholders secure their wallets in any particular way. Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction."

[1]: http://www.schneier.com/essay-153.html


Strong disagree. In reality, and especially for small-ish transactions, card companies are terrible at detecting fraud and customers are terrible at noticing it. Criminals can make second-order money off innocuous transactions through affiliate scams.

The only reason this isn't a big deal is that it remains incredibly easy for attackers to get CC#'s without capturing packets off the wire.


Don't know, obviously you know a lot more about this than me, but in my experience as a consumer, at least my bank (HSBC UK) has been pretty good at identifying fraudulent transactions on my account. They actually spot them before I do and call me right away.


My credit card companies are so good at identifying fraud they've caught 17 of my last 0 fraudulent transactions.

(OK, I sympathize: buying a thousand bucks of stuff in four transactions from central Japan at 2 in the morning is not exactly typical behavior for a Bank of America customer.)


btw, as a fellow B of A customer who has had to deal with their crappy fraud algorithm as recently as last week, apparently you can go into the branch and have the 'fraud protection' removed.


Yes, but for the most part those will be swipe transactions, not online transactions. And they keep an eye out starting at $100 or so because that's when it starts to add up if you fail to spot a fraudulent charge. The majority of online transactions are pretty small, though, and fall right in the gap between 'don't care' and 'card issuer spots fraud'.


Interesting. Mine (Barclay's) is overly aggressive: it calls me every two weeks, and blocks my cards about 4 times a year.

I have a pre-paid phone, buy small items from Google Checkout, and travel frequently. Barclay's knows this, but still keeps calling to confirm my (quite regular, very normal) transactions and blocking my cards.


And also they offload most of the risk onto merchants for accepting fraudulent transactions, so merchants have to be extra vigilant.


But doesn't this attitude screw the merchants? If an online merchant accepts a payment from a stolen CC they have to foot the bill for the product they sent out. That's how I thought it worked?


And the problem is? Users love this policy. Banks love this policy. Merchants don't, because they get screwed. And it's even worse. Not only are they out the product, but they also get charged, even if they provided a CVV in the transaction. So, you lose the cost of the product, the time involved, AND you get fined.


> credit card companies focus on identifying fraudulent transactions

That had me laughing; you really clearly have not dealt with large numbers of $10 to $50 transactions.

Card companies don't care at all about such charges: if you have a valid card number, an expiry in the future and a CVV that matches, the charge will be accepted.

VBV and its sister programs have been designed to combat this and pass most of the responsibility back to the consumer or their bank in a five-way handshake between the consumer, the merchant, the IPSP, the bank and the issuer.


Disclosing ID and verifying it are completely separate issues. Also, the information leak here causes problems for more than just the credit card company; the data transferred in plain text opens up the possibility of more than plain credit card fraud (although that is the most obvious exploit).

I seriously doubt that Schneier would consider this information disclosure OK based on this loose interpretation of his blog post.


That's pretty terrible, but I'd say it's still more secure than most of the ways I transfer my credit card number. Twice I've needed a tow truck, and both times would you like to know how they charged my card? By picking up their radio and reading off all my info to the main office. All I'd need is a scanner to get dozens of valid credit card numbers a day.


I once gave my card to a waiter.


A waiter stealing credit card numbers has a good chance of being caught eventually. I assume the credit card companies do some basic data mining on their stolen card database, and if card numbers start getting stolen shortly after dining at a particular establishment then they'll track this down.

I googled "waiter stealing credit card numbers" and here's an example from today's news of some folks who got caught:

http://www.wjla.com/news/stories/0510/739156.html

On the other hand if you have a radio scanner and are picking up numbers going over the air from tow truck companies there's no traceable link between you and anything in the database.


No, but there'd be a link to tow-truck companies in your area, and perhaps their not-exactly-PCI-compliant handling of credit-card numbers would be exposed.


Who says it would be in your area though? You could travel the country and probably find hundreds of instances of this sort of thing happening.


Three times in my life, I wrote up all the information needed to debit every last penny in my bank account and handed it to someone I had never met.

Then I stopped using checks.


My practice is to give my card to anyone who asks for it when I'm in a frame of mind to expect someone to do so (after I finish eating at a restaurant, for instance). Observation suggests basically everyone follows the same policy.


When I worked at Radioshack, I had access to the database of receipts with the credit card information stored on them.


I regularly give my credit card number over the phone for restaurant delivery.

The CC number is almost never secure.


Maybe. But their fraud detection is pretty good. I've seen some unauthorized charges before, and Amex has called me before I had any idea. I've also had unauthorized charges show up on a Citi card -- their customer support didn't care and refused to help me. I just paid the $60 (for some scam software, apparently) and canceled the card. So Citi may protect their numbers better, but Amex actually helps you when someone gets your number.

(I also had a Paypal debit card canceled for authorized charges. Needless to say, I just buy everything with the Amex. Good customer service, good interest rate, cash back.)


American Express also limits passwords for their online banking functions to less than 8 purely alphanumeric characters (no spaces, no special characters). If this alone wasn't bad enough, this almost certainly means that somewhere deep in the bowels of AmEx's software stack there's an ancient system where the password field is in plain text.


AMEX isn't the only one with arcane password restrictions. Most banks limit the characters to an alphanumeric subset of ASCII with a few characters like _ and -. It makes no sense.

If that wasn't bad enough, look at how services like Mint have to interface with these institutions. When will something like OAuth come into play at banks?

I'd love to charter a bank on the premise of superior online service.


You might be interested in this previous Hacker News post: http://hackerne.ws/item?id=1355292 "Twitter's Alex Payne quits, heads onto something new", namely http://banksimple.net/


I wonder about this, same for my bank. My theory is alphanumeric plus one, maybe two symbols means there is a lower probability of some sort of SQL injection. Perhaps a greater risk for exposing one account, but lower risk for exposing many.

It's the only explanation I can come up with.


From a previous HN thread, here's the real reason at least for AmEx: http://news.ycombinator.com/item?id=1108650


There are ways around legacy systems not storing certain characters to database field sizes that range from running delegate password servers to hashing passwords into something that can be stored on the legacy system. The one thing this thread does get at is the money involved. To Amex the costs and risks of their "weak" password requirements don't outweigh those of implementing a more secure password system.


It's a good explanation, but it can only be valid if they store passwords in plain text. No financial institution would do that, right?


I'd dare say that if a financial institution ever had a situation where an attacker could see any part of their database, they'd have far bigger problems to deal with.


Ahahahahaha! Yeah, right.

I can't speak for most financial systems (I am only familiar with one, but it's a big one), but I know plain text passwords happen. Let's call the system IET.

IET doesn't encrypt the passwords used for internet banking. To obscure the passwords, they're stored in the DB using EBCDIC. No joke.

Sure, in theory, encryption of data at rest doesn't matter if the system is secure; however, with a security posture like this, the data is bound to leak.

In this case, I found out about the unencrypted passwords because they were in the files going to the "print & statement" vendor: there is a default letter in the system that says "Hey your password changed to foo99!". Despite suppressing this letter, the data was still transmitted to the vendor: it is simply ignored.


I feel like this gets brought up every week here, but I'll post it again: If your password is going to be the same for the phone as it is for the internet, it can't have special characters.


It wouldn't matter at all if the handler was HTTPS. If the form is delivered over HTTP, a man in the middle can make it go wherever they want.
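An added example (not code from the thread, from American Express or from the linked post) of the check a defender would run for exactly this failure mode: it flags a form page that is itself delivered over plain HTTP, and separately any form whose action does not resolve to HTTPS. The page URL and HTML are constructed sample input with a placeholder host.

```python
# Added example: audit a page for the "secure form on an insecure page" problem.
# The page transport is checked first, because a page fetched over HTTP can have
# its form actions rewritten by anyone on the path, whatever the action says.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            action = a.get("action") or ""
            method = (a.get("method") or "get").lower()
            self.forms.append((action, method))


def audit_page(page_url, html):
    """Return a list of findings; an empty list means the page and all of its
    forms stay on HTTPS end to end."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        findings.append(f"page delivered over {page_scheme}: an on-path "
                        "attacker can rewrite every form action")
    parser = _FormCollector()
    parser.feed(html)
    for action, method in parser.forms:
        # A relative action inherits the page's scheme, so resolve it first.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"form ({method.upper()}) submits to {target}: not HTTPS")
    return findings


# Constructed sample: a card-enrolment form on an HTTP page that merely
# claims "This page is secure" (placeholder host, not a real endpoint).
SAMPLE_URL = "http://www.example.invalid/enroll"
SAMPLE_HTML = """
<html><body>
<p>This page is secure</p>
<form method="post" action="/submit-card">
  <input name="card_number"><input name="cvv">
</form>
<form method="post" action="https://secure.example.invalid/login">
  <input name="user"><input name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print("FAIL:", finding)
```

The second form passes on its own, but the run still reports two findings: the HTTP page itself and the card form whose relative action inherits that HTTP scheme.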


Just out of curiosity, what is the actual penalty to American Express for saying their page is secure while transmitting credit card numbers in plaintext?


If someone steals my card number, they're the ones on the hook.

Edit: mkull is probably right in the vast majority of cases


Wrong. If someone steals the card number, the merchant who accepts the fraudulent transaction is on the hook, not AMEX.


That sounds awful. Credit card fraud is mostly paid for by merchants??


The card issuer has two parties they can stick the charge to, one is the merchant, the other their customer.

The merchant is the easy way out; they're not going to cancel their connection with the card issuer because that's their bottom line. Sticking the charge to the customer is harder because the customer will cancel.

Follow the path of the least resistance: stick it to the merchant.

Now if they did the right thing, they'd fix their acceptance rules and a bunch of security issues and eat the remainder of the charges.

Fat chance of that happening any day soon.


This is actually sensible, since it shifts the responsibility for verifying the customer's identity onto the merchant, and lets merchants figure out exactly how much trouble they want to go to in order to do this. Some places will demand a photo ID to go along with your credit card transaction. On the other hand, some places like Starbucks don't even make you sign the receipt -- they figure the small number of coffees which get charged to stolen credit cards are well worth the ability to keep the line moving.


Per the merchant agreements, they cannot deny you the sale if you don't want to show your ID. Also, the credit card companies no longer require signatures for purchases under $20 (possibly $25?) which is why Starbucks doesn't require you to sign any more.


This is sensible, until you realize it sucks for internet sites. Listen, the banks don't care. You can have the card holder call up and tell the bank to cancel the chargeback, and they won't do it. I know, I've heard the conference call with my support staff trying to do it. The customer was really apologetic, too.


In the USA, by law, they are not allowed to stick it to the customer for more than $50.

If they ate the charges, they are afraid that a lot of merchants would deliberately ring up fraudulent purchases for the guaranteed profit.

Those two facts force them to the current system. And the fact that merchants are not allowed to charge customers different rates for different cards gets rid of incentives for merchants to charge customers for the poor security practice that the credit cards have.


There clearly are merchants who do that today. Last time we had a card stolen, we got tons of random bullshit merchandise in the mail (weird cosmetics and such), presumably for the affiliate money.


You are clearly arguing from the perspective of a 'good' consumer.

But think about it for a second: those charges were inflicted on good merchants. The affiliates are not the merchants; they're in the same boat that you are in, except they lost their goods, the affiliate pay-out and a chargeback fine on top of that.


Fraudulent and colluding merchants are a huge part of the fraud problem. You mean to suggest that in a perfect world, Amex wouldn't stick it to good-faith merchants. But for the most part, there are only good-faith customers, so they clearly aren't eating charges, and having Amex eat charges raises prices for everyone.


The only parties that have access to the information required to do proper scrubbing are the issuers and the banks.

The bona-fide merchants have to make decisions about charges being fraudulent or not in the absence of this information.

If they guess wrong they end up paying or lose a sale.

Mala fide merchants don't care one bit; they'll be up and running under a new identity next week, so they never get stuck with these charges, they simply fold and play it again, and in that case the card issuers do eat the chargebacks.

A bona-fide merchant is a sitting duck, and trust me, this comes to a lot of money on an annual basis. Consumer fraud exists and it is a serious problem.


Yup, merchants don't just end up paying for the actual credit card fraud via chargebacks, they often lose tons of money on fraudulent chargebacks. In those cases the merchant will win the dispute and get the money they were owed, but will be out various non refundable fees ($20 per instance with the last dozen accounts I've worked with).


If you're lucky and a bunch of fraud cases happen in a month of low turnover you could even lose your merchant account.


Not to mention you're usually out the actual merchandise as well.


That's just an ad for 'homerun'.

Find insecurity in competitors service, make loud blog noises, drop payload.


Really, just an ad?

Amex's lack of security is no less interesting if it's discovered by a competitor. It's a pretty serious mistake by an organization you would expect to be more careful and knowledgeable about these things.


True, but read the comments. The organization reporting this is little better. ("Encrypted on the client" - which means they would be horribly exposed to man-in-the-middle attacks...)


By that token, all security advisories are just advertisements for the security researchers' services.


What's wrong with that? I removed that part from the conclusion to help fix your butthurt.


What's wrong with it is that it is about as relevant as Microsoft analyzing security problems in OS/X and posting them on their website or Apple evaluating Windows.

It's just an attack on a competitor and a veiled ad.

As for the butthurt, and this comment: http://news.ycombinator.com/reply?id=1379577 I think you're missing the tone of the conversation around you and it makes you stand out in a negative way.


In the old mail order days my dad used to write the cc number on the order form, in plain text!


The F-bombs really don't add anything to an otherwise decent write-up. Use some more creative vocabulary.


Sorry bro, I write the way I talk. Also: "shit, piss, fuck, cunt, cocksucker, motherfucker, and tits."


"This page is secure"?

This comment is complimenting American Express.


I canceled the Identity Protect service at AmEx after it routinely lagged (sometimes months) in notifying me of credit changes to my FICO or whatever. It is sad to see people pay $14/month for that service which, best case scenario, notifies you after somebody jacked your card and has long since moved away to a foreign country. Then I canceled my card too!

Really, identity thievery is an issue because of the banks and loan companies. They're perfectly willing to roll accounts with very little scrutiny and I don't understand why there are not class action lawsuits etc. to nail the lender, not the jacked identity. Search on "credit freeze" if you want the real solution.


Why would you even need the entire credit card number to sign up for a service like this? That's what boggles my mind the most. Amex really only needs enough data to identify one of their cardholders in such a way that no one can sign up for someone else.

Name + billing address + four last digits should be enough? Or eight last. Or four last + CVC. Asking for everything that's required for a purchase is beyond dumb. To me, it's like giving out your password while talking to customer representatives, that's also something you don't do.


Reading the discussion about credit card number security reminded me of this, which is worse than having some money stolen:

http://news.ycombinator.com/item?id=1129797


Unfortunately, most of today's "security" with regard to credit cards is merely there to deter the easy grabs. Any determined person could easily get anyone's details through a number of means.


Sure, but why not grab low hanging fruit?


While I don't know enough to refute the main fact, my gut feeling is that while that may be true, any company doing this type of work on the web needs to at least take care of the base amount of security (using HTTPS where applicable, not storing plain text passwords, etc.).


I would be inclined to take this more seriously if there wasn't an enormous distorted AMEX logo at the top of the post.


I don't do graphics, bro, sorry.


Eye opener. It's hard to believe, but then you have proved it. Merchants need to take this up with banks.


The issue is as old as the internet itself: do not use your primary card. Open a special one for electronic use only, with a separate account, instead.



