The Problems With Debit And Credit Cards Are Deeper Than We Thought (readwrite.com)
94 points by Cbasedlifeform on Jan 1, 2014 | 91 comments



This is why I use a credit card instead of debit cards. With a debit card the funds are drawn directly out of our account. With a credit card, there's a third party in between. The funds are initially paid by the bank, and only when I approve the purchase do I forward my funds.

For unauthorized transactions, credit cards are a piece of cake. I have several options - dispute or flat out not pay. The right to dispute is protected by law (in the US). Debit cards are a different story. When funds are fraudulently withdrawn, they are already gone. Now the burden is on me to convince the bank to reimburse me. I have to make my case to the bank and hope they side with me.

I really don't see what all the uproar with CC fraud is about. Use CC instead of debit cards, review your statement before making payment, dispute all fraudulent charges and stop worrying about fraud - that's the bank's job.

Also, -1 for disabling pinch-zoom on mobile devices. What value could this possibly add?


I switched to credit cards a few years back for the same reason. My debit card got compromised and about $4k was missing from my account right around the time I was supposed to pay tuition. It was a giant pain in the butt, but eventually the bank got it all sorted and the university let me pay a few days late.

With a credit card, that money isn't gone until I pay the bill, so disputing fraudulent charges is much easier. Also, cash back is nice.


>With a credit card, there's a third party in between.

Not always. My Visa plat credit card is directly linked to my bank account. Seems to be some weird hybrid - not really a debit card and not really a credit card.


If the funds come out of a bank account, and you have no line of credit, it's not a credit card. Visa and MasterCard both issue third-party (as in, not your bank) debit cards with their branding on them, as well as a value-added set of protections as part of their ToS.

Target's Red Card program is one of the most common, and it's a big reason that the Target security breach was such big news. When you're issued a Red Card, Target has the option of extending you a line of credit, or simply issuing you a debit card that is linked to your account. This gives them the ability to issue cards to people who would otherwise be non-credit-worthy.

Note: I don't mean to imply you're a non-credit-worthy individual. There are many reasons a person might have a Visa/MasterCard backed debit card. I have one, and my credit score is >780.


I live in the EU, and it seems our systems are better protected against fraud.

I have a MasterCard dual debit/credit card with an electronic chip (EMV), but no NFC (radio payment). At the POS, I can select between the debit/credit function. I normally use debit for small purchases. It's immediately billed from my bank account.

Every transaction is authorized by my PIN, which I understand is required to extract the cryptographic authorization from the on-card EMV chip. For two years now, almost every POS has had an EMV reader. If you can't remember your PIN, the card still has the magnetic stripe and signature function, but you must show an ID for every purchase.

I understand that EMV + PIN systems are now mandated by the credit card issuers in that the retailers are covered by an insurance against fraudulent transactions only if they have an EMV reader. That is, in case a stolen card was used, the retailer will get its money if and only if they had an EMV system and/or asked to see ID if the buyer couldn't give a PIN.

There's also an online database of stolen card numbers against which larger purchases (>150€) must be always validated, and a 24/7 phone service for both reporting stolen cards and checking if a card is stolen. If the retailer can't access the database electronically, they must manually call in and validate the card using good-old telephone for those large purchases.


Let's see you categorize this card then:

- Pin & Chip EMV Visa Platinum

- Comes with a "Visa Facility", meaning it can go into the red

- Referred to as a "credit card" in the marketing brochures

- ATMs list it as a "credit card"

- 30 days interest free & does the whole minimum payment thing

- Money goes directly off the bank account

- One account...no moving money between credit card and bank account

- Full banking functionality

- Has a credit component but doesn't show on my credit record at all

- Card keeps working after you hit the supposed facility limit

- Fraud dispute mechanism is similar to debit cards

I'd love to hear how the bank managed the above.

>I don't mean to imply you're a non-credit-worthy individual.

Haha. No worries. It's actually the most prestigious card issued in my country. (Until Amex brings their Black Centurion anyway).


In the US, such a card is known as a "check card".

A check card is a debit card linked to a bank account but sporting a credit card logo and having an account number falling within the range allocated to the credit card brand. Charges made go against the bank account directly (and any line of credit which may be attached thereto).

You can use it in either debit or credit mode. In debit mode, you swipe and input your PIN, and the charge request, including the encrypted PIN, goes over the debit network to your bank, which debits your account in real time more or less. In credit mode, you merely swipe and sign, and the charge goes over the credit network, reaching your bank somewhat later. In neither case is it really a credit card, unless you have and use an attached line of credit. Most check cards don't have lines of credit.

Some years ago, my bank switched their ATM cards to check cards. When I got my new card and saw the Visa logo and read the brochure, I called the bank and asked if the card could be used to make payments without entering the PIN. When they said yes, I said I didn't want it. A couple of days later, a new card without the credit card feature arrived in my mail.

ATM cards are ATM cards. I use them to get folding money. I use credit cards only to buy stuff.


Cheque card sounds about right. Though the process seems to be entirely different for EMV cards.

e.g. Pin + Chip transactions can be stored offline and uploaded later so they don't necessarily go through in real time. Also, Swipe + PIN doesn't seem possible under EMV. It seems to be limited to Pin + Chip or Swipe + Signature or if you're down under Chip + Signature.


> if you're down under Chip + Signature.

Signatures are being phased out for all face-to-face transactions within 6 months http://www.pinwise.com.au/


It seems to me that if a card can directly debit funds from your bank account, it is by definition a "debit card."

The value of a credit card is that I get to choose to pay the bill each month. If something goes wrong, the card issuer has to sort it out before they get my money.


One reason for disabling pinch zoom on mobile is that it allows click events (taps) to be registered immediately. When zoom is enabled, there is a 300ms delay to see if it was a double tap: if a second tap happens during that 300ms, then the browser zooms the page instead of firing a click event.

(Unfortunately, there is no way to disable "double-tap to zoom" while keeping "pinch to zoom" enabled. It's all or nothing.)

Some people don't notice it, but I do and I find that sites do feel more responsive when zoom is disabled.


Can't say it was a bad experience for me with the debit card. I've been charged ~10 times for the same plane ticket once (most likely charged until the bank refused more overdraft). Got a message about an overdraft straight-away on my mobile, called the bank, said only "that's a mistake, there should be only one" and the transactions were reverted immediately. (then the airline refunded them on their end again and reverted the refund when they realised the bank was faster, but in the end the balance was ok)

So yeah, in theory it's easier to get the credit card charge disputed. In practice, it probably depends on your bank a lot. This happened in the UK btw.


I think one should be able to easily see the difference between your situation and every fraudulent situation, namely that the balance was OK in the end.


The balance was not ok when I reported it. The bank reverted the transactions immediately, without contacting the merchant. It was while I was still ~2k below.


Which bank are you with? I'm with Lloyds Bank (what used to be Lloyds TSB), and they won't send me a text message or email when I go into overdraft, only snail mail.


Lloyds TSB. You can turn the notification on yourself after logging into your account online.

Right-hand side, "Your account tools" -> "Mobile Banking" -> "Low Balance Alerts"


> ATM cards with their current security are too dangerous to use... We no longer use ours. They stay in a secure place in our home.

Um... how does he get cash out of the bank then? Does he wait 10 min in line and write himself a check at the cashier's every time? Can you even do that anymore, without using your ATM card and PIN to verify your identity?

And are people ever on the hook for fraud? I get that debit/credit cards have problems, but I don't see why any individual person would stop using them. Is anyone ever not reimbursed for fraud?

Occasional fraud is like the occasional car accident -- sometimes somebody will hit your car, and you'll have to file an insurance claim, and it might take a few weeks to resolve. Sure it's annoying, but that doesn't mean you decide never to drive a car again.


I don't have an ATM card either, and it's not that bad. Yes, there's maybe a 5 minute wait to speak to a teller on occasion, but all it takes is a photo ID (and sometimes my bank issued credit card, depending on what I'm doing with the funds) to access my money. And I go to the bank to get cash maybe a few times a year, pull out a grand or two, and keep it in a safe at home until I need it (going every week or two would be lame).

You're right that fraud is going to happen, it's part of life. The difference is, when you use a credit card, your money hasn't gone anywhere. If it's a debit card, that money is no longer in your account until (if?) the fraud gets resolved. I know first hand how much of a pain it can be to lose thousands of dollars for a few weeks while things get sorted out, which is why I switched to credit cards. That, and the free money they pay me. Mmmm, delicious free money...


> Um... how does he get cash out of the bank then? Does he wait 10 min in line and write himself a check at the cashier's every time? Can you even do that anymore, without using your ATM card and PIN to verify your identity?

I go to the credit union around the corner from my office, most of the time is spent walking to and from the CU. The line never takes more than 3 minutes. Usually there's no one in line.


My bank is essentially only online, no offices, certainly not just around the corner (I think the closest is >100 miles away). What then?


Many options:

1) Paypal check (can be used directly at Walmart and other places).

2) Pay-online-&-pick-in-store services.

3) Online buying; Amazon, ebay, etc.

4) Online groceries: Safeway, Walmart and others have this service.

5) You can buy a prepaid credit card so they can't steal more than the amount you charge in it but still can use it in ATMs and stores.


Get a new bank? Only transfer money into the debit account when you're going to withdraw that amount right then? Or don't use cash if you can avoid it?


I can't speak for him, but I haven't had to take cash out of an ATM in years. The last time I used an ATM, a few months ago, was merely to ensure that my card still worked. It turned out that it had expired a year before and I hadn't noticed.

I just don't spend cash that often. I use cards for almost everything. A little bit goes a long way like that.


I use CC whenever I can or iPhone Passbook for Starbucks, etc. but many places will not take CC for purchases less than $10, eg to buy a coffee or a muffin in the morning at some smaller non-chain shop. Often I get cash at grocery store debit with cash back and don't use the ATMs.


Requiring a minimum charge is barred by the merchant's contract with the credit card company. By that contract, they are not permitted to do so.


No longer true in the US: http://www.business.ftc.gov/documents/bus78-new-rules-electr...

"A PCN cannot stop you from setting a minimum dollar amount for accepting credit cards for payment as long as the minimum is the same for all credit card issuers and PCNs, and isn't more than $10.

What's new about that? PCNs sometimes prohibited merchants from refusing to accept a credit card as payment if the customer's purchase didn't exceed a certain amount. For example, if you accepted credit cards at all, the PCNs or banks might have said you had to accept a credit card for even the most minimal purchases"


Most people don't know this. I usually just leave the items I was going to buy on the counter if they tell me there's a minimum. Most of the time they'll change their mind and take my card, after first trying to slap me with a $0.50 surcharge that I decline.


> Um... how does he get cash out of the bank then?

Perhaps he meant "random" ATM machines at gas stations, in the mall, or wherever, and instead only uses the ATM at his bank's branch. Which hopefully is more closely monitored since they are attached to or inside the building.

That being said, I withdraw cash maybe twice a year. If you aren't getting credit card rewards, you are doing it wrong :)


Almost all the banks in my area have drive-thru lanes. You can drive in, write a check made out to "Cash", send it through the pneumatic tube with your ID, and get your cash. It's nearly as fast as an ATM.


I use cashback on my Discover card. It lets you take extra cash when you check out at participating stores (grocery). No extra charges. I rarely use my ATM card.


Yea, I use cash whenever possible.


Damn it I want the same two way verification option Google provides that allows me to approve or deny a charge over X amount either via a phone call or text message.

The X amount would be set by myself, but the amount set would have to be something like $300 & over.

The cost and time to implement this option for US bank customers would be nil compared to implementing Europe's chip and pin system.

US banks have no current incentive to implement the European system as it's too costly compared to the fraud that's happening. Thus we need a less costly & quick solution. This is one; does anyone have others?


EMV (known as Chip and PIN in the UK) is coming to the US in 2015: http://www.bankinfosecurity.com/interviews/visa-on-emv-in-us...


> the European system [is] too costly comparative to the fraud that's happening

Citation needed


FWIW, I've been with 5 European banks and never had a single instance of fraud.


FWIW, I've been with three US banks and have had zero instances of fraud. :)


The industry just needs a kick in the pants to move to one time generated cc numbers. There are companies making such cards that are physically compatible with existing card readers. I had read about it, but cannot find the company name, I believe they had some sort of patent but were struggling.

The company said they had a credit card which provided one time numbers when swiped so was immune to skimming. I think the industry should move to such smart cards and there are different methods to secure transactions online.


I will also comment that they don't have the kick in the pants because they mostly shift the risk. If a merchant accepts a stolen credit card, they simply reverse the charge and the merchant is left holding the bag. They just ship out a new card and reverse charges. They do not have a financial incentive to fix this problem because it doesn't affect them much. If it does they will probably just collude with each other and raise rates across the board. It may take outside incentive (regulations) to make them fix it.


How are chip and pin cards "completely unsuitable for ecommerce and mobile payments"? I can manage both of these fine in the UK.


Yeah, Chip and PIN (EMV) in the UK is much better for security, we have a lot lower rates of card fraud here than in the US. In fact most of the world has now switched to EMV, the US is the only major country that I can think of which is still on swipe payments.

The problem goes further than the cards themselves though, I think the big problem with them is that you have to give companies all of the details needed to make a charge when you buy things online, and those details are stored. Other comments here are right, the main way to deal with this is single use card numbers that can be revoked individually.

I think a good way would be to implement something similar to what OAuth does. When you want to make a payment to Amazon for example, you tell your bank who you are and after authenticating you, they would provide a token to Amazon who can store that to use for purchases. If at some point in the future Amazon were 'hacked', the bank could revoke charging authorization for all tokens given to Amazon, immediately protecting all of their customers.
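The bank-issued, merchant-bound token scheme sketched above, as an added example (not the commenter's design or any bank's code): the bank binds each token to one merchant with an HMAC so a token leaked from one merchant's database is useless at another, and can revoke every token it ever issued to a merchant in one call. Names, the MAC construction and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PaymentToken:
    token_id: str
    merchant: str
    account: str
    revoked: bool = False


class BankTokenService:
    """Toy bank-side issuer of merchant-bound payment tokens (constructed example)."""

    def __init__(self):
        # Assumption: one server-side MAC key held by the bank; the merchant never sees it.
        self._key = secrets.token_bytes(32)
        self._tokens = {}  # token_id -> PaymentToken

    def _mac(self, token_id: str, merchant: str) -> str:
        # The merchant name is part of the MAC input, so the token only verifies
        # when presented by the merchant it was issued to.
        msg = f"{token_id}|{merchant}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, account: str, merchant: str) -> str:
        """Called after the bank has authenticated the cardholder. Returns the opaque
        string the merchant stores instead of a card number."""
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = PaymentToken(token_id, merchant, account)
        return f"{token_id}.{self._mac(token_id, merchant)}"

    def charge(self, presented: str, merchant: str, amount: int) -> str:
        """Returns 'approved' or the reason the charge was refused."""
        try:
            token_id, mac = presented.split(".", 1)
        except ValueError:
            return "malformed"
        # Check the binding before touching the store, so a token stolen from
        # merchant A and replayed by merchant B is rejected.
        if not hmac.compare_digest(mac, self._mac(token_id, merchant)):
            return "wrong_merchant_or_forged"
        rec = self._tokens.get(token_id)
        if rec is None:
            return "unknown"
        if rec.revoked:
            return "revoked"
        # A real service would debit rec.account for `amount` here.
        return "approved"

    def revoke_merchant(self, merchant: str) -> int:
        """Breach response: invalidate every live token issued to one merchant.
        Returns how many tokens were revoked."""
        count = 0
        for rec in self._tokens.values():
            if rec.merchant == merchant and not rec.revoked:
                rec.revoked = True
                count += 1
        return count
```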


Chip and PIN should be better, except they fucked up the crypto such that anyone who stole your card could use it without knowing your PIN but still make it look like a PIN transaction - so you'd be liable for the fraudulent transaction since obviously you didn't take sufficient care to keep your PIN secret.


Isn't that kind of what Verified By Visa/MasterCard SecureCode tries to do (but implemented amazingly badly)


Although there are some problems with the implementation, I've come to like it for a couple of reasons:

(1) It authenticates features of your browser (like user-agent, IP address) to score the transaction. These are somewhat hard for an attacker to duplicate.

(2) With some UK banks, it is combined with a hardware one-time password generator to form a reasonably robust two-factor authentication.

Now there are certainly problems, such as it appearing in a frame, and not appearing as a subdomain of your bank, and those should be fixed.


The main problem with Verified By Visa (and whatever MasterCard calls it) is that in using it, you agree to be liable for it as if it were a card-present transaction, which is ludicrous for online purchases. Whenever I'm stopped to sign my card up for "Verified By Visa," I immediately switch to a different card because of the reduced protection I would have to agree to with "Verified" transactions. It's simply a way to shift responsibility onto the purchaser with no additional protection.


I used to run into the VBV screen when ordering from Newegg. It's been a while so I don't know if things are the same. I refused to consent to the terms for the reasons you gave. Instead, I just closed the browser. The funny part is that my purchase would still go through.


MasterCard SecureCode / "3D Secure" or whatever they call it, has been active on my card for many years and I never had any problems whatsoever. Always worked like a charm.. And the upside, nowadays I don't worry anymore about anyone storing my CC number on their unsecured servers.


I think 3D Secure only prevents doing transactions without double auth in "3D Secure enabled" online shops. In the shops that don't have that implemented, the transactions can go through (though probably those shops pay higher provisions).


Correct. The payment gateway usually has a setting to enable/disable 3D secure as a feature.

You also get a failed transaction report, some people can have 4-5 goes before giving up on their purchase. Sometimes to countries somewhere abroad the customer gets a form to fill in to apply for having this extra check on their account (because there is no 3D secure in the country where they have their card registered or it is not customary to use it).

It would be nice to use 3D secure as an extra feature, and, as a retailer, set it on a case by case basis, e.g. to an order that is for somewhere overseas or over a certain value.

In the UK a fraudulent order is a fraudulent order, as a retailer you are on your own dealing with it. Putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.

Address verification is a 'soft fail' if you want it to be. It will compare the address by numbers, so someone entering 'Flat 2' in the primary address line will fail the system if the address is actually 'Flat 2, 34 Church Street' as '34' is expected for the match.

There is no system guaranteed to work, except Paypal, that you pay for in fees.

These matters aside, the system of swipe only in the US just gives most people in the UK scary feelings.
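The number-only address comparison and the retailer's "soft fail" handling described in the comment above, as an added example (not the commenter's code or any processor's real AVS algorithm): numeric tokens are pulled from each address line and compared, and a partial result is either shipped-with-review or held depending on the retailer's soft-fail setting. The result names and the policy function are assumptions.

```python
import re


def address_numbers(text: str) -> list:
    """Numeric tokens in order of appearance: 'Flat 2, 34 Church Street' -> ['2', '34']."""
    return re.findall(r"\d+", text)


def avs_numeric_result(entered_line1: str, card_line1: str) -> str:
    """Model of a number-only AVS check (constructed).
    'match'    - same numbers in the same order
    'partial'  - every entered number is on file, but some on-file numbers are missing
                 (the 'Flat 2' vs 'Flat 2, 34 Church Street' case from the thread)
    'mismatch' - a number disagrees or nothing numeric was entered"""
    entered = address_numbers(entered_line1)
    on_file = address_numbers(card_line1)
    if entered == on_file:
        return "match"
    if entered and all(n in on_file for n in entered):
        return "partial"
    return "mismatch"


def accept_order(entered_line1: str, card_line1: str, soft_fail: bool = True) -> tuple:
    """Retailer policy: with soft_fail on, a partial result still ships but is flagged
    for manual review; with it off, anything short of a full match is held."""
    result = avs_numeric_result(entered_line1, card_line1)
    if result == "match":
        return ("ship", result)
    if result == "partial" and soft_fail:
        return ("review", result)
    return ("hold", result)
```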


> In the UK [..] putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.

Having lived in the UK for 3 years, I'm not sure anyone's "house size" over there is a good indicator for, well, pretty much anything ;D


> implemented amazingly badly

The implementation I can live with. The fact that it's opt-in is entirely fatal though. Criminals just need to find a website without it. So the only person inconvenienced by it is me.


Verified by Visa and Mastercard 3D Secure were an attempt to implement something similar to this, but were a disaster. I recommend the paper "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication" by Steven Murdoch and Ross Anderson, who have been involved in quite a lot of the security research surrounding EMV.

http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

EMV has its problems. I've worked with a few researchers who have targeted the security of it in several ways and found some quite serious issues, so I'm quite aware of the security implications. However, in terms of practical criminal use, having the challenge and response mechanism with the card is a significant improvement over the static data of a magstripe.

That said, an interesting piece of British law is the fact that a signature forgery is never the responsibility of the victim. This means that if someone fraudulently signs for a payment, you are not responsible for the charges at all, whereas if someone watches you enter your PIN, or you tell it to someone and they subsequently use it to make payments, this is your responsibility. The grey area for a while was that the companies behind EMV said it was 'uncrackable' (never a good idea) and refused to take responsibility for charges that some users claimed had been made without their PINs being revealed by them. Anderson and the Cambridge security researchers demonstrated a proof of concept a few years ago that showed how it could be used without any disclosure of the PIN, and since then card companies and banks have been a little more receptive to taking on the responsibility.


Prepaid cards are another option. It seems that carrying an ATM card that can clean out all your cash is a bit crazy. The problem with prepaid credit cards is that as with anything else in your financial world, it costs you money. As they become more popular they also get more competitive on their costs though. I believe my Paypal card also has an option to set daily limits. I imagine other cards can do the same. Just set a limit based on your daily budget and then maybe carry another prepaid card as a backup.


Interesting, but regarding ChipNPin cards, the assertion that they are "unsuitable for e-commerce " is not correct, I've used mine quite a lot.


There is another system for e-commerce, where the card generates a new credit card number on the fly for each transaction (I know Visa Electron is this kind of system).

edit: I got it wrong. Visa Electron is a systematic checking card (the shop has to call the bank to get the authorization every time), the short validity disposable card numbers has another name.


The chip and pin system would help. Credit card issuers in the US haven't gotten on board yet because the amount of losses prevented by chip and pin isn't high enough to offset the cost of a rollout. Using a debit card is just asking for trouble... ATMs should be used in rare circumstances at reputable banks etc. I can remember hearing about ATM skimming scams over 7 years ago in the US. This is nothing new.

Consumer advocates such as Clark Howard http://www.clarkhoward.com/news/clark-howard/personal-financ... have been talking about this for years. I won't even get into the security risks of using a check to pay for something... and the sad thing is that I know people who will carry around their checkbook and still use them way too often. Once someone has your checking account number it is really easy to do all sorts of bad things. That is why I prefer online bill pay services etc.


"because the amount of losses prevented by chip and pin aren't high enough to offset the cost of a rollout"

Over what time period? Sure, there's a high cost over a short rollout (6-12 months?) The savings in prevented losses go on for years.


If it was bad enough now, I'm sure they would be pushing for it sooner rather than later. With that being said if this article is to be believed then it will be coming in the next few years.

http://www.creditcards.com/credit-card-news/us-slowly-rolls-...


Been living in a couple of European countries in the last few years, luckily I never fell prey to any fraudulent operations (I pay online sparingly, mostly for air tickets; paying by card and using ATMs quite often).

There are multiple ways to minimize the risks in very simple ways, and it's strange the banks/card companies do not care about it.

1. Have separate cards for ATM+payments and separate ones for just online transactions. As simple as that. In Poland many banks offer "virtual cards", i.e. just a CC number + CVV for internet-only transactions. But it usually costs extra (though rather cheap).

2. Suppose 1. is impossible, then why on earth is the CVV printed on the back of the CC?

3. Being a geek, I'd love to have a superuser panel in my online banking interface where there would be on/off switches like: enable this card for particular regions/countries, enable for internet transactions, etc etc. I'd turn them on if I plan to go to Indonesia or Colombia; for 90% of people random transaction in a remote country is a fraud.

4. In one of my banks I can't change the PIN of my debit card in the ATM. WTF? Well maybe it's a security feature, otherwise people will put 1111 and be happy [1]

5. In one of my online banks, my login is publicly known (part of account number) and password is max 6 digits (0-9) <sigh>

IMO the best always-available precautions are to

1) keep just a bare minimum on the primary account and put the rest on a savings account, which can't be accessed via card outside the issuer bank's ATMs,

2) monitor transactions via online bank at least weekly.

[1] http://www.datagenetics.com/blog/september32012/index.html


Deutsche Bank online banking allows authorizing bank card use in foreign countries. The feature is only available on the German version of their website. I can also set daily / weekly limits for my bank card. For online transactions, I think 2 factor authorization is used. (e.g. enter a TAN)

For my bank account in US, I am not aware of any option for authorizing foreign transactions online (only calling the bank), nor setting usage limits. I can set alerts to be notified for transactions, but only $100+ transactions.

The one time I did get "hacked", it was with another card where I got notified immediately by email each time it was used. So I found out quickly when thousands of dollars were being spent on iTunes! I think those were in a rapid series of smaller transactions (can't remember, less than $100 or more, but maybe less). The notifications allowed me to promptly get my card cancelled to at least limit the damage and then I was able to get my money back. The lesson is for stuff like iTunes (well, I don't like to use them anymore), but generally to buy gift cards, when possible, for online shopping/services and put the credit onto my account. For more popular places like Amazon or iTunes, gift cards can be bought in many brick and mortar places with cash. Then I don't have to give them my credit card or bank info.


The issue with transaction limits (while they're good in general) is exactly what you've mentioned, lots of small transactions quickly after each other do not get blocked.

Actually this is now one of the most popular card frauds in Poland right now: the majority of newly issued cards are paypass/paywave-enabled and moreover, offline (not checking the balance while paying, and usually there's also no limit imposed on the number of consecutive operations without PIN - though technically it would be trivial to implement).

I.e. you can even give someone a negative balance on his account with a series of rapid small (<12€) touch transactions, and many people are not aware of this, while banks keep telling people that everything's super secured.
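The issuer-side check the comment above says would be trivial to implement, as an added example (not the commenter's or any bank's code): a velocity rule run over a constructed series of small contactless no-PIN taps, which flags when too many such taps happen in a row without a PIN-verified transaction, when their sum within a window exceeds a limit, and when the running total would overdraw the balance that an offline terminal never checked. The thresholds and the transaction record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    when: datetime
    amount: float        # EUR
    contactless: bool
    pin_verified: bool   # False for a no-PIN tap


# Policy knobs (assumed values, not taken from any real issuer):
MAX_NO_PIN_IN_A_ROW = 5            # force a PIN after this many consecutive no-PIN taps
WINDOW = timedelta(minutes=30)     # velocity window for cumulative no-PIN spend
MAX_NO_PIN_SUM_IN_WINDOW = 50.0    # cumulative no-PIN spend allowed inside the window


def velocity_alerts(txns, balance):
    """Scan transactions in time order and return (index, reason) alerts.
    The consecutive no-PIN counter resets on any PIN-verified transaction,
    mirroring an issuer forcing PIN entry after N taps."""
    txns = sorted(txns, key=lambda t: t.when)
    alerts = []
    consecutive = 0
    running = 0.0
    for i, t in enumerate(txns):
        running += t.amount
        if t.pin_verified:
            consecutive = 0
            continue
        consecutive += 1
        # Sum of earlier no-PIN taps (this one included) inside the window.
        window_sum = sum(
            u.amount for u in txns[: i + 1]
            if not u.pin_verified and t.when - u.when <= WINDOW
        )
        if consecutive > MAX_NO_PIN_IN_A_ROW:
            alerts.append((i, "too_many_consecutive_no_pin"))
        if window_sum > MAX_NO_PIN_SUM_IN_WINDOW:
            alerts.append((i, "no_pin_spend_over_window_limit"))
        if running > balance:
            # Offline terminals never saw the balance; this is the negative-balance case.
            alerts.append((i, "balance_overdrawn_offline"))
    return alerts


def sample_rapid_taps():
    """Constructed: eight 11 EUR contactless no-PIN taps, two minutes apart."""
    base = datetime(2014, 1, 1, 9, 0)
    return [Txn(base + timedelta(minutes=2 * k), 11.0, True, False) for k in range(8)]


def sample_with_pin_break():
    """Constructed: four small taps, one PIN-verified purchase, four more small taps."""
    base = datetime(2014, 1, 1, 9, 0)
    taps = [Txn(base + timedelta(minutes=k), 5.0, True, False) for k in range(4)]
    taps.append(Txn(base + timedelta(minutes=4), 5.0, False, True))
    taps += [Txn(base + timedelta(minutes=5 + k), 5.0, True, False) for k in range(4)]
    return taps
```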


Well, I can set a limit of say 500 euros (or whatever I need) per day. So even with a lot of smaller transactions, there is a point where they would stop.

Damage can still be done, though and I'm not aware if/how I can get alerts for transactions. So I need to remember to check my account often.


In Portugal there is a centralized system that allows people with cards from almost any bank in the country to generate virtual credit cards with any limit you desire for free.

It feels a lot safer to shop online in that way.


What's the name of this system? I'd like to read more about it.



One of the challenges of not having debit cards is you can't get cash "for free" with a credit card, basically if they don't charge a cash advance fee, they do charge finance charges from the moment of the advance to the payment landing.

One strategy might be to use a 'pay as you go' debit card where you can put money on it using a banking service, but leave it normally with less than a $20 balance. Then using your smart device you add cash and then get it, in the event you need cash, but if the card is compromised you don't put any additional cash at risk.

It is pretty broken. I'm really surprised the banks are willingly eating those losses.


How much are the finance charges? Many ATMs charge anywhere from a buck to three dollars for a withdrawal, unless you go to your "home bank".


By finance charges, he means interest, not a fee. In the US, cash advances on a credit card typically incur interest immediately rather than after the billing cycle ends (barring some sort of promo).


Sure, but how much is the instant-interest on the amount withdrawn compared to a $3 ATM fee?


Cash advance APR multiplied by whatever you withdrew, multiplied by however long it takes for you to pay it.

There's no single answer to that question.


I find it odd that in a world where people can configure two-factor authentication for their email, we're not doing it universally for money.

My Australian debit card requires a PIN for anything over AUD 100 at a store, and if I'm buying online I get an SMS from my bank to provide a confirmation code. Seems sensible.

Additionally, even though it's a debit card, transactions are generally left pending for 4-or-so days during which I can call the bank and have them blocked.


The banking system took the easy way out at every step of the process that led to our current electronic money system. No surprises there, banks are immoral corporations. The emergent system is utterly insecure. Again, no surprises, people have been saying that the credit card system is totally compromised for years.

So, we have to look at the root causes of this insecure emergent system:

1. Almost completely unencrypted. The USA's (also possibly emergent) policy on cryptography is to keep it out of general use. Clearly, the NSA knew enough about cryptography in the 70s and 80s that they could have guided the US banking system in a more secure direction. But they didn't, apparently for fear of giving away secrets. Or something.

2. Letting corporations develop de facto electronic money. Crappy security is just one aspect of this problem; others are ridiculously high interest rates, and the fact that it's cheaper for corporations to take checks than to take credit card payments, as the US Federal Government runs the check clearing houses for free or almost free.


Mag stripe fingerprinting, if widely implemented, can prevent a lot of offline fraud. It seems all the fraudulent transactions cited in the article were of the offline variety.

http://blogs.creditcards.com/2013/04/cards-mag-stripe-finger...


I don't understand people who use debit cards to purchase things; it just doesn't make much sense to provide anyone with a direct line to your bank account...

Not to mention using your CC will build your credit score making it easier to buy a house/car/big purchase.


He keeps saying "ATM card" but is he really talking about a debit card? They are different. But he never makes it clear he gets the distinction. They are both vulnerable, but this lack of clarity throws his credibility into question for me.


I don't see how credit card fraud is the customers' problem. Max exposure is $50. When you file a chargeback, you get the money credited back on CNP transactions. Merchants are the ones who get nailed. Not only for the lost product but also the fees associated with chargebacks. As an e-commerce merchant, I would love to have more protections against fraud, especially the increase in friendly fraud (customer defrauding us by use of chargebacks). As a customer, I would fear the burden of proof shifted to me instead of the merchant when dealing with fraud. This is why I don't use 3-D Secure (Verified by Visa) online or PIN-based transactions at stores.


The problem as I see it is very simple. When you hand over cash, that's it, that's the end of the transaction. The 'seller' can't use this cash to access any more of your money. On the other hand, using any of these systems, you don't hand over a fixed amount of money, you hand over the keys to your account, and allow them to take out as much money as you want.

I don't know why the system hasn't been designed in a way where you only authorise 1 payment at a time, and the combination of information provided goes stale after that transaction so it can't be used again.
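An added sketch of the one-payment-at-a-time scheme this comment asks for (my own illustration, not part of the thread and not how any real card network works): the issuer binds a single-use code to the merchant and amount with a per-card HMAC key and marks it spent on first use, so a captured code is useless for a replay, a different amount, or a different merchant. The class, method names and the HMAC construction are assumptions.

```python
import hmac
import hashlib
import secrets


class Issuer:
    """Constructed model of a card issuer handing out single-use, amount-bound payment codes."""

    def __init__(self):
        self._keys = {}    # card_id -> per-card secret, held only by the issuer (assumption)
        self._used = set() # codes already redeemed; any replay is rejected

    def enroll(self, card_id):
        # Fresh 256-bit key per card; never leaves the issuer.
        self._keys[card_id] = secrets.token_bytes(32)

    def _tag(self, card_id, merchant, amount_cents, nonce):
        # The MAC covers merchant, amount and nonce, so none can be altered after issuance.
        msg = f"{merchant}|{amount_cents}|{nonce}".encode()
        return hmac.new(self._keys[card_id], msg, hashlib.sha256).hexdigest()[:16]

    def issue_code(self, card_id, merchant, amount_cents):
        # Called by the cardholder's device when they decide to pay exactly this amount here.
        nonce = secrets.token_hex(8)
        return f"{card_id}.{nonce}.{self._tag(card_id, merchant, amount_cents, nonce)}"

    def authorize(self, code, merchant, amount_cents):
        # Called when the merchant presents the code for settlement. Returns True once, then never again.
        try:
            card_id, nonce, tag = code.split(".")
            expected = self._tag(card_id, merchant, amount_cents, nonce)
        except (ValueError, KeyError):
            return False  # malformed code or unknown card
        if not hmac.compare_digest(expected, tag):
            return False  # amount or merchant differs from what the cardholder approved
        if code in self._used:
            return False  # the information has gone stale: already spent
        self._used.add(code)
        return True


def demo():
    """Constructed walk-through: one legitimate charge, then a replay and a tampered amount."""
    issuer = Issuer()
    issuer.enroll("card-1234")
    code = issuer.issue_code("card-1234", "shop.example", 4999)
    return (issuer.authorize(code, "shop.example", 4999),   # True: approved payment
            issuer.authorize(code, "shop.example", 4999),   # False: replay
            issuer.authorize(code, "shop.example", 9999))   # False: amount changed
```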


Credit cards are more secure than Debit cards, but they lack one important feature: protection from overdrawing more than the amount in the account (overspending). Why don't banks offer this type of credit cards?


Most credit cards let you set the spending limit as low as you like (I don't know if there's a floor, but I would bet you could set it to $100.)


I could have sworn credit cards will be rejected if you hit your credit limit.


If you try to get some "unreasonable" amount of money from them - probably. Anything that you're remotely likely to pay off in penalty charges is unlikely to get blocked. That means an unauthorized overdraft of $1k that you don't have is a good deal for the bank.


Hmm. I guess I don't really know for sure, my credit limits have always been much, much higher than my spending.


Reading the comments, I feel like I'm the only one more worried about someone physically stealing the money from me than about a dispute I cannot complete. In the first case I can't do anything about it. In the second I have good experience with reverting debit card transactions without any problems...



The part where you have to give your banking user/pass to PaidEZ kinda makes me nervous. I really wish banks would start picking up the trendy features of today like OAuth, API keys, user-defined daily limits & callback URLs like webhooks in GitHub (this would be awesome).

At least my Patelco Credit Union doesn't have any of this =/

The bank that starts doing this kind of power-user/geeky stuff will be very successful. Maybe some start-up should play as the middle-man to your bank and add all these features. Like say you give PaidEZ your routing/acct info so it can ACH withdraw and deposit, then you carry around a PaidEZ debit/credit card with all the cool features.


First of all, that comment is very exciting to me: you totally get what we're doing, you just didn't know you got it. That's awesome. Two things I'd like to clarify:

1. We DO OAuth (or whatever protocol they provide us) into your bank - we don't ever "know" your username or password, the system just goes into your online banking and gets the info it needs to make the payment. We're Regulation E compliant, so we can't do anything you didn't authorize us to do and if you have a disputed payment, we can reverse it.

2. The "middle man" thing you're talking about is what we are. The demo you're seeing is of our consumer facing payments brand, but at our core we're building this as a bank neutral OS/API for good-funds ACH payments. This means merchants or apps won't have to do all this integration with banks, they won't have to pay fees on payments (we don't charge fees on payments), and they won't have to deal with Credit Card BS.


Follow-up on the question I asked in a recent thread (thanks for answering): looking at your video, it seems I have to type the username/password for my bank account into your website. That would qualify as "knowing" them? I realize that doesn't give you full access since most banks now require a card reader and/or 2nd password for any transaction, but it does worry me about additional vulnerabilities.


Great question - and as a side note, sorry to the people on HN I'm going to be bothering about this for the next 6 months. We're building this for Hackers and this is where they live - should be a mutually beneficial relationship though.

Anyway, you don't have to put your username/password into PaidEZ's site - the API can be integrated anywhere. But that said, I don't think that was your point - you're right that the client (browser, app, whatever) KNOWS the username and password while it's OAuthing into the bank, but that's always the case when you log in to your online banking. Short of that, we do not know it.

But you're right, that is another layer of vulnerability. No two ways around that, and one that we take very seriously. It's not, however, an added layer of vulnerability compared to entering a Credit Card number - that has the exact same problem, and it's a larger problem because canceling or changing a Credit Card when it's stolen is a BITCH of a process. Changing your password and reversing payments with PaidEZ and your online banking is a breeze.

I should add, nobody has ever had a security issue with PaidEZ up to this point, and we've processed thousands of transactions. I understand that doesn't mean much right now (if it means anything at all), but I don't want to give the impression we've had any security breaches up to this point. We have not.


Wow, well PaidEZ is awesome then!


Haha well there we go! We'll be launching our APIs at least publicly around late February, so stay tuned! Also going to change the name FYI, but haven't settled on what.


The relevant technical solutions have all been deployed in Europe for decades; the problem is not technical.


Agreed, but they are technical in that right now they're really hard to use. We're fixing that.



