What was most surprising about this is not the fact that there is a group of people exploiting Stripe’s payments, but that the author had ChatGPT write a script to automatically handle payments processing, specifically for chargebacks. And based on the context in the article, the author sounds like they lacked the technical skill to write or validate these scripts themselves.
This author is jumping out of the frying pan and into the fire. ChatGPT is cool and all, but the fact that they’re trusting it to write critical code for handling their customers money speaks volumes. They’re incredulous at how they feel Stripe violated their trust in it to manage fraud, but then go ahead and blindly place it in another technology they don’t understand. The problem isn’t Stripe (though, yes, they should fix this), it’s the fact that they are just giving away trust and hoping for the best.
> the author had ChatGPT write a script to automatically handle payments processing, specifically for chargebacks
Feels like a mischaracterization tbh.
He had it make a script to go through and accept the chargebacks for these accounts, not handle payment processing or do anything to the chargebacks other than click "accept" essentially.
> And based on the context in the article, the author sounds like they lacked the technical skill to write or validate these scripts themselves.
I also don't really get where you're getting that from.
The author even said
> I reviewed all of the scripts carefully, and also never shared any customer data, IDs, or API keys. I think I saved at least a couple hours compared to hand-rolling these tools manually!
ChatGPT is not capable of writing production quality code. Many (most) companies have internal policies against deploying any code written by an LLM. The point isn’t to slow devs down, but to mitigate risk. This is especially important in the customer/payments stack. This is not the right place to “save a couple hours”. Maybe if this was for some one-off offline analysis, sure.
The fact that it works is insufficient proof that it was the right thing to do. Building a habit of relying on LLM generated code is an inherently risky practice, and ChatGPT will literally warn you against trusting its outputs. Sure, it lets you growth hack your way through sort term problems, but in the long term I’m not convinced this is responsible decision making at the current levels of LLM technology.
Or maybe I’m just a Luddite, stuck in my old ways.
Frankly speaking, probably the latter. I've been using Copilot for over a year now, and obviously it makes stupid mistakes, but it sped up my general coding speed. Now, I don't have much experience (maybe around 10ish years of programming professionally) in comparison to greybeards, but it works. Haven't used ChatGPT much, but as long as the user understands its shortcomings and reviews/refines its outputs, it's fine.
People who write code also make mistakes, yet we don't consider it "inherently risky practice". We just review others' code, tweak it, make it more appropriate for prod and voila. Same thing applies here.
>but as long as the user understands its shortcomings and reviews/refines its outputs, it's fine.
nice caveat doing a heckuvallot of heavy lifting. i understand that we're talking about coders and sort have this inferred impression that coders will have this understanding, but...that's an awfully broad brush you've used to paint over the simple fact that most people using LLMs (in general) are not understanding this.
Can we please get back to the actual topic is hand. The author clearly says that they took measures that’d seem to imply that they have an understanding of the shortcomings of ChatGPT.
You’re using this as a soapbox to cast holier than thou elitist aspersions on an imagined Everyone Else that isn’t as enlightened as you.
This exact “LLMs bad and here’s why!” thread of conversation is getting so old. The fact that it always has the same few talking points is evidence enough that those indulging themselves in it have been party to these conversations before. They know how it goes. And now it’s their turn to say the same old tired and in this case largely irrelevant things to sound smart and to pat themselves on the back.
> simple fact that most people using LLMs (in general) are not understanding this.
And why does that matter? Plenty of people "use JavaScript without fundamental understanding of the language's inner workings" but things are fine (not). My point is, people have always misunderstood the TOOLS that they use, but I don't see the same kinds of rejection before? Yes, people use LLMs thinking it is the end of programming but you can become way, way more productive as a programmer if you use it as a TOOL. The other day I used it to create a simple Python function to generate N distinct colors. It works, it seems to work, it even suggested using hue instead of rgb since its better or whatever (so I looked it up and it is for the eye) so I just used it. Should I spent a week going on a deep dive into the human eye perception and reading up articles on this?
Tons of production code, even in flows directly related to money (banks, payment portals etc) are hacked together from various stack overflow posts, not always with full understanding of the shortcomings, corner cases etc. Typical is some complex regex.
The latter, I'd have to suggest. GPT-4 generates code that is slightly better than the average junior programmer, which is to say, it is often confidently incorrect and needs review before committing, but either option remains a net productivity gain than no assistant at all.
"Your job will not be taken by an AI. Your job will be taken by someone assisted by an AI."
The process touched on in the article, with thorough review before commit by a human with in-depth experience of the language and APIs and the domain in question, is exactly how AI-generated code should be incorporated into a workflow. The earlier slander against the author's technical ability seems misguided and unsupportable.
I've used ChatGPT (GPT-4) to write production code.
As long as you keep the scope small ("Write some example code that calls $API in Python", "Make it asynchronous; so I can queue up n calls and execute them in parallel"), it generates perfectly good code that is easy to understand too.
This is outright false. I have used ChatGPT many times over the last couple months and I have caught it give me un-working code, unfinished code, and terribly buggy code. When you point this out it will say Oh sorry about that here is an updated version, and I've caught it give another bug, and another after that. If you are telling me the quality of code that ChatGPT gives you is high then it pains me to say but you must not provide high quality code yourself.
When you used google previous to chatgpt, did you force yourself to only allow yourself to use the “I’m feeling lucky” way of search along with having to use the result as your unadjusted production code. Did you never modify the code you came across?
Of course not, that’s ridiculous. You probably searched, read a few stackoverflow comments, found a relevant GitHub repo, a library for python/language of choice, and probably also a SAAS offering solely focused on the 3 lines of code you need. You quickly parsed all that and decided to modify some code in one of the SO comments for your needs. Next time, you looked passed half the junk and went straight to the first SO result and was able to tweak and use the result. The next time, it didn’t help but did help you write some inspired custom code for the problem, at least you knew what not to try.
My point being ai is useful. It’s not meant to be first result is final answer type solution, if that’s how you use it you will have issues.
How can you say that something is outright false if there is not fact/claim you can disprove. You’re responding to someone you don’t know and have no idea what they are working on.
I’m (not OP!) a cloud engineer but also work on a lot of FE (React) code for internal tools. ChatGPT has saved me countless hours (literally tens a month) writing super simple code that I am able to easily write up myself but typing it out just takes time. After month of using it I find myself still quite excited whenever cGPT saved me another hour. We also use Retool, but I find myself writing code ‘myself’ more often since cGPT launched.
No, I wouldn’t just copy paste production code handling PII, but prototyping or developing simple tools is sooooo much faster, for me.
Sure, it doesn't nail it 100% on the first prompt 100% of the time. Sometimes it takes a few prompts. It's no big deal. If you can't get it to write effective code, either you're working in a very niche area, or you haven't figured out how to use it properly.
Another reason someone can’t get it to write effective code is if they don’t know how to code or aren’t a very good programmer.
I use it a ton. Most of the time it’s very helpful, sometimes I can’t get it to write effective code. If the code it outputs doesn’t meet my standards, I just don’t use it. But I know what I’m looking for, and when ChatGPT generates it, if not only saves me a shitload of time, but more importantly it saves me a ton of mental energy that I can spend elsewhere. The biggest thing for me is that using ChatGPT helps my brain do fewer “context switches” between focus on high level business logic and low level implementation logic. By staying “high level” I’m able to accomplish more each day because I don’t get lost in the sauce as often.
I often have to “upgrade” the code myself with tests, better comments, modify the data structures a bit. Sometimes I tell ChatGPT to do this, sometimes I do it myself. But it’s been very helpful overall.
The big takeaway is that your output will only be as good as your own programming skill, regardless if you use ChatGPT or write it yourself.
I concur. It's just like any other tool, it's only as good as the person using it. I just can't understand the resistance of people in this field. I was a naysayer on a number of things like Docker when it first came out because it didn't solve any of my problems at the time. Then, k8s came out and Docker was a pivotal part of that solution, and k8s solves many problems.
ChatGPT writing code so you don't have to, I just can't conceptualize how that's not an instant win for just about everyone.
Is it 'outright false'? The code it creates is can only as good as the prompt. It's just GIGO all over again...
I got it to write exactly the test I wanted for a snippet of code on the third prompt attempt by specifying exactly the two specific technologies I wanted it to use and one keyword that describes an idiom that I needed. It would have been slightly faster than doing it myself.
Technically it was test code, not production code, but had it been my code rather than just some code I was looking at I would have committed the test code it wrote to the repo with zero reservations.
No, because junior devs usually improve over time.
I've tried Copilot and a few other AI codegen tools. Aside from producing overall low quality/nonworking code, the only times they seem to get better long-term are when a new update to the model comes out.
I should have been clear but ChatGPT was one of the "other AI codegen tools" I mentioned, especially as it's the one I used most recently. I tried it for a month or so but then canceled my subscription. I got some use out of it for answering questions for friends who were learning CS for the first time in languages I didn't know, but I didn't get much else from it which felt like it was high enough quality that it really saved me time or effort.
Edit:
And to contrast with junior developers: I find pairing with them something that makes me not only help me figure out the requirements of the things we're working on--which admittedly ChatGPT does do, but I think that's mostly by virtue of rubber ducking--but it helps me figure out approaches I wouldn't have thought of before, or encourages me to write more maintainable code by seeing when another person's eyes start glazing over.
Trying to claim that someone else’s personal experience is factually wrong? The internet teaches everyone great arguing quips, sure. But “outright false” actually MEANS something. Your comment is all emotion.
My current suggestion is to consider it the work of a just on-boarded intern. It will save you some time but you still need to walk thru the code to make sure it will work as intended.
First, it's worth noting the code in the blog post is not "production code," but rather one-off or periodically used scripts for accelerating manual business processes, with results that are easy to manually check.
But in regards to production code, I agree. When code is committed to a codebase, a human should review it. Assuming you trust your review process, it shouldn't matter whether the code submitted for review was written by a human or a language model. If it does make a difference, then your review process is already broken. It should catch bad code regardless of whether it was created by human or machine.
It's still worth knowing the source of commits, but only for context in understanding how it was generated. You know humans are likely to make certain classes of error, and you can learn to watch out for the blind spots of your teammates, just like you can learn the idiosyncrasies and weak points of GPT generated code.
Personally, I don't think we're quite at "ask GPT to commit directly to the repo," but we're getting close. The constant refrain of "try GPT-4" has become a trope, but the difference is immediately
noticeable. Whereas GPT-3.5 will make a mistake or two in every 50 line file, GPT-4 is capable of producing fully correct code that you can immediately run successfully. At the moment it works best for isolated prompts like "create a component to do X," or "write a script to do Y," but if you can provide it with the interface to call an external function, then suddenly that isolated code is just another part of an existing system.
As tooling improves for working collaboratively with large language models and providing them with realtime contextual feedback of code correctness (especially for statically analyzeble or type-checked languages), they will become increasingly indispensable to the workflow of productive developers. If you haven't used co-pilot yet, I encourage you to try it for at least a month. You'll develop an intuition for what it's capable of and will eventually wonder how you ever coded without it. Also make sure to try prompting GPT-4 to create functions, components or scripts. The results are truly surprising and exciting.
That's slow corporate thinking. I'm familiar with it but disagree because the efficiency gains are undeniable and it puts a business on a noncompetitive stance if they fail to change with the times.
ChatGPT and Copilot are like intern software devs who can produce code in seconds. They generate code that's usually close, but not always correct, at the savings of a great deal of your time of typing the whole thing vs. verifying correctness.
For critical and complex algorithms, it's not worth using ML coding assistants right now, but they will be in the future. It's obvious that that's where it's headed: massive efficiency gains for non-technical and barely technical people, and the decline in demand for software engineers, and with it, also a decline in software engineering salaries.
The main reason that the infosec folks have paused the use of LLM's to generate code is copyright concerns: who "owns" the code that's generated, the LLM, or, the company?
Realistically chatgpt isn't writing the financial code. Stripe did that already. Chatgpt is just reading snippets of Stripe's API examples for you and applying the code for a common use-case.
It's terrible, but not far removed from what's been already happening with "developers" copying and pasting StackOverflow comments into a text editor and making uninformed compiler-error-guided-edits until it runs then done!
The root of the problem here is people making production stuff who don't know wtf they're doing. If they turn to SO posts, LLMs, or "developers" on fiverr/upwork doing the same thing, is there really much of a difference? LLMs seem to mostly be tightening the loop of horror that's already been happening.
Just seems like programming will be joining the ranks of most tools. There will always be craftsmen, there will always be professionals, and then there will be the guy bolting together ice chests and garbage disposals to make margarita mixers on his patio or the kid with a duct tape exhaust rig on his Honda Civic.
I guess, to your point, it's only trouble if the margarita mixer guy is put in charge of something that matters? :D
(might be a bad example, I've known some fine engineers and mechanics that are absolutely margarita mixer guy, but hopefully my point is taken lol)
I'd love to know about the nirvana you've been in up till now, because working around code from numerous large companies the vast majority of it is the crappest ass crap straight from the crapper with no redeeming qualities, and it has been this way forever. I'm not saying their isn't good parts, there are general core routines that sheer need for them to be performant and non-data corrupting forced some Sr engineer to fix them.
This guy is operating a profitable business, creating value for customers, shipping features, and openly publishing details and learnings about the threats he mitigated. He used ChatGPT to generate scripts to help him throughout this process. I don't know if he's non-technical or if he just wanted to save some time, but frankly he should be commended for his hustle and get-shit-done attitude. These scripts were not determining life or death, or even making business critical decisions - they were filtering bulk data and making his life easier by producing results that are easily manually checkable, but save tons of time either coding the scripts or hiring a programmer to write them.
To me it reads like a great example of where ChatGPT is most useful: as a force multiplier for time-constrained entrepreneurs who have a specific goal and need specialized knowledge for short periods of time (e.g. to write a script). It's now basically free and instant to produce what would previously require a multi-week process of sourcing, hiring and communicating with contractors to write a script that leads to the same end result.
The kneejerk reaction to call this "surprising" or irresponsible, while understandable, gives major "get off my lawn" energy. This is the future and as coders we should support the increased self-sufficiency of non-technical people. If you want to adapt to the change then maybe think about how to improve the process for entrepreneurs of asking ChatGPT to write a script.
Article author here. I carefully reviewed and tested the ChatGPT scripts before executing them. It helped me save a lot of time manually writing these scripts!
I wouldn't say I lack technical expertise in this area, I'm just trying to use my time as efficiently as possible.
Genuinely curious: How much time would you say you saved prompting for and then carefully reviewing and testing those scripts for bugs, versus writing them yourself?
And for context what's the average line count we're talking about here? Tens of lines? Hundreds?
Glad to see you active here in the comments. Apologies if my comment comes off harshly, my intent is not to tear you down. I think there is a lot of gray space when it comes to using LLMs for generating code. Your usage here is certainly interesting, and I appreciate the additional context and discussion you’ve been providing.
No worries at all! I agree that there's probably lots of people blindly copying and running code from LLMs without any reflection. Just like it often happened with StackOverflow snippets before ChatGPT (to the point it became a meme). I'm definitely not one of them.
I don't know why I see this type of invalid speculation so often. The author already responded that they reviewed the script and didn't post any sensitive data, so won't add more to that.
I'd just state that tons of us use ChatGPT effectively and never blindly trust the outputs - for me ChatGPT is a starting point, not the final product. We're not all so daft as that lawyer who cut and pasted hallucinated case references into a legal brief without verifying them first.
100% agreed, this is how I always treat it and working on the problem from the article was not an exception from this rule. I share minimum input, and never trust the output blindly.
It gets 50-60% of work done, and a really good basis for me to work on it. Especially when working with one-off, end-to-end relatively short scripts.
This has been my primary use case as well (usually for writing some scripts or where I need to solve an operational task quickly), and ChatGPT has saved me a ton of time with those tasks.
I find it odd Chatgpt was mentioned at all. It was almost like an advertisement.
I have read post linked here similar to this one, but I can’t recall another instance in which the author abruptly said they relied on stackoverflow to code something unless the content was a meta commentary on coding and debugging itself.
I can empathize with the author. The first time you write some code collaboratively with GPT and it actually works, you feel a burning need to shout about it. Because it's one of those moments where something "clicks" and you suddenly feel like you've discovered fire. Once you figure out how to work with them, it makes you excited for the future and you can clearly see where LLMs will fit permanently
into your toolbelt. They're far from perfect now, and sometimes the time savings is a wash - you get instant specialized expertise that can produce code like a senior engineer, but you need to goad and coax it like it's a high maintenance intern. But the thinking power expended is still somehow lower - it's a new way of working with technology and deferring some of the grueling parts to the machine. This becomes especially obvious when the code requirements depend on an esoteric API or conventions that you'd normally need to spend time researching and manually enumerating.
Author here. My intention was to show that you can use it to help you get going quickly for a very practical, one-off, and self-contained use cases. As I mentioned in other comments already, I did not trust it blindly and did not share any sensitive data with it. Definitely not an ad!
I'm a huge LLM skeptic, but I'd disagree with you here.
I think using ChatGPT to write long-lived code for a serious application is a bad idea. But I think it's fine for somebody knowledgeable to use it for throwaway and first-draft stuff in areas that aren't their daily work.
Here's the author in question: [edit: wrong Piotr Mierzejewski in tech, see below]
He looks perfectly competent to me to evaluate the effects of some one-shot scripting code, so I think "giving away trust and hoping for the best" is a wild exaggeration of what actually went on.
They really wanted us to know they used ChatGPT too. It felt unnecessary how often they mentioned "I got ChatGPT to write a script that did this" like.. ok?
> I created a restricted key in Stripe with lowest possible permissions, and prompted ChatGPT to create a script to accept the chargebacks.
From my understanding, it also seems that the author submitted a Stripe API key alongside the prompt to create the scripts. This is pretty much a big security no no regardless of the permissions of the key.
If you are a foreign company accepting payments from the USA, you should simply expect this as a cost of doing business.
Credit card fraud here is socialized. The end consumer is never liable, and so we don't bother with chip and pin, 2FA, 3D secure or whatever else. If we notice a suspicious transaction we simply tap a button in the bank's app and the charge is reversed in minutes.
Banks and payments processors are themselves incentivized to push through transactions as quickly and easily as possible so people spend more (yay consumerism!), and like the author said you mostly don't even need to input the right expiry date, billing address or zip code.
The drawback of course is that all of the liability is pushed on to the business, and so they have to raise prices for everyone to make up for it.
Your causality chain doesn't track for me. Here in Denmark we have the same consumer protections, the ability to do chargebacks and the (government funded) guarantee that the consumer does not lose any money if their bank account is drained. Yet we still have very strong protections at the time of purchase with mandatory chip-and-pin as well as 3D secure (which replaced Verified by Visa).
I don't really think there's a rational reason for why you don't have better card security in the US. You just seemingly don't want it.
My guess is the difference lies in the fact that the EU limits credit card fees to something around 0.5%
That means the CC companies can't offload the financial burden of this onto the vendors (and they in turn onto their customers), which leads to them having an actual incentive to improve security.
> That means the CC companies can't offload the financial burden of this
Most CC company (CCC) revenue comes from charging the poor people who can't pay their bills ("interest"). Merchant fees are only a small portion of revenue for most cards [1]. In the case of Discover for example it's less than 10% of their revenue, and in the case of Amex it's less than 33%. Other cards fall in-between.
Your link explains that the issuing banks charge interest, not the credit card companies - which are merely the payment processors. I don't know all of the companies listed, it's possible that some are two in one and have their own bank as well. Some payment processors are partly owned by major banks too. But take the largest CC company, Visa: They don't extend credit at all, they don't even issue their own cards iirc. All their profit comes from fees, because the fees are too damn high™.
They've successfully convinced the public of the opposite though. It's a very common misconception that only "suckers" who buy on credit pay for it and that everyone else is getting a free service as long as they pay off their cards in time. In reality everyone pays because the merchants have to pay those fees and they pass the cost on to the consumer.
There's a recurring myth, very prevalent in the US, that credit card companies would prefer people who pay off their bills every month as cheap margin versus being predatory. It's bizarre, and as you've pointed out, completely unsupported by how they actually make their money.
This seems to ignore losses and credit risk entirely. Someone who pays off their bill every month has no credit risk and the fees earned are unimputed revenues. I’m not saying their analysis is entirely wrong, but I would expect unsecured credit losses to be fairly high in the consumer credit market.
Did you ever try a chargeback? With EU banks, it’s a bureaucratic process in my experience, filling forms, dealing with humans, waiting for merchant response, proving contact with them etc. US banks seem to operate on a magic word “chargeback”: you utter it, the charge is reversed, done.
As is often the case, the answer to the European asked question of "Why don't you just _____" is not "We seemingly don't want it", it's "America has a population 66 times that of Denmark."
Systematic change is slow and difficult. FedNow (secure, instant payments directly between accounts) was released 12 days ago, after nearly a decade in preparation.
Pretending that Americans just "don't want" more secure payments is just ignorant, in my opinion, and really screams that the author should spend more time with folks of other cultures.
That argument goes both ways: each country in Europe might be smaller individually, but at the same time I can pay with my debit/credit card all across Europe, and the same is true for each other EU country. And I still enjoy all of the aforementioned protections and services.
So despite the EU consisting of 27 separate member states, with their own banking systems, we still managed to standardize those banking systems enough to offer all of these services across the continent.
And that is in addition to the outrageous fees CC companies charge merchants. In the US it's typically around 2% of the transaction! The EU caps it at 0.3% maximum, which still seems like a lot when you consider how much money they move. That's another cost that gets socialized and passed on to the consumer of course, even shoppers who pay cash have to pay for this through higher prices.
People should know btw that with 3D secure the card owner can be held liable for fraudulent charges, because some banks have that in their terms for 3D secure. With phone 2FA all that needs to happen is you have your phone and wallet stolen. I've seen cases in the news where people lost thousands.
If you have your phone set to wake-up/show notifications on new messages, and your bank simply sends an SMS code as verification, then the thief can just read the message(s) when they come in and input them.
I think "secure" is the key part that's missing here. There's no incentive for a consumer to use a payment method such as this when paying with a bank. The reason is that credit cards come with consumer protection that this just doesn't offer.
I don't think customer protection is necessary unless you are dealing with unusually small or shady companies. I live in Germany and do not own a credit card, they are uncommon here. Mostly we pay per bank transfer or debit card. Even with the possibility of fraud, this is probably significantly cheaper in expectation than paying a 2% credit card fee each time just to have the possibility of chargeback.
"Therefore, the Regulation caps interchange fees for consumer debit cards to 0.2 % and consumer credit cards to 0.3 % of the value of the transaction."
The (now called) interchange fees go to the card issuing banks, not the card networks. Both network/scheme fees and processor fees come on top of that.
Americans (yes both Canadians and people from the states) are shielded from the chaos that happens to process a single transaction. They only see the paltry rewards in the form of 1-2 (maybe 5) cents per dollar charged, which is translated into "points" (1 cent == 100 points is what I have seen with some "premium" cards) and makes it seem worthwhile.
What they don't see is: the 3-5% or more markup of goods across the board (doesn't matter if you pay cash or card, especially for big box stores), the number of charge backs and the costs of dealing with it, fraudulent charges, poor security (places still accept mag stripe in the states), innumerable numbers of middleman to process transactions (bank fees, issuing card fees, network fees, premium card fees, ...)
It's fucking chaos. I hate it.
With FedNow, I am hoping that will change. Eliminate all of these middleman that are siphoning funds from people across the board. Eliminate the parasites. Eliminate the waste.
Hah, I found the focus on American banks funny because, the one telegram photo said to use the address of Paris France.
Let me tell you, on two different organizations I am part of, I have ran in the last 2 years, both got hit by automated credit card checking bots using French banks and alot of those cards succeeded.
(Of course there's a whole story about how both these orgs have resisted my previous warnings about hardening the payment sites...one of them even was still using Magento 1)
Anecdotal but meh, the real problem is credit cards are just as much as kludged relics as ACH that nobody wants to really fix meaningfully
I expect it’s path-dependent legacy practices more than anything else. Credit cards were invented in the US, so the tech is old and upgrades take a long time.
For manual payments, UPI in India sounds pretty great. Apparently the customer approves each payment on their phone before it goes through?
Credit card networks are already quasi-governmental agencies who block payments the government doesn't like (see e.g. operation choke point) - but without any of the accountability of an actual government agency. Having the processor be the actual government subject to FOIA, equal protection clause etc. would be a step up.
It may be a terrible thing but it has brought such a big change to the Indian economy. Imagine doing that in US which is a much smaller population and all you get is "choice" aka "freedom" to pay 3-5% credit card fee per transaction.
I'll take 3% over having a single payment processor I can't swap out.
The change to the Indian economy was going to come through private investment anyway but the government blocked that. So saying the change came because of UPI is disingenuous at best because it never had to compete with any other offerings. No other entity was even allowed to compete.
"Hassle free peace of mind" meaning you do not need to remember a 4 digit code (or clicking "yes" in a phone app), while you need to check your credit card transaction list regularly to reject fraudulent transactions?
I find the effort of remembering the 4 digit code/having the phone much smaller than the alternative ...
I’ve never had a card stolen where either of those would have helped - they’re stopgaps trying to avoid upgrading the banking system to use public-key encryption with reuse protection.
A couple of times, merchants with my card on file were compromised. The thief could make charges because the merchant had to be able to as well. What would have stopped that would have been having a way to restrict a charge to a particular merchant so the attacker couldn’t have been able to get the money out.
Once, my supermarket had skimmers. A code wouldn’t have been effective unless you were very good at spotting where the thieves planted cameras, too. An active MFA prompt would help against attacks at a substantially later time but it’d have to include the merchant name in an unspoofable form to prevent real-time attacks so I wouldn’t be asked to approve charges from SAFEWAY_, and that old-fashioned style of MFA is painful: it’d always make checkout slower and you’d have some fraction of people who don’t have phones with them or just ran out of battery.
What completely solved this problem for me was the modern tap systems (ApplePay). It requires more smarts on the client but means that I have to approve each transaction and the value the card reader gets can’t be used anywhere else.
>What would have stopped that would have been having a way to restrict a charge to a particular merchant so the attacker couldn’t have been able to get the money out.
This is one of the primary use cases for privacy.com (if you are in the US). The virtual cards are either single-use only or they are merchant locked, plus you can set spending limits on the card. I use these for 100% of my online and recurring payment transactions now. The only downside is that it's linked to your bank account so it's debt transactions only, but that's not necessarily a downside to me.
> upgrading the banking system to use public-key encryption with reuse protection.
This is exactly what chip and PIN does. The chip is a smart card holding keys; the PIN authorizes its use. Online, there is 3DS which can be used similarly.
We’ve had both of these tools for over 20 years now. It’s just a question of how much the industry is choosing to cater to convenience and backwards compatibility, i.e. a security/availability trade off.
In Europe, the regulator has made the choice for the industry instead.
> We’ve had both of these tools for over 20 years now. It’s just a question of how much the industry is choosing to cater to convenience and backwards compatibility, i.e. a security/availability trade off.
Exactly: it’s not like this was a technological breakthrough but that companies were trying to avoid breaking backwards compatibility - not just things like the readers but backend payment systems using something like fixed length records, but also restaurants needing to stop having a single terminal used for every table (this is why they went chip and no PIN).
Going back to the original comment, that’s the peace of mind benefit I see: those businesses can slack on security without me getting stuck with a potentially massive bill.
> that’s the peace of mind benefit I see: those businesses can slack on security without me getting stuck with a potentially massive bill.
That's a false dichotomy, though: Regulators can mandate merchants and issuers to make fraud less likely without allowing the liability for any remaining fraud to be pushed onto cardholders.
Sure, and maybe I'm misunderstanding you, but your point is that changing that model might make things worse for consumers by pushing more liability onto them, right?
I'm just saying that this isn't necessarily a consequence of improving fraud rates, although it's definitely important to keep an eye on issuers – I've heard about attempts to use it as an opportunity to limit liability in the past.
I think you misunderstood me. Peace of mind is in not having to worry about fraud being my responsibility to fight or dispute. I can call CC company or through mobile app, flag transaction, get my money back and never spend another minute on the issue.
Ok, but you have to worry about detecting fraud. Without a PIN/MFA attackers have it much easier time doing fraudulent transactions from the start => more time spent by everybody checking transactions.
And even if you have peace of mind, I wonder who pays for the cost of the fraud. I would imagine the bank will just pass it over to the consumer in some fees. So a system that reduce fraud (even if can't eliminate it completely) is still better in my opinion.
Re: Chargeback fees - Visa acquired a company called Verifi a few years back. Their new products are Rapid Dispute Resolution (RDR) and Order Insight. RDR effectively lets you automatically refund a transaction before it gets turned into a chargeback and Visa charges a $4 fee (Assuming your MCC code is not high risk). Order insight lets you provide certain data about a questioned charge immediately and if the customer has had 3 previous charges with you, a chargeback CANNOT be issued.
It was a really easy decision for our business based on win rate, avg order size and chargeback fees. Plus now we don't have to constantly worry about Visa's or the merchant bank's 1% chargeback rule. This only applies to Visa charges but it represented about 50% of our total volume.
One last note - Visa is basically taking away a massive revenue source for the processors. If your processor is TSYS, they are trying to charge a RDR fee of $10.
Ya, for Mastercard we use their Ethoca network. They are much more expensive, like $25 per resolved charge but now our chargeback rate is near 0% for Visa / MC and get incredible rates on the front end from such clean processing. Plus we never have to worry about chargebacks threatening our merchant account again.
Why does the US seem so far behind when it comes to banking?
- Chip and PIN has been in the UK since 2004 and mandatory since 2006. It wasn't until a decade later that the US caught up.
- Faster Payments allow for instant bank transfers (usually) between any bank account for free. Receiving transfers from clients in US (even with a US Wise bank account) was always a nightmare.
- Since the EU introduced Strong Customer Authentication, most new payments have to be authorised in your mobile banking app or by some other means of 2FA.
- Even before SCA, you'd have to get the Postcode (often digits that mattered) and CVV correct at the very least.
These measures seem like a way of banks shifting the responsibility for fraud onto the customer. In either case though, it's the customer who loses out. In a culture that accepts widespread card fraud, costs increase to offset it.
As a Canadian, it does feel like stepping out of a time machine when you pay at restaurants in the USA. Instead of using a terminal at the table to pay yourself, you need to give the server your card and wait for them to manually process it somewhere. Maybe things have progressed in recent years. But we haven't done it that way in Canada since the early 2000's.
I was visiting Seattle (from Vancouver) a few years ago, and they didn't want me to use my chip card as a chip card because if they did then I couldn't tip. What the heck is that all about?
Also, we're still hearing stories about merchants in the US starting to accept Apple Pay, whereas it worked fine in almost every retailer in Canada the day it was available - even though it wasn't available in Canada for a long time, American visitors (or Canadians with American credit cards) could use Apple Pay on launch day at any retailer that supported tap-to-pay, which was easily most of them.
It was probably an issue with that particular merchants POS. Merchants have very little incentive to update their POS systems so technology changes are very hard to get rolled out. Especially for smaller merchants which many restaurants are.
It’s a network effect thing. Because tap to pay wasn’t supported by the POS vendors US consumers did not get much improvement in experience because of it, so there wasn’t demand from merchants. With Apple Pay there is a huge improvement for consumers (not having to carry the credit card) it has finally forced merchants and their supporting POS vendors to support it.
Between that and the disruption in the POS market the iPad (and similar devices) brought, POS vendors have had to become more flexible.
Tax fraud? I've never seen a card reader in a restaurant (here in europe) where they couldn't either enter a completely arbitrary amount to pay, or add a tip.
Re: Apple Pay acceptance, some of the big chains took the chance to push hard for their own payment solutions ("Walmart Pay") in the hopes of not having to pay card processing fees anymore. Obviously the market has spoken and one by one they've been giving up.
I've started to see more and more servers using a mobile POS with built in credit reader and receipt printer. They hand it to you for tip and signature and you don't have to hand your card to anyone.
> Majority of restaurant is all about experience and event payment system should match that experience.
I'm in the UK. I go to many high-end restaurants, cocktail bars, etc. Portable card terminals are essentially universal in these places. The fact it's the same everywhere is a feature, not a bug.
It's quick. Your card never leaves your sight. No pen is required. Payments up to £100 can be done using contactless on a physical card. Even higher amounts with smartphones/smart watches. Tipping is often integrated into the terminal where tipping is common. It's rare to have to put the card into the terminal.
I don't think it detracts from the experience. On the contrary, I think it streamlines the bit between being finished and wanting to leave:
"Please can I have the bill and a card machine, please".
I've lived in Japan for so long now that paying at restaurants in other countries where it's done at the table seems so awkward.
In Japan, you don't pay at the table, you get up when leaving and pay at the exit. If you're at a high-end establishment entertaining guests, this also leaves you the opportunity to "go to the restroom" late in the dinner and pay ahead of time so that the "mess" of payments is completely forgotten.
It also means waiters don't need to run around the place with cards/readers/cash, you don't need to fumble when you left your wallet in your coat that's been hung up, don't need to squint to read receipts in the dim mood lighting in the eating area, etc etc.
But now they get to see how much you're tipping them! Like they literally have to wait while you punch it in, increasing the social pressure to make up for a broken system.
I don't go to restaurants anymore. Too much pressure.
Respectfully, this seems like social anxiety or hyperbole. You don't go to restaurants because of the stress of the cultural norm of tipping? Seems more accurate to say you don't like eating out in general or because of the price of eating out once you factor in a tip...
Things have definitely changed here recently. At least in San Francisco, at-table terminals are now the norm in sit-down restaurants. Staff generally use the same device for order-taking and payment.
> Things have definitely changed here recently. At least in San Francisco, at-table terminals are now the norm in sit-down restaurants. Staff generally use the same device for order-taking and payment.
I used to work in PoS industry.
This tech is new-ish to the US but not to the rest of the first-world. 15 years ago, paying with a CC @ the table was common in Europe, but the terminal could ONLY do payments. The devices that have been rolling out to the US are more like android tablets in that they can run the order taking half of it, too. Selling hardware to a restaurant is tricky and "oh, no, this only allows you to move the payment portion to the table; staff still have to go to central spot to find a table that can accommodate guests and place their order" was basically a non-starter. The sales pitch is a lot easier now that everything can be done table-side.
For sure. "Bring the card to the device" and "bring the device to the card" seem about equivalent to me in convenience unless the device is something that the waitstaff is going to carry all the time anyhow.
> In a culture that accepts widespread card fraud, costs increase to offset it.
Maybe, maybe not, but this is a very simplistic way of looking at it. If credit card fraud is responsible for X% of total charges, they can spend effort to deal with it, OR they can simply not deal with it and keeping the transactions going while eating the cost, they may be able to serve Y% more customers where Y > X and thus end up with more profit in the long run.
This works for a lot of businesses in America because the sheer scale is massive (take McDonalds for example, they would probably be better off processing their lunch rush quickly due to the margins they are making rather than take even 1 second to verify there is no fraud). This may not work in Europe, but IMO you're missing an entire dimension when analyzing the true costs.
If the fraud/benefit scale ever tipped away from favoring the companies, I think we would see all these major fraud prevention mechanisms kick in almost immediately in the US.
> serve Y% more customers where Y > X and thus end up with more profit in the long run.
That’s the micro/local view, and any rational company in the US will do something close to that. There is no local incentive to set the “fraud/friction” to anything other than their competitors.
On the macro level though, if the dial is moved for everyone (i.e. by regulation; the card schemes have tried to make this happen via incentives in the form of the liability shift, but it still wasn’t enough), there’s a chance for increased total efficiency.
The cool thing is that Europe is running this experiment currently – let’s see how it goes.
First, compared to the rest of the EU, Germany is a weird outlier with the number of banks they have (which, by the way, has been declining steadily for 15 years).
Setting that aside, you missed the "deregulated" part.
As I understand it (and I grant my understanding is pretty cursory) Germany has a much stronger central regulating body, and is subject to overall EU regulations as well.
The US has multiple regional banking authorities and a ton of responsibility is delegated to the states, and in general government intervention is seen as a last resort.
And also, a lot of german banks are actually federated with centralized IT departments (like Finanz Informatik) providing the entire bank as "blueprint". Yes, even if they aren't called Volksbank or Sparkasse. For instance, if you get an EC/GiroCard from DKB, the letter is suspiciously typeset in Sparkasse's corporate font.
> First, compared to the rest of the EU, Germany is a weird outlier with the number of banks they have (which, by the way, has been declining steadily for 15 years).
Still, the absolute number itself seems to be not really the issue here. (I assume the number of US banks has similarly declined in the US, as fusions reduce cost.)
> Setting that aside, you missed the "deregulated" part.
If Germany is anything like the Scandinavian countries, those banks will just be branches of a handful of different banks.
We really don't have any microbanks that need to roll out their own tech for everything - most are just part of the larger banks, and get all the infrastructure provided for them.
None of these comments seem relevant to TFA, which is specifically about card-not-present fraud.
Chip and PIN doesn't work for internet payment.
Bank transfers don't work well internationally.
It is trivial to turn on AVS (address verification) and CVV, but it can result in more declined-yet-legitimate transactions. Sometimes that outweighs the fraud risk that these catch.
The responsibility for fraud is pushed to the merchant, not the customer. Yes, customers pay higher prices because merchant fraud gets passed on eventually, but only in the sense that all fraud costs get passed on to consumers eventually.
I mean the "real thing" is 3D Secure, which isn't exactly 2FA and card issuer dependent, but makes things a hell of a lot more of a PITA to execute for fraudsters.
"ahead" and "behind" halt thinking, and turn the entire topic into some kind of number-line position. It is not. This is complex and actors on both sides of the Atlantic are playing in bad faith to exploit changes. Second you ignore the roles involved. Mid-20s person with steady job is a smaller and smaller part of the system-in-fact, for many reasons. Some people say that working 20-somethings are abused and disenfranchised, including in the EU and elsewhere.
In my view, the U.S. is leading the way in this area.
Europe seems to be shifting the burden of fraud prevention onto customers with methods like SMS notifications and pins. In contrast, in the U.S., banks and businesses are primarily responsible for dealing with fraud.
It's not leading the way technically but for the end consumer it might be better. If I get charged unfairly my bank will tell me to go to the police. Americans can easily just refuse it.
Not if you use a credit card; a quick call to Visa/MC/Amex will get your money back instantly in Europe too.
The main difference is that, in Europe, debit cards are often used in the same way as a CC - except they are just a direct pipe to one's bank, and once the money comes down the pipe there is no easy way to push it back up.
I'm sorry but using strong authentication to make my payment is not a burden, it's a bloody feature.
Here's how much of a "burden" that is: you hold your ATM card next to the terminal. Done. Paid. Every once in a while (based on a configurable max per week) it will prompt for a PIN. Which you enter in 5 secs. That would be 1 in 10 payments.
Online payment: scan payment QR with phone, which takes me to my banking app. Authentication is FaceID, TouchID or PIN. Then you click "Yes". Done.
Both methods are highly secure, require no or minimal input and are extremely fast.
On the other hand, the EU caps credit card fees at 0.5% by law while in the US merchants will pay 3 times that at a minimum.
I suspect that in the US CC processors are incentivized to increase their processing fees to cover the cost of fraud instead of building features to prevent it because they can and it's easier than building features. Businesses are incentivized to increase prices to cover the cost of fraud (and CC processing costs) since processors offer such poor tooling to prevent it.
In the US the burden of fraud prevention is squarely on the honest consumer's wallet.
It's curious that the same product isn't cheaper in Europe compared to the U.S., despite Europeans not funding fraud. I can't help but wonder where those extra savings go.
Products are more expensive in Europe because we have (on average) ~20% sales tax. And because the general tax pressure is higher because we have more state services.
In terms of PPP someone should look it up (on mobile)
Oh, please. You're grossly misinformed. If anything, US is lagging lightyears behind Europe in terms of fighting fraud and fighting card schemes, which are stripping everyone equally in US, banks and customers alike.
PSD2 directive intruduced a lot of novelties, which no one at the time had (and very few do, not even US). For instance, specific to this situation - remote payments above 30 eur must be SCA (strong customer authentication, similar to 2FA, but more elaborate) verified (small value exception from PSD2 RTS). Also, banks must have both real time and post-time transaction monitoring in place, i.e. they must have systems to detect and prevent such fraudulent attemtps. There literally tens if not hundreds of fraud fighting measures in PSD2, which all banks (both acquirer and issuer) must come mply with. I could go on and on (not the place and format).
Frankly, it's utterly unbelievable that this kind of thing could happen without anyone (either acquirer or issuer) intervenining. Not what could (should) happen here in Europe.
Chip and PIN isn't mandatory in the UK - it's just the default. My debit card is not Chip and PIN, because I asked the bank very nicely.
The problem isn't the Chip and PIN itself, although it has been implemented less securely than it could be. The problem, as you point out, is that the liability for fraud has been shifted in law to the card holder, and that is what I objected to. See https://www.chipandspin.co.uk/ for more.
> These measures seem like a way of banks shifting the responsibility for fraud onto the customer.
Onto the vendor, not the customer. The customer can chargeback anything instantly, and the vendor is on the hook for the fraud.
It's intentional, so the banks and payment processors can make more profits. By making it easier for customers to chargeback, they incentivize customers to buy more stuff, by getting the customer to feel more comfortable charging everywhere. Charging more stuff makes payment processors more money.
A lot of it has to do with legacy POS support and a strong disinclination on the merchants part to upgrade. Terminals are costly and configuration non trivial. Plus a strong “if it ain’t broke don’t fix it” culture and resistance to any change. Add to it a relatively weak consumer protection regulatory regime and you’ve got the US.
I would say it’s not worse than most of the world though. Much of the world is rampant with fraud borne entirely by the consumer. For instance QR based bank transfers are popular in much of the world outside the western developed world. Fraud is insanely rampant but the ease and utility vs cash makes it acceptable. Transactions costs are near or actually zero and there’s no POS infrastructure. But people meticulously check their transactions because theft is so rampant. The banks and governments seem unconcerned though.
As such I put the US somewhere in the midpoint globally for this space. There are some smaller economies with strong regulatory regimes that do better for sure. There are many more that do much worse. Obviously the goal is the better not the worse, but I think it’s cherry picking to lump the US into being the worst.
We still do not use chip-and-pin on credit cards in the US. We use chip-and-signature for most credit cards.
I'm not saying there aren't credit cards with chip-and-PIN, there are a some.
We do use chip-and-PIN on most debit cards, but even that can be bypassed on 99% of terminals to fall back to chip-and-signature.
What's super interesting to me, lot of countries that you would expect to be behind the US on that topic actually have state-of-the-art banking techs. Even the EU is behind some of the stuff I've seen in LATAM.
With a UK card pretty much any transaction I do online requires me to Auth it in app.
I even found I had to do it recently for things like car hire, and those websites are generally just wrappers around local company searches (though higher sums overall).
I worked at a company who's server was hacked and they stole the API keys and did carding on it from the server. Paypal tried to tell us we owned them $100,000.00 in fees. We were only running $4500.00 payments at most 5 times a day for course registrations.
The hacker ran auths on random CC number for $1 every second.
We didn't have to pay the fees for carding but they don't care.
They do not care because they make money off fraud.
We had settings stating we only have orders between $2500 and $6000. But they do not check auths lol
Crazy.
This was back around 2010 and stripe was not available in Canada at the time.
Stripe is god awful at fraud prevention and it's intentional. They are explicitly outsourcing the cost of risk management to their clients. It's obscene. I work in the credit card fraud prevention field, and I'm not even that good at my job, but our team of like 3.5 people easily built and maintained a system that prevents this exact kind of carding attack.
The primary way for a business to prevent carding attacks is to just be slightly more annoying to attack than the next guy. As far as I can tell, Stripe is happy to be the easiest large network to attack because they outsource the pain and cost of any attack to you, their users. They could easily, and for very little cost, prevent this from hurting you.
Stripe is choosing to let you suffer to save a few bucks.
They want to nickel and dime you and make you pay for Radar. It's the exact same strategy with Stripe Taxes and their terrible currency conversions. Provide no service up front and eventually you realize your stripe transaction hits two digit percentage of your overall price.
(Edwin from Stripe here.) Worth noting this is copypasta from an older post from a month ago (https://piotrmierzejewski.com/p/card-networks-exploitation). We've fixed most of these issues since then. This type of card testing has dwindled—Radar should now be catching these types of attacks.
On the chargeback point—we hate chargebacks too and we want to limit them as much as possible (we're actually working on a few things over here that we think will help with this). The banks levy chargeback fees (in varying amounts) and an average of them show in the form of a $20 fee—it's not a Stripe-specific fee and we don't profit from chargebacks.
We've just finished company planning for the rest of the year and reducing this type of fraud is a top priority. So if you think you're seeing something similar, please email me at edwin@stripe.com.
Worked as the catch-all systems/CI/infrastructure/software engineer for an ecommerce company last year. This sort of stuff was so common. I'd spend at least one day a week trying to determine the newest pattern and prevent it. They were using our system to validate credit cards.
Eventually I stopped more or less all attacks on our cart/checkout. But the requests were still coming. Eventually while trolling logs for an unrelated PHP problem one of the software engineers mentioned there was a huge amount of traffic hitting our page to save a payment for later. The platform would issue a $1.00 charge to verify that the CC was real and they'd moved to using that to "churn" cards.
Some advice I got a while ago about detecting fraud through stripe is you should probably train your own fraud detection model if you’re serious about limiting it and have enough volume. Even something like a simple logistic classifier would work. Stripe radar isn’t tuned to the specifics of your business, and there are other signals you can account for (like which products they’re buying, how long it takes them to buy after opening your site, etc). Custom Radar rules work to an extent.
I get that a lot of indie businesses probably don’t have the resources/want to do this, so there are solutions you can buy, but they’re expensive and mostly targeted at high volume merchants anyway. Maybe stripe launches a fine-tunable radar product someday?
Yet another reason why the credit card industry needs to go. Security protocols non-existent or haven't been upgraded since the turn of the 21st century. The amount of middleman abuses is innumerable as well. The costs of dealing with these nuisances is passed on to the merchant (via higher transaction fees, charge back fees, ...), and inevitably passed on to the consumer.
Let's not forget that the CC industry encourages the worst spending habits for consumers thus perpetuating the never ending cycle of slaves to debt.
I’ve always found it incredible that US banks often require only the card number to perform a transaction. All those “card generators” I used to see uploaded to BBS in the late 80s and early 90s make sense.
That part of the article was news to me. Like, why do I have to deal with CVVs, expiration dates, zip codes, (not to mention the resulting work from the fallout from the fraud) … if it doesn't even matter? How many person years of human life per year could pursue something … worthwhile … if we checked the CVV?
It makes sense to me that zip codes don't matter (or might be a weak signal), since some countries might not have postal codes, or might have a different postal code format. But I agree with you that it doesn't make sense to not check the CVV and expiration date; both are printed directly in the card, and should match exactly (unlike the card owner name, which is also printed in the card, but the user might type it differently, for instance typing in full their middle name when it's abbreviated in the card).
Haven't dealt with credit cards, but people often have the zip code wrong on their address. The mail gets delivered if the rest of the information is correct.
I assume that makes it hard to be strict about zip code.
Do prepaids not have ZIPs? So many things demand this info (heck, even some gas pumps…) … what do people enter at those prompts?
(I left out name; I assume name isn't matched against, given how fuzzy of a field it is. Most sites don't even prompt for the information accurately enough to make a match anyways.)
I recently discovered, after almost a year, that I had put the wrong expiration date of a new card into my password manager. It was the correct year but the wrong month. Not a single transaction had failed with the wrong expiration date.
What strikes me is the comment on 3DS challenges that passed.
By law in Europe, once 3DS challenge is completed the Bank owns the risk and cost of the chargeback NOT the Online Shop. Can someone tell me how this is implemented in common processors ? Any experience?
Isn't this solved with 3-D Secure ? Many websites (at least in the EU) implement it and if mandatory, it's impossible to buy something without 2FA (either by SMS, phone app, ...)
"banks (usually American ones) will happily accept transactions that have incorrect full name, invalid CVV / CVC, wrong expiration date, only partial billing address provided, with incorrect ZIP code.
All of the above is still not enough to trigger a 3D secure authorisation"
The solution indeed is to write manual rules to trigger 3D secure.
Banks don't choose to accept incorrect name, invalid CVC, invalid exp date or wrong billing address. It's up to the user (in this case him) to enable CVC Check and AVS in his payment processor to fail payments that don't pass this check. It's also up to him/Stripe to implement 3D secure and trigger it.
“Radar includes a rule to block any payments that fail the CVC verification check, which you can enable or disable within the Dashboard (this doesn’t affect payments where the CVC check couldn’t be performed).”
Also;
“…Support for both types of AVS checks varies by country and card issuer (for example, certain countries don’t use a postal code or some card issuers don’t support street address verification)”
So it appears there are cases where these checks can be enabled on your Dashboard, but skipped by Stripe or not actually performed by the issuer, I’m thinking like for prepaid cards?
Even more funny is that in USA, the actual amount charged to the card is mutable. Take for example when you go to a restaurant and give your card, it's charged, and then you write out with a pen a tip amount, which at some future point gets added on to your charge.
But there are laws about that: you authorize tip with your signature, if they charge you more than you authorized, they can get in trouble. Don't see the issue here.
What if you lose your phone? In my country banks only allow you to use one phone for mobile authorization, so you can't even have a backup phone. I really wish 3DSecure was optional so I can turn it of when going to foreign vacation.
My US bank requires SMS 2FA and SMS works for free because I am connected to Wifi. I have VoWiFi enabled. My US phone plan is with a budget carrier I only pay $15 a month for voice, sms, and data.
It’s kinda funny, but the only time Chase and Amex credit cards asked me for 2FA (I didn’t even know they had 2FA) was when I used them to purchase some things in Indian website through local payment provider (Razorpay).
Enabling 3-D secure on all transactions leads to lower conversion rates, therefore typically a hybrid model is used where its enabled/disabled per transaction whether it is needed based on a risk score.
My friend had a USB smartcard reader in like 2001. He'd dip his AmEx to perform a transaction on his PC. It's twenty years later and the industry still hasn't caught up?
What's different about Europe that they seem to have figured this out decades ago?
Because the banks and vendors are liable for unauthorized charges in the US [1], not the user. The banks/vendors handle the fraud in aggregate on the backend. They could roll out fraud prevention at the end-user level, but they choose not to; which means it is probably not worth it for the issuer relative to the extra user convenience (and extra charges).
In contrast, in many places in Europe the user is responsible for unauthorized charges. Regular people care a great deal about not being wrongfully charged as that is almost always proportionally worse, so they demand robust end-user protection so they will not be wrongfully charged.
This is kind of a case of, “everybody would drive safer if instead of a airbag you had a bunch of knives that shoot out and kill you if you get in a crash”.
As someone whose lived in multiple European countries since I was born, I also don't understand this comment. I don't know anyone who uses these smartcard readers at home. I don't think it's common at all.
> As someone whose lived in multiple European countries since I was born, I also don't understand this comment. I don't know anyone who uses these smartcard readers at home. I don't think it's common at all.
Which EU countries? Bank card readers are super common in .nl (ING for sure) and .be (just about every single bank there) for example.
Nowadays banks often allow to use either that or, say, an app on your phone or a dedicated physical token. For example you can confirm transactions you make on your computer by unlocking an app and confirming with your fingerprint from your smartphone. But that's semi- recent. Before that kind of 2FA became a thing, it was all done with card readers.
Some countries still live in the past like, I shit you not, Societe Generale in France still has a "2FA" where it shows digits randomly on the screen and you have to click you PIN (some people still have an account like that): that is however quite pathetic and not the norm.
If I want to buy anything online using any one of my credit card, I must put it in a physical reader and reply correctly to a challenge/response.
These readers are different from the electronic ID card readers, which are also used in many EU countries (for example to fill my taxes online).
> What's different about Europe that they seem to have figured this out decades ago?
Our governments actually care about monopolies and security. The PSD2 directive was an utter pain to deal with, but at least it stopped a lot of common scams and thefts in its tracks, and it forced banks and other payment actors to open up their system.
> The PSD2 directive was an utter pain to deal with, but at least it stopped a lot of common scams and thefts in its tracks
Inded. More specifically SCA (Strong Customer Authentication) which is required by PSD2. VISA says the "SYH" (Something You Have) is either "a mobile phone, a card reader or other device evidenced by a one-time passcode".
Note however that I cannot log nowadays to any of my bank in the EU without having a big banner saying something like (paraphrasing): "WARNING: scammers are trying to steal your funds. Neither the bank nor the police nor anyone else shall ask you your PIN or to confirm anything on your card reader."
Basically: life is harder for scammers so they try to trick (mostly old) people into validating transactions over the phone.
In Denmark, there's a national system for authentication used for government sites and banks. I have a small device with a single button on it that shows a 6-digit code when you press it. I enter that code along with a password any time I make a purchase online.
(There's also an app that most people use. But I like the hardware thingy better.)
It is just lobbying preventing good policy. If we moved to chip + pin, we'd get rid of almost 100% of CC fraud. But retailers don't want the friction so instead the consumer pays for the fraud instead.
Why do you think this requires a government mandate? What evidence do you have of counter-lobbying as opposed to simple consumer and retailer preference?
> Why do you think this requires a government mandate?
It's a classic tragedy of the commons situation (inverted, like the economics textbook example of a lighthouse), to which government intervention is the classic solution. Fraud prevention benefits everyone, but any individual actor is better off skipping the fraud checks.
I have never ever seen an online payment processor that was capable of using a card reader to perform a transaction from a webpage (on a non-specialized device). I don't think there is even any established standard for using a smartcard from a website. WebUSB/WebNFC may work (although browsers have blacklists of vendor IDs to disallow access to e.g. Yubikeys, so at least some smartcards may not be accessible this way), but that's all experimental and questionable stuff.
It might've been possible someone had something like that in ol' good '00s with ActiveX, but that must've been surely an exception (and a security nightmare).
A card reader is a stand-alone device and has nothing to do with any web tech.
You put your ATM card in the device, enter your PIN code, and then the device has a tiny camera that scans the QR code on the web page. Next, you can see the transaction details on the device and confirm. It will then output a signing code which you enter on the web page.
It is what was commonly used in some EU countries before we switched to mobile banking apps. Most banks still supply them for when you do very large online transactions.
No it's much simpler than that. You either confirm the transaction on your phone with pin or FaceID, without the card involved. Or if the amount is too high (50k+ at my bank) or you don't have your phone, you use a small device provided by the bank.
The device reads your card, asks for the pin and then spits out a 2FA code to enter on the website or app. The old ones only did this code thing (usually with SMS as a backup way to get the code, but most banks have moved away from sms now). Some more advanced ones have a digital signing capability by taking a photo from a QR-like code on the computer screen and then displaying the signing code for you to enter.
These advanced ones are a bit out of use now that everyone uses the mobile app, except for business accounts and larger amounts like my bank's 50k limit on mobile app confirmation. But I don't regularly transfer more than 50k in one transaction anyway.
They're less common in the UK now mobile apps have taken over, but in the early 2000s banks would issue a standalone device to every customer. When making payments via online banking you'd put your card in the device, hit a button, and give it a code that the online banking page provided. The device then did some magic via the chip on your card to provide a code that you'd give back to the online banking site to validate that you were in possession of your card.
Some banks may have used this for 3D Secure during online card payments as well, but I've never encountered one. Validation for that in my case evolved from setting a password on my account, which they'd ask for some characters from, to tokens sent via SMS to my registered phone number, to a push notification from my bank followed by FaceID to authorise payment.
In person Chip & PIN, and more recently contactless, is ubiquitous. Magstripe payments are so rare I have to explicitly enable them in my bank's app for the card, and it'll turn itself off again 7 days later. I never encountered chip & signature until going to the US, where everyone in the group I was with looked at it like some sort of joke (and indeed it is, because there's no signature recorded against my card for validation).
Not everyone and it's not necessarily connected to the PC. Some card readers are, some aren't.
And there are two things that are not to be confused: electronic ID card readers (used for stuff like VAT tax filings, income tax filings, etc.) and debit/credit card readers (which may or may not be connected to the PC) used as 2FA (with a challenge/response). The ones that aren't connected to the PC generate a number which you then enter to confirm you login/order.
Many banks in the EU enforce at least one type of 2FA. The shittiest, most pathetic ones, still do it by SMS (but it's still 2FA and still better than nothing). Others use a card reader (in which you literally plug your bank card, which signs orders / challenge/response style and never leak the card's secret). Other give a physical RSA-like token with codes changing every x second. Others allow the use of an app on a smartphone to confirm transactions.
When I log to at least one of my bank I've got a list asking me which type of 2FA I'll use to log in and confirm payments. Card readers (two different types) are on the list.
I use that to log in, confirm wire transfer and buy stocks too.
The rest of the world has to put up with the US banking system because when all you have is an overfunded military, everything looks like a target.
That logic doesn't quite translate internally, so it's important to maintain the perception that the banking system is all that stands between the little people and a hungry mob of scammers. If the scam problem were demonstrably easy to solve at the POS, it would be harder to justify the merchant fees and other bank-related overreach.
In the United States, there is minimal incentive to do so. It took many years to transition away from magnetic stripe cards to pin+chip. IIRC, the regulators kept pushing back the date for banks to re-issue pin+chip cards and for merchants to begin accepting them. I think it was only when the processors began to threaten merchants with 100% liability for fraudulent transactions processed with mag stripe is when it started to hit critical mass (2015-2016?).
Europe is better organized, simply. People are tightly crammed together compared to the US, and historically were fighting each other for 'living space' instead of progressively occupying almost a whole continent. Things just have to work better - and by and large they do.
If you don’t you significantly increase the friction in using your service and will lose business to those who do accept the hand typed card where the user doesn’t have to adopt new hardware or software.
Everyone would need to mandate the security feature while have a short term incentive to not.
Fuck smartcard readers. Also: fuck 3d secure. The nice thing about old, "insecure" card payments was: I just needed to memorize my credit card number, expiry date and CCV and I could pay online for everything. No need to always carry a phone for SMS/app authentication.
Credit cards payments are exactly just like SMS 2FA, both are insecure by design and served the purpose before the internet, trying to shove old tech into new one and expecting it to work well is just naive. Instead of spending time and resources by big corporations to create such “web environment integrity”, how about creating a better more secure, fraudulent proof system instead?
are you using cloudflare workers for this? i don't see any tool for form submission and rate limiting in cf. Can you elaborate what tool are you using?
I imagine that the fraud rate in Europe is lower since the introduction of PSD2. This legislation required a combination of 2-factor authentication (3DS2) and transaction analysis to achieve low overall fraud rates.
> We learnt that 15% of the successful fraudulent charges resulted in chargebacks.
I Hope the other 85% are just recent transactions that haven’t been scrutinized yet.
Or did the fraudsters target a bank with high net worth clients that don’t scrutinize smaller billings???
I can see a lot of people not really scrutinizing a random Spotify transaction or something. Especially vendors that let you store multiple cards and then you don’t always keep it straight which transaction went to which card anyway.
Usually these transactions are automated with the checkers. Some are as simple as a PHP script replaying a request, some are more sophisticated that use residential proxies, some are parts of huge enterprises like try2check. If you have a list of IPs, you can scan them for 80/443 open and sometimes catch simple checkers in action.
I worked at a credit card network company some years ago and thought the article mentioned an exploit on the actual network.
It is instead a showcase on how mediocre issuers can be when authorizing transactions, and how non-sensical the system has become that the merchant ends up paying the price for chargebacks.
I've been using a platform called Chargeblast.io and it's been doing wonders; literally saved my business from closing down. I haven't found another platform like it - best price, best value
As an end user of banks in both the US and EU, the banks in the US seem way, way behind technically and in terms of online usability. Both less secure and more cumbersome to use.
Customer friction at checkout. The more difficult a merchant makes the checkout process the more likely customers are to abandon the checkout. Some of those abandoned checkouts are fraudsters, but other are legitimate customers who don't want to deal with the hassle. It is up to the merchant to decide how to weigh fraud against lost sales.
This author is jumping out of the frying pan and into the fire. ChatGPT is cool and all, but the fact that they’re trusting it to write critical code for handling their customers money speaks volumes. They’re incredulous at how they feel Stripe violated their trust in it to manage fraud, but then go ahead and blindly place it in another technology they don’t understand. The problem isn’t Stripe (though, yes, they should fix this), it’s the fact that they are just giving away trust and hoping for the best.