05-30-2003, 10:29 PM
rnicey
Registered User
 
Join Date: Sep 2002
Location: Hollywood, FL
Posts: 37
I've kinda been waiting for this. Look at the email scams for Paypal and C2it going around. "We need to confirm your membership, please enter your credit card and social security number on the attached form" kind of thing.

Here is Visa's dilemma. What if YOU found $1000 worth of fraudulent charges on your credit card today, and when you phoned the bank up they said, "Sorry, PIN number was used, too bad." The first thing you're going to do is not pay the bill, the second, tell them to shove it.

Imagine an email virus that compromised 20,000 cards and their VBV passwords (because we all know customers do silly things). No bank or system can absorb that or pin it on the customer. The result is that once again the merchant gets it in the neck.

The promise of VBV was that the merchant never collects the PIN, it goes via a 3rd party (Visa controlled). This eliminates database leak problems like what happened with CVV. Trouble is it just makes those PIN numbers more valuable on the black market. I've seen them going for $15 a pop already. It's a mess.

In addition to that, if you have a dishonest merchant, they can pop up their own VBV PIN entry screen. How many customers would know the difference? Sure there's a test question/phrase so you know it's the bank, but if I put up a page with a pretty bank logo asking for a PIN I can either bank on most people forgetting to look for it, or post a little message saying that feature is unavailable and to continue anyway. That merchant can then run the card as many times as they like with chargeback protection if they're clever about how they do it.

---

Here's the way it's going to go. Either:
a) High risk will only be allowed to process via a licensed Visa gateway where they control the order pages and customer service. Merchants will pay silly money for this of course and it will be insanely regulated.

b) Someone has to come up with a hardware style authentication system which has one time disposable ids. This is a long way off and would be expensive/nasty for the consumer.

c) Visa will stick their head in the sand, destroy high risk processing with fines and sly moves and the problem will starve itself away.

I'm betting on the last one.

ps. Kimmy. Many banks in their popup window allow instant enrollment. All you need is some personal info like mother's name/social etc. Just gets better for the hackers, doesn't it?

Robert