[_] 3D SECURE
Simon Speight
simon at speight.me.uk
Tue Dec 4 22:54:36 GMT 2007
I always thought the point of the security systems offered by the card issuers (3D Secure, Verified by Visa et al.) was that they were systems which bypassed the retailer. So in the grand scheme (admittedly not as it's currently implemented) the retailer doesn't have enough information themselves to authorise a new (potentially bogus) transaction. That's the reason why it has to take you off the retailer's site: it's not supposed to be for them.

That said, the current system is shocking, opens the door to phishers as has been said, and generally needs a good kick up the arse.

And I also hate the chip and PIN system. When it was first touted I was working for a retailer and was loosely in charge of that kind of thing. It was CLEARLY a huge-scale blame shifter for the banks (there is now pretty much no way a fraudulent transaction is their fault) and I'm amazed more retailers weren't up in arms about it.

For instance, can anyone explain to me why the PIN checking wasn't added IN ADDITION to the signature?? And why only 4 digits? All phone numbers these days are 11 and I can remember plenty of them. And why not a 6-digit PIN and a terminal which prompts you for 3 of them at random?

And where is the PIN stored? I always thought it was stored on the card, and the bank didn't know it, but having got some re-issued cards recently for my wife's change of name, they came and worked instantly with her existing PIN. How does that work? It's a bit like them sending you the damn thing with your signature pre-printed on it!! Was anyone actually interested in security when they designed this system?

> I'm not an eCommerce or financial security expert, but I'm sure Visa
> and Mastercard could come up with something a little more secure.

Absolutely. I remember having this chat when I worked in retail (and some of our stuff was high ticket).

In this age of online banking, why can I not (optionally) log in to my credit card account and tell it that under no circumstances are they to authorise a transaction over a limit I set (say, £100) without me having pre-authorised it? If I know I want to spend a large amount (and again, "large" should be for me to decide) I will log in and set up the transaction using the retailer's merchant ID (which is trivial for them to provide), so when the 'real' transaction comes in they know to let it through.

The nearest I saw to this was one bank (was it Smile? I forget...) who played around with one-shot card numbers. You logged in, set up a particular transaction and they generated a valid card number which, once used, became invalid. Not a bad idea for online purchases, I thought; dunno what happened to it.

But why don't they do this? Because card issuers get all their money (pretty much) from the retailers and the retailers want you to impulse-buy loads of stuff. It's got nothing to do with customer (i.e. consumer) service and all to do with fleecing us all.

Hey, there's a great view from on top of this soap box... :-)

Simon
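The controls Simon sketches (a customer-set ceiling on any single transaction, pre-authorisation of a larger one against the retailer's merchant ID, and one-shot card numbers that die after a single use) can be expressed as a small issuer-side authorisation policy. The following Python is an added illustration of that scheme and is not code from the post or from any card issuer; the account, merchant IDs, amounts and the 16-digit one-shot number format are all made up for the example. It also shows the edge cases the sketch glosses over: a pre-authorisation is consumed once it is used, a one-shot number is burnt even if the attempt that presented it does not match the registered merchant and amount, and a replayed one-shot number is treated as an unknown card.

```python
"""
Added example: an issuer-side authoriser for customer-set spending controls.
Assumed, not from any real issuer:
  - a single per-customer ceiling applied to every transaction,
  - pre-authorisations keyed on (merchant_id, exact amount), single use,
  - one-shot card numbers generated on request, valid for one matching use.
"""
from dataclasses import dataclass, field
from decimal import Decimal
import secrets


@dataclass
class PreAuth:
    merchant_id: str   # retailer's merchant ID as the customer registered it
    amount: Decimal    # the exact amount the customer set up
    used: bool = False


@dataclass
class CustomerAccount:
    pan: str                       # the customer's real card number (hypothetical)
    ceiling: Decimal               # largest amount approved without pre-authorisation
    pre_auths: list = field(default_factory=list)
    one_shot: dict = field(default_factory=dict)   # one-shot number -> PreAuth

    def pre_authorise(self, merchant_id: str, amount) -> None:
        """Customer registers an expected transaction ahead of time."""
        self.pre_auths.append(PreAuth(merchant_id, Decimal(amount)))

    def issue_one_shot(self, merchant_id: str, amount) -> str:
        """Hand out a fresh 16-digit number tied to one merchant and amount.
        The leading '9' is an arbitrary marker chosen for this example."""
        number = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        self.one_shot[number] = PreAuth(merchant_id, Decimal(amount))
        return number

    def authorise(self, card_number: str, merchant_id: str, amount) -> tuple:
        """Return (approved, reason) for an incoming transaction."""
        amount = Decimal(amount)

        # One-shot numbers: removed on first presentation, whether or not the
        # transaction matches, so a leaked number cannot be retried.
        if card_number in self.one_shot:
            pa = self.one_shot.pop(card_number)
            if pa.merchant_id == merchant_id and pa.amount == amount:
                return True, "one-shot number matched and is now void"
            return False, "one-shot number did not match merchant/amount; now void"

        if card_number != self.pan:
            return False, "unknown card number"

        # Under the ceiling: the customer has said these may go through freely.
        if amount <= self.ceiling:
            return True, "under customer ceiling"

        # Over the ceiling: only a matching, unused pre-authorisation lets it in.
        for pa in self.pre_auths:
            if not pa.used and pa.merchant_id == merchant_id and pa.amount == amount:
                pa.used = True          # consumed; a second charge needs a new one
                return True, "matched customer pre-authorisation"
        return False, "over ceiling and not pre-authorised"


if __name__ == "__main__":
    acct = CustomerAccount(pan="4111111111111111", ceiling=Decimal("100"))
    acct.pre_authorise("MERCHANT-0042", "250.00")
    print(acct.authorise("4111111111111111", "MERCHANT-0042", "42.50"))
    print(acct.authorise("4111111111111111", "MERCHANT-0042", "250.00"))
    print(acct.authorise("4111111111111111", "MERCHANT-0042", "250.00"))  # already used
    n = acct.issue_one_shot("MERCHANT-0099", "999.00")
    print(acct.authorise(n, "MERCHANT-0099", "999.00"))
    print(acct.authorise(n, "MERCHANT-0099", "999.00"))  # replay
```

The exact-amount match is deliberate: if the issuer only checked "amount not above what was pre-authorised", a merchant-side compromise could still split or reuse the authorisation, which is the kind of gap the ceiling was meant to close.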