Does 3DS make debit card fraud a thing of the past?

horizonverizon

I remember I was with an American friend last summer in the States and worried that the waiter took my card with her to the back. He said I shouldn't worry because two-factor authentication as well as push notifications have made it impossible for someone to make purchases even if they steal your details.

Is it really true? I know whenever I buy things from eBay or Amazon, they always ask me to verify the purchase with Verified by Visa or push notifications, but I get nothing when topping up my Leap Card.
 
Card-based payment fraud has definitely declined owing to strong customer authentication rules. However, fraudsters are innovative and now focus on scams which trick individuals into authorising payments to the fraudster instead. There are lots of threads on here about authorised push payment fraud.
 
3DS makes transactions more secure but does not eliminate the risk of fraud entirely. For example, if the card has been used and accepted on a website previously then potentially it will get approved without the need for MFA to kick in. Not every transaction generates a push. I've literally in the last 30 minutes bought 2 concert tickets online and got neither a push nor a request to approve my transaction in the app. (BoI)
 
There are thresholds, exemptions, issuer risk levels etc. In the EU, transactions under 30 EUR do not require strong customer authentication, so that's probably why your Leap Card top-up doesn't ask for it. Similarly there are other exemptions up to 500 EUR if certain fraud rate conditions are met.

Ultimately your card details can still be stolen and for example used to buy something online in Asia which doesn't require 3DS. Your bank or payment processor may or may not identify the fraudulent behaviour and block it or they may not.

Ultimately you as the consumer are protected and the liability shifts to the banks / payment processor.
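The thresholds mentioned in the post above can be made concrete. This is an added example, not part of the original post or any bank's code: the figures are those of the PSD2 regulatory technical standards (Regulation (EU) 2018/389), while `CardState`, `decide` and the way the counters are applied are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Figures from the PSD2 RTS on SCA (Regulation (EU) 2018/389).
LOW_VALUE_MAX = Decimal("30")      # Art. 16: per-payment limit in EUR
LOW_VALUE_TOTAL = Decimal("100")   # Art. 16: cumulative limit since last SCA
LOW_VALUE_COUNT = 5                # Art. 16: consecutive payments since last SCA
# Art. 18 annex: (max amount in EUR, max PSP fraud rate in %), remote card payments.
TRA_BANDS = [(Decimal("500"), Decimal("0.01")),
             (Decimal("250"), Decimal("0.06")),
             (Decimal("100"), Decimal("0.13"))]

@dataclass
class CardState:
    """Hypothetical issuer-side counters since the cardholder last completed SCA."""
    total: Decimal = Decimal("0")
    count: int = 0

def decide(amount, state, fraud_rate_pct, low_risk=True, merchant_in_eea=True):
    """Return (sca_required, reason) and update the counters in `state`."""
    amount = Decimal(str(amount))
    rate = Decimal(str(fraud_rate_pct))
    if not merchant_in_eea:
        # "One leg out": SCA is only best-effort when the merchant side is outside the EEA.
        return False, "one-leg-out"
    # Modelling choice (assumption): apply both Art. 16 counters, counting this payment.
    if (amount <= LOW_VALUE_MAX and state.count < LOW_VALUE_COUNT
            and state.total + amount <= LOW_VALUE_TOTAL):
        state.total += amount
        state.count += 1
        return False, "low-value"
    # Transaction risk analysis: largest band whose fraud-rate ceiling the PSP meets.
    if low_risk:
        for limit, max_rate in TRA_BANDS:
            if rate <= max_rate and amount <= limit:
                return False, f"tra<={limit}"
    state.total, state.count = Decimal("0"), 0   # SCA performed: counters reset
    return True, "sca"
```

Run with a series of 10 EUR top-ups and a fraud rate above every band, the first five pass without a prompt and the sixth triggers one, which matches the experience of only occasionally being asked to approve small payments.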
 
Card providers can receive exemptions from the obligation to use two-factor authentication in certain circumstances.

AFAIK it can depend on the merchant and transaction level.
 
Through the app or once you are logged into the website. Regular letter otherwise.
So in the event of a fraudulent or possible fraudulent transaction being identified on your account, you'd have to wait 3 to 5 days for the bank to write out to you via snail mail?

Not everyone in Ireland has easy online access; large chunks of the country are black holes, so internet banking is not an option for a lot of people.

FBI issued a warning before Christmas on a growing threat of malware accessing banking apps. Also it would not be rocket science to design a text message with a link and logo to make it look like an alert from your app.

Remember, fraudsters don't need 99 people out of a hundred to fall for scams, they just need 1.
 
You don't even need the full card details. If you have partial card details and use a number generator and the algorithms for deciding if a card or account number is valid or not, then it's not difficult to guess the rest. I've seen a list of transactions in the past where it was clear a bot was targeting a website and you could see all the failed transactions coming in with one or 2 digits changing and then one was eventually accepted. We never saw that card again; the fraudsters probably went off to a higher-end website and used it there.
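The pattern described in the post above (a run of declines on near-identical card numbers, then one approval) is detectable from the merchant's or acquirer's side. This is an added example, not part of the original post: the log layout, the `find_enumeration` name, the thresholds and every card number are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (epoch seconds, merchant id, card number, approved?)
ATTEMPTS = [
    (1000, "m1", "4000001234560017", False),
    (1002, "m1", "4000001234560025", False),
    (1003, "m1", "4000001234560033", False),
    (1005, "m1", "4000001234560041", False),
    (1006, "m1", "4000001234560058", True),   # the guess that got through
    (1010, "m1", "5100009876540001", True),   # unrelated genuine customer
    (5000, "m2", "4000001234560017", False),  # lone decline, not a burst
]

def find_enumeration(attempts, prefix_len=14, window=60, min_declined=4):
    """Flag bursts where several distinct card numbers sharing a prefix are
    declined at one merchant within `window` seconds. Each alert lists any
    card approved inside the burst, which is the one to block and reissue."""
    groups = defaultdict(list)
    for ts, merchant, pan, ok in sorted(attempts):
        groups[(merchant, pan[:prefix_len])].append((ts, pan, ok))
    alerts = []
    for (merchant, prefix), rows in groups.items():
        start, best = 0, []
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            declined = {pan for _, pan, ok in span if not ok}
            if len(declined) >= min_declined and len(span) > len(best):
                best = span
        if best:
            alerts.append({
                "merchant": merchant,
                "prefix": prefix,
                "declined": len({p for _, p, ok in best if not ok}),
                "approved": sorted({p for _, p, ok in best if ok}),
            })
    return alerts
```

On the sample it returns one alert for merchant `m1` with four declined numbers and the approved card `4000001234560058`, so the issuer can block that card before it is used elsewhere.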
 
Almost everyone in Ireland lives in an area with at least basic 4G coverage, but there's a cohort that stubbornly refuses to go online for anything. That's fair enough, but it shouldn't prevent measures that would make the remaining 95% of the population safer. Those who refuse to go online would just have to wait for the letter (or call the bank) if their card gets blocked.
 
Clearly you've never tried to get a mobile signal between Midleton and Fermoy then.

I really don't understand how restricting a business from contacting their customers would in any way make things safer. The real issue here is education. All of the banks state they will never ask for your card details, PIN etc., yet people still fall for this.
 
Because the message "Your bank will never call, text or email you under any circumstances" is less ambiguous than "Your bank might legitimately call you for this or for that but not for this or for that."
 
It's naive to think that stopping emails, phone calls etc. from banks would eliminate fraud. Post interception fraud has been a major issue in the UK over the years. And now we have the bizarre sliotar scam going on down in Cork. Fake invoices in the post have been an issue for years (ask Meath County Council).
 
It wouldn't eliminate all fraud but a lot. Intercepting letters wouldn't enable criminals to get their hands on the account (since they also needed the app & PIN/password). There's the potential for fake banking apps but I don't think that's the main method of fraud at the moment. Almost all fraud starts with a text, call or email.
 