Comment by tough
2 years ago
CC in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving
> CC in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving
This is not mandatory by law though, and mostly it's up to the merchant to decide whether they require 2FA or not. AFAIK payment processors like Stripe actually let you make 3DS (and whatever it's called for MasterCard / AMEX) mandatory.
I guess the problem is that in the US you'll lose a lot of customers by declining payments without 2FA. Also the likes of AMEX use 2FA via email, so I guess there could be fraud too.
It is required by law (the PSD regulation, specifically) in many circumstances.
> CC in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving
How does that work when you buy things in places where you don't have cell service?
Yes, they exist. Even in Europe.
The SMS (or more likely, bank app) confirmation thing only happens for online payments – and if you don't have internet, how are you shopping online?
For payments involving the physical card, the chip on the card and your PIN are the two authentication factors required. (Credit and debit cards are PIN-based in the EU; signatures aren't a thing anymore there.)
I guess in those cases, something offline like Google Authenticator (or similar) would be better.
And how does the PoS machine work then?
In the edge case where there is no cell service yet the PoS device has connectivity (e.g. WiFi or other cellular service) they might set up a WiFi access point for users to get push notifications (assuming the 2FA method is not archaic insecure SMS).
Personally, I am substantially more suspicious of whatever random wifi network I'd need to connect to in this scenario than I've ever been with payment terminals out in the wild. There's so, so much more attack surface on my phone than there is with my credit card - and resolving fraud on the credit card is as easy as a phone call to the issuer (at least in the US). No such luxury if my device gets pwned or networks are MITM'd or I'm associated with suspicious activity originating from this network.
PoS can do offline transactions and sync them later, if the merchant is willing to accept the risk.
Card present and card not present transactions are differentiated.
It does work, though I am not 100% certain of how.
Something to do with having a “next authentication token” on your device already with a 24hr expiry.
You 2FA through your bank app; SMS is too insecure for this purpose.
It’s not really a security concern, but SMS is only one factor (and EU regulations require banks to ask for two).
SMS fees outside the US are also orders of magnitude higher – paying a few cents for that can make the entire transaction uneconomical for banks, since interchange rates are also heavily capped in Europe.
I have had too many phones land in water, then get bricked, then be unrecoverable. Then find that 2FA locked me out of key stuff. Like my Apple account.
I know that SMS is insecure. But I can get it back after a predictable disaster.
> Yes, they exist. Even in Europe.
You mean you have wi-fi, but don't have cell service?
That is like... super rare.
It's not rare at all where I'm at.
I mean actually, I frequent a business where you cannot get a cell signal, but they offer free wifi. Metal building blocks the signal. This could happen anywhere.
Not rare at all. I grew up in such a place (well, before WiFi, but now it has WiFi and still doesn’t have cell service), and have lived in two other houses like this. On holidays I have stayed in hundreds of places like this.
I remember in Berlin going to a bar where there was no cell service (some combination of poorly sited base stations and thick walls made of something dense). They of course offered free WiFi considering this.
Where I am now, there’s a section of beach full of cafes that has no cell service. If you walk 100m north or south it’s fine, but that bit is a dead zone. All the cafes have free WiFi.
There's Wi-Fi calling, but unfortunately, at least in Germany, many operators don't support receiving SMS over that, unlike the US carriers I've tried it with.
However, most banks/issuers have since switched to using their app as the second factor, so all you need is Wi-Fi, practically.
A few even support displaying an offline code in the app that you can enter during checkout, but that's becoming less common since it doesn't support displaying the amount and payee given how it works.
I live in Edinburgh - buildings here are thick stone walls with lath and plaster on the internal surfaces. It's very common to have little to no cell signal indoors