Comment by reaperducer
2 years ago
CCs in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving
How does that work when you buy things in places where you don't have cell service?
Yes, they exist. Even in Europe.
The SMS (or more likely, bank app) confirmation thing only happens for online payments – and if you don't have internet, how are you shopping online?
For payments involving the physical card, the chip on the card and your PIN are the two authentication factors required. (Credit and debit cards are PIN-based in the EU; signatures aren't a thing anymore there.)
I guess in those cases, something offline like google authenticator (or similar) would be better.
And how does the PoS machine work then?
In the edge case where there is no cell service yet the PoS device has connectivity (e.g. WiFi or other cellular service) they might set up a WiFi access point for users to get push notifications (assuming the 2FA method is not archaic insecure SMS).
Personally, I am substantially more suspicious of whatever random wifi network I’d need to connect to in this scenario than I’ve ever been with payment terminals out in the wild. There's so, so much more attack surface on my phone than there is with my credit card - and resolving fraud on the credit card is as easy as a phone call to the issuer (at least in the US). No such luxury if my device gets pwned or networks are MITM’d or I’m associated with suspicious activity originating from this network.
While a random WiFi network isn't what I'd love to join too, at least it's an option for receiving a code through an encrypted channel (push notifications).
If that encryption can be MITMed, then there is a much bigger problem as any traffic can be MITMed at cellular network level anyway, voiding out any WiFi-MITM concerns.
The PoS asks for the PIN in sales > 50e for 99% of the population; you can change your personal limits, but still.
This is not SMS-based 2FA but a physical/Android-based PoS, which the bank lends you, to charge.
PoS can do offline transactions and sync them later, if the merchant is willing to accept the risk.
Card present and card not present transactions are differentiated.
It does work, though I am not 100% certain of how.
Something to do with having a “next authentication token” on your device already with a 24hr expiry.
You 2FA through your bank app; SMS is too insecure for this purpose.
It’s not really a security concern, but SMS is only one factor (and EU regulations require banks to ask for two).
SMS fees outside the US are also orders of magnitude higher – paying a few cents for that can make the entire transaction uneconomical for banks, since interchange rates are also heavily capped in Europe.
I have had too many phones land in water, then get bricked, then be unrecoverable. Then find that 2FA locked me out of key stuff. Like my Apple account.
I know that SMS is insecure. But I can get it back after a predictable disaster.
For most 2FA codes you can store the QR seed you get into your authenticator app as a backup code.
SMS is trash, yeah; 2FA just works if you care enough to know how (on most sites).
> Yes, they exist. Even in Europe.
You mean you have wi-fi, but don't have cell service?
That is like... super rare.
It's not rare at all where I'm at.
I mean actually, I frequent a business where you cannot get a cell signal, but they offer free wifi. Metal building blocks the signal. This could happen anywhere.
Right but then you just connect your phone to the wifi? The following methods I have had for the 3DS card payments are (ultimately depends on the bank):
- Bank sends you a tiny card reader that you enter your PIN and it gives you a one time code. If you want to make payments that require 3DS (online only ofc) you have to have this card reader on you but it doesn't actually require an app or internet connectivity.
- You have an app on your phone, you drag a code from a notification onto another area of the app itself which does something (somehow - no idea the purpose) and verifies the transaction. Certificate is stored on device only.
- You open an app and it'll notify you of the purchase amount, location and merchant, and you just tap allow
- You receive a code in the mail that is renewed once a year which is then combined with a SMS message (or app notification). The payment flow asks you for some characters from both codes.
You do not require cell service for any that I have used and wifi is enough.
Further Edit: Just to clarify though, all of these are ONLY for online purchases. Purchases in shops you just use your pin if it requires authorisation.
Not rare at all. I grew up in such a place (well, before WiFi, but now it has WiFi and still doesn’t have cell service), and have lived in two other houses like this. On holidays I have stayed in hundreds of places like this.
I remember in Berlin going to a bar where there was no cell service (some combination of poorly sited base stations and thick walls made of something dense). They of course offered free WiFi considering this.
Where I am now, there’s a section of beach full of cafes that has no cell service. If you walk 100m north or south it’s fine, but that bit is a dead zone. All the cafes have free WiFi.
There's Wi-Fi calling, but unfortunately at least in Germany, many operators don't support receiving SMS over that, unlike the US carriers I've tried it with.
However, most banks/issuers have since switched to using their app as the second factor, so all you need is Wi-Fi, practically.
A few even support displaying an offline code in the app that you can enter during checkout, but that's becoming less common since it doesn't support displaying the amount and payee given how it works.
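The "offline code in the app" mentioned above (and the Google Authenticator suggestion earlier in the thread) works because both the bank and the app hold the same seed and derive the code from it without any network. The block below is an added illustration, not code from any commenter, bank or authenticator: it implements standard HOTP (RFC 4226) and TOTP (RFC 6238), a verifier with a small clock-skew window, and, as a constructed illustration of why amount-blind codes are losing favour, a hypothetical `transaction_code` that mixes amount and payee into the HMAC so the code only verifies for the transaction the user was shown. The seed and transaction values are RFC test vectors or made-up sample data.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3: pick 4 bytes at an
    offset given by the low nibble of the last byte, mask the sign bit,
    and keep the requested number of decimal digits."""
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Counter-based one-time password (RFC 4226). Needs no network:
    only the shared seed and the counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter
    set to the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check that tolerates `window` steps of clock drift on
    either side. Uses a constant-time comparison so response timing
    does not leak how many leading digits matched."""
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, current + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def transaction_code(secret: bytes, counter: int, amount_cents: int,
                     payee: str, digits: int = 6) -> str:
    """Hypothetical transaction-bound code (constructed for illustration,
    not any bank's scheme): the amount and payee are part of the HMAC
    input, so a code approved for one transaction cannot be replayed to
    authorise a different amount or recipient. This is the property a
    plain offline TOTP lacks, since its input is only the seed and time."""
    msg = (struct.pack(">Q", counter)
           + struct.pack(">Q", amount_cents)
           + payee.encode("utf-8"))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference seed (20 ASCII bytes).
    seed = b"12345678901234567890"
    print("HOTP counter 0:", hotp(seed, 0))           # 755224
    print("TOTP at t=59  :", totp(seed, 59, digits=8))  # 94287082
    print("verify drift  :", verify_totp(seed, totp(seed, 100), 100 + 30))
    # Constructed transaction: 50.00 EUR to a sample payee.
    a = transaction_code(seed, 7, 5000, "SAMPLE CAFE")
    b = transaction_code(seed, 7, 5001, "SAMPLE CAFE")
    print("amount-bound codes differ:", a != b)
```

Note that `verify_totp` accepts a code from the previous or next 30-second step, which is the usual trade-off between tolerating phone clock drift and limiting the replay window; the `transaction_code` variant shows why an app that can display the amount and payee in its confirmation flow has a stronger guarantee than a bare six-digit code typed into a checkout page.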
I live in Edinburgh - buildings here are thick stone walls with lath and plaster on the internal surfaces. It's very common to have little to no cell signal indoors