Comment by kccqzy

4 hours ago

There is a 3DSecure system for existing Visa, Mastercard, and American Express. After typing your card numbers, the transaction doesn’t immediately go through but you are also redirected to the bank’s system. Banks can ask you to use a hardware token, an app, or any other second factor to approve the transaction.

It’s a shame that this system isn’t ubiquitous for the rest of us not in the EU.

> After typing your card numbers

Yes, but the whole point of Wero is that you don't have to type in a bunch of info that can be easily stolen. With Wero (and many other international solutions), you just scan a code with your phone, and your banking app handles the transactions. The existing legacy solutions are just duct tape on an existing system.

  • If 3DS and chip + PIN card usage were ubiquitous, the value of a stolen card number and even card would be zero, and this entire problem would go away.

    Unfortunately, legacy deployments have just proven too pervasive to effect real change, even with substantial incentives, especially in early card adopting markets such as the US.

  • But what's the value of stolen card data? It always requires 2FA to be used. It's just routing information to your bank.

    Are there still cards that work without 2FA?

  • So you have to use a phone or does it work without one?

    Does it handle credit card payments?

    • The QR code just contains a URL to a website, so you can also just use that link and a web browser. That website will let you choose which bank you use, and then redirect to your bank's website which will use your bank account directly. I don't think it works with cards at all.


  • Does it mean that instead of depending on the Visa/Mastercard duopoly you now depend on the Google/Apple duopoly?

    • Of course not, since you can just install the Android app on your free software aftermarket OS. Surely banks wouldn't require hardware attestation or monitor your device for being rooted, would they? /s

      Irony aside, yeah, this is a significant downside compared to hardware-based standards. Not so much for Android, as Google Pay and most competitors are implemented in software, but on a hypothetical iPhone or Garmin device running an open OS (don't laugh, it's a thought experiment), payment data security would not be much of a concern since all payment keys live in a secure and completely separate chip.

  • If this system is ubiquitous, stealing your card number would be useless. Your card number becomes a user name like jonkoops that you would have no qualms sharing.

  • > you just scan a code with your phone,

    And authorize yourself with the banking app, and, and...

    It's not less complicated than auto filling credit/debit card details with your finger print on your phone or laptop.

    For consumers, Wero, Pix, and similar systems only have downsides for online use. The most important downside is that you can't reclaim your funds if you've been the victim of fraud. Which you can when paying by card.

The problem with 3D Secure is that the merchant can unilaterally decide not to use it, which defeats the whole purpose of 3D Secure.

  • > the merchant can unilaterally decide not to use it

    If they do so, they are telling the card issuer that they are happy to be on the hook for chargebacks/fraud. It's not a decision without consequences.

    • Compared to fraud, 3DS reduces sales turnover by a lot, and this is the reason why for the most part it is not required in the US; too much friction during checkout hurts business.

  • I tend to associate ignoring 3D Secure with Stripe. In the name of "less friction" of course.

  • non-3DS payments are trivial to chargeback, at least in the EU

    • In America all payments are trivial to chargeback anyways.

      We ought to have liability shifting. A long time ago there was a liability shift where if a merchant uses the magnetic stripe on a card equipped with a chip, then the merchant is unconditionally liable in case of a chargeback. We just needed merchants to be liable when the bank supported 3DSecure but the merchant chose not to use it.

    • They are everywhere. Default liability for online payments is and has always been with the merchant; only 3DS and some wallets can shift it to the issuer.

This is pretty much how every payment I do in Finland works. I always have to go and verify it using my online banking credentials after I've entered the numbers. Does make me wonder why I need to bother with the whole number, expiry and CVV bullshit anyway.