Opinion: Why credit card payments without a second factor are yesterday's news

Banks require their customers to enroll in Visa Secure, Mastercard Identity Check, Amex SafeKey and the like. So why don't merchants enforce them?


Credit card numbers are quickly stolen and used.

(Image: wk1003mike/Shutterstock.com)


Online credit card payments were once a convenient, if surprisingly insecure, way of doing business: all you needed was the card number, the expiration date and the card verification code (CVV/CVC) and you could shop online. The industry eventually accepted that this could not work in the long term, and that credit card data had become a popular commodity for criminals. In 1999 the 3-D Secure procedure (3DS) was developed, which made a second factor necessary for a payment. The procedures known today as "Visa Secure", "American Express SafeKey" or "MasterCard Identity Check", depending on the card scheme, were initially based on SMS, which is unfortunately insecure as a second factor.

This meant that when you made a credit card payment, a code was texted to your phone, which you had to enter to prove that you were the actual cardholder. The procedures have since been simplified. In most cases a banking or card app for Android or iOS takes over the task: you then authorize bookings with biometrics (face scan or fingerprint), occasionally with a code shown in the app. The problem, however, is that these secure procedures are still not enforced by default. It's a bit like having a security guard on your doorstep who only really takes action every few days.

An opinion by Ben Schwan

Ben Schwan is a journalist and author based in Berlin. He has been writing about technology, research and science topics for 25 years and does not allow his enthusiasm for new things to be dampened by repetitive hype cycles, security politicians running amok or technical inadequacies.

Whether a query is made is therefore purely a matter of chance and depends on the retailer in question, and this is how very large providers handle it too. The honest customer may be pleased that the seemingly annoying additional step was not needed and the payment went through quickly. But it also means that criminals can exploit the missing query to keep cheerfully ordering at other people's expense with just three simple details. And credit card data disappears quickly.

I have just experienced this myself with the world's largest e-commerce provider, Amazon, when a debit of almost 85 euros appeared on a family member's card account that could not be matched to any purchase. The confusing thing was that the card had never been used with or stored at Amazon, and had in fact never been used online at all. Before the transaction there was neither a purchase confirmation from Amazon nor a security query via the bank's secure procedure. In addition, a 0-euro transaction had been requested beforehand, which is typical when a card is used for the first time at an online retailer and/or when criminals want to test it. Obviously a successful scam.

Amazon itself is not particularly helpful in such cases, at least it was not in this instance. In the end Amazon only advised us to dispute the payment with the bank, which we then did. The amount was provisionally credited back, but the bank is still investigating. The card also had to be blocked and replaced.


So all's well that ends well? Unfortunately not. That it is even possible to make card payments without the second factor being at hand is no longer in keeping with the times. You now have to enter a code for every bank transfer, and two-factor authentication is becoming standard in online banking generally. In retail, however, the motto seems to be "anything goes". The defrauded customer is also left in the dark, because they simply cannot trace where the card data went.

The incident is a classic example of modern security procedures that have long been available but are not used, or only used to a limited extent. If the second factor is not requested, for the sake of customer convenience or other reasons, the whole system collapses and shopping with just three data points works exactly as it did in the 1990s. Most of the cards that banks issue are also physical plastic and have to be physically replaced, as in our case, which can take weeks if you are unlucky.
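What "enforcing the secure procedure" looks like on the merchant side, as an added example and not code from the article or from any merchant or bank mentioned in it: a checkout gate that refuses to send a card-not-present authorization unless a 3-D Secure 2 result (transStatus, ECI and the issuer's CAVV) proves the cardholder was actually verified, next to the lenient policy the article describes, which authorizes on number, expiry and CVC alone whenever 3DS was skipped or unavailable. The ThreeDSResult and Decision types, the decide() policy and the scenarios are this example's own constructions; the transStatus letters and the ECI values 05 (Visa, Amex) and 02 (Mastercard) are the schemes' usual codes for a fully authenticated transaction.

```python
from dataclasses import dataclass
from typing import Optional

# ECI values the card schemes use for "cardholder fully authenticated":
# 05 for Visa/Amex-style schemes, 02 for Mastercard.
FULL_AUTH_ECI = {"05", "02"}


@dataclass(frozen=True)
class ThreeDSResult:
    """Outcome the merchant's 3DS server / PSP hands back (example type, assumed)."""
    trans_status: Optional[str] = None  # EMV 3DS2 transStatus; None = 3DS never run
    eci: Optional[str] = None           # electronic commerce indicator
    cavv: Optional[str] = None          # authentication value minted by the issuer's ACS


@dataclass(frozen=True)
class Decision:
    action: str   # "authorize" | "challenge" | "decline"
    reason: str


def decide(result: ThreeDSResult, enforce_3ds: bool) -> Decision:
    """Gate the authorization request on the 3DS outcome.

    enforce_3ds=False models the status quo the article complains about: if 3DS
    was not run, or the issuer could not authenticate, the merchant authorizes on
    PAN, expiry and CVC alone. enforce_3ds=True only lets a transaction through
    when the cardholder was actually verified.
    """
    status = result.trans_status

    if status is None:
        if enforce_3ds:
            return Decision("challenge", "no 3DS result attached; run 3DS before authorizing")
        return Decision("authorize", "3DS skipped; authorizing on card data alone")

    if status == "Y":
        # The flag alone proves nothing: the evidence is the CAVV plus a matching
        # ECI, both of which must be forwarded in the authorization message.
        if result.eci in FULL_AUTH_ECI and result.cavv:
            return Decision("authorize", "cardholder authenticated; CAVV forwarded to issuer")
        return Decision("decline", "transStatus Y but ECI/CAVV inconsistent")

    if status == "C":
        # Issuer wants a challenge (app biometric or code); authentication is not done yet.
        return Decision("challenge", "issuer requested a challenge; finish it first")

    if status == "A":
        # Attempt only: the issuer's ACS did not verify the cardholder. Liability may
        # shift to the issuer, but security-wise this is the same as no second factor.
        if enforce_3ds:
            return Decision("decline", "authentication attempted only; cardholder not verified")
        return Decision("authorize", "attempt accepted for liability shift")

    if status == "U":
        # 3DS unavailable. The lenient merchant falls back to plain card data.
        if enforce_3ds:
            return Decision("decline", "3DS unavailable; not falling back to card data alone")
        return Decision("authorize", "3DS unavailable; falling back to card data alone")

    # N (not authenticated), R (issuer rejected) or anything unexpected.
    return Decision("decline", f"transStatus {status!r}: cardholder not authenticated")


# Constructed scenarios (not real transactions). The first one is the article's case:
# a card never enrolled with the merchant, used with number, expiry and CVC only.
SAMPLE_CAVV = "example-cavv-from-acs"  # placeholder, not a real authentication value
SCENARIOS = {
    "stolen_card_3ds_skipped": ThreeDSResult(),
    "frictionless_authenticated": ThreeDSResult("Y", "05", SAMPLE_CAVV),
    "status_flag_without_proof": ThreeDSResult("Y", "07", None),
    "challenge_pending": ThreeDSResult("C", None, None),
    "issuer_acs_unavailable": ThreeDSResult("U", "07", None),
    "attempt_only": ThreeDSResult("A", "06", SAMPLE_CAVV),
    "not_authenticated": ThreeDSResult("N", "07", None),
}


def compare_policies() -> dict:
    """Return {scenario: (lenient action, strict action)} for every scenario."""
    return {
        name: (decide(r, enforce_3ds=False).action, decide(r, enforce_3ds=True).action)
        for name, r in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (lenient, strict) in compare_policies().items():
        print(f"{name:28s} lenient={lenient:9s} strict={strict}")
```

The point of the strict branch is that the merchant never treats the transStatus flag as proof on its own: only the CAVV, forwarded to the issuer in the authorization, ties the payment to a completed second factor. Treating "attempted" and "unavailable" as failures is the security-first choice the article argues for; many merchants accept them today because the liability shift makes the fraud the issuer's problem rather than theirs.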

It could be easier. Providers such as Revolut or Bunq work with virtual cards that can be blocked and even temporarily frozen with a tap, and whose number can be replaced in seconds. Tokenized payment methods such as Apple Pay or Google Pay, where the real card data is never handed to the merchant, make it harder to siphon off money with stolen card details.

The problem lies in the edge cases and the legacy setups: tokenized payment methods need checkouts and terminals that support them, and the secure procedures, as in our case, rely on merchants actually using them. Card schemes and banks could enforce this if they wanted to, but so far they have not. And disputes over card payments do not always run smoothly: it is not uncommon for banks to refuse a chargeback. Incidentally, when asked why Amazon, as the market leader, does not enforce the secure procedure across the board and how often purchases with stolen card data occur there, the company declined to answer. Too bad.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.