6

As a person who is going to get my first credit or debit card, I began researching a bit about security of them and a couple of questions came up about why the system is designed the way it is.

  1. I read about large leaks of credit card data from websites, sometimes it was millions of credit card data hacked which would later be sold and used for fraud. Couldn't such leaks be avoided if the merchants didn't keep the details of online transactions? In other words, why payment processor like Visa or Mastercard can't act as a middleman? Before buying a product online, a shopper would be redirected to the payment processor's website and it would be there where the card details are entered. If the payment processor accepted it (the data would be correct and the fraud detection mechanism wouldn't be triggered), Visa/Mastercard would take the money away from the buyer account and send it to the merchant. That way the merchant can ship the product and, as the middleman is a trusted third party, it can expect to receive the money later. The difference is that the merchant doesn't have to know the details of the card that was used in the transaction, so it cannot be leaked in the future. Why doesn't it work that way?

  2. Is a CSC (card security code, a 3 or 4 digit code printed on the card) always required when buying online and if not, what does it depend upon if it's required - is it up to merchant whether to ask for it? If they are always required, why is it such a big deal when millions of credit card details leak due to a hack? A fraudster would still need the CSC code to buy anything online, right? Or are the CSC codes always included in the leaks because online stores didn't remove them after transactions (I read the law says that they shouldn't be stored after a transaction is completed).

  3. Why the CSC number is only 3 or 4 digits? Couldn't fraudsters try all the possibilities? Or is there a maximmum number of attempts before a card is blocked?

  4. Why is the CSC number even printed on card? If the card is stolen or somebody writes down or memorizes the number, the card holder is compromised. As far as I know, online transactions use CSC and offline transaction use PIN which you type in the terminal (like in a restaurant). Wouldn't it be better if there was just one password not written on the card that is used to authenticate both types of transactions?

  5. When I read headings like "10 millions of credit card numbers leaked" do they actually mean only the numbers? Isn't the numbers alone useless without data like expiration date, name of the card holder, which as far as I know are also used to authenticate a transaction?

George
  • 271
  • 2
  • 6
  • Credit cards and debit cards are secure. It's mainly because you store your CC information on remote server and therefore you are putting yourself at risk. Another factor is that you make transaction with the website and not bank directly. One more risk is using made-up ATMs. And also using scam websites and giving CC number over the phone to companies other than hotels. And finally getting infected with malware. Another thing is that cards also expire so if you have doubts that you have used your card wrongly you can always replace it. – Aria Aug 21 '16 at 22:36
  • You can never store card info on the remote server. You can see how the payment works if it's with the bank or with the website before entering details. To see if the ATM is OK and not on the street with active ATM gangs (recently I've seen there were guys trying to scare people during transaction). Never give the details to anyone at any occasion because such system doesn't exist except for hotels. And run decent antivirus, on Windows it's easy on Linux it's more expensive. – Aria Aug 21 '16 at 22:44
  • 9
    I disagree with nearly everything Aria saya here. – symcbean Aug 21 '16 at 23:02
  • 5
    @Aria - It's not fair to say "you are putting yourself at risk" when you're following the normal procedure to use your card. – paj28 Aug 22 '16 at 06:02

2 Answers2

5

All very good questions. There is a lot of nuance and history here that short answers have to elide that is worth the research if one is interested.

Couldn't such leaks be avoided if the merchants didn't keep the details of online transactions? In other words, why payment processor like Visa or Mastercard can't act as a middleman?

Merchants are not supposed to store payment details following a transaction- except in rare cases where users are engaging with merchants to create a recurring transaction, e.g. a subscription- but some nevertheless do, in contravention of requirements they have to follow for taking card payments, colloquially called PCI after the organization that administers them (which is sponsored by the payment brands, Visa and Mastercard). These improper storage points have of course been compromised leading to significant fines and costs for the merchants involved.

However, storage, whether proper or improper, is far from the only attack point. There has to be machinery to capture the card details from the cardholder at the point of sale and communicate that with the various banks involved- at minimum the acquiring bank, the bank with whom the merchant has a relationship allowing them to collect cardholder payments- and cardholder banks, the banks responsible for approving the use of credit or confirming the availability of funds for debit. This communication is often logistically brokered by payment processor middlemen, which operate in various layers, specializations, and relationship shapes, depending on industry and so forth.

All players in the communication flow have to adhere to PCI requirements around "cardholder-data-in-transit" but as one might imagine they all do better or worse at this and all have been subject to compromise as well.

At any rate- the answer is that attackers go where the weak points are. There are many weak points in the overall payment machinery, so many that the Federal Reserve last year started a national program to systematically improve both security and latency in all payment systems (see https://fedpaymentsimprovement.org/).

That certain weak points have been exploited and there has been a recent history of public shaming is not an indication that there are not other weak points lurking in the system.

Why doesn't it work that way?

The mere presence of a middleman does not provide better security, though it can reduce the attack surface- or simplify the attacker's problem, depending on how well they do their job.

However, what you are really referring to is a better protocol- which can provide better security- and that's what we are seeing with the rise both of chip-based payments (called EMV in the US) and its online cousin tokenization. Both of which work by using cryptography to create single-use payment credentials at the point of sale, rather than always distributing a reusable payment credential. Lots to google there if interested.

Is a CSC (card security code, a 3 or 4 digit code printed on the card) always required when buying online and if not, what does it depend upon if it's required - is it up to merchant whether to ask for it?

It is not always required when buying online. The decision is usually the merchant's, which can experimentally weigh:

  • reduction in sales due to consumers having to enter more data to complete a transaction
  • reduction in fraud due to what might be loosely called an additional factor that is slightly less available to fraudsters
  • reduction in fees from acquiring banks on transactions that use the CSC vs those that don't.

If they are always required, why is it such a big deal when millions of credit card details leak due to a hack?

It's a big deal from a news perspective because, for various reasons, more consumers pay attention to issues of this kind now. Largescale leaks from several years ago that were far more damaging in absolute terms received far less media attention.

It can also be a big deal for the retailers involved from a business perspective because the rules- called PCI, as mentioned earlier- have gotten tighter, and fines and penalties for violating the rules have gotten larger. So when retailers violate the rules, like storing cards when they should not have, the impact can now be materially significant to their business.

It's less of a big deal from an operational or fraud perspective, because all the parties are accustomed to the remediation- send consumers new cards, invalidate the old ones, rinse and repeat. Expiration dates have gotten shorter on newly issued cards, so loss of a large number of cards is to some extent just an extension of normal workflow for card providers.

Why the CSC number is only 3 or 4 digits? Couldn't fraudsters try all the possibilities? Or is there a maximum number of attempts before a card is blocked?

The code that performs system of record transaction processing checks for various indicators of real or attempted fraud, including multiple attempts against the same payment instrument within a particular time frame.

There is also a lot of geographical rationalization- use of the same card number in two physical Point of Sale systems in different geographical areas in the same day will get heightened scrutiny.

But there are many other signals here- payment fraud is a very interesting and active application area for machine learning.

Why is the CSC number even printed on card? Wouldn't it be better if there was just one password not written on the card that is used to authenticate both types of transactions?

Convenience, all around.

It is absolutely fair to say that the CSC number does not rise to the level of being a second factor, but it is also absolutely fair to say that a second factor is still infeasible in the real world when it comes to usability and convenience. Even security people still struggle with second factors, much less ordinary consumers.

A more common "second factor", so to speak, is required use of cardholder zip code, which is much more common than required use of a CSC.

My sense is that on balance, CSC is attributed with a relatively modest reduction in fraud at relatively modest infrastructure expense, but that it has not been considered a success. Chip payments and tokenization are much bigger impact.

When I read headings like "10 millions of credit card numbers leaked" do they actually mean only the numbers? Isn't the numbers alone useless without data like expiration date, name of the card holder, which as far as I know are also used to authenticate a transaction?

A reported compromise will be of whatever the compromised party considered to be sufficient data to capture payments. Card number and expiration date are the only data points that are always required by payment processors and other downstream systems. Other data points like name, address, zip code, phone number, CSC, email may or may not be, depending on the particular details of the merchant, the business, their provider relationships, and so forth.

Most of the use cases around additional data collected at payment time are for marketing rather than strictly for payment verification.

Jonah Benton
  • 3,439
  • 12
  • 20
  • Does the zipcode count as a second factor if it, just like the card number and CVC, is still just "something you know"? – user1686 May 11 '17 at 15:01
4

Before buying a product online, a shopper would be redirected to the payment processor's website and it would be there where the card details are entered.

That sounds a lot like 3-D Secure (Verified by Visa, MasterCard SecureCode, American Express SafeKey). Most customers do not use it and most sites do not support it.

Is a CSC always required when buying online and if not, what does it depend upon if it's required - is it up to merchant whether to ask for it?

Some merchants (Most notably, Amazon) don't require a CSC, but most do.

Why is the CSC number even printed on card?

Note that there are two CVC numbers: CVC1 is not printed on the card and is only present on the magnetic stripe. CVC1 can not be used to make purchases online.
The CVC2 code is printed on the card (not present on the stripe) and can not be used in-person where you have to swipe the card.

Lastly, cardholders in the US do not have a significant incentive to use more secure technology (even when it is available) because they don't lose money when their card number is stolen: If your card is stolen online, your bank will issue a chargeback and the money will be returned from the merchant. If your card is stolen in-person, your bank is on the hook for compensating you.

Navin
  • 466
  • 5
  • 10