As an old saying goes, "Just because you're paranoid doesn't mean they
aren't after you."
Although full-blown paranoids see danger /everywhere/, I have been called paranoid for pointing the above out.
In the EU, even knowing the bank account data of someone doesn't allow
anyone to extract money from it.
As an old saying goes, "Just because you're paranoid doesn't mean they
aren't after you."
Although full-blown paranoids see danger /everywhere/, I have been called
paranoid for pointing the above out.
To your point, Rudy Weiser, Carlos didn't define "where" the paranoia
lies.
Intelligent people would guard against the threat that seems most
sensible.
To your point, Rudy Weiser, Carlos didn't define "where" the paranoia
lies.
And neither did I.
"R.Wieser" <address@is.invalid> wrote
| Although full-blown paranoids see danger /everywhere/, I have been called
| paranoid for pointing the above out.
That's basic ostrich strategy. If you warn them a
lion is coming they'll see it as raining on their parade.
When privacy and security first began to get focus,
mentioning any preventive measures would immediately
elicit "tinfoil hat" namecalling.
"R.Wieser" <address@is.invalid> wrote
Auto-payment is increasingly popular here. I prefer
to write checks. The only company accessing my bank
account is the US Treasury. If I wanted to change the
account that they access I'd have to file a form in person
at the bank. The UST requires a password and then sends
me a temporary email key. No cellphone or device ID
required. I think the cellphone authorization is primarily
a Google idea. It adds significantly to their tracking ability
to have clear, frequent confirmation that you're connected
with a particular cellphone that they're tracking. And it's
being used as security for email, which has virtually no
security by design!
Carlos,
In the EU, even knowing the bank account data of someone doesn't allow anyone to extract money from it.
Yeah, you need to have proof that you are a company to be able to do that. And registering yourself as a company is quite hard here, you only have to pay a nominal fee and you're one (been there, done that).
... which is exactly what happened a number of years ago. People who noticed unknown companies dipping into their accounts, and had to act themselves to get that money back.
As for a smartphone for authentication ? I always found that odd. You have exactly *zero* control over what is going on on it, and if you make sure you can (rooting it) you are flagged as "insecure".
Besides that, it's a *non-secure* chain, in the sense that pretty-much any helpdesk employee can transfer your phone number to another physical phone (social engineering).
As for using a smartphone to order *and* do MFA ? That's like having your (four-digit?) bank code written on the card itself. IMHO that's just /asking/ for it...
| Although full-blown paranoids see danger /everywhere/, I have been
| called paranoid for pointing the above out.
That's basic ostrich strategy. If you warn them a
lion is coming they'll see it as raining on their parade.
Notice that Carlos didn't say his chief concern is
convenience. He just labelled any other approach as
a "very limited life".
Yes, but can you then actually extract money from people's
(Dutch) bank accounts?
AFAIK, they can only do an 'incasso' ('collection' in English?)
and you can reverse that and then they have to prove that it's legit.
In most cases, the *phone* is the second factor (in 2FA), not the
phone *number*.
It can be done quite safely. The question is what percentage of
Joe Average Users *know how* to do it safely.
"Carlos E. R." <robin_listas@es.invalid> wrote
| I don't recall Google T&C saying they track bank apps, so I doubt they
| do it. Even with SMS there are limits to what they do.
|
I don't mean that Google records your banking
transactions, though nothing would surprise me.
What I meant was that the very idea
of a cellphone for authentication is a way for Google's
gmail, or other services, to connect your cellphone
to a confirmed personal ID and location tracker. That means
that their tracking collar data from your phone can be
confidently linked to you personally. The idea that 2FA with
a cellphone is necessary for email is absurd. Google's
rifling through most email. Most people are leaving their
email on a server and reading/composing in an insecure
webmail UI. And even encrypted email is decrypted with
each handoff on its way to the destination. It's only
protected from man-in-the-middle attacks. In short, email
is not private communication. So Google's demand of
cellphone 2FA never made sense, except for tracking
purposes.
You seem to be entirely in the dark about even
standard tracking. This is what I was talking about
with the links, such as the Kochava story. Kochava is
just one dataminer, buying spy data from "free"
cellphone app makers and other sources to create a full
record of you: your religion, politics, shopping, and your
exact location in real time, all the time. Google does
similar. They also share data with credit card companies.
https://www.washingtonpost.com/news/the-switch/wp/2017/05/23/google-now-knows-when-you-are-at-a-cash-register-and-how-much-you-are-spending/
All of these snoops are selling data and exploiting data.
Forcing you to have and use a cellphone connected to
your email is essentially making you tie on a tracking collar.
But Google are very clever. All of their products and
spying are so convenient and seamless and functional
that once you're in the Google zoo it's far too much
hassle to consider leaving.
Frank,[...]
In most cases, the *phone* is the second factor (in 2FA), not the
phone *number*.
If you send a verification SMS to a phone number, it gets received on whatever phone that that number is linked to.
It can be done quite safely. The question is what percentage of
Joe Average Users *know how* to do it safely.
It can ? Try me.
And no, combining another number with what is written on the card doesn't count. Although it is a method to have a single master-"password" for a heap of cards (how many do you have ?), in that case it's also another security risk. :-\
So can you STFU with this nonsense!
In the snipped part you talked about "a smartphone for authentication".
*That* was what I was referring to.
It can be done quite safely. The question is what percentage
of Joe Average Users *know how* to do it safely.
It can ? Try me.
Lock your phone *and* the 'dangerous' apps, preferably with biometrics
(I use fingerprints) and preferably auto-locking.
Huh? You lost me. In the snipped part you were talking about "As for
using a smartphone to order *and* do MFA ?"
No offense, but you snip - IMO too much - context and then you
seem to lose track of even your own (con)text.
Frank,
"Carlos E. R." <robin_listas@es.invalid> wrote
| Because the context is using something on the phone as second factor to
| authorize banking operations.
|
I was talking about the privacy problem of 2FA through
a phone for anything.
The service that wants me to identify already knows that I'm going to identify through the phone *and it is me*.
There is no privacy leaked.
Sorry, but my elective root canal procedure has priority.
Better luck next time.
Frank,
Sorry, but my elective root canal procedure has priority.
Better luck next time.
Yeah, same here. I don't quite like hypocrites.
Carlos,
The service that wants me to identify already knows that I'm going to
identify through the phone *and it is me*.
How ? By them calling your number and asking if the person answering is
you ? Yeah, that'll certainly work ... Number hijacking isn't a thing. Nosirree.
Also most, if not all 2FA is computerised. Besides the user, no actual persons involved.
And so you have a smartphone which sends a request for transfer of funds,
and the same smartphone receiving a request to allow that transfer. If you get malware on your phone which can initiate (or manipulate!) the transfer, what do you think is the chance that the same malware can intercept and answer that 2FA request and handle it (either by replay, thru manipulating the 2FA app or just by social engineering the user itself) ?
There is no privacy leaked.
I think you're the only one here bothered by that. Somehow I think that most, if not all others are more concerned by the possibility of seeing
their bank accounts being drained.
I just looked up "hypocrite" in the dictionary, but I'm afraid
it does not say: Someone who doesn't play along with dishonest snip-and-distort games.
Sorry for trying to have a normal conversation with you on some
points you raised, I should have known better.
But anyone who wants - and that - theoretically - includes you -,
can check who said/snipped what, in which sequence, who misinterpreted/ misrepresented what and who dodged which questions.
As I said: Better luck next time.
The service that wants me to identify already knows that I'm going to
identify through the phone *and it is me*.
How ? By them calling your number and asking if the person answering
is you ? Yeah, that'll certainly work ... Number hijacking isn't a
thing.
Nosirree.
You are being ridiculous.
This is some concern I already mentioned.
Frank,
I just looked up "hypocrite" in the dictionary, but I'm afraid
it does not say: Someone who doesn't play along with dishonest snip-and-distort games.
Indeed it doesn't.
But it however /does/ say that it's someone who demands others to (not) do something, while doing the opposite themselves.
Sorry for trying to have a normal conversation with you on some
points you raised, I should have known better.
Same here, as we had a similar clash not too long ago.
But anyone who wants - and that - theoretically - includes you -,
can check who said/snipped what, in which sequence, who misinterpreted/ misrepresented what and who dodged which questions.
:-) You must have totally missed where I did spell exactly that out to you two posts back.
But no, you have not missed that at all. You've just chosen to ignore it, instead trying to play your "I don't understand" game.
As I said: Better luck next time.
Same back to you. But don't get your hopes up.
Carlos,
The service that wants me to identify already knows that I'm going to
identify through the phone *and it is me*.
How ? By them calling your number and asking if the person answering
is you ? Yeah, that'll certainly work ... Number hijacking isn't a
thing.
Nosirree.
You are being ridiculous.
You noticed ! :-)
And why do you think I was acting that way ? Perhaps because I thought the same about what you penned down ? Could it be ?
Good, now we got that out of the way, explain how someone at the bank calling "you" is supposed to know it's /you/, and not someone who took over your
phone number (and knows a thing or two about you).
And then the (to me) obvious problem : How do you know that the one who is calling you "from the bank" is actually /from the bank/ ? IOW, the "are
you who you say you are" works *two* ways, not just one.
This is some concern I already mentioned.
You did ? Where ? (date/time of the post will probably be enough, though a short "start here" quote will be appreciated) I want to read what your conclusion was. That's assuming that you came to one, and not just left it dangling ...
The point of two factor authentication is to add a _second_ layer of security so that if your account/password is stolen - which happens a lot
in data breaches - there must be a second 'token' - something you _have_. With SIM swap fraud the malefactors effectively have your phone and can
get the code.
You have a habit of *implying* these alleged wrongdoings, but
never actually *point out* (i.e. quote) where these are supposed
to have taken place.
So, you can still backup your above veiled allegation(s)
with specifics, instead of vague insinuations, but I doubt
you will.
As to "You've just chosen to ignore it", what's *your* excuse
for (snipping and) not answering my specific questions? (Clue-by-four:
"BTW, ...")
:-) You must have totally missed where I did spell exactly that out to
you two posts back.
If you mean the "the chickens and the fox" thing:
Yes, it's probably best to try to avoid each other.
"R.Wieser" <address@is.invalid> wrote
| > There is no privacy leaked.
|
| I think you're the only one here bothered by that. Somehow I think that
| most, if not all others are more concerned by the possibility of seeing
| their bank accounts being drained.
Actually, this subthread started with Carlos attacking
Arlen for caring about privacy. Then I chimed in to detail
how 2FA with cellphones for email is specifically a Google
tracking method and has no relevance in terms of security
for email.
I'm thinking that maybe we're just all getting
too old for this. The bicker factor is becoming most of the
discussions. Frank used to be good natured. Carlos used to
be the most gracious among us. Now both just argue all day,
seemingly without thinking about what they're saying.
Actually, this subthread started with Carlos attacking
Arlen for caring about privacy.
Newyana2 <Newyana2@invalid.nospam> wrote:
"R.Wieser" <address@is.invalid> wrote
| > There is no privacy leaked.
|
| I think you're the only one here bothered by that. Somehow I think that
| most, if not all others are more concerned by the possibility of seeing
| their bank accounts being drained.
Actually, this subthread started with Carlos attacking
Arlen for caring about privacy. Then I chimed in to detail
how 2FA with cellphones for email is specifically a Google
tracking method and has no relevance in terms of security
for email.
Which - needing 2FA (actually 2SV) for Gmail or/and needing a cellphone for (Google) 2SV - are falsehoods, which you keep repeating and when
they're debunked for the umpteenth time, you silently ignore that.
Keeping silent in the face of evidence, doesn't make that evidence go
away.
[...]
I'm thinking that maybe we're just all getting
too old for this. The bicker factor is becoming most of the
discussions. Frank used to be good natured. Carlos used to
be the most gracious among us. Now both just argue all day,
I "argue all day", because you keep spreading known falsehoods and you present them in such a way that it amounts to FUD.
There are enough *real* privacy or/and security risks, that the world
can do well without you spreading FUD and urban legends.
seemingly without thinking about what they're saying.
<firmly sitting on hands>
FYI, I'm *still* "good natured" (as is evidenced in plenty of other posts). I'm just not "good natured" with people who use dishonest or
even malicious tactics. Your choice whether you're in that set of people
or not.
If you want to keep people "good natured", you should refrain from implying that people here are ignorant/clueless/stupid/<whatever> for not realizing privacy/security risks. Many of us *do* realize the risks,
because we actually use and research/investigate the stuff, instead of
just talking - mostly FUD and urban legends - about it.
[Rewind/repeat:]
Actually, this subthread started with Carlos attacking
Arlen for caring about privacy.
Carlos didn't "attack" Arlen. He doesn't take Arlen seriously (who
does?), especially not on issues of alleged 'privacy' risks. The
example, paying NIN subscription, was yet another of such imaginary
privacy risks.
Yes, Arlen of course has a right to privacy, but how he goes (on)
about it, is totally unrealistic, to put it mildly.
Have a lovely day! :-)
[...]
Frank,
You have a habit of *implying* these alleged wrongdoings, but
never actually *point out* (i.e. quote) where these are supposed
to have taken place.
Lol.
Re-read my post five post above yours (11-11 21:52) where I did so. I
didn't 'imply' anything, I *told* you that you dropped the important part of what I said.
No Frank, you can deny and ignore it all you want, but it's still there for everyone to read.
And by the way : nice going by demanding from me that point out where I 'implied' that you did wrong, but then "forget" to support *your* accusation with a quote that shows that I did such implying.
Hypocritical ? Yeah, absolutely. Rather transparent ? That too. :-)
So, you can still backup your above veiled allegation(s)
with specifics, instead of vague insinuations, but I doubt
you will.
You only need to leaf back a few posts. 'but I doubt you will.'
As for a smartphone for authentication ? I always found that odd. You have exactly *zero* control over what is going on on it, and if you make sure you can (rooting it) you are flagged as "insecure".</FS>
As to "You've just chosen to ignore it", what's *your* excuse
for (snipping and) not answering my specific questions? (Clue-by-four: "BTW, ...")
Where you asked which model phone I had ? How was that of any importance to this thread ?
Besides that you lost my trust by your "interesting" quoting
there.
:-) You must have totally missed where I did spell exactly that out to
you two posts back.
If you mean the "the chickens and the fox" thing:
Lol, no. You *really* have a problem of understanding what you're reading, don't you ?
But granted, that "the chickens and the fox" comparison didn't quite come out as clear as I would have liked. I realized that a bit later. :-\
Yes, it's probably best to try to avoid each other.
Agreed.
And to make sure I'm not too easily tempted to do otherwise I'm going to put you into my "ignore" list.
Goodbye.
First, my comment was regarding privacy, not security. You are moving the goalposts.
Then it is not a phone call, it is an encrypted message sent to the bank application, so seeing the message requires one or two passwords.
....You did ? Where ?
Date: Thu, 9 Nov 2023 20:20:58 +0100
So imagine I use the app in the phone to connect to the bank. The bank
sends a code by SMS to the *same* phone, the app reads automatically the message and logins.
Now suppose my phone is stolen...
That got gradually converted to an argument about
Carlos and his 2FA when he banks online.
I'm thinking that maybe we're just all getting
too old for this.
Now both just argue all day, seemingly without thinking about
what they're saying.
I never blocked anyone on Usenet for maybe
20 years. I now have several people blocked.
This morning at Slashdot I came across an interesting,
apropos article. It referred to a piece last year:
https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/
To my mind, the overall lesson here is that pure automation
just doesn't work, and it's getting worse.
I wanted to block the ability to have an online account.
My bank says they can't do that.
... That isn't new, but automation is making it worse.
The idea of a stolen identity should be absurd, but all it takes
now is a few changes in computerized recordkeeping.
Creditworthiness used to be a factor of personal reputation.
Now the personal part is removed!
Carlos,
In the EU, even knowing the bank account data of someone doesn't allow
anyone to extract money from it.
Yeah, you need to have proof that you are a company to be able to do that. And registering yourself as a company is quite hard here, you only have to pay a nominal fee and you're one (been there, done that).
... which is exactly what happened a number of years ago. People who noticed unknown companies dipping into their accounts, and had to act themselves to get that money back.
As for a smartphone for authentication ? I always found that odd. You have exactly *zero* control over what is going on on it, and if you make sure you can (rooting it) you are flagged as "insecure".
Besides that, it's a *non-secure* chain, in the sense that pretty-much any helpdesk employee can transfer your phone number to another physical phone (social engineering).
As for using a smartphone to order *and* do MFA ? That's like having your (four-digit?) bank code written on the card itself. IMHO that's just /asking/ for it...
Yes, I do think most people with smartphones are stupid.
Besides the
"smartphone zombie" problem (darwin award contestants) I mean. Most all of them have no clue what that mobile 'puter runs/is doing and/or playing the "that won't ever happen to me" gamble, but all praise it into high heavens. While installing all kinds of malware-free - because of "walled garden" - apps on it. Yeah, right.
When I was younger I was taught that running random executables on a 'puter was taking a risk of getting malware.
Nowadays you're regarded a weirdo if
you do *not* allow random executables (ranging from apps thru active-content documents thru JS on browsers) on it. Go figure.
As an old saying goes, "Just because you're paranoid doesn't mean they
aren't after you."
Although full-blown paranoids see danger /everywhere/, I have been called paranoid for pointing the above out.
Regards,
Rudy Wieser
"R.Wieser" <address@is.invalid> wrote
As an old saying goes, "Just because you're paranoid doesn't mean they
aren't after you."
Although full-blown paranoids see danger /everywhere/, I have been called
paranoid for pointing the above out.
To your point, Rudy Weiser, Carlos didn't define "where" the paranoia lies. And, more importantly when talking about faraday hats, is the threat mode.
What's the threat?
a. Is your biggest threat your own wife and children at home?
b. Or is your biggest threat some ransom hacker on the Internet?
My argument, sensible as it is, is that logically your friends aren't the
big threat - so why do people spend so much energy "securing" their phone?
R.Wieser wrote:
People who noticed unknown companies dipping into their accounts,
and had to act themselves to get that money back.
Not possible in the UK. Your bank details can only be used to pay into the account. There's no way to *pull* money without your knowledge.
Not possible in the UK. Your bank details can only be used to pay into
the account. There's no way to *pull* money without your knowledge.
To pay a company directly from your account is only possible with a
Standing Order or Direct Debit or a one-off transaction authorised
by you over the phone/in the app.
As for a smartphone for authentication ? I always found that odd. You
have
exactly *zero* control over what is going on on it, and if you make sure
you
can (rooting it) you are flagged as "insecure".
What "control" do you want by rooting?
Besides that, it's a *non-secure* chain, in the sense that pretty-much any
helpdesk employee can transfer your phone number to another physical phone
(social engineering).
That's illegal without your knowledge.
As for using a smartphone to order *and* do MFA ? That's like having your
(four-digit?) bank code written on the card itself. IMHO that's just /asking/
for it...
I mean, the CVV is literally printed on cards for security so not sure
what
point you're trying to make.
Yes, I do think most people with smartphones are stupid.
That's nothing to do with smartphones. Most people don't care about tech
and just do what's simplest.
When I was younger I was taught that running random executables on
a 'puter was taking a risk of getting malware.
That's because it was.
Nowadays you're regarded a weirdo if you do *not* allow random
executables (ranging from apps thru active-content documents thru
JS on browsers) on it. Go figure.
App Stores are not sources of random executables.
R.Wieser <address@is.invalid> wrote:
Carlos,
In the EU, even knowing the bank account data of someone doesn't allow
anyone to extract money from it.
Yeah, you need to have proof that you are a company to be able to do that. And registering yourself as a company is quite hard here, you only have to pay a nominal fee and you're one (been there, done that).
... which is exactly what happened a number of years ago. People who noticed unknown companies dipping into their accounts, and had to act themselves to get that money back.
Not possible in the UK. Your bank details can only be used to pay into the account. There's no way to *pull* money without your knowledge. To pay a company directly from your account is only possible with a Standing Order
or Direct Debit or a one-off transaction authorised by you over the
phone/in the app.
R.Wieser <address@is.invalid> wrote:[...]
As for a smartphone for authentication ? I always found that odd.
You have exactly *zero* control over what is going on on it, and if
you make sure you can (rooting it) you are flagged as "insecure".
What "control" do you want by rooting?
Besides that, it's a *non-secure* chain, in the sense that pretty-much any helpdesk employee can transfer your phone number to another physical phone (social engineering).
That's illegal without your knowledge.
As for using a smartphone to order *and* do MFA ? That's like
having your (four-digit?) bank code written on the card itself. IMHO
that's just /asking/ for it...
I mean, the CVV is literally printed on cards for security so not sure what point you're trying to make.
Yes, I do think most people with smartphones are stupid.
That's nothing to do with smartphones. Most people don't care about tech
and just do what's simplest.
"Carlos E. R." <robin_listas@es.invalid> wrote
| I don't recall Google T&C saying they track bank apps, so I doubt they
| do it. Even with SMS there are limits to what they do.
|
I don't mean that Google records your banking
transactions, though nothing would surprise me.
What I meant was that the very idea
of a cellphone for authentication is a way for Google's
gmail, or other services, to connect your cellphone
to a confirmed personal ID and location tracker.
You seem to be entirely in the dark about even
standard tracking. This is what I was talking about
with the links, such as the Kochava story. Kochava is
just one dataminer, buying spy data from "free"
cellphone app makers and other sources to create a full
record of you: your religion, politics, shopping, and your
exact location in real time, all the time. Google does
similar. They also share data with credit card companies.
https://www.washingtonpost.com/news/the-switch/wp/2017/05/23/google-now-knows-when-you-are-at-a-cash-register-and-how-much-you-are-spending/
All of these snoops are selling data and exploiting data.
Forcing you to have and use a cellphone connected to
your email is essentially making you tie on a tracking collar.
But Google are very clever. All of their products and
spying are so convenient and seamless and functional
that once you're in the Google zoo it's far too much
hassle to consider leaving.
This is a uniquely US issue. In Europe where we have proper data privacy
laws this is abhorrent to us.
This is why Carlos is "in the dark". Your scenario is strictly illegal in sensible countries.
Simple solution: don't use google.
Or if you do turn off ALL the tracking, it's not that hard and works well.
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Earlier, I mentioned that most 2SV/2FA does not use a phone number. It
may use the phone *itself*, but not the phone *number*. Rudy snipped and ignored those comments, which is rather telling.
As usual, the context is vague, but it is mostly about banking, the EU
and The Netherlands ("here"). I wouldn't know any reputable bank in NL
which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
probably the same in most of the rest of the EU (and the UK).
Frank Slootweg wrote:
I wouldn't know any reputable bank in NL
which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
probably the same in most of the rest of the EU (and the UK).
Banco de Santander.
Carlos E. R. wrote:
Frank Slootweg wrote:
I wouldn't know any reputable bank in NL
which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
probably the same in most of the rest of the EU (and the UK).
Banco de Santander.
Santander UK also sends one-time codes to SMS number.
Barclays sends a confirmation question directly to their app, even when
one of their staff is dealing with you in-branch.
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:[...]
As for a smartphone for authentication ? I always found that odd.
You have exactly *zero* control over what is going on on it, and if
you make sure you can (rooting it) you are flagged as "insecure".
What "control" do you want by rooting?
Besides that, it's a *non-secure* chain, in the sense that pretty-much any
helpdesk employee can transfer your phone number to another physical phone
(social engineering).
That's illegal without your knowledge.
This time Rudy more or less dismissed your argument.
Earlier, I mentioned that most 2SV/2FA does not use a phone number. It
may use the phone *itself*, but not the phone *number*. Rudy snipped and ignored those comments, which is rather telling.
As usual, the context is vague, but it is mostly about banking, the EU
and The Netherlands ("here"). I wouldn't know any reputable bank in NL
which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
probably the same in most of the rest of the EU (and the UK).
Carlos,
The service that wants me to identify already knows that I'm going to
identify through the phone *and it is me*.
How ? By them calling your number and asking if the person answering is
you ? Yeah, that'll certainly work ... Number hijacking isn't a thing. Nosirree.
Also most, if not all 2FA is computerised. Besides the user, no actual persons involved.
And so you have a smartphone which sends a request for transfer of funds,
and the same smartphone receiving a request to allow that transfer. If you get malware on your phone which can initiate (or manipulate!) the transfer, what do you think is the chance that the same malware can intercept and answer that 2FA request and handle it (either by replay, thru manipulating the 2FA app or just by social engineering the user itself) ?
Chris wrote:
R.Wieser wrote:
People who noticed unknown companies dipping into their accounts,
and had to act themselves to get that money back.
Not possible in the UK. Your bank details can only be used to pay into the
account. There's no way to *pull* money without your knowledge.
You might want to check that with Jeremy Clarkson
<http://news.bbc.co.uk/1/hi/7174760.stm>
Of course the person who set-up the direct debit didn't get their hands
on his money, but the charity did and JC would have been entitled to a refund, but as I understand he didn't ask for one as it wouldn't exactly
be a good look ...
R.Wieser <address@is.invalid> wrote:
Carlos,
The service that wants me to identify already knows that I'm going to
identify through the phone *and it is me*.
How ? By them calling your number and asking if the person answering is
you ? Yeah, that'll certainly work ... Number hijacking isn't a thing.
Nosirree.
Number jacking isn't enough to get through security verification with the bank. They ask you for specific information you set up with them and/or something only known by you.
If you're smart you create pretend answers to the "memorable questions".
"Carlos E. R." <robin_listas@es.invalid> wrote
| Because the context is using something on the phone as second
| factor to authorize banking operations.
|
I was talking about the privacy problem of 2FA through
a phone for anything.
Chris,
Not possible in the UK. Your bank details can only be used to pay into
the account. There's no way to *pull* money without your knowledge.
To pay a company directly from your account is only possible with a
Standing Order or Direct Debit or a one-off transaction authorised
by you over the phone/in the app.
That's quite the difference with how it works here. To create a "standing order" I have to give the *company* a permission slip, and they use that to prove (when asked!) that they are allowed to take money from me.
Worse, when you want to stop such a permission you have to *ask* the company to stop billing you - and the bank is pretty much refusing to be a party in it, even when stopping the permission is due to bad behaviour (the only thing you can do is to block that company).
And oh yeah, there is no way here to limit what a company using such a "standard order" is allowed to take per month. IOW, if they (by accident) bill you twice the second will go thru just like the first. Very funny when larger sums of money are involved. :-\
The only thing you could do is to tell the bank to send a fixed sum to that company, which (of course) doesn't work all that well when small fluctuations or yearly adjustments are involved.
As for a smartphone for authentication ? I always found that odd. You have exactly *zero* control over what is going on on it, and if you make sure you can (rooting it) you are flagged as "insecure".
What "control" do you want by rooting?
Take a wild guess. But I'll give you a hint : I already mentioned it in
this thread.
Besides that, it's a *non-secure* chain, in the sense that pretty much any helpdesk employee can transfer your phone number to another physical phone (social engineering).
That's illegal without your knowledge.
Yes, and crooks are known to be lawful citizens. /s
As for using a smartphone to order *and* do MFA ? That's like having your (four-digit?) bank code written on the card itself. IMHO that's just /asking/ for it...
I mean, the CVV is literally printed on cards for security so not sure what point you're trying to make.
Lol ? So anyone who finds a lost card can just pay with it ? Fantastic. :-(
No, the "bank code" here is something that isn't on the card and is regarded the user's "password", to be guarded with its life.
I had no idea what a CVV was, so I looked it up and got this :
https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
The most humorous part (in a very sad way) of it was this :
"When you provide this number for an online or phone purchase, the merchant will submit the CVV when it authorizes the transaction. It's an attempt to verify that you have the physical card in your possession and that you're
not just using stolen card information."
I cannot imagine how the merchant, on the other side of an online or phone connection, will be able to see that you have the bank card in your hands, and are in fact "not just using stolen card information".
As that website doesn't seem to have a clue to how the protection-by-CVV is supposed to work, can you explain ?
Yes, I do think most people with smartphones are stupid.
That's nothing to do with smartphones. Most people don't care about tech
and just do what's simplest.
That's pretty much what I said. They have *no* idea what their phone is capable of, but they trust their whole lives to it.
When I was younger I was taught that running random executables on
a 'puter was taking a risk of getting malware.
That's because it was.
Yep. But the thing you overlooked is that it still is.
Nowadays you're regarded a weirdo if you do *not* allow random
executables (ranging from apps thru active-content documents thru
JS on browsers) on it. Go figure.
App Stores are not sources of random executables.
As far as I'm concerned, they are.
As long as you pay for a "developer license" you can dump anything you want in it. And yes, "App stores" (walled gardens) have been known to have quite a bunch of malicious apps in them, particularly pretty much copies of popular ones.
And that's apart from the well-working non-malicious apps that get sold to some other "developer", who then make use of the automatic updating mechanism of an established app to replace it with their own malicious version of it.
Regards,
Rudy Wieser
R.Wieser <address@is.invalid> wrote:
Chris,
I had no idea what a CVV was, so I looked it up and got this :
https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
The most humorous part (in a very sad way) of it was this :
"When you provide this number for an online or phone purchase, the merchant will submit the CVV when it authorizes the transaction. It's an attempt to verify that you have the physical card in your possession and that you're not just using stolen card information."
I cannot imagine how the merchant, on the other side of an online or phone connection, will be able to see that you have the bank card in your hands, and are in fact "not just using stolen card information".
CVV codes are by definition not stored anywhere so cannot be stolen.
On 2023-11-14 22:54, Chris wrote:
R.Wieser <address@is.invalid> wrote:
Carlos,
The service that wants me to identify already knows that I'm going to
identify through the phone *and it is me*.
How ? By them calling your number and asking if the person answering is you ? Yeah, that'll certainly work ... Number hijacking isn't a thing. Nosirree.
Number jacking isn't enough to get through security verification with the
bank. They ask you for specific information you set up with them and/or
something only known by you.
If you're smart you create pretend answers to the "memorable questions".
The context of the conversation was loss of privacy, not security.
Chris wrote:
CVV codes are by definition not stored anywhere so cannot be stolen.
When I make a purchase with Amazon, for instance, they ask for *all* the
data on the card, including the CVV, and they do store it, so that from
that day on I can make purchases with only a click. They just resubmit
my card data to my bank and get paid, with my permission. But if they
are bad guys, they could get money from any client, they have millions
of cards stored including their cvv numbers.
Andy Burns wrote:
You might want to check that with Jeremy Clarkson
<http://news.bbc.co.uk/1/hi/7174760.stm>
That was 15 years ago.
Chris wrote:
Andy Burns wrote:
You might want to check that with Jeremy Clarkson
<http://news.bbc.co.uk/1/hi/7174760.stm>
That was 15 years ago.
So, what has changed about setting-up direct debits since then?
On 2023-11-15 01:44, Chris wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
[...]
I had no idea what a CVV was, so I looked it up and got this :
https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
The most humorous part (in a very sad way) of it was this :
"When you provide this number for an online or phone purchase, the merchant will submit the CVV when it authorizes the transaction. It's an attempt to verify that you have the physical card in your possession and that you're not just using stolen card information."
I cannot imagine how the merchant, on the other side of an online or phone connection, will be able to see that you have the bank card in your hands, and are in fact "not just using stolen card information".
CVV codes are by definition not stored anywhere so cannot be stolen.
Huh.
When I make a purchase with Amazon, for instance, they ask for *all* the
data on the card, including the CVV, and they do store it, so that from
that day on I can make purchases with only a click.
They just resubmit
my card data to my bank and get paid, with my permission. But if they
are bad guys, they could get money from any client, they have millions
of cards stored including their cvv numbers.
I can cancel any direct debit or standing order purely from my banking
app.
Mistakes happen, but it's easy to rectify.
That's what direct debits allow say for paying off the minimum payment required on a credit card. It varies a lot month by month. That's a useful feature.
Take a wild guess. But I'll give you a hint : I already mentioned it
in this thread.
But not prepared to mention again?
That's illegal without your knowledge.
Yes, and crooks are known to be lawful citizens. /s
Everything has to be foolproof to be useful, right?
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nowadays it's easy to block a lost card.
No, the "bank code" here is something that isn't on the card and is
regarded the user's "password", to be guarded with its life.
No idea what that is.
CVV codes are by definition not stored anywhere so cannot be stolen.
When I was younger I was taught that running random executables
on a 'puter was taking a risk of getting malware.
That's because it was.
Yep. But the thing you overlooked is that it still is.
No it isn't.
More or less than "random executables"?
And that's apart from the well-working non-malicious apps that get sold to
some other "developer", who then make use of the automatic updating
mechanism of an established app to replace it with their own malicious
version of it.
Sounds very theoretical and unrealistic.
Any real examples?
Number jacking isn't enough to get through security verification with the bank.
They ask you for specific information you set up with them and/or
something only known by you.
If you're smart you create pretend answers to the "memorable questions".
I mean, all that is quite a reach even if it were feasible. Much, much
easier to phish someone to give you their information willingly and
directly.
Chris,
Take a wild guess. But I'll give you a hint : I already mentioned it
in this thread.
But not prepared to mention again?
Nope. Not before you tried to find it yourself first.
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-15 10:23, R.Wieser wrote:
Chris,
...
Take a wild guess. But I'll give you a hint : I already mentioned it in this thread.
But not prepared to mention again?
Nope. Not before you tried to find it yourself first.
My Thunderbird fails to find any string whatsoever in Usenet messages
bodies.
Nitpick! The thread is just 104 articles, so you just have to re-read
them all.
You'll need to do that, because in Rudy's world it's perfectly fine to snip any and all context, so when reading his articles, you might have
no idea what he's talking about. That's alright, because he's suffering
from the same problem.
Have fun. I think I'll schedule my next elective root canal procedure, because sitting on my hands here, is also quite a challenge.
On 2023-11-15 10:23, R.Wieser wrote:
Chris,
...
Take a wild guess. But I'll give you a hint : I already mentioned it
in this thread.
But not prepared to mention again?
Nope. Not before you tried to find it yourself first.
My Thunderbird fails to find any string whatsoever in Usenet messages
bodies.
Chris,
I can cancel any direct debit or standing order purely from my banking
app.
Good for you. But that's, as mentioned, not how it works here (or worked, it was some time ago).
Mistakes happen, but it's easy to rectify.
Ah yes, you only have to notice that you can't pay your groceries anymore, figure out why your account is empty, contact the bank to reverse the incorrect charge, and wait for the money to come back into your account - which, for some reason, could take a few days. And all the while you're scrambling to find the money needed to pay for your groceries and incurring "administrative costs" coming from the companies you have a direct-debit agreement with which failed to go thru in the mean time. "administrative costs" which you never get back of course, even if it wasn't your fault.
That's what direct debits allow say for paying off the minimum payment
required on a credit card. It varies a lot month by month. That's a useful feature.
Agreed, it's a useful feature. But as said, the banks here do not offer anything of the kind.
Take a wild guess. But I'll give you a hint : I already mentioned it
in this thread.
But not prepared to mention again?
Nope. Not before you tried to find it yourself first.
That's illegal without your knowledge.
Yes, and crooks are known to be lawful citizens. /s
Everything has to be foolproof to be useful, right?
Nope. But only a fool would try to make the case that because something works most of the time we should therefore ignore when it doesn't.
Are you
such a fool ?
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
And you could have known that, as I just
described that we have a (four digit) "password" here that we are not supposed to share with anyone. You even quoted it.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be absorbed by the bank, and which part of it will be yours. You might be surprised to find that any money that went gone before you called the bank is your problem. So, keep checking that you still have that card on you, otherwise you could be in for a sad surprise.
No, the "bank code" here is something that isn't on the card and is
regarded the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint ....
The bottom line is that here you can find someone's bank card, but without its password it's useless to you.
CVV codes are by definition not stored anywhere so cannot be stolen.
I seem to remember you saying that they were printed on the bank cards themselves. So, what is it ? Some 'Schrodinger's Cat' kind of thing perhaps ?
I also seem to remember that those numbers were provided, over the internet or in a phone conversation, to the merchant on the other side. That sounds to me it can /very easily/ be stolen.
And by the way, I have not seen you respond to when I, effectively, made fun of the uselessness of such a mechanism. How come ?
When I was younger I was taught that running random executables
on a 'puter was taking a risk of getting malware.
That's because it was.
Yep. But the thing you overlooked is that it still is.
No it isn't.
Just keep sticking your head in the sand, it's no skin off of my back. Good luck with that though.
Though is there any reason why you think that, in the below, you can ask me for examples of something have happened, but at the same time do not even /try/ explain the above, let alone substantiate it ?
More or less than "random executables"?
*All* apps in that context are "random executables" to me. It just so happens that, in what I described, a bunch of them are /purposely/ malicious too.
And yes, that means that of the non-purposely malicious ones there are still quite a number that, unintended by the developer, are also malicious (due to them using other people's libraries).
And that's apart from the well-working non-malicious apps that get sold to some other "developer", who then make use of the automatic updating
mechanism of an established app to replace it with their own malicious
version of it.
Sounds very theoretical and unrealistic.
:-) The updating mechanism for apps is quite well known, and even
complained about by users who see their app change "under their hands"..
Any real examples?
You mean something like https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485 ?
And I'm sure that a little bit of googling will return more stuff like it.
Consider yourself informed.
Nice story.
Get better banks.
Everything has to be foolproof to be useful, right?
Nope. But only a fool would try to make the case that because something
works most of the time we should therefore ignore when it doesn't.
No-one is ignoring anything.
Turning the world upside down because someone somewhere did a bad
thing once is hardly proportionate.
Living in fear is a choice you've made.
Pretty sure I'm communicating with one.
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
Of course it has. In the old days ppl would forge signatures from the back
of cards, or used them over the phone (just like you gave an example) and
now you can just tap to pay up to £100.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be absorbed by the bank, and which part of it will be yours. You might be surprised to find that any money that went gone before you called the bank is your problem. So, keep checking that you still have that card on you, otherwise you could be in for a sad surprise.
Unlikely.
No, the "bank code" here is something that isn't on the card and
is regarded the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint ....
The "bank code". Cards don't have passwords.
CVV codes are by definition not stored anywhere so cannot be stolen.
I seem to remember you saying that they were printed on the bank cards themselves. So, what is it ? Some 'Schrodinger's Cat' kind of thing perhaps ?
Go back and read the context.
And by the way, I have not seen you respond to when I, effectively, made fun of the uselessness of such a mechanism. How come ?
You're not as funny as you think you are?
And yes, that means that of the non-purposely malicious ones there are still quite a number that, unintended by the developer, are also malicious (due to them using other people's libraries).
"quite a number"? like 6? lol
Any real examples?
You mean something like
https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485 ?
That's just noise.
And I'm sure that a little bit of googling will return more stuff like
it.
Consider yourself informed.
I will when you actually share some information. Vague hand waving and
FUD is not information.
Nitpick! The thread is just 104 articles, so you just have to re-read
them all.
X'-D
As for a smartphone for authentication ? I always found that odd. You have exactly *zero* control over what is going on on it, and if you make sure you can (rooting it) you are flagged as "insecure".
What "control" do you want by rooting?
Take a wild guess. But I'll give you a hint : I already mentioned it in
this thread.
Carlos,
Nitpick! The thread is just 104 articles, so you just have to re-read them all.
X'-D
I see you smiling at him, but I do hope you notice he's feeding you a line.
He's mentioning the total number of messages in this thread, but somehow, wondrously, seems to forget that he would only need to look at /my/ posts. And that's, in total, 17 (18 with this one). - though just 12 at the moment
he posted his question ...
If you think that's too much work for you (both of you), then why do you
think you may expect me to do it ? Yes, I would need to do the same, to re-read what I said in context and answer it in that same context.
As for that question ?
As for a smartphone for authentication ? I always found that odd. You have exactly *zero* control over what is going on on it, and if you make sure you can (rooting it) you are flagged as "insecure".
What "control" do you want by rooting?
Take a wild guess. But I'll give you a hint : I already mentioned it in
this thread.
I'll spell it out for you (and Frank) :
The "Take a wild guess" showed my annoyance, as I've pretty much been repeating it thru this thread : you have /no/ idea what apps are doing on your smartphone. The hint was a bit of a joke - as the "*zero* control" is directly followed by the reason for wanting it : "over what's going on on it".
As in : being able to monitor if a program/app is obeying its permissions
and what he's doing online (if that permission was granted). And from
there being able to block any unwanted behaviour. Duh.
There is a difference:
- Thunderbird search on the Sent folder does work.
- I know what I wrote and thus what to search for.
Huh, no, if an app doesn't have some permission it simply can not do it,
no matter how hard it tries.
Carlos,
There is a difference:
- Thunderbird search on the Sent folder does work.
I gave you two ways to deal with that. Besides the 'check if your version has a bug' suggestion.
- I know what I wrote and thus what to search for.
Frank's quote contained the phrase you could have looked for.
Though I hope you do agree that there is quite a difference between "104 articles" and just 12 to work your way thru.
Huh, no, if an app doesn't have some permission it simply can not do it,
no matter how hard it tries.
1) Do you know which permissions you actually gave ? I seem to remember a change where a fine-grained permission granting was replaced by a much coarser one, putting "similar" permissions together ...
IOW, you might have given a permission you are not even aware of.
2) Tell that to all the malware which makes use of bugs in the OS.
... as a search (for for example "android zero day") will show you. Like this :
https://www.bleepingcomputer.com/news/security/september-android-updates-fix-zero-day-exploited-in-attacks/
Yes, that's September *this* year.
But let's stop this. You're making it quite clear that you do not know and
do not *want* to know about it.
Goodbye.
Regards,
Rudy Wieser
R.Wieser <address@is.invalid> wrote:[...]
Chris,
I can cancel any direct debit or standing order purely from my banking
app.
Good for you. But that's, as mentioned, not how it works here (or worked, it was some time ago).
That's what direct debits allow say for paying off the minimum payment
required on a credit card. It varies a lot month by month. That's a useful feature.
Agreed, it's a useful feature. But as said, the banks here do not offer anything of the kind.
Get better banks.
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
Of course it has. In the old days ppl would forge signatures from the back
of cards, or used them over the phone (just like you gave an example) and
now you can just tap to pay up to £100.
And you could have known that, as I just
described that we have a (four digit) "password" here that we are not supposed to share with anyone. You even quoted it.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be absorbed by the bank, and which part of it will be yours. You might be surprised to find that any money that went gone before you called the bank is your problem. So, keep checking that you still have that card on you, otherwise you could be in for a sad surprise.
Unlikely.
No, the "bank code" here is something that isn't on the card and is
regarded the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint ....
The "bank code". Cards don't have passwords.
The bottom line is that here you can find someone's bank card, but without its password it's useless to you.
Chris,
Nice story.
Not so nice, but I recognise refusal when I see it.
Get better banks.
Funny thing that, they all gave the same answer - "we don't offer that"
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:[...]
Chris,
I can cancel any direct debit or standing order purely from my banking app.
Good for you. But that's, as mentioned, not how it works here (or worked, it was some time ago).
That's what direct debits allow say for paying off the minimum payment required on a credit card. It varies a lot month by month. That's a useful feature.
Agreed, it's a useful feature. But as said, the banks here do not offer anything of the kind.
Get better banks.
Because of his constantly silently snipping context, it's hard to be
sure what he's referring to, but assuming the most logical, cancel any
direct debit or standing order from one's bank app or website, then one
*can* do so "here" (in The Netherlands).
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
Of course it has. In the old days ppl would forge signatures from the back of cards, or used them over the phone (just like you gave an example) and now you can just tap to pay up to £100.
And you could have known that, as I just described that we have a (four digit) "password" here that we are not supposed to share with anyone. You even quoted it.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be absorbed by the bank, and which part of it will be yours. You might be surprised to find that any money that went gone before you called the bank is your problem. So, keep checking that you still have that card on you, otherwise you could be in for a sad surprise.
Unlikely.
No, the "bank code" here is something that isn't on the card and is regarded the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint ....
The "bank code". Cards don't have passwords.
The bottom line is that here you can find someone's bank card, but without its password it's useless to you.
You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do
have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less -
confusion.
Without the PIN code, the debit card is useless, so therefore he
implied - with another ill-conceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless
it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
Of course it has. In the old days ppl would forge signatures from the back of cards, or used them over the phone (just like you gave an example) and now you can just tap to pay up to £100.
And you could have known that, as I just
described that we have a (four digit) "password" here that we are not
supposed to share with anyone. You even quoted it.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be absorbed by the bank, and which part of it will be yours. You might be surprised to find that any money that went gone before you called the bank is your problem. So, keep checking that you still have that card on you, otherwise you could be in for a sad surprise.
Unlikely.
No, the "bank code" here is something that isn't on the card and is regarded the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint ....
The "bank code". Cards don't have passwords.
The bottom line is that here you can find someone's bank card, but without its password it's useless to you.
You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less - confusion.
Without the PIN code, the debit card is useless, so therefore he
implied - with another ill-conceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)
Credit/debit card doesn't matter. To the merchant they work the same so are prone to the same risks.
They both have CVVs which are never stored and have contactless
capabilities that can be used to pay for things without the owner's
knowledge if stolen.
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
[...]
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
Of course it has. In the old days ppl would forge signatures from the back of cards, or used them over the phone (just like you gave an example) and now you can just tap to pay up to £100.
And you could have known that, as I just
described that we have a (four digit) "password" here that we are not supposed to share with anyone. You even quoted it.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be absorbed by the bank, and which part of it will be yours. You might be surprised to find that any money that went gone before you called the bank is your problem. So, keep checking that you still have that card on you, otherwise you could be in for a sad surprise.
Unlikely.
No, the "bank code" here is something that isn't on the card and is regarded the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint ....
The "bank code". Cards don't have passwords.
The bottom line is that here you can find someone's bank card, but without its password it's useless to you.
You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do
have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because
everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less -
confusion.
Without the PIN code, the debit card is useless, so therefore he
implied - with another ill-conceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless
it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)
Credit/debit card doesn't matter. To the merchant they work the same so are prone to the same risks.
They both have CVVs which are never stored and have contactless
capabilities that can be used to pay for things without the owner's
knowledge if stolen.
Perhaps I'm not using the correct term, but our debit cards - cards directly associated with one's bank account - do not have a CVC and are much, much less risky - basically riskless - compared to a credit card.
If you find/steal a credit card, you can do quite a lot with it (until
it's blocked).
Probably it's clear what I mean, by describing the logo on the card.
Our debit cards carry a Maestro ('meastro') logo, not a Mastercard or
Visa logo.
This Wikipedia seems to indicate that you don't have such cards in the
UK. If so, that may explain the confusion.
'Maestro (debit card)'
<https://en.wikipedia.org/wiki/Maestro_(debit_card)>
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
[...]
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
Of course it has. In the old days ppl would forge signatures from
the back of cards, or used them over the phone (just like you
gave an example) and now you can just tap to pay up to £100.
And you could have known that, as I just
described that we have a (four digit) "password" here that we are not
supposed to share with anyone. You even quoted it.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be
absorbed by the bank, and which part of it will be yours. You
might be surprised to find that any money that went gone before
you called the bank is your problem. So, keep checking that
you still have that card on you, otherwise you could be in for a
sad surprise.
Unlikely.
No, the "bank code" here is something that isn't on the card and is
regarded as the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint
....
The "bank code". Cards don't have passwords.
The bottom line is that here you can find someone's bank card,
but without its password it's useless to you.
You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do
have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because
everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less -
confusion.
Without the PIN code, the debit card is useless, so therefore he
implied - with another ill-conceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless
it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)
Credit/debit card doesn't matter. To the merchant they work the same so are
prone to the same risks.
They both have CVVs which are never stored and have contactless
capabilities that can be used to pay for things without the owner's
knowledge if stolen.
Perhaps I'm not using the correct term, but our debit cards - cards directly associated with one's bank account
That's the same here.
- do not have a CVC
If there's no CVV how do you use your debit cards for online/phone transactions?
and are
much, much less risky - basically riskless - compared to a credit card.
Credit cards are less risky because no money leaves your bank account. If there's a fraudulent transaction it's easy to cancel.
If you find/steal a credit card, you can do quite a lot with it (until
it's blocked).
No more than a debit card, but it's far easier to get transactions
reversed.
Probably it's clear what I mean, by describing the logo on the card.
Our debit cards carry a Maestro ('meastro') logo,
We used to have those too. They were phased out here a few years ago.
Maestro is owned by Mastercard.
not a Mastercard or
Visa logo.
Visa/Mastercard both do debit cards also.
This Wikipedia seems to indicate that you don't have such cards in the UK. If so, that may explain the confusion.
'Maestro (debit card)'
<https://en.wikipedia.org/wiki/Maestro_(debit_card)>
The article says Maestro was phased out this summer. If you still have Maestro they will be replaced soon.
Frank Slootweg <this@ddress.is.invalid> wrote:[...]
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
[...]
You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do
have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because
everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less -
confusion.
Without the PIN code, the debit card is useless, so therefore he
implied - with another ill-conceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless
it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)
Credit/debit card doesn't matter. To the merchant they work the
same so are prone to the same risks.
They both have CVVs which are never stored and have contactless
capabilities that can be used to pay for things without the owner's
knowledge if stolen.
Perhaps I'm not using the correct term, but our debit cards - cards
directly associated with one's bank account
That's the same here.
- do not have a CVC
If there's no CVV how do you use your debit cards for online/phone
transactions?
You can 'only' use them for online transactions with websites which accept the payment system, which is all companies which do business
here. The (online) payment system is called 'iDEAL':
'iDEAL'
<https://en.wikipedia.org/wiki/IDEAL>
Apparently the system is quite unique and planned to be a European standard.
Nice. The person to person functionality is the one thing that's currently missing. I wonder if it'll come to the UK?
From 'References' 2. of the Wikipedia article:
'Dutch payment processor iDeal to become European standard'
(25 April 2023) <https://nltimes.nl/2023/04/25/dutch-payment-processor-ideal-become-european-standard>
BTW, the debit card is the same card as used to pay in shops, restaurants, etc., etc., get money from an ATM, etc..
Yep. Same.
and are
much, much less risky - basically riskless - compared to a credit card.
Credit cards are less risky because no money leaves your bank account. If
there's a fraudulent transaction it's easy to cancel.
Yes, but you have to 'prove' that the transaction is fraudulent.
Not really. You ring them up challenge the transaction and they remove it. It's only happened once to me, but it was that easy.
With
our debit card there can't be a transaction without the PIN.
Don't your credit cards have PINs?
But of course both credit cards and (our) debit cards have advantages
and disadvantages.
In our country, if (our) debit card can be used, it's often the
preferred option, lower fees (for the merchant (and hence for the customer)) and less risk.
Credit cards are much less used, except by 'posh' people or/and in
'posh' shops. Of course you can use a credit card in most - if not all - places, but you don't have to.
Credit/debit cards are functionally identical here. The advantage of credit cards is that you can get a small percentage as cashback and there's additional consumer protections when buying things over £100. Downside is
not everyone can get them.
[snip]
The article says Maestro was phased out this summer. If you still have
Maestro they will be replaced soon.
Interesting! Thanks! I haven't heard about this before. We'll see when they will be replaced (could be up to 4 years for my wife's).
Might be sooner if they're unsupported.
I wonder
if it'll carry a CVC on the card, because that would make our current security/safety go down the drain.
Why? CVV adds security.
The referenced Mastercard article says/implies that the new/
replacement cards will only have "a lot more capabilities to make your shopping and travel experience seamless". We'll see.
'Blog from Valerie Nowak: Why this Maestro is retiring after 30 years' <https://www.mastercard.com/news/europe/en/perspectives/en/2021/blog-from-valerie-nowak-why-this-maestro-is-retiring-after-30-years/>
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
[...]
Lol ? So anyone who finds a lost card can just pay with it ?
Fantastic. :-(
That's always been true.
Nope. At least not here.
Of course it has. In the old days ppl would forge signatures from
the back of cards, or used them over the phone (just like you
gave an example) and now you can just tap to pay up to £100.
And you could have known that, as I just
described that we have a (four digit) "password" here that we are not
supposed to share with anyone. You even quoted it.
Nowadays it's easy to block a lost card.
Do read up on which part of the loss due to losing a card will be
absorbed by the bank, and which part of it will be yours. You
might be surprised to find that any money that went gone before
you called the bank is your problem. So, keep checking that
you still have that card on you, otherwise you could be in for a
sad surprise.
Unlikely.
No, the "bank code" here is something that isn't on the card and is
regarded as the user's "password", to be guarded with its life.
No idea what that is.
You have no idea what a password is or what it's used for ? How quaint
....
The "bank code". Cards don't have passwords.
The bottom line is that here you can find someone's bank card,
but without its password it's useless to you.
You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do
have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because
everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less -
confusion.
Without the PIN code, the debit card is useless, so therefore he
implied - with another ill-conceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless
it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)
Credit/debit card doesn't matter. To the merchant they work the same so are
prone to the same risks.
They both have CVVs which are never stored and have contactless
capabilities that can be used to pay for things without the owner's
knowledge if stolen.
Perhaps I'm not using the correct term, but our debit cards - cards
directly associated with one's bank account
That's the same here.
- do not have a CVC
If there's no CVV how do you use your debit cards for online/phone
transactions?
You can 'only' use them for online transactions with websites which
accept the payment system, which is all companies which do business
here. The (online) payment system is called 'iDEAL':
'iDEAL'
<https://en.wikipedia.org/wiki/IDEAL>
Apparently the system is quite unique and planned to be a European standard.
From 'References' 2. of the Wikipedia article:
'Dutch payment processor iDeal to become European standard'
(25 April 2023) <https://nltimes.nl/2023/04/25/dutch-payment-processor-ideal-become-european-standard>
BTW, the debit card is the same card as used to pay in shops,
restaurants, etc., etc., get money from an ATM, etc..
and are
much, much less risky - basically riskless - compared to a credit card.
Credit cards are less risky because no money leaves your bank account. If
there's a fraudulent transaction it's easy to cancel.
Yes, but you have to 'prove' that the transaction is fraudulent.
With
our debit card there can't be a transaction without the PIN.
But of course both credit cards and (our) debit cards have advantages
and disadvantages.
In our country, if (our) debit card can be used, it's often the
preferred option, lower fees (for the merchant (and hence for the
customer)) and less risk.
Credit cards are much less used, except by 'posh' people or/and in
'posh' shops. Of course you can use a credit card in most - if not all - places, but you don't have to.
The article says Maestro was phased out this summer. If you still have
Maestro they will be replaced soon.
Interesting! Thanks! I haven't heard about this before. We'll see when
they will be replaced (could be up to 4 years for my wife's).
I wonder
if it'll carry a CVC on the card, because that would make our current security/safety go down the drain.
The referenced Mastercard article says/implies that the new/
replacement cards will only have "a lot more capabilities to make your shopping and travel experience seamless". We'll see.
'Blog from Valerie Nowak: Why this Maestro is retiring after 30 years' <https://www.mastercard.com/news/europe/en/perspectives/en/2021/blog-from-valerie-nowak-why-this-maestro-is-retiring-after-30-years/>
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:[...]
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
[...]
You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do
have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because
everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less -
confusion.
Without the PIN code, the debit card is useless, so therefore he
implied - with another ill-conceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless
it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)
Credit/debit card doesn't matter. To the merchant they work the
same so are prone to the same risks.
They both have CVVs which are never stored and have contactless
capabilities that can be used to pay for things without the owner's
knowledge if stolen.
Perhaps I'm not using the correct term, but our debit cards - cards
directly associated with one's bank account
That's the same here.
- do not have a CVC
If there's no CVV how do you use your debit cards for online/phone
transactions?
You can 'only' use them for online transactions with websites which
accept the payment system, which is all companies which do business
here. The (online) payment system is called 'iDEAL':
'iDEAL'
<https://en.wikipedia.org/wiki/IDEAL>
Apparently the system is quite unique and planned to be a European
standard.
Nice. The person to person functionality is the one thing that's currently
missing. I wonder if it'll come to the UK?
From 'References' 2. of the Wikipedia article:
'Dutch payment processor iDeal to become European standard'
(25 April 2023)
<https://nltimes.nl/2023/04/25/dutch-payment-processor-ideal-become-european-standard>
BTW, the debit card is the same card as used to pay in shops,
restaurants, etc., etc., get money from an ATM, etc..
Yep. Same.
and are
much, much less risky - basically riskless - compared to a credit card.
Credit cards are less risky because no money leaves your bank account. If
there's a fraudulent transaction it's easy to cancel.
Yes, but you have to 'prove' that the transaction is fraudulent.
Not really. You ring them up challenge the transaction and they remove it.
It's only happened once to me, but it was that easy.
With
our debit card there can't be a transaction without the PIN.
Don't your credit cards have PINs?
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
With our debit card, the PIN code is always required (except for the mentioned contactless payments up to a total of 50 Euro).
So a stolen/found credit card can be abused. Our debit card can not be abused if stolen/found.
But of course both credit cards and (our) debit cards have advantages
and disadvantages.
In our country, if (our) debit card can be used, it's often the
preferred option, lower fees (for the merchant (and hence for the
customer)) and less risk.
Credit cards are much less used, except by 'posh' people or/and in
'posh' shops. Of course you can use a credit card in most - if not all -
places, but you don't have to.
Credit/debit cards are functionally identical here. The advantage of credit
cards is that you can get a small percentage as cashback and there's
additional consumer protections when buying things over £100. Downside is
not everyone can get them.
[snip]
The article says Maestro was phased out this summer. If you still have
Maestro they will be replaced soon.
Interesting! Thanks! I haven't heard about this before. We'll see when
they will be replaced (could be up to 4 years for my wife's).
Might be sooner if they're unsupported.
I did a search on the site of one of our banks. No information (to be found)! Strange, but we'll see. We always have our credit cards as a
backup! :-)
I wonder
if it'll carry a CVC on the card, because that would make our current
security/safety go down the drain.
Why? CVV adds security.
No, as I described, a credit card can be abused if lost/found. If
there's a CVC printed *on* the card, which is the case for our credit
cards, it's *less* safe, because then it can also be abused in cases
where the CVC code is required.
For a debit card it would be even worse, because - as you say - for a credit card a fraudulent transaction can relatively easily be reversed,
but not for 'your type' of debit card.
Let me turn the situation around: Does your type of debit cards have a
CVC printed *on* the card?
If so, what's preventing someone who
stole/found the card to pay with that card?
And if (s)he can pay with
the card, how can you reverse the transaction?
for larger transactions: I could book our multi-thousand
Euro plane tickets with Singapore Airlines with just the information on
the credit card (card number, full/correct name, expiry month/year and CVC). No
PIN code or any other form of 2SV/2FA.
Frank Slootweg <this@ddress.is.invalid> wrote:[...]
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:[...]
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
R.Wieser <address@is.invalid> wrote:
Chris,
[...]
Credit cards are less risky because no money leaves your bank
account. If there's a fraudulent transaction it's easy to
cancel.
Yes, but you have to 'prove' that the transaction is fraudulent.
Not really. You ring them up challenge the transaction and they remove it.
It's only happened once to me, but it was that easy.
With
our debit card there can't be a transaction without the PIN.
Don't your credit cards have PINs?
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
With our debit card, the PIN code is always required (except for the mentioned contactless payments up to a total of 50 Euro).
So a stolen/found credit card can be abused. Our debit card can not be abused if stolen/found.
Several 50€ transactions can be annoying, although I get your point that a
NL debit card can only be used in-person which limits the scope for fraud.
I wonder
if it'll carry a CVC on the card, because that would make our current
security/safety go down the drain.
Why? CVV adds security.
No, as I described, a credit card can be abused if lost/found. If
there's a CVC printed *on* the card, which is the case for our credit cards, it's *less* safe, because then it can also be abused in cases
where the CVC code is required.
For a debit card it would be even worse, because - as you say - for a credit card a fraudulent transaction can relatively easily be reversed,
but not for 'your type' of debit card.
Let me turn the situation around: Does your type of debit cards have a CVC printed *on* the card?
Yes.
If so, what's preventing someone who
stole/found the card to pay with that card?
Online; same controls as for a credit card transaction.
Offline; no different to normal.
And if (s)he can pay with
the card, how can you reverse the transaction?
Ring the bank. They will refund you. They may need to investigate if it's a large amount or if happens frequently.
Frank Slootweg wrote:
for larger transactions: I could book our multi-thousand
Euro plane tickets with Singapore Airlines with just the information on
the credit card (card number, full/correct name, expiry month/year and
CVC). No
PIN code or any other form of 2SV/2FA.
Don't you get a "VerifiedByVisa" interstitial page between checkout page
and confirmation screen?
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but
I don't have data to dispute your argument.
As for 2FA for larger transactions: I could book our multi-thousand
Euro plane tickets with Singapore Airlines with just the information on
the credit card (card number, full/correct name, expiry month/year and CVC). No
PIN code or any other form of 2SV/2FA. But indeed, they have my
residential address on file.
And if (s)he can pay with
the card, how can you reverse the transaction?
Ring the bank. They will refund you. They may need to investigate if it's a
large amount or if happens frequently.
Thanks.
I think we've covered everything including all loose ends.
Thanks for the pleasant and informative exchange.
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but
I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
Frank Slootweg wrote:
for larger transactions: I could book our multi-thousand Euro plane
tickets with Singapore Airlines with just the information on the
credit card (card number, full/correct name, expiry month/year and
CVC). No PIN code or any other form of 2SV/2FA.
Don't you get a "VerifiedByVisa" interstitial page between checkout page
and confirmation screen?
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but
I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a
cinema. A request for the address could be contested under data
protection laws.
In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN
code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions
2FA.
Hmm!? Not sure about the requirement for the cardholder's
address, but
I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a
cinema. A request for the address could be contested under data
protection laws.
It's normal - possibly universal - to ask for the billing address (ie
the address of the cardholder) here in the UK, which is a welcome
safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter
the wrong address then the attempt to use the card will be rejected by
the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from
the billing address.
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but
I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a
cinema. A request for the address could be contested under data
protection laws.
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but
I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a
cinema. A request for the address could be contested under data
protection laws.
How? Asking for additional personal information is common for verification purposes.
In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but
I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
It's normal - possibly universal - to ask for the billing address (ie the address of the cardholder) here in the UK, which is a welcome safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter the wrong address then the attempt to use the card will be rejected by the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from the
John Hall wrote:
It's normal - possibly universal - to ask for the billing address (ie the address of the cardholder) here in the UK, which is a welcome safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter the wrong address then the attempt to use the card will be rejected by the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from the
We're asked for a billing address and a shipping address here.
And of course, if the two don't match exactly, "it ain't going".
They don't accept orders where the two addresses are different.
In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has
stolen/found the card - can use the credit card for many purposes,
including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also
require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but
I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a >cinema. A request for the address could be contested under data
protection laws.
It's normal - possibly universal - to ask for the billing address (ie
the address of the cardholder) here in the UK, which is a welcome
safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter
the wrong address then the attempt to use the card will be rejected by
the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from
the billing address.
some vendors might be more strict than e.g. amazon, but I've had "high
value" orders via amazon which said you need to provide this code or
the driver won't leave the item, I'd memorised the code, got the
delivery and had to say to the driver "don't you need this code?" as he disappeared back to his truck ...
Andy Burns writes
I've had "high value" orders via amazon which said you need to
provide this code or the driver won't leave the item, I'd memorised
the code, got the delivery and had to say to the driver "don't you
need this code?" as he disappeared back to his truck ...
In my experience, those delivery firms
that allow the customer to specify on their website instructions
regarding their delivery are wasting their time, as the delivery
drivers never seem to take the slightest notice. They usually just
dump the item on the front doorstep, knock on the door and then
rapidly depart. Given the number of deliveries they are supposed to
make during the day, I suspect that if they did anything else they
wouldn't finish their round till about 10 PM.
On 2023-11-22 19:32, Chris wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In
many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a
cinema. A request for the address could be contested under data
protection laws.
How? Asking for additional personal information is common for verification purposes.
If justified.
And they have to prove that they keep that information secure.
Merchants are fined here for asking for too much information, that's a fact.
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 19:32, Chris wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a
cinema. A request for the address could be contested under data
protection laws.
How? Asking for additional personal information is common for verification purposes.
If justified.
Verifying your identity is justifying.
And they have to prove that they keep that information secure.
Well yeah. That's basic GDPR.
Merchants are fined here for asking for too much information, that's a fact.
How much is too much, for example?
On 11/22/2023 11:37 AM, John Hall wrote:
In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
It's normal - possibly universal - to ask for the billing address (ie the address of the cardholder) here in the UK, which is a welcome safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter the wrong address then the attempt to use the card will be rejected by the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from the
We're asked for a billing address and a shipping address here.
And of course, if the two don't match exactly, "it ain't going".
They don't accept orders where the two addresses are different.
Everyone appreciates a little humor.
I ordered something this afternoon, and they pulled a little
2FA ceremony on me. A robot phoned the number I gave them, and
had me "enter a code" into the computer screen. Well, my phone number
is VOIP and completely useless for proving anything about my
physical location. But if it makes them feel better, why not.
Actually, this subthread started with Carlos attacking
Arlen for caring about privacy.
On 2023-11-23 03:40, Paul wrote:
On 11/22/2023 11:37 AM, John Hall wrote:
In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
It's normal - possibly universal - to ask for the billing address (ie the address of the cardholder) here in the UK, which is a welcome safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter the wrong address then the attempt to use the card will be rejected by the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from the
We're asked for a billing address and a shipping address here.
And of course, if the two don't match exactly, "it ain't going".
They don't accept orders where the two addresses are different.
Right now, they don't match for me, yet Amazon delivers, no problem. I
had Amazon do deliveries for me on three different cities, not a problem.
I didn't try to use it during my stay in Canada, I should have, for
kicks. :-)
Newyana2 <Newyana2@invalid.nospam> wrote
Actually, this subthread started with Carlos attacking
Arlen for caring about privacy.
One of my degrees is in microbiology - where I happen to do minor kitchen things that most people might think absurd, e.g., whenever I have extra boiling water, I immerse the kitchen sponge or cutting boards in it, as
just one example of simple common daily kitchen hygiene activities.
Is that being paranoid?
Or is that simply understanding basic bacterial hygiene?
I also refrigerate cooked pasta and rice within an hour or two.
Instead of leaving it out for days, as many other people have done.
(Some of whom are now dead as a direct result, by the way.)
Why do I do those things when _they_ wouldn't even think of doing them.
a. One is rather minor (almost daily) kitchen hygiene, while
b. the other could be extremely deadly.
That's the range of kitchen hygiene - from minor to serious.
Would (or even could) anyone completely uneducated like Carlos is ever
have any understanding given his lack of background in bacteriology, virology, mycology, parasitology, immunology, physiology, organic
chemistry, biochemistry, inorganic chemistry, physics, etc.?
To ignorant people, even the simplest of cautions, is "paranoid".
As it is with privacy and security.
Yet... they lock their phone with pins and fingerprints and faces.
WTF?
What's the threat model?
Is everyone out to get them who lives in their home & neighborhood?
Do they live in the slums of New York (ala 'da Bronx) such that every
person in close proximity is their biggest threat to their data?
Or is it something else?
Something on the Internet instead of in your own kitchen?
People who are both well educated & intelligent enjoy the luxury of
deciding what threats are minor and which are quite serious.
Those, like Carlos, who lack both, can never make that judgment call.
And yet, they do.
As with many to the left of the first D-K quartile, folks like Carlos have extremely strong opinions based on absolutely no facts whatsoever.
On Fri, 24 Nov 2023 11:54:51 +0100, "Carlos E. R." <robin_listas@es.invalid> wrote:
On 2023-11-23 03:40, Paul wrote:
On 11/22/2023 11:37 AM, John Hall wrote:
In message <ks6666Fc3tjU1@mid.individual.net>, Carlos E. R. <robin_listas@es.invalid> writes
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
It's normal - possibly universal - to ask for the billing address (ie the address of the cardholder) here in the UK, which is a welcome safeguard, as it prevents someone who has stolen your card from using it online if they don't know your address. (I'm assuming that if you enter the wrong address then the attempt to use the card will be rejected by the verification process, though I can't say for sure as I've never done that.) You also have to specify the delivery address if different from the
We're asked for a billing address and a shipping address here.
And of course, if the two don't match exactly, "it ain't going".
They don't accept orders where the two addresses are different.
Right now, they don't match for me, yet Amazon delivers, no problem. I
had Amazon do deliveries for me on three different cities, not a problem.
I didn't try to use it during my stay in Canada, I should have, for
kicks. :-)
I don't think Paul was referring to Amazon. They couldn't care less whether the
Bill To and Ship To names and addresses match.
Come to think of it, I don't know of an online vendor that does care. There must
be one, somewhere.
On 2023-11-23 19:45, Chris wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 19:32, Chris wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
How? Asking for additional personal information is common for verification purposes.
If justified.
Verifying your identity is justifying.
And they have to prove that they keep that information secure.
Well yeah. That's basic GDPR.
Merchants are fined here for asking for too much information, that's a fact.
How much is too much, for example?
Making a photo of the ID card.
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-23 19:45, Chris wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 19:32, Chris wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-22 09:30, Chris wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
Chris <ithinkiam@gmail.com> wrote:
Yes, they do, but the point is that a bad actor - someone who has stolen/found the card - can use the credit card for many purposes, including online transactions, *without* having/knowing the PIN code. In many situations, the PIN code is not needed.
Not sure what you mean by many purposes? All online transactions also require the cardholder's address and for larger/random transactions 2FA.
Hmm!? Not sure about the requirement for the cardholder's address, but I don't have data to dispute your argument.
Admittedly from memory, that's been my experience.
I don't remember any merchant requiring my address when paying online.
Of course, some of them do, for deliveries. But others don't, like a cinema. A request for the address could be contested under data protection laws.
How? Asking for additional personal information is common for verification
purposes.
If justified.
Verifying your identity is justifying.
And they have to prove that they keep that information secure.
Well yeah. That's basic GDPR.
Merchants are fined here for asking for too much information, that's a fact.
How much is too much, for example?
Making a photo of the ID card.
Wow. Really?