Credit cards - how does it make sense?

Erel

B4X founder
Staff member
Licensed User
Longtime User
A few days ago, I've ordered food from a restaurant. As usual, I gave my card number with all details through the phone.
Several hours later I received a call from the credit card company, telling me that there was a strange transaction and asked me to verify it. It wasn't my order so I declined. The card was blocked and now I need to wait for the new card to arrive. I'm waiting for almost a week now. This also broke all kinds of automatic payments that I had.
The fraudulent order amount was relatively high. I have no doubt that if it was of a lower amount, the thief could have used my card for a long period.

The fact that you give the full details when you make a purchase doesn't make sense. It is like giving your email account password to anyone who asks it and trust him to keep it for himself.
Why don't we have a temporary and unique key that we can give to each vendor, maybe time limited??? Same as oauth which is implemented by millions of web sites.

It is a bit disturbing that the forum authentication is more powerful and sophisticated than the credit cards authentication.
 

josejad

Expert
Licensed User
Longtime User
I think my bank app is quite good with these kinds of things, and it always has double factor security for these operations.
If someone tries to make an operation with my data, I get a notification and I have to approve it with the app in order for the transaction to be finished.
Anyway... there are always methods to get tricked.

And here in Spain there's another good thing called Bizum (a startup unified a lot of banks with this method). If your bank supports Bizum, then you can send (or receive) money just with your phone number. For example, if the restaurant accepts Bizum, then they can ask for the money through Bizum, or you can send the payment with Bizum just knowing the phone number.
 

jahswant

Well-Known Member
Licensed User
Longtime User
Why don't we have a temporary and unique key that we can give to each vendor, maybe time limited??? Same as oauth which is implemented by millions of web sites.
Here in Cameroon my bank will always send a TOKEN valid for 15 mins to validate every single transaction. But I pay 5 USD per month for that service sent through SMS. But you can bypass that service and go for FULL CONTACT.
 

Cableguy

Expert
Licensed User
Longtime User
Here in France we have credit cards with dynamic cryptograms (those 3 numbers on the back).
There is even one bank that is developing fingerprint-authenticated credit cards.
 

Star-Dust

Expert
Licensed User
Longtime User
The credit card was created precisely to avoid this. Many takeaway restaurants here in Italy allow payment only online. Others have a mobile POS (payment device) and you can enter your code upon delivery by typing the code into the mobile POS.

But we often use JustEat, Glovo or other systems to order and pay remotely.

I find this restaurant's system strange that asks you for your credentials over the phone.

I compare it to those who use a sophisticated PC to print a squared sheet and then do the accounts in pen on that sheet.
Or as if you had a car and push it to go.

PS: However, in your place I would change restaurant or rather I would buy for cash
 

Sandman

Expert
Licensed User
Longtime User
As usual, I gave my card number with all details through the phone.
What you're describing is a very old solution that some parts of the world have left behind long ago. So long ago that if you even tried to give somebody your card number, they wouldn't accept it, or know what to do with it.

To me that sounds typical of how things work in the US, which doesn't surprise me considering how far behind the world they are in many areas. It's surprising that Israel uses this system, I always thought you guys were quite modern when it came to IT. (*) Perhaps this is one area lagging behind and is ripe for a revolution?

* If I hear about a new technology or bleeding edge solution, there's a good chance Israel is mentioned as its origin. I've been surprised more than once by how fertile the IT community seems there.

Why don't we have a temporary and unique key that we can give to each vendor, maybe time limited???
I've read about virtual credit cards for this exact purpose. Might be something out there that you can use. In any case I would never, ever use a single credit card for all things in your shoes. Keep one private for all your sensitive automatic payments, and another one - with barely any money on it - as the one you use when you order pizza.
 

josejad

Expert
Licensed User
Longtime User

NikB4x

Member
Licensed User
Longtime User
A few days ago, I've ordered food from a restaurant. As usual, I gave my card number with all details through the phone.
Several hours later I received a call from the credit card company, telling me that there was a strange transaction and asked me to verify it. It wasn't my order so I declined. The card was blocked and now I need to wait for the new card to arrive. I'm waiting for almost a week now. This also broke all kinds of automatic payments that I had.
The fraudulent order amount was relatively high. I have no doubt that if it was of a lower amount, the thief could have used my card for a long period.

The fact that you give the full details when you make a purchase doesn't make sense. It is like giving your email account password to anyone who asks it and trust him to keep it for himself.
Why don't we have a temporary and unique key that we can give to each vendor, maybe time limited??? Same as oauth which is implemented by millions of web sites.

It is a bit disturbing that the forum authentication is more powerful and sophisticated than the credit cards authentication.
Hi Erel, I don't know if it's the same in other countries, but here, in Italy, Mastercard has a (rechargeable) credit card that has single use numbers. It's called Epipoli and it's used just for what you are looking for.
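
The per-vendor, time-limited key asked about in the opening post, and the single-use numbers mentioned in the replies, sketched as an added example (not part of any post in this thread, and not how any card network or product named here actually works): an issuer signs a token bound to one merchant, an amount cap and an expiry, and redeems it once. The function names, merchant ids and the HMAC-based token format are assumptions for illustration; the merchant id passed to `authorize` is assumed to come from the acquirer, not from the caller's own claim.

```python
import hashlib
import hmac
import secrets

# Illustrative issuer-side state (assumption, not a real card-network API).
ISSUER_KEY = secrets.token_bytes(32)  # demo key; generated per run
_spent = set()                        # ids of tokens already redeemed


def _mac(fields):
    return hmac.new(ISSUER_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def issue_token(card_ref, merchant_id, max_cents, now, ttl=900):
    """Issue a token for one merchant; card_ref is an opaque id, never the card number."""
    if "|" in card_ref or "|" in merchant_id:
        raise ValueError("'|' is the field separator")
    fields = [secrets.token_hex(8), card_ref, merchant_id, str(max_cents), str(now + ttl)]
    return "|".join(fields + [_mac(fields)])


def authorize(token, merchant_id, amount_cents, now):
    """Issuer-side check when a merchant presents the token with a charge."""
    parts = token.split("|")
    if len(parts) != 6:
        return "malformed"
    *fields, tag = parts
    if not hmac.compare_digest(tag.encode(), _mac(fields).encode()):
        return "bad signature"          # any edited field invalidates the token
    token_id, _card, bound_merchant, max_cents, expires = fields
    if merchant_id != bound_merchant:
        return "wrong merchant"         # a leaked token is useless elsewhere
    if now > int(expires):
        return "expired"
    if amount_cents > int(max_cents):
        return "over limit"
    if token_id in _spent:
        return "already used"
    _spent.add(token_id)
    return "approved"


def demo():
    t0 = 1_700_000_000                  # constructed timestamp (seconds)
    tok = issue_token("card-ref-1", "restaurant-42", 5000, t0)
    return [authorize(tok, "other-shop", 4000, t0 + 60),
            authorize(tok, "restaurant-42", 90000, t0 + 60),
            authorize(tok, "restaurant-42", 4000, t0 + 60),
            authorize(tok, "restaurant-42", 4000, t0 + 120)]
```

Unlike a card number plus date plus CVV, nothing the merchant holds here can be replayed at another merchant, for a larger amount, after expiry, or a second time.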
 

JordiCP

Expert
Licensed User
Longtime User
Did you get the food? Maybe there was a 'man-in-the-middle'
Do you mean that the man in the middle ate the food?

A few days ago, I've ordered food from a restaurant. As usual, I gave my card number with all details through the phone.
If by 'through the phone' you mean a voice call, I suspect that the person on the other side has been at least investigated. If it was through a web or app, more difficult to follow. Anyhow, there's plenty of alternatives for (at least more) secure payments.


Many years ago (20?) I went to Chile for work, but prolonged my stay for a short vacation. During these additional days I used my own credit card everywhere. After arriving back home, I started to receive SMS's (no Android, no apps yet) every 5 minutes reporting charges to my credit card for several amounts of money. At the beginning I thought it was due to expenses made there (the SMS's just said the amount and an abbreviation of the commerce where the supposed purchase had been made), and just then they were being charged to the bank. But when I kept receiving more and more SMS's and I saw that one of the purchases corresponded to a pair of expensive sport shoes in Russia and the amounts started to grow and grow, I started sweating a lot. In total, more than 3000€ and growing. Luckily, I called my bank, explained the problem and all the money was given back to me after some days... I had never had problems to sleep but believe me those days I didn't nearly sleep at all until the problem was solved.
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
Did you get the food?
Yes. Maybe the "man in the middle" also prepared the meal :)

I suspected that there are better and more modern solutions. I live in the peripheral area of Israel and it is quite common here to give the credit card numbers when you make a phone order.
 

agraham

Expert
Licensed User
Longtime User
it is quite common here to give the credit card numbers when you make a phone order.
Do you have Chip and PIN cards? It's not uncommon here in the UK for small sellers to take payment details over the phone - our agricultural engineer during lockdown for example. Most Chip and PIN card terminals have a "card holder not present" capability to bypass the need for a PIN entry so you don't need to give the PIN over the phone.
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
capability to bypass the need for a PIN entry so you don't need to give the PIN over the phone
PIN is almost never required in Israel. It is only used when withdrawing money from ATMs.
This is part of the problem. Any vendor who got your credit card number + date + CVV can easily use your card.
 

agraham

Expert
Licensed User
Longtime User
PIN is almost never required in Israel. It is only used when withdrawing money from ATMs.
Looks like you have American style dumb cards and the ATM checks the PIN with the bank. European cards are smart and know their own PIN which is needed whenever you use a terminal to make a purchase in person.
 

KMatle

Expert
Licensed User
Longtime User
I'm "online" since the early 90s (so it's >30 years by now). I've seen sooo many things happen to data. And (just my point of view) it is getting worse. So many "big" companies being hacked (do you remember Sony some years ago?). Even countries are big players in hacking now (not that nerds anymore). So it's no wonder. Problem here: There is NO security you can trust but you need to use these systems to order & pay.

PS: I'm using 2-factor auth's if possible or other "safe" methods my banks offer. Only one time I had issues. Some guy booked a flight with my card. Very funny as his full name was registered.
 

udg

Expert
Licensed User
Longtime User
Any vendor who got your credit card number + date + CVV can easily use your card.
And they can "sell" those data to anybody too. That's the faulty aspect of using the CVV as a way to close a transaction over the phone. Well, untrusted sites and apps are the same.
Some guy booked a flight with my card. Very funny as his full name was registered
A genius ?

@Erel : next time insist on paying cash when the food is delivered (and taste it, if you can) :)
 

AnandGupta

Expert
Licensed User
Longtime User
I have been reading about credit card and online frauds even before I had my 'debit' card. It was like reading all messages in our B4X forum before making an app.

Well I prepared myself thus:
  1. Accepted only 'debit' card from my bank
  2. Politely refused 'credit' card from smooth talking bank girls.
  3. Opened a new bank a/c
  4. Installed PayTM (a wallet app in India)
  5. Opened PayPal
Now I,
  1. transfer a 'small' amount to the new bank a/c.
  2. transfer even smaller amount from this bank to PayTM
  3. use mostly PayTM to pay online
  4. use this bank UPI to pay online
  5. linked this bank to PayPal and use for international ones
Still I keep my eyes on all sms I received and check all my bank a/c every month.

And one more thing, I use different physical phone to make online purchases, so that the otp from my bank comes in another phone.

So reading the Forum does help, I think.

Regards,

Anand
 

Jeffrey Cameron

Well-Known Member
Licensed User
Longtime User
A few days ago, I've ordered food from a restaurant. As usual, I gave my card number with all details through the phone.

The flaw may have been in the methodology. If you gave your card number information over the phone, and the (perfectly legitimate order-taker) repeated the information _back_ to you, another unsavory patron may have been within earshot of the server and simply wrote down what they read back to you. Or, if they keep notes they may have jotted the info down "temporarily" and someone found that note they made with your information.

It doesn't have to be a "high-tech" attack. Humans are, inevitably, the weakest link in any security system.
 

JohnC

Expert
Licensed User
Longtime User
Many times, even in the US, my bank will reject a charge just because it was the first time I used that store - so it was classified as "suspicious"!

But, some cards have started to offer the ability to use temporary "virtual" credit card numbers:

 

aeric

Expert
Licensed User
Longtime User
In my country, we never make credit card payment through phone. We order food through online food service via mobile apps. GrabFood and Food Panda are the 2 biggest players. Even though payment by e-Wallet is getting more popular, we still use credit card with paywave and chip for offline payment. Online debit/credit card payment is made using FPX or online bank transfer.
 