Belial6 wrote:
The US banks are definitely making money off of fraud somewhere. All you have to do to know that is look at how heavily they push the "Check Cards". Check cards are basically credit cards that automatically withdraw the money every charge immediately after use.
Here in the US, they even run ads that show how difficult it is to use a check when you don't have any ID, and that with a Check Card, you can just swipe the card and go. They are even advertising how you don't even need to sign a receipt now.
It amazes me how many people that I would have thought were mentally capable, happily accept these cards from their banks.
The banks don't make money off fraud, but Visa and MasterCard make money off merchant fees (or at least flat merchant terminal fees) for accepting debit and credit transactions. Shifting more transactions to plastic from cash makes the service more valuable -- imagine running a cash-only restaurant these days -- and encourages more merchants to sign on.
As to the (in)security of direct transfers, my understanding of the problem is that the system which has become commonplace originated as a 'hack' to get around exorbitant wire fees by using the ACH (automated clearinghouse) network built for clearing checks between banks bidirectionally.
The security is via "limited" access to the ACH network, meaning PayPal and its predecessor services (payroll direct-deposit providers, etc.) had to somehow get authorized to participate. Presumably you have to be 'sort of a bank.' But when any 'sort of a bank' lets anyone plug in any account details and start making transfers...
The safeguards on the new RFID credit and debit cards (PayPass, etc.) are apparently the same: "limited" access to the merchant network, meaning a fair chunk of the safety is in authentication of the merchant terminal and crypto between the merchant terminal and the bank. As far as I can tell, they are trying to confuse matters by talking about the TLS-type crypto between the terminal and the bank as if it applies to the terminal<->tag communication; apparently some of the cards are just using a dumb transponder with the equivalent of magstripe information.
Of course, now you don't need to sign a slip for credit-network purchases under $25, either.
Further, in the US we apparently have a new federal statute that might as well be called the Phishing Enablement Act -- one of my banks now requires me to enter my full card and PIN number (along with username and password) to obtain a cookie 'authenticating' the machine I'm connecting from; another opts for a slightly more sane challenge/response "Security Questions" scheme, but with fixed questions that entail static personal information: "What is your grandfather's name?" "Where were you born?" "What was your first car?"
The problems here are so awful that I don't even know where to begin. I need to find the actual law and see what it actually requires, but these systems seem to benefit:
- Advertisers, who benefit when more users are forced to accept cookies; and
- Banks, who don't benefit from phishing, but do benefit in fees every time an inconvenienced user doesn't check his balance because of the new hoops and overdraws his account.
Apparently overdraft fees compensate the risk of fraud, especially since they *are* lucrative for the banks and the banks' insurers probably cover the costs of fraud (or the banks' own profits do, giving them the complacency to whine about the problem without doing anything concrete about it).