Credit card security: over the top or just right?

[Pollywaffle]

I have started serious itinerary building in the last couple of days for my next jaunt and as a result have been buying airfares, train tickets, theatre tickets etc.

While most transactions have gone off without a hitch, there are always a couple that trip me up:
- the need to match billing addresses. My billing address is a PO Box. Some websites don't want a bar of this and continue to tell me my address/postcode is an error. Well, no, it's not. It's the bleeping system that can't recognise the same address I have had for years!
- that stupid Visa or M/C security where they send you a code on your mobile. It's all well and good while I am sitting at home, but what if I was buying the ticket while overseas? By that time my travel SIM would be in the phone and I would need to change back to my home SIM just to get the bleeping code.
- phone calls from the bank. OK, if anything, I will tolerate these the most. However, I have just received such a call to confirm my transactions - after I have entered in the code sent to me by SMS!

I must be living a charmed life because I have never been the victim of credit card fraud yet these procedures put into place by banks seems to be getting tighter each time I start planning a trip.

If someone has insight into card fraud, I would love to know if it's really that rampant that such nannying is necessary.

(rant over)

pw

 

[moa999]

Fraud exists.
These procedures are more protecting the banks, rather than you, given the ability to deny transactions and do charge backs.

There is a reason for dual sim phones!.

 

[drewbles]

Fraud exists.
These procedures are more protecting the banks, rather than you, given the ability to deny transactions and do charge backs.

There is a reason for dual sim phones!.

Dual SIM phones are not the answer. A mobile app like Google Authenticator (or any of the 'high security' companies like Norton/Symantec or RSA who also offer OTP Auth solutions) would be more appropriate. ING and Rabo will offer you a 'token' that you can use, as does HSBC (for corporates) and other banks are doing similarly, but not for 'everyday' users.

The faster the industry catches up to the world of technology, the less fraud there will be. Speaking as someone that's had to deal with processors of credit cards 'online' I can only say they are stuck in 2000 (as in Windows 2000). It's shocking. Up until as recently as 18-24 months ago, NAB was still making us use a modem to send files!

 

[markis10]

(or any of the 'high security' companies like Norton/Symantec or RSA who also offer OTP Auth solutions)

Both subject to vulnerabilities, specifically banking designed malaware like SilentBanker, Mebroot, and Trojan Anserin.

 

[cgichard]

Father of a friend of mine has just gone overseas for his first trip in 12 years. He took card to inform the bank that issued his credit card where and when he was travelling. Nevertheless, his card was declined the first time he used it overseas, causing him considerable embarrassment and inconvenience. His daughter back in Australia tried to sort it out for him and was initially knocked back for privacy reasons. However, as she has a card associated with his, she was eventually able to get the bank to look at the file, where the absence overseas of the main cardholder was indeed clearly recorded. Only the most cursory of apologies was given.

 

[drewbles]

Both subject to vulnerabilities, specifically banking designed malaware like SilentBanker, Mebroot, and Trojan Anserin.

SilentBanker is from 2009, as is Mebroot and Trojan Anserin is from 2007.

If you're not running patches for that by now you should be. OTP can be used at any stage, and is actually more secure than SMS authentication. OTP tokens are rarely valid for more than 60 seconds, and providing your auth server is secure, it's a non-issue.

Norton/Symantec and RSA are just two. RSA had an issue several years ago that was very public, and as you say, Symantec has had the same, but it's like anything on the internet, 'user beware' and keep your firewall on

 

[harvyk]

Needing to match billing address but then not accepting a PO box is simply non well thought out programming, although not a huge surprise.
Things such as SMS codes are actually a very effective way of preventing unauthorised logins, considering most people use the same password across multiple systems, and use typically very simple passwords, and SMS code means that you need to have a physical thing which only you have access to (for the most part). The problem with RSA OTP is the fact it only lasts for 60 seconds. Whilst I understand the reason why the algorithm does that, having a code which is valid for an hour does not really reduce the security of a system in any appreciable way, especially if other appropriate account lockout measures are in place.

All that said, do not feel for a second that any of these measures are there to actually protect you. The banks don't actually care if your account gets drained, except for the fact that they could need to reverse transactions which adds costs to them.

 

[markis10]

SilentBanker is from 2009, as is Mebroot and Trojan Anserin is from 2007.

If you're not running patches for that by now you should be. OTP can be used at any stage, and is actually more secure than SMS authentication. OTP tokens are rarely valid for more than 60 seconds, and providing your auth server is secure, it's a non-issue.

Norton/Symantec and RSA are just two. RSA had an issue several years ago that was very public, and as you say, Symantec has had the same, but it's like anything on the internet, 'user beware' and keep your firewall on

There are more recent issues as well, ie : SecurityFocus You would be surprised how many people install and forget, with auto update turned off for obvious reasons!

I sell tokens for a living amongst other things, RSA and Symantec products are not ones I touch. Interestingly the technology for many of them was developed in Brisbane, such as Vasco and Safeword!

 

[Fifa]

I am also in the midst of making lots of os bookings - flights, accommodation, trains, buses.
My friend in the US has given me her details so I can book her things on her card at the same time.
Her Visa was declined on a GBP23 bus booking but mine was ok! (Her bank contacted her to ask if it was legit).

 

[coles525]

Fraud exists.
These procedures are more protecting the banks, rather than you, given the ability to deny transactions and do charge backs.

There is a reason for dual sim phones!.

Can anyone tell me if any smartphones (android) have duel sim? I only ask for overseas travel reasons to hopefully save on costs.

 

[markis10]

Can anyone tell me if any smartphones (android) have duel sim? I only ask for overseas travel reasons to hopefully save on costs.

Many, I use a Samsung Galaxy S Duos, and love it, bought it online from Kogan for $170 (think its closer to $200 now) where as locally its over $300.

Edit - Yikes, $209 now http://www.kogan.com/au/buy/samsung-galaxy-s-duos-white/

 

[drewbles]

Drop me a message if you want a cheaper one (we sell them too but I won't push them on the public forum). They ship from Melbourne. They won't be Samsung, but they are dual active SIM (ie, both can be on a network at the same time) and run Android.

 

[Joshua]

And alternatively take an old Nokia or similar for the Aus SIM and as an emergency backup handset + service. Personally I take last years iPhone which is completely excessive, a 3 SIM card with some free roaming and Telstra as my main Aus number and never have any troubles with banking security overseas, even when having to phone. I gather after a while the computer just accepts your history of random purchases across the globe and doesn't block them.

 

[DeKa]

Can anyone tell me if any smartphones (android) have duel sim? I only ask for overseas travel reasons to hopefully save on costs.

Some of the major brands (including Samsung) have Chinese market versions of mainstream phones with Dual SIM - eg Galaxy S4: Dual-SIM Samsung Galaxy S4 goes official, Exynos 5 Octa in tow - GSMArena.com news
I am fairly sure the dual SIM models forego 4G/LTE though.

 

[drewbles]

Some of the major brands (including Samsung) have Chinese market versions of mainstream phones with Dual SIM - eg Galaxy S4: Dual-SIM Samsung Galaxy S4 goes official, Exynos 5 Octa in tow - GSMArena.com news
I am fairly sure the dual SIM models forego 4G/LTE though.

LTE is a bit of a moot point ATM when it comes to roaming. There are *very* few roaming agreements in place, largely due to the disparity of frequencies in use. Telstra AU works with LTE in Hong Kong on Reach (Which is a JV they half own). Forget AU to US for quite some time though. Until Quad Band GSM handsets came into existence, you had to specifically buy tri band phones to work, and they were not brilliant.

It'll come in time, but LTE is still fledgling in comparison to 2G and 3G.

 

[erkpod]

Last night I booked 4 domestic US flights using my VM Visa card.

I made 3, got declined on the 4th.

I had my phone in flight mode.

When I woke up this afternoon, I had a voicemail from VM last night & another this morning.

Needless to say, they were asking about the flights. Who would have thought that a VM Visa card linked to my VA VFF account would be used to book flights with VA codeshare partners DL & VX?

The operator thanked me for calling back & noted my transactions. She said she'd unhold the card.

4 hours later, I was on my way to my Place of Employment. I got another call from VM querying the same transactions. According to lady #2, there was no note from lady #1 saying that I'd called & said the transactions were legit.