Friday Facts #303 - Under 100 bugs (but still not stable)

[Sander_Bouwhuis]

How is it possible that tens or even hundreds of thousands of cards are being stolen to be used? Are there millions of burglars and pick pockets around?!? Also, wouldn't people notice their wallet was stolen within probably at most 1 or 2 days? Also, how do they get the PIN/secret code or the crypto device to generate the one-time number for each transaction?

It's all so weird. I've never heard of this kind of wide-scale fraud in The Netherlands (maybe the media doesn't report on it).

[Light]

How is it possible that tens or even hundreds of thousands of cards are being stolen to be used? Are there millions of burglars and pick pockets around?!?

You've never heard of data breaches before?

Just last year there was a data breach involving Desjardin's which is a credit union, having 2.7 million people with their names, addresses, birth dates, social insurance numbers, email addresses, and information about transaction habits, all leaked outside their institution due to a single employee sharing it with an unauthorized third party.

Things like this can happen with companies storing credit data, which when breached is a treasure trove for criminals to delve into. This is how the aforementioned group who bankrupted the company I worked for obtained their massive list of credit information. It was stolen by them hacking into a poorly secured Brazilian company server that stored customer credit data in plaintext (Yes, I'm serious), which they naturally abused at the cost of both the corporations and the victims.

Also, wouldn't people notice their wallet was stolen within probably at most 1 or 2 days?

Their wallet? Sure. Their bank account or credit account? Not really.

Do you check your accounts on a daily basis, or do you only know what's in it when you make a withdrawal or deposit? Usually that's when someone could notice a problem when the account seems smaller than it should, or if the bank notifies the owner of suspicious activity with their account.

In Canada your debit card also acts like a credit card, though we have individual credit accounts for higher denominations. This means that withdrawals come directly from your personal funds first, then it starts to stack on the credit once your account is empty. With daily withdrawal limits in place this provides a slight window to discover the theft before it clears you out, but usually the banks here are good at freezing accounts the moment anything seems unusual. It has actually saved a few friends and family from losing more than a few hundred (which was refunded) as they'd get calls saying their card was used in a different country.

[Sander_Bouwhuis]

Their wallet? Sure. Their bank account or credit account? Not really.

That still doesn't explain how they can get hold of the 2FA crypto device you have to use for each transaction. Is there a workaround for that?
Can you make a payment without the card itself? I.e., without the crypto keys inside the card?

I just asked a friend of mine who does have a credit card. He says he needs to supply his PIN/secret code on a payment terminal whenever he uses it in a restaurant.
He MUST have the card AND the secret code or the payment fails.

[Light]

@Light
That still doesn't explain how they can get hold of the 2FA crypto device you have to use for each transaction. Is there a workaround for that?

You're assuming such a thing is used by all institutions. They are not.

[Koub]

@Light
That still doesn't explain how they can get hold of the 2FA crypto device you have to use for each transaction. Is there a workaround for that?

I just asked a friend of mine who does have a credit card. He says he needs to supply his PIN/secret code on a payment terminal whenever he uses it in a restaurant.

Do you have to type the 3 digit crypto-thing every time you buy something, say on Steam ? I have noticed that sometimes I'm asked to type it, sometimes I'm not (and I don't know why).

[BlueTemplar]

As already posted here, 2FA will only become mandatory this September, only in EU/Maastricht(?), and only for sums larger than 30€.
Note that in the US at least, they took a LONG time for their "physical" credit card transactions to be secured by PINs (I'm not even sure if those are even mandatory yet ?).

[Sander_Bouwhuis]

@Light
That still doesn't explain how they can get hold of the 2FA crypto device you have to use for each transaction. Is there a workaround for that?

I just asked a friend of mine who does have a credit card. He says he needs to supply his PIN/secret code on a payment terminal whenever he uses it in a restaurant.

Do you have to type the 3 digit crypto-thing every time you buy something, say on Steam ? I have noticed that sometimes I'm asked to type it, sometimes I'm not (and I don't know why).

I don't have a credit card, so I don't know. He told me he has to have the card because it contains the crypto keys in it. He ALSO has to supply his secret code (like debit cards).

As already posted here, 2FA will only become mandatory this September, only in EU/Maastricht(?), and only for sums larger than 30€.
Note that in the US at least, they took a LONG time for their "physical" credit card transactions to be secured by PINs (I'm not even sure if those are even mandatory yet ?).

The idea that someone can do a payment WITHOUT providing any key challenge sounds absolutely absurd. Who would possibly want that?!?

[Unclebod]

@Light
That still doesn't explain how they can get hold of the 2FA crypto device you have to use for each transaction. Is there a workaround for that?

You're assuming such a thing is used by all institutions. They are not.

The pin is not used when buying online. The 3-digit code on the back is used. If they have obtained the card information through a badly coded site (there are quite a lot around) they have all the information they need.

"Stolen cards" when you talk about internet purchases are, as pointed out earlier in the tread, not a question about physical stolen cards in most cases. It is information about the card stolen through internet.

[BlueTemplar]

Because the PIN chip is much more expensive than the magnetic stripe / pen to sign I guess, (WAY before anyone would even consider to buy anything through the Internet) and they were probably patented at first, thus even more expensive ?

The 3-digit, back on the card confirmation number is barely secure, as a thief has only to have a look to the back of the card (or find what algorithm was used to generate it, not sure how hard is that... not sure how it helps with online transactions if the code can be stolen at the same time as the card number itself?). There are these days Li-ion battery-powered cards with a reflective LCD back code that changes every hour though...

[Light]

As already posted here, 2FA will only become mandatory this September, only in EU/Maastricht(?), and only for sums larger than 30€.
Note that in the US at least, they took a LONG time for their "physical" credit card transactions to be secured by PINs (I'm not even sure if those are even mandatory yet ?).

Digital purchases in North America don't require any PIN. I never knew anyone who even knows what their PIN even is, assuming they even added one to their CC. It's not mandated to my knowledge, and most don't even bother with one if given the option. After adding one to mine it only prompts when used physically.

Also, if we're talking physical cards here, the debit cards with tap features don't ask for anything. If the purchase is under $100, you can simply tap the card on the terminal and walk away with the goods in hand. A thief can abuse that until reaching the daily withdrawal limit, though people can freeze their own cards if it's missing and unfreeze it when found. There's no penalty for doing so.

There are these days Li-ion battery-powered cards with a back code that changes every hour though...

Neat. I hope these arrive here soon.

[BlueTemplar]

Well, the guy that I know that has one said it was fairly expensive... but worth it for him as he travels a lot, and gets his card numbers stolen regularly.

Ah, the contactless payment option is relatively new, and is limited here to 20€/purchase (30€ now), and generally up to 100€ per day.
It's still fairly unsecure, like most short-radio communications of this kind, as, unless you have a Faraday-cage wallet, information can be read up to a few meters away, which is pretty easy to achieve in situations like public transport... (though in the case of payment systems, they generally have server-side verification to prevent fraud)

[BlueTemplar]

So, what is the difference between Humble Widget and G2A that is leading to such radically different results ?
That G2A only works through Steam (/Origin/Microsoft) keys ?
(Also, I hear that GoG has implemented their own key system recently ?)

Ok, looks like that I misunderstood that - for some reason I thought that Wube was using some "G2A's widget" or such.
From the "So long 2016" FFF :

After some research, we switched from processing payments through braintree and paypal, and instead implemented the incredible Humble widget. Specifically Humble widget has a built in fraud prevention, which completely stopped all the chargebacks we were seeing. I highly recommend the Humble widget for anybody looking to process payments on their own website.

(emphasis mine - Braintree is a division of Paypal)

[Sander_Bouwhuis]

Online payments in The Netherlands (and hopefully most countries) is as follows:
1. You order something and proceed to check out on the website.
2. You are then automatically redirected to the website OF YOUR BANK.
3. You are asked to do a random key challenge with a 2FA device that changes EVERY transaction.
4. You are automatically redirected to the website/store you came from.

At no point does the store have ANY sensitive data from your card. There is literally nothing to steal.

It is strange that the USA is often ahead technologically, but here they are clearly like a third world country.
It's good to hear it's going to change in September (someone mentioned this a few posts back I think).

[mmmPI]

It is a bit off topic, but i see many people surprised that the credit card seems unsecure. I want to point out a few examples, in highway toll, people wants to go fast, and don't want to type in a code everytime. We also have "no-contact" payment, it's the default option on every credit card nowaydays in my bank, you cannot refuse to have it, there is a partnership between my bank and a CC company, all of the new CC have that "no -contact" payment for sums under a given amount which is unfortunately broken on mine since it seems a needle happen tu have punctured the exact spot needed for that particular use. The bankster told me " well we can't force you to replace your card every week, so you gonna have to keep it this way". " Why can't I have a default one where it's disabled ?". " We don't those anymore ...".


Another time I received my tax papers for a tax based on the flat i live in, from administration, with incorrect account numbers. New to the practice I didn't bother double checking and send back the papers will signatures and stuff. Only to later discover that the money was not taken from my account but from on of my relatives who helped me pay the rent at the time who called me for explanation. I went to administration for same reasons they told me " You didn't double check, it's your fault". "What if I did it on purpose ?" "You shouldn't do that that's illegal". Absolutly no f... given about sending me in plain text other people numbers that they assume were to pay the tax. Absolutly no shame about still receiving funds without the proper name on the authorization. No excuse no dysfunctionnement. Then i went to the bank (my relatives and I having the same). Where they clearly explain to me that they proceed to the transaction because it was the administration, they don't check the name/ authorization before proceeding, " you know there are way too many transactions nowadays, we can't check them all, it's automatic now, if there is a problem you need to take it to court immediatly, also we sell an insurance to prevent that "( getting paid to follow their legal obligation that they would also follow if you don't take the insurance and not even trying to make a safe algorithm for at least getting the name correct !);

I agreed to give money to my relative, but nor the bank ( his and mine) nor the administration ever filed anything official against me or did anything about the mistake. If my relative didn't notice I paid my tax with his account, nothing would have ever happened, needless to say my trust in the bank greatly reduce after that. To the point where i did took the time to read the law text called " monetary and financial code".

There are blatant example where it is not respected, I once worked in a major company selling phone and phone contract. (+/- 40 million customer accross europe/northen africa). Well not directly for them, i was in a 3rd party call center, where you'd land after you call the number they show in the ads on TV. The average time per customer was to be under 5 minutes, that was the goal. During that time you are required to try and sell a phone/internet box/ whatever. For this you need to ask for the customer for his bank account number and store them in the software provided by major company to 3rd party call center. And ask him to give vocal conscent to the automatic money transfer.

You are also given the possibility to read any file on any client (including physical address and banking coordinate), in case one call and wants an upgrade, you need to check that its coordinate are up to date. The turnover of the call center is 50% employee per year, but it hides the fact that they do 5 days contract, that they renew only when you meet the commercial objective so during a year many more person are given the access and then not re-hired. I quit after 3 month, i let you imagine how many people across the world do have access to quantities of banking datas.

Even if fraud is relatively " common and easy " it doesn't explain why it seems to only come from one place from the devs past experiences. My own little explanation is that a platform like steam is (we like it or not) a monopoly, if you abuse the refund consumer protection, you will end up being flagged by them and then there's nowhere to go. G2A is a new challenger that adds a layer, you can get games sell them on G2A, abuse the refund on original purchase place but keep the second hand buyers money, get ban on G2A for that, create a new account. It works/ it doesn't works , if the game is 300 € ( calling you out EU4) you can try do it every day 10 time a day, you'd still make more money than looking for a real job in many places even in rich countries.

I think and hope it will change over time as I think G2A itself is victims of that, and tries to hide it.

[BlueTemplar]

Online payments in The Netherlands (and hopefully most countries) is as follows:
1. You order something and proceed to check out on the website.
2. You are then automatically redirected to the website OF YOUR BANK.
3. You are asked to do a random key challenge with a 2FA device that changes EVERY transaction.
4. You are automatically redirected to the website/store you came from.

At no point does the store have ANY sensitive data from your card. There is literally nothing to steal.

It is strange that the USA is often ahead technologically, but here they are clearly like a third world country.
It's good to hear it's going to change in September (someone mentioned this a few posts back I think).

As already mentioned, this is not mandatory (unless specifically, in Netherlands - which I doubt, considering them being part of a larger economic area...), and still won't be, except from September, only in EU, only for transactions over 30€.
(Though a lot of companies went ahead to implement these systems already, which obviously makes them look good when they don't charge too much for it.)

The PIN system, which is completely different, because requiring a dedicated device (2G/3G connected these days?), which I'm not even sure that non-professionals can even buy, requires(?) a specific integrated circuit, which is not a US, but a French invention.

[BlueTemplar]

Even if fraud is relatively " common and easy " it doesn't explain why it seems to only come from one place from the devs past experiences. My own little explanation is that a platform like steam is (we like it or not) a monopoly, if you abuse the refund consumer protection, you will end up being flagged by them and then there's nowhere to go. G2A is a new challenger that adds a layer, you can get games sell them on G2A, abuse the refund on original purchase place but keep the second hand buyers money, get ban on G2A for that, create a new account. It works/ it doesn't works , if the game is 300 € ( calling you out EU4) you can try do it every day 10 time a day, you'd still make more money than looking for a real job in many places even in rich countries.

I think and hope it will change over time as I think G2A itself is victims of that, and tries to hide it.

Steam is technically a monopsony :
https://medium.com/@KingFrostFive/steam ... .f1i0acdn8
As can be seen from this article, G2A is not their competition since they gave up on being a retailer (due to developers not being interested by selling games to poor polish gamers ?) and switched to being a marketplace (and renamed themselves from Go2Arena), a marketplace that only sells keys for other stores (except the only* competition to Steam on PC : GoG?)

*EDIT : there's Discord and Epic Store too now, are they selling Steam keys yet ?

[mmmPI]

Steam is technically a monopsony :
https://medium.com/@KingFrostFive/steam ... .f1i0acdn8

quoted from the article : "Steam, in its capacity as holders of the Steamworks DRM, has arguably monopolized the PC market. It is a dominant seller with enough clout that there all but one major third party store sells games using Steamworks. The greatest evidence to suggest that this is a monopoly is that competition has proven multiple times to be incapable of existing without games that demand Steam. There is one current exception to this rule. Though you do have a dozen sellers of PC out there it almost always comes back to Steamworks, making Steam the ultimate seller in the transaction as it is a necessary component to play the game. "

Steam has tried to kill the second hand market, it is a seller, we players are the customers, we can't sell a game we purchased on steam because we don't play it anymore. The worst being I buy a game on my steam account let say factorio, my brother if i had one wants to play the game he can't because i play another game on my account. How stupid is that ? It's worse than with the CD where my brother could have used the key, while i'm playing another game.
The fact that there is 1 seller that imposes its conditions to the whole market is a monopoly as explained in detail in the article.

Valve is ALSO a monopsony, when it comes to its relation with developpers, where Steam is the only retailer for many dev to sell their product.

[life]

Добрый день жители Factorio.
Прошу извинить если мои мысли немного не связны или не относятся к теме.

Я ленив и поэтому редко пишу сюда, ведь надо каждый раз вспоминать пароль, но при этом я читаю каждую новость моего любимого разработчика, пожалуй это единственный разработчик (factorio), которого приятно почитать на тему подхода к разработке игры...
Я ленив и поэтому мне проще спиратить игру пощупать и если понравится я куплю ее при первой же возможности. Проще чем потом разбираться с правилами возврата. Мне не хотелось бы покупать кота в мешке или того же кота но в красивом мешке и неоновыми надписями. Когда я первый раз увидел игру в магазине Steam мне бы не пришла мысль ее купить. Но именно возможность спиратить мне дала уникальный шанс оценить игру. Да вы может быть скажете "но ведь есть же Demo версия", опыт показал, что и демо бывает весьма обманчивы, это как трейлер к фильму, где все самое интересное есть в трейлере, а когда смотришь фильм, то он не вызывает уже ни каких положительных эмоций, кроме чувства зря потраченных денег. 2 часа на возврат в Steam смешно, одни игры можно пройти за это время, а в других не успеваешь и разобраться что к чему... Там еще какие то ограничения но я их не помню...
Я ленив поэтому не буду дальше о пиратстве...

И я только сейчас узнал про наличие 28 дней на возврат у вас! Ребята вы молодцы, спасибо что дочитали до этого момента!

И я снова ленив, и мне лень будет проверять, как перевел переводчик, извините...


English version:

Good day to the people of Factorio.
Immediately I apologize for my weak English and I use the translator in mind of a large text.
I apologize if my thoughts are a bit unrelated or not relevant to the topic.

I am lazy and therefore rarely write here, because you need to remember the password every time, but at the same time I read every news of my favorite developer, perhaps this is the only developer (factorio) who is nice to read about the approach to game development ...
I am lazy and therefore it is easier for me to pirate the game to feel and if I like it I will buy it at the first opportunity. Easier than later to deal with the rules of return. I would not want to buy a cat in a bag or the same cat but in a beautiful bag and neon inscriptions. When I first saw the game in the Steam store, I would not have thought to buy it. But it was the opportunity to pirate that gave me a unique chance to appreciate the game. Yes, you can say "but there is a Demo version," experience has shown that the demo can be very deceptive, it's like a trailer for a film where the most interesting things are in the trailer, and when you watch a movie, it doesn’t cause any positive emotions, except for the feeling of wasted money. 2 hours to return to Steam is ridiculous, some games can be completed during this time, while others do not have time to figure out what's what ... There are some other restrictions, but I don’t remember them ...
I am lazy so I will not go further on piracy ...

And I just found out about the availability of 28 days for a refund with you! You guys are great, thanks for reading to this point!

And I'm lazy again, and I'm too lazy to check how the translator translated, sorry ...

[FuryoftheStars]

{...}

I don’t know if yours or other people’s experiences differ from mine, but the couple of times I bought a game off Steam that turned out to be no fun for me, I just contacted Steam asking for a refund, citing that the game was not enjoyable to me. They gave me the refund no questions asked. Of course, I rarely ask for a refund and when I do, I’ve barely played the game any, so I don’t know how much that factors in.

[BlueTemplar]

Yeah, for a while there was a rumor that Valve would to that... but only once (1), after which, if you had any issues with another game you were out of luck, since customer support was practically non-existent, and Steam had (on paper) a strict no-refunds policy at the time.