[TriLUG] OT: lack of security at BofA

matt at noway2.thruhere.net matt at noway2.thruhere.net
Mon Dec 22 09:13:49 EST 2014


> Don't forget that a solid portion of the fraud costs get pushed onto the
> merchant, rather than the bank.  If you wish to learn more, read about
> "chargebacks".  One view is that it's reasonable if you consider that the
> merchant has the best chance of evaluating the person in the store for
> fraud, and putting a large portion of the liability at their feet
> encourages them to be vigilant, such as requiring the card to be present,
> asking for ID, comparing signatures, considering if you appear nervous or
> shady... all the things you'd expect if they were taking a paper IOU.

This becomes a double whammy for the merchant.  The processing agreements
that the merchants are required to capitulate to (and, let's be honest, the
contract is not a negotiation or any real agreement) state that the
processing agency, not the merchant, retains the sole responsibility for
determining if the transaction is valid or not.  In other words, the
merchant is not allowed to refuse the transaction because of a customer
not showing ID, signatures not matching, etc., but the merchant is still
going to be on the hook for the fraudulent transactions.  The net result
is that we all pay higher prices to cover these losses.

As far as notification of fraud alerts goes, the bank should not even
attempt to ask for information or discuss the issue if they initiate a
phone call.  Instead they should only say there is a potential issue,
please contact our customer service / fraud department.

When it comes to authentication, my bank, SECU, has you fill out a set of
six security questions and answers from a whole list of them.  In order to
authenticate yourself you need to be able to answer several of them.  Of
course, there is no real way for you to be sure that you're speaking to an
authenticated person other than for you to initiate the contact to a known
good number.

I agree that the whole CC processing and authentication system has become
a farce in terms of security.  It still relies upon a 16-digit number,
half of which is used to identify the institution and the card system and
then check values, etc.  Then to add a few significant digits via the code
on the back and a date, well, suffice it to say that anyone with an
understanding of password security would realize that this is nonsense.

Until such time as the BANKS are losing enough money that it is more
profitable to fully fix the system, they won't even attempt it.  As long
as it is YOUR money and the merchant's money that are hanging in the wind,
nothing will be done.
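The arithmetic behind the "16-digit number" point above, as an added worked example (not part of the original post or the TriLUG thread): a PAN's last digit is a Luhn checksum (ISO/IEC 7812), and the leading issuer identification number is public, so the part an attacker actually has to guess is much smaller than 16 free digits. The code below implements the Luhn check and then counts the residual search space. The 6-digit issuer prefix, 3-digit security code and 60 plausible expiry months are assumptions for the illustration, and the sample card numbers are constructed test values, not real accounts.

```python
import math


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit that makes payload + digit valid.

    Walking the payload right to left, the rightmost payload digit is the
    one that gets doubled, because the check digit will sit to its right.
    """
    digits = [int(c) for c in payload if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the PAN (spaces allowed) passes the Luhn checksum."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def account_space(pan_len: int = 16, iin_len: int = 6) -> int:
    """Number of account numbers left once the issuer prefix is known
    and the check digit is forced by Luhn.  Assumed 6-digit prefix."""
    return 10 ** (pan_len - iin_len - 1)


def effective_bits(pan_len: int = 16, iin_len: int = 6,
                   cvv_digits: int = 3, expiry_months: int = 60) -> float:
    """Bits of secret an attacker must guess for PAN + CVV + expiry.

    expiry_months=60 is an assumption (a card is typically valid for
    up to about five years, so the month/year is drawn from ~60 values).
    """
    combos = account_space(pan_len, iin_len) * 10 ** cvv_digits * expiry_months
    return math.log2(combos)


if __name__ == "__main__":
    # Constructed sample values, not real cards.
    print(luhn_check_digit("453914880343646"))   # completes the PAN
    print(luhn_valid("4539 1488 0343 6467"))
    print(luhn_valid("4111 1111 1111 1112"))     # one digit off -> False
    print(account_space())                        # 10**9 accounts per issuer
    print(round(effective_bits(), 2))             # under 46 bits in total
```

The point the numbers make: with the issuer prefix known, the PAN alone carries about 30 bits, and even adding the security code and expiry date lands below 46 bits, which is a weaker secret than a modest random password, and one that is handed over in full at every purchase.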


More information about the TriLUG mailing list