
> If we start to imagine adding steps to the interview process to protect against an imposter job candidate, the “solutions” we come up with are quite aggressive. We could ask candidates on video (or in person) to see a photo ID and match the ID against the resume. But this would seem very weird. It starts an interview off in a hostile manner, and sends a strong message of distrust.

> Computers don’t have emotions; I don’t need to worry about insulting the vast majority of S3 objects when I defensively check integrity every time. But humans are different; when we design a human system around uncommon cases, we do need to consider the ramifications on the majority.

That's very true. It could be called "the tragedy of security": annoying and insulting everyone just to ward off a few bad actors.

For example, in Europe, online payments are becoming annoying to a degree that would have been unthinkable ten years ago. To use a VISA card online includes typing its 16-digit number, expiration date, "security code" (which is printed on the card), then receiving a code in a text message and typing it back, and now typing yet another personal code (or in some cases, the access code to one's online account!!). And after all that, it may still fail. It's insane.

I'm sure there are good reasons from the banks' or regulators' POV to act like this, but the consequences are incredibly painful for the vast majority of people, and probably economically detrimental as well (I sometimes give up on buying something online when the system doesn't accept a simpler payment method than VISA).

There has to be a better way.



> then receiving a code in a text message and typing it back, and now typing yet another personal code

Really? In my experience aside from typing the card numbers, all I have to do is approve the transaction with 3D secure which is one tap in my bank's app. It has never failed in my experience.

Maybe you need to switch banks? :)


That always scares me, if you lose/break your phone you can't use your card any more?


Surely the bank's website offers the same security features, so that accounts may be accessed without a specific phone with a specific app. If not, then that bank should be avoided.


You can still pay in person using chip & PIN or use an ATM without the app. This only applies to online shopping AFAIK.


Online shopping at the more secure sites.


It depends on how the payment is integrated, I guess.

In some relatively local stores it's along the lines of:

  - check out an item in the cart
  - you're taken to a payment processor's page (gateway)
  - there you pick your payment method, e.g. which of the supported banks you use
  - then you enter your bank's user ID and personal identifier
  - then a prompt pops up on your phone (though you can also use a "code calculator") with a reference ID
  - you enter your PIN code to confirm the prompt on your phone, granting the gateway access to your bank account
  - it then lists your payment accounts, from which you pick one that you'd like to pay with
  - then you get yet another prompt on your phone, this time you have a separate longer PIN to enter for confirming the payment
  - you do so, the payment is processed and you're taken back to the store page, with your order placed

Note: that app (SmartID) that's used for the codes and confirmations isn't actually maintained by the bank, but is a separate entity, so to make a payment you might have to rely on the shop being up, the payment gateway being up, the confirmation solution being up and the bank also being up. Despite all of those vectors for failure, I've actually had a pretty good track record with this solution (I've only seen the bank's service crash once and the occasional store have issues).

Oh, and the app can also be used to confirm authentication for online banking: you enter your bank user ID and personal identifier, which makes a prompt pop up on your phone, so you also get 2FA there out of the box!

For anyone wondering: https://www.seb.lv/en/private/daily-banking/smart-id

Of course, the bank also has its own app where you can make payments to specific people, or request payments, as well as view your account balance and see how your investments are doing, which is pretty nice, though you cannot use it for confirming those purchases.

On global stores (e.g. the likes of Amazon, eBay, AliExpress etc.), however, the process is generally far less involved, you just check out an item that you want, shortly afterwards the money shows up as "reserved" on your account. If you don't recognize that order, you can dispute the charge. Of course, if you don't have card details saved, you would need to enter that information first (card number, name, expiration date, code), but the end result is the same there.

That said, despite the seemingly more cumbersome approach of integrating with the bank directly for payment processing instead of going with just the card approach, I'd say that it has some security advantages for sure! With this approach, even if my bank account is compromised, no one can make payments without having direct access to my phone AND knowing the codes (as long as the system works). Of course, many still choose to pay with their cards instead.


[flagged]


Ah that makes sense. I respect you not wanting to use an app, but most likely >90% of the people who make online purchases also have their bank's app so it makes sense that the flow is optimized for that.

I use Wise too, but they also support 3D secure and it is generally required on European merchants... Works great in the app, but it's probably clunky without it too :/


So there are a couple of issues at play here. First, a merchant can charge your account with only your card number, date and CVV. If you call up and pay someone, say an insurance company, that’s all they need. Now your bank might automatically reject that charge if it seems suspicious, but that’s their call. This is why fraud is/was so rife in the US, because anyone who imprints your card can pay with it. Adding a chip and 3D secure mitigates that somewhat. If someone steals your card, usually it’s just an inconvenience because the bank will freeze your card, issue a new one and refund fraudulent transactions.

Typically the reason you see 3D secure is for chargeback protection. Chargebacks from fraudulent cards are both common and expensive for retailers and they want to minimise it - so they check your address etc. Ever notice that the checks sometimes make no difference? For example sometimes the billing address gets checked and fails if you put in the wrong one, other times it doesn’t seem to matter. I believe this is a merchant decision (some places just use it to generate invoices for tax purposes).

I don’t know of any regulation for using apps, but 2FA may be required? With Wise I can respond either via SMS or the app. I also have another fintech card which gives the option of sending the OTP over email which is useful when the app isn’t available. Also as an expat I have two phones with different sims, so I need solutions that aren’t device locked (at least one bank only allows me to have one mobile device registered).


> So there are a couple of issues at play here. First, a merchant can charge your account with only your card number, date and CVV

But the 2FA authentication of 3D secure with an SMS was fine(-ish) for me. I'd prefer this didn't rely on a phone (having network reception), but fine. It's better and more comforting than no verification at all.

Requiring me to validate two different forms with both an SMS and my bank account password is a bit much. But I'll adapt. I wish they turned those two forms into one directly though.


> I don't have any Android or iOS device on which I can install your app, and I would not do that anyway.

I don't think you can really complain that they aren't using convenient 2FA because you don't have a smartphone. It's a pretty reasonable thing to require these days.

You didn't complain that the online shop itself required the use of a computer.


I don't think forcing people to go to the GAFAM is fine, no.

(And yes, I have a smartphone but that should not be a requirement either. My computer should suffice.)

> You didn't complain that the online shop itself required the use of a computer.

Obviously online shopping requires a computer. It would not make sense to complain about this (though if I had to be a bit pedantic, the computer does not have to be mine. I don't need to own a computer).

At the moment the situation is workable for someone not having a smartphone, so, fine, but I hope it stays this way.


Not for 2FA. There are standards for that and they don't need smartphones. Also: I would trust the security of a computer owned by someone without a phone more than that of the average smartphone at this point.


Security codes are a special case of fraud ruining things for everyone.

I recently gave up on becoming a Hetzner customer (to set up a Minecraft server for friends). After going through all the security checks it declined to provision the server, demanding a photo of me with my ID—even though it successfully made a transaction to validate my payment method, it matches my name and address on file, etc. I blame crypto miners playing chargebacks.


Hum... I think they require it from everybody that isn't from the EU. I don't know if they have any means of validating the identity of EU citizens, or if they do that too.

I imagine Germany has some laws about identifying who you host things for.


> incredibly painful

Now, now… calling extra security steps for online purchases ‘extremely painful’ and ‘economically detrimental’ seems a bit excessive.

In fact, I think these steps may be there just to make people feel more secure about buying online (this would totally work with my mom, who after many years of visiting me in the USA is still afraid of giving her card to the waiter in a restaurant to pay for dinner).


> this would totally work with my mom, who after many years of visiting me in the USA is still afraid of giving her card to the waiter in a restaurant to pay for dinner

To be fair - her instincts aren't bad. It was always a shitty security model, it led to a lot of fraud, and it was one of the design principles of Chip and Pin to eliminate it.


My dad calls this “punishing the masses for the indiscretions of the few”. Like airport security theater.


> in Europe, online payments are becoming annoying to a degree that would have been unthinkable ten years ago.

I'd just like to chime in here to say that this isn't universal across Europe. The Dutch iDeal payment system only requires you to scan a QR code with your phone and enter your PIN also on your phone. I believe Belgium at least uses a similar system, but I'm sure iDeal is not unique.

Not to discount your experience of course, sounds like a real hassle and an unnecessary one at that.


That tragedy is much more prolific than just security. It applies to workplace policies, classroom rules, tourism etc...


Revolut does this better. You put in card info and press Approve in the app a few seconds later.


Three European accounts I sometimes use for online payments, each from a different country, don't make me miserable like that. Apparently one of these banks was founded early in Abraham Lincoln's presidency, so it's not a matter of choosing the new coolness too.


PayU, BLIK and other processors mostly solve this but they seem to be popular only in some European countries. They also beat PayPal easily.


Before, you had to go to the store.


Well, yes and no. There was a time when we could shop online without all this nonsense. It's getting worse every year, instead of better.

And also, going to the store has its own rewards. You get to talk to real people, see and touch the things you want to buy, etc.

Now we're alone behind a screen, jumping through absurd and arbitrary hoops that keep getting harder and harder (tried to solve a captcha lately?) and fighting "AI" systems fed with stupid data.
