I don't understand. I have a credit card I use for online purchases, and no matter how little the charge is, there is a 3-way verification process.
1 CVC code
2 a passphrase after the purchase has been completed
3 a phone call to verify the purchase amount and ID check.
I have used the same card for ten years with the same online vendors, and still they have to go through the 3-way verification process.
So I know credit card fraud is an ongoing battle, but how are the thieves bypassing the 3-way verification?
As a matter of fact, I have lost out on some hot-ticket items due to this process.
Gigabyte Z370 Gaming 7 32GB Ram i9-9900K GigaByte Aorus Extreme Gaming 2080TI (single) Game Blaster Z Windows 10 X64 build #17763.195 Define R6 Blackout Case Corsair H110i GTX Sandisk 1TB (OS) SanDisk 2TB SSD (Games) Seagate EXOs 8 and 12 TB drives Samsung UN46c7000 HD TV Samsung UN55HU9000 UHD TV Currently using ACER PASSIVE EDID override on 3D TVs LG 55
Wow, the CVC code is the only thing an online retailer has asked me for, zig. I don't think I have ever had the other checks. How is a passphrase even used with a credit card?
This is why, as a general rule, I try to avoid using credit cards online (well, I try and avoid credit as much as possible, it's more a rainy day thing). I use a debit card connected to a side account, or PayPal connected to that account - which has a tiny overdraw limit and only ever has money in it when I'm doing an online transaction - kind of like using the banking system as a firewall (so even if my details get stolen, there is no money to spend :D). But I had to set up these little security measures with the bank myself, on request - which is why I say the banks should always be liable because they are always responsible for failures in the credit system.
[quote="ummester"]Wow, the CVC code is the only thing an online retailer has asked me for, zig. I don't think I have ever had the other checks. How is a passphrase even used with a credit card?
This is why, as a general rule, I try to avoid using credit cards online (well, I try and avoid credit as much as possible, it's more a rainy day thing). I use a debit card connected to a side account, or PayPal connected to that account - which has a tiny overdraw limit and only ever has money in it when I'm doing an online transaction - kind of like using the banking system as a firewall (so even if my details get stolen, there is no money to spend :D). But I had to set up these little security measures with the bank myself, on request - which is why I say the banks should always be liable because they are always responsible for failures in the credit system.[/quote]
After the purchase, a screen from the bank that issued the card is displayed with a review of the order and amount, and a passphrase field is displayed. You type in your passphrase to complete the transaction. Then, after all that, I get a call a minute later with the amount of the item purchased, and I have to provide personal info to finalize the transaction. And I totally agree with you: the banks should be liable if they approved the transaction.
If your bank offers these extra security features, I would use them.
I remember purchasing a video card and mistyping the passphrase; the transaction didn't go through, but I'd rather be safe than sorry.
I really have a hard time believing all this about grey market goods. This market was around before the internet, and G2A is like eBay; how are they responsible?
I can't steal fifty physical games and put them up on eBay without significant risk to myself. If I don't get caught stealing from the store (and in such large quantities), it's surely going to throw up some red flags when I list 50 copies of my stolen game on eBay, given the police/company are likely to be watching for it.
I can easily buy a cache of stolen credit cards for cheap, use them to buy large numbers of keys, and re-sell them on G2A before anyone can do anything about it - and at almost no personal risk. Therefore the responsibility to prevent fraud is something the marketplace has to take very seriously.
Again, this is not G2A's problem; it is the bank's problem for letting the transaction go through.
I purchase from a dealer on eBay in the US who is always half price on Origin games.
http://www.ebay.com/itm/Mirrors-Edge-Catalyst-PC-2016-Brand-new-factory-sealed/272302454674?_trksid=p2047675.c100012.m1985&_trkparms=aid%3D222007%26algo%3DSIC.MBE%26ao%3D1%26asc%3D37472%26meid%3D1a8cc5b97973481b8b1b8552069c307a%26pid%3D100012%26rk%3D1%26rkt%3D7%26sd%3D282061707959
That article has some great detail on how the banks are actually screwing G2A. I have to agree with ummester here that the genuinely immoral actors are the banks.
Rather than take any risk for their product, they chargeback at outrageous cost to the simple original vendors, who did absolutely nothing wrong.
Maybe things changed, but I originally thought that the banks were on the hook for fraud, which is where they'd have incentive to prevent it. If they just f* over the small vendors now, then they no longer have any reason whatsoever to care about fraud, they still make money. That is genuinely immoral.
Acer H5360 (1280x720@120Hz) - ASUS VG248QE with GSync mod - 3D Vision 1&2 - Driver 372.54
GTX 970 - i5-4670K@4.2GHz - 12GB RAM - Win7x64+evilKB2670838 - 4 Disk X25 RAID
SAGER NP9870-S - GTX 980 - i7-6700K - Win10 Pro 1607 Latest 3Dmigoto Release Bo3b's School for ShaderHackers
I must have missed the part where the banks are screwing G2A, would you mind clarifying? I don't deny that banks in general are immoral actors (and particularly these chargeback fees), but it seems the ones being screwed are the game devs.
[quote="Pirateguybrush"]I must have missed the part where the banks are screwing G2A, would you mind clarifying? I don't deny that banks in general are immoral actors (and particularly these chargeback fees), but it seems the ones being screwed are the game devs.[/quote]
They are indirectly screwing G2A, because they are making them out to be the bad guys, when they also had no control over the criminals. G2A is just trying to establish a market, not necessarily trying to fence stolen goods.
It's just like eBay, there is no way for them to know that the goods are stolen or legitimate. When the stolen credit card is used to buy, no one knows the card is stolen. Maybe the pattern is suspicious of buying 50 copies, but there is no indication it's using stolen cards. Moreover, isn't that the credit card companies' responsibility? If they see 50 copies of the same game being bought, surely the fraud protection should kick in and ask the owner if they are sure?
I'm not even convinced that what G2A is doing is immoral at this point. They've even made non-trivial efforts to put in some restrictions, and not just giving it lip service. It seems pretty clear that they are not deliberately trying to be a fence.
The real problem here is the charge-backs. It absolutely hammers the original vendor, and it makes G2A take the fall as the bad guy - when they also had no way of knowing they were illegal.
Meanwhile the bank walks away with money, regardless of the fraud. This should not be legal.
[quote="bo3b"]Meanwhile the bank walks away with money, regardless of the fraud. This should not be legal.[/quote]
And, from what I understand, the accountability rolls downhill from bank to bank. So, even if a merchant proves there was nothing they could do to prevent the theft or fraud, Visa or Mastercard will never wear the cost, rather they will push it onto the smaller bank.
Think about it, if Visa and Mastercard were liable, something like paywave would never be introduced - it's just too risky to try and control. Visa and Mastercard make money out of interest, they need funds to move, credit to flow and debt to grow for profit - so they don't care who is at fault, so long as they can avoid being liable for the faults.
Meh, look at what happened in the US in 2008, when the biggest banks come undone they force accountability onto society.
Re the thread, yes, as I have agreed, G2A are probably among the most dodgy of grey sellers when it comes to preventing fraud. Like eBay, they just don't care - they make their 10% on a sale either way. But the big credit card companies care a lot less and make a lot more, whilst totally avoiding all accountability.
Ah, ok. I understand where you're coming from. I don't entirely disagree, but G2A surely bears some of this responsibility as well. Fraud does cost banks a lot of money, and they do put a lot of time and money into minimising it. But it's probably always going to be there. G2A should be vetting sellers much more thoroughly. How does anyone legitimately get hold of a significant number of keys, sell them below retail price, and still make a profit? Reselling keys from cheaper regions is one option, stealing them is another... I honestly can't think of any more.
In many cases, the only legitimate way to buy keys for smaller games in particular, is direct from the developer. In that case, there's no legitimate way for anyone to get keys cheaper than retail (especially if there's no physical release). Yet they still end up being scammed and having their keys flogged on G2A.
[quote="Pirateguybrush"]Ah, ok. I understand where you're coming from. I don't entirely disagree, but G2A surely bears some of this responsibility as well. Fraud does cost banks a lot of money, and they do put a lot of time and money into minimising it. But it's probably always going to be there. G2A should be vetting sellers much more thoroughly. How does anyone legitimately get hold of a significant number of keys, sell them below retail price, and still make a profit? Reselling keys from cheaper regions is one option, stealing them is another... I honestly can't think of any more.
In many cases, the only legitimate way to buy keys for smaller games in particular, is direct from the developer. In that case, there's no legitimate way for anyone to get keys cheaper than retail (especially if there's no physical release). Yet they still end up being scammed and having their keys flogged on G2A.[/quote]
I'm located in the United States.
The person who I purchase Origin PC games from sells them at half price on eBay.
http://www.ebay.com/usr/510barbosa78
He has been a member since 2009 and has a rating of 4418.
How do you screen a seller like this? When he lists a new item, the seller has more than 20 available.
An example: my last transaction with him was for Mirror's Edge Catalyst, delivered July 7 2016, total price $32.78. At the time of shopping, this seller's price was $20.00 cheaper than everyone else.
[quote="Pirateguybrush"]Ah, ok. I understand where you're coming from. I don't entirely disagree, but G2A surely bears some of this responsibility as well. Fraud does cost banks a lot of money, and they do put a lot of time and money into minimising it. But it's probably always going to be there. G2A should be vetting sellers much more thoroughly. How does anyone legitimately get hold of a significant number of keys, sell them below retail price, and still make a profit? Reselling keys from cheaper regions is one option, stealing them is another... I honestly can't think of any more.
In many cases, the only legitimate way to buy keys for smaller games in particular, is direct from the developer. In that case, there's no legitimate way for anyone to get keys cheaper than retail (especially if there's no physical release). Yet they still end up being scammed and having their keys flogged on G2A.[/quote]
Yes, G2A bears some responsibility and, IMO, should cover the costs of failed transactions before the developer is involved. The dev should be more protected than the consumer because they are a producer. Producers and consumers are the primary components, everything in the middle is some kind of leech (banks, merchants, advertisers - whatever) - they neither make nor use the product, they profit from others' creation or purchase. And online theft always occurs at the transaction level.
As G2A should be vetting sellers, the banks should be making it harder for theft to occur - not easier. As that article you posted stated, the thief did it for giggles because it was easy and risk free.
It's like with paywave - if you dropped your credit card without knowing and I picked it up straight after and went and bought myself a video game, there is no risk to me whatsoever. Even if you cancelled the card before I got to the store, I just say "shit, that's embarrassing" and walk out. The sole aim of paywave is to make it easier for everyone to spend, at the total expense of security.
So, back to online, there is no way to really catch the thief. Want to try and track their IP address? All they have to do is make the transactions in a public library.
But there is something that can be done about the transactions and the card issuers are responsible for this. Cards that need a thumbprint to work, for instance - cards that only show the CVC if the owner's thumb is pressed on them, for online transactions. Some form of foolproof check and balance system needs to be developed by the credit card companies and if it makes transactions more time consuming or cumbersome, so be it. The transactions need to be re-designed with security first and ease of use a distant second.
I linked an article earlier that listed some of the many ways keys are legitimately acquired. People buy heaps on special then sell them later to make a profit. People sell all the Humble Bundle games they don't want. People run around in poorer countries opening boxes and selling the keys online (I love to imagine the wait with some grey sellers is some little dude running from shop to shop in local markets trying to find me a copy of the game :D ).
The onus for ensuring all online transactions are above board, as I see it, is in the following order:
1 - always the credit card manufacturer and supplier - it is their service to maintain.
2 - the original seller/merchant/enabling bank acting as agent for the dev etc (whoever a thief buys the keys from has more onus than the reseller)
3 - the reseller (grey sellers like G2A)
4 - the consumer (yes, even more than the dev, the consumer has a responsibility to themselves).
5 - the producer (game developer), unless the developer sells keys directly in which case they are number 2.
No matter how much effort banks make to try and make credit card payments more secure, the system still has an Achilles heel: backwards compatibility.
Your brand new, top-of-the-line, super secure credit card, which is equipped with the latest secure chip, unique number generator, on-card fingerprint lock, automatic SMS 2FA trigger via the bank networks, etc., is also compatible with the very old and insecure "copy the fixed number/expiry date on the front of the card" method (by hand or via the magnetic strip), in order to make sure the card won't be rejected by the majority of merchants who did not upgrade their systems.
The card networks (via the banks) always tell the card holders that the system is secure on the whole, which is as far away from the truth (a simple card number via hand copy or via the magstrip has almost no security compared with a chip-based unique number with 2FA), and allow (and encourage) their users to spend their money at any store no matter what level of security they are equipped with.
The card networks put the responsibility of using secure methods of transaction on the shoulders of the merchants. The way they do it is by promising card holders that they will get their money back in case of fraud (although it may take a while), and by making the merchant pay a higher insurance premium and higher chargeback fee in case of fraud in his store.
This has proven effective in retail stores as it has significantly sped up the rate of system upgrades at stores around the world. As soon as banks decided to massively deploy a card upgrade in a specific country, the store owners upgraded their terminals within a few years or faced huge penalties.
But the internet has resisted this trend, mainly for 2 reasons:
- the global aspect of the internet meant the largest market with a very insecure system (the USA) would hinder progress in the rest of the world
- the fact that most online transactions are performed from the card holder's computer, and not from an expensive merchant's terminal
The card networks have always resisted the idea of making cheap enough transaction terminals to distribute to their individual card holders. They barely allow information readers, not transaction terminals, and they advertise them so little that many people have been surprised that you can even read any information from the chip (oh my god, I thought the credit card's chip was an unbreakable fortress).
The only way to generate that unique single use transaction number is with an expensive merchant terminal and verified transaction service supplier (expensive monthly contract).
As a result, the way almost every online merchant works is by using the oldest and least secure method: copying your fixed credit card number and expiry date by hand and giving it to the merchant in clear text so that the merchant can use it through the credit card network, which is then responsible for doing the security stuff.
Now, in the wake of the huge surge in internet fraud, banks have upgraded the security of their online payment systems, but upgrading millions of web merchants (many use custom code they don't want to redo) is difficult. So banks have opted for an optional security upgrade as a service: have you noticed that on many small merchant sites, you do not pay directly on the site but are temporarily redirected to a banking site?
It's usually when using these systems that you get the extra info requirement or the 2FA via SMS, etc.
However, in order not to break backwards compatibility, the older system is still in place and works perfectly.
Most of the biggest websites have not upgraded; in fact, many of the biggest sites don't want to, and negotiate ways to circumvent these restrictions with the credit card networks.
I've just bought expensive stuff on Amazon. It had stored my credit card details, I didn't receive any SMS for 2FA, it all went straight through. Many of these big sites do it in order to provide 1-click purchases, and so on... (Does eBay still not require the CVV, or have they finally upgraded?)
There are many websites that still accept very insecure credit card payment methods, and as long as the credit card networks don't reject these transactions, your card will still be vulnerable.
Passive 3D forever
110" DIY dual-projection system
2x Epson EH-TW3500 (1080p) + Linear Polarizers (SPAR)
XtremScreen Daylight 2.0
VNS Geobox501 signal converter
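The post above contrasts a fixed card number with the chip's single-use transaction number. As an added illustration (not part of the original post, and not real card-network code), this sketch models an issuer that accepts both paths; the HMAC-SHA256 tag, the field names and the `accept_static` switch are assumptions standing in for the real chip scheme, and the card data is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Card:
    """Constructed card: printed static data plus a chip secret and counter."""
    pan: str
    expiry: str
    cvv: str
    chip_key: bytes      # assumption: secret shared only by chip and issuer
    counter: int = 0     # incremented by the chip for every transaction

    def static_credentials(self):
        # What gets typed into a web form: identical for every purchase.
        return {"pan": self.pan, "expiry": self.expiry, "cvv": self.cvv}

    def chip_request(self, merchant, amount_cents):
        # One-time code bound to this merchant, amount and counter value.
        self.counter += 1
        tag = sign(self.chip_key, self.pan, merchant, amount_cents, self.counter)
        return {"pan": self.pan, "merchant": merchant,
                "amount_cents": amount_cents, "counter": self.counter, "tag": tag}


def sign(key, pan, merchant, amount_cents, counter):
    # HMAC-SHA256 is a stand-in for the chip's real cryptogram algorithm.
    msg = f"{pan}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self, card, accept_static=True):
        self.static = card.static_credentials()
        self.key = card.chip_key
        self.last_counter = 0
        self.accept_static = accept_static   # the backwards-compatibility switch

    def authorize_static(self, creds, merchant, amount_cents):
        # Nothing in the credentials depends on merchant, amount or time,
        # so the issuer cannot tell a copy from the original.
        return self.accept_static and creds == self.static

    def authorize_chip(self, req):
        if req["counter"] <= self.last_counter:
            return False                     # code already seen: replay
        expected = sign(self.key, req["pan"], req["merchant"],
                        req["amount_cents"], req["counter"])
        if not hmac.compare_digest(expected, req["tag"]):
            return False                     # fields changed after signing
        self.last_counter = req["counter"]
        return True


def demo():
    # All values below are constructed for the example.
    card = Card("4111111111111111", "12/30", "123", b"constructed-demo-key")
    issuer = Issuer(card)
    first = card.chip_request("shop-a", 5000)
    results = {"chip_first_use": issuer.authorize_chip(first),
               "chip_replayed": issuer.authorize_chip(dict(first))}
    second = card.chip_request("shop-a", 5000)
    results["chip_amount_changed"] = issuer.authorize_chip(
        dict(second, amount_cents=500000))
    copied = card.static_credentials()       # same data a web form collects
    results["static_reuse_1"] = issuer.authorize_static(copied, "shop-b", 99900)
    results["static_reuse_2"] = issuer.authorize_static(copied, "shop-c", 99900)
    strict = Issuer(card, accept_static=False)
    results["static_when_disabled"] = strict.authorize_static(copied, "shop-b", 99900)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'approved' if ok else 'declined'}")
```

The chip path declines the replayed and altered requests, while the static path approves every reuse until the issuer stops accepting it, which is the backwards-compatibility gap the post describes.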
Linking a phone/SMS to the transaction isn't really the answer, IMO. You are just making one piece of fallible tech dependent on another piece of fallible tech - you increase problems without really increasing security. What if the CC user doesn't have a mobile phone, or has lost their mobile phone? (I personally have never owned a mobile phone, I just use whatever work supplies me with.) The only way to make it secure is to link the transaction to the CC user as an individual, not another piece of the user's tech.
But yes, I know Amazon's payment is insecure - all you need is another person's credit card details and you are set, you can buy a new GPU or whatever. Of course, the physical item can be tracked to your address and you get charged with fraud, so it isn't as risk free as trading game keys.
There is another totally foolproof solution to all of this - make all games come on physical media, with keys also on the physical media. Game key theft is only so easy to get away with because there is no physical manifestation of the product.
How many people copied Guitar Hero? You needed the plastic ukulele to play, so copying was pointless. Even back in the 80s/90s, I remember code keys coming with games that made the game basically un-copyable without distributing the code key to every player. And, if the code key is black on red, it can't even be photocopied.
It's the curse of the digital age - it's impossible to fully stop duplication, reappropriation and so on. It's the price of digital convenience. Analogue FTW :D
I preordered Deus Ex from them 6 months ago and decided I really didn't want to deal with G2A for like $5.00 savings.
So I cancelled a month ago.
I have still not got the money. They keep saying they refunded it and since PayPal will only protect for like 3 months there was little I could do. I literally had 10 conversations with them and like 2 with PayPal.
G2A employees can't even look at their PayPal system 'cause of "reasons".
They just keep saying we cancelled it on our end.
They said a few days ago that they will have the IT SPECIALISTS look into it -_-
Ironically PayPal refunded the money out of their own pocket since I am a good customer and they see that I did not get the money and that game is literally not out.
I even paid for that G2A shield BS. NOR was this from a reseller. This was directly from G2A.
Co-founder of helixmod.blog.com
If you like one of my helixmod patches and want to donate. Can send to me through paypal - eqzitara@yahoo.com
After the purchase, a screen from the bank that issued the card is displayed with a review of the order and amount, and a passphrase field is displayed. You type in your passphrase to complete the transaction. Then, after all that, I get a call a minute later with the amount of the item purchased, and I have to provide personal info to finalize the transaction. And I totally agree with you: the banks should be liable if they approved the transaction.
If your bank offers these extra security features I would use them.
I remember purchasing a video card and mistyping the passphrase; the transaction didn't go through, but I'd rather be safe than sorry.
I really have a hard time believing all this about grey market goods. This market was around before the internet, and G2A is like eBay; how are they responsible?
I can easily buy a cache of stolen credit cards for cheap, use them to buy large numbers of keys, and re-sell them on G2A before anyone can do anything about it - and at almost no personal risk. Therefore the responsibility to prevent fraud is something the marketplace has to take very seriously.
I purchase from a dealer on eBay in the US who is always half price on Origin games.
http://www.ebay.com/itm/Mirrors-Edge-Catalyst-PC-2016-Brand-new-factory-sealed/272302454674?_trksid=p2047675.c100012.m1985&_trkparms=aid%3D222007%26algo%3DSIC.MBE%26ao%3D1%26asc%3D37472%26meid%3D1a8cc5b97973481b8b1b8552069c307a%26pid%3D100012%26rk%3D1%26rkt%3D7%26sd%3D282061707959
Rather than take any risk for their product, they chargeback at outrageous cost to the simple original vendors, who did absolutely nothing wrong.
Maybe things changed, but I originally thought that the banks were on the hook for fraud, which is where they'd have incentive to prevent it. If they just f* over the small vendors now, then they no longer have any reason whatsoever to care about fraud, they still make money. That is genuinely immoral.
Acer H5360 (1280x720@120Hz) - ASUS VG248QE with GSync mod - 3D Vision 1&2 - Driver 372.54
GTX 970 - i5-4670K@4.2GHz - 12GB RAM - Win7x64+evilKB2670838 - 4 Disk X25 RAID
SAGER NP9870-S - GTX 980 - i7-6700K - Win10 Pro 1607
Latest 3Dmigoto Release
Bo3b's School for ShaderHackers
They are indirectly screwing G2A, because they are making them out to be the bad guys, when they also had no control over the criminals. G2A is just trying to establish a market, not necessarily trying to fence stolen goods.
It's just like eBay, there is no way for them to know that the goods are stolen or legitimate. When the stolen credit card is used to buy, no one knows the card is stolen. Maybe the pattern is suspicious of buying 50 copies, but there is no indication it's using stolen cards. Moreover, isn't that the credit card companies' responsibility? If they see 50 copies of the same game being bought, surely the fraud protection should kick in and ask the owner if they are sure?
I'm not even convinced that what G2A is doing is immoral at this point. They've even made non-trivial efforts to put in some restrictions, and not just giving it lip service. It seems pretty clear that they are not deliberately trying to be a fence.
The real problem here is the charge-backs. It absolutely hammers the original vendor, and it makes G2A take the fall as the bad guy- when they also had no way of knowing they were illegal.
Meanwhile the bank walks away with money, regardless of the fraud. This should not be legal.
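The "50 copies of the same game" check suggested in the post above can be written as a sliding-window velocity rule. This is an added sketch, not part of the original thread and not any bank's or marketplace's actual logic; the log format, the one-hour window, the thresholds and the second rule (one account using several cards) are assumptions, and the order lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample order log (not real data).
SAMPLE_ORDERS = """\
2016-07-07T10:00:00 acct=alice card=C100 sku=GAME-A qty=1
2016-07-07T10:01:00 acct=bulk7 card=C200 sku=GAME-B qty=20
2016-07-07T10:05:00 acct=bulk7 card=C200 sku=GAME-B qty=20
2016-07-07T10:09:00 acct=bulk7 card=C200 sku=GAME-B qty=10
2016-07-07T11:00:00 acct=mule3 card=C301 sku=GAME-B qty=2
2016-07-07T11:02:00 acct=mule3 card=C302 sku=GAME-B qty=2
2016-07-07T11:04:00 acct=mule3 card=C303 sku=GAME-B qty=2
2016-07-08T09:00:00 acct=alice card=C100 sku=GAME-B qty=1
"""

LINE = re.compile(r"(\S+) acct=(\S+) card=(\S+) sku=(\S+) qty=(\d+)")


def parse(text):
    """Yield (timestamp, account, card, sku, qty); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts, acct, card, sku, qty = m.groups()
            yield datetime.fromisoformat(ts), acct, card, sku, int(qty)


def detect(text, window=timedelta(hours=1), max_copies=50, max_cards=3):
    """Return alerts as (timestamp, rule, subject, observed_value) tuples."""
    copies = defaultdict(deque)   # (card, sku) -> recent (ts, qty)
    cards = defaultdict(deque)    # account     -> recent (ts, card)
    alerts = []
    for ts, acct, card, sku, qty in sorted(parse(text)):
        # Rule 1: many copies of one title on one card inside the window.
        recent = copies[(card, sku)]
        recent.append((ts, qty))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        total = sum(n for _, n in recent)
        if total >= max_copies:
            alerts.append((ts.isoformat(), "step_up_cardholder", card, total))

        # Rule 2: one buyer account cycling through several cards.
        used = cards[acct]
        used.append((ts, card))
        while used and ts - used[0][0] > window:
            used.popleft()
        distinct = len({c for _, c in used})
        if distinct >= max_cards:
            alerts.append((ts.isoformat(), "review_account", acct, distinct))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ORDERS):
        print(alert)
```

On the sample, the rule asks for cardholder confirmation once card C200 reaches 50 copies and flags the account that used three cards, while the two single-copy purchases pass untouched.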
And, from what I understand, the accountability rolls downhill from bank to bank. So, even if a merchant proves there was nothing they could do to prevent the theft or fraud, Visa or Mastercard will never wear the cost, rather they will push it onto the smaller bank.
Think about it, if Visa and Mastercard were liable, something like paywave would never be introduced - it's just too risky to try and control. Visa and Mastercard make money out of interest, they need funds to move, credit to flow and debt to grow for profit - so they don't care who is at fault, so long as they can avoid being liable for the faults.
Meh, look at what happened in the US in 2008, when the biggest banks come undone they force accountability onto society.
Re the thread, yes, as I have agreed, G2A are probably among the most dodgy of grey sellers when it comes to preventing fraud. Like eBay, they just don't care - they make their 10% on a sale either way. But the big credit card companies care a lot less and make a lot more, whilst totally avoiding all accountability.
In many cases, the only legitimate way to buy keys for smaller games in particular, is direct from the developer. In that case, there's no legitimate way for anyone to get keys cheaper than retail (especially if there's no physical release). Yet they still end up being scammed and having their keys flogged on G2A.
I'm located in the United States
The person who I purchase Origin PC games from sells them at half price on eBay.
http://www.ebay.com/usr/510barbosa78
He has been a member since 2009 and has a rating of 4418
How do you screen a seller like this? When he lists a new item, the seller has more than 20 available.
An example: my last transaction with him was for Mirror's Edge Catalyst, delivered July 7 2016, total price $32.78; at the time of shopping, this seller's price was $20.00 cheaper than everyone else's.
Yes, G2A bears some responsibility and, IMO, should cover the costs of failed transactions before the developer is involved. The dev should be more protected than the consumer because they are a producer. Producers and consumers are the primary components, everything in the middle is some kind of leech (banks, merchants, advertisers - whatever): they neither make nor use the product, they profit from others' creation or purchase. And online theft always occurs at the transaction level.
As G2A should be vetting sellers, the banks should be making it harder for theft to occur - not easier. As that article you posted stated, the thief did it for giggles because it was easy and risk free.
It's like with paywave - if you dropped your credit card without knowing and I picked it up straight after and went and bought myself a video game, there is no risk to me whatsoever. Even if you cancelled the card before I got to the store, I just say "shit, that's embarrassing" and walk out. The sole aim of paywave is to make it easier for everyone to spend, at the total expense of security.
So, back to online, there is no way to really catch the thief. Want to try and track their IP address? All they have to do is make the transactions in a public library.
But there is something that can be done about the transactions and the card issuers are responsible for this. Cards that need a thumbprint to work, for instance - cards that only show the CVC if the owner's thumb is pressed on them, for online transactions. Some form of foolproof check and balance system needs to be developed by the credit card companies and if it makes transactions more time consuming or cumbersome, so be it. The transactions need to be re-designed with security first and ease of use a distant second.
I linked an article earlier that listed some of the many ways keys are legitimately acquired. People buy heaps on special then sell them later to make a profit. People sell all the humble bundle games they don't want. People run around in poorer countries opening boxes and selling the keys online (I love to imagine the wait with some grey sellers is some little dude running from shop to shop in local markets trying to find me a copy of the game :D ).
The onus for ensuring all online transactions are above board, as I see it, is in the following order:
1 - always the credit card manufacturer and supplier - it is their service to maintain.
2 - the original seller/merchant/enabling bank acting as agent for the dev etc. (whoever a thief buys the keys from has more onus than the reseller)
3 - the reseller (grey sellers like G2A)
4 - the consumer (yes, even more than the dev, the consumer has a responsibility to themselves).
5 - the producer (game developer), unless the developer sells keys directly in which case they are number 2.