Saturday, March 20, 2010

Archive for the ‘Credit Cards’ Category

Need an answer… not sure it’s this

So, Ericsson is pushing their new payment security service that uses your phone to validate credit card transactions.

The deal is this: you register your phone with your bank so that your bank can get information about what country you’re in. Your bank validates the country of origin for transactions made by you – so if you decide to buy stuff your bank will look to see if you’re actually in that country or not before authorizing the transaction. So if somebody attempts a transaction in Romania – and I’m currently in the US – it’ll decline it. Whereas if I’m actually in Romania, it’ll allow it.

Now, call me cynical, but I’m not sure this is a good idea. First, I don’t like the idea of anyone (least of all “Goliath Bank”) keeping tabs on my whereabouts for any purpose. I don’t care if it’s just country of origin. I don’t care if they promise to throw it away every time after they “peek in” on where I am. I just don’t like it. I also don’t want them knowing my cell number – because sooner or later it’ll occur to someone over there that they should send my statements to it… or a few “hey you should use our credit protection for 50 bucks a year” calls… or maybe the occasional SMS about why I should transfer balances to their card.

Second, how often do we really expect this to work? It can’t be just me that turns off their phone when they’re out of the country to keep from paying extra bucks for out-of-country usage charges. And it doesn’t matter that the phone only has to be on briefly for it to work; how many people are going to turn on their phone (but not use it) for the sole purpose of authorizing credit card purchases? It seems to me doubtful that people are going to remember to do this.

Lastly, keep in mind that there’s another equation in play here. Namely, the “PAN + CVV as authentication vehicle” problem that we’ve all had to learn to deal with over the years. Here’s what I mean. If there’s so much fraud going on that banks are paying Ericsson a fee to play “Where in the world is Carmen Sandiego’s VISA card?” or “Where’s Waldo’s iPhone?” – and the only alternative to this is to lock out any transaction originating from a particular country – isn’t the real answer to fix the transaction validation problem? Bolting on location-awareness to fix the underlying broken validation doesn’t seem like the right fix.

But then again, efforts to address the transaction validation piece (like Verified by Visa, SPA/UCAF, and SET) all failed… the one advantage this has that those efforts didn’t is that this doesn’t require the merchants or cardholders to do anything (huge plus), so maybe it’s a better idea than it looks like to me at first blush…
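To make the two objections above concrete, here is a small model of the location check as the post describes it (added example, not Ericsson’s or any bank’s code). The field names, the 24-hour freshness window and the `fail_open` switch are assumptions; the interesting cases are the traveler whose phone has been off for days, where the bank must either decline a legitimate purchase or let the location check contribute nothing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed model of the scheme in the post: the bank compares the country a
# card transaction originates from with the country the cardholder's registered
# phone last reported. Names, fields and the window are assumptions.

@dataclass
class PhoneLocation:
    country: str        # country code last reported by the mobile network
    seen_at: datetime   # when the phone was last seen on a network

@dataclass
class Transaction:
    country: str        # country where the merchant or terminal is
    at: datetime

FRESHNESS = timedelta(hours=24)   # assumed: how old a reported location may be

def authorize(tx: Transaction, loc: Optional[PhoneLocation],
              fail_open: bool) -> Tuple[bool, str]:
    """Return (approved, reason). `fail_open` is the bank's policy when the
    phone is off or its last location is too old, the case the post raises."""
    if loc is None or tx.at - loc.seen_at > FRESHNESS:
        # No usable location: the check cannot say anything either way.
        if fail_open:
            return (True, "location unknown: fail-open, no protection")
        return (False, "location unknown: fail-closed, traveler declined")
    if loc.country == tx.country:
        return (True, "phone and transaction in the same country")
    return (False, f"phone in {loc.country}, transaction in {tx.country}")

def demo() -> dict:
    """Constructed scenarios: a home purchase, a foreign fraud attempt, and a
    traveler abroad whose phone has been off for three days."""
    now = datetime(2010, 3, 20, 12, 0, tzinfo=timezone.utc)
    fresh = PhoneLocation("US", now - timedelta(minutes=5))
    stale = PhoneLocation("US", now - timedelta(days=3))
    return {
        "home_purchase": authorize(Transaction("US", now), fresh, False),
        "foreign_fraud": authorize(Transaction("RO", now), fresh, False),
        "traveler_closed": authorize(Transaction("RO", now), stale, False),
        "traveler_open": authorize(Transaction("RO", now), stale, True),
        "fraud_while_off": authorize(Transaction("RO", now), stale, True),
    }
```

The last two scenarios are indistinguishable to the bank: with the phone off, fail-open waves through the Romanian fraud and fail-closed strands the Romanian traveler, so the control only works while the phone is actually reporting.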

Visa: I don’t know whether to laugh or cry

As you probably know, I was a little ticked off that Visa issued a warning about a breach at a payment processor, but with all kinds of mystery and vagueness about who it was who was actually impacted.

Interestingly, it turns out now that that’s not exactly the situation. It’s not the “clever disguise” and misdirection on the part of Visa that I thought it was. Instead, it’s more like procrastination – or maybe incompetence, depending on what specifically is going on over there (which we still don’t entirely know). Apparently, they’re not trying to sweep all the breach-related pain under the rug (the upside), but are causing a bunch of confusion due to the fact that it actually occurred even before Heartland but they’re just now getting around to it. Um… alrighty then.

Which begs the question – why is it that we still don’t know what company was impacted? Is Visa waiting to determine for sure and for true whether a breach occurred before making public who this is? That might be a good idea, but in that case I would question why they’re just doing it with this company and haven’t done it in the past. Are they waiting for whatever company it is to divulge of their own accord? Wouldn’t that be nice of them… But is that responsible and good for the rest of us? I happen not to think so.

Whatever it is they’re up to, I’m sure they have their reasons – although my suspicion is that we’ll never get clarity on what they are. Maybe we will… I guess we’ll have to wait and see. In the meantime, enjoy a news story about an ugly cat.

Ooh… ooh… was it professor plum?

Everybody’s all worked into a lather about the newest “big mystery”. Apparently, in “payment processing blind shenanigan news” (sort of like a celebrity blind except involving your money), some unnamed payment processor got hacked and it’s a whopper.

You know what irritates me about this? The fact that everybody knows it happened, but there are no answers forthcoming about who it might be.

Why all the mystery? Why is there no official word on who’s the responsible party?

To put it another way: some jackass – most likely due to their own callous disregard for our data – has once again laid an egg… but we, those directly impacted, don’t rate high enough to even know who it might be? Maybe I want to write a letter… Maybe I’d like to publicly mock them… Who exactly are they trying to protect? If the answer is anything but “us, the cardholder”, then all the secrecy is bullsh*t.

Anyway, sorry about the rant. It’s just that all the buzz finally capped my “I can’t take it anymore” threshold.
