Wife got credit card scammed, ESUN making her pay fraudulent charges

I do see why OP is upset though. I think in the States, using a credit card, it would be refundable. That said, I also feel like consumer protections are a lot higher in the States. This case does seem like one where the store should be able to get you footage and the police/bank should work a little harder. Stuff like this hurts all of us.

1 Like

Same as my wife when she lost her cc and it was used to purchase something online. Esun too. She normally gets texts but didn’t that time.

Is there a way to disallow 3D authentication? It might shut you out of some online purchase… but it’s safer.

Nah, it is way less safe.

3DS enrollment is done at card programme level, can’t really opt out on a singular PAN.

A great excuse to go to your bank and chat up those cute bank tellers! Get their numbers this time!

5 Likes

How? You can’t even be reimbursed if someone steals the password, that qualifies as unsafe.

If someone steals the card number and ccv you would be reimbursed for it.

3DS is a dynamic authentication system, you receive either SMS/Email OTPs or push notification to the banking app to approve the transaction. Hence, the fraudster must have access to: your full card details, your unlocked phone/computer. There must be a level of cooperation in order to get all the keys, the rules are the rules, 3DS shifts liability to consumer. It is the safest system out now (especially with the new 2.2 standard), but nothing is 100% safe.

You want total safety? Don’t get a card. Then you will have cash related issues.

Nothing is totally safe.

3 Likes

Yes but the card was swiped at a “physical department store.” (According to the OP.)

I am really curious as to how this happened from a simple online transaction. :thinking:

Also if I started making such purchases I would usually get calls from the bank before any are allowed

1 Like

I know it’s pretty easy to clone cards once you have the information, it only takes minutes, but I’m not sure if the full information would be available from an online transaction.

This part I know. Pretty much anything you have physically you can make a copy of. My Australian credit card got skimmed at a gas station in the US. The lady told me not to worry and extended me a line of credit to my debit card as a backup because they needed to cancel my card.

That’s the part I’m not sure about… I’m pretty sure it isn’t @Mataiou

Internet says yes, but I’m no expert, the criminals probably are.

There are three different questions embedded in your post so let’s deal with each of them separately:

  1. Can someone create a physical copy of a credit card using the information that you submit online for a purchase? As Mr. Chiang has already stated, this is a definite yes but please read on for a bit more information on this subject.
  2. Is there any information stored on the magnetic stripe beyond the credit card number, name, billing address info, expiration date and security code? First, your billing address isn’t encoded in the magnetic stripe. Second, yes, there’s a bit more information but not anything that is terribly important for the sake of card counterfeiting. The important stuff is everything else you listed and most websites require you to provide all of that data in order to pay for a purchase using a credit card. The data is encoded in a format defined by an international standard and which is readily available via the internet so it’s not difficult for someone with a little knowledge about magnetic stripe encoding and the (inexpensive) tools required to create a counterfeit that would look real to any merchant point of sale terminal.
  3. Is the information (encoded in the magnetic stripe) encrypted in any way? Nope. The data has to be in a form that can be easily read by merchant terminals and those terminals don’t have the means to decipher encrypted data.

As you may have read very recently, this is one of the problems faced by issuers that are supporting Apple Pay. Specifically, fraudsters are using card data stolen from websites and manually entering that information into their iPhones to set up the card for use (fraudulently) on Apple Pay. The fraudsters have also obtained the last four digits of the real cardholder’s social security number and are using that information to convince the issuer that they are the real cardholder, thus fooling the issuer into approving the addition of the card into the Apple Pay app. Voila, we have the equivalent of a magnetic stripe card using only the card data stolen from a website.
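Added example, not part of the quoted answer or any poster's code: a parser for the standard Track 2 stripe layout (ISO/IEC 7813) that goes one step beyond the answer and shows how an issuer-side check can flag a chip-capable card that was read by swipe. The track strings are constructed around a public test number, and the entry-mode labels (`swipe`, `chip`) and flag names are assumptions made for this sketch.

```python
import re

# Track 2: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$")

# Constructed samples (well-known test PAN, no real card data).
SAMPLE_CHIP = ";4111111111111111=30122010000000000?"    # service code 201
SAMPLE_NOCHIP = ";4111111111111111=30121010000000000?"  # service code 101

def luhn_ok(pan: str) -> bool:
    """Check-digit test that every valid PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(raw: str) -> dict:
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, yy, mm, service, disc = m.groups()
    if not 1 <= int(mm) <= 12:
        raise ValueError("invalid expiry month")
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "luhn_ok": luhn_ok(pan),
        "expiry": f"20{yy}-{mm}",
        "service_code": service,
        # Issuer-defined data, which online checkout forms do not ask for.
        "discretionary_len": len(disc),
    }

def chip_capable(service_code: str) -> bool:
    # First digit 2 or 6 tells the terminal to use the chip where feasible.
    return service_code[0] in "26"

def review_swipe(raw: str, entry_mode: str) -> list:
    """Return review flags for one card-present read (hypothetical names)."""
    rec = parse_track2(raw)
    flags = []
    if not rec["luhn_ok"]:
        flags.append("luhn_failed")
    if entry_mode == "swipe" and chip_capable(rec["service_code"]):
        flags.append("chip_card_read_by_magstripe")
    return flags
```
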

Every time I set up my card on Apple Pay I have to get an OTP.

I also tried setting up a card of mine on my partner’s Apple Pay. However, because the number didn’t link with the number they had on file I had to call the bank who asked me to come to the branch to update my new phone number

This isn’t what the OP experienced.

If the card was illegally cloned along with the CCV and all that, and the transaction went through online or whatever, then the card holder isn’t liable. The SOP is cancel the card and a new one is issued.

The OP said his wife somehow clicked on a link, it took her somewhere she had to enter card info (why would you enter your card info in a random site??) and then approved a 3D authentication (or somehow the info was stolen? I think 3D authentication uses an OTP).

In that case yea, you’re pretty much screwed.

Also Apple/Google/Samsung pay is safer than giving them your physical card, because all information is encrypted when transmitted, meaning the merchant never knows your card info (some employees could somehow copy the card info and then use it fraudulently).

I don’t know about US banks (security seems to be much less than in Taiwan, magnetic stripe is still a thing there), but in Taiwan there’s a lot of hoops to jump through to put a card on Apple Pay and all that.

Using physical card is secure if you use NFC / contactless to pay. Just refuse to have them swipe or type in card numbers.

I had my wife load my CTBC China Airlines card to her Samsung phone using Samsung Pay. On my phone it’s linked to Line Pay.

If she makes a purchase that requires an sms that sms goes to my phone number. So if at home that’s fine she will tell me she wants to make a purchase and have my phone handy. If outside she will call me first and let me know she will make a purchase and after I get the sms I will tell her that by voice phone call.

Her Fubon card is solely used for Costco purchases only.

1 Like

We are discussing this part here of how the card was used in a physical store with just online information and if it is possible to use the online information to create a clone card.

I always thought Google/Apple Pay was pretty secure, but the last card I set up I literally just scanned the front and back of the card, filled in some details and it was loaded.
But I will say I don’t know what checks etc. were going on in the background.

The bloke replying on Quora probably has not run into the wonderful world of Taiwan banks.

Yeah in USA, you’d just sign an afadavit (spelling) and be done with it. My wife reported it within 24hrs.

Yeah it seems dumb to force her to pay since they used it at a physical location, a dept store at that. Some dumb patsy sent to spend it.

But… How does she even get access to the cams? Can she really just go to the front desk and be like… Here’s the timestamp and amount for a really large obvious purchase. Find it for me and waste your time to do it.

I can’t compel them, but the police can. But… Will they? I mean lol. How can we compel the police to compel them? They said they’ll “look into it” vaguely. Whatever that means. No idea how low effort that’ll be.

Yep, physical. If shown as digital, it was maybe Line Pay or something if I were to guess, maybe they added it to their digital wallet?

And yes, normally she’d be contacted. This time, she wasn’t. Why was the only time she not contacted from the scam? Maybe because it was the type of swipe (eg digital wallet style).

Did you go back through the text messages and see exactly what she had authorised?

1 Like

Well this one’s weird. I secured her laptop and forced her to use password managers (god that took a lot of convincing) so every password is long and unique. Her email and social media have 2FA (another tough convince lol). She’s been secure on this side for years now.

Fraudster only had access to full card info. Unless she had to enter her password to enter the phishing site? I’ll circle back.