This is a solved problem. Credit cards work great.
The issue is that lots of merchants (particularly in the EU) simply don't want to deal with the fees associated with credit cards so come up with lots of creative ways to externalize the cost of fraud to consumers.
No, they don't. They are completely insane as well. They are like smart cards, but with the secret printed on them, visible for the world. If you want to clone them you don't need a highly advanced lab, you can just remember the number. You also share said "secret" with everybody you do business with.
Of course you constantly get your money stolen. You just don't notice because the loss is distributed evenly. That's why they are so expensive.
I'm surprised people use such a low tech system. I wouldn't even accept such an authentication system for my throw-away reddit accounts, let alone for money.
Sure, I don't dispute that credit cards are technically very simplistic and basically don't have any security.
The huge benefit of them is that almost all those security risks are externalized. If someone uses my credit card fraudulently, I don't pay any of the costs. Basically every alternative (Verified by Visa, etc.) is about shifting those liabilities back to the consumer.
Which is vastly superior to the alternative, which is taking on the liability myself and facing the possibility of being financially devastated by fraud and/or theft.
The best alternative is a system where the bank still carries the liability but the system is harder to defraud (i.e. because it does push instead of shared secrets authorizing pull).
Yes, but if your credit card gets stolen, it is not your money that is getting stolen. Credit card companies are okay with that. If a CC is convenient, a lot of people will use it. These companies don't care if they have to reimburse let's say 10% of all transactions. In this case convenience > security.
In the UK at least, all our payments in store above £20 require a PIN to be used (payments below £20 you can use the fairly recently introduced touch pay which just requires you to touch the card to the payment machine).
If you are purchasing online, all my credit and debit card payments require me to enter 3 random characters from my (previously set up) password.
Not sure what the system is like elsewhere in Europe/worldwide.
> In the UK at least, all our payments in store above £20 require a PIN to be used...
Not true (notwithstanding that it increased to £30). Some people (myself included) have opted for a chip-and-signature card instead of chip-and-pin, because it is harder for the bank to push the cost of fraud onto me that way.
It's been only seven years (I think?) since chip-and-pin was introduced. It's amazing how quickly all the checkout staff have forgotten what to do when their till tells them to check the card signature. Also almost none of them actually have a pen to hand.
Did not know the limit had been increased, and agree about checkout staff having no clue when the pin does not work (happens a fair amount with foreign cards).
I've seen a lot of people in the US not sign their card and instead write "ask for ID", which seems like a much smarter move!
This works great, but some international merchants (some airlines in my case) don't support it yet. I've gotten my card declined with a relevant error message but no redirect to my bank's 2FA login page.
If they don't want to pay the fees why don't they just develop some open payment protocol any bank and merchant could use? It would also solve the privacy problem with sending customer data to the USA (Visa and MasterCard are both American companies).