>As a consumer, I thought I was safe; when saving my credit card to a billion dollar valued European merchant, or when I purchase something from a supermarket and ignore the receipt, but the reality is slightly different from that.
>I got the money back via chargeback in short time.
So as evidenced, you are protected by the fraud infrastructure. The bank ate the loss for the fraud and you were made whole. In the end, the banking system cares about fraud loss. And they are exceptionally good at finding the fraud. Making changes to the card payment system is extremely difficult, due to the vast scale of the systems, so without a very good justification that a particular change will move the needle on fraud rates, the banks will opt to not make the changes.
Quite often, the merchant is unfortunately the one eating the fraud, which is creating a bit of a principal-agent problem (in that the issuing bank earns interchange on every transaction, so if they aren't liable for fraud, their default incentive would be to just approve as much as feasible and figure everything out later via chargebacks).
3DS changes that calculus quite a bit, though, and in-person payments are usually the issuing bank's liability as well.
Banks don’t really eat the loss, instead they ensure all their services have enough of a markup to cover the cost of fraud.
All consumers collectively pay for all the fraud, it’s just that we don’t tend to realize it as it’s not a specific line item on any of our bills, instead we all pay just a little more than we should for everything we buy.
Yes, obviously all of the bank's money comes from consumers. What other scenario do you see where a bank (etc.) "eats the loss" but the money somehow comes from somewhere else?
While it may be obvious to you that your fees include covering all the banks losses to fraud, I think that most people assume the bank makes less profit or something due to such incidents, when the truth is they just raise their prices to maintain profits.
It never ceases to amaze me how many people don't even look at their bank/credit card statements and just let their credit cards auto-pay.
Back when I was poor, I was logging into my bank and credit card accounts at least twice/week. I always knew within $20 how much money I had.
As a well-paid tech worker, I'm still checking at each paycheck (2x/month) and paying the credit card card off every time, but I'm still scanning the statements for any unexpected charges and to keep a pulse on my spending.
Fun anecdote, my wife started talking to me while I was scanning my statement once and she noticed there was a $20 charge from a business named "Your Side Chick" that she questioned in a joking way. It was from a food cart that specializes in chicken strips.
FWIW, I find looking at my statement and trying to remember if I actually made a random purchase of $8.63 to some unrecognizable name three weeks ago to be a much more difficult workflow than just enabling email notifications for every transaction so I can triage them quickly / at my convenience.
The food cart scene in the Portland metro area is really good. Those chicken strips were amazing and the sauce was superb. And despite hating both kale and cole slaw, their kale cole slaw was delicious.
It's my experience that the bank will give up against a motivated chargeback counterparty.
My experience with ebay (stolen credit card) in particular was that things were going well until e-bay sent their stack of paperwork to my bank. Then my chargeback was reversed and shortly after that even my bank account was closed.
So you're not in the clear once you get your chargeback back. That is done initially while they give the other party time to respond. I think it took 30 days or so for ebay to bury me in paperwork, get the chargeback unwound again, and their spiel was so effective that my bank themselves then accused me of being the fraudster.
As for
> The bank ate the loss for the fraud
I'm not 100% sure that's true. The entire reason why the chargebackee wants to contest it is because either the chargebackee or the chargebacker is eating the loss. The bank isn't eating that loss. There is no way E-bay would have bothered contesting my chargeback and paying their white collar workers for professional time researching if the bank was just going to eat it.
USA. In USA your chargeback initially is usually taken on face. They'll usually reverse the charge within a week or so. But after that they let the merchant appeal it.
Most merchants won't. But if they do, your bank isn't going to bat for you. If it looks like it's going to take them much time or effort to deal with it they're liable to just throw up their hands and let you duke it out in small claims court.
In my case they had a megacorp ready to fight it on one side, and little old me on the other. So some lady on the phone just insinuated I was a lying scammer and told me my case had been reversed. There was some sort of appeal process I tossed my hat into but it went straight to radio silence and I've not heard from them in years. I would have taken them to court but I moved cross country around the same time and it would cost me $2000 or so for airfare and hotel rooms to show up to the right courts to get $1000 in judgements.
I am a bit confused about your situation. Did you have a stolen card used to make a purchase at ebay that was not under your account? Or did you make a purchase at ebay and have an issue with the product you received?
Scammer created two e-bay accounts. One with my name but e-mail address "pirate" something. A second one, a scammer merchant account to wash the money.
They stole my credit card and used the bogus "me" ebay account to generate invoices (to my real address) and payments for goods from the second scammer merchant account. Then they found tracking numbers to my zip code. They bought the (fake) items from their scammer merchant account using their scammer "me" account. They used those tracking numbers to show the items were shipped and received to someone in my zip code (which is the only publicly available data from the tracking number). Of course, at no point were any of the goods "purchased" by "me" even real, but rather just ways to wash the credit card returns.
When I discovered what happened, I requested ebay refund it. Ebay claimed that since the accounts weren't actually mine (only in my name) I had no right to request a refund. So I could claim they were mine and then be ineligible for a refund because the underlying reason would be vaporized, or not claim them as mine and then be unable to ask for a refund because it's not actually my account -- a catch 22. The tracking numbers, again, since they weren't actually to me, the shipping companies refused to reveal the underlying data to me and I couldn't get any of the evidence showing it wasn't me.
At that point, I had my bank do a chargeback. Which they initially granted. I thought it was a done deal at that point.
Ebay sent all these invoices matching my name, with tracking numbers to my zip code, with my credit card being billed, etc to my bank along with a bunch of pages of banking mumbo jumbo about how the chargeback was wrong. At that point my bank turned face, called me a liar, and reinstated the charges. Not long after this, I noticed e-bay shut down the scammer account but they never refunded me the money. I assume the scammer had sucked out the money faster than e-bay could act to claw it back and when e-bay realized they'd be holding the bag they decided to dump it on the fraud victims.
You didn't provide any evidence that the charge was fraudulent. If they have a tracking number you gotta provide something, at least a police report.
Also you likely filed "merchandise/services not received" when you should have filed "unauthorized transaction". Even if you really did get the item, you don't have to pay for it if it was ordered by someone else using your card.
Honestly the only thing I had was one tracking number was generated an entire day before the supposed purchase, the 'pirate' email address (they were taunting me), that the religious items purchased were not of my religion, and that ebay had closed the scammer account. But my bank was not interested in taking on ebay. To the scammers' credit, by creating both the buyer and seller account they made their scam a lot more resistant.
Also it was charged back as fraud. I had other fraud transactions that day and my bank reversed them. They were too scared to fight ebay or something.
I've learned proving a negative of "prove you didn't buy this" is pretty hard and thus fraud protection is more of a facade that only kind of works.
> If it looks like it's going to take them much time or effort to deal with it they're liable to just throw up their hands and let you duke it out in small claims court.
In the US, couldn't you just make it their problem by not paying the disputed portion of your bill? (I haven't tried this myself and don't know how hard it is to dispute a negative credit report without going to small claims court in the end.)
In theory yes, Reg Z forces them to prove that it was you that borrowed the money. In practice this is a weird situation to be in since chargebacks almost always favor the buyer so I have no idea how this shakes out and if it's worth temporarily screwing up your credit score
The company I work for (consulting) upended the entire strategy to basically use pentests to sell managed services (XDR, NDR, SOC, vuln scanning, "continuous pentest") that does nothing to meaningfully move the needle on security. Which of course the market will buy, but it is incredibly demoralizing to see expertise sacrificed on the altar of recurring revenue.
And every time some company got hacked and embarrassed, the same refrain is played out in the comments: "Those cheapskates, they invest too little in security!".
Spend all you want. Buy the most advanced products, and then most expensive services to manage them. I have never seen a company that improved their security by buying it.
Whoa, that’s a bit far. I’m a former pentester. I meaningfully improved security at quite a few places. The standout was Citadel, where a product was set to launch within a few weeks. When I first got there, typing ‘ into their search fields resulted in SQL injection right away. They had never thought to defend against it. Over the next week, I fed them a steady list of bugs and vulns (there were many) until by the end of it that product was watertight. I was particularly proud of that one.
In my experience pentests were just a box ticking exercise. I consider it a cultural thing. If you're having to run a pentest right before release and it uncovers a vast amount of issues then you never cared about the quality of your software to begin with and it would show up not just as insecure software. Running automated test suites periodically should be a part of software building practices. That and deep code reviews and so on. All of that to feed into the quality of what you're building.
The problem is getting the decision makers to care. And/or changing the process to at least consider quality as an important factor even if velocity is preferred (and featuritis has taken over).
Story time. In one gig I had, a couple of weeks into it I discovered that AWS keys to the production data in the S3 buckets were being exposed on the client side (an SPA). Those keys would give you access to the data for all the clients on that platform. So I figured I'd do "the right thing" and told my manager (the CTO) who said something along the lines of "yeah that sounds serious" and asked me to talk to the CEO who wrote that code. At this point, I was still expecting that I might be wrong or at least be told that it was written in a rush or something and thanked for pointing it out. The CEO just dismissed it as being "temporary production keys" and closed down the conversation. Suffice it to say that I was not the CEO's favorite person moving forward.
Pentests work to secure the product under test at the point in time of the test (if the company cares to fix the bugs...). The real solution is to design in security throughout the software lifecycle, not play a pentest whack-a-mole game at the end of the cycle. If a pentester is finding trivial SQL injection in an app, then it is clear that the company never considered security. And unless the pentest makes them care, the cycle will just continue.
Precisely, the industry needs to empower the engineers to shift left and integrate security as a part of the SDLC. This is the only way to provide continuous assurance in the age of AI.
They had a product that interpolated untrusted data into trusted SQL strings, but being told about it (and many other vulnerabilities!) was all that was required to make them watertight.
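An added illustration of the bug class described in this comment, the interpolated query beside its parameterized replacement (example code, not from the post and not Citadel's product; the in-memory table is constructed for the demo):

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a product search backend (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products (name) VALUES (?)",
                    [("widget",), ("gadget",), ("o'ring kit",)])
    return con


def search_interpolated(con, term):
    # Vulnerable form: untrusted input spliced into a trusted SQL string.
    # A lone apostrophe breaks the quoting, which is exactly the probe
    # the earlier comment describes typing into the search field.
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, term):
    # Hardened form: the query text is fixed at development time and the
    # search term travels as a bound parameter, so it can only ever be data.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in con.execute(sql, (f"%{term}%",))]


def probe(search, con, term):
    """Run one search and report ('ok', rows) or ('error', message).

    Lets the two forms be compared on the same input: a syntax error on an
    apostrophe is the tell-tale sign the input reached the SQL parser."""
    try:
        return ("ok", search(con, term))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for term in ("widget", "'", "o'ring"):
        print(repr(term), "interpolated:", probe(search_interpolated, db, term))
        print(repr(term), "parameterized:", probe(search_parameterized, db, term))
```

Note that the parameterized version also fixes the functional bug: a legitimate search containing an apostrophe returns results instead of crashing.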
I would be very happy if you were right about this.
Whitelisting is usually easier than blacklisting, and not developing brittle features where errors have security implications is usually easier than spending money on security after the fact. However, not developing features is not something we as an industry are good at. GitHub Actions is perhaps the most recent example of this.
"Improved" is a useless word. Is their security now adequate? Is it secure against the run-of-the-mill financially motivated threat actors we see regularly and orchestrating thousands of profitable attacks annually?
We regularly see attacks extorting tens of millions of dollars from major multinationals like Citadel. Is the cost of breaching their systems in excess of ten million dollars (which would net you a nice fat profit against multiple tens of millions extorted)? You get a team of 10 professionals for 1-3 years and you can not breach their systems?
That is the minimum standard of adequate against commonplace, prevailing threats for large multinationals. Even that ignores the fact that major corporations are frequently attacked by state actors, so really the minimum standard for protection against expected threats should include those as well, but I will leave that aside for now since the overwhelming sentiment is that protection against state actors is so utterly hopeless it is not even worth mentioning.
For that matter, can you point to literally any system in the entire world that is positively demonstrated (absence of evidence is not evidence of absence) to have reached that standard?
>Even that ignores the fact that major corporations are frequently attacked by state actors, so really the minimum standard for protection against expected threats should include those as well, but I will leave that aside for now since the overwhelming sentiment is that protection against state actors is so utterly hopeless it is not even worth mentioning.
It always has been, it's just now the state actors are more and more active (and visibly so).
You do realize you're actually supporting the point that you are replying to. No amount of pentests, no amount of security products are going to solve the problem that a product was built that had a search field that was trivially injectable.
It is an investment problem, they need to invest in security expertise, not security products and services. And that is the sad part, absent the company really caring to spend that money or an external demand (regulatory or customers) it just isn't going to happen. They'll just layer on more products and services and call it a day.
Whenever I tell people I work in computer security, their first question is "are you worried about AI taking your job"? To which I just laugh and respond "AI is job security"
It really is! AI will only help you if anything; you aren't worried about AI giving you bad code, just bad answers, which you would validate anyway. I think the other area where AI could be interesting, and I don't hear much buzz about it, is during outages: if it can query all online systems and logs in your cloud, it could probably triage it faster than an entire outage team could in theory anyway. Surprised nobody's built such a system yet. ;)
I mean it in the sense that AI security hype and the larger geopolitical environment has woken up a lot of people to the reality that they need to consider security. And the ones that haven't woken up yet will get a wakeup call when they are breached. It also increases the demand for real security expertise, which is already scarce.
Also, in my niche (hardware and embedded product security), AI doesn't have a functional impact on the work except in code analysis, but even that is difficult given the level of abstraction these systems are built at.
That's fair, though even that could just be a matter of time, as people build tools that interface LLMs to the physical world. I wonder how something like Bus Pirate could be used with an LLM (maybe a more powerful version of it?) to grok and poke hardware all over the place.
I foresee issues with really getting use out of any commodity language model in the hardware security context, because hardware systems notoriously lack standardization. And oftentimes, the technical knowledge (datasheets, app notes) is locked behind vendor NDAs, or straight up not documented, only existing in the minds of engineers. The implementations of said designs are similarly highly proprietary, with few public "real" systems to train models on.
So the issue is two-fold:
* The knowledge must be documented and accessible for training.
* A bespoke model must be trained on this documentation.
It is unlikely that both of these things happen in the general model context. Perhaps individual chip vendors will eventually pursue this, but I suspect it is just not a priority for them.
Yeah, I thought it was Starliner on top. I don't know anything about Orion then.
SLS is very crappy and disappointing, it's using shitty old space shuttle tech, plus it's ridiculously expensive in terms of payload to orbit, but it will probably work.
I didn't know, 'cause I just don't give a shit about this stupid project.
What you're describing is already well known in the aviation industry. Promotion of a positive safety culture is a key element of the Safety Management System (SMS) framework.