by Matthias1 1873 days ago
I found those links slightly difficult to understand. Am I correct in summarizing these definitions as follows?

PSD2—The EU law requiring your bank/card issuer to establish SCA for online purchases.

SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, an SMS code.

3DS—3-Domain Secure, the protocol used by online merchants to communicate with the bank in order to establish SCA. This seems to be complicated by the fact that most banks aren't implementing this protocol themselves, but using a third party. So you get redirected to the website of that third party in order to authenticate a transaction.

3 comments

> SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, an SMS code.

I've run into this a few times and it has made me very hesitant. You're effectively being asked to log into your own bank account from a link on a third party website or, even worse, an app.

It makes me uneasy, because I feel like a malicious site or app could intercept this and access the account directly. Or do some other kind of trickery that I cannot foresee.

With the way it currently works people can just charge your credit card with the account number only, more or less (everything publicly printed on your credit card). So by default they can already take money from your account which is probably one of the main bad things that could happen anyways.
I was under the impression that this new system changed where the liability lies. With a credit card I can dispute fraudulent charges. My bank's and my interests don't conflict. With the new system it seems like there's a conflict between my interests and the bank's when fraudulent charges happen.
The size and locus of liability varies by the country of card issue. The US is particularly "generous" in shifting most of the liability onto credit card issuers; few (if any) other countries do so.

BTW the origin of this legal regime is the card issuers themselves back in the 1960s as people were reluctant to use the cards. It's also good law in the sense that the card companies can modulate the line between reducing friction vs their fraud detection abilities & tolerance for fraud.

Of course one of the downsides is they do this via mass surveillance. That's why I put the quotes around "generous" -- it wasn't out of good will towards customers. Another was pushing quite a bit of responsibility onto merchants.

For online transactions almost all liability is with merchants. Seems like unless a chip is used, offline transaction fraud liability is also on the merchant (otherwise that shady convenience store wouldn't have any reason to check your signature/ID all the time).
The article pointed out that with the new system the online transaction liability shifts to the banks. Thus the article claims banks may reject a payment request if they consider the merchant suspicious.
I suppose if the authentication is strong enough then they can claim any fraud that happens to be user-responsible.
> something in addition to a credit card number

Two things, actually. The credit card number doesn't count as a "thing" anymore.

This is why SMS-OTP alone is not sufficient (representing only possession), but mobile phone app based solutions are (they represent possession of a linked device and usually ask for biometrics or a PIN code).
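The "two things from different categories" rule in the comment above, worked through as an added example that is not part of this thread or of any issuer's code. PSD2's strong customer authentication requires two factors drawn from distinct categories (knowledge, possession, inherence); the concrete mapping of factor types to categories below, and the factor names themselves, are assumptions made for illustration.

```python
"""Added example (not from the HN thread): a minimal PSD2-style SCA factor check.

SCA requires at least two factors from distinct, independent categories:
  knowledge  - something only the user knows (password, PIN)
  possession - something only the user has (SMS-capable phone, enrolled app)
  inherence  - something the user is (biometric)
The factor names and their category assignments are hypothetical; a real
issuer's authentication engine is considerably more involved.
"""
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Hypothetical mapping. The card number maps to no category at all: it is
# printed on the card, so it is neither secret nor tied to a device.
FACTOR_CATEGORY = {
    "card_number": None,
    "bank_password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "sms_otp": POSSESSION,     # proves control of the phone number only
    "app_push": POSSESSION,    # proves control of the enrolled device
    "biometric": INHERENCE,
}


@dataclass(frozen=True)
class ScaResult:
    satisfied: bool
    categories: frozenset
    reason: str


def evaluate_sca(factors):
    """Return whether the presented factors satisfy the two-category rule.

    Two factors from the same category (e.g. password + PIN) do not count
    twice; only the number of distinct categories matters.
    """
    unknown = sorted(set(factors) - FACTOR_CATEGORY.keys())
    if unknown:
        raise ValueError(f"unknown factor types: {unknown}")

    categories = frozenset(
        FACTOR_CATEGORY[f] for f in factors if FACTOR_CATEGORY[f] is not None
    )
    if len(categories) >= 2:
        return ScaResult(True, categories,
                         "two independent categories present: " + ", ".join(sorted(categories)))
    if len(categories) == 1:
        (only,) = categories
        return ScaResult(False, categories,
                         f"only the {only} category is present; a second category is required")
    return ScaResult(False, categories,
                     "no authentication factor present (card details alone do not count)")


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread's discussion.
    for scenario in (
        ["card_number"],                        # card-not-present, no SCA
        ["card_number", "sms_otp"],             # SMS-OTP alone: possession only
        ["card_number", "sms_otp", "bank_password"],
        ["app_push", "biometric"],              # app on enrolled device + biometric
        ["pin", "bank_password"],               # two knowledge factors: still one category
    ):
        r = evaluate_sca(scenario)
        print(f"{scenario!r:55} -> {'OK ' if r.satisfied else 'NO '} {r.reason}")
```

The point the thread makes about SMS-OTP falls out directly: it adds a possession factor but nothing in a second category, whereas an app that asks for a PIN or biometric on an enrolled device covers two categories at once.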

This is an accurate summary, yes.