by Aerroon 1873 days ago
>SCA—Strong Customer Authentication: something in addition to a credit card number, e.g. your bank account password, a mobile push notification, an SMS code.

I've run into this a few times and it has made me very hesitant. You're effectively being asked to log into your own bank account from a link on a third party website or, even worse, an app.

It makes me uneasy, because I feel like a malicious site or app could intercept this and access the account directly. Or do some other kind of trickery that I cannot foresee.

With the way it currently works, people can just charge your credit card with the account number only, more or less (everything publicly printed on your credit card). So by default they can already take money from your account, which is probably one of the main bad things that could happen anyway.
I was under the impression that this new system changed where the liability lies. With a credit card I can dispute fraudulent charges. My bank's and my interests don't conflict. With the new system it seems like there's a conflict between my interests and the bank's when fraudulent charges happen.
The size and locus of liability varies by the country of card issue. The US is particularly "generous" in shifting most of the liability onto credit card issuers; few (or any?) other countries do so.

BTW the origin of this legal regime is the card issuers themselves back in the 1960s as people were reluctant to use the cards. It's also good law in the sense that the card companies can modulate the line between reducing friction vs their fraud detection abilities & tolerance for fraud.

Of course one of the downsides is they do this via mass surveillance. That's why I put the quotes around "generous" -- it wasn't out of good will towards customers. Another was pushing quite a bit of responsibility onto merchants.

For online transactions almost all liability is with merchants. Seems like unless a chip is used, offline transaction fraud liability is also on the merchant (otherwise that shady convenience store wouldn't have any reason to check your signature/ID all the time).
The article pointed out that with the new system the liability for online transactions shifts to the banks. Thus the article claims banks may reject a payment request if they consider the merchant suspicious.
I suppose if the authentication is strong enough then they can claim that any fraud that happens is the user's responsibility.