by SXX 981 days ago
If X or Twitter or whatever accepts payments via Apple Pay or Google Pay then there is absolutely no way to track anything. Those services simply don't provide any information back to ex-Twitter.

Also there are a number of services like privacy.com that allow you to hide real card details. And even if a person is using a real card, the payment process has absolutely no way of knowing anything except those few last numbers of the card.

Bypassing credit card checks for botting is as easy as any other protections.

3 comments

When performing this kind of verification, you can easily (and usually do) block cards from services like privacy.com by looking at BIN codes. I also don’t think spammers can get large numbers of unique DPANs from Apple and Google Pay since that involves a cryptographic exchange between your device and Apple/Google with involvement from your issuing bank.

Also most payment processors provide some sort of key that lets you identify if two users entered the same credit card number, for example Stripe[1]. So you’re not limited to last four digits for checking if two cards are the same.

[1]: https://stripe.com/docs/api/cards/object#card_object-fingerp...
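The two checks described in the comment above (a BIN blocklist and a per-card fingerprint), sketched as an added example that is not part of the thread or any commenter's code. The `fingerprint` key mirrors the Stripe card field linked above; the `bin` key, the blocklist entries, the account names and the one-account-per-card limit are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical BINs standing in for virtual-card issuers; not real values.
BLOCKED_BINS = {"000001", "000002"}
MAX_ACCOUNTS_PER_CARD = 1  # assumed policy

# Constructed signup records: account name, first six card digits, and the
# processor-supplied card fingerprint.
SIGNUPS = [
    {"account": "alice", "bin": "400000", "fingerprint": "fp_A"},
    {"account": "bot-1", "bin": "000001", "fingerprint": "fp_B"},
    {"account": "bot-2", "bin": "400000", "fingerprint": "fp_A"},
    {"account": "carol", "bin": "510000", "fingerprint": "fp_C"},
    {"account": "bot-3", "bin": "400000", "fingerprint": "fp_A"},
]


def review_signups(signups, blocked_bins=BLOCKED_BINS, limit=MAX_ACCOUNTS_PER_CARD):
    """Return {account: reason} for every signup that fails a check."""
    accepted = defaultdict(list)  # fingerprint -> accounts already accepted
    flagged = {}
    for s in signups:
        # Check 1: issuer-level block on the BIN.
        if s["bin"] in blocked_bins:
            flagged[s["account"]] = "blocked_bin"
            continue
        # Without a fingerprint the card cannot be compared to earlier ones.
        fp = s.get("fingerprint")
        if not fp:
            flagged[s["account"]] = "no_fingerprint"
            continue
        # Check 2: same card number already tied to another account.
        owners = accepted[fp]
        if len(owners) >= limit:
            flagged[s["account"]] = "card_reused:" + owners[0]
            continue
        owners.append(s["account"])
    return flagged


if __name__ == "__main__":
    for account, reason in review_signups(SIGNUPS).items():
        print(account, reason)
```

The fingerprint check only catches reuse of the same card number; cards with different numbers produce different fingerprints.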

Yes you can block everything, but with every specific service blocked you limit your ability to accept new users. There are also legitimate banks that let you have 5-10 virtual cards or generate a unique card each time you pay.

Spammers do have a large number of unique phones in their farms as well as the budget to have undetectable rooting and hardware ID faking. And Google Pay / Apple Pay as well as the majority of banks actually do nothing to prevent you from adding your cards to 10 different phones.

Of course it all makes lives harder for everyone who wants to get a new account, but nothing, including literal ID / passport and face verification, makes it impossible to bypass.

You can get a ton of DPANs from Google Pay simply by logging in with a different Google account.

> payment process has absolutely no way of knowing anything except those few last numbers of the card

This is just plain wrong.

1. Payment processors know everything because they process the payment

2. "Application developers don't know anything besides the last 4" is closer to reality because they're probably not PCI compliant to access the remaining information. BUT some processors such as Adyen will try to provide a unique identifier for each card (that has no further information except linking multiple purchases across vendors and channels).

Now with this unique identifier X still wouldn't know WHO you are but they could provide that information to advertisers that might know or at least use it to track you online and in person.

> 1. Payment processors know everything because they process the payment

They know all the information you've given, but in practice they can't even verify "name on the card" that you entered in most countries. In some countries they can check your billing address ZIP code, but that's about it.

And there is absolutely no way for them to find out if you are a unique user with one card or you just have 10 cards for the same credit account or created 10 supplementary cards for all your family and the dog.

Apple and Google and Stripe do not allow the same card on multiple accounts.

Also, having a fraudulent Apple Pay account is pretty rare and requires an entire Apple account. That can be shut down if shenanigans.

My original point is that having a credit card greatly reduces the anonymity of accounts and allows for greater ability to trace back to the user. Both for uniqueness (ie, does prepend front 500 twitter accounts?) and for legal reasons (eg, prepend just did a crime, let’s find out who prepend is).

This doesn’t mean people can’t get around it. It means most people can get around it.

Apple and Google absolutely have fraud capability and will cooperate with merchants and law enforcement.