Re: Payment Providers
On 2 Oct 2009, at 22:16, Ovid wrote: - Original Message From: Peter Corlett It's not *quite* so clear-cut. The costs due to fraud might be less than the costs of losing sales due to VBV/3DSecure, in which case the retailer might be happy to risk the fraud, especially if they have other fraud-avoidance mechanisms in place. This has to be one of the most important comments about all of this. When I originally went to uni to be an economist, I was amazed to discover in research how much in-house accounting dealt with "which costs us less" rather than "which is right". It's rather sad. Yes, but you have to balance both viewpoints here. Personally, I'm on the side of people not being forced to use 3dsecure (I want to be fully opted out). I don't want to be lumbered with the costs of fraud because I know how to take care of my end and if my details get out, it's not me that did it. I don't think it's reasonable I get charged because the bank or retailer messes up. On the other hand, the retailer wants to not be liable when there's any fraud because they shouldn't have to lose out on the goods. They don't think it's reasonable they lose out on the goods because the bank or customer messes up. Which side wins? Well, the retailer gets to choose. And it'll come down to a strict profit sum, whether costs of lost revenue is greater than costs of potential fraud. If you don't like it, there are other retailers waiting to take your money. --James
Re: Payment Providers
- Original Message > From: Peter Corlett > > It's not *quite* so clear-cut. > > The costs due to fraud might be less than the costs of losing sales due to > VBV/3DSecure, in which case the retailer might be happy to risk the fraud, > especially if they have other fraud-avoidance mechanisms in place. This has to be one of the most important comments about all of this. When I originally went to uni to be an economist, I was amazed to discover in research how much in-house accounting dealt with "which costs us less" rather than "which is right". It's rather sad. Cheers, Ovid (the hippie) -- Buy the book - http://www.oreilly.com/catalog/perlhks/ Tech blog- http://use.perl.org/~Ovid/journal/ Twitter - http://twitter.com/OvidPerl Official Perl 6 Wiki - http://www.perlfoundation.org/perl6
Re: Last Straw. Camel's Back. Etc.
On Thu, Oct 01, 2009 at 12:07:53PM +0100, Roger Burton West wrote: > On Thu, Oct 01, 2009 at 11:30:10AM +0100, Peter Corlett wrote: > >The only thing that WebTapestry lacks that Zen has is a Usenet > >service. This has done wonders for my productivity :) > Leaving Demon meant I lost their USENET feed. Now I'm running my own > node. Such is the way of the world... I've been using news.individual.net for years, and consider it good enough to be worth paying for. -- David Cantrell | top google result for "internet beard fetish club" Vegetarian: n: a person who, due to malnutrition caused by poor lifestyle choices, is eight times more likely to catch TB than a normal person
Re: Payment Providers
On 2 Oct 2009, at 16:28, Bob Walker wrote: On Fri, 2 Oct 2009, James Laver wrote: Banks usually don't care, but they will give liability to the retailer in case of fraud on non-3ds transactions. Like I said forcing them. It's not *quite* so clear-cut. The costs due to fraud might be less than the costs of losing sales due to VBV/3DSecure, in which case the retailer might be happy to risk the fraud, especially if they have other fraud-avoidance mechanisms in place.
Re: Payment Providers
On Fri, 2 Oct 2009, James Laver wrote: Banks usually don't care, but they will give liability to the retailer in case of fraud on non-3ds transactions. Like I said forcing them. -- bob walker buses should be purple and bendy
Re: Payment Providers
On 2 Oct 2009, at 14:18, Bob Walker wrote: In my experience sites are forced to by their bank. That's unusual. Banks usually don't care, but they will give liability to the retailer in case of fraud on non-3ds transactions. --James
Re: Payment Providers
On Fri, 2 Oct 2009, James Laver wrote: 6%? I know of sites with much larger dropouts than that. And one day some of them will finally realise it's stupid and stop taking 3dsecure at all. In my experience sites are forced to by their bank. -- bob walker buses should be purple and bendy
Re: Payment Providers
On 2 Oct 2009, at 13:40, Nicholas Clark wrote: Yes, that's the old stuff. That's, um, not exactly something to be proud of/ not exactly a good advertisement of what we now can do. Ah, well at least that's changed :) We had a chat at lunch, and (IIRC) Tom said that he thinks that Amazon are now not taking Maestro. We're inferring that Amazon have said "We don't do 3D. We aren't prepared to loose 6% of our business from it", Mastercard have said "But to take Maestro, you must do 3D", and Amazon said "OK, we won't take Maestro then"* 6%? I know of sites with much larger dropouts than that. And one day some of them will finally realise it's stupid and stop taking 3dsecure at all. If enough big sites take this attitude, then it will get the fate it deserves, whatever the banks think or want, because customers won't use those cards any more, because they aren't useful. I'm hoping that'll happen too. HSBC ditched maestro in favour of visa debit a few months ago. I've found maestro to be shocking actually. Like the DVLA take Solo (which noone takes) but not Maestro (what's with that?). My natwest maestro card needed replacing about once a month because the chip kept rubbing off too (though I don't know if they have some centralised manufacture or what). But then again, it's all about the liability shift. Smaller retailers rightfully look at the risk and say 'fuck it', not realising that the liability ends up with the customers (and probably not caring). Chip and pin did the same and the only bank I know of that instantly refunds you with a crime reference number is Barclays (in fact I had a rather long discussion with a Barclays manager about it after HSBC wouldn't let me take out cash in branch with my chip and signature card that they issued to me). I hope 3dinsecure goes to hell. --James
Re: Payment Providers
On Fri, Oct 02, 2009 at 01:40:55PM +0100, Nicholas Clark wrote: > We had a chat at lunch, and (IIRC) Tom said that he thinks that > Amazon are now not taking Maestro. You remember correctly, but I'm wrong. I managed to end up looking at the list of card types accepted on amazon.com and somehow convinced myself I was on the UK site. I probably need a holiday. Tom
Re: Payment Providers
On Fri, Oct 02, 2009 at 01:11:36PM +0100, James Laver wrote: > On 2 Oct 2009, at 10:26, Nicholas Clark wrote: > > > >The new "Unified Payment Pages" now work just fine without JavaScript. > >If we have documentation saying otherwise, could you point it out so > >that > >I can ask for it to be corrected? > > Ah no, my experience was as a customer of the companies house website, > where it ships in an iframe laden with javascript. Yes, that's the old stuff. That's, um, not exactly something to be proud of/ not exactly a good advertisement of what we now can do. > >However, one can't take payments from Maestro unless one has 3D > >insecure. > >(And it seems that even easyJet are no longer large enough to wiggle > >out > >of that one) > > If the card company mandates it, not a lot I can do about that, so be > it. We had a chat at lunch, and (IIRC) Tom said that he thinks that Amazon are now not taking Maestro. We're inferring that Amazon have said "We don't do 3D. We aren't prepared to loose 6% of our business from it", Mastercard have said "But to take Maestro, you must do 3D", and Amazon said "OK, we won't take Maestro then"* If enough big sites take this attitude, then it will get the fate it deserves, whatever the banks think or want, because customers won't use those cards any more, because they aren't useful. Nicholas Clark * Well, really I'm hoping that they said "Screw you hippy"
Re: Payment Providers
On 2 Oct 2009, at 10:26, Nicholas Clark wrote: The new "Unified Payment Pages" now work just fine without JavaScript. If we have documentation saying otherwise, could you point it out so that I can ask for it to be corrected? Ah no, my experience was as a customer of the companies house website, where it ships in an iframe laden with javascript. And badly implemented by quite a few providers. (There's XML, and a DTD. If the XML validates against the DTD, that means that it's *VALID*, dammit, so don't reject it) The spec is ridiculous, but nothing is more ridiculous than programmers reading a spec and getting it wrong. However, one can't take payments from Maestro unless one has 3D insecure. (And it seems that even easyJet are no longer large enough to wiggle out of that one) If the card company mandates it, not a lot I can do about that, so be it. Point 4 would imply point 3 is met. You don't say, whether you have a merchant account with a bank, or whether you want the payment service provider to deal with that part. Point 4 implies that you'd like them to deal with it, and "just make money appear in my account". Doing this might restrict your options on 3D insecure/ Phished by Visa. This was part of my concern. I know paypal just do CVC checking and to hell with 3dsecure (very sensible). I don't have an account with a merchant bank, I'd like all of that taken care of.1 Paypal probably meets most of your criteria too :-) I'd thought about paypal, but no. It would be nice to have it as an option though (which Datacash offer for example). Cheers, --James
Re: Payment Providers
On 2 Oct 2009, at 12:07, David Precious wrote: It's a poor attempt towards three-factor authentication, but relying upon entering a password - which will be picked up by the same keylogging/ sniffing techniques they'd use to grab the rest of your details if you're entering them on a compromised machine. However, now, the bank has shifted liability to the customer, claiming that since the transaction was authorised with their "secret password", they have no right to repudiate the transaction. Yes, those lovely three factors: - Something you know - Something you know - Something you know Clever, huh. Firstly, they shift liability to the bank, which is why retailers like it. Unfortunately the bank shifts liability to the customer with the defence "but noone else knows your 3dsecure password, it was you, there was no fraud". HSBC revealed to me that they've had 'zero fraud' since the introduction of the scheme, which means they're pinning this, exactly like they've all been pinning chip and pin fraud on the bank customer, because of the same defence (and they got away with that one in court, somehow). Because of this, banks are loathe to let you opt out. I've been unable to do so with HSBC. I've been writing a paper about attacks on the 3dinsecure system and it's all remarkably easy: 1. I steal your card (or memorise your details while you're paying with it), you haven't registered yet, I register for you, thus choosing the password I want 2. I steal your card (or memorise your details while you're paying with it) and go through a simple reset procedure, which generally only requires information I could extract from you during an hour at the pub without you realising 3. I set up a fake page that looks like a 3dsecure page on my site and cream off the details before submitting them myself so the payment goes through. Since it's all handled by third parties, you'd never know what's legitimate and what isn't. And many, many more, wait for the paper to be released :) It doesn't take an evil genius to see gigantic holes in the system, it's shaped like a swiss cheese. --James
Re: Payment Providers
On Friday 02 October 2009 11:13:35 Ovid wrote: > OK, I give. That's two references to how insecure 3D secure is. Given that > I know nothing about it other than the annoying fact that I've forgotten my > password for it, could someone explain why its broken? Well, there's the fact that, for years, we've been trying to educate Internet users not to enter details into untrusted websites, and now all of a sudden they're expected to trust some random page that appears in a popup/iframe from some domain entirely unrelated to the one they're in the middle of trying to give their card details to? Like, for instance, securesuite.co.uk - would you trust that random domain? (Incidentally, that's the domain that RSA forgot to renew at one point...!) See, for instance, http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam It's a poor attempt towards three-factor authentication, but relying upon entering a password - which will be picked up by the same keylogging/sniffing techniques they'd use to grab the rest of your details if you're entering them on a compromised machine. However, now, the bank has shifted liability to the customer, claiming that since the transaction was authorised with their "secret password", they have no right to repudiate the transaction. Cheers Dave P
Re: Payment Providers
2009/10/2 Nicholas Clark : > > (And annoyance, as a UK taxpayer, at all the various > stupidities involved, that I'm paying for, because of incompetence from > people who are not just still employ*able*, but employ*ed*) Direct also your ire to the employees of the DWP, because most of those staff members in the JobCentre are just as institutionalized as their "customers". Dominic
Re: Payment Providers
On Fri, Oct 02, 2009 at 11:34:15AM +0100, Nicholas Clark wrote: > (Rather than having DNS delegated, so that 3dinsecure.rbs.gov.uk is a CNAME > pointing to an IP owned and hosted by the outsourcer) Oh yes. If anyone knows anyone who might know someone at the registrar who might cause rbs.gov.uk to come into existence, and then have it so that everything served by it over HTTP is a 302 to rbs.co.uk, that would appeal to my sense of irony. (And annoyance, as a UK taxpayer, at all the various stupidities involved, that I'm paying for, because of incompetence from people who are not just still employ*able*, but employ*ed*) Nicholas Clark
Re: Payment Providers
On Fri, Oct 02, 2009 at 03:13:35AM -0700, Ovid wrote: > --- On Fri, 2/10/09, Nicholas Clark wrote: > > > From: Nicholas Clark > > > 2. No insistence on 3dsecure (because really, it's > > horrifically > > > insecure). > > > > And badly implemented by quite a few providers. > > (There's XML, and a DTD. If the XML validates against the > > DTD, that means > > that it's *VALID*, dammit, so don't reject it) > > > > However, one can't take payments from Maestro unless one > > has 3D insecure. > > (And it seems that even easyJet are no longer large enough > > to wiggle out > > of that one) > > OK, I give. That's two references to how insecure 3D secure is. Given that I > know nothing about it other than the annoying fact that I've forgotten my > password for it, could someone explain why its broken? There's a description about how little it takes to reset the password in the link Tom gave: http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro Ben Laurie explains it here: http://www.links.org/?p=591 It's indistinguishable from a phising scam. Even better, which Ben doesn't cover, is that some banks have implemented it by outsourcing it to a third party, which then serves the pages from *its* domain. (Rather than having DNS delegated, so that 3dinsecure.rbs.gov.uk is a CNAME pointing to an IP owned and hosted by the outsourcer) So you get a popup saying "I'm from your bank; tell me your secrets" popping up in new window (believe it or not, originally with branding guidelines that were "don't show a URL bar etc"), served from a domain which is nothing to do with your bank. And often this is the first time that you, the card holder, have encountered the thing. Because your bank didn't bother to tell you about it in a communication from them that you trust is from them. It's almost like some enterprising chap in Nigeria wrote the specs for the banks, to save the the costs of having to do it themselves. Nicholas Clark
Re: Payment Providers
On Fri, Oct 02, 2009 at 10:49:04AM +0100, Tom Hukins wrote: > On Fri, Oct 02, 2009 at 10:26:06AM +0100, Nicholas Clark wrote: > > However, one can't take payments from Maestro unless one has 3D insecure. > > (And it seems that even easyJet are no longer large enough to wiggle out > > of that one) > > Nor are Google: > http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro Then again, Maestro screwed up and is screwed. Switch was "if you see a Switch logo, you can use your Switch card" Maestro is, well, printed A4 sheets in shop windows with "Austrian Maestro Only" It's one logo applied to 15 or so different debit card schemes, without guaranteeing any sort of interoperability. Which destroys any sort of brand value it might have had. There's a technical term for this, but apparently I'm not supposed to use it in front of small children*. Maestro is being replaced by Mastercard Debit, which is not tainted with this incompetence. In the UK, at least HSBC and RBS are replacing Maestro. With *Visa* Debit. Oh yes, and Switch was screwed because not all Switch cards pass the Luhn check. Card length limit is 19 digits, and HSBC used to issue Switch cards that were $BIN . $sort_code . $account_number, which used up all 19 digits, so they had no ability to make the card meet the spec about the checksum. Various *merchant acquirers* seem not to know this, as they reject them rather than trying to auth. Then again, a certain large UK bank not owned by the government will happily auth *anything*, then refuse to settle it, and then complain that one is sending it bogus data. *You* bloody *authed* it. "Oh well, if we can't get through to the issuing bank in time, we just auth it anyway" Yeah right. And nearly all of them have test auth systems that differ from their live systems. Some of which you can DOS by accident, some with data files that meet the specs. Nicholas Clark * even if she throws up on me.
Re: Payment Providers
Ovid wrote: > > OK, I give. That's two references to how insecure 3D secure is. > Given that I know nothing about it other than the annoying fact that > I've forgotten my password for it, could someone explain why its > broken? Well firstly you, I and *everyone* forgets their password. And then it just lets you generate a new one. Which makes it meaningless even if 90% of users didn't end up using "PAZZWORD" anyway. Secondly - who's providing that 3d-secure form? How do you know it's your bank and not someone collecting PAZZWORDs? -- Richard Huxton Archonet Ltd
Re: Payment Providers
--- On Fri, 2/10/09, Nicholas Clark wrote: > From: Nicholas Clark > > 2. No insistence on 3dsecure (because really, it's > horrifically > > insecure). > > And badly implemented by quite a few providers. > (There's XML, and a DTD. If the XML validates against the > DTD, that means > that it's *VALID*, dammit, so don't reject it) > > However, one can't take payments from Maestro unless one > has 3D insecure. > (And it seems that even easyJet are no longer large enough > to wiggle out > of that one) OK, I give. That's two references to how insecure 3D secure is. Given that I know nothing about it other than the annoying fact that I've forgotten my password for it, could someone explain why its broken? Cheers, Ovid -- Buy the book - http://www.oreilly.com/catalog/perlhks/ Tech blog- http://use.perl.org/~Ovid/journal/ Twitter - http://twitter.com/OvidPerl Official Perl 6 Wiki - http://www.perlfoundation.org/perl6
Re: Payment Providers
On Fri, Oct 2, 2009 at 10:49 AM, Tom Hukins wrote: > Nor are Google: > http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro > >> Paypal probably meets most of your criteria too :-) > > They meet all of them. What do you all think of Google Checkout? https://checkout.google.com/seller/developers.html?hl=en&gl=GB James has just saved me asking this question for myself. -d. -- Damon Allen Davison http://allolex.net http://musicindustryrules.com http://thegannet.net
Re: Payment Providers
On Fri, Oct 02, 2009 at 10:26:06AM +0100, Nicholas Clark wrote: > However, one can't take payments from Maestro unless one has 3D insecure. > (And it seems that even easyJet are no longer large enough to wiggle out > of that one) Nor are Google: http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro > Paypal probably meets most of your criteria too :-) They meet all of them. Tom
Re: Payment Providers
2009/10/1 James Laver : > I'm looking for a card processing service to take payments with. > > Essential features: > 1. No javascript required to make a payment (that means you, NetBanx). > 2. No insistence on 3dsecure (because really, it's horrifically insecure). > 3. I don't have to store any credit card details at all. > 4. They deal with as many of the legal issues as possible so I don't have > to. Particularly PCI DSS. > 5. Established, tested cpan modules for dealing with them > > My initial inclinations were the big guns like Datacash and Paypoint, but of > some concern was datacash's website being hosted on IIS, and the fact that > neither of them have modules on cpan (and frankly, the perl examples for > datacash were more than a little embarrassing for them). > > So, recommendations? Horror Stories? Legal guidance? Okay, I've been quiet on this so far, and I admit I can't actually address most of your points. Also, the disclaimer here is going to be *very* obvious. At my $employer , the CEO is also running another company, whose primary business is handling credit card transactions. I'm moderately sure that they don't have a CPAN module, but they are a perl shop, so it shouldn't be outside their skills to make one. In the interests of not spamming the whole list I'll not mention them directly here - just say that they've got their office on one of the main canals in Amsterdam, and leave it to James to email me offlist if he wants details. Disclaimer: I'm not actually employed by said company, but as far as I know they may well be providing the profit that the boss is using to keep us afloat (if we need that, I'm not exposed to the numbers that much) -- Better to remain silent and be thought a fool than to speak out and remove all doubt. -- Abraham Lincoln
Re: Last Straw. Camel's Back. Etc.
Gareth Harper wrote: It's cable of course, so it's not something you can migrate towards, but I have to admit Virgin Medias tech support has gotten a LOT better recently. Hmm last time I called NThell they investigated and told me there was a problem with "the lines" and assigned a call out. Afew days after the appointed day the engineer turned up (he showed me the paperwork that gave him which day he was supposed to visit) and explained what the problem really was (the modem was really, really old and dead) and how support are always talking complete and utter shite to try and get people off the line as quickly as possible. He was also very pissed of when I showed him the email confirming my appointment some three days before. He had had a lot of jobs where no one was in and was not a happy bunny. About two or three years ago Virgin moved to a premium support service. Shortly after this our NThell line started getting cut off about once per month. Spoke to a number of people I know on the estate (different streets/cabs) and they all had the same experience. Outages were always aroudn one hour long. From talking to someone techy who works for them, it appears that these outages were planned. I can only assume they were trying to get people to phone the 1UKP/min support line as they desperately needed the dosh about then. From recent experience NThell support is just as bad as it always has been. They only way to get support is to call the contracts desk and ask to have the line turned off. They ask why and you explain it no longer works. They ask if you have called support and I say "No, I just want is turned off as it is always failing". They have an engineer out that day... Jacqui
Re: Payment Providers
On Thu, Oct 01, 2009 at 09:02:07PM +0100, James Laver wrote: > I'm looking for a card processing service to take payments with. > > Essential features: > 1. No javascript required to make a payment (that means you, NetBanx). The new "Unified Payment Pages" now work just fine without JavaScript. If we have documentation saying otherwise, could you point it out so that I can ask for it to be corrected? > 2. No insistence on 3dsecure (because really, it's horrifically > insecure). And badly implemented by quite a few providers. (There's XML, and a DTD. If the XML validates against the DTD, that means that it's *VALID*, dammit, so don't reject it) However, one can't take payments from Maestro unless one has 3D insecure. (And it seems that even easyJet are no longer large enough to wiggle out of that one) > 3. I don't have to store any credit card details at all. > 4. They deal with as many of the legal issues as possible so I don't > have to. Particularly PCI DSS. Point 4 would imply point 3 is met. You don't say, whether you have a merchant account with a bank, or whether you want the payment service provider to deal with that part. Point 4 implies that you'd like them to deal with it, and "just make money appear in my account". Doing this might restrict your options on 3D insecure/ Phished by Visa. > 5. Established, tested cpan modules for dealing with them I don't know about that for *any* providers. > My initial inclinations were the big guns like Datacash and Paypoint, > but of some concern was datacash's website being hosted on IIS, and > the fact that neither of them have modules on cpan (and frankly, the > perl examples for datacash were more than a little embarrassing for > them). Paypal probably meets most of your criteria too :-) Nicholas Clark