Long ago I did some contract coding for a company that processed donations via credit card. To my amazement, we had to watch out for people trying to donate small amounts to the Red Cross. Why? Because people with a list of possibly-valid credit card numbers would use small donations to brand-name charities as a way of validating credit cards.
It made me long for some sort of professional association that kept track of naughty uses of technology. It's easy to think only about the happy path. But there are all sorts of unsavory people out there: abusers, mobsters, thieves, authoritarian governments. Once I know how they think, I can defend against them. But keeping up with how they think has always been a challenge for me.
Should that have really been your concern? If every company that processes cards has to be fraud detecting experts, then the CC system is totally broken.
>If every company that processes cards has to be fraud detecting experts, then the CC system is totally broken.
That is 100% the case, at least in the US, for card-not-present (online, phone, etc) transactions.
The credit card companies have zero liability for fraud in those cases... the liability is 100% on the merchant seller. In fact, the CC companies collect a non-trivial chargeback fee, so they arguably profit from the fraud.
Predictably, since they have zero risk, they provide almost zero fraud protection for sellers. For example, if they changed the system to accept data like "shipping address vs just billing" or "ip address", they could use their aggregate view to squash A LOT of fraud.
It sounds like you've stumbled upon the next great way for credit card networks to make money! Charge for fraud detection, and if a customer doesn't want fraud detection, then do the chargebacks. I'm kind of surprised they don't do this already (or maybe they do?).
It's win-win either way for the credit card network.
Which is why it pisses me off when a company deploys insecure software or hardware, claiming that network security is the customer's responsibility.
So my home network should be reasonably secure, so that it doesn't become part of a botnet. Which means that I have to, or should, become at least knowledgeable enough to know what to buy, what to do, and what not to do. Which means that my router vendor better step up and sell me something secure.
Is it the responsibility of end users to submit bug tickets? I think it is.
Is it the responsibility of end users, or the vendors receiving reports, to publish discoveries of exploits in the wild? I think it is.
Is it the responsibility of a pedestrian who notices a skateboard on the sidewalk to move it aside and upside down so no one does a splat fall? I think it is.
This is why I get angry at people who say things like "mind your own business" or "that's not your job." It is, and it is. Anyone who doesn't like that can take their own advice.
I get that, but the problem is we all accepted the system into our lives before it was ready and now the key players have, by their own design, no incentive to improve. Who do we submit bugs to in this scenario?