
I’ve never had a card stolen where either of those would have helped - they’re stopgaps trying to avoid upgrading the banking system to use public-key encryption with reuse protection.

A couple of times, merchants with my card on file were compromised. The thief could make charges because the merchant had to be able to as well. What would have stopped that would have been having a way to restrict a charge to a particular merchant so the attacker couldn’t have been able to get the money out.

Once, my supermarket had skimmers. A code wouldn’t have been effective unless you were very good at spotting where the thieves planted cameras, too. An active MFA prompt would help against attacks at a substantially later time but it’d have to include the merchant name in an unspoofable form to prevent real-time attacks so I wouldn’t be asked to approve charges from SAFEWAY_, and that old-fashioned style of MFA is painful: it’d always make checkout slower and you’d have some fraction of people who don’t have phones with them or just ran out of battery.

What completely solved this problem for me was the modern tap systems (ApplePay). It requires more smarts on the client but means that I have to approve each transaction and the value the card reader gets can’t be used anywhere else.




>What would have stopped that would have been having a way to restrict a charge to a particular merchant so the attacker couldn’t have been able to get the money out.

This is one of the primary use cases for privacy.com (if you are in the US). The virtual cards are either single-use only or they are merchant locked, plus you can set spending limits on the card. I use these for 100% of my online and recurring payment transactions now. The only downside is that it's linked to your bank account so it's debit transactions only, but that's not necessarily a downside to me.
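The two properties discussed above, a per-transaction value that is bound to one merchant and cannot be replayed (the tap-to-pay comment) and a virtual card locked to a single merchant (this comment), as a constructed issuer-side toy model added here; it is not code from the thread, privacy.com, EMV or Apple Pay, and the key, field layout, card ids and merchant names are assumptions.

```python
import hashlib, hmac, struct

# Constructed toy model, not a real payment protocol: each card shares a secret
# key with the issuer and MACs every authorization over merchant, amount and a counter.

def make_cryptogram(card_key: bytes, merchant_id: str, amount_cents: int, counter: int) -> bytes:
    """Card/wallet side: MAC bound to this merchant, amount and transaction counter."""
    msg = merchant_id.encode() + struct.pack(">QI", amount_cents, counter)
    return hmac.new(card_key, msg, hashlib.sha256).digest()

class Issuer:
    def __init__(self):
        self.keys = {}           # card_id -> shared secret key
        self.last_counter = {}   # card_id -> highest counter accepted so far
        self.merchant_lock = {}  # card_id -> merchant a virtual card is locked to

    def enroll(self, card_id, key, lock_to=None):
        self.keys[card_id] = key
        self.last_counter[card_id] = 0
        if lock_to is not None:
            self.merchant_lock[card_id] = lock_to

    def authorize(self, card_id, merchant_id, amount_cents, counter, cryptogram) -> str:
        lock = self.merchant_lock.get(card_id)
        if lock is not None and lock != merchant_id:
            return "DECLINED:merchant_lock"   # card-on-file number used at another merchant
        expected = make_cryptogram(self.keys[card_id], merchant_id, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED:bad_cryptogram"  # captured value presented under a different merchant
        if counter <= self.last_counter[card_id]:
            return "DECLINED:replay"          # same cryptogram presented a second time
        self.last_counter[card_id] = counter
        return "APPROVED"

def demo():
    issuer = Issuer()
    key, vkey = b"constructed-card-key", b"constructed-vcard-key"  # constructed sample secrets
    issuer.enroll("card1", key)
    issuer.enroll("vcard1", vkey, lock_to="SAFEWAY")
    tap = make_cryptogram(key, "SAFEWAY", 4250, 1)
    other = make_cryptogram(vkey, "OTHER_SHOP", 999, 1)
    return [
        issuer.authorize("card1", "SAFEWAY", 4250, 1, tap),       # legitimate tap
        issuer.authorize("card1", "SAFEWAY", 4250, 1, tap),       # skimmed value replayed
        issuer.authorize("card1", "OTHER_SHOP", 4250, 1, tap),    # skimmed value moved to another merchant
        issuer.authorize("vcard1", "OTHER_SHOP", 999, 1, other),  # merchant-locked virtual card elsewhere
    ]
```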


Yes - it’s a neat hack to get some of the benefits without breaking compatibility with legacy terminals.


> upgrading the banking system to use public-key encryption with reuse protection.

This is exactly what chip and PIN does. The chip is a smart card holding keys; the PIN authorizes its use. Online, there is 3DS which can be used similarly.

We’ve had both of these tools for over 20 years now. It’s just a question of how much the industry is choosing to cater to convenience and backwards compatibility, i.e. a security/availability trade off.

In Europe, the regulator has made the choice for the industry instead.


> We’ve had both of these tools for over 20 years now. It’s just a question of how much the industry is choosing to cater to convenience and backwards compatibility, i.e. a security/availability trade off.

Exactly: it’s not like this was a technological breakthrough but that companies were trying to avoid breaking backwards compatibility - not just things like the readers but backend payment systems using something like fixed length records, but also restaurants needing to stop having a single terminal used for every table (this is why they went chip and no PIN).

Going back to the original comment, that’s the peace of mind benefit I see: those businesses can slack on security without me getting stuck with a potentially massive bill.


> that’s the peace of mind benefit I see: those businesses can slack on security without me getting stuck with a potentially massive bill.

That's a false dichotomy, though: Regulators can mandate merchants and issuers to make fraud less likely without allowing the liability for any remaining fraud to be pushed onto cardholders.


That doesn’t make it a false dichotomy. We have an existing regulatory model which absolves consumers of most fraud risk, and many people like that.


Sure, and maybe I'm misunderstanding you, but your point is that changing that model might make things worse for consumers by pushing more liability onto them, right?

I'm just saying that this isn't necessarily a consequence of improving fraud rates, although it's definitely important to keep an eye on issuers – I've heard about attempts to use it as an opportunity to limit liability in the past.





