The Order of the Stick - Kickstarter CC Woes

[Diadem]

I decided to join the kickstarter, but they only accept credit cards.

Why, why, why, did everybody collectively decide to adopt as the universal standard the very worst system available out of every single payment system in the world. Seriously, I doubt I could design a worse payment system than credit cards if I tried.

I've been told kickstarter accepts debit cards, but only some. I'm wondering, does anyone know of online credit / debit card services that can be used for online payments, without all the hassle of having an actual card? Sounds like a perfect service for something like paypal, who already have your bank account details anyway. I'm almost surprised they offer nothing like that.

edit: Looks like this topic was split from the original one by the mods. Probably a good thing

[Jorpho]

I'm not sure why you're so down on credit cards, but Visa/Mastercard/Amex all offer prepaid cards that are just like credit cards as far as merchants are concerned.

[Diadem]

Hmm, I'm based in The Netherlands. Doing business with a European bank would be preferable. My own bank would be preferable, but they don't seem to offer anything like what I want.

Also, as to why I dislike credit cards. Well for a start no one here in The Netherlands uses them. Well that's not quite true, some people have credit cards, but generally only people who either purchase things online a lot, or travel to the US a lot. There's absolutely no reason to get one as long as you stay within Europe. Credit cards are expensive, very vulnerable to fraud, and just generally inconvenient. I'd rather pay for what I buy immediately, and keep a clear overview of my balance, instead of potentially facing nasty surprises every month.

Being able to pay everywhere in the world is nice, of course. But the only reason you can do that with a credit card and not other methods is because it's become the default. It's not an inherent feature of credit cards. Specifically, I can not think of a single advantage credit cards have over debit cards. Not for the buyer, not for the seller.


edit: I don't think such cards as I'm looking for (debit cards used in a similar way as credit cards) exist. Mastercard doesn't even do business with individual customers, they just redirect me to my bank. Visa only seems to offer credit cards, not debit ones. I found a few dubious looking sites that offered "100% guarantee instant approval credit cards" in very large fonts, but I'm willing to bet those are run by Nigerians.

Seems a very reasonable request. A debit card that can be used as a credit card for online payments. I'm extremely surprised nothing like that exists. I guess I must be the only person in the world who doesn't like racking up debt. Huh.

[phlip]

Mastercard and Visa don't provide cards directly... rather, they sell their services to the banks, and then the banks provide the cards. So the bank is the one handling the money (and providing the credit and collecting the interest, for credit cards), while MC/Visa just handles the EFT infrastructure. As I understand it, AMEX is different, and provides cards directly.

Visa Debit and Debit Mastercard work similarly... the bank issues them, and then when you use them the money comes out of your account. But they still behave identically to other Visa/Mastercard cards, at the merchant's end (they're still processed as "credit cards", and suchlike). Note that Debit Mastercard is a separate system to Maestro, which Wikipedia tells me is what the Netherlands mostly uses for debit cards... our EFTPOS cards here also use Maestro, and they definitely don't work as a Mastercard... however, I've used my Debit Mastercard without problems with plenty of US sites that insist on being paid via credit card.

Anyway, Wikipedia tells me that Debit Mastercard isn't available in Europe (just USA, UK and Aus), but Visa Debit is. So that might be worth a shot.

[Jorpho]

Credit cards are expensive, very vulnerable to fraud, and just generally inconvenient.

This is baffling. I could have a no-fee credit card if I wanted; I have one with a small fee that offers "rewards" that more than offset the annual fee. It is also paid off in full automatically from my bank account every month, so it does not inconvenience me. Fraud? I guess everything is vulnerable to fraud.

I'd rather pay for what I buy immediately, and keep a clear overview of my balance, instead of potentially facing nasty surprises every month.

"Nasty surprises"? I guess that depends on your spending habits. Actually, the neatly itemized statement I get in the mail every month would make tracking my purchases considerably easier than a bank record full of unnamed debits. (I say "would" because I'm kind of obsessive about manually tracking my receipts anyway.)

But the only reason you can do that with a credit card and not other methods is because it's become the default.

Actually, some debit cards work internationally. They also ding you with transaction fees when you do so.

Specifically, I can not think of a single advantage credit cards have over debit cards. Not for the buyer, not for the seller.

A debit card runs right off your bank account. The potential for disaster if that falls into the wrong hands is considerably more troubling. And in theory, money that stays in one's bank account for a month will earn interest, but for the amounts of money concerned and the interest rates on a typical savings account, that's probably not a consideration.

I suppose if a merchant tried to do me wrong, it would be much easier to dispute the credit card charge than it would be to dispute a debit transaction that already happened – but I've only had to do that once in the last ten years.

[phlip]

And in theory, money that stays in one's bank account for a month will earn interest, but for the amounts of money concerned and the interest rates on a typical savings account, that's probably not a consideration.

I'd be interested to know what kind of savings account you have where the interest rate is higher than the rate on a credit card...

[Jorpho]

And in theory, money that stays in one's bank account for a month will earn interest, but for the amounts of money concerned and the interest rates on a typical savings account, that's probably not a consideration.

I'd be interested to know what kind of savings account you have where the interest rate is higher than the rate on a credit card...

The rate on every credit card I know of is zero as long as it is paid off in full every month. (As it should be, unless you're in serious financial difficulties or something. In which case a credit card can in some ways be quite detrimental.)

[Diadem]

Visa Debit and Debit Mastercard work similarly... the bank issues them, and then when you use them the money comes out of your account. But they still behave identically to other Visa/Mastercard cards, at the merchant's end (they're still processed as "credit cards", and suchlike). Note that Debit Mastercard is a separate system to Maestro, which Wikipedia tells me is what the Netherlands mostly uses for debit cards...

Yeah that is actually the problem. My normal bank card actually is a maestro card. I think almost all bank cards are. Not that as a consumer you even notice that. You pay by PIN (99.99% of payments in NL are probably either cash, PIN or 'chip' which I'm not sure how to translate, but basically digital money stored physically on your card), and, it appears, outside NL but inside Europe this is handled by Maestro instead of your bank. I didn't know that either until 5 minutes ago. It turns out you can actually use Maestro cards as debit cards for online payments, but not without the card code, which Dutch banks don't hand out. Not sure why not.

My bank offers credit cards of course, but I can't find anything about debit cards. Guess I'll call them tomorrow. I generally use paypal for online transactions, but it's nice to have options when sites don't accept it.

Credit cards are expensive, very vulnerable to fraud, and just generally inconvenient.

This is baffling. I could have a no-fee credit card if I wanted; I have one with a small fee that offers "rewards" that more than offset the annual fee. It is also paid off in full automatically from my bank account every month, so it does not inconvenience me. Fraud? I guess everything is vulnerable to fraud.

Well I'm only speaking about my own situations of course. So about The Netherlands. Most banks seem to charge around 25 euros for a credit card. Perhaps not much in absolute terms, but still quite a lot for something you use perhaps twice a year. Then there's fees and fines. No doubt it's a personal thing, but I dislike making debts. I'm terribly good at forgetting to pay bills too, so that's another reason to avoid getting them.

Also, my bank at least requires a minimum net income of €1150,-. As a student, I don't make that much. Another good reason to get a debit card (if they existed).

I'd rather pay for what I buy immediately, and keep a clear overview of my balance, instead of potentially facing nasty surprises every month.

"Nasty surprises"? I guess that depends on your spending habits. Actually, the neatly itemized statement I get in the mail every month would make tracking my purchases considerably easier than a bank record full of unnamed debits. (I say "would" because I'm kind of obsessive about manually tracking my receipts anyway.)

What's the difference between getting a list of what you paid via your credit card company instead of your bank? Seems more convenient to have all your financial transactions in one place.

Specifically, I can not think of a single advantage credit cards have over debit cards. Not for the buyer, not for the seller.

A debit card runs right off your bank account. The potential for disaster if that falls into the wrong hands is considerably more troubling.

That's why you can't use them without a passcode.

Which, admittedly, wouldn't work well online. But it seems to me that for online payments you don't need a physical card at all. For the purpose of online payments, all a credit card really is, is a set of numbers you enter at a website. I see no reason why banks or other institutions couldn't send me a set of numbers I can use to make online payments that charges immediately from my account, instead of waiting a month. You can still have a monthly spending limit if you wish.

[Jorpho]

What's the difference between getting a list of what you paid via your credit card company instead of your bank? Seems more convenient to have all your financial transactions in one place.

My credit card statement provides a merchant's name alongside each charge. For debit transactions, my bank statement just lists the charge. Is your bank statement different? (Actually, checking again just now, my online bank statement does list merchant names.)

Specifically, I can not think of a single advantage credit cards have over debit cards. Not for the buyer, not for the seller.

A debit card runs right off your bank account. The potential for disaster if that falls into the wrong hands is considerably more troubling.

That's why you can't use them without a passcode.

My credit card transactions also generally require a PIN these days. I'll admit that signature authorization is quite ridiculous.

[Yakk]

Specifically, I can not think of a single advantage credit cards have over debit cards. Not for the buyer, not for the seller.

A debit card runs right off your bank account. The potential for disaster if that falls into the wrong hands is considerably more troubling.

That's why you can't use them without a passcode.

My credit card transactions also generally require a PIN these days. I'll admit that signature authorization is quite ridiculous.

The signature is both for your security and that of the merchant. A false signature at the merchant means that the merchant (or CC company) is liable, not you.

PIN numbers means that anyone who knows your PIN (which is easier to pull off than convincingly forging your signature, really) now can use your CC/debit card. And now the liability is on you, not the merchant or CC company.

The PIN EULAs that they push on you to use a PIN card are basically about making you responsible for CC fraud. They do not significantly make your CC safer.

Or, another way of looking at it, you are still entering your PIN number in an unsecured room on a terminal you only have the merchant's promise is secure device. Intercepting your PIN is a pretty easy problem, that thieves have worked out how to do via ABM card-skimming practice. And unless you have seriously thought about it, there are really easy ways to get your PIN despite whatever precautions you choose (cover your hand when you type -- did you remember to rub every other number, so that a thermal camera won't give the 4 digits out-of-order with high reliability?)

Now, the chip is marginally harder to duplicate, which makes this a double point of failure system, which is nice. (They have to hack your PIN and your actual card) -- except, they can still charge your card using the magnetic strip! In effect, you haven't gained any security as a PIN card owner: all of the old attacks remain (based off of the number or strip), and new attacks (chip and PIN) exist against which the CC company has made you say "if they pull off these new attacks, well, you are screwed, haha" when you use the PIN card.

[elminster]

Cards are inherently insecure, but maybe as phone payments progress it might be a little bit better (Yeah, I know about the google wallet debacle). At least on a phone you can have any number of security measures, so even if it's stolen the actual security information may never be recovered by anyone else.

I'm sure they'll find better ways in time (Hey look... cheap human dna sequencing just became available) but there's still a way to go to cheaply prove that you're who you say you are. Social engineering is, after all, one of the biggest security threats; the machines might not be so fallible, but humans are.

[Yakk]

Except PIN moves the liability from your CC company/the merchant to you. While adding negative security (old methods still work, plus new methods added).

[You, sir, name?]

My bank offers electronic one-time cards for internet purchases. You just log in to their website, select an amount, and get the credit card information to use for the purchase. The card acts like a debit card with a limit and a one month expiry time, and this service is free.

The only downside is that in order to create such a card, you need to log in with a pin that's impossible to set to something long enough to be secure (even though they do use an authenticator for the rest of their services).

[Diadem]

My bank offers electronic one-time cards for internet purchases. You just log in to their website, select an amount, and get the credit card information to use for the purchase. The card acts like a debit card with a limit and a one month expiry time, and this service is free.

That's exactly the kind of service I would love to have. Though it wouldn't necessarily have to be one-time for me. Unfortunately I don't think my bank offers something like that.

The only downside is that in order to create such a card, you need to log in with a pin that's impossible to set to something long enough to be secure (even though they do use an authenticator for the rest of their services).

To log in to my internet banking system I need both my pin and my physical card. Makes it impossible to hack even if someone had complete control over my pc, so that's a pretty nice system.

I'm not sure why people dislike PIN. Sure it's only 4 numbers, so 10K possibilities, but a brute force attack is still impossible since your pass gets blocked after 3 failed attempts. At least over here to they do, but I assume that's similar everywhere. And 4 numbers are very easy to memorize. For all real-world payments, you need both the physical card and the code to do anything, so stealing just one of those doesn't help you at all. I guess that's different though for credit /debit cards with a pin for online payments. But that still beats having no passcode at all for online payments.

[amorya]

Yeah that is actually the problem. My normal bank card actually is a maestro card. I think almost all bank cards are. Not that as a consumer you even notice that. You pay by PIN (99.99% of payments in NL are probably either cash, PIN or 'chip' which I'm not sure how to translate, but basically digital money stored physically on your card), and, it appears, outside NL but inside Europe this is handled by Maestro instead of your bank. I didn't know that either until 5 minutes ago. It turns out you can actually use Maestro cards as debit cards for online payments, but not without the card code, which Dutch banks don't hand out. Not sure why not.

In the UK, about half of bank cards are Maestro, half are Visa Debit. When I was choosing banks, I specifically went for one that is Visa, because I knew that American websites are rubbish about taking Maestro.

For Kickstarter, though, doesn't it all go through Amazon? I just logged in with my Amazon-UK account. Amazon (at least in the UK) do accept Maestro, so I'd expect it to work with Kickstarter.

[Yakk]

To log in to my internet banking system I need both my pin and my physical card. Makes it impossible to hack even if someone had complete control over my pc, so that's a pretty nice system.

Wait, how do they verify you have a physical card when you are doing internet banking? (There are ways to do it, like having a card that generates challenge-response keys, but I'm not aware of many companies that issue these for bank accounts).

I'm not sure why people dislike PIN. Sure it's only 4 numbers, so 10K possibilities, but a brute force attack is still impossible since your pass gets blocked after 3 failed attempts.

Thus, all you need to do is make ~3K attacks against distinct accounts, and you get into one of them (at random). Do so over ~3K IP addresses, and nothing shows up. With 3 failed attempts, you can just do an attack every month or two, and people who use their account will nicely reset their attempt timer (and those that don't, well, you just stop using them).

There are defences against such above attacks, but they aren't because of the 3 failed attempts block.

At least over here to they do, but I assume that's similar everywhere. And 4 numbers are very easy to memorize. For all real-world payments, you need both the physical card and the code to do anything, so stealing just one of those doesn't help you at all.

Yes, that is what is called two factor identification.

However, your CC still has that magnetic strip, so it can still be compromised in every way it could be before you got the chip+PIN. Adding an alternative way to use your CC does not increase the security of the CC, it actually decreases it (because it opens up another attack surface).

On top of that, man-in-the-middle attacks make bypassing the PIN requirement possible, with a backpack, some wires, and holding the terminal such that you can introduce some electronics between your card and the terminal (and merchants often leave you alone with the terminal, so that's easy). Your belief that they need a PIN isn't true -- the card turns out to be enough to use the chip at a terminal, fooling the terminal into thinking it got a PIN, and fooling the chip into thinking it was a signature based transaction.

Annoyingly, I already mentioned much of the above in my previous post (not the man-in-the-middle attack, but the point that adding new access methods decreases security). So you could have found out why some people dislike PIN, had you cared. :p

I guess that's different though for credit /debit cards with a pin for online payments. But that still beats having no passcode at all for online payments.

Except that it transitions from a "if your card is used fraudulently, you are not responsible" to a "if your card is used fraudulently, you are responsible" mode of security.

Plus, as each time you make a transaction you hand over your PIN, it isn't as if the PIN is all that secure. Do you know enough about 'net security that you are absolutely certain nobody has pulled off a man-in-the-middle, phishing or keylogger attack on you? (Hint: no you don't)

So now you have significantly increased your liability without a similar increase in your level of security.

This is a great deal for CC companies, as they get to shove more of the costs of card fraud down on the users. Which is why they love pushing it.

[Belial]

Seriously, I doubt I could design a worse payment system than credit cards if I tried.

......

paypal

The answer was looking you in the face the whole time.

[lucrezaborgia]

I don't carry cash on me ever as my propensity to loose it is way too high. If I loose my check card (what I call my Visa debit card) I can recover the money. While some people consider Bank of America to be the devil, I've had nothing but good service from them and anytime I had an issue with a transaction it was immediately reversed.

Paypal is of the devil tho. Disputes with them take forever to clear up and more often than not you will likely be screwed out of money. Their holding policy is insane and completely arbitrary.

[Yakk]

I suspect you need to wear more clothing with functioning pockets.

[lucrezaborgia]

I suspect you need to wear more clothing with functioning pockets.

More like constantly misplacing my wallet or forgetting to put it back in my pocket.

[Diadem]

To log in to my internet banking system I need both my pin and my physical card. Makes it impossible to hack even if someone had complete control over my pc, so that's a pretty nice system.

Wait, how do they verify you have a physical card when you are doing internet banking? (There are ways to do it, like having a card that generates challenge-response keys, but I'm not aware of many companies that issue these for bank accounts).

When you sign up with my bank, they send you a little card reader for just that purpose. You log in to their website and it gives you a code. You put your card in the card reader, enter your PIN, then enter the code, and it gives you a new code that you enter in the website. The code is one-time use, and you need to authenticate yourself this way when logging in, and once again when finalizing payments.
So to get access to my account you need my account number, a card reader, my PIN and my physical card. The card reader is generic, all customers get the same one, and my bank account number is semi-public (you give it to others when they need to make payments to you). But the PIN and physical card is still a very solid 2-layer security. And hacking my pc will do absolutely nothing.

Other banks use different systems. One other major bank in The Netherlands uses an ordinary username/password for logging in, and TAN codes to finalize payments. Not nearly as secure if you ask me, and a constant hassle to keep your codes up to date. But still beats credit cards

I'm not sure why people dislike PIN. Sure it's only 4 numbers, so 10K possibilities, but a brute force attack is still impossible since your pass gets blocked after 3 failed attempts.

Thus, all you need to do is make ~3K attacks against distinct accounts, and you get into one of them (at random). Do so over ~3K IP addresses, and nothing shows up. With 3 failed attempts, you can just do an attack every month or two, and people who use their account will nicely reset their attempt timer (and those that don't, well, you just stop using them).

You need to steal 3k passes then. If you can do that without getting caught it's probably easier to just steal money directly.

I'm starting to think though we are not quite on the same plane here. You seem to use PIN exclusively for online transactions. Here in The Netherlands PIN is exclusively used for off-line transactions. No one would enter their PIN online. No bank requires it, and giving your PIN to a third party is unthinkable.

Annoyingly, I already mentioned much of the above in my previous post (not the man-in-the-middle attack, but the point that adding new access methods decreases security). So you could have found out why some people dislike PIN, had you cared. :p

But what you mention are not really inherent problems with PIN, but problems with the specific implementation that your credit card company chose, and their updated TOS. I assure you no such problems exist over here. But I concede your point that adding a PIN is not an improvement if it's done the way you describe.

Which is kinda strange, to be honest. There have been good, secure implementations for off-line payments for all over the world for decades now. It shouldn't be hard to just copy one of those wholesale. And the same is true for online payments, albeit for a slightly shorter timespan.

Seriously, I doubt I could design a worse payment system than credit cards if I tried.
......
paypal

The answer was looking you in the face the whole time.

Is paypal such a bad system? I've heard some pretty bad stories about the company, which can be a good reason to avoid using it. But the system itself seems to work pretty well. Not very secure, it's still a normal username/password challenge that is vulnerable to hacking or phishing. But compared to credit cards at least you don't have to hand over personal information to other websites, and the authentication process is more than "None at all". Not that I'd recommend the world adopt paypal. Certainly not.


Here in The Netherlands we have a very good system called iDEAL. Apart from the fact that noone else in the world uses it, it seems to be the perfect system. When paying online, you select 'iDEAL' as a payment option, then select which bank you are using, and it redirects you to a website of your own bank where you can pay using whatever security system your bank uses for internet banking (the aforementioned card reader in my case). Payment is instantaneous, and after you've finalized it you're redirected back to the website you were paying on, and they immediately confirm getting your payment.

The system is very secure, it uses the full security of your own bank. You don't need to give out personal information to anyone, not even a third party. Payment is instantaneous. It is risk free for the payee as well, since they get their money immediately, nothing can bounce. Also very simple to implement from their end, it's basically a redirect link, that's all. I guess your bank needs to implement it, but they should be used to handling large amounts of money securely.

It's a perfect system. I can't think of a single downside. I honestly don't understand why similar systems aren't used worldwide.

[Jorpho]

Things sure do sound different where you are.

Don't you still get phishing scams in your E-mail purporting to be from your bank?

[Belial]

Is paypal such a bad system? I've heard some pretty bad stories about the company, which can be a good reason to avoid using it. But the system itself seems to work pretty well.

The system is bad because it allows the company to behave the way it does.