Comments on: (In)secure payment with credit cards

By: Swapnil Pathare

Swapnil Pathare — Mon, 19 Jan 2009 06:07:15 +0000

@Kiran: The 2-factor authentication I talk about is for Internet Banking, not for card payment, so the authentication is something-you-know (password) and something-you-have (debit card). How is this an illusion of security?

By: Kiran Kashalkar

Kiran Kashalkar — Sat, 17 Jan 2009 14:46:14 +0000

2 factor authentication cannot be based on numbers on the very same card that can be stolen.

It has to be with another device that generates OTP’s.

ICICI gives an illusion of security, but it actually is only an extra annoying step on the way to authentication.

By: Swapnil Pathare

Swapnil Pathare — Fri, 16 Jan 2009 08:30:40 +0000

@Vimal: Very true, but for expenses greater than a few hundreds (which you will begin to incur after marrying ) you start relying on cards instead of cash

By: Swapnil Pathare

Swapnil Pathare — Fri, 16 Jan 2009 08:29:18 +0000

@Dev: As you have mentioned within your post, one needs to check his CC statement daily to ensure that he catches a fraudulent expense. However, as long as its “in the pipeline” (CC company has not transferred the amount to merchant) it can be stopped. If not, you lose. No insurance in India against such payments, as far as I know.

By: Swapnil Pathare

Swapnil Pathare — Fri, 16 Jan 2009 08:27:15 +0000

@Swapnil: You can remove the CVV number, I believe. I will post any link if I find, but I do not think erasing or scratching out your CVV affects the card operation in any way.

By: Vimal Kumar Gupta

Vimal Kumar Gupta — Thu, 15 Jan 2009 15:30:37 +0000

The only thing you can do to save yourselves from getting cheated is not to use credit card. I used credit card only on reputed company’s websites. And hardly use it at any shop.

By: Dev

Dev — Thu, 15 Jan 2009 15:22:02 +0000

Hey Swap,

Until CC companies themselves bear the brunt of fraudulent expenses, you can be assured that your CC experience will never be secure.

Most CC companies in the USA, just required you to make a phone call to them (wait endlessly for the operator) and report the fraudulent transaction. They wont charge you for the fraudulent expense, and the only other inconvenience to you would be not using that CC till you get a replacement card (With a new number).

This means that you have to continuously monitor your CC statements regularly and look out for unrecognizable expenses.

By: Swapnil

Swapnil — Thu, 15 Jan 2009 13:44:19 +0000

Nice read Swapz.

I endorse the Netsafe virtual card provided by HDFC.
It basically generates a virtual credit card that can be used only once.

Securecode is useless though, since you get the securecode password screen only after you have entered all the CC details on a site.
So securecode only tells you that the site was safe/unsafe after you have given out your details (including CVV)

Regarding offline uses by CC, never let it slip out of sight. (Not always practical in restaurants/ petrol pumps)
One option is to get a CC with very small credit limit and use it for all offline purchases.

Swapz,
I was wondering if one can delete the CVV number with indelible ink?
That would make offline usage a bit safer.
But would doing so render my CC invalid? Can you find out the answer to that?

By: Guru

Guru — Thu, 15 Jan 2009 12:57:39 +0000

Regarding your comment to the additional “Security” measures while settig the secure password, the birth date also needs to be inserted before setting the new password. I guess HDFC has also cone up with some picture related security. I had to selet three picture out of a available set of pictures and they will prompt me the images to select, before allowing me inside.

By: Swapnil Pathare

Swapnil Pathare — Thu, 15 Jan 2009 10:10:52 +0000

@Anil: The answer is to have the user decide what password he wants, and how long he wants it. Security can’t override the very service which is provided. More on this in my next posts