Quarter Life Crisis

The world according to Sven-S. Porst

« Rue Royale LiveMainBerlin Weekend / Das Pop Live »

MasterCard® SecureCode™

909 words

I’ve got a cheap and cheerful credit card which is called MasterCard. I mainly use it for shopping abroad as we have a reasonably working system of money transfers in Germany - and even in the whole Euro-zone thanks to regulators.

For a while now, sites at which I tried to shop wanted to bully me into the MasterCard® SecureCode™ system. I don’t know much about banking, but as far as I can tell the situation is as follows: By and large credit cards are an anti-social way of paying for goods because some credit card company gets to keep a few per cent of the price for a service that may have been worth that kind of money in the 1960s or 1970s but which should be much cheaper today: assuring the person selling something to me that they’ll receive their money without forcing me to carry it around in cash. In particular, the system is based on the credit card company paying the money for you and you having to pay them back, hence the ‘credit’ in the name. Somehow retailers are not supposed (which probably means ‘forbidden by some legal junk’) to surcharge those fees to the person wanting to use a credit card and instead raise their prices for all customers to cover those charges. Yikes.

If you’re in a country which is technically reasonably advanced it’s feasible these days to just skip the whole credit crap and use a debit card which means that swiping the card should just cause a money transfer from your existing money to the retailer’s account. Much lower risks and, hopefully (well, just look at PayPal for a royal FAIL of that hope), lower fees. That seems like a reasonable thing to do when cash isn’t convenient enough.

One rather curious fact about credit cards is that you can use them without any sort of authentication. Go to a railway ticket vending machine, insert the card, pay for the ticket, done. Go to a store, swipe the card, scribble on the sheet of paper they hand you for ‘signing’ and you bought something. Type the card number and that extremely secret other three digit number from the back of the card into a website and you can order the most interesting goods! This system just seems idiotic and begs to be abused. Which it apparently is.

So far, credit card companies pay for most of that damage. It even seems that they have become quite good at doing statistic analyses of payments and knowing where numbers are likely to be stolen and how they will be used. Two of my friends received calls from their credit card company after returning from their holidays asking whether they just bought a kitchen (say) in Japan. Of course they didn’t and the credit card people suspected that. Yet, the damage caused by this has to be paid with our money at the end of the day, so perhaps simply having a less idiotic system would be helpful.

Of course ‘less idiotic’ is a concept that is alien to the banking sector. It seems that for what they call ‘better security’ they now want to force us to sign up for a ‘secret code’ of our own choice to ‘authenticate’ payments for online orders. It’s a code you can pick yourself, so it’s likely to be easy to remember or just the same as all your other codes. Perhaps convenient for you but also risky, particularly as the conditions read as if it’s your responsibility to keep that code secret. It sounds like the banks want to ‘improve’ their broken system by shifting the risk of its bad design to the users.

To add insult to injury, the SecureCode™ system looks particularly fishy. Not only do the terms and conditions state that data are processed in a data protection rogue state (U.S.A) rather than locally, it also seems to inject iframes into the payment web pages of the web sites you are using which connect to that SecureCode™ system. If I’m not mistaken, the concept of using frames on payment pages was developed by scammers. As modern browsers may warn about frames pointing to other servers inside an encrypted page, it seems that the query is redirected over the hosting server.

For example when trying to buy something at thalia.de, they ruin their user experience (and the chance of me actually clicking the ‘pay’ button) by injecting a frame from the URL: https://ssl.thalia.de/shop/buch_startseite_thalia/cciframe/?ACSURL=https%3A%2F%2Fsecure5.arcot.com%2Facs… which looks pretty much like their server is just forwarding the request to https://secure5.arcot.com/acspage/cap? with parameters RID, PaReq and TermURL. I have no idea about hacking websites, but why shouldn’t enterprising hackers consider this an interesting thing to fuck with? It looks like an invitation to fool around a bit.

And why do retailers agree to this? It makes interaction with their sites worse and removes a crucial part of it from their control (frames! unexpected scroll bars! language and looks they cannot control!), thus creating a massive potential for failure in completing the transaction.

I won’t deny that getting authentication right is hard. Making it safe and convenient may even be impossible. But it seems that they’re not even trying to fail at any of the real challenges but they simply put on some show which may save them extra money. That’s probably what you learn in MBA 101, but it doesn’t humour me as a customer.

February 20, 2010, 10:12

Tagged as bank, inconvenience, mastercard, security.


Comment by R.: User icon

Retailers agree because it makes the transaction count as cardholder present, which reduces their liability. http://www.cl.cam.ac.uk/~sjm217/papers/fc10vbvsecurecode.pdf

February 20, 2010, 15:07

Comment by ssp: User icon

Thanks a bunch for the link. Sounds like things may be even a little worse than I imagined.

Wondering whether it’s worth bugging my bank about this nonsense. But I suppose their global business interests are more profitable/important than my well-being…

February 20, 2010, 23:27

Add your comment

« Rue Royale LiveMainBerlin Weekend / Das Pop Live »

Comments on




This page

Out & About

pinboard Links


Received data seems to be invalid. The wanted file does probably not exist or the guys at last.fm changed something.