
An online company from which I regularly buy goods apparently recently upgraded their security policy.

Let's say I bought something for 73,31€. As usual this company uses 3D-Secure for the checkout process and will actually process the payment only upon shipment a few days later.

The shipment confirmation email contained a strange notice I could translate as follows:

  • Amount ordered: 73,31 €

Within the framework of the reassurance of the online payments we proceeded to the following operations:

  • Amount charged on your credit-card: 73,41 €
  • Amount credited on your credit-card: 0,10 €

The amount additionally charged appears to be random and varies from a few cents to a few euros.

I'm wondering what threat they are protecting against?

  • They received the payment, so they got the money.
  • They used 3D-Secure for a relatively low amount, so the transaction is largely covered by the bank in case of fraud.
  • It seems they are checking that the card used for the payment can also process a credit, maybe a way to detect prepaid or one-time payment cards, but again: what's the point since they got the money? By the way, they also had to create a new page for the users of such cards a few weeks after deploying this system, "Due to technical restrictions" as they stated it.

I just do not understand the threat they are trying to avoid, or maybe it is just some security theater made to impress customers with some crappy but unique security measure?

Eric G
WhiteWinterWolf
  • I would not be very happy with a company that does bookings like that. Now my bookkeeper can't find the 73.31 payment in my records, and has to handle *two* transactions for each payment. And the tax auditor will ask me what all those 0.10 micropayments are doing in my transactions. –  Oct 26 '15 at 11:00
  • BTW *Within the framework of the reassurance of the online payments we proceeded to the following operations* Weird language. What country is that company based in? –  Oct 26 '15 at 11:03
  • @JanDoggen I'm probably the culprit for the weird translation ;), even if the original French text sounds very pompous too: "*Dans le cadre de la sécurisation des règlements bancaires en ligne nous avons procédé aux opérations suivantes*". – WhiteWinterWolf Oct 26 '15 at 11:12
  • Mmmm. No Google results for that French phrase either... –  Oct 26 '15 at 11:20
  • I'm wondering if they did a 0.10 auth with 3DS to verify your card, then did a repeat payment for the full amount when the item shipped. IIRC the only way they can take the full payment with 3DS in this scenario is to place a hold on the funds and collect it once they ship (much like swiping your card in a hotel: they don't charge you, but it's authed in case they need to), or by taking 0.10 to verify 3DS, then a repeat payment for the full amount later. Though that doesn't explain why they didn't charge the full amount less 0.10. – Jay Oct 26 '15 at 12:13
  • @Jay It always used to be as you describe: they take the full payment through 3DS to place a hold on the funds, and collect them once they ship. If it weren't their "explanation", I would just think of some issue with the total amount causing a 0.10 refund, but since they clearly state this is for security reasons, I cannot keep myself from wondering which security they are talking about... – WhiteWinterWolf Oct 26 '15 at 13:34
  • @WhiteWinterWolf: what is this French e-commerce site? – WoJ Nov 01 '15 at 12:15
  • Amazon does the same thing - if I buy something for £30 then I find Amazon takes one amount of £30, and then another of £1 separately. They do refund the £1 though. I too would like to know what security this could possibly offer. – k1308517 Mar 30 '16 at 10:11
  • @WhiteWinterWolf is it always the same 0.10 credit amount, or a varying percentage of the total? Have you tried sending their support an email to ask them? – Wadih M. Feb 01 '17 at 02:16
  • @WadihM.: The amount is variable (from 0.10 to 2.00), and it is not to prevent the use of prepaid or single-use card numbers, as they had to create a dedicated page for people using them (*"Due to technical restrictions"*...). I wrote to their support but never had any reply on this subject (while I used to have quick replies for common order issues, so they clearly chose to ignore my question). I strongly think this is just some kind of very poor security theater, and I cannot tell if they are still using it since I have now stopped using their services. – WhiteWinterWolf Feb 02 '17 at 14:27
  • "I'm wondering if they did a 0.10 auth with 3DS to verify your card"- That's very possible, but against the rules. – B2Bpayments Expert Aug 24 '17 at 15:01
  • I am not sure if this applies, but just recently needed to authenticate a bank account I had with one bank, with another bank account that I desire to trade funds between. The authentication process can take a couple days and consists of the future transfer from bank sending a few very small transfers to the receiving bank account. Then after I verify the receipt separately, the authentication is complete and I will be allowed to transfer between the two accounts of disparate banks. This looks like that process, just faster, and oddly, in reverse order (large before small). – Brinky Oct 18 '17 at 20:50
  • If the amount is variable from 0.10 to 2.00 they could use the actual amount charged as a way of confirming they are speaking to the correct person and not an impostor in a customer service situation. For example they charge Alice 73,51 and credit her 0,20, whereas they charge Bob 73,61 and credit him 0,30. In a customer service situation the operator could ask Alice to specify the amount charged on her bill, and if "she" says "73,61" they would know they are not talking to Alice. Similarly, a completely naive impostor would guess the charge would be 73,31, not 73,51. – hft Oct 27 '17 at 00:34
  • @WhiteWinterWolf, if the amount is variable you need to edit the question and indicate that. If the amount is random and hard to guess, that could be a very important element of the security they think they are doing. Also, how much of the transaction did they use 3D-Secure for? – NH. Jan 10 '18 at 16:52
  • @NH: Question updated. I haven't had the occasion to order from them for a long time now, but I strongly think it was the complete debited amount, as otherwise I think I would have noticed (I always double-check the amount, and already noticed a travel company using 3D-Secure for a one-way ticket while ordering a round trip, for instance...). – WhiteWinterWolf Jan 13 '18 at 11:00
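The comments above sketch two readings of the "random surcharge, then refund" scheme: Brinky's micro-deposit verification and hft's idea that the odd charged amount doubles as a shared secret for a customer-service check. The following is an added example (not code from the site, the merchant, or any commenter) that models both so the strength of that secret can be put in numbers. It assumes the 0.10 to 2.00 EUR surcharge range reported in the comments, integer-cent amounts in the French `73,31 €` format used in the question, and a three-attempt lockout that is my own choice rather than anything the merchant is known to do.

```python
import math
import secrets
from dataclasses import dataclass

# Surcharge range reported in the comments (0.10 to 2.00 EUR), in cents. Assumed.
MIN_SURCHARGE = 10
MAX_SURCHARGE = 200
SECRET_SPACE = MAX_SURCHARGE - MIN_SURCHARGE + 1   # distinct surcharges: 191


def parse_eur(text: str) -> int:
    """Turn an amount written like '73,31 €' (French formatting) into integer cents."""
    digits = text.replace("€", "").replace(" ", "").replace("\xa0", "")
    euros, _, cents = digits.partition(",")
    return int(euros) * 100 + int((cents or "0").ljust(2, "0")[:2])


def format_eur(cents: int) -> str:
    """Inverse of parse_eur: 7341 -> '73,41 €'."""
    return f"{cents // 100},{cents % 100:02d} €"


@dataclass(frozen=True)
class Ledger:
    ordered: int    # what the customer agreed to pay
    charged: int    # what actually hit the card
    credited: int   # what was refunded right after


def settle(ordered: int, randbelow=secrets.randbelow) -> Ledger:
    """Charge the order plus a random surcharge, then credit the surcharge back.
    `randbelow` is injectable so the flow can be tested deterministically."""
    surcharge = MIN_SURCHARGE + randbelow(SECRET_SPACE)
    return Ledger(ordered=ordered, charged=ordered + surcharge, credited=surcharge)


def net_amount(ledger: Ledger) -> int:
    """The customer ends up paying exactly the ordered amount."""
    return ledger.charged - ledger.credited


class ChargeVerifier:
    """Knowledge-based check in the spirit of hft's comment: the caller must state
    the exact charged amount. With only SECRET_SPACE possible values, a lockout after
    a few failures is the only thing that keeps this from being a short guess list,
    and the value is single-use because it sits on a card statement forever."""

    def __init__(self, ledger: Ledger, max_attempts: int = 3):
        self._expected = str(ledger.charged).encode()
        self._remaining = max_attempts

    def verify(self, claimed_cents: int) -> bool:
        if self._remaining <= 0:
            return False                      # locked out: do not even compare
        self._remaining -= 1
        ok = secrets.compare_digest(self._expected, str(claimed_cents).encode())
        if ok:
            self._remaining = 0               # single use after a success
        return ok


def secret_bits() -> float:
    """Entropy of the surcharge: log2(191), about 7.6 bits."""
    return math.log2(SECRET_SPACE)


def guess_probability(attempts: int) -> float:
    """Chance that someone who knows the order total (it is in the confirmation
    email) hits the charged amount within `attempts` tries."""
    return min(1.0, attempts / SECRET_SPACE)


if __name__ == "__main__":
    ledger = settle(parse_eur("73,31 €"))   # order total taken from the question
    print("charged", format_eur(ledger.charged), "credited", format_eur(ledger.credited),
          "net", format_eur(net_amount(ledger)))
    print(f"surcharge entropy: {secret_bits():.2f} bits; "
          f"three guesses succeed with p = {guess_probability(3):.3f}")
```

Running it makes the point of the thread concrete: the customer still pays the ordered total, the bookkeeper sees two entries instead of one, and the "secret" the scheme produces is worth under eight bits, far less than the order number or postal address a support agent could already ask for. With a deterministic `randbelow` returning 0 the ledger reproduces the exact figures from the question (73,41 € charged, 0,10 € credited).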

2 Answers


Answering my own question to be able to flag it as answered and prevent it from popping up from time to time: this measure appears as a plain example of security theater.

Here are the elements leading me to this conclusion:

  • I asked their support team the reason behind this change: while they were usually quick to answer more usual questions, I never received any answer to this one.

  • The change was apparently clunky and not well thought out: they had to add a special feature to allow one-time and prepaid cards to bypass this measure a few weeks after enabling this system as, obviously, a section of their customers weren't able to proceed with the payment step anymore.

  • This process is exclusive to this website: this is a good thing to impress their customers but, from a technical point of view, it also means that no one else ever wanted or felt the need for such a system. It never takes long for new and genuinely effective security-related ideas to spread, in one form or another.

  • This process is directly noticeable by the end user, which is required for an effective security theater measure.

  • I never saw any advantage to this measure, and neither did any of the other Security.SE contributors over the last two years.

If anyone has some knowledge which could change this conclusion, feel free to add your own answer, but after two years I think I can safely put this one in the security theater bin, alongside other ideas resulting from "pseudo-security as a marketing argument", "you hired a too zealous security intern/company" and "we need to justify our budget".

WhiteWinterWolf
  • Your 5th point "directly noticeable" is a bit convoluted (note that it is also cyclic). A visible real security measure would be a good selling point too. –  Jan 16 '18 at 19:52
  • @JanDoggen: My point here was more how security theater implies visibility (that's the whole point of it). As you say, this doesn't work the other way around: visibility doesn't imply security theater. But the lack of visible signs is usually a good indication that the measure is not there for theatrics. – WhiteWinterWolf Jan 28 '18 at 16:51

I think I might throw some light on this matter. Some countries have strict laws against money laundering. By crediting back, they are making sure that the card is not a one-time payment card, gift card or prepaid card, as such a card cannot be traced back to the user who is purchasing the item. Moreover, it can also be used to make sure that, in case the card is stolen, the authorities can trace back the user.