
Several sites require me to input far too many personal details in order to register. This now includes phone numbers, which they have zero legitimate uses for - they are never used after the initial validation step - but when their database is leaked we're the ones getting smished.

The latest trend is to require a credit card to create an account, even a free one. What used to be an obvious smell to detect scams is quickly becoming the norm.

Unlike phone numbers, websites are not supposed to store credit card information, but it is not clear what they are allowed to do with any information they receive from a credit card transaction.

This leads me to the question: when I provide credit card details to a website and they make a USD 1.00 or USD 0.00 transaction, what exactly is going on? Just how much information are they getting from me?

I'm okay with providing Visa or Mastercard with my details - I'm sure they already have them all so they only need to double-check them - but I'm not comfortable providing details like my full name, home address, phone number and payment e-mail address to online merchants that are simply providing me with digital services (say, Dropbox, HumbleBundle, Packt or Pluralsight, to name a few who recently had access to my credit card information).

The reason for this question is that I found out that my personal phone number was included in the recent LinkedIn leak, and scam attempts (smishing and fake support calls) have increased drastically in the past few months and they often pretend to be coming from my previous workplace - the one listed as "current" in the LinkedIn leak, even though my LinkedIn page is already updated. I directly attribute these recent calls to this leak.

I never provided LinkedIn with my phone number, not even for 2FA (especially since Twitter's notorious abuse of 2FA information for ads), or installed any LinkedIn app. I did subscribe for the 30-day trial, in which they required me to add my credit card, on which a 1 USD transaction was made and reverted. I can only assume this to be the vector they used to obtain my phone number.

user269261
  • I am afraid I missed the point here. But for the question I could understand, merchant sites receive exactly the information that you gave them, neither more, nor less. – Serge Ballesta Oct 29 '21 at 08:56
  • I may have ranted a bit. The core question is "how much information about me do payment platforms provide to the merchants?". I don't think merchants make a USD 1.00 transaction to ensure I have funds. They do it to validate identity. So, how much information is revealed in this process? – user269261 Oct 29 '21 at 10:51
  • The only valid information returned by the operation is that you provided a valid bank account and that you are likely to own it because the operation was possible and was not cancelled. The goal of the operation is just to make sure that you provided valid information. Merchant sites are really afraid of rogue customers that would provide an invalid account or an account belonging to someone else... – Serge Ballesta Oct 29 '21 at 11:50
  • ... The reason is that if they cannot prove that they use *serious* protocols to control the identity of the client they will lose their money. The bank will cancel the transaction if the real owner of the account can plausibly pretend that they did not command anything unless the merchant can **prove** that they did. Said differently **they** have to provide a proof. – Serge Ballesta Oct 29 '21 at 11:52

1 Answer


When you perform a card transaction online, the merchant will be able to tell if you have a valid card account with an issuer somewhere, and if that account has a balance that's more than the amount charged (usually ~$1.00).

No further information is gleaned other than what you explicitly provided the merchant. The merchant would be able to tell if the card is Visa/Master and may also know the issuing bank, and perhaps even the type of card. But this is from the card number and not the transaction itself.

When the transaction occurs, the request is sent from the merchant's system to the acquiring bank (this is the bank that has a relationship with the merchant -- or some intermediary like PayPal etc). The acquiring bank then forwards that request to the network (VISA/Master), and it finally reaches the issuing bank (the bank that issued the card to the customer). The issuing bank, as the final holder of the risk, will either approve or reject the transaction. It does not provide any further information about the customer in the response -- mostly because it doesn't need to; neither the merchant, network nor acquiring bank need anything more than an accept or reject.

keithRozario
  • Sometimes there can be a few extra indicators in the reply, such as one for "this is a commercial card", in case the merchant needs to treat it differently. But it's all about the _card_, not the _cardholder_, and there's not very much of it (when it exists at all). – Bobson Oct 31 '21 at 00:00
  • At least in the case of PayPal, the buyer's e-mail address is also disclosed to the merchant. I have a dedicated address for PayPal, which I intended to keep private, but one of the places I shopped (with PayPal) started sending their newsletter to both addresses - the one registered in my account, and the PayPal address. – user269261 Oct 31 '21 at 03:09
  • As for the card transactions: is this a standard, or may bigger merchants obtain special privileges with more information? In most online transactions, I'm not placing my card information in the merchant's website, I'm placing it on an iframe from a payment network. In these cases, I'm not sure the merchant is even able to see the card number - I don't think that's supposed to happen. But in some cases, the merchant is able to find out that a card number was reused (happened when I created a second Microsoft Azure account, and the free trial was denied because they detected the repeated card). – user269261 Oct 31 '21 at 03:18
  • @user269261 - Yes, Paypal gives the merchant your email address, physical address, and other information about you. I think it says that on the payment window. For Microsoft, you probably ran into [PAR](https://www.securetechalliance.org/secure/events/20160404/CORAL-SEA-1-2_WED_1045_SRIVASTAVA_SCA-Payment-Summit-Tokenization-PAR-presentation-April-6-Chandra-Srivastava-Visa.pdf) or an equivalent. It's a unique number that _represents_ your card number, but can't be used for anything other than matching to other transactions. It can be returned when doing a transaction, if requested. – Bobson Oct 31 '21 at 14:36
  • Plus, if the merchant is big enough, they may just take the card data themselves, rather than using a third party to collect it. PCI doesn't prohibit merchants from seeing card data - it just puts very expensive restrictions on how it can be done, that most merchants don't want to bother with, and puts the liability on them if there's a breach. – Bobson Oct 31 '21 at 14:38
  • Indeed, PAR explains perfectly the situation. I was not aware of it. That's the kind of information I'm looking for. Where bigger merchants (which take the card information themselves) ask my physical address in the credit card page, they may require it to validate the card? HumbleBundle required my physical address even though I was obtaining digital goods (so the address should be irrelevant for them, but becomes a liability for me should they ever be hacked), and they denied the transaction due to a wrong address (turns out, in 2016 I had to provide Revolut's address and not mine). – user269261 Nov 01 '21 at 03:01
  • Would you say that, even if I provide the merchant my credit card information directly, they only get information about the card but not about the cardholder? So, no phone numbers or physical addresses? Even with technologies like 3D Secure, which send SMSs to my phone number, this stays within Visa/MasterCard networks and is not disclosed to the merchants? – user269261 Nov 01 '21 at 03:08
  • I thought in USA (but not Europe and Australia) physical addresses are provided? That's part of Address Verification Services? See https://en.wikipedia.org/wiki/Address_verification_service – Darryn Brisdaz Jul 19 '22 at 22:45
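As an added illustration of the four-party flow the answer describes (merchant to acquirer to network to issuer and back) and of the card-level indicators raised in the comments (commercial-card flag, AVS result code, PAR), here is a constructed Python model; it is not code from the original post or from any payment network. The BIN table, issuer ledger, PAR derivation (an HMAC under a network-held key) and the AVS codes are simplifying assumptions, not the real schemes; the point it shows is which party holds cardholder data and what the merchant actually gets back.

```python
import hashlib
import hmac

# Constructed sample data (not real cards): BIN prefix -> (network, issuer, product type).
BIN_TABLE = {"411111": ("Visa", "Example Bank", "consumer"),
             "555555": ("Mastercard", "Example Corp Bank", "commercial")}
# Issuer-side ledger: only the issuing bank holds balance and cardholder address data.
ISSUER_LEDGER = {"4111111111111111": {"balance": 50.0, "addr": "1 Main", "zip": "90210"},
                 "5555555555554444": {"balance": 0.5, "addr": "9 Elm", "zip": "10001"}}
NETWORK_PAR_KEY = b"constructed-network-key"  # placeholder for a secret held by the network

def merchant_view_of_pan(pan):
    """What a merchant can infer from the card number alone (BIN lookup), before any transaction."""
    return BIN_TABLE.get(pan[:6])

def issuer_authorize(pan, amount, avs_addr, avs_zip):
    """Issuing bank: the only party that knows the cardholder. Replies with a minimal result."""
    acct = ISSUER_LEDGER.get(pan)
    if acct is None:
        return {"approved": False, "reason": "no such account"}
    # AVS compares the merchant-supplied billing address against the issuer's record and
    # returns only a match code (simplified: Y=both, A=address only, Z=zip only, N=none),
    # never the address on file itself.
    addr_ok = avs_addr == acct["addr"]
    zip_ok = avs_zip == acct["zip"]
    avs = "Y" if addr_ok and zip_ok else "A" if addr_ok else "Z" if zip_ok else "N"
    return {"approved": acct["balance"] >= amount, "avs_result": avs}

def network_route(request):
    """Card network: forwards to the issuer, then adds card-level (not cardholder) indicators."""
    resp = issuer_authorize(request["pan"], request["amount"],
                            request["avs_addr"], request["avs_zip"])
    _, _, product = BIN_TABLE.get(request["pan"][:6], (None, None, None))
    resp["commercial_card"] = product == "commercial"
    # PAR modelled as an HMAC of the PAN under the network key (assumption, not the real scheme):
    # stable per card, so a merchant can recognise a reused card, but not reversible to the PAN.
    resp["par"] = hmac.new(NETWORK_PAR_KEY, request["pan"].encode(),
                           hashlib.sha256).hexdigest()[:16]
    return resp

def merchant_authorize(pan, amount, billing_addr, billing_zip):
    """Merchant -> acquirer -> network -> issuer and back; returns exactly what the merchant learns."""
    request = {"pan": pan, "amount": amount, "avs_addr": billing_addr, "avs_zip": billing_zip}
    return network_route(request)  # the acquirer is a pass-through in this model
```

Run `merchant_authorize("5555555555554444", 1.00, "wrong street", "10001")` and compare it with the same card at a different amount and address: the response changes only in the approval and AVS fields, and the PAR stays constant, which is all a merchant needs to spot a reused card.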