Credit cards are vulnerable to brute force kind attacks

Perceived Vulnerabilities of Credit Cards

  • A card number plus a short CVV is seen as an outdated, weak security model, essentially acting like a reusable password.
  • Attackers can brute-force or enumerate card details (card number, expiry, CVV) by spreading guesses across multiple merchants with weak anti-automation controls.
  • Some report compromises where the card was never “exposed” in normal use, suggesting pure guessing or systemic leakage.

Mitigations: Separate, Virtual, and Dynamic Cards

  • Many advocate a separate/low-balance card for online use, or virtual cards per-merchant/transaction with limits.
  • Services and banks offering disposable/virtual cards (including those with dynamic CVVs) are praised but described as niche or underused.
  • Some note these features have existed for years but didn’t “take off” because it’s cheaper for issuers to eat fraud.

Credit vs Debit: Fraud, Liability, and Lived Experience

  • One camp: credit cards are safer because your own money isn’t immediately taken; disputes feel less stressful.
  • Counter-camp: debit fraud protections (in some jurisdictions) are legally strong and often functionally equivalent in practice.
  • Several report months-long battles and partial/non-refunds on debit fraud; others say their banks or credit unions handled it instantly.
  • Strong disagreement on whether credit cards’ main downside—debt traps—is worth the upside; some see them as inherently predatory, others as universally beneficial if paid in full.

Brute Forcing, Fraud Detection, and Rate Limiting

  • Payment processors claim to detect “card testing” with ML and strict monitoring; others note attackers slow down and distribute attempts to evade detection.
  • Commenters stress rate limiting, anomaly detection, and IP blocking as key defenses, but say much of fraud prevention is still reactive.
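
Added example, not from the discussion: a sketch of why per-IP limits miss slowed, distributed card testing while a decline count keyed on the card itself catches it. The event fields, token names, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed: long window, so slowed-down probing still accumulates
MAX_DECLINES = 5               # assumed: declines per card within WINDOW before flagging
PER_IP_LIMIT = 3               # assumed: per-IP decline limit, for comparison

def sample_events():
    """Constructed events: (time, card_token, merchant, source_ip, outcome)."""
    start = datetime(2024, 1, 1, 0, 0)
    events = []
    # One card probed every 2 hours, each time through a different merchant and IP.
    for i in range(8):
        events.append((start + timedelta(hours=2 * i), "tok_A",
                       f"merchant_{i}", f"198.51.100.{i + 1}", "cvv_mismatch"))
    # A legitimate cardholder mistypes the CVV twice, then succeeds.
    t = start + timedelta(hours=5)
    events += [
        (t, "tok_B", "merchant_x", "203.0.113.7", "cvv_mismatch"),
        (t + timedelta(minutes=1), "tok_B", "merchant_x", "203.0.113.7", "cvv_mismatch"),
        (t + timedelta(minutes=2), "tok_B", "merchant_x", "203.0.113.7", "approved"),
    ]
    return sorted(events, key=lambda e: e[0])

def per_ip_flags(events):
    """Naive defence: total declines per source IP."""
    counts = defaultdict(int)
    for _, _, _, ip, outcome in events:
        if outcome != "approved":
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n > PER_IP_LIMIT}

def per_card_flags(events):
    """Sliding-window decline count keyed on the card token, not the source."""
    recent = defaultdict(deque)   # card_token -> deque of (time, merchant)
    flagged = {}
    for ts, card, merchant, _, outcome in events:
        if outcome == "approved":
            continue
        q = recent[card]
        q.append((ts, merchant))
        while q and ts - q[0][0] > WINDOW:   # drop declines older than the window
            q.popleft()
        if len(q) >= MAX_DECLINES and card not in flagged:
            flagged[card] = {"first_flagged": ts, "declines": len(q),
                             "merchants": len({m for _, m in q})}
    return flagged

if __name__ == "__main__":
    print(per_ip_flags(sample_events()), per_card_flags(sample_events()))
```

The per-card view is only available to a party that sees traffic across merchants, such as an issuer or processor; a single merchant sees one attempt and has nothing to count.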

3D Secure, Regional Differences, and Regulation

  • Outside the US, 3D Secure (often mandated by regulation like PSD2) is common and significantly reduces many attack vectors.
  • In the US, 3DS is rare; reasons cited: added friction, fragmented banking system, and misaligned incentives between issuers and merchants.
  • Some argue US law already strongly protects cardholders, leading banks to invest in backend monitoring instead of more user-facing friction.
  • Others highlight coordination problems: any single bank or merchant enabling stricter flows loses conversions to those who don’t.

Digital Wallets, Tokens, and Automatic Updaters

  • “Digital wallets” and card account updaters can silently keep recurring charges alive across card reissues, including potentially fraudulent ones.
  • One user discovered dozens of active “wallets/tokens” tied to a card; canceling them required a phone call and manual intervention.
  • Network tokens and automatic billing updaters are seen as double-edged: great for frictionless subscriptions, but can perpetuate stolen credentials.

Chargebacks, Liability, and Who Pays

  • At a surface level, consumers in many cases get made whole quickly; several people report near-instant reversals.
  • Others describe chargebacks being reversed after merchant disputes, banks siding with large platforms, and even account closures.
  • Discussion emphasizes that merchants often ultimately pay for fraud through chargebacks and fees, while banks recoup fraud costs via higher prices and interchange.
  • Some note that fraud costs are socialized into overall pricing; consumers “pay” for fraud indirectly even when individually protected.

System Design and Cryptography Critiques

  • Multiple commenters complain that the system relies on static PANs instead of per-transaction cryptographic keys or signatures.
  • EMV, 3DS, tokenization, and dynamic CVVs are viewed as partial fixes; commenters wonder why public-key–style models aren’t standard given modern tech.
  • Some argue that, economically, the current system “works well enough” for banks, so there’s insufficient incentive to overhaul it.