
> I don't understand how the imprints on websites help with scams. Could you elaborate?

In imprints there's an address that you can look up on the Handelsregister. If the HRB matches, and the Handelsregister's domain for the company matches, too... it's usually an indicator that the website is trustworthy (at least from a legal sue-able-in-case-of-fraud standpoint).

Example (never used the website before):

- https://www.deerberg.de/service/impressum

- Northdata.de entry checks out (public webservice of Handelsregister entries), with same domain(s)

- unternehmen24.info checks out (another public webservice of Handelsregister entries), with same domain(s)

- HRB checks out, it's in Lueneburg

- DNS records and whois point out it's locally hosted in Lueneburg, too.

- Googled Umsatzsteuer-ID, no other (unrelated, scammy looking domain) results

- Googled HRB, checks out as well

- Google Business Page on Google Maps checks out as well (which might be hijacked, so not trustworthy as indicator alone)

- Geschaeftsfuehrer check out as well

So yeah, I guess this page/company is legit. You could do this further with LinkedIn and other things like looking up phone numbers in Breaches/Leaks and match the records with the Handelsregister.

From an automation perspective this is still a lot of manual research that's necessary; and I guess that this is kind of the real issue at hand - that most people are too lazy to do this sort of background check before they buy something online.

But I guess depending on the financial value you're willing to spend some background check beforehand makes more sense if a fraud would financially burden your means of survival afterwards.



> that most people are too lazy to do this sort of background check before they buy something online

To be honest that does seem like an awful lot of detective work especially if this would be for a simple online purchase, particularly if the transaction value isn't that high.

In many countries you would typically pay online using a credit card or Paypal in which case the card issuer/bank/Paypal provides you with a degree of protection if a product doesn't turn up or isn't what you ordered.

In Germany I believe people still are used to there being the option to pay using "Vorkasse" (paying in advance, by bank transfer).

I've simply never understood why any buyer would want to assume all the risk by doing that.


Another popular payment option is to pay by invoice. Obviously this means the merchant assumes (almost) all the risk. Hence this option is not available most of the time.

As for the question why people would choose to pay in advance? From my experience it was because they didn't have a credit card and didn't trust/didn't want to have a business relationship with PayPal, leaving Vorkasse as the only available payment option.

Another point that has been brought up was the perception that the bank transfer would be more secure, as in "if they have my credit card info/PayPal account, they can just charge me at any time". The fact that bank account information also enables you to debit the account is curiously often forgotten.

Is this a particularly sensible position to take? Maybe not, but not everyone acts sensibly all the time.


Lots of websites in India also offer payment via bank account, including amazon.in. The benefit from my POV was the same as you describe. I don't want random websites to have my credit card info and I don't want to deal with paypal.

Paying by bank account doesn't mean handing over bank account info. But the merchant just redirects to your bank as part of the payment flow. The bank knows how much money the merchant wants and you authorize it for that one transaction. Bank redirects back to the merchant who confirms the payment was successful.

They can't make any further charges at a later date.


> Paying by bank account doesn't mean handing over bank account info

Tell that to the people behind the "Sofortüberweisung" [roughly: "Immediate bank transfer"] scheme - run by Sofort GmbH, now part of Klarna.

I've seen this offered several times but never (dared to) try it personally, but by all accounts* it works something like this:

At the merchant's checkout page you are offered choice of payment methods, Sofortüberweisung is on the list, you select it, then you end up on a third-party site(!) where you provide the login details to your bank account(!!) including PIN and/or one-time TAN(!!!). The third party site checks your balance, then executes a transfer to the merchant for the total of your cart, then confirms the transaction to the merchant.

When I first read about how this works, I assumed I'd understood it wrong. From a security PoV, doesn't this make one's skin crawl?

* sorry, pun intended ;)


Yep this flow is ripe for phishing. But I prefer it over just giving a card number that a merchant has the ability to store and eventually leak.

With bank payments I just have to be careful to check I am actually at the bank website when entering the login info. Makes me feel more in control.

I guess people in the west were already used to giving out their card info over the phone to make purchases so wasn't a big deal when online sites started doing it. In India credit cards were still not wide spread (still aren't) in the early 2000s.


> I prefer it over just giving a card number that a merchant has the ability to store and eventually leak

Even if you know that your card provider will refund you if the card leaks?

In the last decade I've twice had a credit card cloned, and twice I've been pleasantly surprised how quickly the card provider a) detected the issue, b) blocked the old card and re-issued a new card, and c) refunded the fraudulent transactions.

Based on that, I'd trust my credit card provider far more than my bank(s).


Which cards are you using? AMEX? For the most commonly accepted schemes in Europe, i.e., Visa and MasterCard, requesting a chargeback typically goes through your card issuer which almost always is your bank.


> requesting a chargeback

Don't chargebacks typically involve a dispute between buyer and merchant? In neither of the instances where I personally experienced card fraud was the typical chargeback process invoked; both times I had to confirm which recent transactions were and weren't "mine", and after that the card provider did all the running. The second time I had many thousands of euros of fraudulent transactions refunded onto my account within 48h of the fraud being detected by the card issuer.

> your card issuer which almost always is your bank

Sorry, I wasn't very clear. I trust how credit-card-issuing-banks (in my case it was Barclaycard ie Barclays PLC) treat their card customers more than I trust current/checking/giro account banks treat _their_ customers.

It makes a lot of sense when you think about the underlying incentives to treat customers well.

Changing your current/checking/giro account can take quite a lot of work and has the potential to cause problems for a long time.

Applying for a new credit card takes a few minutes and the entire process is complete in a few days.


Well, to be frank, when you provide someone your credentials you open yourself to a new world of pain.

But this is also the case when you allow your bank to aggregate info from other banks. At least you can hope that they protect it somehow (because of bank regulations, but this is a very thin hope)


> Paying by bank account doesn't mean handing over bank account info.

It's nice that it works that way for you, but it does in Germany. You don't need to hand over your login information or anything, but wiring money in any form means that they have your account number. The account number is sufficient to debit the account at a later point. Obviously they're not allowed to do that without your explicit consent, but a malicious actor could.


If you mean that some organization (not an individual) could Direct Debit you, then you have to give your bank an explicit agreement for that.

If you do not, you reject the payment and it is now the bank's problem.

An IBAN is never a secret.


Yes, you can have the charge reversed, but they can still make the charge initially. In that sense it is no different from a credit card: if they have your info, they can charge you again and you can have the charge reversed.


Direct Debit requires a special license - this is not something any company can do. Making a fraudulent charge will have this license revoked.

The authorization from the person being debited is required but in practical terms it does not always happen. People request DD and then forget to do the paperwork (today this is better because more and more DD agreements are arranged electronically). The bank will then allow the DD without the paperwork to make it easier for everyone (and ask for the case to be fixed). In any case this is their risk but in the vast majority of cases it works.


> Making a fraudulent charge will have this license revoked.

Absolutely, but the same is true for credit card charges as well. Your acquirer will terminate your contract if you make fraudulent charges against credit/debit cards.

I am not arguing that you shouldn't wire money or use direct debit. I am just pointing out that it carries much of the same risks to the consumer as using a credit or debit card. (Which is virtually none since you can have charges revoked.) This observation is, in my opinion, relevant since many people in Germany seem to think that one is much safer than the other.


The main difference is that in order to have Direct Debit capacities you must have a special, tight arrangement with the banking system. A generic company does not have this possibility.

So if I find your IBAN, the work I would need to put in place to get money from your bank would be enormous (= securing the DD arrangement with the bank).

If I know your CC number, I can easily cash it out (by making a payment out of it, or by registering a PCI account, e.g. with Stripe).


> by making a payment out of it

I fail to see the difference here. If I have your IBAN and you haven't universally disabled direct debit on your account I can also use it to pay for something, for example by ordering anything I want from Amazon.

> eg. with stripe

Funny that you should mention Stripe specifically. You can accept SEPA direct debit payments with Stripe: https://stripe.com/docs/sources/sepa-debit

It is possible that the compliance requirements around this are slightly higher than for accepting only Credit Cards, but looking at the documentation I don't see any indication of this. Further, credit/debit card payments are subject to SCA whereas direct debit is exempt from SCA if the mandate is given directly to the payee without involvement of their PSP.


> If I have your IBAN [..]

Bank account details aren't typically regarded as (worth keeping) secret, to the extent that many businesses are happy to stick their IBAN on their website.

Credit card details, on the other hand, aren't ever published in this way.


> Bank account details aren't typically regarded as (worth keeping) secret

This is precisely my point. People are not terribly worried about others (including merchants) knowing their IBAN. They are worried about their credit card.

However, a malicious actor can cause you much of the same trouble with your IBAN as they can with your credit card number. It is therefore illogical, in my opinion, to be worried about one much more than the other.

> to the extent that many businesses are happy to stick their IBAN on their website.

These accounts almost always block direct debit, therefore they don't run these risks.


> a malicious actor can cause you much of the same trouble with your IBAN as they can with your credit card number

I disagree with this.

A malicious actor may be able to cause some trouble if they have your IBAN, but it would appear to be significantly harder to steal money _and get away with the crime_ using an IBAN compared with someone's credit card details.

In the Jeremy Clarkson story from 2008, someone set up a direct debit to a charity using bank account details.

Given the hoops you have to jump through to be able to set up a direct debit - and knowing that KYC would apply to the receiving bank account - it would appear to be significantly harder to profit from money withdrawn in this way.

With a stolen credit card you can purchase something online from a merchant that isn't obliged to do any KYC checks and the fraudster is gone long before the crime is detected.


In India having somebody's bank details is not enough to debit it. Many businesses post their full account numbers and IFSC codes (sort of like a sort code) but with that info people can only send money into their account.


> From my experience it was because they didn't have a credit card [..]

[It's a while since I lived and worked in Germany] are there many people who have a current/checking/Giro account but where there isn't a standard payment card linked to their account which is also a Visa or Mastercard compatible card?


Your standard checking account will (almost) always come with a girocard, which is a national debit card scheme. It can be used to pay in stores, but not online. These cards are typically co-branded with either Maestro or V-Pay, so they can be used on the MC/Visa networks if you're outside of Germany. However, the latter functionality is also restricted to card present transactions. You just cannot use these cards to pay online.


> girocard [..]

I'm sure you understand this better than I do (and I don't just mean because of the language!) but aren't banks like Sparkasse offering any online payment functionality with Girocard?

eg:

https://www.sparkasse.de/unsere-loesungen/privatkunden/bezah...

"Mit giropay können Sie sicher online bezahlen" (freely translated): "you can pay safely online with giropay"


Banks are offering online payment functionality with giropay and other solutions. This is, however, a fully separate product with a similar name. It was quite late to the market and isn't universally supported by online shops. It doesn't come with your girocard, is also not supported by all banks, and requires that the customer use online banking.

I would venture that the intersection between people who prefer to wire the money in advance and people who do not use online banking is quite big.

EDIT: The old iteration of giropay (I'm not yet familiar with the new one) was quite similar to Sofort (previously Sofortüberweisung) except not run by a third party, but by your bank. It executed a normal wire transfer and confirmed to the merchant that the transfer had been ordered. In that sense it has the exact same risks as normal "Vorkasse", but did not incur the day of delay for the transfer to go through.

