Comments on: Credit Cards Failing Open

By: Brian Utterback

Brian Utterback — Thu, 06 Nov 2008 15:13:34 +0000

Recall that originally, the credit card system didn’t use authorizations at all. The credit card was checked manually against a list of canceled cards, and then it was assumed authorized, at least for all transactions below some threshold. Above that amount, the authorization was a manual phonecall.

Given that there are thousands of legitimate transactions for each fraudulent one, and there is a high cost in good will to needlessly denying a transaction, is it any wonder that a system failure would result in “Fail open”?

By: Christopher Gilbert

Christopher Gilbert — Thu, 06 Nov 2008 13:58:57 +0000

Was the expired credit card account actually billed, or did the requested transaction succeed in response only?

Curiosity compels me to to ask if the credit card service specifies a request limit on this sort of repeated failure. I could imagine that a TOS would require that an application throttle itself for such repeated failures; if the application ignored these rules, sending an “authorized” response without carrying out the transaction may be a quick way to entice the owner to fix the code.

By: None

None — Tue, 04 Nov 2008 14:31:12 +0000

Sounds much like the Android ToS. If the system fails to communicate, it assumes it is authorized.

3.7 Optimistic Delivery. To the extent that total unpaid Market Products are not material to total Market sales, the Market may choose to deliver the Developer’s Products to users without prior payment authorization when the Market Payment Processor cannot communicate with the user’s payment provider. If payment authorization fails, Market Payment Processor will send an email to the user requesting a different billing instrument. If the user never pays, Developer will not get paid for the previously delivered Products and Payment Processor will send a message to Developer in its settlement account that download has occurred but the user was not charged due to authorization failure.

By: Larry Seltzer

Larry Seltzer — Sun, 02 Nov 2008 14:38:57 +0000

You say the Amex logs showed the successful attempts, but did they show the repeated failures? Perhaps that’s all they saw in which case the fault is probably on the merchant end or some intermediary.

By: Chris Eng

Chris Eng — Fri, 31 Oct 2008 16:35:35 +0000

@Nate: They are the merchant, so I’d guess they were submitting the approval request to a card processor. I don’t know for sure though, it was a brief convo. The comment by “me” does seem to suggest it’s a design issue though, perhaps with a lower threshold for a card-present transaction such as the Metrocard system.

By: Nate

Nate — Fri, 31 Oct 2008 16:06:22 +0000

Chris, I’m not sure where your friend was submitting the cards for verification. On a retailer website? To a card processor? There are numerous parties in the chain, and it’s unclear where your friend was accessing the system. You need more details.

By: Credit Card On Credit Speak » Blog Archive » Credit Cards Failing Open

Credit Card On Credit Speak » Blog Archive » Credit Cards Failing Open — Fri, 31 Oct 2008 06:55:26 +0000

[...] Credit Cards Failing Open Problem solved. But that credit card weirdness is nothing compared to the one I’m about to describe. Before we do that, let’s take a moment… [...]

By: Chris Eng

Chris Eng — Fri, 31 Oct 2008 05:38:17 +0000

@Wim: Good point on the door locks. Most systems I’ve encountered though, you can always exit, you only need the card key to enter. In some large buildings you have to press a button on the wall to get out, but not swipe a card. Either way, if egress is card-controlled, then clearly the “people first” rule makes sense.

@me: Interesting. The plot thickens!

By: Andy

Andy — Fri, 31 Oct 2008 02:15:21 +0000

I’ll try and dig it up if I can.

By: me

me — Thu, 30 Oct 2008 22:24:59 +0000

When you buy a metro ticket in New York with your credit card you need to enter your 5 digit postal code as some kind of security measure. I still have an Austrian credit card and of course the system rejects the 4 digit postal code to which the card is registered. If I however enter the wrong code enough times (4 times or so), the system suddenly accepts the card.