Personal Finance & Money Asked on March 29, 2021
In movies and in fiction, government agents, mom’s basement hackers, evil villains, etc. often are able in minutes to tell stuff like "twenty minutes ago she rented a boat in Snow Hill" or "he bought two chicken lettuce sandwiches in Subway at Waverley rail station".
In fact, is it even possible in real time to connect to various payment networks? Also, will not the transaction only say ‘£88.50 at McGregor Inc., Snow Hill’?
What if he has cards under different names? What is actually tracked? I have a card J Smith, another one Jane Smith, third Mrs J K Smith and amex Dr Jane Knutt Smith. The first two have the billing address at my parents.
Government agents, Mom's basement hackers, evil villains etc. have hacked into your PC/phone and so know your CC numbers, and so which banks (or AMEX, if you have a charge card) to hack into.
You're right that the transaction only say '£88.50 at McGregor Inc., Snow Hill' (technically it might just be a "hold" on your card for that amount), but -- given enough other information -- they might be able to infer that you rented a boat at McGregor Inc in Snow Hill, because that's what McGregor Inc in Snow Hill does: rent boats.
As an aside, maybe I just read and watch "better sorts" of fiction, but I don't recall things like "twenty minutes ago she rented a boat in Snow Hill" being a plot point. It's always, "his card was used at McGregor Inc. in Snow Hill; the amount was £88.50."
Answered by RonJohn on March 29, 2021
There are several questions here.
Is it possible to connect to a payment network in real time?
Well, yeah, that's pretty much part of the definition of a payment network. In a standard transaction, a merchant connects to the network in real time when it processes a purchase. That real time connection is the main value of a network to the merchant and one of the main justifications interchange: if the transaction is authorized by the issuer, the issuer generally (at least for in-person, chip transaction) has the main liability for fraudulent transactions. The merchant is free to take transactions without real-time authorization, but there's generally some loss of protection for fraud. One use case for this is on-ship commissaries; the ship might not be able to connect with the network, but fraud isn't much of a worry.
Can a hacker read transaction information?
There's no way to say for certain that there are no unknown vulnerabilities. Obviously if there were generally known methods, they would be patched. And the real-time databases have an especially large amount of security.
Do the networks know what you bought?
No, the networks know the card number, merchant, time, and amount, but the standard transaction message doesn't have field for items purchased. If the merchant is itemizing the purchase, they are either using fields that allow custom entries or communicating through a method other than standard transaction messages. And of course if the merchant has limited number of products, then someone with access to the transaction amount might be able figure out what was bought. For instance, if someone spends less than two dollars at a gas station, they likely bought something from the attached convenience store rather than buying gas, and theoretically one could get a list of all the items with that exact price.
Answered by Acccumulation on March 29, 2021
CC transactions usually have Merchant Category Codes attached; e.g. "4457 Boat Leases and Boat Rentals". A MCC is a 4-digit code that provides an approximate description of the type of expense.
Connecting to the payment networks in real-time is definitely possible; most transactions nowadays are online.
How the hacker determines which card numbers to track is up to the hacker. The hacker would not track "Dr Jane Knutt Smith" directly. Instead, the hacker would need to find card numbers, possibly of different CC companies, and then try to track those. Finding these numbers is not an exact science.
Answered by MSalters on March 29, 2021
Depending on the merchant, yes, it is possible to see what items were purchased. Credit card payments can have 3 levels of data sent from the merchant to the processor. If the merchant sends Level 3 data, it will include things like the line items on the purchase.
As far as being able to track purchases in real time, governments could get court orders for the payment processors to share any data they have on particular accounts, and larger processors would probably get enough of these requests to have infrastructure to share this data quickly.
Answered by djheini on March 29, 2021
In movies and in fiction
That's where dramatization and fiction come into action. It reminds me the scene in Ron Howard's Inferno where Mr. Langdon's rental car is tracked real time.
In the real world (the "online world" is more real than we percieve), you should be aware that everything we do leaves traces. Traces that can be "traced back" using proper software. Real time is another thing.
There are multiple traces that you have done a transaction '£88.50 at McGregor Inc., Snow Hill'
. Especially at the bank issuing the credit card. We are now discussing whether it's possible or not to link those traces real time and who could.
In the financial world, there is not a single central database of transactions, but a multitude of entities have separate databases that don't all talk with the same interface, nor with a central authority, not real time. Even if the "three sisters" VISA MC and AMEX have a single huge database of transactions, they are three databases and you should be able to link these three. They are not banks, they provide routing to issuing banks, which provide authorization and settlement for transactions.
Both ACME Bank
(issuing bank) and McGregor Inc.
(merchant, who owns a CRM software) have this record. Double linking all banks or merchants all around a country
is not possible. And let's see why.
Banks and regulators
In a number of countries, especially in EU (please add comments for US) banks are required to periodically report to Government agencies (e.g. IRS) about their customer and transactions. But 1) reports are aggregated and 2) they are periodic.
It means that there won't be a single State database where you can find J. Smith purchased £88.50 at McGregor Inc.
. And you (law enforcement) can access data only on a monthly/quarterly/yearly basis.
This because the privacy rules pose strong limits on what the self State.
The interesting part is that regulations are public and open, so before one claims "banks have a realtime link with MI-5", they would have to prove such a statement by linking appropriate regulations and practices.
About police/intelligence investigations
No law prohibits Law Enforcement and intelligence agencies to collect customer data on grounds of investigation. In EU at least, Law Enforcement can collect all information, including bank statements, on an individual basis. But that requires enquiring the Bank or the Merchant, which prevents realtime monitoring.
So that is where dramatization comes.
Oh, by the way, real world Law Enforcement require a warrant to obtain customer transactions. A warrant is issued in elapsed-seconds when watching a film, but can take much more time in the real world.
What it takes
In order to monitor one's transaction, authorities would have to establish a real time information link with all the appropriate parties. For example a web service. A common interface to inquire all financial transactions in real time.
There are so many banks all around the world that if such a direct link existed secretly, there would be too many IT people involved in holding this secret.
I mean: either it exists, and is found online, a publicly accessible technical regulation from your Government, or it's a fake news. Reminds me that if Moon landing was a conspiracy, thousands of people should have been corrupted.
About different cards
They can likely be linked to you, simply by matching a unique identifier like you social security number, or tax identifier, as issued by the Government. Banks are required to verify, record and report the identity of their customers.
Note that I have been working for years in the RegTech industry. The Government could know how many cards (and where) you own, but not their PAN code.
About hackers
Almost impossible. Impossible because banks have very sophisticated security systems, obey to strong privacy and security standards, and have plenties of people paid with a lot of money to protect their core systems.
Almost because sometimes, rarely, some bank gets hacked. But hacks don't last forever, and is for a single bank.
China apart
China is a different story. Chinese government is working hard to implement technology that allows to monitor society realtime, with obvious ethical, security and privacy implications which mark the strong cultural differences with Western society.
I have record (source: news) that Chinese government used big data from cell phone networks, face-scan cameras and AliPay payment network to track individuals suspected to have been in contact with COVID-19 patients. None of my sources mentioned real time
, though Chinese Government and technology firms are working towards that.
Answered by usr-local-ΕΨΗΕΛΩΝ on March 29, 2021
My full-time employment is writing software that processes credit card transactions, so I am familiar with this topic. I'll address the easiest part of your question first:
There is a clear difference between "government agents" and "mom's basement hackers, evil villains, etc." The former have a very simple way of getting this information: by demanding it from the card's issuing bank. The issuing bank has a record of all the transactions on the credit card and governments can generally compel them to provide information to law enforcement. Whenever a police character in a crime drama says that the suspect's credit card records were checked, this is what I have always assumed they were doing. In the fictional worlds where these stories take place, it's possible that the evil villain has sufficient leverage over the issuing bank that he could also compel them to provide the information. In real-life, this is less likely.
For a real life hacker to steal this information would be much more difficult. Once the transaction data gets from the merchant to the acquiring bank, the transaction messages are generally transmitted over dedicated fiber rather than the internet. At the very least, communicating parties are joined by a VPN with network-level encryption of data. This would make it nearly impossible for a hacker to steal this information in transit. The most vulnerable place for a hacker to compromise would be the merchant's WiFi network. Having done this, our evil villain could perform a MITM attack to steal transaction data before it gets out the door (so to speak) to the acquirer. This wouldn't allow him to see all the transactions performed by a particular credit card in a given time period, but if he has a hunch about where the protagonist is going to go, it would allow him to confirm that it happened, potentially in real time.
As for whether it's possible to know exactly what our hero purchased in the store, the answer is "likely yes". Itemization data can be provided as part of standard payment transaction messages. This, along with some other data, is typically called something like "Level III" data (although the name used for it varies). Level III data is typically not required; however, providing it can often result in lower processing fees for the transaction. Therefore, many payment transactions do have itemization data attached to them.
For someone to know which credit cards to track, they'll need more information than just your name. If they know the target's social security number, their credit report will have some basic information about their credit accounts. For a government actor, the process for getting a person's transaction information would involve looking at the subject's credit report to find with which banks they've opened credit accounts, then go to those banks and demand the information. For a normal hacker, even the list of our hero's credit card accounts from their credit report probably wouldn't be that helpful because, as I mentioned earlier, the issuing bank won't just hand over the transaction details.
Answered by Daniel on March 29, 2021
Programmer here. I work with code that integrates sites and payment terminals with payment solutions, so I know what information is sent to and from various integrators (not just between the vendor and the credit card issuer and bank). I can tell you that barring zero-day exploits, every system involved is secure enough.
People, on the other hand, are not.
mom's basement hackers, evil villains, etc. often are able in minutes to tell stuff like "twenty minutes ago she rented a boat in Snow Hill" or "he bought two chicken lettuce sandwiches in Subway at Waverley rail station".
Mom's basement hacker (henceforth MBH) may have tricked your spouse into installing some software like TeamViewer into your computer (usually as part of a refund scam). From there MBH can get a lot of data on you.
A bit more social engineering and now MBH has access to your Apple account, so they can see that you are paying for Uber Eats with your credit card through Apple Pay. They may also have stolen some site credentials while at it, so they can now log into Uber Eats and see your order history. Yep, two oven roasted chicken combos, using some specific coupon, to be delivered to your mistress's place.
In fact, is it even possible in real time to connect to various payment networks? Also, will not the transaction only say '£88.50 at McGregor Inc., Snow Hill'?
You are right that transactions will show very limited info. If all you have is the banking or credit card data, you can see when purchases are done and for what value, and who the merchant is, but you don't get specific order data.
You can infer things, though. If someone is buying from a site with a small number of products available, and if the prices for each product are very different, you can kinda figure out what the person is buying.
This is as far as MBH goes if all they have is access to your bank account and maybe some site accounts. Supposing they have the credentials for a store's admin credentials, so that they can see all order data, they can track your purchasing habits without needing to know anything about your credit cards - orders have product data, and billing and shipping addresses that are separate from credit card data.
What if he has cards under different names? What is actually tracked? I have a card J Smith, another one Jane Smith, third Mrs J K Smith and amex Dr Jane Knutt Smith. The first two have the billing address at my parents.
Supposing MBH has access to a store's internal systems, they can tell that a credit card with a given number was used to pay for an order at some specific time, with some specific products, for one or more shipping addresses, and one billing address. Some online integrators will validate that the billing address is the same as the credit card's, some won't.
Answered by Counter on March 29, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP