I use Privacy.com, which basically turns every card I use with them into a canary. The first time you charge on one of their virtual cards, they become merchant-locked. No other merchant can charge to that number, and if someone tries, I get an alert.
I have uncovered flaws in online merchants this way, and notified them. They were usually grateful, especially so since the fraudulent charges failed.
I'll give you a warning about them, they won't issue a chargeback for anything. Even blatant fraud. They'll give you a vague response about rules with their processor.
I used them for a purchase, the company then blatantly lied about everything (tweeted that "everyone's order was shipped" 2 weeks before I even got a tracking number).
They asked me for the following:
- Order receipts
- Email communication with the company
- Tracking numbers
- FedEx investigation (consumers can't open these, only the shipper)
I showed them the chat history with FedEx refusing to open a claim, and provided the other information.
They then proceeded to IMPERSONATE ME to FedEx live chat "to prove I was lying." The sent screenshots only showed them asking if a tracking number had been delivered, not any of the actual data around the tracking number.
Needless to say, I've never used them for anything again and post this everywhere I see them mentioned.
That‘s really no longer true for most debit cards these days. Issuers can process disputes for debit and credit cards in the exact same way (at least for transactions on Visa and Mastercard, i.e. practically for all online payments).
Higher tier credit cards often have additional insurance that goes beyond what the chargeback mechanism is designed for, though, but for fraud, you shouldn’t need these.
It kind of kills me how badly understood this is in /r/personalfinance.
I think something like 85%+ of banks now offer next day refund of fraudulent charges from debit card charges. But that statistic is kind of meaningless in that, if your bank offers it, there's not a lot of extra protection a CC card grants you unless there's a specific value-add to the card that is meant to retain you as a customer.
> with a debit card you don't get that spending power back during the process.
At least for consumer debit cards, that's not the case. Regulation E requires provisional credits (until the investigation and/or chargeback process is complete) in essentially all instances of fraud.
> And if it's international dispute raised after 14 days you might get no where.
Where do you get that number from?
At least in the US, federal law limits liability for lost and stolen cards to $50 (when reported within two business days) or $500 (within 60 days after receiving your statement). For non-lost/stolen cards, which covers all online fraud (due to stolen card numbers, compromised merchants etc.), there is no such time limit, as far as I know.
And these are just the legal caps on consumer liability: Most issuers go far above and beyond that, and extend zero liability for effectively all scenarios, just like for credit cards.
You know I've no idea where I got 14 days from. But I'm not US based and the last time I disputed something was in the EU at the start of the pandemic.
It's also frankly absurd that no such service exists for European customers. I've been looking the past few days for someone who does something like this and it's just not available, for what I can only assume are regulatory reasons.
Revolut has single use credit cards as part of their offering. You can either choose to create a new one for each transaction (disposable card) or a virtual credit card that you can use more than once but discard if something happens to it.
Because both types are virtual prepaid type cards, some services (e.g. car rental) will not accept such cards.
Its my understandingn that Visa does offer the service to banks, they just haven't implemented it. There is to my knowledge no regulatory red tape, it's just not seem as profitable.
The banks here in Denmark har just less competitive and more entrenched than in the US
I wouldn't say that banking is particularly competitive in the US when it comes to technological/product features such as this. Out of several of my cards, only one issuer offers virtual/one-time use card numbers themselves.
My Swedish bank (Swedbank) had this service from some time in the 00's up until 2017 when they discontinued it. So they were way ahead of the game but for some reason dropped it.
Regulations are indeed the reason that Europe does not have proxy cards, but pretty indirectly:
In the US, debit card interchange is heavily regulated for most issuers (to an extremely low rate of 0.05% plus a flat 0.24$ per transaction, which can be frustrating for microtransactions, but that's a different story).
Some issuers are exempt from this requirement, though – very likely including the one that Privacy/Lithic use. This gives them a very nice arbitrage opportunity which can pay for the product and even return a profit.
In Europe, there is no such exemption, so a proxy card can even theoretically never be profitable (you earn 0.2% but also pay 0.2% per debit transaction, and after network fees, you're in the red).
What would be possible is to offer single-used debit cards that are funded from a bank account via direct debit, which is effectively fee-free (but decidedly not risk-free). Privacy offers that option as well in the US.
But given the direction into which the EU is moving (heavily guided by regulation), which is to effectively mandate 3D Secure for almost all online transactions, it's questionable how much demand for such a product there really will be, going forward.
My understanding was that privacy.com is just a “detached service” implementation of something that many European banks offer natively as a feature of having a credit card (or even just a chequing account) with them; and that privacy.com was only viable as a business because, for some reason, American banks are (or were at the time) totally unwilling to build anything like this, so people were willing to settle for a (strictly worse from a “privacy” perspective) third-party-MITM-proxy card if it meant having this feature.
I’d suggest, rather than looking for a “detached service” that does this, look at what (probably larger) European banks besides than your own offer their customers built-in.
My Indian Bank, HDFC offers this since 2008, virtual cards with custom amount, one time use. On creation, the amount equal to limit gets set aside. If merchant charges less than max limit, the excess comes back.
Thier at-time debit cards were good only for domestic transactions, but this virtual was good for international, & used to come up as Visa Prepaid. I used it for registering domains & amazon international shopping.
Credit card shouldn’t need to be shared with all and sundry. The concept is very old fashioned. We wouldn’t share out side project github keys like this!
Quite the opposite: It should, in an ideal world, be perfectly safe to share your credit card number with everyone, because all it should be is arguably an account number.
Payment initiation or confirmation can be an entirely separate layer (such as chip + PIN or 3D Secure).
This is actually the goal of European regulators right now (with some carve-outs for low value and low-risk transactions).
At the moment you need to provide a complete "private key" to each processor, who up the ante to: CC Number + Expiry + Security Code + Name + Address. They all ask for it, so any of them could leak it, or it could be phished.
The system works because it's mostly reversible. If my card gets leaked and someone tries to use it. I just disable my card in the app, contact the bank, they refund the money and issue a new card. Perhaps sometimes the bank has to eat the loss but it works out perfect for the consumer.
What's absurd is that this is something I have to pay for or find a particular issuer of a visa/mastercard. It should be free and included with every visa and mastercard. They should demand that every issuer of their cards needs to offer virtual cards and 3d secure. If they don't then their fees should be significantly higher.
Issuers effectively do need to offer 3D secure, since they are liable for all fraud that happens on 3DS-enabled transactions. It's just their choice on whether they choose to require authentication at all, some, or no transactions.
The US has more of a free market approach here, and experience has shown that the conversion rate hit is often much more severe than the reduction in fraud. Consumers will just use the most convenient card, and that turns out to be the one that just lets them buy (almost) everything without additional challenges.
The EU is taking the approach of forcing all issuers to challenge cardholders for most (higher value/risk) transactions. Given that the rules are the same for everyone, cardholders have nowhere to "escape" to – and issuers finally were forced to invest into making their implementations more usable.
Capital One offers it on their certain credit cards. Somehow Google Chrome, when you save Capital One card in it, offers to generate virtual directly from Chrome.
How is that absurd? There is approximately zero consumer demand for stuff like this. Remember when chip cards were deployed 10 years ago and everyone was annoyed at how chip readers forced them to have the card out longer? Or how Amazon often doesn't check CVV numbers because doing do would increase attrition?
Of course a few of the largest banks find it worthwhile to add a page to their website where you can generate virtual card numbers, but it's not a huge win for them by any means even when they're liable for stolen cards.
I've only used this for the sketchiest of vendors though. Chargebacks are pretty easy for the once-a-decade event where I get billed for something incorrectly.
I wanted to use Privacy.com for virtual CC #s on a checking account, but the enrollment process requires credentials for the linked account's online banking login.
Not just ACH information from a check for the linked account, which is all they should require.
No, despite supposedly being privacy-concerned, they require credentials (or auth token, hopefully) that gain access to everything the login has visibility into. I have multiple accounts at these places, the checking account is a tiny fraction of what's available with creds in hand.
That tab was promptly closed and effort abandoned.
Bank of America used to have this feature with virtual cards and I was using it a lot. They killed that service few years ago and I was really sad they did that. Not sure if other banks are offering virtual cards for free. I might give Privacy.com a try.
I had heard of this service before and assumed it costed money, but thanks to your comment checked it out, and apparently they have a free tier allowing you to create 10 cards per month. Cool!
The only downside which stops me from using privacy.com us that I will lose the chance to earn points or Cashback, as privacy charges directly to your checking account (understandably).
I have uncovered flaws in online merchants this way, and notified them. They were usually grateful, especially so since the fraudulent charges failed.