zaphirplane's comments

How do you ensure the CLI can use the auth without knowing how to read it? It's potentially a bearer token.

Oldie but a goodie. Why would it matter, though?

> 200m knowledge workers in the world, 30m developers

1 in 6 knowledge workers is a developer! Surely that's too high, though it explains the job market.


This sounds targeted, like 2 degrees of separation

It's just opportunistic people calling old people over the phone in hopes of tricking them into handing over some money for "an emergency" by claiming they're a relative. Really low effort scams, I'm not surprised they're using generative AIs to fake voices now, same sort of low-effort operation.

What is the governance and audit trail on offer?

Like, which country allows companies to not follow a legal directive? How weird.

Why does it “sound” like a good thing for the company?

Unless it's a mega establishment product, people move on and don't stick with buggy, crashing products.

This wouldn't be acceptable for car safety; well, I could list a whole bunch, but you should get the idea.


The redirect to a bank is worrying; isn't it trivial to fake redirecting to a fake bank?

When I'm redirected to my bank, my bank shows my account name and some details (including a custom per-device avatar). Spoofing that would require gathering these small details.

Some banks have a custom device to scan a QR code, where the device generates a signing token but also shows the transaction details too. Regrettably, these are not too common, despite being the safest variant.


Not really, since in modern 3DS implementations, the redirect pretty much only shows a modal saying "check your phone for a notification and confirm this payment there".

Worst case, you'll be entering a one-time code received out of band, e.g. via SMS, and that message will mention what you are consenting to by entering it anywhere, so even MITM attacks are very hard.

The days of entering a static password in 3DS are long gone.


You'll need to fake much more than just that. Usually the bank website will ask you to confirm the transaction by opening the banking app on your mobile phone.

Trading a dependency on MasterCard and Visa for one on Google and Apple is at best a sidegrade. More likely you end up worse off.

> Trading a dependency on MasterCard and Visa for one on Google and Apple is at best a sidegrade.

That's really not how it works. You as the user are prompted to pick the bank you want to use, and then your bank prompts you to approve the transaction.

The only scenario I can think of that might involve google or apple is if you want to use Android or iPhone for mobile payments with NFC.


Which part of "confirm the transaction by opening the banking app on your mobile phone." does not depend on a banking app installed on a Google/Apple-controlled environment?

Not really, the redirect itself is happening at EMV DS level, not by the merchant himself. The merchant has no idea what bank your card belongs to, so he does not know which bank to redirect you to.

I think they are asking about privileged communication


> pass a(n often horrifically thorough) character background check.

Explains why so many let loose afterwards ;) jokes

