From: Jeff Burdges
Subject: [Taler] 3d secure hack
Date: Tue, 7 Aug 2018 20:36:35 +0200

We’ve discussed wallet backup and sync schemes here at length.  I’ve argued 
against a simplistic sync, with small business use cases being one among many 
scenarios poorly served by a simplistic sync scheme.

We could take this further and imagine organisations using Taler to manage 
employee expenses.  Well, frequently organisations can reclaim VAT if they buy 
travel themselves, but not if they reimburse employees.  This clearly requires 
something much more complex than a simplistic sync, but actually I want to talk 
about something else..

Aside from companies reimbursing employees for travel, travel also has enormous 
privacy implications, so customers benefit enormously from buying travel with 
Taler, but..

How would you use Taler for booking travel?  Travel booking systems are 
extremely poorly maintained and update slowly and incompetently.  Renfe could 
not process non-Spanish cards for decades.

We could maybe exploit Visa 3d secure to circumvent this problem:

Taler exchange could act as a Visa card processor that issued exactly one card 
in its own name.  It publishes the card details, but all transactions with this 
card are declined unless the merchant processes 3d secure redirection 
correctly, which redirects to the Taler exchange’s 3d secure page.  In that 
case, the user is sent a Taler payment page for which their Taler wallet 
prompts them and then pays.

In effect, users are making Taler payments, and they even receive Taler 
receipts, but they must first enter the credit card details for the exchange’s 
card.. and Visa extracts some high fee.

I’d think users cannot contest payments because they did not enter their own 
credit card details, or make a credit card payment, but conceivably the taler 
exchange can act like a card issuer in a card dispute process.  Also, users 
enter any details they like during checkout, but obviously many travel services 
check ids.

If this does not work for some reason, then there is still a middle ground 
where organisations obtain one Taler credit card for all their employees, and 
manage their employees’ expenses with Taler balance transfer tools.


