- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 4 Oct 2020 21:26:51 +0200
- To: Tom Jones <thomasclinganjones@gmail.com>
- Cc: Web Payments Working Group <public-payments-wg@w3.org>
On 2020-10-04 21:04, Tom Jones wrote: > yeah - this is the problem "you cannot get any money out of the system unless you are a legitimate merchant." > Who is it that determines "legitimate merchant"? The merchant has to enroll to a payment network which includes following certain rules. > And if it is not a "legitimate merchant" will the bank make me whole? It will just reject the transaction you authorized with a laconic "Unknown Merchant". > I guess I will prefer to deal with trusted intermediaries. You want transaction requests to be redirected to your (on-line) bank? May I ask how your bank is supposed to have any idea of who you are transacting with? > This appears to be a case where the disintermediation and frictionless payment provided by the web is a really bad idea. It would be great if you could do a write-up showing your vision. Anders > Peace ..tom > > > On Sun, Oct 4, 2020 at 11:51 AM Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote: > > On 2020-10-04 19:07, Tom Jones wrote: > > Let me express my concern that I presented earlier to the UKOBIE. Creating a common UX between my bank and some random request for funds is likely to lead to fraud by attackers trying to confuse the user into making payments that are not intended. I strongly believe that the user MUST understand when they are securely communicating with their bank and when they are being solicited for payments. Integrating these two is not going to end well for consumers. > > Dear Tom, does this has anything to do with the integration of receipts? > > Anyway, if we stick to on-line/Web payments, I believe you are trying to solve a problem that you haven't fully analyzed. In short: you cannot get any money out of the system unless you are a legitimate merchant. If a legitimate merchant tries to fool users there's nothing your bank can do about it up-front. In fact, it probably cannot (on its own) even know if the merchant is legitimate! Isn't that a problem? No, the legitimacy of a merchant is provided by other parts of the payment infrastructure. > > Saturn is in this respect no different than for example Apple Pay. BTW, these systems do not talk (directly) to the bank; they build on user authorizations that are (indirectly) "routed" to the bank. > > However, fraud have indeed been reported for P2P payments systems like Zelle and Swish, where the identity of the recipient remains a thorny problem. If you have a silver bullet to offer here, I'm sure we are all ears! > > If you want, we could have a video-call on how Saturn deals with authorization. > > Anders > > > Peace ..tom > > > > > > On Sun, Oct 4, 2020 at 6:16 AM Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com> <mailto:anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>> wrote: > > > > Hi WG, > > > > This is not yet ready for public testing, but here is the core documentation: > > https://1drv.ms/b/s!AmhUDQ0Od0GTigDejoaMj3TZ0sKs > > > > Enjoy! > > Anders > > >
Received on Sunday, 4 October 2020 19:27:09 UTC