TL;DR Techcrunch recently published an article entitled "Is NOCA the next Paypal?". The article puts NOCA in the spotlight as a more secure and cheaper alternative to Paypal. In comments, JP, a NOCA employee, claims that his payment system is more secure because it uses ACH transactions:
"On the consumer side, Noca assures security and prevention of identity theft because the transaction avoids credit cards and uses debit transactions instead, where the money goes directly from the buyer’s checking/savings account to the merchant."
NOCA Snake Oil
"If you are an online consumer, Noca offers a new way to shop online that combines complete ease of use with unparalleled security, almost eliminating identity theft."
Does NOCA know what is identity theft?
"Noca stores all production data in a physically secure offsite data center. While PCI (Payments Card Industry Standard) compliance is not necessary since Noca is not storing any credit card information Noca will strive to be at a PCI compliant data center."
This is just silly, having NOCA applications hosted at a PCI compliant data center doesn't make you magically secure.
ACH fraud is a lot more dangerous than credit card fraud.
Most credit cards come with a Zero Liability Fraud Protection, so you don't have to worry too much about fraud. If you have a problem with a charge on your credit card you just complaint to your credit card company and you won't have to pay anything. Incident closed!
That's not the same with debit or ACH fraud, your money is gone! and it might take a long time before your bank acknowledges the fraud and refunds your cash. You'll have to go through a lengthy procedure. According to the Electronic Fund Transfer Act, your maximum liability is 50$ per transaction if you give notice within 60 days or up to 500$ otherwise.
JP@NOCA replied:
"Fraud in checks/ACH is substantionally less than fraud in credit cards. The reason is simple - credit cards don’t require “two way” identification. Doing an ACH transaction requires both transacting entities to have bank level verification as opposed to credit cards. If I have somebody’s credit card info I can commit virtually unlimited fraud. Having somebody check/bank account number doesn’t give me that ability."
Again this is misleading. ACH fraud is easier than credit card fraud, the only thing you need is a checking account number and a bank routing number. ACH doesn't have any security at all.
"Zero cost payment system for Merchants has arrived "
I wouldn't recommend NOCA to merchants; whereas consumers have 60 days to return unauthorized ACH entries, businesses have only 24 hours. The potential for loss is also bigger for the merchants because higher balances are retained in their accounts.
JP@NOCA replied:
"@Kugutsumen I agree with you. Our system is for consumers for now. They get 60 days to dispute any un-authorized transactions."
It would be fun to do a proper security assessment of NOCA.
Grugq > check FTC Kills Dirty Online Check Processing Outfit, more proof that checks + online == bad :
"The Federal Trade Commission today got a US District Court to stop permanently what it called the illegal operations of an Internet-based check creation and delivery service, and to require the group to give up over half a million dollars in ill-gotten gains. According to the FTC, Qchex.com created and sent checks drawn on any bank account that a Qchex user identified, but did not verify whether the user had authority to draw checks on that account. As a result, fraudsters worldwide used the Qchex service to draw thousands of checks on bank accounts that belonged to unwitting third parties. 'The evidence shows that the launch of Qchex.com was a "dinner bell" for fraudsters and resulted in a high number of accounts frozen for fraud...' said District Court Judge Janis Sammartino."
References:
FDIC Law, Regulations, Related Acts
