Quote: Originally Posted by KremlinKOA
Okay, fair question, as I didn't make that part explicit.

It works in 2 parts.

1: Those RMTers who acquire their dodgy codes through hacked accounts will be stopped immediately, as OTP/2FA accounts don't get hacked readily enough for it to be practical.
2: As for those using stolen Credit Cards on their own account. Being able to track where the gifts went, means as soon as a chargeback occurs, the account gets banned. Which means to get a new account going, they need to
--A: Buy a new copy of FF14.
--B: Buy a new phone SIM card (Yeah we can link phone numbers to accounts, after all)
--C: Buy a month of Subscription time
--D: Wait 30 days before being able to send out new gifts.
These costs, and delays, are designed to move the setup from 'profitable' to 'unprofitable' and encourage the RMT CC fraudsters to use another game as their laundry.

In the end, it's all about making friction to discourage people from using FF14 as their method to clean their stolen money.

But best solutions will put more friction on the fraudsters than on honest players.

The phishing scams exist precisely to have a way to get into accounts protected by OTP/2FA. We see players fall victim to those frequently.

I don't know if it's still required but at one time the cash shop was requiring account verification to get entered twice - once to select items to be purchased then again to make the purchase. As annoying as it is to players trying to make a purchase, it does prevent fraudulent purchases from being made on a compromised account with OTP. The thief might get in the first time but the OTP would no longer be valid by the second time it has to be entered.

Without a second verification needed, it's easy for the thief to load up a cart, move to the account verification page and wait for the dumb player to enter their information into the phishing website to capture and enter into the purchase website.

The credit card and retail industries together need to step back and see what can be done to get compromised payment methods under control. So much gets done online today that it's hard to say if any of them are properly identifying anyone. Should all payment methods themselves now require OTP/2FA for all online transactions? The 3-digit CVN they tend to rely on for credit card transactions is not truly a form of identification. It's merely confirmation that someone knows the number for that particular credit card number and not that they have possession of the card or are the card's actual account holder.

That brings up the question of how all these fraudulent credit card transactions are occurring in the first place (assuming it's credit card and not other payment types at the root of the problem). While databases are storing the payment information, they should not be storing the CVN. How are payments getting initially approved for online transactions if the correct CVN isn't being submitted?
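
The second-verification point in the reply above, sketched as an added example (not part of the original post and not the game's actual implementation): a server that accepts each time-based one-time code only once, so a code captured and used at login is refused when replayed at checkout. The secret, timestamps and the `OtpVerifier` and `simulate_phished_session` names are constructed for illustration, and the verifier allows no clock-drift window for simplicity.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing t."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Accepts the code for a given time step at most once per account."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code: str, now: float) -> bool:
        step = int(now) // STEP
        if step <= self.last_used_step:
            return False                         # this step's code was already consumed
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False                         # wrong or expired code
        self.last_used_step = step               # burn the step on success
        return True

def simulate_phished_session():
    """Login with a captured code, then two replay attempts at checkout."""
    secret = b"constructed-demo-secret"          # constructed sample value
    verifier = OtpVerifier(secret)
    t0 = 1_700_000_010                           # constructed time, start of a step
    captured = totp(secret, t0)                  # code typed into the fake site
    login = verifier.verify(captured, t0 + 5)            # first use: accepted
    replay_same_step = verifier.verify(captured, t0 + 10)  # checkout, same step
    replay_next_step = verifier.verify(captured, t0 + 45)  # checkout, code expired
    owner = verifier.verify(totp(secret, t0 + 45), t0 + 45)  # fresh code from token
    return login, replay_same_step, replay_next_step, owner

if __name__ == "__main__":
    print(simulate_phished_session())
```
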