question is whether authorisation was sent by acquirer/merchant to the issuer (and then your issuing bank in USA declined it)

OR
authorisation was declined (or not sent at all) by acquirer/merchant

… answering this, you know whom to blame

Since we do not read Turkish, the exact error from the reader was unknown and the waiter’s English was not sufficient to explain.

I contacted my 3 USA-based banks during the trip to resolve the issues with our credit cards being accepted there. None had a solution. None of our banks provide Chip-n-Pin cards at that time though I have requested one from each institution when available. These were MC, Visa, Amex cards.

When we ventured away from the major tourist locations in either European or Asian parts of Istanbul, our credit cards were not accepted, never. A friend who works for a Turkish bank explained that fraud concerns were the reason our cards were not accepted. It seems that liability is different in Europe and Turkey for _signature-based credit cards_ than in the USA. I don’t know if that is true, just what has been explained and what I’ve read online. The attempted transaction amounts were all under US$200 and most were under $75 at restaurants. It is embarrassing to take a friend’s family out to a nice meal, but not be able to pay over a credit card issue.

The odd thing is that these same credit cards were used in 5 different European countries outside tourist areas a few months earlier without issue. For both trips, the banks were notified of the travel plans. Since returning, each has worked without any denials in the USA too.

To clarify, the fraud concerns in Turkey appear to be for non-Chip-n-Pin credit cards, hence the reason why they are generally not accepted.

The FICO.com link provided actually shows that credit card fraud in Turkey has increased slightly between 2006 (13.29M Euros) and 2011 (13.43M Euros). It is lower in dollar amount than MOST other countries in Europe according to that link.

In an effort to create a apples to apples comparison, I looked up the populations of Spain and Turkey to normalize the data for a per capita comparison. I used the CIA factbook July 2012 population estimates. Spain had 47M people and Turkey had 79.7M people. A napkin calculation shows that Spain has much, much, much higher per-capita fraud levels than Turkey. If my calculations are correct, about 25x Euro/person fraud levels greater in Spain than Turkey. That seems like a huge difference. Someone please check the calcs.

Thank you for pointing that out that Turkey is a relatively low-fraud area in Europe.

A travel partner received a new USA-based credit card recently that does have the chip-n-pin built in. I don’t know if it followed the EMV standard, but that is likely. His older cards were also refused outside the tourist areas in Istanbul.

Anyway, I should not have said that “bank fraud is huge in Turkey” – my last statement of that post cannot be proved as fact, so it should be retracted completely.

I apologize, the error is certainly mine.

@Ian McNee: I agree with your comments, mostly.

If I understand your point correctly, I disagree that surfing virtually through a US-based computer using a VPN while overseas is in some way just as secure as surfing directly using an overseas network. It really comes down to trust in the internet provider where your traffic leaves an encrypted state.

Do I trust my USA-based business ISP more than some random hotel or wifi-hot-spot or government owned telecom ISP? YES!

I hope you will look into Convergence more though as it has the potential to cover the vast majority of secure traffic (assuming that some of the large players like Google resource it as it scales). In the case you cite, users travelling the world will probably have local and regional contacts through whom they can locate sources of trust (“Notaries” in Convergence’s terminoligy). Naturally this will not happen overnight but the beauty of Convergence is that as it develops early adopters can use it alongside the current CA system.

A lot of people request DNS-SEC which is what I was warning against in that comment.

Yes, it’s true that a certificate which trust but shouldn’t totally voids your safety until the situation is corrected.

But while Perspectives can help certain use cases, there are many UCs and attacks where it won’t help. It won’t help if you’re in a territory where you can’t reach any Perspective servers (I’ve been in such situations). It won’t help if the server you’re visiting is close to the right server and has never had a good certificate – many people start their browsing with insecure pages, so if your start page being insecure has its content tampered such that the link for the secure site you wish to visit is slightly different from the proper secure domain, but leads to a secure domain w/ a bogus, then Perspectives hasn’t helped you (the CA system may or may not have helped you, depending on how good the validation system is and whether you insist on EV — TURKTRUST had its EV bits revoked because of this incident).

You can check to see when Apple released the DigiNotar update for comparison:
http://threatpost.com/en_us/blogs/apple-removes-diginotar-certificates-safari-090911

I personally just paid to update a computer from 10.6.8 to 10.8.2, so I look forward to actually getting a security update for this when Apple gets around to it…

The reason that TURKTRUST is trusted is because it would be impossible for a US based entity to establish any reasonable level of assurance that an entity is who it says when certificates are created (you can of course replace US with EU or NAm – it wouldn’t change anything). Thus entities are certified to establish trust within areas or regions.

Similarly, browser vendors really don’t want to be in the business of managing trust down to the server level / per legal entity level. And if they were in that business people would complain about a Cabal…

No process is perfect, everybody makes mistakes. The number of mistakes by Registrars and Hosting entities far exceeds the countably few made by CAs. Indeed, the CAs aren’t perfect, but if we have 1 a year, that’s really minor when compared to all of the mistakes and failings of Registrars, DNS and hosting entities.

I personally have my email address attached to a random domain as an administrative contact. I have absolutely nothing to do with the domain, but I can’t get the incompetent Registrar to do anything about it.

The absolute *last* thing I want is for Registrars to be responsible for Trust.

Plus, the error message for hosts-changed-keys is absolutely incomprehensible. If you think that the SSL bad Cert for self signed case has a bad message, you haven’t seen anything, just try dealing with key changes for ssh-hosts where someone has to rebuild their systems (like FreeBSD?) for normal users.

Pretty much all of the big names in the CA system have had breaches leading to forged/stolen certificates of varying significance at one time or another, and that’s just the ones that we know about. Peter Eckersley from the EFF published some interesting research about this: https://www.eff.org/deeplinks/2011/10/how-secure-https-today.

What we urgently need to do is find a secure alternative that offers some “trust agility”, whereby we can choose to revoke our trust in a particular source of authenticity without a huge chunk of the internet vanishing, as it would at the moment if, for example, we chose not to trust Comodo (not an unreasonable thing to do, some might say). Something like Moxie Marlinspike’s Convergence system would fit the bill but it has effectively been blocked by the likes of Google and the vested interests of the major CAs. His talk about this Blackhat 2011 is required listening (and also both interesting and entertaining): https://www.youtube.com/watch?v=Z7Wl2FW2TcA.

As for those here stating that this or that browser offers protection or keeping your system up to date with certificate revocations makes you safe that is essentially nonsense. These things offer only partial protection and when a CA or a reseller is hacked or controlled by a malicious party and that is not known publicly we are all vulnerable.