Slashdot Mirror


Disposable Credit Card Numbers

nihilvt sent us news that disposable credit card numbers are actually being deployed by several credit card issuers. The technology sounds like it involves a silly Windows plug-in of some sort, but I'd think there's a lot of potential for growth here. Has anyone actually used these systems? Do they work well? (We ran a story on this a few months ago.)

126 comments

  1. Great stuff by ModelX · · Score: 3
    Hey, this is great stuff. Bad guys cannot steal your number and the really bad guys cannot trace you with the number.

    So is the next generation of credit cards going to have a built in mini screen displaying the current disposable number?

  2. But wait.. by Ami_Chan · · Score: 2

    This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...

    This could be avoided with the way the system is supposedly set up. In order to use this permanent one use card, the thief would still need to have access to your password from the credit card company - not Amazon.com.

    "If hackers broke in, they couldn't use the virtual number without your password -- which the merchant doesn't have -- and it couldn't be circulated to other sites."

  3. Re:I use 'em by questor · · Score: 1

    I use the MBNA system as well. (And it works from a Mac; a Control Strip module tells the web browser to open a small window on their flash page...) My understanding is that the temporary account is tied to the first web-based merchant that uses it; even if a cracker were to get the number, if he attempted to use that account it would be denied because he's not that company, not just because of the time or credit limits.

    --
    Mashed potatoes can be your friends!
  4. I designed something like this... by cduffy · · Score: 3

    ...for a research project at CSU Chico.

    Okay, not /that/ much like this... but it still seems relevant enough to post. :)

    The general idea is that a user is issued a transaction generator (for lack of a better word). This is a small device (with a keypad and LED screen) which maintains a counter with the number of times it's been used, and contains unique public and private numbers. When the user wishes to perform a transaction, he/she enters the amount of the transaction and his/her PIN number. The public number and amount (perhaps obfuscated) are output as cleartext; the private number, amount (again), PIN and counter are sent through a one-way hash. This hash is appended to the card's output.

    The verifying agency keeps track of not only the private number but also recently used counter values. When a transaction comes in for verification, it attempts the hash with the last [INSERT CONSTANT HERE] unused counter values (up to a limit of [INSERT CONSTANT HERE]), as well as the next [INSERT CONSTANT HERE] counter values. If one matches, the transaction is approved and the database of used counter values is updated.

    The end result is that: a PIN is required for each transaction. Each transaction value may not be reused. The most data which can be had from reverse-engineering a card is the private number, which is still useless without the PIN; hence, stealing the generator does no good. Stealing the in-transit data will get you the public number, but (thanks to the one-way hash) no private number or PIN. Even watching someone perform data entry and stealing their stream (taking both the PIN and public number) does no good, as the private number is still unrecoverable.

    The bad news is that the number has to be fairly long to include an acceptable amount of hash data -- I determined 26 alphanumerics to be more than sufficient, but providing this means replacing a lot of equipment. This much data is needed in part because the multiple hashes done in verification increase the chances of collisions significantly. Furthermore, it means that software and equipment that performs a Luhn check (as with CC#s) will need to be replaced.

    I still consider it a nifty idea. :)
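Added example, not part of cduffy's post or the CSU Chico project: a sketch of the counter-window verification described in comment 4. HMAC-SHA-256 stands in for the unspecified one-way hash; the 10+16 split of the 26 alphanumerics, the window sizes, the enrolled PIN and all names are assumptions.

```python
import hashlib
import hmac
import string

ALPHABET = string.digits + string.ascii_uppercase   # 36 symbols
ID_LEN, TAG_LEN = 10, 16      # assumed split of the 26 alphanumerics
LOOK_BACK, LOOK_AHEAD = 3, 5  # assumed values for the post's open constants


def make_tag(private: bytes, amount_cents: int, pin: str, counter: int) -> str:
    """Hash of private number, amount, PIN and counter, as 16 alphanumerics."""
    msg = f"{amount_cents}|{pin}|{counter}".encode()
    n = int.from_bytes(hmac.new(private, msg, hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(TAG_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


class Generator:
    """The handheld device: public/private numbers plus a use counter."""

    def __init__(self, public_id: str, private: bytes):
        assert len(public_id) == ID_LEN
        self.public_id, self.private, self.counter = public_id, private, 0

    def transact(self, amount_cents: int, pin: str) -> str:
        self.counter += 1   # every use burns a counter, even with a mistyped PIN
        tag = make_tag(self.private, amount_cents, pin, self.counter)
        return self.public_id + tag   # public part in clear, hash appended


class Verifier:
    """The verifying agency: knows private number and PIN, tracks counters."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, public_id: str, private: bytes, pin: str) -> None:
        self.accounts[public_id] = {
            "private": private, "pin": pin, "highest": 0, "used": set()}

    def verify(self, token: str, amount_cents: int) -> bool:
        if len(token) != ID_LEN + TAG_LEN:
            return False
        acct = self.accounts.get(token[:ID_LEN])
        if acct is None:
            return False
        hi = acct["highest"]
        # Try recent unused counters and a few ahead of the highest one seen.
        for c in range(max(1, hi - LOOK_BACK), hi + LOOK_AHEAD + 1):
            if c in acct["used"]:
                continue
            expected = make_tag(acct["private"], amount_cents, acct["pin"], c)
            if hmac.compare_digest(expected, token[ID_LEN:]):
                acct["used"].add(c)            # this value can never be reused
                acct["highest"] = max(hi, c)
                return True
        return False


def demo() -> dict:
    private = b"constructed-private-number"    # constructed sample secret
    gen = Generator("CHICO00001", private)
    bank = Verifier()
    bank.enroll("CHICO00001", private, "4821")
    t1 = gen.transact(1999, "4821")            # counter 1
    t2 = gen.transact(500, "4821")             # counter 2
    bad_pin = gen.transact(500, "0000")        # counter 3, wrong PIN
    results = {
        "out_of_order": bank.verify(t2, 500),  # arrives before t1
        "replay": bank.verify(t2, 500),
        "late_arrival": bank.verify(t1, 1999),
        "altered_amount": bank.verify(gen.transact(100, "4821"), 9900),
        "wrong_pin": bank.verify(bad_pin, 500),
    }
    for _ in range(10):                        # device drifts far ahead
        far = gen.transact(100, "4821")
    results["beyond_window"] = bank.verify(far, 100)
    return results


if __name__ == "__main__":
    print(demo())
```

Each verification tries up to LOOK_BACK + LOOK_AHEAD + 1 counter values, which is the collision pressure the post gives as the reason for a long hash field.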

  5. Re:Is nice but still on an exploitable computer by sepulcrum · · Score: 1

    In my post I mention such an 'operating system': the calculator that's not part of your computer but a very simple piece of electronics made in Taiwan. And after they capture your keystrokes of the one time number it generated it'll be useless anyway.

  6. What's the backend? by XNormal · · Score: 4

    Disposable credit cards are not really credit cards, they are monetary transaction tokens which happen to fit inside a field designed for a credit card number. This lets you build a completely new electronic payment system that is still compatible with online merchants designed for the credit card system.

    These tokens can use any existing billing system as a backend. It can be billed to a real credit card like the systems described in the article. It can also be debited directly from your bank account. It can even be billed through a prepaid card you can buy at the store just like a phone card. I would really like to see a system with a Paypal account as its backend (anyone at paypal listening?)


    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  7. Really dumb question..... by Garion911 · · Score: 1

    What happens if you try to return the item??? How can they charge it back if the card number has expired??

    --Garion

    --
    Slashdot is like Playboy: I read it for the articles
    1. Re:Really dumb question..... by digitalunity · · Score: 1

      Most retailers don't require that they charge it back to the same card, just that they charge it back to A card. In fact, many retailers don't store your credit card numbers at all. They just store payment method. As for online retailers; have you ever tried to return something? It's a bigger pain in the ass than paying for whatever crap they won't take back!

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    2. Re:Really dumb question..... by alecto · · Score: 1
      With the American Express product, the merchant can credit the one-time card number (from their FAQ:)
      If I receive a credit for a transaction originally completed with Private Payments, does this appear in the Transaction History?

      A credit for a transaction completed with a Private Payments number will appear in your Transaction History, provided that the transaction was credited back to the Private Payments number. All transactions credited to Private Payments numbers will also appear, as all other credits do, on your monthly statement.

      Since common sense is authorized, I hope they accept negative charges against the one-time number even after its use period has expired.

  8. I have an even better idea.. by SlashGeek · · Score: 1
    One time use Email address, for signing up for things like The New York Times, shareware downloads, free pr0n, Slashdot troll accounts, etc.

    Signing up for free email accounts every time you need something is annoying at best. Maybe it could be valid for 24 hours or something. It may even cut down on spam, if the spambots knew that #1 the email would never get read and #2 there is a 90% chance that an email would get returned undeliverable. *grin*


    "Everything that can be invented has been invented."

    --I assume full responsibility for my actions, except the ones that are someone else's fault.

    1. Re:I have an even better idea.. by the+eric+conspiracy · · Score: 2

      One time use Email address,

      Why do you need an actual email address? Just use some random crap so long as it has an @ and . in it.

      If you do need an actual address, make one on hotmail and use it for everything. But never go there to pick up your mail.

      Or most isps will let you have multiple accounts. Make one for junk, pick up the mail and send it directly to trash via filters.

      No need for temp accounts.
      MOVE 'ZIG'.

  9. Discover disposable numbers aren't great. by AaaL · · Score: 3

    As others have pointed out, Discover currently offers disposable numbers. Although I applaud their efforts, their current offering leaves much to be desired.

    To use it, you have to download a Windows app (NOT a browser plugin) called Deskshop. This program activates itself automatically when I boot up and puts an orange dot on my taskbar. It has a setting to disable automatic startup but it doesn't work. Every once in a while, ZoneAlarm will catch it trying to access the internet secretly. I'm sure it is spyware and was trying to upload my browsing/shopping/etc. habits. I would prefer not to use this app but rather just go to Discover's web page to get a disposable number. But I can't do that.

    The number is the usual 16 digits and the first 4 digits are the same as for regular Discover numbers. Apparently merchants are not able to tell whether it is a disposable number or not. When I request a number (via Deskshop), I specify whether it is recurring or one-time. As the names indicate, one-time numbers can be used for one charge only, while recurring numbers can be used again and again (for example, to pay a monthly subscription). I can cancel the recurring number but I have to call Discover customer service. I wish I could use their web page instead. I also wish I could specify a maximum dollar amount for each number I generate. But I can't do that either.

    As for Amazon one-click, I don't see why a recurring number would not work, but I haven't tried it.

  10. Re:I use 'em by agentZ · · Score: 2

    This is a great idea, and I'm glad it works for you. But the problem is that such a solution, because it is not sheep simple (i.e. easy enough for 22 million AOL users), it won't catch on. Until you have something that's invisible to the user, it won't become popular even if it is a Good Thing(tm). Witness how many people don't use encryption on e-mail even though it's free and relatively easy to do. But make something transparent, like SSL protected web sites, and people will not only use it but demand it. (Most people think they're 'safe' on-line when they see the little gold key thingy.) Because the web site automatically puts the https:// instead of http://, the user doesn't get involved. Sad, but probably true...

  11. My experience with the system by morpheus_ · · Score: 1

    I've been using one-time credit cards for almost 6 months now, and my experience has been positive. I've always been a pretty active on-line shopper, but I've never trusted my CC # to any sites, especially after hearing the horror stories (egghead comes immediately to mind). As soon as I heard my local bank was offering a Visa card with a one-time number generator, I got it, and started using it. The system works great, you get a program, enter your password, the amount you're gonna charge the card, and it spits out a number, after checking with the issuing bank that you have enough credit. So far, I haven't had any problems with sites rejecting the cards, my only quibble is that the program is windows-only, and I'm a major Linux user, so now I have to boot up windows to play and shop. So, I think these cards are a fantastic idea. I'd rather have to issue a new CC # for every payment and know that my information is secure. Plus, it invalidates Amazon.com's moronic one-click shopping patent... :)

  12. Um... no by deran9ed · · Score: 2


    The way the numbers are generated, you would need the person's password to have a number generated, which means that if you broke into someone's email, pc, etc., to gather information on em, chances are you could figure out their password and then generate the number.

    It's a bad idea for credit card companies to go the route of having a user generate a random number based on a password, as history shows us people are simple, and will often rely on choosing simple passwords.

    Again, a simple fix for this would be to have the credit card company pre-determine a block of numbers via mail or fax to the person, then afterwards have the person verify them when they intend to use them by phone if possible where caller ID can be used to ensure it's the correct person.

    Upon verifying the information, the credit card co., can then activate the numbers for use.

    Just my two cents.

    Where in the world is my wife

  13. Couldn't this be done an easier way? by flestrin · · Score: 1
    I'm no crypto genius, but I've thought about this before.

    Wouldn't it be simpler if you could just confirm every transaction with a secret only the cardholder knows? What I mean is, If I find a card, or preferably someone's whole wallet, lying on the street, I can use it on the net, no problem.

    Unless I had to put in a PIN that wasn't written on the card. I'm amazed that all the information you need to use a card is contained ON the card.

    The way I see it, you would have some kind of instant messaging account set up beforehand, and the CC company would have it on file. So every time you entered your card info to make a sale, the merchant would send the request to the CC co. for approval. Before giving that approval, the CC co. would IM you and ask for your PIN. Hopefully the PIN request would be by some out-of-band method (i.e. not via the merchant) pre-agreed on by you and the CC co.

    That way, the merchant would never get your secret (PIN, mother's maiden name, whatever) and couldn't record it in a database. And a criminal wouldn't KNOW the secret, and couldn't use your card.

    How this would work in a physical STORE, away from home, would take someone smarter than me to figure out. :)

    Just a thought.

  14. Short term solution by infiniti99 · · Score: 2

    Obviously this is a short term solution. There are only so many credit card numbers if the string is only 16 digits long. Soon numbers will be repeated, which could make for some strange things if companies keep records on file.

    The real solution is to ditch this insane credit card system. It plain makes no sense. Instead of giving the money to the merchant, you are giving him a key to your safe and telling him to "take only what you need." Sure, we have banks to protect overcharging, etc. The consumer actually does have a lot of protection when using a credit card. But think about the hassle that the credit card companies must go through because of this deranged system. What we need is a system that allows the consumer to authorize a payment. Perhaps when you go to the store, there would be a "vendor ID" at the counter and you would just whip out your cellphone and authorize a transaction.

    It's funny, because all of us can talk all day about security and huge bit keys and networking, yet we give our login and password to the waitress every time we eat out.

    -Justin

    1. Re:Short term solution by MasterAlex · · Score: 1

      Actually, in Germany (and in some other countries in Europe, too, I believe) we now have a company that offers paying via mobile phone: If your merchant wants to get money from you you give him your mobile phone number (or an alias name you might choose freely) and the request is sent to the server of Paybox (the company that is offering the service). The Paybox server then calls you on your mobile phone, repeats the amount that will be charged from your bank account and asks you to enter your PIN. If you authorize the payment the merchant will get his money and you will be billed at the end of the month.

      So far the system works quite well but until now it is only available with some cabs and online stores, you can't use it to pay in offline shops yet.

  15. Re:Algorithms by kels · · Score: 1

    There is even a Perl module that can verify checksums for you.

    --
    "I believe that the cult of the particular brings only death - for it bases order on likeness." St.-Exupery
  16. Anal probe by main() · · Score: 1


    > access-list 102 deny tcp any any established

    you don't need the "established"...

    Si

  17. Re:Not All 16-Digit Combinations Valid by ScottBob · · Score: 1

    I thought the first 4 was the bank code and the last 4 was the checksum, thus giving only 8 numbers to work with. (Maybe each bank has a range of numbers, e.g. 4000-5000 for one bank, 6000-7000 for another, thus giving 12 numbers?) When getting ATM receipts, for personal tracking purposes (did I charge with this card, or that card?) they show only the checksum number (the rest are XXX'ed out), since it is theoretically impossible to reconstruct an 8 digit number from a 4 digit checksum, right?

  18. Credit cards like Phone cards? by Suidae · · Score: 1

    I'd MUCH rather see credit cards that work like phone cards. You buy a card at Wal-Mart, where you don't have to identify yourself to anyone. You pay $10, $20, $50, $00 or whatever for the card, get it activated at purchase time (or call an 800 number), then you can buy stuff online and have it sent wherever you want.

    1. Re:Credit cards like Phone cards? by dardem · · Score: 1

      I find these cards are very wasteful, a lot of paper + wrapping, and yes I do care about the planet. Software handled disposable CC numbers isn't nearly as wasteful.

      --

      "Ceilean Súil an ní ná feiceann..."
  19. I'd sure welcome this by John+Jorsett · · Score: 2

    I'd love to use a 'one-time-only' credit card number system. I can't count the times that I've purchased what I thought was a limited-period service and discovered that the merchant automatically charges me at renewal time. It's a bloody nuisance to have to call them to remove the charge and take me off the auto-renewal list. Some of them have been so hard to reach that I've just cancelled the card to end the problem (my early AOL experience was one of those times).

  20. Re:Isn't this a lot of overhead? by thogard · · Score: 2

    The 1st 6 digits are assigned in blocks.

    Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.

    There is nothing keeping letters out of the credit card numbers. The mod 10 checksum even allows for it.

    Large amounts of the number space have been taken by some of the visa 12 digit cards.

  21. Re:An Alternative by thogard · · Score: 1

    I'm not sure smart cards are going to work in the real world. I've got a card from an early pilot project a few years ago and now the card won't work. Did I lose the value on the card? Is that money just gone? I know people who refuse to use phone smart cards because they have lost money when they die.

    I know two women who can't wear electronic watches because they end up zapped. They just seem to have strange static field that tends to wipe out stuff. One used to wipe out computers constantly until she went with full anti-static precautions (floor mat, wrist strap, even anti-static chair). Will these people ever be able to use smart cards?

  22. Re:Isn't this a lot of overhead? by alexburke · · Score: 2

    Oh boy... where to start?

    The 1st 6 digits are assigned in blocks.

    Actually, the first digit indicates the card type (Amex is 3, Visa is 4, MC is 5). The remaining three to five digits are assigned to issuing institutions (banks). No big deal here in Canada where there might be 100 issuing banks in total (since independent banks are virtually unheard of), but in the USA (where every podunk town has an independent bank) that pool would be exhausted pretty quickly.

    Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.

    Can you name one card type in use today with more than 16 digit card numbers? I sure don't know of any... Where did you get that figure from?

    There is nothing keeping letters out of the credit card numbers. The mod 10 checksum even allows for it.

    The ISO 7810 standard which governs almost all magstripe cards in use today contains provisions for three different types of information recording, referenced as Track 1, Track 2, and Track 3. Track 1 can contain up to 79 alphanumeric characters. Track 2 can contain up to 40 characters of numeric information. Track 3 can contain up to 107 characters.

    Track 2 is where the card number is stored. Thus, card numbers could theoretically be up to 38 digits in length (40 minus the start and stop "sentinel" characters), but cannot contain non-numeric characters. Ergo, letters are out. I have no clue where you got the idea they were possible.

    Even if that weren't the case, I would imagine a VERY good number (>95%) of POS (point-of-sale, not piece-of-shit) cardswipe terminals would freak out if they read a card number off a stripe as "4512A8F7B7A2C88F". Also, how the fsck do you enter that on the terminal's keypad if the stripe gets demagnetized? You don't.

    Large amounts of the number space have been taken by some of the visa 12 digit cards.

    The old Visa cards were 13-digit. All Visa cards now issued have 16 digits. (Amex cards are 15-digit.)

    Speak not from whence you know not.

    --

  23. What about the merchant? by BigZaphod · · Score: 1

    I want to know what is being done for merchants. I really like this idea of a disposable credit card myself, but there's still a pretty huge problem with online sales and that is the chargeback. We online store folks have something like 0 methods of contesting a chargeback. They want documentation? Well, I just print something out from a database. Problem is, that's not enough. What they really want is a physical indication of the presence of the card itself. Well, that's a bit hard over the Internet.

    So, in short, there's not much of anything we online merchants can do when a chargeback comes our way. I would love to see a nice solution to this problem.

  24. Re:Isn't this a lot of overhead? by wesmills · · Score: 3
    The ISO 7810 standard which governs almost all magstripe cards in use today[...]

    Ahh, but we're talking about entering these things into a computer form, eh? Since they don't have to worry about swiping a non-existent one-time-use card, then no worries as to if the number can be entered into a keypad.

    Also, since [presumably] the verification and deactivation are real-time, the numbers are instantly recyclable, since, as they're used they can become immediately available again.

    ---

  25. Re:AmEx has offered this for a few months now by jcsmith · · Score: 1

    So what happens if the item you order is backordered? I've had products ship over a month after I've ordered them before. An example would be a preorder of a product that has a delayed release. Does Amex offer a workaround for this?

  26. Re:An Alternative by jcsmith · · Score: 1

    I've used a similar system in the states. Bank of America offers this service where you can put X amount of money on a card (from your checking account) and it can then be used as a regular Visa credit card anywhere. Works good for relatives who you regularly send cash to for birthday, Christmas, etc...

  27. Re:You beat me to it... by psicic · · Score: 1

    My source is a friend who works in AIB...just let me say he isn't an important cog, just one of the underlings. It just came up in idle conversation one day. He's one of us - a geek/slashdotter - and his main concern was that his bosses (not in IT dept.) didn't even know about the program in any detail - they were doing well to even know it existed. If somebody asked they'd just fob them off with whatever answer they could come up with.
    My friend seemed convinced there would be other versions. My information, however, is older than yours...probably around July. Plus it's less official. Overall, in my opinion, I'd say your line is more likely.

    8)

    --
    Concrete analysis...
  28. Re:Number Ranges... by micromoog · · Score: 2
    I thought about that too . . . but since they're disposable, I think it's safe to say that you still won't be able to guess a good credit card number. Chances are you'll get a number that was only good for Bob Smith on Amazon.com on 2/3/02.

    So, the only danger is actually using up all the numbers. No problem there either . . . if we say there are 6 billion people in the world, the current 16-digit system still gives each of them somewhere on the order of 2 million numbers to use.

  29. Throw away credit card by jjr · · Score: 2

    Concept should go one more step further. It allow you to buy a Pre Paid card. And shop with that I believe that will be a lot more convenient than the throw away numbers.

    1. Re:Throw away credit card by Brento · · Score: 2

      Concept should go one more step further. It allow you to buy a Pre Paid card. And shop with that I believe that will be a lot more convenient than the throw away numbers.

      They're way ahead of you, pal. Go to cobaltcard.com, something AmEx has had out for more than a year.

      --
      What's your damage, Heather?
  30. Re:How about some security for my Debit Card??? by andersonjoy1 · · Score: 1

    I'm sorry! I should have made that statement clearer! I know the debit cards are less secure than credit cards. Credit Cards have better protection. I meant that I'm not too fond of Credit Card use. I prefer my Debit Card because it's more like a check. I can only spend what I have. I've gotten in trouble with my credit card debt and now that I've taken care of it, I feel better using my debit card. And your reply states my point that Debit Cards need better security so that if a merchant were to take the funds from my bank I could easily do something about it.

  31. An Alternative by kstumpf · · Score: 3
    I'm not sure if /. discussed this previously, but what about smart cards? These are normal credit cards with a microprocessor and around 32K(??) of memory. There's a reader that attaches to your computer, and when used at an online retailer that supports it, you can pop the card in the reader, enter your access code (like a PIN#) and it will send your information. It's triple DES encrypted, so your CC# is never transmitted or shown in plain text.

    You can also access your account online in this way and do other things, like download coupons to the card to be used at retail stores. For example, you can go to http://www.fakecoffeestore.com, download a discount to the card, then go to the mall to FakeCoffeeStore and use your card there for a discount. Pretty neat...

    Of course the problem with this setup is people have to support it.

    Info on the card I have, the FusionCard, is at http://www.fusioncard.com. I haven't gotten my reader yet, should be a neat toy though.

    1. Re:An Alternative by fatphil · · Score: 1

      Here in Finland we've had cash cards for many years (approaching 5 I guess). OK, you don't have your own terminal, but you can top them up at any cash machine, and use them almost everywhere you can use Visa for example.

      FP.

      --
      Also FatPhil on SoylentNews, id 863
    2. Re:An Alternative by cyberdonny · · Score: 2
      But will it work on all OS'es? As far as triple DES encryption is concerned: this could also be done in software, using a simple java applet for instance.

      Some smart-card proponents say that doing the encryption in software (rather than on the card) would leave the system open to viruses and trojans, which could draw money from your account/reveal personal details. However, if you think about it, this argument doesn't stand. Even if you have a card reader, with a card that does encryption in hardware, you are still vulnerable to Virii/Trojans, the only difference would be that the Virus/Trojan would attack the clear stream from the keyboard to the card reader instead. And unless you do everything using a small keypad directly attached to the card reader, this vulnerability will stay.

  32. Re:AmEx has offered this for a few months now by GargoyleMT · · Score: 1

    Well, the card has an expiration date just like any other. If, after a delay, the company tries to charge the expired card... Duh. The better question is if the company will ask you for a new one or just boot you to the end of the line because of the expiration, but that has nothing to do with the Private Payments service that AmEx offers.

  33. Re:Isn't this a lot of overhead? by alexburke · · Score: 1

    Yeah, I know 3 and 5 are shared. I think JCB has some 3's, and Discover etc. also use 5.

    I didn't know about the Aussie cards. Neat!

    As far as entering CC numbers, I was talking about point-of-sale terminals, not mobile phones. They simply can't handle non-numeric card numbers, period. Thus, letters are out of the question.

    --

  34. Nothing new. by FTL · · Score: 5

    Disposable credit card numbers? That's nothing new; just go to a 'cardz' site and grab a few. Am I missing something? ;-)
    --
    Slashdot monitor for your Mozilla sidebar or Active Desktop.
  35. Re:Automatic payment by BAM0027 · · Score: 1

    Just give it time. The automated services you had trouble with are simply too immature to rely on from every Tom, Dick & Harry company you deal with. While I'm not an expert in all experiences of this type (in fact, I've had both good and bad), I expect that problems such as yours will correct themselves in time.

    How long that will be depends, of course. If it means enough to someone, I'm sure they'll fix it.

  36. Re:Isn't this a lot of overhead? by micromoog · · Score: 5
    Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers.

    Nah, it's not that much of a difference. Think of it in database terms: if they currently identify your account by your CC#, they will just have to change that to some other general ID. They'll have to keep a relationship table going between the real ID and the disposable CC#'s, along with valid vendor and timeframe information, but it won't really change the way they do business that much. The conversion to the new system will cost a pretty penny, but believe me, they can afford it.

    Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...

    The system has room for each of 6 billion people to have almost 2 million numbers. Not a problem.

    You can be sure the credit card companies have considered all of these issues. They don't screw around. Due diligence is a way of life for these people; their line of business leaves no room for error.
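Added example, not from any commenter or card issuer: a sketch of the relationship table micromoog describes, combined with the behaviour reported earlier in the thread (a 16-digit number with the issuer's usual prefix that passes the mod 10 check, binding to the first merchant that uses it, one-time versus recurring). The `999999` prefix, the 30-day validity, and all class and field names are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


def luhn_check_digit(body: str) -> str:
    """Mod 10 check digit for a number that is still missing its last digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VirtualNumber:
    account_id: str                  # the real account, never sent to merchants
    expires: date
    recurring: bool
    merchant: Optional[str] = None   # bound on first authorization
    spent: bool = False


class Issuer:
    PREFIX = "999999"   # constructed placeholder, not a real issuer range

    def __init__(self):
        self.table = {}  # disposable number -> VirtualNumber row

    def issue(self, account_id: str, today: date,
              recurring: bool = False, valid_days: int = 30) -> str:
        while True:
            body = self.PREFIX + "".join(
                secrets.choice("0123456789") for _ in range(9))
            number = body + luhn_check_digit(body)
            if number not in self.table:
                break
        self.table[number] = VirtualNumber(
            account_id, today + timedelta(days=valid_days), recurring)
        return number

    def authorize(self, number: str, merchant: str,
                  today: date) -> Tuple[Optional[str], str]:
        """Return (real account to bill, reason); the account is None on decline."""
        row = self.table.get(number)
        if row is None:
            return None, "unknown number"
        if today > row.expires:
            return None, "expired"
        if row.merchant is None:
            row.merchant = merchant              # lock to first merchant
        elif row.merchant != merchant:
            return None, "merchant mismatch"     # stolen number used elsewhere
        if row.spent:
            return None, "already used"
        if not row.recurring:
            row.spent = True
        return row.account_id, "approved"


if __name__ == "__main__":
    today = date(2001, 1, 15)                    # constructed sample date
    bank = Issuer()
    n = bank.issue("acct-0001", today)
    print(n, luhn_valid(n))
    print(bank.authorize(n, "bookshop.example", today))
    print(bank.authorize(n, "other.example", today))
```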

  37. Re:perfect complement by generic-man · · Score: 1

    That's absolutely priceless. Here you are, pimping sneakemail as an ideal spam-free, disposable, confidential e-mail provider...

    ...and then you print your e-mail address right along with it, without so much as a "REMOVEME" to stand in the way of spammers. Brilliant move, Einstein.

    --
    For more information, click here.
  38. Re:Direct Authorization and other ideas by Mr.+X · · Score: 1

    You've just described SET.

  39. Exceptions... by singularity · · Score: 1

    I am big on not giving money to the chain store. This includes people like Amazon.com and others. I buy my books at locally owned book stores, I shop at locally owned grocery stores (the few there are), and so on.

    I have avoided places like Amazon because I like people like Joe at the small bookstore down the street.

    There are exceptions, however. I have yet to find a good way to buy airline tickets except online. I also tend to buy computer equipment online (http://www.smalldog.com/ - a small Mac online Mac store).

    Before buying, however, I make sure of several security concerns - do they save my credit card number? Do they have well-written Privacy policies? Do they send unsolicited Spam?

    Still, I would use one-time credit card numbers if they were made available to me.

    --
    - (c) 2018 Hank Zimmerman
  40. Re:Isn't this a lot of overhead? by SlashGeek · · Score: 2
    I understand where you are coming from, and yes, to be a dick I suppose he/she could send you a shit load of stuff. I had thought of that earlier but I think the biggest problem is with merchandise they cannot reclaim. It would be far less worth someone's time to break a federal law just to pull a prank (for most people anyway). Besides, if you just refuse shipment, most companies won't (can't?) charge you, it gets refunded when the package returns to the warehouse, including shipping.

    And no, email isn't secure, but when you think about how most people get CC#'s, they usually don't have access to personal email accounts. So how would they know what address to enter when it asks for one? And to take that even further, perhaps require a PIN number to be entered in the reply mail somewhere. The more the criminal needs to know, the harder it will be for them to succeed. And the bigger trail they will leave too.


    "Everything that can be invented has been invented."

    --

    --I assume full responsibility for my actions, except the ones that are someone else's fault.

  41. Re:Working around a problem by Regolith · · Score: 2

    Only thing is, in solving the problem, they also make credit card generators viable again. I mean, you can get registration code generators for at least half of the commercial software ever released. I can't see this being much different.

    --

    Bow before my sig, for it is good.
  42. NO loss on credit card fraud! by www.sorehands.com · · Score: 2
    It's the vendor that loses on fraud.

    If the person sees the charge, then the credit card company will reverse the charge back to the merchant -- unless the merchant can show a valid signature and card swipe.

    The only times when the credit card company loses money, is:

    • when they give a good faith credit to the cardholder on a dispute,
    • when the cardholder does not pay the bill.
  43. Yes, and this is exactly why this shouldn't be here by b0r1s · · Score: 1

    This, once again, is not news. This was news last September, when it was originally run. Apparently Michael Sims has a penchant for re-running stories, as he did it last night in a story about projectile robots, a 'news' story that's 11 months old. This is ridiculous... Andover's failing quickly, and they're wasting 100k/year on Michael Sims to post shit that happened months ago, that /. has already covered...

    I hope you nerds enjoy reading about stuff that's already happened... it's this kind of nonsense that's killing this site.

    --
    Mooniacs for iOS and Android
  44. You beat me to it... by psicic · · Score: 1

    I was about to post the same thing...it's been in Ireland - AIB at least - for quite a while now.
    For those of you interested, it actually works pretty well. I installed the software a while ago because there was at least one website I sent my credit card details to that never got back to me (and that makes me worried even though it's over a year ago and the card expires in three weeks 8).
    What I wanted to question was who told you there wouldn't be a Linux version? Was it some minor bank official, because as far as I could gather, the plans are to press ahead with both Mac and Linux versions. But you know how Irish banks are with truth. (You put down Dublin as place of residence and nationality as Irish on your account application...so do you want a resident or non-resident account?)
    Not intended as a slur against AIB who has only ever practiced good, lawful business practices...as far as I know.


    8)

    --
    Concrete analysis...
    1. Re:You beat me to it... by mlawton · · Score: 1

      The people I spoke to were some guy from Information Security (who apparently was in charge of security in the Transactonline Project) and a lady from the Internet Banking Section. (I have their names, but I think they would rather they not be broadcast)

      They both seemed certain that there would not be a Linux version (the reason I was referred to the Security guy was that I made the point that a non open source version of the software could not be trusted - particularly from a crowd of crooks like AIB). After that I lost interest.

      Where did you hear that the non-windows versions are still in the offing? My information dates back to September.

      (BTW: that was me who posted the original comment, I just couldn't remember my username at the time...)

  45. Non-winblowz format with Discover by GweeDo · · Score: 1

    There are plenty of CC providers that currently offer a feature like this. Discover currently has a system where you login via their web site and they will generate a number for you that "links" back to your real account number. The online store you purchased from never has the real number, only Discover. So a hacker would have to get into Discover's database to get your number, and if they do that...well...you are already screwed :)

  46. Re:What about disposable numbers? by micromoog · · Score: 3
    Like 4. I just used it. Throw it away now.

    Well, there goes Visa. You can still use your MasterCard until someone uses 5 . . . aw crap.

  47. AMEX by sconeu · · Score: 2

    American Express has been doing this for a while. And while the silly plugin makes it easier, you don't need to use it. I've been using their service (sans plugin) for about 5 months. I think it's great.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  48. No, but it's a stupid method by athmanb · · Score: 1

    A much better way:

    Give your customers a way to authorize credit card payments. Instead of using their normal 16 digit cc number for buying a single-month-membership at www.sexyteens.com (and not knowing shit about both the trustworthiness of the webmaster and of their security/antihacking measures), enable them to go to your website (https://www.mastercard.com/) and create a temporary one.

    The users can then e.g. select that he wants this temporary number to carry $30. Some script (hopefully not visual basic...) can then encrypt the data and Base64 it, giving the user the number "KBVjSOEgraG3bp7WIkbMWKPRB" to pass on to the shady website owner.
    This protects him from excessive fraud (having the website charge him $500 instead of $30) as well as from cc theft (the stolen number will be completely worthless as soon as it has been billed for its allowed charge) and identity theft (since a number like that would not be legally allowed as proof of identity)

    But since we're going to have to wait for banks to implement this scheme, I don't believe we'll see a possibility like that before 2050 :(
    --------------------------------------

  49. Short term solution to whose problems? by Sven+Tuerpe · · Score: 1
    It's funny, because all of us can talk all day about security and huge bit keys and networking, yet we give our login and password to the waitress every time we eat out.

    So how many people have lost all their money due to this lack of "huge bit keys"? Of course the figures usually are impressive if a credit card company announces losses by credit card fraud had been so-and-so many billions last year. But think a minute, or better an hour, about who is losing how much, i.e., how risks are distributed among the customer, the merchant, and the credit card company.

    This is mostly a non-technical problem, and "huge bit keys" can actually make your situation, as a customer, worse. There have been reported cases of European banks accusing their customers of fraud when they complained about phantom withdrawals via ATMs. After all, the bank had strong encryption, so the customer must have done it herself or at least have helped by giving away her secret PIN. So "huge bit keys" did not save the customer's money, but the public prosecutor's job.

    Besides, I haven't seen in years a "more secure" payment system which is as convenient and easy to use (by the honest owner of the money who would like to spend it online or offline) as an old-style credit card. It's universal, it's small, it's something I never leave in the office when I go home, and it does not force me to pay in advance before even knowing what I might want to buy some day. I'm not going to bury my money on smartcards or on my harddisk, and I'm not going to do anything less convenient than fetching my card and typing in what is printed on it, just to buy something on the net. Put a chip onto my credit card and give me two card readers (for home and office use) for free, if that helps to increase security, but don't try to add complexity to my everyday life. If I need something really complex, I'll install IBM DB2. :-)

    Recommended reading:
    Ross J Anderson: Liability and Computer Security: Nine Principles. (PDF)

    --
    http://erichsieht.wordpress.com/category/english/
  50. How about some security for my Debit Card??? by andersonjoy1 · · Score: 2

    I refuse to use a credit card in general not just online. I do have one, but I stopped using it a year ago. It's too dangerous! So now all I use is my debit card. Unfortunately there's NO security for debit cards. I'd be responsible for all of the charges. How about the banks get special debit numbers for online use? Thanks for allowing the vent!

    1. Re:How about some security for my Debit Card??? by Duckz · · Score: 1

      I can't see how you think CC's are more dangerous than Debit cards?

      I know that at my bank, my debit works just like my Capital One Visa card. Capital One is much better at handling fraud than my puny little local bank is. So, I'm not sure about you, but I'm just the opposite. I'd rather get a bill in the mail from my credit card company and dispute with them the charges than have some merchant take the funds directly out of my bank account and during the whole time I'm disputing the charges, I'm out of that money.

      --
      Todd

  51. Smartcards (JavaCard) by catseye_95051 · · Score: 2

    This can be extremely secure if based on a smartcard. Basically it's public/private key encryption. The card holds a private key which it uses to generate a token that can be public-key verified on the far end. In various ways it can be ensured that a number once used cannot be used again so in fact it is extra-secure against kiddies grabbing card numbers.

    Keep in mind that vanilla credit cards have a 20% fraud rate. That's A LOT of money to pay for infrastructure if you can significantly reduce that percentage.

  52. Re:Isn't this a lot of overhead? by questor · · Score: 1

    >Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.

    I think the extra three digits in question is a security code frequently found on the back of the card in the signature area; I don't know if they really qualify as part of the card number. (MBNA's ShopSafe system, one of the systems this whole article is about (and the one with which I have personal experience), generates these codes...)

    --
    Mashed potatoes can be your friends!
  53. Re:Isn't this a lot of overhead? by alexburke · · Score: 1

    This is the CVV (Card Verification Value). It is not present on the stripe.

    --

  54. What about disposable numbers? by Anonymous Coward · · Score: 1

    Like 4. I just used it. Throw it away now.

  55. Algorithms by number+one+duck · · Score: 1

    Won't this make it that much easier for kiddies to find the algorithm that is used to verify these numbers? Or are they maintaining a database of them, which could be stolen, etc?

    1. Re:Algorithms by Coward,+Anonymous · · Score: 2

      Won't this make it that much easier for kiddies to find the algorithm that is used to verify these numbers?

      The algorithm for credit card numbers is not a secret. You can determine if a card number is potentially correct yourself, but you need to contact the credit card company to ensure that a number is correct (and that they have enough money to cover their charge).

  56. Isn't this a lot of overhead? by zaius · · Score: 4
    Along with the one time use numbers, they also:

    ...let you assign a permanent (phony) credit card number to a site where you do ongoing business. If you use several such sites, each will have a different number.

    Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?

    This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...

    Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...

    Sorry if that was incoherent

    1. Re:Isn't this a lot of overhead? by Brento · · Score: 2

      Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?

      That's not for the card companies to manage - it's for YOU to manage. For example, I leave my credit card number on file at Netflix.com, and they charge me every month. If I wanted to, I could use a disposable number for that, and I'd know if it got used anywhere else that Netflix's database had been compromised. Then, I'd only have to cancel one disposable card, instead of reentering my card number at all of the places I do business with.

      This is actually a Good Thing, no offense to Martha Stewart. I had my wallet stolen in Mexico a while back, and ever since, I've had a separate credit card that I use just for online transactions. It helps me prevent fraud (that account should never show anything but the same four or five retailers) and makes it a lot easier if I get my pocket picked again - my services keep coming, regardless of whether I have to stop my other cards.

      --
      What's your damage, Heather?
    2. Re:Isn't this a lot of overhead? by alexburke · · Score: 2

      The system has room for each of 6 billion people to have almost 2 million numbers. Not a problem.

      Not all 16-digit numbers are valid -- actually, far from it. The LUHN-10 algorithm makes sure a CC number supplied by the client is valid before submitting it for authorization. All credit (and debit/ATM) card numbers must fit that algorithm.

      Therefore, there aren't nearly as many numbers available as you might think.

      --

    3. Re:Isn't this a lot of overhead? by ScottBob · · Score: 1
      They somehow manage with prepaid phone cards and cellular phones, why wouldn't it work with other transactions? How 'bout a one-use prepaid Internet card? Pay cash for a $20 one-shot card at a grocery store, post office, or even an ATM style vending machine; it would be just the same as purchasing cashier's checks, traveler's checks, or money orders (which often recycle numbers on them), and if your product or service is not received, you can call to get a stop payment placed on the transaction.

      This would also be a good way to STOP recurring payments, e.g. membership sites that won't stop deducting unless you call them, and they often keep deducting even after deactivating your password. My CC number was stolen and used on a membership site (most probably pr0n) and I had to call the bank and have the card number deactivated because I had no foggy idea who was doing the monthly charge. The bank eventually traced the charges and did a chargeback so luckily I got refunded, and I hope it put the hurt on the site operator. If this is the case, site operators who use recurring payments should embrace the one-shot credit card to keep from having to pay out chargebacks.

      As far as Amazon.com and their one-click thing, I avoid it at all costs. I choose not to save the CC number, and immediately erase any cookies Amazon might put on the computer afterwards, only making a hard copy printout with the confirmation number and other information to keep in a safe place until I received the order. Besides that, having to re-enter personal info and CC numbers offers a "cooling-off" period (do I really want to place the order?) and stops the impulse buying that one-click was really designed for.

    4. Re:Isn't this a lot of overhead? by thogard · · Score: 1

      Lovely facts...
      Your 3,4,5 rule is not correct.
      3 is used for many different cards just like 6.
      Visa (which gets about 60% of the cc business) has almost exclusive use of 4..... but MasterCard which only has 30% has to share 5 with other companies like JBC and Eurocard.
      The 6 digit blocks are allocated to a bank or collection of banks that have their own processing systems. Most small banks don't have their own systems and use someone else which takes care of the consolidation of small banks.

      19 digit card number... Commonwealth Bank of Australia. This is not the CVV codes which also are 3 digits.

      The mod 10 checksum assumes you drop a nibble of data on alphas and if they were in EBCDIC they work just fine. The routine was designed so that it could be done very quickly on old mainframes. If you take more than 5 lines of code to do it, something is wrong.

      You are right about the track 2 being all numbers.
      Also correct with most machines not accepting alphas in cc numbers. As far as entering them, my mobile phone lets me do it just fine.

      There are cards in circulation with as few as 9 digits. Sometimes the short cards have trailing zeros on their mag strip sometimes they don't.

    5. Re:Isn't this a lot of overhead? by SlashGeek · · Score: 2
      Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?

      Or how much will they save? Credit fraud costs CC co's millions (billions?) yearly, well worth the price of some servers.

      This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...

      I suppose they could, unless you set up your Amazon account to only allow shipping to your address. And to take that one step further to change your address you would have to log in, have them send you a mail to an address they have on file, and reply to it. Then the thief would not only need your CC# but your email password as well.

      I suppose we could go back and forth with this all day; for every action there is an opposite reaction. Criminals will always try to stay one step ahead.


      "Everything that can be invented has been invented."

      --

      --I assume full responsibility for my actions, except the ones that are someone else's fault.

    6. Re:Isn't this a lot of overhead? by smatthew · · Score: 1

      There is such a beast. At some 7-11's you can buy limited use AMEX cards - with a certain value so you can use it online or wherever. Certainly has the possibility for anonymizing transactions online or in the real world

      --
      slashdot username - at - email.domain.name
    7. Re:Isn't this a lot of overhead? by markmoss · · Score: 1

      No, the numbers aren't instantly recyclable. Scroll up to the part where someone says that retailers are required to keep the charge slips for 3 to 7 years. They attributed this requirement to charge-backs, but I think 3-6 months would be sufficient for that purpose.

      However, the number of people alive now is a 10-digit number, so (even ignoring that most people on Earth now will never have a credit card), a 16-digit number with one digit for checksum provides 100,000 numbers per person. I don't think they'll have to recycle the numbers too fast.

  57. Re:I use 'em by fougasse · · Score: 1

    I have never used AOL. Should I suddenly feel the desire to do so, I would have no problem encrypting e-mail. But I never have. Why? First, because the person on the other end might have problems reading it -- far from all clients support encryption, and some support different kinds. Second... ooh, someone's gonna read my e-mail, I'm scared. Just send me your address, I'll forward my gossip to you, too! The assumption that everyone must be a privacy freak is quite annoying.

  58. Working around a problem by Mossfoot · · Score: 3

    I have a philosophy in life. Know your limitations, and work your life around them instead of trying to work through them.

    For example. When I first went to university, I was slightly overweight. I know I don't have the willpower for working out regularly, I've tried too many times and failed. So instead, I found an apartment five miles away from the university, with a nice bike path that went almost all the way to where I lived. There was no way I would pay for a monthly bus pass (money better spent on games) so for the next three years I was biking at least 10 miles a day, five days a week. Sure it's a little extra work, but it's worth it. Problem solved.

    This solution reminds me of that. Instead of trying to make encryption better and better, a process everyone knows will always have problems and flaws, either in security or convenience, they worked their way around it by making the numbers a one-shot deal. Sure it's a little extra work, but the rewards are worth it. Problem solved.

    --
    Fuzzy Knights: New RPG Strips Tuesday and Friday!:
    http://www.fuzzyknights.com
  59. Re:Stealing regular card numbers by michael_cain · · Score: 1

    You're absolutely right. The software to recognize the situation and extract the password(s) needed for getting single-use card numbers is more complicated than that needed to recognize a valid card number, but the same basic approach would work.

  60. One-click shopping sites by SClitheroe · · Score: 3

    Gotta love this quote "They can't be used on one-click shopping sites such as Amazon, where permanent card numbers must be stored. "

    Seems to me you could enter the credit card number when making a purchase, click "Buy", and still come in at one click..

    The sad thing is that the way it's written, it's like the author really thinks that Amazon _must_ keep credit card numbers on file...

    1. Re:One-click shopping sites by piku · · Score: 1

      One click shopping means that you are on the product page, say "ooh I want this!", hit buy, and it's on its way. That simple; no typing, shopping carts, just hitting buy and it's a done deal.

    2. Re:One-click shopping sites by agentZ · · Score: 2
      The sad thing is that the way it's written, it's like the author really thinks that Amazon _must_ keep credit card numbers on file...

      Honest question: When a user makes a purchase, how long does the site have to store the credit card number? Obviously it has to be stored long enough to send off to the credit card company for authorization, and perhaps during the rest of the transaction (e.g. to show on the screen as "charged to your Mastercard xxxx-xxxx-xxxx-1234"). But what if there's a dispute or other problem with the transaction? (For example, if the customer returns the item and asks for a refund.) Are there legitimate cases where the credit card number should be stored for at least a while?

    3. Re:One-click shopping sites by cyberdonny · · Score: 2
      Or worse: "gosh, that piece of spam is really strange. The main image seems to be borken. Hey, let's have a look at its source":

      <img src="http://www.amazon.com/cgi/oneclick.cgi?book=dianetics&confirm=no&details=usecookie">

    4. Re:One-click shopping sites by duffbeer703 · · Score: 2

      Stores retain credit card numbers from purchases for anywhere between three and seven years.

      They are required to keep original sales drafts in order to process chargebacks. A number of other consumer protection laws also require the retaining of customer information, including cc numbers.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
  61. I use 'em by mrolig · · Score: 2

    MBNA offers them. They use either an HTTPS/HTML solution or a flash plugin to do it. It's nice, because you can basically set an arbitrary credit limit and expiration date for the card number. Then if a cracker breaks into the e-commerce site, they can't use the credit card at all, because (hopefully) the thing you bought with the card maxed out the credit card (or at least came close). The way I use it is to get everything ready to go at the e-business and get a total price. Then I go create a credit card number with a limit close to the total and make it expire in a month. I can be pretty sure that no one will be able to steal the card and make big purchases.

    1. Re:I use 'em by kil_666 · · Score: 1

      > (i.e. easy enough for 22 million AOL users), I use one of these [AIB Visa using something called O-Card which I presume was developed by Visa]. Pathetically simple - launch it and it sits as a Task bar icon - when you want to pay something you click it, up pops a dialog (that looks like a credit card in case you are really dumb) Click pay now - a simple dialog asks for the credit limit - then you authenticate with a decent password - and it throws up a silly picture of a credit card so even a real dingbat can figure out what to type into the web page.
      Personally I never trusted any online vendor with my credit details - and it's not just hackers I don't trust it's the vendors themselves. With this I don't give a damn - it's a one shot limited liability item. Only drawback I've had is using it for airline bookings where they require you to present the card later in order to pick up the tickets. No can do as there is no "card" as such.

    2. Re:I use 'em by agentZ · · Score: 2

      Does that require any extra installation on the user's part? If so, you're going to need a technical support hotline so that people who don't read directions can call at 2am because they want to buy Fluffy a new dog collar but don't "want to be bothered becoming a computer expert."

  62. 16 Digit Limit Artificial by Brian+Ristuccia · · Score: 2

    Actually there are 19 digits available

    The 16-digit limit is indeed artificial. But it's going to be hard to overcome. Sure, 17, 18, and 19 digit cards are going to work just fine at POS terminals that have been implemented carefully with the specification in mind. But it's likely many of them will fail in other places due to artificial limitations added by people who didn't quite understand the big picture.

    Many online ordering forms have a text box for the credit card number that's capped at 16 digits. Worse still, some won't even accept older style 15 digit and shorter AMEX and VISA cards. People who have been cardmembers for a long time (and thus have these lower numbers) have been experiencing this problem for some time and many have requested new cards be issued with 16 digit numbers. New cardmembers that get 17, 18, and 19 digit cards are going to be unable to use them at similarly ill-designed sites and will probably try to gripe at the card issuer for a shorter number.

  63. woo boy! by Mossfoot · · Score: 1

    Forgive the spelling and grammatical errors. I hang my head in shame.

    --
    Fuzzy Knights: New RPG Strips Tuesday and Friday!:
    http://www.fuzzyknights.com
  64. Is nice but still on an exploitable computer by sepulcrum · · Score: 2
    This technology is nice but too bad it runs on your windows computer, now it'll be even more interesting for people running things like sub7 and other trojans to 0wn your windows box, so they can generate their own 1 time credit card numbers from your program (they can find your password with the keylogger).

    A better solution would be a system similar to what my local bank gave me: a device that looks like a calculator protected by a pincode that allows you to digitally sign things. A few modifications and a device like this could generate your one time credit card numbers. Now that would be a secure solution!

    With some thought this device could do away with passwords etc as well. Now we only have to hope they'll opensource the technology...

    1. Re:Is nice but still on an exploitable computer by Zico · · Score: 1

      Yeah, they should make this for operating systems which don't have trojans and keyloggers for them! Now, if there are any out there that have more than 1000 users, I'd be interested in hearing it.


      Cheers,

  65. We need disposable card numbers! by Bobb+Sledd · · Score: 2

    This is a really good idea! Think about it more carefully:

    Let's say that I go to a store on the 'Net that I don't know or trust too well. I see a t-shirt or mug or something I want to buy for $12 but don't really want THEM to have access to all my credit on one of my cards.

    So... I generate a credit card number with a fixed limit of $17 and give that number to them, and I don't have to worry about my number being stolen: it's only good for 17 bucks!

    So you see? This allows you to have more control over your credit cards and relieves the worry that your card will be charged more than you wanted it to be.

    Another application are those damn Time-Life CD's they sell on TV. Ever bought one? Of course not! Cause you're not gonna just buy one! They keep sending you CD after CD - the whole set, as long as it will fit on the card you gave them!

    So, just give them a disposable card number for the amount they need, and be done. When they run the card again next month, it'll deny and they won't send you any more crap.

    --
    "They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
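Several comments above describe the issuer-side bookkeeping behind a disposable number: a table relating it to the real account, a spending limit, an expiry date and the merchant it is tied to. The sketch below works through that authorization check as an added example, not any issuer's actual system; the class and field names, the merchant names and the `VPAN-*` identifiers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass
class VirtualNumber:
    account_id: str                 # issuer-internal ID; the merchant never sees it
    limit_cents: int                # total the number may ever be charged
    expires: date                   # last day the number is honoured
    merchant: Optional[str] = None  # None = bind to the first merchant that charges it
    spent_cents: int = 0
    revoked: bool = False


class Issuer:
    """Hypothetical issuer table: disposable number -> real account + constraints."""

    def __init__(self) -> None:
        self.table: Dict[str, VirtualNumber] = {}
        self.ledger: Dict[str, int] = {}    # account_id -> total charged, in cents

    def issue(self, vpan: str, account_id: str, limit_cents: int,
              expires: date, merchant: Optional[str] = None) -> None:
        self.table[vpan] = VirtualNumber(account_id, limit_cents, expires, merchant)

    def revoke(self, vpan: str) -> None:
        # Cancelling one disposable number leaves the account's other numbers alone.
        self.table[vpan].revoked = True

    def authorize(self, vpan: str, merchant: str, amount_cents: int,
                  today: date) -> Tuple[bool, str]:
        vn = self.table.get(vpan)
        if vn is None:
            return False, "unknown number"
        if vn.revoked:
            return False, "revoked"
        if today > vn.expires:
            return False, "expired"
        if vn.merchant is not None and vn.merchant != merchant:
            return False, "merchant mismatch"
        if amount_cents <= 0 or vn.spent_cents + amount_cents > vn.limit_cents:
            return False, "over limit"
        # Every constraint held: bind to this merchant and post to the real account.
        vn.merchant = merchant
        vn.spent_cents += amount_cents
        self.ledger[vn.account_id] = self.ledger.get(vn.account_id, 0) + amount_cents
        return True, "approved"


def demo():
    """Constructed scenario: a $17 one-off number and a merchant-locked number."""
    issuer = Issuer()
    issuer.issue("VPAN-A", "acct-001", 1700, date(2001, 3, 31))
    issuer.issue("VPAN-B", "acct-001", 5000, date(2001, 3, 31),
                 merchant="rentals.example")
    attempts = [
        ("VPAN-A", "shirts.example", 1200, date(2001, 3, 1)),    # the $12 purchase
        ("VPAN-A", "shirts.example", 1200, date(2001, 3, 20)),   # merchant bills again
        ("VPAN-A", "other.example", 400, date(2001, 3, 21)),     # leaked number, new shop
        ("VPAN-B", "other.example", 100, date(2001, 3, 2)),      # locked to rentals.example
        ("VPAN-B", "rentals.example", 2000, date(2001, 3, 5)),   # the intended merchant
        ("VPAN-B", "rentals.example", 2000, date(2001, 4, 5)),   # after the expiry date
        ("VPAN-Z", "shirts.example", 100, date(2001, 3, 1)),     # never issued
    ]
    results = [issuer.authorize(*a) for a in attempts]
    return results, issuer.ledger


if __name__ == "__main__":
    results, ledger = demo()
    for r in results:
        print(r)
    print(ledger)
```

The merchant only ever holds the disposable number; the mapping to `acct-001` exists in the issuer's table alone, so a merchant database leak exposes nothing that passes these checks elsewhere.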
  66. Not All 16-Digit Combinations Valid by Brian+Ristuccia · · Score: 4

    So, the only danger is actually using up all the numbers. No problem there either . . . if we say there are 6 billion people in the world, the current 16-digit system still gives each of them somewhere on the order of 2 million numbers to use.

    Don't forget that not all 16 digit numbers are valid for use as credit card numbers. In order to be valid, a number must first pass a rudimentary checksum test called LUHN-10. This checksum is intended to prevent unnecessary online verification of numbers that were entered in error. In short, the sum of odd numbered digits (numbering starts at the right, not the left) must be evenly divisible by 10, and the totals of the other digits each individually multiplied by two must also be evenly divisible by 10. As a result, there are far fewer than 10000000000000000 sixteen digit credit card numbers available.

    1. Re:Not All 16-Digit Combinations Valid by Anonymous Coward · · Score: 1

      Actually there are 19 digits available (most card schemes just don't use them all in the USA) so that means that this part of the discussion is immaterial for the foreseeable future (then there will be upgrades allowing even more digits - actually there already are CC number extensions available in most card schemes, again just not used yet).
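The LUHN-10 (mod 10) check comes up in several comments above, along with the question of how much of the number space it leaves. As an added example (not code from any poster), this implements the standard Luhn check: every second digit counting from the right is doubled, the digits of each doubled value are added, and the single overall total must be divisible by 10. It then measures what the check costs in number space and which typing errors it catches. `79927398713` and `4111111111111111` are widely published test values, not real accounts, and the 6-digit issuer block is the figure quoted in the thread.

```python
def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check; spaces and dashes are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):   # i == 0 is the check digit
        if i % 2 == 1:                         # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9                         # same as adding the two digits of d
        total += d
    return total % 10 == 0


def valid_check_digits(body: str) -> list:
    """All final digits that make body + digit pass; always exactly one."""
    return [c for c in range(10) if luhn_valid(body + str(c))]


def valid_numbers(total_digits: int, fixed_prefix_digits: int = 0) -> int:
    """Count of Luhn-valid numbers: one digit is the checksum, the prefix is fixed."""
    return 10 ** (total_digits - fixed_prefix_digits - 1)


def numbers_per_person(total_digits: int, population: int) -> int:
    return valid_numbers(total_digits) // population


def undetected_single_digit_errors(number: str) -> int:
    """How many one-digit typos of a valid number still pass the check."""
    missed = 0
    for pos, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch and luhn_valid(number[:pos] + repl + number[pos + 1:]):
                missed += 1
    return missed


def undetected_adjacent_swaps() -> list:
    """Digit pairs (a, b) whose transposition inside a number goes unnoticed."""
    missed = []
    for a in range(10):
        for b in range(10):
            if a == b:
                continue
            body = "123456" + str(a) + str(b) + "1234567"   # constructed 15 digits
            check = str(valid_check_digits(body)[0])
            swapped = "123456" + str(b) + str(a) + "1234567" + check
            if luhn_valid(swapped):
                missed.append((a, b))
    return missed


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))          # published test number
    print(valid_check_digits("7992739871"))           # the one digit that fits
    print(numbers_per_person(16, 6_000_000_000))      # valid numbers per person
    print(valid_numbers(16, fixed_prefix_digits=6))   # per 6-digit issuer block
    print(undetected_single_digit_errors("4111111111111111"))
    print(undetected_adjacent_swaps())
```

The checksum removes exactly one digit of freedom, so it catches mistyped numbers but does nothing to stop someone generating well-formed ones; only the issuer's authorization decides whether a number is live.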

  67. perfect complement by KevinMS · · Score: 2


    Don't forget, sneakemail.com is the perfect complement to disposable cc numbers. If you don't trust an e-commerce company with your cc number, why would you trust them with your email address?

    --
    Sneakemail is to spam filters what an ounce of prevention is to a pound of cure.
    1. Re:perfect complement by KevinMS · · Score: 1


      If you knew anything about sneakemail you would know that "g4hu5001@sneakemail.com" is not my real email address. Why else do you think I would mention it here in a story about disposable cc numbers??? To just "pimp" it? And why so hostile?

      --
      Sneakemail is to spam filters what an ounce of prevention is to a pound of cure.
  68. Re:Number Ranges... by TVmisGuided · · Score: 1

    Actually, the first four digits are (theoretically) bank-specific, so you've really only got 12 to work with. But that's still going to make a pretty good-sized range of valid numbers to go through before they have to start recycling.

    --
    All the world's an analog stage, and digital circuits play only bit parts.
  69. This is only a quickfix by alen · · Score: 2

    Quite a few data thefts occur straight out of a company's database. Take Macy's or any other retailer as an example. When you make a purchase at a B&M store your credit card # and other info is most likely stored in the same database as the online purchases. Why have different systems? And even at B&M stores the card number is still sent over the Internet. The card has to be verified somehow. One time credit cards aren't the answer. I don't see American consumers carrying 20 cards at a time. This problem isn't going to go away until security is taken seriously.

  70. Issues with disposable CCNs by ErikTheRed · · Score: 1
    I've been using the American Express Private Payments (R) (C) (TM) function since it became available, and I love it. Some quick points:
    It's easy to use - it takes about 30 seconds to log into the AmEx website and get a one-time CCN, which can be drag & dropped to the form on the web site you are purchasing from.

    I don't know about other CC companies, but the AmEx site does not require any plug-ins, and should be compatible with just about any browser.

    As far as the running out of numbers issue is concerned, I don't think it will ever be a problem. Why? Because (at least with AmEx) each number is valid for only one transaction, and is accompanied by an expiration date which is the month / year that you request the number. The number is (at least for that transaction) also linked to the name and billing address for your credit card. So basically, after x weeks or months, each number can be reused. Since there are four data items that must coincide for a charge to occur (CCN, Exp. Date, Cardholder Name, and Cardholder Billing Address), numbers could theoretically be safely reused almost immediately if the CC company felt like it.

    Just my $.02

    --

    Help save the critically endangered Blue Iguana
  71. Re:Amex's Blue by andersonjoy1 · · Score: 1

    Unfortunately there are still stores that use the old swipers. My store being one of them. We own a greenhouse and in the spring we can't get all the wiring outside where the register is so we swipe the cards then put them through our machine later. Not to mention when you call someplace it would be much easier just to read your card instead of taking the time to generate a new number. Just my opinion.

  72. Amex's Blue by pres · · Score: 2

    I have the blue card from Amex (the one with the microchip) and use these payment numbers. I insert my card in its reader, enter my PIN to authenticate and generate a card number. I have now used it for quite a few online purchases without problems. Personally I think it is one of the best things they have done.

    Of course, I can also generate the random numbers by logging into their site using my username and pw but hopefully they will add a restriction so I can limit login to my smart card.

    Also, I just took a survey they sent out to gather feedback. In it they asked which of the additional features listed you found most interesting. They included several listed in the article, including generating a long term number you could put on file with someone like Amazon but if it was stolen could not be used by someone else (only accepted charges from Amazon) and putting limits on generated numbers (i.e. you can know a site cannot overcharge you, you can give the number to a child without worrying etc.). Once they have these I will be using Amex for all my online purchases.

    Now I am just waiting for them to get rid of the number on the card itself so I can use it in a store without worrying. There is no reason at all to have a fixed number.

    This, in turn, will save them billions in fraud that they do not recover (so long as the merchant follows the authorization procedure today they are not responsible for fraud charges). We can only hope that they will pass this saving on to us.

  73. Yes, i use these constantly through Amex's website by slashbrent · · Score: 2

    American Express offers disposable card numbers to all card holders (as far as I can tell).

    By simply signing in and selecting a card (for those of you with more than one :-) a normal looking card number will be generated along with an expiration date in a small window that pops up.

    It's very cool, plus since it relies on Java/Javascript, nearly all of us can use it (no doofy Windows plugin req'd!)

    What's stupid is the Discover Card method. They have a "disposable card number" feature, but it requires a really heinous install procedure, plus it does annoying things like create a bookmark for their site in every browser user's bookmarks file (thanks guys!). But wait, there's more! If you want to use this feature, you have to shop within a small number of stores (and I mean small, like ~50 the last time I checked).

    Bottom line, disposable credit card technology is great - I've used these disposable numbers for over 6 months, and I'm totally sold on the idea. Now when I purchase something on the web, my Amex number can only be used that one time, after which it is completely invalid for charges. I'll be glad to see all Visa and MC companies follow this someday.

    Seen the amihotornot All Your Base site yet?

    --

    Moderators need an additional choice: "Karma Whore" for people who cut-and-paste articles as their comments!
  74. Here is the correct algorithm for CC validation: by InsMonkey · · Score: 1

    Here is a great site that has the algorithm and info necessary to validate any type of credit card. This is VERY useful info! http://www.beachnet.com/~hstiles/cardtype.html

    --
    I'd rather have a full bottle in front of me than a full frontal lobotomy.
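An added illustration (not part of any comment in this thread): the standard Luhn mod-10 check that comments 66 and 74 refer to, in Python, with a count of how much of the number space it leaves and which typing errors it catches. Function names are this example's own, and the sample numbers are constructed test values, not real accounts.

```python
from itertools import product

# Luhn maps a doubled digit d to 2d, or 2d - 9 when 2d > 9. That map is a
# permutation of 0..9, which is why any single mistyped digit is caught.

def luhn_sum(digits):
    """Weighted digit sum; the rightmost digit is position 1 and is not doubled."""
    total = 0
    for pos, d in enumerate(reversed(digits), start=1):
        if pos % 2 == 0:          # every second digit, counting from the right
            d = d * 2
            if d > 9:
                d -= 9            # same as adding the two digits of 2d
        total += d
    return total

def is_valid(number):
    """True if the string (spaces and hyphens allowed) passes the Luhn check."""
    s = number.replace(" ", "").replace("-", "")
    if len(s) < 2 or not (s.isascii() and s.isdigit()):
        return False
    return luhn_sum([int(c) for c in s]) % 10 == 0

def check_digit(payload):
    """The one final digit that makes payload + digit pass the check."""
    return (10 - luhn_sum([int(c) for c in payload] + [0]) % 10) % 10

def count_valid(length):
    """Brute-force count of digit strings of this length that pass."""
    return sum(1 for t in product(range(10), repeat=length)
               if luhn_sum(t) % 10 == 0)

def single_digit_errors_caught(number):
    """True if changing any one digit of a valid number makes it invalid."""
    for i, orig in enumerate(number):
        for r in "0123456789":
            if r != orig and is_valid(number[:i] + r + number[i + 1:]):
                return False
    return True

def swap_adjacent(number, i):
    """Swap the digits at positions i and i+1 (a common typing error)."""
    return number[:i] + number[i + 1] + number[i] + number[i + 2:]

def zero_nine_swap_demo():
    """Show the one adjacent transposition Luhn cannot see: 09 <-> 90."""
    payload = "400009000000000"               # constructed 15-digit payload
    original = payload + str(check_digit(payload))
    swapped = swap_adjacent(original, 4)      # "09" becomes "90"
    return original, swapped, is_valid(original), is_valid(swapped)

if __name__ == "__main__":
    sample = "4111 1111 1111 1111"            # constructed test value
    print("valid:", is_valid(sample))
    print("check digit:", check_digit("411111111111111"))
    print("4-digit strings that pass:", count_valid(4), "of", 10 ** 4)
    print("single-digit errors caught:",
          single_digit_errors_caught("4111111111111111"))
    print("0/9 swap:", zero_nine_swap_demo())
```

Exactly one check digit completes each payload, so one in ten digit strings of any length passes. The check catches typing errors and is not a security control.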
  75. LinuxFund/MBNA works with Linux as well by starlady · · Score: 1
    The technology sounds like it involves a silly Windows plug-in of some sort

    The LinuxFund/MBNA one-use card numbers work with Netscape/Linux as well. It launches a Java applet which works quite spiffily. I authorized a friend of mine for a $2 number on my card the other day. (Don't ask.)

    --
    There is one glory of the sun, and another glory of the moon, and another glory of the stars; for one star differeth fro
  76. How secure are Paypal and Billpoint? by unitron · · Score: 2
    If I want to buy something on eBay, I can use a credit/debit card through Paypal or Billpoint. I have to prove to them that I'm me (just a password, admittedly, but I and my source of payment money have already been through a verification process with them). I tell the seller to submit a payment request and then go to the middleman's web site and authorize the payment. The payment goes from the credit card company or the bank to Paypal or Billpoint and then from them to a seller that they've already verified.

    Why can't the credit/debit card companies do this on their own for non-auction site purchases? If I want something from www.everythingforcomputers.com (or whoever), and they already are set up to take Discover or VISA or Diner's Club or whoever, instead of giving them my credit card number (or a stolen one if I were trying to defraud them), why can't I tell them to bill my name at the card company, go to the card company's site and authorize the payment, and they transfer payment to the merchant? With all the money the credit card companies can save by preventing fraudulent use they should be able to more than afford the people and equipment for this and plenty of incentive for security because they'll be the ones who have to suffer the losses.

    Are the credit card companies avoiding shouldering this burden on purpose? If one of them went ahead with it, would the rest have to follow suit for competitive reasons?

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  77. Re:The Big Breach by garver · · Score: 2

    A minor issue? The author must be on some super drugs. The reasoning for these new advances in credit card protection schemes is for these minor issues else they wouldn't worry about it altogether.

    A nitpick, but I believe the author's point is that consumers don't need to worry about the cost of someone stealing their card. Banks, on the other hand, are worried about it since they pick up the tab. They push for any technology that can cut down on fraud, thereby saving them money.

  78. Re:Another option w/caveat by Graymalkin · · Score: 2

    Ahhhhhhhhhhhhhhhhhhhhhhh. There isn't a database where a bunch of plaintext debit card numbers are stored. Look up RSA encryption so I don't have to explain it to you please.

    --
    I'm a loner Dottie, a Rebel.
  79. ...pick up the phone or visit the store.. by josepha48 · · Score: 2
    I usually visit the store before ordering online. Not because I don't trust the online transaction, but because I can get it today, now and when I want it. There are so many things that I'd rather see in person, that it just makes sense to go to the store. Clothes are one of those things. Some of us have wide feet or short bodies that not just any clothing will fit. To order something online then have to exchange it is a pain in the butt. By going to the store I can see how it fits. This also applies to many of the electronics I buy as well. I want to 'hear' that stereo. Books too. I can go to a book store and see if the book has what I am interested in. (Tech - programming books mainly).

    I'd buy software online or a book that I knew I wanted, or cdroms, but even cdroms I can go to tower and hear some of them to see if I want the cd in the first place.

    I think that this will satisfy some people, but not everyone, and not for everything. I like to buy my groceries in the store, so I know that my bananas are fresh.

    I don't want a lot, I just want it all!
    Flame away, I have a hose!

    --

    Only 'flamers' flame!

  80. Similar systems are around by Anonymous Coward · · Score: 2

    By having one, you're essentially protected from people capturing your CC# and reusing it later. There are some drawbacks though. With the system I used, once you authorized the purchase you couldn't adjust the amount on the temporary credit card. So there wasn't a way to change an existing order because you had to go and get another credit card number for the additional amount.

    I know merchants weren't overly fond of it either. One of the most effective ways of keeping out customers they didn't want was to block by number. With anonymous number systems like this they have to block by name/address which is much less of a hassle to get around because the automated filtering isn't as good. This also affects all of those discounts for "first time" customers which are usually tracked by CC#.

  81. Number Ranges... by Uruk · · Score: 2

    Is it going to be the standard 16 digits?

    I know that as it stands, the range of numbers available is so ridiculously wide that you can't realistically guess a credit card number, but will that stay the same if the average person maybe chews through 40-50 CCN's a year?

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    1. Re:Number Ranges... by calags · · Score: 2

      I don't know about the others but American Express makes the numbers expire during the month you use them. Allows for reuse of the same number at a different date.

      --
      Never attribute to stupidity what can be construed as a monopoly preservation tactic.
    2. Re:Number Ranges... by JediTrainer · · Score: 2

      Is it going to be the standard 16 digits?

      Hard to tell, considering that AMEX uses 15 digits, not 16.

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
  82. Loose ends... by kstumpf · · Score: 1

    I've read about this before, and what makes me nervous about it is that these disposable numbers are just one more thing to keep track of. I have a handful of credit cards as it is, and I find it hard to keep track. Somehow I doubt this catches on very well in its current implementation, but maybe it's just me.

  83. Re:Automatic payment by thilmony · · Score: 1

    AGREED! I hate automatic payments. I always want the option of not paying my bills, for whatever reason. I'm 31 and have not been late on a payment since college, but if I decide to quit paying everyone, I should be able to. I typically pay extra and early on my mortgage, as well as early on my car payments and such (I send the check when I get my paycheck, not when their stupid invoice is due).

    See where my friends are at and where they are going! http://www.ScottAndAbby.com

    --
    YES, there is a McDonald's in Hanoi Square.
  84. Automatic payment by JediTrainer · · Score: 3

    They said that it can't be used for automatic payments, things like cell-phone bills every month, because the number can only be used once.

    I think this is a good thing. I've given up on automatic payments because my cell phone provider (name not mentioned to protect the guilty) double-charged me last January, and it took nearly 2 months and about 10 support calls to get the darned thing fixed.

    I now believe that any "automatic" payment makes it too easy for a company to screw you over, either intentionally or through a glitch (which my case apparently was). No thanks - send me the invoice and I'll pay it manually from now on. Having the credit card number being one-time only would enforce that much better, because now they can't even have a working number for me on file.

    I couldn't believe that they had the gall to ask me several times if I wanted to re-enable the automated payments again.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  85. The Big Breach by deran9ed · · Score: 3

    Shoppers have two security concerns. First, they worry that their credit-card numbers will be stolen. As a practical matter, that's a minor issue.
    A minor issue? The author must be on some super drugs. The reasoning for these new advances in credit card protection schemes is for these minor issues else they wouldn't worry about it altogether.

    By law, they're liable only for the first $50 spent by a thief, and most card issuers waive even that.
    Regardless if they have to pay any fees at all, someone has still gotten ahold of their information, and depending on the criminal intelligence behind the person who has gotten ahold of the credit card number, they can escalate to identity theft, which has a big market.
    The second, far greater problem is identity theft. If crooks get your name, credit card number, Social Security number and other identifiers, they can create a virtual you - open accounts in your name, charge up a storm and ignore the bills.

    You'll be dunned and sued. It can take a year or more to straighten out the mess. ID thieves steal credit card numbers from many places - stores, restaurants, mail-order businesses. But the Web lets them steal wholesale, by breaking into the databases of the merchants themselves, hence the appeal of card numbers good for only one use.
    Even with thieves stealing information from insecure websites, it's an unheard of issue of credit card companies going after the website which was breached. Little is done to sites who don't secure their systems from the possibility of a breach, and they should be held somewhat responsible for the integrity of their data.

    The card pops onto your screen and you enter your name and password. You then get a one-time number for the single purchase you intend to make. Once used, it isn't good any more. Your real number is hidden away at the bank, where you hope hackers can't go.
    This is still a problem, as if a "cracker" has somehow gotten ahold of any kind of information on a person, they can leverage this to enter their own username and password to get a "one time" number. What would be nice is if some of the credit card companies would pre-issue about 20 numbers per month with a 30 day period before they're deleted. This way nothing is transferred over the wire and even a temp number can't be generated.

    If hackers broke in, they couldn't use the virtual number without your password - which the merchant doesn't have - and it couldn't be circulated to other sites.
    Well what about the crackers who go the full route to get all of a person's information including the password? I guess all these concepts go right down the drain.

    Anyways...

    The Big Breach -- Richard Tomlinson (ex MI6 agent)
  86. Security through obscurity . . . by micromoog · · Score: 3
    Shocking as it may seem on Slashdot, this is an example of "security through obscurity" being a good thing. It has been demonstrated that current "real" security methods (namely, encryption) haven't worked on a grand scale for the purpose of credit cards. This will work.

    Of course, the back-end (credit card companies) are still responsible for the true security implementation, but they're very very good at that. An example of how paranoid they are: when consultants for my company go on-site at our credit-card vendor customers, they literally have to stand behind the certified operator and tell them what keys to press. No one touches their machines without passing internal security certification procedures.

  87. Direct Authorization and other ideas by Midnight+Thunder · · Score: 2
    One thing that I always felt could be done, is for the store to sign off the final stage of the transaction to the credit card company. What would happen is the store would send an order number to the credit company and then you authorize the transaction on the credit card company's website, who would then send an authorization number back to the merchant.

    Another idea, would be to have a hardware device that reads your card (prevents your kids from one-clicking) and then handles the encryption algorithm in hardware. The idea here being that there is no trace of your credit-card info on your computer. Maybe we should call it 1-swipe shopping. Oh, this thing would connect via the USB port.

    --
    Jumpstart the tartan drive.
  88. Here's how mine works by NeonEpitaph · · Score: 2
    OK, well, this service has been available on my Mastercard for a few months now. Not that it worked for me; but it's there. Here's how it goes:

    You download a strange little Flash program, which sits in the task bar. This program lets you create new credit card accounts. You determine how much the limit on those accounts is, and how long they will last (expiration date). The Flash applet then keeps track of those numbers.

    This solves a number of problems talked about here - it keeps track of the numbers for you, and they will last as long as you want (for recurring billing). And, if someone grabs the number, there is a very low limit on how much they can charge from it. You can even drag and drop the number from the applet.

    The number is a standard CC#, 16 digits, with check digits. My experience so far has been that the numbers do not authorize very well (that is, I created a number, tried to charge something on it, and it came back as a bad number).

    Anyhow, it would be nice if it worked right, because it doesn't need any special new card or other junk, just a computer.

  89. Why, yes I have; details follow... by EvlPenguin · · Score: 5

    I'm sure you've seen commercials for American Express' "Blue" card with the smart chip and boasting of enhanced security features. I received mine a few months ago and this is my experience with it:

    A heavy package arrived on my doorstep, containing a suspicious item wrapped in lead. After peeling back the lead, I realized it was the new Blue Amex card! I figured that I may as well test out these enhanced security features, so I went to a porn site to sign up for a trial membership using a disposable card number.

    You may be wondering how you get the card number, and I wondered this myself, until I ran my thumb over the smart chip, and magically it sprung to life! It scanned my thumbprint, and then out came a holographic image of a terminal, displaying the creation of the random credit card number! Apparently, it checks the position of the moon in its orbit to form a 32-bit variable. After determining the variable, it checks the temperature of the room, distance above sea level, and speed of sound in the current atmosphere, and calculates a string that is multiplied by the old variable. The resulting number is then plotted according to y=sin(x), and numbers are chosen from 16 points on the graph. The sines are then inverted and strung together to finally form the elusive random credit card number!

    Or something like that.

    --
    #nohup cat /dev/dsp > /dev/hda & killall -9 getty
  90. Watch your mouth! by AFCArchvile · · Score: 1
    The technology sounds like it involves a silly Windows plug-in of some sort...

    Snap-in! Microsoft wanted to sidestep Netscape's patent, so they called them "snap-ins".

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  91. WOO HOO! by Pituritus+Ani · · Score: 1

    AdultCheck, here I come!

    --

    Another proud carrier of the $rtbl flag

  92. Another option w/caveat by r2ravens · · Score: 2

    I have two checking accounts, one tied to a debit card, one not.

    When a credit card number is stolen, the cardholder is only responsible for the first $50.00 of fraudulent charges.

    When a debit card number is stolen, the thief can drain the account (whatever the balance is) and you have little hope of getting any of it back.

    Sounds like a credit card is the way to go, right? Well, generally I would say yes, but how about those whose credit is poor or don't want to pay interest charges and fees?

    Here's how I work it. I know that my checking account tied to the debit card is vulnerable so I don't keep very much in it - only what I can afford to lose if I am defrauded. When I need to make a purchase online, I first go to my online banking site and transfer the amount I need for the online purchase and then use the debit card for the purchase. Money goes in, money goes out, the balance stays low.

    If someone compromises the database containing my debit card number they will only get $100.00 or less and I can close that checking account and start a new one tied to a new debit card number. No fighting with the bank or a vendor about unauthorized charges, I take my licks and get out. Sure, I might lose a little more than the $50.00, but to avoid the hassles it's worth it. I can only lose what's in that account so I keep it low and keep my exposure low.

    The two accounts are completely separate. I have no checks to use with the debit card account and no debit card tied to the account I use to write checks. This doesn't fully protect me from identity theft, but makes it tougher on the thief.

    --
    War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
    1. Re:Another option w/caveat by overturf · · Score: 1
      >When a debit card number is stolen, the thief can drain the account (whatever the balance is) and you have little hope of getting any of it back.

      That's just silly FUD.

      I've had my debit card number stolen and used in fraud and it was a simple procedure to file a claim with my bank.
      Zero-liability from VISA, and 2 business days later my balance was right back where it should be!

  93. Stealing regular card numbers by michael_cain · · Score: 1
    My favorite anecdote about stealing regular card numbers and the appropriate place to do so:

    One of the major national banks apparently charged a couple of their IT guys to write a program that would steal card numbers. Their response was a Windows virus that grabbed the keyboard interrupt and captured all character sequences that were entered that looked like a legitimate card number. Key strokes were passed on to the regular code, so it didn't ever "feel" like anything odd was going on. At some point in the future, the code would send any collected numbers in an IP packet to a listening server. And of course, it would try to spread itself to other machines. IIRC, the mechanism for spreading was an e-mail attachment with pictures of famous people naked.

    No attempts to break encryption. No attempts to sniff packets on the network. Just exploit the obvious weakest link -- millions and millions of machines that run an OS with serious security problems... One-time-use card numbers clearly defeat this kind of approach.

  94. Re:AmEx has offered this for a few months now by weave · · Score: 2
    Another nice feature is you can cancel a number if it hasn't posted yet. I tried to order CloneCD before and they claimed that Amex denied my card. I called Amex, they said they never got an authorization request from them (actually, the site that does their payments for them).

    So, since I used a one-time number from AMEX, I logged into their web site and canceled that number. This means if that site decided to try again or use it, they couldn't and it would be denied for real this time.

  95. AIB Bank in Ireland has offered this for a while.. by Anonymous Coward · · Score: 1

    AIB Bank has offered its internet customers this service for about 9 months now, partnered with orbiscom.com.

    When the service launched (Windows only), there was a statement on their website saying that a linux version would follow within weeks. When it didn't show up after about a month I phoned them. They then told me that there were 'no plans' for a Linux version...

    That's the extent of my experience with disposable cc numbers anyway.

    Not sure I like the idea of installing software on my machine from a bank that doesn't have a privacy policy anyway.

  96. AmEx has offered this for a few months now by [Entropy] · · Score: 5

    I use this feature all the time through American Express. They call it "Private Payments" and it's completely free to all cardholders. All you have to do is log in to their site, click on "Request new number" and plug it in to the vendor's checkout form. The number expires in about a month and can only be used by one vendor (although multiple charges can be made to the account, since places like Buy.com will charge you as each item ships). You don't have to run any software, and the charges show up like normal on your statement. You can view all your past generated numbers and the vendor that used them. I think it's a great idea.

    --
    -Entropy [think outside the system]
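The rules commenters in this thread describe for these numbers (bound to the first merchant that uses them, a spending cap, an expiry date, cancellation by the cardholder) can be sketched as issuer-side authorization checks. This is an added Python example, not any issuer's implementation; the class, field names, merchant IDs, amounts and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

@dataclass
class VirtualNumber:
    """Issuer-side state for one disposable card number (hypothetical model)."""
    limit_cents: int                  # cap chosen when the number was requested
    expires: date                     # last day the number is accepted
    merchant: Optional[str] = None    # set by the first approved charge
    spent_cents: int = 0
    cancelled: bool = False

    def cancel(self) -> None:
        """Cardholder withdraws the number; later charges are refused."""
        self.cancelled = True

    def authorize(self, merchant_id: str, amount_cents: int,
                  today: date) -> Tuple[bool, str]:
        """Apply every rule before touching state; return (approved, reason)."""
        if self.cancelled:
            return (False, "cancelled")
        if today > self.expires:
            return (False, "expired")
        if amount_cents <= 0:
            return (False, "bad amount")
        # A number copied from one merchant's database is refused elsewhere.
        if self.merchant is not None and merchant_id != self.merchant:
            return (False, "merchant mismatch")
        # Repeat charges from the same merchant are allowed (items shipping
        # separately) but only up to the cap, which stops open-ended rebilling.
        if self.spent_cents + amount_cents > self.limit_cents:
            return (False, "over limit")
        self.merchant = merchant_id
        self.spent_cents += amount_cents
        return (True, "approved")

def run_scenarios():
    """Replay constructed charges against one number; return the reasons."""
    card = VirtualNumber(limit_cents=5000, expires=date(2001, 3, 31))
    attempts = [
        ("merchant-a", 2000, date(2001, 3, 5)),   # first purchase binds merchant
        ("merchant-a", 2500, date(2001, 3, 9)),   # second shipment, same merchant
        ("merchant-b", 100, date(2001, 3, 10)),   # number reused at another site
        ("merchant-a", 2000, date(2001, 3, 20)),  # rebilling past the cap
        ("merchant-a", 100, date(2001, 4, 2)),    # after the expiry date
    ]
    reasons = [card.authorize(m, amt, day)[1] for m, amt, day in attempts]
    card.cancel()
    reasons.append(card.authorize("merchant-a", 100, date(2001, 3, 25))[1])
    return reasons

if __name__ == "__main__":
    for reason in run_scenarios():
        print(reason)
```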