Disposable Credit Card Numbers
nihilvt sent us news that disposable credit card numbers are actually being deployed by several credit card issuers. The technology sounds like it involves a silly Windows plug-in of some sort, but I'd think there's a lot of potential for growth here. Has anyone actually used these systems? Do they work well? (We ran a story on this a few months ago.)
So is the next generation of credit cards going to have a built in mini screen displaying the current disposable number?
This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...
This could be avoided with the way the system is supposedly set up. In order to use this permanent one use card, the thief would still need to have access to your password from the credit card company - not Amazon.com.
"If hackers broke in, they couldn't use the virtual number without your password -- which the merchant doesn't have -- and it couldn't be circulated to other sites."
mmm...physics...
...for a research project at CSU Chico. Okay, not /that/ much like this... but it still seems relevant enough to post. :)
The general idea is that a user is issued a transaction generator (for lack of a better word). This is a small device (with a keypad and LED screen) which maintains a counter with the number of times it's been used, and contains unique public and private numbers. When the user wishes to perform a transaction, he/she enters the amount of the transaction and his/her PIN number. The public number and amount (perhaps obfuscated) are output as cleartext; the private number, amount (again), PIN and counter are sent through a one-way hash. This hash is appended to the card's output.
The verifying agency keeps track of not only the private number but also recently used counter values. When a transaction comes in for verification, it attempts the hash with the last [INSERT CONSTANT HERE] unused counter values (up to a limit of [INSERT CONSTANT HERE]), as well as the next [INSERT CONSTANT HERE] counter values. If one matches, the transaction is approved and the database of used counter values is updated.
The end result is that: a PIN is required for each transaction. Each transaction value may not be reused. The most data which can be had from reverse-engineering a card is the private number, which is still useless without the PIN; hence, stealing the generator does no good. Stealing the in-transit data will get you the public number, but (thanks to the one-way hash) no private number or PIN. Even watching someone perform data entry and stealing their stream (taking both the PIN and public number) does no good, as the private number is still unrecoverable.
The bad news is that the number has to be fairly long to include an acceptable amount of hash data -- I determined 26 alphanumerics to be more than sufficient, but providing this means replacing a lot of equipment. This much data is needed in part because the multiple hashes done in verification increase the chances of collisions significantly. Furthermore, it means that software and equipment that performs a Luhn check (as with CC#s) will need to be replaced.
I still consider it a nifty idea.
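The counter-and-hash scheme described in the comment above, as an added example (not the poster's code). The post says only "one-way hash"; HMAC-SHA256 keyed with the private number stands in for it here, and the 10 + 16 character split, the window sizes and every name are assumptions.

```python
import hashlib
import hmac

PUBLIC_LEN = 10   # assumption: characters that identify the device
TAG_LEN = 16      # assumption: 16 base32 chars = 80 bits of hash; 10 + 16 = 26
LOOKAHEAD = 5     # assumption for one "[INSERT CONSTANT HERE]"
LOOKBEHIND = 5    # assumption for the other
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"


def tag_for(private: bytes, amount_cents: int, pin: str, counter: int) -> str:
    """One-way hash over amount, PIN and counter, keyed with the private number."""
    msg = f"{amount_cents}|{pin}|{counter}".encode()
    digest = hmac.new(private, msg, hashlib.sha256).digest()
    n = int.from_bytes(digest[:10], "big")
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(TAG_LEN))


class Generator:
    """The handheld device: holds public/private numbers and a use counter."""

    def __init__(self, public: str, private: bytes):
        self.public, self.private, self.counter = public, private, 0

    def sign(self, amount_cents: int, pin: str) -> str:
        # The PIN is never stored on the device; a wrong PIN just yields
        # a token the verifier will reject.
        self.counter += 1
        return self.public + tag_for(self.private, amount_cents, pin, self.counter)


class Verifier:
    """The verifying agency: knows each private number and PIN, tracks counters."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, public: str, private: bytes, pin: str) -> None:
        self.accounts[public] = {"private": private, "pin": pin, "high": 0, "used": set()}

    def verify(self, token: str, amount_cents: int) -> bool:
        public, tag = token[:PUBLIC_LEN], token[PUBLIC_LEN:]
        acct = self.accounts.get(public)
        if acct is None or len(tag) != TAG_LEN:
            return False
        high = acct["high"]
        for counter in range(max(1, high - LOOKBEHIND), high + LOOKAHEAD + 1):
            if counter in acct["used"]:
                continue  # each counter value is accepted once
            expected = tag_for(acct["private"], amount_cents, acct["pin"], counter)
            if hmac.compare_digest(tag, expected):
                acct["used"].add(counter)
                acct["high"] = max(high, counter)
                # Forget counters that have fallen out of the look-behind window.
                floor = acct["high"] - LOOKBEHIND
                acct["used"] = {c for c in acct["used"] if c >= floor}
                return True
        return False


def demo() -> dict:
    private = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    verifier = Verifier()
    verifier.enroll("CSU0000001", private, "4821")                # constructed
    device = Generator("CSU0000001", private)

    t1 = device.sign(1999, "4821")        # counter 1
    bad_pin = device.sign(1999, "0000")   # counter 2, wrong PIN
    t3 = device.sign(500, "4821")         # counter 3
    t4 = device.sign(700, "4821")         # counter 4
    return {
        "length": len(t1),
        "first_use": verifier.verify(t1, 1999),
        "replay": verifier.verify(t1, 1999),
        "wrong_pin": verifier.verify(bad_pin, 1999),
        "altered_amount": verifier.verify(t3, 50000),
        "out_of_order_newer": verifier.verify(t4, 700),
        "out_of_order_older": verifier.verify(t3, 500),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Since a short PIN adds little entropy to the hash input, a deployment of this design would also lock the account after a few failed verifications.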
Disposable credit cards are not really credit cards, they are monetary transaction tokens which happen to fit inside a field designed for a credit card number. This lets you build a completely new electronic payment system that is still compatible with online merchants designed for the credit card system.
These tokens can use any existing billing system as a backend. It can be billed to a real credit card like the systems described in the article. It can also be debited directly from your bank account. It can even be billed through a prepaid card you can buy at the store just like a phone card. I would really like to see a system with a Paypal account as its backend (anyone at paypal listening?)
-
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
As others have pointed out, Discover currently offers disposable numbers. Although I applaud their efforts, their current offering leaves much to be desired.
To use it, you have to download a Windows app (NOT a browser plugin) called Deskshop. This program activates itself automatically when I boot up and puts an orange dot on my taskbar. It has a setting to disable automatic startup but it doesn't work. Every once in a while, ZoneAlarm will catch it trying to access the internet secretly. I'm sure it is spyware and was trying to upload my browsing/shopping/etc. habits. I would prefer not to use this app but rather just go to Discover's web page to get a disposable number. But I can't do that.
The number is the usual 16 digits and the first 4 digits are the same as for regular Discover numbers. Apparently merchants are not able to tell whether it is a disposable number or not. When I request a number (via Deskshop), I specify whether it is recurring or one-time. As the names indicate, one-time numbers can be used for one charge only, while recurring numbers can be used again and again (for example, to pay a monthly subscription). I can cancel the recurring number but I have to call Discover customer service. I wish I could use their web page instead. I also wish I could specify a maximum dollar amount for each number I generate. But I can't do that either.
As for Amazon one-click, I don't see why a recurring number would not work, but I haven't tried it.
This is a great idea, and I'm glad it works for you. But the problem is that such a solution, because it is not sheep simple (i.e. easy enough for 22 million AOL users), it won't catch on. Until you have something that's invisible to the user, it won't become popular even if it is a Good Thing(tm). Witness how many people don't use encryption on e-mail even though it's free and relatively easy to do. But make something transparent, like SSL protected web sites, and people will not only use it but demand it. (Most people think they're 'safe' on-line when they see the little gold key thingy.) Because the web site automatically puts the https:// instead of http://, the user doesn't get involved. Sad, but probably true...
The way the numbers are generated, you would need the person's password to have a number generated, which means that if you broke into someone's email, pc, etc., to gather information on em, chances are you could figure out their password and then generate the number.
It's a bad idea for credit card companies to go the route of having a user generate a random number based on a password, as history shows us people are simple, and will often rely on choosing simple passwords.
Again, a simple fix for this would be to have the credit card company pre-determine a block of numbers via mail or fax to the person, then afterwards have the person verify them when they intend to use them by phone if possible where caller ID can be used to ensure it's the correct person.
Upon verifying the information, the credit card co., can then activate the numbers for use.
Just my two cents.
Where in the world is my wife
360 degrees of Karma
Obviously this is a short term solution. There are only so many credit card numbers if the string is only 16 digits long. Soon numbers will be repeated, which could make for some strange things if companies keep records on file.
The real solution is to ditch this insane credit card system. It plain makes no sense. Instead of giving the money to the merchant, you are giving him a key to your safe and telling him to "take only what you need." Sure, we have banks to protect overcharging, etc. The consumer actually does have a lot of protection when using a credit card. But think about the hassle that the credit card companies must go through because of this deranged system. What we need is a system that allows the consumer to authorize a payment. Perhaps when you go to the store, there would be a "vendor ID" at the counter and you would just whip out your cellphone and authorize a transaction.
It's funny, because all of us can talk all day about security and huge bit keys and networking, yet we give our login and password to the waitress every time we eat out.
-Justin
One time use Email address,
Why do you need an actual email address? Just use some random crap so long as it has an @ and . in it.
If you do need an actual address, make one on hotmail and use it for everything. But never go there to pick up your mail.
Or most isps will let you have multiple accounts. Make one for junk, pick up the mail and send it directly to trash via filters.
No need for temp accounts.
MOVE 'ZIG'.
I'd love to use a 'one-time-only' credit card number system. I can't count the times that I've purchased what I thought was a limited-period service and discovered that the merchant automatically charges me at renewal time. It's a bloody nuisance to have to call them to remove the charge and take me off the auto-renewal list. Some of them have been so hard to reach that I've just cancelled the card to end the problem (my early AOL experience was one of those times).
The 1st 6 digits are assigned in blocks.
Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.
There is nothing keeping letters out of the credit card numbers. The mod 10 checksum even allows for it.
Large amounts of the number space have been taken by some of the visa 12 digit cards.
Oh boy... where to start?
The 1st 6 digits are assigned in blocks.
Actually, the first digit indicates the card type (Amex is 3, Visa is 4, MC is 5). The remaining three to five digits are assigned to issuing institutions (banks). No big deal here in Canada where there might be 100 issuing banks in total (since independent banks are virtually unheard of), but in the USA (where every podunk town has an independent bank) that pool would be exhausted pretty quickly.
Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.
Can you name one card type in use today with more than 16 digit card numbers? I sure don't know of any... Where did you get that figure from?
There is nothing keeping letters out of the credit card numbers. The mod 10 checksum even allows for it.
The ISO 7810 standard which governs almost all magstripe cards in use today contains provisions for three different types of information recording, referenced as Track 1, Track 2, and Track 3. Track 1 can contain up to 79 alphanumeric characters. Track 2 can contain up to 40 characters of numeric information. Track 3 can contain up to 107 characters.
Track 2 is where the card number is stored. Thus, card numbers could theoretically be up to 38 digits in length (40 minus the start and stop "sentinel" characters), but cannot contain non-numeric characters. Ergo, letters are out. I have no clue where you got the idea they were possible.
Even if that weren't the case, I would imagine a VERY good number (>95%) of POS (point-of-sale, not piece-of-shit) cardswipe terminals would freak out if they read a card number off a stripe as "4512A8F7B7A2C88F". Also, how the fsck do you enter that on the terminal's keypad if the stripe gets demagnetized? You don't.
Large amounts of the number space have been taken by some of the visa 12 digit cards.
The old Visa cards were 13-digit. All Visa cards now issued have 16 digits. (Amex cards are 15-digit.)
Speak not from whence you know not.
--
Ahh, but we're talking about entering these things into a computer form, eh? Since they don't have to worry about swiping a non-existent one-time-use card, then no worries as to if the number can be entered into a keypad.
Also, since [presumably] the verification and deactivation are real-time, the numbers are instantly recyclable, since, as they're used they can become immediately available again.
---
So, the only danger is actually using up all the numbers. No problem there either . . . if we say there are 6 billion people in the world, the current 16-digit system still gives each of them somewhere on the order of 2 million numbers to use.
Concept should go one more step further. It allows you to buy a Pre Paid card and shop with that. I believe that will be a lot more convenient than the throw away numbers.
You can also access your account online in this way and do other things, like download coupons to the card to be used at retail stores. For example, you can go to http://www.fakecoffeestore.com, download a discount to the card, then go to the mall to FakeCoffeeStore and use your card there for a discount. Pretty neat...
Of course the problem with this setup is people have to support it.
Info on the card I have, the FusionCard, is at http://www.fusioncard.com. I haven't gotten my reader yet, should be a neat toy though.
Disposable credit card numbers? That's nothing new; just go to a 'cardz' site and grab a few. Am I missing something? ;-)
--
Slashdot monitor for your Mozilla sidebar or Active Desktop.
Nah, it's not that much of a difference. Think of it in database terms: if they currently identify your account by your CC#, they will just have to change that to some other general ID. They'll have to keep a relationship table going between the real ID and the disposable CC#'s, along with valid vendor and timeframe information, but it won't really change the way they do business that much. The conversion to the new system will cost a pretty penny, but believe me, they can afford it.
Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...
The system has room for each of 6 billion people to have almost 2 million numbers. Not a problem.
You can be sure the credit card companies have considered all of these issues. They don't screw around. Due diligence is a way of life for these people; their line of business leaves no room for error.
And no, email isn't secure, but when you think about how most people get CC#'s, they usually don't have access to personal email accounts. So how would they know what address to enter when it asks for one? And to take that even further, perhaps require a PIN number to be entered in the reply mail somewhere. The more the criminal needs to know, the harder it will be for them to succeed. And the bigger trail they will leave too.
"Everything that can be invented has been invented."
--I assume full responsibility for my actions, except the ones that are someone else's fault.
Only thing is, in solving the problem, they also make credit card generators viable again. I mean, you can get registration code generators for at least half of the commercial software ever released. I can't see this being much different.
Bow before my sig, for it is good.
If the person sees the charge, then the credit card company will reverse the charge back to the merchant -- unless the merchant can show a valid signature and card swipe.
The only times when the credit card company loses money, is:
Fight Spammers!
Well, there goes Visa. You can still use your MasterCard until someone uses 5 . . . aw crap.
American Express has been doing this for a while. And while the silly plugin makes it easier, you don't need to use it. I've been using their service (sans plugin) for about 5 months. I think it's great.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
I refuse to use a credit card in general not just online. I do have one, but I stopped using it a year ago. It's too dangerous! So now all I use is my debit card. Unfortunately there's NO security for debit cards. I'd be responsible for all of the charges. How about the banks get special debit numbers for online use? Thanks for allowing the vent!
This can be extremely secure if based on a smartcard. Basically it's public/private key encryption. The card holds a private key which it uses to generate a token that can be public-key verified on the far end. In various ways it can be ensured that a number once used cannot be used again so in fact it is extra-secure against kiddies grabbing card numbers.
Keep in mind that vanilla credit cards have a 20% fraud rate. That's A LOT of money to pay for infrastructure if you can significantly reduce that percentage.
Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?
This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...
Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...
Sorry if that was incoherent
I have a philosophy in life. Know your limitations, and work your life around them instead of trying to work through them.
For example. When I first went to university, I was slightly overweight. I know I don't have the willpower for working out regularly, I've tried too many times and failed. So instead, I found an apartment five miles away from the university, with a nice bike path that went almost all the way to where I lived. There was no way I would pay for a monthly bus pass (money better spent on games) so for the next three years I was biking at least 10 miles a day, five days a week. Sure it's a little extra work, but it's worth it. Problem solved.
This solution reminds me of that. Instead of trying to make encryption better and better, a process everyone knows will always have problems and flaws, either in security or convenience, they worked their way around it by making the numbers a one-shot deal. Sure it's a little extra work, but the rewards are worth it. Problem solved.
Fuzzy Knights: New RPG Strips Tuesday and Friday!:
http://www.fuzzyknights.com
Gotta love this quote "They can't be used on one-click shopping sites such as Amazon, where permanent card numbers must be stored. "
Seems to me you could enter the credit card number when making a purchase, click "Buy", and still come in at one click..
The sad thing is that the way it's written, it's like the author really thinks that Amazon _must_ keep credit card numbers on file...
MBNA offers them. They use either an HTTPS/HTML solution or a flash plugin to do it. It's nice, because you can basically set an arbitrary credit limit and expiration date for the card number. Then if a cracker breaks into the e-commerce site, they can't use the credit card at all, because (hopefully) the thing you bought with the card maxed out the credit card (or at least came close). The way I use it is to get everything ready to go at the e-business and get a total price. Then I go create a credit card number with a limit close to the total and make it expire in a month. I can be pretty sure that no one will be able to steal the card and make big purchases.
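The issuer-side bookkeeping discussed in this thread (a table relating the real account to disposable numbers, with limit, expiry, vendor and single-use rules), as an added example that is not any card issuer's code. The `999999` prefix, the bind-to-first-merchant rule, the account and merchant names and the dates are all constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Optional

PLACEHOLDER_PREFIX = "999999"  # constructed prefix for the example, not a real issuer range


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit, then every second one
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VirtualNumber:
    real_account: str                # the real ID the charge is billed to
    limit_cents: int
    expires: date
    single_use: bool
    merchant: Optional[str] = None   # bound to the first merchant that is approved
    spent_cents: int = 0
    uses: int = 0
    cancelled: bool = False


class Issuer:
    def __init__(self):
        self.table = {}    # disposable number -> VirtualNumber
        self.ledger = []   # (real_account, merchant, amount_cents) actually billed

    def issue(self, real_account, limit_cents, expires, single_use=True) -> str:
        while True:
            body = PLACEHOLDER_PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
            number = body + luhn_check_digit(body)  # looks like any 16-digit card number
            if number not in self.table:
                break
        self.table[number] = VirtualNumber(real_account, limit_cents, expires, single_use)
        return number

    def cancel(self, number: str) -> None:
        if number in self.table:
            self.table[number].cancelled = True

    def authorize(self, number: str, merchant: str, amount_cents: int, today: date) -> str:
        v = self.table.get(number)
        if v is None:
            return "unknown number"
        if v.cancelled:
            return "cancelled"
        if today > v.expires:
            return "expired"
        if v.merchant is not None and v.merchant != merchant:
            return "merchant mismatch"
        if v.single_use and v.uses >= 1:
            return "already used"
        if amount_cents <= 0:
            return "invalid amount"
        if v.spent_cents + amount_cents > v.limit_cents:
            return "over limit"
        v.merchant = merchant
        v.uses += 1
        v.spent_cents += amount_cents
        self.ledger.append((v.real_account, merchant, amount_cents))
        return "approved"


def demo() -> list:
    issuer = Issuer()
    day = date(2001, 3, 1)                                    # constructed dates
    once = issuer.issue("acct-42", 1700, date(2001, 3, 31))   # $17 cap for a $12 item
    sub = issuer.issue("acct-42", 6000, date(2001, 12, 31), single_use=False)
    return [
        issuer.authorize(once, "tshirt-shop", 1200, day),
        issuer.authorize(once, "tshirt-shop", 400, day),      # second charge on a one-time number
        issuer.authorize(sub, "isp", 2000, day),
        issuer.authorize(sub, "other-site", 100, day),        # stolen and tried elsewhere
        issuer.authorize(sub, "isp", 5000, day),              # would exceed the cap
        issuer.authorize(sub, "isp", 2000, date(2002, 1, 1)), # after expiry
    ]


if __name__ == "__main__":
    print(demo())
```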
The 16-digit limit is indeed artificial. But it's going to be hard to overcome. Sure, 17, 18, and 19 digit cards are going to work just fine at POS terminals that have been implemented carefully with the specification in mind. But it's likely many of them will fail in other places due to artificial limitations added by people who didn't quite understand the big picture.
Many online ordering forms have a text box for the credit card number that's capped at 16 digits. Worse still, some won't even accept older style 15 digit and shorter AMEX and VISA cards. People who have been cardmembers for a long time (and thus have these lower numbers) have been experiencing this problem for some time and many have requested new cards be issued with 16 digit numbers. New cardmembers that get 17, 18, and 19 digit cards are going to be unable to use them at similarly ill-designed sites and will probably try to gripe at the card issuer for a shorter number.
A better solution would be a system similar to what my local bank gave me: a device that looks like a calculator protected by a pincode that allows you to digitally sign things. A few modifications and a device like this could generate your one time credit card numbers. Now that would be a secure solution!
With some thought this device could do away with passwords etc as well. Now we only have to hope they'll opensource the technology...
This is a really good idea! Think about it more carefully:
Let's say that I go to a store on the 'Net that I don't know or trust too well. I see a t-shirt or mug or something I want to buy for $12 but don't really want THEM to have access to all my credit on one of my cards.
So... I generate a credit card number with a fixed limit of $17 and give that number to them, and I don't have to worry about my number being stolen: it's only good for 17 bucks!
So you see? This allows you to have more control over your credit cards and relieves the worry that your card will be charged more than you wanted it to be.
Another application is those damn Time-Life CD's they sell on TV. Ever bought one? Of course not! Cause you're not gonna just buy one! They keep sending you CD after CD - the whole set, as long as it will fit on the card you gave them!
So, just give them a disposable card number for the amount they need, and be done. When they run the card again next month, it'll deny and they won't send you any more crap.
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
Don't forget that not all 16 digit numbers are valid for use as credit card numbers. In order to be valid, a number must first pass a rudimentary checksum test called LUHN-10. This checksum is intended to prevent unnecessary online verification of numbers that were entered in error. In short, the sum of odd numbered digits (numbering starts at the right, not the left) must be evenly divisible by 10, and the totals of the other digits each individually multiplied by two must also be evenly divisible by 10. As a result, there are far fewer than 10000000000000000 sixteen digit credit card numbers available.
Don't forget, sneakemail.com is the perfect complement to disposable cc numbers. If you don't trust an e-commerce company with your cc number, why would you trust them with your email address?
Sneakemail is to spam filters what an ounce of prevention is to a pound of cure.
Quite a few data thefts occur straight out of a company's database. Take Macy's or any other retailer as an example. When you make a purchase at a B&M store your credit card # and other info is most likely stored in the same database as the online purchases. Why have different systems? And even at B&M stores the card number is still sent over the Internet. The card has to be verified somehow. One time credit cards aren't the answer. I don't see American consumers carrying 20 cards at a time. This problem isn't going to go away until security is taken seriously.
I have the blue card from amex (the one with the microchip) and use this payment numbers. I insert my card in its reader, enter my pin to authenticate and generate a card number. I have now used it for quite a few online purchases without problems. Personally I think it is one of the best things they have done.
Of course, I can also generate the random numbers by logging into their site using my username and pw but hopefully they will add a restriction so I can limit login to my smart card.
Also, I just took a survey they sent out to gather feedback. In it they asked what of the additional features listed you found most interesting. They included several listed in the article, including generating a long term number you could put on file with someone like Amazon but if it was stolen could not be used by someone else (only accepted charges from Amazon) and putting limits on generated numbers (ie. you can know a site cannot overcharge you, you can give the number to a child without worrying etc.). Once they have these I will be using Amex for all my online purchases.
Now I am just waiting for them to get rid of the number on the card itself so I can use it in a store without worrying. There is no reason at all to have a fixed number.
This, in turn, will save them billions in fraud that they do not recover (so long as the merchant follows the authorization procedure today they are not responsible for fraud charges). We can only hope that they will pass this saving on to us.
American Express offers disposable card numbers to all card holders (as far as I can tell).
By simply signing in and selecting a card (for those of you with more than one :-) a normal looking card number will be generated along with an expiration date in a small window that pops up.
It's very cool, plus, since it relies on Java/Javascript, nearly all of us can use it (no doofy Window plugin req'd!)
What's stupid is the Discover Card method. They have a "disposable card number" feature, but it requires a really heinous install procedure, plus it does annoying things like create a bookmark for their site in every browser user's bookmarks file (thanks guys!). But wait, there's more! If you want to use this feature, you have to shop within a small number of stores (and I mean small, like ~50 the last time I checked).
Bottom line, disposable credit card technology is great - I've used these disposable numbers for over 6 months, and I'm totally sold on the idea. Now when I purchase something on the web, my Amex number can only be used that one time, after which it is completely invalid for charges. I'll be glad to see all Visa and MC companies follow this someday.
Seen the amihotornot All Your Base site yet?
Moderators need an additional choice: "Karma Whore" for people who cut-and-paste articles as their comments!
Why can't the credit/debit card companies do this on their own for non-auction site purchases? If I want something from www.everythingforcomputers.com (or whoever), and they already are set up to take Discover or VISA or Diner's Club or whoever, instead of giving them my credit card number (or a stolen one if I were trying to defraud them), why can't I tell them to bill my name at the card company, go to the card company's site and authorize the payment, and they transfer payment to the merchant? With all the money the credit card companies can save by preventing fraudulent use they should be able to more than afford the people and equipment for this and plenty of incentive for security because they'll be the ones who have to suffer the losses.
Are the credit card companies avoiding shouldering this burden on purpose? If one of them went ahead with it, would the rest have to follow suit for competitive reasons?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
A minor issue? The author must be on some super drugs. The reasoning for these new advances in credit card protection schemes is for these minor issues else they wouldn't worry about it altogether.
A nitpick, but I believe the author's point is that consumers don't need to worry about the cost of someone stealing their card. Banks, on the other hand, are worried about it since they pick up the tab. They push for any technology that can cut down on fraud, thereby saving them money.
Ahhhhhhhhhhhhhhhhhhhhhhh. There isn't a database where a bunch of plaintext debit card numbers are stored. Look up RSA encryption so I don't have to explain it to you please.
I'm a loner Dottie, a Rebel.
I'd buy software online or a book that I knew I wanted, or cdroms, but even cdroms I can go to tower and hear some of them to see if I want the cd in the first place.
I think that this will satisfy some people, but not everyone, and not for everything. I like to buy my groceries in the store, so I know that my bananas are fresh.
I don't want a lot, I just want it all!
Flame away, I have a hose!
Only 'flamers' flame!
By having one, you're essentially protected from people capturing your CC# and reusing it later. There are some drawbacks though. With the system I used, once you authorized the purchase you couldn't adjust the amount on the temporary credit card. So there wasn't a way to change an existing order because you had to go and get another credit card number for the additional amount.
I know merchants weren't overly fond of it either. One of the most effective ways of keeping out customers they didn't want was to block by number. With anonymous number systems like this they have to block by name/address which is much less of a hassle to get around because the automated filtering isn't as good. This also affects all of those discounts for "first time" customers which are usually tracked by CC#.
Is it going to be the standard 16 digits?
I know that as it stands, the range of numbers available is so ridiculously wide that you can't realistically guess a credit card number, but will that stay the same if the average person maybe chews through 40-50 CCN's a year?
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
Won't this make it that much easier for kiddies to find the algorithm that is used to verify these numbers?
The algorithm for credit card numbers is not a secret. You can determine if a card number is potentially correct yourself, but you need to contact the credit card company to ensure that a number is correct (and that they have enough money to cover their charge).
They said that it can't be used for automatic payments, things like cell-phone bills every month, because the number can only be used once.
I think this is a good thing. I've given up on automatic payments because my cell phone provider (name not mentioned to protect the guilty) double-charged me last January, and it took nearly 2 months and about 10 support calls to get the darned thing fixed.
I now believe that any "automatic" payment makes it too easy for a company to screw you over, either intentionally or through a glitch (which my case apparently was). No thanks - send me the invoice and I'll pay it manually from now on. Having the credit card number being one-time only would enforce that much better, because now they can't even have a working number for me on file.
I couldn't believe that they had the gall to ask me several times if I wanted to re-enable the automated payments again.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
A minor issue? The author must be on some super drugs. The reasoning for these new advances in credit card protection schemes is for these minor issues else they wouldn't worry about it altogether.
Regardless if they have to pay any fees at all, someone has still gotten ahold of their information, and depending on the criminal intelligence behind the person who has gotten ahold of the credit card number, they can escalate to identity theft, which has a big market. Even with thieves stealing information from insecure websites, it's an unheard of issue of credit card companies going after the website which was breached. Little is done to sites who don't secure their systems from the possibility of a breach, and they should be held somewhat responsible for the integrity of their data.
This is still a problem as if a "cracker" has somehow gotten ahold of any kind of information on a person, they can leverage this to enter their own username and password to get a "one time" number. What would be nice, is if some of the credit card companies would pre-issue about 20 numbers per month with a 30 day period before they're deleted. This way nothing is transferred over the wire and even a temp number can't be generated.
Well what about the crackers who go the full route to get all of a person's information including the password? I guess all these concepts go right down the drain.
Anyways...
The Big Breach -- Richard Tomlinson (ex MI6 agent)
360 degrees of Karma
Of course, the back-end (credit card companies) are still responsible for the true security implementation, but they're very very good at that. An example of how paranoid they are: when consultants for my company go on-site at our credit-card vendor customers, they literally have to stand behind the certified operator and tell them what keys to press. No one touches their machines without passing internal security certification procedures.
Another idea would be to have a hardware device that reads your card (prevents your kids from one-clicking) and then handles the encryption algorithm in hardware. The idea here being that there is no trace of your credit-card info on your computer. Maybe we should call it 1-swipe shopping. Oh, this thing would connect via the USB port.
Jumpstart the tartan drive.
You download a strange little Flash program, which sits in the task bar. This program lets you create new credit card accounts. You determine how much the limit on those accounts is, and how long they will last (expiration date). The Flash applet then keeps track of those numbers.
This solves a number of problems talked about here - it keeps track of the numbers for you, and they will last as long as you want (for recurring billing). And, if someone grabs the number, there is a very low limit on how much they can charge from it. You can even drag and drop the number from the applet.
The number is a standard CC#, 16 digits, with check digits. My experience so far has been that the numbers do not authorize very well (that is, I created a number, tried to charge something on it, and it came back as a bad number).
Anyhow, it would be nice if it worked right, because it doesn't need any special new card or other junk, just a computer.
I'm sure you've seen commercials for American Express' "Blue" card with the smart chip and boasting of enhanced security features. I received mine a few months ago and this is my experience with it:
A heavy package arrived on my doorstep, containing a suspicious item wrapped in lead. After peeling back the lead, I realized it was the new Blue Amex card! I figured that I may as well test out these enhanced security features, so I went to a porn site to sign up for a trial membership using a disposable card number.
You may be wondering how you get the card number, and I wondered this myself, until I ran my thumb over the smart chip, and magically it sprung to life! It scanned my thumbprint, and then out came a holographic image of a terminal, displaying the creation of the random credit card number! Apparently, it checks the position of the moon in its orbit to form a 32-bit variable. After determining the variable, it checks the temperature of the room, distance above sea level, and speed of sound in the current atmosphere, and calculates a string that is multiplied by the old variable. The resulting number is then plotted according to y=sin(x), and numbers are chosen from 16 points on the graph. The sines are then inverted and strung together to finally form the elusive random credit card number!
Or something like that.
--
--
#nohup cat
I have two checking accounts, one tied to a debit card, one not.
When a credit card number is stolen, the cardholder is only responsible for the first $50.00 of fraudulent charges.
When a debit card number is stolen, the thief can drain the account (whatever the balance is) and you have little hope of getting any of it back.
Sounds like a credit card is the way to go, right? Well, generally I would say yes, but how about those whose credit is poor or don't want to pay interest charges and fees?
Here's how I work it. I know that my checking account tied to the debit card is vulnerable so I don't keep very much in it - only what I can afford to lose if I am defrauded. When I need to make a purchase online, I first go to my online banking site and transfer the amount I need for the online purchase and then use the debit card for the purchase. Money goes in, money goes out, the balance stays low.
If someone compromises the database containing my debit card number they will only get $100.00 or less and I can close that checking account and start a new one tied to a new debit card number. No fighting with the bank or a vendor about unauthorized charges, I take my licks and get out. Sure, I might lose a little more than the $50.00, but to avoid the hassles it's worth it. I can only lose what's in that account so I keep it low and keep my exposure low.
The two accounts are completely separate. I have no checks to use with the debit card account and no debit card tied to the account I use to write checks. This doesn't fully protect me from identity theft, but makes it tougher on the thief.
War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
So, since I used a one-time number from AMEX, I logged into their web site and canceled that number. This means if that site decided to try again or use it, they couldn't and it would be denied for real this time.
I use this feature all the time through American Express. They call it "Private Payments" and it's completely free to all cardholders. All you have to do is log in to their site, click on "Request new number" and plug it in to the vendor's checkout form. The number expires in about a month and can only be used by one vendor (although multiple charges can be made to the account, since places like Buy.com will charge you as each item ships). You don't have to run any software, and the charges show up like normal on your statement. You can view all your past generated numbers and the vendor that used them. I think it's a great idea.
-Entropy [think outside the system]
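The per-number controls described in the comments above (a cardholder-chosen limit and expiry, use by one vendor with multiple charges allowed, cancellation from the issuer's site, a 16-digit number with a check digit) can be modelled as an issuer-side authorization check. This is an added example, not part of any comment and not any issuer's actual implementation; `VirtualNumber`, `authorize`, and the rule that a number binds to the first merchant that charges it are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def luhn_valid(pan: str) -> bool:
    """Verify the Luhn check digit carried by standard card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class VirtualNumber:
    pan: str                        # constructed test number, not a real account
    limit_cents: int                # cap chosen by the cardholder
    expires: date                   # last day the number is honoured
    merchant: Optional[str] = None  # assumption: bound on first approved charge
    spent_cents: int = 0
    cancelled: bool = False

def authorize(vn, pan, merchant, amount_cents, today):
    """Return (approved, reason); state changes only on approval."""
    if not luhn_valid(pan) or pan != vn.pan:
        return False, "bad number"
    if vn.cancelled:
        return False, "cancelled"
    if today > vn.expires:
        return False, "expired"
    if vn.merchant is not None and merchant != vn.merchant:
        return False, "wrong merchant"
    if amount_cents <= 0 or vn.spent_cents + amount_cents > vn.limit_cents:
        return False, "over limit"
    vn.merchant = merchant          # later charges must come from this merchant
    vn.spent_cents += amount_cents  # several shipments may each charge
    return True, "approved"
```

A number lifted from one merchant's database fails the merchant check everywhere else, and the limit and expiry bound what that merchant itself can charge.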