Disposable Credit Card Numbers
nihilvt sent us news that disposable credit card numbers are actually being deployed by several credit card issuers. The technology sounds like it involves a silly Windows plug-in of some sort, but I'd think there's a lot of potential for growth here. Has anyone actually used these systems? Do they work well? (We ran a story on this a few months ago.)
So is the next generation of credit cards going to have a built in mini screen displaying the current disposable number?
...for a research project at CSU Chico. Okay, not /that/ much like this... but it still seems relevant enough to post. :)
The general idea is that a user is issued a transaction generator (for lack of a better word). This is a small device (with a keypad and LED screen) which maintains a counter with the number of times it's been used, and contains unique public and private numbers. When the user wishes to perform a transaction, he/she enters the amount of the transaction and his/her PIN number. The public number and amount (perhaps obfuscated) are output as cleartext; the private number, amount (again), PIN and counter are sent through a one-way hash. This hash is appended to the card's output.
The verifying agency keeps track of not only the private number but also recently used counter values. When a transaction comes in for verification, it attempts the hash with the last [INSERT CONSTANT HERE] unused counter values (up to a limit of [INSERT CONSTANT HERE]), as well as the next [INSERT CONSTANT HERE] counter values. If one matches, the transaction is approved and the database of used counter values is updated.
The end result is that: a PIN is required for each transaction. Each transaction value may not be reused. The most data which can be had from reverse-engineering a card is the private number, which is still useless without the PIN; hence, stealing the generator does no good. Stealing the in-transit data will get you the public number, but (thanks to the one-way hash) no private number or PIN. Even watching someone perform data entry and stealing their stream (taking both the PIN and public number) does no good, as the private number is still unrecoverable.
The bad news is that the number has to be fairly long to include an acceptable amount of hash data -- I determined 26 alphanumerics to be more than sufficient, but providing this means replacing a lot of equipment. This much data is needed in part because the multiple hashes done in verification increase the chances of collisions significantly. Furthermore, it means that software and equipment that performs a Luhn check (as with CC#s) will need to be replaced.
I still consider it a nifty idea.
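A minimal sketch of the scheme described in the comment above, added here as an example and not code from the poster or from any card issuer. HMAC-SHA256 stands in for the unspecified one-way hash; the window sizes, tag length, field encoding and the verifier holding a copy of the PIN are all assumptions.

```python
import hashlib
import hmac

LOOK_BACK = 3    # assumed window: skipped counters this far behind are still accepted
LOOK_AHEAD = 5   # assumed window: counters this far past the highest accepted one
TAG_CHARS = 16   # assumed length of the hash suffix, in hex characters

def make_tag(private: bytes, amount_cents: int, pin: str, counter: int) -> str:
    """One-way function over amount, PIN and counter, keyed by the private number."""
    msg = f"{amount_cents}|{pin}|{counter}".encode()
    return hmac.new(private, msg, hashlib.sha256).hexdigest()[:TAG_CHARS]

class Generator:
    """The user's device: public and private numbers plus a use counter."""
    def __init__(self, public: str, private: bytes):
        self.public, self.private, self.counter = public, private, 0

    def transaction(self, amount_cents: int, pin: str):
        self.counter += 1  # every use consumes a counter value, even a mistyped PIN
        tag = make_tag(self.private, amount_cents, pin, self.counter)
        return self.public, amount_cents, tag  # public number and amount go in clear

class Verifier:
    """The verifying agency: knows private number and PIN, tracks used counters."""
    def __init__(self):
        self.accounts = {}

    def enroll(self, public: str, private: bytes, pin: str):
        self.accounts[public] = {"private": private, "pin": pin, "highest": 0, "used": set()}

    def verify(self, public: str, amount_cents: int, tag: str) -> bool:
        acct = self.accounts.get(public)
        if acct is None:
            return False
        low = max(1, acct["highest"] - LOOK_BACK)
        for counter in range(low, acct["highest"] + LOOK_AHEAD + 1):
            if counter in acct["used"]:
                continue  # a counter value is never accepted twice
            expected = make_tag(acct["private"], amount_cents, acct["pin"], counter)
            if hmac.compare_digest(expected, tag):
                acct["used"].add(counter)
                acct["highest"] = max(acct["highest"], counter)
                return True
        return False

if __name__ == "__main__":
    card, bank = Generator("PUB-0001", b"constructed-private-number"), Verifier()
    bank.enroll(card.public, card.private, "4821")
    first = card.transaction(1999, "4821")
    print(bank.verify(*first), bank.verify(*first))  # accepted once, then replay rejected
```

A device used more than `LOOK_AHEAD` times without reaching the verifier falls out of the window and needs resynchronising, which is the trade-off behind the constants the comment leaves open.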
Disposable credit cards are not really credit cards, they are monetary transaction tokens which happen to fit inside a field designed for a credit card number. This lets you build a completely new electronic payment system that is still compatible with online merchants designed for the credit card system.
These tokens can use any existing billing system as a backend. It can be billed to a real credit card like the systems described in the article. It can also be debited directly from your bank account. It can even be billed through a prepaid card you can buy at the store just like a phone card. I would really like to see a system with a PayPal account as its backend (anyone at PayPal listening?)
-
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
As others have pointed out, Discover currently offers disposable numbers. Although I applaud their efforts, their current offering leaves much to be desired.
To use it, you have to download a Windows app (NOT a browser plugin) called Deskshop. This program activates itself automatically when I boot up and puts an orange dot on my taskbar. It has a setting to disable automatic startup but it doesn't work. Every once in a while, ZoneAlarm will catch it trying to access the internet secretly. I'm sure it is spyware and was trying to upload my browsing/shopping/etc. habits. I would prefer not to use this app but rather just go to Discover's web page to get a disposable number. But I can't do that.
The number is the usual 16 digits and the first 4 digits are the same as for regular Discover numbers. Apparently merchants are not able to tell whether it is a disposable number or not. When I request a number (via Deskshop), I specify whether it is recurring or one-time. As the names indicate, one-time numbers can be used for one charge only, while recurring numbers can be used again and again (for example, to pay a monthly subscription). I can cancel the recurring number but I have to call Discover customer service. I wish I could use their web page instead. I also wish I could specify a maximum dollar amount for each number I generate. But I can't do that either.
As for Amazon one-click, I don't see why a recurring number would not work, but I haven't tried it.
Ahh, but we're talking about entering these things into a computer form, eh? Since they don't have to worry about swiping a non-existent one-time-use card, then no worries as to if the number can be entered into a keypad.
Also, since [presumably] the verification and deactivation are real-time, the numbers are instantly recyclable, since, as they're used they can become immediately available again.
---
You can also access your account online in this way and do other things, like download coupons to the card to be used at retail stores. For example, you can go to http://www.fakecoffeestore.com, download a discount to the card, then go to the mall to FakeCoffeeStore and use your card there for a discount. Pretty neat...
Of course the problem with this setup is people have to support it.
Info on the card I have, the FusionCard, is at http://www.fusioncard.com. I haven't gotten my reader yet, should be a neat toy though.
Disposable credit card numbers? That's nothing new; just go to a 'cardz' site and grab a few. Am I missing something? ;-)
--
Slashdot monitor for your Mozilla sidebar or Active Desktop.
Nah, it's not that much of a difference. Think of it in database terms: if they currently identify your account by your CC#, they will just have to change that to some other general ID. They'll have to keep a relationship table going between the real ID and the disposable CC#'s, along with valid vendor and timeframe information, but it won't really change the way they do business that much. The conversion to the new system will cost a pretty penny, but believe me, they can afford it.
Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...
The system has room for each of 6 billion people to have almost 2 million numbers. Not a problem.
You can be sure the credit card companies have considered all of these issues. They don't screw around. Due diligence is a way of life for these people; their line of business leaves no room for error.
Well, there goes Visa. You can still use your MasterCard until someone uses 5 . . . aw crap.
Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?
This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...
Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...
Sorry if that was incoherent
I have a philosophy in life. Know your limitations, and work your life around them instead of trying to work through them.
For example. When I first went to university, I was slightly overweight. I know I don't have the willpower for working out regularly, I've tried too many times and failed. So instead, I found an apartment five miles away from the university, with a nice bike path that went almost all the way to where I lived. There was no way I would pay for a monthly bus pass (money better spent on games) so for the next three years I was biking at least 10 miles a day, five days a week. Sure it's a little extra work, but it's worth it. Problem solved.
This solution reminds me of that. Instead of trying to make encryption better and better, a process everyone knows will always have problems and flaws, either in security or convenience, they worked their way around it by making the numbers a one-shot deal. Sure it's a little extra work, but the rewards are worth it. Problem solved.
Fuzzy Knights: New RPG Strips Tuesday and Friday!:
http://www.fuzzyknights.com
Gotta love this quote "They can't be used on one-click shopping sites such as Amazon, where permanent card numbers must be stored. "
Seems to me you could enter the credit card number when making a purchase, click "Buy", and still come in at one click..
The sad thing is that the way it's written, it's like the author really thinks that Amazon _must_ keep credit card numbers on file...
Don't forget that not all 16 digit numbers are valid for use as credit card numbers. In order to be valid, a number must first pass a rudimentary checksum test called LUHN-10. This checksum is intended to prevent unnecessary online verification of numbers that were entered in error. In short, the sum of odd numbered digits (numbering starts at the right, not the left) must be evenly divisible by 10, and the totals of the other digits each individually multiplied by two must also be evenly divisible by 10. As a result, there are far fewer than 10000000000000000 sixteen digit credit card numbers available.
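The Luhn (mod 10) check in its standard form as used for payment card numbers, added here as an example and not code from the thread. The sample values are the widely published `4111 1111 1111 1111` test number and constructed digit strings, not real accounts.

```python
def luhn_sum(digits: str) -> int:
    """Sum the digits right to left, doubling every second one (9 subtracted if > 9)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:      # second, fourth, ... digit counted from the right
            d *= 2
            if d > 9:
                d -= 9        # same as adding the two digits of the product
        total += d
    return total

def luhn_valid(number: str) -> bool:
    """True when the whole number, check digit included, sums to a multiple of 10."""
    return number.isascii() and number.isdigit() and luhn_sum(number) % 10 == 0

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` plus that digit pass the test."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)

def valid_completions(prefix: str) -> list:
    """Every final digit that validates; for any prefix exactly one exists."""
    return [d for d in "0123456789" if luhn_valid(prefix + d)]

if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))          # test number passes
    print(valid_completions("411111111111111"))    # a single valid check digit
    # Adjacent swaps change the check digit, except for the pair 09 <-> 90.
    print(luhn_check_digit("411112"), luhn_check_digit("411121"))
    print(luhn_check_digit("411109"), luhn_check_digit("411190"))
```

Because each 15-digit prefix has exactly one valid check digit, the test catches typing errors but carries no secret: anyone can compute a passing number, so it is an error check and not an authenticity check.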
They said that it can't be used for automatic payments, things like cell-phone bills every month, because the number can only be used once.
I think this is a good thing. I've given up on automatic payments because my cell phone provider (name not mentioned to protect the guilty) double-charged me last January, and it took nearly 2 months and about 10 support calls to get the darned thing fixed.
I now believe that any "automatic" payment makes it too easy for a company to screw you over, either intentionally or through a glitch (which my case apparently was). No thanks - send me the invoice and I'll pay it manually from now on. Having the credit card number being one-time only would enforce that much better, because now they can't even have a working number for me on file.
I couldn't believe that they had the gall to ask me several times if I wanted to re-enable the automated payments again.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
A minor issue? The author must be on some super drugs. The reasoning for these new advances in credit card protection schemes is for these minor issues else they wouldn't worry about it altogether.
Regardless if they have to pay any fees at all, someone has still gotten ahold of their information, and depending on the criminal intelligence behind the person who has gotten ahold of the credit card number, they can escalate to identity theft, which has a big market. Even with thieves stealing information from insecure websites, it's an unheard-of issue of credit card companies going after the website which was breached. Little is done to sites who don't secure their systems from the possibility of a breach, and they should be held somewhat responsible for the integrity of their data.
This is still a problem as if a "cracker" has somehow gotten ahold of any kind of information on a person, they can leverage this to enter their own username and password to get a "one time" number. What would be nice, is if some of the credit card companies would pre-issue about 20 numbers per month with a 30 day period before they're deleted. This way nothing is transferred over the wire and even a temp number can't be generated.
Well what about the crackers who go the full route to get all of a person's information including the password? I guess all these concepts go right down the drain.
Anyways...
The Big Breach -- Richard Tomlinson (ex MI6 agent)
360 degrees of Karma
Of course, the back-end (credit card companies) are still responsible for the true security implementation, but they're very very good at that. An example of how paranoid they are: when consultants for my company go on-site at our credit-card vendor customers, they literally have to stand behind the certified operator and tell them what keys to press. No one touches their machines without passing internal security certification procedures.
I'm sure you've seen commercials for American Express' "Blue" card with the smart chip and boasting of enhanced security features. I received mine a few months ago and this is my experience with it:
A heavy package arrived on my doorstep, containing a suspicious item wrapped in lead. After peeling back the lead, I realized it was the new Blue Amex card! I figured that I may as well test out these enhanced security features, so I went to a porn site to sign up for a trial membership using a disposable card number.
You may be wondering how you get the card number, and I wondered this myself, until I ran my thumb over the smart chip, and magically it sprung to life! It scanned my thumbprint, and then out came a holographic image of a terminal, displaying the creation of the random credit card number! Apparently, it checks the position of the moon in its orbit to form a 32-bit variable. After determining the variable, it checks the temperature of the room, distance above sea level, and speed of sound in the current atmosphere, and calculates a string that is multiplied by the old variable. The resulting number is then plotted according to y=sin(x), and numbers are chosen from 16 points on the graph. The sines are then inverted and strung together to finally form the elusive random credit card number!
Or something like that.
--
--
#nohup cat
I use this feature all the time through American Express. They call it "Private Payments" and it's completely free to all cardholders. All you have to do is log in to their site, click on "Request new number" and plug it in to the vendor's checkout form. The number expires in about a month and can only be used by one vendor (although multiple charges can be made to the account, since places like Buy.com will charge you as each item ships). You don't have to run any software, and the charges show up like normal on your statement. You can view all your past generated numbers and the vendor that used them. I think it's a great idea.
-Entropy [think outside the system]