Slashdot Mirror


American Express Seeks To Swap Card Numbers For Secure Tokens

jfruh writes: One of the fundamental problems of the electronic payment business is that it's by and large based on the fundamentally insecure infrastructure of the credit card system, where anyone who has your 16-digit card number can make purchases on your account. American Express is trying to improve its security by moving towards the use of unique tokens for online purchases.

130 comments

  1. Finally.. by Midnight_Falcon · · Score: 3, Insightful
    With OTP and related two-factor authentication technology becoming so widely available, one would have hoped that credit cards would implement some type of solution either using OTPs instead of cards, or augmenting them with OTPs. Millions of dollars in fraud prevention, "credit monitoring" and other such services would be saved by simply using solid cryptographic systems for the payment networks.

    PCI compliance would probably be a lot less of a headache as well...

    1. Re:Finally.. by sexconker · · Score: 1, Flamebait

      > With OTP and related two-factor authentication technology becoming so widely available, one would have hoped that credit cards would implement some type of solution either using OTPs instead of cards, or augmenting them with OTPs. Millions of dollars in fraud prevention, "credit monitoring" and other such services would be saved by simply using solid cryptographic systems for the payment networks.
      >
      > PCI compliance would probably be a lot less of a headache as well...

      What are you saying? Do you even know?
      A one-time pad isn't going to help SHIT - you have to somehow securely distribute the pads before hand and expect the users to keep them secure.
      Strong crypto isn't going to help SHIT - the problem isn't securing the connection from the POS to the creditor, it's verifying the authenticity of the transaction itself, be it online or offline.
      "Two-factor" schemes like a code sent to a phone, an RSA clock, some dongle, whatever are effective against non-realtime attacks. (They're not actually two-factor, though, since you're using a single communication pipe and no one verifies the presence of the actual phone, RSA clock, dongle, or whatever, so it's just another part of "something you know".) Chip-and-pin style transactions cover the same bases at physical POS and are trivial to implement online. We had Verified by VISA and similar programs for online shit that did everything we needed but there was one critical flaw - no one used it because they didn't have to. The only site I've ever used that actually implemented it was Newegg. And when I accidentally closed the Verified by VISA popup (I assumed it was a shitty 3rd party offer popup and closed it before it loaded), I discovered that failing the Verified by VISA challenge still let my transaction go through because the merchant never wants to miss out on the sale.

      PCI compliance will be more of a headache with your OTP fantasy because you have to securely manage the OTPs.

    2. Re:Finally.. by oodaloop · · Score: 0, Offtopic

      I'm pretty sure he thinks that every time his fob displays a new number, that's a one time pad.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re:Finally.. by ArcadeMan · · Score: 3, Funny

      PCI is long dead, everyone has moved to PCIe by now.

    4. Re:Finally.. by sexconker · · Score: 0

      LOL
      Everytime my watch shows a new time, that's a one-time pad too!

    5. Re:Finally.. by Midnight_Falcon · · Score: 4, Informative
      If you're going to troll, at least give the benefit of the doubt on acronyms. OTP = One Time Password ...NOT one time pad.

      Here's a reference so you can avoid further confusion and undeserved insult: http://en.wikipedia.org/wiki/O...

    6. Re:Finally.. by TheCarp · · Score: 1

      Pretty sure from context OP is confusing OTP with sequence based tokens, especially since OTP is not two factor without layering something else with it.

      Clearly, you are right about OTP and it's for those reasons that nobody (or as close to nobody as matters) actually uses OTP for anything anymore; which really makes it more likely OP was confused about terminology than actually suggesting someone actually use OTP operationally in this day and age.

      Also, I asked a co-worker about this, he took longer than wikipedia to respond but I think his response was more appropriate and one I have heard before... "One time password".

      Kind of makes sense to reclaim "OTP" since we hardly need a TLA for something nobody actually uses seriously.

      --
      "I opened my eyes, and everything went dark again"
    7. Re:Finally.. by Anonymous Coward · · Score: 0

      What about EMV / Chip+PIN? My British cards support generation of single-use tokens using one of these handheld chip card readers.

      But, it's only used for verification by my bank's website for transferring money (etc), not for purchases. Using it for purchases could possibly allow for confusing users into real-time attacks from fake websites.

    8. Re:Finally.. by Midnight_Falcon · · Score: 1

      What am I saying? I think I have some idea.

      I've done plenty of PCI compliance audits, CISA certified, yadda yadda.. so you would hope I have some insight here.

      What do you know about cryptography? For example, if AMEX cards had a smart card in them that also had an OTP functionality -- like YubiKey, meaning a public key, an OTP (one time password, not pad), and a counter -- they could be made much more secure.

      How so, you ask?

      • Merchant validation service would validate based on OTP, this could be API-based with only AMEX etc storing shared secrets with the OTP devices
      • Replay attacks prevented by counter -- so old OTPs could not work if re-used
      • May require information on magnetic strip + RFID/NFC/OTP device, thus ensuring the card is present
      • POS systems could be compromised and since the OTP/counter changes, compromise of PAN data stored at endpoints would be far less valuable

      This is just the tip of the iceberg in terms of the many advantages such a system would have on making fraud a lot more difficult, and thus less profitable/worthwhile.
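Added example (not code from the thread or from AMEX/YubiKey) of the counter-based OTP check in the post above: the issuer-side validator implements RFC 4226 HOTP, keeps the shared secret and the next acceptable counter per card, and moves the counter forward on each success so a captured code cannot be replayed. The 6-digit length, the look-ahead window of 5 and the demo secret (the RFC's own test vector) are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes the RFC 4226 one-time password for a shared secret and a
// counter value, truncated to the requested number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// Validator is the issuer-side state for one card's OTP device: the shared
// secret (known only to the issuer and the device), the next counter value
// the issuer will accept, and how far ahead it will search for a code.
type Validator struct {
	secret  []byte
	counter uint64 // lowest counter still acceptable
	window  uint64 // look-ahead for codes the device generated but never submitted
}

// Validate accepts a code only if it matches a counter at or beyond the next
// expected value. On success the stored counter moves past the matched value,
// so the same code (and any older one) is rejected if replayed.
func (v *Validator) Validate(code int) bool {
	for c := v.counter; c <= v.counter+v.window; c++ {
		if subtle.ConstantTimeEq(int32(hotp(v.secret, c, 6)), int32(code)) == 1 {
			v.counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo using the RFC 4226 test secret; a real device would
	// hold a per-card secret provisioned by the issuer.
	secret := []byte("12345678901234567890")
	v := &Validator{secret: secret, window: 5}
	first := hotp(secret, 0, 6)
	fmt.Println("first use accepted:", v.Validate(first))                // true
	fmt.Println("replay accepted:   ", v.Validate(first))                // false
	fmt.Println("counter 2 accepted:", v.Validate(hotp(secret, 2, 6)))   // true (skips 1)
	fmt.Println("counter 1 accepted:", v.Validate(hotp(secret, 1, 6)))   // false, already behind
}
```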

    9. Re:Finally.. by Anonymous Coward · · Score: 0

      It's quite clear he isn't confusing OTP, but perhaps you aren't aware of the overloaded TLA? http://en.wikipedia.org/wiki/O... (most, eg RSA SecurID and Google Authenticator are TOTP - see http://en.wikipedia.org/wiki/T...).

    10. Re:Finally.. by Midnight_Falcon · · Score: 2

      I'm not confusing anything. One time password is the proper name for the technology.

    11. Re:Finally.. by Russ1642 · · Score: 1

      I love it when we have comments filled with unknown TLAs. (three letter acronyms)

    12. Re:Finally.. by TheCarp · · Score: 1

      Interesting, amusingly I have come to hate TLAs just because of the overload factor; but this one makes a lot of sense, like I said....why would we even need a TLA for one time pads when the vast majority of all discussion around one time pads is either in the context of explaining cryptography concepts.

      Pretty much the only people who have any business knowing anything about one time pads are military historians and people studying crypto academically, whereas, I know many people with one time password tokens who actually use them.

      --
      "I opened my eyes, and everything went dark again"
    13. Re:Finally.. by TheCarp · · Score: 1

      But you didn't say one time password, you said OTP. Now, it's clearly an overloaded TLA and that is easy enough to verify but, using TLAs in general is actually confusing because pretty much all of them are overloaded already, though.... this one gets a somewhat rare distinction of being overloaded in the same field.

      I mean, you don't see car mechanics going around referring to your coil packs as distributors.

      As I said, I think it makes sense to do away with OTP=One time pad since it's not actually useful, but, since it's been used academically that way for so long, I think it's pretty reasonable to assume that using it other ways will continue to cause confusion amongst people who are familiar enough with encryption to have studied one time pads (since they are still useful for concept teaching) but who don't do PCI audits for a living.

      --
      "I opened my eyes, and everything went dark again"
    14. Re:Finally.. by Midnight_Falcon · · Score: 2
      Sure they do. It's actually common in security parlance. When was the last time you made it to a security convention?

      Here's an example in commercial marketing:

      https://www.yubico.com/product...

    15. Re:Finally.. by Midnight_Falcon · · Score: 1

      Clearly I should've spelt out OTP to avoid confusion in this context... except, yes, I do PCI compliance audits for a living, and this acronym seems very second-nature at this point. However though, I wasn't the one confusing OTP... it was the readers applying their own cognitive bias to apply the "one time pad" meaning here, even though the context clearly pointed away from that.

    16. Re:Finally.. by Anonymous Coward · · Score: 0

      Nah.

      The problem is "app vs Secure Element"

      An App has no secure element, HCE is a really really bad idea because if you can HCE a card, you can also HCE someone else's card.

      To give an obvious example, if I have the username and password for some idiot's bank site, I can download the app for that bank to any Android device, and then use that person's card through HCE with impunity.

      So you might ask... wait, can't I do that with Apple Pay too? Well no, because the secure element is part of the device. If you sign up someone else's card to your Apple Pay device, that secure element can then be blacklisted from the bank's end.

      Like, the way fraud works is that it goes through the weakest part of the system. The weakest part of a bank app is the login process which lo and behold... doesn't require a biometric to login. Just one more password.

      Apple Pay currently wins because the secure element is unusable unless unlocked by the biometric. Not so in the case of HCE.

    17. Re:Finally.. by oodaloop · · Score: 1, Flamebait

      So you used an acronym that means two different things in this context without spelling it out even once, then get pissy when you're misunderstood? You might not be an idiot, but you're definitely an asshole.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    18. Re:Finally.. by Midnight_Falcon · · Score: 0

      I'm pretty sure I'm not the "asshole" here...in that, well, you chime in on a conversation just to call someone an expletive, or insult them..without even bothering to google OTP first. Notice in all my posts in my post history I don't resort to name calling like you have done here -- it's a clear sign logic has failed, and all you have is nonsense rhetoric and insult to offer.

    19. Re:Finally.. by cayenne8 · · Score: 1
      But my concern...

      How will people see me flash my Gold or Platinum digital token???

      :)

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    20. Re:Finally.. by Goetterdaemmerung · · Score: 2

      > Verified by VISA and similar programs for online shit that did everything we needed but there was one critical flaw - no one used it because they didn't have to. The only site I've ever used that actually implemented it was Newegg. And when I accidentally closed the Verified by VISA popup (I assumed it was a shitty 3rd party offer popup and closed it before it loaded), I discovered that failing the Verified by VISA challenge still let my transaction go through because the merchant never wants to miss out on the sale.

      Verified by VISA didn't succeed because:
      1) It looked like a scam site complete with redirection to a 3rd party asking for personal details like portion of social security number. Nowhere does it display security credentials.
      2) Real phishing scams exist using the name and similar form layouts.
      3) Yet Another Password. Hopefully not the same one used to log into the shopping site.
      4) If you forget your password, all you need is the card information to reset it, plus a birthday. Not exactly a big secret.
      5) It never worked for me because I disable third party cookies, run ABP, disable javascript, etc. I had to use IE the one time I tried to use it.

      Here is a paper that describes the flaws in Verified by Visa. Gross Domestic Product Implicit Price Deflator for State and Local Government Consumption Expenditures and Gross Investment

    21. Re:Finally.. by Anonymous Coward · · Score: 0

      Dude, just ignore them. You were courteous in all your posts and they turned nasty. (Perhaps it makes them feel powerful?)

      Seriously: just ignore those posts altogether.
      In the scheme of things those people don't matter.

    22. Re:Finally.. by Goetterdaemmerung · · Score: 2

      Darn, right link, wrong text. Wish I could recall my post for a few seconds to make a quick edit.

      It should be Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication

    23. Re:Finally.. by Anonymous Coward · · Score: 0

      Unfortunately the security industry is based on the notion of insecurity - if security measures actually worked then that sector wouldn't exist.
      There's no money to be made in things that just work flawlessly, so don't assume they'll just take your bugfixes and apply them straight away with no protest.

    24. Re:Finally.. by Anonymous Coward · · Score: 0

      Yeah, sorry oodaloop.

      You misunderstood what Midnight_Falcon said, jumped in to troll him because you thought he said something stupid, and then got pissy and started name calling when you found out you were actually the one who said something stupid. You're the asshole here.

    25. Re:Finally.. by snickers · · Score: 1

      Great post. I've had some dealings with Visa and they don't like Ross Anderson as he keeps poking holes in their security. Here's his attack on the UK Chip and PIN system (EMV).

      https://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

    26. Re:Finally.. by Euler · · Score: 1

      nah.. it really means "one time programmable." Silly acronyms.

    27. Re:Finally.. by 3.5+stripes · · Score: 1

      Actually, most banks make you jump through more hoops than just "some idiot's username and password", when you want to use their software to make payments on your phone.

      I personally had to have my card, a small code generating device that your bank will give you free, and my PIN, to then generate a challenge/response code from my card to allow the software access to my account.

      Maybe you're referring to US banks though.. they seem to regard security as an annoying waste of money.

      --
      He tried to kill me with a forklift!
    28. Re:Finally.. by TheCarp · · Score: 1

      Lol that was nasty? A little quibbling over use of TLAs is hardly nasty. I bet this thread could go 8 or 10 more posts before anyone got compared to a nazi.

      --
      "I opened my eyes, and everything went dark again"
    29. Re:Finally.. by Anonymous Coward · · Score: 0

      > Merchant validation service would validate based on OTP, this could be API-based with only AMEX etc storing shared secrets with the OTP devices

      American Petroleum Institute-based??

  2. Evolution of payments by schneidafunk · · Score: 1

    This is interesting news for sure, but what's the ideal setup? Working backwards, what do you think is the perfect payment method for security and flexibility?

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:Evolution of payments by Mordok-DestroyerOfWo · · Score: 2
      How about just basic 2-factor authentication?
      • I initiate a purchase online, Amex gives a probationary okay and sends a 5 digit code to my mobile device
      • The vendor prompts me for that code
      • Once I confirm that I am in possession of the device, the transaction can be completed

      It may not be perfect but it seems a bit better than the honor system that we're on now.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    2. Re:Evolution of payments by TheCarp · · Score: 2

      You can eliminate that secure channel to amex, or at least decouple it with some crypto tokens.

      So it could be
      1. I, at some point before any transactions, contact AMEX and load up on signed payment tokens.
      2. At time of purchase, I attach payment info and sign the token; I mark that token as used.
      3. Merchant confirms token amount and veracity with AMEX public key
      4. Merchant sends token to AMEX to claim the spend.
      5. AMEX verifies tokens and token uniqueness and logs it to my account.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Evolution of payments by Phreakiture · · Score: 3, Insightful
      • Merchant advises me of the total.
      • I give him cash equal to or greater than the total.
      • He gives me change equal to the difference between the total and what I gave him.

      Now, if you want an electronic approach, how about this:

      • Merchant advises me of the total.
      • I take a device, could be a card, could be a phone, whatever, and authorize an amount. Optionally, this may (i.e. should) involve the entry of a passcode of some sort. This should be entered into my device, not the POS terminal.
      • I connect the device to the POS terminal (could be a plug, slot, wireless, NFC, whatever - not important).
      • The POS terminal assembles a transaction record consisting of time, date, merchant ID, terminal ID, amount, sequence number. It passes this to my device.
      • If the POS terminal and my device agree on the amount, my device will add my account number to the transaction record, and then cryptographically sign the record.
      • The signed transaction record is passed back to the POS terminal and sent to the processor.

      If the amounts don't match, no signature, preventing overcharges. If the transaction is replayed, the merchant ID, terminal ID and sequence number collectively will function as a transaction ID and it will be recognized as a dupe. If any of the transaction details are altered, the signature doesn't match. If the vendor tries to do two transactions at once, the device won't sign both without me reauthorizing. If the vendor wants or needs to validate off-line, the signature can be checked using the device's certificate, the signature of which can be checked with a cached CA cert.

      Now, because this approach is agnostic as to whether the device is a card, dongle, phone or whatever, and whether it plugs in, taps or even just flashes a QR code on a screen, I can see the approach being adapted to both bricks-and-mortar and on-line purchases. The only thing I can think of that we do with our credit cards now that might be tricky in this system would be recurrent payments, but those could be handled by pre-authorizing a year's worth of transactions or something similar.

      --
      www.wavefront-av.com
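Added example, my own and not from the thread, of the steps in the post above: the device signs the POS record only when the amount matches what the holder authorized on the device itself, the authorization is consumed so a second record needs re-authorization, and the processor rejects altered records and replays by the (merchant ID, terminal ID, sequence number) transaction ID. The same sign/verify/dedup pattern is what TheCarp's pre-signed token sketch two posts up relies on. Ed25519 keys, JSON as the signed encoding and the account/merchant identifiers are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the transaction record the POS terminal assembles. The device
// fills in Account just before signing, so the signature covers everything.
type Record struct {
	Time        string `json:"time"`
	MerchantID  string `json:"merchant_id"`
	TerminalID  string `json:"terminal_id"`
	AmountCents int64  `json:"amount_cents"`
	Seq         uint64 `json:"seq"`
	Account     string `json:"account,omitempty"`
}

// txID is the composite (merchant, terminal, sequence) identifier the post
// proposes for recognising a replayed record.
func (r Record) txID() string {
	return fmt.Sprintf("%s/%s/%d", r.MerchantID, r.TerminalID, r.Seq)
}

// Device is the cardholder's card or phone: it holds the signing key and at
// most one pending authorization, entered on the device rather than the POS.
type Device struct {
	account    string
	priv       ed25519.PrivateKey
	authorized int64 // amount the holder authorized; 0 means nothing pending
}

func (d *Device) Authorize(amountCents int64) { d.authorized = amountCents }

// Sign adds the account number and signs only when the terminal's amount
// equals the amount authorized on the device. The authorization is consumed,
// so a second record cannot be signed without the holder re-authorizing.
func (d *Device) Sign(r Record) (Record, []byte, error) {
	if d.authorized == 0 || r.AmountCents != d.authorized {
		return Record{}, nil, errors.New("amount does not match authorization; refusing to sign")
	}
	d.authorized = 0
	r.Account = d.account
	msg, err := json.Marshal(r) // assumption: JSON is the canonical signed encoding
	if err != nil {
		return Record{}, nil, err
	}
	return r, ed25519.Sign(d.priv, msg), nil
}

// Processor verifies each signed record against the account's public key and
// rejects anything it has already seen under the same transaction ID.
type Processor struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func (p *Processor) Accept(r Record, sig []byte) error {
	pub, ok := p.keys[r.Account]
	if !ok {
		return errors.New("unknown account")
	}
	msg, err := json.Marshal(r)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature: record altered or not signed by the device")
	}
	if p.seen[r.txID()] {
		return errors.New("duplicate transaction ID: replay rejected")
	}
	p.seen[r.txID()] = true
	return nil
}

func main() {
	// Constructed demo: one device, one processor, one purchase of $19.99.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{account: "ACCT-0001", priv: priv}
	proc := &Processor{keys: map[string]ed25519.PublicKey{"ACCT-0001": pub}, seen: map[string]bool{}}
	rec := Record{Time: "2014-11-04T10:00:00Z", MerchantID: "M42", TerminalID: "T7", AmountCents: 1999, Seq: 1}

	dev.Authorize(1999)
	signed, sig, err := dev.Sign(rec)
	fmt.Println("signed:      ", err == nil)
	fmt.Println("first submit:", proc.Accept(signed, sig)) // <nil>
	fmt.Println("replayed:    ", proc.Accept(signed, sig)) // duplicate rejected
	signed.AmountCents = 9999
	fmt.Println("altered:     ", proc.Accept(signed, sig)) // bad signature
}
```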
    4. Re:Evolution of payments by Anonymous Coward · · Score: 1

      Your device receiving data from the POS terminal is an unnecessary risk.

      Since the device is probably a smart phone it should have a data connection of its own. So a better path would be:

      Your device broadcasts your payment ID (basically a user name) to the POS terminal.
      The POS terminal sends a signed invoice with the amount and your payment ID to the payment processor. The payment processor then looks up in their database what device that ID belongs to and sends your device a signed (with your public key) request for authorization.
      If you grant authorization your device sends back the signed authorization, and the payment system returns "accepted" to the POS system. If you deny it, or the request times out, the payment processor returns "denied" to the POS system.

      If you receive an invoice for a fraudulent purchase you deny it, and call up the payment processor and have them issue a new payment ID and invalidate your old one or alternatively click "report as fraud" instead of "deny" which would trigger an automatic re-issue of your payment ID. (note, this step isn't necessary for security it's just for the convenience of not receiving "phishing" attempts through the payment system.)

    5. Re: Evolution of payments by Anonymous Coward · · Score: 0

      This is the use of an OTP - one time pad. :-)

    6. Re:Evolution of payments by Phreakiture · · Score: 1

      Perhaps so, however, there was no assumption in my model that the device was a smartphone, nor any assumption that it had any kind of connectivity. Your model requires it, while mine would still allow for the payment device to be a card if that is the user's preferred option.

      There is also no reason why these two approaches couldn't be implemented on the same POS system.

      Now, the obvious question is why am I not requiring it to be a phone. The answers:

      • You want to encourage participation from those who do not have smartphones, or even phones at all, because the magstripe cards they are currently carrying are now demonstrated to be a security disaster. Enabling them to use a smart card instead keeps the object familiar.
      • You want to allow for folks (like me) who do not want to give their credit card details to Google or Apple.
      • You want to prevent your carrier from dictating your options, something you can put safely out of their control if you can use a device other than your smartphone.
      • You want to have options that are less hackable . . . kind of the point. A contact card sitting in your wallet is powered down. Short of dissection, you can't hack something that is powered down.
      --
      www.wavefront-av.com
  3. anyone who has your 16-digit card number by xxxJonBoyxxx · · Score: 4, Insightful

    >> anyone who has your 16-digit card number can make purchases on your account

    Wasn't CCV (the extra 3-digit number on the card) supposed to fix that? (https://www.dcporder.com/ccv.htm) Oh wait...intermediates started storing THAT too.

    So yeah...bring it on!

    1. Re:anyone who has your 16-digit card number by deKernel · · Score: 2

      Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been compromised (which is darn easy) then all bets are off.

    2. Re:anyone who has your 16-digit card number by TemporalBeing · · Score: 1

      > Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been compromised (which is darn easy) then all bets are off.

      AMEX uses a 4 digit value printed on the front of the card.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    3. Re:anyone who has your 16-digit card number by peragrin · · Score: 2

      The thing is most payment terminals require both numbers to function. Yes you aren't supposed to enter them online. However since the terminals themselves will decline transactions without them then it proved useless.

      Actually I am surprised at the limits of Apple Pay. Apple has some software APIs available (planets is using them). However I thought it would make more sense to add an NFC reader to every computer and tablet sold with both a system API and a WebKit API available. Just wave your phone over the computer to have the token data transferred. If they are feeling generous make it generic enough to accept any NFC standard payment.

      Suddenly every Mac sold expands the NFC numbers. Every iPad sold expands it. Bonus point: by manually confirming orders quickly, parents can purchase stuff for kids more safely.

      --
      i thought once I was found, but it was only a dream.
    4. Re:anyone who has your 16-digit card number by jtownatpunk.net · · Score: 3, Funny

      Well that fixes everything. :)

    5. Re:anyone who has your 16-digit card number by Mordok-DestroyerOfWo · · Score: 5, Funny

      > Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been compromised (which is darn easy) then all bets are off.
      >
      > AMEX uses a 4 digit value printed on the front of the card.

      In a few years once somebody figures out how to implement a 5 digit value on the back of a card, our worries will be over!

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    6. Re:anyone who has your 16-digit card number by Anonymous Coward · · Score: 0

      Payment terminals don't require the CVV2 number (it's not in the stripe, and AFAIK it isn't used by chip&pin cards either). CVV2 is utterly flawed (as all such schemes are) but was specifically for internet transactions and its use over the phone is an abuse (typically used to get cheaper transactions by merchants).

    7. Re:anyone who has your 16-digit card number by drainbramage · · Score: 1

      Mine goes to 11.

      --
      No brain, no pain.
    8. Re:anyone who has your 16-digit card number by swillden · · Score: 1

      CVV1 is in the magstripe.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:anyone who has your 16-digit card number by aliquis · · Score: 1

      Verified by Visa also requires a personal password to make the purchase go through.

    10. Re:anyone who has your 16-digit card number by Anonymous Coward · · Score: 0

      In Finland Verified by Visa requires that you sign into your bank account to approve the transaction. And yes, all of our online banks have been using OTPs for longer than I even know (more than 10 years), some also supported using government issued identity card (essentially a smartcard), but I think all have phased out that support.

    11. Re:anyone who has your 16-digit card number by DarenN · · Score: 2

      This is a little confusing - each card has 3 Card Verification Values (which, depending on the type of card can be CVV, CID or CVC - let's use CVV)

      CVV is stored on the track data.
      CVV2 is the one on your card. It is transmitted as a separate field for non-card-present transactions (eCommerce, for instance).
      CVV3, also known as dCVV (dynamic card verification value) is an EMV thing.

      Most people use CVV to refer to CVV2.

      This whole token thing is not AMEX only, Mastercard and Visa published specifications on this already and are certifying their acquirers. AMEX are late to the party :) The specifications are transitional at the moment, so the acquirer sends the token, and what's called the Token Service Provider (TSP, yay for TLAs) de-tokenizes it, then the real values are sent to the issuer for authorization.
      The TSP can be the Switch (AMEX, Mastercard, Visa, etc.) or the card issuer, or a separate provider somewhere else that does only this.

      --
      Rational thought is the only true freedom
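Added example (not DarenN's code nor any card scheme's) of the Token Service Provider step described above: the TSP swaps a 16-digit PAN for a Luhn-valid 16-digit token that shares only its last four digits, keeps the mapping in its own vault so the merchant and acquirer never hold the PAN, and de-tokenizes on the authorization path. The "9" token prefix and binding each token to the merchant it was issued for are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// luhnCheckDigit returns the digit that makes digits+d pass the Luhn check
// used by card numbers (the rightmost digit of `digits` is the first doubled).
func luhnCheckDigit(digits string) int {
	sum := 0
	double := true
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return (10 - sum%10) % 10
}

// luhnValid reports whether a digit string ends in its correct check digit.
func luhnValid(s string) bool {
	if len(s) < 2 {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return luhnCheckDigit(s[:len(s)-1]) == int(s[len(s)-1]-'0')
}

type entry struct{ pan, merchant string }

// TSP is the token service provider's vault. Only the TSP holds the mapping;
// the merchant and the acquirer see nothing but the token.
type TSP struct{ vault map[string]entry }

// Tokenize issues a 16-digit, Luhn-valid token for a 16-digit PAN. The token
// keeps the PAN's last four digits (receipts still read "ending in 1111") and
// is bound to the merchant that requested it (an assumption of this example).
func (t *TSP) Tokenize(pan, merchant string) (string, error) {
	if len(pan) != 16 || !luhnValid(pan) {
		return "", errors.New("invalid PAN")
	}
	for {
		n, err := rand.Int(rand.Reader, big.NewInt(10_000_000_000))
		if err != nil {
			return "", err
		}
		head := fmt.Sprintf("9%010d", n.Int64()) // assumed token prefix + 10 random digits
		// Choose the 12th digit so the PAN's own check digit is also the token's
		// check digit; exactly one d in 0..9 satisfies this.
		for d := 0; d < 10; d++ {
			body := fmt.Sprintf("%s%d%s", head, d, pan[12:15])
			if luhnCheckDigit(body) != int(pan[15]-'0') {
				continue
			}
			token := body + pan[15:]
			if _, taken := t.vault[token]; taken {
				break // collision with an issued token: draw new random digits
			}
			t.vault[token] = entry{pan: pan, merchant: merchant}
			return token, nil
		}
	}
}

// Detokenize returns the real PAN for the issuer's authorization, but only
// when the token is presented on behalf of the merchant it was issued to.
func (t *TSP) Detokenize(token, merchant string) (string, error) {
	e, ok := t.vault[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	if e.merchant != merchant {
		return "", errors.New("token not valid for this merchant")
	}
	return e.pan, nil
}

func main() {
	tsp := &TSP{vault: map[string]entry{}}
	tok, err := tsp.Tokenize("4111111111111111", "merchant-A") // constructed test PAN
	fmt.Println(tok, err)
	fmt.Println(tsp.Detokenize(tok, "merchant-A")) // real PAN
	fmt.Println(tsp.Detokenize(tok, "merchant-B")) // refused
}
```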
  4. Token by Impy+the+Impiuos+Imp · · Score: 4, Funny

    Triumph the Insult Comic Dog: "So, have you ever actually talked to a girl without giving her your secure unique token first?"

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  5. If I remember correctly by TheCastro1689 · · Score: 1

    My Discover Card had a feature where you could be given a one time number for a transaction online, I don't know if they still do it, but I imagine they do. This doesn't seem much different than that or any more convenient. So what's the big deal?

  6. They had a one-time-use number program years ago a by therealkevinkretz · · Score: 1

    I think it was called "Private Purchase"? You could log in to your AmEx account and generate a number that was good for one use. It was great, I don't know why they got rid of it.

  7. Get rid of numbers by Anonymous Coward · · Score: 1

    It's 2014, why are we still getting stamped plastic cards? Can't they put a tiny microcontroller, LCD, battery, and display a unique time synchronized calculated number along with 4 exposed pads that you can read the number with synchronized serial (SPI)?

    Of course, you can have a physical backup number on the card itself, but it should set off alarms if used.

    1. Re:Get rid of numbers by tepples · · Score: 1

      > It's 2014, why are we still getting stamped plastic cards?

      Because there are still brick-and-mortar merchants that haven't bought a chip reader, though planned shifts in merchant liability for unauthorized use will likely soon change this. And because people shopping at home don't want to have to buy and carry separate chip readers for desktop computers, iOS devices, and Android devices, and for each issuing financial institution. For example, someone with three payment cards (one debit card for each of two banks, plus one credit card) might have to either buy nine devices (three cards times three platforms) or find a way to use only one card with each device. Or what am I missing?

    2. Re:Get rid of numbers by Andy+Dodd · · Score: 5, Interesting

      You just described EMV, which all retailers will be effectively required to accept by October 2015 in the US. (It's not completely mandated, but the fraud liability shift effectively mandates it. After Oct. 1 2015, *retailers* will be fully liable for magstripe fraud.)

      EMV is widespread in Europe, it's been slowed down due to political bullshit from MCX in the USA.

      --
      retrorocket.o not found, launch anyway?
  8. Card Fraud by NorthWestFLNative · · Score: 1

    Considering I just had 2 fraudulent purchases made online to the total of $2850 to my American Express card I welcome anything secure and not tied to my card number. Despite never losing or having my card stolen I've had to replace my card multiple times in the past few years. After a while it starts to get old.

    1. Re:Card Fraud by Anonymous Coward · · Score: 0

      I haven't had a single fraudulent credit card transaction, ever. I've been using the same card and same bank for a decade.

    2. Re:Card Fraud by Anonymous Coward · · Score: 0

      that's just super, sparky. either 1) glad you're living in the paradise that is Europe or 2) good thing you've never had to do anything weird, like buy light bulbs at Home Depot or laundry detergent at Target.

    3. Re:Card Fraud by Anonymous Coward · · Score: 0

      So now we are to accept the idea that another super secure thing will make American Express cards secure.
      The only thing I believe is the existing credit card and debit card industry is fucked and they want to provide bigger buckets to bail out the sinking ship.
      Let's look at some secure history on my card from American Express that I kept just in case I needed to fix something or buy unexpected car tires or whatever.
      Had one that I kept at home, never used it to purchase anything, never!
      About 2 years ago a charge was posted for over three thousand from another state for shit I would never have any need for.
      Took a while to dispute this, had to send complaints to the state's AG.
      American Express took the charge off and then I asked for and received a new changed account number.
      Again, never used the card.
      Then a few months ago, a charge posted for some beauty products purchased at a store in another state.
      I disputed the charges and they removed them.
      Lesson learned... I canceled my not so secure American Express card.

  9. Evolution of payments by Anonymous Coward · · Score: 1

    It should work something like this:

    The merchant gives me a transaction ID.
    *I* contact AMEX to authorize payment using my own secure channel.
    AMEX contacts the merchant to get transaction details.
    AMEX has me confirm the transaction.
    AMEX pays the merchant.

    If I want to make a payment for someone else, they can pass the transaction ID from the merchant to me.

  10. Make it simple by fustakrakich · · Score: 1

    Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Make it simple by vux984 · · Score: 3, Informative

      Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

      And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?

    2. Re:Make it simple by Anonymous Coward · · Score: 0

      Haha fat American use credit card to buy soda! Maybe next you buy fat American hamburger with credit card! Fat money-borrower! Hahaha!

      - Chairman Mao

    3. Re:Make it simple by stoploss · · Score: 1

      Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

      And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?

      I take it you find cash fatally flawed for those same reasons: the possibility of theft, loss, or destruction.

      Of course, cash is anonymous—which you don't get with a credit card or check. Are you okay with the federal government tracking every purchase you make with plastic? Because they are.

    4. Re:Make it simple by Anonymous Coward · · Score: 0

      Help keep Slashdot censorship free - demand they remove the "flag"

      I will gladly support your cause the moment they have an autofilter for APK's shitposting.

      You're free to browse at -1 if you love to see his mental illness on copypasta display.

    5. Re:Make it simple by vux984 · · Score: 1

      I take it you find cash fatally flawed for those same reasons: the possibility of theft, loss, or destruction.

      Yes. I don't wander around the streets with $100s or $1000s of dollars on me for precisely those reasons.

      I do make small purchases with cash all the time, but the amounts I'd ever be faced with losing are not significant enough to matter. Last night alone I bought groceries, plus gas, plus the car battery unexpectedly needed to be replaced, and the delay caused by the latter meant we grabbed take out for dinner. All in, ~$400 in groceries between the farmers market, butcher, and supermarket, $170 for the battery, $80 for takeout, $60 for gas. Over $700. I don't need or want to be carrying that around, because I would miss that if I lost it.

      Of course, cash is anonymous—which you don't get with a credit card or check.

      I don't really get it with cash either if the person taking my money knows who I am.

      Are you okay with the federal government tracking every purchase you make with plastic?

      No. I am not, "Ok with that".

      Because they are. ... through a controversial data-mining program that is widely regarded as operating outside its legal authority...

      So how about we just rein them in instead of playing cat and mouse with them.

      But sure, in the meantime, if you are buying something you don't want tracked, arrange for a cash envelope drop in a park at night on Halloween or something.

    6. Re:Make it simple by JesseMcDonald · · Score: 1

      Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

      And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?

      The TREZOR is close to what the GP requested, or would be if 7-11s sold bitcoins. It requires a PIN to spend the funds, which protects against theft, and if it's lost or stolen or simply stops working you can recover your funds with the backup seed and any of several compatible wallet programs. Aside from the backup, which you keep in a secure place, the key never leaves the device, so you don't have to trust the USB host.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    7. Re:Make it simple by stoploss · · Score: 2

      Yes. I don't wander around the streets with $100s or $1000s of dollars on me for precisely those reasons.

      You're cherry-picking scenarios. Who said you have to load thousands of dollars at a time on a preloaded cash-equivalent card?

      I don't really get it with cash either if the person taking my money knows who I am.

      Again with the cherry-picking. Do we really want to play this game? Because an equivalent cherry picked boundary case scenario against credit cards would be where a merchant fraudulently charges your card, the credit card company decides to reject your chargeback/fraud allegation for whatever reason, and then you lost in court when you decided to sue.

      What's that you say, this doesn't normally happen? Exactly. Just admit it: cash is basically anonymous, just like credit card chargebacks usually work.

      ... through a controversial data-mining program that is widely regarded as operating outside its legal authority... So how about we just rein them in instead of playing cat and mouse with them.

      Great. I'm on board with you there. I'm sure they'll stop if we ask nicely. Or if we pass some laws. *cough* You know that wasn't the sole data collection program. Look at what the DEA has been doing with phone records... puts the NSA to shame.

      So how about we just rein them in instead of playing cat and mouse with them.

      Oh wait, are you talking about the violent overthrow of the US government? Because that's pretty much what it will take to get them to stop at this point.

      But sure, in the meantime, if you are buying something you don't want tracked, arrange for a cash envelope drop in a park at night on Halloween or something.

      And you're welcome to enjoy having the federal government track everything you do while paying the credit card companies for that "privilege" through interest charges and higher prices passed through to you by retailers.

      Oh, look: I can misrepresent your position just as easily as you do mine.

      BTW, before your jerking knee hits your chin, note that I never said I don't use credit cards. My point is that there are tradeoffs, and that you are misrepresenting stored value cards by only discussing cherry-picked boundary cases. When was the last time you were mugged/robbed, had your house burgled, lost a non-trivial amount of cash, or had cash destroyed in a fire? Yes, these things can all happen, but for most of us they are extremely rare occurrences.

    8. Re:Make it simple by Anonymous Coward · · Score: 0

      Haha fat American rule world! Chinaman buy American soda and American hamburger!

      -Donald Trump

    9. Re:Make it simple by vux984 · · Score: 1

      Who said you have to load thousands of dollars at a time on a preloaded cash-equivalent card?

      Common sense does. I gave a typical example, my evening yesterday. Just regular run of the mill stuff. $700+ in one evening. Sure not every evening is like that, but how often am I going to load the card? I figure to live on a cash or (cash equivalent card) I'm going to be loading the card with at LEAST $1000 to $1500 at a time. And that'll get me a few to a month tops. The alternative would be what? Loading it daily based on what I expect my daily expenses to be? That's a pain in the ASS and it STILL means I'm wandering around with $1000 in my pocket far more often than I'd like.

      And you're welcome to enjoy having the federal government track everything you do while paying the credit card companies for that "privilege" through interest charges and higher prices passed through to you by retailers.

      Oh, look: I can misrepresent your position just as easily as you do mine.

      I don't think that's THAT much of a misrepresentation. I'm not sure how much personally identifying information they actually take. It sounds like the law doesn't allow them to collect personally identifiable information at all, making it somewhat less egregious than you make out. (Although I also readily concede I don't easily believe that they are within the law. I am optimistic that we could get them there.)

      When was the last time you were mugged/robbed, had your house burgled, lost a non-trivial amount of cash, or had cash destroyed in a fire?

      I personally have never been mugged or robbed. Although my brother's had his car stolen, and my wife's family home has been burgled several times (consoles, games, jewelry, cash, and CDs). My grandfather has been mugged.

      I'm also not particularly likely to get mugged because I'm rarely out and about alone, don't use transit, practically never withdraw cash from ATMs, and never use check cashing companies. Muggers target just those sorts of people -- after all, who better to mug than the guy who you just saw pull a wad out of an ATM, and who is now walking home alone... so MY personal (lack of) mugging experiences aren't necessarily representative of everyone else's circumstances.

      I've never lost a non-trivial amount of cash because I don't carry much to lose. I've lost (or have had stolen?) my wallet on at least 2 occasions. And had it found/returned on one of them, minus the cash. And it's gone through the wash/dry cycle at least twice as well.

      Further, cash is pretty durable compared to 'stored value cards'. I've had gift cards that couldn't be read (value lost), credit cards that wouldn't read, debit cards that wouldn't read, etc.

      But you can take an old worn 20 bill, put it through the washing machine, retrieve the pieces, and as long as you have enough of it they'll give you a new 20. I've done it. (See washing machine incidents above.) When my cards stop working, they just stop working -- fortunately most of them are just proxies for the value in an account, and not store of value for the account itself.

      In my experience cash is significantly more durable than cards. (Because even if damaged, it's usually still recognized and accepted as cash.)

    10. Re:Make it simple by stoploss · · Score: 2

      I guess it comes down to how difficult it is to load the stored value card, doesn't it? I view this as tantamount to the amount of cash I'm carrying vs the cash I have in my ATM-linked account. I'm willing to carry several hundred in cash. By the same token, I would be willing to carry several hundred in stored value. More than that and cash gets unwieldy. I blame the government for refusing to issue larger denomination bills despite inflation.

      What stored value cards can give you is a way to purchase things anonymously, especially online purchases, which is otherwise a nigh-intractable problem. Yes, some places take money orders, but you have to go get one, mail it across the country to the merchant, wait for it to clear due to fraud paranoia, etc. Bitcoin is really a non-starter for commerce, comparatively speaking.

      It's generally easier to replace a lost/stolen/destroyed stored value card than it is to try to reassemble fragments of cash. Yes, you should keep your documentation for the card, but we are comparing that to scotch tape + fragments of cash. And this is with *existing* technology, not some purpose-designed reloadable smart card stored value thing.

      I think you are strongly underestimating the amount of tracking and profiling that happens when you make purchases using a credit card. I presume you're familiar with Target's "pregnancy detection" profiling that caused an uproar a few years ago. What about Facebook linking the purchases you make in brick & mortar stores to ads they have shown you while you're browsing? Yeah, that one surprised even me: directly linking in-person purchases to online browsing done elsewhere. Grocery stores/Walmart know exactly what you buy when you swipe, and they log all that... I bet a person's alcohol/tobacco purchase profile over the years would be quite valuable data for an insurance company. Furthermore, this kind of "third/fourth party" access is how the government works around a lot of 4th amendment impediments: they just buy the data from a broker when they couldn't constitutionally obtain it otherwise.

      Like I said, I use credit cards. Hell, I probably use them for the majority of my purchases. I am just aware of the fact that each time I use one it is adding data to databases that are used to build profiles. And data in databases never dies; perhaps today's "creepy tracking" is fine, but I don't know what kind of innovations they will come up with in the future.

      So, I protect my privacy as I deem appropriate through the judicious use of cash or stored value cards. I suppose this is also a matter of perspective: I consider the risk of database purchase profile data to have a larger potential for adverse consequences for me than the risk of losing the amount of cash/stored value I carry.

    11. Re:Make it simple by vux984 · · Score: 1

      I think you are strongly underestimating the amount of tracking and profiling that happens when you make purchases using a credit card. I presume you're familiar with Target's "pregnancy detection" profiling that caused an uproar a few years ago.

      Quite familiar. But remember, that's just within Target's own loyalty card. That's not the federal government, and that's not Target tracking you even at other stores. As it happens I do use the loyalty card at the supermarket I use and I'm generally ok with THEM tracking / trending what I'm buying with it there.

      I don't generally object to a given store knowing what I've bought AT that store. Indeed I consider it fairly inevitable. After all, I walk up to a cashier show them all my purchases, they look at my face, and then take my payment... if they wanted to keep track of people paying cash, it's all there.

      What about Facebook linking the purchases you make in brick & mortar stores to ads they have shown you while you're browsing?

      I don't have a Facebook account. But the system allegedly isn't providing personally identifying purchase information. Supposedly it's all hashes. Personally I'd love to see it audited to be sure, but you are probably overestimating the value of the data.

      I suppose this is also a matter of perspective: I consider the risk of database purchase profile data to have a larger potential for adverse consequences for me than the risk of losing the amount of cash/stored value I carry.

      Fair enough.

    12. Re:Make it simple by stoploss · · Score: 2

      But remember, that's just within Target's own loyalty card.

      No, it's not. It's tied to your profile they build from your credit card information.

      I don't generally object to a given store knowing what I've bought AT that store. Indeed i consider it fairly inevitable.

      If that were the extent of it, I would agree. However, cross-linking databases has continued to grow. I bought a vehicle last year, and either the dealer or the manufacturer sold me out because I get phone calls from other dealers around the country trying to sell me extended warranties. Given our discussion so far, it probably goes without saying I didn't sign up for or disclose any information beyond what was required to purchase the vehicle at the dealer.

      After all, I walk up to a cashier show them all my purchases, they look at my face, and then take my payment... if they wanted to keep track of people paying cash, it's all there.

      That's a fantasy... are you alleging a human could assign some sort of biometric identifier or do some sort of lookup to build a profile to associate with your cash purchases? If you're talking about paying cash at Jim's Bait Shop in a town with a population of 733 and Jim is your wife's cousin, then that's different because Jim knows you personally. Also, Jim's Bait Shop doesn't have a data warehouse. With credit card transactions at a computerized point-of-sale terminal, the record for a chain store is preassembled for data warehousing and profile building.

      Now, given the trends, I do expect Walmart/Target to eventually do facial recognition with their CCTV cameras to associate cash purchases with profiles as well as to build meta-profiles of who you shop with. They are already trying to track you as you wander through the store in terms of in which areas you linger, to further target your profile.

      But the [Facebook] system allegedly isn't providing personally identifying purchase information.

      Of *course* it is. Both Facebook and the store are hashing the same information to come up with the customer profile identifier. The store provides the details of your transaction. At this point, Facebook has both halves of the "anonymized" data, and we are supposed to trust that they discard that rather than retaining the link between the data elements. The brick & mortar store might not have the transaction linkage, but FB does.

      you are probably overestimating the value of the data.

      As I said, if data in databases had an expiration date rather than being ever further cross-linked, and profile data were limited to in-store purposes only, then that might be tolerable. Instead, we have to think 4th dimensionally and anticipate what might happen if anything collected at any point in the past were made available to any other adversarial entity in the future.

      Case in point: I signed a petition for a recall election. Some fuckers at a data warehousing firm (with a certain political bent) teamed up with the local newspaper (with the same bent), digitized all the data from the petitions and dumped them online, with everyone's name, address, and age. They had it indexed by Google and it's still online 3 years after the fact. I didn't enjoy the semi-threatening political mailers I received from the recallee's campaign, and only the people who signed the recall petition received these.

      The board of election protested, but the newspaper claimed this douchebaggery was some sort of important public access "historical record". There's a difference between a public record for someone to go examine a paper-based index in person vs. building a database for sale that anyone can trivially profile.

      My point is that data gets abused, and the only protection against it is to not have potentially damaging data collected. Sometimes it's hard to predict what might be damaging (4th dimensionally speaking). Filling out ethnic

    13. Re:Make it simple by vux984 · · Score: 1

      My point is that data gets abused

      Funny, I'm actually arguing your side of the argument in another thread on another article. So I agree with you completely on that front.

      I'd like to see anonymous transactions too. But I'm still not sold on stored value cards.

      a) I don't like the risk associated with having value tied to the physical card.

      b) I'm not convinced the average stored value card is truly anonymous. Can the system really not track you by the use of your stored value card? Does your proposed card really not have any unique identifiers?

      c) How is this stored value card protected from fraud and cloning? It sounds like doomed DRM to me to have a card that has a balance available yet prevents someone with physical access from being able to make a copy of the card, or alter the balance.

      Bottom line... while I don't like being tracked, using cash or stored value cards doesn't seem to be an overall improvement. (And even cash can be tracked; I'm surprised in a sense that it's not already tracking serial number usage at the average cashier's till, ATM, and bank teller. Mainstream doing that and we'll get all kinds of interesting information, from consumer profiling to identifying money laundering by watching the literal cash flow around the country. And all these 20s dispensed from all these ATMs around the city all showing up in an out-of-state "laundromat's" bank deposits... or whatever other irregularities...

  11. Amex is 15-digit by sandytaru · · Score: 1

    As anyone who has one knows. The CCV code is 4 digits to bring it into alignment with the other cards.

    I'd sign up for this. I hope they offer it to people sooner rather than later.

    --
    Occasionally living proof of the Ballmer peak.
  12. Bank of America has had this for awhile by hsmith · · Score: 2

    While cumbersome, you'd log in to your account, magically find the tab and you could generate a one-time credit card number. You could set a one time balance, set a monthly balance for recurring charges, etc.

    Fantastic for any online purchases you make. But, in reality - how many times are CC #'s getting stolen online vs in real life?

    1. Re:Bank of America has had this for awhile by Anonymous Coward · · Score: 0

      While cumbersome, you'd log in to your account, magically find the tab and you could generate a one-time credit card number. You could set a one time balance, set a monthly balance for recurring charges, etc.

      Fantastic for any online purchases you make. But, in reality - how many times are CC #'s getting stolen online vs in real life?

      Yep, more likely to get written down by unscrupulous wait staff while they're out of sight with your card.

    2. Re:Bank of America has had this for awhile by Anonymous Coward · · Score: 0

      c/cards are of little use as they're not stored in a usable format, they're encrypted. The US has a huge problem with card fraud because companies do not check back to the card holder's address for delivery. Europe looks this down, which can be a PITA, but at least it's safe(r).

    3. Re:Bank of America has had this for awhile by Anonymous Coward · · Score: 0

      And yet, I've had my cards replaced, in every case, because of online breaches of retailers and processors who consistently underestimated what it took to run a secure shop.

      Maybe what we need to do is have these idiots stop storing our data? PCI compliance sounds nice, but having a little certificate is meaningless if your "CTO" decides to have his compromised home laptop connected to the production floor "because it's easier to get things done than running in a Citrix session." And that, my friends, is a real cause of one of the larger breaches in the last 5 years.

      Bring on retail tokenization for both online and offline use. Require retailers to not store the real data, just a one-time token they receive when transmitting the initial card string, hashed with their merchant key.

      And fire your fucking incompetent CSOs.

    4. Re:Bank of America has had this for awhile by Anguirel · · Score: 1

      They still have it (ShopSafe), at least for my card. It's about the only reason I still use them. Always interesting to see how many official account names some companies have when buying from slightly different parts of their system (each requiring a separate card).

      --
      ~Anguirel (lit. Living Star-Iron)
      QA: The art of telling someone that their baby is ugly without getting punched.
    5. Re:Bank of America has had this for awhile by Anonymous Coward · · Score: 0

      Yep, more likely to get written down by unscrupulous wait staff while they're out of sight with your card.

      Sorry, but 100 guys writing down 20 credit cards a day will die of old age before they catch up to Target.

    6. Re:Bank of America has had this for awhile by DerekLyons · · Score: 1

      Fantastic for any online purchases you make. But, in reality - how many times are CC #'s getting stolen online vs in real life?

      My debit card was among those believed to be compromised in both of the recent Big News breaches (Target, Home Depot) and all my purchases at both were physical stick-a-card-in-the-reader purchases, not online. So, these things do happen in real life.

    7. Re:Bank of America has had this for awhile by risht · · Score: 1

      because companies do not check back to the card holder's address for delivery.

      It's very, very common for a purchase to be shipped to an address that is not the billing address. There's the obvious, like holiday gifts, and the less obvious, like small business owners with a home billing address wanting items shipped to their business. Merchants are forced into a corner here, because they'll lose the sale if they decline the transaction, and the credit card companies provide no tools to assist in determining fraudulent intent.

  13. Solution by rossdee · · Score: 2, Funny

    Change the system to use longer numbers, say 32 digits and make it hex, not dec

    They should also have a needle number (like a pin, but longer)

    1. Re:Solution by rubycodez · · Score: 2

      nonsense, the length of the number doesn't matter, a thief can steal a 32 digit number as easily as a 16 digit. Hexadecimal doesn't change matters either. The whole concept of using a fixed number is archaic, better solutions have been known (and have been in use in smarter countries for over a decade)

    2. Re:Solution by Anonymous Coward · · Score: 0

      better solutions have been known (and have been in use in smarter countries for over a decade)

      Oh, how I love when people fall short of providing actual examples and just expect people to take their word for it...

      Here are some words for you: [citation needed].

    3. Re:Solution by rubycodez · · Score: 1

      this is a tech site, you are supposed to have familiarity with encryption and private/public key. You are supposed to realize a computer doesn't care if you copy/paste or transmit a 32 digit number vs. a 16 digit one. Here are some words for you: [trolling ignoramus with no point]

  14. Re:They had a one-time-use number program years ag by sunking2 · · Score: 3, Insightful

    Because it's a pain and people are lazy.

  15. Secure tokens? You mean like Bitcoin by presidenteloco · · Score: 2

    Hey, maybe we don't even need those credit card companies in the mix at all.

    --

    Where are we going and why are we in a handbasket?
    1. Re:Secure tokens? You mean like Bitcoin by Anonymous Coward · · Score: 0

      Kind of ignores the "credit" side of the equation, don't you think? Going debt free is great individually, but eliminating personal debt entirely from your commerce stream is a little, what's the word.... simplistic?

  16. single use credit card numbers by silfen · · Score: 1

    A number of companies have offered single use credit card numbers in the past. You could generate new credit card numbers online, set time and dollar limits, and then use those for purchases. That offers similar levels of protection but is backwards compatible. Unfortunately, it hasn't caught on much.

    1. Re:single use credit card numbers by Anonymous Coward · · Score: 0

      But if everyone is doing this all the time, won't they quickly run out of credit card numbers? It will be just like running out of IPv4 addresses.
      What is really needed is some PayPal type of scheme where the receiver doesn't have any information that can be of use like a credit card number. It could be used online like it is now, but also offline. I could just login to my PayPal account and get an authorization code for "up to $50" or something and give that code at the store. It would be like making my own prepaid debit cards for any amount I authorize. I bet there is a lot of screaming going on at the PayPal offices because of their failure to act on payment innovations and bad reputation result in them being last in this field. Missed opportunity, also the google wallet, etc.

      So now Apple Pay comes on the scene and will receive a perpetual income based on a percentage of 3 out of 5 purchases made. muwhahaha, megalomaniacal laughter from the grave of Steve Jobs.

    2. Re:single use credit card numbers by Anonymous Coward · · Score: 0

      Nope. Remember, there's more to a CC transaction than the number. There's the CC number, name on the card, month/year expiration, CVVCVCODE...thingy, and billing address. [Almost] all those factors are needed to complete a transaction, and the disposable CC systems that I've seen have a next-month expiration date.

  17. Re:Amex is 15-digit - Splitting a sentence between by Anonymous Coward · · Score: 0

    the title and the post is really hard to read.

    And yeah, Amex cards are 15 digits:
    en.wikipedia.org/wiki/Bank_card_number

  18. what?! "they can easily be revoked?!" by funkymonkjay · · Score: 1

    Am I to assume from this that these tokens are to be reused?!?!?!? If so, they deserve to be frauded into the ground.

    1. Re:what?! "they can easily be revoked?!" by Shados · · Score: 1

      Probably for subscription purposes... Depending on how it's implemented, it's not so much the code itself that can be reused, but the transaction made with it that can be "replayed". By revoking the code, you revoke the ability to replay that transaction.

      Subscription services often (usually? I only worked on a few online payment systems, most did it this way but not all) don't store the credit card number itself. They just replay the transaction authorization.
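The token-only storage called for in comment 12.3 and the replayable, revocable subscription token described in comment 18.1 above, as one added Python illustration (not Amex's, any processor's or any commenter's code; the vault, merchant names, keys and the card number are all constructed):

```python
"""Toy tokenization vault (added example, not Amex's or any real processor's code).
The merchant sends the card string once, gets back an opaque token scoped to that
merchant, and stores only the token. The token can be replayed for recurring charges
and revoked by the issuer without reissuing the card. All merchant names, keys and
card numbers are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str          # the real card number; lives only inside the vault
    merchant_id: str  # the token is usable by this merchant alone
    revoked: bool = False


def charge_mac(merchant_key: bytes, token: str, amount_cents: int) -> bytes:
    """HMAC over token and amount under the merchant key, so a token copied out of a
    merchant database is useless without that merchant's key as well."""
    msg = f"{token}:{amount_cents}".encode()
    return hmac.new(merchant_key, msg, hashlib.sha256).digest()


class TokenVault:
    """Issuer-side vault: the only place a PAN is stored."""

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}
        self._merchant_keys: dict[str, bytes] = {}

    def register_merchant(self, merchant_id: str) -> bytes:
        key = secrets.token_bytes(32)  # shared key that authenticates charge requests
        self._merchant_keys[merchant_id] = key
        return key

    def tokenize(self, pan: str, merchant_id: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random: reveals nothing about the PAN
        self._tokens[token] = TokenRecord(pan=pan, merchant_id=merchant_id)
        return token

    def revoke(self, token: str) -> None:
        self._tokens[token].revoked = True  # the card stays valid everywhere else

    def authorize(self, token: str, merchant_id: str, amount_cents: int,
                  mac: bytes) -> tuple[bool, str]:
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "token revoked"
        if rec.merchant_id != merchant_id:
            return False, "token bound to another merchant"
        expected = charge_mac(self._merchant_keys[merchant_id], token, amount_cents)
        if not hmac.compare_digest(expected, mac):
            return False, "bad merchant MAC"
        return True, f"approved {amount_cents} cents on card ending {rec.pan[-4:]}"


class Merchant:
    """Merchant side: stores one token per customer, never a PAN."""

    def __init__(self, merchant_id: str, key: bytes, vault: TokenVault) -> None:
        self.merchant_id, self.key, self.vault = merchant_id, key, vault
        self.stored_tokens: dict[str, str] = {}

    def first_purchase(self, customer: str, pan: str, amount_cents: int) -> tuple[bool, str]:
        token = self.vault.tokenize(pan, self.merchant_id)  # card string sent exactly once
        self.stored_tokens[customer] = token                # only the token is kept
        return self.charge(token, amount_cents)

    def recurring_charge(self, customer: str, amount_cents: int) -> tuple[bool, str]:
        return self.charge(self.stored_tokens[customer], amount_cents)

    def charge(self, token: str, amount_cents: int) -> tuple[bool, str]:
        return self.vault.authorize(token, self.merchant_id, amount_cents,
                                    charge_mac(self.key, token, amount_cents))


def demo() -> dict:
    """First purchase, subscription replay, token theft from a breach, revocation."""
    vault = TokenVault()
    shop_a = Merchant("shop-a", vault.register_merchant("shop-a"), vault)
    shop_b = Merchant("shop-b", vault.register_merchant("shop-b"), vault)
    pan = "371200000000015"  # constructed 15-digit sample, not a real account
    results = {"first_purchase": shop_a.first_purchase("alice", pan, 999)}
    results["recurring"] = shop_a.recurring_charge("alice", 999)
    token_a = shop_a.stored_tokens["alice"]
    # A breach of shop-a's database yields the token but not the key, and the
    # token is rejected at any other merchant.
    results["replay_without_key"] = vault.authorize(token_a, "shop-a", 999, b"\0" * 32)
    results["stolen_token_other_merchant"] = shop_b.charge(token_a, 999)
    vault.revoke(token_a)
    results["after_revoke"] = shop_a.recurring_charge("alice", 999)
    results["pan_in_merchant_db"] = pan in repr(shop_a.stored_tokens)
    return results
```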

  19. Bootstrapping a cell phone as the second factor by tepples · · Score: 1

    I initiate a purchase online, Amex gives a probationary okay and sends a 5 digit code to my mobile device

    Then how would you initiate a purchase of a mobile device itself or of the first month of service for your mobile device?

    1. Re:Bootstrapping a cell phone as the second factor by Mordok-DestroyerOfWo · · Score: 1

      Same way Google does it I suppose. A list of single-use codes that you keep offline, and you can verify from the same device that you initiate the purchase from...in theory. It seems like the U.S., as a society, wants to completely eliminate every sort of risk in the world. What we should really be concentrating on is mitigating them to an acceptable level.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    2. Re:Bootstrapping a cell phone as the second factor by Atzanteol · · Score: 1

      They call you on your land-line with a voice recording and an IVR system asks you to press 1 if you approve the purchase.

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    3. Re:Bootstrapping a cell phone as the second factor by Anonymous Coward · · Score: 0

      Fine if you always have a mobile phone and a connection. My debit card company wanted to send me a pass key when I was in Brazil recently even though I told them I didn't have a phone connection there. Their response was to reset everything and send me another pass key...

  20. Re:They had a one-time-use number program years ag by Anonymous Coward · · Score: 0

    Because it's a pain and people are lazy.

    And by removing that option, this has resulted in me diverting over $60,000 in personal charges online from my Amex over to Bank of America that offers ShopSafe.

    There was no excuse to remove the optional feature. ShopSafe exists for BoA but it's not like they force you to use it. I would have preferred to use my Amex, but it has been relegated to point-of-sale terminal use.

    If they come up with a feature-for-feature match with ShopSafe (i.e. allowing me to set charge limits, expiration dates, recurring auths, etc.) then I will happily switch.

  21. I'm giving this to the world for free by jtownatpunk.net · · Score: 1

    Please implement it immediately.

    USB dongle with a little computer, display, fingerprint/pulse scanner, and a few buttons. Dongle plugs into a port on the POS payment terminal. You authenticate with an authenticated fingerprint from a finger with a pulse. Dongle makes its own secure connection to the payment clearinghouse and indicates to the clearinghouse that a transaction with [Merchant_ID] is imminent. [Merchant_ID]'s payment terminal makes its own connection to the clearinghouse and says [Your_Public_ID] owes $112.96. The clearinghouse sends a message to your dongle (snicker) saying [Merchant_ID_Common_Name] says you owe them $112.96. Do you want to [P]ay from Primary account, pay from [O]ther account, or [D]ecline payment. Your dongle sends your response to the clearinghouse which sends your response to the merchant. If you opted to pay from one of your linked accounts, the money is transferred to the merchant's account, confirmation of the transfer is sent to the merchant, and the transaction is concluded.

    At no time is your account information shown, transmitted, stored, or even provided. You don't even have your account information to provide.

    Same system can be used for online purchases, online identity verification, building access, home access, car access, and pretty much any kind of authentication where internet access is available.

    Hell, I'll bet a lot of people would even pay for the device after being on their 2nd or 3rd round of replacement credit cards in the last two years. Shouldn't cost more than $25 to make a keychain-dangler.
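    An added example, not from the commenter above, that simulates the exchange jtownatpunk.net describes: the dongle announces an imminent transaction with a merchant, the merchant tells the clearinghouse what a public ID owes, the clearinghouse asks the dongle to confirm, and money moves only on the dongle's signed answer. The merchant only ever sees a public ID and a PAID/DECLINED result. The party names, the device key, the balances and the single-process wiring (the clearinghouse calls the dongle directly) are constructed for illustration.

```python
import hashlib
import hmac


def tag(key: bytes, msg: str) -> str:
    """Authentication tag for one message on the dongle's own channel to the clearinghouse."""
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Dongle:
    """Holds only a public ID and a device key; there is no account number on it to leak."""

    def __init__(self, public_id: str, device_key: bytes):
        self.public_id = public_id
        self._key = device_key

    def announce(self, merchant_id: str):
        msg = f"IMMINENT|{merchant_id}"
        return msg, tag(self._key, msg)

    def answer(self, prompt: str, choice: str):
        # choice is the button the user pressed: P, O or D. The answer is bound to the exact
        # prompt text so a reply cannot be moved to a different merchant or amount.
        msg = f"ANSWER|{choice}|{hashlib.sha256(prompt.encode()).hexdigest()}"
        return msg, tag(self._key, msg)


class Clearinghouse:
    def __init__(self, device_keys, merchant_names, accounts):
        self.device_keys = device_keys          # public_id -> device key (constructed)
        self.merchant_names = merchant_names    # merchant_id -> display name shown to the user
        self.accounts = accounts                # public_id -> {"primary": cents, "other": cents}
        self.merchant_balances = {m: 0 for m in merchant_names}
        self.pending = {}                       # public_id -> merchant_id the dongle announced
        self.transcript = []                    # every message, for inspection

    def _ok(self, public_id: str, msg: str, t: str) -> bool:
        return hmac.compare_digest(tag(self.device_keys[public_id], msg), t)

    def receive_announce(self, public_id: str, msg: str, t: str) -> str:
        self.transcript.append(("dongle->clearinghouse", msg))
        if not self._ok(public_id, msg, t) or not msg.startswith("IMMINENT|"):
            return "REJECT"
        self.pending[public_id] = msg.split("|", 1)[1]
        return "OK"

    def receive_charge(self, merchant_id, public_id, amount_cents, dongle, user_choice) -> str:
        self.transcript.append(("merchant->clearinghouse", f"OWES|{public_id}|{amount_cents}"))
        # A charge is only considered if this dongle announced this merchant first.
        if self.pending.get(public_id) != merchant_id:
            return "DECLINED"
        self.pending.pop(public_id)             # each announcement covers one charge
        prompt = (f"{self.merchant_names[merchant_id]} says you owe ${amount_cents / 100:.2f}. "
                  "[P]ay from primary, pay from [O]ther, [D]ecline")
        self.transcript.append(("clearinghouse->dongle", prompt))
        msg, t = dongle.answer(prompt, user_choice)
        self.transcript.append(("dongle->clearinghouse", msg))
        if not self._ok(public_id, msg, t):
            return "DECLINED"
        _, choice, prompt_hash = msg.split("|")
        if prompt_hash != hashlib.sha256(prompt.encode()).hexdigest() or choice not in ("P", "O"):
            return "DECLINED"
        source = "primary" if choice == "P" else "other"
        if self.accounts[public_id][source] < amount_cents:
            return "DECLINED"
        self.accounts[public_id][source] -= amount_cents
        self.merchant_balances[merchant_id] += amount_cents
        self.transcript.append(("clearinghouse->merchant", f"PAID|{amount_cents}"))
        return "PAID"


def run_demo():
    """Constructed walk-through: one good purchase, a replay, an unannounced merchant, a decline."""
    key = b"device-key-for-dongle-0001"
    ch = Clearinghouse(device_keys={"PUB-0001": key},
                       merchant_names={"M-42": "Corner Hardware"},
                       accounts={"PUB-0001": {"primary": 20000, "other": 5000}})
    d = Dongle("PUB-0001", key)
    results = []
    msg, t = d.announce("M-42")
    results.append(ch.receive_announce("PUB-0001", msg, t))
    results.append(ch.receive_charge("M-42", "PUB-0001", 11296, d, "P"))   # the $112.96 purchase
    results.append(ch.receive_charge("M-42", "PUB-0001", 11296, d, "P"))   # replay, no new announcement
    msg, t = d.announce("M-42")
    ch.receive_announce("PUB-0001", msg, t)
    results.append(ch.receive_charge("M-99", "PUB-0001", 500, d, "P"))     # merchant never announced
    results.append(ch.receive_charge("M-42", "PUB-0001", 500, d, "D"))     # user presses Decline
    return {"results": results, "primary": ch.accounts["PUB-0001"]["primary"],
            "merchant": ch.merchant_balances["M-42"], "transcript": ch.transcript}


if __name__ == "__main__":
    for line in run_demo()["transcript"]:
        print(*line)
```

    The point the simulation makes is that the only things crossing the merchant's connection are a public ID and an amount, and a merchant that was not announced by the dongle gets a bare DECLINED with no way to tell why. Authenticating the dongle's answers to the precise prompt is what keeps a captured "pay" response from being reused for a different merchant or amount.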

    1. Re:I'm giving this to the world for free by Russ1642 · · Score: 1

      USB fingerprint reader? Seriously? That's just not needed. We've had chip and pin cards for many years now in Canada. They just need to implement a more secure alternative for online sales. And forget about being backwards compatible - lose the mag stripe and don't process payments from numbers alone.

    2. Re:I'm giving this to the world for free by jtownatpunk.net · · Score: 1

      The point of my system is to stop throwing around account information. My system doesn't involve transmitting (or even having) any valuable information where it can be stolen. Not even in encrypted form. Don't process payments from numbers at all.

  22. Virtual Account Numbers by pisces22 · · Score: 1

    I use "virtual account numbers" for online purchases with my Citi Mastercard. It adds a few steps to the process for a merchant that you haven't used before but it's totally worth it. You're still fucked in a brick and mortar shop, of course.

  23. How about ATM cards by Art+Challenor · · Score: 1

    It's really good that the security of the credit card system is being improved. I'm sure that the same thing will happen to the ATM network and operation just as soon as the banks are made liable for consumer losses through ATM fraud. (Today's election day in the US, good luck voting for a candidate that will even propose that solution).

  24. Mod parent up. by khasim · · Score: 2

    Great idea. And there are many different ways of doing this.

    The core concept is to generate a unique ID for each transaction that links:
    a. the vendor
    b. the customer
    c. the customer's bank
    d. (maybe also the vendor's bank)
    e. a specific amount
    f. a specific time.
    And being unique, it will never be used again. We have a lot of different ways to do that.

    With that information, the bank should be able to flag questionable transactions that get past the customer verification. Or at least warn the customer if the vendor has an unusually large number of "problems" reported.
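    An added example, not from the commenter above, of one way to build the per-transaction ID khasim lists: the customer's bank mints an ID that binds vendor, customer, bank, amount and time, plus a nonce so it is never repeated, and seals it with an HMAC under a key only the bank holds. At settlement the bank checks the seal, checks that what the vendor claims matches what was bound, enforces a time window, and refuses to settle the same ID twice. The bank and vendor identifiers, the key and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class TransactionAuthority:
    """The customer's bank: issues a unique transaction ID and settles it at most once."""

    def __init__(self, bank_id: str, key: bytes, window_seconds: int = 300):
        self.bank_id = bank_id
        self._key = key                      # known only to the bank (constructed)
        self.window = window_seconds         # how long an issued ID stays settleable
        self._settled = set()                # MACs already paid out, to stop replays

    def _mac(self, fields: str) -> str:
        return hmac.new(self._key, fields.encode(), hashlib.sha256).hexdigest()

    def issue(self, vendor: str, customer: str, amount_cents: int, issued_at: int) -> str:
        """Token = the bound fields in the clear plus a MAC over them.

        Identifiers must not contain '|' since it is the field separator.
        """
        nonce = secrets.token_hex(8)         # makes two otherwise identical purchases distinct
        fields = "|".join([vendor, customer, self.bank_id,
                           str(amount_cents), str(issued_at), nonce])
        return fields + "|" + self._mac(fields)

    def settle(self, token: str, vendor: str, amount_cents: int, now: int) -> str:
        """What the vendor presents for payment, checked against what the customer authorised."""
        parts = token.split("|")
        if len(parts) != 7:
            return "REJECT:malformed"
        fields, mac = "|".join(parts[:6]), parts[6]
        if not hmac.compare_digest(self._mac(fields), mac):
            return "REJECT:bad_mac"          # any edited field, e.g. the amount, lands here
        t_vendor, t_customer, t_bank, t_amount, t_issued, _nonce = parts[:6]
        if t_bank != self.bank_id:
            return "REJECT:wrong_bank"
        if t_vendor != vendor:
            return "REJECT:vendor_mismatch"  # a token for one shop cannot be spent at another
        if int(t_amount) != amount_cents:
            return "REJECT:amount_mismatch"  # the vendor cannot settle for more than agreed
        if not 0 <= now - int(t_issued) <= self.window:
            return "REJECT:stale"
        if mac in self._settled:
            return "REJECT:replay"           # same authorisation presented twice
        self._settled.add(mac)
        return "ACCEPT"


if __name__ == "__main__":
    bank = TransactionAuthority("BANK-1", b"bank-signing-key")
    tok = bank.issue("VENDOR-9", "CUST-7", 11296, 1_700_000_000)
    print(tok)
    print(bank.settle(tok, "VENDOR-9", 11296, 1_700_000_030))
    print(bank.settle(tok, "VENDOR-9", 11296, 1_700_000_031))
```

    Because every field is inside the MAC, the bank does not need to store anything about the transaction except the set of IDs it has already settled; the per-vendor "problem" counter khasim mentions would simply be a tally of rejections keyed on the vendor field.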

  25. summary fail by ahziem · · Score: 3, Informative

    Among popular cards, American Express uniquely has 15 digits. (VISA, Mastercard, and Discover have 16 digits.)

    1. Re:summary fail by ShaunC · · Score: 1

      Wish I had mod points, I'm glad someone else noticed this.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  26. Why would customers even care if it's more secure? by Anonymous Coward · · Score: 0

    If someone steals my credit card info and makes a fraudulent charge, the cc company voids it and issues me a new card (It's happened more than once). So, honestly other than being annoyed by a minor inconvenience, I don't really care that much. Do other customers actually give a shit about this? It seems like something cc cards or vendors, who are actually liable for these charges, should care more about. If they drag their feet on implementing decent authentication and it means it remains easy for the actual card holder (and anyone else) to make cc payments, by all means keep it business as usual.

  27. Typical american problem by Anonymous Coward · · Score: 1

    America (the USA, to be precise) seems to have problems no other developed country has, any more. Among them the absence of universal medical coverage and the old-fashioned credit cards. This is not USA bashing, but an expression of true amazement. For instance, codebooks, or one-time codes sent by SMS have been routinely used in Europe for quite some time now in conjunction with credit cards that are otherwise quite secure by themselves. American Express refused to upgrade and it cost them a lot of clients, both card users and places where you can use such a card (shops, cash dispensers, etc.).

  28. Re:Why would customers even care if it's more secu by toonces33 · · Score: 1

    Well, it can lead to identity theft for one thing which is a huge pain in the neck. It ultimately means that we all pay for it in terms of higher fees for credit cards and also fees being charged to merchants.

  29. Not a new idea by TJ_Phazerhacki · · Score: 1

    Visa has a tokenization program available for 3rd parties who want to integrate it. It just so happens that the biggest vendor so far is Apple.

    --
    Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
    1. Re:Not a new idea by TFlan91 · · Score: 1

      Here's a shiny powerpoint to download. Click Here. They say it works. They also say some random number (that sometimes has a letter in it?) next to a $ sign with god awful English.

      Seriously, click here.

  30. Private Payments by sconeu · · Score: 1

    10 years or so ago, AMEX had "Private Payments", where you could generate a single-use number for a transaction. The number was valid for a single transaction and expired in two days or so.

    Then they dropped the service. I never figured out why.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  31. It's like a car lock by rsilvergun · · Score: 1

    It takes some fraud out of the equation by making it harder. That said, the combination of tokens, mobile payments, NFC and GPS is going to make fraud damn near impossible. Mix in some big data analytics and your Credit Auth systems will block anything that gets missed.

    I know it's cool and hip to say the hackers will always find a way, but the reality is they won't. The credit card industry tolerates some fraud because the cost of eliminating it has been more than the cost of allowing it. That's changing. Big Data is cheap, and cell phones shift the cost of the user side tech to the end user. Book it, done.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  32. The dumbest idea in online purchases .. by lippydude · · Score: 1

    "American Express is trying to improve its security by moving towards the use of unique tokens for online purchases."

    The dumbest idea in online purchases was using Credit Card numbers in the first place ...

  33. I think it's hilarious by AnonymousCoward1998 · · Score: 1

    folks here in the upper 1% of collective intelligence are arguing about what's the best method for the Oligarchs to track us, our purchases, and our movements. Screw accounts, numbers, tokens, plastic, binary 1's and 0's in a computer....Why not barter our time and talents? Why not use cash? Why force small retailers to pay for a transaction some financial entity has no business profiting from, much less knowing about. I pay cash for just about everything, and the things I do purchase electronically are done with prepaid cards. I don't wear a tin foil hat, but the less the banksters, Oligarchs, and hackers know about me...the better.

  34. Secure transactions are as easy as 3C. by Anonymous Coward · · Score: 0

    With 3C, you never divulge any information that can be used to generate future transactions. All transactions are controlled by the consumer.

    3C can work with current point of sale devices. 3C WOPs can be pre-printed by ATMs or home printers, for example, and used like cash. Signing keys could be changed at will without having to wait for a new credit card to come in the mail.

    See 3C explanation.

  35. Some cards already have this - the virtual CC # by ayesnymous · · Score: 0

    Some cards let you create a virtual CC # tied to your credit card and basically set it up for one-time use by putting a dollar limit and expiration date on it. Too bad some cards like Discover actually discontinued it.

  36. unique tokens by l3v1 · · Score: 1

    For a long time now several banks (I'm talking EU here, I never saw this in the US, but that doesn't mean they don't have it) offer services where you can generate a temporary card number for a one-time single transaction, and the generated number becomes invalid after that single transaction. It's meant for online payments - you generate the number with a specified sum that can be spent, you make the transaction after which the number disappears. This, combined with a two-layer online banking login (password + single-use token sent by text to your phone) seems pretty solid to me. At least, I never heard anyone using it having their card data stolen.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
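    An added example, not from any of the commenters, of the virtual or single-use card number that pisces22, ayesnymous and l3v1 describe: the issuer hands out a fresh number that carries a spending limit and an expiry, and the number dies after its one approved authorization. It also applies the Luhn check that real card numbers pass, and defaults to the 15-digit Amex layout ahziem points out (pass length 16 for the other brands). The issuer identifier prefix, the limits and the timestamps are constructed; the number format is the only thing borrowed from real cards.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9 if it exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes partial + digit pass luhn_valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise AssertionError("unreachable: exactly one digit always satisfies Luhn")


@dataclass
class VirtualCard:
    limit_cents: int
    expires_at: int        # constructed unix time
    used: bool = False


class VirtualCardIssuer:
    """Issues single-use numbers that alias a real account the merchant never sees."""

    def __init__(self, iin: str = "37", length: int = 15):
        self.iin = iin             # leading digits; 37 is an Amex-style prefix (illustrative)
        self.length = length       # 15 for Amex, 16 for Visa/Mastercard/Discover
        self._cards = {}           # number -> VirtualCard

    def issue(self, limit_cents: int, now: int, ttl_seconds: int) -> str:
        body_len = self.length - len(self.iin) - 1
        while True:
            body = self.iin + "".join(secrets.choice("0123456789") for _ in range(body_len))
            number = body + luhn_check_digit(body)
            if number not in self._cards:          # never reuse a number still on file
                break
        self._cards[number] = VirtualCard(limit_cents, now + ttl_seconds)
        return number

    def authorize(self, number: str, amount_cents: int, now: int) -> str:
        """Decision the issuer returns to the merchant's gateway."""
        if not number.isdigit() or len(number) != self.length or not luhn_valid(number):
            return "DECLINE:malformed"
        card = self._cards.get(number)
        if card is None:
            return "DECLINE:unknown"
        if card.used:
            return "DECLINE:already_used"          # the number is dead after one approval
        if now > card.expires_at:
            return "DECLINE:expired"
        if amount_cents > card.limit_cents:
            return "DECLINE:over_limit"            # a declined attempt does not consume it
        card.used = True
        return "APPROVE"


if __name__ == "__main__":
    issuer = VirtualCardIssuer()
    n = issuer.issue(limit_cents=5000, now=1_700_000_000, ttl_seconds=600)
    print(n, luhn_valid(n))
    print(issuer.authorize(n, 4999, 1_700_000_100))
    print(issuer.authorize(n, 1, 1_700_000_101))
```

    A stolen virtual number is worth at most the limit set on it, and only until its first use or expiry, which is why the commenters find it attractive for online shops they do not trust. It does nothing at a physical terminal, as pisces22 notes, because the plastic still carries the real number.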
  37. Isn't this exactly how Apple Pay works? by wiredog · · Score: 1

    Generating a secure one time use token for any credit card that is stored?

  38. Trustless Transactions by Tokolosh · · Score: 1

    If only there existed a solution for the problem of trustless transactions! If someone could write a white paper setting out an algorithm, what a boon it would be....

    --
    Prove anything by multiplying Huge Number times Tiny Number
  39. Re:Why would customers even care if it's more secu by risht · · Score: 1

    It seems like something cc cards or vendors, who are actually liable for these charges, should care more about.

    Therein lies the rub. The merchant takes on 100% of the liability, the credit card companies and banks lose NOTHING when a fraudulent charge is made. In fact, they get to collect a chargeback fee. They have little incentive to fix the problem. Merchants, of course, have incentive to fix the problem. But they have no power (other than the really big merchants) to effect change.

  40. Re:They had a one-time-use number program years ag by therealkevinkretz · · Score: 1

    I didn't know BoA had a comparable feature. My past experiences with BoA haven't been good, and literally everything else (other than canceling Private Payments) I've experienced with AmEx has been good - including their removing without question charges I wasn't responsible for the handful of times it's happened.

  41. Re:They had a one-time-use number program years ag by Anonymous Coward · · Score: 0

    Yeah, I thought that was a tremendous advantage for Amex over all the other credit cards -- I just loved it for on-line shopping. Then they stopped that service. :(

  42. Is this news? by Anonymous Coward · · Score: 0

    Tokenisation is widespread in Europe already - there are dozens of services, both tied to card brands and independent, and many of them cover the US as well. Furthermore, P2PE absolutely relies on tokenisation by the service provider. So what's the breakthrough here?

  43. Re:They had a one-time-use number program years ag by Anonymous Coward · · Score: 0

    Yes, you can tell I would much rather be using my Amex. However, ShopSafe is simply the best, and I will tolerate having to deal with BoA to get it.

    I know my charges are a drop in the bucket for Amex, but I doubt I'm the only one whose business they are losing.