Slashdot Mirror


American Express Seeks To Swap Card Numbers For Secure Tokens

jfruh writes: One of the fundamental problems of the electronic payment business is that it's by and large based on the fundamentally insecure infrastructure of the credit card system, where anyone who has your 16-digit card number can make purchases on your account. American Express is trying to improve its security by moving towards the use of unique tokens for online purchases.
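As an added illustration of the tokenization idea in the summary (constructed example code, not American Express's design or any real network's API): a token vault issues a random, merchant-bound, single-use token in place of the 16-digit card number, and only the vault can map the token back to the PAN. A token leaked from a merchant is useless to anyone else, because it is bound to that merchant and is rejected on replay. The card number below is a constructed test value and the merchant IDs are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """What the vault stores per token: the real PAN, the merchant the
    token was issued to, and whether it has already been spent."""
    pan: str
    merchant_id: str
    used: bool = False


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by card networks; a tokenized merchant should
    never hold anything that passes this check."""
    digits = [int(d) for d in number]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Constructed issuer-side token vault. The PAN enters once at
    enrollment and never leaves; merchants only ever see tokens."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def issue_token(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # A random token carries no information about the PAN, so it cannot be
        # reversed, and it is tied to the merchant that requested it.
        token = "tok_" + secrets.token_hex(16)
        self._records[token] = TokenRecord(pan=pan, merchant_id=merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount: int) -> tuple[bool, str]:
        """Decide a charge. Every failure path returns False; the PAN is
        only touched after all checks pass (fail closed)."""
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant_id != merchant_id:
            return False, "token bound to a different merchant"
        if rec.used:
            return False, "token already used (replay)"
        rec.used = True
        return True, f"charged {amount} to card ending {rec.pan[-4:]}"


# Constructed sample: a public-format test card number and two made-up merchants.
TEST_PAN = "371449635398431"


def demo() -> list[tuple[bool, str]]:
    vault = TokenVault()
    token = vault.issue_token(TEST_PAN, "merchant-A")
    return [
        vault.authorize(token, "merchant-B", 100),   # stolen token, other merchant
        vault.authorize(token, "merchant-A", 100),   # legitimate charge
        vault.authorize(token, "merchant-A", 100),   # replay of the same token
        vault.authorize("tok_deadbeef", "merchant-A", 100),  # guessed token
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("APPROVED" if ok else "DECLINED", reason)
```

The merchant in this model never needs to satisfy PCI controls for stored PANs, because it never receives one; the vault is the only component that has to protect card numbers, and the token's randomness (not secrecy of an algorithm) is what makes it unguessable.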

2 of 130 comments

  1. Re:Finally.. by sexconker · Score: 1, Flamebait

    With OTP and related two-factor authentication technology becoming so widely available, one would have hoped that credit cards would implement some type of solution either using OTPs instead of cards, or augmenting them with OTPs. Millions of dollars in fraud prevention, "credit monitoring" and other such services would be saved by simply using solid cryptographic systems for the payment networks.

    PCI compliance would probably be a lot less of a headache as well...

    What are you saying? Do you even know?
    A one-time pad isn't going to help SHIT - you have to somehow securely distribute the pads beforehand and expect the users to keep them secure.
    Strong crypto isn't going to help SHIT - the problem isn't securing the connection from the POS to the creditor, it's verifying the authenticity of the transaction itself, be it online or offline.
    "Two-factor" schemes like a code sent to a phone, an RSA clock, some dongle, whatever are effective against non-realtime attacks. (They're not actually two-factor, though, since you're using a single communication pipe and no one verifies the presence of the actual phone, RSA clock, dongle, or whatever, so it's just another part of "something you know".) Chip-and-pin style transactions cover the same bases at physical POS and are trivial to implement online. We had Verified by VISA and similar programs for online shit that did everything we needed but there was one critical flaw - no one used it because they didn't have to. The only site I've ever used that actually implemented it was Newegg. And when I accidentally closed the Verified by VISA popup (I assumed it was a shitty 3rd party offer popup and closed it before it loaded), I discovered that failing the Verified by VISA challenge still let my transaction go through because the merchant never wants to miss out on the sale.

    PCI compliance will be more of a headache with your OTP fantasy because you have to securely manage the OTPs.

  2. Re:Finally.. by oodaloop · Score: 1, Flamebait

    So you used an acronym that means two different things in this context without spelling it out even once, then get pissy when you're misunderstood? You might not be an idiot, but you're definitely an asshole.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.