American Express Seeks To Swap Card Numbers For Secure Tokens
jfruh writes: One of the fundamental problems of the electronic payment business is that it's by and large based on the fundamentally insecure infrastructure of the credit card system, where anyone who has your 16-digit card number can make purchases on your account. American Express is trying to improve its security by moving towards the use of unique tokens for online purchases.
PCI compliance would probably be a lot less of a headache as well...
>> anyone who has your 16-digit card number can make purchases on your account
Wasn't CCV (the extra 3-digit number on the card) supposed to fix that? (https://www.dcporder.com/ccv.htm) Oh wait...intermediates started storing THAT too.
So yeah...bring it on!
Triumph the Insult Comic Dog: "So, have you ever actually talked to a girl without giving her your secure unique token first?"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
While cumbersome, you'd log in to your account, magically find the tab and you could generate a 1 time credit card number. You could set a one time balance, set a monthly balance for recurring charges, etc.
Fantastic for any online purchases you make. But, in reality - how many times are CC #'s getting stolen online vs in real life?
Change the system to use longer numbers, say 32 digits and make it hex, not dec
They should also have a needle number (like a pin, but longer)
Because it's a pain and people are lazy.
Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...
And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?
Hey, maybe we don't even need those credit card companies in the mix at all.
Where are we going and why are we in a handbasket?
It may not be perfect but it seems a bit better than the honor system that we're on now.
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
You can eliminate that secure channel to amex, or at least decouple it with some crypto tokens.
So it could be
1. I, at some point before any transactions, contact AMEX and load up on signed payment tokens.
2. At time of purchase, I attach payment info and sign the token; I mark that token as used.
3. Merchant confirms token amount and veracity with AMEX public key.
4. Merchant sends token to AMEX to claim the spend.
5. AMEX verifies tokens and token uniqueness and logs it to my account.
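The five steps above, sketched in Go as an added example (not code from the commenter or from American Express). Ed25519 stands in for the unspecified signature scheme, and the token layout, function names and sample values are assumptions.

```go
package main

import "crypto/ed25519"
import "fmt"

// Token is signed by the issuer (step 1) and completed by the holder (step 2).
type Token struct {
	Serial, Cents        uint64
	Holder               ed25519.PublicKey // customer key the issuer binds the token to
	Merchant             string
	IssuerSig, HolderSig []byte
}
func (t Token) issued() []byte { return []byte(fmt.Sprintf("%d|%d|%x", t.Serial, t.Cents, t.Holder)) }

func Issue(issuer ed25519.PrivateKey, t Token) Token {
	t.IssuerSig = ed25519.Sign(issuer, t.issued())
	return t
}
func Pay(holder ed25519.PrivateKey, t Token, merchant string) Token {
	t.Merchant = merchant
	t.HolderSig = ed25519.Sign(holder, append(t.issued(), merchant...))
	return t
}

// Verify is step 3: an offline check that needs only the issuer's public key.
func Verify(issuerPub ed25519.PublicKey, t Token, merchant string, cents uint64) bool {
	return t.Merchant == merchant && t.Cents == cents &&
		ed25519.Verify(issuerPub, t.issued(), t.IssuerSig) &&
		ed25519.Verify(t.Holder, append(t.issued(), t.Merchant...), t.HolderSig)
}

// Claim is steps 4-5: the issuer re-verifies and accepts each serial once.
func Claim(issuerPub ed25519.PublicKey, used map[uint64]bool, t Token) bool {
	ok := Verify(issuerPub, t, t.Merchant, t.Cents) && !used[t.Serial]
	used[t.Serial] = used[t.Serial] || ok
	return ok
}

func Demo() [5]bool { // fresh keys; serial, amounts and shop names are constructed
	iPub, iKey, _ := ed25519.GenerateKey(nil)
	hPub, hKey, _ := ed25519.GenerateKey(nil)
	tok := Issue(iKey, Token{Serial: 1, Cents: 2500, Holder: hPub})
	a, b := Pay(hKey, tok, "shop-A"), Pay(hKey, tok, "shop-B") // one token, two shops
	forged := a
	forged.Cents = 250000 // amount edited after issuance
	used := map[uint64]bool{}
	return [5]bool{Verify(iPub, a, "shop-A", 2500), Verify(iPub, forged, "shop-A", 250000),
		Verify(iPub, b, "shop-B", 2500), Claim(iPub, used, a), Claim(iPub, used, b)}
}
func main() { fmt.Println(Demo()) }
```

The third result is true: a merchant checking offline cannot see that the same token was already handed to another shop, so only the issuer's uniqueness check in step 5 rejects the second spend.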
"I opened my eyes, and everything went dark again"
You just described EMV, which all retailers will be effectively required to accept by October 2015 in the US. (It's not completely mandated, but the fraud liability shift effectively mandates it. After Oct. 1 2015, *retailers* will be fully liable for magstripe fraud.)
EMV is widespread in Europe, it's been slowed down due to political bullshit from MCX in the USA.
retrorocket.o not found, launch anyway?
Now, if you want an electronic approach, how about this:
If the amounts don't match, no signature, preventing overcharges. If the transaction is replayed, the merchant ID, terminal ID and sequence number collectively will function as a transaction ID and it will be recognized as a dupe. If any of the transaction details are altered, the signature doesn't match. If the vendor tries to do two transactions at once, the device won't sign both without me reauthorizing. If the vendor wants or needs to validate off-line, the signature can be checked using the device's certificate, the signature of which can be checked with a cached CA cert.
Now, because this approach is agnostic as to whether the device is a card, dongle, phone or whatever, and whether it plugs in, taps or even just flashes a QR code on a screen, I can see the approach being adapted to both bricks-and-mortar and on-line purchases. The only thing I can think of that we do with our credit cards now that might be tricky in this system would be recurrent payments, but those could be handled by pre-authorizing a year's worth of transactions or something similar.
www.wavefront-av.com
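An added Go sketch of the checks this comment lists (not the commenter's code): the device signs only an approved amount, the terminal validates offline through a CA-signed device key, and the issuer treats merchant ID, terminal ID and sequence number as the transaction ID. Ed25519, the field encoding, the bare-signature certificate and all names and values are assumptions.

```go
package main

import "crypto/ed25519"
import "fmt"

// Tx holds the fields the comment says are signed; sample values are constructed.
type Tx struct {
	Merchant, Terminal string
	Seq, Cents         uint64
}

func (t Tx) bytes() []byte {
	return []byte(fmt.Sprintf("%q|%q|%d|%d", t.Merchant, t.Terminal, t.Seq, t.Cents))
}

// DeviceSign refuses unless the terminal's amount equals what the user approved.
func DeviceSign(key ed25519.PrivateKey, t Tx, approvedCents uint64) []byte {
	if t.Cents != approvedCents {
		return nil
	}
	return ed25519.Sign(key, t.bytes())
}

// VerifyOffline checks the cert (CA signature over the device key), then the tx signature.
func VerifyOffline(ca, dev ed25519.PublicKey, cert []byte, t Tx, sig []byte) bool {
	return ed25519.Verify(ca, dev, cert) && ed25519.Verify(dev, t.bytes(), sig)
}

// Accept is the issuer's duplicate check keyed on merchant, terminal and sequence.
func Accept(seen map[string]bool, t Tx) bool {
	id := fmt.Sprintf("%q|%q|%d", t.Merchant, t.Terminal, t.Seq)
	dup := seen[id]
	seen[id] = true
	return !dup
}

func Demo() [5]bool {
	caPub, caKey, _ := ed25519.GenerateKey(nil)
	devPub, devKey, _ := ed25519.GenerateKey(nil)
	cert := ed25519.Sign(caKey, devPub)
	tx := Tx{"merchant-17", "term-3", 1001, 4200}
	sig := DeviceSign(devKey, tx, 4200)
	over := tx
	over.Cents = 9900 // terminal asks for more than the user approved
	seen := map[string]bool{}
	return [5]bool{VerifyOffline(caPub, devPub, cert, tx, sig), DeviceSign(devKey, over, 4200) != nil,
		VerifyOffline(caPub, devPub, cert, over, sig), Accept(seen, tx), Accept(seen, tx)}
}

func main() { fmt.Println(Demo()) }
```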
Great idea. And there are many different ways of doing this.
The core concept is to generate a unique ID for each transaction that links:
a. the vendor
b. the customer
c. the customer's bank
d. (maybe also the vendor's bank)
e. a specific amount
f. a specific time.
And being unique, it will never be used again. We have a lot of different ways to do that.
With that information, the bank should be able to flag questionable transactions that get past the customer verification. Or at least warn the customer if the vendor has an unusually large number of "problems" reported.
Among popular cards, American Express uniquely has 15 digits. (VISA, Mastercard, and Discover have 16 digits.)
Yes. I don't wander around the streets with $100s or $1000s of dollars on me for precisely those reasons.
You're cherry-picking scenarios. Who said you have to load thousands of dollars at a time on a preloaded cash-equivalent card?
I don't really get it with cash either if the person taking my money knows who I am.
Again with the cherry-picking. Do we really want to play this game? Because an equivalent cherry picked boundary case scenario against credit cards would be where a merchant fraudulently charges your card, the credit card company decides to reject your chargeback/fraud allegation for whatever reason, and then you lost in court when you decided to sue.
What's that you say, this doesn't normally happen? Exactly. Just admit it: cash is basically anonymous, just like credit card chargebacks usually work.
Great. I'm on board with you there. I'm sure they'll stop if we ask nicely. Or if we pass some laws. *cough* You know that wasn't the sole data collection program. Look at what the DEA has been doing with phone records... puts the NSA to shame.
So how about we just rein them in instead of playing cat and mouse with them.
Oh wait, are you talking about the violent overthrow of the US government? Because that's pretty much what it will take to get them to stop at this point.
But sure in the meantime, if you are buying something you don't want tracked arrange for a cash envelope drop in a park at night on Halloween or something.
And you're welcome to enjoy having the federal government track everything you do while paying the credit card companies for that "privilege" through interest charges and higher prices passed through to you by retailers.
Oh, look: I can misrepresent your position just as easily as you do mine.
BTW, before your jerking knee hits your chin, note that I never said I don't use credit cards. My point is that there are tradeoffs, and that you are misrepresenting stored value cards by only discussing cherry-picked boundary cases. When was the last time you were mugged/robbed, had your house burgled, lost a non-trivial amount of cash, or had cash destroyed in a fire? Yes, these things can all happen, but for most of us they are extremely rare occurrences.
I guess it comes down to how difficult it is to load the stored value card, doesn't it? I view this as tantamount to the amount of cash I'm carrying vs the cash I have in my ATM-linked account. I'm willing to carry several hundred in cash. By the same token, I would be willing to carry several hundred in stored value. More than that and cash gets unwieldy. I blame the government for refusing to issue larger denomination bills despite inflation.
What stored value cards can give you is a way to purchase things anonymously, especially online purchases, which is otherwise a nigh-intractable problem. Yes, some places take money orders, but you have to go get one, mail it across the country to the merchant, wait for it to clear due to fraud paranoia, etc. Bitcoin is really a non-starter for commerce, comparatively speaking.
It's generally easier to replace a lost/stolen/destroyed stored value card than it is to try to reassemble fragments of cash. Yes, you should keep your documentation for the card, but we are comparing that to scotch tape + fragments of cash. And this is with *existing* technology, not some purpose-designed reloadable smart card stored value thing.
I think you are strongly underestimating the amount of tracking and profiling that happens when you make purchases using a credit card. I presume you're familiar with Target's "pregnancy detection" profiling that caused an uproar a few years ago. What about Facebook linking the purchases you make in brick & mortar stores to ads they have shown you while you're browsing? Yeah, that one surprised even me: directly linking in-person purchases to online browsing done elsewhere. Grocery stores/Walmart know exactly what you buy when you swipe, and they log all that... I bet a person's alcohol/tobacco purchase profile over the years would be quite valuable data for an insurance company. Furthermore, this kind of "third/fourth party" access is how the government works around a lot of 4th amendment impediments: they just buy the data from a broker when they couldn't constitutionally obtain it otherwise.
Like I said, I use credit cards. Hell, I probably use them for the majority of my purchases. I am just aware of the fact that each time I use one it is adding data to databases that are used to build profiles. And data in databases never dies; perhaps today's "creepy tracking" is fine, but I don't know what kind of innovations they will come up with in the future.
So, I protect my privacy as I deem appropriate through the judicious use of cash or stored value cards. I suppose this is also a matter of perspective: I consider the risk of database purchase profile data to have a larger potential for adverse consequences for me than the risk of losing the amount of cash/stored value I carry.
But remember, that's just within Target's own loyalty card.
No, it's not. It's tied to your profile they build from your credit card information.
I don't generally object to a given store knowing what I've bought AT that store. Indeed I consider it fairly inevitable.
If that were the extent of it, I would agree. However, cross-linking databases has continued to grow. I bought a vehicle last year, and either the dealer or the manufacturer sold me out because I get phone calls from other dealers around the country trying to sell me extended warranties. Given our discussion so far, it probably goes without saying I didn't sign up for or disclose any information beyond what was required to purchase the vehicle at the dealer.
After all, I walk up to a cashier show them all my purchases, they look at my face, and then take my payment... if they wanted to keep track of people paying cash, it's all there.
That's a fantasy... are you alleging a human could assign some sort of biometric identifier or do some sort of lookup to build a profile to associate with your cash purchases? If you're talking about paying cash at Jim's Bait Shop in a town with a population of 733 and Jim is your wife's cousin, then that's different because Jim knows you personally. Also, Jim's Bait Shop doesn't have a data warehouse. With credit card transactions at a computerized point-of-sale terminal, the record for a chain store is preassembled for data warehousing and profile building.
Now, given the trends, I do expect Walmart/Target to eventually do facial recognition with their CCTV cameras to associate cash purchases with profiles as well as to build meta-profiles of who you shop with. They are already trying to track you as you wander through the store in terms of in which areas you linger, to further target your profile.
But the [Facebook] system allegedly isn't personally providing purchase personally identifying information.
Of *course* it is. Both Facebook and the store are hashing the same information to come up with the customer profile identifier. The store provides the details of your transaction. At this point, Facebook has both halves of the "anonymized" data, and we are supposed to trust that they discard that rather than retaining the link between the data elements. The brick & mortar store might not have the transaction linkage, but FB does.
you are probably overestimating the value of the data.
As I said, if data in databases had an expiration date rather than being ever further cross-linked, and profile data were limited to in-store purposes only, then that might be tolerable. Instead, we have to think 4th dimensionally and anticipate what might happen if anything collected at any point in the past were made available to any other adversarial entity in the future.
Case in point: I signed a petition for a recall election. Some fuckers at a data warehousing firm (with a certain political bent) teamed up with the local newspaper (with the same bent), digitized all the data from the petitions and dumped them online, with everyone's name, address, and age. They had it indexed by google and it's still online 3 years after the fact. I didn't enjoy the semi-threatening political mailers I received from the recallee's campaign, and only the people who signed the recall petition received these.
The board of election protested, but the newspaper claimed this douchebaggery was some sort of important public access "historical record". There's a difference between a public record for someone to go examine a paper-based index in person vs. building a database for sale that anyone can trivially profile.
My point is that data gets abused, and the only protection against it is to not have potentially damaging data collected. Sometimes it's hard to predict what might be damaging (4th dimensionally speaking). Filling out ethnic