Slashdot Mirror


American Express Seeks To Swap Card Numbers For Secure Tokens

jfruh writes: One of the fundamental problems of the electronic payment business is that it's by and large based on the fundamentally insecure infrastructure of the credit card system, where anyone who has your 16-digit card number can make purchases on your account. American Express is trying to improve its security by moving towards the use of unique tokens for online purchases.

12 of 130 comments

  1. Finally.. by Midnight_Falcon · · Score: 3, Insightful
    With OTP and related two-factor authentication technology becoming so widely available, one would have hoped that credit cards would implement some type of solution either using OTPs instead of cards, or augmenting them with OTPs. Millions of dollars in fraud prevention, "credit monitoring" and other such services would be saved by simply using solid cryptographic systems for the payment networks.

    PCI compliance would probably be a lot less of a headache as well...

    1. Re:Finally.. by ArcadeMan · · Score: 3, Funny

      PCI is long dead, everyone has moved to PCIe by now.

    2. Re:Finally.. by Midnight_Falcon · · Score: 4, Informative
      If you're going to troll, at least give the benefit of the doubt on acronyms. OTP = One Time Password ... NOT one time pad.

      Here's a reference so you can avoid further confusion and undeserved insult: http://en.wikipedia.org/wiki/O...

  2. anyone who has your 16-digit card number by xxxJonBoyxxx · · Score: 4, Insightful

    >> anyone who has your 16-digit card number can make purchases on your account

    Wasn't CCV (the extra 3-digit number on the card) supposed to fix that? (https://www.dcporder.com/ccv.htm) Oh wait...intermediates started storing THAT too.

    So yeah...bring it on!

    1. Re:anyone who has your 16-digit card number by jtownatpunk.net · · Score: 3, Funny

      Well that fixes everything. :)

    2. Re:anyone who has your 16-digit card number by Mordok-DestroyerOfWo · · Score: 5, Funny

      Actually CVV values are located in the track data, which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values, which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been compromised (which is darn easy) then all bets are off.

      AMEX uses a 4 digit value printed on the front of the card.

      In a few years once somebody figures out how to implement a 5 digit value on the back of a card, our worries will be over!

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
  3. Token by Impy the Impiuos Imp · · Score: 4, Funny

    Triumph the Insult Comic Dog: "So, have you ever actually talked to a girl without giving her your secure unique token first?"

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  4. Re:They had a one-time-use number program years ag by sunking2 · · Score: 3, Insightful

    Because it's a pain and people are lazy.

  5. Re:Make it simple by vux984 · · Score: 3, Informative

    Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

    And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?

  6. Re:Get rid of numbers by Andy Dodd · · Score: 5, Interesting

    You just described EMV, which all retailers will be effectively required to accept by October 2015 in the US. (It's not completely mandated, but the fraud liability shift effectively mandates it. After Oct. 1 2015, *retailers* will be fully liable for magstripe fraud.)

    EMV is widespread in Europe, it's been slowed down due to political bullshit from MCX in the USA.

    --
    retrorocket.o not found, launch anyway?
  7. Re:Evolution of payments by Phreakiture · · Score: 3, Insightful
    • Merchant advises me of the total.
    • I give him cash equal to or greater than the total.
    • He gives me change equal to the difference between the total and what I gave him.

    Now, if you want an electronic approach, how about this:

    • Merchant advises me of the total.
    • I take a device, could be a card, could be a phone, whatever, and authorize an amount. Optionally, this may (i.e. should) involve the entry of a passcode of some sort. This should be entered into my device, not the POS terminal.
    • I connect the device to the POS terminal (could be a plug, slot, wireless, NFC, whatever - not important).
    • The POS terminal assembles a transaction record consisting of time, date, merchant ID, terminal ID, amount, sequence number. It passes this to my device.
    • If the POS terminal and my device agree on the amount, my device will add my account number to the transaction record, and then cryptographically sign the record.
    • The signed transaction record is passed back to the POS terminal and sent to the processor.

    If the amounts don't match, no signature, preventing overcharges. If the transaction is replayed, the merchant ID, terminal ID and sequence number collectively will function as a transaction ID and it will be recognized as a dupe. If any of the transaction details are altered, the signature doesn't match. If the vendor tries to do two transactions at once, the device won't sign both without me reauthorizing. If the vendor wants or needs to validate off-line, the signature can be checked using the device's certificate, the signature of which can be checked with a cached CA cert.

    Now, because this approach is agnostic as to whether the device is a card, dongle, phone or whatever, and whether it plugs in, taps or even just flashes a QR code on a screen, I can see the approach being adapted to both bricks-and-mortar and on-line purchases. The only thing I can think of that we do with our credit cards now that might be tricky in this system would be recurrent payments, but those could be handled by pre-authorizing a year's worth of transactions or something similar.

    --
    www.wavefront-av.com
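As an added illustration of the flow Phreakiture sketches above (this is example code written for this page, not code from the original post or from any card network), the script below plays both sides: a cardholder device that only signs a record whose amount matches what the holder authorised, and a processor that checks the signature before it checks for replays. To keep it on the Python standard library, an HMAC-SHA256 over a per-device key shared with the processor stands in for the asymmetric signature and device certificate the comment describes; that substitution, the account name, passcode, key, merchant/terminal IDs and the sample records are all constructed for the example.

```python
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Deterministic encoding so device and processor MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class Device:
    """Cardholder-side device (card, phone, dongle): holds account and key."""

    def __init__(self, account: str, key: bytes, passcode: str):
        self.account = account
        self.key = key                 # stand-in for the device's private key
        self.passcode = passcode
        self.pending_amount = None     # amount the holder authorised, unspent

    def authorize(self, amount_cents: int, passcode: str) -> None:
        # Passcode is entered on the device itself, never on the POS terminal.
        if not hmac.compare_digest(passcode.encode(), self.passcode.encode()):
            raise PermissionError("wrong passcode")
        self.pending_amount = amount_cents

    def sign(self, record: dict) -> dict:
        # One authorisation covers exactly one record; a second record
        # presented before reauthorisation is refused.
        if self.pending_amount is None:
            raise PermissionError("no pending authorisation")
        if record["amount"] != self.pending_amount:
            raise ValueError("amount mismatch: refusing to sign")
        self.pending_amount = None
        signed = dict(record, account=self.account)
        signed["sig"] = hmac.new(self.key, canonical(signed),
                                 hashlib.sha256).hexdigest()
        return signed


class Processor:
    """Issuer/processor side: verifies the signature, then rejects replays."""

    def __init__(self, keys: dict):
        self.keys = keys      # account -> device key (stands in for a cert)
        self.seen = set()     # (merchant_id, terminal_id, seq) already settled

    def verify(self, signed: dict) -> str:
        body = {k: v for k, v in signed.items() if k != "sig"}
        key = self.keys.get(body.get("account"))
        if key is None:
            return "unknown account"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("sig", "")):
            return "bad signature"
        # Replay check only after the signature holds, so forged records
        # cannot poison the seen-set and block a genuine transaction.
        txid = (body["merchant_id"], body["terminal_id"], body["seq"])
        if txid in self.seen:
            return "duplicate"
        self.seen.add(txid)
        return "ok"


def pos_record(merchant_id: str, terminal_id: str, seq: int,
               amount_cents: int) -> dict:
    """What the POS terminal assembles and hands to the device (constructed)."""
    return {"time": "2014-10-31T12:00:00Z", "merchant_id": merchant_id,
            "terminal_id": terminal_id, "seq": seq, "amount": amount_cents}


def demo() -> dict:
    """Honest purchase plus the abuse cases the comment says the scheme stops."""
    key = b"constructed-per-device-key"          # hypothetical device key
    dev = Device("acct-0001", key, "4321")       # hypothetical account/passcode
    proc = Processor({"acct-0001": key})
    out = {}

    # Honest purchase: holder authorises 12.34, terminal asks for 12.34.
    dev.authorize(1234, "4321")
    signed = dev.sign(pos_record("M1", "T7", 100, 1234))
    out["honest"] = proc.verify(signed)

    # Merchant replays the same signed record.
    out["replay"] = proc.verify(signed)

    # Merchant edits the amount after signing.
    out["tampered"] = proc.verify(dict(signed, amount=9999))

    # Overcharge: terminal asks for more than the holder authorised.
    dev.authorize(1234, "4321")
    try:
        dev.sign(pos_record("M1", "T7", 101, 5000))
        out["overcharge"] = "signed"
    except ValueError:
        out["overcharge"] = "refused"            # authorisation stays pending

    # Retry with the correct amount consumes the authorisation...
    out["retry"] = proc.verify(dev.sign(pos_record("M1", "T7", 101, 1234)))

    # ...so a second transaction without reauthorisation is refused.
    try:
        dev.sign(pos_record("M1", "T7", 102, 1234))
        out["second_without_reauth"] = "signed"
    except PermissionError:
        out["second_without_reauth"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The ordering in `verify` matters: the signature is checked before the (merchant, terminal, seq) tuple is recorded, so only records that really came from the device can occupy a transaction ID. With a real asymmetric scheme the processor would hold the device's certificate instead of a shared key, and an offline merchant could check the same signature against a cached CA certificate, as the comment notes; the replay check, however, needs a shared view of settled transactions and so stays with the processor.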
  8. summary fail by ahziem · · Score: 3, Informative

    Among popular cards, American Express uniquely has 15 digits. (VISA, Mastercard, and Discover have 16 digits.)