Browsers Will Store Credit Card Details Similar To How They Save Passwords (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online. Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords. The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked. By moving the storage of payment card details into the browser, the responsibility of keeping these details safe is moved to the browser and the user. Browsers that support the Payment Request API include Google Chrome, which first added support for it in Chrome for Android 53 in August 2016, and added desktop support last month with the release of Chrome 61. Microsoft Edge has also supported the Payment Request API since September 2016, but the feature requires that users register a Microsoft Wallet account before using it. Firefox and Safari are still working on supporting the API, and so are browser implementations from Facebook and Samsung, both eager to provide a simpler payment mechanism than the one in use today.
With the greatest respect:
How about no.
... just like they currently do with passwords
I don't trust any browser to store even my Slashdot login password. Why in the world would I trust it with my credit card? In fact, I don't even let merchants store my credit card if at all possible (I either choose the option not to save the card or manually delete the card after the purchase).
It seems like nobody who understands and actually values privacy and security would do this.
I don't store passwords in my browsers, and I'm not storing credit cards in them either. No way.
I use a separate browser install to make payments (and access any accounts/passwords that would matter if compromised).
No absolutely spot on.
what could possibly go wrong?
When I saw this story I had to double check that it's not April 1st. This is a bad joke in terms of security. Like a zero trust model, users should give their browser zero trust, or the next sandbox or plugin exploit means everything you've saved in your browser is in the hands of criminals.
will enable its user(s) to rule the world.
Seriously, is everything in these encryption algorithms protected by hoping that the product of two large prime numbers can't be easily factored? If so, then I would assume all the world's secrets (and ability to conduct financial transactions) are theirs.
It's sad that the first network using quantum encryption was put up (literally) by the Chinese (it's using satellites).
In NO way should ANY browser store Credit Cards!
Probably backed by retailers because they won't be blamed or liable for the loss when this fails. Password managers can store more than passwords. My password is a 16 digit number...
Does this mean that browsers are going to have to be PCI DSS certified?
That would certainly be interesting, because PCI for example prohibits using anything less than TLS1.2 for secure comms, which might bleed-over into general communications. Could this be the end of non-HTTPS web traffic and SSL/TLS before v1.2? Will browser vendors have to choose between interoperability with (old, shitty) servers and providing storage and transmission of credit card info?
It would be kind of awesome if one DID imply the other, because the internet would get a lot less shitty really quickly.
very long since we have to change numbers pretty often because of fraud. With my Chase card, I think my number changed three times since I got it six years ago. With my Barclays card, I've already changed number three times just this year! Neither card has a chip, so I swipe them at a lot of places. Food trucks seem to be the worst since twice immediately after I bought something from a taco truck, I had charges from FAST STOP 1107 in Texas three different times.
Payment providers like PayPal or Amazon might not be on board with this new API since it makes them obsolete, but almost everyone else is.
Or because, in the case of something like Amazon Payments or "Pay with Amazon" they actually need to store your payment information to process transactions that occur outside the browser. If I'm using that, I don't need my browser to handle it too.
In many ways, the Payment Request API is a much more secure method of handling online transactions, but it's not perfect either.
For starters, browser makers now have a full view of your finances and transactions, a situation that some people might not like, and will refuse to store any such information in their browser.
Ya think? I imagine the above will be a non-starter for many. Like I want Mozilla, Microsoft or Google accessing my CC transactions.
It must have been something you assimilated. . . .
An API means there are hooks... those same hooks can and will be exploited. I'll type in my details with every purchase. You can promise me this or that security protocol is in place, this encryption or that, but no. This will be exploited almost as soon as it goes live. More and more, locally, I use cash. Nothing is traced to me. I don't use loyalty cards, not that Aldi even uses them. I buy all my beer and cigars with cash. Ditto my eating out. Insurance companies love to get this data through debit and credit card purchases--and they do. That joke YouTube video about ordering a pizza in the future is coming.
The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.
Just great. Then any website could query your browser for available payment information.
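The fingerprinting worry above, as an added example that is not code from the article, the researcher it cites, or any browser vendor: a page can build one PaymentRequest per candidate method and ask canMakePayment() for each, never calling show(), and turn the yes/no answers into a stable fingerprint. Chrome throttles canMakePayment() when a page keeps changing the method data and rejects with NotAllowedError, so the probe records those as "unknown" rather than "absent". The wallet contents, the query quota, makeFakePaymentRequest and FAKE_WALLET are constructed stand-ins so the logic runs outside a browser; PROBE_METHODS is this example's own list.

```javascript
// Added example: probe stored payment methods via canMakePayment() and
// fingerprint the result. makeFakePaymentRequest/FAKE_WALLET are constructed
// stand-ins for running this outside a browser.

const PROBE_DETAILS = {
  // Required by the constructor; nothing is shown or charged unless show() is called.
  total: { label: 'probe', amount: { currency: 'USD', value: '0.00' } },
};

const PROBE_METHODS = [
  { supportedMethods: 'basic-card', data: { supportedNetworks: ['visa'] } },
  { supportedMethods: 'basic-card', data: { supportedNetworks: ['mastercard'] } },
  { supportedMethods: 'basic-card', data: { supportedNetworks: ['amex'] } },
  { supportedMethods: 'https://apple.com/apple-pay' },
  { supportedMethods: 'https://google.com/pay' },
];

function methodLabel(method) {
  const nets = method.data && method.data.supportedNetworks;
  return nets ? `${method.supportedMethods}:${nets.join('|')}` : method.supportedMethods;
}

// FNV-1a over the sorted labels, so discovery order does not change the fingerprint.
function fingerprintOf(labels) {
  let h = 0x811c9dc5;
  for (const ch of labels.slice().sort().join(',')) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

async function probePaymentMethods(PaymentRequestCtor, methods = PROBE_METHODS) {
  const supported = [];
  const unknown = [];
  for (const method of methods) {
    const label = methodLabel(method);
    try {
      const req = new PaymentRequestCtor([method], PROBE_DETAILS);
      if (await req.canMakePayment()) supported.push(label);
    } catch (err) {
      // Quota exceeded (NotAllowedError) or method not understood: not evidence of absence.
      unknown.push(label);
    }
  }
  return { supported, unknown, fingerprint: fingerprintOf(supported) };
}

// --- constructed stand-in for offline use ----------------------------------
const FAKE_WALLET = new Set(['basic-card:visa', 'https://google.com/pay']);
const FAKE_QUOTA = 4; // distinct queries allowed before the stand-in throttles (assumed value)

function makeFakePaymentRequest(wallet = FAKE_WALLET, quota = FAKE_QUOTA) {
  let queries = 0;
  return class FakePaymentRequest {
    constructor(methodData, details) {
      if (!Array.isArray(methodData) || !details || !details.total) throw new TypeError('bad arguments');
      this.methodData = methodData;
    }
    async canMakePayment() {
      if (++queries > quota) {
        const e = new Error('Not allowed to check whether can make payment');
        e.name = 'NotAllowedError';
        throw e;
      }
      return this.methodData.some(m => wallet.has(methodLabel(m)));
    }
  };
}

const ctor = typeof PaymentRequest !== 'undefined' ? PaymentRequest : makeFakePaymentRequest();
probePaymentMethods(ctor).then(r => console.log(JSON.stringify(r)));
```

Against the constructed wallet the probe learns that a Visa card is stored, finds no Mastercard, Amex or Apple Pay, and gets throttled on the fifth query, so Google Pay lands in "unknown". The same answers, combined with the incognito-detection trick the article mentions, are what make this an identifier rather than a checkout helper.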
chrome/chromium already trying to save my credit card numbers quite some time... but no thanks
The government has a program in place that you can take advantage of to prevent credit card fraud at high-risk situations like taco trucks. It's a paper certificate called a "Federal Reserve Note", and it's now widely available.
The problem is idiots will
Screw that. I live in Seattle where there's a lot of homeless people, and if they see cash, you're going to get mugged (old meaning of the word where people follow you and beg, not the new meaning where you get robbed) until you can get out of the area. Last time I spent cash at a food truck in Seattle, I had six guys follow me for four blocks and keep begging until I finally got on the bus. No thanks. I've only used plastic since then.
agreed
"Let's store the payment details in the user's browser, so we can end data breaches!"
It's real freggin' simple.
1: Credit card sets up a transaction authorization between the vendor and cc company on the users behalf. Your systems don't store the credit card details, you store the transaction authorization which, if the chargeback period of the last purchase they did has expired (meaning they are not a consistent customer) you delete the authorization and they need to set it up again. This is not hard to do, you use 2 database tables and a foreign key. CS101 stuff, even at scale.
2: No more "we're going to store your credit card details whether you like it, or not!". This is looking at you, Amazon. How exactly do I remove credit cards from your website? No more using the credit card details to define user accounts or track users in-between accounts. That is a scammy way to operate and you know it!
But that's hard you see, and it requires an actual effort. So instead we're going to force this down the throats of the browser standards because it's the users responsibility if they want convenience. We all know where this is going too; Cable-Co's love this idea since they can charge things to your internet bill now just like your credit card. Remember the time when you could charge stuff to someone's phone bill? Yeah.
People need to begin realizing that for every $100 they pay for their cell and internet bills, they need to give $10 to the EFF, because it's an investment in a smaller bill. EFF gets $15 million a year in funding; their funding goes up to $150 million, they become a real force to be reckoned with. You jack that up to $500 million a year, and you can buy THEIR lobbyists out from under them and then !@#!@#ck the cable co's with them. This is an investment, because your price-gouging bill will go down. E.G. Lets say it goes down 50% after 5 or so years, $600 gets paid back real quick on a $100 a month bill. I use the EFF as one example, but there are others that lobby for similar things.
Damn dude, at first while naturally assuming you meant getting robbed, I felt pretty bad for you.
But once you explained they are just begging... That's just sad.
Stand up for yourself man!
Tell them to go away. If they don't, yell at them to fuck off.
If they still don't, pull a dollar out of your pocket and eat it right in front of them, scream with your best crazy man act, and if need be start picking things up off the ground to throw at them.
(Although do mind the rocks, I'm not advocating hurting anyone physically here)
Do you even need to ask that question?
The funz will really start when they extend the APIs to allow for recurring charges, one of the common billing scams - it won't be long I am sure.
'WE JUST NEED TO VERIFY YOUR CCARD WITH A $0.01 CHARGE TO VALIDATE YOU' (tinyprint hidden, we will also start charging you $39.95 per month for an email telling you our monthly lucky numbers, and it is basically impossible to cancel).
So yes, the ONLY valid answer to this is 'NO F'in WAY'
I take that back.
Okay, now multiply that by a few billion people...
This story is not news. I've stored my credit cards along with information for other important accounts in Lastpass for a long time using its "form fills" feature. And, better than storing it in a browser, it is available across all browsers I use on all devices as well as with the standalone app.
In addition to bank accounts it's very convenient to store things like your AAA account info, insurance accounts, etc. This way it's always readily available to you on any device.
This. Work in Seattle. Never show cash. Never.
" I can find and roll back unauthorized charges (at a very real cost to the vendor)."
OK, hand over your details here and now if that's how you feel.
Being contrarian for contrarian sake doesn't make this a feature anyone wants.
Cleanup crew to aisle nine! Spillage in aisle 9.
Personally I prefer the Kaspersky Credit Card App to store and retrieve my Credit Card Information, because Kaspersky is an Industry Leader in security applications worldwide, and I know that my payment credentials are safe in their hands.
They still need your card data, they still need a payment processor. So, now we don't have to enter our CC, it just sends it behind the scenes. So, this helps lazy people and means that a browser flaw could allow an attacker to charge my CC.
Conversion rates in the checkout flow are a key measure for ecommerce sites. 46% of e-commerce shoppers abandon the checkout process during the payment phase, signaling frustration with the complexity and redundancy of re-entering form data or tracking down payment information. Even a small increase in the success rate of checkout make a direct impact on your site’s bottom line, while improving the shopping experience for customers.
From Payment Request API
Many problems related to online purchase abandonment can be traced to checkout forms, which are user-intensive, difficult to use, slow to load and refresh, and require multiple steps to complete.
Sure, this API may make things simpler for you -- the purchaser -- but it seems the focus is on benefiting the seller. Perhaps a narrow distinction, but one that may matter if/when push comes to shove and a side must be chosen by the developers.
Another thing to consider: Since this is implemented in the browser, if you use multiple browsers to shop, then you'll have to store your information in each browser rather than once on the websites on which you shop -- unless the browser vendors can cooperate on a single, shared data storage method.
The browser is the one component in my system I trust less. I mean: its job is to go around the Intratubes picking up every bit of dirt out there and *executing it*?
I don't put my banking data into that now. Much less when there's a standard with a clear label on it "BANKING DATA HERE".
"But, but" "Sandboxes". Yeah, right. Ponies. Rainbows. Farts.
No. Fucking. Way.
I'm getting into the malware industry
There is an insidious and non-obvious way that it will likely be worse than the existing system. In the current system, when your credit card number is stolen and misused, you usually are not responsible to pay because the credit card company would have to prove that it was your computer that was compromised rather than the merchant. That would require an expensive forensic investigation. But with these new systems like ShopSafe, Verified by Visa, or this new browser API, the merchant never gets your card number, and so they can't be blamed for losing your card number. That means it was either your system or the card company's system that was compromised. Of course they're sure it wasn't their system that was compromised. So that just leaves yours.
Of course in the bold print they claim there is zero dollar deductible fraud coverage on your card. However, in the fine print, the contract you agreed to, says it doesn't apply if you fail to protect your password. And if you dispute their demand that you pay, you have agreed to go before an arbitrator who the card company has probably kept track of his record for "business friendly" decisions. And when you lose the dispute, you get to pay thousands of dollars for the arbitrator's fee, and for the expensive forensic investigation of your computer as well.
It would be a great security improvement to the system to eliminate the merchants as possible leak points for payment credentials. The existing system, where you give lots of random merchants and their untrustworthy employees, all they need to take money from your account, is crazy insecure. But operating systems like Windows, Linux, Android, IOS etc. are far too complicated to ever have much hope they can be made secure for consumers. The only way I can think of for a reasonably secure system, is something to connect to your computer, with an extremely simple operating system, like a smart card, but with a display to verify who the payment will go to, and a physical button or pin to authorize the transaction. Only an extremely simple operating system, or better, no real operating system at all, has a hope of being reasonably secure. Although even smart cards have been compromised in a number of instances, they do a tolerably secure job, and much better than general purpose computer operating systems. I would feel sorry for the credit card companies taking losses from compromise of consumer computers, except they have the power to secure the system by the only known way, but they won't give us secure payment devices with a display and buttons.
All this FUD about browser storing plaintext payment credentials seems very premature. Read between the lines. Clearly this will involve PKI. Most likely it'll work similar to OAuth, except your bank is giving out the login^W payment credential, and you'll have to authorize the cert of the vendor on the bank's website.
In other words: If they have even half a clue, this will be much stronger online payment security than what you have now.
Safari already offers to store credit card details.
It's got a little popup that shows up when you use a credit card, and offers to "save the card".
Unfortunately Safari also offers an "autofill" feature, and doesn't distinguish between hidden fields and visible fields when providing data.
Automatic phishing.
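The "automatic phishing" setup described in the post above, as an added example that is not code from that post or from Apple: a scanner that walks form markup and flags autofill-capable inputs the user cannot see, which is the shape of page that harvests card data from a browser willing to autofill hidden fields. The tokenizer and the visibility heuristics are this example's own, and SAMPLE_HTML is a constructed form, not a real site.

```javascript
// Added example: find autofill-capable <input> elements that are hidden from
// the user (type=hidden, hidden attribute, display:none, off-screen, inside a
// hidden ancestor). Tokenizer and heuristics are this example's own; SAMPLE_HTML
// is constructed.

const VOID_TAGS = new Set(['input', 'img', 'br', 'hr', 'meta', 'link']);

function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Returns why an inline style hides the element, or null if it does not.
function styleHides(style) {
  const s = style.toLowerCase().replace(/\s+/g, '');
  if (/display:none/.test(s)) return 'display:none';
  if (/visibility:hidden/.test(s)) return 'visibility:hidden';
  if (/opacity:0(?![.\d])/.test(s)) return 'opacity:0';
  const off = s.match(/(?:left|top):(-\d+)px/);
  if (off && Number(off[1]) <= -1000) return 'positioned off-screen';
  if (/(?:width|height):0(?:px)?(?:;|$)/.test(s)) return 'zero size';
  return null;
}

function findHiddenAutofillFields(html) {
  const findings = [];
  const openStack = []; // hide reason (or null) for each open non-void element
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, rawAttrs] = m;
    const tag = rawName.toLowerCase();
    if (closing) { openStack.pop(); continue; }
    const attrs = parseAttrs(rawAttrs);
    const inherited = openStack.find(r => r !== null);
    let reason = inherited ? `inside hidden ancestor (${inherited})` : null;
    if (!reason && 'hidden' in attrs) reason = 'hidden attribute';
    if (!reason && attrs.style) reason = styleHides(attrs.style);
    if (tag === 'input') {
      const ac = (attrs.autocomplete || '').toLowerCase();
      if (!reason && (attrs.type || '').toLowerCase() === 'hidden') reason = 'type=hidden';
      if (ac && ac !== 'off' && reason) {
        findings.push({ name: attrs.name || '(unnamed)', autocomplete: ac, reason, paymentField: ac.startsWith('cc-') });
      }
    }
    if (!VOID_TAGS.has(tag) && !/\/\s*$/.test(rawAttrs)) openStack.push(reason);
  }
  return findings;
}

// Constructed sample: a harmless-looking newsletter form with three card fields
// the visitor never sees.
const SAMPLE_HTML = `
<form action="/subscribe" method="post">
  <label>Name <input name="name" autocomplete="name"></label>
  <label>Email <input name="email" autocomplete="email"></label>
  <input name="cc" autocomplete="cc-number" style="position:absolute; left:-9999px">
  <input name="exp" autocomplete="cc-exp" type="hidden">
  <div style="display:none"><input name="cvc" autocomplete="cc-csc"></div>
  <input type="submit" value="Subscribe">
</form>`;

for (const f of findHiddenAutofillFields(SAMPLE_HTML)) {
  console.log(`${f.paymentField ? 'PAYMENT ' : ''}${f.name} (${f.autocomplete}): ${f.reason}`);
}
```

Run over the sample it reports cc, exp and cvc; the visible name and email fields pass. In a browser extension the same function can be fed document.documentElement.outerHTML before the user lets autofill touch a form; the heuristics only cover inline styles, so a production scanner would consult computed style instead.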
Fuck yeah, That kind of thing has always been one more reason for me to avoid Apple like the plague.
Sigh. I'm already accustomed to castrating my browser. This means I gotta do more of that in the future.
Gone are the times where I could consider the browser my trusted ally.
Why are credit cards still used in 2017 anyway? It's a broken system to begin with and it is inconvenient. Bank transfers and bank-transfer-based systems (e.g. iDEAL, Sofortüberweisung, etc.) are so much safer and more convenient.
Credit card information isn't stored with the browser (on the Mac at least, I don't know about anywhere else). It's stored in the Keychain, a much safer place. Also, all of your payment history isn't stored like with this proposal. When filling in the information for a credit card there is only the name on the credit card, the card number, and the expiry date. The CVV isn't stored. Any other fields that would get filled in would be part of some other autofill. You don't start entering your name and have your credit card information filled in too. You always have to go to the credit card number field and select the card to fill in the information, even if you only have one card.
I read quite a few of the comments, and noticed that people here are well aware of the problems with having a browser store this kind of information. And yet, I have a bad, bad feeling that in a few years, it's going to be ubiquitous, perhaps even compulsory. I'm surprised they actually spelled it out so clearly:
"By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user."
That's it right there. The banks and credit card companies have been trying ever since plastic was invented to make consumers responsible for losses due to fraud and theft. This is their ticket to paradise.
So watch for deep discounts. Watch for a flood of trolls masquerading as coolest-of-the-cool tech lords explaining how everybody who isn't a doddering old fool is using it. Watch for laws drafted to force you to use it. Like when you have to renew your driver's license, you get a choice of waiting in an endless line during business hours at a single tiny government office, or bringing your smart phone and an app to a no-wait kiosk in a mall, or doing it from home...ONLY if you use the browser function. Watch for more and more stores refusing to accept bills larger than $10 for cash transactions "because counterfeit" or "because security".
I'm sure there's a dozen more ways, all based around that "well, nobody's forcing you" lie that's been used so often and so well.
Let's hope that for once people get together and shut this down before it gets started. Right now liability for fraudulent financial transactions is right where it belongs. We need to keep it that way.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Do not want, it's easier to type things in so nothing remembers and hopefully ups the security bar a bit since it isn't stored on a server or in a browser with a potential security flaw that could grant access to said storage.
"This feature is long overdue and can't come soon enough!" - Blackhats everywhere
"When information is power, privacy is freedom" - Jah-Wren Ryel
I don't let my browsers remember my passwords. I'm absolutely not going to let them remember credit card numbers.
"The browser implementation never hands over the CC info without checking with the user."
Let me fix that
"The browser implementation never hands over the CC info without checking with whatever the current user is."
To sum up, the browser will store information you don't want it to store and has no idea if the person browsing is authorized to hand that over. The CVV code aside, as if a 3 digit pin is somehow acceptable now. It removes one layer of protection from credit card transactions, the physical card number.
Centralized login systems FAILED, people DID NOT WANT THEM, this is ONE STEP WORSE. Microsoft cards FAILED, a system very similar to this one, again, nobody fooking wanted it, why would they? W3C is just repeating yet another failed idea for what purpose? Just so they can change something and try to stay relevant?? Why?
And if it is a subscription token, for instance as Network Solutions forces on you if you use PayPal, then as soon as the transaction is complete, you go to your paypal account and disable the subscription so they can't be taking your money in the future without your permission.
Beats the heck out of giving them your credit card info and getting a charge you weren't expecting at an inconvenient time.
Which moron thought this is a good idea? Please step forward so that we can beat you with a wet noodle. Seriously, who comes up with this shit??
Shows what you know.
Using DGPS, they have millimeter resolution, and can ID the individual teeth on your necklace AND the ones in your mouth, and figure out which ones are really you by the alignment to the dead RF spot your faraday cage creates. Then the black helicopters bounces an IR laser off you in case they decide to guide smart weapons in. And that, of course, is simply a matter of where and what you post. In fact, I really shouldn't be postin
*&^%#$^#$ LOST CARRIER
I've fallen off your lawn, and I can't get up.
Wouldn't it be nice if the password vaults in browsers also included password generation and the ability to easily update passwords (think Lastpass but built in)?
Not on my computer...I don't store any of that in a browser...and never will. Too much at risk for theft and then dedicated hacking.
That it had to be the brainchild of Mozilla.
it seems the focus is on benefiting the seller.
The whole bit in the summary about making it so the merchant won't have to store (and protect) your CC# gave it away.
They are shifting the cost of protecting customer information on to the customer. Which is a bad idea - merchants have the resources to protect that info - they can hire experts, even smaller merchants can just outsource the entire system to dedicated card processors. Meanwhile the average user is 100% clueless about the risks and completely unprepared to defend against them.
It reminds me a lot of how chip & pin in europe turned into an excuse for the banks to stick card holders with fraudulent charges.
Even Mozilla got corrupted. Is there a browser we can trust?
Fuck that!
Right in the pussy!
Are you autistic? Or are you completely retarded?
Perhaps it's bipolar schizophrenia?
Nov 2001 howstuffworks.com threw up the idea of a 'penny per page' when visiting websites. http://computer.howstuffworks....
Looks like that day is fast approaching. Washingtonpost.com blocks me as I use a hosts file or ADblocker browser on Cell, so I ignore/avoid them. A Payment Request API will allow them to now pull from a previously setup account. Once it starts, all will be looking at it.
Credit card information isn't stored with the browser (on the Mac at least, I don't know about anywhere else). It's stored in the Keychain, a much safer place.
It doesn't matter, if Safari is willing to go into the keychain and then to provide the data to a hidden field, without a user notification.
I talked to Visa, gave them the information, and a list of about 150 sites that had the exploit being actively used. Then it was also reported to Apple.
But what if incognito is your normal way of browsing?
Then you've probably already run into a lot of demands to whitelist a site.
Private Browsing in Firefox enables tracking protection, a built-in blacklist of servers involved in tracking a user's behavior from one site to another. Numerous ad-supported websites depend on this tracking for interest-based advertising and aren't smart enough to fall back to self-hosted ads if the tracking servers can't be reached. So if tracking doesn't work, a site like TV Tropes pops up a demand to disable tracking protection. Though users can work around this on many sites by disabling JavaScript, I see room for sites to get smarter about insisting on allowing tracking by putting everything past the first paragraph in an AJAX request.
The RSA crypto used to negotiate a session's ephemeral AES key still uses semiprimes.
"Log in to see the price" is part of how sites work around "minimum advertised price" (MAP) policies imposed by manufacturers.
Browsers will store your social security number. Designed by Equifax.
We need a micro payments system built into browsers if we ever want to move away from the 'pay with your data" business model.
No. Fucking. Way.
I just wish I could afford the obviously awesome drugs the people who dreamt up this idea must be taking.
I don't store passwords in a browser, and I sure as anything NEVER store 'payment information' in a browser. I'd sooner print up 1000 copies of all my CC information and post them on lampposts and grocery store bulletin boards, with "Please feel free to spend my money for me!" printed on them.