American Express Seeks To Swap Card Numbers For Secure Tokens 130
jfruh writes: One of the fundamental problems of the electronic payment business is that it's by and large based on the fundamentally insecure infrastructure of the credit card system, where anyone who has your 16-digit card number can make purchases on your account. American Express is trying to improve its security by moving towards the use of unique tokens for online purchases.
Finally.. (Score:4, Insightful)
PCI compliance would probably be a lot less of a headache as well...
Re: (Score:1, Flamebait)
With OTP and related two-factor authentication technology becoming so widely available, one would have hoped that credit cards would implement some type of solution either using OTPs instead of cards, or augmenting them with OTPs. Millions of dollars in fraud prevention, "credit monitoring" and other such services would be saved by simply using solid cryptographic systems for the payment networks.
PCI compliance would probably be a lot less of a headache as well...
What are you saying? Do you even know?
A one-time pad isn't going to help SHIT - you have to somehow securely distribute the pads before hand and expect the users to keep them secure.
Strong crypto isn't going to help SHIT - the problem isn't securing the connection from the POS to the creditor, it's verifying the authenticity of the transaction itself, be it online or offline.
"Two-factor" schemes like a code sent to a phone, an RSA clock, some dongle, whatever are effective against non-realtime attacks. (T
Re: (Score:1, Offtopic)
Re: (Score:1)
LOL
Everytime my watch shows a new time, that's a one-time pad too!
Re:Finally.. (Score:5, Informative)
Here's a reference so you can avoid further confusion and undeserved insult: [wikipedia.org]http://en.wikipedia.org/wiki/O... [wikipedia.org]
Re: (Score:2, Flamebait)
Re: (Score:1)
Re: (Score:3)
Here's an example in commercial marketing:
https://www.yubico.com/product... [yubico.com]
Re: (Score:2)
nah.. it really means "one time programmable." Silly acronyms.
Re: (Score:2)
How will people see me flash my Gold or Platinum digital token???
Re: (Score:2)
Sure we do, it's an RFC even: http://tools.ietf.org/html/rfc... [ietf.org]
Re: (Score:2)
Pretty sure from context OP is confusing OTP with sequence based tokens, especially since OTP is not two factor without layering something else with it.
Clearly, you are right about OTP and its for those reasons that nobody (or as close to nobody as matters) actually uses OTP for anything anymore; which really makes it more likely OP was confused about terminology than actually suggesting someone actually use OTP operationally in this day and age.
Also, I asked a co-worker about this, he took longer than wiki
Re: (Score:3)
Re: (Score:2)
But you didn't say one time password, you said OTP. Now, its clearly an overloaded TLA and that is easy enough to verify but, using TLAs in general is actually confusing because pretty much all of them are overloaded already, though.... this one gets a somewhat rare distinction of being overloaded in the same field.
I mean, you don't see car mechanics going around referring to your coil packs as distributors.
As I said, I think it makes sense to do away with OTP=One time pad since its not actually useful, but
Re: (Score:2)
Re: (Score:2)
Lol that was nasty? A little quibbling over use of TLAs is hardly nasty. I bet this thread could go 8 or 10 more posts before anyone got compared to a nazi.
Re: (Score:2)
Interesting, amusingly I have come to hate TLAs just because of the overload factor; but this one makes a lot of sense, like I said....why would we even need a TLA for one time pads when the vast majority of all discussion around one time pads is either in the context of explaining cryptography concepts.
Pretty much the only people who have any business knowing anything about one time pads are military historians and people studying crypto academically, whereas, I know many people with one time password toke
Re: (Score:2)
What am I saying? I think I have some idea.
I've done plenty of PCI compliance audits, CISA certified, yadda yadda.. so you would hope I have some insight here.
What do you know about crpytography? For example, if AMEX cards had a smart card in them that also had a OTP functionality -- like YubiKey, meaning a public key, an OTP (one time password, not pad), and a counter -- they could be made much more secure.
How so, you ask?
Re: (Score:3)
Verified by VISA and similar programs for online shit that did everything we needed but there was one critical flaw - no one used it because they didn't have to. The only site I've ever used that actually implemented it was Newegg. And when I accidentally closed the Verified by VISA popup (I assumed it was a shitty 3rd party offer popup and closed it before it loaded), I discovered that failing the Verified by VISA challenge still let my transaction go through because the merchant never wants to miss out on the sale.
Verified by VISA didn't succeed because:
1) It looked like a scam site complete with redirection to a 3rd party asking for personal details like portion of social security number. Nowhere does it display security credentials.
2) Real phishing scams exist using the name and similar form layouts.
3) Yet Another Password. Hopefully not the same one used to log into the shopping site.
4) If you forget your password, all you need is the card information to reset it, plus a birthday. Not exactly a big secret.
5) It
Re: (Score:3)
Darn, right link, wrong text. Wish I could recall my post for a few seconds to make a quick edit.
It should be Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication [cam.ac.uk]
Re: (Score:1)
Great post. I've had some dealings with Visa and they don't like Ross Anderson as he keeps poking holes in their security. Here's his attack on the UK Chip and PIN system (EMV).
https://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/ [lightbluetouchpaper.org]
Re:Finally.. (Score:4, Funny)
PCI is long dead, everyone has moved to PCIe by now.
Re: (Score:2)
I love it when we have comments filled with unknown TLAs. (three letter acronyms)
Re: (Score:2)
Actually, most banks make you jump through more hoops than just "some idiot's username and password", when you want to use their software to make payments on your phone.
I personally had to have my card, a small code generating device that your bank will give you free, and my PIN, to then generate a challenge/response code from my card to allow the software access to my account.
Maybe you're referring to US banks though.. they seem to regard security as an annoying waste of money.
Evolution of payments (Score:2)
This is interesting news for sure, but what's the ideal setup? Working backwards, what do you think is the perfect payment method for security and flexibility?
Evolution of payments (Score:1)
It should work something like this:
The merchant gives me a transaction ID.
*I* contact AMEX to authorize payment using my own secure channel.
AMEX contacts the merchant to get transaction details.
AMEX has me confirm the transaction.
AMEX pays the merchant.
If I want to make a payment for someone else, they can pass the transaction ID from the merchant to me.
Re: (Score:3)
It may not be perfect but it seems a bit better than the honor system that we're on now.
Bootstrapping a cell phone as the second factor (Score:2)
I initiate a purchase online, Amex gives a probationary okay and sends a 5 digit code to my mobile device
Then how would you initiate a purchase of a mobile device itself or of the first month of service for your mobile device?
Re: (Score:2)
Re: (Score:2)
They call you on your land-line with a voice recording and a IVR system asks you to press 1 if you approve the purchase.
Re: (Score:3)
You can eliminate that secure channel to amex, or at least decouple it with some crypto tokens.
So it could be
1. I, at some point before any transactions, contact AMEX and load up on signed payment tokens.
2. At time of purchase, I attach payment info and sign the a token; I mark that token as used.
3. Merchant confims token amount and veracity with AMEX public key
4. Merchant sends token to AMEX to claim the spend.
5. AMEX verifies tokens and token uniqueness and logs it to my account.
Mod parent up. (Score:3)
Great idea. And there are many different ways of doing this.
The core concept is to generate a unique ID for each transaction that links:
a. the vendor
b. the customer
c. the customer's bank
d. (maybe also the vendor's bank)
e. a specific amount
f. a specific time.
And being unique, it will never be used again. We have a lot of different ways to do that.
With that information, the bank should be able to flag questionable transactions that get past the customer verification. Or at least warn the customer if the vendo
Re:Evolution of payments (Score:4, Insightful)
Now, if you want an electronic approach, how about this:
If the amounts don't match, no signature, preventing overcharges. If the transaction is replayed, the merchant ID, terminal ID and sequence number collectively will function as a transaction ID and it will be recognized as a dupe. If any of the transaction details are altered, the signature doesn't match. If the vendor tries to do two transactions at once, the device won't sign both without me reauthorizing. If the vendor wants or needs to validate off-line, the signature can be checked using the device's certificate, the signature of which can be checked with a cached CA cert.
Now, because this approach is agnostic as to whether the device is a card, dongle, phone or whatever, and whether it plugs in, taps or even just flashes a QR code on a screen, I can see the approach being adapted to both bricks-and-mortar and on-line purchases. The only thing I can think of that we do with our credit cards now that might be tricky in this system would be recurrent payments, but those could be handled by pre-authorizing a year's worth of transactions or something similar.
Re: (Score:1)
Your device receiving data from the POS terminal is an unnecessary risk.
Since the device is probably a smart phone it should have a data connection of it's own. So a better path would be:
Your device broadcasts a your payment ID (basally a user name) to the POS terminal.
The POS terminal sends a signed invoice with the amount and your payment ID to the payment processor. The payment processor then looks up in their database what device that ID belongs to and sends your device a signed (with your public key) r
Re: (Score:2)
Perhaps so, however, there was no assumption in my model that the device was a smartphone, nor any assumption that it had any kind of connectivity. Your model requires it, while mine would still allow for the payment device to be a card if that is the user's preferred option.
There is also no reason why these two approaches couldn't be implemented on the same POS system.
Now, the obvious question is why am I not requiring it to be a phone. The answers:
anyone who has your 16-digit card number (Score:5, Insightful)
>> anyone who has your 16-digit card number can make purchases on your account
Wasn't CCV (the extra 3-digit number on the card) supposed to fix that? (https://www.dcporder.com/ccv.htm) Oh wait...intermediates started storing THAT too.
So yeah...bring it on!
Re: (Score:3)
Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been comprised (which is darn easy) then all bets are off.
Re: (Score:2)
Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been comprised (which is darn easy) then all bets are off.
AMEX uses a 4 digit value printed on the front of the card.
Re:anyone who has your 16-digit card number (Score:4, Funny)
Well that fixes everything. :)
Re:anyone who has your 16-digit card number (Score:5, Funny)
Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been comprised (which is darn easy) then all bets are off.
AMEX uses a 4 digit value printed on the front of the card.
In a few years once somebody figures out how to implement a 5 digit value on the back of a card, our worries will be over!
Re: (Score:1)
Mine goes to 11.
Re: (Score:3)
The thing is most payment terminals require both numbers to function. Yes you aren't aupposed to enter them online. However since the terminals themselves will decline transactions without them then it proved useless.
Actually I am surprised at the limits of Apple pay. Apple has some software Apis available(planets is using them). However I thought it would make more sense to add an nfc reader to every computer and tablet sold with both a system Api and a WebKit Api available. Just wave your phone over the c
Re: (Score:1)
Verified by Visa also require a personal password to make the purchase go through.
Re: (Score:2)
Re: (Score:3)
This is a little confusing - each card has 3 Card Verification Values (which, depending on the type of card can be CVV, CID or CVC - lets use CVV)
CVV is stored on the track data.
CVV2 is the one on your card. It is transmitted as a separate field for non-card-present transactions (eCommerce, for instance).
CVV3, also known as dCVV (dynamic card verification value) is an EMV thing.
Most people use CVV to refer to CVV2.
This whole token thing is not AMEX only, Mastercard and Visa published specifications on this
It's like a car lock (Score:2)
I know it's cool and hip to say the hackers will always find a way, but the reality is they won't. The credit card industry tolerates some fraud because the cost of eliminating it has been more than the cost of allowing it. That's changing
Token (Score:4, Funny)
Triumph the Insult Comic Dog: "So, have you ever actually talked to a girl without giving her your secure unique token first?"
If I remember correctly (Score:1)
They had a one-time-use number program years ago a (Score:2)
I think it was called "Private Purchase"? You could log in to your AmEx account and generate a number that was good for one use. It was great, I don't know why they got rid of it.
Re:They had a one-time-use number program years ag (Score:4, Insightful)
Re: (Score:2)
I didn't know BoA had a comparable feature. My past experiences with BoA haven't been good, and literally everything else (other than canceling Private Payments) I've experienced with AmEx has been good - including their removing without question charges I wasn't responsible for the handful of times it's happened.
Get rid of numbers (Score:1)
It's 2014, why are we still getting stamped plastic cards? Can't they put a tiny microcontroller, lcd, battery, and display a unique time synchronized calculated number along with 4 exposed pads that you can read the number with synchronized serial (SPI)?
Of course, you can have a physical backup number on the card itself, but it should set off alarms if used.
Re: (Score:2)
It's 2014, why are we still getting stamped plastic cards?
Because there are still brick-and-mortar merchants that haven't bought a chip reader, though planned shifts in merchant liability for unauthorized use will likely soon change this. And because people shopping at home don't want to have to buy and carry separate chip readers for desktop computers, iOS devices, and Android devices, and for each issuing financial institution. For example, someone with three payment cards (one debit card for each of two banks, plus one credit card) might have to either buy nine
Re:Get rid of numbers (Score:5, Interesting)
You just described EMV, which all retailers will be effectively required to accept by October 2015 in the US. (It's not completely mandated, but the fraud liability shift effectively mandates it. After Oct. 1 2015, *retailers* will be fully liable for magstripe fraud.)
EMV is widespread in Europe, it's been slowed down due to political bullshit from MCX in the USA.
Card Fraud (Score:1)
Make it simple (Score:1)
Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...
Re:Make it simple (Score:4, Informative)
Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...
And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?
Re: (Score:2)
Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...
And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?
I take it you find cash fatally flawed for those same reasons: the possibility of theft, loss, or destruction.
Of course, cash is anonymous—which you don't get with a credit card or check. Are you okay with the federal government tracking every purchase you make with plastic? Because they are. [washingtonexaminer.com]
Re: (Score:2)
I take it you find cash fatally flawed for those same reasons: the possibility of theft, loss, or destruction.
Yes. I don't wander around the streets with $100s or $1000s of dollars on me for precisely those reasons.
I do make small purchases with cash all the time, but the amount's I'd ever be faced with losing are not significant enough to matter. Last night alone I bought groceries, plus gas, plus the car battery unexpectedly needed to be replaced, and the delay caused by the latter meant we grabbed take o
Re: (Score:3)
Yes. I don't wander around the streets with $100s or $1000s of dollars on me for precisely those reasons.
You're cherry-picking scenarios. Who said you have to load thousands of dollars at a time on a preloaded cash-equivalent card?
I don't really get it with cash either if the person taking my money knows who I am.
Again with the cherry-picking. Do we really want to play this game? Because an equivalent cherry picked boundary case scenario against credit cards would be where a merchant fraudulently charges your card, the credit card company decides to reject your chargeback/fraud allegation for whatever reason, and then you lost in court when you decided to sue.
What's that you say, this doesn't
Re: (Score:2)
Who said you have to load thousands of dollars at a time on a preloaded cash-equivalent card?
Common sense does. I gave a typical example, my evening yesterday. Just regular run of the mill stuff. $700+ in one evening. Sure not every evening is like that, but how often am I going to load the card? I figure to live on a cash or (cash equivalent card) I'm going to be loading the card with at LEAST $1000 to $1500 at a time. And that'll get me a few to a month tops. The alternative would be what? Loading it dai
Re: (Score:3)
I guess it comes down to how difficult it is to load the stored value card, doesn't it? I view this as tantamount to the amount of cash I'm carrying vs the cash I have in my ATM-linked account. I'm willing to carry several hundred in cash. By the same token, I would be willing to carry several hundred in stored value. More than that and cash gets unwieldy. I blame the government for refusing to issue larger denomination bills despite inflation.
What stored value cards can give you is a way to purchase things
Re: (Score:2)
I think you are strongly underestimating the amount of tracking and profiling that happens when you make purchases using a credit card. I presume you're familiar with Target's "pregnancy detection" profiling that caused an uproar a few years ago.
Quite familiar. But remember, that's just within Target's own loyalty card. That's not the federal government, and that's not Target tracking you even at other stores. As it happens I do use the loyalty card at the supermarket I use and I'm generally ok with THEM tr
Re: (Score:3)
But remember, that's just within Target's own loyalty card.
No, it's not. It's tied to your profile they build from your credit card information.
I don't generally object to a given store knowing what I've bought AT that store. Indeed i consider it fairly inevitable.
If that were the extent of it, I would agree. However, cross-linking databases has continued to grow. I bought a vehicle last year, and either the dealer or the manufacturer sold me out because I get phone calls from other dealers around the country trying to sell me extended warranties. Given our discussion so far, it probably it goes without saying I didn't sign up for or disclose any information beyond what was required
Re: (Score:2)
My point is that data gets abused
Funny, I'm actually arguing your side of the argument in another thread on another article. So I agree with you completely on that front.
I'd like to see anonymous transactions too. But I'm still not sold on stored value cards.
a) I don't like the risk associated with having value tied to the physical card.
b) I'm not convinced the average stored value card is truly anonymous. Can the system really not track you by the use of your stored value card? Does your proposed card real
Re: (Score:2)
Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...
And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?
The TREZOR [bitcointrezor.com] is close to what the GP requested, or would be if 7-11s sold bitcoins. It requires a PIN to spend the funds, which protects against theft, and if it's lost or stolen or simply stops working you can recover your funds with the backup seed and any of several compatible wallet programs. Aside from the backup, which you keep in a secure place, the key never leaves the device, so you don't have to trust the USB host.
Amex is 15-digit (Score:2)
I'd sign up for this. I hope they offer it to people sooner rather than later.
Bank of America has had this for awhile (Score:3)
Fantastic for any online purchases you make. But, in reality - how many times are CC #'s getting stolen online vs in real life?
Re: (Score:2)
They still have it (ShopSafe), at least for my card. It's about the only reason I still use them. Always interesting to say how many official account names some companies have when buying from slightly different parts of their system (each requiring a separate card).
Re: (Score:2)
My debit card was among those believed to be compromised in both of the recent Big News breaches (Target, Home Depot) and all my purchases at both were physical stick-a-card-in-the-reader purchases, not online. So, these things do happen in real life.
Re: (Score:1)
because companies do not check back to the card holder's address for delivery.
It's very, very common for a purchase to be shipped to an address that is not the billing address. There's the obvious, like holiday gifts, and the less obvious, like small business owners with a home billing address wanting items shipped to their business. Merchants are forced into a corner here, because they'll lose the sale if they decline the transaction, and the credit card companies provide no tools to assist in determining fraudulent intent.
Solution (Score:3, Funny)
Change the system to use longer numbers, say 32 digits and make it hex, not dec
They should also have a needle number (like a pin, but longer)
Re: (Score:3)
nonsense, the length of the number doesn't matter, a thief can steal a 32 digit number as easily as a 16 digit. Hexadecimal doesn't change matters either. The whole concept of using a fixed number is archaic, better solutions have been known (and have been in use in smarter countries for over a decade)
Re: (Score:2)
this is a tech site, you are supposed to have familiarity with encryption and private/public key. You are supposed to realize a computer doesn't care if you copy/paste or transmit a 32 digit number vs. a 16 digit one. Here are some words for you: [trolling ignoramus with no point]
Secure tokens? You mean like Bitcoin (Score:3)
Hey, maybe we don't even need those credit card companies in the mix at all.
single use credit card numbers (Score:2)
A number of companies have offered single use credit card numbers in the past. You could generate new credit card numbers online, set time and dollar limits, and then use those for purchases. That offers similar levels of protection but is backwards compatible. Unfortunately, it hasn't caught on much.
what?! "they can easily be revoked?!" (Score:1)
Re: (Score:2)
Probably for subscription purpose... Depending on how its implemented, its not so much the code itself that can be reused, but the transaction made with it that can be "replayed". By revoking the code, you revoke the ability to replay that transaction.
Subscription services often (usually? I only worked on a few online payment systems, most did it this way but not all) don't store the credit card number itself. They just replay transactions authorization.
I'm giving this to the world for free (Score:2)
Please implement it immediately.
USB dongle with a little computer, display, fingerprint/pulse scanner, and a few buttons. Dongle plugs into a port on the POS payment terminal. You authenticate with an authenticated fingerprint from a finger with a pulse. Dongle makes its own secure connection to the payment clearinghouse and indicates to the clearinghouse that a transaction with [Merchant_ID] is imminent. [Merchant_ID]'s payment terminal makes its own connection to the clearinghouse and says [Your_Publi
Re: (Score:2)
USB fingerprint reader? Seriously? That's just not needed. We've had chip and pin cards for many years now in Canada. They just need to implement a more secure alternative for online sales. And forget about being backwards compatible - lose the mag stripe and don't process payments from numbers alone.
Re: (Score:2)
The point of my system is to stop throwing around account information. My system doesn't involve transmitting (or even having) any valuable information where it can be stolen. Not even in encrypted form. Don't process payments from numbers at all .
Virtual Account Numbers (Score:1)
How about ATM cards (Score:2)
summary fail (Score:4, Informative)
Re: (Score:1)
Wish I had mod points, I'm glad someone else noticed this.
Typical american problem (Score:1)
America (the USA, to be precise) seems to have problems no other developed country has, any more. Among them the absence of universal medical coverage and the old-fashioned credit cards. This is not USA bashing, but an expression of true amazement. For instance, codebooks, or one-time codes sent by SMS have been routinely used in Europe for quite some time now in conjunction with credit cards that are otherwise quite secure by themselves. American Express refused to upgrade and it cost them a lot of clients
Not a new idea (Score:2)
Re: (Score:1)
Here's a shiny powerpoint to download. Click Here. They say it works. They also say some random number (that sometimes has a letter in it?) next to a $ sign with god awful English.
Seriously, click here [visa.com].
Private Payments (Score:2)
10 years or so ago, AMEX had "Private Payments", where you could generate a single-use number for a transaction. The number was valid for a single transaction and expired in two days or so.
Then they dropped the service. I never figured out why.
The dumbest idea in online purchases .. (Score:1)
The dumbest idea in online purchases was using Credit Card numbers in the first place
I think it's halarious (Score:1)
unique tokens (Score:2)
Isn't this exactly how Apple Pay works? (Score:2)
Generating a secure one time use token for any credit card that is stored?
Trustless Transactions (Score:2)
If only there existed a solution for the problem of trustless transactions! If someone could write a white paper setting out an algorithm, what a boon it would be....
Re: (Score:2)
Well, it can lead to identity theft for one thing which is a huge pain in the neck. It ultimately means that we all pay for it in terms of higher fees for credit cards and also fees being charged to merchants.
Re: (Score:1)
It seems like something cc cards or vendors, who are actually liable for these charges, should care more about.
Therein lies the rub. The merchant takes on 100% of the liability, the credit card companies and banks lose NOTHING when a fraudulent charge is made. In fact, they get to collect a chargeback fee. They have little incentive to fix the problem. Merchants, of course, have incentive to fix the problem. But they have no power (other than the really big merchants) to effect change.