Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Almighty Buck Security

American Express Seeks To Swap Card Numbers For Secure Tokens 130

jfruh writes: One of the fundamental problems of the electronic payment business is that it's by and large based on the fundamentally insecure infrastructure of the credit card system, where anyone who has your 16-digit card number can make purchases on your account. American Express is trying to improve its security by moving towards the use of unique tokens for online purchases.
This discussion has been archived. No new comments can be posted.

American Express Seeks To Swap Card Numbers For Secure Tokens

Comments Filter:
  • Finally.. (Score:4, Insightful)

    by Midnight_Falcon ( 2432802 ) on Tuesday November 04, 2014 @03:12PM (#48312479)
    With OTP and related two-factor authentication technology becoming so widely available, one would have hoped that credit cards would implement some type of solution either using OTPs instead of cards, or augmenting them with OTPs. Millions of dollars in fraud prevention, "credit monitoring" and other such services would be saved by simply using solid cryptographic systems for the payment networks.

    PCI compliance would probably be a lot less of a headache as well...

    • Re: (Score:1, Flamebait)

      by sexconker ( 1179573 )

      With OTP and related two-factor authentication technology becoming so widely available, one would have hoped that credit cards would implement some type of solution either using OTPs instead of cards, or augmenting them with OTPs. Millions of dollars in fraud prevention, "credit monitoring" and other such services would be saved by simply using solid cryptographic systems for the payment networks.

      PCI compliance would probably be a lot less of a headache as well...

      What are you saying? Do you even know?
      A one-time pad isn't going to help SHIT - you have to somehow securely distribute the pads before hand and expect the users to keep them secure.
      Strong crypto isn't going to help SHIT - the problem isn't securing the connection from the POS to the creditor, it's verifying the authenticity of the transaction itself, be it online or offline.
      "Two-factor" schemes like a code sent to a phone, an RSA clock, some dongle, whatever are effective against non-realtime attacks. (T

      • Re: (Score:1, Offtopic)

        by oodaloop ( 1229816 )
        I'm pretty sure he thinks that every time his fob displays a new number, that's a one time pad.
      • by TheCarp ( 96830 )

        Pretty sure from context OP is confusing OTP with sequence based tokens, especially since OTP is not two factor without layering something else with it.

        Clearly, you are right about OTP and its for those reasons that nobody (or as close to nobody as matters) actually uses OTP for anything anymore; which really makes it more likely OP was confused about terminology than actually suggesting someone actually use OTP operationally in this day and age.

        Also, I asked a co-worker about this, he took longer than wiki

        • I'm not confusing anything, One time password is the proper name for the technology.
          • by TheCarp ( 96830 )

            But you didn't say one time password, you said OTP. Now, its clearly an overloaded TLA and that is easy enough to verify but, using TLAs in general is actually confusing because pretty much all of them are overloaded already, though.... this one gets a somewhat rare distinction of being overloaded in the same field.

            I mean, you don't see car mechanics going around referring to your coil packs as distributors.

            As I said, I think it makes sense to do away with OTP=One time pad since its not actually useful, but

            • Clearly I should've spelt out OTP to avoid confusion in this context..except, yes, I do PCI compliance audits for a living, and this acronym seems very second-nature at this point. However though, I wasn't the one confusing OTP..it was the readers applying their own cognitive bias to apply the "one time pad" meaning here, even though the context clearly pointed away from that.
      • What am I saying? I think I have some idea.

        I've done plenty of PCI compliance audits, CISA certified, yadda yadda.. so you would hope I have some insight here.

        What do you know about crpytography? For example, if AMEX cards had a smart card in them that also had a OTP functionality -- like YubiKey, meaning a public key, an OTP (one time password, not pad), and a counter -- they could be made much more secure.

        How so, you ask?

        • Merchant validation service would validate based on OTP, this could be
      • Verified by VISA and similar programs for online shit that did everything we needed but there was one critical flaw - no one used it because they didn't have to. The only site I've ever used that actually implemented it was Newegg. And when I accidentally closed the Verified by VISA popup (I assumed it was a shitty 3rd party offer popup and closed it before it loaded), I discovered that failing the Verified by VISA challenge still let my transaction go through because the merchant never wants to miss out on the sale.

        Verified by VISA didn't succeed because:
        1) It looked like a scam site complete with redirection to a 3rd party asking for personal details like portion of social security number. Nowhere does it display security credentials.
        2) Real phishing scams exist using the name and similar form layouts.
        3) Yet Another Password. Hopefully not the same one used to log into the shopping site.
        4) If you forget your password, all you need is the card information to reset it, plus a birthday. Not exactly a big secret.
        5) It

    • by ArcadeMan ( 2766669 ) on Tuesday November 04, 2014 @03:43PM (#48312755)

      PCI is long dead, everyone has moved to PCIe by now.

    • I love it when we have comments filled with unknown TLAs. (three letter acronyms)

  • Comment removed based on user account deletion
    • by Anonymous Coward

      It should work something like this:

      The merchant gives me a transaction ID.
      *I* contact AMEX to authorize payment using my own secure channel.
      AMEX contacts the merchant to get transaction details.
      AMEX has me confirm the transaction.
      AMEX pays the merchant.

      If I want to make a payment for someone else, they can pass the transaction ID from the merchant to me.

      • How about just basic 2-factor authentication?
        • I initiate a purchase online, Amex gives a probationary okay and sends a 5 digit code to my mobile device
        • The vendor prompts me for that code
        • Once I confirm that I am in possession of the device, the transaction can be completed

        It may not be perfect but it seems a bit better than the honor system that we're on now.

        • I initiate a purchase online, Amex gives a probationary okay and sends a 5 digit code to my mobile device

          Then how would you initiate a purchase of a mobile device itself or of the first month of service for your mobile device?

          • Same way Google does it I suppose. A list of single-use codes that you keep offline, and you can verify from the same device that you initiate the purchase from...in theory. It seems like the U.S., as a society, wants to completely eliminate every sort of risk in the world. What we should really be concentrating on is mitigating them to an acceptable level.
          • They call you on your land-line with a voice recording and a IVR system asks you to press 1 if you approve the purchase.

      • by TheCarp ( 96830 )

        You can eliminate that secure channel to amex, or at least decouple it with some crypto tokens.

        So it could be
        1. I, at some point before any transactions, contact AMEX and load up on signed payment tokens.
        2. At time of purchase, I attach payment info and sign the a token; I mark that token as used.
        3. Merchant confims token amount and veracity with AMEX public key
        4. Merchant sends token to AMEX to claim the spend.
        5. AMEX verifies tokens and token uniqueness and logs it to my account.

      • Great idea. And there are many different ways of doing this.

        The core concept is to generate a unique ID for each transaction that links:
        a. the vendor
        b. the customer
        c. the customer's bank
        d. (maybe also the vendor's bank)
        e. a specific amount
        f. a specific time.
        And being unique, it will never be used again. We have a lot of different ways to do that.

        With that information, the bank should be able to flag questionable transactions that get past the customer verification. Or at least warn the customer if the vendo

    • by Phreakiture ( 547094 ) on Tuesday November 04, 2014 @04:17PM (#48313039) Homepage
      • Merchant advises me of the total.
      • I give him cash equal to or greater than the total.
      • He gives me change equal to the difference between the total and what I gave him.

      Now, if you want an electronic approach, how about this:

      • Merchant advises me of the total.
      • I take a device, could be a card, could be a phone, whatever, and authorize an amount. Optionally, this may (i.e. should) involve the entry of a passcode of some sort. This should be entered into my device, not the POS terminal.
      • I connect the device to the POS terminal (could be a plug, slot, wireless, NFC, whatever - not important).
      • The POS terminal assembles a transaction record consisting of time, date, merchant ID, terminal ID, amount, sequence number. It passes this to my device.
      • If the POS terminal and my device agree on the amount, my device will add my account number to the transaction record, and then cryptographically sign the record.
      • The signed transaction record is passed back to the POS terminal and sent to the processor.

      If the amounts don't match, no signature, preventing overcharges. If the transaction is replayed, the merchant ID, terminal ID and sequence number collectively will function as a transaction ID and it will be recognized as a dupe. If any of the transaction details are altered, the signature doesn't match. If the vendor tries to do two transactions at once, the device won't sign both without me reauthorizing. If the vendor wants or needs to validate off-line, the signature can be checked using the device's certificate, the signature of which can be checked with a cached CA cert.

      Now, because this approach is agnostic as to whether the device is a card, dongle, phone or whatever, and whether it plugs in, taps or even just flashes a QR code on a screen, I can see the approach being adapted to both bricks-and-mortar and on-line purchases. The only thing I can think of that we do with our credit cards now that might be tricky in this system would be recurrent payments, but those could be handled by pre-authorizing a year's worth of transactions or something similar.

      • by Anonymous Coward

        Your device receiving data from the POS terminal is an unnecessary risk.

        Since the device is probably a smart phone it should have a data connection of it's own. So a better path would be:

        Your device broadcasts a your payment ID (basally a user name) to the POS terminal.
        The POS terminal sends a signed invoice with the amount and your payment ID to the payment processor. The payment processor then looks up in their database what device that ID belongs to and sends your device a signed (with your public key) r

        • Perhaps so, however, there was no assumption in my model that the device was a smartphone, nor any assumption that it had any kind of connectivity. Your model requires it, while mine would still allow for the payment device to be a card if that is the user's preferred option.

          There is also no reason why these two approaches couldn't be implemented on the same POS system.

          Now, the obvious question is why am I not requiring it to be a phone. The answers:

          • You want to encourage participation from those who do
  • by xxxJonBoyxxx ( 565205 ) on Tuesday November 04, 2014 @03:17PM (#48312541)

    >> anyone who has your 16-digit card number can make purchases on your account

    Wasn't CCV (the extra 3-digit number on the card) supposed to fix that? (https://www.dcporder.com/ccv.htm) Oh wait...intermediates started storing THAT too.

    So yeah...bring it on!

    • by deKernel ( 65640 )

      Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been comprised (which is darn easy) then all bets are off.

      • Actually CVV values are located in the track data which only proves you either have a copy of the card or the original. The second "fix" was CVV2 values which are printed on the back of the cards. This was to prove the card is in the hands of the person, but if that number has been comprised (which is darn easy) then all bets are off.

        AMEX uses a 4 digit value printed on the front of the card.

      • The thing is most payment terminals require both numbers to function. Yes you aren't aupposed to enter them online. However since the terminals themselves will decline transactions without them then it proved useless.

        Actually I am surprised at the limits of Apple pay. Apple has some software Apis available(planets is using them). However I thought it would make more sense to add an nfc reader to every computer and tablet sold with both a system Api and a WebKit Api available. Just wave your phone over the c

      • by DarenN ( 411219 )

        This is a little confusing - each card has 3 Card Verification Values (which, depending on the type of card can be CVV, CID or CVC - lets use CVV)

        CVV is stored on the track data.
        CVV2 is the one on your card. It is transmitted as a separate field for non-card-present transactions (eCommerce, for instance).
        CVV3, also known as dCVV (dynamic card verification value) is an EMV thing.

        Most people use CVV to refer to CVV2.

        This whole token thing is not AMEX only, Mastercard and Visa published specifications on this

    • It take some fraud out of the equation by making it harder. That said, the combination of tokens, mobile payments, NFC and GPS is going to make fraud damn near impossible. Mix in some big data analytics and your Credit Auth systems will block anything that gets missed.

      I know it's cool and hip to say the hackers will always find a way, but the reality is they won't. The credit card industry tolerates some fraud because the cost of eliminating it has been more than the cost of allowing it. That's changing
  • Token (Score:4, Funny)

    by Impy the Impiuos Imp ( 442658 ) on Tuesday November 04, 2014 @03:18PM (#48312543) Journal

    Triumph the Insult Comic Dog: "So, have you ever actually talked to a girl without giving her your secure unique token first?"

  • My Discover Card had a feature where you could be given a one time number for a transaction online, I don't know if they still do it, but I imagine they do. This doesn't seem much different than that or any more convient. So what's the big deal?
  • I think it was called "Private Purchase"? You could log in to your AmEx account and generate a number that was good for one use. It was great, I don't know why they got rid of it.

  • by Anonymous Coward

    It's 2014, why are we still getting stamped plastic cards? Can't they put a tiny microcontroller, lcd, battery, and display a unique time synchronized calculated number along with 4 exposed pads that you can read the number with synchronized serial (SPI)?

    Of course, you can have a physical backup number on the card itself, but it should set off alarms if used.

    • by tepples ( 727027 )

      It's 2014, why are we still getting stamped plastic cards?

      Because there are still brick-and-mortar merchants that haven't bought a chip reader, though planned shifts in merchant liability for unauthorized use will likely soon change this. And because people shopping at home don't want to have to buy and carry separate chip readers for desktop computers, iOS devices, and Android devices, and for each issuing financial institution. For example, someone with three payment cards (one debit card for each of two banks, plus one credit card) might have to either buy nine

    • by Andy Dodd ( 701 ) <atd7@@@cornell...edu> on Tuesday November 04, 2014 @04:05PM (#48312943) Homepage

      You just described EMV, which all retailers will be effectively required to accept by October 2015 in the US. (It's not completely mandated, but the fraud liability shift effectively mandates it. After Oct. 1 2015, *retailers* will be fully liable for magstripe fraud.)

      EMV is widespread in Europe, it's been slowed down due to political bullshit from MCX in the USA.

  • Considering I just had 2 fraudulent purchases made online to the total of $2850 to my American Express card I welcome anything secure and not tied to my card number. Despite never losing or having my card stolen I've had to replace my card multiple times in the past few years. After a while it starts to get old.
  • Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

    • Re:Make it simple (Score:4, Informative)

      by vux984 ( 928602 ) on Tuesday November 04, 2014 @03:42PM (#48312745)

      Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

      And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?

      • Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

        And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?

        I take it you find cash fatally flawed for those same reasons: the possibility of theft, loss, or destruction.

        Of course, cash is anonymous—which you don't get with a credit card or check. Are you okay with the federal government tracking every purchase you make with plastic? Because they are. [washingtonexaminer.com]

        • by vux984 ( 928602 )

          I take it you find cash fatally flawed for those same reasons: the possibility of theft, loss, or destruction.

          Yes. I don't wander around the streets with $100s or $1000s of dollars on me for precisely those reasons.

          I do make small purchases with cash all the time, but the amount's I'd ever be faced with losing are not significant enough to matter. Last night alone I bought groceries, plus gas, plus the car battery unexpectedly needed to be replaced, and the delay caused by the latter meant we grabbed take o

          • Yes. I don't wander around the streets with $100s or $1000s of dollars on me for precisely those reasons.

            You're cherry-picking scenarios. Who said you have to load thousands of dollars at a time on a preloaded cash-equivalent card?

            I don't really get it with cash either if the person taking my money knows who I am.

            Again with the cherry-picking. Do we really want to play this game? Because an equivalent cherry picked boundary case scenario against credit cards would be where a merchant fraudulently charges your card, the credit card company decides to reject your chargeback/fraud allegation for whatever reason, and then you lost in court when you decided to sue.

            What's that you say, this doesn't

            • by vux984 ( 928602 )

              Who said you have to load thousands of dollars at a time on a preloaded cash-equivalent card?

              Common sense does. I gave a typical example, my evening yesterday. Just regular run of the mill stuff. $700+ in one evening. Sure not every evening is like that, but how often am I going to load the card? I figure to live on a cash or (cash equivalent card) I'm going to be loading the card with at LEAST $1000 to $1500 at a time. And that'll get me a few to a month tops. The alternative would be what? Loading it dai

              • I guess it comes down to how difficult it is to load the stored value card, doesn't it? I view this as tantamount to the amount of cash I'm carrying vs the cash I have in my ATM-linked account. I'm willing to carry several hundred in cash. By the same token, I would be willing to carry several hundred in stored value. More than that and cash gets unwieldy. I blame the government for refusing to issue larger denomination bills despite inflation.

                What stored value cards can give you is a way to purchase things

                • by vux984 ( 928602 )

                  I think you are strongly underestimating the amount of tracking and profiling that happens when you make purchases using a credit card. I presume you're familiar with Target's "pregnancy detection" profiling that caused an uproar a few years ago.

                  Quite familiar. But remember, that's just within Target's own loyalty card. That's not the federal government, and that's not Target tracking you even at other stores. As it happens I do use the loyalty card at the supermarket I use and I'm generally ok with THEM tr

                  • But remember, that's just within Target's own loyalty card.

                    No, it's not. It's tied to your profile they build from your credit card information.

                    I don't generally object to a given store knowing what I've bought AT that store. Indeed i consider it fairly inevitable.

                    If that were the extent of it, I would agree. However, cross-linking databases has continued to grow. I bought a vehicle last year, and either the dealer or the manufacturer sold me out because I get phone calls from other dealers around the country trying to sell me extended warranties. Given our discussion so far, it probably it goes without saying I didn't sign up for or disclose any information beyond what was required

                    • by vux984 ( 928602 )

                      My point is that data gets abused

                      Funny, I'm actually arguing your side of the argument in another thread on another article. So I agree with you completely on that front.

                      I'd like to see anonymous transactions too. But I'm still not sold on stored value cards.

                      a) I don't like the risk associated with having value tied to the physical card.

                      b) I'm not convinced the average stored value card is truly anonymous. Can the system really not track you by the use of your stored value card? Does your proposed card real

      • Just give me a card that plugs into the USB port and that I can charge up at the 7-11 with cash...

        And then when someone steals it, or it just spontaneously stops working one day... sure you'll still be ok with that?

        The TREZOR [bitcointrezor.com] is close to what the GP requested, or would be if 7-11s sold bitcoins. It requires a PIN to spend the funds, which protects against theft, and if it's lost or stolen or simply stops working you can recover your funds with the backup seed and any of several compatible wallet programs. Aside from the backup, which you keep in a secure place, the key never leaves the device, so you don't have to trust the USB host.

  • As anyone who has one knows. The CCV code is 4 digits to bring it into alignment with the other cards.

    I'd sign up for this. I hope they offer it to people sooner rather than later.
  • by hsmith ( 818216 ) on Tuesday November 04, 2014 @03:31PM (#48312649)
    While cumbersome, you'd login to your account, magically find the tab and you could generate a 1 time credit card number. You could set a one time balance, set a monthly balance for recurring charges, etc.

    Fantastic for any online purchases you make. But, in reality - how many times are CC #'s getting stolen online vs in real life?
    • by Anguirel ( 58085 )

      They still have it (ShopSafe), at least for my card. It's about the only reason I still use them. Always interesting to say how many official account names some companies have when buying from slightly different parts of their system (each requiring a separate card).

    • Fantastic for any online purchases you make. But, in reality - how many times are CC #'s getting stolen online vs in real life?

      My debit card was among those believed to be compromised in both of the recent Big News breaches (Target, Home Depot) and all my purchases at both were physical stick-a-card-in-the-reader purchases, not online. So, these things do happen in real life.

  • Solution (Score:3, Funny)

    by rossdee ( 243626 ) on Tuesday November 04, 2014 @03:32PM (#48312653)

    Change the system to use longer numbers, say 32 digits and make it hex, not dec

    They should also have a needle number (like a pin, but longer)

    • nonsense, the length of the number doesn't matter, a thief can steal a 32 digit number as easily as a 16 digit. Hexadecimal doesn't change matters either. The whole concept of using a fixed number is archaic, better solutions have been known (and have been in use in smarter countries for over a decade)

  • by presidenteloco ( 659168 ) on Tuesday November 04, 2014 @03:43PM (#48312751)

    Hey, maybe we don't even need those credit card companies in the mix at all.

  • A number of companies have offered single use credit card numbers in the past. You could generate new credit card numbers online, set time and dollar limits, and then use those for purchases. That offers similar levels of protection but is backwards compatible. Unfortunately, it hasn't caught on much.

  • Am I to assume form this that these token are to be reused?!?!?!? If so, they deserve to be frauded in to the ground.
    • by Shados ( 741919 )

      Probably for subscription purpose... Depending on how its implemented, its not so much the code itself that can be reused, but the transaction made with it that can be "replayed". By revoking the code, you revoke the ability to replay that transaction.

      Subscription services often (usually? I only worked on a few online payment systems, most did it this way but not all) don't store the credit card number itself. They just replay transactions authorization.

  • Please implement it immediately.

    USB dongle with a little computer, display, fingerprint/pulse scanner, and a few buttons. Dongle plugs into a port on the POS payment terminal. You authenticate with an authenticated fingerprint from a finger with a pulse. Dongle makes its own secure connection to the payment clearinghouse and indicates to the clearinghouse that a transaction with [Merchant_ID] is imminent. [Merchant_ID]'s payment terminal makes its own connection to the clearinghouse and says [Your_Publi

    • USB fingerprint reader? Seriously? That's just not needed. We've had chip and pin cards for many years now in Canada. They just need to implement a more secure alternative for online sales. And forget about being backwards compatible - lose the mag stripe and don't process payments from numbers alone.

      • The point of my system is to stop throwing around account information. My system doesn't involve transmitting (or even having) any valuable information where it can be stolen. Not even in encrypted form. Don't process payments from numbers at all .

  • I use "virtual account numbers" for online purchases with my Citi Mastercard. It adds a few steps to the process for a merchant that you haven't used before but it's totally worth it. You're still fucked in a brick and mortar shop, of course.
  • It's really good that the security of the credit card system is being improved. I'm sure that the same thing will happen to the ATM network and operation just as soon as the banks are made liable for consumer losses through ATM fraud. (Today's election day in the US, good luck voting for a candiate that will even propose that solution).
  • summary fail (Score:4, Informative)

    by ahziem ( 661857 ) on Tuesday November 04, 2014 @04:29PM (#48313151) Homepage
    Among popular cards, American Express uniquely has 15 digits. (VISA, Mastercard, and Discover have 16 digits.)
  • by Anonymous Coward

    America (the USA, to be precise) seems to have problems no other developed country has, any more. Among them the absence of universal medical coverage and the old-fashioned credit cards. This is not USA bashing, but an expression of true amazement. For instance, codebooks, or one-time codes sent by SMS have been routinely used in Europe for quite some time now in conjunction with credit cards that are otherwise quite secure by themselves. American Express refused to upgrade and it cost them a lot of clients

  • Visa has a tokenization program available for 3rd parties who want to integrate it. It just so happens that the biggest vendor so far is Apple.
    • Here's a shiny powerpoint to download. Click Here. They say it works. They also say some random number (that sometimes has a letter in it?) next to a $ sign with god awful English.

      Seriously, click here [visa.com].

  • 10 years or so ago, AMEX had "Private Payments", where you could generate a single-use number for a transaction. The number was valid for a single transaction and expired in two days or so.

    Then they dropped the service. I never figured out why.

  • "American Express is trying to improve its security by moving towards the use of unique tokens for online purchases."

    The dumbest idea in online purchases was using Credit Card numbers in the first place ...
  • folks here in the upper 1% of collective intelligence are arguing about what's the best method for the Oligarchs to track us, our purchases, and our movements. Screw accounts, numbers, tokens, plastic, binary 1's and 0's in a computer....Why not barter our time and talents? Why not use cash? Why force small retailers to pay for a transaction some financial entity has no business profiting from, much less knowing about. I pay cash for just about everything, and the things I do purchase electronically are
  • For a long time now several banks (I'm talking EU here, I never saw this in the US, but that doesn't mean they don't have it) offer services where you can generate a temporary card number for a one-time single transaction, and the generated number becomes invalid after that single transaction. It's meant for online payments - you generate the number with a specified sum that can be spent, you make the transaction after which the number disappears. This, combined with a two-layer online banking login (passwo
  • Generating a secure one time use token for any credit card that is stored?

  • If only there existed a solution for the problem of trustless transactions! If someone could write a white paper setting out an algorithm, what a boon it would be....

Time is the most valuable thing a man can spend. -- Theophrastus

Working...