
Browsers Will Store Credit Card Details Similar To How They Save Passwords (bleepingcomputer.com) 182

An anonymous reader quotes a report from Bleeping Computer: A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online. Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords. The API is also a godsend for the security and e-commerce industry since it spares store owners from having to store payment card data on their servers. This means less regulation and no more fears that an online store might expose card data when getting hacked. By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user. Browsers that support the Payment Request API include Google Chrome, which first added support for it in Chrome for Android 53 in August 2016, and added desktop support last month with the release of Chrome 61. Microsoft Edge also supports the Payment Request API since September 2016, but the feature requires that users register a Microsoft Wallet account before using it. Firefox and Safari are still working on supporting the API, and so are browser implementations from Facebook and Samsung, both eager to provide a simpler payment mechanism than the one in use today.

  • by Anonymous Coward on Friday October 06, 2017 @10:35PM (#55325925)

    With the greatest respect:

    How about no.

    • All that needs be said about this.
    • by Chas ( 5144 )

      Howsabout "HELL FUCKING NO!!!"?

      If this hits browsers, the first thing I'm doing is disabling it.

    • With the greatest respect, how about fuck no.

  • by El Cubano ( 631386 ) on Friday October 06, 2017 @10:36PM (#55325931)

    ... just like they currently do with passwords

    I don't trust any browser to store even my Slashdot login password. Why in the world would I trust it with my credit card? In fact, I don't even let merchants store my credit card if at all possible (I either choose the option not to save the card or manually delete the card after the purchase).

    It seems like nobody who understands and actually values privacy and security would do this.

    • by ShanghaiBill ( 739463 ) on Friday October 06, 2017 @10:58PM (#55326017)

      I don't trust any browser to store even my Slashdot login password. Why in the world would I trust it with my credit card?

      Because the alternative to sharing your password is to keep it secret and type it each time you need it. But the alternative to your browser storing your CC# is that it is stored by every online merchant you buy from.

      • by Anonymous Coward

        If I, as a consumer, could control the use of, the "When", that this number can be used, then I would be in control. And "Control" is the whole point. Everything else is advertising.

        • If I, as a consumer, could control the use of, the "When", that this number can be used

          That is exactly how it works. You get a popup, and you type in your CVV# to authorize the transaction. You have total control.

      • Because the alternative to sharing your password is to keep it secret and type it each time you need it. But the alternative to your browser storing your CC# is that it is stored by every online merchant you buy from.

        Unless you specifically ask the website to store your CC info, it's not saved beyond that transaction (or it's not supposed to be saved). This is why you need to re-enter it otherwise. With the data stored in the browser, then *any* website can query your stored payment info.

        • With the data stored in the browser, then *any* website can query your stored payment info.

          Bullcrap. This is totally wrong. RTFA ... or download the latest Chrome and try it.

          • With the data stored in the browser, then *any* website can query your stored payment info.

            Bullcrap. This is totally wrong. RTFA ... or download the latest Chrome and try it.

            From TFA:

            The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

            Though, it's unclear as to what information can be queried. Furthermore, whatever Chrome has implemented isn't the final API being developed.

            • or detect when the user is paying from a normal or incognito mode session.

              But what if incognito is your normal way of browsing?

              • But what if incognito is your normal way of browsing?

                Then you've probably already run into a lot of demands to whitelist a site.

                Private Browsing in Firefox enables tracking protection [mozilla.org], a built-in blacklist of servers involved in tracking a user's behavior from one site to another. Numerous ad-supported websites depend on this tracking for interest-based advertising and aren't smart enough to fall back to self-hosted ads if the tracking servers can't be reached. So if tracking doesn't work, a site like TV Tropes pops up a demand to disable tracking protection.

            • by AmiMoJo ( 196126 )

              Good investigation of the current API here: https://blog.lukaszolejnik.com... [lukaszolejnik.com]

              TL;DR there are some major privacy problems with it, but bug reports have been filed so hopefully they will be fixed.

      • by rtb61 ( 674572 )

        A better payment system would be the store getting your id and details and then clearing the payment with your credit supplier, who then confirms those details with you via your card details and limited remote authorisation code (spend limited). Onsite with a photo taken of the transaction and attached to the spend and offline, digital ID hardware could be used, a rotating aligning crypto exchange, unique to the device and the credit provider servers (think an encrypted clock client connected to an encrypted

      • But the alternative to your browser storing your CC# is that it is stored by every online merchant you buy from.

        No, the alternative to your browser storing it is that you type it in every time you buy something -- just like with passwords.

        • by tepples ( 727027 )

          No, the alternative to your browser storing it is that you type it in every time you buy something

          And getting demerits on your credit report for failing to remember to pay a monthly bill.

      • Not so. For instance, I currently use a password manager to load my passwords and credit card details directly into my browser, without necessarily having to type my master password in each time I need any specific password or credit card.

        Why not take that a step further? Have browsers implement an API through which they can request payment details from external apps of our choosing. The browser sends out a request for information that would allow it to engage in a transaction for a certain amount to a cer

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      yes, it is very stupid to store stuff like this in the browser; but you're fooling yourself if you believe that by not 'saving' the card or by 'deleting' the card at the merchant site you're preventing the merchant from retaining the card details. they ALL store that shit anyway, regardless of what the user does. and a lot of them also retain cvv security code as well, even though they aren't supposed to.

      the only thing you can do is use virtual numbers (like what paypal used to offer years ago, or what a fe

      • This is why I use PayPal: the merchant never receives my card-details at all, only PayPal has them. The merchant only receives a token from PayPal that can be used for drawing the agreed-upon amount of money from your account via PayPal's API and unless the token is a subscription-token, it can't be used by the merchant to draw more money from your account at a later date. It's a million times safer than just giving your card-details to this and that website and hoping they're trustworthy -- which they most likely aren't!

        • It's an extensible API. It will work with PayPal, Apple Pay, Google Wallet, etc as well if they choose to support it.

    • by lucm ( 889690 )

      It seems like nobody who understands and actually values privacy and security would do this.

      I understand and value privacy and security, and I have no problem with storing my credit card info in my browser, as long as there's full disk encryption on the laptop in case it gets stolen.

      The browser is not a concern; the world of online payments already is a gigantic farce. If you ever have the opportunity to integrate some of those payment gateways in an app you'll see how fubar it is. Besides the serious ones like paypal, Google Pay or Apple Pay, there's a shitload of smaller players with plain terri

    • I don't trust any browser to store even my Slashdot login password.

      Obviously this article is not aimed at the tinfoil hat crowd.
      Google uses government mind control satellites for that.

    • I couldn't give two shits about my credit card. the personal information is what has value.
  • I use a separate browser install to make payments (and access any accounts/passwords that would matter if compromised).
  • by Anonymous Coward

    When I saw this story I had to double check that it's not April 1st. This is a bad joke in terms of security. Like a zero trust model, users should give their browser zero trust, or the next sandbox or plugin exploit means everything you've saved in your browser is in the hands of criminals.

  • will enable its user(s) to rule the world.

    Seriously, is everything in these encryption algorithms protected by hoping that the product of two large prime numbers can't be easily factored? If so, then I would assume all the world's secrets (and ability to conduct financial transactions) are theirs.

    It's sad that the first network using quantum encryption was put up (literally) by the Chinese (it's using satellites).

    • Seriously, is everything in these encryption algorithms protected by hoping that the product of two large prime numbers can't be easily factored?

      No. State-of-the-art encryption algorithms haven't been based on "factoring prime numbers" for decades.

  • In NO way should ANY browser store Credit Cards!

    • by Mitreya ( 579078 )

      In NO way should ANY browser store Credit Cards!

      Why not?
      I'd rather have someone steal my credit card info than my slashdot credentials.
      I can always cancel (and get a full refund for) any fraudulent CC charges. But a slashdot post under my name is permanent.

      • Re:HELL NO! (Score:5, Insightful)

        by eneville ( 745111 ) on Saturday October 07, 2017 @02:13AM (#55326387) Homepage

        In NO way should ANY browser store Credit Cards!

        Why not?

        I'd rather have someone steal my credit card info than my slashdot credentials.

        I can always cancel (and get a full refund for) any fraudulent CC charges. But a slashdot post under my name is permanent.

        Have you ever tried to cancel a payment? It can take many months. During this time you will no doubt have to get a new card/account details, update regular payments and quite likely be without any spending cash for several days. I think the inconvenience factor and being observant enough to catch fraud before you're rendered bankrupt far outweighs potential gain vs risk.

        • The risk of your CC# getting stolen from this system is so much lower than your PII getting stolen from a credit agency, brick and mortar store, etc. PII theft is much more devastating.
  • PCI DSS Requirements (Score:5, Interesting)

    by Anonymous Coward on Friday October 06, 2017 @10:54PM (#55325995)

    Does this mean that browsers are going to have to be PCI DSS certified?

    That would certainly be interesting, because PCI for example prohibits using anything less than TLS1.2 for secure comms, which might bleed-over into general communications. Could this be the end of non-HTTPS web traffic and SSL/TLS before v1.2? Will browser vendors have to choose between interoperability with (old, shitty) servers and providing storage and transmission of credit card info?

    It would be kind of awesome if one DID imply the other, because the internet would get a lot less shitty really quickly.

    • Of course not - you're not handling other people's credit card numbers, and you do not have a merchant agreement with the card issuers.

      PCI DSS is for businesses that extract money from other people's cards, it's not about storing your own card's info.

      • by MeNeXT ( 200840 )

        You are not, but the browser is. This is Google's browser that is handling other people's CCs.

  • by fahrbot-bot ( 874524 ) on Friday October 06, 2017 @11:00PM (#55326021)
    From TFA:

    Payment providers like PayPal or Amazon might not be on board with this new API since it makes them obsolete, but almost everyone else is.

    Or because, in the case of something like Amazon Payments or "Pay with Amazon" they actually need to store your payment information to process transactions that occur outside the browser. If I'm using that, I don't need my browser to handle it too.

    In many ways, the Payment Request API is a much more secure method of handling online transactions, but it's not perfect either.

    For starters, browser makers now have a full view of your finances and transactions, a situation that some people might not like, and will refuse to store any such information in their browser.

    Ya think? I imagine the above will be a non-starter for many. Like I want Mozilla, Microsoft or Google accessing my CC transactions.

  • by fahrbot-bot ( 874524 ) on Friday October 06, 2017 @11:06PM (#55326039)
    Saw this after posting above. Also from TFA:

    The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

    Just great. Then any website could query your browser for available payment information.

    • by thegarbz ( 1787294 ) on Saturday October 07, 2017 @03:46AM (#55326527)

      Saw this after posting above. Also from TFA:

      The researcher notes that sites that don't sell any products or advertisers could abuse the API to fingerprint and profile users (detect what payment options each user/browser has stored in its settings), or detect when the user is paying from a normal or incognito mode session.

      Just great. Then any website could query your browser for available payment information.

      And? Note that they just say payment information. They don't say anything about credit card details, which don't get handed over without user interaction, and in the case of Chrome still needs a CVV code manually entered. Whether or not you have 1 VISA, or 1 Mastercard and 1 PayPal as a payment option really doesn't matter much. Tracking users is already done with near perfect success. It's kind of hard to get worked up about the leak of trackable information.
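The disagreement in this thread, whether a site can "query your stored payment info", comes down to what the API hands a page at each stage. As an added example (not code from the article, Bleeping Computer, or any browser vendor), here is a minimal merchant-side checkout that separates the pre-interaction query (a boolean) from the details delivered only after the user confirms in the browser's own sheet; it assumes the "basic-card" method identifier of the 2017 implementations and a constructed cart and response so the helpers run outside a browser.

```javascript
// Added example: minimal merchant-side Payment Request API checkout.
// Not code from the article or any browser vendor. Assumes the 2017-era
// "basic-card" method identifier plus constructed sample data.

// Build the constructor arguments from a cart of {label, cents} line items.
function buildRequestData(cart, currency = 'USD') {
  const money = cents => ({ currency, value: (cents / 100).toFixed(2) });
  const displayItems = cart.map(item => ({ label: item.label, amount: money(item.cents) }));
  const totalCents = cart.reduce((sum, item) => sum + item.cents, 0);
  return {
    methodData: [{ supportedMethods: 'basic-card',
                   data: { supportedNetworks: ['visa', 'mastercard'] } }],
    details: { displayItems, total: { label: 'Total', amount: money(totalCents) } },
    options: { requestPayerEmail: true },
  };
}

// Reduce a PaymentResponse to what a merchant may safely keep or log: the PAN
// is masked to its last four digits and the CVV is never retained. The full
// details object goes to the payment processor over TLS and nowhere else.
function summarizeResponse(response) {
  const d = response.details || {};
  const pan = String(d.cardNumber || '');
  return {
    methodName: response.methodName,
    maskedNumber: pan.replace(/\d(?=\d{4})/g, '*'),
    expiry: `${d.expiryMonth}/${d.expiryYear}`,
    hasSecurityCode: typeof d.cardSecurityCode === 'string' && d.cardSecurityCode.length > 0,
    payerEmail: response.payerEmail || null,
  };
}

// The real flow, for a browser. Call it from a user gesture (a click): show()
// is gated on one, resolves only after the user confirms in the browser sheet,
// and in Chrome only after the CVV has been typed there by hand.
async function checkout(cart) {
  if (typeof PaymentRequest === 'undefined') {
    return { status: 'unsupported' };           // Node, or a browser without the API
  }
  const { methodData, details, options } = buildRequestData(cart);
  const request = new PaymentRequest(methodData, details, options);
  // Before show(): the page learns a single boolean, not which cards are stored.
  const canPay = await request.canMakePayment();
  if (!canPay) return { status: 'no-stored-method' };
  const response = await request.show();       // browser UI; user confirms or cancels
  const summary = summarizeResponse(response);
  // Forward response.details to the processor here, then report the outcome.
  await response.complete('success');
  return { status: 'paid', summary };
}

// Constructed sample data (not from the article) so the helpers run offline.
// 4111 1111 1111 1111 is a well-known test PAN, not a real card.
const SAMPLE_CART = [{ label: 'Book', cents: 1999 }, { label: 'Shipping', cents: 850 }];
const SAMPLE_RESPONSE = {        // shape of a basic-card PaymentResponse
  methodName: 'basic-card',
  payerEmail: 'jane@example.com',
  details: { cardholderName: 'Jane Doe', cardNumber: '4111111111111111',
             expiryMonth: '12', expiryYear: '2020', cardSecurityCode: '123' },
  complete: async () => {},
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildRequestData(SAMPLE_CART).details.total.amount.value); // '28.49'
  console.log(summarizeResponse(SAMPLE_RESPONSE).maskedNumber);          // '************1111'
}
```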

  • The problem is idiots will
  • Personally I prefer the Kaspersky Credit Card App to store and retrieve my Credit Card Information, because Kaspersky is an Industry Leader in security applications worldwide, and I know that my payment credentials are safe in their hands.

  • They still need your card data, they still need a payment processor. So, now we don't have to enter our CC, it just sends it behind the scenes. So, this helps lazy people and means that a browser flaw could allow an attacker to charge my CC.

    • The only problem I can imagine this solving is the one where the user makes a typo in the credit card details, which causes delays and possible denied charges. Also, you won't spend 2 minutes on the CC form screen. It will just take seconds. The vendors really do want your money as fast as possible.
    • by Ksevio ( 865461 )
      It solves the problem that you need to pull out your wallet and transcribe your credit card number every time you want to buy something.
  • by fahrbot-bot ( 874524 ) on Saturday October 07, 2017 @02:23AM (#55326405)
    From Simpler web payments: Introducing the Payment Request API [windows.com] (and I read similar on Mozilla, Google and W3.org pages):

    Conversion rates in the checkout flow are a key measure for ecommerce sites. 46% of e-commerce shoppers abandon the checkout process during the payment phase, signaling frustration with the complexity and redundancy of re-entering form data or tracking down payment information. Even a small increase in the success rate of checkout makes a direct impact on your site's bottom line, while improving the shopping experience for customers.

    From Payment Request API [mozilla.org]

    Many problems related to online purchase abandonment can be traced to checkout forms, which are user-intensive, difficult to use, slow to load and refresh, and require multiple steps to complete.

    Sure, this API may make things simpler for you -- the purchaser -- but it seems the focus is on benefiting the seller. Perhaps a narrow distinction, but one that may matter if/when push comes to shove and a side must be chosen by the developers.

    Another thing to consider: Since this is implemented in the browser, if you use multiple browsers to shop, then you'll have to store your information in each browser rather than once on the websites on which you shop -- unless the browser vendors can cooperate on a single, shared data storage method.

    • Sure, this API may make things simpler for you -- the purchaser -- but it seems the focus is on benefiting the seller.

      A purchaser / seller relationship is just that, a relationship. It can get frustrated and end for external reasons. That doesn't mean it benefits one side or the other. E.g. I am hungry, I see McDonalds, I drive into the drive through and see a huuuuuuuuge queue. I leave. Sure, if they efficiently handled the drive through and there was no queue my shopping there may have "benefited the seller", but as I drive away I'm still hungry.

      If you get to the point where you check-out, not being able to complete the sa

    • by AmiMoJo ( 196126 )

      That's an odd way of interpreting it. Surely the user indicated that they wanted to pay, but were frustrated by a crap UI (or were just trying to find out what the postage cost was).

      This sounds like they are trying to encourage merchants to adopt it by insulting their web sites.

    • Conversion rates in the checkout flow are a key measure for ecommerce sites. 46% of e-commerce shoppers abandon the checkout process during the payment phase, signaling frustration with the complexity and redundancy of re-entering form data or tracking down payment information.

      No, that is not the reason and the conclusion is wrong.

      Most web sites do not show the actual price till you actually reach the checkout process. "Log in to see the price", "Check out to see the actual price including shipping, handling and the random charge we tack on". Well, I will click it, see the price and decide it is not worth it.

      If the actual price is shown up front, most of that 46% would not have bothered to go to check out process.

      And there are price comparison bots who use the check out process t

  • NO. (Score:2, Informative)

    by Anonymous Coward

    The browser is the one component in my system I trust less. I mean: its job is to go around the Intratubes picking up every bit of dirt out there and *executing it*?

    I don't put my banking data into that now. Much less when there's a standard with a clear label on it "BANKING DATA HERE".

    "But, but" "Sandboxes". Yeah, right. Ponies. Rainbows. Farts.

    No. Fucking. Way.

  • by Anonymous Coward

    I'm getting into the malware industry

  • Safari already offers to store credit card details.

    It's got a little popup that shows up when you use a credit card, and offers to "save the card".

    Unfortunately Safari also offers an "autofill" feature, and doesn't distinguish between hidden fields and visible fields when providing data.

    Automatic phishing.

    • Credit card information isn't stored with the browser (on the Mac at least, I don't know about anywhere else). It's stored in the Keychain, a much safer place. Also, all of your payment history isn't stored like with this proposal. When filling in the information for a credit card there is only the name on the credit card, the card number, and the expiry date. The CCV isn't stored. Any other fields that would get filled in would be part of some other autofill. You don't start entering your name and have you

      • Credit card information isn't stored with the browser (on the Mac at least, I don't know about anywhere else). It's stored in the Keychain, a much safer place.

        It doesn't matter, if Safari is willing to go into the keychain and then to provide the data to a hidden field, without a user notification.

        I talked to Visa, gave them the information, and a list of about 150 sites that had the exploit being actively used. Then it was also reported to Apple.

  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Saturday October 07, 2017 @06:37AM (#55326779)

    I read quite a few of the comments, and noticed that people here are well aware of the problems with having a browser store this kind of information. And yet, I have a bad, bad feeling that in a few years, it's going to be ubiquitous, perhaps even compulsory. I'm surprised they actually spelled it out so clearly:

    "By moving the storage of payment card details in the browser, the responsibility of keeping these details safe is moved to the browser and the user."

    That's it right there. The banks and credit card companies have been trying ever since plastic was invented to make consumers responsible for losses due to fraud and theft. This is their ticket to paradise.

    So watch for deep discounts. Watch for a flood of trolls masquerading as coolest-of-the-cool tech lords explaining how everybody who isn't a doddering old fool is using it. Watch for laws drafted to force you to use it. Like when you have to renew your driver's license, you get a choice of waiting in an endless line during business hours at a single tiny government office, or bringing your smart phone and an app to a no-wait kiosk in a mall, or doing it from home...ONLY if you use the browser function. Watch for more and more stores refusing to accept bills larger than $10 for cash transactions "because counterfeit" or "because security".

    I'm sure there's a dozen more ways, all based around that "well, nobody's forcing you" lie that's been used so often and so well.

    Let's hope that for once people get together and shut this down before it gets started. Right now liability for fraudulent financial transactions is right where it belongs. We need to keep it that way.

    • by MeNeXT ( 200840 )

      This.

      It's becoming more difficult to dispute a CC charge. When a merchant fails to deliver the product, when Airbnb sends you to an unreachable or rat infested destination, when a product is not as advertised and the merchant doesn't care about making a second sale, you are left holding the bag. This is about shifting responsibility to the consumer.

      What makes me hesitate purchasing online is experiences with online merchants. With Airbnb I found myself in a situation far from home in a dangerous rental. It wa

      • Well said.

        And thanks for the tip about Airbnb. I remember seeing some stuff about them, but it's different coming first-hand from somebody you can get more information from, if necessary.

      • There's a difference between disputing a charge because it's fraudulent from the start and disputing a charge because the vendor didn't come through with the advertised product.

    • perhaps even compulsory.

      Here's why I don't fear that future (even if it happens): I generate a one-time-use CC# for every online purchase, so I use a different credit card number every time. The browser (or website) can store it as long as it wants. Once the charge clears, the number is no longer valid.

  • "This feature is long overdue and can't come soon enough!" - Blackhats everywhere

  • I don't let my browsers remember my passwords. I'm absolutely not going to let them remember credit card numbers.

    • In the early days of the internet, I had a software firewall on my desktop pc called ZoneAlarm. It had some sort of privacy feature where you give zone alarm your personal information (Name, address, zip code, phone number, ssn, ccn, etc.) and it would notify you when ANY program would attempt to send any of those strings out to the internet (in plain text). The problem is, I didn't know if I could trust Zone Alarm not to encrypt all that data and send it to their own servers. That's why I never used that f
  • Which moron thought this is a good idea? Please step forward so that we can beat you with a wet noodle. Seriously, who comes up with this shit??
  • Wouldn't it be nice if the password vaults in browsers also included password generation and the ability to easily update passwords (think Lastpass but built in)?
  • Nov 2001 howstuffworks.com threw up the idea of a 'penny per page' when visiting websites. http://computer.howstuffworks.... [howstuffworks.com]

    Looks like that day is fast approaching. Washingtonpost.com blocks me as I use a hosts file or ADblocker browser on Cell, so I ignore/avoid them. A Payment Request API will allow them to now pull from a previously setup account. Once it starts, all will be looking at it.

  • I don't store passwords in a browser, and I sure as anything NEVER store 'payment information' in a browser. I'd sooner print up 1000 copies of all my CC information and post them on lampposts and grocery store bulletin boards, with "Please feel free to spend my money for me!" printed on them.
