
SoylentNews is people

posted by LaminatorX on Tuesday November 04 2014, @03:56AM   Printer-friendly
from the 3716-7854-3891-275-489-07/16-491 dept.

In an effort to make Internet and mobile transactions more secure, American Express has launched a new service that aims to replace payment card numbers with unique tokens.

E-commerce sites and digital wallet applications that use the company’s new token service won’t have to store customers’ card details. Instead merchants, banks and payment processors will be able to work with digital tokens that are mapped to real payment card accounts.

The payment tokens can be tied to specific merchants, transaction types or payment devices, limiting the ability of cybercriminals to misuse them if compromised. This means that widespread adoption of tokenization for card-not-present transactions would likely reduce fraud.

Unlike payment card numbers, if tokens are compromised, they can easily be revoked and replaced without the need to physically reissue the cards they link back to.

http://www.pcworld.com/article/2842592/seeking-security-american-express-aims-to-swap-card-numbers-with-tokens.html

  • (Score: 0) by Anonymous Coward on Tuesday November 04 2014, @05:17AM (#112868)

    Has anyone read the spec mentioned in the article?

    I would like to know if all tokens for a specific account contain a unique id specific to that account that could be used to cross-reference multiple purchases at different merchants (or even at the same merchant). I suspect the answer will be yes because these things are not usually designed for the benefit of the account holder, only for the merchants and the payment processor. But I would be elated to find out that a new payment system was also privacy-enhancing instead of privacy-weakening.

    • (Score: 1) by Adam (2168) on Tuesday November 04 2014, @05:25AM (#112869)

      I haven't read the spec, but we can follow the money. If Amex issued a randomish token such that they couldn't be threaded together by merchants, it would give Amex a monopoly on the buying habits of those cardmembers - which they could then sell to merchants. So it may be in their financial interest to make it harder for merchants to directly track the consumer, so they can act as middlemen.

      • (Score: 0) by Anonymous Coward on Tuesday November 04 2014, @06:42AM (#112876)

        AmEx didn't write the spec.

  • (Score: 0) by Anonymous Coward on Tuesday November 04 2014, @06:29AM (#112875)

    Do all of the protections for credit cards apply?

    Or is this their way of getting out from liability.
  • (Score: 2) by zocalo (302) on Tuesday November 04 2014, @08:43AM (#112903)

    I've been waiting for something like this for ages to make one-off purchases - via the Internet or otherwise - if not more secure, then at least to block further abuse of your card. My preferred approach would be that you could acquire one time use card numbers, potentially with a max value attached, for such purchases either acquired on demand from the bank's website or in batches, so it sounds like this is fairly close to that. The snag with my approach is that if the idea gets too popular then it's going to burn through card numbers at a huge rate, so management of the disposable number ranges would require some thought, the use of distinct tokens sounds like it would sidestep that though.

    The other issue that I can see is that merchants like to track their customers and card numbers are a great way of doing that, so I'm expecting them to be less than keen to adopt this without some way of tying a token ID back to a specific customer. On the other hand, the re-use of a one time use token that is indistinguishable from a real card number would be a huge red flag to the bank that they might be dealing with an unscrupulous merchant or leaked card database - once a genuine failed transaction had been ruled out.
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Tuesday November 04 2014, @01:58PM (#112945)

      Amex used to have one-time-use numbers as far back as 2000.
      Citi still does, so does BoA (they got them when they acquired MBNA).
      Paypal used to do it.

      • (Score: 2) by zocalo (302) on Tuesday November 04 2014, @04:24PM (#112985)

        Yeah, I'd seen a few things about previous trials in this general area previously, although few of them seemed to get beyond the initial trial period and into what might charitably be called "production", and those that did never seemed to last very long before sinking into obscurity and being quietly dropped. The bit about this attempt being based on a published standard and the recent spate of high-profile card thefts does give me hope that the credit card companies might finally be serious about doing something about the problem though. Of course, given the way some merchants recently decided to drop Apple & Google's payment system in favour of their own, I don't think it's going to be a completely smooth ride unless Amex, Mastercard & Visa can somehow make the process advantageous to the merchants. Well, that or simply leaning on them to force adoption; "You *will* accept these tokens, or we won't be processing regular cards for you either..."
        • (Score: 0) by Anonymous Coward on Tuesday November 04 2014, @04:39PM (#112991)

          > Yeah, I'd seen a few things about previous trials in this general area previously, although few of them seemed to get beyond the initial trial period and into what might charitably be called "production", and those that did never seemed to last very long before sinking into obscurity and being quietly dropped.

          If that's all you saw then you haven't been paying attention. The technology used by all of those companies named so far (and used by lots more outside of the USA) is all based on Orbiscom's "controlled payment number" [wikipedia.org] and like I said BoA and Citi have been in production use for well over a decade. Not "charitably" in production, in actual production with a button right on the logged-in web page for every CC account at those banks.

          • (Score: 2) by zocalo (302) on Tuesday November 04 2014, @05:42PM (#113006)

            You're right, I haven't really been paying attention, mostly because I don't tend to like beta testing things that have a link to my credit card or bank account so I've just been tracking development when things have popped up on tech sites. However, judging by that web page you linked, current adoption falls into three groups:
            • Conferma (2006). Used exclusively for corporate travel/hospitality. Probably widespread and global, but hardly mainstream.
            • Mastercard (2009). Largely limited to US-based banks with some other markets (probably more than listed), but still not a huge list. Admittedly some of the US banks (MBNA especially) do offer credit cards, but mostly in my part of the EU we get our credit cards directly from our bank, not a third party like MBNA. RBS apparently introduced something last year which is probably the most likely one to be mainstream here, but that's passed mostly below my radar so far as I don't bank with them.
            • Abine (2014). Brand new and entirely US based - for now at least.

            So, the only one of those that applies to the general public outside of the US is the Mastercard system from 2009, and even then you'd have to be using a third party credit card or banking with a specific bank, so easy to miss unless you were looking out for it.

  • (Score: 2) by Justin Case (4239) on Tuesday November 04 2014, @11:58AM (#112928) Journal

    If this is anything like previous efforts to "improve security" in the electronic payments space, it will:

    * Require you to download unsigned Windows-only software over an http connection

    * Leave said software running constantly, whether you are shopping or not, or even if you close your browser

    * Require you to use Internet Explorer, probably further tied to an outdated version

    * Install an Active-X control that gives any web site full control of your hard drive

    * Send every URL you visit back to the Mother Ship

    and yet still

    * Not prevent the same number from being reused hundreds of times by a thief

    * Not allow you to set a maximum amount that can be spent per token or per transaction

    * Not prevent the merchant from signing you up for monthly auto-pay that you can't cancel without major surgery

    * Remove all fraud protections because "you were using our new fraud-proof system"

    • (Score: 1) by Entropy (4228) on Tuesday November 04 2014, @02:41PM (#112959)

      They used to have a 'generate a temporary credit card number' feature years back. I loved it, and used it extensively. I logged into a web site, said give me a number, and then pasted this into whatever merchant I didn't exactly trust. I imagine it'll look like this, or an Android/iPhone app. The Android phone release will likely be delayed waiting for iPhone approval (lol).

      Good new target for malware, I suppose.

  • (Score: 2) by PizzaRollPlinkett (4512) on Tuesday November 04 2014, @02:51PM (#112963)

    So far, the trust until revoked model of security hasn't worked very well. For example, it's given us Stuxnet and its imitators. The time between the trust and the revocation is what the badniks exploit. As long as that window of time exists, the model will be exploited. Someone, somewhere is going to have to generate these tokens, and when the generator is exploited, that's real money being drained off. I don't know if this is any better than credit card numbers. Sounds like adding another layer of things that can go wrong.

    --
    (E-mail me if you want a pizza roll!)
  • (Score: 1) by diaz (3491) on Tuesday November 04 2014, @03:20PM (#112968)

    My Bank of America card (formerly First USA) lets you create a virtual credit card number via a web page. You specify the limit (I usually do $5 over the invoice total) and an expiry 2-12 months beyond today (I usually use 2). It is accepted at any web merchant and once used, can only be used at that merchant. That way, if it is stolen 1) it has nothing left on it, 2) it probably won't be valid by the time it is sold, and 3) it can't be used elsewhere. The virtual card transactions appear in my regular CC statement just like the ones from my regular card.

    This is a great system and I'm really surprised that other cards don't offer it.
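The merchant-bound, revocable token described in the story summary and the capped, expiring virtual card number diaz describes in the comment above are the same mechanism seen from two sides. The following toy vault is an added example written for this page; it is not American Express's, Orbiscom's or any bank's code. The 16-digit random surrogate, the order of the checks, the merchant names, the account reference and the amounts are all assumptions constructed for the illustration.

```python
"""Toy payment-token vault: an added illustration, not AmEx, Orbiscom or any
bank's code.  It models what the story summary and the comments describe:
tokens that stand in for the card number, are bound to a merchant and a
channel, carry a spending cap and an expiry, and can be revoked without
reissuing the card.  Merchant names, account references and amounts below
are constructed for the example."""
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Token:
    value: str                   # surrogate the merchant stores instead of the PAN
    account: str                 # opaque account reference known only to the vault
    merchant: Optional[str]      # bound merchant; None until first use locks it
    channel: str                 # "cnp" (card-not-present) or "pos" (in person)
    limit_cents: Optional[int]   # spending cap over the token's life; None = uncapped
    expires: date
    spent_cents: int = 0
    revoked: bool = False


@dataclass
class Vault:
    tokens: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # (token, bound merchant, presenting merchant)

    def issue(self, account, channel="cnp", merchant=None, limit_cents=None,
              months=2, today=None):
        """Mint a 16-digit surrogate.  It is random, so it reveals nothing about
        the PAN and cannot be threaded across accounts; it keeps the PAN's shape
        so existing checkout forms accept it (an assumption of this toy)."""
        today = today or date.today()
        value = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self.tokens[value] = Token(value, account, merchant, channel, limit_cents,
                                   today + timedelta(days=30 * months))
        return value

    def authorize(self, value, merchant, channel, amount_cents, today=None):
        """Decide one transaction presented by `merchant`; returns a verdict string."""
        today = today or date.today()
        tok = self.tokens.get(value)
        if tok is None:
            return "decline: unknown token"
        if tok.revoked:
            return "decline: revoked"
        if today > tok.expires:
            return "decline: expired"
        if tok.channel != channel:
            return "decline: wrong channel"
        if tok.merchant is None:
            tok.merchant = merchant          # first use locks the token to this merchant
        elif tok.merchant != merchant:
            # A token bound to one merchant turning up at another is the red flag
            # zocalo mentions: it leaked from the bound merchant or came from a dump.
            self.alerts.append((value, tok.merchant, merchant))
            return "decline: merchant mismatch"
        if tok.limit_cents is not None and tok.spent_cents + amount_cents > tok.limit_cents:
            return "decline: over limit"
        tok.spent_cents += amount_cents
        return "approve"

    def revoke(self, value):
        """Kill one token; the card and the account's other tokens stay valid."""
        self.tokens[value].revoked = True


def demo(today=date(2014, 11, 4)):
    """Walk one capped, two-month token through the cases the thread discusses."""
    v = Vault()
    t = v.issue("acct-7", channel="cnp", limit_cents=2_500, months=2, today=today)
    verdicts = [
        v.authorize(t, "shop-a", "cnp", 2_000, today),   # approve; token now locked to shop-a
        v.authorize(t, "shop-a", "cnp", 1_000, today),   # decline: over limit (cap is $25)
        v.authorize(t, "shop-b", "cnp", 100, today),     # decline: merchant mismatch, alert raised
        v.authorize(t, "shop-a", "pos", 100, today),     # decline: wrong channel
        v.authorize(t, "shop-a", "cnp", 100, today + timedelta(days=90)),  # decline: expired
    ]
    v.revoke(t)
    verdicts.append(v.authorize(t, "shop-a", "cnp", 100, today))  # decline: revoked
    return verdicts, v.alerts


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Two design points worth noticing. The revocation check runs before every other test, so a killed token can never be rescued by a later rule, and revoking it touches nothing else on the account, which is the property the summary contrasts with reissuing a card. The merchant lock is set on first use rather than at issue time, which is what makes the number usable at "any web merchant" the way diaz describes while still refusing it everywhere else afterwards; a mismatch is both declined and recorded, since in a real token service that event is the signal about the merchant, not the cardholder.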

    • (Score: 2) by VLM (445) on Tuesday November 04 2014, @03:38PM (#112971)

      One problem is it adds about 5-10 minutes to every checkout, and someone who owns your computer / browser continues to own your account, just with a somewhat more complicated set of steps. So it externalizes the cost of poor vendor security onto the customer, while providing little/no value to the customer.

      Also somehow removing all financial attack vectors will likely result in customer lists and transaction records becoming public, not just open to all .com and .gov like now, because security has costs, which will have weird implications.

      Before "inventing" new services, everyone needs to look into the existing "kids account" systems and "gift card" systems already offered.

      • (Score: 0) by Anonymous Coward on Tuesday November 04 2014, @04:49PM (#112996)

        > 5-10 minutes

        You are exaggerating. Anyone familiar with it can do it in about 2 minutes and you even save some time since you can cut-n-paste the generated number instead of typing it and worrying about errors.

        > someone who owns your computer / browser continues to own your account,

        As if that will ever be a solvable problem. If your computer is owned then nothing you do with it can be trustworthy.

        > So it externalizes the cost of poor vendor security onto the customer, while providing little/no value to the customer.

        Sez you. I've been using it for nearly 15 years now. All of my online transactions are done with disposable numbers. Besides the benefit of never having once had to deal with a stolen CC# there is the much larger benefit of being in control of the system. Nobody ever gets to pull that recurring charges scam on me. If I give a merchant a CC# I know that I will only ever be charged for what I explicitly specified when I generated the CC#. No worrying about gatekeepers deciding if they should approve my chargeback, no worrying about the merchant siccing a collection agency after me because I did a chargeback. It simply never gets to that stage. Taking the ambiguity out of the system and putting the control into my hands is empowering.

      • (Score: 2) by etherscythe (937) on Tuesday November 04 2014, @07:14PM (#113020) Journal

        > someone who owns your computer / browser continues to own your account

        It doesn't have to. We have these things called "smartphones" now. If we put our minds to it we could arrange to have an app with free back-end data connectivity service to a bank server to set this up. 30 seconds, done. You could probably even start the process while the checker is ringing up the charges, not requiring anybody to wait for long at the register. Use the smartphone app for ALL purchases, in person or online, and suddenly you have a manageable threat model. Not perfect, true, but manageable. Let's not make the "perfect solution" the enemy of the good one we have available.

        --
        "Fake News: anything reported outside of my own personally chosen echo chamber"
        • (Score: 2) by VLM (445) on Tuesday November 04 2014, @07:39PM (#113027)

          > We have these things called "smartphones" now....Use the smartphone app for ALL purchases...

          Actually, no: only 173 million out of 316 million per some googling. So that's a lot of unbanked people dropping out of the economic system. Even worse if the solution demands only one brand of hardware or some peculiar new hardware. Also, given the ridiculously poor reception in some buildings, it has to work completely offline.

          • (Score: 2) by etherscythe (937) on Tuesday November 04 2014, @10:02PM (#113074) Journal

            You do make a good point re: signal reception. I'd momentarily forgotten how terrible the networks are even here in 1st world America, because I mostly don't run into it myself. Then again, we're talking about a voluntary program at the moment, and given the tendency for crime to happen in urban spaces I'd say the potential for improvement is still quite good. I bet we could add some SMS-based functionality to dumbphones and carry through most of the gap. I bet we could also see local transmitters served by the registers themselves as a workaround.

            Anyway, for people who want to take initiative, I say give us some more options. It's hard enough getting banks to be responsive to the needs of customers; they seem to think "cash back on every purchase" is somehow enough. Sadly it seems to be true in many cases, and that makes it hard enough for everybody to be secure.
