I don't see any advantage to this proposal over the use of one-time credit card numbers for untrusted vendors and normal credit card numbers for trusted vendors. Several CC issuers (Citibank in my case) already allow me to obtain at will a single-use credit card number that bills to my normal account, using a web interface. I then rely on the security of my transaction with Citi -- exactly as I would have to do to obtain the "name field" code in this proposal. Repurposing the name field is sure to create a myriad of subtle problems and is, plainly speaking, a horrible idea.
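As an added illustration of the single-use number scheme this comment describes (not code from the page or from any issuer), here is a toy issuer-side vault: it mints Luhn-valid numbers that bill to the real account, and declines a number on any second presentation, after expiry, or when it was never issued. The BIN and lifetime are constructed demo values.

```python
import secrets
import time

DEMO_BIN = "400000"          # constructed issuer prefix for the demo, not a real range
TTL_SECONDS = 24 * 3600      # constructed lifetime of a freshly minted number


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:       # rightmost digit of the partial is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


class SingleUseVault:
    """Issuer-side store mapping each single-use PAN to the customer's real account."""

    def __init__(self):
        self._numbers = {}   # pan -> {"account", "expires", "used"}

    def issue(self, account_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        while True:          # loop only guards against the rare collision
            body = DEMO_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            pan = body + luhn_check_digit(body)
            if pan not in self._numbers:
                break
        self._numbers[pan] = {"account": account_id, "expires": now + TTL_SECONDS, "used": False}
        return pan

    def authorize(self, pan: str, now: float = None):
        """Return (approved, reason, billed_account); a number is good for one use only."""
        now = time.time() if now is None else now
        if not luhn_valid(pan):
            return (False, "invalid-pan", None)
        rec = self._numbers.get(pan)
        if rec is None:
            return (False, "unknown", None)
        if rec["used"]:
            return (False, "already-used", None)
        if now > rec["expires"]:
            return (False, "expired", None)
        rec["used"] = True   # burn it: a merchant or thief replaying it gets declined
        return (True, "approved", rec["account"])
```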
Architecturally Unsound
From a data architecture perspective, this breaks one of the fundamental principles "thou shalt not re-use a data field for data that has another meaning".
How on earth do you know (though a human could easily tell) what data is in the field - the name, or the name + auth code - and how to treat it accordingly? You would still have to change the back-end code to not store the one-time auth code, if (and should the Data Protection Act allow) you wish to re-use the cardholder name field.
How does a retailer know that the new account, marked as "trusted vendor", is not using a false address if there is no vendor address verification process? In addition, fraudsters are already trying such tricks as pulling their car up onto the driveway of holidaying owners, or arriving just as the scheduled van arrives and saying they have "only just got home".
It is this sort of undesign that causes nightmares and sleepless nights for the support team. Especially when it ends up as an "undocumented feature"...
Yes, it may work - as a quick and dirty fix - but I am extremely surprised to see it being recommended as a strategic option.
There is, however, much value in the idea of using a mobile phone for one-time authentication. Even if both the card and phone are stolen, the latter may, nowadays, be registered with MIND and quickly blocked (and is more likely to be missed).
Could Phone Factor Authentication fit?
I wrote about the use of mobile phones as the equivalent fob in my blog, which is exactly the goal of Positive Networks' PhoneFactor.
It would seem to me that this approach would be of great value for the credit card issuer - require a mobile phone number (81% market penetration today) for authentication of online transactions. The card processor delivers an authentication request to the mobile phone, which rings and plays a message about the transaction to the user; the user accepts or denies the transaction. No extra fobs. Eas(ier) support. The change to the backend is about directing the authentication process to the PhoneFactor service - shouldn't be that big a deal...
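An added sketch of the out-of-band flow this comment describes, plus the amount threshold suggested further down the thread (example code, not PhoneFactor's or Positive Networks' own): the processor opens a challenge bound to one transaction, the phone side returns the user's keypress as an authenticated answer, and the processor accepts it only once, only unmodified, and only before the deadline. The shared key, threshold and timeout are constructed demo values.

```python
import hashlib
import hmac
import secrets

DEMO_SERVICE_KEY = b"demo-shared-key"   # constructed: shared by processor and phone service
CALL_THRESHOLD_CENTS = 5000             # constructed: calls only for purchases >= $50.00
CHALLENGE_TTL = 60.0                    # constructed: seconds the user has to answer


def _mac(key, *parts):
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class OutOfBandApproval:
    """Processor side: open a challenge tied to one transaction, then verify the answer."""

    def __init__(self, key=DEMO_SERVICE_KEY):
        self.key = key
        self.pending = {}   # challenge id -> transaction details and deadline

    def start(self, phone, amount_cents, merchant, now):
        if amount_cents < CALL_THRESHOLD_CENTS:
            return None, "below-threshold"          # small purchase: no call placed
        cid = secrets.token_hex(8)
        self.pending[cid] = {"phone": phone, "amount": amount_cents,
                             "merchant": merchant, "deadline": now + CHALLENGE_TTL}
        # The spoken prompt names amount and merchant so the user approves a specific transaction.
        spoken = f"Approve {amount_cents / 100:.2f} at {merchant}? Press 1 to approve or 2 to deny."
        return cid, spoken

    def finish(self, reply, now):
        rec = self.pending.pop(reply["cid"], None)   # pop: a replayed answer finds nothing
        if rec is None:
            return "unknown-challenge"
        expected = _mac(self.key, reply["cid"], reply["decision"])
        if not hmac.compare_digest(reply["mac"], expected):
            return "bad-mac"                         # answer altered in transit
        if now > rec["deadline"]:
            return "timed-out"                       # no answer in time means no approval
        return "approved" if reply["decision"] == "approve" else "denied"


def phone_service_answer(cid, keypress, key=DEMO_SERVICE_KEY):
    """Phone service side: turn the user's keypress into an authenticated answer."""
    decision = "approve" if keypress == "1" else "deny"
    return {"cid": cid, "decision": decision, "mac": _mac(key, cid, decision)}
```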
Innovative Card Technologies
Innovative Card Technologies develops and markets secure powered cards for payment and identification. It looks and feels like a credit card, but has an embedded display that generates a one-time password each time the button is pushed. This can be used to verify that the owner of the card has possession of it.
Verisign uses this technology as part of their VeriSign Identity Protection product. I have one in my wallet. You can purchase and use this card as your OpenID identity by using Verisign's Personal Identity Provider offering.
Links:
http://incardtech.com
http://www.verisign.com/static/042852.pdf
https://pip.verisignlabs.com
One thing
Thank you for the important writing... a major issue for all of us.... One thing: you said "A new universal second factor would be useful," and I thought: probably NOT universal is better protection... more unique.
It works with people... maybe with virtual identity too? :-)
One-time credit card numbers
The concept of one-time credit card numbers is really interesting - I hadn't heard of this approach.
Single use numbers are great
Single use numbers are great - they are all I use for online shopping.
What about something like
What about something like PhoneFactor? It's realtime out-of-band authentication using a voice channel as a 2nd factor. For example any purchase over a certain amount, I would receive a realtime phone call to approve or cancel that transaction.
How to Get Good Credit Gab blog
My blog, How To Get Good Credit Gab, provides the opportunity to share thoughts, ideas and experiences about obtaining good credit and emphasizes the importance of building and maintaining good credit and the perils of personal financial mismanagement.
Please consider adding this video to your site:
http://www.youtube.com/watch?v=2fi0okku_X4