AmEx To Offer "Disposable" Credit Card Numbers

A reader writes "American Express is going to allow card holders to access one-time use card numbers for purchases online. Not only could this cut down online credit card fraud but it might lead to anonymous purchases. " I'm not sure this gets us closer to totally anonymous purchasing, but it does mean that you can take more steps to protect yourself in online purchasing - now only one megacorp (Amex) could have your records!

In hypothetical BigBrotherLand

(you know, the one where the governemnt has monitoring tools like Echelon and Carnivore)

Anyhow, in hypothetical bigbrotherland, when you get cash from an ATM, it's trivial to include a reader into the ATM that will grab the unique, prominent serial numbers on the bills it gives you (in nice, clear, easy-to-OCR type donchaknow), and correltaes that money to you, a specific individual.

Now you spend this twenty (yuppiebuck) at the market/gun club/peepmall and, being a twenty, it will most likely not be given as change to another customer, but will go straight into the deposit pouch that the store gives to their bank at the end of the day/week.

The bank scans the money, correlates the serial numbers again, sees the path of the bill, and generates reasonable probabilities of the path it took through the system.

Do this for a while and you get statistical certainties on cashflows, who spends what where, telling more about a person's cash habits than an FBI interview would.

I've no idea if the system exists currently, but it's preposterous to think that cash is really anonymous, because cash literally isn't anonymous as long as it has a serial number. It may be anonymous enough for a given purchase, but in the aggregate it tells a great deal about you.

Kevin Fox

Re:How long could they keep doing this?

The first 6 are the BIN number. These are assinged to the banks or creditcard companies in major lots (so MasterCard gets only 5.* and Visa gets 4.*) but there are other 5's that have been assgned to non MasterCards. The short answer is that two cards with the same first 6 number will be issued by the same bank. Currently a given BIN range is also used to tell if its a "gold" as well.

Different countries tend to use different number schemes. The US tends to use nice blocks of well defined numbers which makes scanning trivial. Other banks have even used fully random assignements.

There is no check digit. The "mod 10" system used simply says the sum of the even digits plus the sum of the odd digits x 2 will be a nice mod 10 number. Go look at some of the perl code that does the check and then write the routine in assembly on a machine with BCD instructions. One is about 5 lines and the other isn't. The system was designed to catch transposed digits. if the card is 1234 then the system will catch 1324 and 2134 but not 3214 or 1432. These is also a 1 in 10 chance that bad card number will correctly checksum. Keep in mind that there are still places where those numbers are routinely hand keyd.

No accountability

The income tax people will FREAK on this.

This is why offshore accounts are illegal!

(1st?)

throw-away card == thrown-away money

A disposable credit card is an interesting idea, but unless it's possible to refill the card (thereby defeating part of the reason for having one), it means we'll have the same problem we have with disposable phone cards: they get thrown away with money still on them. After normal use, there's always a small balance that can't be spent through normal use, and the credit company will stand to rake it in as pure profit.

sneakemail and sneake-cc?

Assuming that using a disposible cc number is anonymous, (why wouldnt it be, it would be like a phone card), by using this and sneakemail.com [sneakemail.com] an "e-consumer" would have much more control over his/her purchasing identity and power over junk in their mailboxes (both snail and e) and more importantly, would significantly impact the very valuable side effect of current purchases - customer data. By drying up that source of data we might effect businesses hunger for it, turning their desire elsewhere (maybe towards quality), and be closer to turning an ebusinesses view of the internet as a black box that their goods go in and money comes out. Of course the danger is that cc companies see the value and start selling customer data back to the ebusinesses.

Not such a good idea... couple of reasons why

This may sound like a good idea, but it has its drawbacks.

The first drawback is granularity.

• If the value of every single card is large (few hundred dollars), it would be a mugger's paradise because people don't usually carry around much in cash, but a potentually valuable payment card would be a good target.
• If the value of every single card is small, no one will use it for larger transactions. You can buy your roll of bread quite comfortable using real money, and if you have to enter a dozen numbers when you buy your new $99 sound card online, the system is not going to be very popular. We've had this in Germany because it was considered to use prepaid phonecards for transactions. The idea was dropped, however.

The second drawback is non-rechargability. If recharging devices were available, people would start stealing those and recharging their cards at will. To make this impossible, one has to provide each card with a sort of "shadow bank account" and have the recharger communicate with some central authority. Then, you could desable known stolen rechargers.

The third and worst drawbacks is that if it's an electronic device, you can fake it. I spent some time in 1996 assembling a microcontroller-based board that could pretend it was a German phonecard. No one would introduce a payment card that could be faked this way. In order to stop this, one has to introduce either advanced secret card signing algorithms, which are sure to either leak out or be faked sooner or later, or use shadow accounting like with the German GeldKarte ("money card"). Again, anonymity and non-traceability can no longer be guaranteed, and the advantage will be gone.

A very good introduction how the German GeldKarte payment card system works can be found here [addcom.de]. I'm sorry that it's all in German, but the system is specific to Germany, so most people wouldn't bother to translate it. You can try the fish [altavista.com], though. An English introduction can be found at Manni's page [baier.net]

.

Re:Testing earlier this year...

Fundamentally, I don't care if a transaction is traced to me. Yes, hello, I buy things that get shipped in plain brown packages. I do like the idea of not having to use my debit card (I too refuse the concept of credit as I've seen that version of Hell and have no desire to go back).

Currently I use a similar variation where I have an account at one bank with a debit card and I only keep a small amount of money in there for online buying. This could be made easier if I could just transfer money to a temporary number while I am shopping, use that number and never have to worry about who has sniffed that number. It would also make tracking my online purchases easier as I would get one statement listing all my debits from my account to temp numbers and a list of the amount of money stored on the temp numbers.

Similar to one time passwords

VISA and AmEx have been kicking around ideas to do something equivalent to one time password cryptocards. This is a simple version of the same idea, without all the fancy hardware. If it works, expect the idea to take off with all the major card issuers.

What will probably happen later on is, you will be given an electronic card, with a special token embedded in the circuitry. When you want to use your credit card number online, instead you push a button and a small display tells you the cryptographically hashed version of the card, valuable for a single use over the next hour or so.

The hash function combines a real time clock value, the token, and a counter for each use.

The servers will have a copy of your token, know the time, and keep a local counter. Then the server can compare the crypto hash of your card. If they match, the transaction is authorised. Then later the billing department matches up your hashed number with the real number, and you see the charge show up on your bill.

There are a ton of other little details which the crypto card industry has worked out, but the system mostly works. Too bad this neat methodology will be patented to death, so only the big boys can play with it.

the AC

Re:One-time pads or algorithm?

how long before a cryptologist breaks the algorith to determine whether the number is a valid entry?

What cryptologist?

function isCreditCard(st) {
// Encoding only works on cards with less than 19 digits
if (st.length > 19)
return (false);

sum = 0; mul = 1; l = st.length;
for (i = 0; i digit = st.substring(l-i-1,l-i);
tproduct = parseInt(digit ,10)*mul;
if (tproduct >= 10)
sum += (tproduct % 10) + 1;
else
sum += tproduct;
if (mul == 1)
mul++;
else
mul--;
}

if ((sum % 10) == 0)
return (true);
else
return (false);
}

Blame the shitty formatting on /.'s lack of a <PRE> tag. It took me about three minutes to get it to look even this readable.

I pulled that piece of JavaScript off of some web page way back when. My notes say (don't recall where I got this part from): Credit cards use the Luhn Check Digit Algorithm. The main purpose of this algorithm is to catch data entry errors, but it does double duty here as a weak security tool.

For a card with an even number of digits, double every odd numbered digit and subtract 9 if the product is greater than 9. Add up all the even digits as well as the doubled-odd digits, and the result must be a multiple of 10 or it's not a valid card. If the card has an odd number of digits, perform the same addition doubling the even numbered digits instead.

Re:Feeling safe

>>I feel pretty safe buying online

I felt pretty safe buying online too -- Until somebody somewhere hijacked my card number, and I suddenly had over a $1000 worth of speakers and stereo equipment show up on my bill. No, I did not have to pay for it, and even if they caught the person who did it (a pretty good bet, since the moron also used it to pay his cell phone bill), I wouldn't know for sure that it was from an online purchase becuase they don't release any information about the investigation. But it makes you feel quite vulnerable, and does a lot to make you a little more cynical about tossing your card number around (it was an AmEx, by the way). So, I'm all for this because my security concerns are based on more than artificial worries.

Buying online is probably safer than buying in person. If you take the normal precautions (secure site that is known) you are almost guarenteed safety. Compare this with a restaurant. You eat your meal and give you card to Joe Waiter to carry away and do whatever he wants. No one steals credit cards off the internet, because it is hundreds of times easier to talk to your buddy who works at Denny's and ask him to get you some credit card receipts. People use stolen credit card numbers on the Net, they don't get them there...

Three steps to anonymity

(1) Turn off computer
(2) Go to retail outlets
(3) Pay cash

Great now it's IPs and AMEXs

As if the IP number shortage wasn't enough, now we're going to run out of AMEX numbers too. AMEXv6 anyone?

I just hope they didn't issue all the AMEX card numbers starting with 18 to MIT!

Testing earlier this year...

They were testing this stuff earlier this year at several tech expos. I received a card worth (I think) worth $50 for sitting there and answering a few questions. They could have just as easily emailed me the numbers and said here ya go, use it online instead of giving me a piece of plastic that was worthless after just one usage.

Hmm...looking through my wallet I still got it...I probably still have a dollar or two on this card if anyone wants it :-)

3790 112994 91001
good 02/00 thru 11/01

Blah...to be honest, I really wish I had more of these things. Much easier than carrying cash, and I don't have to worry thieves getting access to my Debit Card (long since gave up the credit thing...) and depleting my account and waiting the 8 months for my lousy bank to redebit the 2 grand the fuckers stole and charged up 4 days after reporting it stolen.

grumble grumble...

clif

Re:No accountability

Can you elaborate on the potential abuses you forsee?

Much of tax evasion and illegal activity detection is based on detecting patterns in otherwise unrelated financial data. Data gathered in audits and submitted by financial institutions is placed into one big soup from which patterns are detected and individuals are picked to have the microscope placed upon.

By providing a next to anonymous conduit for an individual transaction, the possibility of detecting currency flows by means other than direct AmEx record access is reduced by orders of magnitude. This would make IRS fishing expeditions next to useless, and require subpoenas to get at financial information that now can be found/deduced through the regular audit process.

Like I said, they gonna freak :)

Re:Are there enough valid numbers?

Actually the key space is significantly more restricted than this. The paragraph below explains this and is quoted from howstuffworks.com [howstuffworks.com]

What Do the Numbers on My Credit Card Mean?
Although phone, gas and department stores have their own numbering systems, ANSI Standard X4.13-1983 is the system used by most national credit card systems. Here are what some of the numbers mean:

• The first digit in your credit card number signifies the system -- 3=travel/entertainment cards (such as American Express and Diners' Club), 4=Visa, 5=MasterCard and 6=Discover Card.
• The structure of the card number varies by system. For example, American Express card numbers start with 37; Carte Blanche and Diners Club with 38.
• American Express: Digits 3-4 are type and currency, digits 5-11 are the account number, digits 12-14 are the card number within the account, and digit 15 is a check digit.
• Visa: Digits 2-6 are the bank number, digits 7-12 or 7-15 are the account number, and digit 13 or 16 is a check digit.
• MasterCard: digits 2-3, 2-4, 2-5 or 2-6 are the bank number (depending on whether digit 2 is a 1, 2, 3 or other). The digits after the bank number up through digit 15 are the account number, and digit 16 is a check digit.

________________
They're - They are
Their - Belonging to them

great idea, but is it a band-aid or a real fix?

We should be asking ourselves what we want the on-line transaction of the future to look like. This is certainly one way of doing it, and you can bet that Visa and Mastercard will shortly follow suit, but is it the best way?

It certainly has advantages over typing your card number into 50 different on-line databases, but your credit card itself is still the weak link in the chain. Sooner or later the question of authentication will rear its ugly head. How do you know that it was really Joe Shopper requesting that disposable number, and not Joe Cracker?

On another note, notice how anonymity is hyped in the article, and sometimes used in place of privacy? Do we have an unlikely ally in our quest for true web anonymity (i.e. "You don't know who I am."), as opposed to privacy (i.e. "We know who you are. Trust us; we'll try really hard not to tell anyone.")?

Lastly, as another poster already said, the government is sure to get twitchy about this. How will they tax anonymous purchases? Requisition monthly transacion records from AmEx?

Re:No accountability

What is this guy talking about? Offshore accounts are legal.. if used for legal purposes.


But anonymous and undeclared accounts are NOT legal. Also, any financial transaction over a certain threshold is illegal for a US citizen, period, unless the appropriate form is submitted to government by the financial institution. It seems to me that this technology can be very easily applied by anyone who gets a merchant account to achieve near-complete financial impenetrability for money transfers, aka "laundering".

And its not like these credit cards are going to be regulated any different then normal credit card

In theory no. But in reality, I believe that the technology as described allows for very easily circumvention of existing financial regulations.

Sure, there are enough numbers...

Here's how it would likely work:

The numbers need not be "one time only" usage by AMEX. Basically, AMEX only needs to keep the number active long enough for the transaction to be processed, which would last perhaps one month, then the number goes back into circulation. What they would track then is an activity log for each number (for each number, who used it, when, and where) and an activity log for each user (what number they used, when, and where). Any billing questions can be referred to the log for archive purposes and the numbers stay active only for as long as they're needed, then AMEX drop them back into general circulation.

This is not going to be an easy accounting task: issuing number, tracking their usage, deactivating, then reactivating them. I can tell you that I'm pretty good with logistics (being a police dispatcher tends to develop those skills ) and it'd be a nightmare for me to track. I'm not sure of any better way to do it, though.

If there's going to be a security loophole, it'll come in the time a number is active, after the transaction is processed, but before the number is deactivated and put back into circulation.

-Jimmie