The Almighty Buck

Disposable Credit Card Numbers

nihilvt sent us news that disposable credit card numbers are actually being deployed by several credit card issuers. The technology sounds like it involves a silly Windows plug-in of some sort, but I'd think there's a lot of potential for growth here. Has anyone actually used these systems? Do they work well? (We ran a story on this a few months ago.)
  • by ModelX ( 182441 ) on Sunday March 11, 2001 @09:23AM (#370736)
    Hey, this is great stuff. Bad guys cannot steal your number and the really bad guys cannot trace you with the number.

    So is the next generation of credit cards going to have a built in mini screen displaying the current disposable number?

  • This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...

    This could be avoided with the way the system is supposedly set up. In order to use this permanent one use card, the thief would still need to have access to your password from the credit card company - not Amazon.com.

    "If hackers broke in, they couldn't use the virtual number without your password -- which the merchant doesn't have -- and it couldn't be circulated to other sites."
  • I use the MBNA system as well. (And it works from a Mac; a Control Strip module tells the web browser to open a small window on their flash page...) My understanding is that the temporary account is tied to the first web-based merchant that uses it; even if a cracker were to get the number, if he attempted to use that account it would be denied because he's not that company, not just because of the time or credit limits.
  • by cduffy ( 652 ) <charles+slashdot@dyfis.net> on Sunday March 11, 2001 @10:06AM (#370739)
    ...for a research project at CSU Chico.

    Okay, not /that/ much like this... but it still seems relevant enough to post. :)

    The general idea is that a user is issued a transaction generator (for lack of a better word). This is a small device (with a keypad and LED screen) which maintains a counter with the number of times it's been used, and contains unique public and private numbers. When the user wishes to perform a transaction, he/she enters the amount of the transaction and his/her PIN number. The public number and amount (perhaps obfuscated) are output as cleartext; the private number, amount (again), PIN and counter are sent through a one-way hash. This hash is appended to the card's output.

    The verifying agency keeps track of not only the private number but also recently used counter values. When a transaction comes in for verification, it attempts the hash with the last [INSERT CONSTANT HERE] unused counter values (up to a limit of [INSERT CONSTANT HERE]), as well as the next [INSERT CONSTANT HERE] counter values. If one matches, the transaction is approved and the database of used counter values is updated.

    The end result is that: a PIN is required for each transaction. Each transaction value may not be reused. The most data which can be had from reverse-engineering a card is the private number, which is still useless without the PIN; hence, stealing the generator does no good. Stealing the in-transit data will get you the public number, but (thanks to the one-way hash) no private number or PIN. Even watching someone perform data entry and stealing their stream (taking both the PIN and public number) does no good, as the private number is still unrecoverable.

    The bad news is that the number has to be fairly long to include an acceptable amount of hash data -- I determined 26 alphanumerics to be more than sufficient, but providing this means replacing a lot of equipment. This much data is needed in part because the multiple hashes done in verification increase the chances of collisions significantly. Furthermore, it means that software and equipment that performs a Luhn check (as with CC#s) will need to be replaced.

    I still consider it a nifty idea. :)
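
The counter-and-hash scheme described in the post above, as an added example that is not part of the original post or the research project's code. Assumptions: HMAC-SHA256 stands in for the unspecified one-way hash, windows of 5 stand in for the "[INSERT CONSTANT HERE]" values, the verifier keeps the PIN on file, and all names (`Generator`, `Verifier`, `make_tag`) and sample values are constructed.

```python
import base64
import hashlib
import hmac

# Assumed values: the post leaves its window constants and hash unspecified.
LOOK_BEHIND = 5   # how many older, still-unused counters the verifier retries
LOOK_AHEAD = 5    # how many counters past the highest seen it will accept
TAG_CHARS = 16    # base32 characters of the hash appended to the output


def make_tag(private, pin, amount_cents, counter):
    """One-way hash over private number, amount, PIN and counter."""
    msg = f"{amount_cents}|{pin}|{counter}".encode()
    digest = hmac.new(private, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode()[:TAG_CHARS]


class Generator:
    """The hand-held device: holds the private number, never the PIN."""

    def __init__(self, public_id, private):
        self.public_id = public_id
        self.private = private
        self.counter = 0

    def transact(self, amount_cents, pin):
        self.counter += 1  # every use burns one counter value
        tag = make_tag(self.private, pin, amount_cents, self.counter)
        return (self.public_id, amount_cents, tag)  # only this leaves the device


class Verifier:
    """The verifying agency. Assumption: it also holds the PIN on file."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, public_id, private, pin):
        self.accounts[public_id] = {
            "private": private, "pin": pin, "highest": 0, "used": set()}

    def verify(self, public_id, amount_cents, tag):
        acct = self.accounts.get(public_id)
        if acct is None:
            return False
        low = max(1, acct["highest"] - LOOK_BEHIND + 1)
        high = acct["highest"] + LOOK_AHEAD
        for counter in range(low, high + 1):
            if counter in acct["used"]:
                continue  # already spent, so a replay can never match
            expected = make_tag(acct["private"], acct["pin"], amount_cents, counter)
            if hmac.compare_digest(expected, tag):
                acct["used"].add(counter)
                acct["highest"] = max(acct["highest"], counter)
                # Forget counters that fell out of the look-behind window.
                floor = acct["highest"] - LOOK_BEHIND
                acct["used"] = {c for c in acct["used"] if c > floor}
                return True
        return False


def demo():
    """Run constructed transactions through the verifier and collect verdicts."""
    private = b"constructed-private-number"
    verifier = Verifier()
    verifier.enroll("PUB-0001", private, "4821")
    device = Generator("PUB-0001", private)
    t1 = device.transact(1999, "4821")
    t2 = device.transact(500, "4821")
    t3 = device.transact(7500, "4821")
    results = {
        "out_of_order": verifier.verify(*t2),       # counter 2 arrives first
        "late_arrival": verifier.verify(*t1),       # counter 1 is unused, in window
        "replay": verifier.verify(*t2),             # counter 2 already spent
        "altered_amount": verifier.verify(t3[0], t3[1] + 1, t3[2]),
        "genuine_after_tamper": verifier.verify(*t3),
        "wrong_pin": verifier.verify(*device.transact(1000, "0000")),
    }
    for _ in range(LOOK_AHEAD):
        device.transact(100, "4821")  # these never reach the verifier
    results["too_far_ahead"] = verifier.verify(*device.transact(100, "4821"))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'approved' if accepted else 'rejected'}")
```

Each verification tries up to `LOOK_BEHIND + LOOK_AHEAD` counter values, which is why the post notes that the appended hash has to be long enough to keep the collision odds low.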
  • In my post I mention such an 'operating system': the calculator that's not part of your computer but a very simple piece of electronics made in Taiwan. And after they capture your keystrokes of the one time number it generated it'll be useless anyway.
  • by XNormal ( 8617 ) on Sunday March 11, 2001 @10:08AM (#370741) Homepage
    Disposable credit cards are not really credit cards, they are monetary transaction tokens which happen to fit inside a field designed for a credit card number. This lets you build a completely new electronic payment system that is still compatible with online merchants designed for the credit card system.

    These tokens can use any existing billing system as a backend. It can be billed to a real credit card like the systems described in the article. It can also be debited directly from your bank account. It can even be billed through a prepaid card you can buy at the store just like a phone card. I would really like to see a system with a Paypal account as its backend (anyone at paypal listening?)

    -
  • What happens if you try to return the item??? How can they charge it back if the card number has expired??

    --Garion
  • One time use Email address, for signing up for things like The New York Times, shareware downloads, free pr0n, Slashdot troll accounts, etc.

    Signing up for free email accounts every time you need something is annoying at best. Maybe it could be valid for 24 hours or something. It may even cut down on spam, if the spambots knew that #1 the email would never get read and #2 there is a 90% chance that an email would get returned undeliverable. *grin*


    "Everything that can be invented has been invented."

  • by AaaL ( 309902 ) on Sunday March 11, 2001 @10:11AM (#370744)
    As others have pointed out, Discover currently offers disposable numbers. Although I applaud their efforts, their current offering leaves much to be desired.

    To use it, you have to download a Windows app (NOT a browser plugin) called Deskshop. This program activates itself automatically when I boot up and puts an orange dot on my taskbar. It has a setting to disable automatic startup but it doesn't work. Every once in a while, ZoneAlarm will catch it trying to access the internet secretly. I'm sure it is spyware and was trying to upload my browsing/shopping/etc. habits. I would prefer not to use this app but rather just go to Discover's web page to get a disposable number. But I can't do that.

    The number is the usual 16 digits and the first 4 digits are the same as for regular Discover numbers. Apparently merchants are not able to tell whether it is a disposable number or not. When I request a number (via Deskshop), I specify whether it is recurring or one-time. As the names indicate, one-time numbers can be used for one charge only, while recurring numbers can be used again and again (for example, to pay a monthly subscription). I can cancel the recurring number but I have to call Discover customer service. I wish I could use their web page instead. I also wish I could specify a maximum dollar amount for each number I generate. But I can't do that either.

    As for Amazon one-click, I don't see why a recurring number would not work, but I haven't tried it.
  • This is a great idea, and I'm glad it works for you. But the problem is that such a solution, because it is not sheep simple (i.e. easy enough for 22 million AOL users), it won't catch on. Until you have something that's invisible to the user, it won't become popular even if it is a Good Thing(tm). Witness how many people don't use encryption on e-mail even though it's free and relatively easy to do. But make something transparent, like SSL protected web sites, and people will not only use it but demand it. (Most people think they're 'safe' on-line when they see the little gold key thingy.) Because the web site automatically puts the https:// instead of http://, the user doesn't get involved. Sad, but probably true...
  • I've been using one-time credit cards for almost 6 months now, and my experience has been positive. I've always been a pretty active on-line shopper, but I've never trusted my CC # to any sites, especially after hearing the horror stories (egghead comes immediately to mind). As soon as I heard my local bank was offering a Visa card with a one-time number generator, I got it, and started using it. The system works great, you get a program, enter your password, the amount you're gonna charge the card, and it spits out a number, after checking with the issuing bank that you have enough credit. So far, I haven't had any problems with sites rejecting the cards, my only quibble is that the program is windows-only, and I'm a major Linux user, so now I have to boot up windows to play and shop. So, I think these cards are a fantastic idea. I'd rather have to issue a new CC # for every payment and know that my information is secure. Plus, it invalidates Amazon.com's moronic one-click shopping patent... :)

  • The way the numbers are generated, you would need the person's password to have a number generated, which means that if you broke into someone's email, pc, etc., to gather information on em, chances are you could figure out their password and then generate the number.

    It's a bad idea for credit card companies to go the route of having a user generate a random number based on a password, as history shows us people are simple, and will often rely on choosing simple passwords.

    Again, a simple fix for this would be to have the credit card company pre-determine a block of numbers via mail or fax to the person, then afterwards have the person verify them when they intend to use them by phone if possible where caller ID can be used to ensure it's the correct person.

    Upon verifying the information, the credit card co., can then activate the numbers for use.

    Just my two cents.

    Where in the world is my wife [speedygrl.com]
  • I'm no crypto genius, but I've thought about this before.

    Wouldn't it be simpler if you could just confirm every transaction with a secret only the cardholder knows? What I mean is, if I find a card, or preferably someone's whole wallet, lying on the street, I can use it on the net, no problem.

    Unless I had to put in a PIN that wasn't written on the card. I'm amazed that all the information you need to use a card is contained ON the card.

    The way I see it, you would have some kind of instant messaging account set up beforehand, and the CC company would have it on file. So every time you entered your card info to make a sale, the merchant would send the request to the CC co. for approval. Before giving that approval, the CC co. would IM you and ask for your PIN. Hopefully the PIN request would be by some out-of-band method (i.e. not via the merchant) pre-agreed on by you and the CC co.

    That way, the merchant would never get your secret (PIN, mother's maiden name, whatever) and couldn't record it in a database. And a criminal wouldn't KNOW the secret, and couldn't use your card.

    How this would work in a physical STORE, away from home, would take someone smarter than me to figure out. :)

    Just a thought.

  • Obviously this is a short term solution. There are only so many credit card numbers if the string is only 16 digits long. Soon numbers will be repeated, which could make for some strange things if companies keep records on file.

    The real solution is to ditch this insane credit card system. It plain makes no sense. Instead of giving the money to the merchant, you are giving him a key to your safe and telling him to "take only what you need." Sure, we have banks to protect overcharging, etc. The consumer actually does have a lot of protection when using a credit card. But think about the hassle that the credit card companies must go through because of this deranged system. What we need is a system that allows the consumer to authorize a payment. Perhaps when you go to the store, there would be a "vendor ID" at the counter and you would just whip out your cellphone and authorize a transaction.

    It's funny, because all of us can talk all day about security and huge bit keys and networking, yet we give our login and password to the waitress every time we eat out.

    -Justin
  • One time use Email address,

    Why do you need an actual email address? Just use some random crap so long as it has an @ and . in it.

    If you do need an actual address, make one on hotmail and use it for everything. But never go there to pick up your mail.

    Or most isps will let you have multiple accounts. Make one for junk, pick up the mail and send it directly to trash via filters.

    No need for temp accounts.
    MOVE 'ZIG'.
  • There is even a Perl module [perldoc.com] that can verify checksums for you.

  • > access-list 102 deny tcp any any established

    you don't need the "established"...

    Si
  • I thought the first 4 was the bank code and the last 4 was the checksum, thus giving only 8 numbers to work with. (Maybe each bank has a range of numbers, e.g. 4000-5000 for one bank, 6000-7000 for another, thus giving 12 numbers?) When getting ATM receipts, for personal tracking purposes (did I charge with this card, or that card?) they show only the checksum number (the rest are XXX'ed out), since it is theoretically impossible to reconstruct an 8 digit number from a 4 digit checksum, right?
  • I'd MUCH rather see credit cards that work like phone cards. You buy a card at Wal-Mart, where you don't have to identify yourself to anyone. You pay $10, $20, $50, $00 or whatever for the card, get it activated at purchase time (or call an 800 number), then you can buy stuff online and have it sent wherever you want.
  • I'd love to use a 'one-time-only' credit card number system. I can't count the times that I've purchased what I thought was a limited-period service and discovered that the merchant automatically charges me at renewal time. It's a bloody nuisance to have to call them to remove the charge and take me off the auto-renewal list. Some of them have been so hard to reach that I've just cancelled the card to end the problem (my early AOL experience was one of those times).
  • The 1st 6 digits are assigned in blocks.

    Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.

    There is nothing keeping letters out of the credit card numbers. The mod 10 checksum even allows for it.

    Large amounts of the number space have been taken by some of the visa 12 digit cards.
  • I'm not sure smart cards are going to work in the real world. I've got a card from an early pilot project a few years ago and now the card won't work. Did I lose the value on the card? Is that money just gone? I know people who refuse to use phone smart cards because they have lost money when they die.

    I know two women who can't wear electronic watches because they end up zapped. They just seem to have a strange static field that tends to wipe out stuff. One used to wipe out computers constantly until she went with full anti-static precautions (floor mat, wrist strap, even anti-static chair). Will these people ever be able to use smart cards?
  • Oh boy... where to start?

    The 1st 6 digits are assigned in blocks.

    Actually, the first digit indicates the card type (Amex is 3, Visa is 4, MC is 5). The remaining three to five digits are assigned to issuing institutions (banks). No big deal here in Canada where there might be 100 issuing banks in total (since independent banks are virtually unheard of), but in the USA (where every podunk town has an independent bank) that pool would be exhausted pretty quickly.

    Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.

    Can you name one card type in use today with more than 16 digit card numbers? I sure don't know of any... Where did you get that figure from?

    There is nothing keeping letters out of the credit card numbers. The mod 10 checksum even allows for it.

    The ISO 7810 standard which governs almost all magstripe cards in use today contains provisions for three different types of information recording, referenced as Track 1, Track 2, and Track 3. Track 1 can contain up to 79 alphanumeric characters. Track 2 can contain up to 40 characters of numeric information. Track 3 can contain up to 107 characters.

    Track 2 is where the card number is stored. Thus, card numbers could theoretically be up to 38 digits in length (40 minus the start and stop "sentinel" characters), but cannot contain non-numeric characters. Ergo, letters are out. I have no clue where you got the idea they were possible.

    Even if that weren't the case, I would imagine a VERY good number (>95%) of POS (point-of-sale, not piece-of-shit) cardswipe terminals would freak out if they read a card number off a stripe as "4512A8F7B7A2C88F". Also, how the fsck do you enter that on the terminal's keypad if the stripe gets demagnetized? You don't.

    Large amounts of the number space have been taken by some of the visa 12 digit cards.

    The old Visa cards were 13-digit. All Visa cards now issued have 16 digits. (Amex cards are 15-digit.)

    Speak not from whence you know not.

    --
  • I want to know what is being done for merchants. I really like this idea of a disposable credit card myself, but there's still a pretty huge problem with online sales and that is the chargeback. We online store folks have something like 0 methods of contesting a chargeback. They want documentation? Well, I just print something out from a database. Problem is, that's not enough. What they really want is a physical indication of the presence of the card itself. Well, that's a bit hard over the Internet.

    So, in short, there's not much of anything we online merchants can do when a chargeback comes our way. I would love to see a nice solution to this problem.
  • by wesmills ( 18791 ) on Sunday March 11, 2001 @06:24PM (#370760) Homepage
    The ISO 7810 standard which governs almost all magstripe cards in use today[...]

    Ahh, but we're talking about entering these things into a computer form, eh? Since they don't have to worry about swiping a non-existent one-time-use card, then no worries as to if the number can be entered into a keypad.

    Also, since [presumably] the verification and deactivation are real-time, the numbers are instantly recyclable, since, as they're used they can become immediately available again.

    ---

  • So what happens if the item you order is backordered? I've had products ship over a month after I've ordered them before. An example would be a preorder of a product that has a delayed release. Does Amex offer a workaround for this?

  • I've used a similar system in the states. Bank of America offers this service where you can put X amount of money on a card (from your checking account) and it can then be used as a regular Visa credit card anywhere. Works good for relatives who you regularly send cash to for birthday, christmas, etc...

  • My source is a friend who works in AIB...just let me say he isn't an important cog, just one of the underlings. It just came up in idle conversation one day. He's one of us - a geek/slashdotter - and his main concern was that his bosses(not in IT dept.) didn't even know about the program in any detail - they were doing well to even know it existed. If somebody asked they'd just fob them off with whatever answer they could come up with.
    My friend seemed convinced there would be other versions. My information, however, is older than yours...probably around July. Plus it's less official. Overall, in my opinion, I'd say your line is more likely.

    8)
  • I thought about that too . . . but since they're disposable, I think it's safe to say that you still won't be able to guess a good credit card number. Chances are you'll get a number that was only good for Bob Smith on Amazon.com on 2/3/02.

    So, the only danger is actually using up all the numbers. No problem there either . . . if we say there are 6 billion people in the world, the current 16-digit system still gives each of them somewhere on the order of 2 million numbers to use.

  • Concept should go one more step further. It should allow you to buy a Pre Paid card and shop with that. I believe that will be a lot more convenient than the throw away numbers.
  • I'm sorry! I should have made that statement clearer! I know the debit cards are less secure than credit cards. Credit Cards have better protection. I meant that I'm not too fond of Credit Card use. I prefer my Debit Card because it's more like a check. I can only spend what I have. I've gotten in trouble with my credit card debt and now that I've taken care of it, I feel better using my debit card. And your reply states my point that Debit Cards need better security so that if a merchant were to take the funds from my bank I could easily do something about it.
  • by kstumpf ( 218897 ) on Sunday March 11, 2001 @09:27AM (#370767)
    I'm not sure if /. discussed this previously, but what about smart cards? These are normal credit cards with a microprocessor and around 32K(??) of memory. There's a reader that attaches to your computer, and when used at an online retailer that supports it, you can pop the card in the reader, enter your access code (like a PIN#) and it will send your information. It's triple DES encrypted, so your CC# is never transmitted or shown in plain text.

    You can also access your account online in this way and do other things, like download coupons to the card to be used at retail stores. For example, you can go to http://www.fakecoffeestore.com, download a discount to the card, then go to the mall to FakeCoffeeStore and use your card there for a discount. Pretty neat...

    Of course the problem with this setup is people have to support it.

    Info on the card I have, the FusionCard, is at http://www.fusioncard.com [fusioncard.com]. I haven't gotten my reader yet, should be a neat toy though.

  • Well, the card has an expiration date just like any other. If, after a delay, the company tries to charge the expired card... Duh. The better question is if the company will ask you for a new one or just boot you to the end of the line because of the expiration, but that has nothing to do with the Private Payments service that AmEx offers.
  • Yeah, I know 3 and 5 are shared. I think JCB has some 3's, and Discover etc. also use 5.

    I didn't know about the Aussie cards. Neat!

    As far as entering CC numbers, I was talking about point-of-sale terminals, not mobile phones. They simply can't handle non-numeric card numbers, period. Thus, letters are out of the question.

    --
  • by FTL ( 112112 ) <slashdot&neil,fraser,name> on Sunday March 11, 2001 @09:33AM (#370770) Homepage
    Disposable credit card numbers? That's nothing new; just go to a 'cardz' site and grab a few. Am I missing something? ;-)
    --
  • Just give it time. The automated services you had trouble with are simply too immature to rely on from every Tom, Dick & Harry company you deal with. While I'm not an expert in all experiences of this type (in fact, I've had both good and bad), I expect that problems such as yours will correct themselves in time.

    How long that will be depends, of course. If it means enough to someone, I'm sure they'll fix it.
  • by micromoog ( 206608 ) on Sunday March 11, 2001 @09:35AM (#370772)
    Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers.

    Nah, it's not that much of a difference. Think of it in database terms: if they currently identify your account by your CC#, they will just have to change that to some other general ID. They'll have to keep a relationship table going between the real ID and the disposable CC#'s, along with valid vendor and timeframe information, but it won't really change the way they do business that much. The conversion to the new system will cost a pretty penny, but believe me, they can afford it.

    Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...

    The system has room for each of 6 billion people to have almost 2 million numbers. Not a problem.

    You can be sure the credit card companies have considered all of these issues. They don't screw around. Due diligence is a way of life for these people; their line of business leaves no room for error.

  • That's absolutely priceless. Here you are, pimping sneakemail as an ideal spam-free, disposable, confidential e-mail provider...

    ...and then you print your e-mail address right along with it, without so much as a "REMOVEME" to stand in the way of spammers. Brilliant move, Einstein.
  • You've just described SET [setco.org].
  • I am big on not giving money to the chain store. This includes people like Amazon.com and others. I buy my books at locally owned book stores, I shop at locally owned grocery stores (the few there are), and so on.

    I have avoided places like Amazon because I like people like Joe at the small bookstore down the street.

    There are exceptions, however. I have yet to find a good way to buy airline tickets except online. I also tend to buy computer equipment online (http://www.smalldog.com/ - a small Mac online Mac store).

    Before buying, however, I make sure of several security concerns - do they save my credit card number? Do they have well-written Privacy policies? Do they send unsolicited Spam?

    Still, I would use one-time credit card numbers if they were made available to me.
  • I understand where you are coming from, and yes, to be a dick I suppose he/she could send you a shit load of stuff. I had thought of that earlier but I think the biggest problem is with merchandise they cannot reclaim. It would be far less worth someone's time to break a federal law just to pull a prank (for most people anyway). Besides, if you just refuse shipment, most companies won't (can't?) charge you, it gets refunded when the package returns to the warehouse, including shipping.

    And no, email isn't secure, but when you think about how most people get CC#'s, they usually don't have access to personal email accounts. So how would they know what address to enter when it asks for one? And to take that even further, perhaps require a PIN number to be entered in the reply mail somewhere. The more the criminal needs to know, the harder it will be for them to succeed. And the bigger trail they will leave too.


    "Everything that can be invented has been invented."

  • Only thing is, in solving the problem, they also make credit card generators viable again. I mean, you can get registration code generators for at least half of the commercial software ever released. I can't see this being much different.
  • It's the vendor that loses on fraud.

    If the person sees the charge, then the credit card company will reverse the charge back to the merchant -- unless the merchant can show a valid signature and card swipe.

    The only times when the credit card company loses money, is:

    • when they give a good faith credit to the cardholder on a dispute,
    • when the cardholder does not pay the bill.
  • This, once again, is not news. This was news last September, when it was originally run. Apparently Michael Sims has a penchant for re-running stories, as he did it last night [slashdot.org] in a story about projectile robots, a 'news' story that's 11 months old. This is ridiculous... Andover's failing quickly, and they're wasting 100k/year on Michael Sims to post shit that happened months ago, that /. has already covered...

    I hope you nerds enjoy reading about stuff that's already happened... it's this kind of nonsense that's killing this site.

  • Here in Finland we've had cash cards for many years (approaching 5 I guess). OK, you don't have your own terminal, but you can top them up at any cash machine, and use them almost everywhere you can use Visa for example.

    FP.

    --
  • I was about to post the same thing...it's been in Ireland - AIB at least - for quite a while now.
    For those of you interested, it actually works pretty well. I installed the software a while ago because there was at least one website I sent my credit card details to that never got back to me(and that makes me worried even though it's over a year ago and the card expires in three weeks 8).
    What I wanted to question was who told you there wouldn't be a Linux version? Was it some minor bank official, because as far as I could gather, the plans are to press ahead with both Mac and Linux versions. But you know how Irish banks are with truth. (You put down Dublin as place of residence and nationality as Irish on your account application...so do you want a resident or non-resident account?)
    Not intended as a slur against AIB who has only ever practiced good, lawful business practices...as far as I know.


    8)
  • There are plenty of CC providers that currently offer a feature like this. Discover [discovercard.com] currently has a system where you login via their web site [novusnet.com] and they will generate a number for you that "links" back to your real account number. The online store you purchased from never has the real number, only Discover. So a hacker would have to get into Discover's database to get your number, and if they do that...well...you are already screwed :)
  • by micromoog ( 206608 ) on Sunday March 11, 2001 @10:26AM (#370783)
    Like 4. I just used it. Throw it away now.

    Well, there goes Visa. You can still use your MasterCard until someone uses 5 . . . aw crap.

  • Actually, in Germany (and in some other countries in Europe, too, I believe) we now have a company that offers paying via mobile phone: If your merchant wants to get money from you you give him your mobile phone number (or an alias name you might choose freely) and the request is sent to the server of Paybox (the company that is offering the service). The Paybox server then calls you on your mobile phone, repeats the amount that will be charged from your bank account and asks you to enter your PIN. If you authorize the payment the merchant will get his money and you will be billed at the end of the month.

    So far the system works quite well but until now it is only available with some cabs and online stores, you can't use it to pay in offline shops yet.
  • by sconeu ( 64226 )
    American Express has been doing this for a while. And while the silly plugin makes it easier, you don't need to use it. I've been using their service (sans plugin) for about 5 months. I think it's great.
  • A much better way:

    Give your customers a way to authorize credit card payments. Instead of using their normal 16 digit cc number for buying a single-month-membership at www.sexyteens.com (and not knowing shit about both the trustworthiness of the webmaster and of their security/antihacking measures), enable them to go to your website (https://www.mastercard.com/) and create a temporary one.

    The user can then, e.g., select that he wants this temporary number to carry $30. Some script (hopefully not visual basic...) can then encrypt the data and Base64 it, giving the user the number "KBVjSOEgraG3bp7WIkbMWKPRB" to pass on to the shady website owner.
    This protects him from excessive fraud (having the website charge him $500 instead of $30) as well as from cc theft (the stolen number will be completely worthless as soon as it has been billed for its allowed charge) and identity theft (since a number like that would not be legally allowed as proof of identity).

    But since we're going to have to wait for banks to implement this scheme, I don't believe we'll see a possibility like that before 2050 :(
    --------------------------------------
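The scheme this comment proposes, seen from the issuer's side, as an added example (not code from the thread or from any card issuer). The `Issuer` class, the token layout and the decline strings are assumptions; an HMAC tag plus a server-side ledger stands in for "encrypt the data", so the real account number never leaves the issuer.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 10    # truncated HMAC-SHA256 tag, keeps the token short (assumption)
BODY_LEN = 20   # 8-byte token id + 4-byte limit in cents + 8-byte expiry

class Issuer:
    """Hypothetical issuer back end for spend-capped temporary numbers."""

    def __init__(self, key: bytes):
        self._key = key
        self._ledger = {}  # token id -> real account, remaining cents, bound merchant

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]

    def issue(self, account: str, limit_cents: int, expires_at: int) -> str:
        tid = secrets.token_bytes(8)
        body = tid + struct.pack(">IQ", limit_cents, expires_at)
        # The real account is stored only here, never inside the token.
        self._ledger[tid] = {"account": account,
                             "remaining": limit_cents,
                             "merchant": None}
        return base64.urlsafe_b64encode(body + self._tag(body)).decode()

    def authorize(self, token: str, merchant: str, amount_cents: int, now: int) -> str:
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            return "DECLINE:malformed"
        if len(raw) != BODY_LEN + TAG_LEN:
            return "DECLINE:malformed"
        body, tag = raw[:BODY_LEN], raw[BODY_LEN:]
        # Constant-time comparison: an edited limit or expiry fails here.
        if not hmac.compare_digest(tag, self._tag(body)):
            return "DECLINE:bad-tag"
        tid = body[:8]
        _limit, expires_at = struct.unpack(">IQ", body[8:])
        state = self._ledger.get(tid)
        if state is None:
            return "DECLINE:unknown"
        if now > expires_at:
            return "DECLINE:expired"
        # The first approved charge binds the number to that merchant.
        if state["merchant"] not in (None, merchant):
            return "DECLINE:wrong-merchant"
        if amount_cents <= 0 or amount_cents > state["remaining"]:
            return "DECLINE:over-limit"
        state["merchant"] = merchant
        state["remaining"] -= amount_cents
        return "APPROVE"

def demo():
    """Run the thread's scenarios on constructed data and return the outcomes."""
    issuer = Issuer(key=b"constructed-demo-key")      # constructed key
    now = 1_000_000                                   # constructed clock value
    tok = issuer.issue("acct-constructed-0001", 3000, now + 86_400)  # $30, one day

    results = []
    results.append(issuer.authorize(tok, "shady-site", 50_000, now))  # $500 attempt
    results.append(issuer.authorize(tok, "shady-site", 3_000, now))   # the agreed $30
    results.append(issuer.authorize(tok, "other-shop", 100, now))     # stolen, used elsewhere
    results.append(issuer.authorize(tok, "shady-site", 100, now))     # billed again

    # Someone edits the limit field inside the token without knowing the key.
    raw = bytearray(base64.urlsafe_b64decode(tok))
    raw[11] ^= 0x01
    forged = base64.urlsafe_b64encode(bytes(raw)).decode()
    results.append(issuer.authorize(forged, "shady-site", 100, now))

    late = issuer.issue("acct-constructed-0001", 3000, now + 10)
    results.append(issuer.authorize(late, "shady-site", 100, now + 11))
    return results

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```
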
  • It's funny, because all of us can talk all day about security and huge bit keys and networking, yet we give our login and password to the waitress every time we eat out.

    So how many people have lost all their money due to this lack of "huge bit keys"? Of course the figures usually are impressive if a credit card company announces losses by credit card fraud had been so-and-so many billions last year. But think a minute, or better an hour, about who is losing how much, i.e., how risks are distributed among the customer, the merchant, and the credit card company.

    This is mostly a non-technical problem, and "huge bit keys" can actually make your situation, as a customer, worse. There have been reported cases of European banks accusing their customers of fraud when they complained about phantom withdrawals via ATMs. After all, the bank had strong encryption, so the customer must have done it herself or at least have helped by giving away her secret PIN. So "huge bit keys" did not save the customer's money, but the public prosecutor's job.

    Besides, I haven't seen in years a "more secure" payment system which is as convenient and easy to use (by the honest owner of the money who would like to spend it online or offline) as an old-style credit card. It's universal, it's small, it's something I never leave in the office when I go home, and it does not force me to pay in advance before even knowing what I might want to buy some day. I'm not going to bury my money on smartcards or on my harddisk, and I'm not going to do anything less convenient than fetching my card and typing in what is printed on it, just to buy something on the net. Put a chip onto my credit card and give me two card readers (for home and office use) for free, if that helps to increase security, but don't try to add complexity to my everyday life. If I need something really complex, I'll install IBM DB2. :-)

    Recommended reading:
    Ross J Anderson: Liability and Computer Security: Nine Principles [esecurityonline.com]. (PDF)

  • I refuse to use a credit card in general not just online. I do have one, but I stopped using it a year ago. It's too dangerous! So now all I use is my debit card. Unfortunately there's NO security for debit cards. I'd be responsible for all of the charges. How about the banks get special debit numbers for online use? Thanks for allowing the vent!
  • This can be extremely secure if based on a smartcard. Basically it's public/private key encryption. The card holds a private key which it uses to generate a token that can be public-key verified on the far end. In various ways it can be ensured that a number once used cannot be used again so in fact it is extra-secure against kiddies grabbing card numbers.

    Keep in mind that vanilla credit cards have a 20% fraud rate. That's A LOT of money to pay for infrastructure if you can significantly reduce that percentage.
  • >Credit card numbers can have 19 digits, not just 16. This is going to burn lots of people who assume that the cards are only 16.

    I think the extra three digits in question is a security code frequently found on the back of the card in the signature area; I don't know if they really qualify as part of the card number. (MBNA's ShopSafe system, one of the systems this whole article is about (and the one with which I have personal experience), generates these codes...)
  • This is the CVV (Card Verification Value). It is not present on the stripe.

    --
  • I can't see how you think CC's are more dangerous than Debit cards?

    I know that at my bank, my debit works just like my Capital One Visa card. Capital One is much better at handling fraud than my puny little local bank is. So, I'm not sure about you, but I'm just the opposite. I'd rather get a bill in the mail from my credit card company and dispute the charges with them than have some merchant take the funds directly out of my bank account and, during the whole time I'm disputing the charges, be out of that money.

    --
    Todd
  • by Anonymous Coward
    Like 4. I just used it. Throw it away now.
  • Won't this make it that much easier for kiddies to find the algorithm that is used to verify these numbers? Or are they maintaining a database of them, which could be stolen, etc?
  • by zaius ( 147422 ) <jeff.zaius@dyndns@org> on Sunday March 11, 2001 @09:04AM (#370795)
    Along with the one time use numbers, they also:

    ...let you assign a permanent (phony) credit card number to a site where you do ongoing business. If you use several such sites, each will have a different number.

    Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?

    This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...

    Same concept with the one-use cards, it seems like they'd exhaust the card # space a lot quicker if each person can use 500 card numbers in a year as opposed to 1 every 5 years...

    Sorry if that was incoherent

  • I have never used AOL. Should I suddenly feel the desire to do so, I would have no problem encrypting e-mail. But I never have. Why? First, because the person on the other end might have problems reading it -- far from all clients support encryption, and some support different kinds. Second... ooh, someone's gonna read my e-mail, I'm scared. Just send me your address, I'll forward my gossip to you, too! The assumption that everyone must be a privacy freak is quite annoying.
  • by Mossfoot ( 310128 ) on Sunday March 11, 2001 @09:04AM (#370797) Homepage
    I have a philosophy in life. Know your limitations, and work your life around them instead of trying to work through them.

    For example. When I first went to university, I was slightly overweight. I know I don't have the willpower for working out regularly, I've tried too many times and failed. So instead, I found an apartment five miles away from the university, with a nice bike path that went almost all the way to where I lived. There was no way I would pay for a monthly bus pass (money better spent on games) so for the next three years I was biking at least 10 miles a day, five days a week. Sure it's a little extra work, but it's worth it. Problem solved.

    This solution reminds me of that. Instead of trying to make encryption better and better, a process everyone knows will always have problems and flaws, either in security or convenience, they worked their way around it by making the numbers a one-shot deal. Sure it's a little extra work, but the rewards are worth it. Problem solved.
  • You're absolutely right. The software to recognize the situation and extract the password(s) needed for getting single-use card numbers is more complicated than that needed to recognize a valid card number, but the same basic approach would work.
  • by SClitheroe ( 132403 ) on Sunday March 11, 2001 @08:58AM (#370799) Homepage
    Gotta love this quote "They can't be used on one-click shopping sites such as Amazon, where permanent card numbers must be stored. "

    Seems to me you could enter the credit card number when making a purchase, click "Buy", and still come in at one click..

    The sad thing is that the way it's written, it's like the author really thinks that Amazon _must_ keep credit card numbers on file...
  • MBNA offers them. They use either an HTTPS/HTML solution or a flash plugin to do it. It's nice, because you can basically set an arbitrary credit limit and expiration date for the card number. Then if a cracker breaks into the e-commerce site, they can't use the credit card at all, because (hopefully) the thing you bought with the card maxed out the credit card (or at least came close). The way I use it is to get everything ready to go at the e-business and get a total price. Then I go create a credit card number with a limit close to the total and make it expire in a month. I can be pretty sure that no one will be able to steal the card and make big purchases.
  • Actually there are 19 digits available

    The 16-digit limit is indeed artificial. But it's going to be hard to overcome. Sure, 17, 18, and 19 digit cards are going to work just fine at POS terminals that have been implemented carefully with the specification in mind. But it's likely many of them will fail in other places due to artificial limitations added by people who didn't quite understand the big picture.

    Many online ordering forms have a text box for the credit card number that's capped at 16 digits. Worse still, some won't even accept older style 15 digit and shorter AMEX and VISA cards. People who have been cardmembers for a long time (and thus have these lower numbers) have been experiencing this problem for some time and many have requested new cards be issued with 16 digit numbers. New cardmembers that get 17, 18, and 19 digit cards are going to be unable to use them at similarly ill-designed sites and will probably try to gripe at the card issuer for a shorter number.

  • This technology is nice but too bad it runs on your windows computer, now it'll be even more interesting for people running things like sub7 and other trojans to 0wn your windows box, so they can generate their own 1 time credit card numbers from your program (they can find your password with the keylogger).

    A better solution would be a system similar to what my local bank gave me: a device that looks like a calculator protected by a pincode that allows you to digitally sign things. A few modifications and a device like this could generate your one time credit card numbers. Now that would be a secure solution!

    With some thought this device could do away with passwords etc as well. Now we only have to hope they'll opensource the technology...

  • Doesn't this seem like a lot of overhead for the card companies? Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?

    That's not for the card companies to manage - it's for YOU to manage. For example, I leave my credit card number on file at Netflix.com, and they charge me every month. If I wanted to, I could use a disposable number for that, and I'd know if it got used anywhere else that Netflix's database had been compromised. Then, I'd only have to cancel one disposable card, instead of reentering my card number at all of the places I do business with.

    This is actually a Good Thing, no offense to Martha Stewart. I had my wallet stolen in Mexico a while back, and ever since, I've had a separate credit card that I use just for online transactions. It helps me prevent fraud (that account should never show anything but the same four or five retailers) and makes it a lot easier if I get my pocket picked again - my services keep coming, regardless of whether I have to stop my other cards.
  • This is a really good idea! Think about it more carefully:

    Let's say that I go to a store on the 'Net that I don't know or trust too well. I see a t-shirt or mug or something I want to buy for $12 but don't really want THEM to have access to all my credit on one of my cards.

    So... I generate a credit card number with a fixed limit of $17 and give that number to them, and I don't have to worry about my number being stolen: it's only good for 17 bucks!

    So you see? This allows you to have more control over your credit cards and relieves the worry that your card will be charged more than you wanted it to be.

    Another application is those damn Time-Life CD's they sell on TV. Ever bought one? Of course not! Cause you're not gonna just buy one! They keep sending you CD after CD - the whole set, as long as it will fit on the card you gave them!

    So, just give them a disposable card number for the amount they need, and be done. When they run the card again next month, it'll deny and they won't send you any more crap.

  • Concept should go one more step further. It allows you to buy a Pre Paid card. And shop with that. I believe that will be a lot more convenient than the throw away numbers.

    They're way ahead of you, pal. Go to cobaltcard.com, something AmEx has had out for more than a year.
  • So, the only danger is actually using up all the numbers. No problem there either . . . if we say there are 6 billion people in the world, the current 16-digit system still gives each of them somewhere on the order of 2 million numbers to use.

    Don't forget that not all 16 digit numbers are valid for use as credit card numbers. In order to be valid, a number must first pass a rudimentary checksum test called LUHN-10. This checksum is intended to prevent unnecessary online verification of numbers that were entered in error. In short, the sum of odd numbered digits (numbering starts at the right, not the left) must be evenly divisible by 10, and the totals of the other digits each individually multiplied by two must also be evenly divisible by 10. As a result, there are far fewer than 10000000000000000 sixteen digit credit card numbers available.


  • Don't forget, sneakemail.com [sneakemail.com] is the perfect complement to disposable cc numbers. If you don't trust an e-commerce company with your cc number, why would you trust them with your email address?
  • Quite a few data thefts occur straight out of a company's database. Take Macy's or any other retailer as an example. When you make a purchase at a B&M store your credit card # and other info is most likely stored in the same database as the online purchases. Why have different systems? And even at B&M stores the card number is still sent over the Internet. The card has to be verified somehow. One time credit cards aren't the answer. I don't see American consumers carrying 20 cards at a time. This problem isn't going to go away until security is taken seriously.
  • The system has room for each of 6 billion people to have almost 2 million numbers. Not a problem.

    Not all 16-digit numbers are valid -- actually, far from it. The LUHN-10 [poly.edu] algorithm [cmu.edu] makes sure a CC number supplied by the client is valid before submitting it for authorization. All credit (and debit/ATM) card numbers must fit that algorithm.

    Therefore, there aren't nearly as many numbers available as you might think.

    --
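The LUHN-10 check the two comments above refer to, in its usual single-sum form, as an added example that is not from the thread. The function names and the 13 to 19 digit acceptance range are assumptions; the card numbers are constructed test values. It also counts how many numbers of a given length pass and which typing errors slip through.

```python
from itertools import product

# Assumed acceptance range; the thread notes numbers can run to 19 digits.
MIN_LEN, MAX_LEN = 13, 19

def luhn_checksum(digits: str) -> int:
    """Luhn sum modulo 10 of a digit string; 0 means the string passes."""
    total = 0
    # Walk from the rightmost digit. Every second digit is doubled, and a
    # two-digit product is reduced to the sum of its digits (same as -9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10

def check_digit(body: str) -> int:
    """The one final digit that makes body + digit pass the check."""
    return (10 - luhn_checksum(body + "0")) % 10

def validate_pan(raw: str):
    """Return (ok, reason) for a card number as a user might type it."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit()):
        return (False, "chars")
    # Do not hard-code 16: shorter and longer numbers exist.
    if not MIN_LEN <= len(digits) <= MAX_LEN:
        return (False, "length")
    if luhn_checksum(digits) != 0:
        return (False, "luhn")
    return (True, "ok")

def count_passing(length: int) -> int:
    """Exhaustively count digit strings of this length that pass."""
    return sum(luhn_checksum("".join(p)) == 0
               for p in product("0123456789", repeat=length))

def undetected_adjacent_swaps():
    """Pairs of different adjacent digits whose swap leaves the sum unchanged."""
    missed = []
    for a, b in product(range(10), repeat=2):
        if a != b and luhn_checksum(f"{a}{b}") == luhn_checksum(f"{b}{a}"):
            missed.append((a, b))
    return missed

if __name__ == "__main__":
    print(validate_pan("4111 1111 1111 1111"))   # constructed test number
    print(validate_pan("4111111111111112"))      # one digit mistyped
    body19 = "4" + "1" * 17                      # constructed 18-digit body
    print(validate_pan(body19 + str(check_digit(body19))))
    print(count_passing(4), undetected_adjacent_swaps())
```

Each body has exactly one passing check digit, so one in ten numbers of any length passes. The check catches typing errors and says nothing about whether an account exists, which is why the issuer still has to authorize the number.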
  • I have the blue card from amex [americanexpress.com] (the one with the microchip) and use these payment numbers. I insert my card in its reader, enter my pin to authenticate and generate a card number. I have now used it for quite a few online purchases without problems. Personally I think it is one of the best things they have done.

    Of course, I can also generate the random numbers by logging into their site using my username and pw but hopefully they will add a restriction so I can limit login to my smart card.

    Also, I just took a survey they sent out to gather feedback. In it they asked which of the additional features listed you found most interesting. They included several listed in the article, including generating a long term number you could put on file with someone like Amazon but that, if it was stolen, could not be used by someone else (only accepted charges from Amazon) and putting limits on generated numbers (i.e. you can know a site cannot overcharge you, you can give the number to a child without worrying etc.). Once they have these I will be using Amex for all my online purchases.

    Now I am just waiting for them to get rid of the number on the card itself so I can use it in a store without worrying. There is no reason at all to have a fixed number.

    This, in turn, will save them billions in fraud that they do not recover (so long as the merchant follows the authorization procedure today they are not responsible for fraud charges). We can only hope that they will pass this saving on to us.

  • The sad thing is that the way it's written, it's like the author really thinks that Amazon _must_ keep credit card numbers on file...

    Honest question: When a user makes a purchase, how long does the site have to store the credit card number? Obviously it has to be stored long enough to send off to the credit card company for authorization, and perhaps during the rest of the transaction (e.g. to show on the screen as "charged to your Mastercard xxxx-xxxx-xxxx-1234"). But what if there's a dispute or other problem with the transaction? (For example, if the customer returns the item and asks for a refund.) Are there legitimate cases where the credit card number should be stored for at least a while?

  • American Express [americanexpress.com] offers disposable card numbers to all card holders (as far as I can tell).

    By simply signing in and selecting a card (for those of you with more than one :-) a normal looking card number will be generated along with an expiration date in a small window that pops up.

    It's very cool, plus it relies on Java/Javascript, so nearly all of us can use it (no doofy Windows plugin req'd!)

    What's stupid is the Discover Card [discovercard.com] method. They have a "disposable card number" feature, but it requires a really heinous install procedure, plus it does annoying things like create a bookmark for their site in every browser user's bookmarks file (thanks guys!). But wait, there's more! If you want to use this feature, you have to shop within a small number of stores (and I mean small, like ~50 the last time I checked).

    Bottom line, disposable credit card technology is great - i've used these disposable numbers for over 6 months, and i'm totally sold on the idea. Now when i purchase something on the web, my Amex number can only be used that one time, after which it is completely invalid for charges. I'll be glad to see all Visa and MC companies follow this someday.

    Seen the amihotornot All Your Base [amiallyourbaseornot.com] site yet?

  • If I want to buy something on eBay, I can use a credit/debit card through Paypal or Billpoint. I have to prove to them that I'm me (just a password, admittedly, but I and my source of payment money have already been through a verification process with them). I tell the seller to submit a payment request and then go to the middleman's web site and authorize the payment. The payment goes from the credit card company or the bank to Paypal or Billpoint and then from them to a seller that they've already verified.

    Why can't the credit/debit card companies do this on their own for non-auction site purchases? If I want something from www.everythingforcomputers.com (or whoever), and they already are set up to take Discover or VISA or Diner's Club or whoever, instead of giving them my credit card number (or a stolen one if I were trying to defraud them), why can't I tell them to bill my name at the card company, go to the card company's site and authorize the payment, and they transfer payment to the merchant? With all the money the credit card companies can save by preventing fraudulent use they should be able to more than afford the people and equipment for this and plenty of incentive for security because they'll be the ones who have to suffer the losses.

    Are the credit card companies avoiding shouldering this burden on purpose? If one of them went ahead with it, would the rest have to follow suit for competitive reasons?

  • A minor issue? The author must be on some super drugs. The reasoning for these new advances in credit card protection schemes is for these minor issues else they wouldn't worry about it altogether.

    A nitpick, but I believe the author's point is that consumers don't need to worry about the cost of someone stealing their card. Banks, on the other hand, are worried about it since they pick up the tab. They push for any technology that can cut down on fraud, thereby saving them money.

  • Ahhhhhhhhhhhhhhhhhhhhhhh. There isn't a database where a bunch of plaintext debit card numbers are stored. Look up RSA encryption so I don't have to explain it to you please.
  • I usually visit the store before ordering online. Not because I don't trust the online transaction, but because I can get it today, now and when I want it. There are so many things that I'd rather see in person, that it just makes sense to go to the store. Clothes are one of those things. Some of us have wide feet or short bodies that not just any clothing will fit. To order something online then have to exchange it is a pain in the butt. By going to the store I can see how it fits. This also applies to many of the electronics I buy as well. I want to 'hear' that stereo. Books too. I can go to a book store and see if the book has what I am interested in. (Tech - programming books mainly).

    I'd buy software online or a book that I knew I wanted, or cdroms, but even cdroms I can go to tower and hear some of them to see if I want the cd in the first place.

    I think that this will satisfy some people, but not everyone, and not for everything. I like to buy my groceries in the store, so I know that my bananas are fresh.

    I don't want a lot, I just want it all!
    Flame away, I have a hose!

  • by Anonymous Coward
    By having one, you're essentially protected from people capturing your CC# and reusing it later. There are some drawbacks though. With the system I used, once you authorized the purchase you couldn't adjust the amount on the temporary credit card. So there wasn't a way to change an existing order because you had to go and get another credit card number for the additional amount.

    I know merchants weren't overly fond of it either. One of the most effective ways of keeping out customers they didn't want was to block by number. With anonymous number systems like this they have to block by name/address which is much less of a hassle to get around because the automated filtering isn't as good. This also affects all of those discounts for "first time" customers which are usually tracked by CC#.
  • Is it going to be the standard 16 digits?

    I know that as it stands, the range of numbers available is so ridiculously wide that you can't realistically guess a credit card number, but will that stay the same if the average person maybe chews through 40-50 CCN's a year?

  • Won't this make it that much easier for kiddies to find the algorithm that is used to verify these numbers?

    The algorithm for credit card numbers is not a secret. You can determine if a card number is potentially correct yourself, but you need to contact the credit card company to ensure that a number is correct (and that they have enough money to cover their charge).
  • Or worse: "gosh, that piece of spam is really strange. The main image seems to be borken. Hey, let's have a look at its source":

    <img src="http://www.amazon.com/cgi/oneclick.cgi?book=dianetics&confirm=no&details=usecookie">

  • But will it work on all OS'es? As far as triple DES encryption is concerned: this could also be done in software, using a simple java applet for instance.

    Some smart-card proponents say that doing the encryption in software (rather than on the card) would leave the system open to viruses and trojans, which could draw money from your account/reveal personal details. However, if you think about it, this argument doesn't stand. Even if you have a card reader, with a card that does encryption in hardware, you are still vulnerable to viruses/Trojans, the only difference would be that the virus/Trojan would attack the clear stream from the keyboard to the card reader instead. And unless you do everything using a small keypad directly attached to the card reader, this vulnerability will stay.

  • by JediTrainer ( 314273 ) on Sunday March 11, 2001 @09:15AM (#370838)
    They said that it can't be used for automatic payments, things like cell-phone bills every month, because the number can only be used once.

    I think this is a good thing. I've given up on automatic payments because my cell phone provider (name not mentioned to protect the guilty) double-charged me last January, and it took nearly 2 months and about 10 support calls to get the darned thing fixed.

    I now believe that any "automatic" payment makes it too easy for a company to screw you over, either intentionally or through a glitch (which my case apparently was). No thanks - send me the invoice and I'll pay it manually from now on. Having the credit card number being one-time only would enforce that much better, because now they can't even have a working number for me on file.

    I couldn't believe that they had the gall to ask me several times if I wanted to re-enable the automated payments again.
  • by deran9ed ( 300694 ) on Sunday March 11, 2001 @09:17AM (#370839) Homepage

    Shoppers have two security concerns. First, they worry that their credit-card numbers will be stolen. As a practical matter, that's a minor issue.
    A minor issue? The author must be on some super drugs. The reasoning for these new advances in credit card protection schemes is for these minor issues else they wouldn't worry about it altogether.

    By law, they're liable only for the first $50 spent by a thief, and most card issuers waive even that.
    Regardless if they have to pay any fees at all, someone has still gotten ahold of their information, and depending on the criminal intelligence behind the person who has gotten ahold of the credit card number, they can escalate to identity theft, which has a big market.
    The second, far greater problem is identity theft. If crooks get your name, credit card number, Social Security number and other identifiers, they can create a virtual you - open accounts in your name, charge up a storm and ignore the bills.

    You'll be dunned and sued. It can take a year or more to straighten out the mess. ID thieves steal credit card numbers from many places - stores, restaurants, mail-order businesses. But the Web lets them steal wholesale, by breaking into the databases of the merchants themselves, hence the appeal of card numbers good for only one use.
    Even with thieves stealing information from insecure websites, it's an unheard of issue of credit card companies going after the website which was breached. Little is done to sites who don't secure their systems from the possibility of a breach, and they should be held somewhat responsible for the integrity of their data.

    The card pops onto your screen and you enter your name and password. You then get a one-time number for the single purchase you intend to make. Once used, it isn't good any more. Your real number is hidden away at the bank, where you hope hackers can't go.
    This is still a problem as if a "cracker" has somehow gotten ahold of any kind of information on a person, they can leverage this to enter their own username and password to get a "one time" number. What would be nice, is if some of the credit card companies would pre-issue about 20 numbers per month with a 30 day period before they're deleted. This way nothing is transferred over the wire and even a temp number can't be generated.

    If hackers broke in, they couldn't use the virtual number without your password - which the merchant doesn't have - and it couldn't be circulated to other sites.
    Well what about the crackers who go the full route to get all of a person's information including the password? I guess all these concepts go right down the drain.

    Anyways...

    The Big Breach [antioffline.com] -- Richard Tomlinson (ex MI6 agent)
  • by micromoog ( 206608 ) on Sunday March 11, 2001 @09:50AM (#370840)
    Shocking as it may seem on Slashdot, this is an example of "security through obscurity" being a good thing. It has been demonstrated that current "real" security methods (namely, encryption) haven't worked on a grand scale for the purpose of credit cards. This will work.

    Of course, the back-end (credit card companies) are still responsible for the true security implementation, but they're very very good at that. An example of how paranoid they are: when consultants for my company go on-site at our credit-card vendor customers, they literally have to stand behind the certified operator and tell them what keys to press. No one touches their machines without passing internal security certification procedures.

  • One thing that I always felt could be done, is for the store to sign off the final stage of the transaction to the credit card company. What would happen is the store would send an order number to the credit company and then you authorize the transaction on the credit card company's website, who would then send an authorization number back to the merchant.

    Another idea, would be to have a hardware device that reads your card (prevents your kids from one-clicking) and then handles the encryption algorithm in hardware. The idea here being that there is no trace of your credit-card info on your computer. Maybe we should call it 1-swipe shopping. Oh, this thing would connect via the USB port.

  • OK, well, this service has been available on my Mastercard for a few months now. Not that it worked for me; but it's there. Here's how it goes:

    You download a strange little Flash program, which sits in the task bar. This program lets you create new credit card accounts. You determine how much the limit on those accounts is, and how long they will last (expiration date). The Flash applet then keeps track of those numbers.

    This solves a number of problems talked about here - it keeps track of the numbers for you, and they will last as long as you want (for recurring billing). And, if someone grabs the number, there is a very low limit on how much they can charge from it. You can even drag and drop the number from the applet.

    The number is a standard CC#, 16 digits, with check digits. My experience so far has been that the numbers do not authorize very well (that is, I created a number, tried to charge something on it, and it came back as a bad number).

    Anyhow, it would be nice if it worked right, because it doesn't need any special new card or other junk, just a computer.

  • by EvlPenguin ( 168738 ) on Sunday March 11, 2001 @09:18AM (#370843) Homepage
    I'm sure you've seen commercials for American Express' "Blue" card with the smart chip and boasting of enhanced security features. I received mine a few months ago and this is my experience with it:

    A heavy package arrived on my doorstep, containing a suspicious item wrapped in lead. After peeling back the lead, I realized it was the new Blue Amex card! I figured that I may as well test out these enhanced security features, so I went to a porn site to sign up for a trial membership using a disposable card number.

    You may be wondering how you get the card number, and I wondered this myself, until I ran my thumb over the smart chip, and magically it sprung to life! It scanned my thumbprint, and then out came a holographic image of a terminal, displaying the creation of the random credit card number! Apparently, it checks the position of the moon in its orbit to form a 32-bit variable. After determining the variable, it checks the temperature of the room, distance above sea level, and speed of sound in the current atmosphere, and calculates a string that is multiplied by the old variable. The resulting number is then plotted according to y=sin(x), and numbers are chosen from 16 points on the graph. The sines are then inverted and strung together to finally form the elusive random credit card number!

    Or something like that.

    --
  • Now, not only do they have to keep track of millions of cards and billions of dollars spent through them, but they also have to ensure that the right cards are being used by the right retailers. Yes it's convenient, but how much is it going to cost?

    Or how much will they save? Credit fraud costs CC co's millions (billions?) yearly, well worth the price of some servers.

    This also doesn't exactly solve the problem... if I have a one-retailer use card set up for Amazon.com, someone can still steal that and buy stuff in my name from Amazon...

    I suppose they could, unless you set up your Amazon account to only allow shipping to your address. And to take that one step further to change your address you would have to log in, have them send you a mail to an address they have on file, and reply to it. Then the thief would not only need your CC# but your email password as well.

    I suppose we could go back and forth with this all day; for every action there is an opposite reaction. Criminals will always try to stay one step ahead.


    "Everything that can be invented has been invented."

  • Does that require any extra installation on the user's part? If so, you're going to need a technical support hotline so that people who don't read directions can call at 2am because they want to buy Fluffy a new dog collar but don't "want to be bothered becoming a computer expert."
  • Stores retain credit card numbers from purchases for anywhere between three and seven years.

    They are required to keep original sales drafts in order to process chargebacks. A number of other consumer protection laws also require the retaining of customer information, including cc numbers.

  • I have two checking accounts, one tied to a debit card, one not.

    When a credit card number is stolen, the cardholder is only responsible for the first $50.00 of fraudulent charges.

    When a debit card number is stolen, the thief can drain the account (whatever the balance is) and you have little hope of getting any of it back.

    Sounds like a credit card is the way to go, right? Well, generally I would say yes, but how about those whose credit is poor or don't want to pay interest charges and fees?

    Here's how I work it. I know that my checking account tied to the debit card is vulnerable so I don't keep very much in it - only what I can afford to lose if I am defrauded. When I need to make a purchase online, I first go to my online banking site and transfer the amount I need for the online purchase and then use the debit card for the purchase. Money goes in, money goes out, the balance stays low.

    If someone compromises the database containing my debit card number they will only get $100.00 or less and I can close that checking account and start a new one tied to a new debit card number. No fighting with the bank or a vendor about unauthorized charges, I take my licks and get out. Sure, I might lose a little more than the $50.00, but to avoid the hassles it's worth it. I can only lose what's in that account so I keep it low and keep my exposure low.

    The two accounts are completely separate. I have no checks to use with the debit card account and no debit card tied to the account I use to write checks. This doesn't fully protect me from identity theft, but makes it tougher on the thief.

  • Another nice feature is you can cancel a number if it hasn't posted yet. I tried to order CloneCD before and they claimed that Amex denied my card. I called Amex, they said they never got an authorization request from them (actually, the site that does their payments for them).

    So, since I used a one-time number from AMEX, I logged into their web site and canceled that number. This means if that site decided to try again or use it, they couldn't and it would be denied for real this time.

  • I don't know about the others but American Express makes the numbers expire during the month you use them. Allows for reuse of the same number at a different date.
  • by [Entropy] ( 87954 ) on Sunday March 11, 2001 @09:20AM (#370859)
    I use this feature all the time through American Express. They call it "Private Payments" and it's completely free to all cardholders. All you have to do is log in to their site, click on "Request new number" and plug it in to the vendor's checkout form. The number expires in about a month and can only be used by one vendor (although multiple charges can be made to the account, since places like Buy.com will charge you as each item ships). You don't have to run any software, and the charges show up like normal on your statement. You can view all your past generated numbers and the vendor that used them. I think it's a great idea.
  • Is it going to be the standard 16 digits?

    Hard to tell, considering that AMEX uses 15 digits, not 16.

Klein bottle for rent -- inquire within.
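
The rules commenters describe in this thread (a number locked to the first merchant that charges it, expiry after about a month, a low spending cap, and cancellation by the cardholder) can be modelled as issuer-side authorization checks. This is an added example, not code from any commenter or card issuer; the class, field and merchant names and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class VirtualNumber:
    """Issuer-side record for one disposable number (hypothetical model)."""
    number: str                      # constructed placeholder, not a real card number
    issued: date
    limit_cents: int                 # low spending cap set when the number is created
    valid_days: int = 30             # "expires in about a month"
    merchant: Optional[str] = None   # bound to the first merchant that charges it
    spent_cents: int = 0
    cancelled: bool = False

def authorize(vn: VirtualNumber, merchant: str, amount_cents: int, today: date) -> str:
    """Return 'APPROVED' or a decline reason; state changes only on approval."""
    if vn.cancelled:
        return "DECLINED: cancelled by cardholder"
    if today > vn.issued + timedelta(days=vn.valid_days):
        return "DECLINED: expired"
    if vn.merchant is not None and merchant != vn.merchant:
        return "DECLINED: locked to another merchant"
    if amount_cents <= 0 or vn.spent_cents + amount_cents > vn.limit_cents:
        return "DECLINED: over limit"
    vn.merchant = merchant           # first approved charge binds the number
    vn.spent_cents += amount_cents   # later charges from the same merchant accumulate
    return "APPROVED"

def demo() -> list:
    """Replay a constructed sequence of charges against one number."""
    vn = VirtualNumber("0000-0000-0000-0000", date(2001, 3, 11), limit_cents=10_000)
    log = [
        authorize(vn, "bookstore", 4_000, date(2001, 3, 12)),   # first shipment
        authorize(vn, "bookstore", 3_000, date(2001, 3, 15)),   # second shipment
        authorize(vn, "other-shop", 1_000, date(2001, 3, 16)),  # number seen at another merchant
        authorize(vn, "bookstore", 5_000, date(2001, 3, 17)),   # would exceed the cap
        authorize(vn, "bookstore", 1_000, date(2001, 5, 1)),    # after expiry
    ]
    vn.cancelled = True              # cardholder cancels the number
    log.append(authorize(vn, "bookstore", 1_000, date(2001, 3, 18)))
    return log

if __name__ == "__main__":
    for line in demo():
        print(line)
```

A number leaked from one merchant's database is declined everywhere else, and the exposure at the bound merchant is limited by the cap and the expiry date.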
