halfbakery
Faster than a stationary bullet.
If anyone has seen the film "A Beautiful Mind", you may recall a scene where Russell Crowe opens a gate using a secret code imprinted on his forearm.
Now this is no ordinary secret code, as it is printed using some radioactive material that decays predictably over time, causing the numbers to change.
Perhaps having a Credit Card with a number that would change over time (say weekly) would make internet/phone (and regular) transactions more secure, as if your number fell into the wrong hands, it would soon enough become useless.
The way the numbers change would vary from card to card, and would be quite complex to prevent someone obtaining two numbers and then being able to work out the pattern.
Obviously this is not a foolproof method, but along with the usual security precautions, it should make transactions safer.
Amex disposable card numbers
http://news.com.com...28.html?legacy=cnet [theircompetitor]
Single-Use Credit Cards Fight Fraud
http://apnews.excit...0509/D82FA6600.html "...uses this randomly generated number - provided by his credit-card issuer, Citigroup Inc. - in place of his actual account information..." [theircompetitor, Oct 04 2004, last modified Oct 21 2004]
Single-Use Credit Cards Fight Fraud
http://apnews.excit...0509/D82FA6600.html "...uses this randomly generated number - provided by his credit-card issuer, Citigroup Inc. - in place of his actual account information..." [Klaatu, Oct 04 2004, last modified Oct 05 2004]

This is baked at least by Amex

Is it? My Dad has an American Express card, and the number on that is printed like a regular credit card (i.e. not able to change unless AMEX have developed some very exciting technology).
Would love to see a link.

Agree with [tabs]. I have a SecurID tag for work with a predictably changing number.

The trouble with the SecurID and [MikeOliver]'s idea is within the notion that the number must change predictably on the card and associated servers, otherwise it can't be recognised.

If it changes predictably then there's a pattern, which weakens the security, although I recognise that it might just be stronger than current solutions.

Surely biometrics are the way forward for credit card security.

[jon], I appreciate that this system would be breakable, but for one-off transactions over the internet, it would be a lot more secure (you'd need access to two consecutive numbers to work out the pattern).
Also by using a fairly complex formula for the number generation you would discourage the casual, opportunity fraudster. The professionals will get around most security, but the idea is to improve the situation, not completely solve the problem.

[mike] in which case I agree that this may help. Other bakers question whether it's been done before, but I'll leave it to them to prove that.

On the topic of biometrics vs. SecurID tokens: Biometrics are more predictable than cryptography. If your SecurID card token gets overheard, nothing bad happens. If your SecurID card gets stolen, you cancel it and get a new one. If the data of your iris scan or your fingerprint is copied, you're screwed, and you leave little copies of your "key" behind whenever you touch something or look into a camera.
Biometrics only work as access control in a supervised situation - it can double for the "people recognizer" part of a guard's brain. It doesn't work if there's nobody watching the biometric scanner.

The SecurID pattern changes as a predictable function of time and a key, but you can't predict the next pattern from the previous without knowing the key.

The current realistic solution for the poster's problem is one-time credit card numbers. It doesn't involve gadgetry, just software - you type in a code to a program, and the program gives you credit card numbers (e.g. for use over the Internet), usually pulling them from a database across the net at some point. Sometimes you can even specify how many times, for what amounts, or for how long a credit card number can be used.

If you don't have the end-to-end transaction with the card issuer, you'd probably need a larger number space than we currently have to make it more difficult to guess a number.

MikeOliver -- it's a software solution as jutta points out, and has been in existence since 2000 -- see link.

As to SecurID, the good news is that RSA now has modules for phones and berries, I believe, so you can get two factor without the separate dongle.

So as I understand it, you log onto the Amex site, enter some or all of your account details and are then furnished with a number you can use to make a purchase.
Now what is to stop your login details being stolen and a thief ordering CC numbers directly from the Amex site?
My idea means that people who fear their details being stolen online only risk losing a number that is due to expire in a few days.
Amex are using a different idea, similar to buying a gift voucher or a prepaid credit card (as posted recently, I forget who by), whereas I am suggesting a way of making a regular credit card more secure.

Also, [zanzibar], taking out a $1000 limit card is impractical because firstly who wants to lose $1000 (you must be very rich!), and secondly, the company will probably increase your limit after a wee while until you get to a point where even you and David Beckham can't afford to be ripped off!

You're using a secure protocol when logging onto the Amex site (unlike here at the halfbakery, where anyone could eavesdrop), and Amex protects its data (because they pay for it if they don't).

(In the US, if my credit card gets stolen, I suffer some inconvenience and may not have access to money for a short while, but in the end, the credit card company pays for the losses.
I understand that that's different in the rest of the world, where consumers pay for the losses. Is that still correct?)

Yeah, most CC companies will protect you if your details get ripped off, but it doesn't mean we should try to stop it happening!

My pal had his details stolen online, and he was covered, but there was a lot of hassle!

"unlike here at the halfbakery, where anyone could eavesdrop" - Well I'm not giving any of you my credit card details then!

How does your pal know the credit card details were stolen online?

// The SecurID pattern changes as a predictable function of time and a key, but you can't predict the next pattern from the previous without knowing the key. //

[jutta] would I be right in saying though that if you heard/received 2 (or more) numbers from a SecurID, then it would be possible to decrypt and predict future 'random' numbers? Just interested ...

Agree with you re: Biometrics.

The internet-based once use credit card number seems like a fairly secure way forward. In a way, I envisage it would be like raising a purchase order like you might do at work.

Log On
Choose company with which you are going to purchase goods
Enter credit card details and passwords or other secure identifiers
Receive unique credit card number (PO)
Give card number to vendor.

I think he only really used the card online... not 100% sure though, but that's what he told me.
Agreed one use cards are the only way to be totally safe, but the hassle of setting up may put people off!
I was trying to keep the convenience of CC shopping, but slightly increase security.

The technology is baked as rolling code for remote car entry systems. The card issues a new number from a looooong table of numbers each time you use it. The credit card company can track where in the table you are because their server and the card were synchronized when the card was issued. It is just a matter of setting a pointer in the table. Each time the server at the credit card company receives a number it updates its own pointer.

Since dealers don't always post the payment immediately the credit card company would accept numbers from a range around the current pointer. The car remote does this too because the pointers get slightly out of sync if you push the remote button while you are out of range.

Specific numbers show up many times in the table so it is not possible to use the number from a one-time payment to calculate where the pointer to the table is.

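The SecurID and rolling-code comments above describe the same mechanism, sketched here as an added example (not code from any poster, RSA or a card issuer): each code is a keyed function of a counter, and the verifier accepts a small window ahead of its pointer and then resynchronises. HMAC-SHA256 with HOTP-style truncation stands in for the "table"; the key, the window size and all names are assumptions, and this verifier only looks ahead of the pointer.

```python
import hashlib
import hmac
import struct

WEEK = 7 * 24 * 3600  # rotation period suggested in the original idea


def rolling_code(key: bytes, counter: int, digits: int = 8) -> str:
    """Code for one counter value: HMAC-SHA256 with HOTP-style truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # last nibble picks 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_counter(unix_time: int, period: int = WEEK) -> int:
    """Time-based variant: the counter is the number of elapsed periods."""
    return unix_time // period


class Verifier:
    """Issuer side: tracks the next expected counter (the 'pointer')."""

    def __init__(self, key: bytes, window: int = 3):
        self.key = key
        self.window = window  # how far ahead of the pointer a code may be
        self.pointer = 0

    def verify(self, code: str) -> bool:
        for c in range(self.pointer, self.pointer + self.window + 1):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.pointer = c + 1  # resync; older codes are now dead
                return True
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    issuer = Verifier(key)
    print(issuer.verify(rolling_code(key, 0)))   # fresh code
    print(issuer.verify(rolling_code(key, 0)))   # replay of the same code
    print(issuer.verify(rolling_code(key, 3)))   # card ran ahead, inside window
    print(issuer.verify(rolling_code(key, 50)))  # far outside the window
```

For the weekly-changing number in the original idea, the card and issuer would both call `rolling_code(key, time_counter(now))` instead of keeping a per-use pointer.
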
I really don't think this is necessary, well, at least not for internet transactions. Because when you type in your ##, it's protected by the best system to date. They take 2 huge prime numbers (20-30 digits), then multiply them together, getting an immensely huge number with a single factor pair! They had a contest to see how long it took to find it, it took the best entrant a year and a million dollars to crack it. They change the numbers thousands of times a day, so with present-day technology it's impossible to crack. Unless of course someone discovered how to factor huge numbers instantly, but that's prolly not happenin' anytime soon!

What if someone is able to view your number as you type it in, before it is encrypted?
Maybe that is a little paranoid, but obviously credit card numbers are getting stolen, or there wouldn't be a problem to solve...

// I really don't think this is necessary, well, at least not for internet transactions.//

The issue with Internet transactions isn't with someone snooping on the transactions (although that can happen), but rather it's whether the other company, or any employee thereof, does anything untoward with the information.

If someone logs into Amex or some other such entity to get a "one-time-use" credit card number which is authorized for $15, then even if the online retailer where one uses the card is a scamster, the most one can lose is $15, and one doesn't have to go through any hassles or arguments to keep losses to $15. By contrast, if one uses a "normal" credit card, a scamster can use the card to make all sorts of fraudulent purchases. To be sure, the cardholder would likely not be liable in the end, but would have to go through considerable hassle.

Why couldn't we use a system similar to the Novell password protection scheme, where if I remember right, the password itself is never sent over the network at all?

Almost like it was ripped from the headlines. <link>