Dear Interweb: Incremental improvement to credit/debit card security?

2009-10-06|11:30:07|12.34Many of us have fallen victim to credit/debit card fraud, either through operators illegally collecting the numbers of the cards they handle (the small fries) or through crackers breaking into credit card databases.

The question is: short of totally overhauling the system, is there any way security could be improved?

My (preliminary) ruminations on the topic yields the following:

Pre-authentication
For customers who opt-in, require texting the transaction amount (optionally +/- a given amount) for transaction (esp. above a certain amount) to be approved. Problem: SMS is not a secure medium. Using a smartphone, one could get around this (but then the proportion of customers covered will be much smaller), but given that data connectivity is not common (esp. in US and Asia), we’d still be limited to SMS.

If we care only about authentication, the cleartext plus its PGP signature would fit inside 160 chars, but if one wants to encrypt the content as well, it’s not possible.

e.g. for the cleartext

2009-10-06|11:30:07|12.34

(the timestamp is needed to prevent replay attacks. Yes, this is obviously not secure enough still, but the example is to illustrate the transmission size problem).

Signed, the signature takes 104 bytes. Plus the 26 bytes of the message, and a token separator, we get 131 bytes, within the limits. But what if the message is to stay private as well? Using GnuPG, I get a message size of 625 bytes. This could be split into multiple SMSes, but it’s not convenient.

Post-authentication
Have the card issuer send an SMS *after* an authorization request is received. We still have the transmission size problem above, but the issuer can choose to transmit less sensitive information — e.g. rather than the amount, transmit the merchant identifier. Still a privacy problem, and this will obviously not be popular on a busy check-out line. Also has the problem that to make it secure, you’d need a smartphone (to either decode the message, or verify the signature).

Secret code
There already are security mechanisms asking for the CVV/CVC code. Make it ask for a secret number instead, one that is settable by the customer.

But above all…
Raise the base level of authentication required! Some online vendors like Amazon still do not even verify the billing address (which is convenient, if one’s card is issued in a country like Indonesia, where for some reason address verification *never* works, but scary. Though, funnily, I haven’t gotten any card misused on Amazon. I *did* have one stolen card used on iTunes, so Apple’s authentication is obviously comparably weak).

Any other idea I’m missing, or any problem with the three schemes above that I have not noticed, let me know (comment or trackback) and I’ll update the post. Thanks!

Technorati Tags: , ,

2 responses to “Dear Interweb: Incremental improvement to credit/debit card security?

  1. I recommend reading Bruce Schneier for stuff like this. He has articles on credit card security throughout the archives. Google can help search things.

    • He does indeed, and I’ve read some of them. I guess the most annoying thing with debit cards is that, because the payment is deducted immediately, getting your money back is a much more onerous process.

      The One-Time Password post is particularly sweet. It really ought to be an option, at least for debit card users — I’d pay money for it.