This is an unfortunate follow-up to my posting a few days ago. This morning one of my credit card providers called because there had been a compromise of my credit card information by a third party. This can’t be Target, because (a) it was for a card I haven’t used in a few months and (b) I didn’t shop at Target during the period that has been publicly claimed as when they were breached. In fact, this is a card that (a) I phased out of usage about 6 months ago and (b) had been replaced because of a previous breach not long before that. Frustrating to say the least.
Of course I now have to contact the few parties who were still using that card for a recurring charge. I wasted a half-hour on the phone with the bank and I still have more time to waste cleaning things up. And they aren’t all websites, so phone calls will be required Monday morning. This one won’t be a biggie because of my previous phaseout, but it still will cost me an hour or two of time.
There are two things that would really help make this situation better, and neither necessarily involves “chip and pin” cards. The first is to give me a way to provide anyone with a unique (though potentially recurring for that specific merchant) credit card number tied to my account. Then an individual breach doesn’t have to impact any other merchant.
Note that single-use credit card numbers have been tried before with little success, but that was before the age of smartphones. And they literally were single use, rather than single merchant, making them unattractive for typical web usage scenarios. Now I could just have an app on my smartphone that gives me a unique credit card number. I could request it for Single Use or Single Merchant (Recurring Use) and then hand it out appropriately.
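To make the merchant-scoped idea concrete, here is an added example (not from the post or any issuer) of the issuer-side logic: one account mints many virtual numbers, each bound to a single merchant and marked single-use or recurring, so a number leaked by one merchant is useless elsewhere and can be revoked without touching the rest. The BIN prefix, merchant ids and class names are assumptions.

```python
import secrets
from dataclasses import dataclass

# Added example: merchant-bound virtual card numbers on top of one real account.
# "999999" is a constructed placeholder BIN, not a real issuer prefix.

def luhn_check_digit(payload: str) -> str:
    """Standard Luhn check digit so issued numbers look like real PANs."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

@dataclass
class VirtualCard:
    merchant_id: str   # the only merchant allowed to charge this number
    recurring: bool    # False means single use
    used: bool = False
    revoked: bool = False

class VirtualCardVault:
    """One real account; many merchant-bound numbers, each independently revocable."""
    def __init__(self) -> None:
        self.cards: dict[str, VirtualCard] = {}

    def issue(self, merchant_id: str, recurring: bool) -> str:
        payload = "999999" + "".join(secrets.choice("0123456789") for _ in range(9))
        pan = payload + luhn_check_digit(payload)
        self.cards[pan] = VirtualCard(merchant_id, recurring)
        return pan

    def authorize(self, pan: str, merchant_id: str) -> str:
        card = self.cards.get(pan)
        if card is None or card.revoked:
            return "declined:unknown_or_revoked"
        if card.merchant_id != merchant_id:
            return "declined:merchant_mismatch"   # a leaked number is useless elsewhere
        if not card.recurring and card.used:
            return "declined:already_used"
        card.used = True
        return "approved"

    def revoke_merchant(self, merchant_id: str) -> int:
        """After a breach at one merchant, kill only that merchant's numbers."""
        hit = [c for c in self.cards.values() if c.merchant_id == merchant_id]
        for c in hit:
            c.revoked = True
        return len(hit)
```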
For physical card use there is an alternate solution which is to use 2FA. You’d enable the feature with your bank in which case they wouldn’t approve the charge until you accepted it on your smartphone (via either an app or SMS). If this feature were enabled then they wouldn’t automatically force you to cancel and replace a card in case of a data breach.
There you have it. The current system is broken. Totally broken.
In theory you could use PayPal accounts for the single merchant card idea.
Say more? I’m no Paypal expert.
You can get a PayPal credit card (don’t know more about it though). So if you create a PayPal Account per merchant but connect them all to the same bank account to draw money from you could in theory create a system of one card per merchant but only one real bank account. Would be extremely complex and a pain to manage though.
Although if I remember correctly you can have an arbitrary number of email addresses associated with a Paypal account, so you could do an address per merchant. But that is super-painful, unless Paypal wants to implement their own virtual email address scheme 🙂
With a bit of work if PayPal was smart they could do it 🙂
Bitcoin addresses are nice this way: a different address for every merchant and/or transaction.
>>> For physical card use there is an alternate solution which is to use 2FA. You’d enable the feature with your bank in which case they wouldn’t approve the charge until you accepted it on your smartphone (via either an app or SMS). <<<
2FA won't solve it, either. Thousands of phones are lost and stolen every day. I've even had my PO Box robbed before — and it was done by "insiders" at the USPS (they hit 20+ mailboxes at one station — and they knew which ones to hit.)
Plus, your phone probably has a military IP address. The government wanted to use your credit card; and, make you pay for it like a good little slave.
SOLUTION: Whatever happened to "signatures?" Forgery is a felony. Today… not anymore. Why do you have a signature card at a bank? Is it an agreement to be a slave? Or, is it supposed to be used as a model signature for verification?
I know what it used to be for. People, today, are clueless.
Signatures are stolen every day as well.
Phones are fine for 2FA under a set of conditions, such as requiring an unlock code (or fingerprint) and wiping the phone when it is not entered properly.
Signatures are meaningless and can be forged just as easily, if not more easily, than any other option. I know someone who bought a house by cutting and pasting his wife’s signature on documents, with her permission of course.
Signatures used to be in ink.
30+ years ago, my grandfather was right when he told me, “Your signature is the most valuable asset you will ever have in this world.”
He was right. You can enslave yourself with your signature. Or, you could even sell your children and disown your inheritance.
That’s why I *laugh* every time someone wants me to sign one of those electronic signature gadgets. Being a software developer makes me an ‘elitist’ because I know those ‘signatures’ are stored on disk somewhere. I watch all those ‘clueless’ people diligently signing those things with their best handwriting with such diligence that all I can do is — SMILE.
How do I sign those things? SCRIBBLE. My “real signature” is only in ink.
Anyone walks into a courtroom and wants to ‘push’ some BS signature to a judge… All you gotta do is claim forgery.
The situation is of ‘our’ own making — as software developers. Banks got what they deserved. Software developers substantially caused it. We “sold” them on computer security — fraudulently.
I can even remember arguing with the chief counsel (and winning the argument) of a company I worked for (a Fortune company) when it first used SSNs as identifiers for enrollment in the new company health plan back in about 1990, for the very reason(s) we are having this discussion here on your board.
Call me a prophet.
Oh, I refused to give my college my SSN in 1974 because I didn’t want it as my SSN. But forgery was big in 1974, 1874, 1774,….
Again, repeating myself, “forgery” today is virtually non-existent.
However, an “unauthorized use” of a credit card or even SSN ***may*** be a misdemeanor.
ID Theft happens by the millions now. That ONE (1) Heartland Payment Systems heist by Arthur Gonzales was over 20 million IDs/CCs/SSNs. HE WAS ON SECRET SERVICE PAYROLL WHEN HE DID IT. He got 20 years… but, he still claimed sovereign immunity. How many SS officers also profited; but, threw Arthur under the bus?
Now, look at Microsoft Outlook.Com… and how it can “scan” your emails for things like CCs and SSNs. How many closet criminals work in the server rooms at MS? (This is one of many examples. What about MS or Google employees in China or India?)
Food for thought.
Correction: Albert Gonzalez.
>>> Phones are fine for 2FA under a set of conditions, such as requiring an unlock code (or fingerprint) and wiping the phone when it is not entered properly. <<<
Watch the movie, "Gattaca." Fingerprints don't work, either. The ONLY thing that is uniquely yours is your signature [it can't be stolen; but, a REALLY GOOD forger can forge it]; and, blood DNA [can be stolen every time you donate blood].
Wanna sign everything in blood? How about a phone that pricks your finger and extracts blood and performs DNA analysis? A "card" is state-owned property [containing a serial number] that can be stolen. Hence, "ID Theft" means that someone stole your ID card… or your blood bag from United Way.
Or, we can tattoo everyone like Adolf Hitler did to the Jews. Your skin can't be stolen. [Chips can be copied just like a credit card magnetic strip.]
I think that was the purpose of the XBOX One. Shall we play Tic-Tac-Toe? Or Call of Duty? Ballmer tried to turn Windows into an XBOX.
I wonder how many companies want to turn their number-crunching business systems into entertainment devices? We already know the average consumer wants an entertainment device; not a computer.