This is an unfortunate follow-up to my posting a few days ago. This morning one of my credit card providers called because there had been a compromise of my credit card information by a third party. This can’t be Target, because (a) it was for a card I haven’t used in a few months and (b) I didn’t shop at Target during the period that has been publicly claimed as when they were breached. In fact, this is a card that (a) I phased out of usage about 6 months ago and (b) had been replaced because of a previous breach not long before that. Frustrating to say the least.
Of course I now have to contact the few parties who were still using that card for a recurring charge. I wasted a half-hour on the phone with the bank and I still have more time to waste cleaning things up. And they aren’t all websites, so phone calls will be required Monday morning. This one won’t be a biggie because of my previous phaseout, but it still will cost me an hour or two of time.
There are two things that would really help make this situation better, and neither necessarily involves “chip and pin” cards. The first is to give me a way to provide anyone with a unique (though potentially recurring for that specific merchant) credit card number tied to my account. Then an individual breach doesn’t have to impact any other merchant.
Note that single-use credit card numbers have been tried before with little success, but that was before the age of smartphones. And they literally were single use, rather than single merchant, making them unattractive for typical web usage scenarios. Now I could just have an app on my smartphone that gives me a unique credit card number. I could request it for Single Use or Single Merchant (Recurring Use) and then hand it out appropriately.
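A minimal sketch of the single-use versus single-merchant numbers described above, added here as an illustration and not taken from any bank's system. The `Issuer` class, the `999999` prefix, the account label and the merchant names are constructed assumptions.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

class Issuer:
    """Toy issuer-side vault: many virtual numbers, one real account."""
    PREFIX = "999999"  # constructed prefix, not a real issuer range

    def __init__(self):
        self.tokens = {}  # virtual number -> binding record

    def issue(self, account, merchant, single_use=False):
        body = self.PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
        number = body + luhn_check_digit(body)
        self.tokens[number] = {"account": account, "merchant": merchant,
                               "single_use": single_use, "active": True}
        return number

    def authorize(self, number, merchant):
        t = self.tokens.get(number)
        if t is None or not t["active"]:
            return "declined: unknown or revoked number"
        if t["merchant"] != merchant:
            return "declined: not issued for this merchant"
        if t["single_use"]:
            t["active"] = False  # burn after first approved charge
        return "approved"

    def revoke_merchant(self, merchant):
        """Breach response: cancel only the numbers given to that merchant."""
        hit = [t for t in self.tokens.values() if t["merchant"] == merchant and t["active"]]
        for t in hit:
            t["active"] = False
        return len(hit)

if __name__ == "__main__":
    bank = Issuer()
    gym = bank.issue("acct-1", "gym", single_use=False)      # recurring charge
    shop = bank.issue("acct-1", "webshop", single_use=True)  # one purchase
    print(bank.authorize(gym, "gym"), "|", bank.authorize(gym, "other-store"))
    print(bank.authorize(shop, "webshop"), "|", bank.authorize(shop, "webshop"))
    print(bank.revoke_merchant("webshop"), bank.authorize(gym, "gym"))
```

A number copied from one merchant's database is declined everywhere else, and revoking it leaves the numbers held by other merchants working, so only one recurring charge has to be set up again.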
For physical card use there is an alternate solution, which is to use 2FA. You’d enable the feature with your bank, in which case they wouldn’t approve the charge until you accepted it on your smartphone (via either an app or SMS). If this feature were enabled then they wouldn’t automatically force you to cancel and replace a card in case of a data breach.
There you have it. The current system is broken. Totally broken.