Card transactions by proxy

Jim Murray crypto at digitaldaemons.co.uk
Sun Apr 3 13:36:53 BST 2011


On 4/3/2011 11:44 AM, Tony Naggs wrote:
> My banks already have my mobile
> phone number which they use to query suspicious transactions. There has
> got to be a better way of securing banking transactions.

I believe there is, unless someone with more knowledge than I have can 
see some fundamental flaw in my logic. I'm talking specifically about 
'customer not present' transactions, which are a significantly higher 
risk for fraud.

Enter our friend, the mobile phone. Almost everyone has one, or at the 
very least access to a landline on which they can be contacted. As I see 
things, the contact number - mobile or landline - for a customer is 
already known to the bank. To authenticate a 'customer not present' 
transaction, the bank simply sends an automated message (text or voice; 
I personally think voice would be preferable from a security viewpoint - 
it's harder to hijack voice calls with malware) to the cardholder's 
contact number. For example, a transaction for 20.00 on website 
example.com would generate the following message:

"To confirm your payment of 20.00 to example.com please say the last 
four digits of your card number and the following authorization code 
after this message has ended. To decline the payment just say DECLINED 
or hang up. Your code is (random multi-digit code, specific to the 
transaction)"

It is by no means a bulletproof scheme - no such thing exists nor will 
it ever exist. Retailers, particularly web-based retailers with 'instant 
fulfillment' won't like it because it will slow down their processing 
times. The upside is that card fraud should decrease significantly. 
Cardholders may or may not like it - I suppose that depends on 
individual preference as much as anything else. There are issues, such 
as what happens when the phone can't be reached or when there is no 
reply (allow the retailer to retry later or continue the transaction at 
the retailer's risk would be my choices) and probably others I haven't 
considered but overall it seems easier than the whole 'Verified by 
Visa/3dSecure/SecureCode' mess.

Stealing card details becomes pointless once a real-time authentication 
system like this is in place. You'd need to steal the card details AND 
the right phone AND you'd need to use them before the owner discovered 
their property was gone. If you are going to do that, you're talking far 
more than just card fraud...

Jim Murray.
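The bank-side half of the scheme described in this message, as an added example that is not part of the original post: a per-transaction one-time code is generated and spoken to the cardholder, the reply (last four digits plus code, or DECLINED) is checked with a single-use, time-limited, attempt-capped comparison, and the two fallbacks Jim lists for an unreachable phone (retry later, or continue at the retailer's risk) are exposed as a policy choice. Transaction ids, the 6-digit code length, the 120-second validity window and the sample card number are assumptions, not anything from the post.

```python
import secrets
import time
from dataclasses import dataclass
from hmac import compare_digest

@dataclass
class Pending:
    last4: str          # last four digits of the card presented
    code: str           # one-time code bound to this transaction only
    created: float
    attempts: int = 0

class ConfirmationService:
    def __init__(self, ttl=120.0, max_attempts=3, clock=time.time):
        self.pending = {}                 # txn_id -> Pending
        self.ttl, self.max_attempts = ttl, max_attempts
        self.clock = clock                # injectable so tests can control time

    def start(self, txn_id, amount, merchant, card_number):
        """Generate the per-transaction code; return the message spoken to the customer."""
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[txn_id] = Pending(card_number[-4:], code, self.clock())
        return (f"To confirm your payment of {amount} to {merchant} please say the last four "
                f"digits of your card number and the following authorization code. To decline "
                f"the payment just say DECLINED or hang up. Your code is {code}")

    def _finish(self, txn_id, result):
        del self.pending[txn_id]          # a code is usable exactly once
        return result

    def answer(self, txn_id, response):
        """response is the spoken reply: '<last4> <code>' or 'DECLINED'."""
        p = self.pending.get(txn_id)
        if p is None:
            return "UNKNOWN"
        if self.clock() - p.created > self.ttl:
            return self._finish(txn_id, "EXPIRED")
        if response.strip().upper() == "DECLINED":
            return self._finish(txn_id, "DECLINED")
        parts = response.split()
        # both secrets must match; compare_digest avoids leaking where a mismatch is
        if len(parts) == 2 and (compare_digest(parts[0].encode(), p.last4.encode())
                                & compare_digest(parts[1].encode(), p.code.encode())):
            return self._finish(txn_id, "APPROVED")
        p.attempts += 1                   # cap guesses against the 6-digit code
        return self._finish(txn_id, "LOCKED") if p.attempts >= self.max_attempts else "RETRY"

    def no_reply(self, txn_id, retailer_accepts_risk):
        """Phone unreachable or call unanswered: retry later or continue at retailer's risk."""
        if self.pending.pop(txn_id, None) is None:
            return "UNKNOWN"
        return "CONTINUE_AT_RETAILER_RISK" if retailer_accepts_risk else "RETRY_LATER"
```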


