Card transactions by proxy
crypto at digitaldaemons.co.uk
Sun Apr 3 13:36:53 BST 2011
On 4/3/2011 11:44 AM, Tony Naggs wrote:
>My banks already have my mobile
> phone number which they use to query suspicious transactions.There has
> got to be a better way of securing banking transactions.
I believe there is, unless someone with more knowledge then I have can
see some fundamental flaw in my logic. I'm taking specifically about
'customer not present' transactions, which are a significantly higher
risk for fraud.
Enter our friend, the mobile phone. Almost everyone has one, or at the
very least access to a landline on which they can be contacted. As I see
things, the contact number - mobile or landline for a customer is
already known to the bank. To authenticate a 'customer not present'
transaction, the bank simply sends an automated message (text or voice,
I personally think voice would be preferable from a security viewpoint -
it's harder to hijack voice calls with malware) to the cardholder's
contact number. For example, a transaction for 20.00 on website
example.com would generate the following message :
"To confirm your payment of 20.00 to example.com please say the last
four digits of your card number and the following authorization code
after this message has ended. To decline the payment just say DECLINED
or hang up. Your code is (random multi-digit code, specific to the
It is by no means a bulletproof scheme - no such thing exists nor will
it ever exist. Retailers, particularly web-based retailers with 'instant
fulfillment' won't like it because it will slow down their processing
times. The upside is that card fraud should decrease significantly.
Cardholders may or may not like it - I suppose that depends on
individual preference as much as anything else. There are issues, such
as what happens when the phone can't be reached or when there is no
reply (allow the retailer to retry later or continue the transaction at
the retailer's risk would be my choices) and probably others I haven't
considered but overall it seems easier than the whole 'Verified by
Stealing card details becomes pointless once a real-time authentication
system like this is in place. You'd need to steal the card details AND
the right phone AND you'd need to use them before the owner discovered
their property was gone. If you are going to do that, you're talking far
more than just card fraud....
More information about the ukcrypto