You can't trust consumers to protect themselves

credit cardsWhatever happened to disposable credit card numbers? They're a great idea and they can work really well, but few banks offer them and even those don't push them really hard. The problem is users: To use these numbers, users would have to think about their own security.

Almost every security proposal, especially the really broad ones, has an element of user education in it. "We've got to train users to look for these things and avoid them" or something to that effect. Many security experts will sigh and tell you that it's like teaching math to your dog. Not only will they not learn it, they don't even get the point.

A good example of this is disposable credit card numbers, which are known by a number of other names in the industry: virtual credit card numbers, single-use accounts, temporary card numbers, etc. The idea is that when you shop online (or on the phone I guess, but who does that anymore?), instead of using your actual card number, you go to the bank site and generate a disposable number and CVV code and give it a specific credit limit. So if you buy a $100 item you give it a $100 credit limit.

If that credit card number is compromised by LulzSec or some other gang of cybercriminals (they should all be prosecuted to the fullest extent of the law), all they have is a useless number with no credit on it. It's perfect for the data breach problem.

I think it's a cool idea and I wondered why you don't hear about it from banks. My credit cards don't offer it. I did some research and found a couple offerings: Bank of America's ShopSafe and Citi Single-Use Accounts (commercial cards only). But there are more examples of banks dropping them, including Citi. PayPal used to offer such a card, but dropped it a couple years ago. I contacted both PayPal and Citi and got no response.

There are plenty of crime scenarios that disposable numbers don't address: Malware on your computer is the most obvious one, as is phishing where you are tricked into providing a number. There are also buying circumstances that are tough for them: If you buy tickets online for a theater you usually have to produce the card to pick them up. Same with checking into a hotel or getting a rental car. You lose the convenience of sites like Amazon saving your credit card info so you don't have to enter it every time. And then there are recurring expenses: Is your ISP service or something else on a monthly recurring charge to your credit card? Doesn't work with disposables because of the way the credit limit works.

There is one report I saw of a problem which would make the cards unacceptable, but it's from 3 years ago and involved Citi, who's no longer in the business. This guy claimed that you could charge beyond the credit limit for the disposable number and that Citi told him it was his job to monitor his statement for overcharges. Bogus, if true, but I haven't heard it elsewhere and I wouldn't assume other banks make the same error.

But even with all these problems, the fact that it solves the data breach problem is significant. And while there are circumstances where virtual card numbers don't work well, there are others where they do.

I had a Citi card with disposable numbers many years ago and thought it was really cool, although it was a bit awkward having to go to the site to generate a number, remember the number (I probably copied and pasted it somewhere) and then make your purCiti. E-commerce sites are designed to make it easy to buy.

This, I think, is the real problem with these cards and the reason why banks have been abandoning them. They're too much work for the customer. Even explaining the concept, where they are good to use and where they aren't, is a challenge for most customers. If there were some way to make it really easy, like making "BigBank Virtual Credit Card" a payment option, at which point you could be redirected to the BigBank site, maybe that would work, but it raises its own security issues.

It's stories like this that make me pessimistic about consumer security. You can imagine systems which would be secure enough that you could trust consumers with them. But secure systems that consumers would put up with? My imagination isn't that good.

Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.

© 1998-2020 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.