Credit card “security”
Monday, December 16, 2013 @ 9:55pm

Your credit card is a token, one that is used to:

- Prove your identity to the merchant
- Confirm your intent to process a transaction
- Identify your source of funding

We have many protocols that can do all of this and more with a high level of security; it’s trivial to name half a dozen. None of them require you to give your full plaintext credentials to a third party – although that’s exactly what happens every time you use your credit card. You have to give every merchant a complete list of every bit of information that is required to process transactions against your account – or else they can’t process the transaction. Those credentials remain static for several years, and by design they are handed to several thousand anonymous strangers (known only by their participation in the system) over their lifetime.

Multi-year credentials for financial authorization that are, by design, shared with any participant in the system. Does this sound broken yet?

Seriously, why are we still using credit card numbers? Why don’t we have smartcards containing a megabyte of pre-programmed single-use card numbers (that’s a LOT of card numbers!) that we pull up once and throw away? Or some kind of signature algorithm: put a public key on the card and sign the transaction electronically?
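To make the difference concrete, here is an added simulation (not code from the original post) of the "sign the transaction on the card" idea. It uses a keyed MAC over the transaction fields with a key shared only between card and issuer, which is the approach EMV's ARQC cryptogram actually takes, rather than a public-key signature; the point is the same: the merchant only ever sees a one-shot authorization bound to this counter, this merchant and this amount, so capturing it yields nothing reusable. The class and function names (Card, Issuer, authorize, verify, demo), the account reference "acct-7f3a", the merchant ids and the static PAN used for contrast are all constructed for the example.

```python
import hmac
import hashlib
import os

# All names here (Card, Issuer, authorize, verify, demo) are hypothetical,
# chosen for this example; the account reference, merchants and PAN below
# are constructed sample data.


def transaction_bytes(card_ref: str, counter: int, merchant_id: str,
                      amount_cents: int) -> bytes:
    # Fixed field order and separator so the MAC covers every field unambiguously.
    return f"{card_ref}|{counter}|{merchant_id}|{amount_cents}".encode()


class Card:
    """Simulated smartcard: a key that never leaves the card plus a transaction
    counter. Each purchase produces one cryptogram bound to that purchase."""

    def __init__(self, card_ref: str, master_key: bytes):
        self.card_ref = card_ref        # opaque account reference, not a PAN
        self._master_key = master_key   # shared only with the issuer
        self.counter = 0

    def authorize(self, merchant_id: str, amount_cents: int) -> dict:
        self.counter += 1
        msg = transaction_bytes(self.card_ref, self.counter, merchant_id, amount_cents)
        cryptogram = hmac.new(self._master_key, msg, hashlib.sha256).hexdigest()[:16]
        # The merchant forwards this record to the issuer. Nothing in it lets
        # the merchant (or an eavesdropper) authorize a different transaction.
        return {"card_ref": self.card_ref, "counter": self.counter,
                "merchant": merchant_id, "amount": amount_cents,
                "cryptogram": cryptogram}


class Issuer:
    """Holds each card's key and the highest counter it has accepted."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enroll(self, card_ref: str, master_key: bytes) -> None:
        self._keys[card_ref] = master_key
        self._last_counter[card_ref] = 0

    def verify(self, record: dict) -> tuple:
        key = self._keys.get(record["card_ref"])
        if key is None:
            return False, "unknown card"
        msg = transaction_bytes(record["card_ref"], record["counter"],
                                record["merchant"], record["amount"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        # Constant-time compare; any altered field changes the expected MAC.
        if not hmac.compare_digest(expected, record["cryptogram"]):
            return False, "bad cryptogram"
        # Counter must strictly advance, so a captured record is single-use.
        if record["counter"] <= self._last_counter[record["card_ref"]]:
            return False, "replay"
        self._last_counter[record["card_ref"]] = record["counter"]
        return True, "approved"


def static_pan_verify(known_pans: set, pan: str) -> bool:
    """The status quo: whoever holds the static number is authorized, every time."""
    return pan in known_pans


def demo() -> dict:
    issuer = Issuer()
    key = os.urandom(32)
    card = Card("acct-7f3a", key)
    issuer.enroll("acct-7f3a", key)

    results = {}
    record = card.authorize("merchant-A", 4999)
    results["genuine"] = issuer.verify(record)          # (True, "approved")

    # Merchant A, or anyone who captured the record, submits it a second time.
    results["replay"] = issuer.verify(record)           # (False, "replay")

    # Merchant A raises the amount but cannot recompute the cryptogram.
    tampered = dict(record, amount=49900)
    results["tampered"] = issuer.verify(tampered)       # (False, "bad cryptogram")

    # A second merchant reuses everything it saw to invent a new purchase.
    forged = dict(record, counter=record["counter"] + 1, merchant="merchant-B")
    results["forged"] = issuer.verify(forged)           # (False, "bad cryptogram")

    # Constructed static PAN for contrast: replay is indistinguishable from use.
    pans = {"4111111111111111"}
    results["static_replay"] = (static_pan_verify(pans, "4111111111111111")
                                and static_pan_verify(pans, "4111111111111111"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

The issuer-side checks are deliberately ordered MAC first, counter second, so a forged record is rejected before it can influence replay state. A real deployment would also need a tolerance window for counters that arrive out of order, and a public-key variant would let any party verify the authorization without holding the card's secret; neither changes the core property the post is asking for, which is that the merchant never receives a credential it could use again.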