2006/10/26
remote payment security
Credit cards. Epitome of security by obscurity? It isn’t even much obscurity. Whoever gets hold of a card, or simply memorizes what is printed on it, can pretty much do anything until the account is suspended. I guess banks run fraud-detection algorithms, but still they, and therefore we, absorb the cost of fraud. Fighting fraud: it’s what Paypal says it spends its R&D dollars on.
Credit card number, name, billing address and expiration date are all informational, so I don’t know how they have come to be used as “secrets” for a secure transaction. Seems like a terrible idea. Then there is the 3-digit CVV code. Would somebody mind explaining its utility to me? How do 3 more digits prevent fraud? (They are printed on the card just like the front-side numbers, and they too must be disclosed during a transaction.)
There exists technology, but little infrastructure, for authenticating and trusting the remote host (or person — phone orders are even worse). For online transactions, banks have come up with at least two augmentations to the standard procedure to try to plug the hole. One involves password verification directly with the bank’s web site. Another is to issue single-use credit card numbers. Four soundbites ensue: Inelegant! Ad hoc! Not standardized! Unsatisfactory!
But this is moving in the right direction.
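To make the single-use-number idea concrete, here is a toy issuer model, added as an example for this post and not describing any real bank’s scheme: the issuer mints a Luhn-valid virtual number tied to a real account with a spending cap, and an authorization is honoured exactly once. Every name here (the issuer class, the BIN prefix, the spending cap) is an assumption made for illustration; the only real piece is the Luhn check digit that card numbers carry.

```python
"""Toy model of issuer-side single-use card numbers.

Added example for illustration; not the code of any bank or payment network.
The Luhn routines are the standard card-number checksum; everything else
(Issuer, the BIN prefix, the one-shot authorization) is an assumed toy design.
"""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial` + digit pass the Luhn check."""
    total = 0
    # The check digit will sit at the rightmost position, so the rightmost
    # digit of `partial` is the first one that gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` (digits only) passes the Luhn checksum."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right, excluding the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Issuer:
    """Assumed toy issuer: maps virtual PANs to real accounts, one use each."""

    def __init__(self, bin_prefix: str = "400000"):  # hypothetical BIN
        self.bin_prefix = bin_prefix
        self.virtual = {}  # virtual PAN -> {"account", "limit", "used"}

    def mint(self, account: str, limit_cents: int) -> str:
        """Create a fresh 16-digit single-use number for `account`."""
        body = self.bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(9))
        pan = body + luhn_check_digit(body)
        self.virtual[pan] = {"account": account, "limit": limit_cents, "used": False}
        return pan

    def authorize(self, pan: str, amount_cents: int) -> str:
        """Decide a merchant's authorization request against the virtual PAN."""
        if not luhn_valid(pan):
            return "DECLINED: malformed number"
        entry = self.virtual.get(pan)
        if entry is None:
            return "DECLINED: unknown number"
        if entry["used"]:
            # Replaying a number the merchant (or a thief) already saw buys nothing.
            return "DECLINED: number already used"
        if amount_cents > entry["limit"]:
            return "DECLINED: over limit"
        entry["used"] = True
        return "APPROVED for account " + entry["account"]


if __name__ == "__main__":
    issuer = Issuer()
    pan = issuer.mint("acct-1234", limit_cents=5000)  # constructed sample account
    print(pan, issuer.authorize(pan, 4200))   # approved once
    print(pan, issuer.authorize(pan, 4200))   # replay is declined
```

The point the toy makes is that the number a merchant sees is worthless after the first authorization, so a leaked order database or a skimmed copy no longer equals an open account; the real account identifier never leaves the issuer.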
Many are grossly concerned with computer security and wireless channel security. Some are paranoid to the degree that nothing short of provably secure is acceptable for transmitting a few worthless bits that in reality nobody cares about. But we seem to settle for the foundational insecurity that underlies any kind of current remote payment using credit cards. Apparently managed insecurity is accepted, even if it deals with money, about which people should actually care. That’s a strange social phenomenon.