'Virtual Card' Offers Online Security Blanket

Anne & Lynn Wheeler lynn at garlic.com
Sat Oct 1 11:29:06 EDT 2005


http://www.washingtonpost.com/wp-dyn/content/article/2005/09/30/AR2005093001679.html

Offered to holders of Citi, Discover and MBNA cards, these "virtual
credit cards," or single-use card numbers, are designed to give some
peace of mind to consumers concerned about credit card fraud.

... snip ...

when we were doing x9.59 ... some observed that during any transition
period, groups of people would require two account numbers and claimed
there weren't enough available numbers in the account number space to
support that. the issue is that x9.59 has a business requirement that
account numbers used in x9.59 transactions can only be used in strongly
authenticated transactions ... and can't be used in other kinds of
transactions. x9.59 account numbers obtained through skimming, phishing,
data breaches, etc. ... then can't be turned around and used in ordinary
transactions that aren't strongly authenticated
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

in any case, single-use account numbers also address the issue of re-use
of account numbers from skimming and data breaches (i.e. places where
they might normally be obtained because of the wide-spread requirement for
access to account numbers by normal business practices). they are less
effective against phishing attacks, which may involve as-yet-unused
account numbers. in any case, single-use account numbers could be
considered a much more profligate use of account number space ... than
x9.59.

recent post somewhat related to security proportional to risk
http://www.garlic.com/~lynn/2005r.html#7 DDJ Article on "Secure" Dongle
and long standing example
http://www.garlic.com/~lynn/2001h.html#61

aka there are various scenarios that effectively only need knowledge of
the account number to perform fraudulent transactions ... and the
account number has to be widely and readily available because of its use
in a broad range of standard business processes. because of the broad
range of business processes requiring availability of the account number
... it is difficult to secure it using "privacy" or "confidentiality"
... aka from security PAIN acronym

P ... privacy
A ... authentication
I ... integrity
N ... non-repudiation

application of cryptography technology for privacy/confidentiality
security isn't a very effective solution because of the wide-spread
requirement for account number availability in numerous business
processes. X9.59 approach was to apply *authentication security* (in
lieu of *privacy security*) as a solution to fraudulent mis-use of
account numbers obtained from skimming, phishing, data breaches, etc.
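The three authorization models compared in the post (conventional numbers, x9.59-style numbers that are only valid in strongly authenticated transactions, and single-use numbers), as an added worked example that is not part of the original post or of the X9.59 standard. It is a toy issuer in Python; the "signature" is an HMAC under a per-account key shared between cardholder and issuer, a stand-in for the public-key signature X9.59 actually uses, and the transaction fields, nonce-based replay check and 16-digit number generator are constructed for the example.

```python
import hashlib
import hmac
import secrets


def canonical(txn):
    """Deterministic byte encoding of the transaction fields being authenticated."""
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn)).encode()


def sign(key, txn):
    """Cardholder-side 'signature' (HMAC stand-in for an X9.59 public-key signature)."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()


def new_pan():
    """Fresh 16-digit account number (no check digit, just a distinct identifier)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(16))


class Issuer:
    def __init__(self):
        self.accounts = {}      # pan -> {"kind": "conventional"|"x959", "key": bytes|None}
        self.single_use = {}    # temporary pan -> {"account": real pan, "used": bool}
        self.seen = set()       # (pan, nonce) already authorized, for replay detection
        self.numbers_allocated = 0   # how much of the number space each model burns

    def open_account(self, kind):
        pan = new_pan()
        key = secrets.token_bytes(32) if kind == "x959" else None
        self.accounts[pan] = {"kind": kind, "key": key}
        self.numbers_allocated += 1
        return pan

    def issue_single_use(self, account_pan):
        """One-time number mapped onto a conventional account: one number per purchase."""
        temp = new_pan()
        self.single_use[temp] = {"account": account_pan, "used": False}
        self.numbers_allocated += 1
        return temp

    def authorize(self, txn, signature=None):
        pan = txn["pan"]
        if pan in self.single_use:
            slot = self.single_use[pan]
            if slot["used"]:
                return "declined: single-use number already spent"
            slot["used"] = True                 # usable exactly once, signed or not
            return "approved"
        acct = self.accounts.get(pan)
        if acct is None:
            return "declined: unknown account"
        if acct["kind"] == "conventional":
            return "approved"                   # knowledge of the number is sufficient
        # x9.59-style number: only valid inside a strongly authenticated transaction,
        # so a number lifted from a merchant database, a phish, or a breach is useless.
        if signature is None:
            return "declined: x9.59 number requires an authenticated transaction"
        if not hmac.compare_digest(signature, sign(acct["key"], txn)):
            return "declined: bad signature"
        if (pan, txn["nonce"]) in self.seen:
            return "declined: replay"
        self.seen.add((pan, txn["nonce"]))
        return "approved"


def run_scenarios():
    """Replays the attacks the post discusses; returns {scenario: issuer response}."""
    issuer = Issuer()
    r = {}
    # Conventional number skimmed from a merchant: knowing it is enough to spend.
    conv = issuer.open_account("conventional")
    r["skimmed conventional"] = issuer.authorize(
        {"pan": conv, "amount": "49.99", "merchant": "attacker", "nonce": "a1"})
    # x9.59 number skimmed: without the cardholder's key it cannot be spent.
    x959 = issuer.open_account("x959")
    r["skimmed x959, no signature"] = issuer.authorize(
        {"pan": x959, "amount": "49.99", "merchant": "attacker", "nonce": "b1"})
    # Legitimate signed transaction, then replay and tampering by an eavesdropper.
    key = issuer.accounts[x959]["key"]          # held by the cardholder's device in reality
    txn = {"pan": x959, "amount": "12.00", "merchant": "grocer", "nonce": "c1"}
    sig = sign(key, txn)
    r["x959 signed"] = issuer.authorize(txn, sig)
    r["x959 replay"] = issuer.authorize(txn, sig)
    r["x959 tampered"] = issuer.authorize(dict(txn, merchant="attacker", nonce="c2"), sig)
    # Single-use number: dead once spent, but one phished before use still works.
    temp1 = issuer.issue_single_use(conv)
    issuer.authorize({"pan": temp1, "amount": "20.00", "merchant": "grocer", "nonce": "d1"})
    r["single-use replay"] = issuer.authorize(
        {"pan": temp1, "amount": "20.00", "merchant": "attacker", "nonce": "d2"})
    temp2 = issuer.issue_single_use(conv)       # phished before the cardholder used it
    r["phished unused single-use"] = issuer.authorize(
        {"pan": temp2, "amount": "20.00", "merchant": "attacker", "nonce": "d3"})
    r["numbers allocated"] = issuer.numbers_allocated
    return r


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:32} {outcome}")
```

The number-space point falls out of the counter: the x9.59 account spends three transactions on one number, while the single-use account consumed a fresh number for every purchase, which is the "profligate use of account number space" the post refers to.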

---------------------------------------------------------------------
The Cryptography Mailing List