Card Seem at Risk? Try a Stunt Double

R. A. Hettinga rah at
Sun May 16 05:48:03 PDT 2004


The New York Times

May 16, 2004

Card Seem at Risk? Try a Stunt Double

FTER days of searching the Internet, Gen Tanabe of Palo Alto, Calif., found
the rare 19th-century memoir he wanted to buy for his father for Christmas
last year. But he had no intention of giving the Web site his credit card

"The site looked like it might have been run by a teenager in a back room,"
said Mr. Tanabe, who writes books about college planning and financial aid.
"I didn't know how secure it was, or what they would do" with the number.

 Online vendors typically encrypt credit card numbers at their Web sites,
but the numbers must be decoded later to receive payment. And they are
often stored in databases that may be vulnerable to hackers or dishonest
employees long after the purchase.

 What if there was a way to fool those who would try to fool us, so that
purchases could be made online without any danger of card numbers falling
into the wrong hands? A few companies are trying such a plan: think of it
as the stunt-double approach to online shopping.

 Anyone with a credit card from Citibank,  MBNA or Discover can request a
temporary account number for use when buying online, by telephone or mail
order. The temporary numbers are linked to customers' real accounts, but
they generally expire after one use, unless the cardholder requests
otherwise - for example, by placing a spending limit on the number.

 Cardholders can get these numbers in one of two ways, depending on their
issuer. They can download software that generates such numbers upon request
or upon detecting that a cardholder is at the checkout page of an online
retailer. Or, in the case of Citibank, which is owned by  Citigroup, they
can also register online, then revisit the company's site each time they
want a new number.

 To avoid giving his real card number to that small online bookstore, Mr.
Tanabe, 32, used a temporary number to buy the present for his father. "I
probably wouldn't have bought it otherwise," he said.

 The temporary numbers can also prevent retailers from renewing purchases
like magazine subscriptions or gym memberships without issuing reminders.
Many customers forget that vendors may automatically charge their
customers' credit cards for such recurring fees.

Fraud remains a big concern for many online shoppers. In a survey of 12,000
consumers at the end of 2003,  Forrester Research, based in Cambridge,
Mass., found that about two-thirds were "very or extremely concerned" about
the theft of their credit card numbers during online activity.

Chris Hoofnagle, a lawyer for the Electronic Privacy Information Center in
Washington, says such temporary numbers ease those worries. Mr. Hoofnagle
says he has used them himself, to prevent online retailers from keeping his
card number in their files. "If the company stores your credit card number,
that database just becomes a honey pot" for hackers, he said.

 The temporary numbers, he said, also make him more comfortable buying from
newer or unfamiliar vendors.

 The free service has been available for more than a year, but few people
seem to know about it. "I think if you interview 100 consumers, you'll find
100 consumers who've never heard of it," said John Gould, director of
consumer lending and bank cards for the TowerGroup, a research company
based in Needham, Mass., that was acquired recently by MasterCard.

Industry analysts say consumers tend to rely on other protections -
including the card companies' promise not to charge them for fraudulent
transactions. Last month, in fact,  American Express stopped offering its
temporary-numbers program, called Private Payments, saying that other
safety features already offered plenty of fraud protection.

 Some consumers may think that their credit card accounts are safe because
retailers encrypt their card data at the time of purchase. Though the
numbers may then be safe in transit, retailers must still decode the
numbers to collect payment.

 Mr. Gould says it is impossible to ensure that all retailers take the next
step: encrypting the numbers again, according to rules set by the card
networks. "This is too big a territory to patrol; in the U.S. alone, you've
got over 400,000 merchants online," he said. "You've always got the issue
of the merchant who is careless. But the real problem is, you've got the
merchant who's a fraudster, whose intent is to steal your information."

ANALYSTS also suggest that the card issuers have done little to promote the
feature because customers pay nothing for it. But the companies say that
the numbers are still relatively new and need time to catch on, especially
because their use requires some effort.

 "And since it's not being offered by every issuer, you just don't have the
repetition or frequency to get people talking about it," said Steve Furman,
director of marketing e-commerce at Discover Card.

 Although many consumers say they worry about fraud risks, some may not
want to bother with temporary account numbers. "Consumers will tell you one
thing and do another," said James F. McCarthy, senior vice president for
emerging products at Visa. "There is only so much they will do to protect

Citibank refers to its temporary numbers as virtual account numbers;
information is available at cb/shp_van.htm.
Discover, meanwhile, calls them single-use numbers and offers them on its
Deskshop page ( /deskshop).

 MBNA customers can create the numbers through the company's online
ShopSafe program (

 The companies have tried to make the numbers easier to use. A cardholder
can now charge monthly phone bills and other recurring payments to the same
disposable number, rather than entering a new one each time. Similarly, a
cardholder can register a number with a favorite merchant for continued use
only with that merchant.

 "You'll never need to reveal your actual credit card number again," said
Amy Radin, executive vice president for the e-business unit of Citi Cards,
a division of Citigroup.

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list