
The identifier is hidden from the user so if it's huge and complex that is no problem. My point is that we're talking about putting a lot of effort into overhauling the system to support a scheme that is arguably already obsolete. If we're putting in the effort we should just remove the old insecure digits entirely and focus on a cleaner modern solution.


The problem with that is the purpose of a credit card system is convenience, especially the convenience involved in being able to represent the identifier in an easily compact manner. When it's a few groups of digits, I can print it onto a card or piece of paper, and just plug the digits in whenever I need to validate the number and run a transaction. You can't do that with a token. What happens when I want to use my friend's computer to pay for something on Amazon but I haven't saved my card number? Or when I get a new card? I get that the current credit card system is monolithic and outdated, but its purpose isn't to be modern, it's to be reliable, convenient, and adaptable, and it does a swell job at those things. There's absolutely no need to spend astronomical amounts of money to replace this system with something more modern.


Many of those use cases probably shouldn’t be supported. It would cut down on fraud if we disallowed card not present transactions on unknown devices.


That's an ideal. You have to be reasonable with the expectation that people are going to want to use their card in places where it isn't securely convenient to do so. Otherwise, you will end up creating a niche with no mass market appeal, and there's really no point in developing out infrastructure unless you're replacing the old one completely. Again, credit cards exist for convenience. If it's security you're aiming for, you're targeting the wrong market.


Chip cards are already secure because they use proper cryptography. But online payments are done without any cards whatsoever. For example, PayPal and WebMoney are payment methods of their own.


With EMV, skimmer fraud is dropping. With 2FA on big transactions other frauds can be decreased. Some providers have a mobile app to accept the transaction and/or send a message after a transaction.


Some new cards are moving to this model:

When possible some more complex key/token is passed, maybe via NFC, or some other mechanism.

When not possible, a 4x4 number is generated and challenge/response is required to confirm intent before approving the spend.


We could use NFC or some other protocol for submitting online payments via the physical card. This should help reduce fraud. Each token could be randomly generated based on some data stored in a chip on the card, time, etc.
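A sketch of the token model the two comments above describe (a chip-held secret, a time window, a 4x4-digit token that the issuer confirms before approving the spend), added here as an illustration and not code posted by anyone in the thread; the card secret, window length, merchant identifier and amounts are constructed, and the HMAC construction is an assumption about how such a token could be derived.

```python
import hmac
import hashlib
import struct

# Constructed per-card secret. In the model described above it would live in the
# card's chip and at the issuer; the merchant never sees it, only derived tokens.
CARD_SECRET = bytes.fromhex("3f1a9c7e5d2b4860fedcba9876543210a1b2c3d4e5f60718")
WINDOW_SECONDS = 60  # how long a derived token stays acceptable


def derive_token(secret: bytes, now: int, amount_cents: int, merchant_id: str,
                 window: int = WINDOW_SECONDS) -> str:
    """Card side: bind a one-time 16-digit token to a time window, amount and merchant."""
    counter = int(now) // window
    msg = struct.pack(">QQ", counter, amount_cents) + merchant_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate to 16 decimal digits so it can be typed or printed like a card number.
    return f"{int.from_bytes(digest[:8], 'big') % 10**16:016d}"


def format_4x4(token: str) -> str:
    """Render the 16 digits as four groups of four for display."""
    return " ".join(token[i:i + 4] for i in range(0, 16, 4))


class IssuerVerifier:
    """Issuer side: recompute the token, allow small clock skew, reject replays."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS, skew_windows: int = 1):
        self.secret = secret
        self.window = window
        self.skew_windows = skew_windows
        self.seen: set[tuple[str, str, int]] = set()

    def verify(self, token: str, now: int, amount_cents: int, merchant_id: str) -> bool:
        token = token.replace(" ", "")
        for delta in range(-self.skew_windows, self.skew_windows + 1):
            expected = derive_token(self.secret, now + delta * self.window,
                                    amount_cents, merchant_id, self.window)
            if hmac.compare_digest(expected, token):
                key = (token, merchant_id, amount_cents)
                if key in self.seen:
                    return False  # same token presented twice: replay
                self.seen.add(key)
                return True
        return False  # wrong amount, wrong merchant, expired window, or tampered token
```

Because the amount and merchant are mixed into the derivation, a token captured from one checkout cannot be spent elsewhere or for a different sum, which is the property that makes the 4x4 fallback safer than a static card number.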


>What happens when I want to use my friend's computer to pay for something on Amazon but I haven't saved my card number?

You pay by logging into your bank account.



