Anti-Fraud Scheme: Disposable Credit Card Numbers
By Lamont Wood
Each time you give your credit card details to a phone agent or Web site, it can feel like you die a little — after all, you've just given away the keys to your personal kingdom.
Security experts nowadays are trying to help address this fear by developing disposable credit card numbers (DCCNs).
Under one new proposal, the disposable digits would be good only for a single transaction. As detailed in a recent edition of the International Journal of Electronic Security and Digital Forensics, researchers at Anglia Ruskin University in the U.K. suggest a scheme whereby consumers submit a DCCN instead of their regular card number when making online purchases.
Researchers Mohammed Assora, James Kadirire and Ayoub Shirvani suggest that the customer would get the secret code number from the credit card company. Using a simple calculation, the code would be a combination of a number from the e-commerce site (probably the sale price) and the credit card number to create a "hash" of the credit card details.
This hash — which would resemble a long random number — would be stored by the merchant instead of the usual credit card details. Neither the merchant nor any malicious eavesdropper or hacker would be able to read it, but the credit card company could read it, since it knows the customer's code number.
Not popular yet
Disposable credit cards actually are available today — the technology has been around for seven or eight years, said Mike Rothman, head of Security Incite in Atlanta.
"But it complicates the user experience and the result has been less-then-stellar adoption rates," Rothman told LiveScience. "Given that consumers are protected from fraud on their accounts (after the first $50), there isn't a big incentive to use these services," Rothman said.
DCCN examples he cited included CitiBank's Virtual Account Number Option, Bank of America's ShopSafe program and Discover's Secure Online Account Numbers. The numbers are generated online by the credit card company after consumers enter their credit card numbers.
The U.K. researchers say their new approach is superior, because the DCCN can be created offline, so the original credit card number never needs to be transmitted.
FTC fraud log
Protection against fraud on your account does not mean you are completely protected — the merchant could turn out to be fraudulent, or someone could steal your identity and set up new accounts in your name.
About two-thirds of consumer complaints to the Federal Trade Commission involve old-fashion consumer rip-offs.
The latest FTC report shows it logged about 800,000 consumer complaints during 2007, of which 32 percent involved identity theft and 68 percent covered other types of fraud. The median loss on a fraud complaint was $349, and the biggest offenders were shop-at-home channels or Web sites.
Of the identity theft cases, only 23 percent involved a credit card account, and cases of unauthorized new accounts outnumbered misuse of existing accounts by two to one. Other categories involved using someone else's name for a utilities account (18 percent), for employment (14 percent), for government benefits fraud (11 percent), loan fraud (5 percent) and other forms of bank fraud (13 percent).
Also, a study last year by researchers at Utica College found that identities were more likely to be stolen through old-fashion methods, such as purloined mail or wallets, than via the Internet.