% fortune -ae paul murphy

Credit transactions without identification

Some years ago I tried to sell some senior NCR people on an upgrade to the standard credit card point of sale terminal - whether as part of a cash register, in an ABM, or in a simple swipe card reader/printer. What these things do is simple: they read the mag stripe on the card, collect value information from the seller, query the authorization host accordingly, and print either an approval slip with the amounts on it or a rejection notice.

One of the big sources of fraud within this process comes from the fact that it's possible to make purchases with forged or stolen credit cards because the authorization system has no way of knowing whether the Jane Doe presenting the card is the Jane Doe it was issued to. In response the card issuers have made the cards harder to forge, but this is more a means of keeping theft down to a dull roar than it is a means of preventing theft from taking place.

My idea was simple: get a picture of the card holder at the time of issue, and download that picture to the terminal at the time the purchase is authorized: that way, the clerk can see the photo, the customer usually can't, and mismatches can be instantly spotted.

So people who routinely let others use their card could simply file additional photos, ABMs could be equipped with image matching software and pass the decision to a remote human if necessary, cashiers could be given hidden buttons to summon help, and so on. Basically I thought it was a trivially good idea that would be easy to implement - advances in compression having by then made it possible to download a reasonably good image in a few K bytes.

I never did learn why NCR turned it down; it was my view then (and still is) that doing this would give them an enormous competitive advantage among issuers willing to change their processes to use the new technologies - and that all issuers would quickly be forced to follow the leader down this path.

Part of the problem has always been that the industry knows its customers don't want to be asked for additional identification when presenting the card for payment and therefore deprecates, if it doesn't outright disallow, any attempt to do so.

But abuses are mounting, and something needs to be done. So what to do?

I've often wondered if NCR's problem didn't derive from the opposition the mainframers at VISA partner organizations would have had to the idea - because they would have had neither the processing power to make it happen nor the sense to switch away from the environment constraining them. If so, that problem would still exist today - meaning that the idea is no worse now than it was then, but the likelihood of acceptance is still pretty much zero.

So how about getting a company like Paypal to bypass all of them by offering a new payment process that makes customers happy while making forgery and misuse almost impossible? A chipset, embedded in a card or phone, with no external identification at all. Wave it near a reader and the reader grabs the device identifier and sends it to the host, which answers with a fresh random number of 16 or so digits. The reader passes that number to the device, the device answers with it under its own key, and the reader relays the answer back to the host. If the host's check of that answer succeeds: the device is real, the number becomes the buyer id for the transaction, and further authorization processing proceeds normally.

The exchange between the chipset and the host needs only a pretty simple public key authentication mechanism: the chip signs the host's random number with a private key loaded at issue, and the host verifies the signature against the public key it holds for that device identifier. Because the number is fresh for every transaction, a recorded answer is useless later, and a cloned identifier without the key answers nothing the host will accept. And, of course, the device has to be small enough to fit in a card - or a phone - but there's nothing hard about any of that.

The company would also have to make readers: regular ones for a network-connected environment, and others that broadcast and process a local signal - those would cost more and be less secure, but still better than current alternatives.

Put a basic biometric identifier - like a fingerprint plate that only works for the authorized user - on the card, or in that phone, and you have a method for proving legitimacy without providing identification. The authorization protocol proves the device is as issued, the biometric identifier proves the person holding it is the person it was issued to - but the merchant doesn't get any identification information: just a completed transaction and a random numerical identifier.

This has other applications too. For example, does the bartender want to see your ID because he thinks you're under age? Or because he thinks you might be vulnerable and wants your name and home address? With this, you point your card or phone at his reader and his legitimate questions get answered: you are both old enough to drink and able to pay for your own. Great, but he doesn't find out that your name is Cynthia, that you're 23, or where you live.
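The protocol sketched above and the bartender case, as an added example that is not part of the column and not code from NCR, Paypal or the author. It models all three parties: the chip, the merchant's reader (which only relays), and the issuer's host. Assumptions: an HMAC over a per-device secret stands in for the public-key signature the column calls for (the host would hold a public key instead of the secret in the real thing); the fingerprint plate is a boolean on the device; a balance check stands in for "further authorization processing"; the device ids, holder record and age threshold are constructed. It also shows the two failures a practitioner would want checked: a replayed answer and a cloned identifier without the key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

BUYER_ID_DIGITS = 16  # the column's "16 or so digit random number"


def _mac(key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    # Keyed answer to the host's challenge. Constructed stand-in for the
    # public-key signature in the column: here the host holds the same
    # per-device secret; in the real scheme it would hold only a public key.
    return hmac.new(key, b"auth|" + device_id + b"|" + nonce, hashlib.sha256).digest()


@dataclass
class Device:
    """Chip in a card or phone: a device id, a secret, and a fingerprint plate."""
    device_id: bytes
    key: bytes
    holder_present: bool = True  # constructed stand-in for the fingerprint plate

    def respond(self, nonce: bytes) -> Optional[bytes]:
        if not self.holder_present:
            return None  # wrong finger: the chip does not answer the challenge
        return _mac(self.key, self.device_id, nonce)


@dataclass
class Host:
    """Issuer's authorization host. Knows who the holder is; never says so."""
    keys: dict = field(default_factory=dict)     # device_id -> per-device secret
    holders: dict = field(default_factory=dict)  # device_id -> constructed holder record
    pending: dict = field(default_factory=dict)  # device_id -> outstanding nonce

    def enroll(self, dev: Device, name: str, age: int, balance: int) -> None:
        self.keys[dev.device_id] = dev.key
        self.holders[dev.device_id] = {"name": name, "age": age, "balance": balance}

    def challenge(self, device_id: bytes) -> Optional[bytes]:
        if device_id not in self.keys:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce  # one outstanding challenge per device
        return nonce

    def _verify(self, device_id: bytes, response: Optional[bytes]) -> bool:
        nonce = self.pending.pop(device_id, None)  # single use: a replay finds no nonce
        if nonce is None or response is None:
            return False
        return hmac.compare_digest(_mac(self.keys[device_id], device_id, nonce), response)

    def authorize(self, device_id: bytes, response: Optional[bytes], amount: int) -> dict:
        """Payment: the merchant gets an approval and a random buyer id, nothing else."""
        if not self._verify(device_id, response):
            return {"approved": False}
        holder = self.holders[device_id]
        if holder["balance"] < amount:  # assumed stand-in for further authorization processing
            return {"approved": False}
        holder["balance"] -= amount
        buyer_id = "".join(secrets.choice("0123456789") for _ in range(BUYER_ID_DIGITS))
        return {"approved": True, "buyer_id": buyer_id, "amount": amount}

    def attributes(self, device_id: bytes, response: Optional[bytes],
                   min_age: int, amount: int) -> dict:
        """Bartender case: yes/no answers only; no name, age or address leaves the host."""
        if not self._verify(device_id, response):
            return {"authentic": False}
        holder = self.holders[device_id]
        return {"authentic": True,
                "old_enough": holder["age"] >= min_age,
                "can_pay": holder["balance"] >= amount}


def checkout(dev: Device, host: Host, amount: int) -> dict:
    """The reader's whole job: relay device id, nonce and answer; learn only the result."""
    nonce = host.challenge(dev.device_id)
    if nonce is None:
        return {"approved": False}
    return host.authorize(dev.device_id, dev.respond(nonce), amount)


def age_check(dev: Device, host: Host, min_age: int, amount: int) -> dict:
    """Same relay, but the host answers predicates instead of approving a payment."""
    nonce = host.challenge(dev.device_id)
    if nonce is None:
        return {"authentic": False}
    return host.attributes(dev.device_id, dev.respond(nonce), min_age, amount)


if __name__ == "__main__":
    host = Host()
    card = Device(b"dev-0001", secrets.token_bytes(32))       # constructed enrolment
    host.enroll(card, name="Cynthia", age=23, balance=100)
    print(checkout(card, host, 40))                            # approved, 16-digit buyer id
    print(age_check(card, host, min_age=21, amount=8))         # old_enough/can_pay, no name
    print(checkout(Device(b"dev-0001", b"\0" * 32), host, 1))  # cloned id, wrong key: refused
```

The point the model makes concrete is where the boundary sits: the reader relays three opaque values and receives a result it cannot forge, and the host, which alone knows the holder's name and age, answers only with a random buyer id or with yes/no predicates. Note that the static device identifier still crosses the counter in the clear on every visit, so a merchant could recognise a returning device even without knowing whose it is; the column does not address that, and a deployment would have to decide whether it matters.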


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.