Chris Dzombak

Avoiding shared credit card numbers across services

Update: the options available have changed significantly since this post, due to fraud, EMV, and other factors. The post remains here for historical documentation only.

News broke last weekend of a high-profile hack which destroyed Mat Honan's digital life. The attacker used some clever maneuvering with Amazon and Apple's customer support policies (which have supposedly changed).

A key vulnerability the attacker exploited with both Amazon and Apple was the use of credit card data to "prove" identity over the phone. Using CC numbers – especially just the last four digits – to prove identity is a bad idea. Credit card numbers are hardly private; every waiter in Ann Arbor could easily obtain mine, and anyone who finds a receipt in my trash can obtain the last 4 digits. This is a policy which both Apple and Amazon needed to fix, and they (apparently) have, at least temporarily.

But such a vulnerability still likely exists with other high-value targets, especially for an attacker with social engineering expertise. For this set of targets, I consider using the same CC number just as bad a security issue as using a shared password. It is therefore prudent for users to attempt to defend themselves against these attacks, though I concede that the real responsibility to fix this class of CC-as-identity vulnerabilities lies with service providers.

Tools like 1Password, LastPass, and Keepass let users generate and store a unique password for each site. After @mat was hacked, I was inspired to figure out how one might use unique CC numbers for high-value targets such as Apple, Google, and Amazon accounts. Using unique CC numbers for Amazon and Apple would've prevented @mat's attacker from gaining access to his iCloud account.
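The analogy above is exactly what a password manager's "reused password" audit does, so here is the same check applied to card numbers. This is an added example, not code from the original post or from any of the tools it names: it assumes a personal record of which card is stored at which service (constructed sample data; the PANs are Visa's publicly documented test numbers plus one deliberate typo, none a real account), normalises how people type card numbers, rejects mistyped entries with a Luhn check, and groups services by a keyed fingerprint of the card so the report never contains a card number. The HMAC key is a placeholder.

```python
"""Audit which card is on file at which service, the way a password manager flags
reused passwords. Added example; not code from the post."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data (hypothetical): the services listed and the card stored at each.
# The numbers are Visa's publicly documented test PANs plus one with a deliberate typo;
# none is a real account.
CARDS_ON_FILE = {
    "amazon":  "4111111111111111",
    "apple":   "4111 1111 1111 1111",   # same card, entered with spaces
    "dropbox": "4111-1111-1111-1111",   # same card, entered with dashes
    "google":  "4012888888881881",      # a distinct card
    "icloud":  "4111111111111112",      # one digit wrong: fails the Luhn check
}

# Placeholder key for this example only; a real audit tool would generate a random
# key and keep it with the vault so fingerprints cannot be recomputed by a third party.
AUDIT_KEY = b"constructed-demo-key-replace-me"


def normalize_pan(raw: str) -> str:
    """Drop the spaces and dashes people type into card fields."""
    return "".join(ch for ch in raw if ch not in " -")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check; catches transcription typos, not fraud."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(pan: str, key: bytes) -> str:
    """Keyed digest of the PAN so the report can group cards without containing them."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def audit_card_reuse(cards_on_file: dict, key: bytes):
    """Return (shared, invalid).

    shared  maps a card fingerprint to the sorted list of services that share that
            card (groups of two or more only): the analogue of a reused password.
    invalid lists services whose stored number fails Luhn, i.e. was mistyped.
    """
    by_card = defaultdict(list)
    invalid = []
    for service, raw in cards_on_file.items():
        pan = normalize_pan(raw)
        if not luhn_valid(pan):
            invalid.append(service)
            continue
        by_card[fingerprint(pan, key)].append(service)
    shared = {fp: sorted(svcs) for fp, svcs in by_card.items() if len(svcs) > 1}
    return shared, sorted(invalid)


def format_report(shared: dict, invalid: list) -> str:
    """Human-readable summary showing fingerprints and service names, never PANs."""
    lines = []
    for fp, services in sorted(shared.items()):
        lines.append(f"card {fp} is shared by: {', '.join(services)}")
    for service in invalid:
        lines.append(f"{service}: stored number fails the Luhn check (typo?)")
    if not lines:
        lines.append("no shared or malformed card numbers found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*audit_card_reuse(CARDS_ON_FILE, AUDIT_KEY)))
```

Run as a script it reports that amazon, apple and dropbox all hold the same card and that the icloud entry is mistyped. Grouping by an HMAC rather than by the last four digits matters: ten thousand possible last-four values collide easily across a wallet of cards, and the last four are precisely what receipts and support desks expose, which is the post's point.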

As a side note, you should enable Google's two-factor auth, which would defeat another vector used in this attack.

A solution:

Some research, including a call for help on Twitter, provided several suggestions, which I describe in the remainder of this post. With luck, you may find one useful.

Get another credit card

I didn't personally want to go this route for a few reasons:

This would, however, be a decent (and easy) solution for someone who's comfortable managing several credit cards and isn't as paranoid as I.

(I have exactly one credit card, which I rarely use; I use my debit card and Mint for everything, and I'm considering moving to Simple full time in the near future.)

Amazon store card

Amazon offers several different branded credit cards, all of which have the same disadvantages for me as getting any other credit card.

Discover Secure Online Account Numbers

My one credit card is a Discover card, and Discover offers a service called Secure Online Account Numbers (link requires Discover login). This service:

Per Discover:

Secure Online Account Numbers is a free service that offers you added security by protecting your account number while shopping online, and the convenience of automatically filling online checkout forms. By using a secure number in place of your actual Discover Card account number, your actual account number is not revealed on the Internet or stored in an online retailer's files. If they don't have your number, it can't be lost or stolen.

You can log into Discover and use a (horrible) Flash widget to generate up to 50 unique credit card numbers linked to your real credit card. These numbers don't expire until your real card does, and they don't impose an additional credit limit. You can find this widget after logging in by clicking Account Profile, then scrolling down to "Secure Online Account Numbers". (preview)

That sounds exactly like the solution I'm looking for! I'd prefer if my bank offered a similar solution for debit cards, but I couldn't find one. This is the solution I'm currently using.

Simple

Simple says they've had a lot of requests for a similar feature, and that they're interested, but it sounds like it'll be a while before they implement this feature for their checking accounts.

Capital One

@zigziggityzoo reports that Capital One will also provide "virtual" card numbers, similar to Discover's Secure Online Account Numbers.

Reloadable prepaid cards

Visa, Mastercard, et al offer prepaid debit cards, which each have their own number and could therefore be used to mitigate this attack. Unfortunately, this solution violates several of my goals:

Amazon/Apple gift cards

Amazon or Apple gift cards have all the disadvantages of reloadable prepaid cards, with additional lock-in on your money.

Bank routing/account numbers

Amazon allows you to keep your banking information on file, but… no.

I'm fairly sure this was suggested in jest.

Hilarious Twitter account

See: @NeedADebitCard. (via @andrewa2)