Update: the options available have changed significantly since this post, due to fraud, EMV, and other factors. The post remains here for historical documentation only.
News broke last weekend of a high-profile hack which destroyed Mat Honan's digital life. The attacker used some clever maneuvering with Amazon and Apple's customer support policies (which have supposedly changed).
A key vulnerability the attacker exploited with both Amazon and Apple was the use of credit card data to "prove" identity over the phone. Using CC numbers – especially just the last four digits – to prove identity is a bad idea. Credit card numbers are hardly private; every waiter in Ann Arbor could easily obtain mine, and anyone who finds a receipt in my trash can obtain the last 4 digits. This is a policy which both Apple and Amazon needed to fix, and they (apparently) have, at least temporarily.
But such a vulnerability still likely exists with other high-value targets, especially for an attacker with social engineering expertise. For this set of targets, I consider using the same CC number just as bad a security issue as using a shared password. It is therefore prudent for users to attempt to defend themselves against these attacks, though I concede that the real responsibility to fix this class of CC-as-identity vulnerabilities lies with service providers.
Tools like 1Password, LastPass, and Keepass let users generate and store a unique password for each site. After @mat was hacked, I was inspired to figure out how one might use unique CC numbers for high-value targets such as Apple, Google, and Amazon accounts. Using unique CC numbers for Amazon and Apple would've prevented @mat's attacker from gaining access to his iCloud account.
As a side note, you should enable Google's two factor auth, which would defeat another vector used in this attack.
My goals for a solution:
- Must provide a unique credit/debit card number for each site.
- Must provide reusable numbers; numbers will be on file with Amazon/Apple and should therefore not be one-time-use or severely credit-limited.
- Would preferably not involve opening several different credit cards, due to bookkeeping/management complexity and credit rating concerns.
- Would preferably link to my checking account, not my credit card (I prefer not to use a credit card for much of anything; YMMV).
Some research, including a call for help on Twitter, provided several suggestions, which I describe in the remainder of this post. With luck, you may find one useful.
Get another credit card
I didn't personally want to go this route for a few reasons:
- Increased management and bookkeeping complexity
- Just another attack surface for fraudsters, etc.
- Concern over a hit on my credit score
This would, however, be a decent (and easy) solution for someone who's comfortable managing several credit cards and isn't as paranoid as I.
Amazon store card
Amazon offers several different branded credit cards, all of which have the same disadvantages for me as getting any other credit card.
Discover Secure Online Account Numbers
My one credit card is a Discover card, and Discover offers a service called Secure Online Account Numbers (link requires Discover login). This service:
Secure Online Account Numbers is a free service that offers you added security by protecting your account number while shopping online, and the convenience of automatically filling online checkout forms. By using a secure number in place of your actual Discover Card account number, your actual account number is not revealed on the Internet or stored in an online retailer's files. If they don't have your number, it can't be lost or stolen.
You can log into Discover and use a (horrible) Flash widget to generate up to 50 unique credit card numbers linked to your real credit card. These numbers don't expire until your real card does, and they don't impose an additional credit limit. You can find this widget after logging in by clicking Account Profile, then scrolling down to "Secure Online Account Numbers".
That sounds exactly like the solution I'm looking for! I'd prefer if my bank offered a similar solution for debit cards, but I couldn't find one. This is the solution I'm currently using.
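To make the security property concrete, here is an added example (my own constructed model, not Discover's code or API) of a per-merchant virtual number vault with the 50-number cap described above, beside the last-four-digits "identity" check criticised earlier; the merchant names, the sample card number and the issuer prefix are all constructed.

```python
import secrets
from typing import Dict

def luhn_check_digit(payload: str) -> str:
    """Return the check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # digits at even offsets from the check digit are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

class VirtualNumberVault:
    """Constructed per-merchant virtual number vault with the post's 50-number cap."""
    MAX_NUMBERS = 50
    PREFIX = "600000"  # constructed issuer prefix, not a real BIN

    def __init__(self, real_number: str) -> None:
        self.real_number = real_number
        self.by_merchant: Dict[str, str] = {}  # merchant -> number on file there

    def issue(self, merchant: str) -> str:
        """Reuse the merchant's existing number, else mint a new Luhn-valid one."""
        if merchant in self.by_merchant:
            return self.by_merchant[merchant]
        if len(self.by_merchant) >= self.MAX_NUMBERS:
            raise RuntimeError("virtual number limit reached")
        taken = {n[-4:] for n in self.by_merchant.values()} | {self.real_number[-4:]}
        while True:  # distinct last-4 so a leak at one merchant proves nothing elsewhere
            payload = self.PREFIX + "".join(str(secrets.randbelow(10)) for _ in range(9))
            number = payload + luhn_check_digit(payload)
            if number[-4:] not in taken:
                self.by_merchant[merchant] = number
                return number

def last4_identity_check(number_on_file: str, claimed_last4: str) -> bool:
    """The weak support-desk check the post criticises: compare only the last four."""
    return number_on_file[-4:] == claimed_last4

def attacker_passes_check(per_merchant: bool) -> bool:
    """Attacker learns the number on file at one merchant and tries the last-4
    check at another. True means the check passed, i.e. the defence failed."""
    real = "4111111111111111"  # constructed sample number
    if per_merchant:
        vault = VirtualNumberVault(real)
        amazon_number, apple_number = vault.issue("amazon"), vault.issue("apple")
    else:
        amazon_number = apple_number = real
    return last4_identity_check(apple_number, amazon_number[-4:])
```

With one shared number the leaked last four digits pass the check at the second merchant; with per-merchant numbers they do not, which is the whole point of the approach.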
Simple says they've had a lot of requests for a similar feature, and that they're interested, but it sounds like it'll be a while before they implement this feature for their checking accounts.
Reloadable prepaid cards
Visa, Mastercard, et al. offer prepaid debit cards, each of which has its own number and could therefore be used to mitigate this attack. Unfortunately, this solution violates several of my goals:
- It introduces increased management and bookkeeping complexity: I have to keep track of these cards, worry about adding money to them regularly, etc.
- It introduces another surface for future attacks.
Amazon/Apple gift cards
Amazon or Apple gift cards have all the disadvantages of reloadable prepaid cards, with additional lock-in on your money.
Bank routing/account numbers
Amazon allows you to keep your banking information on file, but… no.
I'm fairly sure this was suggested in jest.