Keen

Credit cards and digital signature


I'm not sure whether to put this in the computer science section or applied mathematics, but I've always considered cryptography to be applied mathematics, so I will post it here.


I unfortunately don't know all the details behind how online transactions work, but as far as I know, you send the merchant your credit card number and cryptogram and he uses that information to validate the transaction.

This seems to me a bit insecure, because you have to trust the merchant: you are giving him all the information necessary to pay anywhere, and if someone steals it from him, for example, they could reuse it somewhere else. (Yes, I am aware that the communication is encrypted, so stealing that number isn't that easy.)


An alternative that sounds much more secure to me is to use the credit card number as a private key in some digital signature algorithm, like DSA for example. That way, the merchant sends you all the necessary information for the transaction, for instance some identification, the price to pay, the date, etc. You digitally sign it with your credit card and then send it back to the merchant. That information can then be validated by the payment server and cannot be reused by anyone else, since it is a digital signature of only one specific transaction. If needed, this could most likely be adapted for monthly payments as well: you would simply send a monthly payment order signed with your digital signature to a company like Netflix instead of your credit card number.


Maybe I'm not getting something, but that seems much more secure to me than sending a simple, unchanging piece of information over the internet.

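The scheme proposed above, as an added illustration that is not part of the original post: the card holder signs the merchant's transaction details (merchant id, amount, and a nonce chosen by the payment server; these field names are assumptions for the example), and the payment server verifies the signature and rejects both altered details and a second submission of the same signed transaction. It uses an Ed25519 key pair generated for the example rather than a raw card number, since a card number has far too little entropy to serve as a private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is what the merchant sends to the card holder for signing.
// The field names are assumptions for this example, not a real payment format.
type Transaction struct {
	MerchantID  string `json:"merchant_id"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"` // unique per transaction, issued by the payment server
}

// encode produces the canonical bytes that are signed and later verified.
func encode(t Transaction) []byte {
	b, _ := json.Marshal(t) // a struct of strings and ints never fails to marshal
	return b
}

// SignTransaction runs on the card holder's side with the card's private key.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, encode(t))
}

// Verifier plays the payment server: it holds the card's public key and
// remembers nonces it has already accepted so a signed transaction cannot be replayed.
type Verifier struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: map[string]bool{}}
}

// Accept returns true only if the signature matches these exact details and the nonce is new.
func (v *Verifier) Accept(t Transaction, sig []byte) bool {
	if !ed25519.Verify(v.pub, encode(t), sig) {
		return false // details were altered, or signed by a different key
	}
	if v.seen[t.Nonce] {
		return false // replay of an already processed transaction
	}
	v.seen[t.Nonce] = true
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tx := Transaction{MerchantID: "shop-42", AmountCents: 1999, Nonce: "n-1"} // constructed sample
	sig := SignTransaction(priv, tx)
	v := NewVerifier(pub)
	fmt.Println(v.Accept(tx, sig), v.Accept(tx, sig)) // first accepted, replay rejected
}
```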

How about an email/SMS based system whereby you register your phone number with your bank? Then, when a transaction is requested, you get a message with details of what you are paying for, and you can click/text to allow the transaction.


There are all sorts of more secure mechanisms that could be used. But currently, it seems the banks and credit card companies find it cheaper to write off the losses than to invest in better systems.

Edited by Strange


I suppose so, yeah. As long as the client does not see much difference, or the security measures become too technical, credit card companies will probably not want to invest in them.

Being an amateur enthusiast in cryptography, I just find it disappointing to see a system in use where you send the same secret data to verify your identity, while there are, in my opinion, much more secure ways.

There are some banks which send a one-time password by SMS, which is already quite a good security measure, but I'd still like to see a system with something like zero-knowledge proofs or digital signatures implemented, simply because I don't much like the idea of giving my card number to strangers.


My bank provides a little device where you type in a PIN and it generates a one-time code. It generates different codes for logging in, authorising transfers, etc. This seems pretty secure.

Edited by Strange
