Amazon.com is offering PayPhrase, which allows you to pay for purchases at several different websites using your existing Amazon profile. First you set up a phrase and a four-digit PIN on your Amazon profile. You can then use this combination to pay for stuff on partner websites including buy.com, DKNY and Jockey without having …
This seems like a very strange idea. By far, the biggest concern for most web shoppers is the rising threat of credit card fraud, not the effort expended in typing a credit card number.
This whole model seems mathematically weak. Amazon actually suggests in its blurb that it might be convenient to use your first name as the first word in the phrase.
I'm not an expert on linguistics, but I think there are 10000 words in common usage and 50% of the English language is made up of the first 600 words.
It does not take a genius to figure out that, very quickly, every combination of words that you or I would think of will already be a valid passphrase, particularly as they do not allow numbers or special characters in the passphrase.
Therefore the passphrase appears to have virtually no security value at all.
So what would protect my credit card? No login, no presentation of CV number, no match of address supplied against the address registered with the card, my name does not even need to be presented - just a four-digit PIN.
If I have this right, then soon after launch a thief will be able to pick any two words and then guess a PIN. One time in ten thousand it's going to be correct? How long would it take even the least experienced developer to write a loop that carries out 10000 guesses?
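To put numbers on the argument above, here is an added example (not part of the original post, and not Amazon's code) that estimates how full the phrase space gets and what a per-phrase lockout actually limits. It assumes two-word phrases, words chosen independently and evenly among the 600 common words, and a uniformly chosen PIN; all function names are hypothetical.

```python
import math

# Figures taken from the post: the 600 most common words carry 50% of
# usage, and the second factor is a four-digit PIN.
COMMON_WORDS = 600
COMMON_MASS = 0.5
PIN_SPACE = 10_000


def phrase_taken_probability(users: int) -> float:
    """Chance that one specific pair of common words is already registered.

    Assumption: each user picks two words independently, and usage is spread
    evenly across the 600 common words.
    """
    p_pair = (COMMON_MASS / COMMON_WORDS) ** 2
    return -math.expm1(users * math.log1p(-p_pair))


def pin_guess_probability(attempts_before_lockout: int) -> float:
    """Chance of hitting a uniformly chosen PIN within the lockout budget."""
    return min(attempts_before_lockout, PIN_SPACE) / PIN_SPACE


def expected_exposed_accounts(users: int, attempts_before_lockout: int) -> float:
    """Expected accounts exposed if every common word pair is probed once.

    A per-phrase lockout caps the PIN term only; the number of phrases is not
    capped, which is why a global or per-client limit is also needed.
    """
    common_pairs = COMMON_WORDS ** 2
    return (common_pairs * phrase_taken_probability(users)
            * pin_guess_probability(attempts_before_lockout))


def max_attempts_for_risk(target_probability: float) -> int:
    """Largest lockout threshold keeping per-account PIN risk at or below target."""
    return math.floor(target_probability * PIN_SPACE + 1e-9)


if __name__ == "__main__":
    for users in (100_000, 1_000_000, 10_000_000):
        print(users, round(phrase_taken_probability(users), 3),
              round(expected_exposed_accounts(users, 3), 1))
```

Under these assumptions, a million users already make any given common word pair about as likely as not to be a live phrase, so the PIN and whatever attempt limits sit in front of it carry essentially all of the protection.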
If I were to get drunk and leave my credit card in a bar, I would cancel it because I'm not an idiot. This appears to be like leaving your credit card in every crook-filled bar in every seedy place in the world. However, the analogy is not quite right. If I were to physically lose my credit card, a thief would at least have to pick it up, which requires more effort.
Please, someone put me straight. I would prefer to look like an idiot and be reassured than continue to believe that a company I have previously trusted so much could come up with such an idea.