Hope they catch the perp
20 years in prison should be reasonable punishment.
The publisher of the Runes of Magic videogame is defying a hacker who has threatened to release personal details and payment information on users. The threats were made in posts to the Runes of Magic forum, promising dire consequences unless staff at games publisher Frogster were treated more fairly and the security of the site …
20 years in prison should be reasonable punishment.
One year for every point of your IQ.
To generate payment details that are locked to a specific vendor. The details would identify you to the bank but also identify an authorised recipient and if that doesn't match the actual recipient... access denied.
Then when your payment details get leaked, it would be no big deal.
That is a fantastic idea. Can't think of any way to implement it, though. The major problem would be keeping someone from simply modifying whatever details they've stolen for one vendor to match whatever "vendor" they are, I think.
Someone who knows a few things about cryptography might be able to come up with a way.
Does this meet your criteria?
"Typically, a controlled payment number has a limit, and an expiration date between two and twelve months from the issue date, both chosen by the account owner, and while it can usually be set up to allow multiple transactions, it can only be used with a single merchant. This 'alias' number is indistinguishable from an ordinary credit card number, and the user's actual credit card number is never revealed to the merchant."
I don't have to worry about my billing data being breached, because the most they will get is a card number that only works with the merchant/vendor in question. It also helps to keep merchants on a tight leash, because they cannot sneakily charge more than the limit that I allow.
As a bonus, CPNs act as an indirection layer. I got a new CC account number last year due to a massive data breach at some undisclosed card processor. However, all my recurring billing had been set up via ShopSafe controlled payment numbers. These continued to work, and BoA just updated them to point to my new account number. No fuss.
I understand that having one's name and billing address exposed is very irksome. However, I use indirection for those as well: a PO Box billing address and a Google Voice phone number. With GV, I can route specific callers to spam and/or create a whitelist-only system for callers, sending all others directly to voicemail.
Like a direct debit, a standing order, or maybe even that special extra-secure one-time payment system - the personal cheque?
".....that special extra-secure one-time payment system - the personal cheque?"
Yeah, 'cos those are impossible to forge/alter, even when given a specimen signature off the original......
Would you care to take a stab at why these are being phased out and why they went the way of the Dodo eons ago in countries with a more-than-halfway serious organised crime problem?
If that's your idea of "extra-secure" I strongly suggest that you get someone else to look after your money for you. Ideally someone who knows slightly more than fuck-all about security.
Already Exists! As a developer for an insurance company I can outline how our system works:
We take card details once, for the first transaction only. These are memory resident only for the duration of the first transaction (usually whilst the customer is on the phone), and are not written to disk ever (they are not written to any database tables either, only the first four and last four digits). Once the transaction has completed, the card details are discarded. If the transaction is successful, it returns a transaction ID and a security ID to us, which we log. So if and when we need to repeat a payment, make an adjustment, or refund, we do not need the card again; we submit the transaction ID, the security ID and the amount only. That money is then debited from the card again and credited to us by the payment gateway (not us); the payments are made to the same accounts as the first transaction. If the transaction IDs and security keys are stolen from us, they are of no use to anyone, as all they will allow is a repeat payment into OUR account only. There is no way for repeat payments to be made into a different account without the card number - which we do not have!
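The token scheme described in the comment above, as an added sketch that is not part of the original post or the poster's system: a toy gateway keeps the card and the payee account, the merchant keeps only the two IDs, and a repeat charge has no way to name a different payee. The class and function names, the account label, and deriving the security ID as an HMAC are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Gateway:
    """Toy gateway; names and the HMAC-based security ID are assumptions."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret held only by the gateway
        self._vault = {}   # transaction ID -> (card number, merchant account)
        self.ledger = []   # (credited account, amount)

    def _security_id(self, txn_id, account):
        msg = f"{txn_id}|{account}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def first_charge(self, account, card_number, amount):
        txn_id = secrets.token_hex(8)
        self._vault[txn_id] = (card_number, account)
        self.ledger.append((account, amount))
        return txn_id, self._security_id(txn_id, account)

    def repeat_charge(self, txn_id, security_id, amount):
        # No payee argument: the credited account comes from the vault.
        if txn_id not in self._vault:
            raise PermissionError("unknown transaction ID")
        _card, account = self._vault[txn_id]
        if not hmac.compare_digest(security_id, self._security_id(txn_id, account)):
            raise PermissionError("security ID mismatch")
        self.ledger.append((account, amount))
        return account


def merchant_record(card_number, txn_id, security_id):
    """What the merchant keeps: first/last four digits plus the two IDs."""
    return {"first4": card_number[:4], "last4": card_number[-4:],
            "txn_id": txn_id, "security_id": security_id}


def demo():
    gw = Gateway()
    card = "4111111111111111"  # constructed test number
    stored = merchant_record(card, *gw.first_charge("INSURER-ACCT", card, 100))
    payee = gw.repeat_charge(stored["txn_id"], stored["security_id"], 25)
    try:  # a guessed or altered security ID is rejected
        gw.repeat_charge(stored["txn_id"], "0" * 64, 25)
        rejected = False
    except PermissionError:
        rejected = True
    return gw, stored, payee, rejected
```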
So Frogster bravely beefing up their security has nothing to do with being blackmailed into improving their security? Maybe they only did it to make it harder to blackmail them into dealing with staff conditions or responding to their pissed off customers.
There are no good guys in this story and as usual The Register is very late to the story and too lazy to dig deeper.
Egg (the banking people) allow you to create virtual 'one time' credit cards through their online banking. Basically you log in to online banking and generate a virtual VISA or Mastercard which holds only the amount you need to pay. So you create a VISA for 15 quid and use it to buy a book on Amazon, it's then a dead card.
So it didn't affect many users and security was increased?
Overall result: well done for having to be threatened to actually protect your customer data Frogster.