SMS Credit Card Confirmation

It’s becoming clear that credit cards are no longer worth jack in terms of security.  The great new idea of having a verification code which is actually printed on the card itself now seems embarrassingly stupid. Widespread theft of CC details now happens on such a regular basis that we no longer even flinch when we find out that company X leaked 45 million (yes, Million) credit card numbers over a period of 2 years.

Chip and PIN (Depending on who you believe) has made a significant reduction in the fraud rate that takes place in store, but online is still a very scary place to use your CC. Additionally, even bricks and mortar retailers are having trouble implementing PCI compliant payment solutions within the required timescales. So, what can be done?  Well it occurs to me that there are now a number of things we absolutely always have with us, these days.

In terms of what you must have items are wherever you go, the credit card is a given, but the mobile phone is pretty much the most ubiquitous piece of technology on the planet these dyas.  You’re almost as unlikely to go out without your phone as you are without your trousers.

So, when you make a purchase which is NOT chip and PIN protected, Why not send an SMS authorisation code and await confirmation?  Strikes me that this would be a pretty simple step to take? The merchant code on your favourite website would need a change to allow for the presentation of a unique code.  An SMS message pops up with the unique code and all you have to do is send an empty reply.  Bingo.  The fly in the oitment here, is that the Merchant cannot hold the Mobile phone number: The Moby number has to be the one on file with the credit card company.  REalistically, this means that the CC company or Clearing house has to send the text and await the response.  This has to be the case or the fraudster will just stick in another mobile number at purchase time (Meh).


All in all, this is a great scheme because it’s out of band: it does not rely on details held on the credit card itself or the merchant network.  In fact, eve the credit card company network is less critical: Even the availability of Credit Card to Mobile mappings would not assist an attacker unless they had the ability to Pwn the mobile phone too.  Effectivly, it’s adding another factor to the authentication process.


If we make the (presently flawed) assumption that mobile phones are left strongly secured (i.e. you PIN lock it), then even the theft of your card and phone continues to protect your credit card.


An extra benefit is that because any purchase attempt results in an SMS message to the cardholder, the cardholder gets pretty much instant notification of a possible problem.


As it happens, this leads onto a question: why don’t credit card companies offer SMS on purchase messages now?  It’s an obvious step for those that want a strong connection with what their credit card is doing.




Leave a Reply