Schneier on Security
A blog covering security and security technology.
February 10, 2005
Authentication and Expiration
There's a security problem with many Internet authentication systems that's never talked about: there's no way to terminate the authentication.
A couple of months ago, I bought something from an e-commerce site. At the checkout page, I wasn't able to just type in my credit-card number and make my purchase. Instead, I had to choose a username and password. Usually I don't like doing that, but in this case I wanted to be able to access my account at a later date. In fact, the password was useful because I needed to return an item I purchased.
Months have passed, and I no longer want an ongoing relationship with the e-commerce site. I don't want a username and password. I don't want them to have my credit-card number on file. I've received my purchase, I'm happy, and I'm done. But because that username and password have no expiration date associated with them, they never end. It's not a subscription service, so there's no mechanism to sever the relationship. I will have access to that e-commerce site for as long as it remembers that username and password.
In other words, I am liable for that account forever.
Traditionally, passwords have indicated an ongoing relationship between a user and some computer service. Sometimes it's a company employee and the company's servers. Sometimes it's an account and an ISP. In both cases, both parties want to continue the relationship, so expiring a password and then forcing the user to choose another is a matter of security.
In cases with this ongoing relationship, the security consideration is damage minimization. Nobody wants some bad guy to learn the password, and everyone wants to minimize the amount of damage he can do if he does. Regularly changing your password is a solution to that problem.
This approach works because both sides want it to; they both want to keep the authentication system working correctly, and minimize attacks.
There's nothing I can do about this, but a username and password that never expire is another matter entirely. The e-commerce site wants me to establish an account because it increases the chances that I'll use them again. But I want a way to terminate the business relationship, a way to say: "I am no longer taking responsibility for items purchased using that username and password."
Near as I can tell, the username and password I typed into that e-commerce site puts my credit card at risk until it expires. If the e-commerce site uses a system that debits amounts from my checking account whenever I place an order, I could be at risk forever. (The US has legal liability limits, but they're not that useful. According to Regulation E, the electronic transfers regulation, a fraudulent transaction must be reported within two days to cap liability at US$50; within 60 days, it's capped at $500. Beyond that, you're out of luck.)
This is wrong. Every e-commerce site should have a way to purchase items without establishing a username and password. I like sites that allow me to make a purchase as a "guest," without setting up an account.
But just as importantly, every e-commerce site should have a way for customers to terminate their accounts and should allow them to delete their usernames and passwords from the system. It's okay to market to previous customers. It's not okay to needlessly put them at financial risk.
This essay also appeared in the Jan/Feb 05 issue of IEEE Security & Privacy.
Posted on February 10, 2005 at 7:55 AM
• 43 Comments
The text was broken in IE. FF shows it fine, however.
Well, you could always cancel your credit card every 6 months or so, and have the credit company issue you a new one. Not sure about fees, though. You could just tell them you feel you're at a security risk because of such databases that keep your credit info forever.
Once more a field where European legislation is ahead of the US. IIRC, German jurisdiction mandates e-commerce sites to offer an account termination link. It has something to do with scarcity of data collected and is part of the privacy legislation we have here.
My credit card has a feature where I can generate a new number for online purchases, which either expires or is one-shot, and would be great for this. Now if only I could figure out from their web site how to generate one, I'd be in business.
In the UK, most banks will waive all customer losses through internet fraud, provided the user hasn't been negligent (giving someone else their card details, not reporting a problem they know about, etc). By law, the maximum the customer is liable for in these situations is £50.
Most companies will delete your details from their database if you ask them. It's more hassle, but I keep a database of every company I've intentionally given my details to, and twice a year I go through it, closing all the accounts I don't use, and emailing the companies who don't have a link for it.
Ahem, the £50 is not law, it's a voluntary code of practice; some online banking websites have no set limit, shock horror, meaning you're liable for all losses.
Every credit card expires within four years or so, at which point the 3 or 4 digit "security code" on it will change. That's about the only way these types of accounts expire. But yes, your information stays around forever, essentially. Choose good passwords, hope for the best?
Perhaps I'm missing something: what's stopping them from keeping your name, address, card #, purchase history even without an account name linked to it?
The only difference that I can see is without an account name and password, you wouldn't have easy access to the records the company has on you.
If you can enter your credit card details in your account settings, why not just go back and change those details to something that's no longer your valid credit card number?
While I can't guarantee that any given site won't keep my credit information on file, I'm personally not interested in doing business with any site that doesn't make me type it in every time I purchase something new.
Ideally, I'd prefer that the business hold my credit card information only as long as it takes to process the transaction and get a transaction code from the credit card processing company that verifies the transaction. Should they need to deal with my card in the future, such as for refunds, they should have to contact the credit card processor with my transaction number and a valid reason why they're doing so.
The less they handle my card number, the less risk to me and the less liability for them.
Credit card numbers do not necessarily change when the expiry date passes. Hence some websites will just prompt you to enter the new expiry date for a card you used previously.
I agree with Eric:
In circumstances where I find that I am unable to disable/terminate the account and they insist on storing personal information such as home address, credit card info I change the information so that none of it is valid. Not only can a legitimate purchase not be made with the mangled information, but even an "accidental purchase".
In the end no one can really count on remote companies to properly dispose of any paper trails (with personal information printed on it, such as receipts) or ensure their databases are secure and not vulnerable to remote attacks and infiltration... so in the big picture it is all really about flailing in the wind. Those that choose systems of ease must pay one way or the other.
A credit card issuer could make money providing, specifically for an online purchase, for a small fee, over a secure link, a one-time use set (a new name, card number, expiration, and confirmation codes). After the issuer authenticates the set to the e-commerce site and completes the credit transaction, the set expires. It should also expire if not used within some time limit (8 hours?) so the deadline should accompany the set.
I would sign up for this, content to pay a small price to know whoever might steal or sell the use set is screwed in advance. Think of the impracticality of stealing the identity information of imaginary people.
The company policies themselves keep them from processing transactions without retaining the information on file. The more trouble you have to go through to purchase from them, the more likely you will say, "Well, I've already set up an account at such-and-such, so I might as well just go back to them rather than make another account at their competitor."
Some companies do actually allow you to remove your credit card information. Some require you to create an account, but don't require that you store your credit card information in their database.
As PETCO has demonstrated, we really shouldn't trust companies to keep our information secure. Not yet, any way.
Of course, if you have already stored your card number and then found that you can't un-store it, you should have the ability to call the credit card company and tell them that your number ended up in the hands of someone you can't trust and need to get a new number assigned to your existing account and the old number dropped.
I'd be more than willing to pay $100, even $200 for a credit card that had a SecurID-like feature built into it.
Enter the amount, enter your PIN, mix with the current time, and wham - a one-shot "security code" pops out.
Ideally one device could handle multiple "cards".
You know, the other problem with this is that expiration doesn't also mean termination. A prime example of this, for me: years ago I had a PayPal account. Fine and dandy; I was using it, and it was directly tied to my bank account as well as a credit card. Well, I quit using it for a very long time. My account had expired there for lack of use. However, when I went to sign up again with the same email address, they told me I couldn't because there was a bank account associated with my email address. So even if my account had expired and terminated, there was still a direct link between them and my accounts. Since then I have changed banks and so on. But I was rather upset at them for this. Then, of all things, they said if I wanted to use their service again I had to go get another email address.
In my experience, most e-commerce sites allow you to establish an account (user name and password) without having to permanently store your credit card info, which you then enter manually each time you make a purchase. This seems like a reasonable compromise to me.
It's for this reason, in part, that I have taken to preferring vendors who accept Paypal as a form of payment. In the situation where the vendor accepts paypal, the credit card information is abstracted from the vendor. Of course, you are still liable for the credit card information stored at paypal, but I do have an ongoing use for that information, and an ongoing relationship with its usage.
You can generate one-time credit card numbers that solve this problem if they are MBNA type and reachable at mbnanetaccess.com
Their one-time use type let you define a dollar amount cap and a custom expiration date (minimum 2 months). This in effect makes the CC number you give the merchant only useful for the single purchase of the moment. These support the 3 digit security code also (which is different from your "real" 3 digit security code).
Note that these are different in features than the now defunct AMEX one-time CC numbers.
**NOTE** do not use one-time CC numbers for your PayPal account in an attempt to limit the damage they can do to you. There seems to be a rule that using more than N (N ~ 10?) different card numbers with a PayPal account gets your account frozen and then terminated without redress.
Even if you make a purchase without registering a username, what makes you think the company won't be keeping that information forever?
At least having a username, you can update your account information with invalid data.
Make it costly enough to keep the data (e.g. regulate retention policies for personal identity information) and the companies will hopefully start to keep cleaner data repositories.
There was an interesting talk at BlackHat last year that was all about one person's work to completely erase all traces of their identity online. My favorite tip was to install a mailbox on a random street, give it a number, and start using it for all your postal correspondence.
Many sites do not keep your card # on file. They use the password/user system to store your other details, but not your card info.
"This is wrong. Every e-commerce site should have a way to purchase items without establishing a username and password. I like sites that allow me to make a purchase as a "guest," without setting up an account."
I agree. I use disposable email addresses for most of my registrations. These forward to one of my permanent email accounts. If I get any spam from the site or I have no intention of doing business with them again, I dump the disposable address.
Another alternative which might meet your requirements and is starting to gain traction is a company called BitPass (http://www.bitpass.com). You sign up and fund a virtual debit card and can then buy anonymously from your cash store, without having to do additional sign-ups at every site or give out your credit card number to anyone. BitPass is generally oriented towards people selling digital content for amounts less than $5 but can be used to sell anything at any price. I've enjoyed buying a few things from BitPass vendors and it has worked without problems for me.
Just a point on the UK situation regarding Internet fraud. I have actually been defrauded a couple of years back by a company over the Net, and Barclays, the credit card company, refused to get involved beyond cancelling the card. So if you think that should your card be fraudulently charged it is going to be the bank's problem, think again.
Like Bruce mentioned, system passwords expire for security reasons. You are dealing with "shared secret" information here. It seems that the only sure way to guarantee that abuse is prevented is to expire the information yourself, whether through regularly changing your system password, expiring your key pairs, or changing your credit card number by changing accounts.
Thanks for the "Authentication and Expiration" piece. This one had some special meaning for me, since I'm product designer / tech guy at an ecommerce site (we enable online ordering for about 50 area merchants from a single portal). I felt pretty good about your suggestions, since we are already doing most of them. It makes me feel smart - thanks.
Regarding your concern about requiring users to have accounts - at this time we require our users to have account information, because the expectation is that they will use the site over-and-over. Our average user orders about 1.5 times a week, so saving time by not re-entering the card information is significant to them. Our next release will, however, allow someone to order without an account - but our intent on providing this is to allow people to try the service several times before they decide to save more time. The problem with doing that, as you have noted, is that it is harder to get reports on past orders without some user identification, and you cannot assume that a user will always have a copy of an order ID. It will be also hard to do adjustments or refunds unless we store the card information and (very importantly) can identify that the person requesting a refund is actually the person who ordered. Authentication of "guest" users is a real problem in that situation, especially since we really don't want to store the card information for non-account holders. We will have to have some 'expiration' of that information, but will also need to maintain some history about "guest" orders - it will be hard to find a perfect solution here. Maybe someone smart has a good suggestion?
For what it is worth, when you close your account on our system, your login (username, password) are changed and all credit card information is erased. We keep the actual account in existence (though no-one can order from it) for historical reasons - if we ever need to pull up ordering history, etc., we want to be able to do that, even for a closed account.
I like, very much, your suggestion that accounts be terminated after a certain period - we don't currently do that, but I think that we should. I'm not sure why we did not think of that earlier, but I wish we had. You can bet that we'll have that in the next version.
I absolutely agree that it should be possible to cancel any account. I recently asked an airline ticket e business to cancel my account, pointing to Canadian privacy protection laws. They complied but it took them a long time.
@Neil: why don't you send customers who haven't signed in for a certain time an email asking them whether they want to keep the account or not? By the way, I don't think that businesses have an advantage by keeping accounts alive indefinitely. The stored data will expire and become useless anyway. Companies should be happy to have accounts that are no longer used deleted from their databases, unless they try to inflate their customer numbers as an accounting trick.
A friend of mine (no, not a foaf) had a related difficulty: he had closed his account with a credit card company, and the paperwork defining the old account was warehoused in some remote location when the company was bought out. Years later, the new company transposed some numbers in a transaction, and began charging his old account. Naturally, since they could not find any data that he had closed the account, they did not understand why he was upset that they were charging him interest and late fees. He ended up paying some or all of the charges in order to clear up his credit report. (Apparently the company simply could not find their own records.) The moral of the story, apparently, is: keep good records. (And know a good lawyer.)
I had a company billing me for a service I no longer wanted. My credit card was about to expire, so I figured that when that happened they wouldn't be able to bill me.
It turns out that, not only did my credit card number stay the same, but the vendor didn't need a valid expiry date to continue billing! Another vendor sent me a few (seemingly automated) emails in advance of expiry telling me I really needed to update before card expiry, but stamps.com managed to keep billing me without missing a beat...
So, my credit card expires, but the new expiry date is predictable. I don't recall whether the verification code expires - but a three digit code isn't very secure anyway.
A facility to close my account would be useful, but I don't even recall what companies I have an account with. More useful would be the ability to specify an account closure date. It could default to, say, five years or to my credit card expiry date, or the warranty expiry date if I'm making a purchase.
I'd not mind if the company reminded me about the expiry so that I could renew, but that could be an option at purchase time.
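The account lifecycle sketched in this thread (Neil's close-account behaviour of replacing the login and erasing card data while keeping order history, the inactivity reminder suggested to him, and the default closure date tied to the card's expiry), as an added illustrative model that is not the site's code or anyone's posted code. The Account fields, the five-year cap and the 30-day reminder window are assumptions chosen for the example:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib
import secrets

# Constructed account model (not the site's code). Orders and card data
# are plain placeholders; a real system would tokenise the card instead.

def hash_password(pw: str) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return salt.hex() + ":" + dk.hex()

def verify_password(pw: str, stored: str) -> bool:
    if not stored:                      # closed accounts store no hash
        return False
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), 200_000)
    return secrets.compare_digest(dk.hex(), dk_hex)

@dataclass
class Account:
    username: str
    password_hash: str
    card_on_file: Optional[dict]        # e.g. {"number": ..., "expiry": date}
    closes_at: date                     # explicit end of the relationship
    orders: List[str] = field(default_factory=list)
    status: str = "open"

def default_closure_date(opened: date, card_expiry: Optional[date],
                         max_years: int = 5) -> date:
    """Closure date as suggested in the thread: the card's expiry if that
    comes first, otherwise a fixed cap of max_years (assumed: five)."""
    cap = opened.replace(year=opened.year + max_years)
    return min(cap, card_expiry) if card_expiry else cap

def close_account(acct: Account) -> Account:
    """Sever the relationship the way Neil describes: login credentials
    are replaced, card data is erased, order history is kept."""
    acct.username = "closed:" + secrets.token_hex(8)
    acct.password_hash = ""
    acct.card_on_file = None
    acct.status = "closed"
    return acct

def renew(acct: Account, today: date, extension: timedelta = timedelta(days=365)) -> Account:
    """The customer answered a reminder and wants to keep the account."""
    acct.closes_at = today + extension
    return acct

def sweep(accounts: List[Account], today: date,
          remind_before: timedelta = timedelta(days=30)) -> Tuple[List[Account], List[Account]]:
    """Daily job: accounts approaching their closure date are returned for
    a reminder e-mail; accounts past it are closed (assumed 30-day window)."""
    reminders, closed = [], []
    for acct in accounts:
        if acct.status != "open":
            continue
        if today >= acct.closes_at:
            closed.append(close_account(acct))
        elif today >= acct.closes_at - remind_before:
            reminders.append(acct)
    return reminders, closed
```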
I have had a similar experience: a credit card that had been officially cancelled by the card issuer was used to defraud me. Nobody realized that the card was invalid until I detected the fraud. How did it happen? Well, the issuer told me to send them the old card by mail instead of destroying it!
Always make sure that you physically destroy cards you don't use any more. Of course, the card number will still be out there.
When I cancelled a cc: Friday they informed me that any prior periodic automatic charges were considered a "vocal contract" and WOULD be charged to the [cancelled] credit card account, and must be cancelled by me.
Do *NOT* rely on a cancelled credit card.
Much appreciate your email newsletter.
Regarding expiry of accounts... I may WANT to keep my bank account for years; in fact I think most people wouldn't drop theirs and get another one more than a half dozen times in their life.
Now however, after avoiding grocery stores that have "POINTS" cards because I really hate tracking, I find that my current grocery store has begun scanning the cash money I give them. CASH.
Suddenly there is a potential and salable link from my bank account of long standing, to marketers at the grocery store. This tremendously sickens me, and puts another spin on whether or not I keep my bank account, to say nothing of shopping elsewhere.
Barter starts sounding pretty inviting.
Yes, I can confirm that a lot of sites do not remember your card information; you are just not aware of that.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.