Masked Credit Cards

I wrote the other day about shifting to unique passwords for every single web site I visit (there were 300 I had to change!) to limit the damage from a data breach such as that at Adobe.  The irony was that to make this work, I adopted a password vault program to remember all these 300 strings of random characters.  Which means that I am putting a LOT of trust into one site, instead of a moderate amount of trust into multiple sites.

The same sort of approach is being investigated with credit cards, where intermediaries are providing masked credit cards with one-time numbers (hat tip to a reader).  In some ways Paypal has a masked approach where the transaction is settled off the retailer's site entirely, though I am not sure I am entirely comfortable with Paypal's security.


  1. Jens Fiederer:

    Not even necessarily intermediaries. One of my credit cards offers that as a direct service.

  2. MingoV:

    If I buy something with a credit card and receive nothing or a product of lesser quality than I ordered, I can call my credit card company. It will withhold payment to the merchant until an investigation is completed. PayPal has no such protection. Also, there's the product warranty benefit. Two of my credit cards add one year to most warranty periods. Products with warranty periods of less than a year get doubled warranty periods. Again, PayPal cannot match that.

    I use PayPal primarily for eBay purchases and for books, DVDs, and other items without warranties.

  3. herdgadfly:

    A Wells Fargo manager helped me set up a bank account with $1.00 deposited in it. The WF debit card for the account serves as my online credit card. When i make a purchase online, I transfer exactly the amount of the purchase from my regular Wells bank account. As a result, I limit my risk to $1.00 more than my purchase.

  4. ErikTheRed:

    One technically important nit that I'll pick - you're not actually trusting the LastPass website with your passwords - they are (allegedly) stored there in encrypted form and the files held there would need your key to decrypt them. Personally, I like products that sync encrypted files through Dropbox or iCloud (I'm looking at trying this with private cloud services as well) for an extra layer of security with only minor additional hassle to set up.

  5. Jerome Jahnke:

    I tend to use the 'Forgot my password' functionality a lot. So instead of remembering a password I have a predictable mechanism for answering the challenge questions which usually never get stolen. That way if they steal the password it is a random string of keys which will probably be unique for that website, but I won't ever use it a second time anyway.

    Things I use all the time I tend to lump so if they get the password them might get it for a few other sites. But who cares if you can log into facebook and linked in as me? Worst you can do is damage my online reputation which admittedly isn't all that good anyway. I do take care with my email account Google has an awesome set of multi factor authentication tools. As long as you protect that one you can sort just about anything else out.

    I also have a lot of access to machines that face the internet but PKI and Kerberos was made for that so I have not needed a password to access a machine for years.

  6. Xmas:

    Bank of America has this feature for their Visa cards. You can create a unique card with a limit just over the cost of your purchase and it gets charged to your regular credit card. You can even give the card a one year expiration date and use it for a subscription service. I think its called Shop Safe, it is under the Additional Services for the credit card on the boa account website.

    I use it all the time. When they first set it up, though, it used to pop out a browser window and resize it to "credit card" size. Which was really annoying with browsers that could be configured to open new windows in tabs.

  7. Rick C:

    I have a friend that used a credit card that offered one-time-use numbers with a limit, several years ago. Then he found out--I forget how--that they didn't actually honor the limit. I think he bought something that wound up costing more than the originally-stated price, and he was surprised when it went through. He called them up and discovered the one-time-use and dollar limit were not real--they would happily let multiple transactions go though as well, so the entire claim was a lie.

  8. FelineCannonball:

    I figure the password vault programs are owned or subsidized by the NSA :).

    Shop Safe type online services have been available for a decade. It would be nice to have such things for traveling physically through rural Wyoming among other places. Seems like every time I do I get a fraud alert and an automatically cancelled credit card.