One-Time Card Numbers for an Era of Endless Breaches


Apple Pay popularized the concept of tokenization — creating one-time codes for merchants to validate payment cards so consumers don't have to share sensitive, valuable account information. But Apple Pay works only in stores or apps right now.

For consumers who remain rightly uneasy about typing their card information into a web browser, several startups are offering tokenization services. These fintechs are partnering with banks to obtain the real bank and card information that they obfuscate online.

If adopted widely, tokenization could limit the risk of major data breaches. Malware trying to steal information from online shopping sessions wouldn't work and merchants like Target and Home Depot would not receive card data, let alone store it, so hackers would have to go elsewhere.

Tokenization has two limits, though. It does nothing to stop the use of card data that has already been stolen, and the tokenization providers themselves become attractive targets, given all the personal information they will be storing.

"Nothing is foolproof," said Steve Weisman, senior lecturer in law, taxation and financial planning at Bentley University and an attorney and privacy advocate. But "the theory is good. It's a matter of the practice."

The effectiveness of the service would depend, in part, on the tokenization providers being better at security than merchants.

"If these companies can maintain much better security — and security is not just a matter of hardware and software, it's also a matter of training employees so they don't fall for spearphishing and other kinds of attacks," then they have a good chance of success, Weisman said. They also need to be careful about protecting users, with features like two-factor authentication, he said.

Meet the Startups

The tagline of token (spelled with a small "t"), a company started by Zohar Steinberg and Yana Zaidiner, is "Let's make payment fraud a thing of the past."

The founders, who are married (they met when they both worked at the billing company Amdocs), say their idea stemmed from a personal need.

"Our credit cards were stolen a few times," Steinberg said. "Since we were entrepreneurs and security people, we wanted to build something for ourselves to begin with."

They came up with a list of requirements for their technology: it had to be free, it had to be globally accepted by any merchant, and consumers had to be able to pay using any bank account, credit or debit card, bitcoins or cash.

"We wanted it to be very user-friendly," Steinberg said. "You don't want to take it too far from the original experience." And of course, it had to be secure.

Token's app generates a 16-digit number a customer can use online the same way she would a card number. It can also generate a fake yet usable cardholder name. The merchant and bank go through a cardlike authorization process; token works with both Visa and Mastercard.

The startup gets a cut of the interchange fee its card issuer partners receive. In return, those card issuers, typically community and regional banks, can court consumers around the country who want to protect their card data, Steinberg said.

Fraud protection "is going to be a consumer acquisition play," he said.

To forge these bank partnerships, "We're knocking on every door, every window, and leveraging every connection and relationship we've built," Steinberg said. Useful bonds were forged at Startupbootcamp Fintech New York, an accelerator program whose mentors included bankers from around the world. Token is also talking to merchants.

Abine is a little older than token. Its founders objected to the prolific use of personal data in advertising.

"We looked at that and said, what's the counterpunch you can have? What kinds of controls does a regular consumer deserve over all these companies trying to learn as much as they can about us?" said Rob Shavell, Abine's CEO. "Our founding concept was, anyone should be able to control their personal data; that's why we call it personal, and the best way to do that is through tokenization."

Consumers can download Abine's Blur software and use it to tokenize their email address, phone number or credit card number.

Abine works with a bank partner to offer a new, one-time-use tokenized credit card, which is really a prepaid Mastercard for the purchase amount. (Consumers are charged a fee.)

Consumer data is encrypted using a password only the user knows. "We can never access our customers' personal data. And even if we're hacked, hackers can't access our customers' data because we can't," Shavell said. "The downside of it is you have to remember your password."

Shavell said the service has millions of users and all Mastercard-friendly merchants accept it.

Abine is working with a couple of banks it cannot yet name, to integrate its technology into their mobile wallets, a way to let customers shop securely from a mobile phone.

As the name implies, the founders of Privacy.com, a startup still in beta testing, are marketing their service as an alternative to legacy systems where oversharing is the default setting.

"We're believers that as a consumer you shouldn't have to share any more information with a merchant than what's really necessary to clear the transaction," said Boling Jiang, Privacy.com's chief executive. The firm, which is refining its model, aims to combine the privacy and security of cryptocurrencies with the customer remediation, compliance and universal acceptance of the established card networks.

"Essentially we allow you to generate temporary card numbers," Jiang said. "You can use them once or just lock them down to a single merchant," so if that retailer were breached the number would be no good anywhere else.
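The two mechanisms described above, a number that works once and a number locked to a single merchant, are easy to see in a small token vault. The following is an added example written for this article, not code from token, Abine or Privacy.com; the `TokenVault` class, the test BIN prefix `400000`, the merchant names and the funding card number are all constructed for the demonstration. It issues Luhn-valid 16-digit virtual numbers on top of a real card that never leaves the vault, then shows how an authorization request from a different merchant, or a replay of a single-use number, is declined.

```python
"""Toy token vault: one-time and merchant-locked virtual card numbers.

Added example (not the code of any company in the article). The BIN prefix,
merchant names and the funding card number are constructed test values.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes `partial` + digit a valid PAN."""
    total = 0
    # The rightmost digit of the partial sits next to the check digit, so it
    # is the first one doubled when counting from the right.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn validation of a full card number (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class VirtualCard:
    pan: str                          # the 16-digit number the consumer types in
    real_pan: str                     # underlying funding card, never released
    locked_merchant: Optional[str]    # None means single-use, otherwise merchant-locked
    remaining_cents: int              # spend cap for the virtual number
    used: bool = False


class TokenVault:
    """Maps virtual numbers to funding cards and enforces the usage policy."""

    def __init__(self, bin_prefix: str = "400000"):  # constructed test BIN
        self.bin_prefix = bin_prefix
        self.cards: Dict[str, VirtualCard] = {}

    def issue(self, real_pan: str, limit_cents: int,
              merchant: Optional[str] = None) -> str:
        """Create a new virtual number; merchant=None gives a single-use number."""
        while True:
            body = self.bin_prefix + "".join(
                secrets.choice("0123456789") for _ in range(9))
            pan = body + luhn_check_digit(body)
            if pan not in self.cards:          # avoid the (unlikely) collision
                break
        self.cards[pan] = VirtualCard(pan, real_pan, merchant, limit_cents)
        return pan

    def authorize(self, pan: str, merchant: str,
                  amount_cents: int) -> Tuple[bool, str]:
        """Decide an authorization request the way the issuer partner would."""
        card = self.cards.get(pan)
        if card is None:
            return False, "unknown"
        if card.locked_merchant is not None and card.locked_merchant != merchant:
            return False, "merchant mismatch"   # stolen number is useless elsewhere
        if card.locked_merchant is None and card.used:
            return False, "already used"        # replay of a one-time number
        if amount_cents > card.remaining_cents:
            return False, "over limit"
        card.used = True
        card.remaining_cents -= amount_cents
        # Only here would the vault forward card.real_pan to the issuer; the
        # merchant never sees it.
        return True, "approved"


def breach_scenario() -> Dict[str, Tuple[bool, str]]:
    """Walk through the article's two cases and return each decision."""
    vault = TokenVault()
    funding = "4111111111111111"                # constructed funding card
    once = vault.issue(funding, limit_cents=5000)
    locked = vault.issue(funding, limit_cents=5000, merchant="shop-a")
    return {
        "single_use_first":  vault.authorize(once, "shop-a", 2000),
        "single_use_replay": vault.authorize(once, "shop-b", 2000),
        "locked_at_home":    vault.authorize(locked, "shop-a", 2000),
        "locked_elsewhere":  vault.authorize(locked, "shop-b", 500),
    }


if __name__ == "__main__":
    for name, decision in breach_scenario().items():
        print(f"{name:18s} -> {decision}")
```

Note that `card.real_pan` still lives inside the vault, which is exactly why the provider, rather than the merchant, becomes the high-value target once such a service is widely used.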

The Limits of Tokens

Weisman is less enthusiastic about services like Abine and Privacy.com that basically buy one-time gift cards for customers to use online on the fly.

"I see that idea as kind of iffy," Weisman said. "There's so much that comes with gift cards, the regulations we have don't seem to match this type of use. I think there's a better way than gift cards."

Identity expert Richard Parry, principal at Parry Advisory, sees limited use to the new crop of tokenization offerings. For instance, they do nothing to prevent the use of already stolen card and personal identity data.

"It's responding to a lot of hype and concern. I don't know that its implementation will give a significant reduction in fraud losses," he said. "If it makes consumers feel better, then more power to the creators."

Parry also noted that merchants may balk at the withholding of consumers' information. The merchants' banks want the information for data verification, and in some cases, retailers themselves want the data for cross-selling.

The strongest argument against tokenization is that it could provide a misguided comfort around using cards online.

"Imagine you've enrolled in this service and then you get fraud because you're using obfuscation of a card whose details are already out there," Parry said. "You've just been lulled into a false sense of security."

These efforts share a noble goal: to help secure and shield consumers as they shop online. Like most security and privacy initiatives, they're a partial answer and not for everyone. It will be interesting to see whether consumers gravitate to these options, or continue to fling their credit card data around online, keeping their fingers crossed.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

MORE FROM AMERICAN BANKER