Credit cards and POLA
I just came back from CEAS 2004, the first conference on email and anti-spam. We were sharing some spam and phishing stories over lunch and one struck me.
It was about somebody's grandpa who received an email claiming that a fraud had been detected and that he had been charged for a large number of flowers. He was asked for his credit card number so that the money could be credited back to his account.
Not only does it illustrate the problem of phishing and social engineering, it also made me realize how the credit card design violates POLA (the Principle Of Least Authority). A credit card number acts as an unrestricted (albeit monitored) handle to the corresponding account.
Providing his credit card number on that page would have given the attacker far more authority than the stated purpose required: not only the authority to credit money to the account, but also the authority to charge it, once or repeatedly.
Yet we keep handing it out...
A better design would let the cardholder hand out a restricted handle, charge-only or credit-only, valid for a single use or for a limited number of uses.
The right granularity is still open to discussion, but it could be adjusted later if needed.
Another open question is how to build a usable solution.
What if, instead of a passive card, you had a card that let you punch in the options you want (mainly the amount)? You would then enter your card number as usual, plus a confirmation code (maybe 3 or 4 digits) that cryptographically expresses the limited authority you want to give out. A code that short can be guessed in at most 10,000 tries, so the issuer would have to verify it against the card's secret, consume it after its allowed uses, and lock the card after a handful of wrong codes.
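To make the sketch above concrete, here is an added example (mine, not code from the original post) of what such a confirmation code could look like. It assumes things the post does not say: that the card and its issuer share a per-card secret key, that the card keeps a sequence number it shows next to the code, and that the merchant forwards the sequence number, mode, amount and number of uses along with the code. The card number, key and amounts are constructed test data.

```python
"""Limited-authority confirmation code for an active card (added example,
not from the post). Assumed, not stated in the post: the card and its
issuer share a per-card secret key, the card keeps a sequence number, and
the merchant forwards sequence number, mode, amount and number of uses with
the code. The code is a MAC over all of them, so it authorizes nothing else,
and the issuer consumes each sequence number so it cannot be replayed."""
import hashlib
import hmac
from dataclasses import dataclass, field

CODE_DIGITS = 4    # the post suggests 3 or 4 digits
MAX_FAILURES = 5   # only 10^4 codes exist: lock the card after a few wrong ones
MODES = ("charge", "credit")


def confirmation_code(key, pan, seq, mode, amount_cents, uses):
    """MAC over every parameter of the authority, truncated to CODE_DIGITS."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    msg = f"{pan}|{seq}|{mode}|{amount_cents}|{uses}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Card:
    """The active card: punch in the authority, read off (sequence, code)."""
    def __init__(self, pan, key):
        self.pan, self.key, self.seq = pan, key, 0

    def punch_in(self, mode, amount_cents, uses=1):
        self.seq += 1
        return self.seq, confirmation_code(self.key, self.pan, self.seq,
                                           mode, amount_cents, uses)


@dataclass
class CardRecord:
    key: bytes
    last_seq: int = 0                          # highest sequence number accepted
    live: dict = field(default_factory=dict)   # seq -> uses still remaining
    failures: int = 0


class Issuer:
    def __init__(self):
        self.cards = {}

    def enroll(self, card):
        self.cards[card.pan] = CardRecord(key=card.key)

    def authorize(self, pan, seq, code, mode, amount_cents, uses=1):
        """True only if the code was issued for exactly this mode/amount/uses."""
        rec = self.cards.get(pan)
        if rec is None or rec.failures >= MAX_FAILURES:
            return False
        try:
            expected = confirmation_code(rec.key, pan, seq, mode, amount_cents, uses)
        except ValueError:
            return False
        if not hmac.compare_digest(code, expected):
            rec.failures += 1          # wrong parameters, or a guessed code
            return False
        if seq in rec.live:            # another use of a multi-use handle
            rec.live[seq] -= 1
            if rec.live[seq] == 0:
                del rec.live[seq]
            return True
        if seq <= rec.last_seq:        # already consumed (or presented out of order)
            return False
        rec.last_seq = seq
        if uses > 1:
            rec.live[seq] = uses - 1
        return True


def demo():
    """Replay the flower-refund story with a restricted handle (constructed data)."""
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)  # constructed key
    card = Card("4111111111111111", key)                          # test PAN
    issuer = Issuer()
    issuer.enroll(card)
    out = {}
    # Grandpa hands out a one-use credit of 99.00, nothing more.
    seq, code = card.punch_in("credit", 9900)
    out["credit_accepted"] = issuer.authorize(card.pan, seq, code, "credit", 9900)
    out["credit_replayed"] = issuer.authorize(card.pan, seq, code, "credit", 9900)
    out["charge_with_credit_code"] = issuer.authorize(card.pan, seq, code, "charge", 9900)
    out["other_amount"] = issuer.authorize(card.pan, seq, code, "credit", 99000)
    # A three-use charge handle: the fourth charge is refused.
    seq, code = card.punch_in("charge", 1234, uses=3)
    charges = [issuer.authorize(card.pan, seq, code, "charge", 1234, uses=3)
               for _ in range(4)]
    out["three_of_four_charges"] = charges == [True, True, True, False]
    # Guessing all 10^4 codes for a fresh handle: at most one hit, then the card is locked.
    seq, _ = card.punch_in("charge", 500)
    hits = sum(issuer.authorize(card.pan, seq, f"{g:0{CODE_DIGITS}d}", "charge", 500)
               for g in range(10 ** CODE_DIGITS))
    out["brute_force_stopped"] = hits <= 1 and issuer.cards[card.pan].failures == MAX_FAILURES
    return out
```

Two design points worth noting. Carrying the sequence number next to the code is my assumption; if the card showed only the 4 digits, the issuer would have to try a window of sequence numbers for every transaction, and each extra candidate multiplies an attacker's odds per guess. And the keyed MAC is what lets the code "express" the authority: the issuer recomputes it from the parameters the merchant submits, so a code handed out for a credit verifies for nothing else. The 4-digit truncation remains the weak link, which is why the failure counter, not the code, does the real work against guessing.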
Disposable credit card numbers are already in use.
______________________________________
Actually, American Express cancelled the private payments program sometime last year.
Posted by: Tim Marman (August 2, 2004 08:04 AM)