As much as I try to make as many purchases as possible using That Intarweb Thingy, there are situations when I have to provide my credit card details over the phone. (No, not that situation.) Whenever I do, I usually take a quick look over my shoulder to check that nobody’s listening. If I’m at work, there are at least half a dozen people within earshot who would probably have my credit card number now if they ever had the desire to take it. At least a couple of times I’ve heard someone else reciting their credit card number, and I always have access to a pen and paper at my desk.
It occurred to me that you could fairly easily use what amounts to a one-time pad to make sure that the only people who know your credit card number are you and the person on the other end of the phone. Basically the operator gives you some random digits, four at a time. You add each digit to the corresponding digit in your credit card number, and tell the result, modulo 10, to the operator.
So, say my credit card number starts with 9108. The operator gives me the random numbers 4, 7, 9, 7. I do a quick bit of mental arithmetic, and come up with 3, 8, 9, 5. Repeat for the rest of the number, and possibly do something similar for the expiry date. The operator subtracts those numbers (or has data entry software that does it automatically), and away we go.
The most obvious problem is that you have to do some mental gymnastics that, even if you happen to be able to do that without clutching your head and moaning, you have a good chance of getting wrong at least once out of 16 times. And if you do it on paper, it defeats the purpose, for the same reason that making people change their passwords so often that they have to write them down defeats the purpose. And it doesn’t really do much about anyone who can get hold of your bank statement, or decides to glance in your wallet, or has access to any of the records held by any of the companies where you’ve used your credit card, or, for that matter, the operator you’ve just gone through this whole process with. But hey, the appearance of security is all that matters, right? That’s how airports work at least.
There are a few simpler variations you could use that, while they don’t have the strength of a one-time pad, introduce enough permutations of possible credit card numbers that it won’t help anyone who’s listening. Most of the time the first 8 or so digits are common between a whole family of cards, so you could cut down the obfuscation to the last 8. You could restrict the range of random numbers, say -2 to 2, to make the arithmetic easier. Or instead of adding mod 10, the operator could ask for the digits in a random order.
Anyway, I’m not expecting this to be something any company would do to make themselves popular with their customers. But maybe they could train their operators to do it if asked, to cater for the more geeky and paranoid among us.1 comment