Friday 29 December 2006

Virtual Single Use Credit Cards

My bank used to offer plebs like me a very nifty "virtual" single use credit cards via an application\service called O-Card from Orbiscom. It had stagnated a bit over the years and I must say that I was getting a bit concerned that it hadn't been updated since 2002 or so however I was really disappointed whne they told me in July that they were discontinuing it and that from now on Verified by Visa or somesuch would keep my credit card safe in future. Frankly I was not impressed - Verified by Visa is all fine and dandy but the model still requires me to send my actual credit card details over the net and that is the part that the O-Card really sorted out. I could happily shop on www.wearaetotallydodgy.com and know that I had full control of the risk I was getting in to.

The O-Card worked as follows:
  1. You get to a checkout on an on line site looking for credit card details.
  2. Fire up the O-Card application and log in.
  3. Select the credit limit for the one time Credit Card.
  4. It gives you a Credit Card number with the same user name and billing address as your real card that has the following differences:
    1. It can only be used once. As soon as the vendor clears the transaction it can no longer be used for anything.
    2. It has a low credit limit - provided you chose to do this of course.
    3. The Card number and CVV2 number are different
    4. The issue date is the current month and the expiry date is next month.
  5. I give these details to the online vendor and my order clears.
  6. If they are evil and chose to try and reuse the number or are unlucky and get hacked by some Zero day sploit or are stupid\inept and just let my details get stolen later I don't care. In all cases the card number is useless.
  7. All I have to worry about is whether I get my stuff and my real credit card remains safe.
In general it took less time to get a card number from it that it took for me to get a credit card out of my wallet. Really sweet, and I'm sure you can tell that I was rightly pissed off when they chose to kill it off rather than beef up the security or do whatever deal it was that Orbiscom wanted in order to keep it alive.

In their defence the O-Card application model probably had some serious security problems but frankly since there hadn't been a single update to the client app since 2002 (and maybe even 2001) I think that no one was really making any effort to make the client any better. Suggesting that we all just trust "Verified by Visa" is certainly a lot easier for them though and I suspect that their risk assessment process just told them to dump the service since it wasn't very popular. Its low popularity had a lot to do with the fact that their marketing of it was abysmal but what do I know about marketing eh?

There is a very costly alternative available in the form of 3V Vouchers but their charges and terms of use make money lending look like a socially responsible business. OK that's unfair but I find the Euro 5 - 7.50 per transaction fixed fee detailed in their terms and conditions to be outrageous given that these are really targeted at folks who can't afford a real credit card and these are a totally risk free pre-paid voucher as far as the issuing card company is concerned. Compared to the zero cost per transaction of the O-Card it really doesn't seem right to me but I suppose they have to make a shilling after all. Frankly I suspect that the demise of the O-Card and the rise of these vouchers is related but I might just be getting too paranoid.

All is not lost however because it seems that Paypal are launching something similar. This blog post from Techimo points to this Paypal info page that describes a new Paypal service\utility that is not hugely dissimilar to the O-Card. I'm quite keen to see this come out of restricted beta and check how well they have implemented this. It's the first positive sign that I've seen that one of the large operators in the online payments game is making a serious effort to give end users a more concrete way of managing the risk they are prepared to handle when paying for things online. For me I'm just looking forward to being able to shop with confidence at www.wearaetotallydodgy.com again. Happy days.

1 comment:

Lorra said...

from what I have read about O-card I can make a conclussion that this card is rather conviniet, but to my mind it would be safer if you did not have to enter your actual card number.