Cloud computing and hosted applications only seem to be on the rise, and while this opens up vast possibilities it also opens us up to security implications. Aside from trusting these third parties with our data, it also means trusting them with our financial details.
One of the biggest stories of 2011 was the news of hackers breaking into Sony’s PlayStation Network and stealing millions of users’ credit/debit card details. And they were just one of several companies hit, big corporations who have the resources to protect their data properly. As I’ve said before though, hackers will get in eventually, no matter how good you are. Now Sony (and others) are adding clauses to their contracts so you can’t sue them if they have a breach.
If we start to rely on hosted services, then they’re likely to want to store our details so we can continue to pay for them and remove the barriers to buying new services. These big pools of card details provide a tantalising target for hackers interested in financial gain, so we need to start thinking of other ways to protect our details.
One way to do this might be to stop companies storing details and disconnect the payment process, so instead of using your card to buy the service, you could buy a coupon code which you would then enter to buy something. You still end up having to dig out a card to buy new services though, and risk your service getting cut off because you forgot to renew.
So how about single-use credit/debit cards? By that I mean simple codes, generated by your bank, which are limited to a specific timeframe, linked to a website or company and can’t be used outside of these parameters? So when you wanted to sign up to the PlayStation Network you would log in to your bank, enter some details to limit it by that company name, say, then generate a card number which could not be used anywhere else. Even if someone broke in and stole your details, they’re useless, or at least limited. Once you know your details have been compromised, you simply log in to your bank and cancel the virtual card.
You could potentially even assign a certain amount of money to the card so no more could be spent, as you can do in certain countries already (pre-paid cards, electronic money essentially), maybe even set them to require your permission before a transaction could be processed (as it’s not your main card it’ll be feasible to approve each transaction).
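To make the idea concrete, here is a sketch of the checks a bank would run on each charge against such a card. It is an added example, not part of the original post and not any bank's real system; the `VirtualCard` class, its field names and the sample merchants and amounts are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass
class VirtualCard:
    """Hypothetical bank-side record for one merchant-locked virtual card."""
    merchant: str                  # the only company allowed to charge it
    valid_from: datetime
    valid_until: datetime
    limit: Decimal                 # total that may ever be spent on this card
    needs_approval: bool = False   # hold each charge for cardholder consent
    spent: Decimal = Decimal("0")
    cancelled: bool = False        # set by the cardholder, e.g. after a breach

    def authorize(self, merchant, amount, when, approved=False):
        """Return (ok, reason); every restriction is enforced by the bank."""
        amount = Decimal(amount)
        if self.cancelled:
            return False, "card cancelled"
        if merchant != self.merchant:
            return False, "merchant not permitted"
        if not (self.valid_from <= when <= self.valid_until):
            return False, "outside validity window"
        if amount <= 0:
            return False, "invalid amount"
        if self.spent + amount > self.limit:
            return False, "spend limit exceeded"
        if self.needs_approval and not approved:
            return False, "awaiting cardholder approval"
        self.spent += amount
        return True, "approved"


def demo():
    """Constructed scenario: card issued for one merchant, details then stolen."""
    start = datetime(2012, 1, 1)
    card = VirtualCard("PlayStation Network", start,
                       start + timedelta(days=365), Decimal("50.00"))
    day = start + timedelta(days=10)
    results = [
        card.authorize("PlayStation Network", "39.99", day),  # legitimate charge
        card.authorize("Some Other Shop", "5.00", day),       # stolen, used elsewhere
        card.authorize("PlayStation Network", "39.99", day),  # would exceed the cap
    ]
    card.cancelled = True                                     # cardholder cancels
    results.append(card.authorize("PlayStation Network", "1.00", day))
    return results
```

The point of the design is that the stolen number carries no authority of its own: the merchant, the time window, the cap and the cancellation flag all live at the bank, so a breach at the merchant exposes nothing reusable.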
Similar services already exist, though through a limited number of providers and with limited options. For example, PayPal did offer the service, in the US only, but have since disabled it. In the UK, none of the banks appear to offer such a service. It’s clear the current system of cards has problems and needs to be updated; we need greater flexibility and more control.