August 30, 2005

How to Build a Secure Credit Card Authoriser - 5 mins biz plan

Business 2.0 runs an innovative idea - ask the VCs what they'll spend money on right now! First cab of the rank is FC, with building an app to secure CC purchases from the mobile / cell phone / PDA platform:

$5M Mobile ID for Credit Card Purchases
WHO: John Occhipinti, Woodside Fund, Redwood Shores, Calif.
WHO HE IS: A former executive at Oracle and Netscape, Occhipinti is a managing director and security specialist, leading investments in BorderWare and Tacit.
WHAT HE WANTS: Fraudproof credit card authorization via cell phones and PDAs.
WHY IT'S SMART: Credit card fraud is more rampant than ever, and consumers aren't the only ones feeling the pain. Last year banks and merchants lost more than $2 billion to fraud. Most of that could be eliminated if they offered two-part authentication with credit and debit purchases -- something akin to using a SecureID code as well as a password to access e-mail. Occhipinti thinks the cell phone, packaged with the right software, presents an ideal solution. Imagine getting a text message on your phone from a merchant, prompting you for a password or code to approve the $100 purchase you just made on your home PC or at the mall. It's an extra step, but one that most consumers would be happy to take to safeguard their privacy. More important, Occhipinti says, big banks would pay dearly to be able to offer the service. "It's a killer app no one's touched yet," Occhipinti says, "but the technology's within reach."
WHAT HE WANTS FROM YOU: A finished prototype application within eight months. "I'm looking for the best technologists in security and wireless, the top 2 percent in their industry," Occhipinti says. The team would need to be working with a handful of banks and merchants ready to start trials, in hopes of licensing the technology or selling the company.

FCers know well how long we've been pushing this idea (Pelle beat me to it by a day, and beats anyone any time you push the button). For the newcomers, here are some scratch notes:

The basic essence of doing anything securely has been known for more than a decade, but the business models in place can best be described as blocking and non- secure, which has led to the current situation with credit cards. We know how to fix this, but it requires a ground-up replacement (a.k.a., ignoring all prior "popular security.")

Tech would be like this: Create the key on the PDA/cell platform, then register it in a human process with a server. Use that key to then authenticate each transaction. This could be done with a simple token, supplied by the merchant, remitted to a gateway that then matches it into the backends of the CC system.

Two alternates: No CC info need be transmitted on the net, and the gateway escrows the details in waiting, OR have the CC packet encrypted and sent. Either works as the key is the foundation on which you can build anything you like.

Phones now have the grunt to do the proper crypto. The problem is not a crypto or tech problem, but a "right crypto and right protocols" problem. It is critical to avoid heavy-weight PKI, or connection oriented technologies, or WAP or like telco gateway server models. None of these will work, for various reasons.

Beyond that the problem is a business one, being flexible and sexy enough at the *gateway* and for that you need both tech-savvy and CC-savvy people. You also
need some handy phone hackers, maybe 2-3 and one and only one young opportunistic crypto guy, as long as your core architect can communicate the ideas well enough. Selling into the banks is hard. Look for banking entre and also, consider the securities market as their transaction profile is much more suited to this market. Further, recall that the basis of the phone is lifestyle, so the rollout should be done p2p thus WoT is used as the basic authentication.

(Names of suitable FCers all available on request!)

Bear in mind that Paypal started out with this model, and dumped it. Things were different then, they didn't have the phones, nor the security imperitive.

Posted by iang at August 30, 2005 12:40 PM | TrackBack

Wrote about this over on my blog. I believe the technical issues have been stored ages ago. Ever now and again a new startup or mobile operator sponsored project starts up. But I don't honestly think that there is much to do at least in the US, without some "couragous" moves by the cc associations with respect to issuing banks.

Posted by: Pelle Braendgaard at August 31, 2005 01:45 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.