From Bruce Schneier's blog[1]:
"But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the transaction, not the person, is the way to proceed.
"Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone or Internet, where no one verifies the signature or even that you have possession of the card.
"Even worse, no credit card company mandates secure storage requirements for credit cards. They don't demand that cardholders secure their wallets in any particular way. Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction."
The only reason this isn't a big deal is that it remains incredibly easy for attackers to get CC#'s without capturing packets off the wire.
That had me laughing; you really clearly have not dealt with large numbers of $10 to $50 transactions.
Card companies don't care at all about such charges: if you have a valid card number, an expiry in the future and a CVV that matches, the charge will be accepted.
VBV and its sister programs have been designed to combat this and pass most of the responsibility back to the consumer or their bank in a five-way handshake between the consumer, the merchant, the IPSP, the bank and the issuer.
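To make the point in the comment above concrete, here is an added example (not code from this thread, and not any card network's actual authorization logic) that models the card-not-present check as the commenter describes it: a Luhn-valid PAN, an expiry that has not passed, and a CVV that matches the issuer's record. The issuer database and card numbers are constructed test data (4111 1111 1111 1111 and 4242 4242 4242 4242 are well-known Luhn-valid test numbers, not real accounts). Note what is absent: nothing about the cardholder, the billing address, or the amount is examined.

```python
"""Model of the thin card-not-present authorization check described above.

Added, illustrative code; it is not from the thread or from any issuer.
All card data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple
import hmac


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN (digits, optionally space-separated) passes Luhn."""
    compact = pan.replace(" ", "")
    if not compact.isdigit() or len(compact) < 12:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, fold > 9.
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class IssuerRecord:
    """What the issuer holds for the card (constructed test data)."""
    exp_year: int
    exp_month: int
    cvv: str


# Hypothetical issuer records keyed by PAN; constructed for the example.
ISSUER_DB = {
    "4111111111111111": IssuerRecord(2030, 12, "123"),
    "4242424242424242": IssuerRecord(2020, 1, "999"),  # already expired
}


def authorize(pan: str, exp_year: int, exp_month: int, cvv: str,
              amount_cents: int, today: Optional[date] = None) -> Tuple[bool, str]:
    """Approve or decline a charge using only the data printed on the card.

    Returns (approved, reason). `amount_cents` is accepted but never checked,
    which is exactly the commenter's complaint about small charges.
    """
    today = today or date.today()
    compact = pan.replace(" ", "")
    if not luhn_valid(compact):
        return False, "bad_pan"
    rec = ISSUER_DB.get(compact)
    if rec is None:
        return False, "unknown_card"
    if (rec.exp_year, rec.exp_month) != (exp_year, exp_month):
        return False, "expiry_mismatch"
    if (rec.exp_year, rec.exp_month) < (today.year, today.month):
        return False, "expired"
    # Constant-time compare so the check itself does not leak the CVV.
    if not hmac.compare_digest(rec.cvv, cvv):
        return False, "cvv_mismatch"
    return True, "approved"


if __name__ == "__main__":
    frozen = date(2025, 1, 1)
    print(authorize("4111 1111 1111 1111", 2030, 12, "123", 1500, frozen))
    print(authorize("4111 1111 1111 1111", 2030, 12, "000", 1500, frozen))
    print(authorize("4242 4242 4242 4242", 2020, 1, "999", 1500, frozen))
```

Anyone who has copied the front and back of a card (a waiter, a scanner listener, a breached merchant database) has every input `authorize` looks at; that is what "authenticating the transaction, not the person" buys you when the transaction data is itself the secret.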
I seriously doubt that Schneier would consider this information disclosure OK based on this loose interpretation of his blog post.
I googled "waiter stealing credit card numbers" and here's an example from today's news of some folks who got caught:
http://www.wjla.com/news/stories/0510/739156.html
On the other hand if you have a radio scanner and are picking up numbers going over the air from tow truck companies there's no traceable link between you and anything in the database.
Then I stopped using checks.
The CC number is almost never secure.
Find insecurity in competitors service, make loud blog noises, drop payload.
Amex's lack of security is no less interesting if it's discovered by a competitor. It's a pretty serious mistake by an organization you would expect to be more careful and knowledgeable about these things.
It's just an attack on a competitor and a veiled ad.
As for the butthurt, and this comment: http://news.ycombinator.com/reply?id=1379577 I think you're missing the tone of the conversation around you and it makes you stand out in a negative way.
If that wasn't bad enough, look at how services like Mint have to interface with these institutions. When will something like OAuth come into play at banks?
I'd love to charter a bank on the premise of superior online service.
It's the only explanation I can come up with.
(I also had a PayPal debit card canceled for authorized charges. Needless to say, I just buy everything with the Amex. Good customer service, good interest rate, cash back.)
This comment is complimenting American Express.
Really, identity theft is an issue because of the banks and loan companies. They're perfectly willing to roll accounts with very little scrutiny, and I don't understand why there are not class action lawsuits etc. to nail the lender, not the jacked identity. Search on "credit freeze" if you want the real solution.
Name + billing address + last four digits should be enough? Or last eight. Or last four + CVC. Asking for everything that's required for a purchase is beyond dumb. To me, it's like giving out your password while talking to customer representatives; that's also something you don't do.