We millennials do a lot of shopping online. In fact, we account for about 35% of all online shopping. We also make about half of our purchases online. With so much of our shopping done online, the security of our data is a huge concern. We want to know that our credit card information is secure and is only going to the intended merchant, who will protect that information.
Cybersecurity is a major concern, and multiple companies, including eBay, JP Morgan, Home Depot, Target, and Citibank, have had data breaches in which credit card information was also stolen. According to the IBM Security 2016 report, each of these data breaches has cost the companies around $4 million. And that’s nothing compared to the personal impact that these breaches have had on the customers whose information was stolen.
As an online shopper, this makes me very nervous about using my credit card. But, I also love the convenience of using my credit card online. I have multiple recurring payments set up on each card. Most of my bills are paid online. The majority of my non-essential shopping is done online. And I wouldn’t be able to do all of that without my credit card, right?
Privacy is a new payment service that lets you do all the shopping you want, without ever entering your credit card info. But how does that even work? You hook Privacy up to your bank account. Then, whenever you want to buy something, Privacy generates a ‘Virtual Visa.’ All the information for the card is randomly generated, so the number is not tied to your information. If a hacker were to get their hands on the ‘card number’ used for the transaction it would be useless.
Privacy offers two types of cards: regular and burner. The regular card is for trusted merchants. You connect this card to your bank account, and you can set spending limits (per transaction, per month, or even just amount limits), either to make it more secure or just to make sure you don’t spend too much. The card’s randomly generated number is specific to that merchant, so if someone got their hands on it and tried to use it somewhere else, the card number wouldn’t work.
The burner card randomly generates a single use ‘Virtual Visa.’ Once the transaction is processed the card number is destroyed, so it can’t be used again. This is a better option if you’re making a transaction from a place you’re iffy about, because the merchant will not have access to your credit card info.
Privacy plans to roll out a bunch of new features, and its upcoming revamped mobile app will soon be available to all users.
1. They’re PCI DSS Compliant. This means they’re following the standard set of information security policies and procedures for card payments.
2. Passwords are hashed using PBKDF2 (Password-Based Key Derivation Function) with 100k iterations and salted to make rainbow table attacks more difficult.
3. Merchants do not have access to your bank account or credit card information. If the merchants were hacked, the data breaches wouldn’t directly affect you because the entered card numbers will either be randomly generated and destroyed after use or be tied to a specific merchant; in both scenarios, you’re not going to be getting notifications of random purchases by hackers, due to the data breach.
4. Privacy also has proprietary software that detects potential breaches to companies where your card was used. They have a notification system that will ping you if they believe a company you used your card at has experienced a breach. This is much safer than using your credit card online.
Don’t get what those security terms mean? Here’s a quick security 101
If you don’t get these technical terms, that’s alright, we got your back.
A cryptographic hash function is a kind of algorithm that can be run on a piece of data, like an individual file or a password, producing a value called a checksum (Fisher 2015). It’s used to verify the authenticity of a piece of data. In the context of passwords, the password entered by the user needs to be identical to the password stored in the database; if these are the same, the checksums generated from both (using the hash function) will also be identical.
PBKDF2 is a password hashing algorithm. It runs your password through a one-way hash many times over and mixes in a unique value called a “salt.”
A salt (not the one you use in the kitchen) is a randomly-generated string added to the password, to make it safer.
A brute force attack is when a hacker tries to guess your password by entering multiple combinations; one of them has got to be your password, right? How many of you use your birth year, part or full name, or a specific place or person’s name in your password? If your answer is yes, it might be time to change it. We could go on and on about secure passwords, but that’s a conversation for another time.
A rainbow table attack is when a hacker uses a precomputed list of possible plaintext passwords and their hashed values, specific to a given hash algorithm, in an attempt to crack passwords in a database.
So why did Privacy opt for PBKDF2 instead of SHA, another strong hashing algorithm? We were curious, and so we reached out to them.
According to Privacy’s CTO Jason Kruse:
“It’s fairly common knowledge that passwords should be stored using a one-way (hash) function. SHA is a fine hashing function but is primarily meant to be fast, which, in general, is a good thing. However, for passwords you want the hashing function to be computationally expensive to thwart any potential of brute force password cracking attempts. We chose PBKDF2 because it’s designed specifically for passwords (i.e. it’s an intentionally slow algorithm) that allows us to make our password hashing function arbitrarily complex by using PBKDF2 with a high number of iterations.”
In short, PBKDF2 intentionally slows down possible attacks by decreasing the number of guesses a hacker can make per second. So PBKDF2 wins this round. *Rings bells*
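To make the salt and the slowdown concrete, here is an added example (ours, not Privacy’s code) of salted PBKDF2 password storage and checking with Python’s standard library, using the 100k iterations mentioned above. The HMAC-SHA256 choice, the 16-byte salt and the record layout are assumptions; the page does not say what Privacy uses.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # iteration count quoted on this page
SALT_BYTES = 16       # assumed salt length; the page does not state one
DIGEST = "sha256"     # assumed underlying hash; the page does not state one


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex', stored in place of the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Re-derive with the stored salt and count, then compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


def cost_ratio(samples=2000):
    """How many times slower one PBKDF2 guess is than one plain SHA-256 guess."""
    data, salt = b"constructed-sample-guess", os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(salt + data).digest()
    fast = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(DIGEST, data, salt, ITERATIONS)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    first, second = hash_password(pw), hash_password(pw)
    print("same password, two salts, records differ:", first != second)
    print("right password verifies:", verify_password(pw, first))
    print("wrong password verifies:", verify_password("letmein", first))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x one SHA-256")
```

Because every record carries its own random salt, two users with the same password get different stored values, so a table computed once cannot be reused across accounts.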
What did we not like?
You can’t currently hook the ‘Virtual Visas’ up to your debit or credit card. You can’t even use the routing number and account number for your bank. It’s all done through banking login credentials. If that makes you nervous, then wait until the service integrates with credit or debit cards. Currently, Privacy only works with a limited number of banks. They’ve got all the major ones covered, but if you use a smaller, local bank, then you might not be able to use the service yet.
Some have raised concerns about the validation of Privacy’s cards on the merchant’s end. When you enter the card information for Privacy’s cards, you don’t have to use your real name or your real billing address since Privacy has access to your banking login. However, there is concern that sending bogus information through to the merchant will cause them to flag the transaction and reject it without delivering the merchandise. This can be avoided by simply using your real information on Privacy’s cards.
Privacy is currently available only in the US. This is great for our US-based audience, but because our Tempest fam is global and reaches over 90 countries, we would love to see Privacy being offered globally as well.
Overall, Privacy provides a convenient and viable alternative to using your debit or credit card online; it’s a sound service from a security aspect. If you’re looking for a new, safe way to shop online, we definitely recommend checking them out.