
For the last 7 years or so of making payments online I've had an ironclad rule which I have yet to break: only use one-time credit card numbers with a low spending limit which are provided on demand by my bank. It's a service tailored specifically for working around the problem of having your CC details stored indefinitely on poorly secured databases of every two-bit company out there.

And with each major (and minor) data breach I'm more happy I use it.




It is too bad that more and more banks and credit card companies are removing the ability to create one-time credit card numbers because users are not using it. The only one of my credit cards that I have that allows it is my Bank of America Visa card.


I didn't know I could use this until I read this thread.


Discover lets you (last time I used it was a few months ago).


Have you ever investigated in depth how much security one-time credit card numbers give you? I ask because my Paypal account was compromised last month. I cancelled my credit card, but Paypal was still able to refund money to my card even though the number was no longer valid. Also, I had pre-ordered but not paid for an iPod touch. When the touch shipped, my credit card was billed even though the old number had been cancelled, and the new one had not been activated yet.


I have used the one time numbers that my Bank of America card creates and have had to retire a few due to breaches and after they were retired I got a call asking me if I had authorised another charge to that now defunct account number, and I said no, so they didn't let the charge through.

I know for example that credit cards with expiration dates can still be charged for a couple of months after the expiration so that users who have not had the chance to update recurring services have more time to do so. Also, it is entirely possible that Apple had placed a hold on your account for the money and when it finally shipped it went from a hold to actual transaction and that is why it was still allowed through.


I had an Amex that was compromised, cancelled, and beyond its original expiration date, and AMEX continued to charge Netflix charges to the old expired cancelled/compromised number ... flowing the charges through to my new account number. To their credit, they removed all of the charges once I caught it, but just helps to know that a cancelled number isn't always a cancelled number even when you've already reported the number compromised.


It's a cancelled number, but what happens (this happened to me on xbox live) is that they continue to charge it because they've got an active pre-authorisation. So when they're charging you, they're actually charging that pre-authorisation. If a different merchant were to try the card, it would fail.

Microsoft charged me for two years after the card's expiration date until I noticed.


What kind of one-time credit card number was that? Are you sure you are even talking about a one-time number? "old number had been cancelled, and the new one had not been activated"? With one time numbers there is no such concept of old and new numbers.

You create a number, you set a dollar limit and expiration date. If you close it no one can bill it. It's called a http://en.wikipedia.org/wiki/Controlled_payment_number


One-time account numbers and cancelled/changed account numbers protect you from money going out, not money coming in. You can always get refunds.


I assume one-time credit card numbers are only valid for one purchase.


No, not one purchase. But yes one merchant. So even if the number is lost and the dollar limit still allows transactions a 3rd party can not charge it.


The details of a temporary CC number vary a lot by the issuing bank. Some services offer numbers that are truly single use for a single transaction. Some are time limited to 30 days or some such. Some are limited to one merchant (my Discover does this). Some have a dollar limit. There are also combinations of the above.

I gather that issuing banks are converging on limiting to one merchant and are phasing out other options for that. Remember that the banks are acting in their interest, not the consumers'. A merchant lock keeps you safe from a stolen number, and avoids most fraud scenarios; the banks do care about that since they're legally liable (in US law) for fraudulent charges. But this approach allows the single merchant to make recurring charges (which some customers want protection from); the banks of course have a vested interest in keeping a stream of transactions coming.


Why? You have zero liability for fraud -- it's your bank's problem. Just don't use a debit card.


Seems like a lot of effort. I don't really care if my CC details appear in some IRC channel on EFNet, as I'm not liable for fraudulent use... a simple phone call to my card provider and they'll issue a chargeback...



