
Have you ever investigated in depth how much security one-time credit card numbers give you? I ask because my PayPal account was compromised last month. I cancelled my credit card, but PayPal was still able to refund money to my card even though the number was no longer valid. Also, I had pre-ordered but not paid for an iPod touch. When the touch shipped, my credit card was billed even though the old number had been cancelled, and the new one had not been activated yet.



I have used the one-time numbers that my Bank of America card creates and have had to retire a few due to breaches, and after they were retired I got a call asking me if I had authorised another charge to that now-defunct account number, and I said no, so they didn't let the charge through.

I know for example that credit cards with expiration dates can still be charged for a couple of months after the expiration so that users who have not had the chance to update recurring services have more time to do so. Also, it is entirely possible that Apple had placed a hold on your account for the money and when it finally shipped it went from a hold to actual transaction and that is why it was still allowed through.


I had an Amex that was compromised, cancelled, and beyond its original expiration date, and AMEX continued to charge Netflix charges to the old expired cancelled/compromised number ... flowing the charges through to my new account number. To their credit, they removed all of the charges once I caught it, but it just helps to know that a cancelled number isn't always a cancelled number even when you've already reported the number compromised.


It's a cancelled number, but what happens (this happened to me on Xbox Live) is that they continue to charge it because they've got an active pre-authorisation. So when they're charging you, they're actually charging that pre-authorisation. If a different merchant were to try the card, it would fail.

Microsoft charged me for two years after the card's expiration date until I noticed.


What kind of one-time credit card number was that? Are you sure you are even talking about a one-time number? "old number had been cancelled, and the new one had not been activated"? With one-time numbers there is no such concept of old and new numbers.

You create a number, you set a dollar limit and expiration date. If you close it no one can bill it. It's called a http://en.wikipedia.org/wiki/Controlled_payment_number


One-time account numbers and cancelled/changed account numbers protect you from money going out, not money coming in. You can always get refunds.


I assume one-time credit card numbers are only valid for one purchase.


No, not one purchase. But yes, one merchant. So even if the number is lost and the dollar limit still allows transactions, a 3rd party cannot charge it.


The details of a temporary CC number vary a lot by the issuing bank. Some services offer numbers that are truly single use for a single transaction. Some are time limited to 30 days or some such. Some are limited to one merchant (my Discover does this). Some have a dollar limit. There are also combinations of the above.

I gather that issuing banks are converging on limiting to one merchant and are phasing out other options for that. Remember that the banks are acting in their interest, not the consumers'. A merchant lock keeps you safe from a stolen number, and avoids most fraud scenarios; the banks do care about that since they're legally liable (in US law) for fraudulent charges. But this approach allows the single merchant to make recurring charges (which some customers want protection from); the banks of course have a vested interest in keeping a stream of transactions coming.



