Security Review: One-Time Credit Cards

By devietti at 3:30 pm on November 19, 2008 | 1 Comment

Bank of America (after its acquisition of MBNA in 2005) started offering “One-Time Credit Card” (OTCC) numbers to all of its credit card holders; the trade name of this service is “ShopSafe.” MBNA had offered this service back in the 1990s, and several other banks have followed suit. This security review is of the “ShopSafe” system currently used by Bank of America.

To obtain an OTCC, a cardholder must log in to BofA’s online banking site, where a Flash applet allows them to review existing OTCCs or create a new one. Creating a new one prompts the cardholder to specify a spending limit and an expiration date (with a minimum of 2 months from the present) for the new OTCC. The number is then created, complete with a 3-digit CVV2 code. The cardholder can use this OTCC in any context where a regular credit card number would do: buying things over the internet, via phone, mail-order, etc. Since the OTCC can have a low limit (typically just over the amount of the intended transaction), even if the card number is compromised (e.g. when an online merchant’s database is hacked), the amount of damage is limited. If the attack comes late enough, the OTCC may already have expired and so poses no risk at all. Most importantly, the OTCC cannot be easily linked back to the cardholder’s “real” credit card number, with its higher spending limit and longer expiration date.

Stakeholders
The cardholder is the primary stakeholder; it is her money and credit reputation that stands to suffer from any theft of credit card information. The financial institution offering the credit card (in this study, Bank of America) also has a direct interest in reducing the frequency and magnitude of credit card fraud, as most card issuers will simply take the money lost to credit card fraud as a write-off: the cardholder is typically not responsible for anything if the fraud is reported in a timely manner.

Assets
The cardholder’s “real” credit card number is the primary asset. With its high limit and long expiration date, it is a valuable target. A compromised card is also something of a pain to replace, requiring that the cardholder call the issuer and have a new card shipped by mail. Another asset is the cardholder’s credit rating – damage to this rating due to identity theft can be very expensive and time-consuming to reverse.

Adversaries
There are many criminals who are interested in people’s credit card information, both to perform identity theft and to simply steal money. Credit card numbers can also function as a relatively strong identifier for tracking purposes; a cardholder may be concerned about advertising agencies or unscrupulous retailers gathering too much information about him, because they can link all his purchases together via their common credit card number.

Potential Weaknesses
The BofA OTCC system does not produce a full 16 digits’ worth of entropy with each new OTCC number. The most-significant 4 digits are always the same (as is usually the case across all credit cards issued by a given financial institution); more worryingly, the 5th through 8th most-significant digits are also always the same for each OTCC number (in the author’s few months of experience with the system). Thus, an OTCC has no more than 9 digits of entropy, when it could have 1000x more. Moreover, the 5th–8th digits of an OTCC are different from the corresponding digits of the “real” credit card number. Thus, it should be possible for a thief to distinguish OTCC numbers from real ones – if a thief has multiple credit card numbers from what they believe to be the same person, they can perform this simple check to see whether they hold only OTCCs, and to tell the “real” credit card number apart from the others. A thief can then execute different attacks based on the kind of card number they have: stealing smaller amounts of money more immediately for an OTCC, and saving larger attacks for “real” cards, where they are more likely to work.

Another potential weakness of the system is that, presently, the shortest expiration date that can be set is two months from the current month. This leaves a “window of vulnerability” open that is much longer than need be; if these card numbers are truly used in a one-time fashion, it would be ideal to set an expiration date of a week or so. Even though a credit card’s expiration date is typically expressed only as a month and year, BofA could maintain, internally, a more precise expiration date and thereby decrease the window of vulnerability substantially.

Potential Defenses
The BofA OTCC numbers likely display less entropy than they could in order to make it easier for the bank to do the extra lookup necessary to resolve an OTCC number to its owner’s account. Providing more entropy would require more processing on the bank’s part, which is apparently not considered cost-effective for the extra security it would provide.

Similarly, providing expiration dates at a finer granularity would also increase security by a small amount, but would entail more complexity in BofA’s credit card processing. It is likely for legacy reasons that the system has been implemented the way it has been.
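As an added illustration (not part of the original review, and not Bank of America’s implementation), the toy issuer below models the properties discussed under Potential Weaknesses and Potential Defenses: a number space constrained by the fixed issuer prefix and the Luhn check digit, the lookup table that maps each one-time number back to the real account, a per-number spending limit, and an expiry kept to the second internally. `keyspace()` shows how a longer fixed prefix shrinks the space of possible numbers; all prefixes, account names and timestamps are constructed for the example.

```python
import secrets

def luhn_check_digit(partial):
    """Return the Luhn check digit that completes `partial` (every digit but the last)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):   # rightmost given digit gets doubled
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number):
    return len(number) == 16 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class OtccIssuer:
    """Toy one-time card number service (constructed for this example, not BofA's code)."""

    def __init__(self, fixed_prefix):
        self.fixed_prefix = fixed_prefix   # digits every issued number shares (constructed)
        self.table = {}                    # OTCC number -> record: the extra lookup the review mentions

    def keyspace(self):
        # Digits still free to vary: 16 minus the fixed prefix minus the Luhn check digit.
        return 10 ** (16 - len(self.fixed_prefix) - 1)

    def issue(self, real_account, limit_cents, valid_for_secs, now):
        free = 16 - len(self.fixed_prefix) - 1
        while True:
            body = self.fixed_prefix + "".join(secrets.choice("0123456789") for _ in range(free))
            number = body + luhn_check_digit(body)
            if number not in self.table:   # never hand out a live number twice
                break
        # Expiry is kept to the second internally; the card itself would only show month/year.
        self.table[number] = {"account": real_account, "remaining": limit_cents,
                              "expires": now + valid_for_secs}
        return number

    def authorize(self, number, amount_cents, now):
        """Return (approved, account_or_reason); the limit is debited on approval."""
        if not luhn_valid(number):
            return False, "bad check digit"
        rec = self.table.get(number)
        if rec is None:
            return False, "unknown number"
        if now >= rec["expires"]:
            return False, "expired"
        if amount_cents > rec["remaining"]:
            return False, "over limit"
        rec["remaining"] -= amount_cents
        return True, rec["account"]
```

With a 4-digit fixed prefix the issuer has 10^11 numbers to draw from; fixing digits 5–8 as well leaves 10^7, which is the shrinkage the review is concerned about.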

Risks
The benefits of using OTCCs regularly clearly outweigh these potential weaknesses in the system. Even though a compromised OTCC is subject to some attacks, the fact that it likely has a lower limit (most of which has already been used up by the intended purchase) and a tighter expiration date means that it is much less valuable to any thief. If the thief can discern that he has stolen an OTCC, he may simply not bother trying to exploit it, as the potential gains are not very large; this achieves the security goals just as well as if the thief had never stolen the number in the first place.

Conclusions
The BofA OTCC system seems quite secure. An OTCC offers benefits similar to those of a one-time pad: since card numbers are not reused, or reusable, their value to an attacker is much lower than that of a real credit card number, which is of enduring value. OTCCs also provide “strong unlinkability” between transactions made by the same person (at least as far as third parties go), which protects the privacy of the purchaser. There is little that discourages the use of OTCCs. I only hope that someday we will have a physical analog – a physical credit card that, perhaps because it uses RFID technology rather than a hard-to-modify mag strip, can change numbers after each transaction, or at the end of each day or so. This would make credit card fraud much more difficult, and seems implementable within the next few years.

Filed under: Security Reviews

1 Comment


    Comment by Mike

    November 27, 2008 @ 1:00 pm

    You’ve missed one of the stakeholders – merchants are actually the party at risk in many “card not present” transactions – they don’t get to keep the fraudulent credit card payment. This unfortunately means the credit card issuer has much less to gain from improving security than would otherwise be the case.
