For 2.5 yrs, from mid ’95 ’til the end of ’97, I worked as director of strategy for the first payment system company on the Internet, called First Virtual Holdings Inc. (FVHI). The payment system was to this date, probably the most secure online solution ever devised (using zero encryption, just cleverness) because it was founded on the principle that a user’s credit card would never be made visible or accessible via the Internet. This principle was a very important one to the founders, 3 Internet luminaries: Einar Steffereud (developed first Internet listserv in 1972), Marshall Rose (co-author of SNMP v.2 and was one of the Area Directors of the IETF), and Nathaniel Borenstein (creator of MIME (Multipart Internet Mail Extension, yes invented the protocol for e-mail attachments) and a very successful business man, Lee Stein, who had managed several high profiles music bands, had been Chairman of the San Diego Stadium Authority and a commercial real-estate developer. Many people poo-poo’d this foundational principle, but it was at the crux of why this system was so secure. To register, one could do so using an online form or by e-mail, but when it came time to provide the credit card details this had to be done by phone through an AVR (automated voice response) system where the user was asked to type in their credit card number, expiration, and their VirtualPIN which was the instrument being bound to the credit card that would be used online.
When a user wanted to buy something from an individual or a service online that accepted VirtualPINs (aka. VPIN), the user would simply provide their VPIN and the process would begin from there. The service accepting the VPIN would then send a transaction to FVHI (by e-mail or another faster but e-mail like protocol) with the user’s VPIN and the service provider’s VPIN, FVHI would then forward an approval notification to the user by e-mail asking them to confirm the transaction with a response of “yes”, “no” or “fraud”. The meaning of the first two choices are obvious, the third, “fraud”, was intended to be a rapid way to suspend a transaction if the VPIN had been stolen. The “no” response really dealt with someone changing their minds on completing a transaction.
The system has some drawbacks to physical goods merchants which were addressed in later iterations of the system, but the key was that security was obtained through obfuscation because transactions between merchants and FVHI, and between FVHI and the VPIN holder, never contained both the VPIN and the VPIN holder’s e-mail address, hence there was a shared secret between FVHI and VPIN holder which created the security. The merchant only needed to send the VPIN, and FVHI only needed to send the VPIN holder a confirmation e-mail. The response to FVHI was one word (“yes”, “no”, “fraud”), the response back fm FVHI to the merchant was a transaction number with an approval or rejection code to complete the transaction. If someone were to steal the VPIN, the confirmation message would arrive to the actual VPIN holder’s e-mail account and they could respond “fraud” to immediately terminate the transaction.
FVHI counted 3 financial institutions as its primary investors, First Data Corporation (the largest processor of credit card transactions), First USA (now part of Chase after the BancOne acquisition, who had previously acquired FUSA), and GE Capital (the largest issuer of private label store cards at the time). We also spent quite a bit of time talking with Visa and MasterCard. A VP from MasterCard joined FVHI as president in early ’97. It’s only in recent history that the credit card companies now enable cardholders to receive e-mail confirmations after any transaction they do (or based on user definable criteria, ie. over $1,000 transactions).
FVHI spent a great deal of time explaining the dangers of putting credit cards online. For one, they’re easily detectable. We demonstrated an application we called “Card Shark” which could make its way on to a machine (this was before spyware or major viruses) like a virus, quietly and undetectable, and watch the keyboard buffer. From this, it could recognize any time a user was typing in a credit card and store this in a message that would be sent with the next e-mail connection without the users knowledge. It would end up in an abandoned newsgroup somewhere expressly set-up to receive credit cards numbers. This demonstration upset a lot of people and FVHI was labeled a fear-monger at the time. The abnking industry paid some attention to this, but still preferred the idea of the fees they would generate from not obstructing the flow of credit card transactions online. Programs started appearing guaranteeing losses. It used to be that cardholders were responsible for up to $50 if there was a fraud committed with their cards. Soon, this limit was removed and now a cardholder would owe nothing if their card was misappropriated (online or otherwise since there was no way to know where the card number had been captured).
Well, FVHI changed its business to being a provider of bulk e-mail services and was acquired by Softbank as part of a roll-up they were doing with e-mail services companies, and renamed the whole, MessageMedia. Since FVHI had already made it to the public markets (Nasdaq), MessageMedia assumed that position and a full-fledged e-mail services company was grown. Much later, DoubleClick acquired MessageMedia, and its payment system patents were sold to eBay whose recent acquisition at the time, Paypal, was fighting a lawsuit brought on by AT&T on some of its payment system patents. I believe the case was settled once eBay got the FVHI patents.
At the time, I remember all of us thinking that there wasn’t much difference between being right and no one listening or believing us (since this people would still put their credit cards out in the clear), and being wrong. EIther way, you don’t get the business. Even with our well thought out explanation saying that if there was a significant breach and a million credit cards were stolen, and a $2 transaction was done on each card, you’d never find out where the fraud came from and wouldn’t know the extent of the damage (most cardholders wouldn’t notice a $2 transaction). This would force the entire credit card industry to reissue every card and would prove disastrous. Even this wasn’t enough.
Well since then, we’ve witnessed several events that are leading us in this very direction. The ChoicePoint case was one not so long ago, and now we find another that begins to approach the more serious type of incident we predicted back then. Perhaps none of these have yet surfaced the apocalypse we once predicted, but it sure looks like, albeit slowly, we will see these predictions come true in my lifetime, and it will be a sad day as all of us will suffer from the arrogance of the credit card industry which could have prevented this in several ways over the past 10 years, but preferred to stand by and let their greed dictate the path.
Payment processor fears credit card crooks
By Joris Evers
Staff Writer, CNET News.com
A major online payment provider said Monday that its processing service had been used in an attempt to charge money to stolen credit and debit cards.