Amazon lets shoppers pay with a phrase
Posted on 29 Oct 2009 at 16:31
Amazon has launched a new online payment service that lets users pay for goods on the internet simply by entering a phrase and a PIN.
Dubbed PayPhrase, the service lets you link a two-word phrase and a four-digit PIN to the credit card and shipping details already stored on your Amazon account. Users can create their own phrase or use the one suggested by Amazon.
Each PayPhrase is unique, and can vary in length from just four to 100 characters.
PayPhrases can be used to buy goods on Amazon and a rather thin selection of other US retailers. The system is not yet available in the UK.
The system will naturally raise security concerns, especially as Amazon is encouraging parents to supply their children with PayPhrases and PINs, which are given a set spending allowance each month.
Amazon is also encouraging customers to create different PayPhrases for different shipping addresses, further increasing the temptation to write those phrases and PINs down somewhere.
Security experts believe there are other dangers to the system. "There's a concern that people usually use very dumb phrases [for passwords], often dictionary words that people can guess," says Graham Cluley, senior technology consultant at Sophos.
He's also worried that people will use the same PIN for their PayPhrase as they do on their bank cards, making them a prime target for phishing attacks. "Numbers are even harder to remember than words," he cautions.
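To put Cluley's two concerns in concrete terms, the following is an added example (not code from the article, Amazon or Sophos) that scores a PayPhrase and PIN the way a guessing attacker would see them: a phrase made only of common dictionary words costs roughly dictionary-size^words guesses, and a PIN on the well-known "try these first" list costs almost nothing. The word list, the common-PIN list, the assumed 10,000-word attacker dictionary and the PINs used in the demo are all constructed for illustration; only "Good to Go" and the 4-100 character bounds come from the page.

```python
"""Added example: estimate how hard a PayPhrase + PIN pair is to guess.

Models the attacker Cluley describes: someone who knows the PIN is four
digits and expects the phrase to be made of everyday dictionary words.
Lists and sizes below are constructed assumptions, not Amazon's rules.
"""
import math
import re

# Constructed sample of everyday words; a real attacker would use a list of
# tens of thousands, which is what ASSUMED_DICTIONARY_SIZE stands in for.
COMMON_WORDS = {
    "good", "to", "go", "happy", "shopping", "family", "home", "cat", "dog",
    "money", "books", "music", "love", "summer", "winter", "blue", "red",
}
ASSUMED_DICTIONARY_SIZE = 10_000  # assumption: size of the attacker's list

# Constructed sample of PINs that top leaked-PIN lists: repeated digits,
# sequences and obvious years.
COMMON_PINS = {"0000", "1111", "1234", "2222", "1212", "4321", "2009"}


def phrase_words(phrase: str) -> list[str]:
    """Lowercase words of a phrase; punctuation and digits are ignored."""
    return re.findall(r"[a-z]+", phrase.lower())


def phrase_guess_bits(phrase: str) -> float:
    """Bits of guessing work for the phrase alone.

    Each common word is worth log2(dictionary size): the attacker just picks
    it from the list. An uncommon word is charged per letter (log2(26)),
    which overstates its real cost but is enough to rank candidates.
    """
    bits = 0.0
    for word in phrase_words(phrase):
        if word in COMMON_WORDS:
            bits += math.log2(ASSUMED_DICTIONARY_SIZE)
        else:
            bits += len(word) * math.log2(26)
    return bits


def pin_guess_bits(pin: str) -> float:
    """About 13.3 bits for a random 4-digit PIN; a few bits if it is on the
    list the attacker tries first."""
    if pin in COMMON_PINS:
        return math.log2(len(COMMON_PINS))
    return math.log2(10_000)


def assess(phrase: str, pin: str) -> dict:
    """Combined guess-space estimate plus the checks a signup form could
    run: the 4-100 character bounds, all-dictionary phrases, common PINs."""
    problems = []
    if not 4 <= len(phrase) <= 100:
        problems.append("phrase must be 4-100 characters")
    if not re.fullmatch(r"\d{4}", pin):
        problems.append("PIN must be exactly 4 digits")
    words = phrase_words(phrase)
    if words and all(w in COMMON_WORDS for w in words):
        problems.append("phrase is only common dictionary words")
    if pin in COMMON_PINS:
        problems.append("PIN is on the common-PIN list")
    bits = phrase_guess_bits(phrase) + pin_guess_bits(pin)
    return {"bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    # "Good to Go" is the phrase quoted in the article; the PINs are made up.
    for phrase, pin in [("Good to Go", "1234"), ("Good to Go", "8371"),
                        ("vermilion kayak staple", "8371")]:
        print(phrase, pin, assess(phrase, pin))
```

The estimate assumes the attacker can submit guesses freely; whatever lockout or rate limiting Amazon applies server-side would change the picture, but the page does not describe any. The point the numbers make is the one Cluley does: three everyday words and a birthday-style PIN together sit around 40 bits, and swapping in a random PIN adds only about 10 more, so the phrase is where the strength has to come from.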
Amazon insists the system will make online shopping easier. "PayPhrase solves the headache of trying to keep track of all the different usernames and passwords people use to shop on various sites across the web," says Amazon's PayPhrase general manager Matt Williams, who bizarrely reveals that his own PayPhrase is "Good to Go" in the Amazon press release.
"With PayPhrase all you need is one phrase and one PIN to pay online," he adds.
Now all you've got to do is guess his PIN then...
Author: Barry Collins
I like the idea
With up to 100 characters this has the potential to be a secure system. If the password was entered via a touch-screen PC, not even a key-logger virus could capture it.
By Tibbs on 30 Oct 2009 
@Tibbs,
Unfortunately, I don't think using a touch-screen PC would help prevent a key-logger from detecting the phrase, as the user would probably be using the standard Windows 'onscreen keyboard'.
I have not looked into it, but I suspect that a good keylogger would detect the events triggered by the onscreen keyboard and log them. Failing that, it will just breed a whole load of new keyloggers.
e.g. popping up an identical-looking onscreen keyboard which sits over the default Windows one. When the user pushes a key, the key is logged, and then the SendKeys API is used to transfer the key to the legitimate text box.
Unfortunately, until we move to one-time keys for such things (like the PayPal dongles and RSA SecurID things), I don't think anything like this will help protect against malware.
By GlasgowGuy on 30 Oct 2009 
Printed from www.pcpro.co.uk