The Israeli startup PlugWallet has developed a payment system that is made directly against the company's servers, when the seller does not receive the user's information.
The affair of the Saudi hacker who exposed the details of thousands of Israeli credit cards online caused a huge storm accompanied by great fear - could this happen to any of us? Why was it so easy for a hacker to get to the information, how can one defend against such a situation, and also alternatives - how to pay online without a credit card.
Behind the scenes: how online payment works
The world of credit is based on mediation. In the process of purchasing via the Internet, the credit companies act as an intermediary between our virtual wallet, which is the bank account, and the store. During an online purchase, our credit card number goes through several iterations: after typing it on the store's website, it goes to the Gateway, which sends the information to the credit card companies in order to verify the customer's details. After receiving the confirmation, the information makes its way back through the same chain to the store, and the transaction can be executed.
At the time of payment, when we type in our credit card information in the online store, if the store owner is honest enough, he will ensure that the site has security protection (according to the strict PCI standards), and also, it is desirable that he ensure that our credit information is deleted at the end of the purchase, and not saved on his server forever. And the credit companies themselves have the moral duty to ensure that the virtual stores they work with keep the security codes.
Apparently what happened in the Saudi hacker case, is that all these conditions were not met. Although the credit companies are extremely secure, and there is a small chance that someone will be able to break into their server directly and steal the details from there, but if the credit companies do not make sure that the shopping sites also maintain security, then it is very easy for hackers to make the detour, and reach a hole in the wall - the broken security of the shops.
Pay without revealing the credit card
There are many online payment methods. As mentioned, the most common method is through credit cards. Another method, which is also based on credit, is PayPal, according to which the customer types in his credit number once - on the PayPal company's platform. He then receives a virtual card number with which he can make purchases on the sites. In this case the credit card number is hidden behind a secure "mask". The advantage is that you do not have to give the credit information to every virtual store, but there are disadvantages: the method can only be carried out if the customer has a credit card, and secondly, it is relatively expensive, because of the clearing fees paid to all the intermediaries along the way (PayPal, the credit companies and the bank).
Another method is called COD (Cash on Delivery) and it does not require a credit card. In the process, the customer orders a product from a certain website, and pays for it only upon receiving it, through a messenger who acts as an intermediary in the transaction. With this method, the seller in the store has to believe that the customer does intend to pay, then he sends a messenger to deliver the product and return with the money (similar to ordering a pizza - a messenger arrives and takes the cash). The main problem here is geographical, because a certain proximity between the customer and the physical store is needed in order for this to come true. Second, the seller must have some kind of trust in the customer, because he cannot risk sending couriers if he is not sure he will receive his money.
The eBillme method is also cash-based, but there is no need for a courier. Here, the surfer orders a product through the website, and upon signing the transaction, he receives a code. Using the code, he pays at a kiosk or bank, and then receives the product in the mail. The method is widespread mainly in the USA, in stores such as Seven Eleven and Western Union. And it operates widely in India as well.
Prepaid is also a similar method, but here the order of events is reversed - the customer first deposits the cash, and then goes and makes the purchase using a loaded card (in the analogy of the communication world, this is similar to Tuckman). The obvious advantage is that even if the money is broken into and stolen, it is limited to the amount that the customer deposited only, it is not possible to steal beyond that.
The Israeli startup company PlugWallet operates with this method. According to Yuval Ron, Vice President of Technology at Flagwalt, "Since with us the payment is made directly against the company's servers, the seller does not receive the user's information. Everything happens directly in front of Flagwalt's servers."
"Since it is a cash-based card, there is no exposure of a credit card involved here, and it doesn't matter whether or not you have a credit card," explains Ron. "The customer loads his account with the amount he wants at the charging stations (in the store or at the kiosk), and then makes the purchase using the smartphone or computer."
According to Ron, "rather quickly we realized that one of the problems with the existing online payment methods is that they are based on credit cards and involve several intermediaries. In Flagvolt, since the payment is made in cash directly in front of the company's servers, the clearing fees take into account only one intermediary, so this reduces the fees by about 70%-90%."
Why is Flagwalt sitting on a cloud? Isn't it more dangerous?
"On the contrary. Our server sits on the Amazon service platform (AWS), which provides security services. Amazon invests millions of dollars to secure its servers, and has a battery of experts whose job it is to make sure the server is secure. In such a situation, it is not worth it for me, as a company, to own and secure my own server, but it is better to rent the security services in the cloud. I only have the responsibility to secure my application."
Regarding security, Ron adds, "In addition to a username and password number, there is a key that only works from the customer's own device, so even if a hacker breaks in and reveals the username and password, he must also steal the device through which the purchases are made, which of course makes it very difficult for all The idea of a break-in".
Flagwalt, founded in 2008, by Yuval Ron, and his father, Amos Ron (former, CEO of the Ports Authority), mainly targets developing markets, where "there are many more people who have internet than those who have credit cards, in fact 65% of users The network registered around the world are without credit cards," says Yuval. "Most of them are in developing countries, such as India and China. They just walk around there with huge amounts of cash in hand."
18 תגובות
Remittance to someone who does not know the identity of the buyer is only good for products that are computer files. In any other case, the seller must act against a buyer whose details are known, because he is sending physical goods and this needs a physical address.
Regarding anonymity in money transfers, you usually don't need to encrypt details at the level of who-knows-what. I use a prepaid credit card and it provides all the required anonymity. The disadvantage of a card loaded in Israel is that the loading is unilateral, which means that there is no possibility of a refund in case of cancellation of a transaction. But this is not a fundamental defect of prepaid credit cards but a decision of prepaid credit card issuers to make the cards defective. I don't know what the policy is on credit cards loaded abroad, it's possible that there are fewer defects there.
Regarding PayPal. They cater to anonymous clearing but charge a high fee for their service. So it's only a matter of time until someone offers a cheaper competing service (I bet the Chinese already offer a competing service to eBay on Ali-Express).
A welcome move by the company. As a regular online shopper, this article only strengthens my confidence and I wish this would catch a serious wave for more and more secure purchases.
There is another collection technology, simpler, without any means of payment at all. You simply dial a special phone number that is assigned for the purpose of billing, and the collection is made through the caller's phone account. Without revealing payment details or identifying details. It seems to me that paycall is the only Israeli company that has this technology (as of now).
PAY PAL is currently the safest I know. You can make transactions there even without a credit card, there are transfers that are quite beto and the receipt does not circulate on the net (or with a crazy Saudi!).
Yael,
Thank you for the clarification. If they work with the pre-paid method, where is their relative advantage compared to the postal cards? What are they hoping to raise money on?
Just a small comment according to Ron: those who are talented enough to develop computer systems
It is appropriate that he should know the difference (in Hebrew) between equal (=) and worthwhile.
Yael Petar
I did not suggest that he do research, but only said that it would be more correct to present
Readers are also informed of what is happening in the world in systems of this type
In regards to hacking and hackers, really, really briefly..
Otherwise it may be implied from your words that you believe that finally
We have an unhackable system that guarantees us complete protection
in all the financial operations we carry out through it.
I think that, as we did in the 90s, a private line for the Internet and a private line for the phone, now there will be a telephone line with ADSL or HOT, and a private line in Bezeq only for direct payment transactions, at a certain cost we will have a purchase line! It can be secure and safe that only we in front of a dedicated Bezeq server will know the transaction
You can expand a lot on the subject, but simply say that it can be a good solution
What's new is that the guy from this startup wants to raise funds and create hype after the hacking storm of the credit card database theft and thinks science readers are gullible.
I suggest posting this on YNET where you will find laymen and it is easy to manipulate them, especially emotional ones which are especially effective due to the recent events.
Advertising?
What's new here?
You're right, I meant credit card or bank account.
With PayPal you don't need a credit card, you can transfer money directly from the bank account to the PayPal account.
light,
You're right, anything can theoretically be hacked. But if you encrypt it well enough, then it makes it harder to hack.
It's like any door of a house can be broken into, but a door that has a lot of defenses and is sophisticated (like for example a pediment), is more difficult to break into than just a simple wooden door with a simple lock.
Regarding the proposal to do an article about hacking in history - I internalized it, but I'm not sure I'll have time to post about it. You are of course welcome to write yourself a comprehensive article on the subject and send it to the editor-in-chief of Hidan, Avi Blizovsky.
rummy,
As you can see, PayPal is the first method I presented. But it actually works on credit cards. The meaning of the purchase without credit cards is that if there is a customer who does not have a card, or who wishes to purchase in cash, this can be done through the network.
the other me
I wrote "the start-up company Flagwalt operates with this method" - that is, with the pre-paid method.
Yael Petar
To the best of my understanding, any information/data on the Internet is not safe,
And all the protection methods are decoded and hacked at this late stage.
It is fairer to the readers to display next to each article on this topic,
A small part of the history of hacking and hacking, through computer and communication systems
such as bank hacks to the Pentagon, public institutions and businesses,
As we know, they were partly protected by the best defense systems.
The development of a system without credit cards is called PAYPAL and it has been around for years
It is not so clear to me from the article what is the difference between Prepaid that can be bought and loaded at any post office and the PlugWallet solution?