Rafe Needleman at CNET writes about a startup that is offering a new online payment system. The problem is that users have to enter their checking account AND routing numbers via a keyboard online.
If "noca" believes that enabling consumers to pay directly out of their checking accounts by typing their Checking Account Number (CAN) and bank routing numbers into a browser space with a keyboard they might want to revisit that idea.
Followers of this blog undoubtedly know my stance on typing/entering any account numbers online. Sorry...No Can Do...I'm just not the type.
Anyway...during a demo of a $10 transaction, Rafe needled the CEO about the security of the system (it asked for a mobile phone number, then called it and gave it a PIN) but the CEO, said that if it was a bigger amount, it "may have" incorporated a tougher question. May have? Brilliant!
Now I don't know if the CEO (pictured on right) was sleep walking when he did the interview, but "PJ" Gupka, (who stated he was formerly in charge of VIsa network architecture) said that his system is more secure than Visa's.
I would think that when scheduling a demo in front of CNET, purporting your system "is more secure than Visa's" (especially with security being such a hot topic following the Heartland breach), you may want to choose the amount that actually incorporates those "tougher security measures." At the end of the day though, if you are typing your "CAN" with a keyboard, (and your routing number) it doesn't matter how they encrypt it or what type or how many algorithms they use. The data is fair game UNTIL it's encrypted. It appears that it's not encrypted until it's captured, and my concern is that via a myriad of hacker inspired methodologies, it can be captured by them first. Since the security of a transaction is only as secure as it's "weakest" link, then this doesn't appear to be very secure at all.
End-To-End Encryption (E2EE) is the only way to guarantee a secure transaction. That's why Heartlands CEO is calling for it, (after a potential 100 million card breach) and more importantly, why HomeATM has provided E2EE on ALL it's transactions since January of '07. Now I'm no security expert, I know (maybe) enough to be dangerous (to myself) but I think I'm within my rights to recommend that you don't buy the "type hype." Malware, keylogging, sniffers, bots, etc will tell you that. Heck, Heartland got hacked and they were PCI certified. They got nailed when they "unencrypted" the card data. Nobody "typed" their card, oh excuse me, in this case, their checkiing account numbers online. Sounds like a good idea 5 years ago...not today.
Here's the story...with some of my comments included:
A new way to pay: Noca's credit card alternative
Rafe Needleman - Rafe Needleman writes about start-ups, new technologies, and Web 2.0 products, as editor of CNET's Webware. e-mail Rafe.
When you buy a product online and use either a credit card or Paypal, a significant percentage of your transaction cost--from 2.5 percent to 4 percent when all the fees are considered--goes straight to either the credit card processing company or to PayPal. With so many retailers operating at such slim margins already, this is a material expense. While payment processing will probably never be free, a new company, Noca, is launching today that undercuts payment processing by an order of magnitude: It charges just 0.25 percent for transactions. (Editor's Note: I think they meant .0025% if it's 2.5 basis points)
Noca, CEO PJ Gupta told me, does not enable credit of any sort. Rather, it's a financial interchange platform that lets consumers pay for goods through direct checking account withdrawals.
Gupta told me he was formerly in charge of Visa's network architecture, and that Noca is built in a more efficient way. "There's no reason to use IBM servers today," as the credit card processing companies do. "There are two to three order of magnitude of inefficiencies there." (Editor's Note: He sure likes that "order of magnitude" line, doesn't he? I wonder to which order of magnitude his system blows away the efficiency of Visa and IBM)
He also says that Noca is more secure. Transactions are handled and encrypted by Noca's servers; merchants never see the checking account and bank routing numbers consumers enter (the same is true of PayPal transactions). Editor's Note: The merchants are NOT the one's I'm worried about...it's the "hackers." If a user "types or clicks" his Credit Card, Debit Card, PIN number, Social Security Number, it doesn't matter, online, it can be had ) An additional, adaptive security comes in to play depending on the type and amount of the transaction. (Editor's Note: It doesn't matter, it's fair game when you type instead of swipe.)
In a live demo where Gupta was buying $10 worth of digital goods from early Noca customer Klatcher, the system asked for a mobile phone number, sent a PIN to it, and required the user to enter that PIN on the transaction form. I didn't see how that added any security at all. (the buyer could give out any mobile number), but Gupta told me that if the transaction had been for more money or for physical goods, the verification process "might have" incorporated Yodlee's system of challenging the buyer to produce personal information from financial records, such as selecting an accurate previous address or amount of the buyer's regular mortgage check.
To pay using Noca, get out your checkbook and copy down some numbers. (Editor's Note: Get out my checkbook? Did I go back in time? Copy down some numbers...yes apparently I did)
Gupta believes that the technology he's built to link into the banks, prevent fraud, and do so cheaply is a competitive barrier. But I am surprised that his customer roster at launch is sparse--only three vendors, and probably not one you've heard of. (Editor's Note: ya think?) There are a dozen companies evaluating the system or getting closer to launching with it, Gupta says. There will be major vendors online with Noca, "well before June 30," he promised. (Editor's Note: More proof PJ is sleeping...now he's even dreaming)
One downside: (Editor's Note: That was the punchline) Noca doesn't offer chargeback or dispute arbitration services. That's between merchants and their customers. But it does give consumers far more detailed transaction statements than credit cards or bank accounts. (I don't know how smart that is either)
The author concludes by saying that Noca is a smart company for the current economy. Credit is tight for everyone, including consumers, some of whom are losing or just throwing out their credit cards. Noca makes online purchasing easy and secure even without credit. And its lower fees could help make goods purchased online less expensive, too.
Editor's Note: Smart? I didn't read anything I tought was smart about it. For current economy? Question: Does anyone 14-41 years old even have a checkbook anymore, (NO Checking Accounts) or remember what drawer it's in? "Makes online purchasing easy and secure?" Typing in all those numbers, both your Checking Account Number (CAN) AND your routing number is neither convenient, nor easy and it's definitely NOT secure.
In closing, I guess there's two ways to make my point that noca will never do online, (ndo) 1. 1. Add the "ndo" acronym to the end of their name and it creates a whole new message: Nocando.
Put another way Sorry noca, but:
N
O
Checking
Account
Number
Done
Online
In closing, I woke up in a sarcastic mood this morning (again) and used this story to further demonstrate that it is not safe to type any numbers (credit card, debit card, checking account, social security, etc) into a web browser. If noca feels I went overboard, I would welcome their rebuttal and gladly post it here. If you have any comments, click the title of this post and a comment form will appear at the bottom of the post. Remember...Instead of Typin'...
Noca charges 0.25% for transactions regardless of the size of transaction. For a $10.00 transaction the total charge would be $0.025 that either 2 to 3 pennies.
You may want to look at their website before commenting
Thank you to "The Traveler" who pointed out that I had misinterpreted the amount charged by noca. I have thus edited to post to eliminate references made to Interchange but left the majority of the post intact as it did not preclude my larger issue with noca, which is simply as follows: When you "type in" your "CAN" with a keyboard, (and your routing number) it doesn't matter how it's encrypted it or what algorithms are used. That data (the CAN, the PAN, the PIN) is fair game UNTIL it's encrypted. And since a secure transaction is only as secure as it's "weakest" link, then this approach doesn't appear to be very secure at all. End-To-End Encryption (E2EE) is the only way to guarantee a secure transaction
Thanks for your comment!
"If a user "types or clicks" his Credit Card, Debit Card, PIN number, Social Security Number, it doesn't matter, online, it can be had."
Ok... so it seems like your whole rant is against most forms of online payment, not just Noca. Plenty of people use CCs online. So why then is Noca doomed to fail? It's no less secure than CCs.
But they're WAY late to the game. Entering your CC number into a PC will be soon be a thing of the past. It you type it, they (hackers) can swipe it. 3 processors have been breached in 3 months. That's not a coincidence.
Do you know anything about payment processing to even write a credible article on this topic?