Tangled in the Threads

Jon Udell, October 11, 2000

More e-payment alternatives

PayPal, Orbiscom, AMEX: everyone's looking for the right formula

To many in the US, PayPal looks like a killer app. Norwegians wonder what all the fuss is about.

I don't hang out on eBay, but my wife -- who is an artist and buys a lot of beads, jewelry, and other stuff for her work -- is there a lot. And that's how it came to pass that she became a user of PayPal's innovative e-payment service before I had even heard of it. That, I would say, is a sure sign of a killer Internet app. PayPal is definitely in the "why didn't I think of that?" category. It's also intensely viral. Here's how it works.

At PayPal, you can:

Although this caught on initially in the auction space, indications are it will spread widely. From an article in the Wall Street Journal:

Among PayPal's most common uses is the cybersettling of accounts between family and friends. Andrew Brenner, for example, a 31-year-old tech-industry employee, recently threw a big barbecue party with friends. Afterward, he e-mailed $83 to pay his buddy for his share of the burgers and beer.

PayPal strongly encourages members to become "verified" -- which means that you give the system one of your bank account numbers. You can use that account to wire money into and out of your PayPal account, but it also functions just as a form of authentication -- a way of binding your name and email address to a real-world identity, which is the same function that a digital certificate performs.

I'll admit I'd have to think twice, make it three times, before giving PayPal a bank account number. Of course, they do have a $200 cap on transaction, which makes the system best suited for things like modest eBay purchases and "friends-and-family" reimbursements.

Andrew Ducker: It looks great. As soon as it appears over here in the UK, I'll be using it.

Fred Pacquier: It's US-only at the moment?

Andrew Ducker: Apparently so. Which is a shame, because I have a credit card that works fine in the USA. I don't see why I can't buy dollars with it and then email them to people. But I'd be breaking their terms and conditions to do so. And if they find out that I have done so, they are within their T&C's to keep all my money.

Alexander Staubo: There's a technical reason, too: The PayPal payment system verifies your billing address, and does not accept non-US addresses. In fact, this is a problem I have come across with several e-commerce sites, including massmerchandise.com. First they rejected my billing address. Then, when I tried a different card, the bank rejected it again because -- as an email from their tech support personnel later explained -- my Europe-based email address was considered "high-risk". Looks like the Internet isn't quite borderless after all.

American Express endorses Orbiscom's strategy

The subject of e-payment comes up repeatedly in the newsgroup. Back in March, Franck Arnaud drew our attention to Orbiscom's clever one-time credit-card-number scheme. Briefly, it addresses the problem of secure storage of credit-card numbers on merchant sites. It does so by eliminating the need for such storage. The scheme, described in my Mar 27 column, issues disposable credit card numbers, each good for only one purchase. Recalling that earlier discussion in the context of the PayPal discussion, Gavin Brelstaff noted:

Look like AMEX have been reading joncon too!

http://news.cnet.com/news/0-1007-202-2716407.html

According to the story Gavin cites, American Express is planning its own, Orbiscom-like disposable credit-card-number scheme. The AMEX announcement enabled Orbiscom to crow, in a recent press release:

"This is a market that Orbiscom initiated and has been developing since 1997," commented Graham O’Donnell, Group CEO of Orbiscom. "AMEX’s announcement that it is moving into the Orbiscom space is another tacit recognition that our technology has emerged as the dominant global standard for secure on-line payments."

Orbiscom's idea is, I'll say again, breathtakingly elegant. What good is on-the-wire encryption if merchants can't safely store your credit card number? And the plain fact is, they can't. Break-ins happen every day; the constant stream of CERT advisories shows no sign of slowing; truly secure operating systems remain in the realm of theory. The genius of the Orbiscom scheme is that it relies only on on-the-wire security -- the one problem that is reasonably well solved by current technology. And, it asks for little behavioral change on the part of consumers, and none on the part of merchants. For consumers, there is the irreducible extra step of acquiring a one-time number for use with a purchase. For merchants, the number looks like any other, and they can just pump it through the CyberCash (or equivalent) gateway.

Admittedly, the extra step required of the consumer is going to be a problem. But it's a software-only, Web-based step, and that's a lot less than AMEX's Blue card requires. The Blue card, AMEX's "Internet charge card," is a forward-thinking service. As per recommended security practices, it combines something you have (the card) with something you know (the PIN). To spur adoption, AMEX is giving away the readers. This is great news (depending on what AMEX means when it says the reader was "developed to industry standads") since widespread deployment of readers is in everyone's interest. But, of course, any hardware requirement at all creates huge obstacles.

Randy Switt:

Well, I've actually got one (a Blue card that is), and DID submit my request for a reader, which I got a couple weeks later. At the time they were offering only a serial port version, so that's what I got. Both my serial ports were in use at the time, so I put off actually installing it. Now they are also offering a USB version. Your post got me interested again, and I've since cleaned up my computer and both serial ports are available, so I hooked it up. Blech, not only is there a hardware requirement, it is ONLY compatible with Win95/98/NT of course. So my Win2000Pro station is out of luck for now (it detects it, but won't load the drivers). Don't even think about Macs, much less Linux. These companies MUST get out of this one OS fits all mentality, I don't care if 90% of users have Win95/98, that other 10% is a mighty affluent lot, and among the MOST technically literate, and therefore likely to want to use this stuff. Win2K support is forthcoming, but of course they have no date. Now I just have a bad taste in my mouth from all this.

Christian Riege:

As soon as the device starts to get interesting for some people with a sound technical background, it will get reverse engineered and drivers/applications for it will start to pop up. Just look at what happened to the CueCat device.

I think it's important for corporations to *not* claim intellectual property on these simple (the emphasis here is on simple) devices, and not pull reverse-engineers into court.

Cultural relativity

It's useful to keep in mind that what seems innovative to some of us can look utterly blasé to others.

Alexander Staubo:

PayPal makes a whole lot more sense in the US than many other places! And it seems as though it should not be this way.

In a recent discussion about PayPal on Slashdot, I wrote this:

Coming from Norway, PayPal and assorted services do not make much sense to me. I recently had to explain to a friend why personal checks are more or less obselete in my country.

Within Norway, you can wire money to anybody with a bank account, regardless of which bank I, or they, use. To pay bills, I go online to my bank's Internet service, enter the account number of the person to transfer to, the amount, and the date at which the transaction should execute. Setting up recurring payments is also possible.

Transferring between countries is also quite simple using the SWIFT system.

Now, I can appreciate why PayPal appeals to Americans, if only as a temporary stopgap until all your banks allow people sending money to each other. In the meantime, my American friends keep "writing checks". Sheesh. Welcome to the future, guys :)

The main differences between the system I describe, and PayPal, is that with PayPal you only need the email address of the person whereas I need to email the person to ask for his/her account number, and secondly, your ability to transfer online is dependent on which bank you use.

Most banks also offer wiring by telephone, which means you dial into an automatic IVR system, and enter all the stuff through the keypad. My girlfriend has used this system for years.

Thanks for the reality check, Alexander! It's true, of course, that here in the US we have for many years used the telephone as a banking interface -- though admittedly I transfer money only between accounts that I control at one bank, not between banks or among other accounts. Even so, it disturbs me that there is no encryption required, or even possible, in such transactions. Secure telephony, one of the first applications to inspire Whitfield Diffie, remains just a distant dream as we blithely radio our PIN numbers to our neighbors' scanners.

In light of our ludicrously unprotected telephone banking, it seems silly to worry about a banking transaction that's approved by a click on a password-protected SSL page. But, I do. That level of authentication seems inadequate. Of course, real-world authentication technology isn't so great either. More than once, in a bank, I've flummoxed a clerk by asking: "How do you know that I'm me?"

Apparently, cultural relativism applies here as well. Alexander reports that his Norwegian bank uses a SecurID-like scheme to assure the authenticity of SSL sessions:

My own bank puts a lot of emphasis on security. SSL, of course. When you acquire the account, they give you a little device that produces password keys. Whenever I transfer money, I have to enter a key to start a transfer, and once again to execute the transfer. They don't keep login state, so if I then want to check my account balance, I have to enter the key again. The device itself is protected by a PIN code.

Like the AMEX Blue card in principle, but differently in practice, a SecurID authenticator combines something you have (a code, generated just for you every 60 seconds, and also generated independently at the server), and something you know (a password). It's a hardware device, which is always a drawback, but at least it's a standalone hardware device, unburdened by serial/USB port conflicts and device driver problems.

I've got all sorts of beefs with my local bank. Maybe I should look into opening an acccount in Norway! Meanwhile, cultural relativity notwithstanding, PayPal is just plain nifty. We increasingly do business in the context of email, and payment-enabling that medium is a great idea.


Jon Udell (http://udell.roninhouse.com/) was BYTE Magazine's executive editor for new media, the architect of the original www.byte.com, and author of BYTE's Web Project column. He's now an independent Web/Internet consultant, and is the author of Practical Internet Groupware, from O'Reilly and Associates. His recent BYTE.com columns are archived at http://www.byte.com/index/threads

Creative Commons License
This work is licensed under a Creative Commons License.