Bill Me Later -- Really Secure?

[AngelicKnight]

Does anyone have any experience with Bill Me Later? Is it well secured? It's certainly advertised as such and very popular, but consider this:

To use "Bill Me Later," shoppers need only provide their birth date and the last four digits of their Social Security Number -- rather than a full credit card number. (To authorize a purchase, I4 Commerce also needs the purchaser's name and address, which it can glean from transactional data.)

SOURCE

The last four digits would be much easier to phish than a full SSN. That doesn't sound very encouraging to me...

However...

Does Bill Me Later® protect me from unauthorized charges?
Yes, Bill Me Later® provides “zero fraud liability” protection; the same protection provided by most major credit cards. This means you are not responsible for unauthorized charges.

And Bill Me Later® has been designed with other features to help protect against unauthorized use of your account. Your identity is validated with top-of-mind information such as date of birth and last four digits of your Social Security Number. This means there is no account number that can be lost or stolen.

SOURCE

Not sure about this one...

[kurt_der_koenig]

Does Bill Me Later® protect me from unauthorized charges?
Yes, Bill Me Later® provides “zero fraud liability” protection; the same protection provided by most major credit cards. This means you are not responsible for unauthorized charges.

And Bill Me Later® has been designed with

Sounds like they require one to authorize it by email or something when one or someone attempts to buy something. Sounds okay but nothing is real secure when you add the other factors into the spiel. Like how well the code is programed, did the person get 'owned', and so on. Do you know of any sites that currently use this?

[AngelicKnight]

Quite a few from what I've read. TigerDirect uses BillMeLater (where it first caught my attention) and evidently Overstock.com recently added it as a payment option.

[Juridian]

Erm, look at what it asks for. Birthdate and last four of your soc for authentication....do you know how easy that is to get?

You don't even have to phish for it...you can easily steal some mail or get it one of a hundred other ways.

[Phonedog911]

whats phishing?

[AngelicKnight]

Right, which is why I noted that in the first quote. The counter seems to be in the second quote, where they claim that an account holder will not be held accountable for "fraudulent" spending done on their account. But is that still any assurance? Still sounds awfully weak to me.

[Tiger Shark]

Your identity is validated with top-of-mind

And what if the mind that created this was a retard.... The top wouldn't be very far from the bottom really would it?

I don't know the mechanism it uses for billing, (probably emails you and says that "X has just been billed do you authorize the purchase?"), which would allay the issue of getting the DOB and last 4 to some extent. Then the question would be how easy would it be to redirect or intercept the mail. Regardless of that, you still get your CC bill every month and while you might not notice that $10 charge you will notice that gleaming new laptop someone bought.

Then you have two levels of recourse, the CC company and the service itself....

I still say that if you are worried about CC fraud the best way to deal with it but still be able to use them online is to get a card, call the issuer and tell them you want a limit of $200 or whatever you feel is reasonable. That way your potential for loss is mitigated.

[hypronix]

Originally posted here by Tiger Shark
Regardless of that, you still get your CC bill every month and while you might not notice that $10 charge you will notice that gleaming new laptop someone bought.

Unless they're buying the laptop on a payment plan, $30 every month or something

DoB and SIN sound easy enough to phish out from somebody. But then again the best 128-bit encryption you can find [most sites that use CCs online] is useless if you have a keylogger on your box, as a result of an unpatched machine, so...