It is no secret that I am a major fan of Blur, the privacy service that allows you to mask your email address and phone number. One of my favorite features of Blur is credit card masking – the ability to create one-time-use credit card numbers that are billed to your real credit card. A new service has come along that allows you to create one-time use credit card numbers. The service is a little bit different than Blur, and has some advantages and disadvantages. It is called Privacy.com.
Unlike Blur, Privacy.com does not mask your credit card. Instead it masks your bank account information. When you spend money with a Privacy.com card, money is drafted from your bank account to cover the cost. The scary part: when you set up a funding source with Privacy, you must provide the name of your bank, and your username and password. I view this as a slight escalation over Blur’s model. With Blur I only provide my credit card number. If it is stolen or misused, I can report fraudulent charges. Some trust in the system is necessary, however, and I chose to trust Privacy.com.
With that out of the way, what are the benefits of Privacy.com? First of all, it is free. This means it is free to join, and it is free to create a new card. It also means there are no charges for keeping cards open. This is an excellent option for services that have recurring fees that you need to leave open for months. How do they monetize? This is addressed in their FAQ, but monetization is done through credit cards fees that are charged to the merchants. the FAQ also says that some premium (paid) features are planned but the core service will always remain free.
Unfortunately, at present new accounts require an invite. To request one navigate to https://privacy.com/ and click the “request an invite” button. You will be required to enter an email address. I have no information about wait times.
I like the settings for this service. They are extremely simple and intuitive. Though there aren’t very many of them, they seem to have the bases covered.
Add New Funding Source: To do this you are required to submit your online banking username and password. Though there is only a username and password field, bank accounts protected with two-factor authencation should still work, depending on the second factor. My bank uses a software token, and I had no issue. The staff at Privacy.com informed me that if your bank doesn’t work, you can disable two-factor temporarily (a matter of minutes), allow the service to connect, and then re-enable it.
Login Details: There are two settings here, username and password. Both are easily changed. I really appreciate that the username can be changed because it allows you to use the username as a security measure. There are also no assinine password restrictions; I have used passwords in excess of 100 characters with no problems.
Two-Factor Authentication: Two-factor authentiction is a simple toggle slider. There is only one option: the software-based token through an app like Google Authenticator or Authy. I like this implementation a lot: it doesn’t allow users to use the less-secure SMS method. It doesn’t even use SMS as a backup (TFA is only as strong as the backup). Toggle the slider “on” and a QR code will be displayed. Scan it with your app, which will accept it immediately. Enter a code to verify it was scanned properly. Your account is now protected with two-factor authentication.
Private Payments: Toggling this slider on allows you to hide your purchases from your bank. Instead, you can click the drop-down and choose to display payments from any of the following: Privacy.com, H&H Hardware, or Smiley’s Corner Store.
Notifications: This setting can be turend off entirely (I don’t recommend it), or you can choose to receive notifications in the event of transactions and declines, or declined transactions only. I choose to receive notifications for all transactions.
There are numerous features and functions that make these cards way more secure than your standard bank card. Most of these features closely control when and where, and in what amount, the card numbers can be used. Because of services like these, I am starting the view conventional credit/debit card similar to how I view using a single email account: antiquated and risky.
Single Merchant Cards: These are cards that lock onto the first merchant with which they are used. This is awesome – you can set up a new card for each of your bills. If your electric company spills all its credit card data, well, you aren’t super worried about it because your card number can ONLY be used by the electric company. Single Merchant cards are the default card-creation mode for Privacy.com.
Set Charge Limit: You can set a charge limit on the each card, limiting the merchant to a set amount. If you are purchasing something from a sketchy online store, this will ensure that you can’t be charged for more than the amount of your purchase. Even if your card number is stolen, you’re covered.
Make this a Burner Card: A burner card will close after two minutes of the first charge being made. This ensures that it cannot be used to make additional charges. This is a good option for services that have automatically recurring charges (but for which you only wish to do a one-time subscription). This is also nice if you’re worried about your credit card number being stolen in transit. Unless the man-in-the-middle can use it within two minutes it is worthless to him or her.
Once cards are opened and have been used, they can be turned off. You can do this by pausing or closing the card. Pausing the card gives you the option to re-enable it again in the future. Let’s say you want to use a card for Amazon purchases. You only use Amazon occasionally, so you don’t want the card to be active when you are not making a purchase. You can pause the card and know that you cannot be charged for that Prime subscription you don’t really want. Closing a card is undoable.
Privacy.com Apps and Add-Ons
Privacy.com also has an iOS application and an add-ons for Chrome and Firefox. I confess that I have used neither the mobile app nor the browser add-ons. Both allow you to automate the creation of new cards on website purchase pages. Without either of these you can still login via the web interface and create new cards manually. That is my preferred technique as it allows me a feeling of more control, and I don’t make that many online purchases to begin with. I definitely see the utility, and the draw for users who are only casually security-conscious, and I may review these more fully in the near future.
The Bottom Line: I am really enjoying this service. The card creation is painless, I am secure in the knowledge that each card can only be used where they should be used, and it is free. If you haven’t signed up for an invite yet, head on over to https://privacy.com and request one today!
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.