Just completed ‘Crypto’ by Steven Levy. Excellent book, very accessible account of the development of public-key cryptography and all the security stuff we take for granted.
Made me think though, as I filled in my credit card details on yet another e-commerce site: why do I need to hand out my credit card details to every site I want to buy stuff from? The technology for digital cash already exists and is well understood by the crypto community. It is technically feasible for a customer (me) to visit a trusted site (e.g. my credit card provider), request a secure token that represents a sum of money equal to or greater than the amount I want to spend, and hand that over to the merchant. The token is digitally signed to verify its authenticity and value. The transaction can then take place with the merchant needing no credit card information, or even personal details (although a delivery address might be useful). Opportunities for fraud would be limited to (a) the amount the token is good for, and (b) a window of time before the merchant has handed it to the credit card company, at which point it is tagged as ‘used’ and worthless. Used tokens could be posted on a website for all the good they would do fraudsters, so high-profile cases of hackers downloading a database full of credit card numbers would be a thing of the past.
Of course, there is the one extra step of having to obtain the token first, which is a tiny inconvenience, and therefore far less preferable than having your credit card number stolen, which usually involves no effort whatsoever.
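The token flow described above, as an added example that is not part of the original post: the issuer signs a token, the merchant checks it with the issuer's public key alone, and redemption tags the serial as used. It assumes Ed25519 signatures, a 16-byte random serial and a value in cents, none of which the post specifies; `Token`, `Issuer`, `NewIssuer`, `Verify` and `Redeem` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Token is a constructed format: random serial, value in cents, issuer signature.
type Token struct {
	Serial [16]byte
	Cents  uint64
	Sig    []byte
}
// Issuer is the trusted site: it holds the signing key and the list of used serials.
type Issuer struct {
	priv  ed25519.PrivateKey
	spent map[[16]byte]bool
}
func NewIssuer() (*Issuer, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors only if the OS RNG fails
	return &Issuer{priv, map[[16]byte]bool{}}, pub   // pub is published to merchants
}
// payload is the byte string that is signed: fixed-width hex serial, then the value.
func payload(t Token) []byte { return []byte(fmt.Sprintf("%x:%d", t.Serial, t.Cents)) }
// Issue signs a fresh token worth the requested amount.
func (i *Issuer) Issue(cents uint64) Token {
	t := Token{Cents: cents}
	rand.Read(t.Serial[:])
	t.Sig = ed25519.Sign(i.priv, payload(t))
	return t
}
// Verify is the merchant's offline check; it needs no card data, only the public key.
func Verify(pub ed25519.PublicKey, t Token, price uint64) bool {
	return t.Cents >= price && ed25519.Verify(pub, payload(t), t.Sig)
}
// Redeem accepts a validly signed token once, then tags its serial as used.
func (i *Issuer) Redeem(t Token) bool {
	if i.spent[t.Serial] || !Verify(i.priv.Public().(ed25519.PublicKey), t, 0) {
		return false
	}
	i.spent[t.Serial] = true
	return true
}

func main() {
	bank, pub := NewIssuer()
	tok := bank.Issue(5000)
	fmt.Println(Verify(pub, tok, 4999), bank.Redeem(tok), bank.Redeem(tok))
}
```

Until `Redeem` is called, a copied token still passes `Verify`, which is the window of exposure the post describes; afterwards the same bytes are rejected.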