Payments – Secure and Traceable

Current Payment Methods

Wouldn’t it be nice if we had a common payment infrastructure? What we have now with checks and even online banking services is outdated and not secure. Checks were first used in the 17th century here in the US. Here is a list of problems that I’ve seen over the past few years with payment systems. I’m sure this is not a complete list:

  • Handwritten checks can be cashed by anyone who can convince a bank to do that.
  • Handwritten checks can be lost in the mail, so you need to pay postage and extra fees to have tracking numbers to assure they are delivered to the correct person / entity.
  • Online banking services are not much better than handwritten checks. There are three means of delivery of payments by the services that I’ve seen. At least two banks in my area use the same online banking service, so there aren’t choices that I can easily find.
      1 – They take your money from your account, then they write a check on their account and mail that check, apparently with no tracking. There is no transparency, so if the check is lost, you need to deal with it in a cumbersome way by visiting your bank and contacting the payee.
      2 – They take your money, then do a money transfer directly to the payee. You have no visibility that this has been done or that it worked.
      3 – For some payees, your money is taken from your account, then it’s bundled up with many other payments and a bulk money transfer is done. Again, no transparency or accountability is available on the online banking website to assure this worked and when.
  • Credit cards and debit cards sometimes work, depending on the Payee. But there is no security if the card number is passed to a website since if the website is hacked your card may be stolen.
  • Privacy.com is a website that creates virtual cards funded by a Debit card from your bank and provides additional security and accountability. Privacy cards can be created at will, with a limit, and are locked to the merchant the first time they are used. If the merchant is hacked, only that card need be replaced since all other merchants have a different card number. The payments are easily tracked on the Privacy website. But there are transactions that will not work with Privacy. Payments are limited to small amounts – a few hundred dollars – unless you pay for a paid plan. So Privacy can help with small and continuing payments made online, but only if the payee takes credit cards and only if the amounts are relatively small.

Let’s examine this problem in more detail and propose at least part of a modern solution to solve it:

An Example of the Problem

Here’s an example where the above payment services were not ideal:

I just e-filed my taxes. The payment to the IRS was a few thousand dollars and the payment to the state was about $30. The most convenient way, and lowest cost way, to pay the tax bills via the TurboTax application was to provide my Routing / Account number and let the IRS and State deduct the money.

I see a few problems with this:

  • The Routing/Account number apparently can be used by anybody that has them. There is no security at all.
  • I am dependent on the bank to report the transaction.
  • I am not able to limit the amount of the transaction in any way. So for example if the state takes $50 rather than $30, then I have to contact the state tax board to deal with it.
  • Verifying the transaction means checking online banking or my monthly statement to verify that it has happened.

None of the security and traceability of modern internet security is in place for these transactions. At least, the security, if any, is not transparent. I have no idea what’s going on. And the only traceability that I’m provided is looking at online banking or my monthly statement.

Proposal for a Better Payments Method

There may be details I’ve not considered. I’m sure it should be enhanced, but here’s a starting point.

Every bank account comes with a Security Certificate like websites currently use on the internet. This includes a private key, held by the online banking service, and a public key that payers must use to pay bills or transfer money.

All money transfers are Deposits. There are no “Withdrawals” as in the above example of paying taxes. Folks can’t steal money from your account using this system; they can only pay you. And you can only pay some other entity, be it person or company.

When you decide to pay some bill, you get a secure file, similar to a Web Certificate but with some additional information. It contains the following, at least:

  • Name of the entity [person or company] to be paid. Also an account number of their bank account.
  • Domain of that entity [ the bank in the case of a person ].
  • Any additional information required – Name of person paying the bill, transaction id etc.
  • Amount of transaction.
  • Public key of entity to be paid. This is the bank in the case of a person. This comes from a website or app when you set up the transaction. You’re not going to type this in.
  • The whole certificate is digitally signed so it can’t be forged or tampered with. The signature is a number provided with the certificate. One way to do this might be to run a cryptographic function over the data to provide a number, and this number is encrypted with the creator’s private key. Any receiver of this certificate can check the signature using the public key provided in the certificate, and if the signature does not match, the payment certificate has been forged.

This payment certificate is transferred to your online banking system in some way. It might be uploaded or cut/pasted from the website to the online banking system or emailed to your bank. Email does not need to be secure since this certificate cannot be used by anyone else. Of course if you use a Payment App on your phone, then that app transfers the payment certificate to your bank.

While using online banking, you can pull up a list of these payment certificates and do several things:

  • Pay them.
  • Queue them to be paid every month / week etc.
  • Cancel recurring payments for a certificate. This cancellation can also be done by the payee in the case you cancel your account / service with them.
  • Make sure that a payment has been made and exactly when.

To handle recurring payments where the amounts change each time, like a power bill for example, the payee would be given a URL to your bank, and each payment period the payee would send a certificate to the bank with the same format as above. But the bill would only be paid if a matching certificate was present in the online banking service for your account. The certificate you place in your online banking in this case has at least the following: “Recurring, period [week, month, etc]. Amount range or limit, and optionally End date.”
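An added sketch (not part of the original proposal) of the check the payer's bank would run for the signed payment certificate and the recurring-payment match described above. It assumes Ed25519 signatures over a JSON encoding, and that the payee's public key is pinned in the certificate the payer stored at setup rather than read from the incoming bill; all type, field and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// PaymentCert holds the fields the proposal lists (field names are illustrative).
type PaymentCert struct {
	Payee, Account, Domain, Payer, TxID string
	AmountCents                         int64
}

// Mandate is what the payer stores at their own bank for a recurring bill.
type Mandate struct {
	PayeeKey   ed25519.PublicKey // assumption: pinned at setup, not read from the bill
	LimitCents int64
}

// Sign is run by the payee: serialize the certificate and sign those bytes.
func Sign(c PaymentCert, priv ed25519.PrivateKey) []byte {
	body, _ := json.Marshal(c) // cannot fail here; fields marshal in declaration order
	return ed25519.Sign(priv, body)
}

// Authorize is the payer's bank deciding whether a submitted bill may be paid.
func Authorize(c PaymentCert, sig []byte, m Mandate, paid map[string]bool) error {
	body, _ := json.Marshal(c) // re-create the exact bytes the payee signed
	if !ed25519.Verify(m.PayeeKey, body, sig) {
		return fmt.Errorf("signature invalid: forged or altered")
	}
	switch {
	case c.AmountCents <= 0 || c.AmountCents > m.LimitCents:
		return fmt.Errorf("amount %d outside mandate limit %d", c.AmountCents, m.LimitCents)
	case paid[c.TxID]:
		return fmt.Errorf("transaction %q already paid", c.TxID)
	}
	paid[c.TxID] = true // remember the id so the same bill cannot be paid twice
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	// Constructed sample: a $50.00 bill against a mandate limited to $30.00.
	cert := PaymentCert{"State Tax Board", "000123", "tax.example", "A. Payer", "tx-1", 5000}
	fmt.Println(Authorize(cert, Sign(cert, priv), Mandate{pub, 3000}, map[string]bool{}))
}
```

A key carried inside the certificate only shows that the certificate is self-consistent; pinning the key at setup, or chaining it to a certificate authority as web certificates do, is what ties the signature to the real payee.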

The certificate can also be transferred via paper: the payee prints a QR code in a bill mailed to you, and scanning this QR code in the banking app on your phone will place that payment in your online banking list of payments.

With this system the online banking service never takes your money before the bill is actually being paid. There is only one way for the online banking service to pay bills, not three as above. No letters need be sent. The transactions can be done via the internet.

We have heard lots of noise over the past few years about Central Bank Digital Currency. There seems to be lots of disagreement about this effort and I notice that it’s been years without it happening. If we get CBDC, then something like the above proposal must certainly be part of it. The current mess surely won’t work with CBDC.

Summary

This proposal would appear to work alongside credit cards. But I note that about half of the reasons that I use Privacy.com would disappear if the above proposal was in effect.

I have not used Venmo or other payment services. None of the web sites or other services that I pay have indicated that they use these services. It seems clear that these payment services could benefit from a more secure infrastructure for payments since these payment services are intermediaries between the bank accounts of persons or companies.

I’m sure there are issues that I’ve not addressed. But I think this is a place to start to think about making money transactions more secure.

:ww

The art was found on Deviant Art and is used without permission. Here is the artist for the pictures I’ve used.