Amazon Launches PayPhrase — Will It Be Easy To Game?
by Mike Butcher on October 29, 2009

Amazon is launching “PayPhrase”, a simple way to verify your account to speed up purchasing – a great move ahead of the holiday season, when even more people than ever will be shopping online.

It’s simple stuff. You set up a unique phrase like “Axe Murderer” or “Car Lover” or “Honey I shrunk the kids” and tie it to a 4-digit PIN. This is linked to your Amazon account which, of course, is pre-loaded with your credit card and shipping address.

I do have to wonder what was so hard about entering an email address and password, but clearly Amazon’s psychological research unit thought “Fluffy Bunnies”, or some such, was going to be easier for the average Jane or Joe to remember.

It’s also positioned as a parent/teen solution competing (kind of) with PayPal Student Accounts, because, like the latter, you could give your student son or daughter a PayPhrase that draws on your account but does not give them access to your account controls. PayPhrase lets parents track spending and set account permissions/alerts/etc.

Other participating websites that already accept payment via Amazon’s Checkout service, including DKNY.com, Jockey.com, and Buy.com, will also be implementing PayPhrase. Of course, earlier this month, eBay came up with its Bill Me Later deferred payment option for both eBay and PayPal, which will be carried by Toys R Us, Zappos.com, Petco and Wal-Mart among others.

However, how many people are going to skip the cutesy phrase and default instead to something like “Dad’s Birthday”? All you then need do is type in a plausible month and day like “0820” for the PIN and… voila! And how many people will just use “1234” for their PIN? Plenty.

What do you think? Leave your thoughts in the comments.
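The weakness described above is a policy question for whoever runs the enrollment form: if a 4-digit PIN is allowed to be a date or a sequence, the effective search space is far smaller than 10,000. The following is an added example, not Amazon’s code and not taken from this post, of a PIN-enrollment check that flags date-like (MMDD or DDMM), year-like, sequential, repeated-digit and commonly chosen PINs, and that counts how much of the 10,000-PIN space each rule covers. The year range and the short list of common PINs are assumptions chosen for illustration.

```python
"""Added example (not Amazon's code): a PIN-enrollment policy check for a
4-digit PIN such as the one PayPhrase pairs with a phrase.

The post's worry is that people pick a date ("Dad's Birthday" -> 0820) or a
sequence like 1234. These helpers reject such PINs at enrollment and measure
how much of the 10,000-PIN space each rule covers. The common-PIN list and the
plausible-year range are assumptions for illustration, not a published policy.
"""
import re
from calendar import monthrange
from collections import Counter

PIN_RE = re.compile(r"^\d{4}$")

# Assumed short list of frequently chosen PINs (illustrative, not a dataset).
COMMON_PINS = {"1234", "0000", "1111", "2222", "4321", "1212", "6969", "2580"}


def is_valid_mmdd(pin: str) -> bool:
    """True if the PIN reads as a real month/day (MMDD), e.g. 0820."""
    mm, dd = int(pin[:2]), int(pin[2:])
    if not 1 <= mm <= 12:
        return False
    # Use a leap year so 0229 counts as a plausible birthday.
    return 1 <= dd <= monthrange(2000, mm)[1]


def is_valid_ddmm(pin: str) -> bool:
    """True if the PIN reads as a real day/month (DDMM), e.g. 2008."""
    return is_valid_mmdd(pin[2:] + pin[:2])


def is_plausible_year(pin: str, lo: int = 1920, hi: int = 2009) -> bool:
    """True if the PIN is a birth year someone shopping in 2009 might use (assumed range)."""
    return lo <= int(pin) <= hi


def is_sequence(pin: str) -> bool:
    """True for runs such as 1234, 4321 or 9876 (ascending or descending by one)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pin: str) -> bool:
    """True when the PIN uses only one or two distinct digits (0000, 1212)."""
    return len(set(pin)) <= 2


def pin_weaknesses(pin: str) -> list[str]:
    """Return the policy rules a PIN violates; an empty list means acceptable."""
    if not PIN_RE.match(pin):
        return ["not-four-digits"]
    problems = []
    if pin in COMMON_PINS:
        problems.append("common")
    if is_sequence(pin):
        problems.append("sequence")
    if is_repeated(pin):
        problems.append("repeated")
    if is_valid_mmdd(pin) or is_valid_ddmm(pin):
        problems.append("date-like")
    if is_plausible_year(pin):
        problems.append("year-like")
    return problems


def guessable_share() -> dict[str, float]:
    """Fraction of the 10,000 possible PINs caught by each rule, and by any rule."""
    counts = Counter()
    for n in range(10_000):
        pin = f"{n:04d}"
        flags = pin_weaknesses(pin)
        for f in flags:
            counts[f] += 1
        if flags:
            counts["any"] += 1
    return {k: v / 10_000 for k, v in counts.items()}


if __name__ == "__main__":
    for candidate in ("0820", "1234", "7395"):
        print(candidate, pin_weaknesses(candidate) or "ok")
    for rule, share in sorted(guessable_share().items()):
        print(f"{rule:16s} {share:.2%}")
```

The point the numbers make is that the date-shaped slice is only 588 PINs (366 valid MMDD plus 366 valid DDMM, minus the 144 that read both ways), so an attacker who assumes “someone’s birthday” has cut the work by a factor of about seventeen; rejecting those PINs at enrollment, together with a lockout after a few wrong attempts, is the cheap mitigation.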


Comments

  • um… so I could give out my payphrase in public, right? sweet!

  • And no two PayPhrases can be the same. I think I am going to avoid this for a while to see how it shakes out.

  • I’m not sure, but it reads like you may have misunderstood this.
    I understand it as being a phrase attached to a particular set of addresses/credit card numbers in your account, not a replacement for login.

  • How will they stop imposters from having a very similar box in their website and tricking people into coughing out their information?

    Will it even matter? If the customer cannot update shipping information, then all the imposter can do is look at the shipping address and stuff, right?

  • I don’t know, but from your description it seems like a really huge security hole. I mean, yes, in theory it’s secure, but setting the default values is just waaay too easy (not the case with email and longer-than-4-digits password).

  • yawn…i can see people forgetting their “pay phrases”

  • A Norwegian site has already cracked all these pins, none are safe now. http://www.dins...kket-paa-nettet

  • Just more ids and pin numbers to remember.

  • As a parent, as well as a business owner, this sounds like it could really simplify the purchasing process.

    Now, if they could expand it to pizza delivery, the world would be a happier place.

  • What I understand is that it makes shopping in stores other than Amazon easier and more secure. Don’t see much advantage within Amazon since it just replaces a login with the payphrase, and more, 1-click ordering still seems much easier than the payphrase.

  • It’s a security measure. As others above note, knowledge of the passphrase will only enable someone to buy things on your behalf and send them to YOUR address. Therefore there is no incentive to phish it.

    Asking for login and password associated with a credit card in web pages of random (since the program is self-service) unauthorized sites is seizure-inducing to any company. That’s why all OpenID/Facebook Connect providers host the login boxes in the same URL.

    This is the solution to the above problem.

  • nice move for me. the one page checkout looks easy to understand. …let’s wait 3 months and see what happens :)

  • Hi – I can not find the URL, recently there was a study out of Carnegie-Mellon. Phrases make a much better password than, say, harder-to-parse (and remember) strings like ab#c12@&1

    Think of the phrase as a replacement for passwords, but not calling it a password.

  • I found this “feature” on my Amazon acct today and immediately emailed them:

    Will you please immediately deactivate PayPhrase for my account.
    I refuse to be held responsible for any purchase made using any Payphrase.
    Please do not issue any “pre-assigned” anything on my account, ever.
    Please do not make any changes to the security of my account, personal, and financial information security without notifying me in advance and making any change an “opt-in” and not an “opt-out”.
    What are you people thinking?

  • From my understanding from the email from Amazon I received this morning about it, it’s more for use on other sites (they list off a few, that includes Buy.com as one). Instead of having to create a new account on that site, you can use your PayPhrase to pay for the order via Amazon, therefore keeping your credit card numbers, addresses, etc safer. It’s similar to Google Checkout.

  • This will be great for startups integrating Amazon Payments and FPS. It’s a modification of 1-click to make purchases on 3rd party sites somewhat secure.

  • Apparently the payphrase must be unique, which should prevent more than one person from using the same phrase. Though you can see people doing variations of the same thing to get around this.

    In any case, since one cannot change the shipping address and CC card using the payphrase, then it is much less attractive to a criminal since all one can do is ship stuff to the victim’s home or work address. There could be some potential information gathering (address, cc ending in XXXX) that one could use for social engineering attacks though.

    If (big if) this gets broad adoption, one could say this reduces exposure of the main amazon username and password which is really the most sensitive credential here.

  • Technically speaking, how is this any different from a username/password pair? All you do is replace the word “username” with “payphrase” and the word “password” with “pin”.

    • PayPhrase is only used for ordering, username and password will be used for account management.

      So with PayPhrase you’ll have a safer buying experience since if someone steals it from you they can only order stuff to your address. To change the address they’ll need email and password, which is probably impossible to get.

  • Just read some of the comments left before yours.

  • I think this risk is not the main issue, but rather the opportunity for new types of scalable fraud of users against users within the payments platform. I just posted something about this very subject here: http://fraudbac...risky-step.html

  • all your star route ® belong to us - November 2nd, 2009 at 2:58 pm PST

    “knowledge of the passphrase will only enable someone to buy things on your behalf and send them to YOUR address.”
    please santamazon, send this Kaczynski Special to “my” cave in pakistan…
