Bill My Phone

This is a variation of the Bill Me Later idea that brings phone companies and mobile authentication into the picture.  Payment by phone and authentication by phone are old ideas.  Combine them with Bill Me Later and 3D-Secure and you get: Bill My Phone.

Just like Bill Me Later, the transaction starts by pressing the "Bill My Phone" button on a merchant's checkout page.  It uses a 3D-Secure variation, so the 3D-Secure merchant plugin redirects the customer to a 3D-Secure ACS at the customer's phone company, using the customer's home phone number.  A soon-to-be-ubiquitous 3D-Secure authentication window with my phone company's logo pops up.  At this point, the customer can authenticate and approve the transaction in one of three ways:

  1. enter the password into the popup
  2. enter the password into his or her cellular phone (WAP or J2ME)
  3. answer the home telephone and press the numbers displayed on the popup.

At this point, the transaction is complete and the purchase amount will be added to the customer's monthly bill.  Obviously, processors like First Data will need to get into the picture, but I think the chemistry is there just waiting to be mixed.

Form-Fill and Sign-On Comments

For the past few days, I have been thinking about Doug Kaye's Consumer-Centric Form-Fill and Sign-on post.  There was really nothing new in Doug's proposal, but his post made me fall back into thinking about authentication, privacy, payment, and user experience, things I used to spend a great deal of time thinking about while working for Arcot Systems.

Doug's solution centers around a client-based form-filler like RoboForm and server-based storage of an encrypted profile, meaning the user needs to download and install form-filling software and somehow arrange for remote storage.  The main problem with this approach is that people rarely take action to overcome non-accumulative inconveniences.

Forms are incidental, meaning one runs into them while trying to do something else, and form-related inconveniences are amply rewarded by completing the form (otherwise the user would not have completed the form in the first place).  Unless the task is as painful as filling out tax forms, people won't bother to install software, especially if they have to pay for it.

Luckily, I expect Microsoft to add a form-filling feature to Internet Explorer.  But I expect it to work only with Passport and MSN until people have gotten used to them.

Bill Me Later and 3D-Secure

Rising another 1000 feet and looking down on Bill Me Later and credit card-based online payment, I found little difference between the two from the customer's point of view.  A credit card is essentially an aggregated billing service.  Instead of receiving bills from all the merchants, the customer receives one bill from the card issuer.  One key difference is that Bill Me Later doesn't use a shared secret (the credit card number) as the account ID.  With credit cards, you are forced to share that secret with the merchant on every purchase.

Technically, not much change is needed to adapt 3D-Secure to work with Bill Me Later.  With Bill Me Later, the ACS can handle payment on top of authentication and authorization, increasing throughput as well as making the merchant side simpler.

Bill Me Later should take a serious look at 3D-Secure for several reasons:

  1. Look and Feel – The 3D-Secure UI will be what users expect to see when they make online purchases.  With both Visa and MasterCard making efforts to make this happen, alternative payment methods should adopt a similar look and feel to avoid startling customers.
  2. Merchant Adoption – Merchants have either installed the 3D-Secure merchant plugin already or have plans to do so in the near future.  Slipping Bill Me Later support into those merchant plugins will be simpler than asking merchants to install yet another piece of software on their servers.

Bill Me Later should work with 3D-Secure vendors such as Arcot Systems, which currently has the largest 3D-Secure merchant installation base.

Bill Me Later

A News.com article provides further details on Bill Me Later, an alternative online payment service previously mentioned by "Scott" in conjunction with my Market-based Credit Card idea.

I finally get it.  Psychologically, deferred payment is a great gimmick, almost as great as an xx% off sale.

Two concerns raised by the News.com article were the potentially large cost and difficulty of managing authentication and transaction liability.  One possible way to address both concerns is to offer an aggregated billing service with an eye toward lowering the cost of billing for companies that have existing trust relationships with customers.

For example, I have been paying PG&E, my gas and electricity company, for ages.  Politics aside, there is no reason for PG&E not to use Bill Me Later to collect payment if the cost of billing is lower.  The key point here is that my PG&E account can be used as a basis of trust for my Bill Me Later account.  Compared to using an e-mail address as the primary basis of trust, which is what Passport does, my PG&E account is more trustworthy.

Identrus and ArcotID

From "Scott"

Arcot announced yesterday that Identrus has certified Arcot's ArcotID software smart card for secure authentication and digital signing.

I worked on that a long, long time ago and the paint has finally dried.  Let's hope Identrus can put some shine back into E-SIGN with ArcotID.

Liberty Alliance: Freedom to Conspire?

"Scott" reported on a couple of commentaries on "Liberty Alliance" by Doug Kaye and Patricia Seybold.  Both commented on the LA 1.0 spec as being marketing-oriented and not offering much to consumers.  I agree completely, and that is why I like LA.  Let me explain.

LA is an unusually large group of influential companies from most segments of the online market.  With the exception of the Apache Foundation, each of those companies is profit-driven, meaning they seek to profit from the LA initiative, either through increased revenue or cost savings.  Consumer and privacy issues are secondary to these companies, meaning those issues matter only if they affect their primary concerns: profit and growth.  So it is no surprise to me that the LA 1.0 spec addresses consumer and privacy concerns only from a "what can we get away with?" point of view, expressed in marketing smooth talk.

What I like about LA is that it is a very large and very diverse group, not unlike the real-world LA.  What I am looking forward to is how the group's leadership will change in the future.  Sun has no real impact in the security or consumer markets, so a leadership change is likely in the near future.  What I am predicting is that the juxtaposition of diverse self-interests will eventually center around customer concerns, because those issues are really all they have in common other than the need for profit.

FYI, the current LA President, Eric Dean from United Airlines, resigned as of Friday.

Adding namespaces to 0.94!

"Dave" asked for opinions on his approach to supporting non-RSS elements in an RSS feed.  His approach is to simply say "it's okay for an RSS feed to include elements not defined in the spec."  It sounds like a commonsense solution, although I would also add a line describing how elements not defined in the spec should be handled.  They should obviously be ignored, but there could be unknown elements that contain RSS elements, so one must say whether to ignore the contents of elements not defined in the spec.  My recommendation is: ignore unknown elements and their contents.
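To make that rule concrete, here is an added example (mine, not code from Dave's spec or from this post): a minimal RSS 0.9x reader that skips unknown elements together with their contents, so an `<item>` wrapped inside an unknown element is never picked up. The sample feed and the `ext:` namespace are constructed for illustration.

```python
# Added example, not from the post or the RSS spec. The feed and the
# ext: namespace below are constructed; element names follow RSS 0.9x.
import xml.etree.ElementTree as ET

# Elements the reader understands. Anything else is skipped together with
# its whole subtree, which is the "ignore unknown elements and their
# contents" rule: an <item> nested inside an unknown element is never seen.
KNOWN_CHANNEL = {"title", "link", "description", "item"}
KNOWN_ITEM = {"title", "link", "description"}

def parse_item(item_el):
    item = {"title": None, "link": None, "description": None}
    for el in item_el:
        if el.tag in KNOWN_ITEM:
            item[el.tag] = (el.text or "").strip()
        # unknown children (e.g. namespaced extensions) are ignored
    return item

def parse_rss(xml_text):
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if channel is None:
        raise ValueError("no <channel> element")
    feed = {"title": None, "link": None, "description": None, "items": []}
    for el in channel:
        if el.tag not in KNOWN_CHANNEL:
            continue  # unknown element: skip it and everything inside it
        if el.tag == "item":
            feed["items"].append(parse_item(el))
        else:
            feed[el.tag] = (el.text or "").strip()
    return feed

# Constructed sample: one item is hidden inside an unknown wrapper element,
# and one item carries an unknown namespaced child.
SAMPLE_FEED = """<rss version="0.94">
  <channel>
    <title>Example feed</title>
    <link>http://example.com/</link>
    <description>constructed sample</description>
    <item><title>First</title><link>http://example.com/1</link></item>
    <ext:wrapper xmlns:ext="http://example.com/ext">
      <item><title>Hidden</title><link>http://example.com/hidden</link></item>
    </ext:wrapper>
    <item><title>Second</title><link>http://example.com/2</link>
      <ext:mood xmlns:ext="http://example.com/ext">ok</ext:mood></item>
  </channel>
</rss>"""
```

ElementTree expands namespaced tags to `{uri}name`, so they never match the known sets and fall through to the skip branch.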

Microsoft admits to being Clueless Swiss Cheese

Brian Valentine, an MS Senior VP in charge of the Windows development team, said:

"I'm not proud," Valentine said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers … Our products just aren't engineered for security."

Even worse, Microsoft is clueless about the techniques used in recent attacks against Win2K.

"As of August 2002, the PSS [Product Support Services] Security Team has not been able to determine the technique that is being used to gain access to the computer," the company wrote in its security bulletin posted on August 30.

So Microsoft is a Clueless Swiss Cheese.  One spot of good news is that Microsoft finally raised the severity rating of the recent SSL certificate vulnerability to critical and released a patch, a patch that everyone should install ASAP.

I have recently issued an advisory to 3D-Secure (aka VbV) implementors to protect against this vulnerability by hashing the 3D-Secure PIN before submitting it to the issuer.  Yup, the supposed security of SSL made sending the password in plaintext seem reasonable.  Complacency is not just a bug, but a queen bug.
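To show what that advice amounts to in code, an added example (mine, not the advisory's or any 3D-Secure vendor's code): the cardholder's client hashes the PIN and binds it to a one-time challenge from the issuer's ACS, so neither the PIN nor a replayable value crosses the wire in the clear even if SSL is broken. The salted verifier, the challenge and the IssuerACS class are my assumptions, not part of the advisory; all values are constructed.

```python
# Added example, not the advisory's or any vendor's code. The salt, the
# one-time challenge and the IssuerACS class are assumptions used to show
# hashed-PIN submission concretely; all values are constructed.
import hashlib
import hmac
import os

def pin_verifier(pin, salt):
    """What the issuer stores instead of the PIN itself: a salted hash."""
    return hashlib.sha256(salt + pin.encode("utf-8")).digest()

def client_response(pin, salt, challenge):
    """Computed in the cardholder's browser; only this value is submitted.
    The raw PIN never leaves the client, even over a compromised SSL session."""
    verifier = pin_verifier(pin, salt)
    return hmac.new(challenge, verifier, hashlib.sha256).hexdigest()

class IssuerACS:
    """Issuer-side Access Control Server holding verifiers, not PINs."""

    def __init__(self):
        self.accounts = {}    # account id -> (salt, verifier)
        self.challenges = {}  # account id -> outstanding one-time challenge

    def enroll(self, account, pin):
        salt = os.urandom(16)
        self.accounts[account] = (salt, pin_verifier(pin, salt))

    def start_auth(self, account):
        """Salt and fresh challenge, sent to the client with the popup."""
        salt, _ = self.accounts[account]
        challenge = os.urandom(16)
        self.challenges[account] = challenge
        return salt, challenge

    def verify(self, account, response):
        salt, verifier = self.accounts[account]
        challenge = self.challenges.pop(account, None)  # single use
        if challenge is None:
            return False  # no outstanding challenge: stale or replayed
        expected = hmac.new(challenge, verifier, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)
```

Each challenge is consumed on first use, so a captured response cannot be replayed; the stored verifier is still password-equivalent to the issuer, so the issuer's database needs the same protection a PIN store would.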

RSS My Hard RSS

"Dave" updated the RSS spec to 0.94 even though there is RSS 1.0.  Hurrah!  A quick summary of RSS versions from 0.9 to 0.94 is pretty useful too, although it's not showing all of the RSS 1.0 tags.

I never liked RSS 1.0 because it fails the simplicity test which is: can a busy idiot implement it?  Here is my advice to Dave: please don't be reasonable.  RSS 1.0 happened because everyone was reasonable.  Help us and be unreasonable.  Protect RSS with unreasonable hardass extremist attitude.

I wonder if this post is likely to be filtered by my Bayesian web page filter…

Architectural Principles of the World Wide Web

A fun-to-read after-the-fact formulation of the principles behind the Web that has no place in the real world.  One of the key principles is: use absolute URI references.  There was a storm of arguments for and against this principle about a year ago (I think), both in public and in W3C WGs, and I have no recollection of a consensus being reached.  Meanwhile, one striking feature of W3C specs is that when you Save As MHT files for offline reading, intra-document links are broken because they use absolute URIs even for intra-document links.  Another clash of Principle and Reality, I suppose.