Moreover, even if an online thief gets hold of a user’s PayPhrase and PIN, he could only use it to send goods to the address that person has on file. The payment technology cannot be used to buy digital goods, and an attacker could not change the address on file without the password to the user’s Amazon account.
“It is one layer removed from your account and your password,” Williams says. “You cannot change the shipping address or payment method with just the use of the PayPhrase.”
Robert Vamosi, an analyst covering security, risk and fraud for Javelin Strategy & Research, says that many consumers may trust Amazon to protect their information better than smaller websites.
“If I saw a recognizable logo online, I might be more willing to buy,” Vamosi says. “I could see it as beneficial, in that it could open up more places for me to shop online. It also offers more stores my purchasing power.”
In addition, PayPhrase lets people set allowances on their accounts. This feature would allow parents to give their children access to an account that the parents control, or provide workers with limited access to an account controlled by their employer. Such additional restrictions could also offer consumers some protection against fraud.
Amazon’s Williams stresses that PayPhrase is more than just financial information: it’s instructions on how that information can be used. “A PayPhrase bundles a set of instructions,” he says. “At launch it is your payment method and shipping address.”
Such assurances do not completely convince Aite Group’s Holland. “With the address, it reduces the potential for fraud, but there will still be ways around it,” he says. Holland argues that Amazon should not underestimate the impact of social engineering. Malicious sites could imitate the look of the Amazon PayPhrase service to get users to hand over their credentials. “You can have the most robust security in the world, but if you give someone your keys when they ask, then it doesn’t matter,” he says.