Can Amazon's PayPhrase Combine Convenience with Security?
Amazon hopes its latest payment technology will steal its competitors’ thunder.
Amazon’s latest payment technology, PayPhrase, lets customers buy from Amazon and affiliated merchants by using two or more words and a four-digit password. The technology, which was announced last Thursday, accesses information stored in the customer’s Amazon account to pay for purchases and to identify the shipping address.
PayPhrase is designed to work on Amazon’s own site and on third-party sites that use the payment technology. While Amazon would not reveal the number of sellers using its technology, DKNY.com, Patagonia.com and Buy.com were part of Amazon’s Thursday announcement.
“The vision of PayPhrase is to allow Amazon customers to pay wherever they would like to pay,” says Matt Williams, general manager of PayPhrase at Amazon.
Amazon’s latest foray into online payment technology is meant to make buying easier for both businesses and consumers without sacrificing security. Amazon wants PayPhrase to compete directly with eBay’s PayPal and Google Checkout. Amazon’s Checkout technology already allows businesses to use Amazon to process customers’ payments, and its Simple Pay system allows customers to use the financial information stored at Amazon to pay for goods on other sites.
Some analysts worry that the combination of a memorable phrase and a simple four-digit PIN may not be secure enough for financial transactions, even if Amazon promises to freeze an account when the wrong information is entered too many times.
“People tend to use the same phrases–it ends up being guessable,” says Nick Holland, senior analyst of emerging technologies and payments at the Aite Group. “It presents a single phrase that, once guessed, could be used on multiple sites.”
Amazon counters that PayPhrase actually increases data security. The use of PayPhrase–or a similar “federated identity service” such as Verified by Visa–means that smaller merchants, who may not have adopted strict security practices, do not have to store a customer’s financial information. If Amazon’s service is used, customers’ financial information will be kept in fewer places, Williams says.
Compared to many other payment systems, “the big difference with PayPhrase is that you store that information once with Amazon,” Williams says. “You have one identifier, and use it in many different places and know that merchants are not sharing your financial information.”
Moreover, even if an online thief gets hold of a user’s PayPhrase and PIN, he could only use it to send goods to the address that person has on file. The payment technology cannot be used to buy digital goods, and an attacker could not change the address on file without the password to the user’s Amazon account.
“It is one layer removed from your account and your password,” Williams says. “You cannot change the shipping address or payment method with just the use of the PayPhrase.”
Robert Vamosi, an analyst covering security, risk and fraud for Javelin Strategy & Research, says that many consumers may trust Amazon to protect their information better than smaller websites.
“If I saw a recognizable logo online, I might be more willing to buy,” Vamosi says. “I could see it as beneficial, in that it could open up more places for me to shop online. It also offers more stores my purchasing power.”
In addition, PayPhrase lets people set allowances on their accounts. This feature would allow parents to give their children access to an account that the parents control, or provide workers with limited access to an account controlled by their employer. Such additional restrictions could also offer consumers some protection against fraud.
Amazon’s Williams stresses that PayPhrase is more than just financial information–it’s instructions on how that information can be used. “A PayPhrase bundles a set of instructions,” he says. “At launch it is your payment method and shipping address.”
Such assurances do not completely convince Aite Group’s Holland. “With the address, it reduces the potential for fraud, but there will still be ways around it,” he says. Holland argues that Amazon should not underestimate the impact of social engineering. Malicious sites could imitate the look of the Amazon PayPhrase service to get users to hand over their credentials. “You can have the most robust security in the world, but if you give someone your keys when they ask, then it doesn’t matter,” he says.