Amazon’s PayPhrase

In November 2009, Amazon launched a new payment mode called PayPhrase. The idea is simple. You associate a passphrase with your profile, i.e. a sentence of at least two words (more than four characters), together with a 4-digit PIN. The PayPhrase is linked to a shipping address and a payment method. If you want another shipping address, you use a second PayPhrase.

Amazon offers this service to other sites. Those sites validate the information through Amazon but never get access to your personal data, nor to your credit card data. The basic assumption is that you trust Amazon to do a proper job of securing your personal data (which seems a reasonable assumption).

Of course, Amazon expects to become a competitor to established payment methods such as PayPal.

Is it serious? Well, I have spotted one funny issue. How do I define a PayPhrase?

Create an original PayPhrase yourself, or choose one of our suggestions. Once you have claimed a particular PayPhrase, it can’t be claimed by anyone else.

The uniqueness of the PayPhrase shows the idea: the PayPhrase replaces your identity (it plays the role of the username) and the PIN is the only authentication secret, with just 10,000 possible values. This means two things:

  • Late adopters may have trouble setting up an easy-to-remember PayPhrase, because the most obvious ones will already be taken.
  • People will pick the most obvious ones.

And this last point is the fun part of the game. Pick a trivial PayPhrase and check whether it is already claimed: since a PayPhrase can be claimed only once, the claim flow itself tells you whether the phrase is in use. Then you can mount a DoS against its owner by submitting wrong PINs until the PayPhrase is blacklisted (locked).
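To make the trade-off concrete, here is an added simulation of an identifier-plus-PIN scheme with the properties described above: a unique, guessable identifier, a 4-digit PIN as the only secret, and a lockout after a few wrong PINs. This is my own illustration, not Amazon's code and not part of the original post; the phrase normalization rule, the lockout threshold of three failures, the PIN hashing and the victim PayPhrase "Trust no one" with PIN 4821 are all assumptions constructed for the example.

```python
"""Simulation of an identifier+PIN scheme: a globally unique, guessable identifier
(the PayPhrase) plus a 4-digit PIN as the only secret. Everything here is a model;
the normalization rule, lockout threshold and hashing are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PIN_SPACE = 10_000          # a 4-digit PIN has only 10^4 possible values


@dataclass
class Account:
    salt: bytes
    pin_tag: bytes
    failures: int = 0
    locked: bool = False


def normalize(phrase: str) -> str:
    """Assumed canonical form of a PayPhrase: case-insensitive, whitespace collapsed."""
    return " ".join(phrase.lower().split())


class PayPhraseService:
    """max_failures=None models a service with no lockout at all."""

    def __init__(self, max_failures: Optional[int] = 3) -> None:
        self.max_failures = max_failures
        self._accounts: dict[str, Account] = {}

    @staticmethod
    def _tag(pin: str, salt: bytes) -> bytes:
        # Salted HMAC keeps the simulation fast. A slow KDF would not change the
        # picture: 10^4 candidates are exhausted online whatever the hash costs.
        return hmac.new(salt, pin.encode(), hashlib.sha256).digest()

    def is_claimed(self, phrase: str) -> bool:
        """The uniqueness check. Exposed through the claim flow, it doubles as an
        enumeration oracle: anyone can learn whether a phrase belongs to someone."""
        return normalize(phrase) in self._accounts

    def claim(self, phrase: str, pin: str) -> bool:
        key = normalize(phrase)
        if key in self._accounts:
            return False  # "can't be claimed by anyone else": the caller now knows it exists
        salt = secrets.token_bytes(16)
        self._accounts[key] = Account(salt=salt, pin_tag=self._tag(pin, salt))
        return True

    def authenticate(self, phrase: str, pin: str) -> str:
        acct = self._accounts.get(normalize(phrase))
        if acct is None:
            return "unknown"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(self._tag(pin, acct.salt), acct.pin_tag):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked = True   # the lockout is exactly what a DoS attacker wants to trigger
        return "bad_pin"


def brute_force(service: PayPhraseService, phrase: str) -> tuple[Optional[str], int]:
    """Attacker who knows only the (public) PayPhrase submits PINs in order.
    Returns (pin, guesses) on success, or (None, guesses) once the service refuses."""
    guesses = 0
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        guesses += 1
        status = service.authenticate(phrase, pin)
        if status == "ok":
            return pin, guesses
        if status in ("locked", "unknown"):
            return None, guesses
    return None, guesses


if __name__ == "__main__":
    locking = PayPhraseService(max_failures=3)
    locking.claim("Trust no one", "4821")     # constructed victim; phrase and PIN are made up
    print("probe says claimed:", locking.is_claimed("trust no one"))
    print("with lockout:", brute_force(locking, "Trust no one"))      # victim locked out
    permissive = PayPhraseService(max_failures=None)
    permissive.claim("Trust no one", "4821")
    print("without lockout:", brute_force(permissive, "Trust no one"))  # PIN recovered
```

With the lockout in place the attacker locks the owner out after a handful of requests; without it, the whole PIN space is exhausted in at most 10,000 guesses. Either way the weak link is the same design choice: the lock (or the guess budget) is keyed on an identifier that is public and enumerable. The usual way out is to throttle by source or session rather than by identifier alone, or to require a second factor that the attacker cannot look up.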

I tried my favorite trivial passphrase “Trust no one”. Guess what? It belongs to somebody in Portland paying with Visa! I did not try the PIN.

Lesson: Some design decisions may have “funny” side effects.
