Slashdot Mirror

← Back to Stories (view on slashdot.org)

To Pay With Your Credit Card, Please Speak Up

Posted by samzenpus on from the voice-activated dept.

prostoalex writes "It's reasonable easy for a thief to steal the social security number and bank account information (which is printed on a check) as well as an address. The next generation of financial tools are fighting this problem. Business Week talks about voice verification in future debit and credit cards. "Here's how it works: A special sensor on the credit card stores its owner's previously recorded voiceprint in digital form. When the owner receives a new card, he or she speaks a password into the sensor on the card. If the voiceprint matches, the card is activated.""

7 of 300 comments (clear)

  1. 508 Compliance by ubrgeek · · Score: 3, Informative

    Should any of the credit card companies that want to use this type of technology hope to have the cards used by the federal government, they'll need to make sure that the card is 508 compliant http://www.section508.gov/ and that would take into account someone who could not speak.

    --
    Bark less. Wag more.
  2. Only Slightly Effective by SpottedKuh · · Score: 2, Informative
    So, I read the article, and was left wondering how this new measure could do more than marginally dent the problem of credit card fraud. For those who didn't feel like reading the article, it basically outlines two potential uses for voice biometrics:
    1. Identifying people who phone a bank (ie. for phone services or ordering a credit card)
    2. When people first receive a credit card, they speak to it to activate it
    But, here's what this type of biometrics fails to address:

    From TFA, "Over-the-phone fraud already affects 12% of all banks offering e-payment services." 12%? That's it? Of all the banks offering electronic/phone services, only 12% have ever been affected by over-the-phone fraud, which this new technology is supposed to help prevent? That makes me think that most credit card frauds are being conducted another way.

    Point two: This type of biometrics does nothing to protect consumers if their card or card number are stolen after their card is activated. Continuing from my above comment about how most frauds actually happen, I'd wager good money that most credit card frauds do not occur from cards being stolen from the mail before they're activated; rather, I'm guessing that most frauds happen because the little numbers on someone's card are stolen.

    They need to rethink their manner of usage if they want this new biometric scheme to be anything more than a headache (I mean, how many different things could go wrong with a voice-recognition chip embedded in a little card?). I mean, a voice-authentication system is definately a better scheme than asking someone what their birthday is, but there has to be a more effective way of using it than this.
  3. Re:I personally think this is their best idea so f by Anonymous Coward · · Score: 1, Informative

    And they'll be smart enough to realise it's not worth it!

  4. Re:First things first by JimBobJoe · · Score: 2, Informative

    Start with a picture of the cardholder on the card. Some banks already do that.

    And yet it goes nowhere. There's a myriad of reasons for this, but one of the biggest is that it makes little difference. Very little credit card fraud is perpetrated by people who are using someone else's physical card. The main security system on that fraud is purchase pattern/auditing systems and the ability to kill off the card.

    Most credit card fraud is online and/or via altered cards (like with the criminal's name and if you really insist, face, but the magnetic stripe with completely different information.)

    Having said that, the photographs on credit cards started off as a service to the card holder so that they could have an extra form of ID on them. (I have a 1967 advertisement from an Ohio bank that offered a Mastercard with a polaroid photo...so that check cashing would be easier. In time, I believe the credit card companies did not want people using their cards for check cashing purposes. I also remember Citibank advertisements from the early 1990s offering their cards with photos for the same reason...second form of ID.)

    But for the bank, it's a costly pain in the ass (as you noted) and with little benefit for the bank (especially since it prevents little fraud.) Today the photocards are basically sold as a false security benefit in the competitive credit card industry. I believe that cards will be less likely to have photos in the future..

  5. Re:Why does a SSN need to be attached? by keep-the-sci-in-scif · · Score: 3, Informative

    Well, it's required by law; specifically it's a provison in the USA PATRIOT Act. Any financial institution doing business in the United States is required to collect your SSN if you are a US Citizen (living in the US or abroad). Your SSN is bounced against fincen.gov and can be placed by the bank into the SAR (Suspicious Activity Report) http://www.fincen.gov/reg_sar.html This was all created because of the terroist bull3hit but now it's used for any 'suspicious' activity. And, just like those people who can't fly anymore without a cavity search due to their name matching a 'person of interest', this can really screw your finances up...

  6. I still don't see the security by gDeleteMe · · Score: 2, Informative

    I'd say a vast majority of credit fraud is committed without actually stealing the card, just the information on the magstrip. So I guess instead of the shady waiter just swiping your card through his personal magstrip reader before charging your order, it becomes standard for people to have to talk to their cards before the shady waiter swipes your card through his personal magstrip reader before charging your order. Advancement+!!!

  7. Re:Got to be better than the system here by Lenolium · · Score: 5, Informative

    I have written software for the credit card terminals.

    The pin pad is the only device in that chain that is secured at all. The pin pad is tested, and has to meet very, very tough standards. Your pin is not stored on the device, and the credit card terminal cannot get the actual pin number from the pin pad. All that comes from the pin pad is a big pile of "garbage" that is some sequentially ordered 3DES encrypted data that at one time resembled your PIN number. This block of encrypted data cannot be retransmitted, and if it is, it will be denied.

    During our testing phase with the terminal (not the PIN pad, we just bought those from someone else), the other programmer that was working on the code messed up some offsets and was not giving the correct PIN data to the test site. This got right past the testing, because even the merchant services test system cannot decrypt the data that comes out of the PIN pads. The rest of your data (including the entire contents of your magnetic strip, which in no way shape or form contain your pin number), is just sent across the wire in plaintext via 2400 bps modems. There was also no security testing of our terminal at all, and there is not even a requirement that credit card numbers aren't stored.

    So, the moral of this story is this: If there is one thing to trust in the whole credit card processing world, it is this: Your PIN is the most secure part, unless the PIN pad has been tampered with (aka, has a new set of buttons over the old set of buttons, or a camera to capture your finger movements, because opening up a PIN pad will destroy the key stored on the pad, and will render it useless) that part is secure.