Slashdot Mirror

← Back to Stories (view on slashdot.org)

To Pay With Your Credit Card, Please Speak Up

Posted by samzenpus on from the voice-activated dept.

prostoalex writes "It's reasonable easy for a thief to steal the social security number and bank account information (which is printed on a check) as well as an address. The next generation of financial tools are fighting this problem. Business Week talks about voice verification in future debit and credit cards. "Here's how it works: A special sensor on the credit card stores its owner's previously recorded voiceprint in digital form. When the owner receives a new card, he or she speaks a password into the sensor on the card. If the voiceprint matches, the card is activated.""

25 of 300 comments (clear)

  1. so.. by Turn-X+Alphonse · · Score: 4, Insightful

    So you speak to activate it.. and if you get a cold or have an accident and can't talk?

    --
    I like muppets.
    1. Re:so.. by saned · · Score: 3, Insightful

      Forget about being unable to speak...! If this speech recognition is as good as any of my cell phones' then you'll keep repeating 4, 5 or more times, until this chip recognizes your voice, or worst case, blocks itself until the next day for security purposes...

      YMMV
      -P@

      --
      signal_connect(0, "test_top.dut.my_sig", "clk");
    2. Re:so.. by DevNull+Ogre · · Score: 4, Insightful

      The need for a side channel to serve the voice challenged population presents a (possibly huge) problem. If somebody who legitimately cannot speak can activate a credit card without speaking, then so can the bad guys. That side channel will also need to be secure.

      Could it be done properly (so that the bad guys can't get around the system)? Probably. Will it? Probably not. And, like so much so-called security, we'll end up inconvenienced in exchange for little or no benefit.

      Not that it should need saying, but security systems such as this will need to cater to everybody, not just those of us with voices.

    3. Re:so.. by cayenne8 · · Score: 3, Insightful
      "maybe you jusk freaked out because you're one of those 'tards who insists on using a card for every single purchase"

      Why do you call people who use credit cards for everything retards?

      I pretty much use mine for everything (amex mostly)...I just feel more comfortable doing that than carrying around large sums of cash. And, usually, it seesm with me, if I've got cash in my pocket...I'm more apt to spend it.

      Also, it is just convenient....I don't have to worry about making a trip to find one of my banks money machines (I can't stand paying ATM fees going to other banks' ATM's)...payments to me are direct deposit....so, I rarely need to go to a bank branch.

      And I pay it off every month...just like cash...just without the hassle...

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. I personally think this is their best idea so far. by peculiarmethod · · Score: 5, Funny

    I somehow get the feeling that wives, girlfriends, and daughters the world over will not like this one bit.

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
  3. oh good! Cause that *CANT* be beaten by np_bernstein · · Score: 4, Funny

    where did I put that tape recorder again?

    --
    RandomAndInteresting.comdefending the world from stupidity since 1979
    1. Re:oh good! Cause that *CANT* be beaten by aussie_a · · Score: 3, Funny

      Checkout Chick: Why are you using a tape-recorder to say your password?
      Thief: Errr.... I have a cold. Yeah, that's it. A cold.

    2. Re:oh good! Cause that *CANT* be beaten by JanneM · · Score: 5, Funny

      Checkout Chick: Why are you using a tape-recorder to say your password?
      Thief: Errr.... I have a cold. Yeah, that's it. A cold.

      Checkout Chick: Ok, like it's my problem or anything anyhow. Please enjoy all your new, easily resold wide-screen tv's.

      --
      Trust the Computer. The Computer is your friend.
    3. Re:oh good! Cause that *CANT* be beaten by Ogerman · · Score: 5, Funny

      I have but one comment:

      Hello.. my.. name.. is.. Werner Brandes.. my.. voice.. is.. my.. passport.. verify.. me?

  4. Cracked in 4 seconds by Anonymous Coward · · Score: 4, Funny

    Step 1:
    Build card reader for voice print
    Step 2:
    Download voice print to your MP3 player
    Step 3:
    PROFIT!

  5. Got to be better than the system here by Realistic_Dragon · · Score: 4, Insightful

    ...where you type your PIN into a small box attached to the cash register.

    Because, as we all know, typing your PIN into someone elses computer system is by far the best way to keep it confidential.

    ATMs are at least owned by the bank and significantly harder to tamper with in a non-obvious way.

    --
    Beep beep.
    1. Re:Got to be better than the system here by Lenolium · · Score: 5, Informative

      I have written software for the credit card terminals.

      The pin pad is the only device in that chain that is secured at all. The pin pad is tested, and has to meet very, very tough standards. Your pin is not stored on the device, and the credit card terminal cannot get the actual pin number from the pin pad. All that comes from the pin pad is a big pile of "garbage" that is some sequentially ordered 3DES encrypted data that at one time resembled your PIN number. This block of encrypted data cannot be retransmitted, and if it is, it will be denied.

      During our testing phase with the terminal (not the PIN pad, we just bought those from someone else), the other programmer that was working on the code messed up some offsets and was not giving the correct PIN data to the test site. This got right past the testing, because even the merchant services test system cannot decrypt the data that comes out of the PIN pads. The rest of your data (including the entire contents of your magnetic strip, which in no way shape or form contain your pin number), is just sent across the wire in plaintext via 2400 bps modems. There was also no security testing of our terminal at all, and there is not even a requirement that credit card numbers aren't stored.

      So, the moral of this story is this: If there is one thing to trust in the whole credit card processing world, it is this: Your PIN is the most secure part, unless the PIN pad has been tampered with (aka, has a new set of buttons over the old set of buttons, or a camera to capture your finger movements, because opening up a PIN pad will destroy the key stored on the pad, and will render it useless) that part is secure.

  6. Why does a SSN need to be attached? by rattler14 · · Score: 4, Interesting

    No really, I'm am really curious. I admit, I wear a tin-foiled hat with pride, but I've recieved some pretty BS responses from banks when asked this question.

    The worst response? "You need it on your account for your protection". Oh really? Until, I don't know, 1 of the 100 forms my SSN is one gets scanned and posted somewhere on the internet.

    And for those that think it can't happen, some dipshit made a family tree of all of my family across the country and posted it on the internet... 1 out of 10 (out of ~600 people... this tree goes back pretty far) has a SSN posted and it's now in google's cache.

    So I ask again... why is a SSN required for a bank account? What about those people withouth SSNs?

    --
    my last sig was too controversial... now, a new and improved useless sig!
    1. Re:Why does a SSN need to be attached? by keep-the-sci-in-scif · · Score: 3, Informative

      Well, it's required by law; specifically it's a provison in the USA PATRIOT Act. Any financial institution doing business in the United States is required to collect your SSN if you are a US Citizen (living in the US or abroad). Your SSN is bounced against fincen.gov and can be placed by the bank into the SAR (Suspicious Activity Report) http://www.fincen.gov/reg_sar.html This was all created because of the terroist bull3hit but now it's used for any 'suspicious' activity. And, just like those people who can't fly anymore without a cavity search due to their name matching a 'person of interest', this can really screw your finances up...

  7. even lower tech by mbkennel · · Score: 3, Insightful


    Step 1: steal identity and get credit card mailed to oneself, shameless thief.

    Step 2: record your voice onto some shmoe's card.

    Step 3: PROFIT!

  8. Heh... by Eythian · · Score: 3, Funny

    "My voice is my credit card. Pay for me"

  9. I would be real impressed... by Lead+Butthead · · Score: 3, Interesting

    Considering that voice recognization is still rather unreliable (particularly when people get excited and such) I would think it's a bad idea until reliablity improves.

    It would be rather sad trying to pay for caugh drops with ATM/CC but unable to do so because the sore throat is causing your voice print to shift.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  10. Does anybody remember LAUGHTER? by Lapsed+Catholic · · Score: 5, Funny

    There was a /. article a few years ago about a biometric password scheme that remembered how you laughed. It became a running joke at work, where we have someone with a very distinctive laugh. We figured a scheme like that would become annoying really fast.

    Coworker A: huh huh huh... huh huh huh... it's not letting me in... huh huh huh... oh wait I think I changed it... huhhuhuhhuhuh huhhuhhuhuh... huhhuhuhhhuh... no, that doesn't work either huh huh huh...

    Coworker B: Here, I'll log in for you. hahahahah!

    Coworker A: Huh huh huh thanks!

  11. Why not SMS? by md17 · · Score: 4, Insightful

    I would prefer that the Visa or Mastercard system sends me a SMS that I reply to in order to authorize the payment.

  12. Re:Working in the wrong direction by Neil+Blender · · Score: 4, Funny

    Rather than working to make it harder to use a stolen credit card, companies should work at making it easier to find somebody using a stolen credit card. Maybe start requesting that stores associate a purchase with a time and a checkout lane, which could lead to accessing security camera archives once a purchase is claimed fraudulent by the account holder. I am sure there are more possibilities.

    Oh, man, I'd love to see a story about that posted on Slashdot. The comments. The comments! It would be hours of fun.

  13. Paypal Authentication by SuperSanta · · Score: 3, Insightful

    I hate to admit it - because, you know, all the fraudulent things that have happened to people with PayPal and eBay - but I have to say that PayPal is starting to do things well.

    Require you to put in your work phone number and then an automated system phones it and asks you to authenticate what is onscreen by touchpad. Atleast with this method of authentication the hackers have to spoof more than one method of communication and would leave a rather sizeable paper trail of changing account data.

    Not like reading the extra 3 digits off your card into a computer system so that someone else can steal those digits and reuse 'em.

    This post started out with better ambitions. Stupid boob tube, oh how you distract me!

  14. 508 Compliance by ubrgeek · · Score: 3, Informative

    Should any of the credit card companies that want to use this type of technology hope to have the cards used by the federal government, they'll need to make sure that the card is 508 compliant http://www.section508.gov/ and that would take into account someone who could not speak.

    --
    Bark less. Wag more.
  15. Biometrics DO NOT WORK by initialE · · Score: 3, Insightful

    It's been proven over and again that biometrics are a poor form of authentication that can easily be beaten. Not only are you unable to protect it (try not leaving your fingerprints everywhere, or not speaking to someone so they can't get your voice recording, or maybe even not shedding your hair so you don't leave any DNA traces), you're also unable to change it, and it's made doubly dangerous because of the way people seem to think it's effective. So maybe they should stop beating that dead horse around...

    --
    Starbucks, Harbuckle of Breath.
  16. First things first by houghi · · Score: 3, Insightful

    Start with a picture of the cardholder on the card. Some banks already do that. So unless you have a serious change in how you look, a person can SEE if you are the person on the photo or not.

    Unfortunatly that means that the wife will have to have her [SHOCKING] own card. Yes this would mean going to the bank to have your picture taken. It also means it costs money and as long as the cost of theft are below the cost of security, they will gladly pay up to whomever is stealing from them.

    --
    Don't fight for your country, if your country does not fight for you.
  17. I can't stand the rain... by DumbSwede · · Score: 4, Interesting
    I use to work at Wolfram Research and when they moved into their new building the building was protected after hours by a voice activated entry device. This was about 14 years ago. Anyway the device worked reasonably well except when it was raining. There was no awning or other overhang, so in driving rain when you would really like to get in - well you just couldn't. The idea was to be a cost saver by not having to issue individual cards. Oh yeah they ripped the thing out after about a two months. One of the employees (I don't remember who) took it as a challenge to slowly modify his voice entry phrase to something else slowly day by day, by slowing morphing one phoneme at a time into something else. I wish I had a list of phrases he changed from and to, but I don't.

    This was good technology applied in a bad way. As one of more than one way of activating a card this would be a good thing. Thieves are a skittish lot, even if they could sign for card use or use a stolen PIN, the fact they would be expected to voice activate the card first would deter them, not wishing to draw undue attention to themselves.

    Even 14 years ago this technology had a extremely low false positive rate misidentifying someone as someone else. Even 25 years ago I seem to remember this technology being not being prone to misidentification, though more finicky and with a much smaller vocabulary (like 10 words).

    --
    Letter To Iran