To Pay With Your Credit Card, Please Speak Up

prostoalex writes "It's reasonable easy for a thief to steal the social security number and bank account information (which is printed on a check) as well as an address. The next generation of financial tools are fighting this problem. Business Week talks about voice verification in future debit and credit cards. "Here's how it works: A special sensor on the credit card stores its owner's previously recorded voiceprint in digital form. When the owner receives a new card, he or she speaks a password into the sensor on the card. If the voiceprint matches, the card is activated.""

so..

[Turn-X+Alphonse]

So you speak to activate it.. and if you get a cold or have an accident and can't talk?

Re:so..

[DevNull+Ogre]

The need for a side channel to serve the voice challenged population presents a (possibly huge) problem. If somebody who legitimately cannot speak can activate a credit card without speaking, then so can the bad guys. That side channel will also need to be secure.

Could it be done properly (so that the bad guys can't get around the system)? Probably. Will it? Probably not. And, like so much so-called security, we'll end up inconvenienced in exchange for little or no benefit.

Not that it should need saying, but security systems such as this will need to cater to everybody, not just those of us with voices.

I personally think this is their best idea so far.

[peculiarmethod]

I somehow get the feeling that wives, girlfriends, and daughters the world over will not like this one bit.

oh good! Cause that *CANT* be beaten

[np_bernstein]

where did I put that tape recorder again?

Re:oh good! Cause that *CANT* be beaten

[JanneM]

Checkout Chick: Why are you using a tape-recorder to say your password?
Thief: Errr.... I have a cold. Yeah, that's it. A cold.

Checkout Chick: Ok, like it's my problem or anything anyhow. Please enjoy all your new, easily resold wide-screen tv's.

Re:oh good! Cause that *CANT* be beaten

[Ogerman]

I have but one comment:

Hello.. my.. name.. is.. Werner Brandes.. my.. voice.. is.. my.. passport.. verify.. me?

Cracked in 4 seconds

Step 1:
Build card reader for voice print
Step 2:
Download voice print to your MP3 player
Step 3:
PROFIT!

Got to be better than the system here

[Realistic_Dragon]

...where you type your PIN into a small box attached to the cash register.

Because, as we all know, typing your PIN into someone elses computer system is by far the best way to keep it confidential.

ATMs are at least owned by the bank and significantly harder to tamper with in a non-obvious way.

Re:Got to be better than the system here

[Lenolium]

I have written software for the credit card terminals.

The pin pad is the only device in that chain that is secured at all. The pin pad is tested, and has to meet very, very tough standards. Your pin is not stored on the device, and the credit card terminal cannot get the actual pin number from the pin pad. All that comes from the pin pad is a big pile of "garbage" that is some sequentially ordered 3DES encrypted data that at one time resembled your PIN number. This block of encrypted data cannot be retransmitted, and if it is, it will be denied.

During our testing phase with the terminal (not the PIN pad, we just bought those from someone else), the other programmer that was working on the code messed up some offsets and was not giving the correct PIN data to the test site. This got right past the testing, because even the merchant services test system cannot decrypt the data that comes out of the PIN pads. The rest of your data (including the entire contents of your magnetic strip, which in no way shape or form contain your pin number), is just sent across the wire in plaintext via 2400 bps modems. There was also no security testing of our terminal at all, and there is not even a requirement that credit card numbers aren't stored.

So, the moral of this story is this: If there is one thing to trust in the whole credit card processing world, it is this: Your PIN is the most secure part, unless the PIN pad has been tampered with (aka, has a new set of buttons over the old set of buttons, or a camera to capture your finger movements, because opening up a PIN pad will destroy the key stored on the pad, and will render it useless) that part is secure.

Why does a SSN need to be attached?

[rattler14]

No really, I'm am really curious. I admit, I wear a tin-foiled hat with pride, but I've recieved some pretty BS responses from banks when asked this question.

The worst response? "You need it on your account for your protection". Oh really? Until, I don't know, 1 of the 100 forms my SSN is one gets scanned and posted somewhere on the internet.

And for those that think it can't happen, some dipshit made a family tree of all of my family across the country and posted it on the internet... 1 out of 10 (out of ~600 people... this tree goes back pretty far) has a SSN posted and it's now in google's cache.

So I ask again... why is a SSN required for a bank account? What about those people withouth SSNs?

Does anybody remember LAUGHTER?

[Lapsed+Catholic]

There was a /. article a few years ago about a biometric password scheme that remembered how you laughed. It became a running joke at work, where we have someone with a very distinctive laugh. We figured a scheme like that would become annoying really fast.

Coworker A: huh huh huh... huh huh huh... it's not letting me in... huh huh huh... oh wait I think I changed it... huhhuhuhhuhuh huhhuhhuhuh... huhhuhuhhhuh... no, that doesn't work either huh huh huh...

Coworker B: Here, I'll log in for you. hahahahah!

Coworker A: Huh huh huh thanks!

Why not SMS?

[md17]

I would prefer that the Visa or Mastercard system sends me a SMS that I reply to in order to authorize the payment.

Re:Working in the wrong direction

[Neil+Blender]

Rather than working to make it harder to use a stolen credit card, companies should work at making it easier to find somebody using a stolen credit card. Maybe start requesting that stores associate a purchase with a time and a checkout lane, which could lead to accessing security camera archives once a purchase is claimed fraudulent by the account holder. I am sure there are more possibilities.

Oh, man, I'd love to see a story about that posted on Slashdot. The comments. The comments! It would be hours of fun.

I can't stand the rain...

[DumbSwede]

I use to work at Wolfram Research and when they moved into their new building the building was protected after hours by a voice activated entry device. This was about 14 years ago. Anyway the device worked reasonably well except when it was raining. There was no awning or other overhang, so in driving rain when you would really like to get in - well you just couldn't. The idea was to be a cost saver by not having to issue individual cards. Oh yeah they ripped the thing out after about a two months. One of the employees (I don't remember who) took it as a challenge to slowly modify his voice entry phrase to something else slowly day by day, by slowing morphing one phoneme at a time into something else. I wish I had a list of phrases he changed from and to, but I don't.

This was good technology applied in a bad way. As one of more than one way of activating a card this would be a good thing. Thieves are a skittish lot, even if they could sign for card use or use a stolen PIN, the fact they would be expected to voice activate the card first would deter them, not wishing to draw undue attention to themselves.

Even 14 years ago this technology had a extremely low false positive rate misidentifying someone as someone else. Even 25 years ago I seem to remember this technology being not being prone to misidentification, though more finicky and with a much smaller vocabulary (like 10 words).