VeriSign To Offer Passwords On Bank Card
Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."
Dear VeriSign,
Can I put in a request for the password 12345 before anyone else does?
-m
I know this isn't the first application of this technology, Shell Oil used to use something like this for their programmers, but the device was considerably bigger than a credit card. Anyone care to guess how they are going to power this? External power source at the reader? Rechargeable cards?
In Soviet Russia jokes are formulaic and decidedly non-humorous.
Wouldn't this basically be a version of SecurID? Why don't banks just roll out SecurID to everyone and get the same net effect?
How long is the cycle on the card? And how do they keep it from going out of sync? My watch loses about a second every day (ok, it's a cheap watch), but nonetheless, the only way it and the server can work is if the key is based on time. If that is the case, then the card's clock has to stay sync'd with the server's clock... Wouldn't that be a problem?
34486853790
Connection too slow for X forwarding? Try "ssh -CX user@host"
So I memorized my credit card account number for nothing...
So as I understand it from the article, there'll be some sort of "device" in a corner of the card, with a "display window" that shows the randomized password? How's it powered? How's it controlled? What happens when the battery in my credit card is dead?
I wish there was a choice that said "Factually Wrong -1" when I mod.
Um. How's that practical with a credit card again?
And what about when I'm paying for gas with a credit card. Do I have to go in to give the guy the password, or are they changing out all the pump credit terminals for ones with full keyboards?
RSA has been selling these for years. Some banks use them - I have one from etrade.
RSA also sells credit card sized versions.
of the people in that bank's customer call centers now when people start calling in because the numbers on the card are out of sync.
Sorry Verisign. I don't trust you. Period.
And I don't want you to have ANYTHING to do with my financial information. Period.
Stay away from my bank account. Stay away from my CC. Just stay away.
I'm worried now because my Credit Union just sent me a new VISA card for no reason,
my current one doesn't expire until late next year but my CU is telling me they are going to
expire it this month and I'm compelled to use the new one they sent. What a pain in the ass.
Now I have to change all my online accounts that I've been using without problem for the past 2 years.
And the new CC they sent me is weird looking, it's CLEAR. WTF sort of feelings of Joy Joy is that
supposed to instill in me?
I hope like hell there's an OPT OUT when this rolls out.
Verisign can go to hell. Hands off my bank account assholes.
Ok it's just a watch kinda battery but it'll still last longer than the expiration on your credit card.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Isn't anyone afraid just because paypal is going to use it? With their security track record?
my password is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Oops!
My immediate concern is durability. Credit cards take a lot of punishment. I probably replace my credit card once a year because the magnetic strip has become damaged and no longer readable. All the same, magnetic strips have shown great durability for putting up with a fair amount of punishment. I'm not sure I can visualize an LCD screen thin enough to be incorporated into a card that will withstand 175+ lbs of pressure for hours at a time. And that doesn't even consider the circuitry involved in generating the passcode.
RSA has been issuing SecurID keyfobs with this technology for at least 10 years. Hundreds of thousands, if not millions, exist worldwide. While I am sure they had issues like this in the past, they would have long since sorted it out. SecurID keyfobs are one of the standard pillars in the security chain - encompassing the "something you have".
Usually you have to type in your password (the "something you know") along with the current number on the keyfob ("something you have"), in order to successfully authenticate with a SecurID system. They're very common in government; basically they make stealing passwords much less useful, since the hacker would need to steal both the password AND the keyfob - and if someone loses their keyfob they would be issued a new one and the original deactivated, so there is a small window of opportunity there as well.
Frankly it is about time someone pressured the banks into issuing this technology. I have wished I needed a keyfob for online banking and CC transactions for YEARS. The initial expense of the rollout would be quickly offset by the savings in fraud I suspect.
Umm, how is this different than the CVV number which is already on cards for the same purpose?
http://en.wikipedia.org/wiki/CVV_number
F909119D02473E5BD81456C5365688C0
This technology has been around for some time actually. If there are any smart card developers hanging about, they might point you in the right direction.
As someone with intimate knowledge of bank card costs and the infrastructure required to support a new bank card, the likelihood of this happening is slim to none. "Impossible!" you say. Please consider the following.
1. The cost of producing these cards is extremely high relative to the plastic most users have. On the order of 10x.
2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.
3. The banks can't shift the costs of this new-fangled card off to the merchants. FYI: The merchants shift the cost of accepting bank cards and paying for fraudulent transactions to all consumers.
The project will be a nice idea that they can use as an example to regulators that they are "enhancing customer security," but is destined for the shelf.
What's needed here is an OSS banking system, not the one we currently have.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
You have your PIN and the number on the fob which changes every 30 seconds or so and the server knows the number cause the securID is associated with the card and pin number. Just like credit cards expire securID would expire as well.
http://www.daveramsey.com/ Myth: Debt is a tool and should be used to help create prosperity. Truth: Debt is not a tool; it is a method to make banks wealthy, not you. Debt is dumb. Most normal people are just plain broke because they are in debt up to their eyeballs with no hope of help. If you're in debt then you're a slave, in the sense that you do not have the freedom to use your money to help change your family tree. According to a recent USA Today article about debt, 78 percent of baby boomers have mortgage debt, 59 percent have credit card debt, 56 percent have car payments.
When a man lies he murders a part of the world.
On second thought to the dead battery thing: A lithium battery should be able to power the card for 3 years or more. The card company would just have to make a point to reissue a new card every two years or so to avoid that problem. This would eliminate the problem of changing the battery and allow it to be sealed into the card.
Batteries can last long enough to generate a new number every minute for a couple years, and digital clocks are good enough not to go out of sync for that long. Even if you are off by a few seconds, it is not a big deal because the server can simply check previous and next numbers in the sequence, while still not allowing the same number to be used more than once to complete a transaction. Traditional credit cards already have expiry dates in the two year range, so I don't see the problem.
This will push up the size/weight/cost of cards somewhat ...and don't use your card to scratch the ice off your car.
Engineering is the art of compromise.
I don't trust verisign at all. They are rolling out this solution. This news makes my skin crawl. This moderation makes my blood boil.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why would the sequence need to be reset? If such a remote possibility does arise, the bank can simply send a new card.
I insert my card into the ATM, put in my PIN as normal and then I have to put in the number that's being displayed on the card inside the ATM. If the card is inside the ATM, how do I get the number? Of course, I could memorize the number before inserting the card into the ATM. That should be popular with senior citizens.
How does this differ from "Verified by Visa," and in what ways is it better and/or worse?
The same security issues apply to debit cards. Whether or not credit cards are evil is not really a subject of discussion here.
While I applaud companies for looking for better security solutions, there are many potential issues to consider. Durability, longevity of the battery powering the card, extra manufacturing costs and waste. It seems like a mass roll out would be problematic. And what about recurring charges? Would a company need to get reauthorization for every scheduled charge?
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
First, before I go into why it's a good idea and how it's hackable, let me address a bunch of these posts above. *YES* similar ideas have been done before and *YES* this is very similar to an RSA SecurID token (or product of similar vendors). However, the BIG difference here is that it is built in to your EXISTING credit/debit card. You do NOT have to carry an additional device. Get it? See that credit card you have already? OK.. imagine it with a little changing number on it. There you go! Basic reading 101 folks. End of the sarcasm too..
This is a great idea and will go a long way to stop illegal credit card use/reuse. Especially in the case of a compromised database. However there are a few issues and ways this is still possibly hackable.
Issue 1: SecurID is not even foolproof currently. Why? Well, hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now.
Issue 2: What algorithm are they going to use? How easily can it be cracked? If they're teaming with RSA then I think they will be pretty good so long as the seed files aren't compromised. This shouldn't really happen, but who knows. If the algorithm was weak, it could potentially only take a few consecutive numbers to start generating the future numbers. However, who knows how feasible this will be.
I think it sounds like an excellent idea. Question is.. how much will it cost the consumer? If anything.
Many banks ARE rolling them out in this form: http://www.rsa.com/node.aspx?id=3019
I'm surprised that you have 6 replies to your post that are all wrong.
The cards don't generate the keys based on time. The keys are generated much the same way random numbers are generated in a computer.
The way this works:
You pick a number (seed) and a function that produces a pseudo-random output (the authentication key) based on an input. You program the same seed and function into both the card and the server.
When you go to log in, you have your credit card use the seed and function to generate a key (key1). You send key1 to the server. The server then takes the seed and function it has on record and also generates key1. If the outputs match, which they should, congratulations, you've authenticated.
Each time you request a key from the card, the card uses the last key generated as the input to the function to generate the next key. Each time you successfully authenticate, the server stores the key you authenticated with and the next time you try and authenticate it feeds that key into the function to generate the next key. Since both the card and the server know the last key they authenticated with and the function to compute the next key, they can both compute the next key.
Seed->run function->key 1
key 1->function->key 2
key 2->function->key 3
Etc, etc. The card and the server continue to generate the same keys to compare - so getting a new key is not based on TIME, but on how many authentications you've attempted.
In practice, the server generally accepts the next key, AND some number of keys after that. So, if the last time you authenticated with key315, the next time you authenticate the server will check the key you present against not only key316, but also key317, 318, 319, 320, etc. If the key you present matches any of those, it will accept your authentication and store that key as the 'last' key. This is to make the system more usable - in this case, you could generate 4 keys and not use them before your card would be too far out of sync with the server to successfully authenticate.
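Both verifier behaviours discussed in this thread can be shown in a few dozen lines: the time-based scheme from the earlier comment (the server checks the previous and next codes but refuses to accept the same code twice) and the counter-based scheme with a look-ahead window that this post describes. The block below is an added example, not code from the thread, from VeriSign or from RSA. It uses the published HOTP construction (RFC 4226: HMAC-SHA1 over a counter, truncated to six digits) as the post's "function"; the seed, the 30-second step, the look-ahead of five and the timestamps are constructed for the illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6          # code length shown on the card
TIME_STEP = 30      # seconds per time-based code (constructed choice)
LOOKAHEAD = 5       # counter-based server accepts this many codes ahead
SKEW = 1            # time-based server accepts +/- this many steps


def otp_from_counter(secret: bytes, counter: int) -> str:
    """The post's 'function': HMAC-SHA1 over a 64-bit big-endian counter,
    dynamically truncated to 31 bits and reduced to DIGITS decimal digits.
    This is the HOTP construction from RFC 4226."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class CounterCard:
    """Event-based card: every press shows the next code and advances the counter."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = otp_from_counter(self.secret, self.counter)
        self.counter += 1
        return code


class CounterServer:
    """Counter-based verifier with a look-ahead window, as described in the post:
    accept the expected code or any of the next LOOKAHEAD-1 codes, then resync."""

    def __init__(self, secret: bytes):
        self.secret, self.next_counter = secret, 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + LOOKAHEAD):
            if hmac.compare_digest(otp_from_counter(self.secret, c), code):
                self.next_counter = c + 1     # skip codes generated but never used
                return True
        return False                          # too far out of sync: card must be reissued


class TimeServer:
    """Time-based verifier: the counter is the current 30-second step. Adjacent steps
    are accepted to tolerate clock drift, but a step's code is redeemable only once."""

    def __init__(self, secret: bytes):
        self.secret, self.used_steps = secret, set()

    def verify(self, code: str, now: int) -> bool:
        step = now // TIME_STEP
        for s in range(step - SKEW, step + SKEW + 1):
            if hmac.compare_digest(otp_from_counter(self.secret, s), code):
                if s in self.used_steps:
                    return False              # replay of an already-used code
                self.used_steps.add(s)
                return True
        return False


def time_code(secret: bytes, now: int) -> str:
    """What a time-based card would display at Unix time `now`."""
    return otp_from_counter(secret, now // TIME_STEP)


def demo() -> dict:
    """Walk through both schemes; returns the verifier decisions for inspection."""
    secret = b"constructed-demo-seed-not-a-real-card-key"   # constructed, not a real seed
    r = {}

    card, server = CounterCard(secret), CounterServer(secret)
    r["counter_first_ok"] = server.verify(card.press())       # counter 0
    for _ in range(3):                                        # three codes shown but never sent
        card.press()
    r["counter_lookahead_ok"] = server.verify(card.press())   # counter 4, inside window 1..5
    for _ in range(6):                                        # six more wasted presses
        card.press()
    r["counter_too_far"] = server.verify(card.press())        # counter 11, window is 5..9
    code = otp_from_counter(secret, server.next_counter)
    r["counter_replay_first"] = server.verify(code)
    r["counter_replay"] = server.verify(code)                 # same code again is refused

    tserver, now = TimeServer(secret), 1_700_000_000          # constructed timestamp
    code = time_code(secret, now)
    r["time_ok"] = tserver.verify(code, now)
    r["time_replay"] = tserver.verify(code, now + 20)         # same step, already used
    r["time_skew_ok"] = tserver.verify(time_code(secret, now - TIME_STEP), now)
    r["time_stale"] = tserver.verify(time_code(secret, now - 3 * TIME_STEP), now)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The two servers differ only in what they feed into the same function: a press counter or a clock step. In both, the window is what turns "slightly out of sync" from a locked-out card into a normal login, and the server-side record of the last accepted counter (or used step) is what keeps an observed code from being accepted twice.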
paintball
I think you misspelled that. I guess you probably meant buttery security.
Mmmmmm. Butter.
... stem the losses from credit card fraud.
What you fail to acknowledge is the merchant and, eventually you and I pay those fraud costs. Banks do not assume the costs associated with fraud. Period. Therefore, the bank card system works pretty good for the banks.
You also are completely unaware there is a rather secure banking standard used in many parts of the industrialized world. If _that_ was implemented we'd be much better off. But the banks can shift the costs of the standard, so it doesn't get implemented.
If you base an OSS banking system...
Cryptography is not a magic bullet. Transparency and accountability, the kind associated with stable markets and Free software are much more effective tools. And, the kind of trustworthy hardware you think doesn't exist costs about $20-$30 depending on the config. Doesn't need a secure PC either.
Verisign is Jumping the Shark
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Way to entirely miss the point. This security feature has NOTHING TO DO with transactions where the buyer and the seller are in the same place. In that case, the seller knows the buyer has the card because they can SEE it. And the seller can ask to see photo ID before accepting the card if they are so inclined.
This is geared towards transactions where the buyer and the seller are NOT in the same spot - either over the phone, or over the internet. In those kinds of transactions, it is not currently possible to determine if the person presenting a credit card number to you actually has the card, or just managed to swipe the CC number off a website somewhere.
This is actually a significant problem for online retailers of big-ticket items like jewelry. It will probably make financial sense for them to adopt whatever equipment/procedure changes necessary to use these codes. It probably isn't worthwhile for your local pizza place - they can just check your card when they deliver the pizza if they are so inclined.
paintball
I think the basic idea is to prevent fraudulent purchases by requiring the purchaser to have the physical card. Many people are victims of credit card theft without having their physical card stolen from their possession. This feature will all but eliminate that. A phishing attempt that accesses your bank account in real time probably still can't even do much... In order to change any account information, a confirmation link should be sent to the account owner's email address. Maybe likewise for transferring money. Put a 60-second delay on sending the confirmation link, and by that time the SecurID code has changed. Then you need to enter a new SecurID code to confirm the account change/transaction.
But as for entering your account password, I'm pretty sure that even Joe Schmoe knows that when making an online purchase, all the merchant needs is your name, address, credit card number and now SecurID code. The user should be told by the bank that no merchant will ever require your bank account password. Better yet, this could be WRITTEN on the card itself next to the SecurID key, e.g. "Never give your account password to a merchant. Never enter your account password into a Bank of WTF hyperlink. Only type 'www.bankofwtf.com' manually into your address bar to access your account."
I was thinking that instead of a card, it would be neat to have a little USB device that could receive an encoded package from the payment website, decrypt it, and then display said code on a small LCD. The user enters the code, and proceeds with the transaction.
That way you have a code unique to the user (or at least the USB device) and verification in return that the owner has access to the device.
I have, right now, in my front pockets:
1 George Costanza wallet, containing receipts back to 1995
2 key chains, including:
- One LED flashlight
- One leatherman
- One small swiss army knife
- ~35 various keys
- Nail clippers
- Ninja Remote
- ~ 10 supermarket/blockbuster/best buy/etc discount program dongles
- Craftsman 4-headed flat-head screwdriver
- large car key
- remote car opener dongle
~ 5 various tags (volvo/strongbad/etc)
and TWO cell phones.
If you can't fit your wallet in your front pocket with the rest of your stuff, you're just not trying hard enough.
paintball
You're right about the idea behind it and we agree there. However, there are man-in-the-middle type attacks that occur here. I don't think I want to get a link to my e-mail every time I visit a shopping website or log into my bank. Chances are it's just an additional layer that has to be entered when making a transaction or logging in. If someone fakes this form or snoops it, they can quickly use and replay the information. This is why a lot of compromises in areas that use SecurID still occur. I send you a fake form that asks for your username and passcode (pin+tokencode) that looks legit. You enter it in and I'm waiting/watching and all fired up to login/make the real transaction with your information that you *just* provided. It limits the scope, but don't think for a second that it doesn't and won't happen.
massive amount of fraud that the credit companies face
No. The burden of payment fraud falls on you. This is a simple fact. Sadly, you aren't aware of this.
Read the following carefully. Re-read it if necessary.
Banks do NOT assume the costs associated with fraud. The merchants accepting bank cards assume the cost of the fraudulent transaction. Let me give you an example:
I buy a book from amazon.com with a stolen credit card, Amazon eats the cost of the book and the transaction PLUS those charges have to be reversed, and the merchant pays for the reversal.
Where is the bank losing money??? They are not. In fact, the retailer passes the costs onto you. Banks win. You lose. Time to move on.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Credit is a tool. Unfortunately it tends to in most cases carry a form of debt, but the big trick is managing it.
My car is paid off. My credit cards I use purely because I can accumulate travel points (paid off in full bi-weekly). My house has a mortgage, because - given both the current and rising market costs - there is no way I could possibly afford to save up money for a house in the next 5-10 years while also paying the (rising) cost of rent.
I'm paying slightly more for the mortgage, but the fact is that in owning a house, if I really wanted to I could sell after my 5-year term and have cash coming back. With rent it's simply gone with no returns. The mortgage is within my realm of affordability, and on accelerated payment. I will of course end up paying back more than I borrowed, but things aren't too bad.
Given that I have a roommate, I'm paying about $6900/year into a mortgage, vs $5400 rent on my previous place (which judging from the rates nowadays, would definitely be more now). In the initial years I'll hardly be denting the mortgage, I figured about five years before things start rolling. After that point I'm chipping at a bit more mortgage and a little less interest, and in the end I have a house instead of... rent.
Nowadays, unless you have an alternate source of money, singular individuals will find it hard to avoid some form of rent. Yes, the banks will get richer, but in some cases it's better to accept some debt for an appreciable asset over time.
What pisses me off is that I make maybe 10-20% more than my old man did at my age, but the cost of real-estate is up by something like 300% or more locally (and more in most appreciable-sized cities)
I do, anyway. I don't trust Verisign, period.
Agree there as well. I am 100% for this and think it is wonderful if implemented appropriately. I am not saying the MITM scenarios will make this useless by any means. This will go a long way to stopping fraud. However, the attackers will then just try and get more targeted and sophisticated. Guess what.. they just stole your information and don't have the current code. Well, you probably entered in a phone number. So they're probably going to start calling you pretending to be the "bank" when they want to use your card now. This has potential to cut CC fraud in half. It would make CC's + info useless to someone that doesn't want to try and then call the user or target them with specific e-mails trying to get their current passcode. However, it won't stop the fraud. It will severely impact it though (a good thing).
Oh wait, there already were attempts to put a smart card on a credit card in the US. Amex Blue, for example, started out as one. Practically the same "dongle on the chip" but without a readable display, and with an interface for the terminal to read.
Instead they threw it out and switched to "RFID" chip on the card. So you can use the chip for additional verification, and copying card becomes much harder.
If the contactless payment system (Exxon stations, fast food places, and some other point of sale terminals are running trials) spreads any further, this new proposal of VeriSign chip on the credit card becomes almost irrelevant (especially when combined with solution like Verified by Visa, where you can add extra verification for online-only orders).
Hyperom.com
I don't think you're offtopic at all--so now whoever it was can mod me down as well.
"Here's what's happening. You're starting to drive like your Dad..." - Red Green
So what you're saying is that you're walking around with pockets bulging like the cheeks of a chipmunk on free nut day.
I solved that problem by adding 30 lbs to my waistline. Now the pocket bulges are barely noticeable.
paintball
I had an immediate vision of the ATM asking me what the number displayed on the card is .... and of course the card is inside the ATM at the time....
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
VbV has these two issues:

Activate During Shopping asks for SSN digits
I'm at the checkout stage with a random (legitimate) merchant, and suddenly I get a VbV activation page with a URL on the merchant's web site asking for the last 4 digits of my social security number. Whoa! The page tells me that these digits will be sent directly to my bank, not to the merchant. How do I know if this is true? The merchant's web site uses JavaScript and can do essentially whatever it wants with form data. If I'm an expert and dissect the page, maybe I can feel safe. But, can an average consumer be expected to distinguish this from a phish?

Web browser sessions cross trust boundaries
A VbV password is a password checked by my bank that helps to prove I own the CC. Within a single session with a web browser, I don't want to be communicating with a merchant and also communicating with my bank. There are too many browser vulnerabilities that could allow a merchant to hijack me. Sure, I'll give the merchant my CC #, but certainly not any reusable banking password! I've always used separate browser sessions for my bank, and currently use sessions on separate virtual machines.
moderator on crack !! moderator on crack !! or at least high-in-the-stars ;)
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Did that cop follow you for 5 years till you were going to commit counterfeit.. for nothing...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Not talking about SecurID or other similar technology, but currently I can pay with my card online and it asks for a one-time key that my bank has issued. This is through Verified by Visa, and the card that I use is Visa Electron. Not a credit card, but a debit card. The one-time keys are stored in a piece of plastic that has several id-key pairs, and the bank interface asks (after asking for customer number and pin code) for the id and I must type the corresponding key. When that plastic starts to run out of id-key pairs I get sent another by mail. If I lose that plastic, then I can call my bank or disable those online. Also all customers of our bank are strongly urged to keep that piece of plastic in a separate place from where the Visa Electron card is kept, and I personally follow that.
In my opinion this is the most secure way of doing online shopping and it does not add too much extra difficulty. The only real threat to this security is either stealing the mail in which the new card is sent or some sort of phishing attack. The only phishing attack I have seen was one where you needed to enter the next key value from the card and the id was not given. For example I would not remember which was next on that list of hundreds, and it immediately seems suspicious that the id is not there. And the mail attack is not possible with all banks, as some banks here require that you get the id-key pairs personally from the bank offices.
If anyone is wondering, I live in Finland. We have this one-time password type of identification in all of our banks and it has been in use for more than 5 years; only this Verified by Visa is a new development. At first they were used exclusively for accessing bank accounts and paying bills online. Also this bank-issued one-time key is in use for example for handling our taxes online.
It's a good first step. Now to also kill MITM (Man In The Middle) attacks dead in their tracks, add a check that computes a secure number based on the amount of money you want to transfer. Want to pay for a good that costs $1357? Enter 1357 on your CC (yup, you need a "keyboard") and the only amount that this *single* transaction shall ever allow to move is this exact amount.
One MITM could still steal exactly $1357 and transfer it to someone else... But there are protections against that too. In Europe wire transfers are becoming more than common (as in "there are many people who prefer to pay by wire transfer because it's way more secure"), and in this case you enter the amount + the account you want to transfer money to and you get back a secure number allowing a transfer of exactly that amount to precisely the bank account you entered.
Once people are trained to only ever enter the number of the account they need to transfer money to this is "good game" for attackers once and for all. That's the ultimate finger to the attackers using a "card not present" low-life-scum scheme.
Thieves could steal the CC and your PIN, but we're talking about a different crime then... And not half as easy to manage.
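The transaction-binding idea in the post above (the card computes a number over the amount and the destination account, so an intermediary who changes either field ends up with a code the bank will not accept) is worth seeing end to end. The block below is an added example, not code from the thread or from any bank or vendor. It assumes a challenge-response design of my own choosing: the bank hands out a short one-time challenge, the customer keys challenge, amount and account into the card, and the card returns an 8-digit HMAC-SHA256 code. The secret, the challenge values and the account identifiers are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

DIGITS = 8   # constructed: an 8-digit code the customer reads off the card


def canonical_tx(amount, account: str) -> bytes:
    """Encode the transaction unambiguously: amount as whole cents, then the
    destination account. Without this, '1357' and '1357.00' would yield
    different codes for the same payment."""
    cents = int((Decimal(str(amount)) * 100).to_integral_value())
    return f"{cents}|{account}".encode()


def authorization_code(secret: bytes, challenge: str, amount, account: str) -> str:
    """Card side: the customer keys in the bank's challenge, the amount and the
    destination account; the card MACs all three with its per-card secret."""
    msg = challenge.encode() + b"|" + canonical_tx(amount, account)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10 ** DIGITS:0{DIGITS}d}"


class Bank:
    """Bank side: issues one-time challenges and executes a transfer only when
    the code binds exactly the amount and account being submitted."""

    def __init__(self, card_secret: bytes, challenge_source=None):
        self.secret = card_secret
        self.pending = set()
        self.new_challenge = challenge_source or (lambda: secrets.token_hex(4))

    def begin(self) -> str:
        challenge = self.new_challenge()
        self.pending.add(challenge)
        return challenge

    def commit(self, challenge: str, amount, account: str, code: str) -> bool:
        if challenge not in self.pending:
            return False                     # unknown or already consumed: replay
        self.pending.discard(challenge)      # single use, even if verification fails
        expected = authorization_code(self.secret, challenge, amount, account)
        return hmac.compare_digest(expected, code)


def demo_transactions() -> dict:
    """Honest payment, replay, and two tampered submissions; returns the decisions."""
    secret = b"constructed-demo-card-secret"              # constructed, not a real key
    fixed = iter(["c0ffee01", "c0ffee02", "c0ffee03"])    # deterministic challenges for the demo
    bank = Bank(secret, challenge_source=lambda: next(fixed))
    r = {}

    # Honest flow: customer pays 1357.00 to the merchant's account.
    ch = bank.begin()
    code = authorization_code(secret, ch, "1357.00", "DEMO-ACCT-001")
    r["honest"] = bank.commit(ch, "1357.00", "DEMO-ACCT-001", code)
    r["replay"] = bank.commit(ch, "1357.00", "DEMO-ACCT-001", code)

    # An intermediary alters the amount after the customer computed the code.
    ch = bank.begin()
    code = authorization_code(secret, ch, "1357", "DEMO-ACCT-001")
    r["tampered_amount"] = bank.commit(ch, "9999.00", "DEMO-ACCT-001", code)

    # ...or redirects the payment to another account.
    ch = bank.begin()
    code = authorization_code(secret, ch, "1357", "DEMO-ACCT-001")
    r["tampered_account"] = bank.commit(ch, "1357", "OTHER-ACCT-999", code)

    # Canonical encoding: the same payment written two ways gives one code.
    r["canonical_amounts_equal"] = (
        authorization_code(secret, "x", "1357", "A")
        == authorization_code(secret, "x", "1357.00", "A")
    )
    return r


if __name__ == "__main__":
    for name, ok in demo_transactions().items():
        print(f"{name:24s} {'executed' if ok else 'refused'}")
```

The bank never needs the customer's typed amount in advance; it verifies against whatever the merchant actually submits, which is exactly the field an intermediary would alter. Consuming the challenge on failure as well as on success keeps a captured challenge from being used to guess codes.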
I'm amazed at all the completely uninformed comments by people saying idiocy like "My CC is resistant, how could they embed a chip on a CC without having it break" or "How can you embed a device that has processing power inside a CC".
Dudes, we're in the 21st century. Sun is selling millions of Java SmartCards with a powerful chip capable of responding to cryptographic challenges. Some countries are using such a device for every fscking citizen as an ID card, while in other countries this is used nation-wide by the healthcare system (Brazil).
Please, guys, wake up. The processing power you can have inside a CC today is way more important than what you had in a big server 30 years ago.
Computing a time-based / card-based secure number is more than easy on such a device. Displaying it requires a tiny "screen" but in this day and age of robust miniaturization this is nowhere near a problem.
The benefits of such a technology are just too important to let lame trolls whine all together "but it's gonna be fragile" and "you can't compute anything on a device that small".
I didn't see it in the tfa, who will be the card issuers, has Mastercard/Visa signed on? Will the PCI standard be interested in this?
Get up!