Slashdot Mirror


VeriSign To Offer Passwords On Bank Card

Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."

9 of 158 comments

  1. Re:Two Factor Dynamic Login Verification by Red+Flayer · · Score: 3, Informative

    I've got one of these for international banking. The case is about 5 mm thick; it could easily be thinner except for usability concerns for something designed to be a keychain. Solar powered, but could just as easily be mechanically recharged a la some of the watches on the market. It generates an 8-digit password from some time-based algorithm; when submitted to the bank, the bank server checks the password against all the passwords possible for the previous short period of time.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  2. Already done by brunes69 · · Score: 3, Informative

    RSA has been issuing SecurID keyfobs with this technology for at least 10 years. Hundreds of thousands, if not millions, exist worldwide. While I am sure they had issues like this in the past, they would have long since sorted them out. SecurID keyfobs are one of the standard pillars in the security chain, encompassing the "something you have".

    Usually you have to type in your password (the "something you know") along with the current number on the keyfob ("something you have") in order to successfully authenticate with a SecurID system. They're very common in government; basically they make stealing passwords much less useful, since the hacker would need to steal both the password AND the keyfob, and if someone loses their keyfob they would be issued a new one and the original deactivated, so there is a small window of opportunity there as well.

    Frankly it is about time someone pressured the banks into issuing this technology. I have wished I needed a keyfob for online banking and CC transactions for YEARS. The initial expense of the rollout would be quickly offset by the savings in fraud I suspect.

    1. Re:Already done by b0bby · · Score: 2, Informative

      The initial expense of the rollout would be quickly offset by the savings in fraud I suspect.
      My impression is that the card companies don't care too much about fraud, since mostly they just charge anything back to the merchant, who has to eat it. Card companies mostly care about getting people to use their card a lot, which is why you don't have to sign for lots of purchases under $25 these days. If a merchant gets some disputed charges, that's their problem.

  3. Verisign's Jumping The Shark by mpapet · · Score: 4, Informative

    This technology has been around for some time actually. If there are any smart card developers hanging about, they might point you in the right direction.

    As someone with intimate knowledge of bank card costs and the infrastructure required to support a new bank card, the likelihood of this happening is slim to none. "Impossible!" you say. Please consider the following.

    1. The cost of producing these cards is extremely high relative to the plastic most users have. On the order of 10x.

    2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.

    3. The banks can't shift the costs of this new-fangled card off to the merchants. FYI: The merchants shift the cost of accepting bank cards and paying for fraudulent transactions to all consumers.

    The project will be a nice idea that they can use as an example to regulators that they are "enhancing customer security," but it is destined for the shelf.

    What's needed here is an OSS banking system, not the one we currently have.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  4. Re:CVV? by jmn2519 · · Score: 4, Informative

    Because the number will change every minute or so. Just like the fob from PayPal. Basically what they are doing is taking that fob with the LCD and changing the form factor to be a credit card (complete with mag stripe). Someone could steal your CVV or trick you into giving it to them. That becomes a lot more difficult with these one-time passwords, when the number changes all the time.

  5. Re:while the concept is interesting by daeg · · Score: 3, Informative

    The server knows the last few values and the next few values; any selected from a reasonable amount of time are generally permitted. Higher security requirements can lower the time window. But given a time code that changes once every 5 minutes, and a server that permits the current and previous/next two, that's a 25-minute window. So even an inaccurate clock that loses a second a day is good for almost 2 years without a clock sync.

    You could even build the terminals such that they sync the clock. Many terminals run on always-on connections now, so running something like ntp on them is feasible. You could use the clock skew to detect attempted fraud, too: if you know from historical data that the clock in a particular card loses 2.4 seconds a day, and the number of days since the last purchase * 2.4 seconds doesn't equal the real time, something is wrong, possibly a forged card. It's easy to duplicate a magnetic strip; I'd bet it's harder to forge a purposely inaccurate clock that varies from card to card.

    As an aside, I hope the electronics are recyclable and the credit card companies actively solicit returns of them. It'd be nice if the cover/numbers of the card were simply an overlay that could be replaced, along with the clear protective coating. Replace the front panel, sync the clock, put the new data on the magnetic strip, coat it, and wham, new card without wasting the electronic components.
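The time-based scheme that Red+Flayer (comment 1) and daeg (comment 5) describe, as an added example in Python that is not part of the original thread and not VeriSign's or any bank's code: an RFC 6238 TOTP built on RFC 4226 HOTP, a server-side check that accepts the current step plus two on either side, and daeg's per-card clock-skew test. The 5-minute step, the two-step window, the 2.4 s/day drift rate and the 200-day service period are the comment's illustrative numbers, not a real deployment; the key is the RFC test-vector key and the "server time" is constructed so the arithmetic is easy to follow.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 300   # daeg's illustrative 5-minute step (the RFC 6238 default is 30 s)
WINDOW_STEPS = 2     # accept the current step plus two before and two after: a 25-minute window
DIGITS = 8           # Red+Flayer's token shows 8 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based variant (RFC 6238): the HOTP counter is the number of elapsed steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int, step: int = STEP_SECONDS,
                window: int = WINDOW_STEPS, digits: int = DIGITS):
    """Check `code` against every step from server-window to server+window.

    Returns the step offset at which it matched (0 = the server's current step,
    negative = the card's clock is behind), or None if nothing in the window matched.
    """
    base = server_time // step
    for off in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + off, digits), code):
            return off
    return None


def drift_is_plausible(observed_offset_steps, days_in_service: float,
                       drift_seconds_per_day: float, step: int = STEP_SECONDS,
                       tolerance_steps: float = 1.0) -> bool:
    """daeg's skew check (assumes the bank has learned this card's drift rate from history):
    the offset the server just observed should agree with the drift this particular card
    is known to accumulate, give or take one step of rounding."""
    if observed_offset_steps is None:          # no match at all: nothing to reason about
        return False
    expected_steps = drift_seconds_per_day * days_in_service / step
    return abs(observed_offset_steps - expected_steps) <= tolerance_steps


def demo() -> dict:
    """Constructed scenario: a genuine card that loses 2.4 s/day and a cloned card
    carrying an accurate clock, both presented 200 days after issue."""
    secret = b"12345678901234567890"   # RFC 4226/6238 test-vector key, not a real card secret
    now = 1_500_000_000               # constructed server time, an exact multiple of 300 s
    days = 200
    rate = -2.4                       # seconds per day this card is known to lose

    genuine = totp(secret, now + int(rate * days))   # card clock is 480 s slow
    cloned = totp(secret, now)                        # clone keeps perfect time
    stale = totp(secret, now - 650)                   # more than two steps behind: outside the window

    genuine_off = verify_totp(secret, genuine, now)
    cloned_off = verify_totp(secret, cloned, now)
    return {
        "genuine_offset": genuine_off,                                    # -2
        "genuine_plausible": drift_is_plausible(genuine_off, days, rate),  # True
        "cloned_offset": cloned_off,                                      # 0: the window accepts it...
        "cloned_plausible": drift_is_plausible(cloned_off, days, rate),    # False: ...the skew check flags it
        "stale_offset": verify_totp(secret, stale, now),                  # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cloned card is the interesting case: it is a perfect copy of the secret, so the plain window check accepts it, and only the second, behavioural test (the card's known drift) distinguishes it. The skew check is a fraud signal, not an authenticator; a genuine card whose clock was resynced at a terminal would also trip it until the bank updated its drift model.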

  6. What Massive Fraud? by mpapet · · Score: 2, Informative

    massive amount of fraud that the credit companies face

    No. The burden of payment fraud falls on you. This is a simple fact. Sadly, you aren't aware of this.

    Read the following carefully. Re-read it if necessary.

    Banks do NOT assume the costs associated with fraud. The merchants accepting bank cards assume the cost of the fraudulent transaction. Let me give you an example:

    I buy a book from amazon.com with a stolen credit card; Amazon eats the cost of the book and the transaction, PLUS those charges have to be reversed, and the merchant pays for the reversal.

    Where is the bank losing money??? They are not. In fact, the retailer passes the costs onto you. Banks win. You lose. Time to move on.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  7. Re:The cycle is INFINITELY long. by fwr · · Score: 3, Informative

    You are describing another synchronous token system; everyone else is describing a more familiar synchronous token system. Both are valid and existing technologies. There are also asynchronous token systems. TFA says:

    "VeriSign was expected to announce a deal Tuesday with Innovative Card Technologies Inc."

    and

    "That code constantly changes, meaning the customer needs to have possession of the card to access the account."

    Now, ICT says this:

    "InCard has embedded an operating system into the card - the press of a button on the card activates a battery, circuit, and chip, which sends an algorithm-generated passcode to an embedded display. Each time the button is pressed, another passcode is generated. This passcode is good for only one use during a limited time, thus proving possession of the card and guarding against electronic fraud."

    and:

    "OTP generated with OATH or custom algorithm"

    This certainly sounds like a counter-based synchronous system, but is it? How can it be "good for only one use during a limited time" if time is not a factor? What would stop you from generating a code, writing that down, and using it days or weeks later? I'm not pointing this out to question the security of the device, as I believe they would still be secure (just don't generate codes and write them down where they can be stolen along with your card number!). I'm pointing it out because it leaves one to question whether this is truly a counter-based synchronous system.

    OATH's definition of a OTP token is the industry standard:

    "OTP (One Time Passwords) authentication (commonly used today) can be divided in two types; synchronous (based on a transformation of a common shared secret and a moving value that is synchronous on both the server side and the client side. This method is what usually is referred to as OTP) and challenge-response (in which a server generates a challenge value that will be transformed by the client based on a secret shared between the client and the server)."

    They call asynchronous authentication challenge-response, but it's all the same. The OATH Reference Model does say this:

    "OATH has endorsed a new OTP algorithm standard called HMAC-based OTP [HOTP], based on the HMAC SHA-1 algorithm. It is an event-based OTP algorithm, in which a counter value is used in the OTP calculation and incremented on the client and server after each use. The algorithm has been submitted to the IETF for standardization as an Informational RFC. Areas of future work include possible extensions to the current HOTP algorithm, such as:
      Time-based OTP algorithm variant
      Counter-based re-synchronization method for clients that can send the count value to the server along with the OTP value
      Composite shared secrets (e.g., based on user PIN or other deterministic data for computing the shared secret)
      Addition of a data field for computing OTP values
    Additionally, OATH will also look to promote standardization of other low cost authentication technologies, specifically targeted towards consumer usage scenarios. Some of the areas that OATH is investigating include scratch-cards and methods derived from battleship or bingo cards."

    So it certainly looks like your guess that we are talking about a counter-based system rather than a time-based system is accurate. However, it's still a guess; until more information is available we just won't know. Did Verisign specify their own algorithm that is time-based, as ICT says they can support (the alternative algorithm, not necessarily anything that requires a clock)?
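The counter-based HOTP mechanism quoted in this comment (and asserted in comment 8 below), as an added example in Python that is not part of the original thread and not ICT's or VeriSign's code: a card-side token whose button press emits the next counter's code, and a bank-side verifier with the RFC 4226 look-ahead window plus a resynchronization step that asks for two consecutive codes. It also answers the "write a code down and use it weeks later" question: no clock is involved, but as soon as any later code has been accepted the stored counter has moved past the older one, so the note in your wallet is dead. The LOOK_AHEAD and RESYNC_LOOK_AHEAD values and the two-consecutive-code resync policy are assumptions, not something the page or the product specifies; the key is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct

LOOK_AHEAD = 10          # RFC 4226's look-ahead parameter s: how far past the stored counter to search
RESYNC_LOOK_AHEAD = 100  # wider search used only when the user supplies two consecutive codes (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CardToken:
    """The card side: each button press emits the code for the current counter and
    advances it. There is no clock; the counter alone is OATH's 'moving value'."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpVerifier:
    """The bank side: remembers the next counter it will accept for this card."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def verify(self, code: str) -> bool:
        """Accept the first match in [counter, counter + LOOK_AHEAD]; on success move the
        stored counter past it, which retires that code and every older one."""
        for c in range(self.counter, self.counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def resync(self, first: str, second: str) -> bool:
        """Recover a card whose counter ran far ahead (button pressed in a pocket):
        two consecutive codes must match at adjacent counters inside a wider window."""
        for c in range(self.counter, self.counter + RESYNC_LOOK_AHEAD):
            if (hmac.compare_digest(hotp(self.secret, c), first)
                    and hmac.compare_digest(hotp(self.secret, c + 1), second)):
                self.counter = c + 2
                return True
        return False


def demo() -> list:
    """Constructed scenario: a user notes one code down, uses a later one, then tries the note."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector key, not a real card secret
    card, bank = CardToken(secret), HotpVerifier(secret)
    results = []

    c0, c1, c2 = card.press(), card.press(), card.press()   # three presses; c1 is written down
    results.append(bank.verify(c2))   # True: two ahead of the bank's counter, inside the look-ahead
    results.append(bank.verify(c1))   # False: the written-down code is now behind the counter
    results.append(bank.verify(c2))   # False: replay of a code that has already been used
    results.append(bank.verify(c0))   # False: older still

    for _ in range(30):               # card pressed 30 times in a pocket, never submitted
        card.press()
    far = card.press()                # counter 33, well beyond LOOK_AHEAD from the bank's 3
    results.append(bank.verify(far))                    # False: outside the normal window
    results.append(bank.resync(far, card.press()))      # True: pair found at 33/34, counter -> 35
    results.append(bank.verify(card.press()))           # True: back in sync
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead is the whole trade-off: a wide window tolerates accidental presses but gives an attacker who has the secret more counters to land on per guess, and an unused code stays live exactly until the next later code is accepted. That is also why "good for only one use during a limited time" can be literally true of a pure counter scheme only if the bank imposes a separate time limit of its own; the algorithm itself does not.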

  8. Re:securid? by Zeinfeld · · Score: 2, Informative

    Wouldn't this basically be a version of SecurID? Why don't banks just roll out SecurID to everyone and get the same net effect?

    Because SecurID is a closed, proprietary system.

    The VeriSign/OATH scheme is patented but there is a royalty free license that allows anyone to make the cards/tokens/whatever.

    Also, the OATH scheme is a counter-based token, not a clock. A clock would not work in the card form factor; the battery would not last long enough to be interesting. A counter-based scheme is much more practical.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/