Slashdot Mirror


VeriSign To Offer Passwords On Bank Card

Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."

15 of 158 comments

  1. O rly? by EveryNickIsTaken · · Score: 2, Insightful

    Imagine the PayPal security tool embedded on a credit card. I imagine myself never signing up for this card, then.

    1. Re:O rly? by eln · · Score: 2, Insightful

      Long gone are the days when you needed to ELABORATE your post to get this insightful honour...

      Slow down there, bucky. Are you trying to suggest there was EVER a time in Slashdot's history where this was the case? You must be new here.

      As for this one-time use password thing, my big concern would be durability. My plastic credit card is pretty tough. I can, say, hit it with a mallet and it's fine. How will they make it that durable if they include circuitry and a display window capable of generating and displaying a one time password?

  2. Re:Password request... by ichigo+2.0 · · Score: 2, Insightful

    They're pregenerated one-time passwords so that would be no.

  3. Re:while the concept is interesting by jonnythan · · Score: 2, Insightful

    Various companies have been issuing badges with changing keys like this for years. Several people I work with have them. They change about once a minute.

    So, I suppose it's safe to say they've figured those problems out.

  4. Re:securid? by Lachryma · · Score: 3, Insightful

    Exactly like SecurID, but without a separate token to lose and juggle for each account. It's right on the card.

  5. CVV? by parodyca · · Score: 2, Insightful

    Umm, how is this different than the CVV number which is already on cards for the same purpose?

    http://en.wikipedia.org/wiki/CVV_number

  6. Dead battery by Radon360 · · Score: 2, Insightful

    On second thought to the dead battery thing: A lithium battery should be able to power the card for 3 years or more. The card company would just have to make a point to reissue a new card every two years or so to avoid that problem. This would eliminate the problem of changing the battery and allow it to be sealed into the card.

  7. Re:Durability by smooth+wombat · · Score: 2, Insightful

    that will withstand 175+ lbs of pressure for hours at a time.

    Let me guess, you take the George Costanza approach and stick napkins under your other ass cheek so you don't have to sit at an angle.

    Why do men insist on sitting on their wallets all day long? Take them out of your back pocket! Put it in your desk drawer, a backpack, any place but your back pocket. I leave mine in my car when I'm at work. Why bother bringing something else to work that you won't use and have to carry it back out at the end of the day?

    And what are you doing, besides sitting on it, that you need to replace your card once a year? Mine always last the entire term of four years or so. Can't say the same for my signature on the card but that's not my problem since no one checks anyway.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower

  8. Re:Verisign's Jumping The Shark by LS · · Score: 2, Insightful

    So you're saying the cost of these cards is going to be more than the massive amount of fraud that the credit companies face? That's not possible. Also, banking software is not general purpose, publicly usable software. The amount of software in this category that is written by open source authors is virtually nonexistent, and furthermore it's millions of lines of highly secure code. Who's going to write this "OSS banking system"?

    LS

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie

  9. The cycle is INFINITELY long. by raehl · · Score: 4, Insightful

    I'm surprised that you have 6 replies to your post that are all wrong.

    The cards don't generate the keys based on time. The keys are generated much the same way random numbers are generated in a computer.

    The way this works:

    You pick a number (seed) and a function that produces a pseudo-random output (the authentication key) based on an input. You program the same seed and function into both the card and the server.

    When you go to log in, you have your credit card use the seed and function to generate a key (key1). You send key1 to the server. The server then takes the seed and function it has on record and also generates key1. If the outputs match, which they should, congratulations, you've authenticated.

    Each time you request a key from the card, the card uses the last key generated as the input to the function to generate the next key. Each time you successfully authenticate, the server stores the key you authenticated with and the next time you try and authenticate it feeds that key into the function to generate the next key. Since both the card and the server know the last key they authenticated with and the function to compute the next key, they can both compute the next key.

    Seed->run function->key 1
    key 1->function->key 2
    key 2->function->key 3

    Etc, etc. The card and the server continue to generate the same keys to compare - so getting a new key is not based on TIME, but on how many authentications you've attempted.

    In practice, the server generally accepts the next key, AND some number of keys after that. So, if the last time you authenticated with key315, the next time you authenticate the server will check the key you present against not only key316, but also key317,318,319,320, etc. If the key you present matches any of those, it will accept your authentication and store that key as the 'last' key. This is to make the system more usable - in this case, you could generate 4 keys and not use them before your card would be too far out of sync with the server to successfully authenticate.
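    The chained, counter-style scheme described in this post (seed -> key 1 -> key 2 -> ..., with the server accepting the next key plus a few after it) written out as a runnable model. This is an added example, not code from the original thread or from VeriSign; the seed value, the 6-digit display, and the window of four extra keys are constructed for illustration. One design choice added here: each step is an HMAC keyed with the secret seed rather than a public function of the previous key alone, so that someone who sees one displayed code cannot compute the codes that follow it. The model also shows the two failure modes the post implies: a reused code is rejected (the server has moved past it), and a card pressed more times than the window allows falls out of sync.

```python
import hmac
import hashlib

# Constructed per-card secret for this example; a real deployment would
# provision a random seed into each card and into the bank's server.
SEED = b"example-per-card-seed-do-not-reuse"
DIGITS = 6          # length of the code a card display could show
WINDOW = 4          # extra keys the server accepts beyond the "next" one


def next_key(seed: bytes, prev: bytes) -> bytes:
    """One chain step: key_n = f(key_{n-1}), with f keyed by the shared seed.

    Keying the step with the seed is an assumption added in this example so
    that observing key_n does not reveal key_{n+1}.
    """
    return hmac.new(seed, prev, hashlib.sha256).digest()


def display(key: bytes) -> str:
    """Truncate a 32-byte key to the short numeric code shown on the card."""
    return str(int.from_bytes(key[:4], "big") % 10**DIGITS).zfill(DIGITS)


class Card:
    """Event-based token: each button press advances the chain one step."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.last = seed            # "Seed -> run function -> key 1"

    def press(self) -> str:
        self.last = next_key(self.seed, self.last)
        return display(self.last)


class Server:
    """Holds the last accepted key and looks ahead WINDOW keys past the next."""

    def __init__(self, seed: bytes, window: int = WINDOW):
        self.seed = seed
        self.last = seed
        self.window = window

    def authenticate(self, code: str) -> bool:
        candidate = self.last
        # Check the next key and `window` keys after it (key316..key320 in the post).
        for _ in range(self.window + 1):
            candidate = next_key(self.seed, candidate)
            if hmac.compare_digest(display(candidate), code):
                # Store the accepted key; every earlier key is now dead, so a
                # captured code cannot be replayed.
                self.last = candidate
                return True
        return False


def demo() -> list:
    """Walk through the scenarios the post describes; returns the auth results."""
    card, server = Card(SEED), Server(SEED)
    results = []
    results.append(server.authenticate(card.press()))   # key 1: accepted
    for _ in range(4):                                  # keys 2-5 generated, never sent
        card.press()
    code6 = card.press()                                # key 6: still inside the window
    results.append(server.authenticate(code6))          # accepted
    results.append(server.authenticate(code6))          # replay of key 6: rejected
    for _ in range(5):                                  # keys 7-11 wasted
        card.press()
    results.append(server.authenticate(card.press()))   # key 12: out of sync, rejected
    return results


if __name__ == "__main__":
    print(demo())
```

    With a window of four, the fifth skipped press is the first one that strands the card, which is exactly the "generate 4 keys and not use them" limit the post gives; the card in the model needs a resynchronisation step out of band, which the post does not describe and the example does not invent.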

    1. Re:The cycle is INFINITELY long. by Marillion · · Score: 2, Insightful

      I think the reason why people have gone the way they have is because so many of us have held such a device in our hands. The elegance of the technology they're describing is that there is no input except ticks from a clock. Anything more complicated than that would require adding a button to the card. I'd hate to accidentally hit the "next key" button too many times because it was in my wallet and I sat on it.

      --
      This is a boring sig

  10. Re:GREAT IDEA! .. but still hackable by Pap22 · · Score: 2, Insightful

    Issue 1: SecurID is not even foolproof currently. Why? Well, hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now.

    I think the basic idea is to prevent fraudulent purchases by requiring the purchaser to have the physical card. Many people are victims to credit card theft without having their physical card stolen from their possession. This feature will all but eliminate that. A phishing attempt that accesses your bank account in real time probably still can't even do much... In order to change any account information, a confirmation link should be sent to the account owner's email address. Maybe likewise for transferring money. Put a 60-second delay on sending the confirmation link, and by that time the SecurID code has changed. Then you need to enter a new SecurID code to confirm the account change/transaction.

    But as for entering your account password, I'm pretty sure that even Joe Schmoe knows that when making an online purchase, all the merchant needs is your name, address, credit card number and now SecurID code. The user should be told by the bank that no merchant will ever require your bank account password. Better yet, this could be WRITTEN on the card itself next to the SecurID key, e.g. "Never give your account password to a merchant. Never enter your account password into a Bank of WTF hyperlink. Only type 'www.bankofwtf.com' manually into your address bar to access your account."

  11. Re:securid? by ady1 · · Score: 2, Insightful

    Not sure if you're serious, but the last SecurID I used was quite tiny and judging by its size, I think it can easily be fitted into a credit card without making the card any bigger. Maybe a little thickness increase due to LCD or maybe they can use some alternate technology or thinner LCDs to not change the card at all.

    In fact I'm more concerned about the battery since that will be harder to fit into the card and may not last as long, or maybe not.

    https://www.softwareplusonline.com/catalog/productDetail.aspx?productid=He1bT4v5hgI%3D

  12. Re:securid? by farnsworth · · Score: 2, Insightful

    Why don't banks just roll out SecurID to everyone...?

    Because it's more convenient to have the device on the card. I carry many credit cards, I don't want to have a corresponding securid device for each card.

    --

    There ain't no pancake so thin it doesn't have two sides.

  13. I like the concept ... but by Allnighterking · · Score: 2, Insightful

    I had an immediate vision of the ATM asking me what the number displayed on the card is .... and of course the card is inside the ATM at the time....

    --

    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.