VeriSign To Offer Passwords On Bank Card
Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."
Wouldn't this basically be a version of SecurID? Why don't banks just roll out SecurID to everyone and get the same net effect?
How long is the cycle on the card? And how do they keep it from going out of sync? My watch loses about a second every day (ok, it's a cheap watch), but nonetheless, the only way it and the server can work is if the key is based on time. If that is the case, then the card's clock has to stay sync'd with the server's clock... Wouldn't that be a problem?
Connection too slow for X forwarding? Try "ssh -CX user@host"
So as I understand it from the article, there'll be some sort of "device" in a corner of the card, with a "display window" that shows the randomized password? How's it powered? How's it controlled? What happens when the battery in my credit card is dead?
I wish there was a choice that said "Factually Wrong -1" when I mod.
Um. How's that practical with a credit card again?
And what about when I'm paying for gas with a credit card. Do I have to go in to give the guy the password, or are they changing out all the pump credit terminals for ones with full keyboards?
My immediate concern is durability. Credit cards take a lot of punishment. I probably replace my credit card once a year because the magnetic strip has become damaged and no longer readable. All the same, magnetic strips have shown great durability for putting up with a fair amount of punishment. I'm not sure I can visualize an LCD screen thin enough to be incorporated into a card that will withstand 175+ lbs of pressure for hours at a time. And that doesn't even consider the circuitry involved in generating the passcode.
First, before I go into why it's a good idea and how it's hackable, let me address a bunch of these posts above. *YES* similar ideas have been done before and *YES* this is very similar to an RSA SecurID token (or product of similar vendors). However, the BIG difference here is that it is built-in to your EXISTING credit/debit card. You do NOT have to carry an additional device. Get it? See that credit card you have already? OK.. imagine it with a little changing number on it. There you go! Basic reading 101 folks. End of the sarcasm too..
This is a great idea and will go a long way to stop illegal credit card use/reuse. Especially in the case of a compromised database. However there are a few issues and ways this is still possibly hackable.
Issue 1: SecurID is not even foolproof currently. Why? Well, hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now.
Issue 2: What algorithm are they going to use? How easy can it be cracked? If they're teaming with RSA then I think they will be pretty good so long as the seed files aren't compromised. This shouldn't really happen, but who knows. If the algorithm was weak, it could potentially only take a few consecutive numbers to start generating the future numbers. However, who knows how feasible this will be.
I think it sounds like an excellent idea. Question is.. how much will it cost the consumer? If anything.
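An added sketch, not part of any comment in this thread and not VeriSign's or RSA's code: a server-side check for a time-based one-time code that tolerates card clock drift (the sync question raised earlier) and rejects reuse, while showing that a code which never reached the server is still accepted (Issue 1 above). The article names no algorithm, so RFC 6238 TOTP stands in as an assumption; `STEP`, `DRIFT_STEPS`, `CardVerifier` and the seed are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30         # seconds per code (assumed; the article gives no cycle length)
DRIFT_STEPS = 2   # steps of card clock error tolerated either side (assumed)

def totp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 code for one time-step counter (stand-in algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CardVerifier:
    """Per-card server state: seed, learned drift, last accepted step."""
    def __init__(self, seed: bytes):
        self.seed = seed
        self.drift = 0        # card clock offset in steps, learned at each login
        self.last_used = -1   # highest counter already accepted

    def verify(self, code: str, server_time: int) -> bool:
        expected = server_time // STEP + self.drift
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            counter = expected + delta
            if counter <= self.last_used:
                continue      # one-time use: a step is never accepted twice
            if hmac.compare_digest(totp(self.seed, counter), code):
                self.last_used = counter
                self.drift += delta   # resynchronise to the card's clock
                return True
        return False

def demo():
    seed = b"constructed-demo-seed"   # constructed sample value
    server = CardVerifier(seed)
    now = 1_000_000_020
    card_clock = now - 45             # card runs 45 s slow
    code = totp(seed, card_clock // STEP)
    first = server.verify(code, now)          # accepted despite the drift
    replay = server.verify(code, now + 5)     # same code again: rejected
    # A code entered on a fake form never reached the server, so it is
    # still unused and passes when submitted within the window.
    unseen = totp(seed, (card_clock + 60) // STEP)
    relayed = server.verify(unseen, now + 70)
    return first, replay, relayed, server.drift
```

The reuse check only covers codes the server has already seen, which is why the passcode limits the value of a stolen card database but does not stop a real-time fake form.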
... stem the losses from credit card fraud.
What you fail to acknowledge is the merchant and, eventually you and I pay those fraud costs. Banks do not assume the costs associated with fraud. Period. Therefore, the bank card system works pretty good for the banks.
You also are completely unaware there is a rather secure banking standard used in many parts of the industrialized world. If _that_ was implemented we'd be much better off. But the banks can shift the costs of the standard, so it doesn't get implemented.
If you base an OSS banking system...
Cryptography is not a magic bullet. Transparency and accountability, the kind associated with stable markets and Free software are much more effective tools. And, the kind of trustworthy hardware you think doesn't exist costs about $20-$30 depending on the config. Doesn't need a secure PC either.
Verisign is Jumping the Shark
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Oh wait, there already were attempts to put smart card on credit card in US. Amex Blue, for example, started out as one. Practically same "dongle on the chip" but without readable display, and with an interface for terminal to read.
Instead they threw it out and switched to "RFID" chip on the card. So you can use the chip for additional verification, and copying card becomes much harder.
If the contactless payment system (Exxon stations, fast food places, and some other point of sale terminals are running trials) spreads any further, this new proposal of VeriSign chip on the credit card becomes almost irrelevant (especially when combined with solution like Verified by Visa, where you can add extra verification for online-only orders).