VeriSign To Offer Passwords On Bank Card
Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."
Dear VeriSign,
Can I put in a request for the password 12345 before anyone else does?
-m
Wouldn't this basically be a version of SecurID? Why don't banks just roll out SecurID to everyone and get the same net effect?
How long is the cycle on the card? And how do they keep it from going out of sync? My watch loses about a second every day (ok, it's a cheap watch), but nonetheless, the only way it and the server can work is if the key is based on time. If that is the case, then the card's clock has to stay synced with the server's clock... Wouldn't that be a problem?
Connection too slow for X forwarding? Try "ssh -CX user@host"
So as I understand it from the article, there'll be some sort of "device" in a corner of the card, with a "display window" that shows the randomized password? How's it powered? How's it controlled? What happens when the battery in my credit card is dead?
I wish there was a choice that said "Factually Wrong -1" when I mod.
I've got one of these for international banking. The case is about 5 mm thick, and could easily be thinner except for usability concerns for something designed to be a keychain. Solar powered, but could just as easily be mechanically recharged a la some of the watches on the market. It generates an 8-digit password from some time-based algorithm; when submitted to the bank, the bank server checks the password against all the passwords possible for the previous short period of time.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
my password is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Oops!
My immediate concern is durability. Credit cards take a lot of punishment. I probably replace my credit card once a year because the magnetic strip has become damaged and no longer readable. All the same, magnetic strips have shown great durability for putting up with a fair amount of punishment. I'm not sure I can visualize an LCD screen thin enough to be incorporated into a card that will withstand 175+ lbs of pressure for hours at a time. And that doesn't even consider the circuitry involved in generating the passcode.
RSA has been issuing SecurID keyfobs with this technology for at least 10 years. Hundreds of thousands, if not millions, exist worldwide. While I am sure they had issues like this in the past they would have long since sorted it out. SecurID keyfobs are one of the standard pillars in the security chain - encompassing the "something you have".
Usually you have to type in your password (the "something you know") along with the current number on the keyfob ("something you have"), in order to successfully authenticate with a SecurID system. They're very common in government; basically they make stealing passwords much less useful, since the hacker would need to steal both the password AND the keyfob - and if someone loses their keyfob they would be issued a new one and the original deactivated, so there is a small window of opportunity there as well.
Frankly it is about time someone pressured the banks into issuing this technology. I have wished I needed a keyfob for online banking and CC transactions for YEARS. The initial expense of the rollout would be quickly offset by the savings in fraud I suspect.
Umm, how is this different from the CVV number which is already on cards for the same purpose?
http://en.wikipedia.org/wiki/CVV_number
This technology has been around for some time actually. If there are any smart card developers hanging about, they might point you in the right direction.
As someone with intimate knowledge of bank card costs and the infrastructure required to support a new bank card, the likelihood of this happening is slim to none. "Impossible!" you say. Please consider the following.
1. The cost of producing these cards is extremely high relative to the plastic most users have. On order of 10x.
2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.
3. The banks can't shift the costs of this new-fangled card off to the merchants. FYI: The merchants shift the cost of accepting bank cards and paying for fraudulent transactions to all consumers.
The project will be a nice idea that they can use as an example to regulators that they are "enhancing customer security," but is destined for the shelf.
What's needed here is an OSS banking system, not the one we currently have.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
On second thought to the dead battery thing: A lithium battery should be able to power the card for 3 years or more. The card company would just have to make a point to reissue a new card every two years or so to avoid that problem. This would eliminate the problem of changing the battery and allow it to be sealed into the card.
First, before I go into why it's a good idea and how it's hackable, let me address a bunch of these posts above. *YES* similar ideas have been done before and *YES* this is very similar to an RSA SecurID token (or product of similar vendors). However, the BIG difference here is that it is built-in to your EXISTING credit/debit card. You do NOT have to carry an additional device. Get it? See that credit card you have already? OK.. imagine it with a little changing number on it. There you go! Basic reading 101 folks. End of the sarcasm too..
This is a great idea and will go a long way to stop illegal credit card use/reuse. Especially in the case of a compromised database. However there are a few issues and ways this is still possibly hackable.
Issue 1: SecurID is not even foolproof currently. Why? Well, hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now.
Issue 2: What algorithm are they going to use? How easily can it be cracked? If they're teaming with RSA then I think they will be pretty good so long as the seed files aren't compromised. This shouldn't really happen, but who knows. If the algorithm was weak, it could potentially only take a few consecutive numbers to start generating the future numbers. However, who knows how feasible this will be.
I think it sounds like an excellent idea. Question is.. how much will it cost the consumer? If anything.
I'm surprised that you have 6 replies to your post that are all wrong.
The cards don't generate the keys based on time. The keys are generated much the same way random numbers are generated in a computer.
The way this works:
You pick a number (seed) and a function that produces a pseudo-random output (the authentication key) based on an input. You program the same seed and function into both the card and the server.
When you go to log in, you have your credit card use the seed and function to generate a key (key1). You send key1 to the server. The server then takes the seed and function it has on record and also generates key1. If the outputs match, which they should, congratulations, you've authenticated.
Each time you request a key from the card, the card uses the last key generated as the input to the function to generate the next key. Each time you successfully authenticate, the server stores the key you authenticated with and the next time you try and authenticate it feeds that key into the function to generate the next key. Since both the card and the server know the last key they authenticated with and the function to compute the next key, they can both compute the next key.
Seed->run function->key 1
key 1->function->key 2
key 2->function->key 3
Etc, etc. The card and the server continue to generate the same keys to compare - so getting a new key is not based on TIME, but on how many authentications you've attempted.
In practice, the server generally accepts the next key, AND some number of keys after that. So, if the last time you authenticated with key315, the next time you authenticate the server will check the key you present against not only key316, but also key317,318,319,320, etc. If the key you present matches any of those, it will accept your authentication and store that key as the 'last' key. This is to make the system more usable - in this case, you could generate 4 keys and not use them before your card would be too far out of sync with the server to successfully authenticate.
paintball
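As an added illustration of the chain this post describes (key 1 -> function -> key 2, with the server looking ahead a few keys), here is a small Python model of the card and the server; it is not the poster's code and not VeriSign's or RSA's implementation. HMAC-SHA256 as the step function, the window size of 5, the 8-digit code length and the seed values are assumptions.

```python
import hashlib
import hmac
DIGITS = 8   # length of the number shown on the card (the thread mentions 8-digit codes)
WINDOW = 5   # server accepts the next key and the four after it (assumed window size)

def next_key(secret: bytes, prev: bytes) -> bytes:
    # One chain step, key_n = f(key_{n-1}). HMAC-SHA256 under a shared secret is an
    # assumed choice of f: seeing one displayed code does not reveal the next one.
    return hmac.new(secret, prev, hashlib.sha256).digest()

def display_code(key: bytes) -> str:
    # Reduce the 32-byte key to the short decimal code the card would show.
    return str(int.from_bytes(key[:4], "big") % 10**DIGITS).zfill(DIGITS)

class Card:
    def __init__(self, secret: bytes, seed: bytes):
        self.secret, self.last = secret, seed

    def press(self) -> str:
        self.last = next_key(self.secret, self.last)   # advances whether or not it is used
        return display_code(self.last)

class Server:
    def __init__(self, secret: bytes, seed: bytes, window: int = WINDOW):
        self.secret, self.last, self.window = secret, seed, window

    def verify(self, code: str) -> bool:
        candidate = self.last
        for _ in range(self.window):                    # look ahead WINDOW keys
            candidate = next_key(self.secret, candidate)
            if hmac.compare_digest(display_code(candidate), code):
                self.last = candidate                   # resync to the accepted key
                return True
        return False                                    # replay, or too far ahead

def run_scenario() -> dict:
    # Constructed walk-through: normal use, a replay, and drift inside/outside the window.
    secret, seed = b"constructed-shared-secret", b"constructed-seed"
    card, server = Card(secret, seed), Server(secret, seed)
    results = {}
    code = card.press()
    results["first"] = server.verify(code)                  # key1: accepted
    results["replay"] = server.verify(code)                 # key1 again: server has moved past it
    for _ in range(3):
        card.press()                                        # three codes generated, never sent
    results["within_window"] = server.verify(card.press())  # key5, inside keys 2..6
    for _ in range(5):
        card.press()                                        # five more unused codes
    results["beyond_window"] = server.verify(card.press())  # key11, outside keys 6..10
    return results
```

Once the card runs past the window the two sides stay out of step until the issuer resynchronises them, which is the failure mode the post's "4 unused keys" remark is about.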
... stem the losses from credit card fraud.
What you fail to acknowledge is the merchant and, eventually, you and I pay those fraud costs. Banks do not assume the costs associated with fraud. Period. Therefore, the bank card system works pretty well for the banks.
You also are completely unaware there is a rather secure banking standard used in many parts of the industrialized world. If _that_ was implemented we'd be much better off. But the banks can shift the costs of the standard, so it doesn't get implemented.
If you base an OSS banking system...
Cryptography is not a magic bullet. Transparency and accountability, the kind associated with stable markets and Free software are much more effective tools. And, the kind of trustworthy hardware you think doesn't exist costs about $20-$30 depending on the config. Doesn't need a secure PC either.
Verisign is Jumping the Shark
I think the basic idea is to prevent fraudulent purchases by requiring the purchaser to have the physical card. Many people are victims of credit card theft without having their physical card stolen from their possession. This feature will all but eliminate that. A phishing attempt that accesses your bank account in real time probably still can't even do much... In order to change any account information, a confirmation link should be sent to the account owner's email address. Maybe likewise for transferring money. Put a 60-second delay on sending the confirmation link, and by that time the SecurID code has changed. Then you need to enter a new SecurID code to confirm the account change/transaction.
But as for entering your account password, I'm pretty sure that even Joe Schmoe knows that when making an online purchase, all the merchant needs is your name, address, credit card number and now SecurID code. The user should be told by the bank that no merchant will ever require your bank account password. Better yet, this could be WRITTEN on the card itself next to the SecurID key, e.g. "Never give your account password to a merchant. Never enter your account password into a Bank of WTF hyperlink. Only type 'www.bankofwtf.com' manually into your address bar to access your account."
massive amount of fraud that the credit companies face
No. The burden of payment fraud falls on you. This is a simple fact. Sadly, you aren't aware of this.
Read the following carefully. Re-read it if necessary.
Banks do NOT assume the costs associated with fraud. The merchants accepting bank cards assume the cost of the fraudulent transaction. Let me give you an example:
I buy a book from amazon.com with a stolen credit card; Amazon eats the cost of the book and the transaction, PLUS those charges have to be reversed, and the merchant pays for the reversal.
Where is the bank losing money??? They are not. In fact, the retailer passes the costs onto you. Banks win. You lose. Time to move on.
Oh wait, there already were attempts to put a smart card on a credit card in the US. Amex Blue, for example, started out as one. Practically the same "dongle on the chip" but without a readable display, and with an interface for the terminal to read.
Instead they threw it out and switched to "RFID" chip on the card. So you can use the chip for additional verification, and copying card becomes much harder.
If the contactless payment system (Exxon stations, fast food places, and some other point of sale terminals are running trials) spreads any further, this new proposal of VeriSign chip on the credit card becomes almost irrelevant (especially when combined with solution like Verified by Visa, where you can add extra verification for online-only orders).
Hyperom.com
So what you're saying is that you're walking around with pockets bulging like the cheeks of a chipmunk on free nut day.
I solved that problem by adding 30 lbs to my waistline. Now the pocket bulges are barely noticeable.
I had an immediate vision of the ATM asking me what the number displayed on the card is .... and of course the card is inside the ATM at the time....
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.