Slashdot Mirror

← Back to Stories (view on slashdot.org)

VeriSign To Offer Passwords On Bank Card

Posted by kdawson on from the third-factor dept.

Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."

8 of 158 comments (clear)

  1. securid? by 192939495969798999 · · Score: 4, Interesting

    Wouldn't this basically be a version of SecurID? Why don't banks just roll out SecurID to everyone and get the same net effect?

    --
    stuff |
  2. Re:Password request... by EveryNickIsTaken · · Score: 4, Funny

    Neither. You should recognize the movie reference.

  3. Re:Oh great... by Red+Flayer · · Score: 5, Funny

    So I memorized my credit card account number for nothing...
    Oh great... so I memorized your credit card account number for nothing...
    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  4. Well.. by Anonymous Coward · · Score: 5, Funny

    my password is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Oops!

  5. Durability by eimsand · · Score: 4, Interesting

    My immediate concern is durability. Credit cards take a lot of punishment. I probably replace my credit card once a year because the magnetic strip has become damaged and no longer readable. All the same, magnetic strips have shown great durability for putting up with a fair amount of punishment. I'm not sure I can visualize an LCD screen thin enough to be incorporated into a card that will withstand 175+ lbs of pressure for hours at a time. And that doesn't even consider the circuitry involved in generating the passcode.

  6. Verisign's Jumping The Shark by mpapet · · Score: 4, Informative

    This technology has been around for some time actually. If there are any smart card developers hanging about, they might point you in the right direction.

    As someone with intimate knowledge of bank card costs and the infrastructure required to support a new bank card, the likelihood of this happening is slim to none. "Impossible!" you say. Please consider the following.

    1. The cost of producing these cards is extremely high relative to the plastic most users have. On order of 10x.

    2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.

    3. The banks can't shift the costs of this new-fangled card off to the merchants. FYI: The merchants shift the cost of accepting bank cards and paying for fraudulent transactions to all consumers.

    The project will be a nice idea that they can use as an example to regulators that they are "enhancing customer security." but is destined for the shelf.

    What's needed here is an OSS banking system, not the one we currently have.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  7. The cycle is INFINITELY long. by raehl · · Score: 4, Insightful

    I'm surprised that you have 6 replies to your post that are all wrong.

    The cards don't generate the keys based on time. The keys are generated much the same way random numbers are generated in a computer.

    The way this works:

    You pick a number (seed) and a function that produces a pseudo-random output (the authentication key) based on an input. You program the same seed and function into both the card and the server.

    When you go to log in, you have your credit card use the seed and function to generate a key (key1). You send key1 to the server. The server then takes the seed and function it has on record and also generates key1. If the outputs match, which they should, congratulations, you've authenticated.

    Each time you request a key from the card, the card uses the last key generated as the input to the function to generate the next key. Each time you successfully authenticate, the server stores the key you authenticated with and the next time you try and authenticate it feeds that key into the function to generate the next key. Since both the card and the server know the last key they authenticated with and the function to compute the next key, they can both compute the next key.

    Seed->run function->key 1
    key 1->function->key 2
    key 2->function->key 3

    Etc, etc. The card and the server continue to generate the same keys to compare - so getting a new key is not based on TIME, but on how many authentications you've attempted.

    In practice, the server generally accepts the next key, AND some number of keys after that. So, if the last time you authenticated with key315, the next time you authenticate the server will check the key you present against not only key316, but also key317,318,319,320, etc. If the key you present matches any of those, it will accept your authentication and store that key as the 'last' key. This is to make the system more usable - in this case, you could generate 4 keys and not use them before your card would be too far out of sync with the server to succesfully authenticate.

    --
    paintball
  8. Re:CVV? by jmn2519 · · Score: 4, Informative

    Because the number will change every minute or so. Just like the FOB from paypal. Basically what they are doing is taking that FOB with the LCD and changing the form factor to be a credit card (complete with mag stripe). Someone could steal your CVV or trick you into giving it to them. That becomes a lot more difficult with these one time passwords when the number changes all the time.