Slashdot Mirror


Credit Cards That Think They Are Gadgets

holy_calamity writes "Pittsburgh startup Dynamics Inc has unveiled gadget-like credit cards with buttons, lights and even displays built into the same space as a conventional card. One card has two buttons on the front, which, when pressed, rewrite the data on the card's magnetic stripe, allowing it to act as multiple bank or credit cards in one. Another has several buttons and a display in place of the card's number. Only after entering a PIN is the magnetic stripe populated and the full card number revealed, and after a short time both go blank again for security." I wonder how long it'll be until somebody builds onboard biometrics into one of these things.

29 of 239 comments

  1. Biometrics? by spun · · Score: 3, Insightful

    You mean, digital passwords you can never change? Sounds secure...

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Biometrics? by Anonymous Coward · · Score: 3, Funny

      Did you ever try to change your fingerprints?

    2. Re:Biometrics? by slshwtw · · Score: 5, Insightful
      Three kinds of security:
      • something you are (biometrics)
      • something you have (card)
      • something you know (pin)

      As parent indicated, biometrics is the weakest of these, as if someone is able to 'break the code' you have no way of changing your fingerprints, etc. The best approach is a combination of having and knowing, such as an ATM card which a thief can't use without knowing the PIN, or a building access card that requires you to punch in a code. If you lose your card, no big deal, just issue a new one and assign it a new code just in case.

    3. Re:Biometrics? by toastar · · Score: 3, Insightful

      Biometrics is also the weakest against the guy with a gun at the ATM scenario. Your fingerprint is still there if he blows your brains out, your PIN not so much.

    4. Re:Biometrics? by Zerth · · Score: 4, Insightful

      Turbine just generates a non-reversible key from fingerprints. It does nothing to help you out if your fingerprint data gets out. Like by touching a car door.

    5. Re:Biometrics? by profplump · · Score: 3, Insightful

      Please don't conflate "biometrics as a stand-alone authenticator" with "biometrics as a second authentication factor". It's pretty reasonable to combine a physical token with biometrics, because you *can* deactivate/replace/rekey the physical token pretty easily. It's important that the authentication system includes some revokable factor, and ideally you'd also have a PIN or other knowledge-based authentication token, but physical + biometric is not a bad start, and can form a perfectly usable, revokable system.

      And it's certainly not a bad system compared to the current "physical only" authentication currently in place.

      Your fingerprints can't be changed, but they can't be as trivially reproduced as a password either. I agree, someone *could* steal your fingerprints and reproduce them in some useable way, though it would take a higher level of sophistication than simply stealing your card or copying your password. And if someone stole your fingerprints and your card you could simply deactivate the stolen card and have a new one issued. The person with your fingerprints would then have a copy of your fingerprints and a useless credit card dongle. He'd need to steal your physical credit card all over again in order to make use of his copy of your fingerprints.

    6. Re:Biometrics? by moderatorrater · · Score: 3, Insightful

      Then they just need to check the temperature of the finger to make sure that it's still alive. It should work: criminals with microwaves can't run away very fast.

  2. Erm by iONiUM · · Score: 3, Funny

    Why don't they just tie this shit into your cell phone instead? They already have something similar in Japan with swipe phones for the JR line.

    Why does every company have to try and put another gadget in your pocket? They should just integrate better with existing gadgets so I don't have to wear fucking cargo pants and have a wallet that is 3 feet big.

    1. Re:Erm by swanzilla · · Score: 3, Funny

      They should just integrate better with existing gadgets so I don't have to wear fucking cargo pants and have a wallet that is 3 feet big.

      That ain't a wallet. This is a wallet...

    2. Re:Erm by tekrat · · Score: 3, Funny

      That's also why, when women hit you with their purse, the injury is now fatal.

      --
      If telephones are outlawed, then only outlaws will have telephones.
    3. Re:Erm by oodaloop · · Score: 4, Informative

      As TFA points out, there are 16 million credit card readers out there. Instead of making them all RFID readers, just use the existing infrastructure. And this would potentially reduce the size of your wallet, not increase it, by allowing you to carry just one programmable card instead of many.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    4. Re:Erm by Microlith · · Score: 4, Insightful

      Why don't they just tie this shit into your cell phone instead? They already have something similar in Japan with swipe phones for the JR line.

      Because in Japan the companies are far more tightly integrated, and it's much easier for NTT to work with JR East on what they want to do, and decree to handset makers that their next products will include the functionality. In the US, for instance, it's virtually guaranteed we'd have massive infighting and incompatibilities as vendors fought for dominance over all others. Verizon would work in some places, AT&T in others, and unless you bought your phone from them you couldn't use it at all.

      Basically, there's a whole bunch of bullshit in the States that prevent solutions like Japan has from working.

  3. Re:First by IndustrialComplex · · Score: 5, Insightful

    Though this seems like a much safer alternative to today's credit/debit cards, although like TFA says, what will this really do for security? How long until a flaw is discovered or it is cracked?

    So I'm guessing you wrote that just so you could get in an early comment.

    Or are you really concerned about security on an item which literally has all of its information printed right on its surface which you hand to strangers and gets stored in a third party database? Oh and I forgot that most of the printing is actually raised so it can be recorded with a simple piece of paper and a crayon.

    You are worried that something could be less secure than THAT? Well I suppose adding a speaker for blind cashiers might be a bit less secure...

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  4. The main use by wirelessdreamer · · Score: 3, Insightful

    Scammers will love these, they'll find a flaw where they can reprogram any name and card number, swipe a card and clone it.

    1. Re:The main use by Anonymous Coward · · Score: 5, Insightful

      swipe a card and clone it

      And how is this different from what we have now?

  5. biometrics? bah by TheCreeep · · Score: 5, Funny

    I wonder how long it'll be until somebody builds onboard biometrics into one of these things.

    Screw that, I'm waiting for these guys to port Quake to a credit card.

  6. How about just universal chip&pin? by Anonymous Coward · · Score: 4, Informative

    I know chip&pin isn't perfect, but it'd be a step in the right direction.

    I just went on vacation and had no problem with my cards until the end, when someone cloned one of my cards and "swiped" it nearly ten days after I'd last used the card in that particular city.

    Curiously the card was never out of my sight. They carried a machine to the table in restaurants and swiped on the spot, as is common in Europe.

    Then, when my genius bank thought there might be fraud, they called me on my land line at home. This despite having told them my travel plans and they knew I wouldn't be home for another 24 hours. Since I didn't get back to them soon enough they let the fraudulent charges go through -- one of them for over $2000 -- and I had to deal with it the hard way when I got home.

    1. Re:How about just universal chip&pin? by Dog-Cow · · Score: 4, Informative

      It's not uncommon. It's done to prevent charges at the destination from being rejected due to automated fraud prevention.

  7. I'm waiting for transaction-specific codes by mysidia · · Score: 5, Interesting

    Cards that will populate the mag-strip with transaction-specific codes each time. So you can type the code in, the guy at the restaurant can pick up the card with your ticket, and swipe it once.

    But if he tries to scan the stripe and clone the card, the number he gets is useless, because it is transaction specific.

    I would envision each CC being allocated a block of 200 random CC numbers, to be used in sequence, when it is printed, 200 random initial CVV2 numbers, and 1000 random CVV2 offsets in the form of a number between 0 and 999. For each transaction, pick a number, with no number re-used until 199 more transactions have been made.

    Each time a number is used, the CVV2 is to be the initial CVV2 number plus the next CVV2 offset, modulo 999. CVV2 offsets are not re-used until 999 more transactions have been made.

    Each time a number is used, the CC company can determine it is valid and compute exactly the right CC and CVV2 numbers that should be used by the next 10 transactions.

    Unless there is delayed processing involved, they can also know to reject any number other than those 10.

    Even if there is delayed transaction processing involved, the CC company can know a code 199 transactions ago is "too old", because there have been transactions made since then that are too old.

    There should also be a way to enter a special PIN to generate a 'vendor specific' code that can be used for multiple transactions.

    Possibly assigning card users larger pools of numbers, so expiration dates, and dollar limits can be encoded using the CC# and CVV2.

    If multiple failures are detected with a CC# (e.g. someone tries to clone one number and try it with multiple CVVs), then that CC# is retired permanently, and the CC company sends the customer a new file to flash their credit card's memory with.
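Added example (not part of the thread and not mysidia's code): a minimal Python model of the rotating-number scheme described in the comment above, with a card that steps through its pool and an issuer that accepts only the next 10 codes and retires a number after repeated failures. The `000000`-prefixed card numbers, the seeded tables, and `MAX_FAILS = 3` are constructed assumptions; the pool sizes and the modulus are the ones the comment states.

```python
import random

POOL, OFFSETS, WINDOW = 200, 1000, 10   # sizes given in the comment
CVV_MOD = 999                           # modulus as stated in the comment
MAX_FAILS = 3                           # assumed threshold for "multiple failures"

def provision(seed):
    """Constructed tables that the card and the issuer would both hold."""
    rng = random.Random(seed)
    numbers = [f"000000{rng.randrange(10**10):010d}" for _ in range(POOL)]
    cvv_init = [rng.randrange(1000) for _ in range(POOL)]
    offsets = [rng.randrange(1000) for _ in range(OFFSETS)]
    return numbers, cvv_init, offsets

def code_for(tables, n):
    """Card number and CVV2 for transaction n (counted from 0)."""
    numbers, cvv_init, offsets = tables
    slot = n % POOL                     # a number comes back only after 199 others
    cvv = (cvv_init[slot] + offsets[n % OFFSETS]) % CVV_MOD
    return numbers[slot], f"{cvv:03d}"

class Card:
    def __init__(self, tables):
        self.tables, self.n = tables, 0

    def next_code(self):
        code = code_for(self.tables, self.n)
        self.n += 1
        return code

class Issuer:
    def __init__(self, tables):
        self.tables, self.next = tables, 0
        self.fails, self.retired = {}, set()

    def authorize(self, number, cvv):
        if number in self.retired:
            return "retired"
        # Only the next WINDOW transactions are acceptable (no delayed processing).
        for n in range(self.next, self.next + WINDOW):
            if code_for(self.tables, n) == (number, cvv):
                self.next = n + 1       # everything up to n is now stale
                return "approved"
        self.fails[number] = self.fails.get(number, 0) + 1
        if self.fails[number] >= MAX_FAILS:
            self.retired.add(number)
        return "declined"

def demo():
    tables = provision(seed=2010)
    card, issuer = Card(tables), Issuer(tables)
    first = card.next_code()
    return issuer.authorize(*first), issuer.authorize(*first)  # swipe, then replay
```

The second call in `demo()` replays the same stripe data, which is what a cloned swipe would present, and is declined because the issuer's window has already moved past it.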

    1. Re:I'm waiting for transaction-specific codes by Mr_Silver · · Score: 4, Informative

      Cards that will populate the mag-strip with transaction-specific codes each time. So you can type the code in, the guy at the restaurant can pick up the card with your ticket, and swipe it once.

      It's called Dynamic Magstripe and is available now. One example of it is here.

      In Europe, they are solving this problem by moving away from magstripe to chip-and-pin. This is for two reasons, you don't give your PIN out to anyone else and because the card never leaves your sight.

      For example, when you pay for food at a restaurant, the server physically brings you the Point Of Sale terminal for you to insert your card, confirm the price and enter your PIN. This means that it's impossible for them to run off and make a copy of the card without you seeing it happen.

      (I was in the US recently and did not like the fact that my credit card disappeared from my sight when I went to pay for the bill)

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    2. Re:I'm waiting for transaction-specific codes by dj245 · · Score: 3, Interesting

      I experienced table-top POS terminals during a recent trip to Nova Scotia. Apparently they are very popular there, and the waitress couldn't believe that I had never seen one in the US. The biggest problem is that in Europe, tipping is not expected or required. In the US, you can write the tip and walk away without the waitress watching you. If they go to table-top POS terminals like I saw in Canada, then you need to tip in front of your server. As an American, it was not very comfortable, although I suppose it is more profitable for the waitstaff. As an aside, when I was younger, tipping was commonly 10% and 15% for good service. Now my coworkers give me a hard time if I give any less than 20%. I think it's time that we pay servers more and do away with the tip. The hidden cost of tipping is starting to be a substantial part of the restaurant bill.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    3. Re:I'm waiting for transaction-specific codes by mentil · · Score: 3, Insightful

      The problem with this system is that many of these machines wirelessly transmit the CC# to the POS machine, cleartext. Sniffers in a van in the parking lot intercept the CC# and clone it anyways. A poster above you had exactly this happen to him (although he didn't realize how it was done.)

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  8. Something similar by dsavi · · Score: 3, Interesting

    A major corporation that someone I know has worked for used to use what looked like a very thick credit card to log into what I believe was a VPN. You would input a PIN on the front, and it would display a code that would be valid for 30 seconds or so for logging into the VPN that it calculated itself, based on the current time and PIN. I think this card was made by RSA, now I think the same company uses a slightly different system.

    1. Re:Something similar by rickb928 · · Score: 3, Informative

      SecurID I think. Mine is the size of a car remote. The thin ones broke a lot. Old technology, but effective.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  9. No thanks by pavon · · Score: 4, Interesting

    Because cell phones are buggy pieces of shit, and I wouldn't trust them with my credit card number and PIN for anything. Especially as they become more and more tied to the web.

  10. Now more fraud can be blamed on you. by tekrat · · Score: 3, Informative

    This is all just a way to make you pay for more and more. Card companies/Banks have to write off fraud, usually, and they hate doing this, so every new card gimmick that comes along will be aimed at making fraud more your problem and less theirs.

    But it will also be used to make you pay for everything big companies won't. Let's create an example: Say you walk into Walmart and buy a pair of Calvin Klein jeans. You pay for the Jeans at the checkout. However, Walmart never pays the supplier, Calvin Klein (or the distributor). Thanks to all these shared records, the databases can track everything and one day you get a bill from Calvin Klein for the jeans you purchased at Walmart.

    Sounds implausible right? I'm right now fighting with Direct TV for services I purchased through Verizon. Verizon didn't pay Direct TV, so Direct TV is billing me instead, even though I paid Verizon. I never got a Direct TV bill before this one. I was never their customer (directly), I was a Verizon customer. And yet here I am, stuck with the bill.

    Trust me, my above example at Walmart may be implausible now, but 5 years from now it'll be commonplace to see the average joes being shafted at both ends by large companies. This card is one more step towards that end.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  11. One Time Password Credit Card Numbers by Doc+Ruby · · Score: 3, Insightful

    The most useful change in credit cards would be giving buyers a stack of one time passwords, each one issued to the vendor tied to the specific parties and dollar amount of the transaction, with a short expiration date.

    The best way to do it would be a smartphone app that took a token from the vendor, the vendor's ID (another onetime string from a vendor pool of onetime ID#s), encrypted it with the dollar amount and a onetime ID# from the buyer's pool, and sent it over the network to the credit corp. The credit corp would decrypt it and credit the vendor's account. That way no ID info is shared that can be reused.

    If they want to make a physical credit card that does those things once connected to a network (like a chipcard), great. Let them put a fingerprint sensor and PIN on the card, along with a display of the available credit remaining and outstanding balance to date. But the one time passwords are by far the most value to deliver to the consumer, and therefore to the vendor, too.

    --
    make install -not war

  12. Re:First by DarthVain · · Score: 4, Funny

    I used my chip card at a store once, and the guy was like "Hi Steve!", and I was like "Er hi?", and the merchant was like "Your name is stored on the chip and when I plug it in, your name pops up on my screen!", he seemed so happy I didn't want to tell him that it is also printed on the card as well, that you can see with your eyeballs.

  13. Re:One Time Use Cards by ad454 · · Score: 3, Informative

    Agreed, these cards would be invaluable if they had a one-time card number generator. But in practice, that is a lot harder to do than you would think.

    Credit cards have 15-16 digits, but the top 6 are reserved for the BIN that identifies the issuer and corresponding VAP/MIP/... processing station in the credit card network that authorizations are sent to. The last digit is reserved for the mod10 checksum. So that means that you have only 7-8 digits available per BIN. Note that each BIN typically is used for 10's of thousands of individual cards.

    When you use a one-time card number online, it is generated/provided by a centralized server and database in order to efficiently maximize that 7-8 digit pool for one-time use that is SHARED, coordinated, and distributed among the 10's of thousands of card holders.

    But since these new computerized cards do not have any networking capabilities, and since the 10's of thousands of card holders need to be identified individually, you would only have a 2-3 digit pool for the one-time use, which is not enough for security.

    The only option for these new computerized cards would be to either add network capabilities, like a bluetooth connection to a mobile phone, or add a one-time passcode to another field in the magstripe, perhaps appended to the card holder's name.
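
Added example (not part of the thread and not ad454's code): the digit budget from the comment above, modelled in Python for a 15-digit number laid out as BIN, holder identifier, one-time counter and mod10 (Luhn) check digit. The `000000` BIN, the 5/3 split between holder and counter digits, and all function names are assumptions chosen to match the "2-3 digit pool" case.

```python
def luhn_digit(body):
    """Mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # every second digit, starting beside the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def build_number(bin6, holder, counter, holder_digits=5, counter_digits=3):
    """Card side: derive the number for this transaction without any network."""
    counter %= 10 ** counter_digits  # the counter wraps once the pool is used up
    body = f"{bin6}{holder:0{holder_digits}d}{counter:0{counter_digits}d}"
    return body + luhn_digit(body)

def parse_number(pan, holder_digits=5, counter_digits=3):
    """Issuer side: (bin, holder, counter), or None if length or checksum is wrong."""
    if not pan.isdigit() or len(pan) != 6 + holder_digits + counter_digits + 1:
        return None
    if luhn_digit(pan[:-1]) != pan[-1]:
        return None
    split = 6 + holder_digits
    return pan[:6], int(pan[6:split]), int(pan[split:-1])

def one_time_pool(counter_digits):
    """How many distinct one-time numbers a single holder can ever present."""
    return 10 ** counter_digits
```

With three counter digits a holder has only 1000 distinct numbers, and `build_number` returns the same value for transactions 7 and 1007, which is the reuse the comment warns about.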