Slashdot Mirror
Amex to deploy Internet card with embedded chip
ajlaw writes "American Express with be deploying a new blue card the contains an embedded chip for use when making purchases on the Internet.
The card's chip will be used for security in shopping on the Web. The company will distribute free card readers for customers to hook up to their computers. " Wierd-they have no details, but apparently the card swiping is supposed to be more secure then typing it in-but I'm not sure how.
In holland and sweden (where I live now)most bank cards are equiped with embedded chips. One of the applications of it is as an electronic wallet.
i.e. you go to a bank machine, withdraw some money wich is then put on the chip in the form of credits. Then you go to a shop and pay by sticking the card into a machine that subtracts some credits from the amount on the card. (this is not the same as paying with an ATM card since there's no communication with the bank at the moment you pay) you can also use the card to phone in a telephone cell. In addition to that insurance companies can store some information on the chip as well.
One of the reasons this has never really worked well in Holland is the fact that there are two groups of banks in holland, each pushing their own smartcard, each requiring a different machine in the shops and each offering slightly different functionality. It took nearly three years for them to figure out the card would never become popular unless they started cooperating (which is what they are doing since a few months).
As a consumer I think, the chip cards don't really offer much value. The whole concept of taking your card to a machine and adding credit has always seemed a little rediculous to me and I can pay in a shop using my ATM card or my credit card.
The reason that banks push it anyway is that a chipcard is probably cheaper for the banks: ATM cards require communication to verify whether there's enough money on your account and credit cards require some other administration to be done which makes both of them unsuitable for small purchases (from the banks point of view). What's also nice for banks is the marketing info they can collect from payments done with the chip card.
This bank seems to be pushing the card for webpayments. Unless they manage to convince all other banks that their particular cardformat should be used for online payment it won't work. The card only works if the ecommerce websites have the software to deal with these cards and I don't see that happen just because one bank is pushing a card.
A second problem is that you can't just stick the card into your floppy drive: you'll need a cardreader.
BTW. For the same reason (no standardization) I don't see biometrics becoming popular anytime soon.
So in order for this to work:
- banks will have to agree on a cardformat (preferably international)
- banks will have to provide their clients with cardreaders (also standardized) for free because noone will be interested in buying one
- there will have to be some added value for the card users (discounts?)
- there will have to be some added value for ecommerce sites in order to get support for the card there
Basically this card doesn't fullfill the requirements listed above so its a guaranteed failure.
Jilles
Paper on how they work, and how they might be cracked is here
Hello...I'm a credit card issued within the last two years.
Count how many numbers are on the front of the card...probably it's 16 if it's a MasterCard or VISA...or 15 for American Express...
Now flip me over and take a look at the signature area of the card. Chances are you will see a series of numbers printed there.
Count how many numbers are in the signature box. Hey...there's 18 or 19!
The first 15 or 16 are the credit card number from the front. The remaining two or three are the CVV2 code.
What is this CVV2 code? It's a PIN number. Just like a PIN number in a debit purchase, the CVV2 code is NEVER echoed anywhere in the transaction record.
One of the best security systems is "somthing you have, something you know." Lets say you crack some ISPs CC database and steal a whole bunch of credit card info. Well, when you go to purchase something on an Internet site, you are screwed because you don't have the physical card in your hand to get the CVV2 code. On the other hand, let's say you pick someone's pocket and take a physical card complete with CVV2 on the back. Well, when you go to purchase something, you are screwed because you don't know the billing information like address, ZIP, phone, etc.
As long as customers are aware they should treat the CVV2 code like a PIN code and NEVER give it out to anyone they wouldn't trust with their PIN code, then this system will work.
Next time some business cries about how much they lose due to credit card theft...tell them it's their own damn fault for not using the tools that are already availabe to them.
http://secure.logicom.com/cvv2.htm
- JoeShmoe
It's more secure for one reason only--you have to actually physically have the card to order with it.
Ahem. You mean I have to physically generate the stream of bytes that gets send to the serial port or wherever the card reader gets plugged in?
I thing the suggestion that this is just a way for people to have/use long passwords/keys in a convenient fashion. You know why PINs have only four numbers (9999 key space!), right? Because the average Joe Schmoe cannot remember more than four numbers.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Have a look at http://www.protonworld.com or http://www.proton.be
It gives all info who/what is behind this initiative.
The article states a person can either enter his card number as usual, or if he wants "extra security" he can swipe it through a reader.
/or without/ the reader, I don't see how this can be any more secure that existing methods, and that's ignoring the issue of /how/ the reader "secures" the transaction.
/very few/. Maybe the big guys who can afford to jump on every hype bandwagon the credit card cartel sends thundering by, but not the little guys and the small business merchants they support.
Because it works with
Assuming it isn't just a sexy lady in a black box cooing "Your transaction is secure," there has to be some server-end software. Shopping carts will presumably have to receive and process the data.
How many carts are going to support this new protocol? My (educated) guess is
Am I worried about the little guy? Not really. Wallet software has been notoriously unsuccessful in the e-commerce industry, and I don't see this gizmo faring any better.
--
#19845
Card swipping will be more secure for the simple reason that more information will be stored on the chip than the existing card number and expiry combination used the validate a card.
More data == more secure? Well at least not as easy to defraud. Perhaps.
How does this relate to the various Mondex / Electronic Cash projects that are underway?
The Mondex system, which is in a fairly strong Beta phase in Canada, uses a smart-card chip (you know, the 6-pin ones on phone calling cards) and a bit of encryption to store cash amounts and personal data.
I wouldn't be surprised if the card readers weren't just readers, but also did some encryption before they spat it out their serial ports to the computer, to the browser, to the server, etc. down the chain.
Anyone on the inside have any tech details? RFC specs? Anything?
Even a yearly fee amount or an interest rate amount?
What would be really cool is a PCMCIA card reader so you could use this in your laptop without lugging something external. I know there are PCMCIA adapters to read standard smartcards...
mindslip
P.S. first? (yay.)
On a more serious note, those that are aware that it is possible to copy the contents of this chip (and/or the entire card) might not feel as safe as the uninformed. So it might be a bigger success than the pesimistic existing slashdot'ers may think.
-
ping -f 255.255.255.255 # if only
avaiable here from American Express web site. Not much, some pretty pictures, some "offers", etc, but it's the "official" home.
(Not directly linked from the original news article - irritating)
http://home4.americanexpress.com/b lue/splash.asp
Nothing unfortunately in the way of technical information to speak of.
--
This isn't the post you're looking for. Move along.
--
"This isn't the post you're looking for. Move along."
In Germany the blue Amex is already marketed for quite some time now. As far as I know, it's some "you're too young/poor/different to qualify for our real green credit card, so we're giving you a blue one instead, so everyone can see, how young/poor/different you are"-thing. No one wants to be seen with one of those.
The embedded chip in this new card will probably allow it to work a lot like a SecureCard.
It has a pseudo-random number generator, which essencially functions as an ECB. Your PIN and the ECB value for that moment in time are both required to perform a valid transaction. This way, either just the card (if lost), or just your PIN (if overheard?) are individually useless, since they only work jointly.
A ChipCard, for online shopping, is probably not a very good application. An ATM card would make more sense, but since Amex has more clout, it's easier for them to introduce the tech.
Then again, I might be completely wrong, and the chip might simply store data such as encryption certificates, and facilitate another layer of security. This makes much more sense for online transactions.
Perhaps a built in ROM capable of Diffie-Hellman?? But then why bother to hook it up to a PC, a simple acoustic coupler between the phone and the card would do... Uhoh, starting to think... Should get back to work.
-- What you do today will cost you a day of your life.
If I've understood it correctly, smart cards at terminals are intended as a medium for storing secret keys. They're not really supposed to be more secure in any cryptographic sense, but they're expected to be more easily understood by naive users. A lot of people don't know what a secret key is and how you're supposed to manage it, and they don't like long, complex passphrases and tend to choose weak ones. But everybody is familiar with a credit card, and everyone knows that you're not supposed to lose one; so the effect in the end is that people will tend to be more conscientious about key management (although they don't realize that that's what they're doing).
That's the theory, so far as I understand it. Of course, if somebody does swipe your card, they could shop up a department store on the Internet before you get a chance to report the theft. Then again, it's still pretty hard to benefit from a stolen card, because the goods have to be delivered somewhere, so it might be possible to trace the thief by finding out where the stuff gets sent.
Always keep a sapphire in your mind
Total hypothesis here, but it could work similar to my SecureID card. The card has some sort of imbedid processor that does nothing but generate numbers twice a minute. The "randomly" generated numbers are seeded by some other set of numbers known by my dial-in server and my card. Basically what happens is that when I dial in, my password is a combination of this randomly generated number (shown on a neat little LED), and a pin number that I set on the dial-in server. You can't get connected without knowing both the pin, and the number that is currently showing on the LED. If this CreditCard has a similar setup, users would be required to type in their credit card pin, and then swipe the card. If the number sent by the card (generated off of some known seed of course) and the pin don't match what our faithfull credit card company says they should be, then the transaction would be denied.
The nice thing is that if you wanted to steal the credit cards information, you couldn't just snag the creditcard number. You would have to know the algorithm for generating these numbers, as well as the pin (which could be snagged from the transmission)! So you would have to watch these purchases over a period of time, and only then would you be able to pretend to be the card owner.
something clever
While they are at it, they could extend an existing browser to storing the user specific data on the card as well. This way, you could just walk up to any terminal that supports this feature (and remember, they give the card reader away for free), insert your card and off you go surfing with all your bookmarsk, cookies etc. AT&T Labs who developed VNC used a technology like that to make your home session appear on any terminal you walk by in their office. Cool.
Yes, you are right there. -- Another glass of champagne?
When you type in, your browser does the digital signing and encryption. A chipcard can store your account #, private key, sign and encrypt any data you want by itself. One can crack a computer and replace any software, but IC cards are a lot tougher. They have simpler data interface, and use strong cryptography.
-- what is a sig?
In a traditional credit card system, all you need to know to make a purchase with the card is the card number and expiry date (and possibly also the name on the card and the address at which it is registered). These are easily visible on the card, and readable from the magnetic strip. They are sent to the merchant whenever you make a credit card transaction of any kind.
The problem with this is obvious: you do not need the card to be present to make a purchase. Embedding a chip in the card enables us to be a little more clever.
If AmEx have implemented the scheme sensibly then the chip embedded in the card will be a small microprocessor. It will have some non-volatile memory for key storage, some volatile memory for working storage, and probably some hardware crypto acceleration (because implementing crypto in software on slow microprocessors yields poor performance). The chip will be designed such that it is difficult (i.e. expensive, time-consuming and obvious that it has taken place) to read out the contents of the memory.
When an online purchase takes place, the details of the purchase (merchant ID, amount of transaction, etc.) will be sent to the customer's computer. To complete the purchase the details must be sent to the card, which will perform some cryptographic operation and return some more data which must be sent back to the merchant. (The precise details will depend on the implementation.) The point of the whole scheme, and the reason that it is more secure, is that the data returned to the merchant depends on key material embedded in the chip.
It is still possible to attack systems like this, either by exploiting errors in the system design or implementation, or by physically attacking the smartcard. See this widely-cited paper for more information and references.
These are one component of the new Secure Electronic Transaction group of protocols to protect financial details while transiting electronic communications facilities. It specs everything starting at the main credit mainframes out to banks, regional centers, and finally out to doing authentication/verification of individual retailer's POS registers. It is so complicated and assembled by a commitee of hostile interests it makes the whole TCP/IP suite look like childs play. People are making entire careers specialising in SET integration (second only to SAP/PeopleSoft programmers in europe for excessive salaries, ~350K GBP/year for one year's experience, ~500K for a project lead)
:-)
Similar chip cards have been used widely in Europe for years, and the French, Belgian, and German banking systems use them almost exclusively. In Holland they have an NVRAM/crypto function and you can load the card with some credit and use it at merchants without having to verify every transaction.
The chip (in the french Carte Bleu system) is an 8-bit processor with enough power to provide a challenge-handshake for a secret shared key, and the agreed upon result is used to encypher the additional details of the card. The machine reading the card then uses that coupled with the PIN the user types in to further encypher the communications back to a regional control center, providing a second level of authentication. The crypto used is not difficult to crack or spoof, but just by raising the bar a little has dramatically reduced fraud from the old system which was just like the american system of today.
I'm glad to see Amex doing this. I think they announced this system about 2 years ago, and its been an oft delayed vapor promise since.
If you read the small print on the bottom of the page, they guarantee you against all fraud when you use this system. There isn't even a $50 deductible for each fraud. That in itself is pretty amazing.
Its obvious this is only for win95/98/NT4, since there is some software you have to load on your computer which is always running and will ask for your PIN when you insert the card. And the software somehow stores some "electronic cash" in your "wallet" on your system, and only uses the card and PIN to unlock it.
Hmmm, I have an idea that anyone smart enough to crack the system is not stupid enough to bring the wrath of the law on their heads by actually spoofing a transaction (unless it was their own). But I can see a day soon when someone releases a script-kiddie and howto package and suddenly the system gets taken offline for a few months of "maintenance" after a passing lightning storm
But if it increases security even a little bit, then its a good thing. I just hope slashdotters remember there is no such thing as perfect security, just continuing improvements.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Disclaimer: Although I work for one of the biggest smart card makers in the world and the inventor of Java Card (Java on smart card), as far as I know AmEx is not using our cards.
As for Blue, Frost and Sullivan's analysis is a good place to start. Personally, I think it is a good thing: get consumers used to idea of smart cards and making everything free at first really helps. And if they use Java Card based smart card, they'll be able to roll out new features in the future. Besides, free card, free reader and 0% APR are hard to beat (unless they start cutting checks, I guess). At least I've applied for the Blue card.
Linux support probably can be found at: http://www.linuxnet.com/ (I say probably because AmEX is highly likely to use one of the well known readers, much of them supported by MUSCLE project)
As for security: much of the first 40 posting I've read are either wrong or misinformed. I'd recommed that you read some smart card introduction before posting here:
Smart card industry association: http://www.scia.org/
Smart card forum: http://www.smartcrd.com/
Java Card (but lots of general smart card info) http://members.xoom.com/javacard/
-----
More misc.: AmEx are working on a web page: www.blueamex.com (www.blueamex.net, too)
Danny (shameless ad: Java Card was invented here: www.cyberflex.slb.com)
Danny Kumamoto
Using zero knowledge proofs and bidirectional communications, the remote server can establish to an arbitrary degree of certainty whether the person at the computer is in posession of the card holding the chip. Even if the line is completely unencrypted and open, nobody else can impersonate the holder of the card, no matter how much they listen.
Of course, whether AMEX is doing this right or doing something lame remains to be seen.
Well, if the chip contains more info than is printed on the card, it is less likely that someone will say, "But I didn't buy that!!" The extra info transmitted will show that that exact card was used. If they still have the card, bingo, they used it.
I had a website ask for my 'security' number on my credit card once, explaining that there are an additional 3 digits printed on the signature strip of my card. I looked, and sure enough, there they were. If you look at the microsoft licence keys you have to type in for windows, the win98 is HUGE! I imagine as people ask for more secure credit cards, cc companies will change to using more info to verify that someone is using a good card. An automated process of entering a large amount of info is needed (like the bar codes for ms keys).
-Adam
It doesn't seem to me that it's difficult to see why this is more secure than the current scheme.
Your average credit card is insecure because an eavesdropper has got all the information they need to fake further transactions. With this system, one imagines that what would happen is that the transaction site sends you a challenge (e.g. a bit string) and the card swiper responds by preparing a response (e.g. encrypting the bit string using a private key stored on the card). By embedding a time stamp or unique identifier in the challenge, you ensure that an eavesdropper can't fake a transaction because they aren't allowed to use the same challenge/response pair and aren't able to manufacture the response to a new challenge to create a different one.
Better still, you can embed the amount of the transaction in the challenge too, and then the transaction site itself can't try to claim you authorised more money than you actually did.
This has been done before; I knew somebody once who worked for a company with a severely paranoid firewall. He could connect into the inside of the firewall from the outside, but only by using a little hand-held special crypto device. He'd telnet to the firewall machine, which would give him back a bunch of digits and he'd punch them into the device. The device would supply a response string of digits, which he typed back into the firewall and then it let him through.
Clearly, AMEX is good at Public relations, but what is new here? It seems to me that this card is just a basic smartcard, like they have been used, for example in France, for many years. This card shouuld be able to store some data and perform computations. Smartcards for crypto tend to have a regular chip and another one dedicated to specific task (like modular exponentiation), so they can perform complex operations such as digital signatures. Hence, one possible use, (which by the way), as already been started by VISA, is to plug a little reader in your computer, then when a query for paiement is made, the reader displays it, you are then asked to type your pin, which unlocks your private key, with which you can actually _sign_ the paiement. And no more credit card fraud.. Cool, isn't it :)
I think you're missing the point.
If the system is not cryptographically secure, you can still copy the card, you can still use man-in-the middle attacks, there are all sorts of things you can do.
What if some sad little program like happy99 was designed to double-swipe your card? We don't know if that kind of attack or others are possible. Unless they say exactly how the system works, it is best to assume that it is not secure.