Amex to deploy Internet card with embedded chip
ajlaw writes "American Express will be deploying a new blue card that contains an embedded chip for use when making purchases on the Internet.
The card's chip will be used for security in shopping on the Web. The company will distribute free card readers for customers to hook up to their computers." Weird - they have no details, but apparently the card swiping is supposed to be more secure than typing it in - but I'm not sure how.
In Holland and Sweden (where I live now) most bank cards are equipped with embedded chips. One of the applications of it is as an electronic wallet.
I.e. you go to a bank machine, withdraw some money which is then put on the chip in the form of credits. Then you go to a shop and pay by sticking the card into a machine that subtracts some credits from the amount on the card. (This is not the same as paying with an ATM card since there's no communication with the bank at the moment you pay.) You can also use the card to phone in a telephone cell. In addition to that, insurance companies can store some information on the chip as well.
One of the reasons this has never really worked well in Holland is the fact that there are two groups of banks in Holland, each pushing their own smartcard, each requiring a different machine in the shops and each offering slightly different functionality. It took nearly three years for them to figure out the card would never become popular unless they started cooperating (which is what they are doing since a few months).
As a consumer, I think the chip cards don't really offer much value. The whole concept of taking your card to a machine and adding credit has always seemed a little ridiculous to me and I can pay in a shop using my ATM card or my credit card.
The reason that banks push it anyway is that a chipcard is probably cheaper for the banks: ATM cards require communication to verify whether there's enough money on your account and credit cards require some other administration to be done which makes both of them unsuitable for small purchases (from the banks' point of view). What's also nice for banks is the marketing info they can collect from payments done with the chip card.
This bank seems to be pushing the card for webpayments. Unless they manage to convince all other banks that their particular cardformat should be used for online payment it won't work. The card only works if the ecommerce websites have the software to deal with these cards and I don't see that happen just because one bank is pushing a card.
A second problem is that you can't just stick the card into your floppy drive: you'll need a cardreader.
BTW. For the same reason (no standardization) I don't see biometrics becoming popular anytime soon.
So in order for this to work:
- banks will have to agree on a cardformat (preferably international)
- banks will have to provide their clients with cardreaders (also standardized) for free because no one will be interested in buying one
- there will have to be some added value for the card users (discounts?)
- there will have to be some added value for ecommerce sites in order to get support for the card there
Basically this card doesn't fulfill the requirements listed above so it's a guaranteed failure.
Jilles
Paper on how they work, and how they might be cracked is here
The embedded chip in this new card will probably allow it to work a lot like a SecureCard.
It has a pseudo-random number generator, which essentially functions as an ECB. Your PIN and the ECB value for that moment in time are both required to perform a valid transaction. This way, either just the card (if lost), or just your PIN (if overheard?) are individually useless, since they only work jointly.
A ChipCard, for online shopping, is probably not a very good application. An ATM card would make more sense, but since Amex has more clout, it's easier for them to introduce the tech.
Then again, I might be completely wrong, and the chip might simply store data such as encryption certificates, and facilitate another layer of security. This makes much more sense for online transactions.
Perhaps a built in ROM capable of Diffie-Hellman?? But then why bother to hook it up to a PC, a simple acoustic coupler between the phone and the card would do... Uhoh, starting to think... Should get back to work.
-- What you do today will cost you a day of your life.
If I've understood it correctly, smart cards at terminals are intended as a medium for storing secret keys. They're not really supposed to be more secure in any cryptographic sense, but they're expected to be more easily understood by naive users. A lot of people don't know what a secret key is and how you're supposed to manage it, and they don't like long, complex passphrases and tend to choose weak ones. But everybody is familiar with a credit card, and everyone knows that you're not supposed to lose one; so the effect in the end is that people will tend to be more conscientious about key management (although they don't realize that that's what they're doing).
That's the theory, so far as I understand it. Of course, if somebody does swipe your card, they could shop up a department store on the Internet before you get a chance to report the theft. Then again, it's still pretty hard to benefit from a stolen card, because the goods have to be delivered somewhere, so it might be possible to trace the thief by finding out where the stuff gets sent.
Always keep a sapphire in your mind
While they are at it, they could extend an existing browser to store the user specific data on the card as well. This way, you could just walk up to any terminal that supports this feature (and remember, they give the card reader away for free), insert your card and off you go surfing with all your bookmarks, cookies etc. AT&T Labs who developed VNC used a technology like that to make your home session appear on any terminal you walk by in their office. Cool.
Yes, you are right there. -- Another glass of champagne?
In a traditional credit card system, all you need to know to make a purchase with the card is the card number and expiry date (and possibly also the name on the card and the address at which it is registered). These are easily visible on the card, and readable from the magnetic strip. They are sent to the merchant whenever you make a credit card transaction of any kind.
The problem with this is obvious: you do not need the card to be present to make a purchase. Embedding a chip in the card enables us to be a little more clever.
If AmEx have implemented the scheme sensibly then the chip embedded in the card will be a small microprocessor. It will have some non-volatile memory for key storage, some volatile memory for working storage, and probably some hardware crypto acceleration (because implementing crypto in software on slow microprocessors yields poor performance). The chip will be designed such that it is difficult (i.e. expensive, time-consuming and obvious that it has taken place) to read out the contents of the memory.
When an online purchase takes place, the details of the purchase (merchant ID, amount of transaction, etc.) will be sent to the customer's computer. To complete the purchase the details must be sent to the card, which will perform some cryptographic operation and return some more data which must be sent back to the merchant. (The precise details will depend on the implementation.) The point of the whole scheme, and the reason that it is more secure, is that the data returned to the merchant depends on key material embedded in the chip.
It is still possible to attack systems like this, either by exploiting errors in the system design or implementation, or by physically attacking the smartcard. See this widely-cited paper for more information and references.
These are one component of the new Secure Electronic Transaction group of protocols to protect financial details while transiting electronic communications facilities. It specs everything starting at the main credit mainframes out to banks, regional centers, and finally out to doing authentication/verification of individual retailer's POS registers. It is so complicated and assembled by a committee of hostile interests it makes the whole TCP/IP suite look like child's play. People are making entire careers specialising in SET integration (second only to SAP/PeopleSoft programmers in Europe for excessive salaries, ~350K GBP/year for one year's experience, ~500K for a project lead).
:-)
Similar chip cards have been used widely in Europe for years, and the French, Belgian, and German banking systems use them almost exclusively. In Holland they have an NVRAM/crypto function and you can load the card with some credit and use it at merchants without having to verify every transaction.
The chip (in the French Carte Bleue system) is an 8-bit processor with enough power to provide a challenge-handshake for a secret shared key, and the agreed upon result is used to encipher the additional details of the card. The machine reading the card then uses that coupled with the PIN the user types in to further encipher the communications back to a regional control center, providing a second level of authentication. The crypto used is not difficult to crack or spoof, but just by raising the bar a little has dramatically reduced fraud from the old system which was just like the American system of today.
I'm glad to see Amex doing this. I think they announced this system about 2 years ago, and it's been an oft delayed vapor promise since.
If you read the small print on the bottom of the page, they guarantee you against all fraud when you use this system. There isn't even a $50 deductible for each fraud. That in itself is pretty amazing.
It's obvious this is only for win95/98/NT4, since there is some software you have to load on your computer which is always running and will ask for your PIN when you insert the card. And the software somehow stores some "electronic cash" in your "wallet" on your system, and only uses the card and PIN to unlock it.
Hmmm, I have an idea that anyone smart enough to crack the system is not stupid enough to bring the wrath of the law on their heads by actually spoofing a transaction (unless it was their own). But I can see a day soon when someone releases a script-kiddie and howto package and suddenly the system gets taken offline for a few months of "maintenance" after a passing lightning storm.
But if it increases security even a little bit, then it's a good thing. I just hope slashdotters remember there is no such thing as perfect security, just continuing improvements.
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Disclaimer: Although I work for one of the biggest smart card makers in the world and the inventor of Java Card (Java on smart card), as far as I know AmEx is not using our cards.
As for Blue, Frost and Sullivan's analysis is a good place to start. Personally, I think it is a good thing: get consumers used to the idea of smart cards and making everything free at first really helps. And if they use a Java Card based smart card, they'll be able to roll out new features in the future. Besides, free card, free reader and 0% APR are hard to beat (unless they start cutting checks, I guess). At least I've applied for the Blue card.
Linux support probably can be found at: http://www.linuxnet.com/ (I say probably because AmEx is highly likely to use one of the well known readers, many of them supported by the MUSCLE project)
As for security: much of the first 40 postings I've read are either wrong or misinformed. I'd recommend that you read some smart card introduction before posting here:
Smart card industry association: http://www.scia.org/
Smart card forum: http://www.smartcrd.com/
Java Card (but lots of general smart card info) http://members.xoom.com/javacard/
-----
More misc.: AmEx are working on a web page: www.blueamex.com (www.blueamex.net, too)
Danny (shameless ad: Java Card was invented here: www.cyberflex.slb.com)
Danny Kumamoto
It doesn't seem to me that it's difficult to see why this is more secure than the current scheme.
Your average credit card is insecure because an eavesdropper has got all the information they need to fake further transactions. With this system, one imagines that what would happen is that the transaction site sends you a challenge (e.g. a bit string) and the card swiper responds by preparing a response (e.g. encrypting the bit string using a private key stored on the card). By embedding a time stamp or unique identifier in the challenge, you ensure that an eavesdropper can't fake a transaction because they aren't allowed to use the same challenge/response pair and aren't able to manufacture the response to a new challenge to create a different one.
Better still, you can embed the amount of the transaction in the challenge too, and then the transaction site itself can't try to claim you authorised more money than you actually did.
This has been done before; I knew somebody once who worked for a company with a severely paranoid firewall. He could connect into the inside of the firewall from the outside, but only by using a little hand-held special crypto device. He'd telnet to the firewall machine, which would give him back a bunch of digits and he'd punch them into the device. The device would supply a response string of digits, which he typed back into the firewall and then it let him through.
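The challenge/response scheme sketched in the comments above (a per-transaction challenge carrying a unique identifier and the amount, answered with key material that stays on the chip), as an added example that is not part of the original thread and not AmEx's actual protocol. HMAC-SHA256 with a key shared between card and issuer stands in for the private-key operation one comment imagines; the class names, field names and sample values are assumptions.

```python
import hashlib
import hmac
import json
import secrets


class Card:
    """Stands in for the chip: the key never leaves this object."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Verifier: hands out one-time challenges and checks the card's answer."""

    def __init__(self, key: bytes):
        self._key = key
        self._open = set()  # nonces issued but not yet redeemed

    def challenge(self, merchant: str, amount_cents: int) -> bytes:
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        fields = {"merchant": merchant, "amount_cents": amount_cents, "nonce": nonce}
        return json.dumps(fields, sort_keys=True).encode()  # canonical bytes

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False  # wrong key, or the challenge fields were altered
        nonce = json.loads(challenge)["nonce"]
        if nonce not in self._open:
            return False  # replayed (or never issued) challenge
        self._open.discard(nonce)
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    card, issuer = Card(key), Issuer(key)
    ch = issuer.challenge("example-shop", 1999)
    resp = card.respond(ch)
    # The amount is rewritten after the card answered; the old response is reused.
    inflated = ch.replace(b'"amount_cents": 1999', b'"amount_cents": 9999')
    return {"inflated": issuer.verify(inflated, resp),
            "genuine": issuer.verify(ch, resp), "replay": issuer.verify(ch, resp)}
```

The MAC is checked before the challenge is parsed or the nonce is consumed, so a tampered challenge can neither reach the JSON parser nor burn a legitimate outstanding nonce.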