Amex to deploy Internet card with embedded chip

ajlaw writes "American Express with be deploying a new blue card the contains an embedded chip for use when making purchases on the Internet. The card's chip will be used for security in shopping on the Web. The company will distribute free card readers for customers to hook up to their computers. " Wierd-they have no details, but apparently the card swiping is supposed to be more secure then typing it in-but I'm not sure how.

Increased security from ChipCards

[jabber]

The embedded chip in this new card will probably allow it to work a lot like a SecureCard.

It has a pseudo-random number generator, which essencially functions as an ECB. Your PIN and the ECB value for that moment in time are both required to perform a valid transaction. This way, either just the card (if lost), or just your PIN (if overheard?) are individually useless, since they only work jointly.

A ChipCard, for online shopping, is probably not a very good application. An ATM card would make more sense, but since Amex has more clout, it's easier for them to introduce the tech.

Then again, I might be completely wrong, and the chip might simply store data such as encryption certificates, and facilitate another layer of security. This makes much more sense for online transactions.

Perhaps a built in ROM capable of Diffie-Hellman?? But then why bother to hook it up to a PC, a simple acoustic coupler between the phone and the card would do... Uhoh, starting to think... Should get back to work.

Its a CHAP device for SET

[anticypher]

These are one component of the new Secure Electronic Transaction group of protocols to protect financial details while transiting electronic communications facilities. It specs everything starting at the main credit mainframes out to banks, regional centers, and finally out to doing authentication/verification of individual retailer's POS registers. It is so complicated and assembled by a commitee of hostile interests it makes the whole TCP/IP suite look like childs play. People are making entire careers specialising in SET integration (second only to SAP/PeopleSoft programmers in europe for excessive salaries, ~350K GBP/year for one year's experience, ~500K for a project lead)

Similar chip cards have been used widely in Europe for years, and the French, Belgian, and German banking systems use them almost exclusively. In Holland they have an NVRAM/crypto function and you can load the card with some credit and use it at merchants without having to verify every transaction.

The chip (in the french Carte Bleu system) is an 8-bit processor with enough power to provide a challenge-handshake for a secret shared key, and the agreed upon result is used to encypher the additional details of the card. The machine reading the card then uses that coupled with the PIN the user types in to further encypher the communications back to a regional control center, providing a second level of authentication. The crypto used is not difficult to crack or spoof, but just by raising the bar a little has dramatically reduced fraud from the old system which was just like the american system of today.

I'm glad to see Amex doing this. I think they announced this system about 2 years ago, and its been an oft delayed vapor promise since.

If you read the small print on the bottom of the page, they guarantee you against all fraud when you use this system. There isn't even a $50 deductible for each fraud. That in itself is pretty amazing.

Its obvious this is only for win95/98/NT4, since there is some software you have to load on your computer which is always running and will ask for your PIN when you insert the card. And the software somehow stores some "electronic cash" in your "wallet" on your system, and only uses the card and PIN to unlock it.

Hmmm, I have an idea that anyone smart enough to crack the system is not stupid enough to bring the wrath of the law on their heads by actually spoofing a transaction (unless it was their own). But I can see a day soon when someone releases a script-kiddie and howto package and suddenly the system gets taken offline for a few months of "maintenance" after a passing lightning storm :-)

But if it increases security even a little bit, then its a good thing. I just hope slashdotters remember there is no such thing as perfect security, just continuing improvements.

the AC

It's just challenge and response, surely?

[Simon+Tatham]

It doesn't seem to me that it's difficult to see why this is more secure than the current scheme.

Your average credit card is insecure because an eavesdropper has got all the information they need to fake further transactions. With this system, one imagines that what would happen is that the transaction site sends you a challenge (e.g. a bit string) and the card swiper responds by preparing a response (e.g. encrypting the bit string using a private key stored on the card). By embedding a time stamp or unique identifier in the challenge, you ensure that an eavesdropper can't fake a transaction because they aren't allowed to use the same challenge/response pair and aren't able to manufacture the response to a new challenge to create a different one.

Better still, you can embed the amount of the transaction in the challenge too, and then the transaction site itself can't try to claim you authorised more money than you actually did.

This has been done before; I knew somebody once who worked for a company with a severely paranoid firewall. He could connect into the inside of the firewall from the outside, but only by using a little hand-held special crypto device. He'd telnet to the firewall machine, which would give him back a bunch of digits and he'd punch them into the device. The device would supply a response string of digits, which he typed back into the firewall and then it let him through.