Security The Almighty Buck IT

To Pay With Your Credit Card, Please Speak Up

prostoalex writes "It's reasonably easy for a thief to steal the social security number and bank account information (which is printed on a check) as well as an address. The next generation of financial tools is fighting this problem. Business Week talks about voice verification in future debit and credit cards. "Here's how it works: A special sensor on the credit card stores its owner's previously recorded voiceprint in digital form. When the owner receives a new card, he or she speaks a password into the sensor on the card. If the voiceprint matches, the card is activated.""
  • so.. (Score:5, Insightful)

    by Turn-X Alphonse ( 789240 ) on Wednesday April 20, 2005 @08:12PM (#12298089) Journal
    So you speak to activate it.. and if you get a cold or have an accident and can't talk?
    • Re:so.. (Score:3, Insightful)

      by saned ( 736423 )
      Forget about being unable to speak...! If this speech recognition is as good as any of my cell phones' then you'll keep repeating 4, 5 or more times, until this chip recognizes your voice, or worst case, blocks itself until the next day for security purposes...

      YMMV
      -P@
    • Re: (Score:2, Funny)

      Comment removed based on user account deletion
    • My voice is my passport *cough*, verify me. *click-click... BAM!*
    • Or worse, speech (and hearing) impediments like mine. :(
    • by DumbSwede ( 521261 ) <slashdotbin@hotmail.com> on Wednesday April 20, 2005 @09:10PM (#12298502) Homepage Journal
      I used to work at Wolfram Research and when they moved into their new building the building was protected after hours by a voice activated entry device. This was about 14 years ago. Anyway the device worked reasonably well except when it was raining. There was no awning or other overhang, so in driving rain when you would really like to get in - well you just couldn't. The idea was to be a cost saver by not having to issue individual cards. Oh yeah they ripped the thing out after about two months. One of the employees (I don't remember who) took it as a challenge to slowly modify his voice entry phrase to something else slowly day by day, by slowly morphing one phoneme at a time into something else. I wish I had a list of phrases he changed from and to, but I don't.

      This was good technology applied in a bad way. As one of more than one way of activating a card this would be a good thing. Thieves are a skittish lot, even if they could sign for card use or use a stolen PIN, the fact they would be expected to voice activate the card first would deter them, not wishing to draw undue attention to themselves.

      Even 14 years ago this technology had an extremely low false positive rate misidentifying someone as someone else. Even 25 years ago I seem to remember this technology not being prone to misidentification, though more finicky and with a much smaller vocabulary (like 10 words).

  • by peculiarmethod ( 301094 ) on Wednesday April 20, 2005 @08:12PM (#12298093) Journal
    I somehow get the feeling that wives, girlfriends, and daughters the world over will not like this one bit.
  • by np_bernstein ( 453840 ) on Wednesday April 20, 2005 @08:12PM (#12298097) Homepage
    where did I put that tape recorder again?
  • by Anonymous Coward on Wednesday April 20, 2005 @08:14PM (#12298106)
    Step 1:
    Build card reader for voice print
    Step 2:
    Download voice print to your MP3 player
    Step 3:
    PROFIT!
  • Zug.com has a funny prank, that was listed on /. [zug.com] the other month, about someone signing his credit card receipts with phony names or pictures.

    I tried it, it's no problem, just sign all of your bills "It's Me", no one cares.
  • by Realistic_Dragon ( 655151 ) on Wednesday April 20, 2005 @08:16PM (#12298120) Homepage
    ...where you type your PIN into a small box attached to the cash register.

    Because, as we all know, typing your PIN into someone else's computer system is by far the best way to keep it confidential.

    ATMs are at least owned by the bank and significantly harder to tamper with in a non-obvious way.
    • In most smaller retailers, the terminals (including the keypads) are provided by the banks' merchant services division.

      For the rest, they have to be certified equipment, from authorised suppliers, and be tested on site and approved [chipandpin.co.uk] before rollout by your merchant services provider. Acquirer Acceptance Testing is by no means a walk in the path - it's a rigorous process.

      If you have unapproved equipment, then you don't escape the liability shift [streamline.com], and are now liable (in the UK anyway - different countr

    • by Lenolium ( 110977 ) <rawb&kill-9,net> on Wednesday April 20, 2005 @10:43PM (#12299094) Homepage
      I have written software for the credit card terminals.

      The pin pad is the only device in that chain that is secured at all. The pin pad is tested, and has to meet very, very tough standards. Your pin is not stored on the device, and the credit card terminal cannot get the actual pin number from the pin pad. All that comes from the pin pad is a big pile of "garbage" that is some sequentially ordered 3DES encrypted data that at one time resembled your PIN number. This block of encrypted data cannot be retransmitted, and if it is, it will be denied.

      During our testing phase with the terminal (not the PIN pad, we just bought those from someone else), the other programmer that was working on the code messed up some offsets and was not giving the correct PIN data to the test site. This got right past the testing, because even the merchant services test system cannot decrypt the data that comes out of the PIN pads. The rest of your data (including the entire contents of your magnetic strip, which in no way shape or form contain your pin number), is just sent across the wire in plaintext via 2400 bps modems. There was also no security testing of our terminal at all, and there is not even a requirement that credit card numbers aren't stored.

      So, the moral of this story is this: If there is one thing to trust in the whole credit card processing world, it is this: Your PIN is the most secure part, unless the PIN pad has been tampered with (aka, has a new set of buttons over the old set of buttons, or a camera to capture your finger movements, because opening up a PIN pad will destroy the key stored on the pad, and will render it useless) that part is secure.
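
The replay rejection described in the comment above, as an added example that is not part of the original thread or any vendor's code: a PIN pad encrypts each PIN under a one-time key tied to a transaction counter, and the host refuses a counter it has already seen. HMAC-SHA256 from the Python standard library stands in for the 3DES-based scheme the comment mentions, and every name here (`PinPad`, `Host`, `txn_key`, the serial and key values) is hypothetical.

```python
import hashlib
import hmac

def txn_key(base_key: bytes, counter: int) -> bytes:
    """One-time key for transaction `counter` (stand-in derivation, not 3DES)."""
    return hmac.new(base_key, b"txn" + counter.to_bytes(4, "big"), hashlib.sha256).digest()

def pin_field(pin: str) -> bytes:
    """Fixed 8-byte field: zero nibble, length nibble, PIN digits, 'F' padding."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PinPad:
    """Holds the base key; the terminal only ever sees encrypt_pin() output."""
    def __init__(self, serial: str, base_key: bytes):
        self.serial = serial
        self._base_key = base_key
        self._counter = 0

    def encrypt_pin(self, pin: str) -> dict:
        self._counter += 1  # every PIN entry consumes a fresh key
        key = txn_key(self._base_key, self._counter)
        # First half of the key masks the PIN field, second half authenticates it.
        block = xor(pin_field(pin), hashlib.sha256(key[:16]).digest())
        header = self.serial.encode() + self._counter.to_bytes(4, "big")
        mac = hmac.new(key[16:], header + block, hashlib.sha256).digest()[:8]
        return {"serial": self.serial, "counter": self._counter, "block": block, "mac": mac}

class Host:
    """Issuer side: knows each pad's base key and the last counter it accepted."""
    def __init__(self):
        self._pads = {}

    def enroll(self, serial: str, base_key: bytes) -> None:
        self._pads[serial] = {"key": base_key, "last": 0}

    def verify(self, msg: dict, pin_on_file: str) -> str:
        pad = self._pads.get(msg["serial"])
        if pad is None:
            return "unknown-pad"
        if msg["counter"] <= pad["last"]:
            return "replay"  # a retransmitted block is denied
        if msg["counter"] >= 2**32:
            return "bad-counter"
        key = txn_key(pad["key"], msg["counter"])
        header = msg["serial"].encode() + msg["counter"].to_bytes(4, "big")
        want = hmac.new(key[16:], header + msg["block"], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(want, msg["mac"]):
            return "bad-mac"  # counter is not advanced for forged input
        pad["last"] = msg["counter"]
        clear = xor(msg["block"], hashlib.sha256(key[:16]).digest())
        return "approved" if hmac.compare_digest(clear, pin_field(pin_on_file)) else "wrong-pin"

def demo() -> dict:
    key = bytes(range(32))  # constructed test key, not a real injection key
    pad, host = PinPad("PAD-0001", key), Host()
    host.enroll(pad.serial, key)
    first = pad.encrypt_pin("4929")   # constructed sample PIN
    second = pad.encrypt_pin("4929")  # same PIN, next counter
    tampered = dict(pad.encrypt_pin("4929"))
    tampered["block"] = xor(tampered["block"], b"\x01" * 8)  # e.g. a terminal bug
    return {
        "first": host.verify(first, "4929"),
        "replayed": host.verify(first, "4929"),
        "second": host.verify(second, "4929"),
        "tampered": host.verify(tampered, "4929"),
        "same_pin_same_bytes": first["block"] == second["block"],
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
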
  • by rattler14 ( 459782 ) on Wednesday April 20, 2005 @08:16PM (#12298131)
    No really, I am really curious. I admit, I wear a tin-foiled hat with pride, but I've received some pretty BS responses from banks when asked this question.

    The worst response? "You need it on your account for your protection". Oh really? Until, I don't know, 1 of the 100 forms my SSN is on gets scanned and posted somewhere on the internet.

    And for those that think it can't happen, some dipshit made a family tree of all of my family across the country and posted it on the internet... 1 out of 10 (out of ~600 people... this tree goes back pretty far) has a SSN posted and it's now in google's cache.

    So I ask again... why is a SSN required for a bank account? What about those people without SSNs?

    • As someone who's heavily into Ellenburg Genealogy, I also post SSNs.

      Of the dead.

      Of course, it's not like the information isn't publicly available from the Social Security DEATH Index.

      Odds are... this is what that other guy is doing, too.

      I figure, if someone wants to use my dead mom's SSN let 'em. This is going to affect me HOW?

      Now, with regards to the SSNs of any of my living relatives that's a different story. It's not like I go asking my brothers all the time, "Hey! What's your SSN?"
      • by Anonymous Coward
        I once knew a guy who lost his credit after an exterminator stumbled onto his dead wife's Social Security Card and driver's license. He started receiving bills in her name almost 10 years after her death. Even the SSNs of dead people are vulnerable to identity fraud.
    • Basically so big brother can watch for illegal activities, like money laundering. Large transactions throw up a red flag to government officials. I believe banks are required to report these to the government. I'm not sure what the trigger amount is.
      • Large transactions throw up a red flag to government officials. I believe banks are required to report these to the government. I'm not sure what the trigger amount is.

        $10,000, OR a series of smaller transactions which a bank thinks a regulator MIGHT think could eventually add up to $10,000. In other words, any two transactions that make the teller think: ``Ooh, that's a lot of cash.''

    • It's for when you get overdrawn by a few hundred and skip town. That SSN now has a black mark on it. But if you are a smart criminal, you use someone else's SSN to get the account and so on.

      So in all fairness.. this only hurts the honest people. So yea, banks don't need a SSN.
    • Well, it's required by law; specifically it's a provision in the USA PATRIOT Act. Any financial institution doing business in the United States is required to collect your SSN if you are a US Citizen (living in the US or abroad). Your SSN is bounced against fincen.gov and can be placed by the bank into the SAR (Suspicious Activity Report) http://www.fincen.gov/reg_sar.html [fincen.gov] This was all created because of the terrorist bull3hit but now it's used for any 'suspicious' activity. And, just like those people wh
  • Heh... (Score:4, Funny)

    by Eythian ( 552130 ) <[zn.ten.itsillak] [ta] [nibor]> on Wednesday April 20, 2005 @08:16PM (#12298133) Homepage
    "My voice is my credit card. Pay for me"
  • Record the voice, learn to imitate the voice of somebody? Damn, I'm going to start trying to mimic the voice of Bill Gates

    And what will happen when you're cold and your voice is not the same? In fact, teenagers would not be able to use it from one year to another :P
  • what are the mutes to do?
  • by Lead Butthead ( 321013 ) on Wednesday April 20, 2005 @08:20PM (#12298156) Journal
    Considering that voice recognition is still rather unreliable (particularly when people get excited and such) I would think it's a bad idea until reliability improves.

    It would be rather sad trying to pay for cough drops with ATM/CC but unable to do so because the sore throat is causing your voice print to shift.
  • I sincerely hope you don't have your SSN on your checks! All I have is my name and home address--if someone needs to complain, write me a letter.
    • Exactly. Having your SSN on your checks is a very, very bad idea. You're just asking for identity theft. If you're one of those few who've been foolish enough to do this, my advice is to get new checks without the SSN on them ASAP, and destroy your existing checks.
    • I had relatives in Virginia who used to have their SSNs on their checks. It wasn't until the mid 90s (as I recall) that Virginia allowed individuals to have their driver's licenses issued with an ID number that was different from their SSN. (Don't know why Virginia took forever, but someone needs to track down the moron legislator who made the SSN the license ID number and give them a sharp kick in the ass.)

      At any rate, in order to facilitate check usage, they put their driver's license number right onto t
  • "Hello, my name is Alexander Burke. My voice is my passport. Verify me."

    Next stop: the Sony Store! :)
  • by Lapsed Catholic ( 875641 ) on Wednesday April 20, 2005 @08:22PM (#12298171)
    There was a /. article a few years ago about a biometric password scheme that remembered how you laughed. It became a running joke at work, where we have someone with a very distinctive laugh. We figured a scheme like that would become annoying really fast.

    Coworker A: huh huh huh... huh huh huh... it's not letting me in... huh huh huh... oh wait I think I changed it... huhhuhuhhuhuh huhhuhhuhuh... huhhuhuhhhuh... no, that doesn't work either huh huh huh...

    Coworker B: Here, I'll log in for you. hahahahah!

    Coworker A: Huh huh huh thanks!
  • For some of us, who live in remote America (USA), and still use old telephone lines, which are in many cases not as clear as the "standard", are doomed if we are to attempt to transact business on the telephone. Imagine trying to identify yourself with that crackling sound in the background...What shall we do?
  • by theguywhosaid ( 751709 ) on Wednesday April 20, 2005 @08:23PM (#12298183) Homepage
    Rather than working to make it harder to use a stolen credit card, companies should work at making it easier to find somebody using a stolen credit card. Maybe start requesting that stores associate a purchase with a time and a checkout lane, which could lead to accessing security camera archives once a purchase is claimed fraudulent by the account holder. I am sure there are more possibilities.
    • by Neil Blender ( 555885 ) <neilblender@gmail.com> on Wednesday April 20, 2005 @08:27PM (#12298208)
      Rather than working to make it harder to use a stolen credit card, companies should work at making it easier to find somebody using a stolen credit card. Maybe start requesting that stores associate a purchase with a time and a checkout lane, which could lead to accessing security camera archives once a purchase is claimed fraudulent by the account holder. I am sure there are more possibilities.

      Oh, man, I'd love to see a story about that posted on Slashdot. The comments. The comments! It would be hours of fun.
      • Ok, start the fun - they do this in england :)

        My GF had a new card stolen from her mail, and only noticed 3 days later when her account was empty. The police went to the store where the largest purchase was made and caught the thieves from the CCTV footage.

        I'm going with the 'public place, CCTV warnings all over, you should expect your privacy to be compromised, especially since you're on someone else's property' position.

        Flame on :)

        Slightly on-topic (sorry, I had to), some form of card initialisation w
    • start requesting that stores associate a purchase with a time and a checkout lane,

      As a former retail worker I can tell you that store number, date, time, register, and cashier number have been printed on receipts for several years, if not a decade or two. They may not be in an easily recognized format, but you didn't think all those meaningless numbers at the top and bottom of your receipts were actually random, did you?

      As for tying it into the security cameras & keeping tapes long enough to review d
  • Why not SMS? (Score:5, Insightful)

    by md17 ( 68506 ) <james@@@jamesward...org> on Wednesday April 20, 2005 @08:26PM (#12298198) Homepage
    I would prefer that the Visa or Mastercard system sends me a SMS that I reply to in order to authorize the payment.
  • Comment removed based on user account deletion
    • But once you give someone your PIN on the phone, then your PIN is "in the wild" and subject to the security and honor of the seller. A more robust way to handle all of this is for card holders to have a way of assigning a unique one-time PIN (OTPIN) for each transaction, whether a check, credit card, or debit card. (For checks, you just write the OTPIN on the check.) The seller would not be able to debit the account without a valid OTPIN given to them by the buyer. Buyers would be able to go to a web site (
  • I guess it just depends on your location and the available infrastructure for delivering verifiable voice communications. What happens when I'm vacationing in Fiji and can't get my funds transferred because the bad connection is destroying the biometric signature of my voice?
  • It's discrimination I tell ya!
  • by SuperSanta ( 843034 ) on Wednesday April 20, 2005 @08:35PM (#12298272) Journal
    I hate to admit it - because, you know, all the fraudulent things that have happened to people with PayPal and eBay - but I have to say that PayPal is starting to do things well.

    Require you to put in your work phone number and then an automated system phones it and asks you to authenticate what is onscreen by touchpad. At least with this method of authentication the hackers have to spoof more than one method of communication and would leave a rather sizeable paper trail of changing account data.

    Not like reading the extra 3 digits off your card into a computer system so that someone else can steal those digits and reuse 'em.

    This post started out with better ambitions. Stupid boob tube, oh how you distract me!
  • I'd like to have a credit card that will only allow a single charge based on something that I program into it.

    For example, it has a module on which I've stored my thumbprint (the module will only verify my print. It won't give out the data). I strobe it and a unique credit card number appears which is only good for that transaction.

    Or perhaps I can write my own custom module which requires me to tap out a randomly generated five character sequence that it displays in Morse code accurately in less than

  • Still using checks. I like you yankees, I really do (strange for a European these days), but I know that checks are a common way of payment in the US, and I honestly don't understand this. Checks are a horrible throwback from the past and should have never crossed the millennium time barrier.

    I am sure there's a logical explanation why you're still doing this - I just don't really see it.

    (the other thing I never figured out, is: the US dollar is the most forged currency in the world, and yet, it's also on
    • There's a reason the americans don't change their currency. It is the gold standard in underdeveloped countries. From dictators in Africa with safes full of hundred dollar bills to ordinary people in parts of latin america who want "dollars". If you changed it, how are you planning on telling the millions of people in the world with dollar bills from the past few decades. That's also why they're all the same boring colour.
      • I have heard this argument before, and I don't buy it: in every country where US dollars have a certain value, there is a bank that will replace the banknotes. Or at least, there is a neighboring country with such a bank. There must be, otherwise there is no way that the little green pieces of paper would have a certain value.

        Therefore, replacing the bills with something more advanced and harder to forge, is possible albeit not simple.
    • First, If you call all us US folks "yanks" that's okay... but there are huge swaths of folks in this country (mostly in the southeast) that calling them a "yankee" will get you in a whole heap of trouble. Word to the wise if you ever visit. ;-)

      Secondly, checks are really on their way out here, too. I draw exactly two checks a month. One's the electric company and I do that on the web, so does that even count? The other is my water company, which is a tiny little mom and pop operation with about 700 cu

  • Bruce Schneier discusses identity theft and more in his latest news letter [schneier.com].
  • by initialE ( 758110 ) on Wednesday April 20, 2005 @08:52PM (#12298397)
    It's been proven over and again that biometrics are a poor form of authentication that can easily be beaten. Not only are you unable to protect it (try not leaving your fingerprints everywhere, or not speaking to someone so they can't get your voice recording, or maybe even not shedding your hair so you don't leave any DNA traces), you're also unable to change it, and it's made doubly dangerous because of the way people seem to think it's effective. So maybe they should stop beating that dead horse around...
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Wednesday April 20, 2005 @08:54PM (#12298405)
    Comment removed based on user account deletion
    • by JimBobJoe ( 2758 )
      Start with a picture of the cardholder on the card. Some banks already do that.

      And yet it goes nowhere. There's a myriad of reasons for this, but one of the biggest is that it makes little difference. Very little credit card fraud is perpetrated by people who are using someone else's physical card. The main security system on that fraud is purchase pattern/auditing systems and the ability to kill off the card.

      Most credit card fraud is online and/or via altered cards (like with the criminal's name and if
      • Don't forget that at one time not all states required a photo on driver's licenses. I know one person who (20+ years ago) had to have her photo Visa card with her all the time because her driver's license didn't have a photo. (It was optional in that state for some people and she met the requirements so they didn't even try to get her in for a photo) Her school checked photo ID for tests, so her ID was her Visa. Write a check and the clerk needs a photo ID - Visa again.

        If you need to present two forms

  • by SpottedKuh ( 855161 ) on Wednesday April 20, 2005 @08:55PM (#12298413)
    So, I read the article, and was left wondering how this new measure could do more than marginally dent the problem of credit card fraud. For those who didn't feel like reading the article, it basically outlines two potential uses for voice biometrics:
    1. Identifying people who phone a bank (ie. for phone services or ordering a credit card)
    2. When people first receive a credit card, they speak to it to activate it
    But, here's what this type of biometrics fails to address:

    From TFA, "Over-the-phone fraud already affects 12% of all banks offering e-payment services." 12%? That's it? Of all the banks offering electronic/phone services, only 12% have ever been affected by over-the-phone fraud, which this new technology is supposed to help prevent? That makes me think that most credit card frauds are being conducted another way.

    Point two: This type of biometrics does nothing to protect consumers if their card or card number are stolen after their card is activated. Continuing from my above comment about how most frauds actually happen, I'd wager good money that most credit card frauds do not occur from cards being stolen from the mail before they're activated; rather, I'm guessing that most frauds happen because the little numbers on someone's card are stolen.

    They need to rethink their manner of usage if they want this new biometric scheme to be anything more than a headache (I mean, how many different things could go wrong with a voice-recognition chip embedded in a little card?). I mean, a voice-authentication system is definitely a better scheme than asking someone what their birthday is, but there has to be a more effective way of using it than this.
  • This will not help with online fraud. Most fraud online is the result of 'card not present' fraud where the 16 digit number is typed in by a human.
  • can't even imagine the gajillion ways this is going to fubar. Just glad I won't be manning any of their helpdesks.
  • Hmm, won't do anything to stop people with your card details spending online (or through mail order / telephone order).

    Also not clear if it will prevent counterfeiting, where someone swipes your card through a magnetic stripe reader. Get a blank card, copy the magstripe data onto it, and record your own voice print...

  • Voice recognition is still not there. From stuff I've read rather recently, voice recognition stuff still can't understand southern accents. I'm not talking about deep dixie, or Louisiana, either.
    President Clinton's voice is too southern for today's voice recognition software to accurately recognize.
    • I'm guessing that what you say really doesn't matter so much as that you say the same thing each time and the system recognizes the resonances and attributes of the sound that are shaped by your various body cavities and your vocal cords.

      In other words, this is really just another form of biometrics.

      Of course the fact that you have a gallon of phlegm in your lungs, a hoarse voice from barfing and fever induced hiccups today because you've just caught avian flu may make paying for your medical visit a bit

  • "Open the pod bay doors HAL."

    "I'm sorry, Dave, you have reached your credit limit."

    But, hey, I've had too much coffee today.

  • I don't know about you, but I loan out cards on a regular basis to trusted individuals. That is the entire reason for having a signature line on the back. You do know that the signature line indicates if you want ID to be required to use your card right?

    They need to fix checks not Credit/Debit transactions. On every check is all the information needed to perform check-by-phone transactions. I have been scammed this way twice (both times by credit card companies who wanted to use my account to pay someone
  • I recently underwent a tonsillectomy and various sinus surgeries. One noticeable side effect, at least to my friends and family, is that my voice has changed. Many co-workers who I have called for years on a daily basis have needed several weeks to recognize my voice.

    A minor concern, but I guess I would likely need to retrain any voice programs at this point in time. I do know that my cell phone auto dialer is not working anymore, but then again, it was never a very reliable voice dial to begin with...
  • This doesn't seem to be any added protection to me. Here's why:
    Voices would, it seems, need to be encoded into digital format to be useful. I.e. you do a match on the numeric voiceprint stored in the card vs that stored in a database.

    Oh poo. There's a database involved somewhere--that also means that merchants will want to capture and store those fingerprints to prevent chargebacks.

    Double poo. There's a second set of databases involved--ones which are often guarded willy-nilly (if at all).

    Maybe I'm m
  • There has already been a case [bbc.co.uk] of carjackers cutting off the owner's finger in order to obtain access to a biometrically secured Mercedes.

    The whole idea that a "key" that is a part of your body is somehow more secure than a manufactured gadget you carry with you has more emotional than logical appeal.
  • I'd say a vast majority of credit fraud is committed without actually stealing the card, just the information on the magstrip. So I guess instead of the shady waiter just swiping your card through his personal magstrip reader before charging your order, it becomes standard for people to have to talk to their cards before the shady waiter swipes your card through his personal magstrip reader before charging your order. Advancement+!!!
  • I think it's a bad idea to consider the word/phrase you speak for the card to ID your voice a 'password' -- or even to limit it to a single word. People are more familiar with the concept of passwords than voice identification, and you're going to wind up with a lot of people that are worried about others listening into their transaction, trying to overhear their password.
  • Reminds me of the old quote by Borusa:

    There's nothing more useless than a lock with a voice print.

    that he ironically used to key a lock with a voice print...

  • .. or any other medication for conditions that alter the sound of your voice.

    Yawn. Move along, just another dotcom idea lying on the floor, nothing to see..
  • Around 6 or 7 years ago, my older brother had a voice-recognition password on his computer; it was neat and funky, and very futuristic. Then I found out that I could pitch my voice lower and get in after a couple of tries. Granted, the software standard at the time probably wasn't up to what we'd be looking at here, but it's still a consideration.
