VeriSign To Offer Passwords On Bank Card 158
Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."
O rly? (Score:2, Insightful)
CVV? (Score:2, Insightful)
http://en.wikipedia.org/wiki/CVV_number [wikipedia.org]
Re: (Score:1)
Re:CVV? (Score:4, Informative)
Re: (Score:3, Insightful)
Slow down there, bucky. Are you trying to suggest there was EVER a time in Slashdot's history where this was the case? You must be new here. ®
As for this one-time use password thing, my big concern would be durability. My plastic credit card is pretty tough. I can, say, hit it with a mallet and it's fine. How will they make it that durable if they include circuitry and a display window capable of generating
Re: (Score:2)
Slashdot has always sucked, even in the beginning. It only succeeded because it predates RSS feeds.
Re: (Score:2)
Password request... (Score:3, Funny)
Can I put in a request for the password 12345 before anyone else does?
-m
Re: (Score:3, Insightful)
Re: (Score:2)
I would like to request the following pregenerated one-time passwords:
1
2
3
4
5
Re: (Score:1, Funny)
Re: (Score:2)
So should I listen to you or my IQ test from Test the Nation [bbc.co.uk]?
Re:Password request... (Score:4, Funny)
Re: (Score:2)
Sorry, I missed your joke as it was going at ludicrous speed over my head!
Two Factor Dynamic Login Verification (Score:1)
Re: (Score:2)
Re:Two Factor Dynamic Login Verification (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If I were doing this, I'd use something like eInk. This way, the only time an internal battery is used to drive the display is when the six-digit code number is being updated. Bonus points for making this card and
Re: (Score:2)
Re: (Score:2)
I don't see this as new - although it is somewhat unusual for anything involving finance to actually care about security... take this email I receive regularly for example (spot the number of "click here" links (MNBA rock, every bank should model themselves on this lame company):
Just writing to giv
securid? (Score:5, Interesting)
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2, Insightful)
I fact I'm more concerned about the battery since that will be harder to fit into card and may not last as long or maybe not.
https://www.softwareplusonline.com/catalog/product Detail.aspx?p [softwareplusonline.com]
Re: (Score:2)
Well that works well (Score:2)
This will push up the size/weight/cost of cards somewhat ...and don't use your card to scratch the ice off your car.
Re: (Score:3, Insightful)
Because it's more convenient to have the device on the card. I carry many credit cards, I don't want to have a corresponding securid device for each card.
Re: (Score:3, Informative)
Because SecureID is a closed, proprietary system.
The VeriSign/OATH scheme is patented but there is a royalty free license that allows anyone to make the cards/tokens/whatever.
Also the OATH scheme is a counter based token, not a clock. A clock would not work on the card form factor, the battery would not last long enough to be interesting. A counter based scheme is much more p
while the concept is interesting (Score:4, Interesting)
Re: (Score:3, Insightful)
So, I suppose it's safe to say they've figured those problems out.
Re: (Score:2)
btw: like the sig.
Re:while the concept is interesting (Score:4, Informative)
You could even build the terminals such they sync the clock. Many terminals run on always-on connections now, so running something like ntp on them is feasible. You could use the clock skew to detect attempted fraud, too -- if you know the clock in a particular card loses 2.4 seconds a day from historical data, and the number of days between the last purchase * 2.4 seconds doesn't equal the real time, something is wrong -- possibly a forged card. It's easy to duplicate a magnetic strip, I'd bet it's harder to forge an purposely-inaccurate clock that varies from card-to-card.
As an aside, I hope the electronics are recyclable and the credit card companies actively solicit returns of them. It'd be nice if the cover/numbers of the card were simply an overlay that could be replaced, along with the clear protective coating. Replace the front panel, sync the clock, put the new data on the magnetic strip, coat it, and wham, new card without wasting the electronic components.
Re: (Score:1)
The server knows the previous token so if you get a token wrong it prompts you to enter the next token that appears.
If both tokens are correct, then it can tell how much the clock is skewed, and adjust the time seed accordingly.
Already done (Score:4, Informative)
Usually you have to type in your password (the "something you know") along with the current number on the keyfob ("something you have"), in order to successfully authenticate with a SecureID system. They're very common in government; basically they make stealing passwords muuch less useful, since the hacker would need to steal both the password AND the keyfob - and if someone loses their keyfob they would be issued a new one and the original deactivated, so there is a small window of opportunity there as well.
Frankly it is about time someone pressured the banks into issuing this technology. I have wished I needed a keyfob for online banking and CC transactions for YEARS. The initial expense of the rollout would be quickly offset by the savings in fraud I suspect.
Re: (Score:2)
Re: (Score:3, Informative)
My impression is that the card companies don't care too much about fraud, since mostly they just charge anything back to the merchant, who has to eat it. Card companies mostly care about getting people to use their card a lot, which is why you don't have to sign for lots of purchases under $25 these days. If a merchant gets some disputed charges, that's their problem.
Re: (Score:2)
The cycle is INFINITELY long. (Score:5, Insightful)
The cards don't generate the keys based on time. The keys are generated much the same way random numbers are generated in a computer.
The way this works:
You pick a number (seed) and a function that produces a pseudo-random output (the authentication key) based on an input. You program the same seed and function into both the card and the server.
When you go to log in, you have your credit card use the seed and function to generate a key (key1). You send key1 to the server. The server then takes the seed and function it has on record and also generates key1. If the outputs match, which they should, congratulations, you've authenticated.
Each time you request a key from the card, the card uses the last key generated as the input to the function to generate the next key. Each time you successfully authenticate, the server stores the key you authenticated with and the next time you try and authenticate it feeds that key into the function to generate the next key. Since both the card and the server know the last key they authenticated with and the function to compute the next key, they can both compute the next key.
Seed->run function->key 1
key 1->function->key 2
key 2->function->key 3
Etc, etc. The card and the server continue to generate the same keys to compare - so getting a new key is not based on TIME, but on how many authentications you've attempted.
In practice, the server generally accepts the next key, AND some number of keys after that. So, if the last time you authenticated with key315, the next time you authenticate the server will check the key you present against not only key316, but also key317,318,319,320, etc. If the key you present matches any of those, it will accept your authentication and store that key as the 'last' key. This is to make the system more usable - in this case, you could generate 4 keys and not use them before your card would be too far out of sync with the server to succesfully authenticate.
Re: (Score:3, Insightful)
I think the reason why people have gone the way they have is because so many of us have held such a device in our hands. The elegance of the technology they're describing is that there is no input except ticks from a clock. Anything more complicated than that would require adding a button to the card. I'd hate to accidentally hit the "next key" button too many times because it was in my wallet and I sat on it.
Re:The cycle is INFINITELY long. (Score:4, Informative)
"VeriSign was expected to announce a deal Tuesday with Innovative Card Technologies Inc."
and
"That code constantly changes, meaning the customer needs to have possession of the card to access the account."
Now, ICT says this:
"InCard has embedded an operating system into the card - the press of a button on the card activatesa battery, circuit, and chip, which sends an algorithm-generated passcode to an embedded display. Each time the button is pressed, another passcode is generated. This passcode is good for only one use during a limited time, thus proving possession of the card and guarding against electronic fraud."
and:
"OTP generated with OATH or custom algorithm"
This certainly sounds like a counter based synchronous system, but is it? How can it be "good for only one use during a limited time" if time is not a factor? What would stop you from generating a code, writing that down, and using it days or weeks later. I'm not pointing this out to question the security of the device, as I believe they would still be secure (just don't generate codes and write them down where they can be stolen along with your card number!). I'm pointing it out because it leaves one to question whether this is truely a counter based synchronous system.
OATH's definition of a OTP token is the industry standard:
"OTP (One Time Passwords) authentication (commonly used today) can be divided in two
types; synchronous (based on a transformation of a common shared secret and a moving
value that is synchronous on both the server side and the client side. This method is what
usually is referred to as OTP) and challenge-response (in which a server generates a
challenge value that will be transformed by the client based on a secret shared between
the client and the server)."
They call asynchronous authentication challenge-response, it it's all the same. The OATH Reference Model does say this:
"OATH has endorsed a new OTP algorithm standard called HMAC-based OTP [HOTP],
based on the HMAC SHA-1 algorithm. It is an event-based OTP algorithm, in which a
counter value is used in the OTP calculation and incremented on the client and server
after each use. The algorithm has been submitted to the IETF for standardization as an
Informational RFC. Areas of future work include possible extensions to the current HOTP
algorithm, such as:
Time-based OTP algorithm variant
Counter-based re-synchronization method for clients that can send the count value to
the server along with the OTP value
Composite shared secrets (e.g., based on user PIN or other deterministic data for
computing the shared secret)
Addition of a data field for computing OTP values
Additionally, OATH will also look to promote standardization of other low cost
authentication technologies, specifically targeted towards consumer usage scenarios.
Some of the areas that OATH is investigating include scratch-cards and methods
derived from battleship or bingo cards."
So it certainly looks like your guess that we are talking about a counter based system rather than a time based system is accurate. However, it's still a guess; until more information is available we just won't know. Did Verisign specify their own algorithm that is time based as ICT says they can support (the alternative algorithm, not necessarily anything that requires a clock)?
Re: (Score:2)
That's good. But where is the second number? The one where the bank authenticates themselves to me?
So that I know I'm not at a phishing site. One-way authentication is not good enough in any situation where both parties can be spoofed.
Bricks-and-mortar banks are hard to spoof but not so web sites or telephone numbers.
---
DRM. You don't control it means you don't own it.
Re: (Score:2)
How about USB? (Score:2)
That way you have a code unique to the user (or at least the USB device) and verification in return that the owner has access to the device.
Re: (Score:2)
Those are not problems this is meant to solve. (Score:2)
This is geared towards transactions where the buyer and the seller are NOT in the same spot - either over the phone, or over the internet. In those kinds of transactions, it is not currently possi
Power? (Score:4, Interesting)
Ah there's the beauty! (Score:2)
Ok it's just a watch kinda battery but it'll still last longer than the expiration on your credit card.
Re: (Score:2)
How's it powered?
Likely, by a small lithium battery. However, the power requirements are small enough that a solar cell/capacitor arrangement or a very small mechanism that generates a small current from motion (think Eco-drive watches) would be feasible solutions in the future.
How's it controlled?
See how RSA SecurID works here [rsa.com].
What happens when the battery in my credit card is dead?
Replace it. The server should resync with the unit after one failed attempt (it will just ask you to enter the next code).
Dead battery (Score:3, Insightful)
On second thought to the dead battery thing: A lithium battery should be able to power the card for 3 years or more. The card company would just have to make a point to reissue a new card every two years or so to avoid that problem. This would eliminate the problem of changing the battery and allow it to be sealed into the card.
Re: (Score:2)
And disposable too? Good for the enviroment then.
However, the power requirements are small enough that a solar cell/capacitor arrangement
My wallet is pretty dark. How is going to keep time if its only exposed to light briefly a few times a week.
or a very small mechanism that generates a small current from motion (think Eco-drive watches) would be feasible solutions in the future.
One of card spends most of its time in a drawer. Same issue, sure it'll have enough power when
Re: (Score:2)
1. Robustness - put the fragile bits (screen) in the merchant terminal.
2. Time sync - see above.
3. Battery power - recharge when you put the card in the terminal.
Granted, that does not fix hacked terminals (as reported here) or 'man in the middle' attacks, but that's not what the device proposed is trying to do.
All the same, perhaps mobile phones have more promise for secure payment devices...
One time use passwords? (Score:1, Interesting)
And what about when I'm paying for gas with a credit card. Do I have to go in to give the guy the password, or are they changing out all the pump credit terminals for ones with full keyboards?
Re: (Score:2)
Or maybe instead of asking you to enter a 5-digit zip code, you enter a 5-digit one-time-PIN.
No way. (Score:1, Offtopic)
And I don't want you to have ANYTHING to do with my financial information. Period.
Stay away from my bank account. Stay away from my CC. Just stay away.
I'm worried now because my Credit Union just sent me a new VISA card for no reason,
my current one doesn't expire until late next year but my CU is telling me they are going to
expire it this month and I'm compelled to use the new one they sent. What a pain in the ass.
Now I have to change all my online accounts tha
Re: (Score:1)
How the hell is this offtopic? (Score:2)
Re: (Score:2)
Disclaimer: I am a VeriSign employee, but this post is solely my own opinions, made off-the-clock on my own time. I work in a completely separate division of the company than the one responsible for this product, and in fact this Slashdot story was the first I've heard of it.
What do you have against VeriSign? As far as I know, the only "bad thing" the company has done is SiteFinder. While that was a very serious breach of the trust the community placed in VeriSign as a DNS provider, it did get dropped re
This Isn't Offtopic (Score:2)
moderator on crack !!! (Score:2)
Paypal? (Score:2)
Re: (Score:1)
Well.. (Score:5, Funny)
Durability (Score:4, Interesting)
Re: (Score:3, Insightful)
Let me guess, you take the George Costanza approach and stick napkins under your other ass cheek so you don't have to sit at an angle.
Why do men insist on sitting on their wallets all day long? Take them out of your back pocket! Put it in your desk drawer, a backpack, any place but your back pocket. I leave mine in my car when I'm at work. Why bother bringing something else to work that you won't use and have to carry it back out at t
Re: (Score:2)
It sits in my center console while I drive and on my desk while I work, but if I'm in a restaurant or something, it needs to be in my back pocket. My front pockets are already taken and I'm not putting it on the table etc.
I sometimes need something from mine when I'm at work. But then, we have restaura
Re: (Score:2)
You shouldn't make a habit of putting your wallet in your back pocket when you are sitting, it's bad for your back and can lead to long-term musculoskeletal problems. If you've no room in your front pockets from all the devices you carry, you should consider carrying a manpurse. Or just simplify your device load.
Are you kidding me? (Score:2)
1 Geoerge Kastanza wallet, containing receipts back to 1995
2 key chains, including:
- One LED flashlight
- One leatherman
- One small swiss army knife
- ~35 various keys
- Nail clippers
- Ninja Remote
- ~ 10 supermarket/blockbuster/best buy/etc discount program dongles
- Craftsman 4-headed flat-head screwdriver
- large car key
- remote car opener dongle
~ 5 various tags (volvo/strongbad/etc)
and TWO cell phones.
If you can't fit your wallet in your front pocket with the rest of you
Re: (Score:2)
Not at all. (Score:3, Funny)
I solved that problem by adding 30 lbs to my waistline. Now the pocket bulges are barely noticeable.
Safety of Leaving Wallet in Car? (Score:2)
One of my friends had his car broken into and lost his wallet. The police detective told him that it's not a great idea to leave any values (such as a wallet) in your car. Getting everything replaced was a real hassle for him. I'm assuming that you've had no issues so far? You must live in a pretty safe area (or you stash your wallet in an inconspicuo
Re: (Score:2)
Cool, where do you park? Just curious.
Verisign's Jumping The Shark (Score:5, Informative)
As someone with intimate knowledge of bank card costs and the infrastructure required to support a new bank card, the likelihood of this happening is slim to none. "Impossible!" you say. Please consider the following.
1. The cost of producing these cards is extremely high relative to the plastic most users have. On order of 10x.
2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.
3. The banks can't shift the costs of this new-fangled card off to the merchants. FYI: The merchants shift the cost of accepting bank cards and paying for fraudulent transactions to all consumers.
The project will be a nice idea that they can use as an example to regulators that they are "enhancing customer security." but is destined for the shelf.
What's needed here is an OSS banking system, not the one we currently have.
Re: (Score:2)
2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.
That might be, but some sort of improved hardware is going to be required to stem the losses from credit card fraud. The simple fact is that CC security right now is basically at the plain-text password stage of the security game. Every store you "authenticate" to ends up with all the informa
Missing The Points (Score:3, Interesting)
What you fail to acknowledge is the merchant and, eventually you and I pay those fraud costs. Banks do not assume the costs associated with fraud. Period. Therefore, the bank card system works pretty good for the banks.
You also are completely unaware there is a rather secure banking standard used in many parts of the industrialized world. If _that_ was implemented we'd be much better off. But the banks can shift the costs of the standard, so it doesn't get imp
Re: (Score:2)
10x cheap still isn't expensive for those willing to pay the extra few bucks for increased security.
The producers are VeriSign. Reasonable speculation follows: This feature is intended to help secure web transactions, not the kind where you must be physically present. The back end and fro
Re: (Score:2)
So far, the bank has 1 customer, you. Banks will pass all of their new card, IT systems, employee training, legal overhead, costs onto you. Given there are clever managers in banks, I'm sure they'll find some other costs for you to pay. That makes the card you want to order in the double-digit-millions of dollars.
Now, what about the going forward costs of promoting and implementing the backend software tha
Re: (Score:2)
First of all they will have more than one customer. 2nd of all, the only additional cost the banks have is the card itself. Which, given that it's only 10x the cost of plastic (your estimate), isn't that expensive... especially considering the banks and merchants would have to cover the cost of unauthorized less secure transactions anyway. VeriSign is the one running t
Re: (Score:2)
No it doesn't. Online transactions can be quite secure with an EMV compatible smart card and smart card reader. There's even open source middleware for it.
Verisign is adding no value other than their brand.
Verisign is totally Jumping the Shark on this one.
Re: (Score:3, Insightful)
LS
What Massive Fraud? (Score:3, Informative)
No. The burden of payment fraud falls on you. This is a simple fact. Sadly, you aren't aware of this.
Read the following carefully. Re-read it if necessary.
Banks do NOT assume the costs associated with fraud. The merchants accepting bank cards assume the cost of the fraudulent transaction. Let me give you an example:
I buy a book from amazon.com with a stolen credit card, Amazon eats the cost of the book and the transaction PLUS those charges have to
Many Potential Issues (Score:2)
Re: (Score:2)
It's kind of like the 3-4 digit security number (CVV2) on most cards - merchants don't need to pass it to the processor/bank, and if they do they can charge the card even when the number doesn't match. It's just not in their best interest
GREAT IDEA! .. but still hackable (Score:3, Interesting)
This is a great idea and will go a long way to stop illegal credit card use/reuse. Especially in the case of a compromised database. However there are a few issues and ways this is still possibly hackable.
Issue 1: SecurID is not even full proof currently. Why? Well, hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now.
Issue 2: What algorithm are they going to use? How easy can it be cracked? If they're teaming with RSA then I think they will be pretty good so long as the seed files aren't compromised. This shouldn't really happen, but who knows. If they algorithm was weak, it could potentially only take a few consecutive numbers to start generating the future numbers. However, who knows how feasible this will be.
I think it shounds like an excellent idea. Question is.. how much will it cost the consumer? If anything.
Re: (Score:2, Insightful)
I think the basic idea is to prevent fraudulent purchases by r
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
We need more alternatives (Score:2)
Smart Cards, anyone? (Score:3, Interesting)
Instead they threw it out and switched to "RFID" chip on the card. So you can use the chip for additional verification, and copying card becomes much harder.
If the contactless payment system (Exxon stations, fast food places, and some other point of sale terminals are running trials) spreads any further, this new proposal of VeriSign chip on the credit card becomes almost irrelevant (especially when combined with solution like Verified by Visa, where you can add extra verification for online-only orders).
I like the concept ... but (Score:3, Insightful)
Re:Oh great... (Score:5, Funny)
even greater! (Score:2)
Did that cop follow you for 5 years till you were going to commit counterfeit.. for nothing...
Re: (Score:1)
Re: (Score:2)
"09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0"? That's the stupidest key I've ever heard of in my life! That's the kind of processing key someone would put on their copy of Spaceballs: The HD-DVD!
Re: (Score:2)
It all depends on the type of credit.
I have 13k in student loans at 3.5% interest (tax deductible.) Now I could pay that off fairly quickly or I can invest that money and get ahead.
IMO, if you're paying less than 6% a year it's probably a good deal and if it's over 8% a year you're getting screwed. Unless your buying something that is going to give an even higher return on investment. Aka it's ok to put an unexpected expen
Debt is not a tool. (Score:2)
My car is paid off. My credit cards I use purely because I can accumulate travel points (paid off in full bi-weekly). My house has a mortgage, because - given both the current and rising market costs - there is no way I could possibly afford to save up money for a house in the next 5-10 years while also paying the (rising) cost of rent.
I'm paying slightly more for the mortgage, but the fact i
Re: (Score:2)
This scheme doesn't allow that attack scenario, because the passcode would change before that "later date". If they attempted to use it immediately and directly you will have more information about who the attacker is, rather than just the nebulous information that somebody'
Re: (Score:2)