
VeriSign To Offer Passwords On Bank Card

Billosaur writes "Imagine the PayPal security tool embedded on a credit card. VeriSign is announcing that a deal is in the works to provide credit cards with one-time-use passwords. By placing the technology directly on the card, it becomes more convenient and provides an extra layer of security for online credit-card transactions. A cardholder would type in their information as normal and then would be prompted to enter the passcode displayed on the card. This means a user would need to have the physical card in hand in order to use it, thus thwarting identity thieves who steal credit card information but do not possess the card itself. VeriSign said it expects to announce a major bank using its cards in May."
  • O rly? (Score:2, Insightful)

    Imagine the PayPal security tool embedded on a credit card.
    I imagine myself never signing up for this card, then.
    • CVV? (Score:2, Insightful)

      by parodyca ( 890419 )
      Umm, how is this different from the CVV number which is already on cards for the same purpose?

      http://en.wikipedia.org/wiki/CVV_number [wikipedia.org]
      • by swimin ( 828756 )
        I'd assume that this number/password changes with a function of time or something similar. Though, I haven't read the article.
      • Re:CVV? (Score:4, Informative)

        by jmn2519 ( 954154 ) on Tuesday May 01, 2007 @03:06PM (#18946123)
        Because the number will change every minute or so. Just like the FOB from paypal. Basically what they are doing is taking that FOB with the LCD and changing the form factor to be a credit card (complete with mag stripe). Someone could steal your CVV or trick you into giving it to them. That becomes a lot more difficult with these one time passwords when the number changes all the time.
  • by minotaurcomputing ( 775084 ) on Tuesday May 01, 2007 @02:02PM (#18944999) Homepage Journal
    Dear VeriSign,
    Can I put in a request for the password 12345 before anyone else does?
    -m
  • I know this isn't the first application of this technology, Shell Oil used to use something like this for their programmers, but the device was considerably bigger than a credit card. Anyone care to guess how they are going to power this? External power source at the reader? Rechargeable cards?
    • Solar power seems reasonable to me. You don't need a lot of power, and if you just hold it out in the light, it should power up and provide the next number.
      • by Red Flayer ( 890720 ) on Tuesday May 01, 2007 @02:11PM (#18945171) Journal
        I've got one of these for international banking. The case is about 5 mm thick, could easily be thinner except for usability concerns for something designed to be a keychain. Solar powered, but could just as easily be mechanically recharged a la some of the watches on the market. It generates an 8-digit password from some time-based algorithm; when submitted to the bank, the bank server checks the password against all passwords possible for the previous short period of time.
        • If it is only solar powered (with no storage cell) then it wouldn't have an accurate clock (unless it also has an antenna and circuitry to go get the valid time). So I don't know that the time-based algorithm would work like it does with RSA SecureID cards. But if it is just solar power for the display and an actual storage cell or battery for the clock then it could indeed work like you mentioned.
          • I'm sure it has a storage cell. But it's been locked in a desk for two months without failing -- my bank says it's time-based, however.
    • I know this isn't the first application of this technology, Shell Oil used to use something like this for their programmers, but the device was considerably bigger than a credit card. Anyone care to guess how they are going to power this? External power source at the reader? Rechargeable cards?

      If I were doing this, I'd use something like eInk. This way, the only time an internal battery is used to drive the display is when the six-digit code number is being updated. Bonus points for making this card and

      • by ryanov ( 193048 )
        Finding a magnet might not be such a swell idea when talking about a credit card with a magnetic stripe.
    • by leenks ( 906881 )
      BT used this years ago in a credit card sized device (albeit a bit thicker) for access control. Certainly I saw such a device in the late 80's (the Father of a university friend worked in a senior position at BT).

      I don't see this as new - although it is somewhat unusual for anything involving finance to actually care about security... take this email I receive regularly for example (spot the number of "click here" links (MNBA rock, every bank should model themselves on this lame company):

      Just writing to giv
  • securid? (Score:5, Interesting)

    by 192939495969798999 ( 58312 ) <info AT devinmoore DOT com> on Tuesday May 01, 2007 @02:04PM (#18945049) Homepage Journal
    Wouldn't this basically be a version of SecurID? Why don't banks just roll out SecurID to everyone and get the same net effect?
    • Re: (Score:3, Insightful)

      by Lachryma ( 949694 )
      Exactly like SecurID, but without a separate token to lose and juggle for each account. It's right on the card.
      • Re: (Score:3, Interesting)

        by brunascle ( 994197 )

        It's right on the card.
        Judging by the size of the tokens, it'd be more that the card is right on the token.
        • Re: (Score:2, Insightful)

          by ady1 ( 873490 )
          Not sure if you're serious, but the last SecurID I used was quite tiny and judging by its size, I think it can easily be fitted into a credit card without making the card any bigger. Maybe a little thickness increase due to LCD or maybe they can use some alternate technology or thinner LCDs to not change the card at all.

          In fact I'm more concerned about the battery since that will be harder to fit into a card and may not last as long, or maybe not.

          https://www.softwareplusonline.com/catalog/product Detail.aspx?p [softwareplusonline.com]
    • It does sound like securid. I used securid for a few years and it worked pretty well.

      This will push up the size/weight/cost of cards somewhat ...and don't use your card to scratch the ice off your car.

    • Re: (Score:3, Insightful)

      by farnsworth ( 558449 )
      Why don't banks just roll out SecurID to everyone...?

      Because it's more convenient to have the device on the card. I carry many credit cards, I don't want to have a corresponding securid device for each card.

    • Re: (Score:3, Informative)

      by Zeinfeld ( 263942 )
      Wouldn't this basically be a version of SecurID? Why don't banks just roll out SecurID to everyone and get the same net effect?

      Because SecureID is a closed, proprietary system.

      The VeriSign/OATH scheme is patented but there is a royalty free license that allows anyone to make the cards/tokens/whatever.

      Also the OATH scheme is a counter based token, not a clock. A clock would not work on the card form factor, the battery would not last long enough to be interesting. A counter based scheme is much more p

  • by jimstapleton ( 999106 ) on Tuesday May 01, 2007 @02:04PM (#18945061) Journal
    How long is the cycle on the card? And how do they keep it from going out of sync? My watch loses about a second every day (ok, it's a cheap watch), but nonetheless, the only way it and the server can work is if the key is based on time. If that is the case, then the card's clock has to stay sync'd with the server's clock... Wouldn't that be a problem?
    • Re: (Score:3, Insightful)

      by jonnythan ( 79727 )
      Various companies have been issuing badges with changing keys like this for years. Several people I work with have them. They change about once a minute.

      So, I suppose it's safe to say they've figured those problems out.
      • I guess that's true, it's just a large scale rollout has me worried.

        btw: like the sig.
      • by daeg ( 828071 ) on Tuesday May 01, 2007 @03:09PM (#18946191)
        The server knows the last few values and the next few values -- any selected from a reasonable amount of time are generally permitted. Higher security requirements can lower the time window. But given a time code that changes once every 5 minutes, and a server that permits the current and previous/next two, that's a 25 minute window. So even an inaccurate clock that loses a second a day is good for almost 2 years without a clock sync.

        You could even build the terminals such that they sync the clock. Many terminals run on always-on connections now, so running something like ntp on them is feasible. You could use the clock skew to detect attempted fraud, too -- if you know the clock in a particular card loses 2.4 seconds a day from historical data, and the number of days between the last purchase * 2.4 seconds doesn't equal the real time, something is wrong -- possibly a forged card. It's easy to duplicate a magnetic strip, I'd bet it's harder to forge a purposely-inaccurate clock that varies from card-to-card.

        As an aside, I hope the electronics are recyclable and the credit card companies actively solicit returns of them. It'd be nice if the cover/numbers of the card were simply an overlay that could be replaced, along with the clear protective coating. Replace the front panel, sync the clock, put the new data on the magnetic strip, coat it, and wham, new card without wasting the electronic components.
    • by Anonymous Coward
      I've built a global login system that used the RSA SecurID which works like this.

      The server knows the previous token so if you get a token wrong it prompts you to enter the next token that appears.
      If both tokens are correct, then it can tell how much the clock is skewed, and adjust the time seed accordingly.
    • Already done (Score:4, Informative)

      by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Tuesday May 01, 2007 @02:22PM (#18945339)
      RSA has been issuing SecurID keyfobs with this technology for at least 10 years. Hundreds of thousands, if not millions, exist worldwide. While I am sure they had issues like this in the past they would have long since sorted it out. SecurID keyfobs are one of the standard pillars in the security chain - encompassing the "something you have".

      Usually you have to type in your password (the "something you know") along with the current number on the keyfob ("something you have"), in order to successfully authenticate with a SecurID system. They're very common in government; basically they make stealing passwords much less useful, since the hacker would need to steal both the password AND the keyfob - and if someone loses their keyfob they would be issued a new one and the original deactivated, so there is a small window of opportunity there as well.

      Frankly it is about time someone pressured the banks into issuing this technology. I have wished I needed a keyfob for online banking and CC transactions for YEARS. The initial expense of the rollout would be quickly offset by the savings in fraud I suspect.

      • by uab21 ( 951482 )
        ...The problem becomes when you have one of these tokens for each bank / account. The SecureID tokens are not small enough to carry more than one (I don't even like to carry the one I have). It sounds as if these may be embedded in the card, but multiple SecureID tokens would be a pain in the ass.
      • Re: (Score:3, Informative)

        by b0bby ( 201198 )
        The initial expense of the rollout would be quickly offset by the savings in fraud I suspect.
        My impression is that the card companies don't care too much about fraud, since mostly they just charge anything back to the merchant, who has to eat it. Card companies mostly care about getting people to use their card a lot, which is why you don't have to sign for lots of purchases under $25 these days. If a merchant gets some disputed charges, that's their problem.
    • by Kjella ( 173770 )
      Well, if it's anything like the RSA key I have for work, sometimes it'll accept the token, but ask for the next token as well. I imagine this is some sort of synch to correct for drift because the first one is outside the time window. An attacker that only caught a one-time token wouldn't be able to key in the second token, so security is still fairly well preserved.
    • by raehl ( 609729 ) <raehl311.yahoo@com> on Tuesday May 01, 2007 @02:58PM (#18945991) Homepage
      I'm surprised that you have 6 replies to your post that are all wrong.

      The cards don't generate the keys based on time. The keys are generated much the same way random numbers are generated in a computer.

      The way this works:

      You pick a number (seed) and a function that produces a pseudo-random output (the authentication key) based on an input. You program the same seed and function into both the card and the server.

      When you go to log in, you have your credit card use the seed and function to generate a key (key1). You send key1 to the server. The server then takes the seed and function it has on record and also generates key1. If the outputs match, which they should, congratulations, you've authenticated.

      Each time you request a key from the card, the card uses the last key generated as the input to the function to generate the next key. Each time you successfully authenticate, the server stores the key you authenticated with and the next time you try and authenticate it feeds that key into the function to generate the next key. Since both the card and the server know the last key they authenticated with and the function to compute the next key, they can both compute the next key.

      Seed->run function->key 1
      key 1->function->key 2
      key 2->function->key 3

      Etc, etc. The card and the server continue to generate the same keys to compare - so getting a new key is not based on TIME, but on how many authentications you've attempted.

      In practice, the server generally accepts the next key, AND some number of keys after that. So, if the last time you authenticated with key315, the next time you authenticate the server will check the key you present against not only key316, but also key317,318,319,320, etc. If the key you present matches any of those, it will accept your authentication and store that key as the 'last' key. This is to make the system more usable - in this case, you could generate 4 keys and not use them before your card would be too far out of sync with the server to successfully authenticate.
      • Re: (Score:3, Insightful)

        by Marillion ( 33728 )

        I think the reason why people have gone the way they have is because so many of us have held such a device in our hands. The elegance of the technology they're describing is that there is no input except ticks from a clock. Anything more complicated than that would require adding a button to the card. I'd hate to accidentally hit the "next key" button too many times because it was in my wallet and I sat on it.

      • by fwr ( 69372 ) on Tuesday May 01, 2007 @04:52PM (#18947981)
        You are describing another synchronous token system, everyone else is describing a more familiar synchronous token system. Both are valid and existing technologies. There are also asynchronous token systems. TFA says:

        "VeriSign was expected to announce a deal Tuesday with Innovative Card Technologies Inc."

        and

        "That code constantly changes, meaning the customer needs to have possession of the card to access the account."

        Now, ICT says this:

        "InCard has embedded an operating system into the card - the press of a button on the card activates a battery, circuit, and chip, which sends an algorithm-generated passcode to an embedded display. Each time the button is pressed, another passcode is generated. This passcode is good for only one use during a limited time, thus proving possession of the card and guarding against electronic fraud."

        and:

        "OTP generated with OATH or custom algorithm"

        This certainly sounds like a counter based synchronous system, but is it? How can it be "good for only one use during a limited time" if time is not a factor? What would stop you from generating a code, writing that down, and using it days or weeks later? I'm not pointing this out to question the security of the device, as I believe they would still be secure (just don't generate codes and write them down where they can be stolen along with your card number!). I'm pointing it out because it leaves one to question whether this is truly a counter based synchronous system.

        OATH's definition of an OTP token is the industry standard:

        "OTP (One Time Passwords) authentication (commonly used today) can be divided in two types; synchronous (based on a transformation of a common shared secret and a moving value that is synchronous on both the server side and the client side. This method is what usually is referred to as OTP) and challenge-response (in which a server generates a challenge value that will be transformed by the client based on a secret shared between the client and the server)."

        They call asynchronous authentication challenge-response, but it's all the same. The OATH Reference Model does say this:

        "OATH has endorsed a new OTP algorithm standard called HMAC-based OTP [HOTP], based on the HMAC SHA-1 algorithm. It is an event-based OTP algorithm, in which a counter value is used in the OTP calculation and incremented on the client and server after each use. The algorithm has been submitted to the IETF for standardization as an Informational RFC. Areas of future work include possible extensions to the current HOTP algorithm, such as:
        - Time-based OTP algorithm variant
        - Counter-based re-synchronization method for clients that can send the count value to the server along with the OTP value
        - Composite shared secrets (e.g., based on user PIN or other deterministic data for computing the shared secret)
        - Addition of a data field for computing OTP values
        Additionally, OATH will also look to promote standardization of other low cost authentication technologies, specifically targeted towards consumer usage scenarios. Some of the areas that OATH is investigating include scratch-cards and methods derived from battleship or bingo cards."

        So it certainly looks like your guess that we are talking about a counter based system rather than a time based system is accurate. However, it's still a guess; until more information is available we just won't know. Did Verisign specify their own algorithm that is time based as ICT says they can support (the alternative algorithm, not necessarily anything that requires a clock)?

      • by bit01 ( 644603 )

        That's good. But where is the second number? The one where the bank authenticates themselves to me?

        So that I know I'm not at a phishing site. One-way authentication is not good enough in any situation where both parties can be spoofed.

        Bricks-and-mortar banks are hard to spoof but not so web sites or telephone numbers.

        ---

        DRM. You don't control it means you don't own it.

    • I was thinking that instead of a card, it would be neat to have a little USB device that could receive an encoded package from the payment website, decrypt it, and then display said code on a small LCD. The user enters the code, and proceeds with the transaction.

      That way you have a code unique to the user (or at least the USB device) and verification in return that the owner has access to the device.
  • Power? (Score:4, Interesting)

    by airos4 ( 82561 ) * <changer4NO@SPAMgmail.com> on Tuesday May 01, 2007 @02:05PM (#18945069) Homepage
    So as I understand it from the article, there'll be some sort of "device" in a corner of the card, with a "display window" that shows the randomized password? How's it powered? How's it controlled? What happens when the battery in my credit card is dead?
    • It's powered by clean safe(tm) Atomic power, so the battery never dies!

      Ok it's just a watch kinda battery but it'll still last longer than the expiration on your credit card.

    • How's it powered?

      Likely, by a small lithium battery. However, the power requirements are small enough that a solar cell/capacitor arrangement or a very small mechanism that generates a small current from motion (think Eco-drive watches) would be feasible solutions in the future.

      How's it controlled?

      See how RSA SecurID works here [rsa.com].

      What happens when the battery in my credit card is dead?

      Replace it. The server should resync with the unit after one failed attempt (it will just ask you to enter the next code).

      • Dead battery (Score:3, Insightful)

        by Radon360 ( 951529 )

        On second thought to the dead battery thing: A lithium battery should be able to power the card for 3 years or more. The card company would just have to make a point to reissue a new card every two years or so to avoid that problem. This would eliminate the problem of changing the battery and allow it to be sealed into the card.

      • by vux984 ( 928602 )
        Likely, by a small lithium battery.

        And disposable too? Good for the environment then.

        However, the power requirements are small enough that a solar cell/capacitor arrangement

        My wallet is pretty dark. How is it going to keep time if it's only exposed to light briefly a few times a week?

        or a very small mechanism that generates a small current from motion (think Eco-drive watches) would be feasible solutions in the future.

        One of my cards spends most of its time in a drawer. Same issue, sure it'll have enough power when
    • Easy fix for all of the above.

      1. Robustness - put the fragile bits (screen) in the merchant terminal.
      2. Time sync - see above.
      3. Battery power - recharge when you put the card in the terminal.

      Granted, that does not fix hacked terminals (as reported here) or 'man in the middle' attacks, but that's not what the device proposed is trying to do.

      All the same, perhaps mobile phones have more promise for secure payment devices...
  • by Anonymous Coward
    Um. How's that practical with a credit card again?

    And what about when I'm paying for gas with a credit card. Do I have to go in to give the guy the password, or are they changing out all the pump credit terminals for ones with full keyboards?
    • by raehl ( 609729 )
      Do I have to go in to give the guy the password, or are they changing out all the pump credit terminals for ones with full keyboards?

      Or maybe instead of asking you to enter a 5-digit zip code, you enter a 5-digit one-time-PIN.
  • No way. (Score:1, Offtopic)

    by pair-a-noyd ( 594371 )
    Sorry Verisign. I don't trust you. Period.
    And I don't want you to have ANYTHING to do with my financial information. Period.
    Stay away from my bank account. Stay away from my CC. Just stay away.
    I'm worried now because my Credit Union just sent me a new VISA card for no reason,
    my current one doesn't expire until late next year but my CU is telling me they are going to
    expire it this month and I'm compelled to use the new one they sent. What a pain in the ass.
    Now I have to change all my online accounts tha
    • They probably sent you a new card due to the TJMaxx fiasco. I had a new card and account # forced on me by CitiBank for the same reason.
    • I don't trust verisign at all. They are rolling out this solution. This news makes my skin crawl. This moderation makes my blood boil.
    • by Alereon ( 660683 ) *

      Disclaimer: I am a VeriSign employee, but this post is solely my own opinions, made off-the-clock on my own time. I work in a completely separate division of the company than the one responsible for this product, and in fact this Slashdot story was the first I've heard of it.

      What do you have against VeriSign? As far as I know, the only "bad thing" the company has done is SiteFinder. While that was a very serious breach of the trust the community placed in VeriSign as a DNS provider, it did get dropped re

    • I don't think you're offtopic at all--so now whoever it was can mod me down as well.
    moderator on crack !! moderator on crack !! or at least high-in-the-stars ;)
  • Isn't anyone afraid just because paypal is going to use it? With their security track record?
  • Well.. (Score:5, Funny)

    by Anonymous Coward on Tuesday May 01, 2007 @02:20PM (#18945309)
    my password is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Oops!
  • Durability (Score:4, Interesting)

    by eimsand ( 903055 ) on Tuesday May 01, 2007 @02:22PM (#18945333)
    My immediate concern is durability. Credit cards take a lot of punishment. I probably replace my credit card once a year because the magnetic strip has become damaged and no longer readable. All the same, magnetic strips have shown great durability for putting up with a fair amount of punishment. I'm not sure I can visualize an LCD screen thin enough to be incorporated into a card that will withstand 175+ lbs of pressure for hours at a time. And that doesn't even consider the circuitry involved in generating the passcode.
    • Re: (Score:3, Insightful)

      that will withstand 175+ lbs of pressure for hours at a time.

      Let me guess, you take the George Costanza approach and stick napkins under your other ass cheek so you don't have to sit at an angle.

      Why do men insist on sitting on their wallets all day long? Take them out of your back pocket! Put it in your desk drawer, a backpack, any place but your back pocket. I leave mine in my car when I'm at work. Why bother bringing something else to work that you won't use and have to carry it back out at t

      • Why do men insist on sitting on their wallets all day long? Take them out of your back pocket! Put it in your desk drawer, a backpack, any place but your back pocket.

        It sits in my center console while I drive and on my desk while I work, but if I'm in a restaurant or something, it needs to be in my back pocket. My front pockets are already taken and I'm not putting it on the table etc.

        I leave mine in my car when I'm at work.

        I sometimes need something from mine when I'm at work. But then, we have restaura

        • but if I'm in a restaurant or something, it needs to be in my back pocket. My front pockets are already taken and I'm not putting it on the table etc.

          You shouldn't make a habit of putting your wallet in your back pocket when you are sitting, it's bad for your back and can lead to long-term musculoskeletal problems. If you've no room in your front pockets from all the devices you carry, you should consider carrying a manpurse. Or just simplify your device load.

          the solution that works for you does not wor

        • I have, right now, in my front pockets:

          1 George Kastanza wallet, containing receipts back to 1995
          2 key chains, including:
          - One LED flashlight
          - One leatherman
          - One small swiss army knife
          - ~35 various keys
          - Nail clippers
          - Ninja Remote
          - ~ 10 supermarket/blockbuster/best buy/etc discount program dongles
          - Craftsman 4-headed flat-head screwdriver
          - large car key
          - remote car opener dongle
          ~ 5 various tags (volvo/strongbad/etc)
          and TWO cell phones.

          If you can't fit your wallet in your front pocket with the rest of you
          • So what you're saying is that you're walking around with pockets bulging like the cheeks of a chipmunk on free nut day. I choose not to look like I'm wearing jodhpurs when I walk down the street.
            • Not at all. (Score:3, Funny)

              by raehl ( 609729 )
              So what you're saying is that you're walking around with pockets bulging like the cheeks of a chipmunk on free nut day.

              I solved that problem by adding 30 lbs to my waistline. Now the pocket bulges are barely noticeable.
      • I leave mine in my car when I'm at work. Why bother bringing something else to work that you won't use and have to carry it back out at the end of the day?

        One of my friends had his car broken into and lost his wallet. The police detective told him that it's not a great idea to leave any values (such as a wallet) in your car. Getting everything replaced was a real hassle for him. I'm assuming that you've had no issues so far? You must live in a pretty safe area (or you stash your wallet in an inconspicuo

      • by 6Yankee ( 597075 )
        Why do men insist on sitting on their wallets all day long? ... I leave mine in my car when I'm at work.

        Cool, where do you park? Just curious.
  • by mpapet ( 761907 ) on Tuesday May 01, 2007 @02:26PM (#18945393) Homepage
    This technology has been around for some time actually. If there are any smart card developers hanging about, they might point you in the right direction.

    As someone with intimate knowledge of bank card costs and the infrastructure required to support a new bank card, the likelihood of this happening is slim to none. "Impossible!" you say. Please consider the following.

    1. The cost of producing these cards is extremely high relative to the plastic most users have. On order of 10x.

    2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.

    3. The banks can't shift the costs of this new-fangled card off to the merchants. FYI: The merchants shift the cost of accepting bank cards and paying for fraudulent transactions to all consumers.

    The project will be a nice idea that they can use as an example to regulators that they are "enhancing customer security," but is destined for the shelf.

    What's needed here is an OSS banking system, not the one we currently have.
    • by BeBoxer ( 14448 )
      1. The cost of producing these cards is extremely high relative to the plastic most users have. On order of 10x.

      2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.


      That might be, but some sort of improved hardware is going to be required to stem the losses from credit card fraud. The simple fact is that CC security right now is basically at the plain-text password stage of the security game. Every store you "authenticate" to ends up with all the informa
      • Missing The Points (Score:3, Interesting)

        by mpapet ( 761907 )
        ... stem the losses from credit card fraud.

        What you fail to acknowledge is the merchant and, eventually you and I pay those fraud costs. Banks do not assume the costs associated with fraud. Period. Therefore, the bank card system works pretty good for the banks.

        You also are completely unaware there is a rather secure banking standard used in many parts of the industrialized world. If _that_ was implemented we'd be much better off. But the banks can shift the costs of the standard, so it doesn't get imp
    • 1. The cost of producing these cards is extremely high relative to the plastic most users have. On order of 10x.

      10x cheap still isn't expensive for those willing to pay the extra few bucks for increased security.

      2. The costs of integrating a new kind of card into banking/CRM infrastructure is another huge cost center.

      The producers are VeriSign. Reasonable speculation follows: This feature is intended to help secure web transactions, not the kind where you must be physically present. The back end and fro

      • by mpapet ( 761907 )
        10x cheap still isn't expensive for those willing to pay the extra few bucks for increased security.

        So far, the bank has 1 customer, you. Banks will pass all of their new card, IT systems, employee training, legal overhead, costs onto you. Given there are clever managers in banks, I'm sure they'll find some other costs for you to pay. That makes the card you want to order in the double-digit-millions of dollars.

        Now, what about the going forward costs of promoting and implementing the backend software tha
        • So far, the bank has 1 customer, you. Banks will pass all of their new card, IT systems, employee training, legal overhead, costs onto you.

          First of all they will have more than one customer. 2nd of all, the only additional cost the banks have is the card itself. Which, given that it's only 10x the cost of plastic (your estimate), isn't that expensive... especially considering the banks and merchants would have to cover the cost of unauthorized less secure transactions anyway. VeriSign is the one running t

      • by mpapet ( 761907 )
        Reasonable speculation follows:....

        No it doesn't. Online transactions can be quite secure with an EMV compatible smart card and smart card reader. There's even open source middleware for it.

        Verisign is adding no value other than their brand.

        Verisign is totally Jumping the Shark on this one.
    • Re: (Score:3, Insightful)

      by LS ( 57954 )
      So you're saying the cost of these cards is going to be more than the massive amount of fraud that the credit companies face? That's not possible. Also, banking software is not general purpose, publicly usable software. The amount of software in this category that is written by open source authors is virtually nonexistent, and furthermore it's millions of lines of highly secure code. Who's going to write this "OSS banking system"?

      LS
      • What Massive Fraud? (Score:3, Informative)

        by mpapet ( 761907 )
        massive amount of fraud that the credit companies face

        No. The burden of payment fraud falls on you. This is a simple fact. Sadly, you aren't aware of this.

        Read the following carefully. Re-read it if necessary.

        Banks do NOT assume the costs associated with fraud. The merchants accepting bank cards assume the cost of the fraudulent transaction. Let me give you an example:

        I buy a book from amazon.com with a stolen credit card, Amazon eats the cost of the book and the transaction PLUS those charges have to
  • While I applaud companies for looking for better security solutions, there are many potential issues to consider. Durability, longevity of the battery powering the card, extra manufacturing costs and waste. It seems like a mass roll out would be problematic. And what about recurring charges? Would a company need to get reauthorization for every scheduled charge?
    • I'm guessing that businesses will be able to use this passcode when authenticating a card that a user has attached to an account. Afterwards, the passcode need not be used to authorize and charge for purchases. At least that's the only way that it would make sense to me.

      It's kind of like the 3-4 digit security number (CVV2) on most cards - merchants don't need to pass it to the processor/bank, and if they do they can charge the card even when the number doesn't match. It's just not in their best interest
  • by madsheep ( 984404 ) on Tuesday May 01, 2007 @02:39PM (#18945629) Homepage
    First, before I go into why it's a good idea and how it's hackable, let me address a bunch of these posts above. *YES* similar ideas have been done before and *YES* this is very similar to an RSA SecurID token (or product of similar vendors). However, the BIG difference here is that it is built-in to your EXISTING credit/debit card. You do NOT have to carry an additional device. Get it? See that credit card you have already? OK.. imagine it with a little changing number on it. There you go! Basic reading 101 folks. End of the sarcasm too..

    This is a great idea and will go a long way to stop illegal credit card use/reuse. Especially in the case of a compromised database. However there are a few issues and ways this is still possibly hackable.

    Issue 1: SecurID is not even foolproof currently. Why? Well, hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now.

    Issue 2: What algorithm are they going to use? How easy can it be cracked? If they're teaming with RSA then I think they will be pretty good so long as the seed files aren't compromised. This shouldn't really happen, but who knows. If the algorithm was weak, it could potentially only take a few consecutive numbers to start generating the future numbers. However, who knows how feasible this will be.

    I think it sounds like an excellent idea. Question is.. how much will it cost the consumer? If anything.
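    The replay problem described in Issue 1 above is a server-side gap, not a property of the card: the code stays valid for its whole time step unless the verifier remembers that it has already been consumed. The following is an added illustration (not VeriSign's or RSA's code, and the one-minute step, seed bytes and timestamps are constructed for the demo) of an RFC 6238 time-based code generator beside a verifier that tolerates one step of clock drift but refuses any step at or below the last one it accepted, so a code captured by a fake form and replayed within the same minute is rejected once the genuine merchant has used it.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: the card's number rolls over about once a minute
DIGITS = 6


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1, dynamic truncation."""
    counter = int(unix_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class CardVerifier:
    """Server-side check for the code printed on the card.

    A submitted code is accepted if it matches the current step or one step on
    either side (clock drift), but only for steps strictly later than the last
    step already consumed.  That second rule is the replay defence: a phisher who
    harvested the code and resubmits it after the real transaction gets a reject.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_counter = -1  # highest time-step counter accepted so far

    def verify(self, code: str, unix_time: float) -> bool:
        now = int(unix_time // self.step)
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: replay
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through the fake-form scenario: first use, replay, then a fresh code."""
    secret = b"constructed-demo-seed-not-a-real-card-key"  # constructed, not a real seed
    t0 = 1_700_000_000  # constructed timestamp (20 s into a one-minute step)
    verifier = CardVerifier(secret)
    code = totp(secret, t0)
    return {
        "first_use": verifier.verify(code, t0),                       # genuine merchant
        "replay_same_minute": verifier.verify(code, t0 + 20),         # phisher, same step
        "replay_next_minute": verifier.verify(code, t0 + 70),         # phisher, drift window
        "fresh_code_next_minute": verifier.verify(totp(secret, t0 + 70), t0 + 70),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

    The consumed-step rule only helps once the legitimate submission has reached the issuer; a phisher who relays the code to the real merchant before the victim does still wins the race, which is the real-time man-in-the-middle case the replies below discuss, and is why the window (here one minute) should be as short as the card's display allows.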
    • Re: (Score:2, Insightful)

      by Pap22 ( 1054324 )

      Issue 1: SecurID is not even foolproof currently. Why? Well, hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now

      I think the basic idea is to prevent fraudulent purchases by r

      • You're right about the idea behind it and we agree there. However, there are man-in-the-middle type attacks that occur here. I don't think I want to get a link to my e-mail every time I visit a shopping website or log into my bank. Chances are it's just an additional layer that has to be entered when making a transaction or logging in. If someone fakes this form or snoops it, they can quickly use and replay the information. This is why a lot of compromises in areas that use SecurID still occur. I send
        • by vidarh ( 309115 )
          Limiting fraud to within a minute after getting a user to enter their details on a fake form is huge though. I've run billing system handling a million dollars a month in payments, and we had people from all over the world hammering us with US credit card numbers, apparently mainly to try to test whether the card numbers were still valid (as the service we offered would be useless to them but was cheap enough to be worthwhile to test with). A fairly high percentage of those cards were already reported stole
          • Agree there as well. I am 100% for this and think it is wonderful if implemented appropriately. I am not saying the MITM scenarios will make this useless by any means. This will go a long way to stopping fraud. However, the attackers will then just try and get more targeted and sophisticated. Guess what.. they just stole your information and don't have the current code. Well, you probably entered in a phone number. So they're probably going to start calling you pretending to be the "bank" when they
  • I do, anyway. I don't trust Verisign, period.
  • Smart Cards, anyone? (Score:3, Interesting)

    by saikou ( 211301 ) on Tuesday May 01, 2007 @04:30PM (#18947627) Homepage
    Oh wait, there already were attempts to put a smart card on a credit card in the US. Amex Blue, for example, started out as one. Practically the same "dongle on the chip" but without a readable display, and with an interface for the terminal to read.
    Instead they threw it out and switched to "RFID" chip on the card. So you can use the chip for additional verification, and copying card becomes much harder.
    If the contactless payment system (Exxon stations, fast food places, and some other point of sale terminals are running trials) spreads any further, this new proposal of VeriSign chip on the credit card becomes almost irrelevant (especially when combined with solution like Verified by Visa, where you can add extra verification for online-only orders).
  • by Allnighterking ( 74212 ) on Tuesday May 01, 2007 @08:52PM (#18950275) Homepage
    I had an immediate vision of the ATM asking me what the number displayed on the card is .... and of course the card is inside the ATM at the time....
