Credit Cards To Feature Mutating Passcodes

A major bank will offer credit cards with built-in, constantly changing passcodes starting in May.

When shopping online, consumers will enter in all their information like normal, as well as a six-digit code displayed on the card. The code will change every 30 seconds.

Basically it’s the Paypal security key fob, except hardwired into the card. Just like that device, users will have to actually have the physical card in order to conduct the transaction. This could be a major security measure in this age of rampant credit card fraud, and identity theft, where thieves trade stolen credit cards around the interweb in blocks of thousands at a time. — BEN POPKEN

VeriSign to offer passwords on bank card [AP]
(Photo: Sam Wilkinson)

Comments


  1. blander says:

    We use these key fobs at work and have to pay $50 if we ever lose them, because of the need to reprogram a card and change the code associated with your account. I wonder if these cards are going to have some sort of similar penalty for losing them.

  2. Kornkob says:

    $50 for 2 minutes of someone’s time? That’s all it really costs to change the code associated with your account and disable the lost item.

    That $50 is the approximate replacement cost of an RSA passkey (or it was a couple years ago when we were looking at them).

    Now– the real question is this: will credit card companies save enough money in reduced fraud that they are willing to eat the lost card costs (never mind increased replacement frequency because of limited battery life).

  3. wesrubix says:

    if they use e-ink the battery life could be a lot longer than we think. Moreover, maybe they’ll slip a tiny solar cell in there.

    as for paying $50/loss, maybe that’s just a punishment fee to make you afraid of losing your fob. In all my history of having jobs with fobs (ha) I’ve never encountered an employer that charged for them.

    Ah yes, the costs and complications of 2-factor authentication. Something you know and something you have…

  4. Charles Duffy says:

    Back in school I got a research grant for a similar proposal, except that it required the user to enter a PIN [small keypad on the "card" itself] (so just possessing the card wasn’t sufficient) and tried to work with preexisting physical equipment (for card-present situations). Finding enough bits to have a meaningful one-way hash (in addition to the card’s fixed “public” number — a separate, associated private number went into the hash to make brute-force attacks harder despite the shortened hash length) while still fitting inside a typical CC# and passing the Luhn check was… challenging. I don’t remember right now whether I met that goal or fell back to requiring vendors’ equipment to be updated.

    The information included also included a usage count (to avoid replay attacks, such that each time the card was used money could only be deducted based on that usage once; this went inside the hash) and a price value (so if the customer agreed to one price and entered that on their card, they couldn’t be charged a different value; this went both inside and outside the hash). I’m gathering that the proposal here is significantly less capable — protection only against replay attacks that take place outside of the 30s window, no PIN (to protect against cases where the physical card is stolen), no mechanism to verify that the price charged is the price the consumer agrees to.

    But it’s something (and something useful, as opposed to something that gives a happy security feeling but no real security at all… there’s a lot of that going ’round these days), and a significant improvement on the current state of affairs.

  5. Michael Wales says:

    This could lead to some potential problems. I see people on 56k having issues with their 30-second password changing between the time they click Submit and the data actually being processed.

    This will also affect the designers of these forms – security code now needs to be the last thing entered. You don’t want users entering the credit card info, then filling out billing for 2-3 minutes, and now their credit card information is incorrect.

    Finally – how is the bank notified of the correct security code? I simply can’t believe they are using a wireless network connection to transmit this data (insecure, and what about those people not in a hot spot). This means the security code is nothing more than an algorithm based off of time and the data stored on the card (card number, address, etc). Since it’s nothing more than an algorithm – it can be broken.

    Just like video games require you to have the jewel case in-hand to enter the serial number during installation (unless you have a key generator), I see key generators cropping up for these cards fairly quickly.

  6. levenhopper says:

    So how would it work? In the store, you enter the password on the pinpad? That means every pinpad in the nation would need to be reprogrammed. And it would need to know that only certain CCs require the said password.

    Or is it only an online feature?

  7. dantsea says:

    Oh lord. If you think wait times to speak to your credit card company are bad now, just wait until this hits wide deployment and Mom and Pop Normal start flooding the lines, demanding to know why they couldn’t complete their eBay purchase.

    I agree it’s probably a necessary security step, but I get dizzy just thinking about the learning curve involved with it, for most people.

  8. Lars says:

    @Michael Wales: Agreed on the 30 second time shift. That’s not much time between the entry of the data and the submission for purchase.

    Moreover, what happens when your password changer becomes inoperable for whatever reason (battery, chemical assault, electro-magnetic problem)? Currently I can purchase online whether or not my credit card is functional in readers.

  9. mac-phisto says:

    my (f/k/a) mbna mastercard used to have an online shopping feature where you could get a card number generated anytime you shopped online w/ a simple click-thru on their banking site.. the card number would ONLY be usable once, so if someone thieved it, they wouldn’t get too far. i used to love that feature. don’t know what happened to it. that’s seems far more useful & less complicated than a fob.

  10. kerry says:

    @mac-phisto: Discover still does this. I’ve never tried it, because I’m just too lazy. I’m thinking maybe I should start.

  11. jaredharley says:

    @mac-phisto and @kerry: My Citi card has this feature too. I’ve used it to order magazines subscriptions online – I set the “card” to expire in a month, and set the total “credit available” to just above what I’m paying – that way, if they try to set me up for a recurring charge or some such thing, no dice for them!

    Also, I wanted to know if anyone else came across this, but my local Papa John’s (pizza place) asks for the 3 digit security code on the back of the card when you order by phone. It creeps me out, so I only order online now or pay cash when they deliver.

  12. Pawpaw323 says:

    If you want to know how the technology works, go to http://www.incardtech.com, which is the website for the company that manufactures the password cards. The product sheet is here: http://www.incardtech.com/pdfs/ProductSheet.pdf.

  13. FLConsumer says:

    What the heck is the “thing” in the picture on top of the credit card?

    I’ve wondered why we don’t at least have PIN numbers on cards in the US. I’ve seen them used abroad, but not here. Sure, it can be stolen (phished) from anyone just as easily as the number, but at least it’s not easily obtained from having the card itself in your hands.

    I like the Verisign thing overall, BUT, how am I supposed to fit a card that thick in my wallet? Will it break if I sit on it while it’s in my wallet?

  14. shdwsclan says:

    This means the code is actually being displayed on the card itself….the problem is, you can actually take apart the card, and download the algorithm and generate numbers for other cards with it…..bad idea….really bad idea…

  15. Chaoticfluffy says:

    @FLConsumer: Looks like a plush squid to me. Makes perfect sense for a post about credit ca-…no, wait… wtf?

  16. Snakeophelia says:

    I work from home one day a week, and to log in to our network remotely I need my login name, the six-digit code off my RSA token AND a six-digit personal password that I change whenever I like. This means even if someone steals my RSA token and guesses my login, they still can’t get in. Perhaps the credit card companies are considering something like this?

  17. @jaredharley
    I’ve experienced the same with various delivery pizza places (Great Alaska Pizza Company is one). I just explained to the person on the phone that I won’t give them that number as it is the only way to verify the person actually has the card in hand – and I don’t want him to be able to do that with my card.

    Of course, he came back with “How do I know you have this card in your hand without the number?”

    “Well, you now know I’m ordering from Domino’s…”, was my response and his manager decided to go ahead and take my order without the number.

  18. urban_ninjya says:

    I think it’s a good idea. It offers more security, not less. Of course you’re still screwed if someone steals the physical card, but it protects a bit against people who guessed your credit card number via a luhn check generator or have somehow photographed your physical card & have all the billing information needed to charge your account normally.

  19. orielbean says:

    They are subject to a man-in-the-middle attack, where the hacker site takes your passcode, makes you think you did it wrong, then uses that to get into the banking site. It then redirects you to the real site on your 3rd attempt, so you will eventually be able to log in for real. But the damage is already done at that point… It is more secure than other methods, but it’s already been broken. It syncs up using an algorithm, but it is a very robust security method.

  20. Indecision says:

    @shdwsclan: “…the problem is, you can actually take apart the card, and download the algorithm and generate numbers for other cards with it…”

    Wrong. How do you expect to generate the *correct* numbers for another card? You’ll need to know that card’s private key, and you won’t get it unless you have the card in your possession. And if you’ve got the card, then why do you need to break the algorithm?

    The fact is, knowing the algorithm doesn’t mean you can break into anything. Public-key encryption relies on this fact. The algorithms are well-known and openly published, and yet it’s possible to encrypt files in such a way as to be, for all intents and purposes, unbreakable.

  21. Indecision says:

    @orielbean: “They are subject to a man-in-the-middle attack, where the hacker site takes your passcode, makes you think you did it wrong, then uses that to get into the banking site.”

    You give these guys too little credit. I’m not even a security expert, and here’s how I’d make your efforts to hack my users meaningless…

    1) First of all, the number you collected works precisely once, for (less than) 30 seconds. This means you have to either be present to use it the moment it’s collected, or have a *very* good automated system. In case of the latter…
    2) Too many logins to different accounts from the same IP address locks you out of the site for a while.
    3) Any single account can only be logged in from one location at a time. The moment the user gets to the real banking site and logs in, you are logged out.
    4) I might also require you to answer a security question if you’re not logging in from your usual computer, identified by cookies, browser ID string, and/or IP address.
    5) Aside from all of the above, logging in only lets you look. If you want to actually move any money around, you’ll need to enter another number from the card.

  22. MaliBoo Radley says:

    I’m not super interested in the article, but I really want a toy octopus! Where can I get one of those?

    http://www.kilgorekitchen.blogspot.com

  23. Moosehawk says:

    @levenhopper

    It would only be an online thing. If someone physically stole your CC, they would have the password anyway.

  24. Jara says:

    The plush cephalopod is a Beanie Baby. I have one. Probably readily available from some stores and/or Ebay.

  25. MeOhMy says:

    A stuffed squid? Come on now…wouldn’t everyone prefer a stuffed Cthulhu?

  26. Solo says:

    @Kornkob:
    “will credit card companies save enough money in reduced fraud that they are willing to eat the lost card costs.”

    Sorry to burst your bubble, but credit card companies don’t bear the cost of fraud, merchants do, because fraudulent use always results in a chargeback. And the merchant has to eat the loss.

    If anything this gizmo will save some grief for the merchant, as the transaction can be recorded as “card present”, which comes with lower risk (and lower fees).

    Also, talking about merchants, they are also bearing the cost of the “reward”. For the privilege of taking your money on one of those kickback cards, the merchant gets to cough up a higher fee. And you thought your credit card company was being nice to you… how naive…

  27. Charles Duffy says:

    @Indecision: It’s not quite that easy. Attackers can spread their originating IPs out through a botnet, making countermeasures that just look for a lot of attempts coming from a small set of compromised hosts useless. The security question is easily worked around — just ask the user for their security questions again when they’re logging into their regular site; something like 60% falls for that if it’s done with a slick enough UI. As for only allowing one login at a time — well, if you’re running arbitrary code on their machine (and if you’ve rented a botnet, you can do that), you can redirect them to a fake “sorry, we’re down right now” site instead of the real thing after stealing their info; hence, they don’t then get to log into the genuine site. Etc.

    Getting too complacent in the security measures one has deployed is a sure way to end up with an embarrassing incident.

  28. Charles Duffy says:

    @Michael Wales: Just because the code changes every 30 seconds doesn’t mean that the old one is invalid the second a new one shows up. It’s conventional in situations like this to have a sliding window for validity.
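The article's 30-second rotating six-digit code and the sliding validity window described in the comment above, as an added illustration that is not part of the original post or of any product mentioned on the page. It uses the standard HMAC-based one-time-code construction (RFC 4226/6238 style) with a per-card secret, and the issuer-side verifier accepts the current step or one adjacent step while refusing to accept a step it has already consumed for that card, which is the replay concern raised in comment 4. The card number, secret and timestamps are constructed values for the demo.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # code lifetime, matching the article's 30-second refresh
DIGITS = 6          # six-digit code, as the article describes


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a given time-step counter (HOTP/TOTP construction)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def current_code(secret: bytes, now: float) -> str:
    """What the card's display would show at Unix time `now`."""
    return code_for_counter(secret, int(now // STEP_SECONDS))


class Verifier:
    """Issuer-side check for the code typed into a checkout form.

    A code is accepted if it matches the current 30-second step or any step
    within `window` steps on either side (the sliding window), so a code read
    off the card just before it rolled over is still usable. Each (card, step)
    is accepted at most once: a captured code cannot be replayed inside the window.
    """

    def __init__(self, secrets: dict, window: int = 1):
        self.secrets = secrets      # constructed: card number -> per-card secret
        self.window = window
        self.last_used = {}         # card number -> highest step already consumed

    def verify(self, card: str, code: str, now: float) -> bool:
        secret = self.secrets.get(card)
        if secret is None:
            return False
        counter = int(now // STEP_SECONDS)
        for delta in range(-self.window, self.window + 1):
            step = counter + delta
            if step <= self.last_used.get(card, -1):
                continue            # already consumed (or older than one consumed): reject replay
            if hmac.compare_digest(code_for_counter(secret, step), code):
                self.last_used[card] = step
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed, not a real key
    v = Verifier({"4111-demo": secret})
    t0 = 1_000_000_000.0                          # constructed timestamp
    shown = current_code(secret, t0)
    print("displayed:", shown)
    print("accepted 29s later:", v.verify("4111-demo", shown, t0 + 29))
    print("replayed:", v.verify("4111-demo", shown, t0 + 29))
```

The window makes the slow-checkout complaint in comment 5 mostly moot, while the per-card `last_used` marker is what stops a code captured by a phishing page from being submitted a second time; the code still protects only against reuse, not against the price substitution or stolen-card scenarios comment 4 mentions.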
