New Credit Cards Incorporate Security Key Fob Features

This new kind of credit card, being shown off at trade shows, is designed to protect against losses from identity theft by building a security key fob into the card. The idea is that when you buy online, swipe at the store, or take money out of the ATM, you hit a button to randomly generate a unique, disposable key code, then enter that code to verify the transaction. This way, someone would actually have to steal your physical credit card to commit fraud. Best of all, it’s the same size and thickness as a regular credit card.

Credit Card Embedded Authentication Device [Info Products Security Guide]

Comments

  1. Trevor says:

    I wonder how much thicker it is than a current credit card. If it’s the same size exactly I think this is a brilliant idea. If not, it won’t fit properly into wallets or swipe properly through machines.

  2. 3drage says:

    Interesting concept. I wonder if it works the same for online transactions, if so, brilliant.

  3. mopar_man says:

    @Trevor:

    If they made the stripe part the same thickness as regular cards and bulked up the display area, it’ll work in machines but you’re right on the wallet thickness.

  4. INconsumer says:

    Even if it was a key chain as opposed to a thick card, the idea is heading in the right direction. I think this should only be used for purchases made without the card being present.

  5. Hedgy2136 says:

    If they can incorporate a PIN, similar to the existing RSA cards, it could conceivably eliminate (or at least drastically reduce) fraud.

  6. qwickone says:

    @INconsumer: but can’t thieves get your number and then make a physical card (I think I’ve heard of that)? In that case, I would want it for all transactions.

  7. savvy999 says:

    20 years ago I used to have a little calculator that looked just like that, but alas, the LCD in it no like being in my wallet in my back pocket.

    So I guess displays are flexible now. Cool. How is that thing powered? Solar? No battery I know of is thinner than a credit card.

  8. ChChChacos says:

    I agree with Savvy999 above, how will this thing be powered?

  9. lalala1949 says:

    Savvy’s comments have been the most interesting this week. He wins the comment award in my book

  10. liquisoft says:

    OH NO IT WILL END THE CONVENIENCE OF USING A REGULAR CREDIT CARD!
    So much for those Visa commercials that imply credit cards are so quick and easy and that cash is soooo cumbersome that it restricts the flow of consumerism.

  11. @ChChChacos: It is being powered by awesomeness!

    Seriously though, there was a commercial a while back for a watch that had a battery that was recharged by the wearer’s movements. If it isn’t solar powered perhaps it does that.

  12. IphtashuFitz says:

    My big question is how user friendly these things will be.

    We had a type of key-fob for computer access at a previous job of mine. The fob had buttons to enter a PIN and then would display the OTP. If you screwed up the PIN a preset number of times then it would lock the fob until it was brought back to the IT department and unlocked. I know one guy who finally convinced the IT department to do away with the lockout feature on his fob because his 2-year-old son thought the fob was a toy and kept locking it up.

    On a similar note, what happens if you generate a series of OTP’s and then end up not using them? If all you have to do is press a button to generate a new OTP then you’ll likely end up generating a ton of them while you’ve got one of these stuck in your wallet and you’re sitting on it. Back at my old company the system they apparently used kept a sliding window of about 50 OTP’s per fob. So if you generated an OTP and didn’t actually end up using it you could generate another and another. But if you generated too many and went over the limit that the server imposed then you’d again be out of luck until you got the fob reset.

  13. IphtashuFitz says:

    For those of you asking about power for these things, I just did a quick Google search for the company name at the top of the linked article (InCard Technologies) and found the following information on their website at [www.incard.com] :

    SAFETY NOTE: like many portable electronic devices, the ICT DisplayCard contains a lithium battery, which may be harmful if it is cut open and the contents of the battery contact the skin, eyes or mouth.

    So they apparently have a very thin lithium ion battery embedded in these things…

  14. sweet11 says:

    My friend is testing out this product for his company….it gets powered by his body heat.

  15. Hawk07 says:

    @ChChChacos:

    It’s going to be powered by:

    IMAGGINNNAAAAAAAATION, IMAGINNAAAAAAAAAAAAATTIN

  16. Veeber says:

    I wonder if it uses the same key generation properties that we get with the RSA security IDs. And what happens when you’re in the restaurant and hand your credit card to the waiter to pay your bill? Maybe those wireless credit card swipers will become more regular. What if they could store multiple credit card numbers in one of these and you can enter a passcode to pick the credit card you want to use?

  17. savvy999 says:

    @lalala1949: Aw shucks. Thanks [/blush]

  18. savvy999 says:

    @IphtashuFitz: Nice find. Just didn’t know they made Li-ions that thin.

  19. Since they solved all the battery and display issues Savvy mentioned, why not have it require an access code before working? Enter in PIN, hit random generator, boom card works.

  20. blander says:

    @PFBLUEPRINT- It may be hard to accomplish, but instead of a PIN, how about a biometric thumb scan? They’ve already incorporated biometric thumb scanners into USB hard drives to access the data. Flatten it out and then not only do you need the card but you also need someone’s thumb to use it. Though I guess that could just lead to people stealing your card and hacking off your thumb.

  21. Andronicus1717 says:

    [computer.howstuffworks.com]
    Smart Cards are used pretty extensively in the DOE/DOD complex for access to potentially sensitive unclassified information services.

  22. IphtashuFitz says:

    @blander: Fingerprint scanners still aren’t all that foolproof, and they require a lot of hardware & processing power. Fitting all of that into a credit card would be a LOT more expensive than a simple keypad would be.

  23. Buran says:

    @mopar_man: Article says it’s the same thickness as standard cards.

  24. Goatweed says:

    At my job, we use a dongle thingy that generates a random keycode which we need to provide (on top of a username & password) to access the online banking/wire transfer portions of our operating account. It’s a great system when it works but if the dongle freaks out (which has happened once or twice) it takes a while for the bank to send out a replacement. I would imagine it would be the same with these cards, but it’s a definite step up in security over using the last three digits on the back of the card…

  25. Buran says:

    @savvy999: I think it’s a lithium polymer — those are made up of many layers stacked atop each other. For something like this there will be a very small number of layers.

  26. kellyd says:

    @IphtashuFitz: I agree that these things are no magic answer as I’ve experienced them. My job recently started requiring us to use these keychains that generate a new code automatically every thirty seconds or so if we want to access systems remotely. I’m no luddite, but I now refuse to work remotely because these things are so frustrating. You have to be quick to enter the code before it’s regenerated. If you do it too soon, you have to wait for a new one to be generated and, again, be quick. And accurate. You hit the wrong key and then you’re in some sort of lockout.

    While my experience (at a technology company) with these things might relate to the specific system or protocols they’re using, my feeling is I don’t want my credit card to be anything but super secure, so even if my IT department is going overboard with timeouts, resets, invalid attempts, I would hope my bank would be at least as anal.

    Basically, if these things happen, I’ll be paying with cash a lot more–which is a good thing from a Consumerist perspective.

  27. TechnoDestructo says:

    I see two problems.

    1. If this will work something like anti-spam/anti-bot verification images on websites, it will be broken half the time, and you’ll have to enter the code 15 times before the one on the server and the one on your card actually match. (And those verification images are all coming from the same place you’re sending your response to! With credit cards, we’re getting a third party involved!)

    2. Will it survive a trip through the washing machine? The dryer…I could forgive it not surviving that.

  28. Schmee says:

    I’ll admit to not reading the article, but I’m curious how the card and the server link up to make sure the right code was entered… even more so for online purchases where there is no credit card reader involved.

  29. Jetfire says:

    This is most likely a disconnected security token. The device has a quartz clock and a random seed. When you want to authenticate, the server knows your seed and can calculate what the key code will be. Your clock can drift so it may have a several minute window.

    This allows you to have two-factor authentication, something you have and something you know.

    A problem is that not only does the system have to be able to connect to authenticate the card but also for the key code, adding another point of failure for credit cards.
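
The two server-side checks described in comments 12 and 29, as an added example that is not part of any comment or of the card vendor's design: a press-to-generate token verified with a look-ahead window of 50, and a clock-driven token verified with a drift window. The page does not say which algorithm the card uses; RFC 4226 HOTP stands in for it here, and the class names, the 30-second step and the two-step drift tolerance are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (assumed stand-in for the card's unnamed algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ButtonToken:
    """Server state for a token that makes a new code on every button press."""
    def __init__(self, seed: bytes, look_ahead: int = 50):
        self.seed = seed
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # how many unused presses are tolerated

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1  # resync; every earlier code is now dead
                return True
        return False                  # pressed past the window: needs a reset

class ClockToken:
    """Server state for a token whose code changes with a quartz clock."""
    def __init__(self, seed: bytes, step: int = 30, drift_steps: int = 2):
        self.seed, self.step, self.drift_steps = seed, step, drift_steps
        self.last_step = -1           # newest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        first = max(0, current - self.drift_steps)
        for t in range(first, current + self.drift_steps + 1):
            # t > last_step rejects a code that was already used once
            if t > self.last_step and hmac.compare_digest(hotp(self.seed, t), code):
                self.last_step = t
                return True
        return False
```

Widening either window makes the token more forgiving of pocket presses or clock drift, at the cost of more codes being valid at any moment.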

  30. Charles Duffy says:

    I was there first, damnit!

    Well, sorta. I got a research grant for a paper on something superficially like this back in ’99 or ’00 or thereabouts. I’m much too busy to follow up and do a proper comparison (and don’t even know where my original source code and design documents are these days… though I suppose I could look on the university’s servers, as they still haven’t cut off my access).

    That said, my approach generated a code that incorporated details of the transaction (into a large, cryptographically strong hash) — a private key unique to the card, the transaction amount, the transaction sequence number (for nonreplayability), a public value identifying the card, and whatever else I don’t remember. Stronger protection that way (you authorize $9.95 and your card can’t be run for $99.55 using the same code), but there were some significant downsides — POS hardware needed to be changed, software systems running everything through a Luhn check before passing it upwards would fail, and so forth; consequently, it wasn’t easy to roll out in the context of existing infrastructure.

    Nonetheless, it was a fun and interesting project for a starving student, and seeing this brings back memories.
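
A sketch of the transaction-bound code comment 30 describes, added here as an example and not the commenter's original code or design: the code is derived from a per-card key, the card's public identifier, the amount and a sequence number, so it cannot be reused or applied to a different amount. The comment only says "a large, cryptographically strong hash"; HMAC-SHA256, the 8-digit truncation, the field encoding and the `Issuer` class are assumptions.

```python
import hashlib
import hmac

def transaction_code(card_key: bytes, card_id: str, amount_cents: int,
                     seq: int, digits: int = 8) -> str:
    """Code the card would display for one specific transaction."""
    fields = (card_id.encode(), str(amount_cents).encode(), str(seq).encode())
    # Length-prefix each field so adjacent fields cannot be re-split.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)

class Issuer:
    """Hypothetical issuer-side verifier holding each card's key and sequence."""
    def __init__(self):
        self.keys = {}      # card_id -> per-card secret key
        self.last_seq = {}  # card_id -> highest sequence number accepted

    def enroll(self, card_id: str, card_key: bytes) -> None:
        self.keys[card_id] = card_key
        self.last_seq[card_id] = 0

    def authorize(self, card_id: str, amount_cents: int, seq: int, code: str) -> str:
        key = self.keys.get(card_id)
        if key is None:
            return "unknown card"
        if seq <= self.last_seq[card_id]:
            return "replayed sequence number"
        expected = transaction_code(key, card_id, amount_cents, seq)
        if not hmac.compare_digest(expected, code):
            return "code does not match transaction"
        self.last_seq[card_id] = seq  # burn the sequence number on success
        return "approved"
```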

  31. TechnoDestructo says:

    @Charles Duffy:
    If they have any patents pending, make sure the patent office knows about your prior art, if any’s relevant.

  32. Mr. Gunn says:

    How long until you can generate a new one-use number with every swipe so that useful card numbers can’t be stolen? I’d think some merchants, say, TJ Maxx, would be interested.

  33. theblackdog says:

    How long until someone cracks the “random number generation” algorithm and renders this useless?