Visa cards with a built in one-time code generator are to be trialled by four European banks. The technology is designed to tackle the growing problem of online credit card fraud. MBNA, a Bank of America company in the UK, Corner Bank in Switzerland, Cal in Israel and IW Bank in Italy are to take part in limited trials of Visa's …
should also stop 'away from card' fraud.
When can we type in your chip 'n' pin number and also the live generated pin on the card in shops and use both over the phone?
That's what I call good security, chip 'n' pin was 'sold' to users as being more secure than a signature. Was it bollox! It was purely an excuse to move the fraud liability from the card providers/banks to shops.
I've thought about how to stop card fraud online and I think one solution would be for the card issuers to provide online authorisation for transactions on your card. The system would work as follows.
1. You buy something online.
2. The shop processes your purchase and informs you this has been initiated.
3. You logon to your credit card online banking system, enter a password and click "Authorise" on the payment request.
4. Transaction proceeds as normal.
While this doesn't work for non-online purchases, it would eliminate a lot of "cardholder not present" fraud. Just so long as the fraudsters don't get access to your online banking system.
one time cards
One time pins are only half the problem.
Until some UK card provider offers the MBNA scheme that generates one time (fixed limit) cards so that you *never* have to use your card details over the net, I am going to have to keep shredding the Egg cards they keep sending me - and yes I did start the Egg registration process but never finished it!
This is what we've needed for a long time! It is essentially chip & pin where you own the PIN device, so your PIN is *never* in anyone else's hands, and replay attacks can't work!
Now eventually I would like to see NFC in cell phones using RSA encryption & certificates, but this is a huge step in the right direction, and should work for phone purchases as well.
Alternative/addition to Giles' suggestion
I would imagine that most people buying over the 'net would also own a mobile phone, so why not use a text based system: you make purchase, bank texts your registered number, you reply to confirm. OK, not infallible (what is?) but easier than having yet another bit of electronic kit to lose. I might even be prepared to pay for the security of a text service. Or maybe skip the texting back, just a notification of purchase (so if you didn't do it you could let your bank know).
one time cards pt2
I've been using one time cards for over 3 yrs now and was the main reason I chose Cahoot for my current account... it's great as you can set the upper limit so the online company can't run up more than you have authorised and you don't have to remember where you put your wallet to buy something! :)
I don't know why more banks etc don't use them!
Nationwide already has it, but for pointless things
Nationwide BS issued its customers earlier this year with calculator-like gadgets that generate one-time passcodes. I thought for one foolish moment that they might be used in the way that Steve Medway and Giles Jones suggest.
But no, the only time when I have been asked to use this gadget is to pay utility bills. That is, after I have already entered my online banking password, and (separately) set up the details of accounts to which transfers can be made. In other words, the online payment situations that are least in need of extra security. I can only suppose that this is another weapon in the campaign to bully me into using direct debit.
My brother is also a Nationwide customer, but currently lives in the US. He was sent one of these things and had to use it to transfer money between his own British bank accounts. However, having not used it for a while, he mis-typed his PIN, so the gadget blocked the card. As a result, he had to send card and PIN back across the pond so that someone could put it in a Nationwide ATM to re-set it. So the entire security benefit was negated.
Meanwhile, I have only been asked to use "Verified by Visa" for transactions for 4 and 12 pounds. Not for booking flights or hotels or any other large purchases.
Unfortunately, the banks and most of their customers believe that complicated implies secure, and don't have a clue about security protocols.
one time cards - Cahoot webcard!
Cahoot has been offering one-time credit card numbers generated on the fly for its customers for many years, I have used them often myself for online shopping, it works great, you can set an individual credit limit for each one-time card number each time you need one too.
Why has no other bank ever adopted this system?
I can't help wondering if, with this new card design, they will move the fraud liability onto the cardholder instead. They could even argue that it is fairer, as the new system is "fraud-proof" so any problem "must" be caused by the cardholder not taking sufficient care.
To mitigate the negative PR aspects of this, they could even start to offer a fraud protection insurance, albeit for a small fee...
RE: one time cards
I have an AT&T Universal Mastercard, issued by Citibank, that has had a "Virtual card number" for years. It generates a new cc number for each transaction, which expires the following month (to give the merchant time to process the purchase).
It also includes an "auto-fill" feature that pastes your shipping info into the order form, but it is IE only so I'm not sure how well it works. I've been trying to get them to support Firefox for years. There is also a security hole in that the application is not tied to your user account - i.e. it loads no matter who logs onto the computer. I have filed complaints about that too, but nothing has come of it yet.
OTP shares a problem with PIN in "card not present" situations: you don't know who uses the card. Someone legit, or someone who collected the required credentials before then stealing the card - it just moves the issue elsewhere.
So, duh. Most have been a later Friday..
Eurovision fever spreading to banks, now ?
Israel, famously part of Europe in the world-renowned Eurovision contest, has now apparently also been declared part of Europe as far as banking is concerned.
What is wrong with journalists these days ? Cal headquarters are located in Givatayim, Israel. Geographically, that is farther from Europe than Istanbul, and anyone actually living in the EU knows what a bag of snakes THAT issue is.
Cal is apparently in the business of managing Visa, MasterCard and Diners Club credit cards, so I accept without problem that Cal probably has a non-negligible chunk of business in the EU zone.
So does Bank of America. Does that make Obama a President-Elect of a European Union state ?
Don't think so.
Half a solution...
Having a PIN or other electronic security measure is only half the solution. Sure, it makes it more difficult for anyone to carry out transactions without the card itself. But if they have the card?
That's why additional security mechanisms are a good idea. Passwords could potentially be useful, but it was slightly worrying to read on the other thread about the number of people that can't remember a simple password, just because it has two digits in it...
At work, our network passwords have no requirement for digits, but we have to change them every four weeks (well, in reality every 3.5 weeks because problems arise if you wait until the last possible moment...), and you're not allowed to reuse old passwords, so a couple of digits in the password comes in very useful :)
And how would they cope with a system like the university I went to, which placed the additional requirements of it couldn't contain any 3 letter plus dictionary word forwards or backwards (so something like rightsaidfred53 would be disallowed), anything that looked like a telephone number, NI number, DOB, or anything that looked like a numberplate (again, forwards or backwards)...
As for changing the password, at my work we have a series of five security questions required to reset the password yourself - if you forget any of them then it's a call to ICT Services. Of course, in the real world, caller ID could be used as a security mechanism, combined with however many of the security questions you can remember, for them to reset the password on your behalf...
But then, you'd need the banks to prompt you for secure security questions - stuff such as DOB, favourite colour, pet's name, primary school could easily be obtained by a hacker - particularly if you either (a) use a social networking site, or (b) use a job search site (the kind that keeps an electronic CV). So security questions may offer a bit of additional security, but they're nowhere near infallible.
Something like a Citrix keyfob (i.e. a small identification system separate from the card) could be useful - I presume most people keep their purse/wallet and keys in separate pockets.
Then, regardless of what ID methods are used, how about instead of using an iFrame to your bank or Visa, just do a plain old ordinary link. You enter your details in the full knowledge that you are where you think you are, then you click a link to take you back to whence you came, whereupon a few seconds later the bank / Visa lets the retailer's website know via a secure channel that the transaction has been authorised.
Goggles, for (hopefully) obvious reasons...
Until the card issuers enforce the same kind of authentication across every country on earth, none of this will ever do any good.
Chip and PIN was supposed to stop fraud, but all that happens is the card gets cloned and then either used in the "customer not present" manner, or it gets used in another country where PIN authentication isn't used. These non-PIN countries are alarmingly near, just a quick RyanAir flight (crash landings permitting) away!
one time cards pt 3
I've also had the small calculator-type thingy for generating challenge/response inputs for 2-3 years. Mine was issued by NatWest.
Like others, I've been asked to use it about once, and then only when logged into Natwest Online as part of setting up a payment to a different bank.
This is good technology: it keeps the card cost down by providing a separate keyboard and display, avoids having a battery in the card and is small enough to keep carry round. There is no reason at all why the same type of challenge/response device shouldn't work with ANY smartcard.
Unfortunately it's bugger all use until the banks get their finger out and start making much more use of the things.
See my comment on http://www.theregister.co.uk/2008/08/07/verified_by_visa_compulsion/comments/
(Search for “by Mo”).
Should I expect the black helicopters?
Lots of Use?
So if I had one of these and used it a lot, would a thief be able to deduce the four digits of my PIN by which numbers were most worn on the card?
I wouldn't expect to see anything like this any time soon, there are several problems:
How long can a battery last if it is small enough to fit into a credit card and have that card be backwardly compatible (cash machines, swipey card readers, those mechanical ker-chunk things with the carbon paper slips)
How hard wearing will it be - it seems to have an LCD screen?
How much will it cost? This is the clincher, if the device doesn't come in cheap enough to outweigh the total cost of CNP fraud, it ain't going to be widely used.
I suspect that we'll see a software based solution like those mentioned above.
I hate these things
My bank decided to inflict SMS based "authentication" on me a while back. Twice now I've been unable to use my money because of a phone network outage, and one other time because my phone number was being ported to another provider.
It's inconvenient at best and frustrating on days when it just doesn't want to work. Oh, and for "security" they only keep the key they send valid for 60 seconds. Too bad if your phone provider has laggy text messaging.
I'm all for improving bank security. But so many need to start with the basics instead of the gimmicks.
Israel... in Europe?
Wow, they just let anyone in Europe nowadays, do they? I wonder how Turkey feels now...
"This is what we've needed for a long time! It is essentially chip & pin where you own the PIN device, so your PIN is *never* in anyone else's hands, and replay attacks can't work!"
Some Chip & PIN terminals delivered to shops have been found to have some slight modifications from the original design which record and send the PIN on to whichever mafia it is this time (probably Russian or Eastern European). So I'm not sure if this card would be any different.
Not secure enough
Devices that generate one-time passwords are used mostly to combat password stealing malware - not cases when the card/device/whatever itself is stolen. However, they can be bypassed in at least two different ways:
1) The malware on the infected PC intercepts the (one-time) password generated by the user, does not permit it to be sent to the bank/on-line store/whatever and generates some dummy error message. Later, without the knowledge of the user, it uses the captured password to initiate a transaction of its own.
2) The malware simply waits for the authentication process to complete (e.g., for the user to log in) and then starts issuing transactions on behalf of the user. This attack is usually used in on-line banking; not in credit card transactions.
A possible way of combating both attacks is to have the device generate password/PIN based not only on the time but also on the amount of money involved. However, this means more inconvenience for the user (who now has to enter the amount of money for each transaction in the device, too).
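The mitigation proposed in the comment above, as an added sketch that is not part of the original post and is not Visa's or any issuer's actual algorithm: a code derived from the time window alone verifies for whatever transaction it is attached to, while a code that also covers the amount fails as soon as the amount in the request differs from what the user keyed in. The key, the 30-second step, the truncation (borrowed from RFC 4226) and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time window (assumed; the page gives no value)


def _truncate(mac: bytes, digits: int = 6) -> str:
    # Dynamic truncation as in RFC 4226: 4 bytes at an offset taken from the MAC
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_only_code(key: bytes, now: int) -> str:
    # Code depends on the time window only
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest())


def amount_bound_code(key: bytes, now: int, amount_pence: int) -> str:
    # Code depends on the time window AND the amount typed into the device
    msg = struct.pack(">QQ", now // STEP, amount_pence)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def issuer_accepts_time_only(key, now, submitted):
    # Issuer can only check "was this code valid in this window?"
    return hmac.compare_digest(time_only_code(key, now), submitted)


def issuer_accepts_amount_bound(key, now, amount_pence, submitted):
    # Issuer recomputes over the amount in the request it actually received
    return hmac.compare_digest(amount_bound_code(key, now, amount_pence), submitted)


def demo():
    key = b"constructed-demo-key"                # constructed sample secret
    t = 1_226_000_000                            # constructed timestamp
    user_amount, altered_amount = 1_200, 95_000  # pence; constructed values
    code_a = time_only_code(key, t)
    code_b = amount_bound_code(key, t, user_amount)
    return {
        # Same window, any transaction: the time-only code still verifies
        "time_only_reused": issuer_accepts_time_only(key, t + 5, code_a),
        # Amount-bound code verifies for the transaction the user approved
        "bound_genuine": issuer_accepts_amount_bound(key, t + 5, user_amount, code_b),
        # ...and is rejected when the request carries a different amount
        "bound_altered": issuer_accepts_amount_bound(key, t + 5, altered_amount, code_b),
    }
```

Binding the payee as well as the amount follows the same pattern: add it to `msg` on both the device and the issuer side.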
Identity theft and online fraud mainly occur because consumers leave their credit or debit data to intermediaries' systems and networks. These systems are the weakest link and more prone to attack. The solution of the PIN in the card still forces online consumers to leave their credit data to these intermediaries.
Have you seen what the guys at www.kanatait.com are proposing? They argue that plastic cards (with chips or PINs) shouldn't be used in online transactions. Instead credit data is only seen and approved by the financial institution or credit card issuer and nobody else. Now that is a more compelling reason to eliminate fraud...