A new hi-tech credit card from CryptoCard bundles two-factor authentication onto the plastic in a bid to clamp down on phishing and other forms of banking fraud. The CD-1 Credit Card Display token, launched on Tuesday, is designed to combat fraud in online and telephone banking. Looking further ahead, CryptoCard hopes to use the …
Not two-factor authentication
Whilst this may be able to make CNP transactions more secure, it isn't two-factor authentication - the card alone is all that is needed to complete the transaction. The Card Authentication Programme (CAP) extension to the EMV standard requires the entry of a PIN in order to generate OTP, challenge-response or digital signatures - therefore authenticating the card AND cardholder.
At a cost of "$25-$30" I would suggest that this is actually significantly more expensive than a standard card and EMV-CAP device. I presume it also requires proprietary software on the issuing host to validate the one-time-passcode. EMV-CAP leverages the standard EMV cryptographic infrastructure.
To be honest, I can't see this getting off the ground without the support of the card schemes (Mastercard & Visa) and they are committed to EMV-CAP.
...it apparently couldn't do anything about the Danish IT Chief.
Nice try, but not good enough
CryptoCard's Hollister said: "I don't want to criticise to technology of Emue card but it's too expensive for the extra benefit it offers. I don't expect you'll see large volumes. It's further up the technology curve than banks want to go."
Well, he would say that, wouldn't he.
While the CryptoCard avoids the problem of replay type attacks it doesn't solve the problem of man-in-the-middle attacks. If you've got to enter your PIN and the OTP it's better than just the static security code. But it's not good enough.
With the millions of users out there with trojans running on their PCs, can you really trust the machine in front of you? If it hasn't already happened then it won't be too long before a man-in-the-middle attack will be built into the trojan running on the PC in front of you. The CryptoCard does nothing to protect the data from modification in transit. At least with the Emue card there is the possibility of generating a signature external to the user's PC.
This is the challenge. A useable payment process that can cope with a PC or till that cannot be trusted.
"It's further up the technology curve than banks want to go."
What this actually means is that it costs more than the banks currently lose in fraud.
Until legislation is introduced that forces banks to bear the full cost of fraud made possible by the sub-optimal security systems they force their customers to use, thus making things very expensive for them, they will always opt for solutions that cost the least whilst being able to claim that they did their best.
Remember the chip and PIN scam? One of the least publicised aspects of that was the part where they shifted the responsibility for keeping the cardholder's security identifier (their PIN) secure onto the cardholder rather than the banks themselves, as under the previous system (matching signatures).
I wouldn't mind paying for a card if it provided real security instead of this, as you observe, halfway house that is only secure in certain circumstances.
Why should it be much cheaper? The card still has a display, battery and switchpad. There may be fewer buttons, and the chip may be simpler, but extra buttons are much cheaper than the first button, chips are cheap as ... well, chips :)
Solutions already in place?
ASB in NZ has been making RSA SecurID tokens available for nominal cost for quite a while now, but have enhanced their challenge/response system for large value xfers to add cellphone support.
I would imagine that if successful (and it does work very well from my experience) they'd be able to deploy similar systems elsewhere.
What are the odds of you not noticing that your cellphone had been stolen?
It's a cheap and easy fix and works around the more obvious problems in CNP fraud - but still can't deal with the more expensive aspects (which the banks can't afford to worry about).
So, if you lose your card, then you also lose the second authentication factor, guaranteed? At least with the external reader that my bank gave me, the two are rarely in the same place - I only do Internet Banking from home, so that's where the reader stays, while the card is usually in my pocket.