Alas...
Posted Tuesday 2nd December 2008 20:43 GMT
...it apparently couldn't do anything about the Danish IT Chief.
Posted Tuesday 2nd December 2008 17:03 GMT
Whilst this may be able to make CNP transactions more secure, it isn't two-factor authentication - the card alone is all that is needed to complete the transaction. The Card Authentication Programme (CAP) extension to the EMV standard requires the entry of a PIN in order to generate OTP, challenge-response or digital signatures - therefore authenticating the card AND cardholder.
At a cost of "$25-$30" I would suggest that this is actually significantly more expensive than a standard card and EMV-CAP device. I presume it also requires proprietary software on the issuing host to validate the one-time-passcode. EMV-CAP leverages the standard EMV cryptographic infrastructure.
To be honest, I can't see this getting off the ground without the support of the card schemes (Mastercard & Visa) and they are committed to EMV-CAP.
Posted Tuesday 2nd December 2008 20:43 GMT
CryptoCard's Hollister said: "I don't want to criticise the technology of the Emue card but it's too expensive for the extra benefit it offers. I don't expect you'll see large volumes. It's further up the technology curve than banks want to go."
Well, he would say that, wouldn't he?
While the CryptoCard avoids the problem of replay type attacks it doesn't solve the problem of man-in-the-middle attacks. If you've got to enter your PIN and the OTP it's better than just the static security code. But it's not good enough.
With the millions of users out there with trojans running on their PCs, can you really trust the machine in front of you? If it hasn't already happened then it won't be too long before a man-in-the-middle attack will be built into the trojan running on the PC in front of you. The CryptoCard does nothing to protect the data from modification in transit. At least with the Emue card there is the possibility of generating a signature external to the user's PC.
This is the challenge. A useable payment process that can cope with a PC or till that cannot be trusted.
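The distinction made in this post, as an added example that is not from the post or from any vendor's product: a counter-based OTP (RFC 4226 HOTP) proves the card is present but is independent of the transaction, so the host cannot tell that the amount or payee was altered on the way from the PC, whereas a code computed on the card over the transaction details fails verification as soon as they change. The key, counter, amounts and payee names are constructed placeholders.

```python
import hmac
import hashlib
import struct

# Constructed demo key shared by the card and the issuing host (placeholder).
CARD_KEY = b"constructed-demo-card-key-0001"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: a one-time code derived from the key and a counter.
    It proves possession of the card but binds to no transaction data."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_transaction(key: bytes, amount_cents: int, payee: str) -> str:
    """Transaction-bound code: a MAC over the details the cardholder saw
    and confirmed on the card itself, out of reach of the PC."""
    msg = f"{amount_cents}|{payee}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def host_verifies_otp(code: str, counter: int) -> bool:
    """The host only checks that the OTP matches the expected counter;
    amount and payee are never part of the check."""
    return hmac.compare_digest(code, hotp(CARD_KEY, counter))


def host_verifies_signed(code: str, amount_cents: int, payee: str) -> bool:
    """The host recomputes the MAC over the fields it actually received."""
    return hmac.compare_digest(code, sign_transaction(CARD_KEY, amount_cents, payee))


def tampering_demo() -> dict:
    """Cardholder intends to pay 20.00 to 'shop'; the request that reaches
    the host has been rewritten to 2000.00 to 'mule' (constructed values)."""
    intended = (2000, "shop")
    tampered = (200000, "mule")
    otp = hotp(CARD_KEY, counter=7)
    sig = sign_transaction(CARD_KEY, *intended)
    return {
        "otp_accepts_tampered": host_verifies_otp(otp, 7),
        "sig_accepts_tampered": host_verifies_signed(sig, *tampered),
        "sig_accepts_intended": host_verifies_signed(sig, *intended),
    }
```

The OTP path accepts the rewritten transaction because nothing in the code depends on it; the transaction-bound path rejects it and accepts only the details the cardholder confirmed.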
Posted Wednesday 3rd December 2008 00:13 GMT
"It's further up the technology curve than banks want to go."
What this actually means is that it costs more than the banks currently lose in fraud.
Until legislation is introduced that forces banks to bear the full cost of fraud made possible by the sub-optimal security systems they force their customers to use, thus making things very expensive for them, they will always opt for solutions that cost the least whilst being able to claim that they did their best.
Remember the chip and PIN scam? One of the least publicised aspects of that was the part where they shifted the responsibility for keeping the cardholder's security identifier (their PIN) secure onto the cardholder rather than the banks themselves, as under the previous system (matching signatures).
I wouldn't mind paying for a card if it provided real security instead of this, as you observe, halfway house that is only secure in certain circumstances.
Posted Wednesday 3rd December 2008 00:13 GMT
Why should it be much cheaper? The card still has a display, battery and switchpad. There may be fewer buttons, and the chip may be simpler, but extra buttons are much cheaper than the first button, chips are cheap as ... well, chips :)
Posted Wednesday 3rd December 2008 10:43 GMT
ASB in NZ has been making RSA SecurID tokens available for nominal cost for quite a while now, but have enhanced their challenge/response system for large value xfers to allow cellphone support.
I would imagine that if successful (and it does work very well from my experience) they'd be able to deploy similar systems elsewhere.
What are the odds of you not noticing that your cellphone had been stolen?
It's a cheap and easy fix and works around the more obvious problems in CNP fraud - but still can't deal with the more expensive aspects (which the banks can't afford to worry about).
Posted Wednesday 3rd December 2008 13:29 GMT
So, if you lose your card, then you also lose the second authentication factor, guaranteed? At least with the external reader that my bank gave me, the two are rarely in the same place - I only do Internet Banking from home, so that's where the reader stays, while the card is usually in my pocket.