Two-factor authentication just got a whole lot more convenient for residents of Singapore, after Standard Chartered Bank's local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token. MasterCard calls the device a 'Display Card' and says it includes “an …
No Longer Two Factor?
By putting the card and the two-factor generator in the same device (which generates the MasterCard SecureCode), doesn't this defeat the purpose of two-factor authentication?
Re: No Longer Two Factor?
Well, my HSBC device still requires me to input a 4-6 character PIN (different from my normal PIN) before the password is generated. Someone stealing it from me couldn't use it.
Re: No Longer Two Factor?
No, it's still something you have and something you know.
It is, however, a silly idea in terms of the cost of the card and having just made it more breakable.
The fact this is used for online banking, not when you use the credit card itself, is good. It just gives the individual a convenient, carry-sized two-factor authentication device, far better than having to tote something larger around with you.
Re: Nice concept!
Steal the card generate the code?
It would appear a certain amount of ignorance is rife. This device isn't the second factor, it's a mechanism to safely transmit the second factor.
In short, that keypad on the front is used to enter a PIN. The device encrypts the PIN plus a value from an internal clock. The result is displayed and transmitted to the authorizing server, which calculates what the result would have been plus-or-minus a minute or so and, assuming it gets a match, updates its own database with an indicator of what the device's clock thinks the time is.
Maybe this will make inroads into moving the PIN entry in C&P to the card, removing a potential MitM attack.
I'm pretty sure a decent hard token will produce the one-time password 123456 approximately 1/1000000 of the time unless they have deliberately compromised cryptographic integrity. If they removed all the number combinations that humans see patterns in then the pool of permitted values quickly declines.
Re: Picture caption...
Mine once gave me the password 101010 which was pretty hoopy.
Instead of having to stick the same card into a rather bigger device that does pretty much the same, this is small enough, and hopefully thin enough, to fit conveniently in the old wallet.
Now for open-sourcing everything but the key used to seed the thing so that cryptanalysts might have a look-see whether the algorithms used are any better than, say, DVD's CSS. That lack of transparency is actually becoming more worrisome as banking becomes more computerised.
Re: Nice work
All that is needed is a one way hash of the internal card number, the PIN and the current time - even MD5 would suffice. Without knowing the internal card number or the PIN there is only 1 chance in 999999 of getting the right value. Note the card does NOT need to know the correct PIN so there will be no indication to an attacker that the wrong PIN has been entered.
Re: Nice work
Existing implementations of this (which have been around under other brand names for several years) use the standard OATH protocols (see www.openauthentication.org) which are completely open. Not sure about the Nagra case. I know that in the past they have had difficulty in making this work because the display is an LCD and prone to breakage. Some competing products use e-paper for the display.
One problem with these systems is clock drift. Making a crystal keep time under a variety of temperatures while sitting in someone's wallet is not trivial. It can be done with the key-fob tokens which are in wide use, but they have more space to play with. Getting it to work reliably in a thin card form factor is much harder, especially when you factor in an EMV chip, the pad for access PIN entry and perhaps a contactless loop antenna as well, and the result is likely to be quite expensive per unit.
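The mechanism sketched two posts up (PIN entered on the card, combined with an internal clock, checked by a server that allows a minute or so of slack and then records what the device's clock thinks the time is) and the OATH standards mentioned here are both captured by RFC 6238 TOTP. The following is an added example, not code from MasterCard, Standard Chartered or the Display Card itself: it implements the open OATH algorithm (HMAC-SHA1, 30-second steps, six digits) and a server-side verifier with a skew window, drift tracking and replay protection. The `device_key` function, which folds the PIN into the card secret so that a wrong PIN just produces a code that fails to verify, is an assumption for illustration; nothing on this page says the product works that way. The secret `12345678901234567890` is the published RFC 6238 test key, and `card-secret` and the PINs are constructed sample inputs.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. With the RFC test key and unix_time=59
    this returns "287082"."""
    return hotp(secret, unix_time // step, digits)


def device_key(card_secret: bytes, pin: str) -> bytes:
    """ASSUMPTION, for illustration only: derive the per-card OTP key from the
    card's stored secret and the PIN typed on the keypad. The card never checks
    the PIN; a wrong PIN yields a different key and hence a code the server
    will not accept, giving an attacker no wrong-PIN signal on the device."""
    return hmac.new(card_secret, pin.encode(), hashlib.sha256).digest()[:20]


def device_code(card_secret: bytes, pin: str, device_time: int, step: int = 30) -> str:
    """What the card would display: TOTP under the PIN-derived key, using the
    card's own (possibly drifting) clock."""
    return totp(device_key(card_secret, pin), device_time, step)


class TotpVerifier:
    """Server side. Accepts a code within +/- `window` steps of the expected
    counter, remembers how far the device clock has drifted so the window
    follows it, and never accepts a counter at or below the last one used."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.drift_steps = 0     # observed device clock offset, in steps (+ = ahead)
        self.last_counter = -1   # highest counter already consumed (replay protection)

    def verify(self, code: str, server_time: int) -> bool:
        base = server_time // self.step + self.drift_steps
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # a code for this interval was already accepted: replay
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.drift_steps += delta   # learn the device's clock offset
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    card_secret = b"card-secret"          # constructed sample; real cards hold a random key
    verifier = TotpVerifier(device_key(card_secret, "4321"))
    now = 1234567890
    # The card's clock runs 45 s fast; the server still accepts via the +1 step slot.
    code = device_code(card_secret, "4321", now + 45)
    print("fast clock accepted:", verifier.verify(code, now), "drift:", verifier.drift_steps)
    print("replay accepted:    ", verifier.verify(code, now))
    print("wrong PIN accepted: ", verifier.verify(device_code(card_secret, "9999", now + 75), now + 30))
```

The window is the practical trade-off the clock-drift post describes: widening it tolerates a cheaper crystal but hands a guesser proportionally more valid codes per attempt, so the accepted-counter and drift values must be stored server-side per card and the attempt rate throttled.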
Presumably if the pin is entered many times over the life of the card then the wear patterns will show the numbers used - albeit not the sequence. Unless one has small fingers then a stylus will be needed for reliable selection of the numbers.
With a Pin Sentry it is easy to even up the wear on keys as a standard procedure before using the card each time.
Re: Physical indicators
That's assuming the numbers are actual buttons. They could also be simply touch-sensitive but not powered until the Chip goes in. Such light contact wouldn't leave as strong an impression on the plastic, and by the time it did, it would probably be at expiration, in which case a new card would be issued.
Why not e-ink as a display - I'd have thought it would be fine for the job.
It could even mean that the location of the numbers changed each time, so that wear was even... (just step across by one every use).
I would imagine an e-Ink screen would be significantly more expensive than an LCD.
Wear and tear, I mean: if you use it to enter a PIN over and over again then the keys would have to be pretty robust not to give a thief a hint, at least as to what the PIN might be?
This is a very interesting concept, allowing someone to telesign a transaction or payment with the OTP. I'm hoping that more companies start to offer this awesome functionality.
Another way
I somehow prefer the mobile way - as in PKI on a SIM. It seems to work for the Finns etc just fine.
True separation from any financial platform, to provide universal tools for any type of transaction.