Singaporeans get hard token baked into credit card

Two-factor authentication just got a whole lot more convenient for residents of Singapore, after Standard Chartered Bank's local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token. MasterCard calls the device a 'Display Card' and says it includes “an …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    No Longer Two Factor?

    By putting the card and the two-factor generator in the same device (which generates the MasterCard SecureCode), doesn't this defeat the purpose of two-factor authentication?

    1. Oliver Mayes

      Re: No Longer Two Factor?

      Well, my HSBC device still requires me to input a 4-6 character PIN (different from my normal PIN) before the password is generated. Someone stealing it from me couldn't use it.

    2. Anonymous Coward

      Re: No Longer Two Factor?

      No, it's still something you have and something you know.

      It is, however, a silly idea in terms of the cost of the card and having just made it more breakable.

  2. SteveCarr

    Nice concept!

    The fact that this is used for online banking, not when you use the credit card itself, is good. It just gives the individual a convenient, carry-sized two-factor authentication device, far better than having to tote something larger around with you.

    1. Anonymous Coward

      Re: Nice concept!

      Steal the card, generate the code?

  3. Malcolm Weir

    It would appear a certain amount of ignorance is rife. This device isn't the second factor, it's a mechanism to safely transmit the second factor.

    In short, that keypad on the front is used to enter a PIN. The device encrypts the PIN plus a value from an internal clock. The result is displayed and transmitted to the authorizing server, which calculates what the result would have been plus-or-minus a minute or so and, assuming it gets a match, updates its own database with an indicator of what the device's clock thinks the time is.

  4. Charles 9

    What next?

    Maybe this will make inroads into moving the PIN entry in C&P to the card, removing a potential MitM attack.

  5. The Mole

    Picture caption...

    I'm pretty sure a decent hard token will produce the one-time password 123456 approximately 1/1000000 of the time unless they have deliberately compromised cryptographic integrity. If they removed all the number combinations that humans see patterns in, then the pool of permitted values quickly declines.

    1. Oliver Mayes

      Re: Picture caption...

      Mine once gave me the password 101010, which was pretty hoopy.

  6. Anonymous Coward

    Nice work

    Instead of having to stick the same card into a rather bigger device that does pretty much the same, this is small enough, and hopefully thin enough, to fit conveniently in the old wallet.

    Now for open-sourcing everything but the key used to seed the thing so that cryptanalysts might have a look-see whether the algorithms used are any better than, say, DVD's CSS. That lack of transparency is actually becoming more worrisome as banking becomes more computerised.

    1. Duncan Macdonald

      Re: Nice work

      All that is needed is a one way hash of the internal card number, the PIN and the current time - even MD5 would suffice. Without knowing the internal card number or the PIN there is only 1 chance in 999999 of getting the right value. Note the card does NOT need to know the correct PIN so there will be no indication to an attacker that the wrong PIN has been entered.

    2. Anonymous Coward

      Re: Nice work

      Existing implementations of this (which have been around under other brand names for several years) use the standard OATH protocols (see www.openauthentication.org) which are completely open. Not sure about the Nagra case. I know that in the past they have had difficulty in making this work because the display is an LCD and prone to breakage. Some competing products use e-paper for the display.

      One problem with these systems is clock drift. Making a crystal keep time under a variety of temperatures while sitting in someone's wallet is not trivial. It can be done with the key-fob tokens which are in wide use, but they have more space to play with. Getting it to work reliably in a thin card form factor is much harder, especially when you factor in an EMV chip, the pad for access PIN entry and perhaps a contactless loop antenna as well, and the result is likely to be quite expensive per unit.
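The time-based scheme Malcolm Weir describes above (PIN plus clock on the card, server accepting a step either side and recording what the card's clock thinks), together with Duncan Macdonald's point that the card itself cannot tell a wrong PIN, as an added example that is not part of the original thread or of any vendor's product. The secret, PIN and timestamps are constructed, and HMAC-SHA1 with HOTP-style truncation is an assumption standing in for whatever the real card uses:

```python
import hmac
import hashlib
import struct

STEP = 60      # seconds per time step: the "plus-or-minus a minute" in the thread
WINDOW = 1     # accept codes from this many steps either side of the expected one
DIGITS = 6

def otp(card_secret: bytes, pin: str, step: int) -> str:
    """Code the card displays: HMAC over the PIN and the clock step, keyed by the
    per-card secret, truncated HOTP-style (RFC 4226). The card has no notion of
    a 'right' PIN; a wrong PIN simply yields a different six-digit code."""
    mac = hmac.new(card_secret, pin.encode() + struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"

class Card:
    def __init__(self, secret: bytes, clock_error: int = 0):
        self.secret, self.clock_error = secret, clock_error  # seconds fast (+) or slow (-)
    def show(self, pin: str, now: int) -> str:
        return otp(self.secret, pin, (now + self.clock_error) // STEP)

class Server:
    def __init__(self, secret: bytes, pin: str):
        self.secret, self.pin = secret, pin
        self.drift = 0          # learned offset of the card's clock, in steps
        self.last_step = None   # highest step already accepted, to block replay
    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.drift
        for delta in range(-WINDOW, WINDOW + 1):
            step = base + delta
            if self.last_step is not None and step <= self.last_step:
                continue  # a code for this step (or an older one) was already used
            if hmac.compare_digest(otp(self.secret, self.pin, step), code):
                self.drift += delta      # resync: remember what the card's clock thinks
                self.last_step = step
                return True
        return False

def demo() -> dict:
    # Constructed values: a card whose clock runs 70 s fast, one wrong-PIN attempt, then a replay.
    secret, pin, now = b"constructed-card-secret-0001", "1234", 1_700_000_000
    card, server = Card(secret, clock_error=70), Server(secret, pin)
    wrong = server.verify(card.show("0000", now), now)   # card still shows a code, server rejects
    ok = server.verify(card.show(pin, now), now)          # accepted one step ahead, drift learned
    replay = server.verify(card.show(pin, now), now)      # same code again is refused
    return {"wrong_pin": wrong, "ok": ok, "drift": server.drift, "replay": replay}
```

Running `demo()` shows the server learning a drift of one step from the fast card while refusing both the wrong-PIN code and the replayed code.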

  7. Anonymous Coward

    Physical indicators

    Presumably if the PIN is entered many times over the life of the card, then the wear patterns will show the numbers used - albeit not the sequence. Unless one has small fingers, a stylus will be needed for reliable selection of the numbers.

    With a Pin Sentry it is easy to even up the wear on keys as a standard procedure before using the card each time.

    1. Charles 9

      Re: Physical indicators

      That's assuming the numbers are actual buttons. They could also be simply touch-sensitive but not powered until the Chip goes in. Such light contact wouldn't leave as strong an impression on the plastic, and by the time it did, it would probably be at expiration, in which case a new card would be issued.

  8. John Robson

    Power?

    Why not e-ink as a display - I'd have thought it would be fine for the job.

    It could even mean that the location of the numbers changed each time, so that wear was even... (just step across by one every use).

    1. Anonymous Coward

      Re: Power?

      I would imagine an e-Ink screen would be significantly more expensive than an LCD.

  9. Andy ORourke

    what about......

    wear & tear, I mean if you use it to enter a PIN over and over again, then the keys would have to be pretty robust not to give a thief a hint at least as to what the PIN might be?

  10. Anonymous Coward

    This is a very interesting concept, allowing someone to telesign a transaction or payment with the OTP. I'm hoping that more companies start to offer this awesome functionality.

  11. Karhea

    Another way

    I somehow prefer the mobile way - as in PKI on a SIM. It seems to work for the Finns etc just fine.

    True separation from any financial platform, to provide universal tools for any type of transaction.

    YMMV, though.
