One Time Password DisplayCard heightens transaction security
While we were a bit skeptical when Chase sent us one of their questionably-secure RFID-equipped "Blink" cards last year, we're gonna be all over a new technology from several companies that actually gives credit cards a heigtened level of security by generating a one-time passcode for each transaction, viewable on an embedded e-ink display. The OTP DisplayCard, as it's being called, was developed by InCard Technologies in conjunction with security firm nCryptone using technology from SiPix Imaging and SmartDisplayer, and is being targeted at financial institutions or at other companies as a replacement for the password-generating key fobs used to enable VPN access to their intranets. While the added security feature would come into play for both online and in-person transactions, it will probably be most useful for Internet purchases, making your credit card info almost worthless to identity thieves who can't get their hands on the card itself. Oh, and to answer the inevitable question: no, these cards will not be able to play Doom.[Via mobileread]
Filed under: Displays, Misc. Gadgets
Reader Comments (Page 1 of 1)
Brothernod @ May 11th 2006 3:05PM
The random number is only as secure as the infrastructure for storing the key check system, and the complexity of the alorithm.
The vendor will be doing some sort of key validation when processing your order and although significantly more secure than current credit card systems, it's not impossible for the new system to be hacked whether by flaw or attack.
Where there is a will there is a way.
Though no denying that's mad cool.
Phil @ May 11th 2006 3:09PM
What they need is and RFID "Authentication Hotline" of some sort that you have call and input your credentials to authorize that the RFID is valid. If anyone has the card, they can still use it. With having to authorize the RFID by entering user-created credentials, unauthorized use will be thwarted if they can not authorize the use of the card.
Jason von Nieda @ May 11th 2006 3:18PM
Great, so now I'll have to bust out my card for every purchase instead of using the stored info on the sites that I purchase from regularly? What about repeat billing? Is GoDaddy's auto-renew (and a million other services like it) a thing of the past?
Consumers: This isn't being made to benefit you. Cardholders are already well protected from fraud. This is so that card issuers can stop offering that fraud protection and place the blame back on you.
Lame.
Arthur @ Jun 5th 2007 5:40AM
Spot on, sir. Consumers do not pay for fraud, that is why we have fraud protection and that is why we pay exorbitant annual fees to charge card companies. I don't want to be inconvenienced, I want my transactions to be fast and simple. It is my responsibility to ensure that my card is not lost or stolen, but if it is, then I expect all those fees that I pay to start working for me. I am completely indifferent to how much a lost or stolen card may cost my card issuer in terms of time or money. That's none of my business, so I don't care. As far as I'm concerned, I've already paid for it. If they don't want to do their jobs, then they should stop charging us fees.
david @ May 11th 2006 3:25PM
no doom??? miserable
diulei @ May 11th 2006 3:34PM
I'm pretty sure companies who implement something like this will ask you when you want to implement it, and when you don't, i.e. recurring billing.
oshean @ May 11th 2006 3:37PM
Yes, but can it play Lemmings?
Rob Cameron @ May 11th 2006 3:39PM
I thought it would be neat to have a display like this that would show the current balance on your account. That'd require either the balance to be stored on the card (but wouldn't be kept up-to-date for purchases made over the internet or withdrawls at the bank) or have some kind of wi-fi system that would let you request your account balance from the card.
weed @ May 11th 2006 3:45PM
SO will the Fraud Protection people stop calling me and asking me to divulge personal information to a stranger over the phone?
zenprime @ May 11th 2006 3:54PM
I'm sure we could at least get it to do Zork
John M @ May 11th 2006 4:02PM
#2, ever had a card stolen? Yes, you aren't out any money, but it doesn't change the fact that it is a huge pain in the ass to deal with.
Jason @ May 11th 2006 4:20PM
I am loving this concept!
I want one of these NOW.
K @ May 11th 2006 4:34PM
can someone explain that doom reference?
yup @ May 11th 2006 4:35PM
Good points about protecting the card issuer, not the customer. One reason this could be very beneficial is increasing the ease of use for one time credit card numbers, currently it is a huge pain in the ass to get card companies to issue a one time purchase CC number so you can make a purchase on that questionable internet site that has something you just "have to get".
You could have one of these for what are considered risky purchases, like visiting a different country, and one for your repeating bills, etc.
Racekarl @ May 11th 2006 5:00PM
Even if the consumer is "well protected" you still end up paying for fraud in one form or another. Anything that reduces dead-weight loss from these transactions will ultimately benefit the consumer.
Galley @ May 11th 2006 5:15PM
My Bank of America card already has my photo and signature on the front of it, but I guess that's not much good online, is it?
Stefan @ May 11th 2006 5:17PM
This sounds cool for sure, but there are still heaps of details I'll need to know to decide if I'll like it or not, but something needs to be done for sure!
Either way, there are already secure ways of doing internet purchases with credit cards. Banks in Sweden (and probably other countries also) issue "internet credit cards". For the online store, these cards work exactly like any other credit card and there is no way to tell the difference. They are linked to your real card, meaning when you use them to buy stuff with, the money gets taken from your actual card. The trick is though, that the card number sometimes change, along with the expire date and check code, and you have to login to your bank site with your details and enable the card for each purchase (but its open for 30 days, for one purchase, for each time you enable it - this way it works on sites like Amazon and such, when your credit card is not billed until the item is shipped).
EdZ @ May 11th 2006 5:41PM
12>
EVERYTHING plays Doom.
the_toad @ May 11th 2006 5:46PM
trust me... in about a month this baby will be running linux... and a week later there will be doom on it
Matt @ May 11th 2006 5:55PM
My friend's father used to be the head of security at Pantex--a major nuclear weapons facility in Amarillo. He had a similar device that continuously updated a passkey, and I thought it was the coolest thing in the world.
I want one.
John @ May 11th 2006 6:20PM
For security in a corporate environment, Ive heard about a token type (portable credit card) deal for some computer systems that reequire you to authenticate with a fingerprint and then also sync with the monitor (think Timex DataLink) and *then* you get your one-time code to login. That... is pretty cool/secure. Can't remember the name of it though...
Nick @ May 11th 2006 6:23PM
"Oh, and to answer the inevitable question: no, these cards will not be able to play Doom."
...not yet, anyway. ;)
hongkongtechkid @ May 11th 2006 6:26PM
Here is Hong Kong people get a key fob sent to them with a display and one button. when they press the button a number is generated and that is used as an extra password to access online banking.
Molly @ May 11th 2006 9:00PM
if it cant play doom its useless...i dont want it
Rob @ May 12th 2006 12:01AM
It's very cool - secureID on a credit card! I want one!
I'm sure they'll have a "trusted merchant" program so that you can subscribe to automatic renewal transactions. It doesn't make things completely secure, but it's a really big step. Especially since that 3-digit security code is useless now that we have to enter it everywhere.
I wonder, though, if a crypto-freak can get a ton of these cards and crack the pseudorandom number generators behind the one-time pads for all of them.
Rob @ May 12th 2006 3:08AM
BTW - it protects the customer (us) as well as the merchants, because the fraud protection usually has an annual cap (e.g. on some AMEX cards it is $1k and after that you're on your own).
Been there, AMEX paid for it. @ May 12th 2006 6:51AM
Federal law states that you are not liable for any fraud from a stolen credit card if you report it as stolen before the fraud occurs. If you report it after the fraud occurs you are liable up to a maximum of
$50. This is a federal law, the card companies can't put an annual cap on it. I recently had AMEX cover over $3000 worth of fraud on my card and the only questions they asked were about if I had any involvement or profit from it.
ATM debit cards are a different story - you can be liable for much more.
http://www.ftc.gov/bcp/conline/pubs/credit/atmcard.htm
Andrew @ May 12th 2006 8:15AM
I can see this kind of technology making cards that act as electronic wallets such as Chipper here in Holland much more attractive than at present. If I can see exactly how much is in my "wallet" without having to go to some terminal or vending machine then I will be a lot more inclined to actually use such a card. Maybe we'll finally be able to get rid of the loose change in our pockets.
Al Scagnetti @ May 12th 2006 12:46PM
# 24 - You sound like a disciple of Steve Gipson!
Rob @ May 12th 2006 7:44PM
#28: No, i just finished rereading cryptonomicon, and part of the plot involved someone cracking a one-time pad, so that got me thinking....
Darrell Shandrow @ May 13th 2006 3:27PM
In each instance where this technology is implemented, as it currently stands, it will serve to take away the ability of the blind and visually impaired to do business. We must absolutely insist on equally accessible alternatives!
Marian @ May 13th 2006 3:40PM
Citi Bank offers me a much better way to shop online without worries: Virtual Account Numbers. They generate for you a new CC# (when you ask for one), that will be used only for one merchant (eventually for only one transaction).
That's real protection: the merchand doesn't need to have special features for processing CCs, like the Verified by Visa crap.
Joseph Nikodem @ May 14th 2006 2:46PM
This will not be a good thing for the blind and visually impaired community. We must have something we can work with. This would be a step back in doing things and being independent.
Allison Carter @ May 20th 2006 9:03PM
Although I'm blind, I can shop online, and that has made a huge difference for me. This kind of card would be useless and take away that ability. 0 stars.
Navin @ May 22nd 2006 7:44AM
Wonder why cant everything (including CC) be part of the mobile phone. So basically, whether its your CC, ATMcard or any other card...everything is a software.
To communicate with the POS, can use NFC, Bluetooth or any other short range protocol.
Even the OTPs can be generated at the click of your mobile button for online transactions...and yes these OTPs can be read aloud by the mobile.
I am sure you can play mini-Doom on the mobile with other users using bluetooth..else use the shotgun.