One Time Password DisplayCard heightens transaction security
By Evan Blass 
posted May 11th 2006 2:50PM
posted May 11th 2006 2:50PM
While we were a bit skeptical when Chase sent us one of their questionably-secure RFID-equipped "Blink" cards last year, we're gonna be all over a new technology from several companies that actually gives credit cards a heigtened level of security by generating a one-time passcode for each transaction, viewable on an embedded e-ink display. The OTP DisplayCard, as it's being called, was developed by InCard Technologies in conjunction with security firm nCryptone using technology from SiPix Imaging and SmartDisplayer, and is being targeted at financial institutions or at other companies as a replacement for the password-generating key fobs used to enable VPN access to their intranets. While the added security feature would come into play for both online and in-person transactions, it will probably be most useful for Internet purchases, making your credit card info almost worthless to identity thieves who can't get their hands on the card itself. Oh, and to answer the inevitable question: no, these cards will not be able to play Doom.[Via mobileread]
The random number is only as secure as the infrastructure for storing the key check system, and the complexity of the alorithm.
The vendor will be doing some sort of key validation when processing your order and although significantly more secure than current credit card systems, it's not impossible for the new system to be hacked whether by flaw or attack.
Where there is a will there is a way.
Though no denying that's mad cool.
What they need is and RFID "Authentication Hotline" of some sort that you have call and input your credentials to authorize that the RFID is valid. If anyone has the card, they can still use it. With having to authorize the RFID by entering user-created credentials, unauthorized use will be thwarted if they can not authorize the use of the card.
Great, so now I'll have to bust out my card for every purchase instead of using the stored info on the sites that I purchase from regularly? What about repeat billing? Is GoDaddy's auto-renew (and a million other services like it) a thing of the past?
Consumers: This isn't being made to benefit you. Cardholders are already well protected from fraud. This is so that card issuers can stop offering that fraud protection and place the blame back on you.
Lame.
Spot on, sir. Consumers do not pay for fraud, that is why we have fraud protection and that is why we pay exorbitant annual fees to charge card companies. I don't want to be inconvenienced, I want my transactions to be fast and simple. It is my responsibility to ensure that my card is not lost or stolen, but if it is, then I expect all those fees that I pay to start working for me. I am completely indifferent to how much a lost or stolen card may cost my card issuer in terms of time or money. That's none of my business, so I don't care. As far as I'm concerned, I've already paid for it. If they don't want to do their jobs, then they should stop charging us fees.
no doom??? miserable
I'm pretty sure companies who implement something like this will ask you when you want to implement it, and when you don't, i.e. recurring billing.
Yes, but can it play Lemmings?
I thought it would be neat to have a display like this that would show the current balance on your account. That'd require either the balance to be stored on the card (but wouldn't be kept up-to-date for purchases made over the internet or withdrawls at the bank) or have some kind of wi-fi system that would let you request your account balance from the card.
SO will the Fraud Protection people stop calling me and asking me to divulge personal information to a stranger over the phone?
I'm sure we could at least get it to do Zork
#2, ever had a card stolen? Yes, you aren't out any money, but it doesn't change the fact that it is a huge pain in the ass to deal with.
I am loving this concept!
I want one of these NOW.
can someone explain that doom reference?
Good points about protecting the card issuer, not the customer. One reason this could be very beneficial is increasing the ease of use for one time credit card numbers, currently it is a huge pain in the ass to get card companies to issue a one time purchase CC number so you can make a purchase on that questionable internet site that has something you just "have to get".
You could have one of these for what are considered risky purchases, like visiting a different country, and one for your repeating bills, etc.
Even if the consumer is "well protected" you still end up paying for fraud in one form or another. Anything that reduces dead-weight loss from these transactions will ultimately benefit the consumer.
My Bank of America card already has my photo and signature on the front of it, but I guess that's not much good online, is it?
This sounds cool for sure, but there are still heaps of details I'll need to know to decide if I'll like it or not, but something needs to be done for sure!
Either way, there are already secure ways of doing internet purchases with credit cards. Banks in Sweden (and probably other countries also) issue "internet credit cards". For the online store, these cards work exactly like any other credit card and there is no way to tell the difference. They are linked to your real card, meaning when you use them to buy stuff with, the money gets taken from your actual card. The trick is though, that the card number sometimes change, along with the expire date and check code, and you have to login to your bank site with your details and enable the card for each purchase (but its open for 30 days, for one purchase, for each time you enable it - this way it works on sites like Amazon and such, when your credit card is not billed until the item is shipped).
12>
EVERYTHING plays Doom.
trust me... in about a month this baby will be running linux... and a week later there will be doom on it
My friend's father used to be the head of security at Pantex--a major nuclear weapons facility in Amarillo. He had a similar device that continuously updated a passkey, and I thought it was the coolest thing in the world.
I want one.
For security in a corporate environment, Ive heard about a token type (portable credit card) deal for some computer systems that reequire you to authenticate with a fingerprint and then also sync with the monitor (think Timex DataLink) and *then* you get your one-time code to login. That... is pretty cool/secure. Can't remember the name of it though...
"Oh, and to answer the inevitable question: no, these cards will not be able to play Doom."
...not yet, anyway. ;)
Here is Hong Kong people get a key fob sent to them with a display and one button. when they press the button a number is generated and that is used as an extra password to access online banking.
if it cant play doom its useless...i dont want it
It's very cool - secureID on a credit card! I want one!
I'm sure they'll have a "trusted merchant" program so that you can subscribe to automatic renewal transactions. It doesn't make things completely secure, but it's a really big step. Especially since that 3-digit security code is useless now that we have to enter it everywhere.
I wonder, though, if a crypto-freak can get a ton of these cards and crack the pseudorandom number generators behind the one-time pads for all of them.
BTW - it protects the customer (us) as well as the merchants, because the fraud protection usually has an annual cap (e.g. on some AMEX cards it is $1k and after that you're on your own).
Federal law states that you are not liable for any fraud from a stolen credit card if you report it as stolen before the fraud occurs. If you report it after the fraud occurs you are liable up to a maximum of
$50. This is a federal law, the card companies can't put an annual cap on it. I recently had AMEX cover over $3000 worth of fraud on my card and the only questions they asked were about if I had any involvement or profit from it.
ATM debit cards are a different story - you can be liable for much more.
http://www.ftc.gov/bcp/conline/pubs/credit/atmcard.htm
I can see this kind of technology making cards that act as electronic wallets such as Chipper here in Holland much more attractive than at present. If I can see exactly how much is in my "wallet" without having to go to some terminal or vending machine then I will be a lot more inclined to actually use such a card. Maybe we'll finally be able to get rid of the loose change in our pockets.
# 24 - You sound like a disciple of Steve Gipson!
#28: No, i just finished rereading cryptonomicon, and part of the plot involved someone cracking a one-time pad, so that got me thinking....
In each instance where this technology is implemented, as it currently stands, it will serve to take away the ability of the blind and visually impaired to do business. We must absolutely insist on equally accessible alternatives!
Citi Bank offers me a much better way to shop online without worries: Virtual Account Numbers. They generate for you a new CC# (when you ask for one), that will be used only for one merchant (eventually for only one transaction).
That's real protection: the merchand doesn't need to have special features for processing CCs, like the Verified by Visa crap.
This will not be a good thing for the blind and visually impaired community. We must have something we can work with. This would be a step back in doing things and being independent.
Although I'm blind, I can shop online, and that has made a huge difference for me. This kind of card would be useless and take away that ability. 0 stars.
Wonder why cant everything (including CC) be part of the mobile phone. So basically, whether its your CC, ATMcard or any other card...everything is a software.
To communicate with the POS, can use NFC, Bluetooth or any other short range protocol.
Even the OTPs can be generated at the click of your mobile button for online transactions...and yes these OTPs can be read aloud by the mobile.
I am sure you can play mini-Doom on the mobile with other users using bluetooth..else use the shotgun.