
VeriSign has already teamed up with PayPal to offer one-time use passwords on key fobs, but it looks like it's now found a way to make that additional layer of protection even more portable, partnering with Innovative Card Technologies Inc. to squeeze the disposable digits onto standard size bank cards. Apparently, you'll get a new password after each transaction you make online (displayed by pushing a button on the back of the card), making it theoretically impossible for anyone without the card to access your account, even if they somehow manage to get hold of your regular password. While it's not clear when the cards will actually be put into use, VeriSign is promising to make an announcement about a "major bank" set to use the cards sometime this month.
Reader Comments
Mike @ May 1st 2007 4:48PM
Amazing, wonderful idea. These should be mandatory on all credit/debit cards.
Ben @ May 1st 2007 4:58PM
While I agree that this is a very cool idea (similar products are out there), I have to take issue when someone suggests that anything be made "mandatory".
I happen to like capitalism. If I want it, I'll buy it. If I don't, I won't. The consumer is king.
Not sure I'd need it, but very cool nonetheless.
mr friggles @ May 1st 2007 5:15PM
Ben, not everybody thinks "capitalism" as you describe it is all sugar & creme. It tends to get watered down to the point where the most rich take advantage of the most weak. What you get in the end is somewhere between economic servitude and fascism (corporations blended with gov't).
mr friggles @ May 1st 2007 5:56PM
youaretehn00b I assume you mean "free" when you use the word "liberal". The situation I describe exists in clear plain-as-day reality. Where DON'T you see people's lives being reduced to essentially servitude to pay off their bills & debts? And they usually do it with loans and credit.
Where don't you see the poor and underrepresented marginalized to the point where they don't even exist to society, yet industries and businesses that aren't even struggling get billion-dollar bailouts and tax breaks/credits/loopholes/havens "just because"? Where in this government don't you see the government moving in anticipation of corporate interests and desires? And the same officials that draft and sign these policies eventually go on to be lobbyists for those same industries. This is just barely skimming the surface. I could go on but I can see I already shattered your fictional fairytale reality with my 1st post.
TVGenius @ May 1st 2007 6:12PM
Wait... I'm still waiting for touchless payments. Can we get one innovation actually rolled out at a time please? And for that matter, the technology to do this (granted, not embedded in the card) has been around for a long time (I had a token almost ten years ago for a website I worked on)... so what took so long?
rcme @ May 1st 2007 8:47PM
Interesting, but this won't stop the latest round of real-time MITM phishing attacks. These OTPs (one-time passwords) are just as susceptible to MITM attacks as any other OTP.
To stop MITM attacks users need to be able to verify the identity of the "other end" (aka bank web site), which SSL works fine for, if it weren't for the greedy CAs that destroyed the current SSL trust model.
Until the SSL trust can be reestablished, what is really needed is out-of-band transaction authentication/verification (i.e. an SMS message sent to a registered cell phone, digitally signed by the financial institution, which contains the transaction information).
mr friggles @ May 1st 2007 9:29PM
The way you talk sounds like you're basing reality off some fox news crapola. Who here doesn't recognize that corporations extort whatever they can for profit, including and especially the disadvantaged? Ever heard of outsourcing? Ever heard of Walmart?? Geez. Go outside sometime. Yeah everybody has an equal opportunity... theoretically. Theoretically, a monkey on a computer long enough could crack the NSA database, or say a verisign password protected bankcard :)
Swu @ May 1st 2007 10:09PM
HSBC in Hong Kong has already issued one-time password dongles for about a year. They're great and while I still only tele-bank at home, it gives me better peace of mind knowing that it's that much harder for someone else to get into my bank account.
Swu @ May 1st 2007 10:28PM
rcme,
Regarding the man-in-the-middle attack, doesn't the OTP force the attacker to work in real time, because as soon as the connection is terminated then a new password is needed to reconnect? And doesn't the average connection terminate after 5 minutes of inactivity? Wouldn't that make the attacker's window of opportunity very tight?
Also regarding SSL trust, can't you check the security certificate on the connection to verify the site of the bank that you're connecting to via a third party? Or is there something that I'm missing.
Caterina @ May 2nd 2007 12:10AM
I for one like this idea. I have already had my number stolen once and would like to avoid the hassle of having to report fraudulent use.
http://www.stillagirl.com
rcme @ May 2nd 2007 1:32PM
Swu
The current MITM attack consists of what is basically a proxy. The user connects to what they think is their bank/FI, but it is really the MITM website which looks just like the user's bank/FI website. The MITM website/proxy then establishes a connection to the real bank/FI and just forwards the user's authentication/OTP on to the real bank/FI website and then sits in the middle of the session, providing the user only the information about that session/transaction that the MITM wants the user to see.
Since this all occurs in real-time (aka the MITM proxy), the OTP can't stop this attack.
One way to stop this is to use out-of-band verification, like SMS or voice messages confirming a transaction.
Another way to stop this attack is to allow the user to verify the identity of the real bank/FI, which SSL was designed to do many years ago. The problem is that SSL trust has been eroded by the CAs that issue SSL certificates, and since there is currently no consistency in SSL certificate issuance, and DNS webhost naming, it is virtually impossible for the average user to understand the trust associated with a given SSL certificate issued for a given hostname. The problem is, SSL certs can be gotten today for look-alike hostnames that can be used to commit fraud. This is as much a problem with DNS as it is with SSL certs. It is not clear that even the latest EV SSL certs will solve this problem, especially if the CAs that issue the EV SSL certs don't perform proper diligence in vetting the identity of the business owner requesting the EV SSL cert for a given hostname.
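The distinction rcme draws above, between a one-time password that only proves a login and out-of-band verification that is tied to the transaction itself, can be shown in a few lines. This is an added illustration, not code from the article or from rcme; it assumes a hypothetical shared secret and a user-side device that computes the confirmation code over the payee and amount the user actually sees (the same transaction-binding idea as the signed SMS rcme describes, applied in the user-to-bank direction).

```python
import hashlib
import hmac

# Constructed demo values (hypothetical; not from the article or any vendor).
SHARED_SECRET = b"demo-card-secret-not-a-real-key"
COUNTER = 42  # per-transaction counter shared by the card/device and the bank


def six_digits(mac: bytes) -> str:
    """Truncate a MAC to a 6-digit code a user could read off a display or an SMS."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def login_otp(secret: bytes, counter: int) -> str:
    """Login-style OTP: the MAC covers only the counter, nothing about the transaction."""
    return six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-bound code: the MAC also covers the payee and amount the user saw."""
    msg = f"{counter}|{payee}|{amount_cents}".encode()
    return six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(counter: int, payee: str, amount_cents: int, code: str, bound: bool) -> bool:
    """Bank-side check, computed over the transaction the bank actually received."""
    if bound:
        expected = transaction_code(SHARED_SECRET, counter, payee, amount_cents)
    else:
        expected = login_otp(SHARED_SECRET, counter)
    return hmac.compare_digest(expected, code)


def simulate(user_payee: str, user_amount: int, bank_payee: str, bank_amount: int, bound: bool) -> bool:
    """The user confirms (user_payee, user_amount) on the out-of-band device; the bank sees
    (bank_payee, bank_amount), which differ only if something in the path altered them."""
    if bound:
        code = transaction_code(SHARED_SECRET, COUNTER, user_payee, user_amount)
    else:
        code = login_otp(SHARED_SECRET, COUNTER)
    return bank_accepts(COUNTER, bank_payee, bank_amount, code, bound)


if __name__ == "__main__":
    # Legitimate transfer: both schemes accept it.
    print(simulate("Electric Co", 5000, "Electric Co", 5000, bound=False))  # True
    print(simulate("Electric Co", 5000, "Electric Co", 5000, bound=True))   # True
    # Payee changed in transit: the login OTP still verifies, the bound code does not.
    print(simulate("Electric Co", 5000, "Unknown Acct", 5000, bound=False))  # True
    print(simulate("Electric Co", 5000, "Unknown Acct", 5000, bound=True))   # False
```

The bank cannot tell a relayed login OTP from a genuine one, which is rcme's point; only a code that covers the transaction fields lets the bank detect that what it received is not what the user approved.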
Johan S @ May 2nd 2007 2:01PM
A colleague of mine at a previous place I worked had the idea of an RFID smart card that had biometrics (fingerprint reader?) built into a wallet (or right on the card). So that way, it's convenient and can't be stolen. And of course there'll be a display on the card showing your current balance and the company name/code you are about to pay. We looked it up and it turns out fingerprint readers do exist that are thin enough, but also there was a company in Finland that may have implemented a similar idea (but I think they no longer exist).