New Credit Card Includes Display and Keypad
First time accepted submitter pev writes "A new credit card released in Singapore includes a screen and keyboard in order to generate one-time passwords for your online banking. From the article: 'The card has touch-sensitive buttons and the ability to create a "one-time password" - doing away with the need for a separate device sometimes needed to log in to online banking. Future versions of the card could display added information such as the remaining balance.' Let's hope they've put more thought into the implementation than with chip and pin."
What am i missing? (Score:2)
Don't one-time-pasword exists just in case you loose your card???
With these cards, it's like writing your PIN in the back of the card itself...
Re:What am i missing? (Score:5, Informative)
No, they're to prevent the use of the information on the card without the card itself. These basically replace the CVV on the back of the card for determining that the user actually has it in their possession.
Re: (Score:1)
That makes perfect sense...
Cheers!
Re: (Score:2)
It's not required in order to make the transaction (nor, technically, is anything other than the account number; however, your interchange costs increase and your ability to fight chargebacks decreases by providing less information).
Re: (Score:2)
Actually, that's simply because it's against PCI regulation to store the CVN.
Most companies don't realize that asking for it on subsequent transactions is pointless so long as you ask for it the first time: you can still prove (with reasonable certainty) the customer had the card in-hand at some point; i.e. it wasn't bought from a Russian warez site.
In practice that's not true at all, but since when do theory and practice ever overlap?
Re: (Score:2)
Magnetic strip data contains different information than what's read off the card; it effectively replaces the CVN for swiped card-present transactions. The issuing bank goes through a different (though functionally equivalent) routine to authorize the payment when they're sent PAN/CVN/exp instead of the raw track data.
Re: (Score:2)
Yes, it's security theater at its finest. The one time password on the new card is at least an improvement over that.
Re: (Score:2)
Yes, because you can't enter it if you've never seen the card. The CVV was introduced when machines still physically imprinted receipts and prior to the laws banning the display of more than 4 or 5 digits of the number on any printed receipt. It isn't embossed, it's not on the front in the cases where an image is taken of the card, and any merchant found to be storing the code has their payment contract invalidated.
It was to combat the relative ease with which people could gather the name, number, and expir
Re:What am i missing? (Score:5, Informative)
What they did here is integrate a secure terminal like this one [bayimg.com] directly on the card.
These terminals are used for online banking. Every time you log in, you receive a different challenge. You then insert the card into the terminal and enter both the pin and the challenge and get the response back. Then you enter the response in the browser.
The goal of the system is to provide two-factor authentication. You need both something you have (the card) and something you know (the PIN).
The reason you need a secure terminal is that typing the PIN directly on the computer would allow a keylogger to steal it.
Overall it is a pretty solid system.
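The challenge-response login described in the comment above, as an added example that is not part of the original thread and does not reproduce any bank's actual algorithm: HMAC-SHA256 with RFC 4226-style truncation stands in for the card's computation, and the `Card` and `Bank` classes, the 8-digit challenge, and the sample key and PIN are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def _code(key: bytes, counter: int, challenge: str, digits: int = 8) -> str:
    """MAC over counter || challenge, cut to a short decimal code (RFC 4226 style)."""
    mac = hmac.new(key, struct.pack(">Q", counter) + challenge.encode(),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Card:
    """Hypothetical card plus keypad: the PIN is checked here and never sent."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._max_tries = self._tries_left = max_tries
        self.counter = 0  # transaction counter, bumped for every response

    def respond(self, pin: str, challenge: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        self.counter += 1
        return _code(self._key, self.counter, challenge)


class Bank:
    """Hypothetical verifier holding the same per-card key."""

    def __init__(self, key: bytes, window: int = 3):
        self._key, self._window = key, window
        self._last_counter = 0   # highest counter accepted so far
        self._pending = None     # outstanding challenge, single use

    def new_challenge(self) -> str:
        self._pending = str(secrets.randbelow(10 ** 8)).zfill(8)
        return self._pending

    def verify(self, response: str) -> bool:
        # Consume the challenge first so a second attempt cannot reuse it.
        challenge, self._pending = self._pending, None
        if challenge is None:
            return False
        first = self._last_counter + 1
        for ctr in range(first, first + self._window):
            if hmac.compare_digest(_code(self._key, ctr, challenge), response):
                self._last_counter = ctr  # older counters are never accepted again
                return True
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample key
    card, bank = Card(key, "4821"), Bank(key)
    reply = card.respond("4821", bank.new_challenge())
    print("first login:", bank.verify(reply))
    bank.new_challenge()
    print("replayed reply:", bank.verify(reply))
```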
Re: (Score:3)
Indeed. PostFinance (a bank in Switzerland where I have an account as I'm a grad student there) has those exact same terminals. It's pretty slick.
Only disadvantage: they only allow one card to be linked to one's account for online access, even if it's a joint account. In my case, my wife has access to it because she does most of the financial stuff, but it's annoying. Naturally, we both have bank cards and can access the account via ATMs and the like, but only her card can be used for logging into the websi
Re: (Score:2)
I wish they implemented this for all transactions, not just using the bank website.
Re: (Score:2)
Yes: we used to use RSA cards with numeric pads to do mutual authentication at (the late, lamented) Sun Microsystems. This is basically the minimum functionality one needs to be able to do financial transactions without having to maintain (and pay out!) huge reserves against fraud.
--dave
Re: (Score:2)
They're also used to "sign" online transactions, like money transfers and paying bills.
Re:What am i missing? (Score:5, Interesting)
I saw these (or a similar type) last year here in Belgium when I was part of a test panel/opinion group.
Basically it was all possible types of payment systems thrown together in one card.
It had the debit card system we have here (Maestro / Bancontact), but at the same time you could use it as a credit card too (Visa / Mastercard). Most people in the group found this a good idea as all had multiple cards in their wallet.
As you can see it has the keypad type thing for extra authentication on the internet so you don't need an extra device for it. Nice, but less useful. Not everyone had a need for it, and we didn't get technical details about how secure it was or how it worked.
It also had some kind of contact-less system we don't have yet in Belgium but they said it was used in France. Small payments you could just make by holding your card above a reader, no need to enter a pin. As we don't know this, most found it insecure.
It also wasn't known if you could deactivate certain things or always had all features - like only use the debit/credit card combination but not the touchless thing.
I remember one disadvantage: the 'buttons' you had to push to generate the nr were difficult to operate. Had to push hard in exactly the right spot. Don't think elderly people could get along with it.
Technically I was impressed with this card for having battery electronics and lcd in it, as it was very thin and still flexible.
Re: (Score:2)
The problem is that this is just for one specific card. An open standard would really be nice so that you didn't need to carry multiple cards, but the card companies consider that against their interests. Something like Google Authenticator on a smartphone would also be a nice solution.
Re: (Score:3)
Don't one-time-pasword exists just in case you loose your card???
I assume by "loose" you mean "set your card free," as in giving it to your girlfriend. Seems a one time password would work if you only wanted to let her use it once. Nice idea, I like it!
similar to Sweden, where all banking is electronic (Score:5, Interesting)
Re: (Score:2)
Yes, we have the same thing here in the UK.
Re:similar to Sweden, where all banking is electro (Score:5, Informative)
Yes, we have the same thing here in the UK.
It's called CAP, Chip Authentication Programme [wikipedia.org]. I was the designer of the system that is used by a big UK bank. It requires a self powered sleeve reader (that looks like a calculator) and it's an open standard so that all EMV cards can use any branded reader device (they don't tell you that). Some of the readers have a "MENU" button and you can read off the transaction counter etc on your card. A handy way to tell if someone close has been using the card while you're not looking. If you do muck around with your card, be careful. I changed my PIN to be 6 digits on some test gear and ended up having to get a new bank card because the UK ATM network is hard coded to 4 digits. EMV cards support 6 digits.
Re: (Score:3)
"I changed my PIN to be 6 digits on some test gear and ended up having to get a new bank card because the UK ATM network is hard coded to 4 digits."
Why couldn't you use the test gear to change it back to 4 digits, or once it's set to 6 digits is it fixed at that and can't be reverted?
Re: (Score:2)
In the UK, the CAP readers are totally standalone and powered by batteries - i.e. need no host computer. Given that I use Linux myself, there was no way I was building in OS restrictions.
Re: (Score:2)
"No personal checks in Sweden, so all person-to-person transfers are done in cash"
Did they get rid of cheques or did they never have them? I always thought Sweden was an advanced country, but it doesn't sound like it. Personal cheques are damn useful in situations where electronic banking can be a PITA and cash isn't feasible - eg paying a builder.
Re:similar to Sweden, where all banking is electro (Score:5, Interesting)
They are advanced. Everything is electronic. All train tickets, most plane tickets, and most subway tickets can just be done with the mobile phone (no paper needed).
They're REALLY pushing for a cashless society and making significant progress. Everyone is paid on the same day (25th of the month) after all.
To be honest, it's much more of a hassle in Germany and a total nightmare in the US, compared to the simplicity in Stockholm. Once you get up and running, it's super easy.
Re: (Score:1)
To be honest, it's much more of a hassle to find dissidents in Germany and a total nightmare in the US, compared to the simplicity in Stockholm. Once you get up and running, it's super easy
There, fixed that for you.
Nice (Score:2)
This comment was 100% insightful. Now it's 100% offtopic. Except, it's clearly 100% on topic.
Re: (Score:1)
Paper versions still exist, I'd assume.
Re: (Score:2)
Here in the US, Credit Card payments siphon off a percentage to the CC company. Is that different in Sweden and other 'advanced' places?
Re: (Score:2)
"he gives you an invoice with his/her banking info and you just transfer it. He'll just email/SMS you the invoice. Pretty simple. "
Considerably less simple than just handing him a cheque on the day he finishes.
Re: (Score:2)
You could hand him cash - they still have that, they just don't have that out-dated form of transferring money. I can't see the benefit of cheques.
* You still need a bank account, so they're still traceable, ie. You can't use them for hiding funds, unless you take them to some dodgy cheque cashing place, which will take a percentage. I suppose you bank off-shore, but the issuer will still be able to determine where the money has gone.
* They take longer to clear, as the bank has to verify the issuer that the
Re: (Score:2)
You could hand him cash - they still have that, they just don't have that out-dated form of transferring money. I can't see the benefit of cheques.
Checks make receipts unnecessary. With cash he'll have to write a receipt. The check will be proof of payment to a judge, a receipt maybe or maybe not.
Re: (Score:2)
It's really not that hard to log in and transfer the money. And you'll never run out of transfers, they can't be lost and you don't force the person receiving the transfer to have to go to the bank or scan in a check to get their money. It's not as hard as you're making it out to be and there are benefits.
Re: (Score:2)
Handing him the cheque isn't the completion of the transaction though. He then has to appear at the bank in person to deposit it and then there's a few days for it to clear while if you did it electronically, the transaction will actually be complete.
Re: (Score:2)
Why are cheques so much more secure? They can still bounce, or I could call up the bank and ask them to cancel my chequebook, and still write them out. Sure, it's fraudulent, but if I'm willing not to pay somebody, then I probably don't care about upsetting some lawn care guy.
... or an insignificant matter of money (although don't necessarily have that money cause you didn't stop at the bank) how do you pay some one?
Easy, I log onto internet banking and queue the transfer for tomorrow. If you're relying on the cheque clearing delay as a free overdraft, I think you've got bigger worries.
Re: (Score:2)
They can still bounce, or I could call up the bank and ask them to cancel my chequebook, and still write them out. Sure, it's fraudulent
And you will go to jail for it, guaranteed (at least in my state).
Re: (Score:2)
What I want to know is how do I leave the lawn care guy $40 USD in an envelope.
1. Get $40USD
2. Get envelope
3. Put cash in envelope
4. Leave for lawn care guy
It's really not all that difficult.
Re: (Score:2)
"Hmm, why would electronic banking be a PITA when paying for a builder?"
Hmm, let me think. Because he doesn't have a computer or card reader on site and he doesn't do electronic banking anyway.
"I use online banking for person-to-person transfers (even the very small amounts)"
Good for you. But not everyone loves technology so much that they find farting about with electronic payment simpler than spending 30 seconds writing a cheque.
Re: (Score:2)
"Everyone in Sweden and all of Northern Europe does it this way"
If by Northern Europe you don't include the UK, Ireland or France then sure. If you mean just Scandinavia then maybe, but Scandinavia != the world and a lot of people in the rest of the world (myself included) find cheques quick and simple. I've done electronic payments for many things including my house and car and they are somewhat more hassle than just writing a cheque and handing it over.
"With a mobile phone and the bank's App, a transfer
Re: (Score:2)
Wow, a real +5 insightful response there mate. Got no answers then?
And no, I'm not whoever you seem to think I am.
Re: (Score:2)
Cash is anonymous. Rather useful if you want to avoid tax. And yes I have used it for that and no I don't give a damn if you disapprove so save your breath.
Ah, we've now got to the nub of it. I was wondering who would seriously trust a piece of handwritten paper that hopefully will be worth the money. As far as I can see, the people that want to keep cheques going are exactly the ones you should never trust a cheque from.
Seeing as you seem to mention builders and workmen a lot, it would appear that you work in the building trade - there's a surprise - always looking for a loophole and a shortcut.
Re: (Score:3)
spending 30 seconds writing a cheque.
Plus 5 minutes to deposit said cheque, then a few days waiting for said cheque to clear before your balance reflects reality again.
Re: (Score:2)
But in countries with ubiquitous electronic banking, he WOULD have a computer or card reader. It'd be a fundamental tool of the job, without which he simply couldn't run his business. They're not exactly expensive these days, especially the ones that just attach to an existing mobile phone. Your builder probably spent more on his last new hammer.
Re: (Score:2)
In the UK they want to get rid of them and they were due to be phased out but got a last minute reprieve. They're old tech but no solution for sending gifts if you're a granny etc has been found yet.
Re: (Score:2)
Can't speak for Sweden, but honestly I'm surprised there are still places that have any measurable use of paper cheques still. I'm in my 30s and have never had a cheque account. Never written a cheque. Never received one. Hell, never even seen one other than vague recollections of my parents using them in the 80s when I was a kid.
I'm in Australia and while they technically haven't abolished cheques here, virtually no one uses them. The need for them vanished due to the invention (and more importantly standa
Re: (Score:2)
The obvious answer is that the system only accepts 4-digit PINs, so having a 6-digit PIN means you can never enter it as the system only allows 4 digits, which never validate against 6 digit PINs.
Flashback (Score:2)
It's been a good 20 years since I've used a device like that for authentication. Maybe 19. Used it to log into telco switches. The token generator was a little device about the size of a small calculator, securely attached to a desk next to a laminated sheet of paper (taped to the desk) with step by step authentication instructions including username/password. The desk was in a secluded corner right next to an unlocked door that opened onto the building's loading dock. :facepalms:
physical keys (Score:2)
Let's get it right... no cell phones have a physical keyboard anymore, yet it's credit cards that get (limited) keyboards and display? Something is amiss...
Re: (Score:2)
Absolutely. The device as described sounds to me exactly like an app on a smartphone. Albeit it would have to be a pretty damn secure app, not the garbage most apps seem to be these days.
Why would I want to carry one of these gadgets around when I already have a smartphone which can do the same job?
Re: (Score:3)
Why would I want to carry one of these gadgets around when I already have a smartphone which can do the same job?
You answered this question in your first paragraph. A mobile phone application runs on a general purpose OS (which, unless it's an iPhone or a Google-branded Android phone, probably has a load of old and buggy libraries and kernel because your carrier doesn't push out updates sufficiently competently). Even if the app itself is perfectly written, the TCB contains a whole load of other stuff that really shouldn't be trusted - you install one malicious app by mistake (or visit one malicious web page with a b
Re: (Score:2)
A smartphone would be useless here. The key here is something you have (the card) and something you know (the pin). The device, whether built into the card or separate, and the PIN leads to creating the OTP. Maybe I'm just dense, but I don't see how a smartphone (w/o a card reader) would be any use here.
Re: (Score:2)
The whole point is to make sure the person making the transaction is in possession of the card. If "card possession" is not your concern, you're talking about a completely different system.
Re: (Score:2)
A smartphone app could be more secure. You've got the link from your phone to your bank under your control, a
Re: (Score:2)
The CVV number is an attempt to further ensure that the card possessor is the authorized user.
Seeing as the number is printed on the back of the card, the only thing that number really does is ensure that the "user" has both sides of the card...
Re: (Score:2)
Is it? I don't see what's surprising here. The expensive device with more functionality has got the better input system. The cheap device that's distributed "freely" by banks to all their customers has the crappy input device that works less well but is significantly cheaper.
What's amiss?
Who pays for the improved card? (Score:1)
This is against the banks' interest. In Australia, the banks actually MAKE money out of fraud by overcharging and charge-backs to the merchant.
Only because the law says owner up to the first $50, the bank wears the cost for any fraud. So it is a no brainer to send a 50 cent mag stripe card, than an expensive unit that may actually harm their business model. Cameras and SMS messaging do the job nicely.
Years ago, patents for laser stripe cards - replace mag strip with dvd like material, or high resolution mag
WTF? (Score:2, Flamebait)
Can someone please explain why, when I submitted this story yesterday, it was flagged as spam?
http://slashdot.org/submission/2344885/credit-card-has-display-acts-as-security-token [slashdot.org]
I had one of these in the 1980s... (Score:3)
So why the big fanfare about sticking electronics in a card again, 30 years later?
Re: (Score:1)
Because some people still think digital displays are a pretty neat idea.
Not replacing chip and pin (Score:1)
The card displayed in TFA has a 'chip', and is presumably compatible with chip and pin systems.
As far as I understand it, this is simply trying to integrate an authentication device [wikipedia.org] into the card itself, not replace the current card system.
Includes display and leopard (Score:1)
Instant Failure. (Score:3)
Show me how durable that thing is by putting it in an overstuffed wallet that is then used by a construction worker who bends over and plops down 90 times a day.
I remember the SecurID credit cards. I had to replace them 3 times a year from cracked LCD screens or cracked boards.
Re: (Score:1)
http://i1299.photobucket.com/albums/ag67/tempforsd/WP_000647.jpg [photobucket.com]
I'm not saying all brands are that good, but that one is.
SmartDisplayer (Score:3, Informative)
Basically we have "news" of a product by SmartDisplayer [smartdisplayer.com.tw], that they have been producing for the last 7 years, already implemented by some 30 banks, used by Visa in some markets, which I have been using with the in-house TOATH authentication systems for the last four years. So where's the news? Slow news day?
Re: (Score:2)
On the new Slashdot... EVERY DAY is a slow news day!
LCD? (Score:2)
Why choose LCD over e-ink?
Saw that yesterday. (Score:1)
Only credit card with buttons and display I want (Score:2)
can be found here http://www.rpn-calc.ch/ [rpn-calc.ch]
Fully functional HP-15C clone - updatable firmware!
seems more useful for face-to-face transactions (Score:2)
I'm not too worried about online. It seems to me that this technology would be far more useful for securing face-to-face transactions. Every time you hand your card over to a cashier or a waiter, you give them nearly unrestricted access to your account. If you just gave them a one-time password, that would be a huge increase in security.
This is 20-year-old technology (Score:2)