
New Credit Card Includes Display and Keypad

First time accepted submitter pev writes "A new credit card released in Singapore includes a screen and keyboard in order to generate one-time passwords for your online banking. From the article: 'The card has touch-sensitive buttons and the ability to create a "one-time password" - doing away with the need for a separate device sometimes needed to log in to online banking. Future versions of the card could display added information such as the remaining balance.' Let's hope they've put more thought into the implementation than with chip and pin."
  • Don't one-time-pasword exists just in case you loose your card???
    With these cards, it's like writing your PIN in the back of the card itself...

    • by Fjandr ( 66656 ) on Friday November 09, 2012 @05:50AM (#41930349) Homepage Journal

      No, they're to prevent the use of the information on the card without the card itself. These basically replace the CVV on the back of the card for determining that the user actually has it in their possession.

      • That makes perfect sense...
        Cheers!

    • by Bomazi ( 1875554 ) on Friday November 09, 2012 @06:03AM (#41930391)

      What they did here is integrate a secure terminal like this one [bayimg.com] directly on the card.

      These terminals are used for online banking. Every time you log in, you receive a different challenge. You then insert the card into the terminal and enter both the PIN and the challenge and get the response back. Then you enter the response in the browser.

      The goal of the system is to provide two-factor authentication. You need both something you have (the card) and something you know (the PIN).

      The reason you need a secure terminal is that typing the PIN directly on the computer would allow a keylogger to steal it.

      Overall it is a pretty solid system.
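
A minimal model of the challenge-response login described in the comment above, as an added example that is not part of the original thread. It uses a generic HMAC with HOTP-style truncation rather than the cryptogram a real bank card computes; the `Card` and `Bank` classes, the PIN retry limit, the 8-digit code length and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets


def code_for(key: bytes, challenge: str, digits: int = 8) -> str:
    """HMAC the challenge, then HOTP-style truncation (RFC 4226) to digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Card:
    """Hypothetical card plus terminal: the key and PIN never leave it."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._max_tries = self._tries_left = max_tries

    def respond(self, pin: str, challenge: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        return code_for(self._key, challenge)


class Bank:
    """Hypothetical server: a fresh, single-use challenge per login."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._pending:
            return False  # never issued, or already consumed
        self._pending.discard(challenge)  # one attempt per challenge
        return hmac.compare_digest(code_for(self._key, challenge), response)


def demo():
    key = secrets.token_bytes(32)  # constructed shared secret
    card, bank = Card(key, "4821"), Bank(key)  # constructed PIN
    c1 = bank.new_challenge()
    r1 = card.respond("4821", c1)  # PIN typed on the card, not the PC
    first = bank.verify(c1, r1)
    replay = bank.verify(c1, r1)  # captured response, same challenge
    stale = bank.verify(bank.new_challenge(), r1)  # captured, next login
    return first, replay, stale


if __name__ == "__main__":
    print(demo())
```

A keylogger on the computer sees only the challenge and the response; the replay and stale checks show why neither is reusable for a later login.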

      • by heypete ( 60671 )

        Indeed. PostFinance (a bank in Switzerland where I have an account as I'm a grad student there) has those exact same terminals. It's pretty slick.

        Only disadvantage: they only allow one card to be linked to one's account for online access, even if it's a joint account. In my case, my wife has access to it because she does most of the financial stuff, but it's annoying. Naturally, we both have bank cards and can access the account via ATMs and the like, but only her card can be used for logging into the websi

      • Similar one used by my bank; Card + Pin + Reader = One time pad, presumably based upon a synchronised clock between the reader and the authentication server RSA-token style.

        I wish they implemented this for all transactions, not just using the bank website.
      • by davecb ( 6526 )

        Yes: we used to use RSA cards with numeric pads to do mutual authentication at (the late, lamented) Sun Microsystems. This is basically the minimum functionality one needs to be able to do financial transactions without having to maintain (and pay out!) huge reserves against fraud.

        --dave

    • It's a one-time-password for getting access to your online banking, not (as I assume you mean) for getting cash out of the machines in emergencies.
    • You need to enter a passcode to get the OTP. Something you have (the card) plus something you know (the code).
    • by DZign ( 200479 ) <averhe AT gmail DOT com> on Friday November 09, 2012 @08:19AM (#41930975) Homepage

      I saw these (or a similar type) last year here in Belgium when I was part of a test panel/opinion group.

      Basically it was all possible types of payment systems thrown together in one card.

      It had the debit card system we have here (Maestro / Bancontact), but at the same time you could use it as a credit card too (Visa / Mastercard). Most people in the group found this a good idea as all had multiple cards in their wallet.

      As you can see it has the keypad type thing for extra authentication on the internet so you don't need an extra device for it. Nice, but less useful. Not everyone had a need for it, and we didn't get technical details about how secure it was or how it worked.

      It also had some kind of contact-less system we don't have yet in Belgium but they said it was used in France. Small payments you could just make by holding your card above a reader, no need to enter a pin. As we don't know this, most found it insecure.

      It also wasn't known if you could deactivate certain things or always had all features - like only use the debit/credit card combination but not the touchless thing.

      I remember one disadvantage: the 'buttons' you had to push to generate the nr were difficult to operate. Had to push hard in exactly the right spot. Don't think elderly people could get along with it.

      Technically I was impressed with this card for having battery electronics and lcd in it, as it was very thin and still flexible.

      • The problem is that this is just for one specific card. An open standard would really be nice so that you didn't need to carry multiple cards, but the card companies consider that against their interests. Something like Google Authenticator on a smartphone would also be a nice solution.

    • by mcgrew ( 92797 ) *

      Don't one-time-pasword exists just in case you loose your card???

      I assume by "loose" you mean "set your card free," as in giving it to your girlfriend. Seems a one time password would work if you only wanted to let her use it once. Nice idea, I like it!

  • by acidfast7 ( 551610 ) on Friday November 09, 2012 @06:02AM (#41930385)
    No personal checks in Sweden, so all person-to-person transfers are done in cash. However, banks won't take huge piles of money ... say anything over €500 ... so all of those transfers are done electronically. When I sold my used bike, we met and did the transfer electronically at a cafe via mobile phones. The biggest difference was that you had to put the credit card into a device that looks like a calculator and enter a number from the banking website into the card-inserted device. The number returned is then entered into the web to authenticate the transfer. This just does it all on one credit card, which is GREAT.
    • Looks like this [blogspot.de] for those interested ...
      • by Bogtha ( 906264 )

        Yes, we have the same thing here in the UK.

        • by rapiddescent ( 572442 ) on Friday November 09, 2012 @07:31AM (#41930713)

          Yes, we have the same thing here in the UK.

          It's called CAP, Chip Authentication Programme [wikipedia.org]. I was the designer of the system that is used by a big UK bank. It requires a self-powered sleeve reader (that looks like a calculator) and it's an open standard so that all EMV cards can use any branded reader device (they don't tell you that). Some of the readers have a "MENU" button and you can read off the transaction counter etc. on your card. A handy way to tell if someone close has been using the card while you're not looking. If you do muck around with your card, be careful. I changed my PIN to be 6 digits on some test gear and ended up having to get a new bank card because the UK ATM network is hard coded to 4 digits. EMV cards support 6 digits.

          • by Viol8 ( 599362 )

            "I changed my PIN to be 6 digits on some test gear and ended up having to get a new bank card because the UK ATM network is hard coded to 4 digits."

            Why couldn't you use the test gear to change it back to 4 digits, or once it's set to 6 digits is it fixed at that and can't be reverted?

    • by Viol8 ( 599362 )

      "No personal checks in Sweden, so all person-to-person transfers are done in cash"

      Did they get rid of cheques or did they never have them? I always thought Sweden was an advanced country, but it doesn't sound like it. Personal cheques are damn useful in situations where electronic banking can be a PITA and cash isn't feasible - e.g. paying a builder.

      • by acidfast7 ( 551610 ) on Friday November 09, 2012 @06:17AM (#41930443)

        They are advanced. Everything is electronic. All train tickets, most plane tickets, and most subway tickets can just be done with the mobile phone (no paper needed).

        They're REALLY pushing for a cashless society and making significant progress. Everyone is paid on the same day (25th of the month) after all.

        To be honest, it's much more of a hassle in Germany and a total nightmare in the US, compared to the simplicity in Stockholm. Once you get up and running, it's super easy.

        • To be honest, it's much more of a hassle to find dissidents in Germany and a total nightmare in the US, compared to the simplicity in Stockholm. Once you get up and running, it's super easy

          There, fixed that for you.

        • and all of that technology would have been useless in the past week here in the northeast. No electric = nightmare for cashless society. Even the places with electric were having trouble processing credit cards.
        • As a serious question, what if someone doesn't have a phone?
        • Another serious question :)

          Here in the US, Credit Card payments siphon off a percentage to the CC company. Is that different in Sweden and other 'advanced' places? ;-)
        • It's a shame the Swedish government mandated that all retailers that accept payments must have a 'black box' that tracks payments for the government. I develop software for (among others) the Swedish market. In Soviet Sweden my life is a pain in the arse!
      • Also, in Stockholm, I never saw a builder without a mobile phone? I never saw anyone with a mobile phone. And, don't say that the "government just wants its piece of the cake by not allowing cash." I like it because it really keeps things on the "up-and-up" as all personal tax records are publicly available.
      • >Did they get rid of cheques or did they never have them?
        In the UK they want to get rid of them and they were due to be phased out but got a last-minute reprieve. They're old tech but no solution for sending gifts if you're a granny etc. has been found yet.
      • Can't speak for Sweden, but honestly I'm surprised there are still places that have any measurable use of paper cheques still. I'm in my 30s and have never had a cheque account. Never written a cheque. Never received one. Hell, never even seen one other than vague recollections of my parents using them in the 80s when I was a kid.

        I'm in Australia and while they technically haven't abolished cheques here, virtually no one uses them. The need for them vanished due to the invention (and more importantly standa

      • by tlhIngan ( 30335 )

        Why couldn't you use the test gear to change it back to 4 digits, or once it's set to 6 digits is it fixed at that and can't be reverted?

        The obvious answer is that the system only accepts 4-digit PINs, so having a 6-digit PIN means you can never enter it as the system only allows 4 digits, which never validate against 6 digit PINs.

        "No personal checks in Sweden, so all person-to-person transfers are done in cash"

        Did they get rid of cheques or did they never have them? I always thought Sweden was an advanced

  • It's been a good 20 years since I've used a device like that for authentication. Maybe 19. Used it to log into telco switches. The token generator was a little device about the size of a small calculator, securely attached to a desk next to a laminated sheet of paper (taped to the desk) with step by step authentication instructions including username/password. The desk was in a secluded corner right next to an unlocked door that opened onto the building's loading dock. :facepalms:

  • Let's get it right... no cell phones have a physical keyboard anymore, yet it's credit cards that get (limited) keyboards and display? Something is amiss...

    • Absolutely. The device as described sounds to me exactly like an app on a smartphone. Albeit it would have to be a pretty damn secure app, not the garbage most apps seem to be these days.

      Why would I want to carry one of these gadgets around when I already have a smartphone which can do the same job?

      • Why would I want to carry one of these gadgets around when I already have a smartphone which can do the same job?

        You answered this question in your first paragraph. A mobile phone application runs on a general purpose OS (which, unless it's an iPhone or a Google-branded Android phone, probably has a load of old and buggy libraries and kernel because your carrier doesn't push out updates sufficiently competently). Even if the app itself is perfectly written, the TCB contains a whole load of other stuff that really shouldn't be trusted - you install one malicious app by mistake (or visit one malicious web page with a b

      • The device as described sounds to me exactly like an app on a smartphone

        A smartphone would be useless here. The key here is something you have (the card) and something you know (the pin). The device, whether built into the card or separate, and the PIN leads to creating the OTP. Maybe I'm just dense, but I don't see how a smartphone (w/o a card reader) would be any use here.

        • Why can't the "Something I have" be the phone itself, rather than some ratty piece of plastic? After all, it's just the number on the card that's important. Why can't that number be inside the phone?
          • The whole point is to make sure the person making the transaction is in possession of the card. If "card possession" is not your concern, you're talking about a completely different system.

            • Actually, the whole point is to make sure the person making the transaction is authorized to make the transaction. "Card possession" is merely the mechanism used to accomplish that end. Theft and abuse have made it so that mere possession of the card is no longer sufficient to ensure that authority. The CVV number is an attempt to further ensure that the card possessor is the authorized user.

              A smartphone app could be more secure. You've got the link from your phone to your bank under your control, a
              • The CVV number is an attempt to further ensure that the card possessor is the authorized user.

                Seeing as the number is printed on the back of the card, the only thing that number really does is ensure that the "user" has both sides of the card...

                • Sorry. Clumsy wording on my part. The card company equates possessing the card with being authorized to use the card. The CVV ensures that whoever is making the transaction has the card (and thus is authorized to use it).
    • Is it? I don't see what's surprising here. The expensive device with more functionality has got the better input system. The cheap device that's distributed "freely" by banks to all their customers has the crappy input device that works less well but is significantly cheaper.

      What's amiss?

  • by Anonymous Coward

    This is against the banks' interest. In Australia, the banks actually MAKE money out of fraud by overcharging and charge-backs to the merchant.
    Only because the law says owner up to the first $50, the bank wears the cost for any fraud. So it is a no-brainer to send a 50 cent mag stripe card, than an expensive unit that may actually harm their business model. Cameras and SMS messaging do the job nicely.

    Years ago, patents for laser stripe cards - replace mag strip with dvd like material, or high resolution mag

  • WTF? (Score:2, Flamebait)

    by Bearhouse ( 1034238 )

    Can someone please explain why, when I submitted this story yesterday, it was flagged as spam?

    http://slashdot.org/submission/2344885/credit-card-has-display-acts-as-security-token [slashdot.org]

  • by Aphrika ( 756248 ) on Friday November 09, 2012 @06:48AM (#41930555)
    ...all the rage it was. I could do maths and stuff on it and everything. Fitted in my wallet and was credit card sized and 1mm thick...

    So why the big fanfare about sticking electronics in a card again, 30 years later?
    • Because some people still think digital displays are a pretty neat idea.

    • I'm not sure about the one in TFA, but one of the big differences in the prototype that I saw was that it used eInk instead of a traditional LCD for the display. This means that the battery life is a whole lot better. That, combined with improvements in battery technology means that it's possible to create one that will last for longer than the lifetime of a credit card and be able to create cryptographic tokens for this entire time. Oh, and I think you're misremembering the thickness of the 'credit card
  • > Let's hope they've put more thought into the implementation than with chip and pin

    The card displayed in TFA has a 'chip', and is presumably compatible with chip and pin systems.

    As far as I understand it, this is simply trying to integrate an authentication device [wikipedia.org] into the card itself, not replace the current card system.

    • by Hrrrg ( 565259 )
      This is slightly offtopic, but I want to promote the use of two-factor authentication. I just ordered a Yubikey for $25. It reportedly is supported by gmail, fastmail, lastpass among others: http://www.yubico.com/ [yubico.com]
  • by Anonymous Coward
    Thanks to XKCD, this appears to have awesome security features.
  • by Lumpy ( 12016 ) on Friday November 09, 2012 @08:17AM (#41930963) Homepage

    Show me how durable that thing is by putting it in an overstuffed wallet that is then used by a construction worker who bends over and plops down 90 times a day.

    I remember the SecurID credit cards. I had to replace them 3 times a year from cracked LCD screens or cracked boards.

  • SmartDisplayer (Score:3, Informative)

    by cocotoni ( 594328 ) on Friday November 09, 2012 @08:32AM (#41931045)

    Basically we have "news" of a product by SmartDisplayer [smartdisplayer.com.tw], that they have been producing for the last 7 years, already implemented by some 30 banks, used by Visa in some markets, which I have been using with the in-house TOATH authentication systems for the last four years. So where's the news? Slow news day?

  • Why choose LCD over e-ink?

  • I thought it was pretty cool, for a gadget, I'm curious to see just how useful it really is. http://slashdot.org/submission/2345093/mastercards-get-a-facelift [slashdot.org]
  • can be found here http://www.rpn-calc.ch/ [rpn-calc.ch]

    Fully functional HP-15C clone - updatable firmware!

  • I'm not too worried about online. It seems to me that this technology would be far more useful for securing face-to-face transactions. Every time you hand your card over to a cashier or a waiter, you give them nearly unrestricted access to your account. If you just gave them a one-time password, that would be a huge increase in security.

  • MasterCard were demo'ing this in the late 1980s under the name "Super Smart Card". The only difference was that back then the cards were gold-coloured, not silver as in the BBC photo. Since then this has been retried a number of times by different manufacturers, failing each time. So I wouldn't hold out much hope for this one succeeding. OTOH wait a few years and there'll be another press release from another vendor about it.
