New Credit Cards Show Their Smarts

Today's smaller, slimmer mobile phones look like credit cards -- and in a curious twist, future credit cards could look like mobile phones, with their own displays and keypads. That is, if the cards don't end up merging with mobile phones first. Both possibilities were on show at the Cartes & IDentification show on the outskirts of Paris this week.

A new credit card demonstrated by Visa adds a couple of new security features to the usual tamper-proof signature strip and embedded chip: an eight-digit display and a 12-button keypad. The new features are intended to improve security in online payments.

At the touch of a button, the cardholder can generate a single-use security code to validate an online transaction. They do this by entering the four-digit personal identification number usually used to secure transactions via an ATM, but in this case the PIN never leaves the card, so it can't be intercepted in transit. And because the generated code is single-use, it will not work again even if it is intercepted.

The same card can also verify the identity of an e-commerce Web site before a transaction is made, through a challenge-response mechanism where the user enters a code displayed on the site and the card reports whether it is genuine.

The card's internal battery should last for three years if used for 20 to 30 transactions per week, said company spokesman David Main.

The bank knows a single-use code is valid because the codes form part of a pseudo-random number sequence based on a seed unique to the card and known only to the bank. The bank keeps track of how many codes the card has generated and can predict which one should come next in the series. If the two get out of sync (perhaps because the cardholder generates a few unused codes showing it off to friends) then the bank can "look ahead" to see if the code offered as authentication appears a little later in the same card's sequence, and if so choose to accept it anyway.
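The counter-and-look-ahead scheme described above, as an added example that is not Visa's code: the article does not name the algorithm, so HOTP (RFC 4226) stands in for the pseudo-random sequence, and the window size, class and function names, and seed are assumptions. The PIN check that unlocks the card is left out.

```python
import hashlib
import hmac
import struct

DIGITS = 8       # matches the eight-digit display described in the article
LOOK_AHEAD = 3   # assumed window size; the article gives no figure


def one_time_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Issuer:
    """Bank side: holds each card's seed and the next counter it expects."""
    def __init__(self):
        self.cards = {}

    def enroll(self, card_id: str, seed: bytes) -> None:
        self.cards[card_id] = {"seed": seed, "next": 0}

    def verify(self, card_id: str, code: str) -> bool:
        card = self.cards[card_id]
        for counter in range(card["next"], card["next"] + LOOK_AHEAD + 1):
            expected = one_time_code(card["seed"], counter)
            if hmac.compare_digest(expected, code):
                # Move past the match: this code and any skipped ones are dead.
                card["next"] = counter + 1
                return True
        return False


def demo() -> list:
    seed = b"12345678901234567890"   # constructed seed (RFC 4226 test secret)
    bank = Issuer()
    bank.enroll("card-1", seed)
    presses = (one_time_code(seed, n) for n in range(100))  # the card's sequence
    first = next(presses)
    results = [bank.verify("card-1", first)]        # in sync: accepted
    results.append(bank.verify("card-1", first))    # replayed: rejected
    for _ in range(2):                              # two codes shown off, unused
        next(presses)
    results.append(bank.verify("card-1", next(presses)))  # look-ahead: accepted
    for _ in range(LOOK_AHEAD + 1):                 # drift beyond the window
        next(presses)
    results.append(bank.verify("card-1", next(presses)))  # too far ahead: rejected
    return results
```

A wider window tolerates more idle button presses but gives a guessed code more counters to match against, so the window size is a security parameter rather than a convenience setting.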

To fit all of that -- and a battery with an expected service life of three years -- into a card that's slimmer than many so-called credit-card-sized pocket calculators, something had to go. In this case, it was the embossed number on the front (the stamping process would wreck the battery), so the new cards can't be used anywhere that still makes manual impressions of cards.

Several banks will soon begin testing "Visa Card with one-time code": MBNA in the U.K., Cornèr Bank in Switzerland, Cal in Israel and IW in Italy. Main also named BarclayCard as one of the testers.

Not content with combining cards and security tokens, Visa also wants to turn the "contactless" cards it already issues in some markets into transit passes.

The company's PayWave cards -- and similar cards issued by MasterCard -- incorporate flat antennas that can absorb radio waves transmitted over a short distance from a reader in order to power a tiny chip that authenticates transactions. The same technology is used in London and Paris to replace tickets on public transport systems: Wave a card, and the ticket barrier opens. The difference is that when a ticket barrier beams a message at a PayWave card asking "Are you a valid transit pass?" the answer is going to be "No."

Visa is working with London Transport and with the RATP in Paris to modify their ticket barriers so that this first refusal can be followed by another electronic challenge: "Are you a credit card with the means to pay for this journey?" The company demonstrated a working ticket gate from the Paris Métro that accepted Navigo travel passes and PayWave cards.

London Transport's OysterCard is a stored-value card that travelers must regularly top up with more money. BarclayCard has already conducted trials of a credit card combined with an OysterCard, but the two functions are independent: Cash stored in the OysterCard component can only be spent on transport, and once that's gone, paying for journeys with the credit card requires a visit to a kiosk to top up the OysterCard with more money. Visa's project takes the integration one step further, debiting travel costs directly from the payment card.

The advantage is that, "As a consumer you don't have to top up," said Visa spokesman Kamil Roble.

Japanese commuters can already wave their mobile phones to take the train or to pay for things, but for Europeans such transactions are still a little way off.

However, Visa is studying how to embed the chips used in its credit cards into phones -- and to link those chips to the mobile-phone network and to a secure data store in the phone. That could enable cardholders (or phone subscribers) to make payments directly over the wireless Internet, but, "You could also do peer-to-peer transactions by touching your phone to mine," said company spokesman Omar Rifaat.

One company working on the hardware needed to enable such transactions is STMicroelectronics. It demonstrated a phone from LG Electronics, the KU380-NFC, modified to include a new Near-Field Communications controller chip it has developed. The ST21NFCA acts as a kind of secure router between the phone, its SIM (Subscriber Identity Module) and the NFC antenna. There are a number of NFC-enabled phones already on the market, but STMicro representatives said their chip can make a phone behave as both a token and a reader. They showed how the phone could be used to make a payment -- and also to read information from another card and display it on the screen.
