This is a nifty little device: a credit card with an onboard one-time password generator. The idea is that the user enters his PIN every time he makes an online purchase, and enters the one-time code on the screen into the webform. The article doesn’t say if the code is time-based or just sequence-based, but in either case the credit card company will be able to verify it remotely.
The idea is that this cuts down on card-not-present credit card fraud.
The efficacy of this countermeasure depends a lot on how much these new credit cards cost versus the amount of this type of fraud that happens, but in general it seems like a really good idea. Certainly better than that three-digit code printed on the back of cards these days.
According to the article, Visa will be testing this card in 2009 in the UK.
EDITED TO ADD (12/6): Several commenters point out that banks in the Netherlands have had a similar system for years.
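The post leaves open whether the card's code is sequence-based or time-based. The following added example (not from the article or from Visa) sketches how an issuer could verify either kind remotely using standard HOTP/TOTP construction, including the resynchronisation window a sequence-based card needs and the replay check both need. The secret, timestamp and counters are constructed values.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # length of the code shown on the card's screen
STEP = 30    # seconds per time step for a time-based card

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // STEP)

class CardVerifier:
    """Issuer-side state for one card: the shared secret plus the last counter or
    time step already accepted, so a code that was seen once is never accepted again."""

    def __init__(self, secret: bytes, look_ahead: int = 10, skew: int = 1):
        self.secret = secret
        self.look_ahead = look_ahead  # presses the user may have made without submitting
        self.skew = skew              # tolerated clock drift, in STEP-sized steps
        self.last_counter = 0         # sequence-based card
        self.last_step = 0            # time-based card

    def verify_sequence(self, code: str) -> bool:
        # Sequence-based card: search a window beyond the last accepted counter, so codes
        # generated but never submitted do not desynchronise the card from the issuer.
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # older or equal counters are now rejected
                return True
        return False

    def verify_time(self, code: str, now: int) -> bool:
        # Time-based card: accept the current step +/- skew, but only a step later than the
        # last one used, so the same code cannot be replayed during its 30-second lifetime.
        current = now // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step > self.last_step and hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```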
Posted on December 4, 2008 at 6:17 AM
Israel is implementing an IFF (identification, friend or foe) system for commercial aircraft, designed to differentiate legitimate planes from terrorist-controlled planes.
The news article implies that it’s a basic challenge-and-response system. Ground control issues some kind of alphanumeric challenge to the plane. The pilot types the challenge into some hand-held computer device, and reads back the reply. Authentication is achieved by 1) physical possession of the device, and 2) typing a legitimate PIN into the device to activate it.
The article talks about a distress mode, where the pilot signals that a terrorist is holding a gun to his head. Likely, that’s done by typing a special distress PIN into the device, and reading back whatever the screen displays.
The military has had this sort of system — first paper-based, and eventually computer-based — for decades. The critical issue with using this on commercial aircraft is how to deal with user error. The system has to be easy enough to use, and the parts hard enough to lose, that there won’t be a lot of false alarms.
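An added model of the scheme the article implies, not Israel's actual system: a hand-held responder that only answers after a valid PIN, a distress PIN that silently selects a second key, and a ground station that computes both expected replies and classifies what it hears. Keys, PINs, tail number and the plain-text PIN table are constructed simplifications.

```python
import base64
import hashlib
import hmac

def reply(key: bytes, challenge: str) -> str:
    """8-character base32 reply, short enough for a pilot to read back over the radio."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac)[:8].decode()

class CockpitDevice:
    """Possession + PIN: the device holds two keys but answers nothing until activated.
    The distress PIN picks the second key, so the reply still looks valid to a hijacker."""

    MAX_ATTEMPTS = 3   # assumed lockout threshold, to limit guessing on a stolen unit

    def __init__(self, normal_pin, distress_pin, normal_key, distress_key):
        self._pins = {normal_pin: normal_key, distress_pin: distress_key}  # simplification
        self._failures = 0
        self._active_key = None

    def activate(self, pin: str) -> bool:
        if self._failures >= self.MAX_ATTEMPTS:
            return False                       # locked out: possession alone is not enough
        key = self._pins.get(pin)
        if key is None:
            self._failures += 1
            return False
        self._failures = 0
        self._active_key = key
        return True

    def respond(self, challenge: str) -> str:
        if self._active_key is None:
            raise PermissionError("device not activated")
        return reply(self._active_key, challenge)

class GroundStation:
    """Holds both keys per tail number and classifies each read-back reply."""

    def __init__(self):
        self._keys = {}   # tail number -> (normal_key, distress_key)

    def register(self, tail: str, normal_key: bytes, distress_key: bytes) -> None:
        self._keys[tail] = (normal_key, distress_key)

    def check(self, tail: str, challenge: str, heard: str) -> str:
        normal_key, distress_key = self._keys[tail]
        if hmac.compare_digest(reply(normal_key, challenge), heard):
            return "authentic"
        if hmac.compare_digest(reply(distress_key, challenge), heard):
            return "authentic-distress"     # valid reply, but the pilot signalled duress
        return "reject"
```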
Posted on March 10, 2008 at 12:24 PM
A 2003 “Camp Delta Standard Operating Procedures” manual has been leaked to the Internet. This is the same manual that the ACLU has unsuccessfully sued the government to get a copy of. Others can debate the legality of some of the procedures; I’m interested in comments about the security.
See, for example, this quote on page 27.3:
(b) Upon arrival will enter the gate by entering the number (1998) in the combination lock
(c) Proceed to the junction box with the number (7012-83) Breaker Box and open the box. The number for the lock on the breaker box is (224).
Posted on November 20, 2007 at 6:49 AM
Clever idea. Only five buttons, a maximum of ten digits for the PIN, and almost certainly a gazillion ways to get around the padlock function once you pry the case open — but definitely on the right track.
Posted on August 27, 2007 at 10:08 AM
In case you were wondering:
Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline.
“Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,” he laughs.
Posted on July 4, 2007 at 8:52 AM
I’m amazed that ATMs still don’t have basic communications security measures. One fraudster inserted a recording device into the ATM’s phone line and recorded customer card numbers and PINs.
Posted on November 20, 2006 at 6:19 AM
Research paper by Omer Berkman and Odelia Moshe Ostrovsky: “The Unbearable Lightness of PIN Cracking”:
Abstract. We describe new attacks on the financial PIN processing API. The attacks apply to switches as well as to verification facilities. The attacks are extremely severe allowing an attacker to expose customer PINs by executing only one or two API calls per exposed PIN. One of the attacks uses only the translate function which is a required function in every switch. The other attacks abuse functions that are used to allow customers to select their PINs online. Some of the attacks can be applied on a switch even though the attacked functions require issuer’s keys which do not exist on a switch. This is particularly disturbing as it was widely believed that functions requiring issuer’s keys cannot do any harm if the respective keys are unavailable.
Basically, the paper describes an inherent flaw with the way ATM PINs are encrypted and transmitted on the international financial networks, making them vulnerable to attack from malicious insiders in a bank.
One of the most disturbing aspects of the attack is that you’re only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank’s ATMs.
The authors tell me that they’ve contacted the major credit card companies and banks with this information, and haven’t received much of a response. They believe it is now time to alert the public.
Posted on November 17, 2006 at 7:31 AM
You can open a door in only 3,129 button presses. On the average, it should take half that. (Article is from 2004.)
Posted on September 27, 2006 at 12:22 PM
O2 is a UK cell phone network. The company gives you the option of setting up a PIN on your phone. The idea is that if someone steals your phone, they can’t make calls. If they type the PIN incorrectly three times, the phone is blocked. To deal with the problems of phone owners mistyping their PIN — or forgetting it — they can contact O2 and get a Personal Unlock Code (PUK). Presumably, the operator goes through some authentication steps to ensure that the person calling is actually the legitimate owner of the phone.
So far, so good.
But O2 has decided to automate the PUK process. Now anyone on the Internet can visit this website, type in a valid mobile telephone number, and get a valid PUK to reset the PIN — without any authentication whatsoever.
EDITED TO ADD (7/4): A representative from O2 sent me the following:
“Yes, it does seem there is a security risk by O2 supplying such a service, but in fact we believe this risk is very small. The risk is when a customer’s phone is lost or stolen. There are two scenarios in that event:
“Scenario 1 – The phone is powered off. A PIN number would be required at next power on. Although the PUK code will indeed allow you to reset the PIN, you need to know the telephone number of the SIM in order to get it – there is no way to determine the telephone number from the SIM or handset itself. Should the telephone number be known, the risk is then the same as scenario 2.
“Scenario 2 – The phone remains powered on: Here, the thief can use the phone in any case without having to acquire PUK.
“In both scenarios we have taken the view that the principal security measure is for the customer to report the loss/theft as quickly as possible, so that we can remotely disable both the SIM and also the handset (so that it cannot be used with any other SIM).”
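An added model of the mechanism in this post, not O2's code: the SIM side (three wrong PINs block the card, the PUK unblocks it and sets a new PIN) and the operator side, contrasting the number-only lookup the post describes with one gated on an owner credential and on the loss report O2's reply relies on. The phone number, PIN, PUK and password are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import hmac

@dataclass
class SimCard:
    """Handset-side lock: three wrong PINs block the SIM until the matching PUK is given."""
    pin: str
    puk: str
    failures: int = 0
    blocked: bool = False

    def enter_pin(self, attempt: str) -> str:
        if self.blocked:
            return "blocked"
        if hmac.compare_digest(self.pin, attempt):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= 3:
            self.blocked = True
            return "blocked"
        return "wrong"

    def unblock(self, puk: str, new_pin: str) -> bool:
        if not hmac.compare_digest(self.puk, puk):
            return False
        self.pin, self.failures, self.blocked = new_pin, 0, False
        return True

@dataclass
class Subscriber:
    puk: str
    account_password: str      # something only the legitimate owner should know
    reported_lost: bool = False

class Operator:
    def __init__(self) -> None:
        self._subs: Dict[str, Subscriber] = {}

    def add(self, msisdn: str, sub: Subscriber) -> None:
        self._subs[msisdn] = sub

    def report_lost(self, msisdn: str) -> None:
        self._subs[msisdn].reported_lost = True   # the control O2's reply depends on

    def puk_as_deployed(self, msisdn: str) -> Optional[str]:
        # The web form in the post: the phone number alone is enough to get the PUK.
        sub = self._subs.get(msisdn)
        return sub.puk if sub else None

    def puk_authenticated(self, msisdn: str, password: str) -> Optional[str]:
        # Proof of ownership plus loss status, so knowing the number yields nothing.
        sub = self._subs.get(msisdn)
        if sub is None or sub.reported_lost:
            return None
        return sub.puk if hmac.compare_digest(sub.account_password, password) else None
```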
Posted on July 3, 2006 at 2:26 PM
We discuss credit card data centers getting hacked; why banks getting hacked doesn’t make mainstream media; reissuing bank cards; how much he makes cashing out bank cards; how banks cover money stolen from credit cards; why companies are not cracking down on credit card crimes; how to prevent credit card theft; ATM scams; being “legit” in the criminal world; how he gets cash out gigs; getting PINs and encoding blank credit cards; how much money he can pull in a day; e-gold; his chances of getting caught; the best day to hit the ATMs; encrypting ICQ messages.
Posted on June 5, 2006 at 6:23 AM