Wear and tear
Knicked the card, examine the keypad on the back, the worn out pads reveal the PIN!
Couldn't be that easy could it?
Visa has introduced a computerised credit card which it hopes will help banks battle fraud. The innovation could force other card issuers and banks to implement similar technology, one data protection expert has said. Four banks have agreed to trial Visa's card, which generates a unique, one-use code to verify each transaction …
This post has been deleted by its author
I've often wondered why SecureID technology hasn't been adopted by banks. The cards are replaced regilarly anyway and I'm sure the technology could be fitted into a card at little extra cost (I'd be happy to pay for the priviledge)
My only slight concern with this system would be that repeated use of the card might make it obvious after a while which 4 numbers are in the user's PIN as they could become worn with frequent use.
Worn keys: if you, once you've finished a transaction, just press each of the numbers that isn't in your PIN (or even just each of the numbers, probably) wear will be similar across the whole pad.
So for just a few moments and a little application, this attack vector can be nullified.
I do this frequently for my office door, the code for which I can never remember. The best thing about most common mechanical door / pin entry systems you see is that they don't even care what order the numbers are entered.
I do not doubt for a moment that they could be that stupid. The one I got from NatWest works in exactly this way.
Assumed workings:
Take card number, PIN number and timestamp (or for devices lacking a RTC, like a creditcard, something reproducable on both ends like a transaction counter) add some padding (for added complexity) and encrypt this using a predefined cypher to obtain a confirmation code.
The receiving party has a decrypt key and can extract the relevant information before they decide to OK the transaction.
A keypad on the card is more secure than a separate keypad (which could store both the card number and the PIN code), but more vulnerable to wear and tear.
I guess we won't be seeing any more Visa commercials of ladies pulling a creditcard from their bathingsuit to pay with.
This is less of a response to stolen credit cards (usually that's pretty obvious when that has happened) than to online frauds and cloned cards. Having had that happen to me twice, then I am strongly in favour os one time password systems. The current PIN system and online checks are wide open to replay attacks - a one time password system will eliminate those possiblities.
I have to say I think this sounds far more secure than the current VbyV scheme, so a step in the right direction.
I think a LOT will depend on how secure the one-use numbers will be. If, for example it's solely time-based then anyone who works out the generation method and gets a few of your number could probably predict future ones with ever higher chances of success for each number captured.
I don't see that it can be a one-time pad idea when A) the card could run out of numbers to use (OK, this is avoidable with a Meg or so of memory for the lifetime of a card but that might hit the production cost) and B) if you generate a code but never use it, the card would be out of synch with the Visa database - and I wouldn't want it to bhe fuzzy on which code to expect.
It will be interesting to know what bettery life is expected to be and how durable the cards will be. I suppose it might be possible to recharge cards whilst in a cashpoint through some form of induction?
Seeing as the thing has a keypad already, i would think it a good idea to use a challenge-response type system, where the website gives you a transaction number, you enter it and get a response back. one thats unique to you and that transaction. this removes the time element, ties it to a specific transaction (so a man in the middle couldnt use it against a different one) and also gives more even wear to the keypad. but then again i guess they dont trust the average user to be able to type more than a 4 digit pin accurately.
I think these people thinking of "one-time use" codes are a bit off the mark. In theory, it sounds good. In reality, not so much. Many remote transactions are one-time transactions, true. But many are not. For example, let's say you've decided to purchase three movies from amazon, and you use your new Visa with it's one-time code. Amazon ships out two of the movies, but the third one is backordered. They receive shipment the following day, but when they try to authorize payment, your bank will reject it because the one-use code has already been used.
I (unfortunately) use a Citi (CitiGroup/Citibank) credit card, and they have a "Virtual Account Number" program which you can use to generate a new credit card number for each transaction. The benefit of this system over Visa's one-use system is that with Citi's VAN, you can use that generated number any number of times at the same store. So I can generate a new number, set it with a $500 limit, set it to expire in 6 months, and use it at Amazon. I can keep using it at Amazon until the limit is reached or the time expires (both the limit and expiration can be extended at any time before the expiration). Once an authorization is attempted, it will not accept authorizations from other stores (so I couldn't use it at both Amazon and Barnes & Noble). While this will not have the same level of security, it's most likely a good enough solution without causing massive inconvenience and expense (expense of vendors having to upgrade their systems, and expense of banks having to issue new cards). MBNA also had this same technology (even using the same downloadable app), though they used a different name for it, before they were bought out by Bank of America.
This post has been deleted by its author
>"If pins are 4 digits long and 4 keys are worn the most, then the number of combinations for that 4 digit pin is 4 factorial:"
OK, but you are allowed to have repeated digits in your PIN, so the number of combinations is actually 4 to the power of 4, albeit that with some of those combinations only 1, 2 or 3 keys are "worn the most".
in principle using a password to protect online transactions is an OK idea. with a bit of education along the lines of 'don't use your pet's name, your childrens' names of your DOB' most of us can manage to generate a suitably complex word or phrase that is unlikely to be guessable by a third party.
the problem lies with websites which try to steer you in the right direction by laying down a list of preconditions as to what is and is not acceptable as a password, such as insisting on a certain number of letters, or requiring that [as a site i was on recently did] 'your password must be at least eight letters, must contain 3 numerals and must be in mixed lower and upper case'. it's in those circumstances - where people are being forced to change the password they originally had in mind in order to make it fit the requirements of a particular website - that they resort to writing it down, so they don't forget it themselves - which kind of defeats the purpose of having the supposedly more secure password in the first place!
Most mobile phones allow you to lock them with a PIN between 4 and 8 digits long. How about banks also introducing the concept of variable length PINs?
OK, so replacing all the Chip'n'Pin pads might be a logistical challenge, but Tesco appear to have already replaced all theirs since introduction (used to be a black top-entry, now it's a grey bottom-entry).
Oh, and for a 4 digit pin that uses three numbers, that's 18 possible combinations (3^3).
2 numbers, each repeated twice = 6 (not terribly secure...)
2 numbers, 1 repeated thrice = 4 permutations (someone will have been daft enough...)
1 number, repeated 4 times = 1 permutation (wouldn't surprise me...)
Of course, one way to handle possible wear would be to replace cards, not on the basis of time, but on the basis of number of transactions. Someone who rarely uses their card online could have the standard 2 year timescale, whereas someone addicted to buying stuff online could have it replaced more often.
"the problem lies with websites which try to steer you in the right direction by laying down a list of preconditions as to what is and is not acceptable as a password, such as insisting on a certain number of letters..."
Exactly. While I do remember a lot of passwords for my own system and for my clients' systems, I also find it extremely difficult to remember a completely random password. And a completely random password is not more secure than a correct password (in fact, I'd say they're less secure). Allow the user to select a suitably long password without any other restrictions, and it'll be far more secure (as long as the users actually use an easy-to-remember but hard-to-guess phrase).
For example, which is more secure -- "Abcd123!", "a7bF23jZ", "rustic-albino-black-moon", or "I can't think of a password today, so I guess this will have to suffice"? The more conditions you force upon the user, the shorter they will make the password so they don't spend all day typing it in and so that they can remember it more easily (for those times when they misplace the paper they wrote it on). Compare that with long strings which they can remember much more easily. Along with the typical conditions (requiring a certain number of numerals, requiring upper and lowercase, etc), the one thing that I personally think is the most self-defeating is when these idiotic sites have a maximum password length. Since these sites *should* be storing password hashes, not the actual passwords (there's literally no reason for anybody to see your password), a maximum length shouldn't be a problem. For people thinking about hash collisions, that should be avoidable by saving and comparing the hashes of multiple algorithms. I'd say it's extremely unlikely (if it's even possible) to create a string that will cause a collision in both MD5 and SHA1.
I've actually seen sites (which like to call themselves "high-security") that require at least two numerals, require upper and lowercase characters, require special characters (punctuation, etc), and have a minimum password length of 8 characters... and then have a maximum password length of 12 characters. Then again, these are also the same kinds of sites that think they're increasing security by having additional "security questions" whose (true) answers are easily discovered or are a matter of public record. For those, I'll just use completely random answers or satirical answers that won't be easily guessed (Q: "In what city were you born?", A: "Insecure insanityville").