New For Your Wallet, Secure Credit Cards With Displays and a Button
May 03, Electronic Devices
Two security firms have crafted a fully-functional credit card with a tiny monitor and button that will issue one-time passwords. But whether any banks will offer the expensive formfactor is another question.
The firms -- Verisign and Innovative Card Technologies (ICT) -- announced Tuesday that they are jointly trying to sell this concept to various credit-card (and debit card) issuers, with per-card prices ranging from $10 to $30, depending on volume purchased. That compares with a traditional card that costs less than a dollar and sometimes far less than a dollar. Verisign VP Fran Rosch guessed that major banks would likely pay "in the teens" for the new formfactor, given the volumes they would likely be using.
The concept of the card is powerful and timely, as retailers are desperately trying to improve POS security, especially for E-Commerce transactions. With thefts of credit-card identifying data growing rampant, the idea of an authentication code that in theory couldn't possibly be stolen from some retailer's database is quite compelling.
"Personally, I think this form factor makes tremendous sense," said Gartner security analyst Avivah Litan. "It's much more convenient for users and it can be used in multiple channels -- point-of-sale, ATM, voice and web. Most of the data stolen from breaches would be rendered useless unless the thief stole the actual card."
Litan said it looked quite likely that banks will end up supporting this approach. "I am fairly certain they'll get one or two top-ten banks to pilot it. And let's be real: considering all the charges consumers get on their credit card or debit card bills, the banks could easily slip in another $10 'security fee' if they believed in the solution. This would be a lot less offensive than their late fees and financing charges."
She also made the case that technology advances, along with more standardization, are needed before such a rollout could be completed. "Work has to be done to upgrade the payment/ATM/VRU and Web systems to accept this form factor and one-time-passwords but those costs are less than the costs of security upgrades today," Litan said. "The banks need to spend more on the cards though so we haven't seen that much momentum from financial institutions and card issuers but it could help solve a lot of security problems out there in the market today."
But that's not necessarily going to happen. Even assuming the extreme lower-end of that price range, the price could easily be far too expensive for the typical large card issuer, said David Robertson, publisher of The Nilson Report, a well-respected research site tracking the payments space.
"The cost is way too high for mass market distribution in the U.S., even at $10," Robertson said. "There are cheaper fraud solutions for online purchases."
The typical card today costs 27 cents to make, compared with the $10-$30 range for the one-time-password-issuing version. Although an oft-quoted figure for credit card cost is $1/card, that includes 73 cents for the customization of the embossed name, the magstripe programming, packaging and distribution, among other things. All of those other charges would still have to happen with the higher-priced secure card, making the true comparison price 27 cents, Robertson said.
With more than 1.2 billion cards in the market today, this could only be "a niche card for people who are doing a lot of online purchasing," he said. But he doesn't see how one could make a business case for it.
"That's a lot of money to spend to push someone who might be a fence-sitter, who might be hesitant to make purchases online. The differential between 27 cents and $10 and you're going to take a reluctant customer and try and push them beyond their insecurity?" Robertson asked. "You're not going to find any major financial issuer in the United States adopting this kind of technology."
Given the fact that consumers have not pulled back from online purchasing even in the wake of TJX and other recent well-publicized large data breaches, Robertson can't see the ROI argument here. "Online sales are increasing and the good guys are able to stay one step ahead of the bad guys at this time," he said. "Fraud is part of the cost of doing business. It's a manageable cost at this time."
Even if the market changes enough to make the price acceptable, there are still technological hurdles that would have to be overcome. "Work has to be done to upgrade the payment/ATM/VRU and Web systems to accept this form factor and one-time-passwords but those costs are less than the costs of security upgrades today," Gartner's Litan said. "The banks need to spend more on the cards though so we haven't seen that much momentum from financial institutions and card issuers but it could help solve a lot of security problems out there in the market today."
Banks would theoretically have several payment options, including passing all of the charges along to the consumer, some of the charges to consumers or absorbing the whole cost and turning it into a marketing advantage for nervous consumers.
Verisign and ICT's statement said the product would "integrate the security of a one-time password token into a card the size of a standard credit or debit card. At the push of a button on the back of the card, an integrated display shows a password that changes with every transaction. During an online transaction, this number is entered into a user interface with other information (such as the user's static PIN and login name) for multifactor authentication."
The credit-card formfactor is the most interesting part of the announcement, but the two companies are also trying to sell their one-time-password-issuing device in other formfactors, primarily pocket-sized standalone security devices. The one-time-password device being tested by EBay's PayPal is one such application from Verisign and ICT.
Verisign's Rosch said many banks are conservative and hesitant about new formfactors. "When they start changing, they're very cautious," which is why the pair are offering a standalone security device in addition to the credit card version.
When asked, Rosch said "we think we'll have 1.5 million out by the end of the year" but then clarified that "a relatively small percentage will be credit cards."
Copyright 2007 by Ziff Davis Media, Distributed by United Press International