Forgot your password?
typodupeerror
The Almighty Buck

Amex to deploy Internet card with embedded chip 107

Posted by Hemos
from the i'll-be-like-bloomies dept.
ajlaw writes "American Express with be deploying a new blue card the contains an embedded chip for use when making purchases on the Internet. The card's chip will be used for security in shopping on the Web. The company will distribute free card readers for customers to hook up to their computers. " Wierd-they have no details, but apparently the card swiping is supposed to be more secure then typing it in-but I'm not sure how.
This discussion has been archived. No new comments can be posted.

Amex to deploy Internet card with embedded chip

Comments Filter:
  • So what does the black one do?
  • by jilles (20976) on Friday September 10, 1999 @12:57AM (#1691533) Homepage
    In holland and sweden (where I live now)most bank cards are equiped with embedded chips. One of the applications of it is as an electronic wallet.
    i.e. you go to a bank machine, withdraw some money wich is then put on the chip in the form of credits. Then you go to a shop and pay by sticking the card into a machine that subtracts some credits from the amount on the card. (this is not the same as paying with an ATM card since there's no communication with the bank at the moment you pay) you can also use the card to phone in a telephone cell. In addition to that insurance companies can store some information on the chip as well.

    One of the reasons this has never really worked well in Holland is the fact that there are two groups of banks in holland, each pushing their own smartcard, each requiring a different machine in the shops and each offering slightly different functionality. It took nearly three years for them to figure out the card would never become popular unless they started cooperating (which is what they are doing since a few months).

    As a consumer I think, the chip cards don't really offer much value. The whole concept of taking your card to a machine and adding credit has always seemed a little rediculous to me and I can pay in a shop using my ATM card or my credit card.

    The reason that banks push it anyway is that a chipcard is probably cheaper for the banks: ATM cards require communication to verify whether there's enough money on your account and credit cards require some other administration to be done which makes both of them unsuitable for small purchases (from the banks point of view). What's also nice for banks is the marketing info they can collect from payments done with the chip card.

    This bank seems to be pushing the card for webpayments. Unless they manage to convince all other banks that their particular cardformat should be used for online payment it won't work. The card only works if the ecommerce websites have the software to deal with these cards and I don't see that happen just because one bank is pushing a card.

    A second problem is that you can't just stick the card into your floppy drive: you'll need a cardreader.

    BTW. For the same reason (no standardization) I don't see biometrics becoming popular anytime soon.

    So in order for this to work:
    - banks will have to agree on a cardformat (preferably international)
    - banks will have to provide their clients with cardreaders (also standardized) for free because noone will be interested in buying one
    - there will have to be some added value for the card users (discounts?)
    - there will have to be some added value for ecommerce sites in order to get support for the card there

    Basically this card doesn't fullfill the requirements listed above so its a guaranteed failure.
  • Correction: the Amex "Proton" system is not an electronic cheque system, its an electronic cash system which works in exactly the same way as Mondex.

    Paul.

  • ...will these these readers run on Linux?

    No, but seriously!

    I bet it won't be long before someone takes the reader apart, figures it out, intercepts secure communications from other users (I mean, it might be a card, but unless it's timestamped by an outside authority you can reproduce it all you want) and empty someone else's account before they have time to realise it.

    They're very short on details, and if this thing doesn't use strong encryption to work, it's gonna be crackable, card or no card. Having a reader at home is like having an ATM hooked up while you're able to play with it. What makes ATM secure is that it's physically secure. Not so with a little plastic peripheral.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • I imagine this could work much like SecureID cards work for Citrix. It is the challenge and response method (I think some one else mentions this further up in the thread).

    SecureID cards generate a [pseudo]random number that changes every 60 seconds. This is number in sync with whatever you are trying to get access to. The cards that I have seen have an LCD where you can read off the number and punch it in. This way you must be in posession of the card at the time of the transaction. A card reader would just add a further layer of abstraction.

    As for how the card is kept in sync with the main server, I can only guess. The card likely encrypts the clock time modulo some granularity with a secret key that is stored on the card. The server performs the same encryption using its clock, then applies a skew based on the last time the card successfully authenticated, with a sliding window to allow for greater drift latitude over time. Just a guess, though. :)

    I think that a side affect of this is that the cards must be changed fairly frequently. Or at least more frequently than most people get new credit cards.

  • by Booker (6173) on Friday September 10, 1999 @01:56AM (#1691537) Homepage
    They're made by Security Dynamics. See 'em here [securitydynamics.com]

    Paper on how they work, and how they might be cracked is here [homeport.org]

  • Mail order fraud is more challenging than you describe. Most credit card companies require that products purchased by mail order must be shipped to the billing address for the card. Admittedly, this does not apply to pr0n sites ;-) and other situations where the product need not be shipped. As a result, if I get your card number and expiry, I can buy something and have it shipped to you, I can subscribe to some pay website, or I can try to change your billing information so that I can actually get product shipped to me.

    I would imagine that changing someone's billing address is quite easy... Whenever I've moved, the only authentication they've tried is phone numbers, birthdate, card number, name, old address. Would I do this? No - it leaves a trail pointing at me.
  • Statistically, according to Merchant Service Providers (businesses that set shops up with merchant numbers so that they may run credit cards) and the credit card companies themselves, swiped transactions are less likely to be fraudulent charges as opposed to charges typed in... plus swiping the cards through will allow the merchant to get a lower rate on the transactions... non-swiped transactions cost more than swiped transactions... plus the rate of returns is lower on swiped transactions as well... to me, the real winner with this amex thingee do is the merchant accepting the transaction...

    now... whether or not the card is actually more secure, i would not know... but a lot of times, credit card companies would rather give the image of being secure than actually BEING secure...

    btw - i work for a credit card transaction software company... so i know a little of what i speak... =-P
  • If the customer is stupid enough to compromise their own card, it's all their fault and they deserve to go through the hassle of calling up the credit card company, which actually isn't much of a big deal. It's all natural selection.
  • by Anonymous Coward
    Hello...I'm a credit card issued within the last two years.

    Count how many numbers are on the front of the card...probably it's 16 if it's a MasterCard or VISA...or 15 for American Express...

    Now flip me over and take a look at the signature area of the card. Chances are you will see a series of numbers printed there.

    Count how many numbers are in the signature box. Hey...there's 18 or 19!

    The first 15 or 16 are the credit card number from the front. The remaining two or three are the CVV2 code.

    What is this CVV2 code? It's a PIN number. Just like a PIN number in a debit purchase, the CVV2 code is NEVER echoed anywhere in the transaction record.

    One of the best security systems is "somthing you have, something you know." Lets say you crack some ISPs CC database and steal a whole bunch of credit card info. Well, when you go to purchase something on an Internet site, you are screwed because you don't have the physical card in your hand to get the CVV2 code. On the other hand, let's say you pick someone's pocket and take a physical card complete with CVV2 on the back. Well, when you go to purchase something, you are screwed because you don't know the billing information like address, ZIP, phone, etc.

    As long as customers are aware they should treat the CVV2 code like a PIN code and NEVER give it out to anyone they wouldn't trust with their PIN code, then this system will work.

    Next time some business cries about how much they lose due to credit card theft...tell them it's their own damn fault for not using the tools that are already availabe to them.

    http://secure.logicom.com/cvv2.htm

    - JoeShmoe
  • If you have to ask, you can't afford it.
  • >> ... password is a combination of this randomly generated number (shown on a neat little LED), ...

    Not nitpicking either, just showing :)

    The LED would not be necessary. The less that the user has to do, the more they will like it (Sad but true golden rule of user interface design). In this case, they only need to Swipe the card into aforementioned card readers. The reader would read the "random" pin number from the card, in what I am assuming to be, a method not completely unlike a smart card (some of which are said to have a processing power equivalent to an Apple IIe).

  • Someone moderate Jeremy up please. Good answer.
  • Actually, I did blank out the last five...

    If you can figure what those are, you're in luck!

    Nick.
  • I doubt they actually do this, but one very good way to prevent the above would be to embed the shipping address in the card and then refuse to ship elsewhere.

    Unfortunately, that would probably fail because of "inconvenience", the bane of all security.
  • requires a PC running Windows 95, 98, or NT.

    Nuff said...
  • Outside Uncle Sam country, in the rest of the known universe, they have this funky digital mobile phone technology that actually *works*, and is too secure for the FBI/NSA to like it, which is why most of y'all don't have it (though there are fledgling networks in MA, NY, VA, WA and CA). It goes by the name of GSM.

    Unlike all the US systems (TDMA, CDMA, IS-136), your phone number isn't tied to the handset, it goes to a little 1/2" chip which you put in the handset, called a Subscriber Identity Module (SIM). Apart from the convenience of being able to choose a handset separately from service, this has huge security benefits.

    A curious fact about SIM's is they actually contain not only a private key, but an active CPU and EEPROM. The challenge-response is two way, and they are very difficult to "clone" even WITH physical access to the chip. No-one has *EVER* cloned a GSM SIM using the air interface.

    For the disbelieving, I repeat - no-one has EVER cloned a GSM SIM over the air.

    So, you ask, WTF does this have to do with this Amex chip?

    If Amex have half a brain, they will have adopted this technology - it can be secure even over something insecure like SSL, and could avoid a lot of potential risks in online credit card handling, including replay. Because of the proliferation of GSM, these chips can be mass produced for around $1 each.

    Of course, around here (I now live in the US, for my sins) this probably counts as strong crypto technology and would not be allowed to be exported, for fear the North Koreans might use the smart chips configured in a Beowulf cluster to design the next anti-McCarthy bomb.
  • A couple of thoughts. First, I gotta agree that allowing the more traditional transaction, where the consumer enters in their card number and expiration date is a weak link. All it takes is one transaction, and the potential for an authorized transaction is increased to the level of the old number/date pair. Second, yes I do feel that a reader could advance security, mostly doing things that an average user would consider cumbersome, and in the end not worth the effort. Bidirectional communication would help (multiple layers), but NOTHING is foolproof. If you think it is, you just haven't found the right fool yet. In the end, backwards compatability with existing machines I think will be the biggest whole for this card. Dont lose it in a vegas casino!
  • >>That might be the case for small scale trials, but for real use in a national roll-out the situation would be different. When you put cash onto your Mondex card the bank does not "keep the money", it transfers it onto your card.
    ...
    >>Your objection is akin to saying that if you give the bank five pound coins and get a five pound note, then the bank is keeping your money and giving you a paper token in return.

    (I prefer this way. less HTML typing.)

    (*this).rant(true);

    I don't know much about mondex, but do know of ways to part people of thier money.

    1) Lets say mondex is a company (probably sponsored by a bank). You go with your mondex card, and want to put, say, $100 on it. The company takes your $100, and puts a figure representing $100 on the card. Simple enough.

    Lets say you don't use the card for a week. In that time, the company would probably have put that $100 you paid for a profitable motive (investments as part of the money reserve). Thus, company makes a quick buck from your $100, before you even spend it. The company simply has locked your money away.

    This already exists in real life. Bus passes. Buy 10 and save a couple of bucks on fares. Prepaid cards. Buy a card, and get 10 movie passes for a discount. Reason? The companies *want* your money ahead of time, so they can put it to proper use, while you, the purchaser, gets essentially a contract saying that the company will provide those services *in the future*.

    Then again, lots of people seem to like big tax refunds... even though they're basically saying you overpaid your taxes (thus, the IRS, Revenue Canada, etc get free reign on your money to invest for a little while).

    As for giving the bank 5 pounds (sterling) in coins and getting a 5 pound note, this analogy doesn't work, because you've gotten the same money back, and can use it. It would hold if no one TOOK the 5 pound note except the bank, though, and during which, the 5 pounds the bank has will be used to make a profit from before you decided to cash it in.

    The same reason holds for why most companies wait until the last moment to pay their bills (eg. around the 25th-odd day of the 30 day grace) is to let the money sit and make some profit for the company, rather than give it to the other company to make a profit from.

    Generally, unless it's a great inconvenience, it's probably cheaper to buy the mondex money as and when you need it. I.e., going to buy that $35 book. First stop, load $35 in the card, then pay for the book. Mondex won't make so much money then.

    Personally, the only prepaid cards I have are photocopy cards, which have an average of oh, $.03 on them (not enough for a photocopy). Less money to lose if I lose them, and I've not given the card issuer my money to make money out of.

    Yes. I have a bank account. Yes, the bank makes far more money off my money than I get from the bank in interest. Except, I get paid (however meagre that it is) for that money I lent the bank to use. Ideally, I'd get it in cash, and stuff it under my mattress, but my mattress doesn't make me any money (however pathetically little the bank pays me).

    Moral? Unless you're making some money from it, avoid giving it away to other companies to boost their bottom line.

    (*this).rant(false);
  • 1) Lets say mondex is a company (probably sponsored by a bank). You go with your mondex card, and want to put, say, $100 on it. The company takes your $100, and puts a figure representing $100 on the card. Simple enough.

    Not quite. This ignores where the "figure representing $100" comes from. A central feature of the Mondex scheme is that the bank cannot just create Mondex value out of nowhere. The total amount on all the cards is fixed (modulo accidental losses when someone destroys a card).

    Mondex value would be counted as part of the National cash supply, and regulated in exactly the same way. In order to "mint" new Mondex value the bank (a consortium including HSBC in the case of Mondex) must get permission from the national authority for the relevant currency.

    Lets say you don't use the card for a week. In that time, the company would probably have put that $100 you paid for a profitable motive (investments as part of the money reserve).

    But they also have $100 less Mondex value to do the same thing with. The two things balance. Thats the whole point.

    Bear in mind that the bank has no way of keeping track of how and when I use that $5 on my card, any more than they can if they hand me a newly printed $5 note. This is the advantage of electronic cash schemes such as Mondex: the bits stored on the card are not a key to the bank account where the cash is held, they are the cash itself. If I transfered the $5 to you, and you paid it back into the bank, the bank would have absolutely no way to relate the two transactions.

    Try taking out a $5 note and looking at it (or equivalent if you are outside the US). Its a piece of paper with ink on it. Its value is not in the paper and ink, it is in the knowledge that the US Mint has authorised its creation, and can be trusted to enforce a limited supply in the future. Mondex works in exactly the same way.

    Consider the history of paper money. Originally the US Mint only produced coins, and those coins were "backed" by the precious metal they were made of. In effect the limited supply of the coins was guaranteed by the difficulty of obtaining more metal.

    But coins are difficult to use in large amounts, so banks, as a service to their customers, started taking the coins on deposit and issuing paper notes in return. These notes were similar to today's Bearer Bonds, except that the denominations were smaller. This is where the phrase "I promise to pay the bearer..." comes from. You could give the note to someone as a proxy for the cash, and they could be sure that they could reclaim the cash by taking the note to the bank. As long as the rest of the town trusted the bank you could circulate the note indefinitely and the coins never needed to leave the bank.

    Unfortunately a mixture of poor security, a confusing multiplicity of obscure banknote designs, and occasional bank frauds and failures made this system expensive to run. Governments took over the job of printing bank notes, and bank notes became part of the national currency. Eventually they realised that digging lots of gold out of the ground just to store in vaults as "backing" for paper was a waste of time and they dropped that part of the system.

    Now Mondex comes on to the scene. You can take your paper notes to the bank and get back an equivalent amount on your Mondex card. In effect the card says "I , promise to pay the bearer of this card the sum held in its registers on demand". Note the similarity to the way bank notes originally worked. One way to implement this would indeed be to have the Mondex value backed by physically holding your bank notes and coins in a vault somewhere. But its much simpler for the treasury to just authorise the creation of the Mondex value as part of the national money supply, along with all the bank notes.

    Incidentally, those who think that lumps of metal in a bank vault can magically solve economic ills should consider the stagflation suffered by Spain when it suddenly imported lots of gold from the Americas.

    Paul.

  • by Kaa (21510)
    It's more secure for one reason only--you have to actually physically have the card to order with it.

    Ahem. You mean I have to physically generate the stream of bytes that gets send to the serial port or wherever the card reader gets plugged in?

    I thing the suggestion that this is just a way for people to have/use long passwords/keys in a convenient fashion. You know why PINs have only four numbers (9999 key space!), right? Because the average Joe Schmoe cannot remember more than four numbers.

    Kaa
  • Have a look at http://www.protonworld.com or http://www.proton.be

    It gives all info who/what is behind this initiative.
  • You can find many readers supported at:

    www.linuxnet.com

    I won't be surprised if AmEx reader is already supported. (I'll find out as soon as I get mine.)

    Danny
  • This feature is actually something that the new Sun Ray terminals offer. A lot of people've bashed them for being expensive xterm's that Sun is trying to use to get people to buy more servers (which may or may not be true), but it has a smart-card slot built into the front of it.

    Walk up, pop in your card, and your saved desktop (bookmarks & preferences & environment, oh my!) is readily available to you. On a large campus (educational or otherwise), this seems like a good application.

    My guess is we'll start to see a lot more apps using Smart Cards. I'm sure the wallet people are already designing the uberWallet, for all your smart card needs ;)

    --Mid
  • My roommate works for MCI/Worldcom and he has one of those little buggers on his keychain. In his case the number it generates is used as the password for windows dial up networking. I might just be uninformed here but it seems a little extreme to use something like that for windows DUN. All I know is that the hyper-security of the thing makes his Internet really-really slow. But hey, I've got a cable modem. What do I care?

    Pete
    I'm not a media planner but I play one on TV
  • The article states a person can either enter his card number as usual, or if he wants "extra security" he can swipe it through a reader.

    Because it works with /or without/ the reader, I don't see how this can be any more secure that existing methods, and that's ignoring the issue of /how/ the reader "secures" the transaction.

    Assuming it isn't just a sexy lady in a black box cooing "Your transaction is secure," there has to be some server-end software. Shopping carts will presumably have to receive and process the data.

    How many carts are going to support this new protocol? My (educated) guess is /very few/. Maybe the big guys who can afford to jump on every hype bandwagon the credit card cartel sends thundering by, but not the little guys and the small business merchants they support.

    Am I worried about the little guy? Not really. Wallet software has been notoriously unsuccessful in the e-commerce industry, and I don't see this gizmo faring any better.

    --
  • However, it would be nice if they offered the customers an option that would make it so that their card could only be used if it was swiped (I honestly don't know how they would do this, I'm just hypothesizing).

    I work in the retail EFT industry. Currently, nearly all protocols aimed at retail transactions capture this information ("swiped" vs. "keyed"). Internet based protocols usually don't, as nearly nobody has a card reader by their machine, but one imagines that could be changed fairly quickly.

    Of course, the problem that you are going to have is that someone who knows these protocols could fake it pretty easily.
  • ...one very good way to prevent the above would be to embed the shipping address in the card and then refuse to ship elsewhere.

    Nah. What if you move?
  • One of the reasons that banks love these things (and why consumer acceptence might be slow) is that it passes off much of the liability to the consumer. Because the cash is actually "in" the card, the card becomes identical to cash. If the card is stolen, the card-holder is out of luck. As long as the account data is stored on the physical card, this pretty much has to be the case.

    In contrast, if a debit card or credit card is stolen, the card-holder is typically liable only for $50. (Or $0 if they can show that the retailers using the card did not make an appropriate security effort, which they almost never do. Generally, if the signatures don't match your ID, you aren't out anything.)

    It should be obvious why the banks would love to see everyone walking around with smart cards instead of credit cards. Their own liability goes down. The same goes for retailers. They barely check IDs now, can you imagine how little they'll do it if they have no liability in accepting stolen cards?

    A similar thing happens with those "gift certificate" cards you can get at blockbuster video. These aren't typically smart cards, however, it is interesting that in most cases, name data is not stored either on the card or at the host where the data is kept. The reason for this is deliberate. Companies don't want to deal with lost cards and the like. By refusing to store name data, the card becomes just like cash, and all card security is the consumer's problem.
  • It is more secure because it requires that you actually have the card itself, not just the number on the card.

    The card is described as having an intelligent chip. I presume that means that it isn't a simple swipe, but a negotiation between the card and the authorization agency. Ideally it would additionally require a secret that only the card owner knows.

    Something you know, something you have, and something you are are the canonical authentication mechanisms. Most systems use only one or two of the three since for example retinal scanners are a bit expensive.

    Slashdot only uses the something that you know (your login and password) since the results of compromise are not disastrous, and the difficulty of getting people to properly protect other forms of identity keys is tricky.

  • That's what I mean. We give up security for convenience.

    Personally, I'd take the inconvenience of having to be issued a new card when moving if it meant that the card would be utterly and completely useless if stolen.

    But then, some people complain when the cashier wants to see an ID with a credit card. And then they wonder how the guy who stole their card managed to charge it to the limit without getting caught.
  • All these attempts to make the internet "safe for shopping" and the like are all futile and pathetic. No matter what the security measures, there will _always_ be people who are able to steal tihngs online.

    Everytime that someone accidently gives out their CC info online to a malicious person, it could have been prevented. Instead of creating new security methods to try and make it harder to steal CC info, we should be educating consumers on how to safely shop online. If you follow some simple rules, you will never lose your credt card info to anyone who wasn't supposed to get it. For instance, only make purchases from reputable merchants, only make purchases using ssl, never email CC info....

  • The nice thing is that if you wanted to steal the credit cards information, you couldn't just snag the creditcard number. You would have to know the algorithm for generating these numbers, as well as the pin (which could be snagged from the transmission)! So you would have to watch these purchases over a period of time, and only then would you be able to pretend to be the card owner.

    Acutally, the secureID also requires you to synch the card with the secureId server. Even if you could discover the algorithm, you would need to monitor sufficiently many transactions to ensure that your implementation was reasonably synchronized with the server (or convince the sysadmin to synch your app). See this [vpnsolutions.net] for details from the vendor
  • Card swipping will be more secure for the simple reason that more information will be stored on the chip than the existing card number and expiry combination used the validate a card.

    More data == more secure? Well at least not as easy to defraud. Perhaps.
  • How does this relate to the various Mondex / Electronic Cash projects that are underway?

    The Mondex system, which is in a fairly strong Beta phase in Canada, uses a smart-card chip (you know, the 6-pin ones on phone calling cards) and a bit of encryption to store cash amounts and personal data.

    I wouldn't be surprised if the card readers weren't just readers, but also did some encryption before they spat it out their serial ports to the computer, to the browser, to the server, etc. down the chain.

    Anyone on the inside have any tech details? RFC specs? Anything?

    Even a yearly fee amount or an interest rate amount?

    What would be really cool is a PCMCIA card reader so you could use this in your laptop without lugging something external. I know there are PCMCIA adapters to read standard smartcards...

    mindslip

    P.S. first? (yay.)
  • by sporty (27564)
    Ok, how many people wager that idiots will put their card in a floppy or zip drive when trying to use it?

    On a more serious note, those that are aware that it is possible to copy the contents of this chip (and/or the entire card) might not feel as safe as the uninformed. So it might be a bigger success than the pesimistic existing slashdot'ers may think.

  • avaiable here [americanexpress.com] from American Express web site. Not much, some pretty pictures, some "offers", etc, but it's the "official" home.
  • "Card swipping will be more secure for the simple reason that more information will be stored on the chip..."

    Yes, but that's missing the point. That's like saying "It will be more secure because it's written down and stored in your pocket..."

    How does that create security? If, for instance, there is no encryption or even scrambling going on, it's still sent from the card reader to the serial or keyboard ports... That's how card readers typically work, they spit ascii to their port.

    Not only is that readable, but it's sent straight over a web site, which is also readable, unless you're using HTTPS (then it's only semi-secure... c'mon, 40 bit encryption? Ha!)

    Ah well. Still, I trust web purchases more than I trust the 15 year old with an attitude behind the counter at most CD stores! ;->

    mindslip
  • (Not directly linked from the original news article - irritating)

    http://home4.americanexpress.com/b lue/splash.asp [americanexpress.com]

    Nothing unfortunately in the way of technical information to speak of.

    --
    This isn't the post you're looking for. Move along.
  • In Germany the blue Amex is already marketed for quite some time now. As far as I know, it's some "you're too young/poor/different to qualify for our real green credit card, so we're giving you a blue one instead, so everyone can see, how young/poor/different you are"-thing. No one wants to be seen with one of those.
  • by jabber (13196) on Friday September 10, 1999 @12:22AM (#1691582) Homepage
    The embedded chip in this new card will probably allow it to work a lot like a SecureCard.

    It has a pseudo-random number generator, which essencially functions as an ECB. Your PIN and the ECB value for that moment in time are both required to perform a valid transaction. This way, either just the card (if lost), or just your PIN (if overheard?) are individually useless, since they only work jointly.

    A ChipCard, for online shopping, is probably not a very good application. An ATM card would make more sense, but since Amex has more clout, it's easier for them to introduce the tech.

    Then again, I might be completely wrong, and the chip might simply store data such as encryption certificates, and facilitate another layer of security. This makes much more sense for online transactions.

    Perhaps a built in ROM capable of Diffie-Hellman?? But then why bother to hook it up to a PC, a simple acoustic coupler between the phone and the card would do... Uhoh, starting to think... Should get back to work.
  • by Yarn (75)
    I've had a Mondex card for 3 years now, its my student ID card for my Uni. Originally it was a smartcard which could be charged up (ie, out money on) in any of the university payphones, which was convenient. Now it can be charged in special mondex points around campus, and its also used to register unix passwords and gain access to computer labs.

    Some info here:The University of Exeter Mondex Project [ex.ac.uk]
  • by rde (17364)
    Dissing a new technology before you've the slightest notion how it works is never wise. But neither am I, so here I go.
    Doesn't matter a damn what sort of hardware you've got, you're still sending stuff over the web. Therefore it can be faked. You won't need a reader; you just need to wait for an issue of phrack that contains the spec then you can spoof away.
  • I don't see having more Data on the card will cause an increase in security (tcpdump or similar will still make fraud relativly easy for those who are that way inclined).
    More worryingly, it may make people think their card reader is secure, and so send their credit card details to less secure sites - so this impression of security might actually lead to more fraud. Maybe I'm just paranoid.
    It would be more useful if there was some form of encryption used by the chip; The card could contain a secret key, and encrypt transfers - there would be a database of the corresponding public keys. Unfortunatly, the infrastructure for such a system would be expensive. It might reduce fraud though...
  • by Get Behind the Mule (61986) on Friday September 10, 1999 @12:24AM (#1691586)
    If I've understood it correctly, smart cards at terminals are intended as a medium for storing secret keys. They're not really supposed to be more secure in any cryptographic sense, but they're expected to be more easily understood by naive users. A lot of people don't know what a secret key is and how you're supposed to manage it, and they don't like long, complex passphrases and tend to choose weak ones. But everybody is familiar with a credit card, and everyone knows that you're not supposed to lose one; so the effect in the end is that people will tend to be more conscientious about key management (although they don't realize that that's what they're doing).

    That's the theory, so far as I understand it. Of course, if somebody does swipe your card, they could shop up a department store on the Internet before you get a chance to report the theft. Then again, it's still pretty hard to benefit from a stolen card, because the goods have to be delivered somewhere, so it might be possible to trace the thief by finding out where the stuff gets sent.
  • Total hypothesis here, but it could work similar to my SecureID card. The card has some sort of imbedid processor that does nothing but generate numbers twice a minute. The "randomly" generated numbers are seeded by some other set of numbers known by my dial-in server and my card. Basically what happens is that when I dial in, my password is a combination of this randomly generated number (shown on a neat little LED), and a pin number that I set on the dial-in server. You can't get connected without knowing both the pin, and the number that is currently showing on the LED. If this CreditCard has a similar setup, users would be required to type in their credit card pin, and then swipe the card. If the number sent by the card (generated off of some known seed of course) and the pin don't match what our faithfull credit card company says they should be, then the transaction would be denied.

    The nice thing is that if you wanted to steal the credit cards information, you couldn't just snag the creditcard number. You would have to know the algorithm for generating these numbers, as well as the pin (which could be snagged from the transmission)! So you would have to watch these purchases over a period of time, and only then would you be able to pretend to be the card owner.

  • by IQ (14453)
    I believe it competes directly with Mondex. Check out: Smart Card Solutions [sc-solutions.com]
  • Indeed. Even if the chip on the card added another security level to the transaction things, would not be more secure.

    The card could still be stolen and used by any Joe Fool.

    Now if those readers had an iris-reader on them it could add authentication to the transaction...
  • by Markee (72201) on Friday September 10, 1999 @12:33AM (#1691590)
    While they are at it, they could extend an existing browser to storing the user specific data on the card as well. This way, you could just walk up to any terminal that supports this feature (and remember, they give the card reader away for free), insert your card and off you go surfing with all your bookmarsk, cookies etc. AT&T Labs who developed VNC [att.com] used a technology like that to make your home session appear on any terminal you walk by in their office. Cool.
  • the real question is, does the card reader run linux? :P
  • by Anonymous Coward
    I think you're all missing the point.

    This doesn't store a longer number, it's not doing one-time keys, it's not a SmartCard, it's not going to magically make your order uncrackable by the NSA.

    It's more secure for one reason only--you have to actually physically have the card to order with it. That simple fact alone will tremendously reduce internet fraud.
  • When you type in, your browser does the digital signing and encryption. A chipcard can store your account #, private key, sign and encrypt any data you want by itself. One can crack a computer and replace any software, but IC cards are a lot tougher. They have simpler data interface, and use strong cryptography.
  • I predict they wont be making the specs available to non-corporate people. If you are a hardware-making company they will send the technical details available to you, but if you are "just" an individual trying to see whether you really want to entrust your money to this, good luck getting the information. (I am not saying it is smart to hold back those specs; but many suits, especially in that not-really computer oriented area think so)
  • Actually, it has the potential to solve one problem that I've often noticed about using a credit card over the Internet. In order to order over the Internet, you only have to have 1) the card number, 2) the expiration date, 3) the name on the card. That means I can place an order over the Internet for a card that isn't even mine.

    If AmEx were to require that the card be swiped in order to be used to purchase something over the Internet, this could prevent this type of fraud. According to the article, they aren't doing this, probably because people freak out whenever they can't do something the "old way". So currently, the card doesn't seem to have any secuirity benefits.

    However, it would be nice if they offered the customers an option that would make it so that their card could only be used if it was swiped (I honestly don't know how they would do this, I'm just hypothesizing). I realize that any system that they used to increase secuirity could be cracked. I also realize that any secuirity system can be cracked, the object is to make it more difficult.

    And I don't know how often this particular type of credit card fraud happens, I just know that it should be possible (I haven't tried it). If anyone else has some more information, please share it.
  • Provided that they implement the system correctly, it will be more secure than current credit card systems.

    In a traditional credit card system, all you need to know to make a purchase with the card is the card number and expiry date (and possibly also the name on the card and the address at which it is registered). These are easily visible on the card, and readable from the magnetic strip. They are sent to the merchant whenever you make a credit card transaction of any kind.

    The problem with this is obvious: you do not need the card to be present to make a purchase. Embedding a chip in the card enables us to be a little more clever.

    If AmEx have implemented the scheme sensibly then the chip embedded in the card will be a small microprocessor. It will have some non-volatile memory for key storage, some volatile memory for working storage, and probably some hardware crypto acceleration (because implementing crypto in software on slow microprocessors yields poor performance). The chip will be designed such that it is difficult (i.e. expensive, time-consuming and obvious that it has taken place) to read out the contents of the memory.

    When an online purchase takes place, the details of the purchase (merchant ID, amount of transaction, etc.) will be sent to the customer's computer. To complete the purchase the details must be sent to the card, which will perform some cryptographic operation and return some more data which must be sent back to the merchant. (The precise details will depend on the implementation.) The point of the whole scheme, and the reason that it is more secure, is that the data returned to the merchant depends on key material embedded in the chip.

    It is still possible to attack systems like this, either by exploiting errors in the system design or implementation, or by physically attacking the smartcard. See this widely-cited paper [cam.ac.uk] for more information and references.

  • The only reason financial services firms bring new products or serivces to market. It's NOT to get more customers or expand market share - it's to extort more money from their existing customers and present the illusion that you're locked in to the service provider. Whatever the purported benefits of something like is are, expect to pay more for so called extra security. What happens next is that big online vendors like Amazon will either offer discounts to pay using this service or will attempt to terrify customers that their transactions aren't secure w/o the service. Upon the first advertised breach of the security they will install a new system that requires the smart card and a PIN code thereby rendering the entire system useless, moot and worse off from a security perspective. Also expect the smartcard to interact with your cookies and track everthing you do so that the service provider can whore themselves out and buy and sell your behavior, your indentity like you're a piece of meat. Imagine that your entire payment transaction history for year is stored in a card in your wallet and you lose your wallet is that not a strong enough motivation for someone to devote unlimited resources to figuring out how to break open these things?
  • >AT&T Labs who developed VNC used a technology like that to make your home session appear on any terminal you walk by in their office. Cool.

    nononono!

    AT&T *bought* ORL, the research lab collaboration between Olivetti and Oracle(I believe). VNC was already an extremely mature platform at the time of purchase, thanks to the extraordinary labors of its core programmers. (Heh Wez.)

    I'm tempted to agree with those who worry most about individual credit for projects being supplanted by corporate attention-mongering. Not that AT&T has done anything bad...well, yet.

    AT&T did try to sue to get BSD back, if I remember correctly...

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    Once you pull the pin, Mr. Grenade is no longer your friend.
  • by anticypher (48312) <anticypher.gmail@com> on Friday September 10, 1999 @01:24AM (#1691601) Homepage
    These are one component of the new Secure Electronic Transaction group of protocols to protect financial details while transiting electronic communications facilities. It specs everything starting at the main credit mainframes out to banks, regional centers, and finally out to doing authentication/verification of individual retailer's POS registers. It is so complicated and assembled by a commitee of hostile interests it makes the whole TCP/IP suite look like childs play. People are making entire careers specialising in SET integration (second only to SAP/PeopleSoft programmers in europe for excessive salaries, ~350K GBP/year for one year's experience, ~500K for a project lead)

    Similar chip cards have been used widely in Europe for years, and the French, Belgian, and German banking systems use them almost exclusively. In Holland they have an NVRAM/crypto function and you can load the card with some credit and use it at merchants without having to verify every transaction.

    The chip (in the french Carte Bleu system) is an 8-bit processor with enough power to provide a challenge-handshake for a secret shared key, and the agreed upon result is used to encypher the additional details of the card. The machine reading the card then uses that coupled with the PIN the user types in to further encypher the communications back to a regional control center, providing a second level of authentication. The crypto used is not difficult to crack or spoof, but just by raising the bar a little has dramatically reduced fraud from the old system which was just like the american system of today.

    I'm glad to see Amex doing this. I think they announced this system about 2 years ago, and its been an oft delayed vapor promise since.

    If you read the small print on the bottom of the page, they guarantee you against all fraud when you use this system. There isn't even a $50 deductible for each fraud. That in itself is pretty amazing.

    Its obvious this is only for win95/98/NT4, since there is some software you have to load on your computer which is always running and will ask for your PIN when you insert the card. And the software somehow stores some "electronic cash" in your "wallet" on your system, and only uses the card and PIN to unlock it.

    Hmmm, I have an idea that anyone smart enough to crack the system is not stupid enough to bring the wrath of the law on their heads by actually spoofing a transaction (unless it was their own). But I can see a day soon when someone releases a script-kiddie and howto package and suddenly the system gets taken offline for a few months of "maintenance" after a passing lightning storm :-)

    But if it increases security even a little bit, then its a good thing. I just hope slashdotters remember there is no such thing as perfect security, just continuing improvements.

    the AC
  • Disclaimer: Although I work for one of the biggest smart card makers in the world and the inventor of Java Card (Java on smart card [slb.com]), as far as I know AmEx is not using our cards.

    As for Blue, Frost and Sullivan's analysis [cnbc.com] is a good place to start. Personally, I think it is a good thing: get consumers used to idea of smart cards and making everything free at first really helps. And if they use Java Card based smart card, they'll be able to roll out new features in the future. Besides, free card, free reader and 0% APR are hard to beat (unless they start cutting checks, I guess). At least I've applied for the Blue card.

    Linux support probably can be found at: http://www.linuxnet.com/ [linuxnet.com] (I say probably because AmEX is highly likely to use one of the well known readers, much of them supported by MUSCLE project)

    As for security: much of the first 40 posting I've read are either wrong or misinformed. I'd recommed that you read some smart card introduction before posting here:

    Smart card industry association: http://www.scia.org/ [scia.org]

    Smart card forum: http://www.smartcrd.com/ [smartcrd.com]

    Java Card (but lots of general smart card info) http://members.xoom.com/javacard/ [xoom.com]

    -----
    More misc.: AmEx are working on a web page: www.blueamex.com [blueamex.com] (www.blueamex.net, too)

    Danny (shameless ad: Java Card was invented here: www.cyberflex.slb.com [slb.com])
  • Yes, but that's missing the point. That's like saying "It will be more secure because it's written down and stored in your pocket..."

    That's missing the point. You see by swiping the card you prove that the card was present. It's easy to have it so it knows the difference between the swipe and entry. That's part of why you swipe the card in retail. It proves card was present. That at least stop people who collect just numbers.

    Plus it cuts down on entry erros probably.

  • If they do it correctly, a card with a chip embedded can be a lot more secure than either a manual password or even a SecurId card.

    Using zero knowledge proofs and bidirectional communications, the remote server can establish to an arbitrary degree of certainty whether the person at the computer is in posession of the card holding the chip. Even if the line is completely unencrypted and open, nobody else can impersonate the holder of the card, no matter how much they listen.

    Of course, whether AMEX is doing this right or doing something lame remains to be seen.

  • You're assuming that anyone with the 16 digits can use the account. With smart cards this isn't necessarily true. Read some of the other comments - even with something as simple as a shared block of secret data, you can perform a challenge/response which can be used over an insecure channel and yet can't be exploited by a malicious eavesdropper.

    Public key crypto is even easier to use - write out the transaction information and sign it. It doesn't matter who sees the information. They can't duplicate the signature so they can't make their own transactions.

    We shouldn't just be educating people about how to use credit cards. We should be replacing them with more secure tokens which are harder for an ignorant user to compromise.
  • The signatures in this case are merely meant as an identification. Meaning it just says 'it is truly me'. I agree with you that it does not solve the problem of the amount of money you transfer.
    That would mean you need to create a trusted path. What you might do is:

    Step 1:
    The merchant wants to do a transaction with you. It tells a local web browser plug in (or whatever), please contact Amex, with my transaction ID and authorise US$50.
    Step 2:
    The local machine/plug in contacts the Amex server (using ssl?!?), with the transaction ID, 'please authorise US$50 for merchant ID#xxx.
    Step 3:
    Amex sends you a random number, that the chip on the credit card has to sign. You send that back.

    Now it can go two ways:
    A:
    Step 4:
    Amex sends you an digitaly-signed (this would then be an secure channel) payment authorisation.
    Step 5:
    You send this package over to the merchant.
    Step 6:
    The merchant verifies with its own 'secure' way that the authorisation is valid.

    or B:
    step 4:
    Amex contacts the merchant with the authorisation over a secure channel.
    step 5:
    Merchant 'pushes' over the open HTTP connection the end result.

    Final step:
    Purchase has been completed.

  • Disclaimer: I work for a company which makes smart cards NOT based on Java. :-)

    ...if they use a Java Card based smart card, they'll be able to roll out new features in the future.

    I must defend other cards here... LOTS of non Java Card smart cards are capable of being loaded with new applications after distribution. Any card with a reasonable processor and a reasonably flexible OS should be capable of supporting future feature additions.

  • Swiping the card is cool because it requires that you have the card, not just the number. I think it would only be worth it online if shops would say "We're only going to accept SmartCard transactions" so they could make sure you are who you say you are, or at least you have the credit card of the person you say you are. That would require mass acceptance of those cards though, which won't happen for awhile. Maybe if all the credit companies get on the SmartCard bandwagon as a way to increase security. Good possibilities here I think.
  • Because the cash is actually "in" the card, the card becomes identical to cash. And for the same reason, since the cash is no longer "in" the bank account, the banks don't have to pay interest on it. If many people used smartcards instead of ATM cards, this would save the banks a lot of money.
  • I don't think the guys over at CNET mean 'swipe' as in magentic strip, but more like 'insert your chipcard'.

    Chip cards are far more usefull, as the embedded chip might be able to do (3)DES, Public-key-signatures or more advanced stuff.

    For example, the american express computer might issue a number that then gets encrypted/signed by the card, send back the result et-voila, Amex now knows for sure it's your personal card.

  • This url might be pertinent www.ibutton.com
  • Well, if the chip contains more info than is printed on the card, it is less likely that someone will say, "But I didn't buy that!!" The extra info transmitted will show that that exact card was used. If they still have the card, bingo, they used it.

    I had a website ask for my 'security' number on my credit card once, explaining that there are an additional 3 digits printed on the signature strip of my card. I looked, and sure enough, there they were. If you look at the microsoft licence keys you have to type in for windows, the win98 is HUGE! I imagine as people ask for more secure credit cards, cc companies will change to using more info to verify that someone is using a good card. An automated process of entering a large amount of info is needed (like the bar codes for ms keys).

    -Adam
  • by Simon Tatham (66941) on Friday September 10, 1999 @12:37AM (#1691617) Homepage

    It doesn't seem to me that it's difficult to see why this is more secure than the current scheme.

    Your average credit card is insecure because an eavesdropper has got all the information they need to fake further transactions. With this system, one imagines that what would happen is that the transaction site sends you a challenge (e.g. a bit string) and the card swiper responds by preparing a response (e.g. encrypting the bit string using a private key stored on the card). By embedding a time stamp or unique identifier in the challenge, you ensure that an eavesdropper can't fake a transaction because they aren't allowed to use the same challenge/response pair and aren't able to manufacture the response to a new challenge to create a different one.

    Better still, you can embed the amount of the transaction in the challenge too, and then the transaction site itself can't try to claim you authorised more money than you actually did.

    This has been done before; I knew somebody once who worked for a company with a severely paranoid firewall. He could connect into the inside of the firewall from the outside, but only by using a little hand-held special crypto device. He'd telnet to the firewall machine, which would give him back a bunch of digits and he'd punch them into the device. The device would supply a response string of digits, which he typed back into the firewall and then it let him through.

  • Clearly, AMEX is good at Public relations, but what is new here? It seems to me that this card is just a basic smartcard, like they have been used, for example in France, for many years. This card shouuld be able to store some data and perform computations. Smartcards for crypto tend to have a regular chip and another one dedicated to specific task (like modular exponentiation), so they can perform complex operations such as digital signatures. Hence, one possible use, (which by the way), as already been started by VISA, is to plug a little reader in your computer, then when a query for paiement is made, the reader displays it, you are then asked to type your pin, which unlocks your private key, with which you can actually _sign_ the paiement. And no more credit card fraud.. Cool, isn't it :)
  • I reckon the AMEX engineers said "we'll implement a 'numberless' card that'll work a bit like GSM authorisation - there will be a secret number on the chip that gets hashed with a random number sent out from the transaction server, which compares it with the same hash sent from the AMEX mega-secure servers. There'll be no way to read the secret number from the card or the mega-secure servers, and you'll need to snoop six gazillion transactions to work it out."

    Management said "It's an AMEX card. Put a number on it."

    :-)
  • There's a little bit of information a bit deeper in:

    about the chip-reader [americanexpress.com]
    about the "wallet" [americanexpress.com]

    Just to save people some time hunting...

  • At times like this I have to ask myself: Just what does security mean to people when the average end-user seems to choose passwords such as the name of their husband, wife, child, or favorite pet? Talk about some "strong encryption".

  • All of these options would presumably require the web site to support the system. The chances are that for a significant period of time most would not. Or of course it might never take off and they never will.

    This means that the user will still be sending credit card details by the old 'insecure' method for at least some purchases, or at least it will not be unusual for a single account to regularly use both methods. Also the old method is open to the simple attack of jotting down the details of the card having merely seen it.

    Would it not make sense for a user to choose to only allow transactions on the account using the new secure method. Surely if this isn't possible, much of the security is made irrelevant.

  • SecurID cards have little lcd screens. Led would probably use too much power. These cards usually run for 3 years, then the battery runs out. If I've been informed correctly (not bloody likely with the &*(*& we buy them from) the battery cannot be replaced so you need a new card after the battery runs out.
    There are two varieties of this card, one where you type your pin on the SecurID card (the pin will be verified by the card), and one where you combine your pin or password with the code generated by the card (pin will be verified by whatever security system on the server side (radius is what we use)).

    I would think the first option would be safer (inputting the pin on the card)

    (Not nitpicking, just trying to clarify the comment)

    Message on our company Intranet:
    "You have a sticker in your private area"
  • You take money out of your account and put it on the card. You no longer earn interest on that money. You don;t spend it for a week, and the bank pockets the cash! Multiply this by the ~20000 students and hey, thats a tidy profit.

    True, but do you really worry about the interest you make in your *checking* account? Even in Scotland, if memory serves, the interest on these types of accounts is so negligible that it barely covers account maintennance fees.

    As for the new cards, I'd have to say that if implemented correctly, this could take a big chunk out of credit card fraud. Adding even a simple digital signature routine to CC transactions will make fraud and/or forgery that much more difficult to pursue.

    ----
    Dave
    All hail Discordia!
  • See my comment above/below for details... Danny
  • That might be the case for small scale trials, but for real use in a national roll-out the situation would be different. When you put cash onto your Mondex card the bank does not "keep the money", it transfers it onto your card.

    The Amex system seems to be an "electronic cheque" system: your card creates a signed docucument instructing Amex to transfer money from your account to the person you are paying.

    Mondex, in contrast, is an electronic cash system. The total value in all Mondex chips in circulation (including those held by the bank) is kept constant. When you move money from one chip to another the system is designed so that one chip has to be debited before the other can be credited. The system is enforced by digital signatures and certificates signed by the bank: in order to persuade a Mondex card that it can accept money from you, you have to produce a digital certificate signed by its issuing bank.

    Your objection is akin to saying that if you give the bank five pound coins and get a five pound note, then the bank is keeping your money and giving you a paper token in return.

    Paul

  • no matter what data is on the chip, if it's done on http (not https) or I crack the encryption on the https, I still have the original data, and it's not too far to resend that exact same info to another site. Of course, then there's an electronic record of where the goods went, so they can know at least geographically close to where I operate from, even if I use a PO box. This different info cannot be used in a store (given that the chip contains different info than on the face of the card, if it doesn't, then it's just plain a stupid idea), so it's that much more secure. But if there is different info on the chip, do e-commerce sites need to change the way they operate to incorporate this? If they do, then AmEx is being foolish not to have involved everyone else because soon everyone will have their own way of doing it.
  • Actually the Dutch cards are very different. Chipper or Chipknip cards, as they're called, are the electronic equivalent of cash. When you charge them, money is taken from your account, and put on the card. The only security in this card is designed to stop you from charging it yourself, which would be the same as printing your own money.
    It was created to eleminate the high transaction costs of "traditional" ATM payment where a connection with the bank would need to be established to authorize a transaction. The cards in this story are more "traditional" cards, just used to authorize transactions, not to actually "contain" money.

    Message on our company Intranet:
    "You have a sticker in your private area"
  • We have this at our Uni [ed.ac.uk] too, but it is a subtle rip-off. Not only can you only use the "cash" in very select places but the bank running the scheme [ed.ac.uk] (the Bank of Scotland [bankofscotland.co.uk]) makes a fortune. It does this in a way which most people don't notice. You take money out of your account and put it on the card. You no longer earn interest on that money. You don;t spend it for a week, and the bank pockets the cash! Multiply this by the ~20000 students and hey, thats a tidy profit.

  • I think you're missing the point.

    If the system is not cryptographically secure, you can still copy the card, you can still use man-in-the middle attacks, there are all sorts of things you can do.

    What if some sad little program like happy99 was designed to double-swipe your card? We don't know if that kind of attack or others are possible. Unless they say exactly how the system works, it is best to assume that it is not secure.

  • This is not the first American Express smartcard, I don't think.

    There is the so-called Charter Card, which is black, and comes with a pocket smartcard reader which is designed to access some of the data stored on the smartcard chip - details of foreign exchange rates, cardmember discounts, insurance, benefits and so on.

    Just in case any of you think that I'm making this up, I happen to have a photo of one right here.

    American Express Charter Member card [ox.ac.uk].

    Cool, huh?

  • Not really, cause the smart card incorporate public key algorithms (generally RSA) and secret key algorithms (DES or other). When you ask for a transaction there is a challenge to your card (you must at this momment enter your pin code). Your secret key is stored on the smart card and there is NO WAY to read it.
    So you send only encrypted stuff on the web, and you can not easily fake it. The only way is to be able to crack DES in less time than duration of the transaction.

"If it ain't broke, don't fix it." - Bert Lantz

Working...