05 December 2008

Token-based authentication coming to credit cards

Credit card numbers, like all numbers, are just too easy to steal. And it doesn't matter if you have to steal 19 digits instead of 16.

Visa is going to test out credit cards with a tiny keypad and display built in. You have to enter your PIN to get a one-time password to get your online transaction to go through. This is pretty nifty.

The root problem (people copying your card) still exists for physical magstripe cards, though. This is a huge advantage that RFID has over magstripe and I wonder why people haven't made a bigger deal out of it. Once you've read the magstripe off a card, you have all that there is to know about the card. But an RFID chip can contain active machinery inside. It's a black box that you can only interact with in certain ways, unless you reverse-engineer the hardware to figure out what the silicon is doing (this is not super easy). So you can implement a challenge-response mechanism which resists some kinds of man-in-the-middle attacks (remember the hubbub about fake ATMs?).
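To make the contrast concrete, here is a small simulation, added as an example rather than anything from the original post or from Visa's product: a magstripe is modelled as static bytes that a skimmer reads just as well as a genuine terminal, while the chip is modelled as a black box holding a key that never leaves it and answering each fresh challenge with an HMAC bound to the transaction amount. The issuer consumes each challenge once, so a recorded response cannot be replayed, and altering the amount in transit invalidates the response. The PIN-and-display card from the Visa trial is the same idea with a counter standing in for the terminal-supplied challenge. All class and function names, and the sample track data, are constructed for this example.

```python
"""Static credential vs. challenge-response: a constructed simulation (not the post's code)."""
import hashlib
import hmac
import secrets

# --- Magstripe model: the credential IS the data on the stripe ---------------

MAGSTRIPE_TRACK = b"4111111111111111=2512101"  # constructed sample track data


def read_magstripe(track: bytes) -> bytes:
    """A skimmer and a genuine reader get exactly the same bytes back."""
    return track


def magstripe_authorize(presented: bytes, on_file: bytes) -> bool:
    """Authorisation is just 'does the stripe match what we have on file'."""
    return hmac.compare_digest(presented, on_file)


# --- Chip model: the key never leaves the card; only responses do ------------

class ChipCard:
    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key  # a reader cannot extract this; it can only ask questions

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        # Bind the response to the fresh challenge AND the amount being authorised
        msg = challenge + amount_cents.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._outstanding: dict[bytes, str] = {}  # challenge -> card_id, single use

    def enroll(self, card_id: str) -> ChipCard:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return ChipCard(card_id, key)

    def challenge(self, card_id: str) -> bytes:
        if card_id not in self._keys:
            raise KeyError(f"unknown card {card_id}")
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce] = card_id
        return nonce

    def verify(self, card_id: str, challenge: bytes, amount_cents: int, response: bytes) -> bool:
        # Each challenge is valid exactly once; popping it here defeats replay
        if self._outstanding.pop(challenge, None) != card_id:
            return False
        key = self._keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge + amount_cents.to_bytes(8, "big"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Returns which attempts the authoriser accepted in each scenario."""
    results = {}

    # 1. Magstripe: a copied stripe is indistinguishable from the original
    skimmed = read_magstripe(MAGSTRIPE_TRACK)
    results["magstripe_clone_accepted"] = magstripe_authorize(skimmed, MAGSTRIPE_TRACK)

    issuer = Issuer()
    card = issuer.enroll("card-A")

    # 2. Chip: genuine transaction with a fresh challenge
    c1 = issuer.challenge("card-A")
    r1 = card.respond(c1, 4999)
    results["genuine_accepted"] = issuer.verify("card-A", c1, 4999, r1)

    # 3. Replay: an eavesdropper recorded (c1, r1), but the issuer now asks c2
    c2 = issuer.challenge("card-A")
    results["replay_accepted"] = issuer.verify("card-A", c2, 4999, r1)

    # 3b. Replaying the original challenge too: c1 was already consumed
    results["old_challenge_accepted"] = issuer.verify("card-A", c1, 4999, r1)

    # 4. Man-in-the-middle edits the amount after the card has answered
    c3 = issuer.challenge("card-A")
    r3 = card.respond(c3, 4999)
    results["amount_tamper_accepted"] = issuer.verify("card-A", c3, 99999, r3)

    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```

Only the first scenario is accepted; the three chip-side attacks fail because the attacker holds responses, not the key, and because each challenge is single-use and amount-bound. The HMAC stands in for whatever the real silicon does; the point is that the reader only ever sees answers to its own questions.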

