Credit Cards That Think They Are Gadgets

holy_calamity writes "Pittsburgh startup Dynamics Inc has unveiled gadget-like credit cards with buttons, lights and even displays built into the same space as a conventional card. One card has two buttons on the front, which, when pressed, rewrite the data on the card's magnetic stripe, allowing it to act as multiple bank or credit cards in one. Another has several buttons and a display in place of the card's number. Only after entering a PIN is the magnetic stripe populated and the full card number revealed, and after a short time both go blank again for security." I wonder how long it'll be until somebody builds onboard biometrics into one of these things.

Biometrics?

[spun]

You mean, digital passwords you can never change? Sounds secure...

Re:First

[IndustrialComplex]

Though this seems like a much safer alternative to today's credit/debit cards, although like TFA says, what will this really do for security? How long until a flaw is discovered or it is cracked?

So I'm guessing you wrote that just so you could get in an early comment.

Or are you really concerned about security on an item which literally has all of its information printed right on its surface which you hand to strangers and gets stored in a third party database. Oh and I forgot that most of the printing is actually raised so it can be recorded with a simple piece of paper and a crayon.

You are worried that something could be less secure than THAT? Well I suppose adding a speaker for blind cashiers might be a bit less secure...

The main use

[wirelessdreamer]

Scammers will love these, they'll find a flaw where they can reprogram any name and card number, swipe a card and clone it.

Re:Erm

[Microlith]

Why don't they just tie this shit into your cell phone instead? They already have something similar in Japan with swipe phones for the JR line.

Because in Japan the companies are far more tightly integrated, and it's much easier for NTT to work with JR East on what they want to do, and decree to handset makers that their next products will include the functionality. In the US, for instance, it's virtually guaranteed we'd have massive infighting and incompatibilities as vendors fought for dominance over all others. Verizon would work in some places, AT&T in others, and unless you bought your phone from them you couldn't use it at all.

Basically, there's a whole bunch of bullshit in the States that prevent solutions like Japan has from working.

Re:The main use

[Anonymous Coward]

swipe a card and clone it

And how this is different from what we have now?

Re:Is it water proof?

[Openstandards.net]

LOL, just read it when I switched back to finish TFA. Should of searched TFA first before posting. SIGH.

Smudges on card will reveal the PIN.

[Last_Available_Usern]

Even if the numbers/strip are obscured without a PIN the finger smudges on the card over the commonly used numbers will make the PIN a trivial matter to guess. What is the point of this security? Would you not call in the card missing/stolen just because it has better security?

Re:Biometrics?

[slshwtw]

Three kinds of security:

• something you are (biometrics)
• something you have (card)
• something you know (pin)

As parent indicated, biometrics is the weakest of these, as if someone is able to 'break the code' you have no way of changing your fingerprints, etc. The best approach is a combination of having and knowing, such as an ATM card which a thief can't use without knowing the PIN, or a building access card that requires you to punch in a code. If you lose your card, no big deal, just issue a new one and assign it a new code just in case.

Re:Biometrics?

[Prune]

Revocable biometrics exist, and you don't have to chop off your fingertips either: for example, http://www.turbine-project.eu/ [turbine-project.eu] or http://vast.uccs.edu/biodistmet.html [uccs.edu] or http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4318487 [ieee.org] and so on By the way, not to be a grammar nazi, just informative: did you ever tried -> did you ever try

Re:Biometrics?

[toastar]

Biometrics is also the weakest against the guy with a gun at the ATM scenario, You fingerprint is still there if he blows your brains out, Your Pin not so much

Re:Biometrics?

[Zerth]

Turbine just generates a non-reversible key from fingerprints. It does nothing to help you out if your fingerprint data gets out. Like by touching a car door.

One Time Password Credit Card Numbers

[Doc Ruby]

The most useful change in credit cards would be giving buyers a stack of one time passwords, each one issued to the vendor tied to the specific parties and dollar amount of the transaction, with a short expiration date.

The best way to do it would be a smartphone app that took a token from the vendor, the vendor's ID (another onetime string from a vendor pool of onetime ID#s), encrypted it with the dollar amount and a onetime ID# from the buyer's pool, and sent it over the network to the credit corp. The credit corp would decrypt it and credit the vendor's account. That way no ID info is shared that can be reused.

If they want to make a physical credit card that does those things once connected to a network (like a chipcard), great. Let them put a fingerprint sensor and PIN on the card, along with a display of the available credit remaining and outstanding balance to date. But the one time passwords are by far the most value to deliver to the consumer, and therefore to the vendor, too.

Re:Biometrics?

[profplump]

Please don't conflate "biometerics as a stand-alone authenticator" with "biometrics as a second authentication factor". It's pretty reasonably to combine a physical token with biometrics, because you *can* deactivate/replace/rekey the physical token pretty easily. It's important that the authentication system includes some revokable factor, and ideally you'd also have a PIN or other knowledge-based authentication token, but physical + biometric is not a bad start, and can form a perfectly usable, revokable system.

And it's certainly not a bad system compared to the current "physical only" authentication currently in place.

Your fingerprints can't be changed, but they can't be as trivially reproduced as a password either. I agree, someone *could* steal your fingerprints and reproduce them in some useable way, though it would take a higher level sophistication than simply stealing your card or copying your password. And if someone stole your fingerprints and your card you could simply deactivate the stolen card and have a new one issued. The person with your fingerprints would then have a copy of your fingerprints and a useless credit card dongle. He'd need to steal your physical credit card all over again in order to use make use of his copy of your fingerprints.

Re:I was idly thinking about this the other day

[natoochtoniket]

The "cash" economy includes lots of activity, not just illegal sales. Lots of "unbanked" people conduct all of their transactions in cash, and many of them can't or don't keep records. Think, lawn service, tree trimmers, the guy who sells water mellons fro the back of a pickup truck, the immigrant laborers who re-roof your house. A surprising fraction of people are illiterate (unable to read or write). An even larger fraction of all people are innumerate (unable to use numbers).

Without "cash", your lawn doesn't get mowed, your car doesn't get detailed, your trees don't get trimmed, you cannot buy fresh food, and your roof will leak. It isn't because you can't pay for them. It's because the sellers of those services cannot receive payment in any other form.

Keypads are not secure in such cases.

[Arancaytar]

On a keypad that is used to enter only a single combination, wear patterns can leak information [schneier.com]. That's one advantage the ATM's keypad has over one on your personal card.

An advantage of entering the PIN on the card's keypad, on the other hand, is that it cannot be gleaned by a fake ATM machine.

Re:Biometrics?

[Anonymous Coward]

but..you'd be dead and so the money wouldn't matter very much..

Re:Biometrics?

[moderatorrater]

Then they just need to check the temperature of the finger to make sure that it's still alive. It should work: criminals with microwaves can't run away very fast.

Re:I'm waiting for transaction-specific codes

[mentil]

The problem with this system is that many of these machines wirelessly transmit the CC# to the POS machine, cleartext. Sniffers in a van in the parking lot intercept the CC# and clone it anyways. A poster above you had exactly this happen to him (although he didn't realize how it was done.)