Credit Cards That Think They Are Gadgets

holy_calamity writes "Pittsburgh startup Dynamics Inc has unveiled gadget-like credit cards with buttons, lights and even displays built into the same space as a conventional card. One card has two buttons on the front, which, when pressed, rewrite the data on the card's magnetic stripe, allowing it to act as multiple bank or credit cards in one. Another has several buttons and a display in place of the card's number. Only after entering a PIN is the magnetic stripe populated and the full card number revealed, and after a short time both go blank again for security." I wonder how long it'll be until somebody builds onboard biometrics into one of these things.

I'm waiting for transaction-specific codes

[mysidia]

Cards that will populate the mag-strip with transaction-specific codes each time. So you can type the code in, the guy at the restaurant can pick up the card with your ticket, and swipe it once.

But if he tries to scan the stripe and clone the card, the number he gets is useless, because it is transaction specific.

I would envision each CC being allocated a block of 200 random CC numbers, to be used in sequence, when it is printed, 200 random initial CVV2 numbers, and 1000 random CVV2 offsets in the form of a number between 0 and 999. For each transaction, pick a number, with no number re-used until 199 more transactions have been made.

Each time a number is used, the CVV2 is to be the initial CVV2 number plus the next CVV2 offset, modulo 999. CVV2 offsets are not re-used until 999 more transactions have been made.

Each time a number is used, the CC company can determine it is valid and compute exactly the right CC and CVV2 numbers that should be used by the next 10 transactions.

Unless there is delayed processing involved, they can also know to reject any number other than those 10.

Even if there is delayed transaction processing involved, the CC company can know a code 199 transactions ago is "too old", because there have been transactions made since then that are too old.

There should also be a way to enter a special PIN to generate a 'vendor specific' code that can be used for multiple transactions.

Possibly assigning card users larger pools of numbers, so expiration dates, and dollar limits can be encoded using the CC# and CVV2.

If multiple failures are detected with a CC# (e.g. someone tries to clone one number and try it with multiple CVVs), then that CC# is retired permanently, and the CC company sends the customer a new file to flash their credit card's memory with.

Something similar

[dsavi]

A major corporation that someone I know has worked for used to use what looked like a very thick credit card to log into what I believe was a VPN. You would input a PIN on the front, and it would display a code that would be valid for 30 seconds or so for logging into the VPN that it calculated itself, based on the current time and PIN. I think this card was made by RSA, now I think the same company uses a slightly different system.

One Time Use Cards

[Jason Levine]

This could make a long-time dream come true for me. I use one-time use numbers online but in brick-and-morter transactions (like paying at a restaurant), I still have to give my real credit card number. Perhaps these cards could be made to generate a one-time use number. Then, when I'm paying at the grocery store, they get one number while the pizza place gets a second number. I'm sure there would be some security hurdles to clear but it is a promising development.

No thanks

[pavon]

Because cell phones are buggy pieces of shit, and I wouldn't trust them with my credit card number and PIN for anything. Especially as they become more and more tied to the web.

Re:Soo...

[Dog-Cow]

This is fractionally more secure than current CCs, and it allows consolidation. As someone who carries his cards loose in his pocket, I only see this development as positive. I hope financial institutions start supporting it.

Re:First

[DrgnDancer]

It's pretty much infinitely more secure than what we have now. Here's my suggestion to improve it further. You enter your pin, and rather than displaying your static credit card number, it displays a static identifier combined with an RSA style changing number. So say, the first 10 digits of the "card number" is a static identifier, then the last 6 digits are a code based on a shared secret between the card and your bank, changing every 5 minutes say. The magnetic strip can also have the same system. So if you enter the pin, then you can either swipe the card or enter the displayed number into a online system. Your card is approved based on the currently active code. 5 minutes later, that code is no longer valid so if someone gets the card database it doesn't matter.

Downside of course is that it will break any kind of storing your card number for monthly payments or stuff like Amazons One-click. It would be very secure though.

Re:How about just universal chip&pin?

[freeweed]

How do you do it? Call the CC 800 number?

Basically, yes. Talk to a CSR at the CC company.

If so, what prevents me from calling and saying I'm you and that I'm in Milan?

The same way you're prevented from calling the CC company and changing my address, or calling my bank and wire transferring money into your account, or 300 other nasty things you could think up. They do have *some* security on your account that way - they ask you enough personal information that they're satisfied it's you.

You don't travel much and/or own a credit card, do you? This has been routine practice for decades.

I was idly thinking about this the other day

[CrazyJim1]

What if the US did away with cash, and instead we started using credits like scifi? Well at first you'd think you'd carry a credit card around, and maybe a device to transfer credits from one to another with an indicator of how many transfer so no one cheats? Then I figured the device could be on the card itself, and two cards interact in a certain method.

Wouldn't it be great to be able to look over how a politician obtains and spends his money? Public officials should lose their privacy while they're in office and all their money transactions should be able to be scrutinized.

Illegal sales like drugs would be more difficult to do because if someone gets caught by the police, the police could then scan the offender's device and see all of his contacts.

Of course you automatically upload to the IRS every tax season at least and FBI maybe more. I'm thinking with cell phone capabilities, it could auto network.

I guess there are a lot of downsides to this too that I'm not seeing, but since it has some good points its worth at least idly talking about. What are some downsides we'd have if we moved to an all credit system? I guess one would be the worry that the government could seize your money with a few clicks. Or maybe two would be hackers.

Re:How about just universal chip&pin?

[jeffmeden]

It is common for anyone who doesn't want their card frozen due to seemingly fraudulent use. You call the 800 number, do the usual authentication rigmarole (they check your source phone number, they ask you a number of security questions) and then amend your account details with the window you will be traveling and the destination. I have had a card deactivated even on a short road trip where I stopped too frequently at various gas stations and it auto-locked my card due to a pattern too far out of my normal routine.

Their algorithms are surprisingly sophisticated, to date I have had 1 false-positive (due to taking a trip I didn't notify the bank about) and 2 true-positives (due to two cards being stolen and used before I could call the bank) with banks using a properly implemented system (like Chase, Discover, BofA, etc). If you have a GEMB or other "bargain basement" card servicer, forget about it, they could care less.

Old Skooool

[Fizzl]

Magnetic stripe huh?
I think I haven't used that part of my card ever. This was issued in ...2008.
It's secure chips and online verification all the way in scnadinavia now. Helpfully, it is hard to overrun your bank account with a debit card this way. I wonder if this was deployed for my or the banks safety?

walmart already does something similar

[Chirs]

According to an article I read, Walmart currently doesn't actually take ownership of their inventory until it is sold. That's right...they don't pay the manufacturer until they've already sold the item.

Brilliant way to leverage market dominance into increased interest earnings by holding onto their money a while longer.

Re:I'm waiting for transaction-specific codes

[dj245]

I experienced table-top POS terminals during a recent trip to Nova Scotia. Apparently they are very popular there, and the waitress couldn't believe that I had never seen one in the US. The biggest problem is that in Europe, tipping is not expected or required. In the US, you can write the tip and walk away without the waitress watching you. If they go to table-top POS terminals like I saw in Canada, then you need to tip in front of your server. As an American, it was not very comfortable, although I suppose it is more profitable for the waitstaff. As an aside, when I was younger, tipping was commonly 10% and 15% for good service. Now my coworkers give me a hard time if I give any less than 20%. I think its time that we pay servers more and do away with the tip. The hidden cost of tipping is starting to be a substantial part of the restaurant bill.

Re:Biometrics?

[Anonymous Coward]

Thermos full of hot water, one of those sodium acetate phase-change heating pads... the number of ways to get a severed finger back to body temperature is legion.

CASH is still king. Here is why.

[aristotle-dude]

1. CASH is always the same speed.

Think of those times when you were in a hurry and you were stuck behind some someone who enters in the wrong pin or chooses the wrong bank account type when they were buying items that cost less than 20 bucks. What if there was a network error? Had they used cash, you would have been out of there long before they finally got the transaction to work.

2. Cash is accepted everywhere.

Not every place accepts Visa or Mastercard and a lot of places do not accept Amex. Some places do not accept debit cards for logistical reasons (ferries, planes and many taxis). Cash is generally accepted everywhere.

3. Cash does not carry a per transaction fee when traveling in a foreign country.
  Most credit cards charge a fee per transaction on top of their poor currency exchange fees which is why I take cash with me when I travel to Europe, the States or Japan. In fact, Japan is still very much a cash based society outside of their PASMO/SUICIA system for convenience stores and trains/transit. Don't expect your North American credit or debit card to work over there.

4. Cash is easily transferable between people.

You can lend/give cash to anyone but you cannot do the same with a credit/debit card.

Re:Biometrics?

[Anonymous Coward]

(AC for obvious reasons).

I worked on a project a few years ago where we tried to crack heat sensitive fingerprint readers (using real, dead fingers) and I can tell you it isn't difficult at all to heat a finger up to the same temperature as a living body to pass the "alive" test that many biometric readers on the market implement.

Its slightly harder to simulate a pulse in a dead finger, but that is also entirely possible.

And yes, it was a gross project but if the only thing standing between you and millions of dollars worth of "stuff" is a dead finger, I'm pretty sure you'd spend some time trying to work out how to make it "alive". Well, SOMEONE will anyway.