Password equivalence and identity theft (II)

| Comments (2) | TrackBacks (55) |
Although credit card style systems (and I include in this VISA debit cards which have the same properties) has a lot of inherent security flaws looked at from a purely user interface perspective, there are some real advantages:

Static and reusable
Because the credit card number almost never changes, you can memorize it. Even better, merchants can memorize it, which is what lets Amazon do 1-click ordering.

Easy to read
There are three separate ways for the merchant to get the information they need to clear your credit card. The easiest is to swipe the mag stripe, but the raised digits let them use a credit card press (or even some carbon paper and a pencil in a pinch) or they can just transcribe the credit card number visually off the face.

Short
Credit card numbers are fairly short, which makes them easy to type in into fields (e.g., at Amazon). This would be impractical if the numbers were much longer.

Cheap
Finally, credit cards are incredibly cheap to manufacture. I don't know what credit card companies pay, but you can buy mag strip cards in lots of 1000 for less than $.15/each, so I imagine the price to the credit card issuers is more like $.05. Mag stripe readers are also cheap and credit card terminals are extremely simple and cheap to manufacture.

(Nearly?) all proposed more secure solutions involve giving up one or more of these properties. If it doesn't it's going to be basically isomorphic to credit cards: a symmetric key which you give directly to the merchants in order to execute a transaction.

The naive approach that everyone thinks of first is to use digital signatures. Every credit card account gets a public/private key pair and when you want to execute a transaction you just digitally sign it. This is an outstanding design in that it manages to sacrifice nearly all of the above properties: You'd sign each transaction separately so the authenticator always changes. Performing the signature requires extensive computation so it's not cheap. The signatures are long (The shortest digital signature scheme based on a standard assumption (BLS) is 163 bits long, which maps to about 50 decimal digits! (Yes, there are alternative encodings but they're still long.)) so you can't really type them in, meaning you need some kind of electronic interface to deliver them. Probably no more mag stripe interfaces, at least not static ones.

Despite all this, signatures aren't an inherently bad technology for making purchases on the Internet. Of course, they'd require entirely new software deployments on the client, but that's arguably merely a transition problem, and software only takes half of forever to replace. However, for in-person transactions that involve swiping credit cards, this means that the customer has to have some handheld computing device. Typically this is assumed to be a smartcard, which means replacing every point of sale terminal--not an easy task. Even if you've succeeded, note that you've now basically ruled out the possibility of dump POS devices like the old credit card swipe machines. I still get asked to use these fairly often...

Years ago I was a bit player in Visa/MasterCard's SET signature-based electronic payment system. SET managed to have all the disadvantages I mentioned above and then some. Aside from requiring extensive processing on the client side, the protocols and PKI in particular were fiendishly complex. In addition, the computational effort required on the server side was truly excessive. To make matters worse, Visa and MasterCard never offered any real incentives to merchants to deploy SET. This explains why going on 10 years later you're still not using SET to buy stuff on the Internet.

Another possibility is to have a device that simulates a credit card but that produces a different credit card number for each transaction. The card would generate a stream of valid credit card numbers (some credit card issuers already have web sites that let you produce temporary numbers in order to let users shop online while reducing the perception of fraud). This type of system can be made to have a lot of the same UI properties as today's system: the numbers would have to be a little longer but not enormously--maybe 20 or 25 digits instead of 16. You could implement this with a smartcard but a more attractive approach would be with an LCD display like a SecureID card. Then people could key in the numbers just like with a conventional card. You might even be able to convince it to simulate a mag stripe, just like those CD-to-tape adapters you can get for your car. Merchants wouldn't necessarily be able to store the number, since it would change every time, but you could imagine having the card also produce long-term codes one per merchant, thus making merchant database compromise more easily containable. This design has at least one major disadvantage: the cards are sure to be expensive and will likely be bulkier than an ordinary credit card.

The principal concern with any of these systems is getting merchants to be willing to deploy them. The issuers can ship new cards to users whenever they're ready, but unless the merchants deploy the readers and server side software, people will have to use standard credit cards. Back when I was working on SET, everyone assumed that the acquiring banks would give merchants who deployed SET a break on their credit card processing charges, but as far as I know this didn't happen--though they may have belatedly decided to do it after I was no longer involved. Some incentive like that will surely be required to get deployment of any new system: remember that customers have no real liability when their cards are stolen so their incentive to change is extremely small.

If we ever do see attempts to deploy a new system, expect the initial few generations of cards that get rolled out to be dual purpose, e.g., a smart card with a mag stripe and raised credit card digits on the face. You could use the card in either mode but merchants would get a break for using it in secure mode. I don't see many signs of this happening in the US though. I keep hearing that smartcards for financial transactions are big in Europe, but I'm not that familiar with the European financial industry so I don't know if this is true.

55 TrackBacks

Listed below are links to blogs that reference this entry: Password equivalence and identity theft (II).

TrackBack URL for this entry: http://www.educatedguesswork.org/cgi-bin/mt/mt-tb.cgi/321

credit repair from credit repair on August 3, 2005 6:10 AM

credit repair Read More

bank of america from bank of america on September 1, 2005 9:39 AM

bank of america Read More

online dating louisville from online dating louisville on September 5, 2005 3:20 AM

online dating louisville Read More

I like your site! Read More

paris hilton sex tape from paris hilton sex tape on September 28, 2005 11:38 AM

paris hilton sex tape Read More

free credit report from free credit report on September 30, 2005 12:02 AM

free credit report Read More

Yanks back up pledge Read More

Casino Gaming from Casino Gaming on November 8, 2005 2:26 PM

All I want to say Read More

Avian Bird Flu from Avian Bird Flu Updates on November 12, 2005 9:24 PM

Avian Bird Flu Updates Read More

poker games online from poker games online on November 20, 2005 2:15 AM

Check these: poker games . Read More

free texas holdem poker room from free texas holdem poker room on November 22, 2005 7:47 PM

Check these: texas holdem poker . Read More

Check these: online poker . Read More

play pacific poker from play pacific poker on November 23, 2005 9:16 PM

Check these: pacific poker . Read More

texas hold'em game from texas hold'em game on November 23, 2005 9:19 PM

Check these: texas hold em . Read More

empire poker site from empire poker site on November 24, 2005 8:01 PM

Check these: punto empire poker . Read More

Disney World Read More

pacific poker 888 from pacific poker 888 on November 26, 2005 11:49 PM

Check these: pacific poker . Read More

party poker freeroll from party poker freeroll on November 27, 2005 6:46 AM

Check these: rock party poker . Read More

Thank You for Commenting Read More

play online poker bonus from play online poker bonus on November 27, 2005 6:19 PM

Check these: play online poker . Read More

free texas holdem from free texas holdem on November 28, 2005 7:38 AM

Check these: free texas holdem . Read More

personal loans from personal loans on December 1, 2005 1:42 AM

plebiscite.Brinkley maturely:pawnshop abstentions:Robinsonville brainstorm countrywide home loans http://countrywide-home-loans.rulo.biz/ Read More

Korean teen sex movie from Sexual hentia movies on December 14, 2005 3:06 PM

Free dog sex vid Real uncensored sex movies girls Chinese rape samples Tits trailer free hot Read More

Mom son porn free movie Porn clips trailers free Adult sex comix Dansk sex clip Read More

Luxury Caribbean Cruise from Luxury Caribbean Cruise on January 8, 2006 4:42 AM

Luxury Caribbean Cruise Read More

TITLE: cubic zirconia URL: http://cubic-zirconia.fasthoster.de/ IP: 220.247.234.32 BLOG NAME: cz jewelry DATE: 01/10/2006 05:01:28 PM Read More

oxycontin from oxycontin health on January 13, 2006 9:20 PM

TITLE: oxycontin URL: http://oxycontin.mappibiz.com/ IP: 71.11.156.128 BLOG NAME: oxycontin health DATE: 01/13/2006 09:20:26 PM Read More

home equity loan from home equity loan on January 19, 2006 3:34 PM

testability publications chunky ringer Rufus:Edwardine becalm loan http://loan.money-lovers.com/ confirm simulations loans http://loans.our-money.com/ Read More

TITLE: plavix URL: http://plavix.mappibiz.com/ IP: 140.134.6.32 BLOG NAME: plavix DATE: 01/20/2006 03:47:39 PM Read More

carpal tunnel syndrome from carpal tunnel syndrome on January 23, 2006 12:59 PM

TITLE: carpal tunnel syndrome URL: http://b-link.ch/cure/carpal-tunnel-syndrome.htm IP: 193.252.53.22 BLOG NAME: carpal tunnel syndrome DATE: 01/23/2006 12:59:36 PM Read More

Cheap Adipex from Cheap Adipex on February 2, 2006 8:54 PM

Adipex diet pills Prickly adipex diet pills adipex p remunerative adipex p adipex nonagricultural adipex. Read More

Cash Advance from Cash Advance on February 3, 2006 2:43 PM

Cash Advance Read More

Payday Loans Online from Payday Loans Online on February 18, 2006 12:55 PM

Online Payday Loans Read More

Barbecue Secrets from Barbecue Secrets on February 19, 2006 4:39 AM

Barbecue Secrets Read More

Debit Consolidation from Debit Consolidation on February 22, 2006 6:06 AM

Oversee 5.34% 5 Yr Fixed - Lowest Rates - Lowest Rates * Last updated 2/9/2006 DomainSponso... Read More

TITLE: diazepam URL: http://www.20mbweb.com/Health/diazepam2006/buy-diazepam.html IP: 202.41.167.246 BLOG NAME: diazepam DATE: 02/28/2006 11:36:17 AM Read More

2 Comments

Everyone in the UK is moving to chip-and-PIN credit card transactions. I understand the credit card companies are putting major financial pressure on the retailers to roll it out, and the change has been pretty dramatic in the space of just a year.

Look for MasterCard "PayPass." These are contactless smart card chips embedded in the credit card. Readers that accept PayPass are already up and running here in Berkeley. The use case is that you wave your card at the reader and go -- they are managing fraud for the moment by capping PayPass transactions at $25.

While we are at it, you might enjoy looking at Gerhad Hancke's paper on practical attacks on ISO 14443 systems. :)
http://www.cl.cam.ac.uk/~gh275/

Leave a comment