Could someone tell me why this idea wouldn't work?:
Your credit card comes with a simple communication port (usb, bluetooth, whatever) and a two line B&W text LCD display (like on cryptocards or cheap electronic watches). Every time you want to buy something, you connect the card with the merchant. (This works in person and over the internet.) The merchant sends the card an official merchant name ("Delta Airlines"), which is registered with the credit card company, and a price ("$234"). These appear on the first and second lines of the card readout. If you approve the charge, you hit a single button on your credit card. Your credit card then sends an authorization code to the merchant which is good only one time, on that date, for that price, and with that merchant (using some sort of RSA hash).
If a wireless connection is used, there is little risk of criminals trying to secretly communicate with your card sitting in your wallet; you simply won't approve the transaction (unless they have physical control of your card, at which point you're no more vulnerable than you are now).
Further, you'd know exactly how the name of the merchant would appear on your bank statement.
The only downside I can think of is that the card would be slightly thicker (like a crypto card), slightly less durable, and need a battery (which would last for the life of the card). But we already replace the physical card every few years, so is this a problem? Is the technology particularly expensive?
A very similar system is already in use in the UK and other parts of Europe. It's called "chip & pin". You plug your card in to a card reader and check the LCD display and type in your PIN to authorise a transaction.
In a shop, the card reader is owned by the shop and is similar to point-of-sale card readers used in the USA. However, most banks now provide customers with a small reader (that looks like a calculator) for logging on to online banking, or authorising payments made via internet banking.
For example, to authorise a payment you: put your card into the reader, type in the account number you want to pay, type in the amount, and type in your PIN. You then get a cryptographic authorisation code to type into online banking.
Crucially, the scheme works using cryptography, and the cryptography is performed within the chip on the bank card - it is not possible to read the PIN off the card.
(edit: and, in contrast to the scheme described in the parent post, stealing a card doesn't help much if you don't know the PIN, and the card will disable itself if the wrong PIN is used too many times)
> most banks now provide customers with a small reader (that looks like a calculator) for logging on to online banking, or authorising payments made via internet banking.
This means you can only make online purchases easily and securely at home. If I want to be able to make purchases at someone else's computer, an insecure back door must necessarily be left open even when you're not away.
> To authorise a payment you: put your card into the reader, type in the account number you want to pay, type in the amount, and type in your pin.
This doesn't solve the problem (which people may not care about) that the merchant could now have your pin.
> You then get a cryptographic authorization code to type into online banking.
This seems like a huge burden. Physically typing in long cryptographic codes? Do people actually subject themselves to this?
Thanks very much for the perspective.
EDIT: I retract the second criticism for reasons explained below.
> This means you can only make online purchases easily and securely at home.
Fair point - I had this problem when wanting to use Internet banking at work, but these pin readers are compact (smaller than an iPhone, marginally thicker) so I just keep mine in my bag now.
> This doesn't solve the problem (which people may not care about) that the merchant could now have your pin.
Only if the reader itself is compromised (very unlikely with the small ones provided by banks for online banking, and pretty unlikely in a shop too). However, note that the PIN is useless without the card, because the crypto chip is on the card, and it can't be cloned by a reader.
> This seems like a huge burden. Physically typing in long cryptographic codes?
They are only 8 digits long. And yes, I don't want fraudulent use of my account so I don't mind.
> However, note that the PIN is useless without the card, because the crypto chip is on the card, and it can't be cloned by a reader.
Ahh. So then the merchant could only really make use of a pin (which it would have to do by compromising the pin reader--a tall order for small time crooks) if he also stole your physical credit card. I agree that this isn't much of a risk, and retract that criticism.
Someone wrote a criticism of the chip&pin system a while ago. I don't remember the link, but they were arguing that this system also had serious security flaws. The most memorable one was that while before people who held you up for your ATM card and PIN had to physically go to an actual ATM to see if the PIN you gave them worked, now they can get to work on you with a pair of pliers and a blowtorch until the card reader says "Pin OK" without risk of revealing themselves to an ATM camera. They claimed that this has already happened.
The fix for that, if we're remembering the same article, was simply to have the card reader display junk output instead of "bad pin". The bad output could then be entered into the bank website three times, and then block the account from there too.
That might be the deal-breaker here. People with wallets sit on their credit cards daily. I've split the plastic on mine a few times, even though I've gotten into the habit of taking my wallet out when I sit down.
Credit card purchase authorization over SMS might be more sturdy, although that has its own security considerations (I think this exists somewhere already though).
> How is this supposed to work? They send you a text, and you reply to confirm? The inability to make purchases without a signal seems fatal.
Yes, that sounds about right. You have a mobile number associated with your account, and your bank texts you when you make a purchase. I don't think it would be required that you confirm every purchase - it would be more of a notification system. You could require it, but there's a balance of convenience and security that people are already used to.
As for not being able to purchase without a signal, I posit that in the case where you need to authorize purchases, it has the same limitations as your credit-card-communication concept :)
> As for not being able to purchase without a signal, I posit that in the case where you need to authorize purchases, it has the same limitations as your credit-card-communication concept :)
No, see that's the thing. With the right cryptography, the credit card itself can compute an authorization code. There's no need for the credit card to contact the credit card company. It's authorization from the consumer (by way of a button they press on the card), not from the card company, that is important.
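The scheme from the opening post and the offline-authorization point made here, as an added example that is not part of the thread: the card binds a one-time code to the counter, date, merchant name and price it displayed, and the issuer verifies it later and rejects replays. It assumes a per-card secret shared with the issuer at issuance, and uses HMAC-SHA256 truncated to 8 digits in place of the post's "RSA hash"; all names and values are constructed.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample: per-card secret, assumed to be provisioned by the issuer.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def auth_code(key, counter, merchant, price, day):
    """One-time code bound to counter, date, merchant and price (the four
    things the post says the code must be 'good only' for)."""
    msg = f"{counter}|{day.isoformat()}|{merchant}|{price}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Card:
    """Card side: shows the two-line readout, then computes the code offline
    once the holder presses the approve button. No contact with the issuer."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def readout(self, merchant, price):
        return (merchant[:16], price[:16])  # two 16-character LCD lines

    def approve(self, merchant, price, day):
        self.counter += 1
        return self.counter, auth_code(self.key, self.counter, merchant, price, day)


class Issuer:
    """Bank side: knows the card key and which counters were already spent."""

    def __init__(self, key):
        self.key = key
        self.spent = set()

    def verify(self, counter, merchant, price, day, code):
        if counter in self.spent:
            return False  # replay of a one-time code
        expected = auth_code(self.key, counter, merchant, price, day)
        if not hmac.compare_digest(expected, code):
            return False  # merchant, price or date differ from what was approved
        self.spent.add(counter)
        return True
```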