SecurID credit cards?

On Tuesday's All Things Considered, NPR reported on a high-tech credit card design developed by Innovative Card Technologies. The idea is to provide a way to prove that you have the card, when you use it for online purchases and other situations where there's otherwise no physical connection between you and the card.

The way this is handled for online purchases now is that there's a “security code” printed on the card, but not in raised characters, so it doesn't transfer. Someone who has gotten your name and card number from an imprint will not have the security code. Someone who physically has your card will have the code. So it doesn't address theft of the card itself, only theft of the card number.

Of course, the code printed on the card is static, so anyone who has a good enough look at your card (without necessarily stealing it) can see and remember the security code. Effectively, then, knowledge of the code doesn't prove current possession of the card after all.

But if someone builds electronics into the card, allowing the number to change over time — in a predictable but not publicly known way (we'll get back to this later) — the credit system can tell whether the code you're trying to use is current, and only accept it if it is. You'd make your online purchase as now, and when it tells you to enter the security code, you'd read the code off the card as you do now. Only, it won't be the same code as it was ten minutes ago, when you made your previous purchase.

This is the same technology that's been in SecurID devices, which many of us have had to use at one time or another to log into our corporate networks. The SecurID device can be annoying, because it's something else you have to remember to have with you — usually presented as something to put on your key chain, and far too thick to stick in a wallet. The difference here, though, is that it would be built into the credit card, thanks to micro-electronics, and wouldn't change the size or shape of the card. There'd be nothing extra to carry with you.

I will note that such a card could even be safely used at Internet cafes and kiosks, because it's immune to data capture attacks (such as keystroke loggers), since the captured security code will not be reusable. The attacker will have your credit card number, and your name and address... but not a usable security code.

It's a generally interesting idea, though I see a few issues with it.

The card will have a battery, giving the card a definite limit to its useful life. Credit-card companies do replace cards regularly already, so that's not necessarily a problem — they'll likely replace the card before the battery dies. The problem is that the failure mode, if they don't replace it soon enough, is disruptive: you won't be able to make any non-point-of-sale purchases until you get a new card with a fresh battery.

The SecurID fobs are pretty much indestructible, because they're built in those hard plastic cases (look at the photos in the Wikipedia article; I used to have to carry around one of the “older style” ones in the second photo). The risk of damage is also fairly low because they're being used for a specific purpose by people who know they have to take care of them. What will happen when those electronics get stuck into credit cards that are less sturdy; are carried around constantly and tossed here and there; are used, misused, handled, and manhandled far more often; and are used by all sorts of random people who treat them as credit cards, rather than as pieces of electronic equipment? Will they survive?

The SecureID devices work because they're a closed system. An attacker can't link the device to the “seed” (key) that generates that device's codes. If this stuff is in use on credit cards all over the world, the incentive to crack the system will be great. Will an attacker be able to use his own card to discover the algorithm? Will it still be impossible to extract the key from a card without stealing the card? The answer to the last question is probably “Yes, it will still be impossible.” The key would not be readable from the card, but would be built into the card's electronics. The other end of the system would look up the card number in its database and get the key from there. No one at the cardholder's end could get the key. Probably. If it's done right.

But if the key is compromised, the card has to be invalidated and replaced, and that means that you'd have to know that the key has been compromised. And, again, there's no protection afforded by this system to physical theft of the card.

Finally, while this does protect you against continued use of your card by someone who's captured your data, it still doesn't protect you against a man-in-the-middle attack, exemplified by “phishing” sites, where they grab your data and immediately use it for a bogus transaction that suits their needs. They only get one shot, so this is an improvement. But they do still get that one shot.

It occurs to me, though, that there's an opportunity to use this system in a different way. Assign two different card numbers to the same account. Issue a card with one number and no security code; this card is only usable at points of sale, so this is the one you carry around with you. Issue a second card with the other number and containing the new electronics. This card could not be used at points of sale, and would only be for things like online purchases. You wouldn't carry the second card with you, and the risk of its theft would be low.

I think that would resolve most of my concerns with the new card technology (though not the last, the phishing attack), without creating much of a burden on the cardholders.