Two cards containing microprocessors that generate one-time passwords are being touted to Australian banks as possible replacements for tokens and passwords delivered by SMS--and one is already being trialed by Visa.
Melbourne-based security company EMUE claims that trials of its one-time password (OTP)-generating card will proceed in the next six months at one of the major banks in Australia.
The card contains an embedded microprocessor, a 12-button keypad, a small display where the password appears, and a battery--the same size as a standard credit card. To generate a password, the user must enter their PIN using the keypad on the card. Once the right PIN is entered, the card generates an additional OTP that can be entered into banking systems as a secondary authentication.
EMC's security division RSA this month released a similar card called SecurID that generates OTPs when the user squeezes a button in a corner of the card. RSA's card, however, doesn't require users to enter a PIN to generate the password. According to Geoff Noble, RSA's banking and finance specialist, the SecurID card is simply a different form factor to its tokens.
"This is just a stepping stone for us and the next thing is to put out that [card] device with an EMV chip on it," he told ZDNet Asia's sister site ZDNet Australia.
EMV is the Europay, Mastercard, Visa standard for chip and PIN cards, which is gradually being introduced in Australia.
Since the introduction of chip and PIN cards in Europe, card not present fraud (CNP)--conducted when the user is not physically present at the time of the transaction, such as Internet and phone shopping--has increased, driving growth in the black market for the three-digit CVV (card verification value) security number used to authenticate CNP transactions.
According to IBM ISS security researcher, Gunther Ollman, stolen credit card numbers and CVVs are available for as little as US$2.
RSA's ambition to put the OTP generating device on an EMV chip and PIN card appears to have been trumped by EMUE Technologies. Visa Europe announced this month that it will be trialing EMUE's cards under the name "Visa PIN Card" in a number of countries within Europe.
"The banks are being given exclusivity by territory which Visa Europe will announce in due course. At this stage they're looking at four territories in Europe," Brendan McKeegan, CEO of Emue Technologies said.
"The key difference between RSA's card and ours is that ours doesn't have just one button and RSA's is a 'companion card' while ours is integrated into a payment card," he pointed out.
ZDNet Australia contacted ANZ and National Australia Bank about the products. Neither bank claims to be trialing either the RSA or the EMUE card.
Play video
Why not use VeriSign VIP and OTP Card technology?
Or would you rather trust a start-up with this kind of transaction authentication technology?
Posted by Trust on Wednesday, December 03 2008 04:46 AM