update Credit cards able to generate one-time PIN (OTP) could offer better security for users, but the technology first needs to overcome some barriers in order to gain mainstream acceptance.
Last month, Emue Technologies said it is embedding OTP-enabled microprocessors into EMV (Europay-Mastercard Visa)-compliant cards. Visa is reported to be trialing one of the cards.
According to Ronnie Ng, Symantec's Singapore systems engineering manager, credit cards with in-built tokens can address risks associated with the three-digit card verification value (CVV) when it is stolen and used illegally--thereby, reducing the risk of card-not-present (CNP) fraud. CNP transactions are made via mail, telephone or the Internet, where no signatures are required and merchants assume some 90 percent liability in cases of fraud.
"The CVV is the security number stated at the back of a credit card and always remains the same, making it easier for the number to be detected and misused," Ng explained in an e-mail interview. "However, the one-time password generated on the credit card will constantly change, so someone can only use the PIN if they have the card in their possession."
Abhishek Kumar, senior research analyst at IDC's Financial Insights, said embedding two-factor authentication (2FA) is a "good security option" for Web transactions such as online shopping. However, he said there are several factors that impact the success of the technology.
Cost, for one, is a significant barrier.
Kumar said: "EMV cards are already a big cost concern for banks as they are, on average, three times the cost of the normal magnetic stripe cards. For banks looking to implement EMV--mostly to prevent card cloning activities--the costs of implementing both a 2FA, and EMV solution may be too high to bear."
In addition, Kumar noted that hardware tokens as a second authentication factor are regarded by financial institutions as an expensive investment.
"Banks may also be unwilling to pay for the additional cost per [credit] card if they have already made the investment in 2FA tokens, especially since 2FA credit cards are not a regulatory requirement," he said.
Emue Technologies' CEO Brendan McKeegan acknowledged, in an e-mail interview, that the OTP credit cards are more expensive but did not indicate by how much. However, he said some financial institutions still find the technology a viable option.
The total cost of ownership when compared to having separate tokens and credit cards is in some cases more favorable, McKeegan pointed out. "Banks also see our product as an opportunity to gain market share."
IDC's Kumar noted that another concern is the shelf-life of these 2FA cards. "Ideally, they should last as long as normal magnetic stripe credit cards, which I believe is roughly four to five years," he said.
Kumar and Symantec's Ng also warned that 2FA credit cards remain susceptible to security risks, such as "man-in-the-middle" attacks.
Ng pointed out that even with an enhanced level of technology, there "will always be a certain amount of risk".
Another security concern is that hackers will find a way to capture the user's PIN number on the card, making it easy to access the accounts of stolen cards," he said.
No plans for Asia, yet
According to Emue Technologies' McKeegan, the company is currently working with banks in Australia and Europe, but has "not formally engaged with Asian banks".
Kumar said OTP credit cards are "definitely an option for Asia's banks", but may not be relevant in all markets.
"Emerging economies such as Vietnam, may not find this solution as relevant due to the [current] relatively low level of online shopping and transactions," the analyst said.
OCBC Bank, which is in the midst of adapting EMV technology for its range of credit cards, is open to 2FA cards. Lynn Gaspar, OCBC Bank's head of group lifestyle credit, told ZDNet Asia in an e-mail that the bank constantly reviews credit card technologies and offerings to develop customer products and services.
"Being a new technology, the OTP-generating [credit] card will need to be tested, to ascertain its practicality in business applications and merchants’ receptivity before we decide whether to implement this new technology," said Gaspar.
Visa declined comment for the story.
Play video
Advanced features: 
» Blades for mission-critical operations
There are currently no comments for this post.