Security

Debit/credit card fraud: Can smart payment cards prevent it?

Is an intelligent and interactive payment system the answer to debit/credit card fraud? Dynamics, Inc. thinks so. Find out what they are up to.

Is an intelligent and interactive payment system the answer to debit/credit card fraud? Dynamics, Inc. thinks so. Find out what they are up to.

-----------------------------------------------------------------------------------------

Current payment-card technology in the United States is low-hanging fruit for criminals. Why? Other countries, of interest to the bad guys are using Chip and PIN systems. Not necessarily the best answer, but more secure than the current magnetic-stripe approach used in the United States.

So why isn't the U.S. converting to Chip and PIN? The cost to replace 60 million magnetic-stripe readers might have something to do with it.

Recently, a company surfaced with a alternative solution. Dynamics, Inc. on September 14 gave a presentation at Demo Fall 2010 (scroll down to the Dynamics, Inc. video) demonstrating how to increase payment-card security and still be economically feasible.

Credit cards on steroids

In the video, founder and CEO Jeff Mullens describes what amounts to a credit card with a built-in computer. Amazingly, it looks like a normal credit card, except for the LEDs and readout.

That means there is some out-there technology going on and I had to learn about it. So, I contacted Jeff Mullen, and he kindly provided the following insight into his company and inventions:

TechRepublic: Dynamics, Inc. was started by you in 2007. Could you give a brief overview of the company? Jeff Mullen: Dynamics, Inc. is focused on engineering next-generation payment solutions. In the U.S. this takes the form of complementing the current magnetic stripe reader acceptance infrastructure. We do this to solve many problems.

One problem we solve, is giving consumers the power of choice at the point-of-sale. Consumers will be able to select options on their cards and have these options communicated to their card issuer via the existing infrastructure. We call this heightened social interaction between a cardholder and their issuer as the Payments 2.0 application space.

TechRepublic: Could you describe Card 2.0 and Electronic Stripe, the two technologies you incorporate in your cards? Jeff Mullen: The Card 2.0 platform is a complete computer architecture that has a processor and a number of sub-circuits for various functions (e.g., power management and control).

The Electronic Stripe technology is the world's first fully-programmable magnetic stripe, meaning the Card 2.0 platform has control of what is written to the magnetic stripe.

TechRepublic: Can you give us an idea as to what it takes to fit 70 components and a battery into a piece of plastic that is less than a millimeter thick. Jeff Mullen: Approximately three years of work from a team of extremely dedicated, disciplined, and focused engineers; a number of confidential partners, and millions of dollars in capital. (If you watch the Demo Fall 2010 video linked above, you will see how the components are physically arranged.) TechRepublic: There are two types of payment cards, MultiAccount and Hidden. Could you describe what each payment card offers? Jeff Mullen: Sure, here are the descriptions we used in the Dynamics Inc. press release: MultiAccount: The device includes two buttons on the face of a card. Next to each button is a printed account number and a light source. The user can select an account by pressing one of the buttons. The card visually indicates the selection by turning ON the light source associated with the selected account.

Then the information associated with the selected account is written to the Electronic Stripe. The card can then be swiped at any current magnetic-stripe reader. The slide below is one example:

Hidden: The device includes five buttons on the face of a card and a thin flexible display. The display hides a portion of a cardholder's payment card number. To turn the device ON, a user must enter a personal unlocking code into the card. If the user enters in the correct unlocking code, the card will then visually display the user's payment card number so that the user can read the number for online transactions.

The Electronic Stripe is then populated with the correct magnetic information so that the card can also be used with magnetic stripe readers. After a period of time, the display turns OFF and the Electronic Stripe erases itself - thus removing all critical payment information from the surface of the card. If the card is lost or stolen, the card is essentially useless. The slide below shows the Hidden card, note the series of buttons used to input the card owner's personal code:

One thing that I would like to reiterate. Mr. Mullen pointed out that both cards are capable of working on the current payment-card scanners. Something that no other solution has been able to accomplish.

TechRepublic: Do you see Card 2.0 technology solving problems not related to security? Jeff Mullen: We solve a number of core-payment problems not related to security. I can't disclose more right now. But, as more information is released, I think everyone will start to realize the power of the Payments 2.0 application space. TechRepublic: Besides payment cards, do you see any other uses for your card technology? Jeff Mullen: Card 2.0 technology is a platform. Dynamics, Inc. will continue to introduce valuable new technologies to card issuers and card holders. That said, there are several other markets in which the platform can provide significant value, for example; security cards, medical cards, and identification cards. Final thoughts

As a security type, I see lots of potential for computerized-payment cards. It could easily become a multi-factor authentication device, verifying a relationship between the card and the card's owner as well as a relationship between the card and the financial institution.

What I'd like to see is a MultiAccount/Hidden combination card, gaining both increased security and convenience. I would like to thank Jeff Mullen for explaining the technology behind Card 2.0 and Electronic Stripe and Melinda Jenkins of Edelman.com for her assistance.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

107 comments
Who Am I Really
Who Am I Really

not to the consumer a forged signature can be disputed but the entry of the PIN cannot be disputed it says in all the CC literature, agreements etc. that come with the new Chip cards that the CC company is not responsible for fraudulent CC usage when the pin is entered (as there is no way for the consumer to prove that they didn't make the transaction or that they didn't reveal their PIN to some other person etc.)

Michael Kassner
Michael Kassner

News release: FINOVATE, New York, Oct. 5, 2010, Dynamics Inc., an innovator in next-generation payment devices, today reveals its Redemption payment device in a card form-factor. The payment card with the option for in-store point redemption is another Payments 2.0 application built on Dynamics? Card 2.0 technology. Redemption allows consumers to pay at the point of sale with credit or request to redeem their reward points or cash rewards toward the purchase of any item at any merchant. The company is demonstrating this ground-breaking payment device today at FinovateFall 2010, a conference showcasing innovations in financial and banking technology. Redemption has been in trials with a small number of Citi credit card customers since May 2010. Citi expects to expand the trial with select U.S. credit card customers this November. Terry O'Neil, Executive Vice President at Citi Cards, said, "Citi is committed to bringing innovative solutions to market that provide our customers with greater choice, control and flexibility to help them better manage their money. Today we are announcing a consumer trial program that will use Dynamics' technology to put the power of choice in the customer's hands, with the simple press of a button. By piloting this technology, we've essentially created a new way for consumers to redeem their reward points. With the simple press of a button and swipe of their Citi card, consumers can choose to use their points toward their purchase." "Citi is at the forefront of embracing and executing new technologies that bring extreme value to consumers," said Jeff Mullen, CEO of Dynamics. "Never before has an issuer brought this type of capability to market, one that allows consumers to choose at the point-of-sale to use points that they've earned." Redemption will work at any merchant where magnetic stripe readers are used. The face of the device is printed with a single credit account number and includes two buttons with associated light sources. A user can choose whether to use points or use credit at the point of sale by pressing the appropriate button. The card will then visually indicate the selection by turning ON the light source associated with the selected option. The magnetic-stripe information associated with the payment option is then written to the Electronic Stripe. The card can then be swiped at any magnetic stripe reader and the information is then received and processed by Citi. "We created a device with a very elegant user interface that offers consumers a very natural, yet functional, experience," added Mullen. In September 2010, Dynamics unveiled two other Payments 2.0 applications: MultiAccount and Hidden. MultiAccount is directed to the convenience-oriented consumer and includes multiple payment accounts on a single card. A user simply presses a button associated with a particular payment account to activate the card. Hidden is directed to the security-conscious consumer and includes five buttons on the face of a card with a portion of the cardholder's account number hidden by a paper-thin flexible display. A user must use the buttons to enter a personal unlocking code in order to display the hidden numbers to activate the card.

hkoncke
hkoncke

Very interesting technology but I really can't see how this helps to prevent users from being fooled and inserting their cards into "fixed" ATM slots.

santeewelding
santeewelding

They get it down to a smart prosthetic middle fingertip for my dealings with the credit industry.

seanferd
seanferd

This is what I am curious to discover, once these are in use. Interesting technology solution, to be sure.

wlramsey
wlramsey

I would be interested to know how this thing is powered. One would be almost certain that there is some battery is some shape or form on it. Is it rechargable, or once it is dead, throw away and get a new one? Also, do the users get to pay for these? What will they cost? Great technology on the upside! Awesome job guys!

Scott111
Scott111

Without metrics on the proportion of credit card fraud that results from lost/stolen cards, versus skimming, data breach, and other fraud channels, as well as metrics on how the cost per card in volume for Card 2.0 compares to cost per card for Card 1.0, it is difficult to assess the effectiveness of this technology. If, for example, "only" 10% of credit card fraud is attributed to lost/stolen cards, then while this technology does go a long way to mitigate that 10%, the other 90% is still out there. A 10% reduction is nothing to sneeze at, but if the cost of a Card 2.0 credit card is many times the cost of a Card 1.0 credit card, that 10% reduction in the cost of fraud may not be a reduction of total cost at all. Having said all that, I think the technology is very interesting, and certainly does have many potential applications.

ande151
ande151

The front door is locked but the back door is wide open and what the thief is after is the HDD located in the store server where the information is stored. The thieves could care less about the card as they have what they want all stored neatly on the HDD. Even though encrypted it doesn't take a rocket scientist long in cracking the encryption. No this type of card will solve nothing. The store has to be diligent in ensuring that HDD is wiped clean every day at closing time.

santeewelding
santeewelding

That Dynamics is complimenting the current infrastructure. What was the nature of the compliment?

Howard.Hooper
Howard.Hooper

So if the card runs out of power you're unable to buy anything?...Great idea I'd like one for my fiancee ;o)

delphi9_1971
delphi9_1971

I've had my card numbers stolen twice. In both cases it was stolen because of poor security after the transaction took place. In one event, the card number was secured via SSL when I ordered over the internet, only to get an invoice with my CC number and Exp Date in plain text. The second time I believe it was skimmed at a point of purchase. In either case, this device would not have helped. I believe the end point devices at the Point of Purchase is what really needs to be addressed. Put controls in place at this point to prevent the nefarious from stealing our card numbers and you would do much to improve the security. The problem in this country is we don't want to pay for these new features. That's why we have to band aid the problem.

Michael Kassner
Michael Kassner

The banks are pushing the responsibility back to the consumer. Hope that does not fly here in the US.

JCitizen
JCitizen

in authenticating the transaction; this wouldn't bother me particularly. I wonder how much consumer resistance will come up against such security technology in the US. People have such short attention spans and so little patience here in the US, that I wonder how much they will tolerate. I know that seems silly for the damage that can be done without it, but there goes the fickle consumer for you!

JCitizen
JCitizen

it would be trivial to program an area of the chip to analyze how many magnetic fields are present at the reader area of the device. This induction signature would shut down the transaction and alert the user! I like this even better than the anti-skimming nano/tech mag strip reader Michael wrote about some time ago! Although - that one wasn't bad either - it was very cheap for institutions to implement/ or should have been.

Michael Kassner
Michael Kassner

The current security is for stolen or lost cards. I did not refer to ATM skimming in the article.

JCitizen
JCitizen

with rotating, self erasing account numbers for security! Tell me I'm crazy! :p I've already got a credit card with that, why not a debit card like this one? I know - the bank won't pay for it - but willing customers like me would!!

JCitizen
JCitizen

even at high prices - here is the reason why. It can be used anywhere right now. It brings it's infrastructure with it; that is, the technology that is needed for whatever reader is available. This would also allow banks to upgrade in time, and also to let the technology jell, and prove itself. Banks won't by into this without a huge volume manufacturing to bring the price down. But with this card, any enterprising financial institution with a reputation, could sell them to willing clients everywhere. It could even cause a massive shift of assests into their coffers, to make transactions easier. Bear in mind, this would have to be a big company to be able to buy in volume, and also have the rep to add trust to the equation; and still build infrastructure to match.

Michael Kassner
Michael Kassner

I would be willing to pay some to get rid of one or more of my cards.

Dzmitry Z
Dzmitry Z

Looks like the battery is on the left. It looks like a small version of those Li-Ion Polymer batteries iPods have. It's quite sizable compared to the rest of the components.

Michael Kassner
Michael Kassner

According to Dynamics, Inc. Usually that is about the time a card expires and needs to be replaced. I am not sure how the cost dynamics will play out. The cards are still in the testing phase.

JCitizen
JCitizen

from what I visualize. Customized card numbers could put the data where researchers could pin it down. I see much scalability here!

Michael Kassner
Michael Kassner

Jeff Mullens did point out that Card 2.0 technology has a great deal of potential. They are just starting to unravel what it can do. So, stay tuned

JamesRL
JamesRL

I used a credit card to pay my monthly ISP bills automatically. My ISP had been compromised and their billing information including thousands of credit card numbers stolen. I actually showed up at a hotel, the staff were waiting for me. They took my card, cut it up and dialled the credit card company and then handed me the phone. They explained the situation and had a credit card couriered to me at the hotel. The TJ Maxx event a couple of years back showed us the real targets. Someone with a laptop with a wireless card sat near the head office, broke in and stole credit cards from the US and Canada. James

JCitizen
JCitizen

was a compromised vendor. Fortunately, only basic information was available and no one has cracked my ID yet. One thing to think about is temporary card numbers allotted to individual stores/vendors. This would narrow who got cracked, and speed up any investigation into how it happened. With this card this is finally a infrastructure wise alternative.

Michael Kassner
Michael Kassner

But, I recently had my CC number stolen and it is a huge pain to get that all in order again. Think about all the places that use the card information on a monthly basis.

Michael Kassner
Michael Kassner

Is the advertised battery life. I think most cards are replaced by then.

AnsuGisalas
AnsuGisalas

why europe has been so keen on upgrading to chip and pin. The shops here have been changing readers twice in five years, on account of new card requirements. New end points, all things being equal, are safer. Fast too, used to be all sorts of long waits for validation, now it's mostly from 0,5 to 3 seconds.

Michael Kassner
Michael Kassner

Payment card systems have many problems. I have written about many of them. This approach will help remove several of the issues, but not all of them. The card is just coming to life. Jeff Mullen has mentioned numerous times that we have not seen anything yet.

Michael Kassner
Michael Kassner

That is a good point. There would be the ability to sense more than one scan.

AnsuGisalas
AnsuGisalas

The E-Vl-I! Oh... gotta run patent that right now!!!

Michael Kassner
Michael Kassner

I did not think of that. As you say, nothing changes. The smart cards could be offered as an option.

seanferd
seanferd

rather than a cost, overall. But that may depend on the distribution channel for these card devices.

Michael Kassner
Michael Kassner

It is interesting technology. Would they use a rechargeable battery in something that does not have the ability to recharge?

Michael Kassner
Michael Kassner

I have been working with some law enforcement agencies and the new scam is focused on debit cards and ATMs. That way they do no need the money mule in the middle.

Michael Kassner
Michael Kassner

What I would like to see is the computerized card be able to issue one-time credit card numbers. That would help tremendously.

Michael Kassner
Michael Kassner

When I was in Sweden recently, I found that my US credit card worked.

Michael Kassner
Michael Kassner

If the next generation of card scanners were designed to use Magneprint.

JCitizen
JCitizen

a stochastic process may be possible from this, although the geometry of the Magneprint C= technology made this easier. Imagine if both were available on the same card? Nawww! I'm just dreaming! HA! But you never know when mergers come up on the market!

JCitizen
JCitizen

something I shouldn't do; but if you combined the same thing Discover card does with the temporary numbers, and this new card, you would really give the criminals a one-two punch! :ar!

Michael Kassner
Michael Kassner

I suspect if they feel they can pass the expense on to the consumer, it will be rolled out sooner than later.

Michael Kassner
Michael Kassner

Still cards are typically replaced every three years due to expiration. I wonder with these if they would do the same.

JCitizen
JCitizen

science now, a very thin film solar cell could do the same thing off the lights in the room. If it will run a calculator, there is no doubt it would run this. However these batteries never fail within three years. My wrist watch is going on 8 years or more, and was supposed to run only 5.

Michael Kassner
Michael Kassner

I have read about that process and it would work. I do not know if that is what Dynamics has in mind or not.

Dzmitry Z
Dzmitry Z

through induction charging. No wires, no mess. Just come home in the evening and "charge" your credit cards, haha.

JCitizen
JCitizen

I already saw with this article. It could be used to shut down the card and warn the user to fraud also.

JCitizen
JCitizen

everywhere, and what my bank tells me too. Americans are actually a very practical lot, but only now are the laws catching up to client rights. Liability on the part of the bank may be increasing now, so the banks may finally be goaded into action. If I were a banking institution, I'd probably buy into something like Passwindow or Magneprint. Even better both. These are potentially very cheap solutions, that don't cost much on either end.

JCitizen
JCitizen

a very excellent article! And yes, it was the readers that were the problem. I tend to think this would be better in that it can rely on two different technologies, and can be scalable either way that is more successful in thwarting compromise. I like the multi card selection; I think this design actually has promise, because it works with the present system, and I feel it may be a good way to avoid skimming too!

Michael Kassner
Michael Kassner

It is interesting. Jeff Mullen said they were looking at multiple new uses for this technology and I can believe it. As for Chip and PIN, I believe the readers have been the target, not the actual card. They use the ATM skimmer approach to get the person's information. I wrote about a different Chip and PIN attack, but it is a complicated one requiring a notebook and a card that has wires connected to it: http://blogs.techrepublic.com.com/security/?p=3153

JCitizen
JCitizen

I can see where the mag stripe is sufficient in itself! If the company started a cooperation with the reader manufactures, they could issue new temporary card numbers; one for each button; that could be transmitted after the last one expires to the mag stripe on the card. Any stripe reader that is programmable can receive a transmission too, I'd think. The chip would only be used to store the next batch of temp numbers and minimal customer data, receive instructions through more expensive chip readers, and issue commands to the stripe device. This seems like a pretty good, scalable solution all by itself! The crook could not use the temp number, only the vendor assigned that number could use it. If the number gets abused, the reader gets a command over the ATM/reader network on next strip to alert the user and delete that number. Am I making mountains out of mole hills here? Please tell me where the fault in my logic is. I know chip and pin has been hacked, but with this communicative ability, maybe the threat can be mitigated. Magstripe reader tech is cheaper than Chip reading tech. and cracking the chip may be harder to do this way too. I don't know?! I wonder how resistant Chip & Pin is to RFID cracking? I also wonder how this dual nature could avoid the paper clip crack that was discovered soon after Chip & Pin was issued in Europe?!

david.hunt
david.hunt

Because you cannot yet guarantee that all readers will have the capability to read a Chipped card, the card still has to support a mag stripe only reader. That is a current weakness of the slow migration, and one that will be perpetuated rather than closed by introduction of this non-chip reader technique. A Reader with chip capability will request the merchant to read the chip if they just swipe the stripe, so its the non-chip readers that leave an open vulnerability.

Michael Kassner
Michael Kassner

That the cost of card fraud is significantly less than the cost to replace the existing system. I suspect that might have something to do with it, if true.

AnsuGisalas
AnsuGisalas

The magnetic stripe is really sadly easy to swipe. But then the US has some strangely foot-dragging ways in some of these areas; like the way cell phone carriers work, and then this magnetic stripe. What happened to innovation for innovation's own sake? ;) On the other hand, wait-and-see can save bucks. I guess the chip readers are much less expensive now than before large-scale adoption took place.

JamesRL
JamesRL

We saw the HW first in Canada. My bank credit card changed six months ago to chip and pin, my debit card a month ago. My non-bank credit mastercard has not changed to chip and pin yet. All are still useable at the new hw for now.

AnsuGisalas
AnsuGisalas

Legacy support... it's not like they want to say no thanks to your money :p ;)