Visa makes 'use once' password cards

Two cards containing microprocessors that generate one-time passwords are being touted to Australian banks as possible replacements for tokens and passwords delivered by SMS — and one is already being trialled by Visa.

Two cards containing microprocessors that generate one-time passwords are being touted to Australian banks as possible replacements for tokens and passwords delivered by SMS — and one is already being trialled by Visa.

Melbourne-based security company EMUE claims that trials of its one-time password (OTP)-generating card will proceed in the next six months at one of the major banks in Australia.

The card contains an embedded microprocessor, a 12-button keypad, a small display where the password appears, and a battery — and is the same size as a standard credit card. To generate a password, the user must enter their PIN using the keypad on the card. Once the right PIN is entered, the card generates an additional OTP that can be entered into banking systems as a secondary authentication.

Visa Europe is promoting EMUE's OTP card as the "Visa PIN Card" to issuing banks.
(Credit: EMUE Technologies)

EMC's security division RSA this month released a similar card called SecurID that generates OTPs when the user squeezes a button in a corner of the card. RSA's card, however, doesn't require users to enter a PIN to generate the password. According to Geoff Noble, RSA's banking and finance specialist, the SecurID card is simply a different form factor to its tokens.

"This is just a stepping stone for us and the next thing is to put out that [card] device with an EMV chip on it," he told ZDNet.com.au.

RSA's OTP card: no trials yet. (Credit: RSA)

EMV is the Europlay, Mastercard, Visa standard for chip and PIN cards, which is gradually being introduced in Australia.

Since the introduction of chip and PIN cards in Europe, card not present fraud (CNP) — conducted when the user is not physically present at the time of the transaction, such as internet and phone shopping — has increased, driving growth in the black market for the three-digit CVV (card verification value) security number used to authenticate CNP transactions. According to IBM ISS security researcher, Gunther Ollman, stolen credit card numbers and CVVs are available for as little as US$2.

RSA's ambition to put the OTP generating device on an EMV chip and PIN card appears to have been trumped by EMUE Technologies. Visa Europe announced this month that it will be trialling EMUE's cards under the name "Visa PIN Card" in a number of countries within Europe.

"The banks are being given exclusivity by territory which Visa Europe will announce in due course. At this stage they're looking at four territories in Europe," Brendan McKeegan, CEO of Emue Technologies told ZDNet.com.au.

"The key difference between RSA's card and ours is that ours doesn't have just one button and RSA's is a 'companion card' while ours is integrated into a payment card," he told ZDNet.com.au.

ZDNet.com.au contacted ANZ and National Australia Bank about the products. Neither bank claims to be trialling either the RSA or the EMUE card.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All