In an article titled "Card Juggling: Crimes Using ATMs" we talked about how easy it is to lose money to carders' tricks. The main reason for this is the basic security system, which dates back to the 1970s. The data stored on the magnetic strip in "plain text" and the PIN code – a short security number that is vulnerable to theft – are all that protects your bank account.
There is no doubt that the financial industry, which is currently losing huge sums of money due to various frauds, is doing its best to use the most modern and advanced technologies to secure transactions.
To date, the most successful of all these projects is chip-based card technology (or the EMV standard). As these solutions have spread across Europe and Canada, the number of payment card cloning cases in these regions has decreased drastically, and carders who use ATM skimmers are looking for a better life in the US and in Asian countries where the EMV standard is not widely used.
Nevertheless, however far the EMV system has advanced card security, it is still not an ideal solution that will protect us from every threat we can imagine, given that skimming techniques will continue to develop. It is quite possible that we will be using different types of cards in the (foreseeable) future.
What will they be? Let’s try to imagine it.
Password and answers
The most obvious solution to the problem is adding another layer of security. An example would be the use of two-factor authentication, which is already widely used throughout the internet.
In the case of online payments, in addition to entering the CVV2 security code, which is on the back of the card, you also need to enter a one-time password, which is received via SMS, printed by an ATM or generated by a token, an authorized device issued by the bank. Two-factor authentication can also be used for offline transactions where large cash withdrawals are involved.
A similar authentication mechanism is available for bank cards with an integrated display. In this case, the basic payment card is equipped with a built-in mini-computer with an LCD display and a digital keyboard. In addition to generating one-time passwords, this solution also allows you to display your account balance, transaction history, etc.
Although the first interactive cards have been on the market for more than five years, only a few banks in Europe, the United States and developed Asian countries offer them to their customers.
Card on request
The American company Dynamics offers even more "exotic" solutions – its card does not have a static magnetic strip, in the literal sense of the word. The strip is generated dynamically and on demand by the built-in hardware. Before that, however, the user has to enter the password using the integrated keyboard.
If you forget your password, the magnetic strip will not be generated and the transaction will not be performed. Moreover, such a card does not have the popular 16-digit number: part of the numerical sequence is not printed on the plastic, but only displayed on the screen after entering a password.
May I have your finger please?
A password can be a strong way to protect a card, but this is not the case if the owner is distracted or unable to keep secrets. We all know the stories of "smart" people who wrote their PIN on the same card and then lost it.
Biometric-based authentication is a fairly radical solution to this problem. The Norwegian company Zwipe and MasterCard are currently working on a prototype of a payment card that will have an integrated fingerprint scanner. To confirm the transaction, place your finger on a special plate and … goodbye, PIN!
Quantum is here to help
Despite research conducted over many decades, fully functional quantum computers remain in the sphere of "dreams yet to come true". Yet there is a light at the end of the tunnel: some features of quantum technology will be used to create unforgeable identifiers.
Dutch researchers from the University of Twente in Enschede and the University of Technology in Eindhoven intend to use the concept of a quantum security system for payment cards and ID cards. Although their research is still at the laboratory stage, their model of a quantum security system is being developed under the acronym QSA (quantum secure authentication).
A small piece of a regular plastic card is covered with a thin layer of zinc oxide. Then this part of the card is "bombarded" with single photons emitted by the laser. Upon hitting the nanoparticles, the photons are randomly reflected inside the zinc oxide layer. This process changes the optical properties of a single layer, thus creating a unique key.
Thus, if a specific sequence of laser pulses is emitted (that is, a "question" is asked), the response should be a predetermined pattern (the "answer"). Such unique "question-answer" combinations are stored in the banking data system that is used to authenticate the keys.
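The bank-side bookkeeping for the question-answer scheme described above, as an added example that is not part of the original article or the researchers' own code. It is a classical simulation: a keyed hash stands in for the optical key, so it shows enrolment, noise-tolerant matching and single use of each pair, not the quantum readout itself. The class names, the 256-bit response and the 20-bit error tolerance are assumptions.

```python
import hashlib
import secrets

RESP_BITS = 256       # length of the simulated response pattern (assumption)
MAX_BIT_ERRORS = 20   # assumed tolerance for readout noise


class SimulatedCard:
    """Stand-in for the physical key; a keyed hash replaces the optics."""

    def __init__(self, noise_bits=0):
        self._material = secrets.token_bytes(32)  # models the unique layer
        self.noise_bits = noise_bits

    def respond(self, challenge: bytes) -> int:
        digest = hashlib.sha256(self._material + challenge).digest()
        response = int.from_bytes(digest, "big")
        for _ in range(self.noise_bits):  # imperfect readout flips a few bits
            response ^= 1 << secrets.randbelow(RESP_BITS)
        return response


class BankVerifier:
    """Stores enrolled question-answer pairs; each pair is used only once."""

    def __init__(self):
        self._pairs = {}  # card_id -> list of (challenge, expected response)

    def enroll(self, card_id, card, count=8):
        challenges = [secrets.token_bytes(16) for _ in range(count)]
        self._pairs[card_id] = [(c, card.respond(c)) for c in challenges]

    def remaining(self, card_id) -> int:
        return len(self._pairs.get(card_id, []))

    def authenticate(self, card_id, card) -> bool:
        pairs = self._pairs.get(card_id)
        if not pairs:
            return False  # unknown card, or every pair already consumed
        challenge, expected = pairs.pop()  # burned even if the check fails
        errors = bin(expected ^ card.respond(challenge)).count("1")
        return errors <= MAX_BIT_ERRORS


if __name__ == "__main__":
    genuine, other = SimulatedCard(noise_bits=5), SimulatedCard()
    bank = BankVerifier()
    bank.enroll("card-1", genuine)
    print(bank.authenticate("card-1", genuine), bank.authenticate("card-1", other))
```

Because every pair is discarded after one use, the verifier needs a re-enrolment step once a card's stored pairs run out.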
If a thief tries to intercept a question-answer combination during a transaction, it will not work. Additional photoelectric detectors used in the system will destroy the quantum state or at least some of the photons. Thus, the entire process of interception by the data thief will be obliterated.
An alternative way to compromise this type of security system is by counterfeiting cards. However, even by faithfully reproducing the size, location and other parameters of nanoparticles, a thief is doomed to failure. The production process of such a card is so complicated and advanced that it is practically impossible to counterfeit it.
The creators of QSA argue that despite its complexity, the technology can be implemented relatively simply and cheaply by commonly available means.
Make haste slowly
Even so, it is unlikely that banks will quickly implement these security systems. The financial industry is quite conservative and it would probably be too costly to implement the new technology on such a large scale.
That is why we are sure that these innovative payment methods will first be available in alternative services (not strictly related to banks), such as the new payment systems Apple Pay or Google Wallet, and even in promising "dark horses" such as Coin, Wocket or Plastc (but we will talk about those another time).
Unfortunately, advanced innovations and technical wonders are often not implemented because of imperfections in their adoption, as happened with EMV cards. The main security problem here is the technical firewall – the current terminals are not able to read the data from the security strip, so the whole process will again come down to the good old magnetic strip. This means using the standards we currently have available, so all the efforts to implement new technologies will be wasted.