New Scientist – Credit card only works when spoken to
Beepcard has announced a new credit card they have developed that supports audio-based authentication for credit card transactions, via technology embedded within the card itself. This is a very cool idea, assuming they can get past a couple of technology and personal adoption issues.
Beepcard had previously developed a credit card that could be used to verify that a remote customer had physical possession of the credit card being used for an online transaction. The customer would hold the special credit card up to a microphone hooked up to the computer being used to facilitate the transaction. The customer would press a button and the card would emit a pseudo-random sound. The actual sound is determined by an algorithm run simultaneously on a chip on the card and on a server. The sound is recorded by an applet that can be installed by the customer or downloaded from a website. Beepcard’s software running on a remote server would then verify whether the correct sound was emitted. Since the sound is cryptographically (3DES) unpredictable, you don’t have to worry about a replay attack.
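The card-and-server scheme described above, sketched as an added example that is not Beepcard's code: it shows why a recorded sound fails on replay and how a server can tolerate button presses it never heard. The counter-based design, the names `Card`, `Server` and `WINDOW`, and the use of HMAC-SHA256 in place of the card's 3DES are all assumptions, and the audio encoding itself is not modelled.

```python
import hashlib
import hmac

WINDOW = 10  # assumed look-ahead for presses the server never heard


def code_for(key: bytes, counter: int) -> int:
    """32-bit one-time code for a counter (HMAC-SHA256 standing in for 3DES)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Card:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press_button(self) -> int:
        self.counter += 1                      # every press burns a counter value
        return code_for(self.key, self.counter)


class Server:
    def __init__(self, key: bytes):
        self.key, self.last_accepted = key, 0

    def verify(self, code: int) -> bool:
        # Only counters after the last accepted one are candidates, so a
        # recorded code can never verify a second time.
        start = self.last_accepted + 1
        for counter in range(start, start + WINDOW):
            if hmac.compare_digest(str(code_for(self.key, counter)), str(code)):
                self.last_accepted = counter
                return True
        return False


def demo() -> dict:
    key = bytes(range(16))                     # constructed sample key
    card, server = Card(key), Server(key)
    first = card.press_button()
    results = {"fresh": server.verify(first), "replayed": server.verify(first)}
    card.press_button(); card.press_button()   # pressed away from a microphone
    results["after_skipped_presses"] = server.verify(card.press_button())
    for _ in range(WINDOW):                    # drift past the look-ahead window
        card.press_button()
    results["beyond_window"] = server.verify(card.press_button())
    return results


if __name__ == "__main__":
    print(demo())
```

In this sketch a card that drifts past the window fails closed and would need a resynchronisation step.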
Although the article doesn’t mention it (but Beepcard’s website hints at this), I don’t see why a company couldn’t ask the customer to hold the card up to a telephone’s microphone and press the button, record the sound on the call center’s equipment, and then verify the recording with the server’s calculation. That would provide additional security even for orders through a human or automated call center agent. Of course, calls over cellphones or poor connections might have problems. Sampling rates for telephone calls are typically around 8 kHz with 8-bit samples, so a second or two of audio should be able to provide you with plenty of information bits for a secure audio code. Heck, the RSA SecurID token I used to have at work used only a six digit number as the ID code.
Their new credit card contains a microphone. You speak your password and the card authenticates you. Assuming they used digit-only passwords, the voice recognition software needs to distinguish between only ten digits, albeit in a speaker-independent manner. Of course, this is still quite an accomplishment for software running on a very small, extremely low power CPU.
Some day, this will be extended to speaker authentication with non-secret phrases. You will speak a large set of phrases and a model will be constructed for your speech patterns. You will then be prompted to repeat a varying, non-secret phrase, such as count from 1 to 6, or say the alphabet from f to j. The randomness will make it harder for a thief to use a recording and the non-secret nature of the phrase will allow you to use it in public settings.
Of course, the challenges include:
- Battery life – they are targeting to support 10 transactions a day for two years
- Thicker, more fragile card – the card is three times as thick as a normal card, and obviously more fragile
- Customer security concerns – even though the card should make transactions more secure, people often fear new technology, especially if it is difficult to explain to them exactly how it works
- Spoken passwords – Since you have to speak your password, it is suitable for use only where you don’t think anyone else can hear you
- Hoarse voices – if the customer can’t speak normally, they can’t use the card unless they tell someone else their password. This will be an even bigger problem for speaker authentication.
Robert:
Great comments.
In answer to some of the issues you raise:
1) Voicecard Thickness: Our current version is a prototype. Other than the logical components, all of the items in the prototype are electrically and physically identical to what would be in a finished card. We are taking the prototypes around to customers, before committing the final list of features to an ASIC. Once we reduce the logic circuits to an ASIC, the finished product will have the same part count as our current bank-card thickness ComDot cards. So we have no theoretical barrier to making the voice card in credit card thickness.
3) Voicecard function: It goes beyond security, because the chip supports an adequate vocabulary of speaker-independent commands. The chip can be coded using text to speech, so writing new entertaining applications should be easy.
4) ComDot Card Over the Phone: We have that function built and deployed. Yes, it works great. We should give it more mention on the website.
Thanks for the Input!
This is indeed a great product. What are your target customers for this product? Are you going to go international too? Can you comment on the demographics of your customers?
Bala, you should probably follow up directly with someone at BeepCard. I doubt that they will see your questions here.
I have no affiliation with BeepCard.