Blog article
See all stories ยป

An article relating to this blog post on Finextra:

Visa and Emue Technologies deploy cards with built-in one-time password generator

The Visa Card with one-time code, being offered to issuing banks by Visa Europe and Emue Technologies, is an innovative new way of securing online payment and banking transactions - and building consu...


See article

Visa and Emue CARD OTP Combo - an innovation showcase

 

OTPs are of course better than static pin-codes. A move to require OTPs instead of the static pin-code will surely help eradicate card-present fraud.

Can such a card even be inserted into any chip and pin terminal? If so, I just can't imagine how I can use this card combo to: generate an OTP, try to remember the OTP, insert it into an ATM machine, then cancel the transaction just because I can't remember the OTP...  

I must admit that it does look nice. But other than that, I can think of many other reasons why a separate OTP device would make more sense.

 

5573

Comments: (3)

A Finextra member
A Finextra member 02 March, 2009, 11:17Be the first to give this comment the thumbs up 0 likes

 

The OTP generated by the card is not the same as the PIN, and it does not serve the same function.  In a CNP environment, the OTP is used to verify that the remote purchaser is the legitimate cardholder; it is one step more secure (allegedly) than simple VbV or SecureCode pre-set passcodes, and relies on the successful result of a PIN challenge generated by the card.  The OTP is then used in place of the static passcode.

Now, what would happen in a normal retail environment, or at an ATM?

I would have to ask the card to generate a OTP, which I hope is within the "magic number 7, plus or minus 3" capabilities of my short-term memory.  The card would then ask me to authenticate myself - and I do so by keying in my PIN - which is the only way the card can tell if it is indeed me!

Ooops!  Back where we started.

[Magic Number - George A Miller - 1956]

 

Joe Pitcher
Joe Pitcher - Irrelevant - Wirral 02 March, 2009, 11:34Be the first to give this comment the thumbs up 0 likes

Marite,

The current implementation is to use OTP for Internet/MOTO transactions only, not at ATM's. 

As such I agree that the benefit of having the ability to generate the OTP on the card is not great, a separate reader is more attractive when you consider the costs.  

A Finextra member
A Finextra member 02 March, 2009, 13:47Be the first to give this comment the thumbs up 0 likes

Yes, OTPs for card-not-present 'seems' to be a given and thus I intentionally focused on card-present fraud.

But although OTPs' lack of 'replayability' makes them a better authentication factor than let's say a pin-code, password or even biometrics, they are, however also not immune to man-in-the-middle attacks. So, let's also not get carried away with OTPs.

How difficult would it be to prop a legit-looking online merchant site (even mimicking a popular merchant site) and redirect unsuspecting Consumers to this website? Card details, even verified by visa passwords, MC's UCAF/SPA and yes, also OTPs can be intercepted and replayed by the fraudster with real legitimate online merchants.

Blog group founder

Retired Member

Member since

19 Mar 2009

Location

Blog posts

6,023

Comments

6,224

This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and anlaytical techniques for bank card and financial services organisations.


See all