Display Cards for Securing E-Commerce
Don Malloy – Business Development Manager
10th February 2012 – Salt Lake City
Presenter
Greetings. Introducing subject. The global rise of eCommerce and online transactions brought increased opportunities for online fraud. Fortunately, today we have tools and mechanisms such as 2-factor authentication, security tokens, and even this sophisticated card reader device that can provide challenge/response and transaction signing capabilities in order to address this problem very effectively. So, the purpose of my presentation today is to talk about how NagraID Security approaches this in a different but very innovative way... with the NagraID Security Display Card.
Nagra Kudelski Group Activity Lines
• Professional audio & hi-fi products
• Middleware & Interactivity
• Smart card technologies
• Physical access solutions & Ticketing
• Digital TV
Group Revenue 2010: USD 1.1B
Presenter
Over 1 billion CHF turnover. Founded 1951. Group ~3000 people. 7000 installations Skidata. 150 million cards delivered for digital TV. The Display Card business is handled by NIDS and NID, which fall under the Smart Card technologies group.
Did you know that every time you go online, you’re connecting to thousands of unknown networks and millions of their users?
• Daily attacks increased 93% last year alone
• Major attacks in 2011 – not just small companies without significant resources: Apple, Google, Sony, & EMC
Look at the list: one of the largest companies in the US, the leader in online economy, the leader in entertainment and the largest security company in the world.
If this doesn’t concern your organization it should.
Criminals are getting bolder:
Michaels Craft stores and Lucky's Supermarkets – this past summer and fall
• Fraudsters impersonated Verifone employees and "upgraded" the terminals, placing false keypads on top and recording customers' card info and their PIN numbers.
• The information was transmitted wirelessly to a partner waiting in the parking lot, and the collected account numbers and PINs were quickly sold on the black market. Before the person got home there would be charges rung up in the thousands of dollars.
• Average hack at an ATM nets $20-30K, more than 3X a regular bank robbery.
What is needed
• A more layered approach to security:
• Multifactor authentication would have prevented these attacks. Without the physical card in their possession the hacker would not be able to generate the one time password.
What is a Display Card?
• Security
• Control
• Convenience
Presenter
2-factor authentication provides a very secure mechanism to protect your online login account. And this is exactly one of the main functionalities of the display card: it can generate a dynamic passcode for 2-factor authentication, which gives cardholders peace of mind, a feeling of security. It also gives them control over their expenses; they can control the authentication process for remote banking and payment transactions across multiple channels, all from their payment card. Despite this intense technology, for users this card is familiarity, simplicity, convenience; it is very easy to use.
What can Display Cards do?
Multiple Applications: Logical, Physical Access, Payment
Payment Card:
• Standard banking functionalities
Authentication Card:
• Supports 3DSecure
• OATH, CAP, Visa Codesure, custom algorithms
• PIN protected access to OTP
Information Card:
• Fingertip access to account balance, transaction history, expenses, reward points.
• Standard EMV script.
Presenter
• Supports 3DSecure deployments
• Enhanced security with built-in OTP functionality (OATH, CAP, Visa Codesure, custom algorithms)
• PIN protected access to OTP
• Portable, anywhere/anytime access compared to token, SMS or similar solutions
• Customer familiarity facilitates adaptation
What can Display Cards do?
Physical Access Control:
• All in one device: Logical/Physical access
[Images: Before / Today]
NIDS Single Button Series
Single Button Display Card
Powerful yet Simple
Features
• Easy to use – button triggers OTP
• 6-digit display
• Event or time based
• OEM branding, OATH or CAP
• Secure contactless interface EAL5+ (on ES and TS version)
• ISO 14443 Type B
• Embossing
• 1 Button
• 6 Digit LCD Display
• RF Interface (HID, Mifare, Legic…)
• MasterCard Certified
Presenter
The first thing that we notice about this card is its amazing simplicity. It is equipped with the same high-contrast, ultrafast 6-digit LCD screen found in the highest-end model, and has an easy-to-use 1-button user interface that, when pressed, generates a one-time-use dynamic passcode (which can be derived from the OATH or CAP algorithm). If you don't pay attention, it can be mistaken for an ordinary plastic card. The 106 embeds a powerful Secure Element chip that can be loaded to run advanced custom applications. Physically this card is as close as you can get to a standard payment card. It is MasterCard certified. It can be customized with a magnetic stripe, EMV contact chip and even embossing for markets that require support for legacy card reading methods. All these familiar features make it great for rapid user adoption. So, to recap, the 106 is the ideal card for situations where we need a simple, cost-effective one-time password solution.
Physical Access
TOUCH Keypad
• Secure access to networks, facilities and properties
• Personalization options
• All-in-one device
Account Protection
PayPal – Security Key
PayPal provides clients an extra layer of protection and cross compatibility
PayPal Security Key also works with eBay
Multi Button Display Card
TOUCH Keypad
A breakthrough in card interactivity
Features
• Unique TOUCH keypad
• Bright flexible 6-digit LCD display
• OATH or CAP, OCRA
• Laser engraving
• Secure contactless interface EAL5+ IC
The huge breakthrough about the 306 is the addition of a 12-button touch-sensitive keypad that provides the same feeling as a smartphone interface. This keypad fundamentally changed the way we interact with a plastic card. One of the most obvious and immediate benefits of the 306 is that it eliminates the need for a separate, bulky and inconvenient card reader where user input is required. The 306 features the same state-of-the-art flexible LCD display found in the other products; an EAL5+ certified Secure Element that can run custom applications and enables Post Seeding; wireless interface 14443 B; contact chip; magnetic stripe; holographic hotstamp; as well as a printable surface for instant issuance. Furthermore, the 306 can receive laser-engraved cardholder information, which also makes it suitable as a payment card. In fact, this card is also MasterCard certified. In terms of firmware, the 306 is immediately available with One Time Passcode generation, OCRA (OATH Challenge/Response Algorithms) or full MasterCard CAP Chip and PIN (Chip Authentication Protocol). Additionally, PIN protection is standard, which provides extra security to the card itself as it protects the card from unauthorized use in case it's lost or stolen.
Over the Phone
Example of Challenge Response
1. (Client) The client calls an establishment to make a high-valued transaction over the phone.
2. (Business) The establishment gives the client a verification code (challenge) to enter into the TOUCH Keypad on their card.
3. (Client) Once the card verifies the challenge code, it generates a response code.
4. (Business) The establishment verifies the client's response code and the request can securely be completed over the phone.
Presenter
Prescription.
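The four-step phone exchange above, sketched as an added Python example (not code from the presentation or from NagraID Security). The page does not state which suite or key provisioning the card uses, so the sketch assumes the RFC 6287 suite OCRA-1:HOTP-SHA1-6:QN08 and uses the RFC's published test key as a constructed demo secret; `Establishment`, `ocra_response` and the request id are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Assumption: RFC 6287 suite with HMAC-SHA1, 6-digit response, 8-digit numeric
# challenge. The presentation does not say which suite the card firmware uses.
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"

def ocra_response(key: bytes, challenge: str) -> str:
    """Response the card displays after the client keys in the challenge."""
    if not (challenge.isascii() and challenge.isdigit() and len(challenge) == 8):
        raise ValueError("challenge must be exactly 8 decimal digits")
    # RFC 6287: decimal challenge -> hex string, right-padded to 128 bytes.
    q_hex = format(int(challenge), "X").ljust(256, "0")
    data = SUITE.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, data, hashlib.sha1).digest()
    # HOTP dynamic truncation (RFC 4226): 31 bits at a MAC-chosen offset.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

class Establishment:
    """Business side (hypothetical): one challenge per request, one answer."""
    def __init__(self, card_key: bytes):
        self._key = card_key
        self._pending = {}  # request id -> outstanding challenge

    def issue_challenge(self, request_id: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"  # unpredictable, step 2
        self._pending[request_id] = challenge
        return challenge

    def verify(self, request_id: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a replayed or second
        # guess at the 6-digit response is rejected (step 4).
        challenge = self._pending.pop(request_id, None)
        if challenge is None:
            return False
        expected = ocra_response(self._key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())

def phone_transaction_demo():
    key = b"12345678901234567890"  # constructed demo key (RFC 6287 test key)
    shop = Establishment(key)
    challenge = shop.issue_challenge("order-1001")  # read out to the client
    response = ocra_response(key, challenge)        # shown on the card
    accepted = shop.verify("order-1001", response)
    replayed = shop.verify("order-1001", response)  # same code a second time
    return accepted, replayed

if __name__ == "__main__":
    print(phone_transaction_demo())
```

Because the response is only six digits, the verifier's single-use handling of each challenge is what keeps guessing and replay over the phone channel impractical.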
Information Display Card
Interconnected EMV Chip
Fingertip access to critical information
• Interconnected EMV Chip / dual interface
• Paypass Certified
• 6-digit display
• Up to 12 button TOUCH keypad
• MasterCard Certified
Standard EMV chip technology updates the information every time the card is authorized online.
Presenter
Everything they love about the credit card (availability, convenience, …) just got even better. Now their payment card comes to life and… communicates with them. The 526 MasterCard card provides cardholders fingertip access to critical information, precisely when it is needed. This card is so much more than just a simple OTP device. It provides amazing features such as the display of account balance, transaction information, or even important just-in-time personalized messages such as payment due dates. Issuers: Unlike many other previous attempts to implement smart payment solutions, the MasterCard information card really leverages existing EMV infrastructure. Demo.
Communicate with Cardholder
• Card can be updated at any EMV POS terminal
• Display Updated Account Balance
• Fingertip access to transaction history
• All standard Payment Functionality
526 Information Card
Presenter
• Fingertip access to critical information, precisely when it is needed
• Uses standard EMV chip technology to update information via scripting messages whenever the card goes online
• Provides card, loyalty and transaction information on the display unit of the card to eliminate the need for ADC (call center, ATM, Internet, SMS) and printed reports
• Enriched customer experience, security perception enabling control of spending with instant transaction and account information on the display unit
• Just-in-time messages at the point of sale or authentication terminal for unprecedented interactivity between issuers and cardholders
• Leverages existing investment, compatible with current card business models and infrastructures
• Many other potential product propositions
Information Card in Action
[Figure: steps 1 to 4]
VISA CodeSure
Dot Matrix Display
Features
• New DOT MATRIX screen enables display of virtually any characters
• Unique TOUCH Keypad
• Secure contactless interface EAL5+ IC (ES and TS version)
• ISO 14443 Type B
Multi-Applications Card
• OTP
• PIN activation
• Challenge/response
• Payment Card
• ...more features to come
Presenter
Finally we have the Visa Codesure. The Codesure shares the same technical characteristics as the 306, with a different firmware from EMUE and a new dot matrix LCD that enables the display of extended characters. The screen and the touch keypad are at the back of the card, and the Codesure firmware provides all standard OTP functions as well as a challenge/response implementation from EMUE that they call Mutual Authentication Technology. VISA will commercialize this card sometime during the 4th quarter of this year, and you will hear about it very soon as they are about to begin public communication.
Convenience
TOUCH Keypad Innovation
• NID Security’s TOUCH Keypad Display Cards eliminate the need to carry around an additional cumbersome keyfob and/or card reader
• Single device cuts back on handling and management costs
• Single device is more environment friendly, reduces the use of resources
Presenter
Now Your Bank Card is Also Your OTP Device
• NID Security's TOUCH Keypad Display Cards eliminate the need to carry around an additional cumbersome card reader
• Keypad is built into the card itself, enabling all functions to be performed on one single device, the size of a normal credit card
• Users need to carry only the one card that they would normally already have with them
• Using only one device cuts back on costs and the use of resources
• Issuers only need to supply the user with one device
• Reduced packaging, product and shipping waste
• Enhanced security with built-in OTP functionality
• Increased transaction security reduces fraud costs
• PIN protected access to OTP
• Portable, anywhere/anytime access compared to token, SMS or similar solutions
• Enriched customer experience with leading edge technology
• Customer familiarity facilitates adaptation
• Increased customer security perception drives growth in e-commerce transaction volumes
• Leverages existing infrastructure investments
MasterCard Research
Public Information 2010
• 47% of consumers would apply for a MasterCard Debit Balance Display Card if offered by their bank.
• 71% of consumers are concerned about the level of risk when purchasing online.
• 60% of card payment fraud is associated with Cardholder Not Present transactions.
• 80% of acceptors of Display Cards would use their cards once a week and 57% would spend more.
• €10-15: the amount consumers are willing to pay for display cards.
• 70% of call centre calls come from mobile phones, of which 50% are simple balance enquiries. (Celent, Financial Services Technology Magazine, Issue 5)
VISA Europe Research
8 European banks, thousands of consumers
• 90% of consumers said they wanted to use the card for logging into more than online banking
• 86% of consumers were reassured about the bank's approach to security.
• €36: Research showed that French consumers are willing to pay €1 per month
• 70% said that they would use their cards for card not present more often
• 97% rated the bank high in terms of innovation
Summary
What Do Consumers Seek
• Security
• Control
• Convenience
Presenter
With more and more transactions being done online, the need for security became essential. Today this is met by various mechanisms: encryption for the transmission of data, passwords/logins for authentication. But that is not secure enough, because a password can be noted down. 2-factor authentication is a very effective and relatively cheap way to remediate this problem: something you know plus something you have, i.e. password lists, a scratch card or an OTP-generating device. Security: Authentication Display Cards give cardholders peace of mind and a feeling of security. This feature gives cardholders the reassurance that their online transactions are just as secure as if they were purchasing right from the store. Control: Especially with today's economic climate, cardholders see having control over their accounts as a must. The more information you have at hand, the better you can make decisions and have control over your account. Authentication gives them control over remote banking and payment transactions across any channel, anywhere, anytime, all from their payment card. (Implementing something that fulfills security and control needs can be quite challenging if we don't want to compromise convenience.) So we came up with the idea to design and build a device that enables secure online transactions and also provides anywhere, anytime important account information that can be carried with you all the time. Thus was born the Display Card. The familiarity of the credit card form and the convenience of the card already in their wallet make our authentication solution ideal for most cardholders.
End of Presentation
Thank you
Swiss Headquarters: Crêt du Locle 10, P.O. Box 1419, 2301 La Chaux de Fonds, Switzerland, t: +41 (32) 924 0404
U.S. Office: 8615 Washington Blvd, Los Angeles, CA 90232, USA, t: (310) 841-2939