Quantum plastic: an insight into credit cards of the future

In our recent blog post, “Jiggling with cards: doing criminal business on ATMs“, we told you how easily you could lose your money because of the tricks carders play on

In our recent blog post, “Jiggling with cards: doing criminal business on ATMs“, we told you how easily you could lose your money because of the tricks carders play on you. The main reason why it’s still happening is the rudimentary card security system which dates back to 1970’s. The data on the magnetic strip is written as ‘plain text’, and a PIN, a short security number easily susceptible to theft, serves the only stronghold of protection for your bank account.

 

It goes without saying that the finance industry, which currently loses unbelievable sums of money to all types of scammers, does its best to deploy more advanced transaction security technologies.

By now, the most successful project of all is the technology of chip-enabled cards (or EMV cards). Following their massive proliferation in Europe and Canada, the number of card cloning cases in these geographies decreased dramatically. Carders who use skimmers went to seek a better life to USA and Asia where EMV cards are not so widely used.

However advanced the EMV system might be in terms of card protection, it is not ideal and cannot protect against any threat imaginable — provided the skimming techniques also continue to evolve. It well may be we’ll be using different types of cards in the foreseeable future.

What would they be like? Let’s take a look.

Password and reply

The most obvious solution to the problem is adding another layer of security — like in the two-factor authentication approach used all over the Internet.

As for Internet, the thing really works. When paying online, besides a CVV2 security code on the reverse side of the card, a card-holder enters a one-time randomly generated password, either sent to a mobile phone in an SMS, printed by ATM or generated by a bank-authorized hardware appliance, a token. Two-factor authentication may be used even for offline transactions should large sums of money be involved.

Bank cards with an integrated display employ a similar method of authentication. In this case, a regular credit card is equipped with a built-in mini-computer, including an LCD screen and a digital keyboard. Besides generating one-time passwords, it is capable of displaying the balance, the history of transactions and so on.

Although the first interactive cards have been available for over five years, only several banks in Europe, USA and developed Asian countries offer them to the customers.

Card on demand

Dynamics, an American company, provides an even more exotic solution. The card does not have a stable magnetic strip, in the sense of the word. The latter is generated dynamically by the built-in hardware, on demand, and the user, as first, has to enter the password by means of an integrated keyboard.

If you happen to lack a password, the magnetic strip would not be generated and, consequently, the transaction would not be executed. Moreover, such a card does not have an ordinary 16-digit number: a part of the numeric sequence is not printed on the plastic but is displayed on the screen after the card-holder enters the password.

May I have your finger?

A password might be a powerful means of protecting your card, but there is no use in it should an absent-minded person be unable to keep it secret. We all know stories about ‘wise’ cardholders who would write a PIN on the very card and then lose it.

Biometry-based authentication is a radical solution to this problem. Zwipe, a Norway-based company, in association with Mastercard, is currently running a trial of a credit card with an integrated fingerprint scanner. The only thing you need to approve the transaction is placing your finger on the contact plate and — well, farewell, PIN!

Quantum comes to help

Regardless of decades of research, fully operable quantum computers remain a dream yet to come true. But there is a silver lining: some features of quantum tech will serve to create identifiers not possible to spoof.

At least, Dutch researches of University of Twente and Eindhoven University of Technology plan to use this concept of quantum-based security system for credit cards and personal IDs. Although now available only as a lab trial, their model of a quantum-based security system is being developed under the name of quantum secure authentication (QSA).

A tiny section of an ordinary plastic card is covered with a very thin layer of zinc oxide (no magic here — a.k.a ‘zinc white’). Then this section is bombarded by discreet laser-emitted photons. When hitting nano-particles, photons randomly reflect inside of the zinc oxide layer. This process alters the optical properties of a particle layer, forming a unique key.

So, if one beacons such a card with a sequence of laser impulses (i.e. ‘asks the question’), they receive a defined reflection pattern (i.e. ‘the answer’). A combination of unique ‘question-answer’ bundles is stored in the bank data system and is used to authenticate the key.

If a culprit tries to hijack a question and answer combination during the transaction it doesn’t work. Any additional photoelectric detector implanted into the system would destroy the quantum state of at least part of the photons and will corrupt the whole process for the attacker.

An alternative method of hacking this security system presupposes card forgery, keeping exact size, location and other parameters of the nano-particles in order to produce an accurate copy, and is practically infeasible due to high complexity of the process.

QSA developers claim that, regardless of a seemingly complex concept, this technology is relatively simple and cheap to deploy using readily-available tech and methods.

Make haste slowly

It is quite unlikely the banks would deploy the aforementioned security systems really soon. The finance industry is quite conservative and render it costly to roll out new tech in deployments of scale.

With that in mind, we are quite sure the payment method innovation will first be achievable in alternative non-banking services, including, for instance, new payment systems like Apple Pay or Google Wallet, or promising dark horses like Coin, Wocket and Plastc (we’ll relate their story a bit later).

Besides, it is crucial all wonders of tech in these sophisticated novelties would not be in vain because of imperfections in deployment process, as it frequently happens with EMV cards. The main security problem in this respect is that in case a terminal is not able to read data from a secure chip, it will turn to good old magnetic strip which remained there for the sake of backward compatibility. Well, the entire effort is then down the drain.

Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.