This credit card might be too secure for you

October 31, 2006, 7:04 AM UTC

I’ve been checking out a new high-tech credit card that reminds me of a security lesson I learned years ago.

Soon after I started a tech reporting job at the San Jose Mercury News in 1999, I was lucky enough to land a cubicle next to a guy named David L. Wilson. Dave, who covered the Microsoft anti-trust trial, was a geek’s geek and a treasure trove of information. One of the things he explained to me early on was a basic concept in security — something called three-factor authentication.

If you want to make it hard to break into something — I mean, really lock it down — demand three unique pieces of information from people before they’re allowed in.

  1. Something they carry, like a key.
  2. Something they know, like a password.
  3. Something they are — a piece of biometric data like a

    fingerprint, a voice print or a retinal scan.

Alone, any one of those factors can make something reasonably secure. If you think about it, most houses and cars are secured by one factor: a key.

Hard-core security these days, for most consumers, means two factors: something you carry combined with something you know. Most home security systems require that after you get in using a key, you punch in a password — something you know — to disable the system. ATM cards work similarly. To withdraw money, you first must have the card, which is one factor. Then you must enter a PIN number, for two factors.

These days it seems like only government agencies and extremely important financial transactions use the third factor — a fingerprint scan, retinal scan, voice print, etc. But that might be changing.

A Very Secure Card

As evidence of this, I bring you the ICT DisplayCard from Innovative Card Technologies. It’s a pretty remarkable little gizmo. It has the same size and flexibility as a normal credit card, but it has a little display built into the upper right-hand corner showing an 8-digit number. Pinch the lower right-hand corner of the card, and that number changes.

Folks who use tokens or key fobs for remote access the corporate network will recognize the concept. Because the number changes each time you press the button, it ensures that a person actually has the card. A system like this, fully implemented, would make it difficult for someone to do much damage with a stolen credit card number. It combines something you know (the credit card number) with something you have (the PIN number), theoretically giving normal online transactions the same level of security that an ATM machine offers.

So, given how worried folks are about identity theft these days, why aren’t you likely to get an offer to receive this card anytime soon?

For one, they cost $11.40 each.

Security Firms Likely to Bite First?

I talked to John A. Ward III, Innovative Card Technologies’s CEO, about the card’s prospects. He said the card is now in tests with one company in Latin America, two in Europe, and one in the United States. He doesn’t expect the cost of the card to drop dramatically anytime soon, so banks probably won’t start mailing them out en masse.

“I think our major sales are going to come from security firms,” he said. “This cannot be a product for the mass market. I think the

target market segments are affluent and wealthy, online banking,

brokerages. To date there hasn’t been the demand from the consumers

to want to buy a card like this.”

I’d be thrilled to have a card like this that I could slip out of my wallet when I need to access the corporate network. As for the credit card market — we’ll see.