The folks from Visa Europe have announced a new scheme. They want to plant a random number generator on a credit card:
[Visa PIN Card] combines a debit or credit chip with technology that generates a secure one-time-only code displayed to the cardholder via an integrated eight-digit alpha-numeric screen. Not only is it extremely user-friendly to operate, it has a built-in battery designed to last for at least three years. As a result it offers issuers with a completely secure solution to better authenticate online transactions while giving cardholders ultimate peace of mind when shopping over the telephone or internet without the need for a separate device.
Sounds like a really enhanced shopping experience, doesn't it? And I'll bet online retailers just can't wait to re-tool their shopping cards to accept this new capability.
By the way, don't start checking the mail every day for your new random-number enabled credit card. They're going to be tested for six to 12 months to see how well things shake out.
In the meantime, security experts will probably point out numerous ways the random number generation could be bypassed. For instance, maybe hackers will figure a way to crack the random number generator to results that will work with the system. Or perhaps a man-in-the middle attack could be used to capture the codes as they're being entered, and then quickly used on another site.
I wouldn't worry about such tactics. I'm sure Visa Europe will then issue a firmware update that will temporarily thwart the hackers who figured out the original random number generator, and the man-in-the-middle attacks can be defeated by placing a digital signature on each card. All the online merchants would have to do is then update their sites with some "simple" PKI implementation. See how convenient all of this will be?
But it won't be the attacks that kill this idea. It'll be the crack screens that display the random code. It'll be how credit cards that go through the wash no longer work. Or how keeping the card in your wallet bends it so much that it no longer works.
It's the inconvenience of it all that will kill this idea.