November 12, 2008 – 3:22PM
A small Australian tech firm believes it can stop up to $1 billion a year in credit card fraud with its new battery-powered supercard.
The card includes an alpha-numeric display, built-in microprocessor, a keypad and three years of battery power.
When a user enters a PIN into the card the display shows a one-time number with which to authenticate each online credit card transaction.
Each card costs about five times more than a regular credit card to produce and will be sold to bank customers during overseas trials for between $US18 and $US30 each.
The technology was developed over 2½ years by a small Deloitte-backed technology firm called EMUE Technologies based in Adelaide and Melbourne.
The two founders previously worked in banking security and technology companies.
EMUE’s chief executive, Brendan McKeegan, said trials would begin with an Australian bank in the first quarter of next year.
This week Visa announced it was piloting EMUE’s technology at one bank each in Britain, Israel, Switzerland and Italy. The bank in Britain is Bank of America.
“The interest in this solution in the industry has been overwhelming and we look forward to working with the banks involved in the pilots to gain greater insights into how effective this solution can be in the longer term,” Sandra Alzetta, head of innovation and new products at Visa Europe, said.
Bureau of Statistics figures show 383,300 Australians lost an average of $1600 to credit card fraud last year.
But the bureau acknowledged the true figure was much higher because its survey only recorded an individual’s most recent loss.
Banks have struggled to stamp out credit card fraud because, no matter how secure their systems are, they can do little to prevent a customer from losing their credit card details.
It is common today for viruses to send back a detailed log of everything the victim enters into their keyboard, including automatically pulling out credit card numbers with expiry dates and the three-digit security code.
Getting infected by such viruses only takes opening an email attachment or clicking on a malicious web link.
Similarly, there is little banks can do if a merchant is hacked and its customers’ credit card details are stolen.
With EMUE’s technology, even if all of these details are stolen the hacker is unable to make any online transactions because the security code is different each time.
Whenever users want to buy something online, they give the online merchant their credit card and expiry date as normal.
But instead of using a static three-digit security code typically found on the back of the card, the user enters the PIN on the card’s keypad and uses the one-time number generated by the card as the security code.
This means merchants do not have to modify their systems in any way.
“It’s a fundamental step that will solve most of the fraud, notwithstanding if someone attacks me and steals my card and convinces me to give them the PIN,” McKeegan said.
He said the technology could also be used for logging into online banking and for verifying a bank’s identity during phone calls from the bank. With online banking, the password used is the code generated after typing the PIN into the back of the card.
McKeegan explained that the PIN was not stored on the physical card itself, so even if it was stolen it could not be hacked.
“When the card is created for the user it has a unique seed on it, and that unique seed is stored with the bank … along with the PIN the user chooses,” he said.
“If I enter the wrong PIN [into the credit card] it will still generate a number for me, but when I put that into the browser [to buy something] it will reject that as a transaction.”