ROBERT SIEGEL, host:
If a new product gets off the ground, the credit card of tomorrow could make the plastic in our wallets today seem absolutely primitive.
Nowadays, if we're buying something on the phone or online, we often not to enter the three-digit security code that's on the back of the card as well as our regular credit card number. Well, now comes a new idea to make that card more secure.
What if the code changed every 10 seconds? And there are devices like that to allow unauthorized people to get into secure government educational or corporate computers. But to this idea is to put the changing code onto a credit card.
David Utter writes about this for Web Pro News and joins us by phone from Lexington, Kentucky. Welcome to the program.
Mr. DAVID UTTER (Reporter, Web Pro News): Hi, Robert.
SIEGEL: And I'd like you to run us through a hypothetical transaction that would use this new kind of credit card, which I gather has been developed by InCard Technologies Corporation.
Mr. UTTER: The way a transaction would work would be the way most people are used to doing transactions today. They would log on to a Web site to perform some sort of business, a retail purchase, perhaps. When it comes time to complete the transaction, they will be prompted for the one time password available from their payment card by pressing a button on the card.
A number is generated, and that number is valid as a one-time password for a limited time. Entering that number completes the transaction and verifies the person physically has possession of the card.
SIEGEL: Now, you said pressing a button on the card and there's a display on the - is this still the same size as a credit card?
Mr. UTTER: It's exactly the same size as a typical card that you or I or anyone else carries in their pocket today.
SIEGEL: Would there be a battery inside the credit card to do this?
Mr. UTTER: Correct. It has a battery, and a circuit, and a little button that powers it up when it needs to generate occur that you press.
SIEGEL: If I press my credit card today, a number will come up. If I don't use my credit card for a week and then I press it then, would that same number come up or is my credit card's own circuit thinking all that time and advancing through a large number of codes?
Mr. UTTER: From the way the technology is described, the circuit is only activated by pressing the button. If your card is sitting in a drawer for a week, then it's not going to generate any numbers until you come back and press a button and get one as you need it.
SIEGEL: Well, then how would the matching number back home know what my number is? And how would it validate that selection if it depends on when I press the button on a credit card?
Mr. UTTER: The way, as I understand the technology, the backend server is going to recognize a certain number of valid pass codes during a particular period of time to the way the circuit is made. It's going to generate numbers based on the time that you press it. For it to properly work with a backend server, it has to have a way to be able to recognize the time that it's being pressed and for the server on the other end to also recognize a valid pass code that could come through at that particular time.
SIEGEL: So it sounds like my super secure credit card would not just have a circuit in it and a button and a display, it would have a clock in it...
Mr. UTTER: It has an operating system in it.
SIEGEL: And that operating system would know that on a given date, even if I haven't used it for a week, there's a specific set of numbers that might be valid in the first week of May or the first couple of days of May 2007.
Mr. UTTER: It seems that the generation of the pass codes is going to be linked to the date and time. It would have to be for it to sink properly with the backend server waiting for that one-time pass code.
SIEGEL: Well, are we likely to see this on the market anytime soon?
Mr. UTTER: I think there would be concerns that people have about online security. It would be surprising not to see it. As an example, E*TRADE had to pay out about $18 million last October to cover people who were defrauded financially because of their credentials being logged by malicious software on their systems and how these particular accounts had some, sort of, on time pass code available. Those losses, probably wouldn't have taken place if E*TRADE (unintelligible) that amount of money.
SIEGEL: On the other hand, if somebody had your credit card, if they stole it somehow, they wouldn't have to know any pin or anything like that, they just press a button and they'd be valid.
Mr. UTTER: If they have the physical card then they do have control.
SIEGEL: Well, David Utter, thanks a lot of talking with us about this.
Mr. UTTER: Thank you, Robert. I appreciate the time.
SIEGEL: Mr. David Utter speaking to us from Lexington, Kentucky where he writes of WebProNews.
(Soundbite of music)
SIEGEL: ALL THINGS CONSIDERED is a production of NPR News, which is solely responsible for it's content. You can purchase transcripts of stories you hear on this program, visit our Web site, npr.org and click on Transcripts at the top of the page. To learn more about all the books and authors you hear on NPR programs, go to npr.org/books.
This is NPR.