ROBERT SIEGEL, Host: David Utter writes about this for Web Pro News and joins us by phone from Lexington, Kentucky. Welcome to the program.
DAVID UTTER: Hi, Robert.
SIEGEL: And I'd like you to run us through a hypothetical transaction that would use this new kind of credit card, which I gather has been developed by InCard Technologies Corporation.
UTTER: A number is generated, and that number is valid as a one-time password for a limited time. Entering that number completes the transaction and verifies the person physically has possession of the card.
SIEGEL: Now, you said pressing a button on the card and there's a display on the - is this still the same size as a credit card?
UTTER: It's exactly the same size as a typical card that you or I or anyone else carries in their pocket today.
SIEGEL: Would there be a battery inside the credit card to do this?
UTTER: Correct. It has a battery, and a circuit, and a little button that powers it up when it needs a generated code, that you press.
SIEGEL: If I press my credit card today, a number will come up. If I don't use my credit card for a week and then I press it then, would that same number come up or is my credit card's own circuit thinking all that time and advancing through a large number of codes?
UTTER: From the way the technology is described, the circuit is only activated upon pressing the button. If your card is sitting in a drawer for a week, then it's not going to generate any numbers until you come back and press a button and get one as you need it.
SIEGEL: Well, then how would the matching number back home know what my number is? And how would it validate that selection if it depends on when I press the button on a credit card?
UTTER: The way, as I understand the technology, the backend server is going to recognize a certain number of valid pass codes during a particular period of time. The way the circuit is made, it's going to generate numbers based on the time that you press it. For it to properly work with a backend server, it has to have a way to be able to recognize the time that it's being pressed and for the server on the other end to also recognize a valid pass code that could come through at that particular time.
SIEGEL: So it sounds like my super secure credit card would not just have a circuit in it and a button and a display, it would have a clock in it...
UTTER: It has an operating system in it.
SIEGEL: And that operating system would know that on a given date, even if I haven't used it for a week, there's a specific set of numbers that might be valid in the first week of May or the first couple of days of May 2007.
UTTER: It seems that the generation of the pass codes is going to be linked to the date and time. It would have to be for it to sync properly with the backend server waiting for that one-time pass code.
SIEGEL: Well, are we likely to see this on the market anytime soon?
UTTER: I think that with the concerns that people have about online security, it would be surprising not to see it. As an example, E*TRADE had to pay out about $18 million last October to cover people who were defrauded financially because of their credentials being logged by malicious software on their systems. And had these particular accounts had some sort of one-time pass code available, those losses probably wouldn't have taken place, and E*TRADE would not have been out that amount of money.
SIEGEL: On the other hand, if somebody had your credit card, if they stole it somehow, they wouldn't have to know any PIN or anything like that, they just press a button and they'd be valid.
UTTER: If they have the physical card then they do have control.
SIEGEL: Well, David Utter, thanks a lot for talking with us about this.
UTTER: Thank you, Robert. I appreciate the time.
SIEGEL: Mr. David Utter speaking to us from Lexington, Kentucky, where he writes for WebProNews.
(SOUNDBITE OF MUSIC)
SIEGEL: This is NPR.