maemo.org - Talk


romu 2015-01-26 09:31

Credit Card Authentication feasibility
 
Hi,
Don't think this thread is about piracy, that's not the subject at all!

To connect to my bank's web space, I have to use a small computing device where I need to plug my credit card in. Once plugged in, this device computes some cryptographic challenge to generate a code I can use to connect to the web site.

I just wonder if there is some way to develop a smartphone application to do the same. Of course, this application should know about the credit card. But I wonder if this would be enough to be able to compute the challenges the same way.

Any idea?

juiceme 2015-01-26 10:17

Re: Credit Card Authentication feasibility
 
I'm fairly sure the device you have is just for user interface (input pin, input challenge, show response) and the actual computation of the challenge/response is done on the card itself.

Hence, not possible to do without the card.

pichlo 2015-01-26 13:21

Re: Credit Card Authentication feasibility
 
Sorry about the rant but I cannot help myself. I thought the whole point of online banking was convenience. Having to carry around a card reader or any other gizmo flies straight in the face of that. Neither of the two banks I deal with has yet started to require similar nonsense and I dread the day when they start.

romu 2015-01-26 13:39

Re: Credit Card Authentication feasibility
 
Yep, I do confirm, that's anything but convenient.

That's why I was asking about an application, to not have to carry the device.

Wikiwide 2015-01-26 22:05

Re: Credit Card Authentication feasibility
 
Quick reply...

If the credit card includes PayWave, or something similar for contact-less payments... If your mobile phone includes NFC antennae... Then you may be able to develop a mobile phone application which would pretend to be your-card-reader-plugged-into-phone, while in fact interacting with the credit card through NFC.

Do you have some specifications, datasheet, or something, about what exactly your card reader is doing?

Thank you. Best wishes.
~~~~~~~~~~~~~~~~~
Per aspera ad astra...

peterleinchen 2015-01-26 22:18

Re: Credit Card Authentication feasibility
 
The chip on the card can store data (even algorithms) but cannot compute, right?
So it needs some kind of CPU, here provided by the gizmo.
Maybe wikiwide's idea could be feasible.

BUT if it really would be so easy I would even be more scared ;)

pichlo 2015-01-26 22:33

Re: Credit Card Authentication feasibility
 
Quote:

Originally Posted by peterleinchen (Post 1458344)
BUT if it really would be so easy I would even be more scared ;)

Why? Admittedly I do not know what kind of challenge-answer is involved but I would imagine that the whole point is identifying you.

Now, there are (currently) three ways of identification, based on something that you...
  • ...are. This is the strongest method and can be based on various biometric parameters (iris scan, voice signature, fingerprint...). Difficult to do with gizmos such as the one mentioned by the OP.
  • ...have. The centuries-old lock-and-key belongs here. As do various gizmos provided by the banks. The gizmo may well be just to identify that you have the right card, in which case the card is the key, not the gizmo. I do not see replacing the gizmo with a phone as any less secure than replacing the gizmo with another gizmo from the same bank.
  • ...know. The most common and also weakest method involving various kinds of password. Both my banks use this method, trying to reinforce it by having three different passwords and using three different input methods (to fool key loggers etc).

Wikiwide 2015-01-26 22:47

Re: Credit Card Authentication feasibility
 
I think that the credit card includes both memory (encrypted, or something) and chip-processor-CPU. It just needs a power source to start working, and somebody to communicate with. In this case, the gizmo is the power source, and somebody who knows credit-card language well enough to conduct the card's communication with the bank through the computer.

The NFC of your phone can act as a power source (beware of battery drain) if your card supports contact-less payments, but the communication API (imitation of the gizmo) will be the most troublesome part. Because the bank will likely try to keep it a secret.

Oh, and I forgot: if credit card designers are paranoid, the contact-less aka NFC communications will be more limited than contact-communications. A different algorithm for them, or something.

Thank you. Best wishes.

romu 2015-01-27 08:55

Re: Credit Card Authentication feasibility
 
As far as I know (because I worked in the cryptography world a long time ago), this kind of computation is based on "zero knowledge proof" (https://en.wikipedia.org/wiki/Zero-knowledge_proof).

