Beepcard has announced a new credit card they have developed that supports audio-based authentication for credit card transactions, via technology embedded within the card itself. This is a very cool idea, assuming they can get past a couple technology and personal adoption issues.
Beepcard had previously developed a credit card that could be used to verify that a remote customer had physical possession of the credit card being used for an online transaction. The customer would hold the special credit card up to a microphone hooked up to the computer being used to facilitate the transaction. The customer pressed a button and the card would emit a pseudo-random sound. The actual sound is determined by an algorithm simultaneously run on a chip on the card and running on a server. The sound is recorded by an applet that can be installed by the customer or downloaded from a website. Beepcard’s software running on a remote server would then verify whether the correct sound was emitted. Since the sound is cryptographically (3DES) unpredictable, you don’t have to worry about a replay attack.
Although the article doesn’t mention it (but Beepcard’s website hints at this), I don’t see why a company couldn’t ask the customer to hold the card up to a telephone’s microphone and press the button, record the sound on the call center’s equuipment, and then verify the recording with the server’s calculation. That would provide additional security even for orders through a human or automated call center agent. Of course, calls over cellphones or poor connections might have problems. Sampling rates for telephone calls are typically around 8 kHz with 8-bit samples, so a second or two of audio should be able to provide you with plenty of information bits for a secure audio code. Heck, the RSA SecurID token I used to have at work used only a six digit number as the ID code.
Their new credit card contains a microphone. You speak your password and the card authenticaes you. Assuming they used digit-only passwords, the voice recognition software needs to distinguish between only ten digits., albeit in a speaker independent manner. Of course, this is still quite an accomplishment for software running on a very small, extremely low power, CPU.
Some day, this will be extended to speaker authentication with non-secret phrases. You will speak a large set of phrases and a model will be constructed for your speech patterns. You will then be prompted to repeat a varying, non-secret phrase, such as count from 1 to 6, or say the alphabet from f to j. The randomness will make it harder for a thief to use a recording and the non-secret nature of the phrase will allow you to use in public settings.
Of course, the challenges include:
- Battery life – they are targeting to support 10 transactions a day for two years
- Thicker, more fragile card – the card is three times as thick as a normal card, and obviously more fragile
- Customer security concerns – even though the card should make transactions more secure, people often fear new technology, especially if it is difficult to explain to them exactly how it works
- Spoken passwords – Since you have to speak your password, it is suitable for use only where you don’t think anyone else can hear you
- Hoarse voices – if the customer can’t speak normally, they can’t use the card unless they tell someone else their password. This will be an even bigger problem for speaker authentication.