A password for your credit cards

InCard Technologies' way to validate online transactions: credit cards that generate one-time passwords. Photos: Credit card security Video: Here's DisplayCard

Joris Evers
Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

3 min read
As banks face an end-of-year deadline to strengthen online authentication, one company believes it holds the right card to customer security--a one-time-password.

Los Angeles-based Innovative Card Technologies, or InCard, has found a way to build a display, battery and password-generating chip into a card, such as a credit card. The technology competes with tokens, such as those sold by RSA Security, Vasco and VeriSign.

credit card

"We took a form factor that was awkward and fat and miniaturized it," Alan Finkelstein, InCard's chief executive officer, said in an interview. "The current tokens are clumsy and can only do one thing well, issue the one-time password. Our card can be your credit card, your employee ID card and give you access to buildings."

Just like the tokens, the card, called a DisplayCard, generates passwords that can be used to validate online logins or transactions, for example when banking online. The cards offer an extra level of security, in addition to the traditional login name and password. Some banks, such as online broker ETrade Financial, have provided high-net customers with tokens for some time.

The InCard product comes as financial services companies are under increasing pressure to improve the security of online transactions. The Federal Financial Institutions Examination Council recommended last October that banks introduce multiple-factor authentication by the end of 2006.

Click here to Play

Video: Password on a credit card
Company creates new online authentication method

It took InCard four years to develop the card, Finkelstein said. The company combined technology from a Taiwanese display maker, a U.S. battery manufacturer and a French security team, he said. A Swiss partner, NagraID, owns the rights to the process to combine the pieces and actually manufacture the technical innards of the card.

The biggest development challenges were the ability to bend the card, power consumption and thickness, Finkelstein said. The result is a card that's as thin and flexible as a regular credit card and is guaranteed to work for three years and 16,000 uses. "Which is about 15 times a day, seven days a week," Finkelstein said.

One card, two chips
In the near future, InCard plans to present a card that has two chips, both inside the card. One will generate the password and the other will store personal information, such as details on the last transaction or balance information, he said.

InCard is in talks with various banks and credit card organizations around the globe to get its invention into the market, but it can't announce any deals yet. Visa, however, has already agreed to evangelize the technology to its banks, Finkelstein said.

InCard is well-connected in the banking world. Chairman John Ward previously served as CEO of American Express Bank and held senior positions at Chase Manhattan Bank.

One possible barrier to InCard's success is the price of its card. A credit card with a one-time password generator costs just over $10, much more than the approximately 40 cents it costs to produce a plain card and $5 for a traditional password-generating key fob.

However, InCard says it believes it can overcome that obstacle. Sealing, addressing and mailing a token adds about $5 in cost, according to Finkelstein. "Banks know how to deploy cards in mass numbers...if you combine everything, we're pretty much compatible in cost."

U.S. banks haven't in the past been prepared to pay for tokens and distribute the security gadgets among their customers. The FFIEC recommendation might change that, though there are several options beyond one-time passwords that meet its two-factor authentication definition.

InCard closely controls the rights to produce the one-time-password cards. The card is ready for mass production, according to the company, which plans to license the technology to other players so more cards can be manufactured when needed, Finkelstein said.

About a year and a half from now, InCard expects 5 million of its cards to be in use. The company predicts banks and brokerage firms will hand them out to their best customers.