-------- Original Message --------
Subject: CRYPTO-GRAM, April 15, 2004
Date: Thu, 15 Apr 2004 00:38:40 -0500
From: Bruce Schneier <[EMAIL PROTECTED]>

BeepCard
BeepCard is a technology company. They sell a sound authenticator for credit cards. The demo looks like a credit card -- an actual credit card that passes all the credit card specs for bendability and reliability and everything -- and contains a speaker and a sound chip. When you press a certain part of the card -- the "button" -- it spits out an audible 128-bit random string.
It's a non-repeating string that's reproduced in software at the other end, similar to a SecurID card, so an attacker can't record one audible string and deduce the rest of them.
This is perhaps the coolest security idea I've seen in a long time. They have a demo application where you go to a website and purchase something with a credit card. To authenticate the transaction, you have to put the card up to your computer's microphone and press the button. The sound is captured using a Java or ActiveX control -- no plug-in required -- and acts as an authenticator. It proves that the person making the transaction has the card in his hands, and doesn't just know the number. In credit-card language, it changes the transaction from "card not present" to "card present."
Even cooler, they are making an enhancement to the system that also includes a microphone on the card. This system will require the user to speak a password into the card before pressing the button.
Why do I like this? It's a physical authentication system that doesn't require any special reader hardware. You can use it on a random computer at an Internet cafe. You can use it on a telephone. I can think of all sorts of really easy, really cool applications. If the price is cheap enough, BeepCard has a winner here.
<http://www.beepcard.com>
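
The non-repeating string scheme described above, sketched as an added example (not BeepCard's code and not part of the newsletter). The article does not say how the card derives its strings, so the HMAC-SHA256-over-a-counter construction, the look-ahead window, and the names `Card`, `Verifier` and `card_code` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 16  # 128-bit string, the length the article gives


def card_code(key: bytes, counter: int) -> bytes:
    """Code for one button press (assumed construction: truncated HMAC of a counter)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:CODE_BYTES]


class Card:
    """The token: holds the secret and a press counter, never repeats a code."""
    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def press(self) -> bytes:
        code = card_code(self._key, self._counter)
        self._counter += 1
        return code


class Verifier:
    """The software at the other end: reproduces the codes from the shared secret."""
    def __init__(self, key: bytes, window: int = 10):
        self._key = key
        self._next = 0         # lowest counter value not yet accepted
        self._window = window  # tolerates presses the server never heard

    def verify(self, code: bytes) -> bool:
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(card_code(self._key, c), code):
                self._next = c + 1  # burn this counter and every earlier one
                return True
        return False


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed per-card secret
    card, server = Card(key), Verifier(key)
    first = card.press()
    card.press(); card.press()     # two presses that never reach the server
    later = card.press()
    return {
        "first_accepted": server.verify(first),
        "replay_rejected": not server.verify(first),  # recorded sound played back
        "skipped_ahead_accepted": server.verify(later),
        "guess_rejected": not server.verify(secrets.token_bytes(CODE_BYTES)),
    }
```

The replay case is the one the article highlights: a recording of one emitted string is useless once the verifier has moved its counter past it, and without the key the recording does not predict the next string.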
