Powered smart card with a biometric one time password system

Periodic Reporting for period 3 - QuardCard (Powered smart card with a biometric one time password system)

Reporting period: 2019-02-01 to 2020-01-31

Financial fraud is a global problem, with online banking fraud rising by double-digit percentages as financial activity on the internet increases. Online transaction safety is a major issue for individuals, card issuers, merchants and banks, all of whom risk significant losses. Physical payment issues have increased with the popularity of contactless payment, where electronic pickpocketing and skimming of cards are increasing.
The massive increase in cyber-crime activities happens partly because the internet can be used under false identities, enabling anything from fraud and “man-in-the-middle” attacks to skimming the personal data of millions of citizens and organizations. Cyber-crime losses are expected to rise to $2,100 billion this year.
The digital world makes life convenient for citizens, but it makes it equally easy to live incognito in the cyber world, performing criminal activities that are hard or impossible to track down. Citizen biometric databases get hacked, leading to the loss of citizens' unique identity across whole nations, as in India with the Aadhaar data breach, and this must be stopped.
Blockchain solutions and cryptocurrency trading platforms also pose a significant risk of money laundering due to anonymous users. Unique user identification is needed to provide a secure blockchain solution that excludes criminal activities in which the culprits' true identity cannot be detected.
The importance of this project to society is increasing, in order to ensure cyber security, secure unique citizen ID and full privacy protection. An offline biometric card solution is today the only viable way to secure unique user ID, as IoT devices can be hacked.
The increasing number of terror attacks, both physical and virtual, calls for solutions to protect society, citizens and critical infrastructure. The biometric card with backend authentication system provides such a protective tool, with a much lower risk of hacking, and removes the risk of losing critical biometric data from databases.
The overall objective is to provide unique user identification with full privacy protection, which this project provides.
In this project period, our main focus has been to improve security in financial transactions, with a focus on PSD2 and tokenization. PSD2 requires strong customer authentication and dynamic linking for card-not-present transactions (e-commerce). We have solved this issue with a combination of a server update, a QuardCard update and a mobile app, and now actually perform secure user authentication, SCA (2-factor authentication), in card-not-present transactions (e-commerce), which means at least 2 of the following factors:
1. Something you have
2. Something you are
3. Something you know
We have also carried out R&D on tokenization, where a virtual credit card number or token is created as a surrogate value that stands in for a real credit card number in a payment transaction, and we now have a roadmap for implementing this technology with QuardCard and the backend server.
Over the total project period up to now, development has stabilized and improved the technology further and has brought along a new version of QuardCard with a much better fingerprint touch sensor and new exciting features being implemented, such as:
1. PSD2 requiring strong customer authentication and dynamic linking in e-commerce
2. Tokenization
3. Energy harvesting
4. Battery augmentation
5. E-ink display
6. Updates to Identity & Authentication server (manage key feature, TOTP, PSD2, SAML 2.0)
7. New Vendor Tool interface between server, NFC reader and firmware
8. Biometric template match in secure element
9. Biometric fingerprint matching as CVM in EMV applets
10. Improved production technology and quality assessment
Ongoing market research has confirmed that the following solution with 4 different card models will cover most requests made by customers:
1. A contact and contactless energy-harvesting card for payment, access control and to some extent ID card
2. A contact and contactless energy-harvesting card with battery augmentation and display for E-commerce, E-banking, card-present transactions, E-government and to some extent access and ID cards. Some of these solutions will have to contain a dynamic magstripe for token transmission to existing “brick and mortar” systems
3. An OTP card with display and primary battery for low frequency use for card-not-present and card-present transactions, E-banking, E-government, access, and ID cards
4. A high-frequency-use card with rechargeable battery, large display, and contactless interface via NFC and BLE as a cryptocurrency cold wallet and for cryptographic authentication of blockchain users. A dynamic magstripe for token transmission to existing “brick and mortar” systems can be added.
Unique user identification is coming closer, with both the EU and MasterCard, among others, starting to mandate biometric authentication of users. Biometric authentication done directly with an offline device like QuardCard is by far the most secure way of protecting privacy, taking PSD2 and GDPR compliance into account. The offline authentication, turning an individual into a token, eliminates the value of any hacker attack and eliminates the risk of biometric data loss due to database hacking.
Stricter GDPR regulations are in force, and it is clear that our solution provides a secure and GDPR-compatible system solution in the most efficient and secure way ever seen. OTP, dynamic CVV, dynamic PIN and sending the code via NFC give a strong platform to handle tokenization and PSD2 as well. Identity theft can be dramatically reduced by the solution, as the authentication is moved offline with only online tokens visible. The offline template storage enables sending a biometric encoded credit card by mail, ensuring only the cardholder's fingerprint can activate the card.
The PSD2 requirement has added a compliance factor, with payee number and amount being included in e-commerce data; this has now been implemented on QuardCard and the backend server.
Biometric verification (template match) in the Secure Element, ensuring biometric verification directly on the card, is the solution of the future, but for full security it needs our tokenization solution.
QuardCard security is well above other card solutions of today. When implemented in all financial transactions, physical and online fraud can be eliminated, as transactions require the correct fingerprint.
Distributed storage of fingerprints in offline cards is a huge step forward in citizen identity protection and, system-wise, a huge security improvement, with each transaction uniquely identified with no critical personal data but an exchange of biometric ID one-time codes.
This gives blockchain and cryptocurrency exchange platforms legitimacy, with each created block given a tokenized biometric stamp. In case of suspected criminal activities, authorities can, via a blockchain data dump, identify persons who have performed any criminal activities.
The solution can provide huge savings on cyber-attack losses by allowing only authorized, biometrically identified users access to databases and by keeping critical data stored only in the card, out of hacker reach and accessible only with correct biometric authentication.
As a side effect of the distributed security with the fingerprint match on card, the solution is so far the only fully secure solution that takes true identification, cyber security and hygiene into consideration, keeping the COVID-19 virus in mind.
Production version of QuardCard ready for personalization
QuardCard Biometric OTP card with EMV chip, FPC1080A swipe sensor and display for OTP, CVV and PIN
QuardCard Biometric OTP card with EMV chip, FPC1321 touch sensor and display for OTP, CVV and PIN