Web Security Device Uses Stripe Cards

A company in Microsoft Corp.'s backyard is bucking the trend toward smart cards and digital wallets by promoting an Internet security device for old-fashioned magnetic stripe cards.

Universal Teller Machine Systems Corp. of Bellevue, Wash., says its "UTM Machine" -- a device the size of a computer diskette -- can make debit or automated teller machine cards a realistic on-line payment option.

Instead of typing a credit card number into a form on a Web shopping site, a consumer would insert an ATM or credit card into a UTM device, which in turn would slide into the personal computer disk drive. A screen resembling an ATM display would pop up on the computer monitor and the consumer would use the computer's keypad to type a personal identification number. Messages on the screen would then prompt the consumer through the transaction, as with an ATM.

UTM executives say the system is safer and more convenient than entering credit card numbers into digital wallets or Web order forms, but critics say the company seems to be spiffing up a buggy whip just as Model Ts are catching on.

American Express Co.'s Blue card, introduced last month, has both a computer chip and, for conventional retailing transactions, a standard magnetic stripe. The "smart chip," as Amex calls it, is designed to open doors to the Internet. Cardmembers will get a card reader -- free until Jan. 31, $25 thereafter -- for authenticating transactions with digital certificates programmed into the chip.

People in the smart card industry say the combination of the chip with digital authentication may be the long-awaited spark to mass adoption of the advanced cards by banks and other companies. And that, experts say, could make the UTM device seem moot.

Robert Lee, president and chief executive officer of UTM, said the Blue card with its PC-connected readers could actually be good for his cause. Because the payments infrastructure still weighs heavily in favor of magnetic stripes, the UTM system will feel more familiar to consumers, he reasoned.

The company is encouraging banks in the United States and abroad that buy its system to give free card readers to customers. Just as magnetic stripe cards are less expensive than smart cards -- 35 to 40 cents each versus $5 to $10, Mr. Lee said -- the $6 cost of a UTM device looks cheap next to a $40 or $50 smart card reader.

Again, smart card promoters have answers. Reader costs are falling. Celo Communications, a Swedish digital security company that has opened shop in Mountain View, Calif., just put one on the market for $39 and said it would go well below that in large production quantities. In France, card industry executives have said they expect to equip all PCs for smart cards -- a requirement of the national standard for electronic commerce -- for $20 per keyboard or less.

As those prices come down -- or as smart card readers become standard with new PCs, something Microsoft and others are pushing for -- it becomes easier to justify the cards on the basis of their ability to help reduce fraud and to permit fee-generating services such as loyalty-point programs.

But UTM is betting that the smart card revolution is still a few more turns around the track.

"We're basically putting the power of an ATM into the hands of consumers," said Mr. Lee, 48, who founded UTM in February 1998 after a career in computer programming, graphics, and marketing.

The company says it holds patents on the manufacturing process and one component of the reader and that it has letters of intent from one financial institution in the United States and three in Europe. (Mr. Lee said the smart card infrastructure in Europe does not extend to Internet transactions.)

The system "sounds like too little, too late," said Ben Miller, a veteran consultant and chairman of Cardtech/Securtech, the company that runs the largest annual smart card conference in the world. (Cardtech/Securtech is owned by Thomson Corp., which is also the parent of American Banker.)

Mr. Miller said UTM has misread the market and seems to be trying to extend the life of magnetic stripe cards, which have "inherent weaknesses" including vulnerability to fraud because they are "relatively simple" to copy.

With a UTM device, he said, a purchase is "still a customer-activated transaction," Mr. Miller said. "There is no clerk there to see what that card looked like, where it came from."

Mr. Miller cited another practical problem. Fewer Internet-access devices are being built with disk drives. Apple Computer Inc.'s iMac does not come with one, for example, though it can be purchased separately. WebTV, cellular telephones, and other remote devices and appliances are gaining popularity as Internet access tools -- many of them with smart card slots.

Erik Bowman, formerly of Cardtech/Securtech and manager of emerging markets for Identicator, a fingerprint biometrics unit of Identix Inc., said the UTM device, as a transitional item, should not be scoffed at. He said that given the novelty of Internet payments and continued skepticism among much of the public, psychological barriers should not be underestimated. Something like the UTM device could ease worries.

"You don't have very many smart cards in wallets right now," Mr. Bowman said.

UTM Systems boldly predicts it will ship more than five million devices in 2000 -- after it has gotten banks, ATM networks, and on-line merchants to sign on. (That number would be equal to about one in 10 U.S. households with personal computers.)

The 17-employee company started with about $1 million in seed money raised mostly in the Seattle area. The company currently has a commitment of $10 million from strategic investors in the United States and Far East, Mr. Lee said, and is attempting to raise $20 million to launch its machine. Company directors include Luke Helms, former head of Bank of America's Seafirst affiliate in Seattle and now a vice chairman at KeyCorp.

Mr. Lee said his company plans to begin bank trials this year and to roll out the product in early 2000. He said it is in "very serious negotiations" with three shopping portals, each linking to thousands of on-line merchants.

UTM says it will not take any cut of transaction revenue, but instead will make money from merchant advertising on the on-screen interface that pops up when consumers initiate transactions.

"The mag stripe cards are cheap to deploy, banks have all the equipment in place, and they can send them out quickly, inexpensively, and efficiently," Mr. Lee said. "They have the infrastructure and it's done -- it's easy."

To be sure, there are obstacles. Banks would have to rely on UTM to authenticate cardholders. And as they begin to use the device, they would have to get into the habit for the first time of entering PINs for Internet transactions, whether credit or debit.

UTM's idea is that a bank would send a consumer the card reader and a PIN in separate mail. The PIN would be unconnected to the existing PIN attached to an ATM card. The lithium-battery-powered UTM reader contains a microprocessor chip, which cannot be activated without the unique PIN assigned to it.

After it is activated, the chip in the card reader would process the data encoded on the magnetic stripe and send a message to UTM's server. For security, the message would be encrypted.

This message would be used to certify the authenticity of the source and would include a portion of the card number. Those digits would then be relayed to a bank via an ATM network to authorize the transaction.

"This way, no (account) numbers -- and no PINs -- get sent over the line, nor will a merchant ever get the entire number for a transaction," Mr. Lee said. "The bank verifies the identity of the customer through UTM and validates the transaction to the merchant."

The Secure Electronic Transaction protocol for Internet payments, which was developed by Visa U.S.A. and MasterCard International, was expressly designed so that account numbers do not flow over the network and transactions are validated through the exchanges of banks', merchants', and consumers' digital certificates. SET has not taken off, especially in the United States, but technologists are convinced that as fraud concerns spread, it or something like it will have to be ready, and the American Express packaging of certificates and chips could well point the way. (Amex is a supporter of SET too, though at this stage it has not used the protocol in consumer transactions.)

UTM says it wants to play a central role in authenticating on-line transactions, but some observers say banks will not give up that role.

Stephen S. Cole, president and chief executive officer of Cash Station Inc., a Chicago-based ATM network, said UTM's plan is flawed.

"Today, the (financial) institution is the one that authorizes that PIN," he said. "They're not going to trust some third party to validate that Steve Cole is who he says he is."

Financial institutions will want the authorization procedure for debit on the Internet to be transparent -- to work the same way as it would for a transaction at a gas pump or checkout lane, Mr. Cole said.

Moreover, an extra piece of hardware -- like a serial-port connection or a diskette-shaped card sleeve -- is unlikely to be embraced by consumers, Mr. Cole said. Network executives say they are looking at ways to use an ATM/debit card on the Internet without the physical card; the biggest obstacle is getting a personal computer to encrypt and transmit a PIN with security equal to the point of sale.

Mr. Cole said the key is to make such an encryption system into an industry standard, which the ATM networks are the "logical entity" to develop. From there, he said, UTM and its competitors can fight for the hardware and software business that would result.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER