Is there any future for smartcards?

Eugen Leitl eugen at leitl.org
Mon Sep 12 07:46:20 EDT 2005


On Sun, Sep 11, 2005 at 06:49:58PM -0400, Scott Guthery wrote:

> 1) GSM/3G handsets are networked card readers that are pretty
> successful.  They are I'd wager about as secure as an ATM or a POS,
> particularly with respect to social attacks.

The smartphones are not secure at all, because anything you enter
on the keypad and see on the display can be compromised, so
the tamper-proof cryptographic goodness locked inside the SIM
smartcard will cheerfully approve whatever the code running
on the smartphone tells it to approve, regardless of
what is being displayed to the user.

Virtually all new phones sold are smartphones, and for every
platform there are documented vulnerabilities, exploits, and
malware already in the wild. Increased use of mobile phones
as a means of payment is a strong motivation for malware
writers. Most smartphone users are security-naive teenagers.
This indicates that we'll be getting all the problems of desktop
machines, and more, shortly.
 
> 2) ISO is currently writing a standard for a secure home card reader.
> The starting point is FINREAD. See JTC1/SC17/SG4/TF10.

I own a secure home card reader (which happens to run on Windows, Linux
and OS X, with open source drivers -- my model has a keyboard but no
display, but other models from the same manufacturer do).

Standards are good. I'm all for standards, as long as they describe
what eventually will be a real-world product. Unless financial
institutions are required by law to issue secure smartcards
and smartcard readers, or suffer extreme losses through fraud,
they won't introduce these secure readers and smartcards.
 
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
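The failure mode Eugen describes above (a tamper-resistant card that signs whatever a compromised host hands it, versus a reader with its own trusted display and keypad) as an added simulation. This is example code written for this page, not code from the poster or from any card or reader vendor; it assumes an HMAC-SHA256 over a "payee|amount" string as a stand-in for the card's real signature scheme, a constructed shared key, and a callback standing in for the user reading the reader's own display.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed key shared by the simulated card and the issuer (assumption for
# this demo; a real card keeps its key in tamper-resistant storage and the
# host never sees it).
CARD_KEY = b"constructed-demo-key-do-not-use"


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int

    def encode(self) -> bytes:
        # Canonical byte encoding the card signs and the issuer verifies.
        return f"{self.payee}|{self.amount_cents}".encode()


class DumbCard:
    """Tamper-resistant signer with no I/O of its own: it authenticates
    whatever bytes the host passes in, never knowing what the user saw."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()


class SecureReader:
    """Reader with its own display and keypad (the FINREAD idea): the card only
    signs a transaction the user confirmed on the reader's display, which the
    host software cannot alter."""

    def __init__(self, card: DumbCard, user_confirms: Callable[[Transaction], bool]):
        self._card = card
        # Hypothetical callback: models the user reading the reader's display.
        self._user_confirms = user_confirms

    def sign(self, tx: Transaction) -> Optional[bytes]:
        if not self._user_confirms(tx):
            return None  # user saw a transaction they did not intend; reject
        return self._card.sign(tx.encode())


def issuer_verify(tx: Transaction, mac: bytes) -> bool:
    """Issuer-side check: constant-time compare of the card's MAC."""
    expected = hmac.new(CARD_KEY, tx.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def compromised_host_flow(card: DumbCard, swapped_tx: Transaction) -> Tuple[Transaction, bool]:
    """Malware on the phone shows the user the intended transaction but feeds
    `swapped_tx` to the card. Returns (what the issuer receives, accepted?)."""
    mac = card.sign(swapped_tx.encode())
    return swapped_tx, issuer_verify(swapped_tx, mac)


def secure_reader_flow(reader: SecureReader, swapped_tx: Transaction) -> Tuple[Optional[Transaction], bool]:
    """Same malware, same card, but the card sits in a reader that displays the
    actual transaction and needs the user's confirmation on its own keypad."""
    mac = reader.sign(swapped_tx)
    if mac is None:
        return None, False
    return swapped_tx, issuer_verify(swapped_tx, mac)


def demo():
    intended = Transaction("Alice", 1000)      # what the user sees on the phone
    swapped = Transaction("Mallory", 99900)    # what the malware sends to the card
    card = DumbCard(CARD_KEY)

    # Case 1: card in the phone, no trusted display. The issuer gets a valid
    # signature over Mallory's transaction; the user saw Alice's.
    phone_result = compromised_host_flow(card, swapped)

    # Case 2: same card in a reader with its own display. The user confirms
    # only the transaction they intended, so the swap is refused.
    reader = SecureReader(card, lambda tx: tx == intended)
    reader_result = secure_reader_flow(reader, swapped)
    return phone_result, reader_result


if __name__ == "__main__":
    (seen, ok), (seen2, ok2) = demo()
    print("phone as reader :", seen, "accepted by issuer:", ok)
    print("secure reader   :", seen2, "accepted by issuer:", ok2)
```

The point the simulation makes is that the card's cryptography is correct in both cases; what differs is whether the thing presenting the transaction to the user is inside or outside the attacker's reach. A reader that has a keypad but no display, like the one mentioned above, protects the PIN from the host but still cannot prevent the transaction swap.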