Is there any future for smartcards?
eugen at leitl.org
Mon Sep 12 07:46:20 EDT 2005
On Sun, Sep 11, 2005 at 06:49:58PM -0400, Scott Guthery wrote:
> 1) GSM/3G handsets are networked card readers that are pretty
> successful. They are I'd wager about as secure as an ATM or a POS,
> particularly with respect to social attacks.

The smartphones are not secure at all, because anything you enter
on the keypad and see on the display can be compromised, so
the tamper-proof cryptographic goodness locked inside the SIM
smartcard will cheerfully approve whatever the code running
on the smartphone will tell it to approve, regardless of
what is being displayed to the user.

Virtually all new phones sold are smartphones, and for every
platform there are documented vulnerabilities, exploits, and
malware already in the wild. Increased use of mobile phones
as means of payment is a strong motivation for malware
writers. Most smartphone users are security-naive teenagers.
This indicates that we'll be getting all problems with desktop
machines, and more, shortly.

> 2) ISO is currently writing a standard for a secure home card reader.
> The starting point is FINREAD. See JTC1/SC17/SG4/TF10.

I own a secure home card reader (which happens to run on Windows, Linux
and OS X, with open source drivers -- my model has a keyboard but no
display, but other models from the same manufacturer do).

Standards are good. I'm all for standards, as long as they describe
what eventually will be a real world product. Unless financial
institutions are required by law to issue secure smartcards
and smartcard readers, or suffer extreme losses through fraud,
they won't introduce these secure readers and smartcards.
Eugen* Leitl <a href="http://leitl.org">leitl</a>
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE