Is there any future for smartcards?

ericm at lne.com ericm at lne.com
Mon Sep 12 10:25:25 EDT 2005


On Sun, Sep 11, 2005 at 07:32:45PM +0200, Eugen Leitl wrote:
> On Sun, Sep 11, 2005 at 10:53:34PM +1200, Peter Gutmann wrote:
>
> > The problem with this is that in 99.99% of cases the insecure networked
> > machine *is* the reader, rendering the smart card pretty much pointless.  I've
>
> USB smartcard readers with displays are not expensive, especially
> if purchased in quantities. A financial institution would probably
> recover the costs quite rapidly, if it gave away smartcards and
> such readers for free to its customers, given the amount of fraud.


A company I worked at developed a secure smart card reader/keyboard in
1997/98.  It had a display and enough crypto capabilities that it could
do the cardholder side of SET.  It would get the PIN or fingerprint
from the user, use that to unlock the card, then verify the merchant's
signature on the payment request it got from the PC and display that to
the user and get acknowledgement before having the smart card sign the
payment message and handing that back to the PC to send to the merchant.

I spent a lot of time meeting with bankers and going to standards
committees.  The credit card industry basically said "Very nice.
It's secure.  But who is going to pay for it?"  The added security
wasn't worth the added cost (~$20 BOM cost) to the card issuers.
The fact that it did SET and SET didn't go anywhere didn't help, but after
shoving SET on there, we could have put anything on (and did do EMV).
But no credit card issuer bought the concept.  They all said that if
we could get them deployed, they'd like to be able to use them.

The problem in the case of credit card issuers is that they aren't
the ones who bear the cost of card fraud-- the merchants generally bear
the cost of the goods stolen.  They just figure that as part of
the overhead.

Amex did at one point give out SET smart cards and dumb card readers using
code written by a competitor of ours.  The SET code didn't actually work,
and even if it had, there were no merchants using it.  The Amex card was
a cool partially translucent card with the smart card 'bug' highlighted,
so it impressed clerks at Frys.  But that was all it was good for.


Eric




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


