On Sun, Sep 11, 2005 at 07:32:45PM +0200, Eugen Leitl wrote:
> On Sun, Sep 11, 2005 at 10:53:34PM +1200, Peter Gutmann wrote:
>
> > The problem with this is that in 99.99% of cases the insecure networked
> > machine *is* the reader, rendering the smart card pretty much pointless. I've
>
> USB smartcard readers with displays are not expensive, especially
> if purchased in quantities. A financial institution would probably
> recover the costs quite rapidly, if it gave away smartcards and
> such readers for free to its customers, given the amount of fraud.

A company I worked at developed a secure smart card reader/keyboard in 1997/98. It had a display and enough crypto capabilities that it could do the cardholder side of SET. It would get the PIN or fingerprint from the user, use that to unlock the card, then verify the merchant's signature on the payment request it got from the PC and display that to the user and get acknowledgement before having the smart card sign the payment message and handing that back to the PC to send to the merchant.

I spent a lot of time meeting with bankers and going to standards committees. The credit card industry basically said "Very nice. It's secure. But who is going to pay for it?" The added security wasn't worth the added cost (~$20 BOM cost) to the card issuers. The fact that it did SET and SET didn't go anywhere didn't help, but after shoving SET on there, we could have put anything on (and did do EMV). But no credit card issuer bought the concept. They all said that if we could get them deployed, they'd like to be able to use them.

The problem in the case of credit card issuers is that they aren't the ones who bear the cost of card fraud -- the merchants generally bear the cost of the goods stolen. They just figure that as part of the overhead.

Amex did at one point give out SET smart cards and dumb card readers using code written by a competitor of ours. The SET code didn't actually work, and even if it had, there were no merchants using it. The Amex card was a cool partially translucent card with the smart card 'bug' highlighted, so it impressed clerks at Frys. But that was all it was good for.

Eric