part of the EU finread standard .... seems to be chipcard readers that have certified security modules comparable to POS terminals .... aka class-4 terminals that include secure pinpads and secure displays.
there is the concept of hardware token holding a private key that is never divulged and therefore the token can uniquely authenticate itself (something you have). what finread doesn't quite get around to specifying is a comparable mechanism in the terminal/reader to uniquely authenticate itself .... with the transition to open network ... rather than VANs & other forms of private networks ... it is a lot more difficult to accurately assure the integrity of the end-point (aka is it really a class-4 terminal/reader).

x9.59 payment protocol for all types of payments in all types of environments (aka not just credit on the internet) .... included the provision that the end-point terminal also may be required to authenticate itself as well as any hardware token. we demo'ed such a hardware token & terminal combination this week at securetech/cardtech (aka both the hardware token and the secure terminal signing different kinds of transactions ... payment, access, authorization, etc).

misc. recent security & finread threads
http://www.garlic.com/~lynn/2002c.html#10 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#21 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002f.html#46 Security Issues of using Internet Banking
http://www.garlic.com/~lynn/2002f.html#55 Security Issues of using Internet Banking

[EMAIL PROTECTED] on 4/24/2002 1:55 pm wrote:

I'm not sure. At least here in Europe we had "phantom transactions" at ATMs. Reasons I remember have been eavesdropping of PINs, maintenance errors, fake ATMs, etc. Today, it is hard to tell between somebody whose ATM-PIN was attacked, and somebody who only claims that his PIN was attacked. I think we have to anticipate that log-in procedures into signature systems may also be attacked. Actually the difference between using a local signature implementation in a networked office-PC and using a server-based one may be small - the user doesn't really control either system.
But on the server-based system, by definition other people have control of the password. And not all transactions can easily be reversed, in particular not money transactions.
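The dual-authentication requirement described in the post above (a transaction accepted only when both the hardware token and the class-4 terminal have signed it), as an added example that is not code from the post, from FINREAD or from the x9.59 specification. HMAC keys stand in for the per-device private keys a real token and terminal would hold; the transaction fields, device ids and registries are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: a transaction must carry two signatures, one from the
# hardware token (something you have) and one from the terminal, so the relying
# party can assure the integrity of the end-point as well as the card.
# HMAC is a stand-in for the asymmetric signatures real devices would use; in
# hardware the private key never leaves the token or the secure terminal.

def canonical(tx: dict) -> bytes:
    """Deterministic serialisation of the fields that both parties sign."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, tx: dict) -> str:
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()

def verify_transaction(tx, token_sig, terminal_sig, token_registry, terminal_registry):
    """Return (ok, reason). Accept only if the token AND the terminal are
    registered and both signatures cover the same transaction bytes."""
    tkey = token_registry.get(tx.get("token_id"))
    if tkey is None:
        return False, "unknown token"
    if not hmac.compare_digest(sign(tkey, tx), token_sig or ""):
        return False, "bad token signature"
    rkey = terminal_registry.get(tx.get("terminal_id"))
    if rkey is None:
        return False, "terminal not registered as class-4"
    if not hmac.compare_digest(sign(rkey, tx), terminal_sig or ""):
        return False, "end-point not authenticated"
    return True, "ok"

# Constructed registries: keys provisioned at enrolment (hypothetical ids).
TOKEN_KEYS = {"token-0001": secrets.token_bytes(32)}
TERMINAL_KEYS = {"term-class4-0042": secrets.token_bytes(32)}

def demo():
    tx = {"type": "payment", "amount": "125.00", "currency": "EUR",
          "token_id": "token-0001", "terminal_id": "term-class4-0042", "nonce": "c0ffee"}
    tsig = sign(TOKEN_KEYS["token-0001"], tx)
    rsig = sign(TERMINAL_KEYS["term-class4-0042"], tx)
    rogue_sig = sign(b"key of an unregistered reader", tx)   # fake/uncertified terminal
    return {
        "both": verify_transaction(tx, tsig, rsig, TOKEN_KEYS, TERMINAL_KEYS),
        "token_only": verify_transaction(tx, tsig, None, TOKEN_KEYS, TERMINAL_KEYS),
        "rogue_terminal": verify_transaction(tx, tsig, rogue_sig, TOKEN_KEYS, TERMINAL_KEYS),
        "tampered": verify_transaction(dict(tx, amount="9125.00"), tsig, rsig, TOKEN_KEYS, TERMINAL_KEYS),
    }
```

A token-only signature, a signature from an unregistered reader, and a transaction altered after signing are all rejected, which is the distinction a token-only scheme cannot make.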