Adam Shostack <[EMAIL PROTECTED]> writes:

>I'd suggest starting from the deployment, training, and help desk costs.  The
>technology is free, getting users to use it is not.  I helped several banks
>look at this stuff in the late 90s, when cost of a smartcard reader was order
>~25, and deployment costs were estimated at $100, and help desk at

Banks here have been using SMS-based transaction verification for a few years
now (although not done very well, sigh) without, apparently, any real problems
(I've been trying to get figures for per-transaction costs out of them for a
while now, so far without any success).  Since the SMS-based system is just a
labour-intensive way of doing what I was proposing but using a cellphone
instead of a dedicated device, my guess is that the overhead won't be that
bad.  If it was, the banks wouldn't be doing it now :-).

(Using smart cards as a yardstick isn't terribly useful, as I mentioned in my
previous message they're really a deployment DoS mechanism, not a solution).

>I don't think smartcards (per se) are the answer.  What you really need is
>something like a palm pilot, with screen and input and a reasonably
>trustworthy OS, along with (as you say) the appropriate UI investment.

Smart cards are part of the problem set, not the solution set - they're just
an expensive and awkward distraction from solving the real problem.  What I
was suggesting (and have been for at least ten years :-) is a small external
single-function device (no need for an OS) that can't be compromised by
malware because there's no attack vector for the malware to get at it.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to