2012/9/25 NdK <ndk.cla...@gmail.com>
> On 24/09/2012 21:37, Andreas Jellinghaus wrote:
>
> > no, I was referring to all the magic solutions that make things secure
> > suddenly.
> there was a good comic strip I can't find just now...
> Hackers view: oh, no, this laptop is protected by 4096-bit RSA... no way
> we can recover it even with $1000000!
> Grunt view: this laptop is locked... take this $5 wrench and beat off
> the pass from the user.
>
> Too bad it proves right... Here in Italy we've had many episodes of
> people kidnapped to make their families let robbers enter well-protected
> houses... :(
>
> > Like sms-tan instead of pin+tan, or funny devices reading flickering
> > info on some banks online system,
> > or smart cards with biometrics on board, or
> > $government-identified-super-secure-signing-cards or
> > stupid "de-mail" (email with a postage cost of half an euro) which they
> > try to sell in germany, and all this stuff.
> Not to speak of italian "posta certificata" ("certified mail", with
> provable delivery so that it can have legal value)... :)
>
> > EMV is of course totally bloated and thus far too complex, and the whole
> > idea of visa and mastercard keeping
> > paypass and paywave confidential, even partners under NDA only get to
> > see their bits, that is real stupid and insecure.
> Maybe because they know it's not secure?
>
No, I think it is well intended - try to be compatible with every old thing
and have all the features everyone wants in there. Except the result of such
a process is not good.

> EMV for sure: there's an unauthenticated bit that tells the card to
> authenticate the transaction without asking for the PIN...

That's ok, it is a valid feature. If people buy something for less than a
dollar, and the transaction is authenticated with the signature of a rsa key
in the smart card, and we haven't reached the consecutive lower boundary
amount yet, then simply approving the transaction is perfectly fine -
getting a PIN or doing an online transaction isn't worth doing for such a
small amount of money.

Most vending machines still use modems and dial up for every transaction
and hang up again later. That's why card transactions are so slow. Once the
standard is to have a permanent internet connection, the cost of doing an
online transaction is lower (less delay) and the profile could be changed to
do everything online. But since the card doesn't know where it is, it can
only have a world wide setting, and people expect the card to work in the
remote places with the worst infrastructure. Maybe some day banks want to
give people two credit cards with different settings?

Andreas

> BYtE,
> Diego.
>
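A simplified model of the card-side limits Andreas describes (a per-transaction floor, a cumulative offline amount, and a consecutive offline count that together decide whether the terminal's "no PIN" request is honoured), added here as an example and not code from this thread or from OpenSC. The class and field names (`CardRiskProfile`, `floor_limit`, `cumulative_limit`, `consecutive_limit`) are assumptions for illustration, not EMV data elements, and amounts are in cents.

```python
from dataclasses import dataclass


@dataclass
class CardRiskProfile:
    """Hypothetical card-side risk settings (illustrative, not EMV field names)."""
    floor_limit: int          # largest single amount the card will approve offline
    cumulative_limit: int     # total offline-approved amount before forcing online
    consecutive_limit: int    # offline approvals in a row before forcing online
    offline_total: int = 0    # running offline amount since the last online auth
    offline_count: int = 0    # running offline count since the last online auth

    def decide(self, amount: int, terminal_says_no_pin: bool) -> str:
        """Return 'approve_offline' or 'go_online' for one transaction.

        The terminal's request to skip the PIN is not authenticated, so the
        card only honours it when its own limits still allow an offline
        approval; the terminal's flag alone never decides the outcome.
        """
        if (terminal_says_no_pin
                and amount <= self.floor_limit
                and self.offline_total + amount <= self.cumulative_limit
                and self.offline_count + 1 <= self.consecutive_limit):
            self.offline_total += amount
            self.offline_count += 1
            return "approve_offline"
        # Anything else goes online with PIN; a successful online
        # authorisation resets the offline counters (simplified model).
        self.offline_total = 0
        self.offline_count = 0
        return "go_online"


def run_sequence(profile: CardRiskProfile, transactions):
    """Apply a list of (amount_cents, terminal_says_no_pin) pairs in order."""
    return [profile.decide(amount, no_pin) for amount, no_pin in transactions]


if __name__ == "__main__":
    # Constructed sample: four small purchases, a larger one, then a PIN sale.
    card = CardRiskProfile(floor_limit=100, cumulative_limit=300, consecutive_limit=5)
    sample = [(90, True), (90, True), (90, True), (90, True),
              (90, True), (150, True), (50, False)]
    for tx, outcome in zip(sample, run_sequence(card, sample)):
        print(tx, "->", outcome)
```

The fourth small purchase is pushed online because the cumulative limit would be exceeded, not because the terminal asked for it; that is the card-side control that makes the unauthenticated bit acceptable in this model.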
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel