WebApp Sec mailing list archives
RE: Smart card proposal
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Mon, 24 Jan 2005 18:47:21 +1100
The bank is performing the same effective authentication as they do at their ATM's. Something you have (the card) and something you know (the
This is only true if the combined PC + smartcard reader + chip/smartcard are the security equivalent of an ATM. No such smartcard platform exists today, as far as I know - PCs are way to insecure to even dream of this level security.
Users already have an idea of how to protect their credit cards. They
Most users have no idea of how to set up a smartcard reader, let alone minimally secure their PC. Why is a smartcard going to help given this limitation?
ATM's mostly already have infrastructure to read and communicate with smart cards. Users can use ATM's as self-service terminals to set up their internet banking. e.g. the user enters their PIN at the ATM, selects Internet Banking, Register. The ATM instructs the smart card to generate a private key, takes a copy of the public key, generates a CSR, requests the Bank's CA to sign the cert, and installs the cert into the smart card. It then asks the user to choose a PIN for the certificate,
So now the user has a second PIN to potentially forget or tell to 200 of their best friends.
so that it cannot be accessed without it. At the same time, it links the certificate to the same accounts that the user can access via the ATM, so that Internet banking is effectively seamless.
Many installed ATMs don't have the software functionality to do this today
If the user forgets the certificate PIN, and tries to guess it more than ${policy} times, the smart card locks it out. Then, the user can go to an ATM, enter his ATM PIN, request a certificate PIN reset, the ATM then supplies a (card specific) PIN Unlock Key, which allows the user to enter a new PIN for the cert. The certificate lifetime would be the same as the validity period of the credit card. When the bank issues a new credit card, the user should go back to an ATM, and reregister for Internet banking.
Bzzt - If I've already done this once, I do NOT want to have to repeat this every 2/3 years. I don't with my debit card (which is real money, and no chargeback, nor fraud) Just some initial thoughts Lyal
Current thread:
- Smart card proposal Rogan Dawes (Jan 23)
- RE: Smart card proposal Lyal Collins (Jan 24)
- RE: Smart card proposal Richard M. Smith (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- <Possible follow-ups>
- RE: Smart card proposal Michael Silk (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Rishi Pande (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 27)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)