RE: Smart card proposal

["Lyal Collins" <lyal.collins () key2it com au>]

> The bank is performing the same effective authentication as 
> they do at 
> their ATM's. Something you have (the card) and something you 
> know (the 

This is only true if the combined PC + smartcard reader + chip/smartcard are
the security equivalent of an ATM.

No such smartcard platform exists today, as far as I know - PCs are way to
insecure to even dream of this level security.

> Users already have an idea of how to protect their credit cards. They 

Most users have no idea of how to set up a smartcard reader, let alone
minimally secure their PC.  Why is a smartcard going to help given this
limitation?


> ATM's mostly already have infrastructure to read and communicate with 
> smart cards. Users can use ATM's as self-service terminals to set up 
> their internet banking. e.g. the user enters their PIN at the ATM, 
> selects Internet Banking, Register. The ATM instructs the 
> smart card to 
> generate a private key, takes a copy of the public key, 
> generates a CSR, 
> requests the Bank's CA to sign the cert, and installs the 
> cert into the 
> smart card. It then asks the user to choose a PIN for the 
> certificate, 
So now the user has a second PIN to potentially forget or tell to 200 of
their best friends.

> so that it cannot be accessed without it. At the same time, 
> it links the 
> certificate to the same accounts that the user can access via 
> the ATM, 
> so that Internet banking is effectively seamless.

Many installed ATMs don't have the software functionality to do this today

> If the user forgets the certificate PIN, and tries to guess 
> it more than 
> ${policy} times, the smart card locks it out. Then, the user 
> can go to 
> an ATM, enter his ATM PIN, request a certificate PIN reset, 
> the ATM then 
> supplies a (card specific) PIN Unlock Key, which allows the user to 
> enter a new PIN for the cert.
>
> The certificate lifetime would be the same as the validity 
> period of the 
> credit card. When the bank issues a new credit card, the user 
> should go 
> back to an ATM, and reregister for Internet banking. 

Bzzt - If I've already done this once, I do NOT want to have to repeat this
every 2/3 years.  I don't with my debit card (which is real money, and no
chargeback, nor fraud)

Just some initial thoughts

Lyal