WebApp Sec mailing list archives

RE: (smart cards) Proposal to anti-phishing


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 24 Jan 2005 15:45:17 -0600

Rogan, 

Well, it is possible for a single token to contain multiple certificates/private keys, so it does not HAVE to lead to proliferation. And of course, a number of banks are issuing smart card based credit cards and debit cards. I wonder how big a leap it would be for the banks to include a private key on the card, too.

Smart cards, I think, are one of the most realistic answers for the future. Either unique cards (and for banks the credit or debit card is the perfect unique vehicle) or "national smart cards" which, like it or not, I suspect we'll be using someday for medical info, fighting the war on terror, and enabling the fine folks at FinCEN further correlation capabilities regarding the spending habits of private citizens.

I am not sure how far smart cards have come in Europe in the last year, but they're not present in the US right now. (Please enlighten me on the status of universal smart cards, for those of you outside the US...)

Your other excellent comments are inline for those that missed them.

-ae

 
Then, with a smart card reader, which will become ubiquitous as more and more banks start using this technique, you simply plug in your credit card, and you are authenticated.

It should even be possible to enforce good password controls in the smart card, such as limiting the number of retries, enforcing a password length, etc. Password reset could possibly even be handled by the ATMs, if they have access to a PUK.

I would like to think that people would not leave their credit cards in the slot when they are finished, as they associate the credit card with physical security (keep it with me).
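The on-card controls discussed in the quoted comments (a retry counter that blocks the PIN, a PUK that unblocks it and sets a new PIN, a minimum PIN length enforced by the card, and a card that stops working once it is removed) can be modelled as a small state machine. The following is an added example written for this archive page, not code from either poster or from any card vendor. It simulates the card in Python; the policy values (6-digit minimum PIN, 3 PIN tries, 10 PUK tries) are constructed for the simulation, and the salted PBKDF2 digests stand in for the reference values a real card OS keeps in protected memory.

```python
from dataclasses import dataclass
import hashlib
import hmac
import os

# Constructed policy values for the simulation; a real card fixes these
# during personalisation in the card OS, not in application code.
MIN_PIN_LENGTH = 6
MAX_PIN_TRIES = 3
MAX_PUK_TRIES = 10


def _digest(secret: str, salt: bytes) -> bytes:
    """Comparison value so the model never holds the bare PIN or PUK.
    (Assumption for this simulation; a real card compares in secure memory.)"""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class SmartCard:
    """Simulated card: a user PIN, an unblock PUK, two retry counters."""
    _pin_salt: bytes
    _pin_hash: bytes
    _puk_salt: bytes
    _puk_hash: bytes
    pin_tries_left: int = MAX_PIN_TRIES
    puk_tries_left: int = MAX_PUK_TRIES
    unlocked: bool = False  # True only after a successful PIN verification

    @classmethod
    def personalise(cls, pin: str, puk: str) -> "SmartCard":
        """Issue a card; the length policy applies to the initial PIN too."""
        if len(pin) < MIN_PIN_LENGTH:
            raise ValueError("PIN shorter than card policy allows")
        pin_salt, puk_salt = os.urandom(16), os.urandom(16)
        return cls(pin_salt, _digest(pin, pin_salt), puk_salt, _digest(puk, puk_salt))

    @property
    def pin_blocked(self) -> bool:
        return self.pin_tries_left == 0

    @property
    def puk_blocked(self) -> bool:
        return self.puk_tries_left == 0

    def verify_pin(self, pin: str) -> str:
        """Return 'ok', 'wrong' or 'blocked'; a failure burns one try."""
        if self.pin_blocked:
            return "blocked"
        if hmac.compare_digest(_digest(pin, self._pin_salt), self._pin_hash):
            self.pin_tries_left = MAX_PIN_TRIES  # success resets the counter
            self.unlocked = True
            return "ok"
        self.pin_tries_left -= 1
        self.unlocked = False
        return "blocked" if self.pin_blocked else "wrong"

    def unblock_with_puk(self, puk: str, new_pin: str) -> str:
        """PUK-driven reset, the step the thread suggests an ATM could perform."""
        if self.puk_blocked:
            return "puk_blocked"  # card is permanently dead; reissue needed
        if len(new_pin) < MIN_PIN_LENGTH:
            return "pin_too_short"  # policy checked before a PUK try is spent
        if not hmac.compare_digest(_digest(puk, self._puk_salt), self._puk_hash):
            self.puk_tries_left -= 1
            return "puk_blocked" if self.puk_blocked else "wrong"
        self._pin_salt = os.urandom(16)
        self._pin_hash = _digest(new_pin, self._pin_salt)
        self.pin_tries_left = MAX_PIN_TRIES
        self.unlocked = False  # the new PIN must be presented before use
        return "ok"

    def sign(self, message: bytes):
        """Stand-in for the private-key operation; refused unless unlocked."""
        if not self.unlocked:
            return None
        return hashlib.sha256(self._pin_salt + message).digest()

    def remove(self) -> None:
        """Pulling the card from the reader ends the authenticated state."""
        self.unlocked = False


if __name__ == "__main__":
    card = SmartCard.personalise("123456", "87654321")
    for attempt in ("000000", "111111", "222222"):
        print("PIN attempt:", card.verify_pin(attempt))
    print("unblock:", card.unblock_with_puk("87654321", "654321"))
    print("new PIN:", card.verify_pin("654321"), "signs:", card.sign(b"login") is not None)
    card.remove()
    print("after removal, signs:", card.sign(b"login") is not None)
```

The design point is that every policy decision (try counting, length rule, unblock) lives on the card object and not in the terminal or web application that talks to it, which is what makes the controls hold up against a phishing site that never sees the card at all.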



