WebApp Sec mailing list archives

Re: Smart card proposal


From: Rogan Dawes <discard () dawes za net>
Date: Tue, 25 Jan 2005 08:28:32 +0100

Hugo Fortier wrote:
On Mon, 24 Jan 2005 21:39:08 +0100, Rogan Dawes <discard () dawes za net> wrote:

Rishi Pande wrote:

I like Rogan's solution. But, I think by putting these card-readers
at internet cafes (a rarity in my town - and I stay about an hour away
from NYC) you are basically circumventing the solution that online
banking offers - ease of use - it's 4 am, let me go and check my bank
account.

The idea behind installing them in the Internet Cafes is that people
who are mobile can expect to find at least one smart card reader at an
Internet Cafe, so they don't have to worry about whether the place they
will be at can use their smart card . . .


Could you trust a smart card reader found in an Internet Cafe? People
are building fake ATM front ends to steal your PIN and magnetic strip;
don't you think they could build a smart card reader with a backdoor?

There is a big difference between stealing a magnetic strip and a smart card. One you can copy, the other you cannot. That's one of the reasons to use a smart-card, rather than a magnetic strip, other than capacity, built-in CPU, etc, etc.

You shouldn't be trusting an Internet Cafe computer to access your
online bank account anyway...

True enough. But users will do it, regardless of what we tell them to do. And if the banks don't "seed" the internet cafes with smart card readers, they will install them themselves, eventually. I was just suggesting it as a mechanism for accelerating the uptake. It is certainly better to do your internet banking from an internet cafe using a smart-card than with just a username and password.

At least any transactions have to be simultaneous with others that you are performing, and I'm pretty sure that people will remember where it happened, and be able to track back to the PC that was compromised, and start with a forensics investigation, etc, etc . . .


And the consequences of getting your online banking account compromised
are a lot worse than getting your debit card compromised...

True.

Hugo

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
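The exchange above turns on one claim: a magnetic strip can be copied by a backdoored reader, a smart card cannot. The following is an added example, not code from the thread or from any bank or card vendor, that models why. The magnetic strip is static data, so a reader that records one swipe holds the whole credential; the smart card keeps its key on-card and only answers fresh challenges, so a reader that records an exchange holds nothing it can reuse. A keyed MAC stands in for the card's on-card cryptographic operation, the card data and key are constructed for the demo, and the class names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class MagStripeCard:
    """A magnetic stripe is static data: whatever the reader sees is the
    entire credential, so a copy is as good as the original."""

    def __init__(self, track_data: bytes) -> None:
        self.track_data = track_data

    def swipe(self) -> bytes:
        return self.track_data


class SmartCard:
    """The key stays on the card; the card only emits responses to challenges.
    (A keyed MAC stands in for the on-card cryptographic operation; this is
    a simplification made for the example.)"""

    def __init__(self, key: bytes) -> None:
        self._key = key  # never returned by any method

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class SkimmingReader:
    """A backdoored reader of the kind the thread worries about: it passes
    traffic through but records everything it sees."""

    def __init__(self) -> None:
        self.recorded_swipes: list[bytes] = []
        self.recorded_exchanges: list[tuple[bytes, bytes]] = []

    def swipe(self, card: MagStripeCard) -> bytes:
        data = card.swipe()
        self.recorded_swipes.append(data)
        return data

    def challenge(self, card: SmartCard, challenge: bytes) -> bytes:
        response = card.respond(challenge)
        self.recorded_exchanges.append((challenge, response))
        return response


class Bank:
    """Holds the reference copy of each credential and verifies presentations."""

    def __init__(self, track_data: bytes, card_key: bytes) -> None:
        self._track_data = track_data
        self._card_key = card_key

    def verify_swipe(self, presented: bytes) -> bool:
        return hmac.compare_digest(self._track_data, presented)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh and unpredictable per login

    def verify_response(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._card_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    # Constructed sample credentials for the demo; not real card data.
    track = b"4000000000000000^DOE/JANE^2712101"
    key = secrets.token_bytes(32)
    bank = Bank(track, key)
    skimmer = SkimmingReader()

    # Genuine use of both cards through the skimming reader succeeds.
    mag_ok = bank.verify_swipe(skimmer.swipe(MagStripeCard(track)))
    c1 = bank.new_challenge()
    sc_ok = bank.verify_response(c1, skimmer.challenge(SmartCard(key), c1))

    # Later, the recorded data is presented again without the card present.
    cloned_mag_ok = bank.verify_swipe(skimmer.recorded_swipes[0])
    c2 = bank.new_challenge()  # the bank issues a new challenge
    _, old_response = skimmer.recorded_exchanges[0]
    replayed_sc_ok = bank.verify_response(c2, old_response)

    return {
        "magstripe_genuine": mag_ok,
        "magstripe_cloned": cloned_mag_ok,
        "smartcard_genuine": sc_ok,
        "smartcard_replayed": replayed_sc_ok,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Note what the example does and does not show. The card defeats offline cloning: the recorded response is bound to an old challenge and is useless against a new one. It does nothing about the other risk raised in the thread, a compromised cafe PC acting during a live, card-authenticated session; that is why the reply above stresses that such fraud must happen while the user is present and so is traceable to a particular machine.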
