RE: Smart card proposal

["McAllister, Andrew" <McAllisterA () umsystem edu>]

Target department stores here in the US used to send free USB smartcard
readers to their Visa credit card holders (Target National Bank). You
plug in the reader to your PC, install some software and it would work
as a multi-factor authentication mechanism. If I recall correctly, you
needed the card AND an ID and password to login to your on-line account.


It also worked as a premium card where you could print coupons that were
relevant to your past shopping habits. This part didn't require
authentication, just the card inserted into the reader.

I used it once, found it interesting but ultimately not that useful. I
thought I'd like the extra security, but realized it wasn't really any
more secure. 

The reasons it wasn't more secure:
1) As others have mentioned, if someone owned my machine they could
manipulate it when the card was inserted. Though I would argue that
security by obscurity would make this much more difficult. 
2) No other sites used the reader. All other on-line shopping was still
traditional. That is, you still had to provide the card number etc. So
no authenticated purchases except at Target.
3) I didn't trust something that interacted with my credit card and my
web browser. Call me suspicious, but I believe that the only interface
between what's in my wallet and the internet should be me.
4) I find all shopper-premium/coupon tracking schemes to be contrary to
my privacy. I usually pay with cash anyway (let's see them track that).

The card reader quickly went on the shelf and from what I can tell of
the Target Visa web site, everyone else abandoned it too.

Andy