There’s another imperative. Banks are under pressure to introduce "two factor authentication" (2FA) for online transactions and they’ve just spent a load of money on issuing a jolly handy device for storing keys and certificates: smart cards. Now, the smart cards that the banks have issued will shortly have to be upgraded to the higher-security version of "chip & PIN" cards. These are called Dynamic Data Authentication (DDA) cards and they are already being rolled out in other countries (eg, France). The interesting thing about them, from the digital ID perspective, is that they have cryptographic co-processors on board. This means that they can support a digital signature application with minimal effort (this is how the American Express Blue cards did it).
So if the bank sends me a simple USB smart card reader so that I can log on with my chip and PIN card, that’s convenient. But the bank could then store either more key pairs, or more certificates, on the smart card and charge other organisations (eg, the government, retailers) for using them. This makes solving the phishing and fraud problem a line of business rather than a cost and, surely, that’s a way to get something done. As in the chat room example discussed last week, the bank might be able to sell several certificates to the same person and it might also be able to sell chip and PIN cards to people for them to use purely for log on and not for payment at all. Now that’s what I call a disruptive technology!