[Dave Birch] Someone asked me about the idea of connecting contactless cards to PCs via USB (since PCs lack contactless interfaces, or at least they do outside Japan). This is the kind of product they were thinking about: a USB interface on a payment card, using the chip to generate a one-time password (OTP) for transactions. The card emulates a USB keyboard and "types" the OTP, so no drivers are required and it works across machines and operating systems. A trojan on the PC could capture the OTP and redirect it to a transaction of its own choosing, but that's a general problem with this kind of 2FA: the OTP proves that the card is present, not that the card saw the transaction the user thinks they are approving. But what's the point of using an OTP at all? If you can connect the card to the PC, and you're not bothered about keyboard input being subverted, then why not just use EMV and do a level 2 transaction (using the PC as a POS terminal)? Oh right, it's a U.S. card.
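To make the "capture and redirect" problem concrete, here is an added example (my illustration, not code from the product discussed above or from any issuer). It generates a standard RFC 4226 HOTP, as a keyboard-emulating token would, and shows that a trojan which captures the typed code can submit it with a completely different transaction, because the code is computed only over a counter. Beside it is a hypothetical transaction-bound code, in the spirit of an EMV cryptogram (which is computed over transaction data such as the amount), for which the captured code only verifies against the transaction the card actually saw. The secret is the RFC 4226 test-vector key and the transactions are constructed sample data; `transaction_code` is my own construction, not any standard's.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test-vector key, not a real card key.
SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit value at offset given by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def bank_accepts_plain_otp(secret: bytes, counter: int, otp: str, tx: dict) -> bool:
    """Verifier for the plain OTP scheme. Note that tx is never used: any
    transaction presented with a valid OTP is accepted."""
    return hmac.compare_digest(hotp(secret, counter), otp)


def transaction_code(secret: bytes, counter: int, tx: dict, digits: int = 6) -> str:
    """Hypothetical transaction-bound code (an assumption for illustration):
    the MAC covers the counter AND the amount and payee the card was shown."""
    msg = (struct.pack(">Q", counter)
           + tx["amount_cents"].to_bytes(8, "big")
           + tx["payee"].encode())
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_accepts_bound_code(secret: bytes, counter: int, code: str, tx: dict) -> bool:
    """Verifier recomputes the code over the transaction it is actually asked to execute."""
    return hmac.compare_digest(transaction_code(secret, counter, tx), code)


def demo():
    """Returns (plain OTP redirect accepted, bound code redirect accepted,
    bound code genuine transaction accepted)."""
    counter = 0
    # Constructed sample transactions: what the user intended vs. what the trojan submits.
    user_tx = {"amount_cents": 4999, "payee": "GB12ABCD12345678901234"}
    trojan_tx = {"amount_cents": 950000, "payee": "MULE-ACCOUNT"}

    # The token "types" the OTP; a trojan on the PC captures it and replays it
    # with its own transaction. The bank has no way to tell the difference.
    typed_otp = hotp(SECRET, counter)
    plain_redirect = bank_accepts_plain_otp(SECRET, counter, typed_otp, trojan_tx)

    # With a transaction-bound code the captured value is useless for any
    # other transaction, but still verifies for the one the card computed it over.
    typed_bound = transaction_code(SECRET, counter, user_tx)
    bound_redirect = bank_accepts_bound_code(SECRET, counter, typed_bound, trojan_tx)
    bound_genuine = bank_accepts_bound_code(SECRET, counter, typed_bound, user_tx)
    return plain_redirect, bound_redirect, bound_genuine


if __name__ == "__main__":
    print(hotp(SECRET, 0))  # RFC 4226 test vector for counter 0
    print(demo())
```

The caveat a practitioner would add: binding the code to the transaction only helps if the amount and payee reach the chip through a channel the trojan cannot alter. If the PC feeds the card the transaction data, the trojan simply feeds it the mule account instead, which is exactly the "untrusted device" point made about chip and PIN below.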


Another way forward might be to dispense with the "card" altogether and just focus on the chip and its interfaces, as has been done with this Korean product, which looks like a USB key and simply contains a chip (in this case, for payments) with a contactless interface for use at the physical point of service and a USB interface for online use. It's certainly tempting to try to bring physical and virtual identity together in this way. If digital identity is implemented in some sort of smart card, then connecting the smart card to a computer becomes an issue. But as the experience of "chip and PIN" payment cards has taught us in the U.K., asking people to enter a PIN (or a fingerprint, or anything else) into an untrusted device (i.e., a POS terminal or a PC) is an invitation to trouble. So it's not clear at all whether this kind of implementation would provide additional security or merely the simulation of security: you would need to enter the PIN directly on the card to make it worthwhile, in which case you'd surely be thinking (as I do all the time) "why can't I just use my phone?". If we used a PKI application on the phone, accessing SIM-based cryptography, then we could bypass all of the insecurity of the PC world.

Now, this is hardly a new idea. There have been several pilots and trials — involving major operators — implementing this kind of architecture and connecting the phone to the PC by Bluetooth or WiFi. But I think this shows another area where NFC (sorry to keep going on about it) will be really revolutionary.

On the whole, there's more chance of making the phone the "standard" tamper-resistant environment than a special-purpose piece of hardware, simply because everyone has one already and it's very clever. But it might be a worthwhile strategy to use something like one of these contactless keys as an interim step to help develop the ecosystem.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
