
Triple play

By davebirch posted Jan 2 2008 at 9:38 AM
[Dave Birch] Someone asked me about the idea of connecting contactless cards to PCs via USB (since PCs lack contactless interfaces -- or at least they do outside Japan). This is the kind of product they were thinking about: a USB interface on a payment card, using the chip to generate a one-time password (OTP) for transactions. The card emulates keyboard output, so no drivers are required and it works across machines and operating systems. A trojan could capture the OTP and redirect it, but that's a general problem with this kind of 2FA. But what's the point of using an OTP? If you can connect the card to the PC, and you're not bothered about keyboard input being subverted, then why not just use EMV and do a level 2 transaction (using the PC as a POS terminal)? Oh right, it's a U.S. card.
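The difference between a "typed" OTP and an EMV-style transaction-bound cryptogram is easier to see in a toy model. The following is an added example, not code from the post or from any of the products it mentions; the key, counter, amounts and payee names are constructed for the demo, and the HMAC-based codes merely stand in for real OTP and EMV algorithms.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared between card and issuer; a real card keeps it
# in tamper-resistant storage and it never leaves the chip.
CARD_KEY = b"constructed-demo-key-not-a-real-secret"


def _truncate(mac: bytes) -> str:
    """Reduce a MAC to an 8-digit code a card could type as keystrokes."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def otp_code(counter: int) -> str:
    """Event-based OTP: depends only on the card key and a counter, not on
    what the user is actually approving."""
    msg = struct.pack(">Q", counter)
    return _truncate(hmac.new(CARD_KEY, msg, hashlib.sha256).digest())


def transaction_code(counter: int, amount_cents: int, payee: str) -> str:
    """Transaction-bound code in the spirit of an EMV cryptogram: amount and
    payee are mixed into the MAC, so the code is useless for any other deal."""
    msg = struct.pack(">QQ", counter, amount_cents) + payee.encode()
    return _truncate(hmac.new(CARD_KEY, msg, hashlib.sha256).digest())


def issuer_accepts_otp(code: str, counter: int) -> bool:
    """Issuer side: an OTP can only be checked against the card and counter;
    the transaction it is supposedly authorising never enters the check."""
    return hmac.compare_digest(code, otp_code(counter))


def issuer_accepts_transaction(code: str, counter: int, amount_cents: int, payee: str) -> bool:
    """Issuer side: recompute the code over the transaction actually submitted."""
    return hmac.compare_digest(code, transaction_code(counter, amount_cents, payee))


def simulate_redirection(counter: int = 7) -> dict:
    """The user approves 20.00 to 'bookshop'; malware on the PC captures the
    typed code and submits a different transaction with it."""
    intended = (2000, "bookshop")
    swapped = (50000, "mule-account")                 # constructed values
    typed_otp = otp_code(counter)                     # what the OTP card types
    typed_txn = transaction_code(counter, *intended)  # what a bound scheme types
    return {
        "otp_accepted_for_swapped_txn": issuer_accepts_otp(typed_otp, counter),
        "bound_code_accepted_for_swapped_txn": issuer_accepts_transaction(typed_txn, counter, *swapped),
        "bound_code_accepted_for_intended_txn": issuer_accepts_transaction(typed_txn, counter, *intended),
    }
```

The bound code only helps if the card signs the amount and payee the user really approved, which a keyboard-emulating card with no display cannot confirm on its own; that is the untrusted-device problem the post goes on to discuss.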


Another way forward might be to dispense with the "card" and just focus on the chip and interfaces, as has been done with this Korean product, which looks like a USB key and simply contains a chip (in this case, for payments) with a contactless interface for use at physical point-of-service and a USB interface for online use. It's certainly tempting to try to bring physical and virtual identity together in this way. If digital identity is implemented in some sort of smart card, then connecting the smart card to a computer becomes an issue. But as the experience of "chip and PIN" payment cards has taught us in the U.K., asking people to enter a PIN (or a fingerprint, or anything else) into an untrusted device (i.e., a POS terminal or a PC) is an invitation to trouble. So it's not at all clear whether this kind of implementation would provide additional security or merely the simulation of security: you would have to enter the PIN directly on the card to make it worthwhile, in which case you'd surely be thinking (as I do all the time) "why can't I just use my phone?". If we used a PKI application on the phone -- accessing SIM-based cryptography -- then we could bypass all of the insecurity of the PC world.

Now, this is hardly a new idea. There have been several pilots and trials -- involving major operators -- implementing this kind of architecture and connecting the phone to the PC by Bluetooth or WiFi. But I think this shows another area where NFC (sorry to keep going on about it) will be really revolutionary.

On the whole, there's more chance of making the phone the "standard" tamper-resistant environment rather than a special-purpose piece of hardware, simply because everyone has one already and it's very clever. But it might be a worthwhile strategy to use something like one of these contactless keys as an interim step to help develop the ecosystem.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
