WebApp Sec mailing list archives
RE: Smart card proposal
From: "McAllister, Andrew" <McAllisterA () umsystem edu>
Date: Tue, 25 Jan 2005 09:11:56 -0600
Target department stores here in the US used to send free USB smartcard readers to their Visa credit card holders (Target National Bank). You plug in the reader to your PC, install some software and it would work as a multi-factor authentication mechanism. If I recall correctly, you needed the card AND an ID and password to login to your on-line account. It also worked as a premium card where you could print coupons that were relevant to your past shopping habits. This part didn't require authentication, just the card inserted into the reader. I used it once, found it interesting but ultimately not that useful. I thought I'd like the extra security, but realized it wasn't really any more secure. The reasons it wasn't more secure: 1) As others have mentioned, if someone owned my machine they could manipulate it when the card was inserted. Though I would argue that security by obscurity would make this much more difficult. 2) No other sites used the reader. All other on-line shopping was still traditional. That is, you still had to provide the card number etc. So no authenticated purchases except at Target. 3) I didn't trust something that interacted with my credit card and my web browser. Call me suspicious, but I believe that the only interface between what's in my wallet and the internet should be me. 4) I find all shopper-premium/coupon tracking schemes to be contrary to my privacy. I usually pay with cash anyway (let's see them track that). The card reader quickly went on the shelf and from what I can tell of the Target Visa web site, everyone else abandoned it too. Andy
Current thread:
- RE: Smart card proposal, (continued)
- RE: Smart card proposal Michael Silk (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Rishi Pande (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 27)
- Re: Smart card proposal Rogan Dawes (Jan 24)
- RE: Smart card proposal Michael Silk (Jan 24)
- Re: Smart card proposal Hugo Fortier (Jan 24)
- RE: Smart card proposal Richard M. Smith (Jan 24)
- Re: Smart card proposal Rogan Dawes (Jan 27)
- RE: Smart card proposal Richard M. Smith (Jan 27)
- Re: Smart card proposal DE Gustafson (Jan 27)
- Re: Smart card proposal Koh Gim Leng (Jan 28)
- RE: Smart card proposal Lyal Collins (Jan 28)
- Security Webcast Series JoeStagner (Feb 02)