July 30, 2006
smart cards with displays - at last!
Jane Adams reports over on the Digital Money blog:
Now Visa International is working with InCard Technologies, an American company that has come up with something called Power Inlay Technology. The result is a smart card with a screen (or a smart card with a built in light or one that plays annoying jingles - isn't technology wonderful?) and a random number generator. That means the card is capable of generating a dynamic cvv2 for example.
Hoping over to InCardTech, we find, right down the bottom of the page:
 | DisplayCard with Additional Information
Depending on the type of payment card in question, a wealth of information useful to the consumer can be conveyed on an easy to read display. All this at the consumer’s fingertips!
Offering you what you need to know, when you need to know it. |
Potentially interesting! What does this mean? Jane says:
It doesn't come with a keypad yet but Visa seems confident that it will.What does that mean? That means that the arguments about who pays for readers for token based authentication for secure sign on to online banking will become redundant. Who needs a reader if you can tap your PIN directly into the card and the card itself displays your one time passcode?
Whoa, slight confusion there. You still need a reader ... to communicate with the smart card. What you don't necessarily need, in the fullness of time, is an expensive Class 4 secured reader, with its own display, keypad and Go button.
So while this will eliminate some costs, indeed a major cost, costs will remain.
And those costs are still rather traumatic, especially in comparison to your other smart card that already comes with its secure reader, including display and keypad, and soon to include GPS and other handy dandy tracking tools. (your cell/mobile/handy.) So while this may eventually cause smart cards to be independently useful in some universe, I'd suspect it is too little, too late at this stage.
| Also from the Maginot product line, they even have a one time pad card. |  |
in theory, people with cellphones and/or pdas could use their own pin entry device ... and the cellphone/pda could have proximity, near field, bluetooth, &/or wifi ... with point-of-sale (and/or some server).
note that all sorts of things are subject to mitm-attacks ... this mentions possibility of mitm-attacks on terminals (potentially even with dda cards):
http://www.garlic.com/~lynn/2006o.html#16 Gen 2 EPC Protocol Approved as ISO 18000-6C
http://www.garlic.com/~lynn/2006o.html#17 Gen 2 EPC Protocol Approved as ISO 18000-6C
... however there possibly are also MITM-attacks against cards even with class 4 secured reader (aka possibly even overlays similar to what has been used with ATM-machines, counterfeit/compromised operations). this is somewhat related to the finread stuff:
http://www.garlic.com/~lynn/subpubkey.html#finread
in the case of finread, the terminal is supposedly yours and it is used for your own protection where potentially your own PC (that the finread is attached to) might be compromised (an isolated security boundary supposedly out of reach of common PC compromises)
in the case of a class 4 secured terminal ... there is potential of something like a MITM terminal/overlay between you and the real terminal.
misc. past postings mentioning MITM-attacks
http://www.garlic.com/~lynn/subpubkey.html#mitm
recent near field article:
Near Field Communication Technology Turns Cell Phones into "Debit Cards"
http://www.dailytech.com/article.aspx?newsid=1856
How would you compare this to Mondex's cards?