On 2013-01-03 01:28, Julien Pierre wrote:
> Anders,
> 
> On 1/1/2013 12:47, Anders Rundgren wrote:
>> Although the recent CA failures cast a shadow over the web they have 
>> AFAIK not led to any major losses for anybody. The credit-card system 
>> OTOH is a major source of losses and hassles. IMO the only parties 
>> that can fix it are the browser vendors. In the EU and Asia hundreds 
>> of millions of EMV-cards are in circulation but since there is no 
>> useful system on the Internet these cards are still equipped with 
>> mag-strip and CCV "passwords" printed in clear on the back of the 
>> cards which makes them subject to attacks in spite of the chip.
> 
> Are you sure that internet use is the only reason for the mag-stripe and 
> CCV passwords being on the card?
> Are 100% of the physical card readers EMV capable in EU and Asia?

As you suspected the answer is no, the payment industry is diverse and
pretty divided.


> It's not clear to me how any single browser vendor could design a 
> solution for this, given the huge variety of browsing devices nowadays.
> Even the hardware on those devices is quite different, let alone software.
> 
> Developing card readers that physically can connect to all those 
> devices, as well as software stacks for each OS and browser, is going to 
> be a very expensive task.

Well, expensive or not, this work has already been done.  Unfortunately it
works pretty badly since the interoperability matrix simply is unmanageable.
I think it is fair to conclude that traditional smart cards on the Internet are
a dead concept except in organizations having ex(t|p)ensive IT-support.

If there had been a truly standard PKI token with a USB connector the situation
could have been different but that was Microsoft's call and they didn't take it.

So what's left?  Embedded credentials.  This is clearly an area which is
"owned" by the platform vendors.

Intel: 
http://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display
Microsoft: http://www.microsoft.com/en-us/download/details.aspx?id=29076
Google: http://www.google.com/wallet

A major problem with these schemes is that they are quite different as well
as covered by NDAs.

It appears that Mozilla is the only platform vendor without a known plan or
program in place.  I didn't include Apple here since they rarely advertise
anything until it is actually shipping.


> A much less expensive and simpler approach might be some kind of 
> universal standalone device that provides power to the card, and allows 
> doing some challenge/response type authentication with the card, 
> resulting in a dynamic number that the user could enter into any SSL web 
> form.

This is used in a few countries: 
http://en.wikipedia.org/wiki/Chip_Authentication_Program
However, it only works in "federated mode" like VISA/MasterCard's 3D Secure and
still requires that you key in all the card data.  The US merchants have rejected
3D Secure and IMO they did the right thing; systems for consumers that do not
combine security and convenience should be abolished :-)

Anders

> 
> Julien
> 
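The standalone challenge/response reader Julien describes above (card computes a short dynamic number from a challenge, user types it into a web form) can be illustrated with the following added example. It is not code from this thread, from Mozilla, or from the EMV CAP specification: it uses HMAC-SHA256 with RFC 4226-style truncation instead of the card's real EMV cryptogram, and the `Issuer` class, the 8-digit code length, and the card identifiers are all assumptions made for the illustration. It shows the property that matters for the merchant-side web form: the typed number is single-use and bound to a fresh challenge, so capturing it is worth nothing to an attacker, and the issuer can verify it without the merchant ever seeing the card key.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed length of the dynamic number the user types in


def derive_response(card_key: bytes, challenge: bytes) -> str:
    """Card side: MAC the challenge with the card's secret key and
    truncate to a short decimal code (RFC 4226-style dynamic truncation).
    Simplified stand-in for the EMV cryptogram a real CAP card would produce."""
    mac = hmac.new(card_key, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Issuer:
    """Hypothetical card issuer back end that hands out challenges and
    checks the typed code. The merchant only relays the challenge and the
    code; it never holds card keys."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}  # one outstanding challenge per card

    def enroll(self, card_id: str, card_key: bytes) -> None:
        self._keys[card_id] = card_key

    def new_challenge(self, card_id: str) -> bytes:
        # Fresh random challenge per transaction; replaces any older one
        # so a code derived from a stale challenge cannot be replayed.
        if card_id not in self._keys:
            raise KeyError("unknown card")
        challenge = secrets.token_bytes(8)
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id: str, typed_code: str) -> bool:
        # Pop the challenge first: whether the code is right or wrong,
        # this challenge is consumed and cannot be tried again.
        challenge = self._pending.pop(card_id, None)
        if challenge is None or len(typed_code) != DIGITS or not typed_code.isdigit():
            return False
        expected = derive_response(self._keys[card_id], challenge)
        # Constant-time comparison to avoid leaking the expected code
        return hmac.compare_digest(expected, typed_code)


def demo_transaction() -> tuple[bool, bool, bool]:
    """Walk through one purchase: good code accepted, replay rejected,
    wrong code rejected. Key and card id are constructed sample values."""
    issuer = Issuer()
    card_key = secrets.token_bytes(16)  # stays inside the card and the issuer
    issuer.enroll("card-0001", card_key)

    challenge = issuer.new_challenge("card-0001")
    code = derive_response(card_key, challenge)  # computed by the reader
    first = issuer.verify("card-0001", code)     # True
    replay = issuer.verify("card-0001", code)    # False: challenge consumed

    issuer.new_challenge("card-0001")
    wrong = issuer.verify("card-0001", "00000000")  # False (with overwhelming probability)
    return first, replay, wrong


if __name__ == "__main__":
    print(demo_transaction())
```

The challenge is displayed to the user and keyed into the reader, which is why real CAP deployments keep it to a handful of digits; the code above uses 8 random bytes purely to make the single-use property easy to see. Note that this only authenticates the card to the issuer: it does not remove the need to type the card number itself, which is exactly the limitation Anders points out.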

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
