The NACHA pilot announced about a month ago .... specifies an AADS-based
transaction.
The combined press release last week at BAI (something like cebit for the world
retail banking industry) ... specifies AADS/X9.59 digital signing.
The AADS strawman proposes an online parameterized risk management
infrastructure that can be software, hardware, bin-activated hardware,
bio-sensor activated hardware, etc (i.e. integrity level of the compartment
doing the digital signing). The issue isn't that the chip enables offline ...
but that a chip with various characteristics can improve the integrity of online
(non-face-to-face) transactions.
misc. references.
http://internetcouncil.nacha.org/
http://www.garlic.com/~lynn/
and specific ...
http://www.garlic.com/~lynn/99.html#224
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo1
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo2
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo3
David Honig <[EMAIL PROTECTED]> on 12/13/99 12:12:42 PM
To: "Steven M. Bellovin" <[EMAIL PROTECTED]>, Steve Reid
<[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED] (bcc: Lynn Wheeler/CA/FDMS/FDC)
Subject: Re: Debit card fraud in Canada
At 10:49 AM 12/13/99 -0500, Steven M. Bellovin wrote:
>true for credit cards? If so, a simple visual recorder -- already used by
>other thieves -- might suffice, and all the tamper-resistance in the world
>won't help. Crypto, in other words, doesn't protect you if the attack is on
>the crypto endpoint or on the cleartext.
Wouldn't a thumbprint reader on the card (to authenticate the meat to the
smartcard) be a tougher thing to shoulder surf?
Does raise the cost over a PIN.
Aren't there protocols where the exchange can't be replayed,
but proof-of-knowledge is demonstrated?
Or would these exchanges require on-line connectivity, thereby defeating
the utility of smartcards some?
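The account-authority arrangement sketched at the top of this message (holder's public key registered against the account, transaction signature verified online, integrity of the signing compartment feeding a risk parameter) together with the non-replayable proof-of-knowledge exchange asked about in the quoted reply, modelled as an added Go example that is not from the thread, NACHA or X9.59. The Ed25519 algorithm, the message layout, the integrity levels and the per-level limits are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519" // signature algorithm is an assumption; the page names none
	"crypto/rand"
	"fmt"
)

// Account is the account-authority record: the holder's public key is registered directly
// on the account (the AADS idea); IntegrityLevel stands in for the signing compartment's integrity.
type Account struct {
	PubKey         ed25519.PublicKey
	IntegrityLevel int
	Seen           map[string]bool // transaction IDs already accepted
}

// Limits (cents) are constructed risk parameters: 1 = software, 2 = PIN-activated hardware, 3 = biometric hardware.
var Limits = map[int]int{1: 20000, 2: 100000, 3: 500000}

// Transaction is a constructed, simplified payment message, not the X9.59 layout.
type Transaction struct {
	ID, Account, Payee string // ID is unique per transaction; a replay reuses an old one
	Amount             int    // cents
}
func (t Transaction) bytes() []byte { // canonical form that gets signed
	return []byte(fmt.Sprintf("%s|%s|%s|%d", t.ID, t.Account, t.Payee, t.Amount))
}

// NewKey and Sign model the holder's token; the private key never leaves it.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
func Sign(priv ed25519.PrivateKey, t Transaction) []byte      { return ed25519.Sign(priv, t.bytes()) }

// Authorize is the online check at the account authority: signature against the
// registered key, amount against the level's limit, then rejection of replays.
func (a *Account) Authorize(t Transaction, sig []byte) error {
	if len(a.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(a.PubKey, t.bytes(), sig) {
		return fmt.Errorf("no registered key or bad signature")
	}
	if t.Amount > Limits[a.IntegrityLevel] {
		return fmt.Errorf("amount %d exceeds limit for integrity level %d", t.Amount, a.IntegrityLevel)
	}
	if a.Seen[t.ID] {
		return fmt.Errorf("replayed transaction %s", t.ID)
	}
	if a.Seen == nil {
		a.Seen = map[string]bool{}
	}
	a.Seen[t.ID] = true
	return nil
}
```

A recorded signature is useless to a shoulder surfer here: it verifies only over the exact bytes it was made for, and a second presentation of the same ID is refused.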