Cryptosmith

Gunnar Peterson asks a fair question in his 1 Raindrop blog: when are first-world countries like the US and UK going to catch up with Ghana and other third world countries that have started using smart card-based cash.

The engineer in me watches such experiments with interest. But after watching several smart card false starts here in the US (the Focus card, the Target card) I’m beginning to see that smart cards will just have to wait for a different “killer app.” They’re not going to provide Americans with e-cash any time soon.

We have a pretty effective version of e-cash already, thanks to a standard mechanism for processing credit card numbers. The system may be a security nightmare, but the vendors have clearly decided that the cost of replacement still overwhelms the cost of fraud. I notice that “Verified by Visa” doesn’t even bother to check passwords itself any more - the perceived extra assurance apparently didn’t pay for itself in reduced fraud.

It was not the inventors of RSA public-key cryptography, nor the company they started, that put their crypto on every computer desktop world-wide. The folks at Netscape did it when they put together the Commerce Server and the Navigator browser, hooked securely together with the RSA-based SSL protocol. Netscape took the impossible (security for Internet data transmissions) and made it practical. Smart cards need to find an empty niche like that to fill.

Posted under Information Security |