Joe Schuler is tired of hearing people cast aspersions on the security of smart cards.
Mr. Schuler, a Minneapolis-based consultant and longtime enthusiast of computer chips as a way to improve plastic payment cards, is offering $1,000 to anyone who compromises their security.
"I'm saying, let those who have been talking about it step forward," Mr. Schuler said. "It's time for them to put up or shut up."
If Mr. Schuler has to pay up, or if anyone otherwise proves that the integrated circuits in the new breed of plastic cards can be readily compromised, then MasterCard, Visa, and the rest of the payment system establishment will have to scramble for the next "sure thing" in security.
Their decision to throw their lot behind smart cards seems safe so far, and there haven't been any takers since Mr. Schuler issued his $1,000 challenge at the Cardtech/Securtech West conference on Nov. 30 in Santa Clara, Calif.
"If it's that easy," he said, "all they have to do to collect the reward is take one of these cards, increase the dollar value contained in its memory, and return it to me in working order. I'll even give them a printout that shows what's in the card's memory. I'm confident I will not have to write a check."
But there are, indeed, some nagging questions as to whether chip cards have been sufficiently tested to withstand the anticipated criminal onslaught.
There is also a widespread assumption, which has held true for other antifraud measures, that people will find ways to beat them when the stakes rise high enough.
The compromising of the current magnetic-stripe card has become so widespread that the credit card associations are essentially writing it off in favor of the chip.
"Visa and MasterCard see the chip as much more secure than the magnetic the magnetic stripe," said Stephen White, an Atlanta-based consultant with Dove Associates Inc. "It's not only harder to break into, but it can be used to migrate to an even more secure, biometric-type security system like fingerprints or voice prints.
"But people will want to break these systems, and eventually they will," Mr. White said. "It will certainly be more difficult than breaking the magnetic stripe and may take longer, but ultimately it will be done, and the industry will have to take further action against that."
Mr. White, like Mr. Schuler, pointed out that chip cards' track record in other countries indicates their high level of security. But they have not yet evolved into a global, mass-market payment device like the magnetically encoded credit card, which would attract concerted attention from fraud artists.
Mr. Schuler conceded that simple stored-value telephone chip cards like those popular in France can be compromised, but the more sophisticated microprocessors used in banking and payment applications would significantly raise the level of protection.
Two of the better-known developers of chip cards that act as stores of value in place of cash -- National Westminster Bank's Mondex program in Britain and Electronic Payment Services Inc.'s Smart Card Enterprise in Wilmington, Del. -- say they are paying close attention to security.
This may cause less of a liability to Smart Card Enterprise. Its system, scheduled for a market test in Delaware next summer, will be geared toward low-value payments, with no more than $20 to be stored on a typical card.
Mondex, to be tested in Swindon, England, at around the same time, will have a much higher currency limit.
Also, the system is so closely modeled on cash that payments can be made between individuals and will not leave the audit trails typical of credit cards.
Mondex's security and auditability have been criticized by the likes of Visa International, which is working with Smart Card Enterprise and other organizations from around the world on chip standards for stored-value cards.
"Is the consumer likely to put $400 to $500 on a card?" said Michael Nash, a Visa senior vice president. "Why take the chance?
"The opportunity is not in the large-value transactions" where consumers will still prefer conventional credit or debit cards, Mr. Nash said.
"Mondex is based on the unrealistic and dangerous assumption that no one can break into a smart card chip, and I wouldn't want to build a worldwide payment system on that," David Chaum, a computer scientist and proponent of an alternative called DigiCash, told a recent meeting of the Financial Services Technology Consortium.
The consortium, a group of more than a dozen major banks exploring the implications of advanced technologies, has learned from Sandia National Laboratories in New Mexico that integrated cricuits can, indeed, be duplicated.
Such reverse engineering would require specialized equipment and materials that may not yet be accessible or affordable to most of the public, but would be dangerous in the wrong hands.
Mr. Chaum, who is based in Amsterdam, wants to see layers of security and authentication beyond what the chip alone delivers.
He says his solution, which can facilitate payments over online computer networks like the Internet, strikes a middle ground between complete auditability -- which he sees as a threat to personal privacy -- and Mondex's lack of auditability.
Along the same line, Mr. White said Visa International's recently announced alliance with Microsoft Corp. to ensure security of accounts used in online "cyberpayments" attacks a much more urgent priority than reinforcing the integrated-circuit card.
For its part, Mondex has both sounded an alarm about security threats and insisted that it is countering them.
"Security is the No. 1 issue, and Mondex grew out of the search for security," Tim Jones, the unit's chief executive officer, said in early December at the Bank Administration Institute's retail delivery systems conference.
"We have to recognize that the level of attack will be extreme.
"We have to make the harshest assumptions" and build the system accordingly.
Mr. Jones has not divulged the extent of his defense mechanisms, but he said, "We have reverse-engineered silicon." In November, Hitachi, the initial maker of Mondex chips, said it would produce a special version of its H8/310 series to address security concerns.
"The Hitachi H8 has been around for a long time, and maybe it is not as secure as some of the newer products from Siemens or SGS-Thomson, but it's still pretty secure," Mr. Schuler said.
"I believe claims about hacking into or reverse-engineering smart cards are unfounded."
