Smart Cards: Even Abundant Security Features Don't Spur Smart Card

Amid all the heat generated by smart cards - the debates over what they should do, how much they cost, and whether there can be a return on investment - is one important area of general agreement.

Compared to the magnetic tape that has been used for the last generation to store cardholder data, silicon chips are infinitely more durable and secure.

Durability means less wearing out. Magnetically encoded plastic cards must be reissued every couple of years to insure against their becoming demagnetized or otherwise unable to be read by point of sale terminals. If there is ever to be a business case for smart cards, longer card lives can only help.

Security is something else entirely, more crucial to any enterprise than card durability but harder to understand and even more difficult to put in bottom-line perspective.

With controversies raging over competing technical approaches such as those adopted by MasterCard and Visa, and with the rivalry between Microsoft and Sun Microsystems now spilling into the chip card realm, questions arise about comparative, or relative, security.

No one disputes that the chips' logic and memory capacity - which leave magnetic stripe cards in the dust - create openings for such security enhancements as digital certificates and fingerprints or other biometric characteristics. But the business-case and investment conundrums make SET, the Internet payment protocol covered Tuesday in the first installment of this series, seem like a simple marketing exercise.

Relating SET to smart cards - the digital certificates at the heart of the Secure Electronic Transaction standard can be stored in the cards - adds yet another layer of complexity to banking and payments industry executives' puzzlement over how to strike an effective security and privacy chord with their public.

But except in a few, largely experimental pockets of activity, the SET-smart card linkage remains of longer-term concern. People looking into chip security have more than enough else to ponder.

Aside from the many technical claims and system variations to be assessed, "we are in a highly political environment," said Duncan Brown, senior consultant in North America for London-based Ovum Ltd.

Mr. Brown has fed some of the controversy, concluding earlier this year that Java Card, the extension of Sun Microsystems Inc.'s Java programming language and the technical centerpiece of the Visa Open Platform program, was inferior to the Multos operating system associated with MasterCard International's Mondex subsidiary.

"The security model was not particularly well defined," Mr. Brown told American Banker. The version of Java that was "shoehorned" into the limited space on a chip card "makes me uneasy," he said. "We are a long way from guaranteeing security on a Java platform."

In political debates, there are always rebuttals.

Visa and its allies have argued that the scaling back of Java actually made it less vulnerable to the network-borne infections that have preoccupied Java architects and firewall builders. In late October the Sun-led Java Card Forum came out with version 2.1 of its applications programming interface, which included a cryptography component that presumably would address some of the uneasiness.

Also last month, Microsoft Corp. introduced Smart Card for Windows. Mr. Brown said both Java Card and Multos "are severely threatened" by Microsoft, which expressly pitched its Windows-based proposal at the corporate security market.

Nick Habgood, chief executive officer of Maosco Ltd., the London-based consortium that serves as custodian of Multos, concluded that his system and Microsoft's can coexist - just as he has contended Multos and Java can. And he had no qualms with the security thrust.

"The reason most people are using smart cards is to introduce security, whether in payments or a network environment," Mr. Habgood said.

Microsoft has been a strong proponent of PC/SC, a standard it collaborated on with several smart card makers, Hewlett-Packard Co., and others for hooking chip card readers up with personal computers. Microsoft itself is certifying PC vendors' card interfaces to the Windows 2000 operating system, and it is writing chip card specifications into the "Wintel" documentation it periodically publishes with Intel Corp.

HP and International Business Machines Corp. were among the first to produce PCs with built-in card readers; Gemplus and other device manufacturers are offering peripheral attachments for retrofitting. Key Tronic Corp., the leading manufacturer of keyboards, unveiled one at Comdex this week in Las Vegas with a fingerprint scanner and card slot.

Corporations' use of identity cards and digital ID techniques, the thinking goes, will take off first. A digital certificate in the card could authorize access to a given computer or data base, whether at one's own desktop or when traveling with a laptop. It would be a small technical step from there to electronic commerce and eventually to mainstream, consumer-level activity.

Microsoft and Sun disagree on much, but not on that systematic evolution of an infrastructure. While the banking industry may be dragging its feet on where, when, and how to invest in the chip, the Wintel and Java specs and various other vendors' salesmanship are seeing to it that card readers are or will soon be common in cable television boxes and Microsoft's WebTV terminal, in satellite-TV equipment and mobile telephones, in public phones and maybe even retail payment terminals.

The readers can authenticate customers or subscribers; nothing prevents them from handling credit, debit, and micropayment cards. That could be the rub for bankers: There may not be much to prevent a nonbank, a telecommunications or media or software company, from providing a payment or privacy-assurance service.

"Financial services has a large number of customers with the greatest need" for security, said Patrick Richard, founder and chief technology officer of Xcert International Inc., a U.S.-Canadian company selling public key encryption infrastructures, particularly for banking and business-to-business applications.

"If banks don't do it, competitors will," warned Mr. Richard, whose company is a supplier to ABAecom, the American Bankers Association's recently formed "root key" venture. "Their customers have high-assurance requirements that will force banks to be in place" with certificates, whether residing in PC hard drives, on smart cards, or other storage media such as PCMCIA cards.

Silicon Valley entrepreneurs have been on to the idea for years that integrated circuits on cards make all sorts of things possible that could never be contemplated with magnetic stripes.

It is an article of faith at Verisign Inc., the digital signature company that did a high-profile initial public offering this year, that "smart cards are the digital wallet of the future," said marketing director Anil Pereira.

The data encryption company that Verisign was spun out of, RSA Data Security Inc., is owned by Security Dynamics Technologies Inc., which does a big business in smart-card-like security tokens for bank money transfers and other "high-assurance" operations.

Because of the portability aspect, Spyrus Inc. "pushed the smart card concept from the beginning" six years ago, said co-founder and president Sue Pontius. Initially that meant PCMCIA computer cards for the federal government's classified Fortezza system, but Spyrus is carrying that into the commercial market with a smart card product called Rosetta and a line of powerful, portable reading devices.

Cylink Corp., another public key encryption competitor and a supplier to several sizable banks, has built "the least expensive smart card reader on the market," said its recently installed president and former National Security Agency official William Crowell. "Smart cards are a means to provide (encryption) keys to consumers and inject some simplicity - 16-byte or 1,024-bit keys are a little hard to remember."

Yet the consumer-market business implications of security have seemed hazy since the French chip industry began trying to sell the rest of the world on smart cards in the early 1980s. They became standard in that country, spawning a growth market for card makers like Groupe Bull and Schlumberger, because they solved a serious fraud problem. Using personal identification numbers and other measures, the French were able to authorize most card payments at the point of transaction without requiring calls over what was, until the last decade, one of the more backward and expensive telephone networks in the industrialized world.

The antifraud reasoning never flew in the United States, where cheap and reliable communications made on-line authorizations a snap.

Bert Ely, an Alexandria, Va.-based consultant with an interest in payment systems policy, said the on-line efficiencies and economics may prove too compelling for smart cards to succeed - anywhere.

"With the way telecommunications costs are going, I see the long-term trend more toward on-line than off-line," he said, "which goes against the smart card."

No obituaries are being written yet, even in the United States, where Mr. Habgood's Maosco group just added Discover Financial Services as a member, undaunted by the disappointing results of the 100,000-card Mondex-Visa Cash trial in New York City.

In concert with bankers in France and even in some countries with well-developed stored-value card programs for small-ticket purchases, U.S. executives decided - and confirmed in New York - that there is no good business case in a basic electronic purse service standing alone.

Any payback would have to come from multiple applications on a card. Multos, Java Card, and Smart Card for Windows are all designed to meet that need, each erecting - or relying on armies of programmers to develop - the necessary protective barriers between sectors on the chip (and sparking arguments over whose measures are best).

But at least in the United States, the world's largest consumer economy and credit card market, financial institutions are still pushing uphill to get customers to buy multiple services from them, let alone from them and others sharing "real estate" on a single card.

Mr. Habgood said that while enterprise and network applications might be "mainstreamed" first in North America, European advances will be "more about fraud and reducing telecommunications costs and creating differentiated, value-added services."

Emerging-market countries are leapfrogging communications-based authorization systems and "moving straight to smart cards (as) part of a new infrastructure," he said.

The common denominator is that "secure, tamper-resistant device," Mr. Habgood said, "and security is fundamental to all these applications."

Nobody rests easy about it. They begin from an assumption that "nothing is secure," said Forrester Research analyst Ted Julian. He was quick to add that there has been "no major incident" affecting Java or its Microsoft counterpart, Active-X - maybe par for the course for things so new.

No less an authority than Sun Microsystems security architect Li Gong said, "There is no absolute security."

"Are smart cards more secure than magnetic stripe or optical memory cards? Yes," said Henry Dreifus of Dreifus Associates Ltd., Longwood, Fla., who published a book on the subject this year. "But you are just raising the pole vault bar a couple of feet" for hackers who get excited by such challenges.

Like many in the field, Mr. Dreifus advises that smart cards be regarded as one of many system components with damage controls that contain any security breach without bringing down the infrastructure.

"Smart cards are a wonderful security-enhancing technology, especially for mobile computing applications," said Mark Greene, vice president of electronic commerce for IBM in Somers, N.Y. "But they are not a substitute for other kinds of security or for highly sensitive, mission-critical data. It's not appropriate to rely on smart cards as the only way in to a mainframe, for example."

"The smart card is smart enough to hold secrets - but not all secrets," Mr. Dreifus said.

The lesson occasionally hits home in headlines like "Researchers Unearth Massive Chip Security Problem" (Financial Review of Australia on June 6) or "Code Breaker Cracks Smart Cards' Digital Safe" (The New York Times, June 22).

Cryptography Research of San Francisco, one of the laboratories that companies like Visa and Mondex employ to attack and stress test their systems, had called attention to differential power analysis, a code-cracking technique that caused some red faces among those who prefer to keep such things quiet until countermeasures are in place. But DPA would not have come to light if it were not for the due diligence being undertaken.

"It is not always obvious in these published attacks what generation or particular technology is being talked about," said David Karpenske, vice president of marketing, Schlumberger Test and Transactions, San Jose, Calif. "DPA was actually used on older designs. We have equipment that can test for that." Chip design techniques increasingly "mask these functions and block attacks."

More worrisome is that DPA is the tip of an iceberg.

"There have been thousands of attacks, peeling away at the layers in the semiconductor to get to the ROM (read-only memory) coding," said Mr. Dreifus. "The German phone card system was broken and had to be upgraded. There was an early attack on French cards-people built simulators that allowed them to make unlimited calls. There was a known attack against Mondex that forced them to make a change."

Smart card manufacturers have risen to the occasion with increasingly powerful chips able to do cryptographic operations, such as Schlumberger's Cryptoflex line and Gemplus' GPK series, GemXpresso for Java, and Gemsafe for enterprise and network security operations. Siemens announced this month that the German banks had approved its 16-bit cryptocontroller - said to be the first of its kind, essentially a little computer with 32K of ROM and countermeasures against DPA - for the next generation of the 40 million-card Geldkarte chip program.

At the recent Cartes '98 exposition in Paris, Schlumberger announced SiShell, a manufacturing technique that "hardens" the silicon against electron beams and other probes and bombardments.

Security "will never be truly solved," Mr. Karpenske said. The costs and countermeasures applied must be based on a risk-management calculation, he said.

To say security is a high priority for Mondex International and its arm's-length Maosco affiliate would be an understatement. Officials there pride themselves on a militaristic attention to detail. Under a European certification system known as ITSec, they have achieved Level 6, which means it takes government-class resources and equipment to break the defenses.

Because its multi-application operating system predated Java Card or anything else comparable, Mondex had to do all that itself. It can claim the advantages of an "industry-controlled standard," Mr. Habgood said. But the emphasis on "armor plating" and the card-to-card cash transfer mechanism that is a Mondex hallmark make juicy targets for hackers.

Not that Java is immune. Mr. Habgood said it lacks an ITSec type of evaluation and he questioned some of its application-loading and verification procedures.

"People have to kick it around to raise the level of security and have it perceived as secure," said software analyst Eric Brown of Forrester in Cambridge, Mass. "It is not enough for manufacturers to say it's secure - it has to be third parties. There haven't been that many broadly available implementations for third parties to attack."

Because Java is an open standard, hundreds of thousands of developers are working in the language and solutions are expected to bubble up - as should also happen in the even larger Windows community.

Java-ites are "putting their toes into the water carefully" and the security results are "looking pretty good," said Mr. Dreifus. "Millions of people are sweating this stuff."

Sun aimed to make Java "the most secure platform for Internet-based activities," said Li Gong of the company's JavaSoft unit.

In principle, he said, security must be built for a given class of attacks, must be simply applied and cost-effective, and must be realistically evaluated. "Total solutions" are almost impossible; they might be possible in "pure Java," but there will be few such environments. So plenty of defenses have been deployed in the Java Developers Kit and associated Java Cryptographic Engine.

Java Card "can be as secure as you want," said David Ankri, director of marketing and development, Oberthur Smart Cards, a French company and Java Card Forum member. "People focus on this one aspect but there are many links in the chain and systems have to be secure on multiple levels. There is a lot of work to be done, but it is going in the right direction."

"Early versions of Java Card technology were not mature, not as secure as other products," said Christophe Chancel of Gemplus' multimedia division. "This is being worked on." He said a secure platform based on a 32-bit processor, well suited to Java, should be on the market next year.

Taking nothing for granted, Visa hired Reliable Software Technologies of Sterling, Va., to help focus on Java security needs. In a recently published book, "E-Commerce Security," RST research scientist Anup K. Ghosh listed 13 Java flaws that came to light between early 1996 and summer 1997.

With that kind of assistance and the fact that "it is easy for anybody to get hold of Java and try to attack it, we get the benefit of some very high-powered brains," said Visa International senior vice president and Open Platform chief Philip Yen.

He acknowledged that it will be some time before cards are ready for the full-blown Java on the Internet. He contended that even on today's elementary 8-bit chips, Java "is just as good or better than anything else out there," and claimed the migration path to 32-bit cards and PC-class Java features is clearer than Multos'.

Mr. Greene of IBM, a Sun ally, agreed that Java Card today is "appropriate and very secure on the consumer level," and IBM is "building mission-critical applications" with it.

"But it's all relative," he said. "The only absolutely secure computer is one that is turned off."

"It's a constant battle" to stay ahead of the criminal element, said Mr. Karpenske. "Every day the attack techniques are changing. There is no panacea that will last five years."

The magnetic stripe has not changed for 20 years. Chips occupy the opposite end of the technology spectrum - dynamic and discontinuous and, except for Moore's Law on falling costs and rising performance, unpredictable.

"There will be problems with any new technology," said Mr. Yen. "We have to allow for that rather than assume it will be 100% foolproof and stable."
