Smart Cards: Gemplus Offers Card to Bolster Network Security

Gemplus Group has introduced a security system that could encourage the use of smart cards with personal computers and other remote access devices.

Gemsafe, which the French smart card manufacturer unveiled Monday, includes hardware and software for verifying a cardholder's identity and thereby enhancing security on the Internet, corporate intranets, and electronic mail systems.

Gemplus officials say Gemsafe can address public concerns about on-line security until smart card readers are standard computer attachments.

A customer's digital certificate, stored on the card, could improve on password-only home banking or on-line trading services. Beyond that, it becomes portable. The card can authenticate the customer from any input device.

"Today's Internet browsers and e-mail programs have security measures installed, but they are software-based and require only a password for access," said Michel Roux, Gemplus vice president and general manager of Internet and information technologies.

"Now users can be sure it is safe by simply inserting their smart card into their reader, typing in their personal identification number, and allowing the chip on the card to carry out user authentication."

Internet fraud has become increasingly costly, with losses estimated at $10 billion annually, according to a March 1998 Computer Security Institute-Federal Bureau of Investigation computer crimes survey.

Citing consumer surveys, John Landwehr, director of product marketing for Gemplus Americas in Redwood City, Calif., said 60% to 80% of consumers are concerned about Internet transaction safety and so are deterred from trying the medium.

Mr. Landwehr said Gemsafe's selling points, aside from fraud protection and portability, include compatibility with a broad range of standards, such as the X.509 digital certificate, and "plug and play" installation with any PC.

The product works with browser technology from both Netscape Communications Corp. and Microsoft Corp. Gemplus, one of several vendors in the PC/SC Workgroup, which supports smart card interfaces with personal computers, was also among those signing on this year to a Microsoft program to certify smart cards for use with the Windows and Windows NT operating systems.

Industry observers viewed Gemsafe as positive for transaction security.

"I am impressed, and I think it addresses a couple of tough issues," said Jerome Svigals, a consultant and smart card advocate based in Redwood City, Calif.

He viewed the concept as an improvement on SET 1.0, the credit card industry Internet protocol that relies on certificates in computer hard drives. "You have to pass a set of security tests to open up the card for a transaction, and that enhances the certificates," he said.

"There is somewhat of a risk when you have an unencrypted transmission between the keyboard and the smart card because theoretically a hacker can find a way to monitor the keystrokes," said William L. Powar, principal of Venture Architects in Palo Alto, Calif. "But realistically, this has to be better than the other options."

Gemplus said the PIN is in any event not transmitted to any Web server. The only communication is between the keyboard and the card reader.

Though long seen as security tokens, smart cards have only recently begun to be accommodated by hardware. In one transitional step, Fischer International Systems Corp. and Toshiba Corp. formed a joint venture, SmartDisk Corp. of Naples, Fla., to market the Smarty, a device that enables a conventional PC drive to read a chip card.

Mr. Landwehr sees several developments accelerating the migration: Hewlett-Packard Co. is shipping a smart-card-enabled laptop computer, and the Microsoft-Intel "Wintel" design guide for next year calls for smart card compatibility.

Mr. Powar said there are efforts to scale the federal government's more elaborate security token, the Fortezza computer card, down to a lower-cost chip card. Spyrus announced at the recent Cardtech/Securtech conference it would supply 20,000 of these Rosetta cards for the Defense Messaging System, which could also spur private-sector uses.

"We can't assume the smart card industry is going to change overnight," Mr. Powar said. "Automation of point of sale and the integration of magnetic stripe readers into cash registers did not happen overnight, so too will this take time."

Gemsafe shipments are to start July 1. An evaluation kit for larger-scale business deployments, including 25 smart cards and serial port readers, costs $1,999 to $3,999. An individual user's package (card, reader, browser software, and a voucher for a Verisign digital certificate) costs $99, with volume discounts available. Mr. Landwehr said Gemplus may consider retail distribution in addition to its business channels.
