SAN FRANCISCO Though smart cards are being touted as the answer to online security concerns, many questions remain about how the technology should be deployed and how safe consumers will feel after they are armed with the cards, according to speakers at the Smart Card Forums eighth annual meeting.
Smart card issuers should see the security issue as one of confidence-building rather than one of risk management, said Richard K. Hite, a senior vice president at Visa International. The inherent challenge in electronic commerce is maintaining acceptable levels of trust, he said in a presentation at last weeks meeting.
The difficulty of validating buyers and sellers identity is threatening the growth of electronic commerce, said Rick Dalmazzi, president and chief executive of Certicom Corp., a Hayward, Calif.-based company specializing in wireless Internet security. Digital certificates and digital signatures which can be stored on smart cards can give merchants the confidence they need, he said.
If we can achieve identity, we can achieve trust, Mr. Dalmazzi said. If we can achieve trust, we can reduce risk.
Smart cards could bridge the trust gap between merchants and consumers by allowing the latter to keep their identity stored on the card while using a desktop computer, a mobile telephone, or any other Web-connected portable device, Mr. Dalmazzi said. This would avoid the need for multiple digital certificates, one for every piece of equipment.
The problem is that each device has a unique need for its identity requirements, Mr. Dalmazzi said.
Biometrics, such as fingerprint imaging, may not be viable for mobile commerce because it is expensive and power-hungry, Mr. Dalmazzi said. Also unresolved is how fingerprint images would be stored and managed securely.
Paul Kocher, president of Cryptography Research Inc. in San Francisco, warned against overloading smart cards.
There is a direct connection between how successful something is going to be and its complexity, he said, explaining that if too many security functions are stored on the chip, the cards will be cumbersome for consumers.
Mr. Kocher said smart card issuers should not count on the vendor community to create an impregnable system. A lot of customers have unrealistic expectations, he said. Tamper-resistant is just resistant it is not tamper-proof.
As they begin to deploy smart cards, issuers should do all they can to guard peoples privacy and data. You can always refund somebodys money and they are happy, Mr. Kocher said, but once identity is compromised, so is the client relationship.
Issuers should insist that vendors be explicit about any hazards they might encounter, Mr. Kocher continued.
If a vendor will not give that information, do not do business with them, he said. If a vendor will accept all of the risks, then trust us is perfectly acceptable.