An identity card is not a commerce solution -- there is no cost/benefit analysis for governments, they just decide which vendors should get lots of money (I know, I was one of them! Thanks governments!) We did this in the US and now there are no fake passports here in the US, we win! Ooops...
http://www.schneier.com/blog/archives/2006/08/hackers_clone_...
I think you'll see that it concludes much the same thing as I mentioned the banks (here in the US anyway) conclude: the costs are not worth the theoretical "kinda safer" gains in security.
Security is a nuanced, no-one-solution-fits-all, dynamic, evolving systems engineering problem. The adversaries are smart, but more importantly have common sense (unlike governments and consumers) - they will exploit weaknesses in the weakest link. Replace passwords with smart cards, no problem - they will go after the next link. The (US and EU) banks know this -- they all employ layered fraud and security measures --- despite consumers who may have unquestioning faith in the perfect security of smart cards.
And when you come back in 5 years and payment cards are still NOT being used in the mainstream (US anyway where cost vs. benefit is important), please have the courtesy to upvote.
You're totally wrong. Probably because you're living in the U.S., where it's still the stone age from that standpoint.
http://en.wikipedia.org/wiki/Smart_card
Here in several European countries people are doing just that:
- using a Java SmartCard (your identity card) + a card reader (not hooked to the computer) + a PIN to connect to your online bank but ALSO to challenge/response any VISA/credit card transaction.
If I'm not mistaken there are about 200 million citizens in Brazil who have a Java SmartCard as their identity card (as a medical care card I'm sure, identity I don't know for sure).
I think it's a bit early to decide that it failed and that it's an illusion. There are probably hundreds of millions of people who are carrying daily a Java SmartCard and using it to perform kinda safer online transactions.
MITM attacks over unsuspecting users are still possible using "mocking birds", but it's becoming harder and harder to game the system.