Menu
▾
▴
Re: [Opensc-devel] SE (Security Element) dropped in new Nexus 7
|
From: Anders R. <and...@te...> - 2013-08-09 15:34:06
|
On 2013-08-09 16:42, Andreas Schwier wrote: > Build-in SEs in a mobile device don't make sense if you can also have a > centrally managed SE. And mobile phones tend to have good network > coverage at any point where interactions via NFC happen. A centrally managed SE is maybe something for Google but not for the Internet in general. That was essentially the #1 problem with the GP model; only Google had the keys to the kingdom that was baaaaaaaaaaad :-) > > No need to have any local risk processing if you are online anyway. > > And with EMV cards you're absolutely right. I don't really understand > why I need to key-in my credit card number into unsafe webforms, provide > an additional 3D secure password into a form that pops-up and probably > screws the transaction underway. I want to put my credit card into the > cheap reader I use for homebanking already and perform an EMV > transaction via the net. I don't know what prevents banks from offering > such a solution (oh sorry of course I know: This would benefit me and > not my bank). Agree but the true problem is that the Financial industry and the former tech leader (Microsoft) never got together. It is essentially the same with Governments. The Swedish government has now given up on smart cards and client certificates and is now about to launch a pretty expensive centralized signature service. Anyway, I believe 3D Secure actually will be reborn! ------ As you probably know the big credit card networks already back in 1999 launched a "Web Payment" scheme called 3D Secure. Nowadays it is known as VbV (Verified by VISA) and SecureCode (MasterCard's variant). Short description: - The payment request (from the merchant) is routed (redirected) to the card issuer. - The issuer performs an extra authentication step for the cardholder which results in a signed card holder authenticity response which gives the merchant assurance that the payer is legitimate. 3D Secure system is mandatory in Scandinavia but have without exception been ignored by US e-tailers. IMO, 3D Secure is probably the most user-hostile payment-system ever. So why bother? I do because the core concept is cool and could in a revised format become useful. Currently we are stuck with "User ID" (Card Number) and "Password" (CCV) printed in clear (!) on the card and that is neither convenient nor secure. The following WebCrypto extension proposal http://webpki.org/papers/PKI/pki-webcrypto.pdf offers dynamically loaded "Trusted Chrome" which can support both POS-style and 3D Secure-like payments. thanx, Anders > > Andreas > > > > On 08/09/2013 11:28 AM, Anders Rundgren wrote: >> http://www.nfcworld.com/2013/07/30/325212/no-secure-element-in-new-nexus-7/ >> >> I believe this is because a Security Element based on smart card concepts >> like GP (GlobalPlatform) doesn't really work on the Internet. >> >> There are already hundreds of millions of EMV-cards out there and they >> never got a connection to the Internet either. >> >> Anders >> >> ------------------------------------------------------------------------------ >> Get 100% visibility into Java/.NET code with AppDynamics Lite! >> It's a free troubleshooting tool designed for production. >> Get down to code-level detail for bottlenecks, with <2% overhead. >> Download for free and get started troubleshooting in minutes. >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > > |
