SE (Security Element) dropped in new Nexus 7

SE (Security Element) dropped in new Nexus 7

Anders Rundgren
http://www.nfcworld.com/2013/07/30/325212/no-secure-element-in-new-nexus-7/

I believe this is because a Security Element based on smart card concepts
like GP (GlobalPlatform) doesn't really work on the Internet.

There are already hundreds of millions of EMV-cards out there and they
never got a connection to the Internet either.

Anders

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: SE (Security Element) dropped in new Nexus 7

Andreas Schwier (ML)
Built-in SEs in a mobile device don't make sense if you can also have a
centrally managed SE. And mobile phones tend to have good network
coverage at any point where interactions via NFC happen.

No need to have any local risk processing if you are online anyway.

And with EMV cards you're absolutely right. I don't really understand
why I need to key-in my credit card number into unsafe webforms, provide
an additional 3D secure password into a form that pops-up and probably
screws the transaction underway. I want to put my credit card into the
cheap reader I use for homebanking already and perform an EMV
transaction via the net. I don't know what prevents banks from offering
such a solution (oh sorry of course I know: This would benefit me and
not my bank).

Andreas



On 08/09/2013 11:28 AM, Anders Rundgren wrote:

> http://www.nfcworld.com/2013/07/30/325212/no-secure-element-in-new-nexus-7/
>
> I believe this is because a Security Element based on smart card concepts
> like GP (GlobalPlatform) doesn't really work on the Internet.
>
> There are already hundreds of millions of EMV-cards out there and they
> never got a connection to the Internet either.
>
> Anders
>
>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org


Re: SE (Security Element) dropped in new Nexus 7

Anders Rundgren
On 2013-08-09 16:42, Andreas Schwier wrote:
> Built-in SEs in a mobile device don't make sense if you can also have a
> centrally managed SE. And mobile phones tend to have good network
> coverage at any point where interactions via NFC happen.

A centrally managed SE is maybe something for Google but not for the Internet in general.  That was essentially the #1 problem with the GP model; only Google had the keys to the kingdom that was baaaaaaaaaaad :-)

>
> No need to have any local risk processing if you are online anyway.
>
> And with EMV cards you're absolutely right. I don't really understand
> why I need to key-in my credit card number into unsafe webforms, provide
> an additional 3D secure password into a form that pops-up and probably
> screws the transaction underway. I want to put my credit card into the
> cheap reader I use for homebanking already and perform an EMV
> transaction via the net. I don't know what prevents banks from offering
> such a solution (oh sorry of course I know: This would benefit me and
> not my bank).

Agree but the true problem is that the Financial industry and the former tech leader (Microsoft) never got together.  It is essentially the same with Governments. The Swedish government has now given up on smart cards and client certificates and is now about to launch a pretty expensive centralized signature service.

Anyway, I believe 3D Secure actually will be reborn!

------

As you probably know the big credit card networks already back in 1999 launched a "Web Payment" scheme called 3D Secure.

Nowadays it is known as VbV (Verified by VISA) and SecureCode (MasterCard's variant).

Short description:
- The payment request (from the merchant) is routed (redirected) to the card issuer.
- The issuer performs an extra authentication step for the cardholder which results in a signed card holder authenticity response which gives the merchant assurance that the payer is legitimate.

The 3D Secure system is mandatory in Scandinavia but has without exception been ignored by US e-tailers.  IMO, 3D Secure is probably the most user-hostile payment-system ever.

So why bother?  I do because the core concept is cool and could in a revised format become useful.  Currently we are stuck with "User ID" (Card Number) and "Password" (CCV) printed in clear (!) on the card and that is neither convenient nor secure.

The following WebCrypto extension proposal

   http://webpki.org/papers/PKI/pki-webcrypto.pdf

offers dynamically loaded "Trusted Chrome" which can support both POS-style and 3D Secure-like payments.

thanx,
Anders


>
> Andreas
>
>
>
> On 08/09/2013 11:28 AM, Anders Rundgren wrote:
>> http://www.nfcworld.com/2013/07/30/325212/no-secure-element-in-new-nexus-7/
>>
>> I believe this is because a Security Element based on smart card concepts
>> like GP (GlobalPlatform) doesn't really work on the Internet.
>>
>> There are already hundreds of millions of EMV-cards out there and they
>> never got a connection to the Internet either.
>>
>> Anders
>>
>
>
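
The 3D Secure flow summarized in the message above (the merchant redirects the payment request to the issuer, and the issuer returns a signed cardholder-authenticity response), as an added example that is not part of the original post and not the 3D Secure wire format. The field names, the JSON serialization and the use of Ed25519 are assumptions made for this sketch; it shows the checks a merchant needs beyond a valid signature.

```javascript
// Added illustration: simplified model of the redirect-and-sign flow.
// Field names and message layout are assumptions, not 3D Secure messages.
const crypto = require('node:crypto');

// Issuer key pair; the merchant is assumed to already trust the public key.
const issuerKeys = crypto.generateKeyPairSync('ed25519');

// Fixed field order so both sides serialize exactly the same bytes.
const REQUEST_FIELDS = ['merchantId', 'amount', 'currency', 'nonce'];
const SIGNED_FIELDS = [...REQUEST_FIELDS, 'cardholderAuthenticated'];
const canonical = (m) => JSON.stringify(SIGNED_FIELDS.map((f) => [f, m[f]]));

// Merchant: build the payment request that is redirected to the issuer.
function merchantRequest(merchantId, amount, currency) {
  const nonce = crypto.randomBytes(16).toString('hex'); // one per transaction
  return { merchantId, amount, currency, nonce };
}

// Issuer: after its own cardholder authentication step, sign a response
// that covers the request fields and the authentication outcome.
function issuerRespond(request, cardholderAuthenticated, key = issuerKeys.privateKey) {
  const body = { ...request, cardholderAuthenticated };
  const sig = crypto.sign(null, Buffer.from(canonical(body)), key);
  return { body, signature: sig.toString('base64') };
}

// Merchant: accept only a response that is signed by the issuer, bound to
// this pending request, and reports a successful authentication.
function merchantVerify(pending, response, issuerPublicKey = issuerKeys.publicKey) {
  const { body, signature } = response;
  const sigOk = crypto.verify(null, Buffer.from(canonical(body)),
    issuerPublicKey, Buffer.from(signature, 'base64'));
  if (!sigOk) return 'reject: bad signature';
  const bound = REQUEST_FIELDS.every((f) => body[f] === pending[f]);
  if (!bound) return 'reject: response not bound to this request';
  if (body.cardholderAuthenticated !== true) return 'reject: cardholder not authenticated';
  return 'accept';
}
```

A validly signed response replayed against a different pending request fails the binding check, which is why the nonce is part of the signed data.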


Re: SE (Security Element) dropped in new Nexus 7

Andreas Jellinghaus-4


On 09.08.2013 17:34, "Anders Rundgren" <[hidden email]> wrote:
...
>
> Anyway, I believe 3D Secure actually will be reborn!
>
> ------
>
> As you probably know the big credit card networks already back in 1999 launched a "Web Payment" scheme called 3D Secure.
>
> Nowadays it is known as VbV (Verified by VISA) and SecureCode (MasterCard's variant).

At least my German bank implements this with a huge liability shift towards the customer. Thus I refuse to buy with any VbV enabled merchant.

Andreas


Re: SE (Security Element) dropped in new Nexus 7

Anders Rundgren
On 2013-08-12 07:15, Andreas Jellinghaus wrote:

>
> On 09.08.2013 17:34, "Anders Rundgren" <[hidden email]> wrote:
> ...
>>
>> Anyway, I believe 3D Secure actually will be reborn!
>>
>> ------
>>
>> As you probably know the big credit card networks already back in 1999 launched a "Web Payment" scheme called 3D Secure.
>>
>> Nowadays it is known as VbV (Verified by VISA) and SecureCode (MasterCard's variant).
>
> At least my German bank implements this with a huge liability shift towards the customer. Thus I refuse to buy with any VbV enabled merchant.
>

Interesting and pretty weird.

Anyway, the basic principle (using your bank/issuer as a federated party in
the transaction), has been "cloned" any number of times over the world.

What I hope to bring is a programmable framework based on an enhanced WebCrypto
scheme so that we some day may actually retire the mag-strip and userid/password
(printed in clear text..) from credit cards.  EMV-cards are due to the latter as
susceptible to skimming as the non-chip cards and that sux, doesn't it?

It is clear that the card industry, the financial institutions and Microsoft
can continue for another 15 years on the Internet without succeeding!

Anders


