Does a smartcard reader add value in generating an OTP?

Marite, I think one of the things you have missed is that by using either the Gemalto device or the IBM USB device and an IC payment card you can access more than one online service i.e. several credit card issuers and or several on-line banking services. With an RSA securid you can only access one.

Nick, I didn't miss it at all. That's precisely why I described the new B.3.2.Trust system of 'mutual' authentication by a Trusted Third Party (by B.3.2.Trust).

With this system, a single OTP device can be used (by the holder) with any online service or even for peer-to-peer transactions (not just with online banks or card issuers).

The codes generated by this gemalto device are event-based OTPs. Time-based OTPs are more secure.

Lastly, I generally am wary of the proliferation of standalone card readers. They are toys for fraudsters.

The IBM idea is not related to OTP, except that it replaces it. In the IBM scenario the device displays important elements of the transaction, such as the amount or the beneficiary, which are authenticated cryptographically between the device and the bank without the user's PC being involved. This means that malware and other attacks (MITM - man in the middle - in the IBM description) cannot change these elements.

OTP - one time password that you have to transcribe?

Not exactly a front runner in the user friendly stakes is it?

I guess no-one thinks about that anymore, they're so desperate for even a semblance of security.

Mutual authentication is one thing I would have thought would be an essential requirement for any sensible system.

How would you describe a 'solution' that didn't mutually authenticate? I'd suggest 'useless' would be appropriate.

Happy days.

A crucial advantage of using a standard EMV smartcard to generate the OTP is that the bank has already invested in the difficult and expensive process of making sure the right device with an embedded secret (ie the smartcard in this case) has got to the right person.  With non-smartcard devices such as RSA's SecureID you have to incur these costs twice.  This more than offsets the costs of the smartcard readers, which have no secret in them.  There are several other advantages such as multi-channel applicability (mentioned above by Nick Green), no dependence on proprietary standards and technology, no need to remember more than one PIN, and a natural evolution to secure e-commerce through integration with 3D Secure standards.  I could go on, but the growing list of major banks which have adopted CAP and VbV speaks for itself.

One other thing - the original article says the gemalto solution doesn't protect against man-in-the-middle attacks.  This is simply not true.  You get such protection simply by entering additional information such as the beneficiary's account number or amount (mentioned aove by Jonathan Rosenne).  Most banks using remote chip authentication already routinely use this for transfers above a certain value.

Nick Collin said : "I could go on, but the growing list of major banks which have adopted CAP and VbV speaks for itself."

Laughing out...  Adopted? They are being mandated! And they in turn force their cardholders to register. Like I said, the card schemes earn regardless of who issues their label. On the other hand, the issuing bank takes the risk of alienating customers with an ineffective solution (just read the forums filled with cardholder complaints...).

OTPs have been by far more successful than the card reader/card authentication method for log-in access authentication despite their cost. 

Identification data in a card is static much like a fingerprint. Static Identification is useful to fraudsters. This is why a time-based OTP logically provides more security since a captured time-based OTP is useless to a fraudster. And of course, with OTPs, end-users need not remember the pin.

So, this is also why I think there isn't much utility in adding a smartcard reader/smartcard to generate an OTP.

The issue of cost related to time-based OTPs can now be resolved by a trusted third party (a new system by a french company) that authenticates both the B (businesses) and C (consumers). Therefore, one OTP device can be used by an end-user with one to many parties. This new system enables any strong multi-factor authentication method to have a universal application. This multi-channel / universal applicability will then  lower the cost of time-based OTPs quite considerably.

Whether its time-based OTPs, card reader/card authentication or biometrics, what's clearly lacking is mutual authentication. Authentication of web servers should also be done and this new system does this.

Nick also said : "..., and a natural evolution to secure e-commerce through integration with 3D Secure standards."    All I can say is that a system exists that can make card-not-present transactions more secure than card-present transactions and this isn't by using a card reader/card. Unfortunately, I'm not at liberty to say more at this time ...

ANY system that does not do mutual authentication does not protect against man-in-the-middle attacks.  Does the Gemalto or the IBM ZTIC do mutual authentication? When I'm typing a time-based OTP, do I know that I am giving it to a legitimate website? While I am using the card reader/card and I enter a beneficiary's account number and/or amount, do I, as an end-user know for sure that I am not sending this confidential data to a man-in-the-middle? While I am using an IBM ZTIC usb, do I, as an end-user know for sure that what I am seeing on the display of that usb key is coming from a legitimate website?

Merite:  with CAP, the card reader is not physically connected to the PC.  The card identification data, beneficiary account number, etc is cryptographically combined by the card to generate the OTP which is then manually entered into the PC.  There is no way this data can be intercepted.

I'm not aware of any bank which has been mandated to use CAP.  Can you give examples?

Mutual authentication would be nice to have but in practice it turns out to be impractical.  The industry developed a PKI solution called SET (Secure Electronic Transactions) some years ago but despite massive efforts it was never adopted - it was just too expensive and difficult to roll out on a commercial basis in a mass market.  Hence the adoption of the 3D Secure model which breaks up the solution into manageable chunks.

"I'm not aware of any bank which has been mandated to use CAP.  Can you give examples?"

Answer : VBV (since your first post stated : "but the growing list of major banks which have adopted CAP and VbV speaks for itself.")

You also said : "There is no way this data can be intercepted."

Yet you sort of negated yourself with the sentence before. "by the card to generate the OTP which is then manually entered into the PC." Entered into the PC is the POC (point of compromise) and is phishable at this point. 

Perhaps, we should go back to my subject line : "Does a smartcard reader add value in generating an OTP?" The multi-channel is a good angle, but there's still no real added value in adding a card reader to an OTP generator since OTPs by themselves can also be multi-channel.

"Mutual authentication would be nice to have but in practice it turns out to be impractical." and you also spoke about PKI and SET.

Sorry Nick, SET is as old as my grandmother and a lot of things are quite possible now, technologically speaking, which would make mutual authentication quite practical and easy to implement. SET also didn't provide mutual authentication.

Cheers.

Hello.

We, the consumers, can already buy EMV card readers on the web. We might be able to get them in retail shops sometime. Although they could be as smart (if not smarter) as cards, most of them are designed to be as card-neutral as possible. The result is that, should I loose or break mine, I could borrow your card reader to authenticate myself with my banking card. Something I couldn't do with a so-called OTP token, provided that your bank had provided you-- oeuf corse -- with such a token, or keyfob, or usb 'smart security device', etc. The secrets are in the cards and the tokens, not in the readers. 

Readers that operate in a connected mode are being developed to facilitate next generation eSEPA payment services operations, including Credit Transfers and Direct Debits, and not only Card Payments.  Something that handheld tokens don't and won't do because they were not designed for this.  Except that...

Last week, at Cartes, Kobil and Vasco demoed card readers with an opto-electronic interface that enables cardholders to download data onto their reader + card via an optical flashing pattern displayed on the screen of their PC. Funny: Back in 1994, at the CSI trade show, I remember demonstrating a similar system from ActivIdentity (then ActivCard). Do we have here an alternative to connected readers. Maybe.  

Gemalto, Kobil, Todos, Vasco, XIRING... not to mention others who didn't exhibit, such as IBM, had new versions of EMV card readers that perform a wide diversity of services.  Worth to be mentioned, XIRING introduced its award-winner 'XiSign Wallet', a standard EMV card reader that leverages several EMV-enabled operations including CAP/DPA authentication, Prepaid value checking and cardholder control of contactless payments.  

I believe that above mentioned industry examples and references are rich enough to demonstrate how and why, yes, a smart card reader does add value in generating an OTP...  I have no strong opinion on the bits and bytes that are supposed to make OTP vs C/R vs MACing vs whatever-you-want a stronger or weaker solution:  I think that as long as one ignores the business requirements for which a solution is chosen, one cannot launch a fatwa against x, y or z methods or systems...  

The market for EMV and CAP / OTP authentication applications is changing fast. Eurosmart* restated last week that they were around 600 million smart banking cards in Europe, a large majority of which being already EMV compliant.  XIRING said that there are today around 15 million EMV card readers, whereas there were 10 millions last year.  Will Gartner confirm its 2008-2012 CAGR forecast and plan on 1,3bn EMV cards by 2013? 

The number and nature of countries which prepare themselves to adopt EMV as their next generation banking card standard, including Russia, India and China, give us a feeling that EMV 'cards' (whatever is their form factors) are still in the infancy stage of their market development cycle. 

What will it take -- at both client and server levels -- to manage large scale, multichannel user populations? Populations who want to work, live, play... and pay online with the same levels of confidence they have offline?  

* Download World Card Summit's Eurosmart Jacques Seneca PPT at www.eurosmart.com

Thank you for your cartes-exposium-inspired feedback. Before I add another comment, I should expose the fact that I have nothing to gain from choosing OTPs versus card and card/reader. I speak as an informed consumer.

OTPs are just as versatile to handle any type of transaction such as credit transfers and direct debits. In fact, a number of banks are using OTPs not only for log-in access but also for transaction authentication of credit transfers, direct debits, standing orders, etc. So, I don't know what makes you say "Something that handheld tokens don't and won't do because they were not designed for this." 

AMEX gave away card readers to their cardholders years ago and obviously scrapped that idea. France Telecom also did the same 'pilot' years ago with bad results. As a consumer, it would never cross my mind to pay for a card reader. Perhaps, fraudsters have other things in mind with these card readers.

Also as a consumer, I will always feel that OTP devices or OTP generators are more secure than a card reader/card combo. Time-based OTPs are also preferrable than event-based OTPs. I also include OTP generators since one can get an OTP not only through a physical device but can also receive it via mobile.

If I ever lose my OTP 'key', I can receive OTPs in my mobile while I wait for a replacement. If I lose my OTP device, I would not worry too much since whoever has it must also know my accounts and userid/passwords. I truly don't see myself going around or travelling with a card reader.

I must always have my house keys or my mobile. An OTP device that I can keep with my keys or OTPs sent to my mobile is ideal. 

Overall, I do think that this competition from card readers is good for the market. This will motivate OTP providers to unleash the potential of OTPs. 

The Co-Operative Bank is now making card readers mandatory. From April, customers will be required to use the device to generate a one-time password to be entered to authorise web-based transactions.

http://www.finextra.co.uk/fullstory.asp?id=19453